I've got two pixes with a site-to-site shared secret ipsec vpn set up and working.
I'm now adding a third site, and wished to create a second tunnel on each of the existing pixes to the third pix.
I THINK it's just as easy as adding a new peer and access-list to the crypto map, but would appreciate a sanity check.
Here's the current config of PIX A, talking to PIX B.
crypto map hrcpo-map 20 ipsec-isakmp
crypto map hrcpo-map 20 match address dc-vpn
crypto map hrcpo-map 20 set pfs group2
crypto map hrcpo-map 20 set peer 10.164.2.30
crypto map hrcpo-map 20 set transform-set hrcpo-transform
crypto map hrcpo-map 20 set security-association lifetime seconds 3600 kilobytes 4608000
crypto map hrcpo-map interface external
I think all I need to do is define a new access list (ntc-vpn) for the traffic to the third site, and then add the following lines:
crypto map hrcpo-map 30 ipsec-isakmp
crypto map hrcpo-map 30 match address ntc-vpn
crypto map hrcpo-map 30 set pfs group2
crypto map hrcpo-map 30 set peer 10.164.9.94
crypto map hrcpo-map 30 set transform-set hrcpo-transform
crypto map hrcpo-map 30 set security-association lifetime seconds 3600 kilobytes 4608000
This adds a new access-list and peer to the existing crypto map.
Of course, I have to do the same thing on PIX B, and add entries on PIX C for A&B.
I'd appreciate someone confirming or denying that this works - I couldn't find any multi-tunnel examples on CCO.
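As an added sanity check (example code written here, not from the post or from Cisco): a small Python script that parses the crypto map entries above and flags an entry missing its match address, peer or transform-set, or an access-list name or peer reused by two sequence numbers of the same map. It compares names only; it does not compare the address ranges inside the access-lists, which also must not overlap between entries, because the lowest matching sequence number wins.

```python
import re
from collections import defaultdict

# Constructed sample: PIX A's existing seq 20 entry plus the proposed seq 30 entry.
SAMPLE_CONFIG = """
crypto map hrcpo-map 20 ipsec-isakmp
crypto map hrcpo-map 20 match address dc-vpn
crypto map hrcpo-map 20 set peer 10.164.2.30
crypto map hrcpo-map 20 set transform-set hrcpo-transform
crypto map hrcpo-map 30 ipsec-isakmp
crypto map hrcpo-map 30 match address ntc-vpn
crypto map hrcpo-map 30 set peer 10.164.9.94
crypto map hrcpo-map 30 set transform-set hrcpo-transform
crypto map hrcpo-map interface external
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
# Keyword prefix -> field name recorded for each sequence-numbered entry.
FIELDS = {"match address": "acl", "set peer": "peer",
          "set transform-set": "transform", "ipsec-isakmp": "type"}

def parse_crypto_map(text):
    """Return {(map_name, seq): {field: value}} for every crypto map entry."""
    entries = defaultdict(dict)
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # skips 'crypto map <name> interface ...' and non-map lines
        key = (m.group(1), int(m.group(2)))
        for prefix, field in FIELDS.items():
            if m.group(3).startswith(prefix):
                entries[key][field] = m.group(3).split()[-1]
    return dict(entries)

def check_crypto_map(entries):
    """Flag incomplete entries and an ACL or peer reused by two sequence numbers."""
    problems, seen = [], {"acl": {}, "peer": {}}
    for (name, seq), e in sorted(entries.items()):
        for field in ("type", "acl", "peer", "transform"):
            if field not in e:
                problems.append(f"{name} seq {seq}: missing {field}")
        for field in ("acl", "peer"):
            value = e.get(field)
            if value in seen[field]:
                problems.append(f"{name} seq {seq}: {field} {value} already used by seq {seen[field][value]}")
            elif value:
                seen[field][value] = seq
    return problems

print(check_crypto_map(parse_crypto_map(SAMPLE_CONFIG)) or "no problems found")
```

Paste the output of `show running-config` in place of SAMPLE_CONFIG to check a real box; an empty problem list means every entry is complete and no name is shared.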