Lets take a look at hybrid virtual private networks (VPNs) and the circumstances in which they makes the most sense. Crypto ipsec transform-set Trans_HUB_SP esp-aes esp-sha-hmac! The key to making a hybrid VPN setup manageable is to use a hub-and-spoke configuration in which the remote sites connect only to one central site. LNS# aaa new-model aaa authorization network default local! Router ospf 1 router-id network area 0 network area 0 LAC_9# interface Loopback0 ip address! Ip local pool pptp-Pool! Crypto map L2TP_VPN 10 ipsec-isakmp set peer set transform-set ESP-AES256-SHA1 match address L2TP_traffic!! Ip access-list extended VPN33-32-traffic permit ip any ip access-list extended VPN33-48-traffic permit ip any ip access-list extended VPN33-64-traffic permit ip any Spoke# crypto ipsec transform-set 3DES-MD5 esp-3des esp-md5-hmac mode tunnel! Crypto map test_MAP interface outside! Interface GigabitEthernet1/0 ip address omitted. Crypto ipsec profile profile-ipsec set transform-set transform-ipsec set isakmp-profile profile-isakmp interface Ethernet0/0 ip address ip nat inside ip virtual-reassembly in! Crypto ipsec transform-set Trans_SP2_HUB1 esp-aes 256 esp-md5-hmac! Sep  3 09:14:50.883: isakmp 1011 retransmitting due to retransmit phase 1 *Sep  3 09:14:51.383: isakmp 1011 retransmitting phase 1 MM_KEY_exch. Pseudowire-class pwclass2 encapsulation l2tpv3 protocol l2tpv3 ass ip local interface Ethernet0/0! Sep  3 09:14:30.663: isakmp (1010 incrementing error counter on sa, attempt 3 of 5: retransmit phase 1 *Sep  3 09:14:30.663: isakmp 1010 retransmitting phase 1 MM_KEY_exch *Sep  3 09:14:30.663: isakmp 1010 sending packet to my_port 500 peer_port 500 (I) MM_KEY_exch.

