Hi,\n\nI have two Cisco 1760 routers in headquarteers which are connected via\nGRE/IPSec tunnels with branch offices routers (they are Cisco 1760\ntoo)located in other cities.\nThese two main office routers are connected to two different ISPs and\nGRE/IPSec VPNs connected to each brunch site router are configured on\neach main office router. This was made to provide fault tolerance. In\nnormal conditions VPNs work on a single headquarteers router connected\nto the 1st ISP. If the link to 1st ISP becomes dead I direct VPN\ntraffic to use the second headquarteeers router by changing static\nroutes on both headquarteers router and brunch office routers.\n\n\n\nEverything was fine until the last few mounths when our ISP started to\nperform network equipment maintaince almost every week and it annoys us\nvery much since it disrupts network connectivity.\nIn this case I intended to use EIGRP as dynatic routing protocol\ninstead of changing static routes in a case of link failure.\nI configured EIGRP on every router and in a case of link failure it\nworks pretty well, I tested it.\nBut implementing a dynamic routing on my network exerted an issue.\nI can pretty well ping hosts located in brunch offices's networks, but\nTCP sessions (SMTP, POP3, AD) drop unexpectedly.\nI presume that I did somethng wrong when configuring hub and spoke\nIPSec VPNs.\nHere are my questions\n\n1. Should I use transport or tunnel IPSec mode when configuring\nGRE/IPSec. I tested both modes and it's seems to me there's no\ndifference in this case.\n2. Then configuring crypto map on a spoke router should I configure it\nlike this\n\ncrypto map Map1 10 ipsec-isakmp\nset peer x.x.x.x <- hub 1\nset peer y.y.y.y <- hub 2\nset transform-set cipher\nmatch address 110\n\n\nor like this\n\ncrypto map Map1 10 ipsec-isakmp\nset peer x.x.x.x\nset transform-set cipher\nmatch address 110\ncrypto map Map2 20 ipsec-isakmp\nset peer y.y.y.y\nset transform-set cipher\nmatch address 120\n\n\nThank you in for your answers in advance.