How to configure an individual pre-shared key on the hub for each spoke network

Answered Question
Aug 30th, 2010

Hello Expert,

I am about to set up a hub-and-spoke environment consisting of several Cisco 2811 routers.

For the VPN we are using Dynamic Multipoint VPN (DMVPN), and for IKE we are using pre-shared keys.

I would like to use a different pre-shared key for each location.

On the spoke I can easily achieve this (by entering the pre-shared key), but from the hub standpoint I am unsure how to achieve this (a separate key for each spoke network).

Attached is a screenshot (taken in SDM) of the hub router.

Regards

Jomo


Richard Burts Mon, 08/30/2010 - 09:31

Jomo

The print quality of your screenshot was so poor that I cannot read any significant details. But I will try to provide a response based on how it should work. The general approach for multipoint like this is to specify an address of 0.0.0.0 when configuring the ISAKMP pre-shared key, so that all remote VPN peers will match and will therefore all use the same pre-shared key. I would assume that it would work if you put a specific peer address and a specific (unique) shared key, providing a unique value for each of the remote peers.

HTH

Rick

jomo frank Mon, 08/30/2010 - 10:21

Hello Rick,

Sorry for the poor quality of the screen shot.

>>> The general approach for multipoint like this is to specify address of 0.0.0.0 in configuring the ISAKMP pre-shared key so that all remote VPN peers will match and will therefore all use the same pre-shared key.

I tested this approach and it works okay.

But I am trying to implement a unique key for each remote peer for increased security.

From your response, you think it may work, but I guess you are not too sure.

>>> I would assume that it would work if you put a specific peer address and a specific (unique) shared key providing a unique value for each of the remote peers.

The other alternative may be to set up a separate point-to-point tunnel from the hub to each remote location and then use specific (unique) keys.

Regards

Jomo

Correct Answer
Richard Burts Mon, 08/30/2010 - 10:44

Jomo

I have implemented many times a VPN with multiple point-to-point tunnels where each tunnel uses a unique ISAKMP shared key, and this works very well. You are correct in understanding that I have not implemented a multipoint VPN at the hub and tried to implement unique keys for each remote. I would think that this would work, but cannot say from experience whether it does or not.

HTH

Rick

Correct Answer
Lei Tian Mon, 08/30/2010 - 11:10

Hi Jomo,

You can set up a unique key for each spoke. It works the same as point-to-point. If you are using single-tier DMVPN, then the peer IP will be the tunnel endpoint.

Regards,

Lei Tian

jomo frank Mon, 08/30/2010 - 12:31

Hi Tian,

Thanks for the response, just need a quick confirmation.

>> then the peer IP will be the tunnel end point.

Is this the IP of the WAN interface?

Regards

Lei Tian Mon, 08/30/2010 - 12:55

Hi Jomo,

Not sure what you use in your config. It is the tunnel source configured on your spokes.

Regards,

Lei Tian
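The following is an added example, not configuration posted in this thread, showing both approaches discussed above on a DMVPN hub: Rick's wildcard key (one `crypto isakmp key ... address 0.0.0.0 0.0.0.0` entry that every spoke matches) beside Lei Tian's per-spoke keys, where the `address` is each spoke's tunnel source (its outside/WAN address), because that is the ISAKMP peer address the hub sees. All addresses (RFC 5737 documentation ranges), interface names, key strings, profile names and the NHRP/tunnel values are assumptions chosen for illustration; the IKE policy values assume an IOS release that supports AES-256 and DH group 14.

```cisco
! ===== Hub (assumed outside address 198.51.100.1 on FastEthernet0/0) =====
! IKE phase 1: pre-shared key authentication (values assumed)
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! Weak setting from the thread, for contrast: a single wildcard key that
! matches ANY peer address, so every spoke shares one secret. Leave this
! line out (shown commented) once the per-spoke keys below are in place.
! crypto isakmp key OneKeyForAllSpokes address 0.0.0.0 0.0.0.0
!
! Per-spoke keys: one entry per spoke, keyed on the spoke's tunnel source
! (its outside/WAN address). Key strings and addresses are placeholders.
crypto isakmp key Spoke1-Key-0f3a address 203.0.113.10
crypto isakmp key Spoke2-Key-9c1e address 203.0.113.20
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.1 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPAUTH
 ip nhrp map multicast dynamic
 ip nhrp network-id 1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
!
! ===== Spoke 1 (assumed outside address 203.0.113.10 on FastEthernet0/0) =====
crypto isakmp policy 10
 encr aes 256
 hash sha
 authentication pre-share
 group 14
!
! The spoke only needs the hub's address and its own key, which must match
! the entry the hub holds for 203.0.113.10.
crypto isakmp key Spoke1-Key-0f3a address 198.51.100.1
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
interface Tunnel0
 ip address 10.0.0.10 255.255.255.0
 no ip redirects
 ip nhrp authentication NHRPAUTH
 ip nhrp map 10.0.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 1
 ip nhrp nhs 10.0.0.1
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 1
 tunnel protection ipsec profile DMVPN-PROF
```

To check which keys the hub holds and that each spoke's phase 1 SA comes up against its own entry, use `show crypto isakmp key`, `show crypto isakmp sa` and `show dmvpn` on the hub; the peer column in `show crypto isakmp sa` should be the spoke's tunnel source address, not its tunnel (10.0.0.x) address. Two caveats a practitioner should weigh: per-spoke keys bind to static spoke source addresses, so a spoke whose WAN address changes will stop matching its entry; and in a DMVPN design where spokes also build direct spoke-to-spoke tunnels, each spoke must then hold a key for every other spoke as well, which is why per-peer pre-shared keys scale poorly there and certificate (PKI) authentication is the usual alternative at that size.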

jomo frank Mon, 08/30/2010 - 13:55

Hello Tian,

Thanks for response.

I understand the requirements now.

Keep up the good work

Regards

Jomo
