Hub router for VPN

PETER KNOWLES
Level 1

We're replacing a third party router with a Cisco 1721. This location is the hub of multi-location (3 remote sites) VPN.

The 3 remote sites are all on fixed public IPs.

I've seen examples of both no assumption/restriction of remote IPs:

crypto isakmp key [key] address 0.0.0.0 0.0.0.0

as well as setting a key per remote:

crypto isakmp key [key1] address [remote ip1]
crypto isakmp key [key2] address [remote ip2]
crypto isakmp key [key3] address [remote ip3]

Is there a disadvantage/security concern to using the quad-0 approach?

3 Replies

spremkumar
Level 9

Hi

As far as I know, with the second config option you are explicitly listing the peers with which your hub router will negotiate and exchange ISAKMP keys.

With the first statement, your hub will negotiate and exchange keys with any router at any valid IP.

If you have static IPs at the remote sites, then it is better to go with the second option.

The first option is clearly used when you have dynamic IPs being assigned to the remote clients.

Regards

roluce
Level 1

There are no advantages or disadvantages other than what should be obvious.

Single key.

Advantage: Simple administration, common config on all routers.

Disadvantage: Potentially allows anyone to connect to the router from the Internet if not forbidden by another policy on the router.

Multiple keys.

Advantage: ISAKMP cannot be negotiated if it is not specifically configured on the router for that remote IP address. Conceptually more secure.

Disadvantage: More administrative overhead.

With 3 sites, a specific key per site is fairly easy to do. If you had 200 sites, that method would be much less doable. You could do a quick estimate: (N * 5) + (N ^ 2) minutes to do your entire network, or something along those lines.

It's much easier if you have a system that manages this for larger installs. I believe this is one of the purposes of Cisco's GET VPN.

Rob
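As an added illustration (not part of the original thread and not anyone's posted config), here is what the two options roluce describes look like on the hub side, with the "other policy" that the single-key option relies on spelled out as an inbound ACL on the Internet-facing interface. The spoke and hub addresses (RFC 5737 documentation ranges), key strings, interface name, ACL names and crypto map name are all assumptions; the ISAKMP policy and transform-set values are current-practice choices and may not all be available on the older IOS images a 1721 runs.

```text
! --- Option 1 from the question: wildcard pre-shared key ---
! Any Internet host that knows [key] may begin an IKE exchange with the hub.
! crypto isakmp key [key] address 0.0.0.0 0.0.0.0

! --- Option 2: one distinct key per fixed spoke address (hub side) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 86400
!
! Omitting the mask binds each key to that single /32 peer address.
crypto isakmp key SpokeA-secret address 198.51.100.10
crypto isakmp key SpokeB-secret address 198.51.100.20
crypto isakmp key SpokeC-secret address 198.51.100.30
!
crypto ipsec transform-set HUB-TS esp-aes 256 esp-sha256-hmac
!
! Interesting traffic, hub LAN 10.0.0.0/24 to each spoke LAN (hypothetical ranges)
ip access-list extended TO-SPOKE-A
 permit ip 10.0.0.0 0.0.0.255 10.1.0.0 0.0.0.255
ip access-list extended TO-SPOKE-B
 permit ip 10.0.0.0 0.0.0.255 10.2.0.0 0.0.0.255
ip access-list extended TO-SPOKE-C
 permit ip 10.0.0.0 0.0.0.255 10.3.0.0 0.0.0.255
!
crypto map HUB-MAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set HUB-TS
 match address TO-SPOKE-A
crypto map HUB-MAP 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set HUB-TS
 match address TO-SPOKE-B
crypto map HUB-MAP 30 ipsec-isakmp
 set peer 198.51.100.30
 set transform-set HUB-TS
 match address TO-SPOKE-C
!
! --- The "other policy" option 1 depends on: only the three spokes may reach
! IKE (UDP 500), NAT-T (UDP 4500) and ESP on the hub's public address.
! Worth keeping even with per-peer keys, so strangers never reach the IKE code.
ip access-list extended OUTSIDE-IN
 permit udp host 198.51.100.10 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.10 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.10 host 203.0.113.1
 permit udp host 198.51.100.20 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.20 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.20 host 203.0.113.1
 permit udp host 198.51.100.30 host 203.0.113.1 eq isakmp
 permit udp host 198.51.100.30 host 203.0.113.1 eq non500-isakmp
 permit esp host 198.51.100.30 host 203.0.113.1
 deny ip any any log
!
interface FastEthernet0
 description Internet-facing (hypothetical 1721 port)
 ip address 203.0.113.1 255.255.255.0
 ip access-group OUTSIDE-IN in
 crypto map HUB-MAP
```

Two practical points the thread only hints at. First, the wildcard form means every spoke shares one secret, so a compromised spoke (or a leaked config backup) can impersonate any other spoke to the hub; per-peer keys confine that to the one peer whose key leaked. Second, with the quad-0 key, IKE authentication is the only thing standing between an arbitrary Internet host and the hub's ISAKMP negotiation, which is why the inbound ACL above matters more in that configuration. After either option is applied, `show crypto isakmp sa` on the hub should list exactly the three spoke addresses in the QM_IDLE state and nothing else.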

Thank you all for the responses. We have a (mostly) successful implementation. Traffic passing well from hub to spokes. Working on a few spoke to hub issues.