I am confused. When reading about dynamic maps I learnt that we used 0.0.0.0 0.0.0.0 as destination when specifying the isakmp key, as we did not know what the source was going to be, and we assumed that the source was pointing to this router's IP address. In other words, one of the peers was pointing to the other peer when forming an isakmp negotiation.
But lately I have seen a lot of configs on CCO where both the routers have the 0.0.0.0 0.0.0.0 statement and none of them are pointing to each other for isakmp policy negotiation. Is this only valid in a point-to-point link or a hub and spoke topology? Or am I not understanding the concept?
I had posted this message before and someone responded that this is only true in DMVPN, where all peers are dynamically built using NHRP.
Is this true? How is the mGRE tunnel protected in the first place? I thought it was protected using IPsec?
DMVPN builds IPSec tunnels from spoke to hub. If your spokes have dynamically assigned IP addresses, you have no choice except using 0.0.0.0 0.0.0.0 for the IPSec key mask on the hub.
DMVPN builds IPSec tunnels on demand between spokes. Using the same spokes with dynamically assigned IP addresses, your only choice is to use 0.0.0.0 0.0.0.0 for the key on the spokes too.
The 0.0.0.0 0.0.0.0 mask could be more specific if you know the IP addresses assigned to your spokes - you can add keys for every peer, just like in a traditional IPSec deployment.
One of the selling points of DMVPN is the ability to add new spokes without changing the hub (at the expense of using one shared key). Adding new keys every time a spoke is provisioned requires more work.
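As an added example (not part of the original posts and not Cisco's code), this Python script audits an IOS configuration for how widely each ISAKMP pre-shared key is scoped, separating the wildcard 0.0.0.0 0.0.0.0 keys discussed above from per-peer and per-subnet keys. The sample configuration and key names are constructed, and treating a bare `address 0.0.0.0` with no mask as a wildcard is an assumption.

```python
import ipaddress
import re

# Global form: crypto isakmp key [0|6] <secret> address <ip> [mask]
GLOBAL_KEY = re.compile(
    r"^\s*crypto isakmp key (?:[06] )?\S+ address "
    r"(?P<ip>[\d.]+)(?: (?P<mask>[\d.]+))?\s*$")
# Keyring form: pre-shared-key address <ip> [mask] key [0|6] <secret>
KEYRING_KEY = re.compile(
    r"^\s*pre-shared-key address (?P<ip>[\d.]+)(?: (?P<mask>[\d.]+))?"
    r" key (?:[06] )?\S+\s*$")

def audit_psk_scope(config_text):
    """Return (line_no, scope, network) per pre-shared key line.

    scope is 'wildcard' (any peer may use the key), 'subnet' or 'host'.
    The secret itself is never returned, so the report is safe to share.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = GLOBAL_KEY.match(line) or KEYRING_KEY.match(line)
        if not m:
            continue
        ip, mask = m["ip"], m["mask"]
        if mask is None:
            # Assumption: no mask means a single host, except for a
            # bare 0.0.0.0, which is treated as the wildcard.
            mask = "0.0.0.0" if ip == "0.0.0.0" else "255.255.255.255"
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if net.prefixlen == 0:
            scope = "wildcard"
        elif net.prefixlen == 32:
            scope = "host"
        else:
            scope = "subnet"
        findings.append((line_no, scope, str(net)))
    return findings

# Constructed sample hub configuration (documentation addresses, fake keys).
SAMPLE_HUB = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key EXAMPLE-KEY-1 address 0.0.0.0 0.0.0.0
crypto isakmp key EXAMPLE-KEY-2 address 192.0.2.10
crypto isakmp key EXAMPLE-KEY-3 address 198.51.100.0 255.255.255.0
crypto keyring SPOKES
 pre-shared-key address 203.0.113.7 key EXAMPLE-KEY-4
"""

if __name__ == "__main__":
    for line_no, scope, net in audit_psk_scope(SAMPLE_HUB):
        print(f"line {line_no}: {scope:8} {net}")
```

A `wildcard` finding marks a key that every spoke shares, which is the trade-off the answer describes for adding spokes without touching the hub.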