
isakmp with no peer

NAVIN PARWAL
Level 2

Folks,

I am confused. When reading about dynamic maps I learnt that we used 0.0.0.0 0.0.0.0 as destination when specifying the isakmp key as we did not know what the source was going to be, and we assumed that the source was pointing to this router IP address. In other words, one of the peers was pointing to the other peer when forming an isakmp negotiation.

But lately I have seen a lot of configs on CCO where both the routers have the 0.0.0.0 0.0.0.0 statement and none of them are pointing to each other for isakmp policy negotiation. Is this only valid in a point-to-point link or a hub and spoke topology? Or am I not understanding the concept?

Thanks

crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0

2 Replies

ajagadee
Cisco Employee

Navin,

Your understanding of all zeros when defining Pre-Shared Key is correct. Basically, we define a PSK with 0.0.0.0 0.0.0.0 if we are not aware of the Source IP Address of the VPN Server that will initiate the connection.

Now, the CCO documents that you see with all zeros on both Hub and Spoke are for DMVPN. For example, see the URL below:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801982ae.shtml

DMVPN relies on Next Hop Redundancy Protocol (NHRP) information to build tunnels. The spokes build tunnels to other spokes using the NHRP information and there is no static configuration, and that is why you will see PSK with all zeros defined on the Hub as well as the spokes.

I hope it helps.

Regards,

Arul

** Please rate all helpful posts **
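A defender's view of the all-zeros key discussed above, as an added example that is not part of the original thread: a short Python audit that finds address-bound pre-shared keys in an IOS config and shows which entries cover a given peer address. The sample config is constructed (only its first line comes from the thread), the keyring form goes beyond what the thread shows, and the script does not model how IOS chooses among overlapping entries.

```python
import ipaddress
import re

# Constructed sample: line 1 is the key line quoted in the thread; the rest
# (keys, addresses, keyring name) are placeholders made up for this example.
SAMPLE_CONFIG = """\
crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0
crypto isakmp key SiteBKey address 192.0.2.10
crypto isakmp key 0 BranchKey address 198.51.100.0 255.255.255.0 no-xauth
crypto keyring DMVPN-RING
 pre-shared-key address 0.0.0.0 0.0.0.0 key RingKey
"""

QUAD = r"\d+\.\d+\.\d+\.\d+"
# Global form:  crypto isakmp key [0|6] <key> address <ip> [mask]
# Keyring form: pre-shared-key address <ip> [mask] key [0|6] <key>
PSK_PATTERNS = [
    re.compile(rf"^\s*crypto isakmp key (?:[06] )?\S+ address (?P<ip>{QUAD})(?: (?P<mask>{QUAD}))?"),
    re.compile(rf"^\s*pre-shared-key address (?P<ip>{QUAD})(?: (?P<mask>{QUAD}))? key "),
]

def parse_psk_entries(config):
    """Return (line_number, IPv4Network) for each address-bound PSK line."""
    entries = []
    for number, line in enumerate(config.splitlines(), 1):
        match = next((m for p in PSK_PATTERNS if (m := p.match(line))), None)
        if match is None:
            continue
        mask = match.group("mask") or "255.255.255.255"  # no mask: one host
        prefix = bin(int(ipaddress.IPv4Address(mask))).count("1")
        network = ipaddress.ip_network(f"{match.group('ip')}/{prefix}", strict=False)
        entries.append((number, network))
    return entries

def wildcard_entries(entries):
    """Entries whose mask covers every IPv4 source address (0.0.0.0 0.0.0.0)."""
    return [e for e in entries if e[1].prefixlen == 0]

def entries_covering(entries, peer):
    """Entries whose address/mask range contains the given peer address."""
    address = ipaddress.ip_address(peer)
    return [e for e in entries if address in e[1]]

if __name__ == "__main__":
    parsed = parse_psk_entries(SAMPLE_CONFIG)
    for number, network in wildcard_entries(parsed):
        print(f"line {number}: wildcard key, covers any peer address")
    for peer in ("192.0.2.10", "198.51.100.20", "203.0.113.7"):
        lines = [n for n, _ in entries_covering(parsed, peer)]
        print(f"{peer}: covered by key entries on lines {lines}")
```

A peer address that is covered only by wildcard entries, such as 203.0.113.7 in the sample, is authenticated by nothing but knowledge of the shared key, which is the review point for any config that uses the all-zeros form.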

Arul,

I will definitely rate your post. I have a question though. In DMVPN you are encrypting the mGRE tunnel using IPsec before the dynamic point-to-point tunnels come up using NHRP information.

My question is: how does IPsec encrypt the mGRE tunnel first? You do not need NHRP information between the hub and the spoke IPsec tunnel formation. How does 0.0.0.0 0.0.0.0 on both the hub and spoke facilitate the IPsec tunnel that encrypts the mGRE built carrying the routing updates?