Cisco Support Community
Community Member

isakmp with no peer


I am confused. When reading about dynamic maps I learnt that we used as destination when specifying the isakmp key as we did not know what the source was going to be, and we assumed that the source was pointing to this router IP address. In other words, one of the peers was pointing to the other peer when forming an isakmp negotiation.

But lately I have seen a lot of configs on CCO where both the routers have statement and none of them are pointing to each other for isakmp policy negotiation. Is this only valid in a point-to-point link or a hub and spoke topology? Or am I not understanding the concept?


crypto isakmp key Cisco12345 address

Cisco Employee

Re: isakmp with no peer


Your understanding of all zeros when defining a Pre-Shared Key is correct. Basically, we define a PSK with if we are not aware of the source IP address of the VPN server that will initiate the connection.

Now, the CCO documents that you see with all zeros on both hub and spoke are for DMVPN. For example the below URL:

DMVPN relies on Next Hop Redundancy Protocol (NHRP) information to build tunnels. The spokes build tunnels to other spokes using the NHRP information and there is no static configuration, and that is why you will see a PSK with all zeros defined on the hub as well as the spokes.

I hope it helps.



** Please rate all helpful posts **
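An added example, not part of the thread or of any Cisco document: a small audit that reports how wide each address-bound pre-shared key in an IOS configuration is, so the all-zeros keys discussed above can be found and reviewed. The sample configuration, key strings and keyring name are constructed, and the all-zeros form is assumed to be written as `address 0.0.0.0 0.0.0.0`.

```python
import ipaddress
import re

# Two IOS forms that bind a pre-shared key to a peer address:
#   crypto isakmp key [0|6] <key> address <ip> [<mask>] [no-xauth]
#   pre-shared-key address <ip> [<mask>] key [0|6] <key>   (inside a keyring)
PSK_RE = re.compile(
    r"^\s*(?:crypto isakmp key (?:[06] )?\S+ address "
    r"(?P<a1>\S+)(?: (?P<m1>\d+\.\d+\.\d+\.\d+))?"
    r"|pre-shared-key address "
    r"(?P<a2>\S+)(?: (?P<m2>\d+\.\d+\.\d+\.\d+))? key )"
)

# Constructed sample configuration (keys and names are placeholders).
SAMPLE = """\
crypto isakmp key ExampleKey0 address 0.0.0.0 0.0.0.0
crypto isakmp key 0 ExampleKey1 address 192.0.2.10
crypto keyring SPOKES
 pre-shared-key address 198.51.100.0 255.255.255.0 key ExampleKey2
"""


def audit_psk_scope(config_text):
    """Return (line_no, network, scope) for every address-bound PSK."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = PSK_RE.match(line)
        if not m:
            continue
        addr = m.group("a1") or m.group("a2")
        # A missing mask means the key is tied to exactly one peer.
        mask = m.group("m1") or m.group("m2") or "255.255.255.255"
        try:
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # not an IPv4 address/mask pair, skip the line
        if net.prefixlen == 0:
            scope = "wildcard"      # key is offered to any peer address
        elif net.prefixlen < 32:
            scope = "range"         # key is shared by a whole subnet
        else:
            scope = "single-peer"
        findings.append((line_no, str(net), scope))
    return findings


if __name__ == "__main__":
    for finding in audit_psk_scope(SAMPLE):
        print(finding)
```
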

Community Member

Re: isakmp with no peer


I will definitely rate your post. I have a question though. In DMVPN you are encrypting the mGRE tunnel using IPsec before the dynamic point-to-point tunnels come up using NHRP information.

My question is: how does IPsec encrypt the mGRE tunnel first? You do not need NHRP information between the hub and the spoke IPsec tunnel formation. How does on both the hub and spoke facilitate the IPsec tunnel that encrypts the mGRE built carrying the routing updates?
