isakmp with 0.0.0.0 0.0.0.0

NAVIN PARWAL
Level 2

Folks,

I am confused. When reading about dynamic maps I learnt that we used 0.0.0.0 0.0.0.0 as destination when specifying the isakmp key, as we did not know what the source was going to be, and we assumed that the source was pointing to this router's IP address. In other words, one of the peers was pointing to the other peer when forming an isakmp negotiation.

But lately I have seen a lot of configs on CCO where both the routers have the 0.0.0.0 0.0.0.0 statement and none of them are pointing to each other for isakmp policy negotiation. Is this only valid in a point-to-point link or a hub-and-spoke topology? Or am I not understanding the concept?

I had posted this message before and someone responded that this is only true in DMVPN, where all peers are dynamically built using NHRP.

Is this true? How is the mGRE tunnel protected in the first place? I thought it was protected using IPsec?

Thanks

crypto isakmp key Cisco12345 address 0.0.0.0 0.0.0.0

2 Replies

MaseBarnes
Level 1

Could you post a link for the named example, please?

mGRE gets protected using IPSec.

DMVPN builds IPSec tunnels from spoke to hub. If your spokes have dynamically assigned IP addresses, you have no choice except using 0.0.0.0 0.0.0.0 for IPSec key mask in the hub.

DMVPN builds IPSec tunnels on demand between spokes. Using the same spokes with dynamically assigned IP addresses, your only choice is to use 0.0.0.0 0.0.0.0 for key in spokes too.

The 0.0.0.0 0.0.0.0 mask could be more specific if you know the IP addresses assigned to your spokes - you can add keys for every peer, just like in a traditional IPSec deployment.

One of the selling points of DMVPN is the ability to add new spokes without changing the hub (at the expense of using one shared key). Adding new keys every time a spoke is provisioned requires more work.