03-23-2021 08:33 AM
Hi everyone,
I have one doubt about the below command when it is used in DMVPN.
crypto isakmp key cisco address 0.0.0.0
When should we use 0.0.0.0 on the Hub, and when should we use it on the Spokes?
Is there any reasoning for using it in a specific area? Please share the link to any documents, if available.
Thanks in advance.
Jason
03-23-2021 08:38 AM - edited 03-23-2021 08:53 AM
Hi @Cisconew
This command specifies a pre-shared key when authenticating IKE. In this instance, using 0.0.0.0 means the key specified applies to any source IP address, which is generally bad practice.
Normally you'd have multiple pre-shared keys (PSKs), one per peer, with unique pre-shared keys, e.g.:
crypto isakmp key cisco1234 address 1.1.1.1
crypto isakmp key cisco5678 address 2.2.2.1
Obviously each router, hub and potentially spoke (if spoke-to-spoke tunnels) would need to know all the PSKs.
https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfike.html#wp1017897
HTH
03-23-2021 09:02 AM
For the Hub, because the IP of the Spoke is unknown to the Hub, we will use 0.0.0.0.
For a Spoke, if the traffic will go only to the Hub and the Hub will resend it to the other Spoke, then we will NOT use 0.0.0.0.
For a Spoke, if the traffic will go to the other Spoke directly, then use 0.0.0.0.
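As an added illustration (not code from this thread or from Cisco), here is a small Python audit that pulls the crypto isakmp key ... address lines out of an IOS configuration and applies the hub/spoke rule of thumb given above: a wildcard entry is expected on a hub or on a spoke that builds direct spoke-to-spoke tunnels, and flagged on a hub-and-spoke-only spoke, while one secret shared across several explicit peers is flagged as well. The hub and spoke configs, the addresses and the key strings are constructed samples.

```python
import re
from collections import defaultdict

# Constructed sample configs (not taken from the thread). Addresses are from
# the RFC 5737 documentation ranges; key strings are placeholders.
HUB_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key AnySpokeSecret address 0.0.0.0 0.0.0.0
crypto isakmp key StaticSpokes address 198.51.100.7
crypto isakmp key StaticSpokes address 198.51.100.8
"""
SPOKE_CONFIG = """\
crypto isakmp policy 10
 authentication pre-share
crypto isakmp key HubSecret address 192.0.2.1
"""

# crypto isakmp key [0|6] <keystring> address <peer> [<mask>]
KEY_RE = re.compile(
    r"^crypto isakmp key\s+(?:[06]\s+)?(\S+)\s+address\s+(\S+)(?:\s+(\S+))?$")


def parse_isakmp_keys(config):
    """Return (keystring, peer_address, mask) for every PSK line in config."""
    entries = []
    for line in config.splitlines():
        m = KEY_RE.match(line.strip())
        if m:
            key, addr, mask = m.groups()
            entries.append((key, addr, mask or "255.255.255.255"))
    return entries


def audit_isakmp_keys(config, role, spoke_to_spoke=False):
    """Flag wildcard and shared PSKs; role is 'hub' or 'spoke'.

    A hub, or a spoke building direct spoke-to-spoke tunnels, cannot know
    every peer address up front, so a wildcard is expected there ('info').
    A hub-and-spoke-only spoke knows its hub's address and should pin the
    key to it, so a wildcard there is reported as 'warn'."""
    findings, peers_by_key = [], defaultdict(list)
    for key, addr, mask in parse_isakmp_keys(config):
        peers_by_key[key].append(addr)
        if addr == "0.0.0.0" or mask == "0.0.0.0":
            sev = "info" if (role == "hub" or spoke_to_spoke) else "warn"
            findings.append((sev, f"wildcard PSK entry '{addr} {mask}'"))
    for addrs in peers_by_key.values():
        if len(addrs) > 1:  # same secret shared by several explicit peers
            findings.append(("warn", "key reused for peers " + ", ".join(addrs)))
    return findings
```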