
isakmp with 0.0.0.0 -DMVPN

Cisconew
Level 1

Hi everyone,

I have one doubt about the below command while using it in DMVPN.

crypto isakmp key cisco address 0.0.0.0 

When should we use 0.0.0.0 on the Hub, and when should we use it on the Spokes?

Is there any reasoning for using it in a specific area? Please share the link for any documents, if available.

Thanks in advance.

 

Jason

2 Replies

Hi @Cisconew 

This command specifies a pre-shared key when authenticating IKE. In this instance, using 0.0.0.0 means the key specified applies to any source IP address; that is generally bad practice.

 

Normally you'd have multiple pre-shared keys (PSKs) per peer, with unique pre-shared keys, e.g.:

crypto isakmp key cisco1234 address 1.1.1.1
crypto isakmp key cisco5678 address 2.2.2.1   

Obviously each router, hub and potentially spoke (if spoke-to-spoke tunnels) would need to know all the PSKs.

 

https://www.cisco.com/c/en/us/td/docs/ios/12_2/security/command/reference/srfike.html#wp1017897

HTH

For the Hub, because the IP of the Spoke is unknown to the Hub, we will use 0.0.0.0.
For a Spoke, if the traffic will go only to the Hub and the Hub will resend it to the other Spoke, then we will NOT use 0.0.0.0.
For a Spoke, if the traffic will go to the other Spoke directly, then use 0.0.0.0.
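
Added example, not part of either reply and not Cisco code: a small Python check that scans IOS configuration text for the wildcard "crypto isakmp key ... address 0.0.0.0" form discussed in this thread. It goes slightly beyond the thread by also flagging a key bound to a subnet mask and a key reused for several peers. The function names and the sample configurations are constructed for illustration, and findings never echo the key value.

```python
import re
from collections import defaultdict

# Matches: crypto isakmp key [0|6] <key> address <ip> [mask]
PSK_RE = re.compile(
    r"^\s*crypto isakmp key (?:(?P<enc>[06]) )?(?P<key>\S+) address "
    r"(?P<addr>\d+\.\d+\.\d+\.\d+)(?: (?P<mask>\d+\.\d+\.\d+\.\d+))?\s*$"
)

def parse_psks(config):
    """Return (key, address, mask-or-None) for every address-bound ISAKMP PSK line."""
    found = []
    for line in config.splitlines():
        m = PSK_RE.match(line)
        if m:
            found.append((m["key"], m["addr"], m["mask"]))
    return found

def audit(config):
    """Return (finding, peer) tuples; the key itself is deliberately left out."""
    findings = []
    peers_by_key = defaultdict(list)
    for key, addr, mask in parse_psks(config):
        peers_by_key[key].append(addr)
        if addr == "0.0.0.0":
            # Key is accepted from any source address (the case in the question)
            findings.append(("wildcard", addr))
        elif mask not in (None, "255.255.255.255"):
            # Key covers a whole subnet rather than one peer
            findings.append(("range", f"{addr} {mask}"))
    for peers in peers_by_key.values():
        if len(peers) > 1:
            # Same secret configured for more than one peer
            findings.append(("shared-key", ",".join(sorted(peers))))
    return findings

# Constructed sample inputs; the first two reuse the lines quoted in the thread.
SAMPLE_WILDCARD = "crypto isakmp key cisco address 0.0.0.0 \n"
SAMPLE_PER_PEER = ("crypto isakmp key cisco1234 address 1.1.1.1\n"
                   "crypto isakmp key cisco5678 address 2.2.2.1\n")
SAMPLE_MIXED = ("crypto isakmp key 0 s3cret address 192.0.2.1\n"
                "crypto isakmp key 0 s3cret address 192.0.2.2\n"
                "crypto isakmp key other address 198.51.100.0 255.255.255.0\n")

if __name__ == "__main__":
    for name in ("SAMPLE_WILDCARD", "SAMPLE_PER_PEER", "SAMPLE_MIXED"):
        print(name, audit(globals()[name]))
```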