Question about the "crypto keyring" command

I was doing an ATC Lab tonight "VRF Aware DMVPN" and the Lab answer guide used the following command.

crypto keyring DMVPN vrf UNDERLAY_TRANSPORT
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN_PSK

One of the requirements for the lab is as follows:

  • R6 is the DMVPN Hub, and should source the tunnel from its Loopback 6.6.6.6/32.

So I used the following command

crypto keyring DMVPN vrf UNDERLAY_TRANSPORT
  local-address Loopback6
  pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN_PSK

So everything came up fine with either command, which got me thinking. The lab requirement has you use a specific Loopback as the source, in this case 6.6.6.6 or Loopback 6.

After doing a debug I don't understand why the first command without the local-address keyword is working. I see everything is going to and coming from 6.6.6.6. I don't understand why this is working without the local-address keyword. I would assume the remote router would send a request to 6.6.6.6 but the Hub router (6.6.6.6) would respond back with the local interface address (in this case 155.1.146.6), which should break phase 1.

ISAKMP:(0): sending packet to 6.6.6.6 my_port 500 peer_port 500 (I) MM_SA_SETUP
ISAKMP:(0):Send
R5#ing an IKE IPv4 Packet.
ISAKMP:(0):Input = IKE_MESG_INTERNAL, IKE_PROCESS_COMPLETE
ISAKMP:(0):Old State = IKE_I_MM2  New State = IKE_I_MM3

ISAKMP (0): received packet from 6.6.6.6 dport 500 sport 500 UNDERLAY_TRANSPORT (I) MM_SA_SETUP
ISAKMP:(0):Input = IKE_MESG_FROM_PEER, IKE_MM_EXCH
ISAKMP:(0):Old State = IKE_I_MM3  New State = IKE_I_MM4

What am I missing here?

Comments

  • Hi,

    Per the task requirements, you need to use the "tunnel source Loopback" command when you define the mGRE tunnel. The command that you configure at the keyring level has to do with the IPsec tunnel, and is a restriction saying that the keyring is valid only for IPsec tunnels initiated from or destined to its Loopback. With mGRE, you always know the tunnel source, but the tunnel destination is learned through NHRP.

    Regards,

    Cristian.

  • Oh ok, the keyring local address keyword had nothing to do with the tunnel. Gosh, I totally missed that. I just assumed they both had to be sourced from the loopback interface but that was an incorrect assumption. Thanks for clearing that up. 
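
To make the two commands concrete, the following hub-side configuration is an added example, not the original poster's config or the lab answer guide. It places the GRE tunnel source on Loopback6 with "tunnel source", binds the keyring to that same loopback with "local-address", and uses "tunnel vrf" so that the GRE transport and the IKE/IPsec negotiation both run in the UNDERLAY_TRANSPORT front-door VRF. The keyring name DMVPN, the VRF UNDERLAY_TRANSPORT, Loopback6 with 6.6.6.6/32 and the key DMVPN_PSK come from the thread; the tunnel number, the overlay address 10.0.0.6/24, the NHRP network-id, the ISAKMP policy values, and the transform-set and IPsec profile names are assumptions chosen for this example.

```cisco
! Underlay (front-door) VRF; the tunnel source lives here (from the thread).
vrf definition UNDERLAY_TRANSPORT
 address-family ipv4
 exit-address-family
!
interface Loopback6
 vrf forwarding UNDERLAY_TRANSPORT
 ip address 6.6.6.6 255.255.255.255
!
! Keyring from the thread. "vrf" says the IKE peer addresses are looked up in the
! front-door VRF; "local-address" only restricts which local address this keyring
! is considered for, it does not choose the tunnel source.
crypto keyring DMVPN vrf UNDERLAY_TRANSPORT
 local-address Loopback6
 pre-shared-key address 0.0.0.0 0.0.0.0 key DMVPN_PSK
!
! ISAKMP policy values are assumptions for this example.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
!
! Transport mode is used because IPsec only protects the GRE packets between
! the tunnel endpoints. Names are assumptions.
crypto ipsec transform-set TS_AES_SHA256 esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN_PROFILE
 set transform-set TS_AES_SHA256
!
! mGRE hub interface. "tunnel source Loopback6" is the command that actually
! satisfies the "source the tunnel from 6.6.6.6" requirement; "tunnel vrf"
! makes GRE and IKE/IPsec use the front-door VRF. Tunnel number, overlay
! addressing and NHRP network-id are assumptions.
interface Tunnel0
 ip address 10.0.0.6 255.255.255.0
 no ip redirects
 ip nhrp network-id 1
 ip nhrp map multicast dynamic
 tunnel source Loopback6
 tunnel mode gre multipoint
 tunnel key 1
 tunnel vrf UNDERLAY_TRANSPORT
 tunnel protection ipsec profile DMVPN_PROFILE
```

With tunnel protection, IKE is negotiated between the tunnel source and the NHRP-learned tunnel destination, so IKE on the hub is sourced from 6.6.6.6 because of "tunnel source Loopback6", with or without "local-address" on the keyring. The "local-address" line becomes meaningful when several keyrings coexist and you want this one matched only for IKE sessions that use the loopback. To confirm which addresses and VRF the sessions are actually using, check "show dmvpn" and "show crypto isakmp sa" on the hub.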
