topic Re: Migrating Site-Site VPN in Network Security

Migrating Site-Site VPN

dasgill — Mon, 11 Mar 2019 11:57:21 GMT

I currently have a site-site VPN (VPN1) betwween a Cisco Pix 506E and an ASA 5510 in HK and Leeds respectively. I need to move the IPsec tunnel to another internet gateway (10 Mb) in Leeds to which is connected a Cisco Pix 506E. To make any changes to the PIX 506E in HK, I will need to connect to it accross the current VPN tunnel (VPN1). I run the risk of loosing connectivity to HK if changes are made to the VPN1 configuration in HK. How do I work around this ? Can I create a second VPN tunnel (VPN2) and then shutdown VPN1 when the new VPN is up and running?

Re: Migrating Site-Site VPN

Jon Marshall — Fri, 01 Feb 2008 08:55:11 GMT

Yes, that is exactly what you should do. Are you comfortable with doing it on the HK device ?

Jon

Re: Migrating Site-Site VPN

dasgill — Fri, 01 Feb 2008 10:51:08 GMT

Dear Jon,

I am comfortable creating the tunnel on the HK device. I am assuming everything should be fine as long as the isakmp poliy number, transformset and crytomap names are different on for the 2 tunnel configurations on the HK device.

Re: Migrating Site-Site VPN

Jon Marshall — Fri, 01 Feb 2008 10:59:34 GMT

Isakmp policy number is not tied to the peer ip address so you can use the same one for both connections, unless you are actually changing something within the ISAKMP policy.

The same goes for the transform-set.

The crypto map name will not be different because you can only apply one crypto map name to an interface. Just use a different index number. So if your existing crypto map looks like

crypto map vpnset 1 ipsec-isakmp

crypto map vpnset 1 set peer x.x.x.x

crypto map vpnset 1 match address "acl"

etc..

for the new VPN

crypto map vpnset 2 ipsec-isakmp

crypto map vpnset 2 set peer x.x.x.x

etc...

assuming of course you aren't already using index number 2.

HTH

Jon

Re: Migrating Site-Site VPN

dasgill — Fri, 01 Feb 2008 11:49:23 GMT

Dear Jon,

Thank you very much. As far as isakmp is concerned I will need to add a different key for the second tunnel:

isakmp key ***** address netmask 255.255.255.255.

Cryto map: change index number.

How do I take tumnnel VPN1 down once VPN2 is up and running.

Re: Migrating Site-Site VPN

Jon Marshall — Fri, 01 Feb 2008 12:13:26 GMT

Yes you will need a different isakmp key.

Do you mean take it down or make sure it can't be used again ?

Take down

clear crypto ipsec sa peer x.x.x.x

To ensure it can't be used again remove config or at very least the isakmp key.

Jon

Re: Migrating Site-Site VPN

dasgill — Fri, 01 Feb 2008 12:22:24 GMT

Thanks Jon

Re: Migrating Site-Site VPN

dasgill — Mon, 04 Feb 2008 15:17:31 GMT

I have configured both firewalls as advised by Jon but I am geeting some errors when attempting to pass interesting traffic. I attach the errors and the configs for the 2 PIx's below:

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24150, mess id 0x47595d7)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

Feb 04 15:06:42 [IKEv1]: QM FSM error (P2 struct &0x1b24860, mess id 0x9cafcd4d)!

Feb 04 15:06:42 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

sh Feb 04 15:06:47 [IKEv1]: QM FSM error (P2 struct &0x1d085d0, mess id 0x458d4091)!

Feb 04 15:06:47 [IKEv1]: Group = 192.168.0.1, IP = 192.168.0.1, Removing peer from correlator table failed, no match!

sh crypto isakmp sa

Active SA: 1

Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 1

1 IKE Peer: 192.168.0.1

Type : L2L Role : initiator

Rekey : no State : MM_ACTIVE

PIX 1 (192.168.0.3)

crypto ipsec transform-set ford esp-des esp-md5-hmac

crypto map VPNHK 2 match address outside_crypto_acl

crypto map VPNHK 2 set peer 192.168.0.1

crypto map VPNHK 2 set transform-set ford

crypto map VPNHK interface outside

isakmp identity address

isakmp enable outside

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000

isakmp am-disable

console timeout 0

tunnel-group 192.168.0.1 type ipsec-l2l

tunnel-group 192.168.0.1 ipsec-attributes

pre-shared-key ev0lut10n

PIX 2 (192.168.0.1)

crypto ipsec transform-set chevvie esp-des esp-md5-hmac

crypto map transam 1 ipsec-isakmp

crypto map transam 1 match address 101

crypto map transam 1 set peer 192.168.0.2

crypto map transam 1 set transform-set chevvie

crypto map transam 2 ipsec-isakmp

crypto map transam 2 match address 101

crypto map transam 2 set peer 192.168.0.3

crypto map transam 2 set transform-set chevvie

crypto map transam interface outside

isakmp enable outside

isakmp key ichabod address 192.168.0.2 netmask 255.255.255.255

isakmp key ev0lut10n address 192.168.0.3 netmask 255.255.255.255

isakmp identity address

isakmp policy 1 authentication pre-share

isakmp policy 1 encryption des

isakmp policy 1 hash md5

isakmp policy 1 group 1

isakmp policy 1 lifetime 1000