08-10-2021 11:50 AM
Hello,
My manager has tasked me with changing the pre-shared local and remote keys of our 20+ home office IKEv2 site-to-site VPNs. They are either an ASA 5505 (retiring) or Cisco C881 router. Both are using IKEv2.
I want to be able to remote into the device, run some commands that will change the local and remote pre-shared keys, and be able to do it one home user at a time. I would like to have two tunnel-groups defined at our ASA 5525 head-end so we can have the old keys and the new keys.
Where I'm running into troubles is most of our home users are DHCP from their ISP, so I can't designate by peer IP address. How would one go about getting this to work with an IKEv2 setup? I found this article, but it doesn't apply to our current setup:
08-10-2021 12:11 PM
I assume you currently use the Default L2L Group tunnel group?
How about you create a new tunnel group based on the current dhcp ip address for each ASA, which you should easily be able to determine from the ASA. As this is more specific, this tunnel will match and you can use the new PSK. Migrate all ASAs using this method and then finally change the Default L2L Group to the new PSK and remove the other tunnel groups.
08-10-2021 12:16 PM
We do currently use the Default L2L group. That is a great idea! So on the head-end just make another tunnel-group that designates the peer IP address at the time, get them all changed, then change the default L2L group to the new keys?
The only problem I'm seeing with that is there are always 2-5 home users that are not on all the time. This seems like an all or nothing type of solution, right?
08-10-2021 12:23 PM
Yeah I don't see an obvious other method to do this, as I've not faced this issue before.
I'd suggest you arrange for those other home users to get their hardware turned on and once they are all online make the change over a short period of a couple of days, hopefully the DHCP IP addresses won't change in this period.
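The per-site migration described in the accepted answer, written out as an added configuration example (not from the original thread or any of the posters). Peer addresses, key strings and the keyring/peer names are placeholders, and the router side assumes its existing IKEv2 profile already references the keyring being edited.

```cisco
! Head-end ASA 5525 (constructed example; addresses and keys are placeholders)
! 1. Find the DHCP-assigned address the site is currently connecting from
show crypto ikev2 sa

! 2. Add a tunnel-group keyed on that peer address; it is more specific than
!    DefaultL2LGroup, so only this one site moves to the new keys
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key NEW-REMOTE-KEY
 ikev2 local-authentication pre-shared-key NEW-LOCAL-KEY

! 3. Matching C881 (IOS IKEv2 keyring). The keys are mirrored: the router's
!    "local" key must equal the ASA's "remote" key, and vice versa
crypto ikev2 keyring HOME-KEYRING
 peer HEADEND
  address 198.51.100.1
  pre-shared-key local NEW-REMOTE-KEY
  pre-shared-key remote NEW-LOCAL-KEY

! 4. Tear down the existing SA so the tunnel re-authenticates with the new
!    keys, then confirm it is back up (run on either side)
clear crypto ikev2 sa
show crypto ikev2 sa

! 5. Once every site has been migrated, move DefaultL2LGroup to the new keys
!    and drop the per-peer groups; the default group then also covers any
!    site whose DHCP address has changed since its per-peer group was made
tunnel-group DefaultL2LGroup ipsec-attributes
 ikev2 remote-authentication pre-shared-key NEW-REMOTE-KEY
 ikev2 local-authentication pre-shared-key NEW-LOCAL-KEY
clear configure tunnel-group 203.0.113.10
```

A site that is offline during the migration simply keeps failing against DefaultL2LGroup until its router is updated, so the list of sites still on the old keys is visible from which peers no longer appear in `show crypto ikev2 sa` after step 5.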