cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1294
Views
5
Helpful
3
Replies

Change pre-shared keys on the fly for ikev2 dyname VPN

Travis-Fleming
Level 1
Level 1

Hello,

My manager has tasked me with changing the pre-shared local and remote keys of our 20+ home office Ikev2 site-to-site VPN's. They are either an ASA 5505 (retiring) or Cisco C881 router. Both are using ikev2.

 

I want to be able to remote into the device, run some commands that will change the local and remote pre-shared keys, and be able to do it one home user at a time. I would like to have two tunnel-groups defined at our ASA 5525 head-end so we can have the old keys and the new keys.

 

Where I'm running into troubles is most our home users are DHCP from their ISP, so I can't designate by peer IP address. How would one go about getting this to work with an ikev2 setup? I found this article, but it doesn't apply to our current setup:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113573-sol-tunnels-groups.html

1 Accepted Solution

Accepted Solutions

@Travis-Fleming 

I assume you currently use the Default L2L Group tunnel group?

 

How about you create a new tunnel group based on the current dhcp ip address for each ASA, which you should easily be able to determine from the ASA. As this is more specific, this tunnel will match and you can use the new PSK. Migrate all ASAs using this method and then finally change the Default L2L Group to the new PSK and remove the other tunnel groups.

View solution in original post

3 Replies 3

@Travis-Fleming 

I assume you currently use the Default L2L Group tunnel group?

 

How about you create a new tunnel group based on the current dhcp ip address for each ASA, which you should easily be able to determine from the ASA. As this is more specific, this tunnel will match and you can use the new PSK. Migrate all ASAs using this method and then finally change the Default L2L Group to the new PSK and remove the other tunnel groups.

We do currently use the Default L2L group. That is a great idea! So on the head-end just make another tunnel-group that designates the peer IP address at the time, get them all changed, then change the default L2L group to the new keys?

 

The only problem I'm seeing with that is there are always 2-5 home users that are not on all the time. This seams like an all or nothing type of solution right?

@Travis-Fleming 

Yeah I don't see an obvious other method to do this, as I've not faced this issue before.

 

I'd suggest you arrange for those other home users to get there hardware turned on and once they are all online make the change over a short period of a couple of days, hopefully the dhcp IP addresses won't change in this period.

 

 

Review Cisco Networking for a $25 gift card