I am looking to migrate an IPSec endpoint, with numerous peers, off of an IOS loopback (/32) address to an ASA active/standby configuration. Is there a recommended configuration for emulating this loopback address on the ASA?
I do not want to apply new addressing of any sort for this IPSec endpoint during the migration, as the numerous remote peers to it, which are not under my control, would all have to be updated at the same time - something that is not easily accomplished as they are all separate organizational entities.
Perhaps there are aspects of your question that I am not understanding. But it seems fairly simple to me if I am correct in my understanding. If you have an IOS router with multiple IPSec tunnels using the loopback address as the peering address and you want to move them to a pair of ASA, then you need to configure the interface of the ASA to use the IP address that is currently on the IOS router as the address of the active member of the ASA pair. (and of course you need to have configured IPSec tunnels on the ASA that correspond to the tunnels of the IOS router)
If that is not the answer that you are expecting then please help me to understand the question better.
Correct, but as I understand it the ASA does not support loopbacks, or for that matter any subnet smaller than /30.
My problem is that the current endpoint on my side is the /32 (advertised by the IOS router) in a redundant manner, and using that address means using the whole subnet around it - right? Which would mean stomping on other loopbacks used on other boxes.
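A pre-migration check for the constraint raised in the post above, as an added example that is not from this thread: given the existing /32 peer address and the other loopback addresses in use, it computes the enclosing /30 the ASA interface would need and reports whether the peer address is even a usable host in that subnet and which other loopbacks the subnet would stomp on. The addresses are constructed, and it assumes the ASA active/standby pair needs two host addresses (active plus standby) in that subnet.

```python
import ipaddress


def enclosing_subnet(peer: str, prefixlen: int = 30) -> ipaddress.IPv4Network:
    """Smallest /prefixlen subnet that contains the existing /32 peer address."""
    return ipaddress.ip_network(f"{peer}/{prefixlen}", strict=False)


def migration_check(peer: str, other_loopbacks: list[str], prefixlen: int = 30) -> dict:
    """Report what moving a /32 peer onto a /prefixlen ASA interface would consume."""
    net = enclosing_subnet(peer, prefixlen)
    peer_ip = ipaddress.ip_address(peer)
    # On a /30 the first and last addresses are network and broadcast,
    # so only two host addresses remain; hosts() excludes both.
    usable = list(net.hosts())
    # Any other loopback inside the enclosing subnet would be overlapped
    # (and its /32 route shadowed or conflicting) once the ASA owns the subnet.
    colliding = sorted(
        ipaddress.ip_address(lb)
        for lb in other_loopbacks
        if ipaddress.ip_address(lb) in net
    )
    peer_usable = peer_ip in usable
    return {
        "subnet": str(net),
        "peer_is_usable_host": peer_usable,
        "hosts_available": [str(h) for h in usable],
        "colliding_loopbacks": [str(c) for c in colliding],
        # Assumption: active/standby needs two free hosts; a /30 has exactly two,
        # so any collision or an unusable peer address rules the subnet out.
        "room_for_standby": peer_usable and len(usable) >= 2 and not colliding,
    }


if __name__ == "__main__":
    # Constructed sample: the IPSec peer loopback plus neighbouring loopbacks
    # on other routers in the same documentation range.
    print(migration_check("192.0.2.5", ["192.0.2.6", "192.0.2.9", "192.0.2.10"]))
    print(migration_check("192.0.2.8", ["192.0.2.9"]))
```

A peer address that lands on the network or broadcast position of its /30 (192.0.2.8 in the second sample) cannot be assigned to the ASA interface at all, regardless of collisions.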
Thanks for the additional information. It does put the problem into a different perspective. It seems to me that you have pretty much a contradictory set of requirements. You want to move the IPSec tunnels; moving the tunnels without requiring changes in the peers requires that the peer address move with the tunnels, but the address cannot move without impacting other parts of the network.
Perhaps some other participant in the forum can see a solution for this. But I am not seeing a way to satisfy both the requirement that remote peers do not need to change their configuration, and that the IPSec tunnels move to the ASA without changing the way that you are doing loopbacks on the routers.