12-23-2012 11:13 PM - edited 03-11-2019 05:40 PM
I have a site-to-site VPN using 2 Cisco 5510s.
Let's call it site A and site B.
Site B's 5510 was recently loaded with a saved config and communication between the sites is fine.
SSH and RDP work perfectly.
Now the site has changed ISP and has a new IP address.
Following instructions, I have done this on site A:
Let's say the new IP is 4.4.4.4
clear configure tunnel-group 2.2.2.2
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key x.x.x.x
no crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set peer 4.4.4.4
However I can no longer ssh or rdp from B to A.
OUTPUT OF CONFIG BEFORE ABOVE CHANGE.
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp identity hostname
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
tunnel-group Pleasanton type remote-access
tunnel-group Pleasanton general-attributes
address-pool Pleasanton
default-group-policy Pleasanton_1
tunnel-group Pleasanton ipsec-attributes
pre-shared-key xxxxxxxxxxxxxxxxxxxxxx
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
12-24-2012 03:37 AM
Hi Duong,
One of my clients also changed the ISP for our LL VPN; we were using ASA 5510s as end devices.
Please find below the steps I did in order to make my tunnel up and working.
SITE A (Site that IS changing ISPs):
1. First find all configurations using the OLD IP Segment:
sh run | inc 191.70.100.
2. Using notepad, remove all the configurations with the old IP Addresses/Segment. This will include Static NATs,
ACLs, Names, etc… and change it to the new IP Addresses/Segment.
3. Change the IP Address on the WAN interface.
4. Change the Default Gateway.
Now go over to SITE B's ASA.
SITE B (Site that is NOT changing ISPs):
1. Add the new peer:
crypto map vpnmap 60 set peer 88.100.200.66
2. Remove the old one:
no crypto map vpnmap 60 set peer 191.70.100.22
3. Create the tunnel-group with the pre-shared key:
tunnel-group 88.100.200.66 type ipsec-l2l
tunnel-group 88.100.200.66 ipsec-attributes
pre-shared-key c1scoK3y
4. Remove the old tunnel-group:
clear configure tunnel-group 191.70.100.22
That's it. The tunnel should go up when you send some packets through the tunnel.
Thanks
Roopesh
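To make the peer-change procedure above mechanical and reviewable, here is an added Python example (it is not from the thread and not Cisco's code) that takes a running-config excerpt, reproduces the "sh run | inc <old-ip>" search from Site A step 1 so nothing referencing the old peer is missed, and emits the Site B command sequence from steps 1-4 in exactly that order (add the new peer, remove the old, create the new tunnel-group, clear the old). The config text, the peer addresses 2.2.2.2 / 4.4.4.4 and the pre-shared-key placeholder are constructed for the example; the script assumes the running config is in standard ASA CLI form.

```python
import ipaddress
import re
from typing import List

# Constructed sample of an ASA running-config excerpt, modelled on the
# configuration posted in this thread (not taken from a real device).
SAMPLE_RUNNING_CONFIG = """\
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set transform-set ESP-AES-128-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
tunnel-group Pleasanton type remote-access
tunnel-group 2.2.2.2 type ipsec-l2l
tunnel-group 2.2.2.2 ipsec-attributes
 pre-shared-key *****
"""


def _check_ipv4(addr: str) -> str:
    """Reject anything that is not a plain IPv4 address before it lands in a command."""
    ipaddress.IPv4Address(addr)  # raises ValueError / AddressValueError on bad input
    return addr


def lines_referencing(config: str, old_ip: str) -> List[str]:
    """Equivalent of 'sh run | inc <old-ip>', but anchored so that 2.2.2.2 does not
    also match 12.2.2.2 or 2.2.2.22.  Returns every line that still names the old peer;
    run it again after the change and expect an empty list."""
    _check_ipv4(old_ip)
    pat = re.compile(r"(?<![\d.])" + re.escape(old_ip) + r"(?![\d.])")
    return [ln.rstrip() for ln in config.splitlines() if pat.search(ln)]


def peer_change_commands(config: str, old_ip: str, new_ip: str, psk: str) -> List[str]:
    """Build the ASA commands for the site that is NOT changing ISPs.

    For every static crypto-map entry whose peer is old_ip: add the new peer first,
    then remove the old one.  If an ipsec-l2l tunnel-group exists for old_ip, create
    the new tunnel-group (with the same PSK the far side is configured with) and only
    then clear the old one, so there is no moment where neither peer has a tunnel-group.
    """
    _check_ipv4(old_ip)
    _check_ipv4(new_ip)
    if not psk:
        raise ValueError("pre-shared key must not be empty")

    cmds: List[str] = []
    peer_re = re.compile(r"^crypto map (\S+) (\d+) set peer " + re.escape(old_ip) + r"$")
    for ln in config.splitlines():
        m = peer_re.match(ln.strip())
        if m:
            map_name, seq = m.groups()
            cmds.append(f"crypto map {map_name} {seq} set peer {new_ip}")
            cmds.append(f"no crypto map {map_name} {seq} set peer {old_ip}")

    has_l2l_group = any(
        ln.strip() == f"tunnel-group {old_ip} type ipsec-l2l" for ln in config.splitlines()
    )
    if has_l2l_group:
        cmds += [
            f"tunnel-group {new_ip} type ipsec-l2l",
            f"tunnel-group {new_ip} ipsec-attributes",
            f"pre-shared-key {psk}",
            f"clear configure tunnel-group {old_ip}",
        ]
    return cmds


if __name__ == "__main__":
    print("Lines still referencing the old peer:")
    for line in lines_referencing(SAMPLE_RUNNING_CONFIG, "2.2.2.2"):
        print("  " + line)
    print("\nCommands to apply on the non-changing site:")
    for cmd in peer_change_commands(SAMPLE_RUNNING_CONFIG, "2.2.2.2", "4.4.4.4", "EXAMPLE-PSK-PLACEHOLDER"):
        print("  " + cmd)
```

The generated list is meant to be pasted into a change ticket and reviewed, not applied blindly: lines that reference the old address but are not crypto-map peers or tunnel-groups (static NATs, ACLs, names, as Roopesh's step 2 notes) still show up in lines_referencing() and have to be handled by hand.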
12-24-2012 12:52 PM
Thank you, this is like my post at the top.
Tunnel didn't go up. I see lots of this error message:
IKE Peer address not configured for destination 0.0.0.0
Not sure if this has anything to do with it or not.
12-26-2012 07:02 AM
Hi,
Can you please paste the output of
debug crypto isakmp
Thanks
Roopesh
12-26-2012 07:35 AM
Hi Duong,
When you change ISP and IP, in addition to the ASA changes, you may also need to clear ARP on any L2 devices in the path. If that is done and the Internet works fine but you still have issues, make sure the ISP is not blocking/filtering any VPN-related ports within their infrastructure.
hth
MS
12-26-2012 09:12 AM
Hello,
Please follow these steps:
1-Check if the interesting traffic is ok
2-If the traffic is ok, please ping through the tunnel (If you try this from the internal interface you must make sure that the management access inside is configured and then try this: ping inside xxxx >remote ip address)
3-show crypto isakmp sa / show crypto ipsec sa
4-Please try the same on the other side in order to check the outputs
5-The next step will be to get some debugs and logs
debug crypto isakmp 220 / debug crypto ipsec 220
logging on
logging buffered 7
sh log
12-27-2012 08:22 PM
Hi Guys.
Thank you for taking the time to answer my question.
Strange thing is I re-ran :
clear configure tunnel-group 2.2.2.2
tunnel-group 4.4.4.4 type ipsec-l2l
tunnel-group 4.4.4.4 ipsec-attributes
pre-shared-key x.x.x.x
no crypto map outside_map 20 set peer 2.2.2.2
crypto map outside_map 20 set peer 4.4.4.4
This time it works.
I can't explain it.