06-25-2012 04:46 AM - edited 03-11-2019 04:22 PM
Hello ALL,
My organisation has a VPN Concentrator 3000 series which has many VPN tunnels. One of our customers wants to add a new IP to the encryption domain without disturbing existing connections. So while I am adding new IPs, or after doing that, is there a chance that the tunnel goes down?
Regards,
Aravind
06-25-2012 05:24 AM
The new IP subnet needs to be added to both ends of the VPN tunnel, and preferably at the same time. Otherwise, when the SA expires, it will renegotiate the new key, and if the subnets are not mirror images between the 2 sites, the VPN tunnel will not come up.
06-27-2012 03:30 AM
Hi,
I think I remember reading somewhere that it is suggested that the access-lists/rules that define the encryption domain should be exact mirror images of each other, BUT they wouldn't have to be?
For example I have a L2L VPN connection (for test purposes) between an ASA and Cisco 7609s VPN module.
When I remove an ACE statement only from the other peer and clear the connection and generate traffic to the VPN tunnel, it comes up, even though the access-lists aren't exact mirror images (the other one now having a useless extra statement).
Does the VPN then form SAs for the networks that do match on both peers but simply ignore the VPN regarding the networks that don't match on both ends?
So to my understanding you should be safe to add rules to the VPN as long as you keep the original configuration there?
Also to my understanding, if you have multiple access-list lines and want to remove only one, removing that one statement won't tear down the whole VPN connection but will clear the SA related to those subnets/hosts.
- Jouni
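Since the thread turns on whether the two crypto ACLs are exact mirror images, here is an added example (not from the original thread or from Cisco) that parses simple `permit ip` crypto ACEs from both peers, mirrors the remote side, and reports which proxy pairs can negotiate an SA and which exist on one side only. It assumes plain `permit ip` lines with `any`, `host` or address/wildcard operands; the ACL contents are constructed for the example.

```python
import ipaddress

def _net(tokens):
    """Consume one address operand of a Cisco ACE and return (network, remaining tokens).
    Handles 'any', 'host A.B.C.D' and 'A.B.C.D WILDCARD' (wildcard = inverted mask)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    addr, wildcard = tokens[0], tokens[1]
    wc = int(ipaddress.IPv4Address(wildcard))
    prefix = 32 - wc.bit_length()
    if wc != (1 << (32 - prefix)) - 1:  # only contiguous wildcards map to a prefix
        raise ValueError(f"non-contiguous wildcard {wildcard}")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False), tokens[2:]

def parse_ace(line):
    """Return (src_network, dst_network) for a 'permit ip <src> <dst>' crypto ACE."""
    tokens = line.split()
    if tokens[:2] != ["permit", "ip"]:
        raise ValueError(f"unsupported ACE: {line}")
    src, rest = _net(tokens[2:])
    dst, _ = _net(rest)
    return src, dst

def compare_encryption_domains(local_acl, remote_acl):
    """Mirror the remote crypto ACL (swap src/dst) and compare it with the local one.
    Proxy pairs present on both sides can negotiate an IPsec SA; a pair seen on only
    one side never brings up a child SA and is flagged so the operator can fix it.
    All pairs are reported from the local peer's point of view."""
    local = {parse_ace(l) for l in local_acl}
    remote = {(dst, src) for src, dst in (parse_ace(l) for l in remote_acl)}
    fmt = lambda pair: f"{pair[0]} -> {pair[1]}"
    return {
        "negotiable": sorted(map(fmt, local & remote)),
        "local_only": sorted(map(fmt, local - remote)),
        "remote_only": sorted(map(fmt, remote - local)),
    }

# Constructed sample: the new 10.20.0.0/24 was added on our side but not yet on the peer.
OUR_ACL = [
    "permit ip 10.10.0.0 0.0.0.255 172.16.5.0 0.0.0.255",
    "permit ip host 10.10.1.5 172.16.5.0 0.0.0.255",
    "permit ip 10.20.0.0 0.0.0.255 172.16.5.0 0.0.0.255",  # new, not mirrored yet
]
PEER_ACL = [
    "permit ip 172.16.5.0 0.0.0.255 10.10.0.0 0.0.0.255",
    "permit ip 172.16.5.0 0.0.0.255 host 10.10.1.5",
]

if __name__ == "__main__":
    for name, pairs in compare_encryption_domains(OUR_ACL, PEER_ACL).items():
        print(name, pairs)
```

Running it lists the two existing pairs as negotiable and the new subnet under `local_only`, i.e. the existing SAs keep working while the added entry stays idle until the peer mirrors it.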