674 Views | 0 Helpful | 7 Replies

ASA - Migrate same traffic to a new VPN

aconticisco
Level 2

Hi,

Need to migrate the same source/destination traffic to a new VPN (new peer).

What are the steps I should follow, as there is already a crypto map applied for the same traffic used by the current VPN? How best to disable this so the new crypto map (lower priority), which is bound to the new VPN, is used?

Can I pre-set up most of the config to the new peer in advance and maybe confirm the VPN tunnel is up without passing any traffic? Which config should I leave to last?

This is a policy-based VPN.

Thanks

7 Replies

Cristian Matei
VIP Alumni

Hi,

Assuming you have something like the following, and the entry you care about (the one for which you have to specify another VPN gateway) has sequence number 200:

crypto map TEST 100 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set FIRST
 match address 100
crypto map TEST 150 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101
crypto map TEST 200 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102

If you just have to change the VPN peer, and still want to quickly roll back in case the tunnel does not come up with the second peer, you inject a new crypto map sequence number, lower than 200, with the same settings but a different peer; you clear the IKE and IPsec tunnel with the old peer and generate interesting traffic to trigger new tunnel formation. If it works, you remove sequence number 200; if it doesn't work, you investigate, and when the time comes you roll back by removing the newly configured sequence number in the crypto map.

crypto map TEST 199 ipsec-isakmp
 set peer 40.40.40.40
 set transform-set THIRD
 match address 102
!
clear crypto sa peer 30.30.30.30

Regards,

Cristian Matei.

 

 

Unfortunately the current crypto map for the VPN I want to replace is placed at the top.

The new crypto map to be used with new VPN has to be with a lower priority (higher crypto map number).

How would this change the plan please? Would a possible option be to disable the acl used by the current VPN crypto map (set acl to inactive)?

Can I bring the new VPN up first and then switchover traffic to it?


Thanks

Hi,

What is the sequence number in the crypto map for the tunnel for which you want to have a new peer? If it's, let's say, 10, you configure a new one with any sequence number between 1 and 9, for example 8.

Regards,

Cristian Matei.

It’s 2 and there is a 1

Let me know the action plan please, based on what I wrote.

Hi,

Assuming you have a config such as the following, and the second entry is the one for which you want to change the VPN peer:

crypto map TEST 1 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set FIRST
 match address 100
crypto map TEST 2 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101
crypto map TEST 3 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102

You do the following: you replace sequence number 2 with the new VPN tunnel settings and reconfigure the old VPN tunnel with a higher, unused sequence number:

no crypto map TEST 2 ipsec-isakmp
crypto map TEST 2 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102
crypto map TEST 1555 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101

Regards,

Cristian Matei.
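A small model of how the ASA picks a crypto map entry, tying together the two approaches in this thread (injecting a lower sequence number when one is free, and renumbering when, as in the OP's case, sequence 1 is already taken). This is added example code, not from the thread or from Cisco: the ACL contents, ACL 103 and the "inactive ACL matches nothing" behaviour are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed crypto ACLs for the thread's scenario: name -> [(src net, dst net)].
# ACL "103" deliberately covers the same traffic as "101" (the "same
# source/destination" flow the OP wants to move to the new peer).
ACLS = {
    "100": [("10.1.0.0/24", "192.168.1.0/24")],
    "101": [("10.2.0.0/24", "192.168.2.0/24")],
    "102": [("10.3.0.0/24", "192.168.3.0/24")],
    "103": [("10.2.0.0/24", "192.168.2.0/24")],
}


def acl_permits(acl_name, src, dst, inactive=()):
    """True if the named crypto ACL covers src -> dst.
    An ACL listed in `inactive` is treated as matching nothing; this models the
    OP's proposed 'set the ACL inactive' workaround and is an assumption here."""
    if acl_name in inactive:
        return False
    s, d = ip_address(src), ip_address(dst)
    return any(s in ip_network(a) and d in ip_network(b) for a, b in ACLS[acl_name])


def select_peer(crypto_map, src, dst, inactive=()):
    """Return (sequence, peer) of the first entry, in ascending sequence order,
    whose ACL permits the flow, or None if no entry matches (flow not encrypted)."""
    for seq, peer, acl in sorted(crypto_map):
        if acl_permits(acl, src, dst, inactive):
            return seq, peer
    return None


# Cristian's first example: entry 200 carries the tunnel to 30.30.30.30.
MAP_A = [(100, "20.20.20.20", "100"), (150, "25.25.25.25", "101"), (200, "30.30.30.30", "102")]
# Injecting 199 with the same ACL but the new peer shadows entry 200.
MAP_A_MIGRATED = MAP_A + [(199, "40.40.40.40", "102")]

# The OP's case: the entry to replace is 2 and sequence 1 is already taken.
MAP_B = [(1, "20.20.20.20", "100"), (2, "25.25.25.25", "101")]
# A higher sequence number (1555) only wins once entry 2 no longer matches.
MAP_B_WITH_NEW = MAP_B + [(1555, "40.40.40.40", "103")]
# Cristian's renumbering: the new peer takes sequence 2, the old tunnel moves to 1555.
MAP_B_RENUMBERED = [(1, "20.20.20.20", "100"), (2, "40.40.40.40", "103"), (1555, "25.25.25.25", "101")]

if __name__ == "__main__":
    flow = ("10.2.0.5", "192.168.2.9")
    print("new entry 1555 only:", select_peer(MAP_B_WITH_NEW, *flow))
    print("with ACL 101 inactive:", select_peer(MAP_B_WITH_NEW, *flow, inactive={"101"}))
    print("renumbered:", select_peer(MAP_B_RENUMBERED, *flow))
```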

Yes, but that may involve a long downtime. Can't I create a higher (lower priority) crypto map and temporarily disable the current one to test, and revert back if needed?

Hi,

I'm not sure if you're making fun or not. You previously said that the crypto map entry that you want to replace has a sequence number of 2, and you also have another entry with a sequence number of 1, thus you can't go lower than 1.

Could you rather just post the full crypto map config, and specify which entry you want the VPN peer changed for.

Regards,

Cristian Matei.
