03-31-2020 04:44 AM - edited 03-31-2020 04:45 AM
Hi,
Need to migrate the same source/destination traffic to a new VPN (new peer).
What are the steps I should follow, as there is already a crypto map applied for the same traffic used by the current VPN? How best to disable this so the new crypto map (lower priority) bound to the new VPN is used instead?
Can I pre-set up most of the config for the new peer in advance and maybe confirm the VPN tunnel is up without passing any traffic? Which config should I leave to last?
This is a policy-based VPN.
Thanks
03-31-2020 05:01 AM
Hi,
Assuming you have something like the following and the entry you care about (the one for which you have to specify another VPN gateway) is with sequence number 200:
crypto map TEST 100 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set FIRST
 match address 100
crypto map TEST 150 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101
crypto map TEST 200 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102
If you just have to change the VPN peer, and still want to quickly roll back in case the tunnel does not come up with the second peer, you inject a new crypto map sequence number, lower than 200, with the same settings but a different peer; you clear the IKE and IPsec tunnel with the old peer and generate interesting traffic to trigger new tunnel formation. If it works, you remove sequence number 200; if it doesn't work, you investigate, and when the time comes you roll back by removing the newly configured sequence number from the crypto map.
crypto map TEST 199 ipsec-isakmp
 set peer 40.40.40.40
 set transform-set THIRD
 match address 102
!
clear crypto sa peer 30.30.30.30
Regards,
Cristian Matei.
03-31-2020 08:47 AM - edited 03-31-2020 09:13 AM
Unfortunately the current crypto map for the VPN I want to replace is placed at the top.
The new crypto map to be used with new VPN has to be with a lower priority (higher crypto map number).
How would this change the plan, please? Would a possible option be to disable the ACL used by the current VPN crypto map (set the ACL to inactive)?
Can I bring the new VPN up first and then switchover traffic to it?
Thanks
03-31-2020 09:23 AM
Hi,
What is the sequence number in the crypto-map for the tunnel for which you want to have a new peer? If it's let's say 10, you configure a new one with any sequence number between 1 and 9, like for example 8.
Regards,
Cristian Matei.
03-31-2020 09:48 AM
03-31-2020 10:04 AM
Hi,
Assuming you have a config such as the following, and the second entry is the one for which you want to change the VPN peer:
crypto map TEST 1 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set FIRST
 match address 100
crypto map TEST 2 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101
crypto map TEST 3 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102
You do the following: you replace sequence number 2 with the new VPN tunnel settings and reconfigure the old VPN tunnel with a higher, unused sequence number:
no crypto map TEST 2 ipsec-isakmp
crypto map TEST 2 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102
crypto map TEST 1555 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101
Regards,
Cristian Matei.
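The two procedures above (add a lower sequence number when one is free; otherwise park the old entry on a higher number and reuse its sequence) as one added example, not code from the thread. It parses a crypto map from a constructed config excerpt and emits the apply and rollback command lists; the map name, peers and the +1000 parking offset are assumptions.

```python
import re
# Constructed sample running-config excerpt, shaped like the examples in the thread.
SAMPLE_CONFIG = """
crypto map TEST 100 ipsec-isakmp
 set peer 20.20.20.20
 set transform-set FIRST
 match address 100
crypto map TEST 150 ipsec-isakmp
 set peer 25.25.25.25
 set transform-set SECOND
 match address 101
crypto map TEST 200 ipsec-isakmp
 set peer 30.30.30.30
 set transform-set THIRD
 match address 102
"""
ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp")
def parse_crypto_map(config):
    """Return crypto map entries as dicts {map, seq, peer, transform-set, address}."""
    entries, cur = [], None
    for line in config.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            cur = {"map": m.group(1), "seq": int(m.group(2))}
            entries.append(cur)
        elif cur is not None and len(line.split()) == 3:  # set peer / set transform-set / match address
            _, key, value = line.split()
            cur[key] = value
    return entries

def plan_peer_change(entries, acl, new_peer):
    """Apply/rollback commands moving the entry matching `acl` to `new_peer`. Entries are
    evaluated lowest sequence first, so the new one must sort before the old: use a free
    lower sequence if any (old entry kept for rollback), else park the old one higher."""
    old = next(e for e in entries if e["address"] == acl)
    name, used = old["map"], {e["seq"] for e in entries}
    free = [s for s in range(old["seq"] - 1, 0, -1) if s not in used]
    entry = lambda seq, peer: [f"crypto map {name} {seq} ipsec-isakmp", f" set peer {peer}",
                               f" set transform-set {old['transform-set']}", f" match address {acl}"]
    drop = lambda seq: f"no crypto map {name} {seq} ipsec-isakmp"
    if free:  # first answer: add a lower sequence, old entry untouched until verified
        apply, rollback = entry(free[0], new_peer), [drop(free[0])]
    else:     # second answer: the old entry already holds the lowest usable sequence
        park = max(used) + 1000  # assumed parking offset for the old entry
        apply = [drop(old["seq"])] + entry(park, old["peer"]) + entry(old["seq"], new_peer)
        rollback = [drop(old["seq"]), drop(park)] + entry(old["seq"], old["peer"])
    # Tearing down the old SAs lets the next interesting packet negotiate with the new peer.
    apply.append(f"clear crypto sa peer {old['peer']}")
    rollback.append(f"clear crypto sa peer {new_peer}")
    return {"new_seq": free[0] if free else old["seq"], "apply": apply, "rollback": rollback}
```

Review the apply list on a lab box before pasting it, and keep the rollback list at hand while you generate interesting traffic and check `show crypto session` for the new peer.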
03-31-2020 10:08 AM
03-31-2020 10:58 AM
Hi,
I'm not sure if you're making fun or not. You previously said that the crypto map entry that you want to replace has a sequence number of 2, and you also have another entry with a sequence number of 1, thus you can't go lower than 1.
Could you rather just post the full crypto map config, and specify which entry you want the VPN peer changed for?
Regards,
Cristian Matei.