change or replace the router IPSEC config-key

bymc
Level 1

We have a number of sites with routers running DMVPN with IPsec, with VPN connections to each other in a full-mesh environment.

We would like to replace/refresh the routers' IPsec config-key on a routine basis with no or minimal interruption to the site-to-site network traffic.

Looking for some guidance.

BYMC

1 Reply

Francesco Molino
VIP Alumni
Hi

Changing the key will impact the DMVPN cloud when the routers do the rekey.
If you change the hub first, all spokes will lose connectivity until you have finished rolling out your changes. If you do the reverse, the spokes will be unreachable until the hub has its key changed.
If your routers are behind an ISP router handling the NAT and the key isn't changed yet on your spoke, it can be stuck for a while until the NAT times out.

The first thing is to enable SSH from the outside, to avoid losing spokes to push the new key to.
Then you can write a script to change them all in a quick and smoother way.

Personally, I always set up 2 DMVPN clouds: 1 using a key, with limited access, and 1 using certificates. This allows you to change the key as often as you like, because user connectivity is always handled by the certificate cloud. Certificates are additionally renewed using your key-based DMVPN cloud. In that situation, you always have a backup plan for your users and for yourself to access the devices.

Does it make sense?

Thanks
Francesco
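Editor's note: the reply above recommends reaching every router over SSH on its outside address and scripting the key change so hub and spokes are updated at the same time. The script below is an added example of that push; it is not code from the thread or from Cisco. It assumes the key being rotated is the wildcard IKEv1 pre-shared key (`crypto isakmp key <key> address 0.0.0.0 0.0.0.0`), that netmiko is available for a live push (it is imported lazily, so the dry run needs no network or netmiko), and the hostnames, addresses and keys in it are constructed placeholders.

```python
"""Scripted ISAKMP pre-shared-key rotation for a DMVPN fleet.

Added example, not code from the thread or from Cisco. Assumptions:
  * every router is reachable over SSH on its outside (tunnel-source)
    address, as the reply recommends, so the push does not depend on the
    tunnels themselves;
  * the key being rotated is the wildcard IKEv1 key configured with
    `crypto isakmp key <key> address 0.0.0.0 0.0.0.0`;
  * netmiko provides the SSH session (imported only for a live push, so the
    command-building logic runs without it); hostnames, addresses and keys
    below are constructed placeholders.
"""
import secrets
import string
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass


@dataclass(frozen=True)
class Router:
    name: str
    outside_ip: str  # public / tunnel-source address used for the SSH session
    role: str        # "hub" or "spoke"; informational only, all are pushed together


def generate_psk(length: int = 32) -> str:
    """Random key from a CSPRNG. Alphanumerics only, so the key never needs
    quoting on the IOS command line."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_rekey_commands(old_key: str, new_key: str,
                         peer: str = "0.0.0.0", mask: str = "0.0.0.0") -> list:
    """Config lines that swap the wildcard key. Both lines go in one config
    set so the router is never left without any key for the peer range."""
    return [
        f"no crypto isakmp key {old_key} address {peer} {mask}",
        f"crypto isakmp key {new_key} address {peer} {mask}",
    ]


def push_to_router(router: Router, commands: list, username: str,
                   password: str, dry_run: bool = True) -> tuple:
    """Apply `commands` to one router and save; returns (name, status, detail)."""
    if dry_run:
        return (router.name, "dry-run", commands)
    from netmiko import ConnectHandler  # lazy: only a live push needs it
    try:
        conn = ConnectHandler(device_type="cisco_ios", host=router.outside_ip,
                              username=username, password=password)
        try:
            output = conn.send_config_set(commands)
            conn.save_config()  # write memory, so a reload cannot bring the old key back
        finally:
            conn.disconnect()
        return (router.name, "ok", output)
    except Exception as exc:  # unreachable host, auth failure, ...
        return (router.name, "error", str(exc))


def rekey_fleet(routers: list, old_key: str, new_key: str,
                username: str, password: str, dry_run: bool = True) -> tuple:
    """Push the new key to hub and spokes concurrently.

    The pre-shared key is only used while an IKE SA is being authenticated,
    so SAs that are already up keep passing traffic after the change. If
    every router receives the new key before any of its IKE SAs expires and
    renegotiates, there is no window in which hub and spokes disagree.
    Returns (results, names_that_failed); a failed spoke must be fixed before
    its next IKE rekey or it will drop out of the cloud.
    """
    commands = build_rekey_commands(old_key, new_key)
    with ThreadPoolExecutor(max_workers=max(1, len(routers))) as pool:
        results = list(pool.map(
            lambda r: push_to_router(r, commands, username, password, dry_run),
            routers))
    failed = [name for name, status, _ in results if status == "error"]
    return results, failed


# Constructed inventory for a dry run; no device is contacted.
FLEET = [
    Router("hub1", "198.51.100.1", "hub"),
    Router("spoke-a", "203.0.113.10", "spoke"),
    Router("spoke-b", "203.0.113.20", "spoke"),
]

if __name__ == "__main__":
    new = generate_psk()
    results, failed = rekey_fleet(FLEET, "OldSharedKey", new, "admin", "secret")
    for name, status, detail in results:
        print(name, status, detail)
    print("failed:", failed)
```

Run it with `dry_run=True` first to see the exact lines each router will get, then with `dry_run=False` against the real inventory. The concurrent push keeps the window in which hub and spokes hold different keys to a few seconds, but it is not zero: a spoke whose tunnel flaps and renegotiates IKE during that window, or one that is behind a NAT and cannot be reached, is exactly the case the reply warns about, which is why the outside SSH access and the list of failed routers matter.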