Solved: Change the DH group in an isakmp policy

ssuttle1 · ‎09-20-2023

If I change the DH group in an ISAKMP policy, will the tunnel automatically start using that group after a period, or do I have to bounce the tunnel interface? I know that bouncing the interface works to get it to switch over immediately. But it would be preferable for it to start using the new group automatically without bouncing the interface.

Richard Burts · ‎09-20-2023

The good news is that policies for the ipsec tunnel are negotiated for a period of time, and when that time is about to expire there is a new negotiation, which would use the new policy. So if you are not a hurry to get the new policy being used then do not bounce and just wait.

HTH

Rick

View solution in original post

Richard Burts · ‎09-20-2023

The good news is that policies for the ipsec tunnel are negotiated for a period of time, and when that time is about to expire there is a new negotiation, which would use the new policy. So if you are not a hurry to get the new policy being used then do not bounce and just wait.

HTH

Rick

Richard Burts · ‎09-20-2023

I am glad that my explanation was helpful. Thank you for marking this question as solved. This will help other participants in the community to identify discussions which have helpful information. This community is an excellent place to ask questions and to learn about networking. I hope to see you continue to be active in the community.

HTH

Rick