Site-to-Site and Remote-Access on same interface

bobby0110
Level 1

I'm working to consolidate internet links at one of our sites. Currently, one of the internet links is used for site-to-site VPN tunnels while another is used for remote-access connections.

What is the best way to consolidate these onto a single internet link?

Thanks.

Bobby


You can reconfigure all your VPNs to use the same interface. Probably you have a default-route on the interface for your RA-VPNs and static routes on the other interface for your site-to-site VPNs. Which one do you want to keep? Migrating the Site-2-Site-VPNs to the other interface is easier as you can move one VPN at a time. If you want to use the interface without the default-route you have to move all your RA-VPNs at once.

If that's not your scenario, give some more info about your network and your config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

It's actually a new link that both site-to-site and RA will migrate to. There are currently 2 x T1 connections and it's migrating to a 5Mb circuit with Ethernet handoff.

We know there will be some downtime for the tunnels while things are migrated.

Right now, there is a different crypto map applied to each of the T1 interfaces.

T-1(1)

crypto dynamic-map dynmap 10
crypto map SW-Client client authentication list local_authen
crypto map SW-Client isakmp authorization list groupauth
crypto map SW-Client client configuration address respond
crypto map SW-Client 10 ipsec-isakmp dynamic dynmap

T-1(2)

crypto map Map-1 2 ipsec-isakmp
 set peer x
 set security-association lifetime seconds 28800
 set transform-set ESP-AES256-SHA
 match address x

Well, migrating the S2S-VPNs to the new link should be easy. RA can be a little more tricky because the clients have to know the new IP address. For that you have multiple options:

If your clients have a FQDN configured as the peer address, then you can change it in DNS the day you want to start your migration.

If your clients have the IP of T1(1) configured, you can use mode-config to push a backup-server list where your new IP is included. You have to wait until all clients have connected to download the new list; then you can reconfigure the RA-VPN to the new link. The clients will try to reach the old address, fail with that, and then try the next backup server, which is your new IP address. Later your clients can be cleaned with new settings in the PCF. Or even better, let the old clients phase out (the IPSec client is EOL announced) and migrate to AnyConnect.

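As an added illustration of the consolidation described in this thread (not configuration from the thread or from either poster), here is one Cisco IOS crypto map carrying both the static site-to-site entry and the dynamic remote-access entry on the single new interface, with the dynamic entry given the highest sequence number so the specific peer entries are evaluated first. The interface name, group and pool names, the placeholder addresses and ACL name, the transform-set line added under dynmap, and the `backup-gateway` mode-config push are assumptions, not taken from the posts.

```cisco
! Added example, not from the thread: one crypto map for both VPN types on
! the new Ethernet-handoff link. Angle-bracket values are placeholders.
!
! Transform set name reused from Bobby's T-1(2) excerpt (assumed parameters)
crypto ipsec transform-set ESP-AES256-SHA esp-aes 256 esp-sha-hmac
!
! Remote-access group: push the new address as a backup gateway before the
! cutover so clients that still dial the old IP fall over to the new one
! (group name, pool and the backup-gateway command are assumptions)
crypto isakmp client configuration group RA-GROUP
 key <PRE-SHARED-KEY>
 pool RA-POOL
 backup-gateway <NEW-PUBLIC-IP>
!
! Dynamic map for RA clients; the thread's excerpt omitted the transform set
crypto dynamic-map dynmap 10
 set transform-set ESP-AES256-SHA
 reverse-route
!
! One map per interface: static site-to-site entries keep low sequence
! numbers, the dynamic RA entry gets the highest (10) so it is matched last
crypto map CONSOLIDATED client authentication list local_authen
crypto map CONSOLIDATED isakmp authorization list groupauth
crypto map CONSOLIDATED client configuration address respond
crypto map CONSOLIDATED 2 ipsec-isakmp
 set peer <REMOTE-SITE-PEER>
 set security-association lifetime seconds 28800
 set transform-set ESP-AES256-SHA
 match address <S2S-ACL>
crypto map CONSOLIDATED 10 ipsec-isakmp dynamic dynmap
!
! Apply the single map to the new circuit (interface name is an assumption)
interface GigabitEthernet0/0
 description New 5Mb circuit, Ethernet handoff
 ip address <NEW-PUBLIC-IP> 255.255.255.252
 crypto map CONSOLIDATED
!
! Checks after cutover: map bound to the interface, phase 1 and phase 2 SAs up
show crypto map interface GigabitEthernet0/0
show crypto isakmp sa
show crypto ipsec sa
```

Because IOS accepts only one crypto map per interface, the old SW-Client and Map-1 maps stay on the T1 interfaces until those links are retired, and the `backup-gateway` line should be in place long enough for every RA client to connect and download the updated list before the RA entry moves.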
