03-03-2014 09:48 AM - edited 03-07-2019 06:29 PM
My main MPLS circuit is down and I have two IPSec tunnels up to my remote sites.
Everything is routing fine but I wanted to add a subnet to my NAT and tunnels.
Can I add a new subnet to my local network/remote network and save/apply without killing or resetting my active IPSec tunnels?
03-03-2014 12:13 PM
Adding a subnet to your NAT statement should not affect anything. What type of device are you using?
HTH
03-03-2014 12:47 PM
Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.
But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec, these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and a new SA to be negotiated, or you can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end, someone on the other end needs to make a corresponding change on their end.
HTH
Rick
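One way to check, after editing a crypto ACL on a Cisco IOS router, which configured subnet pairs still have no negotiated SA (the situation Rick describes, where the tunnel keeps using the SAs it came up with). This is an added example, not code from the thread; the ACL text and the `show crypto ipsec sa` output are constructed samples, and the ident line layout is assumed from typical IOS output.

```python
import ipaddress
import re

# Constructed sample: crypto ACL after 10.1.1.0/24 was added while the tunnel was up.
CRYPTO_ACL = """
access-list 110 permit ip 10.1.0.0 0.0.0.255 10.2.0.0 0.0.0.255
access-list 110 permit ip 10.1.1.0 0.0.0.255 10.2.0.0 0.0.0.255
"""

# Constructed sample of 'show crypto ipsec sa': only the original pair has an SA,
# because that SA was negotiated before the ACL change (layout assumed from IOS).
SHOW_SA = """
interface: GigabitEthernet0/0
    Crypto map tag: VPNMAP, local addr 203.0.113.1
   local  ident (addr/mask/prot/port): (10.1.0.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (10.2.0.0/255.255.255.0/0/0)
   current_peer 198.51.100.1 port 500
     PERMIT, flags={origin_is_acl,}
"""

IDENT_RE = re.compile(r"(local|remote)\s+ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
ACL_RE = re.compile(r"permit ip (\S+) (\S+) (\S+) (\S+)")

def wildcard_to_network(addr, wildcard):
    """IOS ACLs use wildcard (inverse) masks; convert to a normal network."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ hostmask)
    return ipaddress.IPv4Network(f"{addr}/{netmask}")

def configured_pairs(acl_text):
    """(source, destination) network pairs the crypto ACL now protects."""
    return {(wildcard_to_network(s, sw), wildcard_to_network(d, dw))
            for s, sw, d, dw in ACL_RE.findall(acl_text)}

def negotiated_pairs(show_text):
    """Pair each 'local ident' with the 'remote ident' that follows it."""
    pairs, local = set(), None
    for side, addr, mask in IDENT_RE.findall(show_text):
        net = ipaddress.IPv4Network(f"{addr}/{mask}")
        if side == "local":
            local = net
        elif local is not None:
            pairs.add((local, net))
            local = None
    return pairs

def stale_entries(acl_text, show_text):
    """ACL entries with no matching SA: they stay uncovered until a new SA is
    negotiated, either at lifetime expiry or after an operator resets the tunnel."""
    return sorted(configured_pairs(acl_text) - negotiated_pairs(show_text), key=str)

if __name__ == "__main__":
    for src, dst in stale_entries(CRYPTO_ACL, SHOW_SA):
        print(f"no active SA for {src} -> {dst}")
```

Run against the real `show crypto ipsec sa` output on both peers, since the remote side's ACL must carry the matching change before the new pair can negotiate.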
03-03-2014 02:23 PM
I was talking about making changes to the NAT and the IPSec tunnel configs. When I applied my changes it did reset the tunnel, but it was a quick reset and re-established fine.
Thanks all