976 Views | 0 Helpful | 3 Replies

IPSec Tunnel and Making Changes While Up

John Stevens
Level 1

My main MPLS circuit is down and I have two IPSec tunnels up to my remote sites.

Everything is routing fine, but I wanted to add a subnet to my NAT and tunnels.

Can I add a new subnet to my local network/remote network and save/apply without killing or resetting my active IPSec tunnels?

2 Accepted Solutions

Reza Sharifi
Hall of Fame

Adding a subnet to your NAT statement should not affect anything. What type of device are you using?

HTH


Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.

But I read your question as involving both NAT and IPSec tunnels, and I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up, and they will continue to use those Security Associations after you make your config change. So if you are changing things like which subnets are in the access list used to identify traffic for IPSec, these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and a new SA to be negotiated, or you can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end, someone on the other end needs to make a corresponding change on their end.

HTH

Rick

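As an added illustration of Rick's point (not part of the original thread or any poster's configuration), here is what the change looks like on an assumed Cisco IOS router with a crypto-map based site-to-site tunnel. The ACL names, subnets, peer address, interface and transform-set name are constructed examples, and the `show` output shown in comments is what such a device would typically print, not captured from the poster's network:

```cisco
! --- Local router (constructed example, assumed Cisco IOS crypto-map tunnel) ---
! Crypto ACL: the "interesting traffic" whose source/destination pairs become the
! proxy identities negotiated into each IPsec SA. First line existed before the
! change; the second line adds the new 10.3.0.0/16 subnet.
ip access-list extended ACL-VPN-REMOTE
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! NAT list: tunnel-bound traffic is denied here so it is not translated before
! the crypto map sees it. Editing this list does not touch the IPsec SAs.
ip access-list extended ACL-NAT
 deny   ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 deny   ip 10.3.0.0 0.0.255.255 10.2.0.0 0.0.255.255
 permit ip 10.1.0.0 0.0.255.255 any
 permit ip 10.3.0.0 0.0.255.255 any
ip nat inside source list ACL-NAT interface GigabitEthernet0/0 overload
!
! Crypto map is unchanged; it keeps referencing the edited ACL while the tunnel is up.
crypto map CM-VPN 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA
 match address ACL-VPN-REMOTE
!
! --- Remote router: the crypto ACL must be the mirror image (source/destination
! swapped), otherwise the new proxy identities will not match during negotiation.
ip access-list extended ACL-VPN-HQ
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
 permit ip 10.2.0.0 0.0.255.255 10.3.0.0 0.0.255.255
!
! --- Verification on the local router. Immediately after the edit, the SAs that
! were negotiated before the change still carry only the old identities:
!   show crypto ipsec sa peer 203.0.113.2
!     local  ident (addr/mask/prot/port): (10.1.0.0/255.255.0.0/0/0)
!     remote ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
! A 10.3.0.0/16 <-> 10.2.0.0/16 identity pair appears only once an SA covering it
! has been negotiated: wait for the SA lifetime to expire, or force it now (this
! drops and re-establishes the tunnel to that peer, so expect a brief outage):
!   clear crypto sa peer 203.0.113.2
```

The check worth doing after the re-key is to run `show crypto ipsec sa peer` again and confirm that the new identity pair is present and that its encaps/decaps counters increment; if the pair never appears, the usual cause is that the remote side's ACL was not updated to mirror the new subnet.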

3 Replies


I was talking about making changes to the NAT and the IPSec tunnel configs. When I applied my changes it did reset the tunnel, but it was a quick reset and re-established fine.

Thanks all