1225 Views · 0 Helpful · 0 Replies

crypto map with 2 peer addresses

Hi,

I need to change the IP address on a central hub that terminates a lot of site-to-site tunnels, and I can't have the old and new address up at the same time. So here's the setup on the remote sites.

/start of config

crypto isakmp peer address <current pub ip>
 set aggressive-mode password xxxxxxxxxx
 set aggressive-mode client-endpoint fqdn <fqdn>
!
crypto ipsec transform-set highsec esp-aes 256 esp-sha-hmac
!
crypto map <map-name> 10 ipsec-isakmp
 set peer <current-pub ip>
 set security-association lifetime seconds 86400
 set transform-set highsec
 set pfs group2
 match address <acl>

end of config/

By mistake I noted that I could just add another peer address in the crypto map, so the configuration would be like this (new config was in bold in the original post; marked "<--- new" here).

/start of config

crypto isakmp peer address <current pub ip>
 set aggressive-mode password xxxxxxxxxx
 set aggressive-mode client-endpoint fqdn <fqdn>
!
crypto isakmp peer address <new pub ip>                  <--- new
 set aggressive-mode password xxxxxxxxxx                 <--- new
 set aggressive-mode client-endpoint fqdn <fqdn>         <--- new
!
crypto ipsec transform-set highsec esp-aes 256 esp-sha-hmac
!
crypto map <map-name> 10 ipsec-isakmp
 set peer <current-pub ip>
 set peer <new-pub ip>                                   <--- new
 set security-association lifetime seconds 86400
 set transform-set highsec
 set pfs group2
 match address <acl>

end of config/

From what I can see in the configuration this doesn't affect the current tunnel; I have no clue what will happen when its SA times out, though.

My second alternative would be about the same, but with a second sequence number on the crypto map, so the config would be like this (just from the crypto map's point of view now).

/start of config

!
crypto map <map-name> 10 ipsec-isakmp
 set peer <current-pub ip>
 set security-association lifetime seconds 86400
 set transform-set highsec
 set pfs group2
 match address <acl>
!
crypto map <map-name> 20 ipsec-isakmp
 set peer <new-pub ip>
 set security-association lifetime seconds 86400
 set transform-set highsec
 set pfs group2
 match address <acl>        <--- Removed
!

end of config/

In this setup my plan was to keep the second sequence "incomplete" until I changed the public IP on the central endpoint; then I would add the "match address <acl>" part to complete the configuration. It would make the downtime longer.

Worth knowing for this setup is that the central endpoint would accept connections from any source since some remote sites are running on DHCP.

If it matters, the central device is a 5510 running 8.4.7-3 and the endpoints are mostly 881 routers with an advipservices license on 15.1-4(m3) code.
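Added example (editor's code, not the poster's or Cisco's): a small Python audit that parses the remote-site crypto map and `crypto isakmp peer` blocks out of a pasted config and lists what to check before the hub's address moves. It covers both variants from the post: two `set peer` lines in one sequence, and a second sequence left without `match address`. The map name HUBMAP, the ACL name VPN-ACL, the FQDN and the documentation-range addresses are constructed; the two behaviours it flags (an entry without a valid access list stays disabled, and crypto map sequences are evaluated in ascending order so a lower sequence with the same ACL shadows a higher one) are standard IOS crypto map semantics.

```python
"""Audit Cisco IOS crypto-map entries on a remote site before a hub IP change.
Parses 'crypto map <name> <seq> ipsec-isakmp' entries and
'crypto isakmp peer address' blocks out of a running-config text."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample (not the poster's real config): the "two peers in one
# sequence" variant plus a second, deliberately incomplete sequence for the
# new hub address. Names and addresses are made up for the example.
SAMPLE_CONFIG = """\
crypto isakmp peer address 203.0.113.10
 set aggressive-mode password xxxxxxxxxx
 set aggressive-mode client-endpoint fqdn site1.example.net
!
crypto ipsec transform-set highsec esp-aes 256 esp-sha-hmac
!
crypto map HUBMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.20
 set security-association lifetime seconds 86400
 set transform-set highsec
 set pfs group2
 match address VPN-ACL
!
crypto map HUBMAP 20 ipsec-isakmp
 set peer 198.51.100.20
 set transform-set highsec
 set pfs group2
!
"""
# Same config after the poster's planned cutover step: seq 20 gets its ACL.
CUTOVER_CONFIG = SAMPLE_CONFIG.rstrip("!\n") + "\n match address VPN-ACL\n!\n"


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    peers: List[str] = field(default_factory=list)
    transform_sets: List[str] = field(default_factory=list)
    match_acl: Optional[str] = None
    pfs: Optional[str] = None
    lifetime_seconds: Optional[int] = None


MAP_RE = re.compile(r"^crypto map (\S+) (\d+) ipsec-isakmp\b")
ISAKMP_PEER_RE = re.compile(r"^crypto isakmp peer address (\S+)")


def parse_config(text: str):
    """Return (crypto map entries, set of isakmp peer addresses).
    Indentation is ignored because configs pasted into forums usually lose it."""
    entries: List[CryptoMapEntry] = []
    isakmp_peers: Set[str] = set()
    current: Optional[CryptoMapEntry] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := MAP_RE.match(line):
            current = CryptoMapEntry(m.group(1), int(m.group(2)))
            entries.append(current)
            continue
        if m := ISAKMP_PEER_RE.match(line):
            isakmp_peers.add(m.group(1))
            current = None
            continue
        if line == "!" or not line.startswith(("set ", "match ")):
            current = None  # any other top-level command ends the sub-mode
            continue
        if current is None:
            continue  # e.g. 'set aggressive-mode ...' under an isakmp peer
        words = line.split()
        if words[:2] == ["set", "peer"]:
            current.peers.append(words[2])
        elif words[:2] == ["set", "transform-set"]:
            current.transform_sets.extend(words[2:])
        elif words[:2] == ["set", "pfs"]:
            current.pfs = words[2]
        elif line.startswith("set security-association lifetime seconds"):
            current.lifetime_seconds = int(words[-1])
        elif words[:2] == ["match", "address"]:
            current.match_acl = words[2]
    return entries, isakmp_peers


def audit(text: str, expected_peers: Set[str]) -> List[str]:
    """Pre-cutover checks; each finding names the crypto map entry it concerns."""
    entries, isakmp_peers = parse_config(text)
    findings: List[str] = []
    acl_owner = {}  # (map name, ACL) -> lowest sequence that already matches it
    for e in sorted(entries, key=lambda x: (x.name, x.seq)):
        tag = f"{e.name} seq {e.seq}"
        if not e.peers:
            findings.append(f"{tag}: no peer")
        if not e.transform_sets:
            findings.append(f"{tag}: no transform-set")
        if e.match_acl is None:
            findings.append(f"{tag}: incomplete, no match address (IOS keeps the entry disabled)")
        elif (e.name, e.match_acl) in acl_owner:
            findings.append(f"{tag}: shadowed, ACL {e.match_acl} already matched by seq "
                            f"{acl_owner[(e.name, e.match_acl)]} (lower sequences are evaluated first)")
        else:
            acl_owner[(e.name, e.match_acl)] = e.seq
        for p in e.peers:
            if p not in expected_peers:
                findings.append(f"{tag}: unexpected peer {p}")
            if p not in isakmp_peers:
                findings.append(f"{tag}: peer {p} has no crypto isakmp peer block "
                                "(no aggressive-mode password/fqdn for it)")
        if len(e.peers) > 1:
            findings.append(f"{tag}: multiple peers {e.peers}, check which one IOS tries first")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before cutover", SAMPLE_CONFIG), ("after cutover", CUTOVER_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg, {"203.0.113.10", "198.51.100.20"}):
            print(" -", finding)
```

Run it against `show running-config` output saved from a remote 881 (pass the real hub addresses as `expected_peers`). On the sample it reports that the new hub address has no `crypto isakmp peer` block (so no aggressive-mode credentials for it), that seq 20 is disabled while its `match address` is missing, and, once the ACL is added, that seq 20 is shadowed by seq 10 for the same traffic until seq 10 is removed.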
