Can same peer IP be used in a different tunnel group & crypto map?

Hawk (Level 1)

One of my VPN IPsec peers is changing their VPN setting requirements from IKEv1 to IKEv2.  We are scheduling a cutover date to the new tunnel & I would like to configure everything in advance & cut over as seamlessly as possible.  My VPN peer is not changing their peer IP address or any of the host IPs, TCP protocols & ports that are communicating over the tunnel & I would like to use the same ACLs that the existing tunnel is using. There are 2 different ACLs in use right now, the ACL used in the crypto map & the ACL in the group policy.  Could I configure the tunnel now in parallel to the existing tunnel using the settings I just mentioned without breaking anything?  Or would using the same ACLs, peer IP & NAT configs on the new tunnel configuration break the existing connection?

1 Accepted Solution

Accepted Solutions

mkazam001 (Level 3)

I'm assuming this is an ASA.

If IKEv2 is not enabled at all, you can configure the new crypto map and not enable it on the interface until you want to test, with the command below:

crypto ikev2 enable outside

Referencing the same ACL will not cause any issues either.

If you are using the same interfaces and local & remote subnets, the NAT exemption should not have to change either.

I have included the IKEv2 config so you can see where things fit in:

! Crypto ACL (interesting traffic); the existing one can be reused
access-list VPN-ACL extended permit ip <source> <dest>

! IKEv2 (phase 1) policy
crypto ikev2 policy 10
    encryption <cipher>
    integrity <hash>
    group <dh-group>
    prf <hash>
    lifetime seconds 86400

! IKEv2 IPsec (phase 2) proposal
crypto ipsec ikev2 ipsec-proposal AES256
    protocol esp encryption <cipher>
    protocol esp integrity <hash>

! Group policy: list both protocols so the existing IKEv1 tunnel
! keeps working until cutover
group-policy GP-1 internal
group-policy GP-1 attributes
    vpn-tunnel-protocol ikev1 ikev2

! Crypto map entry (a sequence number is required). An ASA binds one
! crypto map per interface, so if "outside" already carries a map for
! the IKEv1 peers, add this as a new sequence number in that map
crypto map MAP-2 10 match address VPN-ACL
crypto map MAP-2 10 set peer x.x.x.x
crypto map MAP-2 10 set ikev2 ipsec-proposal AES256
crypto map MAP-2 interface outside

! Tunnel group keyed by the peer IP; keep the IKEv1 key until cutover
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x general-attributes
    default-group-policy GP-1
tunnel-group x.x.x.x ipsec-attributes
    ikev1 pre-shared-key <key>
    ikev2 remote-authentication pre-shared-key <key>
    ikev2 local-authentication pre-shared-key <key>

! Last step, when ready to test: enable IKEv2 on the interface
crypto ikev2 enable outside

Regards, mk

Please rate if helpful :)


3 Replies


Thanks MK, that was very helpful.  According to your feedback, it sounds like I can configure everything in the new tunnel that you have outlined except enabling the new crypto map on the interface?  When I enable the new crypto map on the interface during testing, I cannot remove the existing crypto map from the interface because 15 other working VPN tunnels are using it.  Is that going to be a problem when bringing the new tunnel up?  When bringing the new tunnel up, should I remove any of the old tunnel configurations in order for the new tunnel to work?

Yes, just remove the crypto map statements & tunnel group config for that specific peer.

I always copy commands into Notepad, so I know exactly what I removed.

It sounds like this will be the first IKEv2 VPN tunnel; then you can enable IKEv2 on the interface & test.

Regards, mk
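The accepted answer's staging approach (configure the IKEv2 entry for the same peer and ACL now, enable IKEv2 on the interface only when testing) and the second reply's cutover step (copy the old peer's crypto map and tunnel-group lines somewhere safe, then remove them) can both be checked against the running config before the change window. The Python below is an added example written for this thread, not code from the thread or from Cisco. It parses a constructed ASA config excerpt (placeholder names, RFC 5737 addresses), reports whether the old IKEv1 entry would shadow the staged IKEv2 entry and whether each IKE version is already live on the interface, and generates the exact "no" commands for the old entry. It assumes the staged entry is added to the crypto map already bound to the interface, since an ASA binds only one crypto map per interface, and that the tunnel-group (keyed by the peer IP) is kept and only its IKEv1 key is retired.

```python
import re
from collections import defaultdict

# Constructed ASA running-config excerpt (placeholder names, RFC 5737
# addresses; not from the thread). One crypto map is bound to "outside" and
# carries several IKEv1 peers, as in the original poster's setup.
SAMPLE_CONFIG = """\
crypto ikev1 enable outside
crypto map OUTSIDE-MAP 10 match address VPN-ACL
crypto map OUTSIDE-MAP 10 set peer 203.0.113.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP 20 match address OTHER-ACL
crypto map OUTSIDE-MAP 20 set peer 198.51.100.7
crypto map OUTSIDE-MAP 20 set ikev1 transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
tunnel-group 203.0.113.10 type ipsec-l2l
tunnel-group 203.0.113.10 ipsec-attributes
 ikev1 pre-shared-key *****
 ikev2 remote-authentication pre-shared-key *****
 ikev2 local-authentication pre-shared-key *****
"""

# Staged IKEv2 entry for the same peer and ACL, added to the map already on the
# interface (assumption: one crypto map per interface). "crypto ikev2 enable
# outside" is deliberately absent until the test window.
STAGED_IKEV2 = """\
crypto map OUTSIDE-MAP 15 match address VPN-ACL
crypto map OUTSIDE-MAP 15 set peer 203.0.113.10
crypto map OUTSIDE-MAP 15 set ikev2 ipsec-proposal AES256
"""

ENTRY_RE = re.compile(r"^crypto map (\S+) (\d+) (.+)$")
BIND_RE = re.compile(r"^crypto map (\S+) interface (\S+)$")
ENABLE_RE = re.compile(r"^crypto (ikev1|ikev2) enable (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) ipsec-attributes$")


def parse(config):
    """entries[map][seq] -> {acl, peers, ike}; bindings[map] -> interface;
    enabled -> set of (ike version, interface) pairs."""
    entries, bindings, enabled = defaultdict(dict), {}, set()
    for line in (raw.strip() for raw in config.splitlines()):
        if m := ENTRY_RE.match(line):
            name, seq, words = m.group(1), int(m.group(2)), m.group(3).split()
            e = entries[name].setdefault(seq, {"acl": None, "peers": set(), "ike": set()})
            if words[:2] == ["match", "address"]:
                e["acl"] = words[2]
            elif words[:2] == ["set", "peer"]:
                e["peers"].update(words[2:])
            elif words[0] == "set" and words[1] in ("ikev1", "ikev2"):
                e["ike"].add(words[1])
        elif m := BIND_RE.match(line):
            bindings[m.group(1)] = m.group(2)
        elif m := ENABLE_RE.match(line):
            enabled.add((m.group(1), m.group(2)))
    return entries, bindings, enabled


def cutover_findings(config, peer):
    """For a peer with more than one crypto map entry: does the old entry
    shadow the staged one, and is each IKE version live on the interface?"""
    entries, bindings, enabled = parse(config)
    findings = []
    for name, seqs in entries.items():
        mine = sorted(s for s, e in seqs.items() if peer in e["peers"])
        if len(mine) < 2:
            continue
        iface = bindings.get(name)
        acls = {seqs[s]["acl"] for s in mine}
        if len(acls) == 1:
            # Entries are tried in sequence order and the first whose ACL matches
            # the traffic wins, so the lower-numbered (old) entry shadows the
            # staged one until it is removed at cutover.
            findings.append(f"{name}: seq {mine[0]} shadows seq {mine[1:]} for "
                            f"peer {peer} (same ACL {acls.pop()})")
        for s in mine:
            for ver in sorted(seqs[s]["ike"]):
                state = "live" if (ver, iface) in enabled else "staged"
                findings.append(f"{name} seq {s}: {ver} is {state} on {iface}")
    return findings


def removal_commands(config, peer, retire="ikev1"):
    """Negate the exact running-config lines of the retired IKE version for
    `peer`: its crypto map entry and its key under the peer's tunnel-group.
    The tunnel-group itself stays, because the IKEv2 entry reuses it."""
    entries, _, _ = parse(config)
    cmds, in_peer_tg = [], False
    for raw in config.splitlines():
        line = raw.strip()
        if m := ENTRY_RE.match(line):
            e = entries[m.group(1)][int(m.group(2))]
            if peer in e["peers"] and retire in e["ike"]:
                cmds.append("no " + line)
        elif m := TG_RE.match(line):
            in_peer_tg = m.group(1) == peer
        elif in_peer_tg and line.startswith(retire + " pre-shared-key"):
            cmds.append(f"tunnel-group {peer} ipsec-attributes")
            cmds.append(f" no {retire} pre-shared-key")
        elif not raw.startswith(" "):
            in_peer_tg = False  # left the peer's ipsec-attributes block
    return cmds
```

Run it with Python 3.8 or later (it uses the walrus operator) against `SAMPLE_CONFIG + STAGED_IKEV2` and peer `203.0.113.10`: `cutover_findings` reports that seq 10 shadows seq 15 and that IKEv2 is still staged, and `removal_commands` returns the three `no crypto map OUTSIDE-MAP 10 ...` lines plus the `no ikev1 pre-shared-key` under the tunnel-group, which is the list the second reply suggests keeping in Notepad. To run it on a real box, paste the output of `show running-config crypto map`, `show running-config crypto ikev1`/`ikev2` and `show running-config tunnel-group` in place of the constructed text.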