05-25-2012 11:41 PM
Hello,
I have an ASA 5520 with multiple site-to-site VPNs. A remote customer has changed their public IP address and now the VPN has gone down. How can I easily change the peer IP of the remote site to the new one without having to put the pre-shared key in again, as we don't know what it is and they don't manage their firewall?
Thanks
05-26-2012 12:10 AM
Hello Andy,
You will need to enter the pre-shared key again, as you will need to create a new tunnel-group with the new IP address.
You can perform the following command to get the pre-shared key:
more system:running-config | begin tunnel-group
Then look for the IP and the pre-shared key.
As soon as you have it, create a new tunnel-group with the new IP and set the pre-shared key previously used.
Now in the crypto map configuration, change the set peer IP address to the new IP on the right crypto map entry.
That should do it!
Let me know if I can do something else.
Julio
Rate all the helpful posts
Security Engineer
05-26-2012 12:19 AM
Hi,
Great I found the pre-shared key!
I have only ever used the ASDM to set up a new tunnel, could you explain how I remove/edit the old tunnel group via the CLI as I don't think I can do it via the ASDM.
Many thanks
05-26-2012 09:39 AM
Hi Andy,
I think this is what you are looking for.
I have specified the old configuration as well as the new configuration. The configuration will change on the ASA on which you have not made the IP address change.
To clear the existing configuration (Old) you can either do no tunnel-group 1.1.1.1 type ipsec-l2l or clear configure tunnel-group 1.1.1.1
Please let me know if this helps.
Thanks
Vishnu Sharma
05-26-2012 11:27 AM
Hi,
Wow, thanks for this. Can you check this before I do it?
This is what I have:
Current Old config
tunnel-group 80.*.*.19 type ipsec-l2l
tunnel-group 80.*.*.19 general-attributes
default-group-policy CBSO-L2L
tunnel-group 80.*.*.19 ipsec-attributes
pre-shared-key mykey19
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer 80.37.72.19
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
New config:
no tunnel-group 80.*.*.19 type ipsec-l2l
or
clear configure tunnel-group 80.*.*.19
new peer IP is 89.*.*.221
So all I add is this? The config above is much bigger; will that remain?
tunnel-group 89.*.*.220 type ipsec-l2l
tunnel-group 89.*.*.220 ipsec-attributes
pre-shared-key mykey123
crypto map outside_map 4 set peer 89.*.*.220
Thanks
05-26-2012 01:04 PM
Hi Andy,
You are correct except this (though I am not sure if this was intentional):
Current Old config
tunnel-group 80.*.*.19 ipsec-attributes
pre-shared-key mykey19
New config:
tunnel-group 89.*.*.220 ipsec-attributes
pre-shared-key mykey123
Please make sure that you enter the same old pre-shared-key in the new configuration.
Thanks,
Vishnu Sharma
05-26-2012 02:10 PM
Hello Andy,
I agree with Vishnu; that is the only thing you will need to check: the pre-shared key.
The rest of the configuration is perfect.
Rate the helpful posts
Julio
05-28-2012 02:42 AM
Hi guys,
Sorry, that pre-shared key was just a typo by me. However, this didn't work for me, so I guess I have done something wrong.
This command didn't work:
no tunnel-group 1.1.1.1 type ipsec-l2l
The options I have after type are:
no tunnel-group 1.1.1.1 ?
configure mode commands/options:
general-attributes Enter the general-attributes sub command mode
ipsec-attributes Enter the ipsec-attributes sub command mode
The type option isn't there.
Thanks
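The procedure the thread settles on is: pull the clear-text pre-shared key from `more system:running-config` (plain `show running-config` masks it as `*****`), create a tunnel-group for the new peer with the same attributes, point the crypto map entry at the new peer, and remove the old tunnel-group. The script below is an added example written for this thread, not code from the original posts or from Cisco: it parses a constructed running-config excerpt shaped like the one Andy posted (addresses and key are made up), refuses to proceed if the key is still masked, and prints the migration commands to review before pasting them into the ASA. It uses `clear configure tunnel-group <peer>`, the removal form Vishnu offered that does not depend on the `type` keyword. The function and variable names are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `more system:running-config | begin tunnel-group` output,
# modelled on the structure in Andy's post (peer addresses and key are made up).
SAMPLE_CONFIG = """\
tunnel-group 80.0.0.19 type ipsec-l2l
tunnel-group 80.0.0.19 general-attributes
 default-group-policy CBSO-L2L
tunnel-group 80.0.0.19 ipsec-attributes
 pre-shared-key mykey19
crypto map outside_map 4 match address outside_4_cryptomap
crypto map outside_map 4 set pfs group5
crypto map outside_map 4 set peer 80.0.0.19
crypto map outside_map 4 set transform-set ESP-AES-256-SHA
crypto map outside_map 4 set security-association lifetime seconds 28800
crypto map outside_map 5 set peer 203.0.113.7
"""


def parse_tunnel_group(config: str, peer: str) -> Dict[str, List[str]]:
    """Collect the `type` and the indented sub-mode lines of every
    `tunnel-group <peer> ...` block for one peer."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        m = re.match(rf"^tunnel-group {re.escape(peer)} (\S+)(.*)$", line)
        if m:
            mode = m.group(1)
            if mode == "type":
                blocks["type"] = [m.group(2).strip()]   # e.g. ipsec-l2l
                current = None
            else:
                current = blocks.setdefault(mode, [])  # general-/ipsec-attributes
            continue
        if line.startswith(" ") and current is not None:
            current.append(line.strip())               # sub-mode line
        else:
            current = None                             # left the block
    return blocks


def crypto_map_entries_for_peer(config: str, peer: str) -> List[Tuple[str, int]]:
    """Return (map_name, sequence) for every crypto map entry whose peer is `peer`."""
    pat = re.compile(rf"^crypto map (\S+) (\d+) set peer {re.escape(peer)}$")
    matches = (pat.match(line) for line in config.splitlines())
    return [(m.group(1), int(m.group(2))) for m in matches if m]


def migration_commands(config: str, old_peer: str, new_peer: str) -> List[str]:
    """Build the CLI sequence that moves a site-to-site peer to a new address
    while keeping every tunnel-group attribute, including the pre-shared key."""
    tg = parse_tunnel_group(config, old_peer)
    if "type" not in tg:
        raise ValueError(f"no tunnel-group found for peer {old_peer}")
    ipsec = tg.get("ipsec-attributes", [])
    # `show running-config` prints the key as *****; only the system: view shows it.
    if any(re.match(r"^pre-shared-key \*+$", attr) for attr in ipsec):
        raise ValueError("pre-shared-key is masked; read 'more system:running-config'")
    entries = crypto_map_entries_for_peer(config, old_peer)
    if not entries:
        raise ValueError(f"no crypto map entry sets peer {old_peer}")

    cmds = [f"tunnel-group {new_peer} type {tg['type'][0]}"]
    for mode in ("general-attributes", "ipsec-attributes"):
        if mode in tg:
            cmds.append(f"tunnel-group {new_peer} {mode}")
            cmds.extend(f" {attr}" for attr in tg[mode])
            cmds.append(" exit")
    # Only the entries that pointed at the old peer are touched; other peers stay.
    for map_name, seq in entries:
        cmds.append(f"crypto map {map_name} {seq} set peer {new_peer}")
    cmds.append(f"clear configure tunnel-group {old_peer}")
    return cmds


if __name__ == "__main__":
    for cmd in migration_commands(SAMPLE_CONFIG, "80.0.0.19", "89.0.0.220"):
        print(cmd)
```

The script only generates and prints the commands; review the output against the running-config before applying it, and note that the key is handled in clear text, so run it from a workstation where the captured config is already protected.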
01-04-2018 02:56 PM
Thumbs up, this worked for me also.
01-04-2018 02:59 PM
That did it for me!