Change Peer IP on existing L2L VPN Tunnel

GREG HARPER
Level 1

I need to modify the peer IP of an existing VPN tunnel and also change the remote hosts in the crypto map.  Can you send me instructions on best practices for accomplishing this?

I'm assuming I will need to clear the crypto map before making changes.


Thanks in advance,

G

2 Replies

Vishnu Sharma
Level 1

Hi,

You just need to change two things in your configuration.

1. Peer IP in tunnel-group

2. Peer IP in crypto map.

Please find steps below:

1. Run this command on the ASA and capture the complete output. Command: more system:running-config

2. When you run this command, you will be able to see the pre-shared keys as well; otherwise a normal show run will show you "*" instead of the characters.

3. Copy the relevant tunnel-group along with its sub-commands, i.e. the ikev1 pre-shared-key command and group-policy lines, replace the old IP with the new IP address and paste it. Make sure you do include the pre-shared key below the new IP address. For example:

Existing Configuration: 192.168.1.1 (Old IP)

tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 ipsec-attributes
 pre-shared-key test123

crypto map outside_map 10 set peer 192.168.1.1

New Configuration will be: 10.1.1.1 (New IP)

tunnel-group 10.1.1.1 type ipsec-l2l
tunnel-group 10.1.1.1 ipsec-attributes
 pre-shared-key test123

crypto map outside_map 10 set peer 10.1.1.1

After making changes, renegotiate the tunnel and it will start to work.

Let me know if this helps.

Thanks,

Vishnu Sharma

This is an excellent suggestion about how to change the remote peer. As I read the original post there is also a need to change some of the hosts in the remote LAN which are identified in an access list which is referenced by the crypto map. To do this you would simply make the changes in the access list (create new ACL entries for new hosts and remove ACL entries for hosts no longer used). If you make the ACL changes before you create the new tunnel group then when the new tunnel group is negotiated it will use the altered ACL and there is no need to manually clear the crypto map.

 

HTH

 

Rick
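Both replies describe a change set that can be derived from the captured `more system:running-config` output: recreate the tunnel-group under the new peer address with its pre-shared key, repoint the crypto map entry, and (per the second reply) adjust the crypto ACL's host entries before the new tunnel-group negotiates. The Python script below is an added example, not code from this thread or from Cisco. It works on a constructed sample configuration (the ACL, map and tunnel-group names, addresses and key are made up), refuses to build a plan if the pre-shared key is masked the way plain `show run` prints it, and only generates the CLI lines; applying them and renegotiating the tunnel is left to the operator.

```python
import ipaddress
import re

# Constructed sample of `more system:running-config` output. Every name,
# address and key here is made up for the example, not taken from a real device.
SAMPLE_CONFIG = """\
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 172.16.5.10
access-list outside_cryptomap extended permit ip 192.168.10.0 255.255.255.0 host 172.16.5.11
crypto map outside_map 10 match address outside_cryptomap
crypto map outside_map 10 set peer 192.168.1.1
crypto map outside_map 10 set ikev1 transform-set ESP-AES-256-SHA
crypto map outside_map interface outside
tunnel-group 192.168.1.1 type ipsec-l2l
tunnel-group 192.168.1.1 general-attributes
 default-group-policy L2L_POLICY
tunnel-group 192.168.1.1 ipsec-attributes
 ikev1 pre-shared-key test123
"""

# A key masked by plain `show run` looks like "pre-shared-key *****".
MASKED_KEY = re.compile(r"pre-shared-key\s+\*+\s*$")
# Crypto ACL entries of the form used in the sample: local network -> remote host.
ACE = re.compile(r"^access-list (\S+) extended permit ip (\S+ \S+) host (\S+)$")


def _tunnel_group_blocks(lines, peer):
    """Return each 'tunnel-group <peer> ...' line with its indented sub-commands."""
    blocks, i = [], 0
    while i < len(lines):
        if lines[i].startswith(f"tunnel-group {peer} "):
            block = [lines[i]]
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i])
                i += 1
            blocks.append(block)
        else:
            i += 1
    return blocks


def plan_peer_change(config, old_peer, new_peer):
    """Build the CLI lines that recreate the tunnel-group under the new peer
    (key included) and repoint every crypto map entry from old to new peer."""
    old = str(ipaddress.ip_address(old_peer))  # ValueError on a malformed address
    new = str(ipaddress.ip_address(new_peer))
    lines = [ln.rstrip() for ln in config.splitlines() if ln.strip()]

    blocks = _tunnel_group_blocks(lines, old)
    if not blocks:
        raise ValueError(f"no tunnel-group for {old} in this configuration")
    for block in blocks:
        if any(MASKED_KEY.search(ln) for ln in block):
            raise ValueError("pre-shared key is masked; capture the config with "
                             "'more system:running-config' instead of 'show run'")

    plan = []
    # Paste the tunnel-group back with the new IP; sub-commands are kept verbatim.
    for block in blocks:
        plan.append(block[0].replace(f"tunnel-group {old} ", f"tunnel-group {new} ", 1))
        plan.extend(block[1:])

    # Drop the old peer from each crypto map entry, then set the new one.
    peer_re = re.compile(rf"^(crypto map \S+ \d+ set peer) {re.escape(old)}$")
    for ln in lines:
        m = peer_re.match(ln)
        if m:
            plan.append(f"no {ln}")
            plan.append(f"{m.group(1)} {new}")

    # Remove the old tunnel-group last, once nothing references the old peer.
    plan.append(f"no tunnel-group {old}")
    return plan


def plan_acl_change(config, acl_name, remove_hosts=(), add_hosts=()):
    """Build the crypto ACL edits: remove entries for hosts no longer used and add
    entries for new hosts, reusing the local network from the existing entries."""
    matches = [ACE.match(ln.rstrip()) for ln in config.splitlines()]
    aces = [m for m in matches if m and m.group(1) == acl_name]
    if not aces:
        raise ValueError(f"no host entries found in access-list {acl_name}")
    local = aces[0].group(2)
    remove = {str(ipaddress.ip_address(h)) for h in remove_hosts}
    plan = [f"no {m.group(0)}" for m in aces if m.group(3) in remove]
    existing = {m.group(3) for m in aces}
    for h in add_hosts:
        h = str(ipaddress.ip_address(h))
        if h not in existing:
            plan.append(f"access-list {acl_name} extended permit ip {local} host {h}")
    return plan


if __name__ == "__main__":
    # ACL edits go first so the new tunnel-group negotiates against the altered ACL.
    for line in plan_acl_change(SAMPLE_CONFIG, "outside_cryptomap",
                                remove_hosts=["172.16.5.11"], add_hosts=["172.16.5.20"]):
        print(line)
    for line in plan_peer_change(SAMPLE_CONFIG, "192.168.1.1", "10.1.1.1"):
        print(line)
```

The script emits the ACL changes before the peer changes, which is the ordering the second reply recommends, and it uses the explicit `no crypto map ... set peer` form before setting the new address so the entry does not end up with both peers listed.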
