We currently have a PKI-based IPSec Remote Access VPN running on an ASA. We need to switch the entire Trust Chain. During the migration window, we need to be able to support AnyConnect VPNs with either Trust Chain. I don't have a lab to test.
My current thinking is to use set trustpoint in the crypto map to differentiate between the two. Sequence 10 would use the current trust chain and sequence 20 would use the new trust chain.
Is this workable, and is this the best way to do it?
Thanks in advance.