05-12-2022 09:37 PM
Hi,
I would like to ask about VPN IKE and SA keys.
I have an active running VPN tunnel. I would like to add a second tunnel. Will it impact the current operation?
Will it need a router restart?
If I need to renew the router's certificate, do I need to restart the router?
Because at some sites the tunnel always comes up automatically, and at some sites the router needs to be restarted.
So how can I tell whether our VPN tunnel is using the new certificate or the old certificate?
05-12-2022 10:27 PM - edited 05-12-2022 10:32 PM
No, you do not need to restart the router.
The router will use the new certificate when the IKE SA expires. If you wish to test sooner, you could clear the IKE SA with "clear crypto ikev2 sa" or "clear crypto isakmp sa", then generate traffic if using a crypto map. The tunnel will establish; you can then use "show crypto ikev2 sa" or "show crypto isakmp sa", which will confirm you authenticated using the certificate.
Use the command "show crypto pki certificate" to confirm the new certificate imported correctly.
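Added example, not from this thread: a small Python parser for the "show crypto pki certificates" listing, which answers the question of which certificate the router will present once the IKE SA is rebuilt. It assumes the abridged output layout embedded below as constructed sample text (serial, validity dates, trustpoint name) and picks, for a given trustpoint and date, the certificate that is inside its validity window, reporting its serial and days left before expiry.

```python
import re
from datetime import datetime

# Constructed sample, modelled on an abridged IOS "show crypto pki certificates"
# listing: the renewed certificate and the old one under the same trustpoint.
SAMPLE_OUTPUT = """\
Certificate
  Certificate Serial Number (hex): 1A2B3C
  Validity Date:
    start date: 00:00:00 UTC May 1 2022
    end   date: 00:00:00 UTC May 1 2023
  Associated Trustpoints: VPN-TP
Certificate
  Certificate Serial Number (hex): 0F9E8D
  Validity Date:
    start date: 00:00:00 UTC May 1 2021
    end   date: 00:00:00 UTC May 1 2022
  Associated Trustpoints: VPN-TP
"""

IOS_DATE = "%H:%M:%S %Z %b %d %Y"  # e.g. "00:00:00 UTC May 1 2022"
FIELDS = {
    "serial": r"Serial Number \(hex\): (\S+)",
    "trustpoint": r"Associated Trustpoints: (\S+)",
    "start": r"start date: (.+)",
    "end": r"end\s+date: (.+)",
}

def parse_certs(text):
    """Turn each top-level 'Certificate' block of the show output into a dict."""
    certs = []
    for block in re.split(r"^Certificate$", text, flags=re.M)[1:]:
        cert = {}
        for key, pat in FIELDS.items():
            m = re.search(pat, block)
            cert[key] = m.group(1).strip() if m else None
        for key in ("start", "end"):
            cert[key] = datetime.strptime(cert[key], IOS_DATE)
        certs.append(cert)
    return certs

def active_cert(text, trustpoint, now_iso):
    """(serial, days_to_expiry) of the cert the router presents for the trustpoint
    on now_iso (YYYY-MM-DD): inside its validity window, newest start date wins."""
    now = datetime.fromisoformat(now_iso)
    valid = [c for c in parse_certs(text)
             if c["trustpoint"] == trustpoint and c["start"] <= now < c["end"]]
    if not valid:
        return None  # nothing valid: IKE authentication will fail after rekey
    cert = max(valid, key=lambda c: c["start"])
    return cert["serial"], (cert["end"] - now).days
```

Compare the returned serial with the one shown under the trustpoint in the running configuration; if the old certificate is still the only valid one, the new one has not been imported or its start date has not arrived yet.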
05-12-2022 10:27 PM - edited 05-14-2022 09:30 AM
For the tunnel to be up it needs to pass phase 1 and phase 2.
What makes the tunnel come up:
1- the ISAKMP timeout ends
2- resetting the tunnel
So you can wait 24 hours, the default timeout for phase 1 of the tunnel before it re-establishes,
or reset the tunnel with "clear crypto ipsec sa" and "clear crypto isakmp sa".
When you change the certificate, the router will automatically use the new certificate.
Here you make sure that you select the right certificate for this VPN tunnel.