03-12-2007 07:39 PM - edited 02-21-2020 02:55 PM
My company is in the process of converting our IP address to a different class C and would like to change our host IPSEC tunnel end point to something different ...THis has to be a slow cut over so I can i use this config for my interface and use the secondary as my IPSEC source.
interface FastEthernet0/1
ip address 208.74.x.x 255.255.255.128 secondary
ip address 67.132.x.x 255.255.255.224
no ip proxy-arp
speed 100
full-duplex
no cdp enable
crypto map xxx
03-13-2007 09:48 AM
Hello,
You even do not need to set a secondary ip address.
You can use single IKE identity so the VPN peer is identified by all of its peers with a single IKE identity which is achieved by using a loopback address (always up) that must be advertised by your routing protocol or by the mean of a static route.
This will save resources in the case when crypto map is bound to different interfaces for access link redundancy or in your case when you are planning to change the interface ip address, so the IKE SA will exist between the two peers regardless of which ip address is used.
In the other side you can point IPSec ?set peer? command to the peer loopback interface.
Additional features might help:
- IPSec keepalive/ DPD (Dead Peer Detection), this will intercept peer failure at time.
- Another feature that will clear the IPSec SA if a maximum idle timeout is reached.
I successfully tested the configuration, take a look at routers configuration file.
I hope I answered your question.
Have a good work,
AJN
03-14-2007 08:38 AM
03-15-2007 03:51 AM
Hi,
- Make sure that the ISAKMP, crypto map, tunnel dest. ip in the remote router use the loopback interface of the router.(where you are planning to change the ip)
- Both crypto maps are bound to the physical interfaces.
- The traffic will be first tunneled using GRE then encrypted using IPSec, so make sure you have a route for traffic between sites to tunnel interfaces, and a route for the GRE traffic to the physical interfaces to trigger crypto maps.
Take a look at the enclosed file with more detailed explanation and troubleshooting.
AJN
03-15-2007 05:42 AM
Thank you....Looks like I'm going to need to purchase another Ethernet card for this router because I already have a crypto map applied to my ethernet port and i can only have one crypto map per interface...
Once i apply this command cypto map tor2 local-address loopback1 my other tunnels will go down.
03-15-2007 07:53 AM
Hello,
Try to just ping the peer interface ip, and check the command ?show ip int? for errors, a hardware error should be the last thing to think about!
It looks like at one side GRE tunnel cannot reach its configured ip destination address, so double check your routing statements.
By the way, if you have multiple VPN IPSec connections through one interface you can use different ISAKMP and IPSec policies within the same crypto map but with different sequence numbers (the lower the number, the higher the priority) and you can bypass the limitation of one crypto map per interface.
Good luck!
AJN
03-15-2007 12:12 PM
Yes I can do that but once I add this command cypto map xxx local address loopback 0 wouldn't my other tunnels that are using the physical ip address go down?
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide