959 Views | 0 Helpful | 4 Replies

What is the recommended way to decommission a branch's VPN tunnel?

DaeHeon Kang (Level 1)

Hi,

I am looking for the best way to decommission the VPN tunnel of a branch that has been closed.

The VPN setup is established using Dynamic crypto map on DC site.

Each branch site is assigned with /24 subnet inside the LAN.

ex> Branch_1(10.10.0.0/24), Branch_2(10.10.1.0/24), Branch_3(10.10.2.0/24), Branch_4(10.10.3.0/24)

Branch subnets are grouped and assigned to the ACL for the VPN interesting traffic on DC site VPN setup.

ex> ip access-list extended branch-vpn
         permit ip 172.16.0.0 0.0.0.255 10.10.0.0 0.0.3.255

I need to decommission vpn tunnels to some closed branches on DC site.

I was thinking of modifying the branch-vpn ACL to do this (adding an earlier "deny ip 172.16.0.0 0.0.0.255 [closed branch subnet]" before "permit ip 172.16.0.0 0.0.0.255 10.10.0.0 0.0.3.255").

Will it be OK? Or is there a better, recommended way to do this?

4 Replies

@DaeHeon Kang 

If you are de-commissioning the branch, why can you not just unconfigure the VPN on the branch router/ASA? The VPN would never attempt to establish.

 

On the DC router/ASA, you could change the Pre-Shared Key of the Branch that has been de-commissioned.

Hi Rob,

 

This decommission job requires both sides (Branch and DC).

@DaeHeon Kang 

You said you've got a dynamic crypto map at the DC, in this instance only the spoke (branch) can initiate a tunnel. Never the other way around. So by decommissioning the branch, the hub won't attempt to build a tunnel. If you use unique PSK per branch spoke, then remove this from the hub.
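As an added example that is not part of this thread, the poster's ACL idea modelled in Python: it builds the hub's crypto ACL with one deny per closed branch ahead of the aggregate permit, renders the IOS lines, and evaluates sample flows first-match so you can see which traffic is still IPsec-interesting. The hub and branch subnets are the ones from the post; the closed-branch list, sequence numbers and sample hosts are constructed assumptions.

```python
import ipaddress

HUB_LAN = "172.16.0.0/24"          # hub-side subnet from the post
BRANCH_AGGREGATE = "10.10.0.0/22"  # "10.10.0.0 0.0.3.255" in the post's ACL


def wildcard(net: str) -> str:
    """Cisco wildcard mask for a CIDR network (the inverse of its netmask)."""
    return str(ipaddress.ip_network(net).hostmask)


def ace_matches(addr: str, base: str, wc: str) -> bool:
    """Wildcard semantics: bits that are 0 in the wildcard must match exactly."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wc))
    return (a | w) == (b | w)


def build_crypto_acl(closed_branches):
    """Hub crypto ACL as proposed in the post: a deny per closed branch placed
    ahead of the aggregate permit. Returns (action, src, src_wc, dst, dst_wc)."""
    hub = ipaddress.ip_network(HUB_LAN)
    acl = []
    for branch in closed_branches:  # constructed list of decommissioned /24s
        net = ipaddress.ip_network(branch)
        acl.append(("deny", str(hub.network_address), wildcard(HUB_LAN),
                    str(net.network_address), wildcard(branch)))
    agg = ipaddress.ip_network(BRANCH_AGGREGATE)
    acl.append(("permit", str(hub.network_address), wildcard(HUB_LAN),
                str(agg.network_address), wildcard(BRANCH_AGGREGATE)))
    return acl


def ios_lines(acl, name="branch-vpn"):
    """Render the ACL as IOS named-ACL commands with explicit sequence numbers
    (assumed 10, 20, ...) so the deny entries provably sort before the permit."""
    lines = [f"ip access-list extended {name}"]
    for seq, (action, s, sw, d, dw) in enumerate(acl, start=1):
        lines.append(f" {seq * 10} {action} ip {s} {sw} {d} {dw}")
    return lines


def classify(acl, src, dst):
    """First match wins; the implicit deny at the end means 'not interesting'."""
    for action, s, sw, d, dw in acl:
        if ace_matches(src, s, sw) and ace_matches(dst, d, dw):
            return action
    return "deny"


if __name__ == "__main__":
    acl = build_crypto_acl(["10.10.1.0/24"])  # constructed case: Branch_2 closed
    print("\n".join(ios_lines(acl)))
    for dst in ("10.10.0.5", "10.10.1.5", "10.10.2.5"):
        print(f"172.16.0.10 -> {dst}: {classify(acl, '172.16.0.10', dst)}")
```

A flow that hits the deny is simply no longer protected by the crypto map, not blocked, so if the hub still routes toward that subnet the packets would leave in cleartext; pair the ACL change with removing the branch's unique PSK on the hub, as the reply above suggests.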

@Rob Ingram 

What if I modify the ACL as I mentioned on my post?

Would it work?