KB ID 0000391 Dtd 07/02/11
I had a client the other week with about 25 sites, his core site was changing ISP and therefore changing its IP address. On the main site this is pretty straightforward, just change the outside interfaces IP address, sub net mask and the default route (That’s the default gateway for non cisco-ites).
Well you can simply delete the VPNs and recreate them, but multiply that by 24 – then add on all the extra config for the hairpins and that’s a massive amount of work (and for the client a LOT of downtime.) So a swift config change on the remote sites is a much better idea.
In this example my main site (18.104.22.168) has changed its IP address to (22.214.171.124), and I need to reconfigure the remote site(s).
1. First – you need to understand a couple of things, for a VPN to work, it needs the IP address of the "Other End" of the tunnel in two places.
a. In the Cryptomap.
b. In a Tunnel Group.
3. To see all the cryptomaps issue a "show run crypto map" command. (you may see more or less depending on the amount of VPN tunnels you have.
4. From the example above we can see the tunnel we want to change is using "outside_map 2" so lets remove the entry for the old IP address and put one in for the new IP address.
5. That’s the cryptomap changed, now for the tunnel group. You can see all your tunnel groups with a "sho run tun" command.
6. To delete a tunnel group, you use the "clear config tunnel-group" command.
Note: Before you delete it, make sure you know the pre shared key / shared secret – to see this, issue a "more system:running-config" command.
7. Then simply create a new tunnel group, with the new IP address, and the same shared secret / pre shared key as the old one.
8. Save the new config with a "write mem" command
RemoteSite(config)# write mem Building configuration… Cryptochecksum: f3645705 ae6bafda c5606697 ecd61948
9830 bytes copied in 1.550 secs (9830 bytes/sec) [OK] RemoteSite(config)#
9. Job done!
Well that didn’t seem very quick? No, but for the sake of explanation I did go a little deep, if you have multiple sites, just have the following in notepad.
no crypto map outside_map 2 set peer 126.96.36.199
crypto map outside_map 2 set peer 188.8.131.52
clear config tunnel-group 184.108.40.206
tunnel-group 220.127.116.11 type ipsec-l2l
tunnel-group 18.104.22.168 ipsec-attributes
Then simply jump from site to site changing the cryptomap name and shared secret for each one. If you get all this info first, you can migrate hundreds of sites in minutes, (That’s why I prefer command line to GUI ASDM).
2. Remove the old one > OK > Apply.
3. Configuration > Site-to-Site VPN > Advanced > Crypto Maps > Select the old one > Delete > Apply.
4. Then to add a new one > Add > Set the Tunnel group name to the new IP > Enter the shared secret > OK > Apply.
5. Finally Save the changes > File > Save running configuration to Flash.
For older firewalls you will notice there is no "Tunnel-Group", these came in with version 7. The process is similar, again you have to change the peer entry in the cryptomap, but you also need to set an isakmp peer.
no crypto map outside_map 20 set peer 22.214.171.124
crypto map outside_map 20 set peer 126.96.36.199
no isakmp key ******** address 188.8.131.52 netmask 255.255.255.255
isakmp key 123456789 address 184.108.40.206 netmask 255.255.255.255
Related Articles, References, Credits, or External Links