[c-nsp] Cisco IPSec VPN's (Tunnel Interfaces) migrating from 12.2.25 to 15.1.4

Blake Pfankuch - Mailing List blake.mailinglist at pfankuch.me
Sat Sep 14 10:00:32 EDT 2013 

That was going to be my plan as well, however we don't have access to the devices, this vendor manages them.  I have an account that can view the config so it gets stored in our config repository and that's it.  Based on what I can see, im going to have to call BS on the vendor...

Thanks for confirming my assumptions.

Blake

-----Original Message-----
From: Gert Doering [mailto:gert at greenie.muc.de] 
Sent: Friday, September 13, 2013 4:54 AM
To: Blake Pfankuch - Mailing List
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Cisco IPSec VPN's (Tunnel Interfaces) migrating from 12.2.25 to 15.1.4

HI,

On Thu, Sep 12, 2013 at 09:49:01PM +0000, Blake Pfankuch - Mailing List wrote:
> Working with a vendor who is saying that when we "upgrade" from 12.2.25 to 15.1.4 on a couple of 2800 series routers holding about 15 IPSec vpn's and tunnel interfaces with EIGRP across them we are going to have to rewrite all of the config due to completely new command syntax on 15.1.4 compared to 12.2.25.
> 
> Has anyone run into this before?  I am seeing little differences, but not crazy amounts...

Without being able to specifically answer your question, I think there's two aspects to it

 - *usually* IOS does a tremendous job in understanding old configs, and
   rewriting to new format when upgrading on "main line" trains (when
   going from stuff like 12.0S to 12.2SB to 12.4, that might not always
   work)

 - that "vendor" might have learned that newer IOS have an *additional*
   way to configure IPSEC - the old way is "crypto map on the outside
   interface", while the new way is "a tunnel interface with encapsulation
   IPSEC".  If you want to use the new way, you'll have to rewrite your
   config, but *as far as I understand* "crypto map style" is still
   supported.

So... I would just try it on one box, and if it comes up and all the IPSEC config is borked, go back to 12.2, and go to the lab to see what needs changing :-)

gert
--
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

More information about the cisco-nsp mailing list