[c-nsp] Changing Peer IP of VPN headend

Tony td_miles at yahoo.com
Wed Apr 1 19:49:40 EDT 2015


Hi Michael,
I don't know about the ability to provision IPSec on a secondary IP address on the router, but given you could pick up another 2801 for about $100, why not grab one, configure it up on your new IP address and cut things over in a more controlled fashion? You can move one tunnel at a time and just update your routing to point the traffic for each remote IPSec subnet/site to the appropriate router. Once you've got all of your remote endpoints moved to the new IP address, remove the surplus router.
Could also be a good chance to upgrade to something newer than a 2801 if you desire, although I'm not really an advocate of upgrading hardware if there isn't really any reason for it.

regards,
Tony.

From: Michael Malitsky <malitsky at netabn.com>
To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Sent: Thursday, 2 April 2015, 1:05
Subject: [c-nsp] Changing Peer IP of VPN headend

Greetings,

I need to change the public IP of my VPN headend, which will necessitate corresponding Peer IP changes on all N remote peers.  We already have the new IP space, currently configured as a secondary address.  Problem is that N-1 of the peers are completely outside of our control, and scheduling all of them to cut over within a narrow window (one day?) is going to be very challenging to say the least.  Is there a way to cut them over one-by-one, perhaps a way to bind another crypto map to the secondary IP address?  My searching on Google and Cisco led me to believe the answer is NO, but I am hoping I missed something.

Router in question is a 2801.  All VPNs are site-to-site IPSEC.

Sincerely,
Michael Malitsky

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


  

