[c-nsp] Changing Peer IP of VPN headend

Thu Apr 2 10:31:25 EDT 2015

The ISP is not giving me a new circuit, just swapping IP space, so I am limited to one interface on one box.  Is there a way to bind multiple crypt maps to an interface?  Or a way to bind different entries in a crypto map to different source IPs?

Sincerely,
Michael Malitsky

-----Original Message-----

Date: Wed, 1 Apr 2015 23:49:40 +0000 (UTC)
From: Tony <td_miles at yahoo.com>
To: Michael Malitsky <malitsky at netabn.com>,
	"cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Changing Peer IP of VPN headend
Message-ID:
	<308918667.3284805.1427932180978.JavaMail.yahoo at mail.yahoo.com>
Content-Type: text/plain; charset=UTF-8

Hi Michael,
I don't know about the ability to provision IPSec on a secondary IP address on the router, but given you could pick up another 2801 for about $100 why not grab one, configure it up on your new IP address and cut things over in a more controlled fashion. You can move one tunnel at a time and just update your routing to point the traffic for each remote IPSec subnet/site to the appropriate router. Once you've got all of your remote endpoints moved to new IP address remove the surplus router.
Could also be a good chance to upgrade to something newer than a 2801 if you desire, although I'm not really an advocate of upgrading hardware if there isn't really any reason for it.

regards,Tony.
      From: Michael Malitsky <malitsky at netabn.com>
 To: "cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
 Sent: Thursday, 2 April 2015, 1:05
 Subject: [c-nsp] Changing Peer IP of VPN headend

Greetings,

I need to change the public IP of my VPN headend, which will necessitate corresponding Peer IP changes on all N remote peers.? We already have the new IP space, currently configured as a secondary address.? Problem is that N-1 of the peers are completely outside of our control, and scheduling all of them to cut over within a narrow window (one day?) is going to be very challenging to say the least.? Is there a way to cut them over one-by-one, perhaps a way to bind another crypto map to the secondary ip address?? My searching on google and cisco lead me to believe the answer is NO, but I am hoping I missed something.

Router in question is a 2801.? All VPNs are site-to-site IPSEC.

Sincerely,
Michael Malitsky

_______________________________________________
cisco-nsp mailing list? cisco-nsp at puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

------------------------------

Message: 6
Date: Wed, 01 Apr 2015 23:13:53 -0700
From: Octavio Alvarez <alvarezp at alvarezp.ods.org>
To: Michael Malitsky <malitsky at netabn.com>,
	"cisco-nsp at puck.nether.net" <cisco-nsp at puck.nether.net>
Subject: Re: [c-nsp] Changing Peer IP of VPN headend
Message-ID: <551CDE21.9020709 at alvarezp.ods.org>
Content-Type: text/plain; charset=windows-1252

On 01/04/15 08:05, Michael Malitsky wrote:
> I need to change the public IP of my VPN headend, which will 
> necessitate corresponding Peer IP changes on all N remote peers.  We 
> already have the new IP space, currently configured as a secondary 
> address.  Problem is that N-1 of the peers are completely outside of 
> our control, and scheduling all of them to cut over within a narrow 
> window (one day?) is going to be very challenging to say the least.
> Is there a way to cut them over one-by-one, perhaps a way to bind 
> another crypto map to the secondary ip address?  My searching on 
> google and cisco lead me to believe the answer is NO, but I am hoping 
> I missed something.

I would try using a different physical interface in the router to have another crypto map (you can even use "crypto map local-address"). If you don't have another physical interface you could --depending on your
topology-- change your output interface to an 802.1Q trunk and have two subinterfaces.

> Router in question is a 2801.  All VPNs are site-to-site IPSEC.

Best regards.

------------------------------