The ISP is not giving me a new circuit, just swapping IP space, so I am limited to one interface on one box. Is there a way to bind multiple crypt maps to an interface? Or a way to bind different entries in a crypto map to different source IPs?
Sincerely, Michael Malitsky -----Original Message----- Date: Wed, 1 Apr 2015 23:49:40 +0000 (UTC) From: Tony <td_mi...@yahoo.com> To: Michael Malitsky <malit...@netabn.com>, "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net> Subject: Re: [c-nsp] Changing Peer IP of VPN headend Message-ID: <308918667.3284805.1427932180978.javamail.ya...@mail.yahoo.com> Content-Type: text/plain; charset=UTF-8 Hi Michael, I don't know about the ability to provision IPSec on a secondary IP address on the router, but given you could pick up another 2801 for about $100 why not grab one, configure it up on your new IP address and cut things over in a more controlled fashion. You can move one tunnel at a time and just update your routing to point the traffic for each remote IPSec subnet/site to the appropriate router. Once you've got all of your remote endpoints moved to new IP address remove the surplus router. Could also be a good chance to upgrade to something newer than a 2801 if you desire, although I'm not really an advocate of upgrading hardware if there isn't really any reason for it. regards,Tony. From: Michael Malitsky <malit...@netabn.com> To: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net> Sent: Thursday, 2 April 2015, 1:05 Subject: [c-nsp] Changing Peer IP of VPN headend Greetings, I need to change the public IP of my VPN headend, which will necessitate corresponding Peer IP changes on all N remote peers.? We already have the new IP space, currently configured as a secondary address.? Problem is that N-1 of the peers are completely outside of our control, and scheduling all of them to cut over within a narrow window (one day?) is going to be very challenging to say the least.? Is there a way to cut them over one-by-one, perhaps a way to bind another crypto map to the secondary ip address?? My searching on google and cisco lead me to believe the answer is NO, but I am hoping I missed something. Router in question is a 2801.? All VPNs are site-to-site IPSEC. Sincerely, Michael Malitsky _______________________________________________ cisco-nsp mailing list? cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/ ------------------------------ Message: 6 Date: Wed, 01 Apr 2015 23:13:53 -0700 From: Octavio Alvarez <alvar...@alvarezp.ods.org> To: Michael Malitsky <malit...@netabn.com>, "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net> Subject: Re: [c-nsp] Changing Peer IP of VPN headend Message-ID: <551cde21.9020...@alvarezp.ods.org> Content-Type: text/plain; charset=windows-1252 On 01/04/15 08:05, Michael Malitsky wrote: > I need to change the public IP of my VPN headend, which will > necessitate corresponding Peer IP changes on all N remote peers. We > already have the new IP space, currently configured as a secondary > address. Problem is that N-1 of the peers are completely outside of > our control, and scheduling all of them to cut over within a narrow > window (one day?) is going to be very challenging to say the least. > Is there a way to cut them over one-by-one, perhaps a way to bind > another crypto map to the secondary ip address? My searching on > google and cisco lead me to believe the answer is NO, but I am hoping > I missed something. I would try using a different physical interface in the router to have another crypto map (you can even use "crypto map local-address"). If you don't have another physical interface you could --depending on your topology-- change your output interface to an 802.1Q trunk and have two subinterfaces. > Router in question is a 2801. All VPNs are site-to-site IPSEC. Best regards. ------------------------------ _______________________________________________ cisco-nsp mailing list cisco-nsp@puck.nether.net https://puck.nether.net/mailman/listinfo/cisco-nsp archive at http://puck.nether.net/pipermail/cisco-nsp/