The ISP is not giving me a new circuit, just swapping IP space, so I am limited 
to one interface on one box.  Is there a way to bind multiple crypto maps to an 
interface?  Or a way to bind different entries in a crypto map to different 
source IPs?

Sincerely,
Michael Malitsky


-----Original Message-----

Date: Wed, 1 Apr 2015 23:49:40 +0000 (UTC)
From: Tony <td_mi...@yahoo.com>
To: Michael Malitsky <malit...@netabn.com>,
        "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Changing Peer IP of VPN headend
Message-ID:
        <308918667.3284805.1427932180978.javamail.ya...@mail.yahoo.com>
Content-Type: text/plain; charset=UTF-8

Hi Michael,
I don't know about the ability to provision IPSec on a secondary IP address on 
the router, but given you could pick up another 2801 for about $100 why not 
grab one, configure it up on your new IP address and cut things over in a more 
controlled fashion. You can move one tunnel at a time and just update your 
routing to point the traffic for each remote IPSec subnet/site to the 
appropriate router. Once you've got all of your remote endpoints moved to new 
IP address remove the surplus router.
Could also be a good chance to upgrade to something newer than a 2801 if you 
desire, although I'm not really an advocate of upgrading hardware if there 
isn't really any reason for it.

regards,
Tony.

From: Michael Malitsky <malit...@netabn.com>
To: "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Sent: Thursday, 2 April 2015, 1:05
Subject: [c-nsp] Changing Peer IP of VPN headend

Greetings,

I need to change the public IP of my VPN headend, which will necessitate 
corresponding Peer IP changes on all N remote peers.  We already have the new 
IP space, currently configured as a secondary address.  Problem is that N-1 of 
the peers are completely outside of our control, and scheduling all of them to 
cut over within a narrow window (one day?) is going to be very challenging to 
say the least.  Is there a way to cut them over one-by-one, perhaps a way to 
bind another crypto map to the secondary ip address?  My searching on google 
and cisco led me to believe the answer is NO, but I am hoping I missed 
something.

Router in question is a 2801.  All VPNs are site-to-site IPSEC.

Sincerely,
Michael Malitsky

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


  

------------------------------

Message: 6
Date: Wed, 01 Apr 2015 23:13:53 -0700
From: Octavio Alvarez <alvar...@alvarezp.ods.org>
To: Michael Malitsky <malit...@netabn.com>,
        "cisco-nsp@puck.nether.net" <cisco-nsp@puck.nether.net>
Subject: Re: [c-nsp] Changing Peer IP of VPN headend
Message-ID: <551cde21.9020...@alvarezp.ods.org>
Content-Type: text/plain; charset=windows-1252

On 01/04/15 08:05, Michael Malitsky wrote:
> I need to change the public IP of my VPN headend, which will 
> necessitate corresponding Peer IP changes on all N remote peers.  We 
> already have the new IP space, currently configured as a secondary 
> address.  Problem is that N-1 of the peers are completely outside of 
> our control, and scheduling all of them to cut over within a narrow 
> window (one day?) is going to be very challenging to say the least.
> Is there a way to cut them over one-by-one, perhaps a way to bind 
> another crypto map to the secondary ip address?  My searching on 
> google and cisco led me to believe the answer is NO, but I am hoping 
> I missed something.

I would try using a different physical interface in the router to have
another crypto map (you can even use "crypto map local-address"). If you
don't have another physical interface you could --depending on your
topology-- change your output interface to an 802.1Q trunk and have two
subinterfaces.

> Router in question is a 2801.  All VPNs are site-to-site IPSEC.

Best regards.

