Changing peer IP for multiple IPSec VPNs

Jul 30th, 2012

One of our routers has multiple IPSec site-to-site VPNs and the public IP of our router needs to change as our ISP is changing. I was wondering if there is a way I can migrate the IPSec VPNs on this router one by one instead of having all of them (remote side) change the peer IP at the same time. I know you can assign a secondary IP address to the interface and try to bring up the IPSec VPN using the secondary IP address, but I am not sure if that is reliable. Does anyone know of any other better way to do this?

Thank you.

Marcin Latosiewicz (Cisco Employee) Tue, 07/31/2012 - 00:31

How about something like that: Plug in the new ISP to a separate L3 interface, apply the same crypto map (I'm assuming non-static or lack of RRI), start migrating routing for VPNs (both peer IP and subnets) and make sure remote ends specify both IPs (old and new ISP assigned IP).

Marcin Latosiewicz (Cisco Employee) Tue, 08/14/2012 - 23:56

With a static crypto map it's a bit easier: you can choose which ISP is going to be chosen by setting routing for static peers via one interface or another.

You most likely need to do a similar thing for subnets reachable over VPN if you want full reliability. You can also try RRI ("reverse-route static" under crypto map entries for IPsec) to populate the routing table for you.


network_user Wed, 08/15/2012 - 07:39

I don't understand. When I am changing the IP address on an interface where the crypto map is applied, remote VPN sites need to change their peer IPs. Since I wanted to migrate remote VPNs to the new IP one by one and not all at once, how would that work?

Also, I don't have an additional interface on the router to create a new interface with the new IP address and a separate crypto map. The current setup has an Ethernet interface with the crypto map applied to it.

Thank you.

Marcin Latosiewicz (Cisco Employee) Thu, 08/16/2012 - 02:20

You can still use subinterfaces (dot1q tagged); they are L3 on routers.

But regardless, you can start adding remote peers to have both IP addresses as their peering points (both new and old ISP IP addresses). During transition, if they fail with one ISP they will try to establish with another.
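Added example (not from the thread or from Cisco) of the IOS configuration the last two replies describe: on the hub, the new ISP terminates on a dot1q subinterface carrying the same crypto map, and per-peer static routes decide which uplink each remote is reached through; on a remote site, a static crypto map lists both hub addresses with static RRI. All addresses, VLAN, names and the pre-shared key are constructed placeholders.

```cisco
! --- Hub side: new ISP on a dot1q subinterface, same crypto map ---
! Placeholders (constructed): 203.0.113.10 old ISP, 198.51.100.10 new ISP, VLAN 10
interface GigabitEthernet0/0
 description Old ISP uplink (existing)
 ip address 203.0.113.10 255.255.255.248
 crypto map VPN
!
interface GigabitEthernet0/0.10
 description New ISP uplink on a tagged subinterface
 encapsulation dot1Q 10
 ip address 198.51.100.10 255.255.255.248
 crypto map VPN
!
! Which uplink a remote uses is decided by the route toward that peer:
! steer this one remote (192.0.2.20) out the new ISP, leave the rest on the old one.
ip route 192.0.2.20 255.255.255.255 198.51.100.9
!
! --- Remote side: accept either hub address for the duration of the migration ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! A key is needed for each hub address the remote may negotiate with
crypto isakmp key ExamplePSKchangeMe address 203.0.113.10
crypto isakmp key ExamplePSKchangeMe address 198.51.100.10
!
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
!
ip access-list extended VPN_TRAFFIC
 permit ip 10.20.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto map VPN 10 ipsec-isakmp
 set peer 203.0.113.10
 set peer 198.51.100.10
 set transform-set TS
 match address VPN_TRAFFIC
 reverse-route static
!
interface GigabitEthernet0/1
 ip address 192.0.2.20 255.255.255.248
 crypto map VPN
```

The remote tries the peers in the order listed and moves to the next only when IKE to the first fails, so list first the hub address that the hub currently routes this remote through; once every remote has been moved, the old `set peer` line and key can be removed.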

