hi,
i need to update the IKE phase 1 and 2 policies to a stronger method on an IOS router acting as an EZVPN server. to my knowledge the EZVPN server "pushes" the IKE P1 and P2 policy to the remote client.
my question is: will changing the IKE P1 and P2 policy cause downtime? or will it just wait for the lifetime to expire and re-establish using the new policy? i plan to lab this up soon but don't have the time to do it yet. i just want to get some quick feedback on this in the meantime.
crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
no crypto isakmp policy 1 <<< WILL THIS CAUSE A DOWNTIME??
i also plan to update the IKE P2/transform set policy. can i just overwrite the current P2 policy so i can re-use the current transform set name (ESP-3DES-SHA) under the crypto ipsec profile? will it also cause downtime on the EZVPN client?
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
 mode tunnel
!
crypto ipsec profile MY-PROF
 set security-association idle-time 86400
 set transform-set ESP-3DES-SHA <<<
 set isakmp-profile IKE-PROF
crypto ipsec transform-set ESP-3DES-SHA esp-aes 256 ah-sha256-hmac <<< CAN I JUST OVERWRITE? NO NEED TO NEGATE OR PUT A 'no' ON THIS COMMAND
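A staged version of the same change, added here as an example and not part of the original post: the stronger ISAKMP policy and a transform set under a new name are introduced alongside the existing ones, the profile lists both transform sets during the transition, and the legacy entries are removed only after the SA tables show clients on the new parameters. It assumes the policy numbers, profile name and ESP-3DES-SHA name from the post; the name ESP-AES256-SHA256 is an assumption.

```cisco
! Phase 1: add the stronger policy while policy 1 still exists.
! A lower policy number is a higher priority, so 1 is evaluated before 10.
crypto isakmp policy 10
 encr aes 256
 hash sha256
 authentication pre-share
 group 5
!
! Phase 2: define the new transform set under a NEW name (assumed name)
! instead of overwriting the ESP-3DES-SHA definition in place.
crypto ipsec transform-set ESP-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The profile may list several transform sets; keeping the old one in the
! list lets clients that have not renegotiated yet still match.
crypto ipsec profile MY-PROF
 set transform-set ESP-AES256-SHA256 ESP-3DES-SHA
!
! Before removing anything, check which parameters the active SAs use
! (exec mode):
!   show crypto isakmp sa detail
!   show crypto ipsec sa | include transform
!
! Once every client shows the AES-256/SHA-256 parameters, drop the legacy
! transform set from the profile and remove the old definitions.
crypto ipsec profile MY-PROF
 set transform-set ESP-AES256-SHA256
no crypto ipsec transform-set ESP-3DES-SHA
no crypto isakmp policy 1
```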