Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1897
Views
0
Helpful
2
Replies

Will tunnel goes down if I am adding a new IP to encryption domain

aravind.krishnan
Level 1
Level 1

‎06-25-2012 04:46 AM - edited ‎03-11-2019 04:22 PM

Hello ALL,

My organisation have a VPN concentrator 3000 series which has many VPN tunnel. One of our customer wants to add new IP to encryption domain without disturbing existing connections. So while I am adding new IP's are after doing that is there a chance that tunnel goes down?

Regards,

Aravind

Labels:
0 Helpful
2 Replies 2

Jennifer Halim
Cisco Employee
Cisco Employee

‎06-25-2012 05:24 AM

The new IP subnet needs to be added to both end of the VPN tunnel, and preferrebly at the same time. Otherwise, when the SA expires, it will renegotiate the new key, and if the subnets do not mirror image between the 2 sites, the VPN tunnel will not come up.

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to Jennifer Halim

‎06-27-2012 03:30 AM

Hi,

I think I remember reading somewhere that it is suggested that the access-lists/rules that define the encryption domain should be exact mirror images of eachtother BUT they wouldnt have to be?

For example I have a L2L VPN connection (for test purposes) between an ASA and Cisco 7609s VPN module.

When I remove an ACE statement only from the other peer and clear the connection and generate traffic to the VPN tunnel, it comes up. Even though the access-list arent exact mirror images. (the other one now having an useless extra statement)

Does the VPN then form SA for the networks that do match on both peers but simply ignore the VPN regarding the networks that dont match on both ends?

So to my understanding you should be safe to add rules to the VPN as long as you keep the original configuration there?

Also to my understanding if you have multiple access-list lines and want to remove only one, removing that one statement wont tear down the whole VPN connection but clear the SA related to those subnets/hosts.

- Jouni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card