Will the tunnel go down if I add a new IP to the encryption domain?
My organisation has a VPN concentrator 3000 series which has many VPN tunnels. One of our customers wants to add a new IP to the encryption domain without disturbing existing connections. So while I am adding the new IPs, or after doing that, is there a chance that the tunnel goes down?
The new IP subnet needs to be added to both ends of the VPN tunnel, and preferably at the same time. Otherwise, when the SA expires, it will renegotiate the new key, and if the subnets are not mirror images between the 2 sites, the VPN tunnel will not come up.
Re: Will the tunnel go down if I add a new IP to the encryption domain?
I think I remember reading somewhere that it is suggested that the access-lists/rules that define the encryption domain should be exact mirror images of each other, BUT they wouldn't have to be?
For example I have an L2L VPN connection (for test purposes) between an ASA and a Cisco 7609s VPN module.
When I remove an ACE statement only from the other peer and clear the connection and generate traffic to the VPN tunnel, it comes up. Even though the access-lists aren't exact mirror images. (The other one now has a useless extra statement.)
Does the VPN then form SAs for the networks that do match on both peers but simply ignore the VPN regarding the networks that don't match on both ends?
So to my understanding you should be safe to add rules to the VPN as long as you keep the original configuration there?
Also to my understanding, if you have multiple access-list lines and want to remove only one, removing that one statement won't tear down the whole VPN connection but will clear the SA related to those subnets/hosts.
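Both the answer (the two crypto ACLs must be mirror images, or the tunnel will not come up at rekey) and the reply (SAs are negotiated per matching subnet pair, so a non-mirrored extra line only affects that pair) can be checked before touching a production concentrator. The script below is an added example written for this thread, not code from Cisco or from either poster. It parses constructed ASA-style (netmask) and IOS-style (wildcard) crypto ACL lines, mirrors one peer's entries and reports which proxy-ID pairs match on both ends, which exist on one side only, and what a proposed edit keeps, adds and removes. The ACL names, subnets and the `OUTSIDE_CRYPTO` / `101` identifiers are made up for the example.

```python
import ipaddress
from typing import List, Tuple

Net = ipaddress.IPv4Network
Entry = Tuple[Net, Net]  # (source network, destination network) of one ACE


def _read_net(tok: List[str], j: int) -> Tuple[Net, int]:
    """Read one address spec starting at tok[j]; return the network and the next index."""
    if tok[j] == "any":
        return Net("0.0.0.0/0"), j + 1
    if tok[j] == "host":
        return Net(f"{tok[j + 1]}/32"), j + 2
    # IPv4Network accepts a netmask (ASA: 255.255.0.0) or a wildcard/hostmask (IOS: 0.0.255.255)
    return Net(f"{tok[j]}/{tok[j + 1]}", strict=False), j + 2


def parse_crypto_acl(text: str) -> List[Entry]:
    """Parse 'permit ip SRC DST' ACEs (ASA 'extended' or IOS numbered style) into network pairs."""
    entries: List[Entry] = []
    for line in text.strip().splitlines():
        tok = line.split()
        if "permit" not in tok:
            continue
        j = tok.index("permit")
        if tok[j + 1] != "ip":  # only 'permit ip' ACEs define the encryption domain here (assumption)
            continue
        src, j = _read_net(tok, j + 2)
        dst, _ = _read_net(tok, j)
        entries.append((src, dst))
    return entries


def mirror(e: Entry) -> Entry:
    """What the same proxy-ID pair looks like from the other peer's point of view."""
    return (e[1], e[0])


def fmt(e: Entry) -> str:
    return f"{e[0]} -> {e[1]}"


def compare_peers(local: List[Entry], remote: List[Entry]):
    """Return (matched, local_only, remote_only).

    An entry is matched when the other peer carries its exact mirror image; only those
    pairs can negotiate a child SA. One-sided entries are the ones the thread warns about.
    """
    remote_mirrored = {mirror(e) for e in remote}
    local_set = set(local)
    matched = [e for e in local if e in remote_mirrored]
    local_only = [e for e in local if e not in remote_mirrored]
    remote_only = [e for e in remote if mirror(e) not in local_set]
    return matched, local_only, remote_only


def plan_change(old: List[Entry], new: List[Entry]):
    """Split a proposed ACL edit into (kept, added, removed) proxy-ID pairs.

    Kept pairs are untouched by the edit; added pairs need their mirror on the peer
    before they can come up; removed pairs are the only ones whose SA is cleared.
    """
    old_set, new_set = set(old), set(new)
    kept = [e for e in old if e in new_set]
    added = [e for e in new if e not in old_set]
    removed = [e for e in old if e not in new_set]
    return kept, added, removed


# Constructed sample ACLs (not from the thread). Peer A is an ASA, peer B an IOS router.
PEER_A_OLD = """
access-list OUTSIDE_CRYPTO extended permit ip 10.1.0.0 255.255.0.0 192.168.5.0 255.255.255.0
access-list OUTSIDE_CRYPTO extended permit ip host 10.9.9.9 192.168.5.0 255.255.255.0
"""
# The customer's request: add 10.2.0.0/16 on peer A only (peer B not yet updated).
PEER_A_NEW = PEER_A_OLD + """
access-list OUTSIDE_CRYPTO extended permit ip 10.2.0.0 255.255.0.0 192.168.5.0 255.255.255.0
"""
PEER_B = """
access-list 101 permit ip 192.168.5.0 0.0.0.255 10.1.0.0 0.0.255.255
access-list 101 permit ip 192.168.5.0 0.0.0.255 host 10.9.9.9
access-list 101 permit ip 192.168.5.0 0.0.0.255 172.16.0.0 0.0.0.255
"""

if __name__ == "__main__":
    a_old, a_new, b = (parse_crypto_acl(t) for t in (PEER_A_OLD, PEER_A_NEW, PEER_B))
    kept, added, removed = plan_change(a_old, a_new)
    print("edit on A keeps:", [fmt(e) for e in kept], "adds:", [fmt(e) for e in added],
          "removes:", [fmt(e) for e in removed])
    matched, a_only, b_only = compare_peers(a_new, b)
    print("will form SAs:", [fmt(e) for e in matched])
    print("on A only (no SA until B mirrors it):", [fmt(e) for e in a_only])
    print("on B only (stale extra line, harmless for the rest):", [fmt(e) for e in b_only])
```

Run it as-is and the report shows the two original pairs still matching, the new 10.2.0.0/16 pair stuck on peer A until peer B adds its mirror, and peer B's extra 172.16.0.0/24 line matching nothing, which is exactly the situation the reply describes. Dropping the two ACL texts into the constants and re-running gives the same pre-change check for a real pair of configurations.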