
New Member

IPSec Tunnel and Making Changes While Up

My main MPLS circuit is down and I have two IPSec tunnels up to my remote sites.

Everything is routing fine, but I wanted to add a subnet to my NAT and tunnels.

Can I add a new subnet to my local network/remote network and save/apply without killing or resetting my active IPSec tunnels?

2 ACCEPTED SOLUTIONS
VIP Super Bronze

Adding a subnet to your NAT statement should not affect anything.  What type of device are you using?

HTH

Hall of Fame Super Silver

Reza has interpreted your question in terms of NAT and I agree with him that you should be able to change the NAT configuration without impacting other parts of the router operation and connectivity.

But I read your question as involving both NAT and IPSec tunnels. And I believe that the answer is different when you consider IPSec tunnels. You can go ahead and change the configuration of the tunnels while they are up. But the tunnels negotiated their Security Associations based on the config in place when the tunnels came up. They will continue to use those Security Associations after you make your config change. So if you are changing things like what subnets are in the access list used to identify traffic for IPSec, these changes will not take effect until a new Security Association is negotiated. You can either wait for the lifetime to expire and a new SA to be negotiated, or you can reset the IPSec tunnels and force a new negotiation. Also note that if you are changing the access list on your end, someone on the other end needs to make a corresponding change on their end.

HTH

Rick
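The procedure Rick describes, worked through as an added example (this is not configuration from the thread, from Reza or Rick, or from Cisco documentation). It assumes a Cisco IOS router, since the OP never named the device, running a crypto-map based IKEv1 site-to-site tunnel. Every name and address is hypothetical: peer 203.0.113.10, existing local LAN 192.168.10.0/24, the new local subnet 192.168.20.0/24, remote LAN 10.50.0.0/16, ACL and map names, and the pre-shared key. The point it adds to Rick's explanation is that IOS negotiates a separate IPsec SA pair for each crypto ACL entry, so the existing subnet's SAs are untouched by the edit while the new entry has no SA at all until something triggers a negotiation.

```cisco
! Added example, not from the thread. Hypothetical Cisco IOS router with a
! crypto-map based IKEv1 tunnel; all names, addresses and keys are made up.

! --- Existing tunnel definition (context only; nothing here changes) ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key ExamplePSK-ChangeMe address 203.0.113.10
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES256
 match address VPN-TO-SITEB
interface GigabitEthernet0/0
 description WAN
 ip nat outside
 crypto map VPNMAP
interface GigabitEthernet0/1
 description LAN
 ip nat inside

! --- Step 1: extend the crypto ACL with the new subnet ---
! Each permit line becomes its own IPsec SA pair. The 192.168.10.0/24 SAs
! stay up; the new line has no SA until traffic or a clear triggers one.
! The peer must add the mirror-image line (source and destination swapped),
! otherwise the proposal for the new selector is rejected at negotiation.
ip access-list extended VPN-TO-SITEB
 permit ip 192.168.10.0 0.0.0.255 10.50.0.0 0.0.255.255
 permit ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.255.255

! --- Step 2: exempt the new subnet's VPN traffic from NAT ---
! The deny lines must precede the permits: NAT runs before the crypto map on
! the outbound path, so a translated packet would never match the tunnel
! selector. Editing this ACL has no effect on existing SAs.
ip access-list extended NAT-INSIDE
 deny   ip 192.168.10.0 0.0.0.255 10.50.0.0 0.0.255.255
 deny   ip 192.168.20.0 0.0.0.255 10.50.0.0 0.0.255.255
 permit ip 192.168.10.0 0.0.0.255 any
 permit ip 192.168.20.0 0.0.0.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload

! --- Step 3 (exec mode): inspect, force renegotiation, verify ---
! Before: only the 192.168.10.0/24 <-> 10.50.0.0/16 identity pair appears.
show crypto ipsec sa peer 203.0.113.10 | include local ident|remote ident|#pkts encaps
! Clear only the IPsec (phase 2) SAs for this peer; the ISAKMP SA stays up.
! The next interesting packet, e.g. a ping sourced from a 192.168.20.0/24
! address, rebuilds phase 2 for every matching ACL entry, including the new one.
clear crypto sa peer 203.0.113.10
! After: two local/remote ident pairs, and the second pair's encaps counter
! climbs once hosts in 192.168.20.0/24 send traffic across the tunnel.
show crypto ipsec sa peer 203.0.113.10 | include local ident|remote ident|#pkts encaps
show crypto session detail
```

Whether the configuration edit by itself tears down the existing SAs varies by platform and software (the OP's follow-up reports a brief reset on applying the change), so run the before/after `show crypto ipsec sa` comparison either way: the check is that an SA pair exists for the new identity pair and that its encaps/decaps counters move, not merely that the tunnel shows as up.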

3 REPLIES

New Member

I was talking about making changes to the NAT and the IPSec tunnel configs.  When I applied my changes it did reset the tunnel, but it was a quick reset and re-established fine.

Thanks all
