Would anyone know what the impact might be on a DMVPN if I were to rename/recreate the internal IOS CA Server hostname and trustpoint?
I assume I would have to re-create the RSA certs and trustpoint from scratch. And then, I'd have to go to each of the routers (including spokes and headends) and re-acquire the new root cert, then re-enroll for new router certs which seems like it will bring down the tunnels... and since the CA server is internal, once the tunnels are down, the spokes will not be able to renew unless I configure a temporary pre-shared key crypto tunnel.
Is there a better, simpler way?
If anyone's ever done this in a lab, I'd appreciate any comments...
You will have to recreate the RSA certificates and trustpoints if you rename the IOS CA server. You can configure graceful rollover for certificates. Graceful rollover of certificates avoids sudden loss of services in which new connections use the new certificate; existing connections continue to use the old certificate until the connections are closed.
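An IOS configuration fragment for the graceful rollover mentioned in the answer above, added here as an illustration and not taken from either poster. The server name CA-SERVER, the trustpoint name DMVPN-TP, the address 192.0.2.1 and the timer values are placeholders chosen for the example.

```ios
! --- On the IOS CA server (CA-SERVER is a placeholder name) ---
crypto pki server CA-SERVER
 ! Generate the rollover (shadow) CA certificate 30 days before the
 ! current CA certificate expires, so clients can fetch it in advance.
 auto-rollover 30
!
! --- On each hub and spoke (DMVPN-TP and 192.0.2.1 are placeholders) ---
crypto pki trustpoint DMVPN-TP
 enrollment url http://192.0.2.1:80
 ! Request a replacement router certificate once 70% of the current
 ! certificate lifetime has elapsed, generating a new key pair for it.
 auto-enroll 70 regenerate
!
! --- Checks to run after the change ---
! show crypto pki server         (CA server state and rollover settings)
! show crypto pki timers         (pending renew and rollover timers)
! show crypto pki certificates   (certificates held by the trustpoint)
```

Renewal requests travel to the CA over the enrollment URL, so that address has to be reachable from every spoke at the time the timers fire.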