I have an ISR with live lan2lan VPN tunnels and traffic on it.
The first question is if "crypto isakmp invalid-spi-recovery" can be enabled on the chassis with no harm to the live VPN tunnels.
The second question is: if "crypto isakmp invalid-spi-recovery" is enabled at only one end of the VPN tunnel, will it somehow prevent the VPN tunnel from forming SAs? (I do not have access to the remote VPN endpoints, and some of them actually run non-IOS appliances like ASA.)
1. Can I issue this command in the live environment, where I have multiple live L2L VPN tunnels? Will it kill the live VPN tunnels or make them renegotiate?
My second question is:
2. If I enable it on my end, and the other end either does not support it or does not have it in the configuration of their firewall or router, will it prevent VPN tunnels from being established? I.e., can this command be used on one end only?