Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Site-to-Site and Remote-Access on same interface

I'm working to consolidate internet links at one of our sites. Currently, one of the internet links is used for site to site vpn tunnels while another is used for remote-access connections.

What is the best way to consolidate these on to a single internet link?

Thanks.

Bobby

3 REPLIES
VIP Purple

Site-to-Site and Remote-Access on same interface

You can reconfigure all your VPNs to use the same interface. Probably you have a default-route on the interface for your RA-VPNs and static routes on the other interface for your site-to-site VPNs. Which one do you want to keep? Migrating the Site-2-Site-VPNs to the other interface is easier as you can move one VPN at a time. If you want to use the interface without the default-route you have to move all your RA-VPNs at once.

If that's not your scenario, give some more info about your network and your config.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Community Member

Site-to-Site and Remote-Access on same interface

It's actually a new link that both site-to-site and RA will migrate to. There are currently 2XT1 connections and it's migrating to a 5Mb circuit with ethernet handoff.

We know there will be some downtime for the tunnels while things are migrated.

Right now, there is a different crypto map applied to both of the T1 interfaces.

T-1(1)

crypto dynamic-map dynmap 10

crypto map SW-Client client authentication list local_authen

crypto map SW-Client isakmp authorization list groupauth

crypto map SW-Client client configuration address respond

crypto map SW-Client 10 ipsec-isakmp dynamic dynmap

T-1(2)

crypto map Map-1 2 ipsec-isakmp

set peer x

set security-association lifetime seconds 28800

set transform-set ESP-AES256-SHA

match address x

VIP Purple

Re: Site-to-Site and Remote-Access on same interface

Well, migrating the S2S-VPNs to the new link should be easy. RA can be a little more tricky because the clients have to know the new IP-address. For that you have multiple options:

If your clients have a FQDN configured as the Peer-address, then you can change it in DNS the day you want to start your migration.

If your clients have the IP of T1(1) configured you can use mode-config to push a backup-server-list where your new IP is included. You have to wait until all clients have connected to download the new list, then you can reconfigure the RA-VPN to the new link. The clients will try to reach the old address, fail with that and then try the next backup-server which is your new IP-address. Later your clients can be cleaned with new settings in the PCF. Or even better, let the old clients phase out (the IPSec client is EOL announced) and migrate to AnyConnect.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

169
Views
0
Helpful
3
Replies
CreatePlease to create content