
Having multiple External addresses for IPsec

I have a 4000 series appliance on r77.30 that is our externally facing gateway.

Our ISP is forcing us to change all of our public IP addresses (yay me).

We have quite a few IPsec tunnels for vendors, remote locations, etc... 

I'd like to find a way to simultaneously use both the old address and the new one for IPsec so that I can transition the tunnels one-by-one and not update every vendor simultaneously. In time, I could remove the old address entirely.

I have an external interface configured with the new address and it is able to ping externally.

Here's a breakdown:

1.1.1.1 - current address for IPsec

2.2.2.2 - new address that will be for IPsec

Tunnel 1- vendor ABC

Tunnel 2- vendor XYZ

Current setup-

Tunnels 1 and 2 are pointed at 1.1.1.1

Desired setup- 

Tunnel 1 -> pointed at 1.1.1.1

Tunnel 2 -> pointed at 2.2.2.2

Both tunnels running simultaneously without interruption.

This is a live environment so the lower the impact, the better.

Any advice is appreciated...

Thanks! 

0 Kudos
2 Replies

Re: Having multiple External addresses for IPsec

CP supports multiple external interfaces for both VPN and clear text traffic; look for ISP redundancy articles. Maintaining multiple S2S IPSec tunnels on both external interfaces is possible, but requires some additional effort to configure. The working solution should be a route-based VPN. To start looking into this, go to sk35560.

However, there is a caveat.

I assume you are using simplified Domain Based S2S VPNs, and the remote VPN GWs are under someone else's management. In such a case I would strongly advise you to consider alternative IP migration scenarios, as moving from a Domain Based to a Route Based VPN (VTIs or not) will only add complexity to your environment. In case you are not managing the remote GWs in the tunnels, you will also have to ask your VPN partners to reconfigure their sides.

0 Kudos
kamalive
Ivory

Re: Having multiple External addresses for IPsec

I find myself in the same situation. How did you end up going about it if I may ask?

0 Kudos