Does changing the IP on a site-to-site VPN require regenerating the key or not?

Castlewood
Our site-to-site VPN is currently running okay. Recently the branch site got a new T1 and needs to move to a new set of IPs. Here is what I did:
1. At the branch site, I changed the interface, NAT, and route to use the new IP and cycled the power. Users then accessed the internet without problems after the change.
2. At the main site, I changed the "set peer" to use the new IP, and cycled the power. I then tried to ping the branch site's internal IP, but it is not working. So the site-to-site VPN is not working after the IP change. What could be wrong? Do I need to do anything more than just changing the IP? Do I need to re-generate the key? Please help.

Here is the main site's current vpn config:
crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.179.41.73
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 20 authentication pre-share
isakmp policy 20 encryption des
isakmp policy 20 hash sha
isakmp policy 20 group 2
isakmp policy 20 lifetime 86400
tunnel-group 64.179.41.73 type ipsec-l2l
tunnel-group 64.179.41.73 ipsec-attributes
 pre-shared-key mykey-site2site
Head of IT Security Division
Top Expert 2010
Commented:
You need to change the peer address and key:

crypto map outside_map 20 set peer x.x.x.x
tunnel-group x.x.x.x  type ipsec-l2l
tunnel-group x.x.x.x  ipsec-attributes
 pre-shared-key mykey-site2site
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
and clear the old ip address key....

Best regards,
Istvan

Author

Commented:
I know how to change the set peer x.x.x.x but can you tell me how to clear the old ip address key?

Commented:
clear config tunnel-group x.x.x.x
no crypto map outside_map 20 set peer x.x.x.x
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
and

no crypto map outside_map 20 set peer 64.179.41.73
crypto map outside_map 20 set peer x.x.x.x

Author

Commented:
Thanks for the reply. Just want to clarify what exactly needs to be done:
Do I need to clear the old ip address key and re-create at both sites or just at the main site?
to clear:
clear config tunnel-group x.x.x.x
to re-create:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key mykey-site2site


Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
Yes,

and

no crypto map outside_map 20 set peer 64.179.41.73
crypto map outside_map 20 set peer x.x.x.x

Author

Commented:
Thanks. By the way, the x.x.x.x in the following commands is just a name, correct? It doesn't need to be ip address, and can be any name, correct?

to re-create:
tunnel-group x.x.x.x type ipsec-l2l
tunnel-group x.x.x.x ipsec-attributes
 pre-shared-key mykey-site2site
Commented:
On the ASA it needs to be the IP address of its peer if it's an L2L.
Istvan Kalmar, Head of IT Security Division
Top Expert 2010

Commented:
If you want to create L2L always use IP address

Author

Commented:
Actually you only need to generate the new key on the main site, since it is the branch site's IP that changed. The branch site's key is still correct since the main site's IP is unchanged.
And you don't even need to clear the old key at the main site, since you can add multiple keys. But since the old key will not be used anymore, it can be cleared.
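As an added example (not part of this thread, and not an Experts Exchange or Cisco tool), the following Python script derives the main-site change set the answers above describe from the config excerpt posted in the question: remove the old "set peer", add the new one, clear the old tunnel-group, and re-create the tunnel-group under the new peer IP with the same pre-shared key. It also enforces the point made by both experts that an L2L tunnel-group name on the ASA must be the peer's IP address, rejecting a bare name like x.x.x.x. The new branch IP 203.0.113.10 is a placeholder from the documentation range, since the thread never gives the real one, and the config text is copied from the question as constructed sample input. Nothing is generated for the branch site, because its peer (the main site's IP) did not change.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample input: the main-site excerpt posted in the question.
MAIN_SITE_CONFIG = """\
crypto map outside_map 20 match address outside_cryptomap_20
crypto map outside_map 20 set peer 64.179.41.73
crypto map outside_map 20 set transform-set ESP-DES-SHA
crypto map outside_map interface outside
tunnel-group 64.179.41.73 type ipsec-l2l
tunnel-group 64.179.41.73 ipsec-attributes
 pre-shared-key mykey-site2site
"""

PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) type ipsec-l2l$")
PSK_RE = re.compile(r"^\s+pre-shared-key (\S+)$")


def parse_l2l_peers(config: str) -> Dict[str, dict]:
    """Collect {peer: {"map": name, "seq": seq, "psk": key}} from ASA config text.

    Only the three line shapes that matter for an L2L peer change are read:
    'crypto map ... set peer', 'tunnel-group ... type ipsec-l2l' and the
    indented 'pre-shared-key' under 'tunnel-group ... ipsec-attributes'.
    """
    peers: Dict[str, dict] = {}
    current_tg = None  # tunnel-group whose sub-mode lines we are inside
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m:
            peers.setdefault(m.group(3), {}).update({"map": m.group(1), "seq": m.group(2)})
            continue
        m = TG_RE.match(line)
        if m:
            current_tg = m.group(1)
            peers.setdefault(current_tg, {})
            continue
        if line.startswith("tunnel-group "):
            # e.g. 'tunnel-group <peer> ipsec-attributes' opens a sub-mode
            current_tg = line.split()[1]
            continue
        m = PSK_RE.match(line)
        if m and current_tg is not None:
            peers.setdefault(current_tg, {})["psk"] = m.group(1)
    return peers


def peer_change_commands(config: str, old_peer: str, new_peer: str) -> List[str]:
    """Build the main-site commands for a branch whose public IP changed.

    The pre-shared key is reused unchanged; only the crypto map peer and the
    tunnel-group (named by peer IP for an L2L tunnel) move to the new address.
    Raises ValueError if new_peer is not an IP address, KeyError if the old
    peer is not fully present in the config.
    """
    ipaddress.ip_address(new_peer)  # an L2L tunnel-group name must be the peer IP
    peers = parse_l2l_peers(config)
    entry = peers.get(old_peer, {})
    if "psk" not in entry:
        raise KeyError(f"no L2L tunnel-group with a pre-shared key for {old_peer}")
    if "map" not in entry:
        raise KeyError(f"no crypto map entry sets peer {old_peer}")
    cmap, seq, psk = entry["map"], entry["seq"], entry["psk"]
    return [
        f"no crypto map {cmap} {seq} set peer {old_peer}",
        f"crypto map {cmap} {seq} set peer {new_peer}",
        f"clear config tunnel-group {old_peer}",
        f"tunnel-group {new_peer} type ipsec-l2l",
        f"tunnel-group {new_peer} ipsec-attributes",
        f" pre-shared-key {psk}",
    ]


if __name__ == "__main__":
    # 203.0.113.10 is a placeholder for the branch's new public IP.
    for cmd in peer_change_commands(MAIN_SITE_CONFIG, "64.179.41.73", "203.0.113.10"):
        print(cmd)
```

The ordering matters on a live box: the old tunnel-group is cleared only after the crypto map already points at the new peer, so the window in which the map references a tunnel-group that does not exist is as short as possible, and the key line is emitted last so it lands inside the new ipsec-attributes sub-mode.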
