Firewall Wizards mailing list archives
IP migration on "hub" VPN terminus [long]
From: "Robert L. Wanamaker" <bobw () avantsystems com>
Date: Tue, 23 Mar 2004 10:16:30 -0500
Greetings.

The challenge. 30 remote sites spread far apart enough geographically that site visits are not practical. The remote sites run PIX 506s, typically with version 5.x of the PIX OS and no 3-DES activation. The hub is a pair of 515-URs, in failover mode. The customer is switching ISPs at the hub, and must switch IP addresses. Hence the challenge: how to effectively cut over the remote sites to the new VPN peer?

The plan. A central admin console is capable of reaching each 506 in the field via the tunnels. Use this capability to do the following on each remote PIX:

(1) Upgrade to 6.3.x of the PIX OS.
(2) Use the activation key feature in the new OS to get 3-DES capability in place.
(3) Add the necessary statements for the Cisco Secure VPN client to connect from any location, and telnet into the remote PIX.
(4) Use the VPN client to directly connect to each PIX, and create a separate crypto map entry pointing to the new VPN peer.
(5) Split apart the 515s at the hub; run each in standalone mode, one connected to the old ISP network and one connected to the new ISP network.
(6) Cut the tie to the old ISP. Watch all the tunnels get gracefully rebuilt on the second 515 with little or no impact to users.
(7) Restore failover of the 515s.

Testing results. I've tested 1, 3 and 4 with good results. My only weird results are that Cisco's site has numerous examples of the VPN client connecting with DES encryption; however, I can only make it work with 3-DES. This is certainly a good excuse for getting the client up to current rev, but am I missing something?

Questions. Does this sound feasible? Is there a better way to accomplish this cutover?

Thanks, and regards,
Bob

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
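The following PIX 6.3 configuration sketch for steps (2) through (4) of the plan above is an added illustration and is not taken from the original post or from the poster's configurations. The interface name, the hub peer addresses (198.51.100.10 old ISP, 203.0.113.10 new ISP), the branch LAN 192.168.30.0/24, the hub LAN 10.0.0.0/16, the client pool 192.168.250.0/24, the map, ACL and group names and all keys are assumed placeholders.

```text
! Added example (not from the original post): one remote PIX 506 on 6.3, placeholder names and addresses
!
! (2) 3DES must be licensed before any of the "3des" lines below are accepted:
!     activation-key <four hex words from Cisco>      (reload, then check "show version" for VPN-3DES)
!
! Phase 1 policy shared by both hub peers and the VPN client
isakmp enable outside
isakmp identity address
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! pre-shared keys for the old and the new hub address
isakmp key OldHubKey address 198.51.100.10 netmask 255.255.255.255
isakmp key NewHubKey address 203.0.113.10 netmask 255.255.255.255
!
crypto ipsec transform-set hub3des esp-3des esp-sha-hmac
! branch LAN to hub LAN: proxy identity for the tunnel, exempted from NAT
access-list hubvpn permit ip 192.168.30.0 255.255.255.0 10.0.0.0 255.255.0.0
nat (inside) 0 access-list hubvpn
!
! (4) old peer and new peer as separate static entries on the same map
crypto map hubmap 10 ipsec-isakmp
crypto map hubmap 10 match address hubvpn
crypto map hubmap 10 set peer 198.51.100.10
crypto map hubmap 10 set transform-set hub3des
crypto map hubmap 20 ipsec-isakmp
crypto map hubmap 20 match address hubvpn
crypto map hubmap 20 set peer 203.0.113.10
crypto map hubmap 20 set transform-set hub3des
!
! (3) remote-access entry for the Cisco VPN client; the dynamic entry takes the highest sequence number
ip local pool vpnpool 192.168.250.1-192.168.250.10
vpngroup admins address-pool vpnpool
vpngroup admins idle-time 1800
vpngroup admins password AdminGroupSecret
crypto dynamic-map dynmap 10 set transform-set hub3des
crypto map hubmap 65535 ipsec-isakmp dynamic dynmap
crypto map hubmap interface outside
sysopt connection permit-ipsec
! on 6.x, telnet to the outside interface is only accepted from inside an IPsec tunnel;
! limit it to the client pool
telnet 192.168.250.0 255.255.255.0 outside
```

Two points a practitioner would check before relying on step (6). First, the PIX walks the static crypto map entries in sequence order and uses the first one whose ACL matches outbound traffic, so while entry 10 is present the 506 keeps initiating to the old peer; the tunnel to the new hub comes up when the new 515 initiates toward the branch, or once entry 10 is removed after the cutover. Second, the `isakmp policy ... encryption` line and the transform set are where DES versus 3DES is decided on the PIX side, so a client and a PIX that do not offer a common algorithm fail Phase 1 or Phase 2 rather than fall back.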
Current thread:
- IP migration on "hub" VPN terminus [long] Robert L. Wanamaker (Mar 24)
- RE: IP migration on "hub" VPN terminus [long] Josh Welch (Mar 27)
- <Possible follow-ups>
- RE: IP migration on "hub" VPN terminus [long] Melson, Paul (Mar 28)