Firewall Wizards mailing list archives

IP migration on "hub" VPN terminus [long]


From: "Robert L. Wanamaker" <bobw () avantsystems com>
Date: Tue, 23 Mar 2004 10:16:30 -0500

Greetings.

The challenge.  30 remote sites spread far apart enough geographically that
site visits are not practical.  The remote sites run PIX 506's, typically
with version 5.x of the PIX OS and no 3-DES activation.  The hub is a pair
of 515-UR's, in failover mode.  Customer is switching ISP's at the hub, and
must switch IP addresses.  Hence, the challenge: how to effectively cutover
remote sites to the new VPN peer?

The plan.  A central admin console is capable of reaching each 506 in the
field via tunnels.  Use this capability to do the following on each remote
pix: 

(1) upgrade to 6.3.x of the PIX OS 
(2) use the activation key feature in the new OS to get 3-DES capability in
place 
(3) add necessary statements for Cisco Secure VPN client to connect from any
location, and telnet into the remote pix.
(4) Use the VPN client to directly connect to each PIX, and create a
separate crypto map entry pointing to the new VPN peer
(5) Split apart the 515's at the hub; run each in standalone mode, one
connected to the old ISP network, and one connected to the new ISP network.
(6) Cut the tie to the old ISP.  Watch all the tunnels get gracefully
rebuilt on the second 515 with little or no impact to users.
(7) Restore failover of the 515's.

Testing results.  I've tested 1, 3, 4 with good results.  My only weird
results are that Cisco's site has numerous e.g.'s of the VPN client
connecting with DES encryption; however, I can only make it work with 3-DES.
This is certainly a good excuse for getting the client up to current rev,
but am I missing something?

Questions. Does this sound feasible?  Is there a better way to accomplish
this cutover?

Thanks, and regards,

Bob

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
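A worked configuration fragment for steps (2) through (4) of the plan above, added here as an illustration and not taken from the original post or from any Cisco documentation. It shows what the crypto section of one remote PIX 506 (PIX OS 6.3) might look like once it can reach either hub: the old hub address and the new hub address are placeholders (192.0.2.10 and 198.51.100.10, documentation ranges), the map name, ACL name, transform-set name and pre-shared key are invented, and the assumption that PIX 6.3 accepts more than one address on `set peer` and tries them in the listed order is an assumption of this example, to be checked against the release's command reference before relying on it.

```text
! --- Example remote-site PIX 6.3 crypto config (constructed, not from the post) ---
! Interesting traffic for the hub tunnel: remote LAN to hub LAN (placeholder networks)
access-list HUB_TRAFFIC permit ip 10.10.1.0 255.255.255.0 10.0.0.0 255.255.0.0

! 3-DES is only usable after the activation key from step (2) is applied
crypto ipsec transform-set STRONG esp-3des esp-sha-hmac

! One crypto map entry, two peers: old hub first, new hub second.
! ASSUMPTION: 6.3 tries peers in the order listed when the first does not answer,
! so the entry keeps working after the old ISP link is cut in step (6).
crypto map HUBMAP 10 ipsec-isakmp
crypto map HUBMAP 10 match address HUB_TRAFFIC
crypto map HUBMAP 10 set peer 192.0.2.10 198.51.100.10
crypto map HUBMAP 10 set transform-set STRONG
crypto map HUBMAP interface outside

! Phase 1: a pre-shared key must already exist for BOTH hub addresses
! before the cutover, or the rebuild in step (6) will fail on the new peer.
isakmp enable outside
isakmp key EXAMPLE-PSK-CHANGE-ME address 192.0.2.10 netmask 255.255.255.255
isakmp key EXAMPLE-PSK-CHANGE-ME address 198.51.100.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Let IPsec traffic bypass the interface ACL check
sysopt connection permit-ipsec
```

Before cutting the old ISP link, `show crypto isakmp sa` and `show crypto ipsec sa` on a remote unit confirm which hub address the current tunnel is built to; after the cut, the same commands should show the security associations rebuilt against the second peer address. The reason for one map entry with two peers rather than two entries pointing at the same interesting-traffic ACL is that crypto map entries are evaluated in sequence order and the first entry whose ACL matches is used, so a second entry with an identical ACL would never be selected.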

