
change IP for PIX-PIX VPN


encinitas

Technical User
Sep 6, 2005
84
US
hello,
I need to change the IP for my PIX to PIX VPN. Do I just retype the crypto map statement with the new IP, and then disable isakmp, retype isakmp command with key/new IP, and then re-enable isakmp?

thanks


crypto map tooffice 20 ipsec-isakmp
crypto map tooffice 20 match address 101
crypto map tooffice 20 set peer X.47.128.10
crypto map tooffice 20 set transform-set myset
crypto map tooffice interface outside
isakmp enable outside
isakmp key ******** address X.47.128.10 netmask 255.255.255.255


i think the enable command is: isakmp enable interface-ethernet0 ?
not sure about disable
 
Encinitas,

just do

no crypto map tooffice 20 set peer X.47.128.10

crypto map tooffice 20 set peer <new IP address>

no isakmp key ******** address X.47.128.10 netmask 255.255.255.255

isakmp key ******** address <new IP> netmask 255.255.255.255

After that, you might want to do the following commands:

clear crypto isakmp sa - (from configuration mode) Clears all active IKE connections.
clear crypto ipsec sa - (from configuration mode) Deletes all IPsec security associations.

clear xlate

Thanks

 
thanks lashboy-
i did those new configs, and the VPN tunnel doesn't come up. do i need to generate or regenerate keys? on either or both PIX?

thanks
 
It wont hurt to regenerate the keys, if you use keys.
Did you clear the cryptos?

A firm believer of the "Keep it Simple" philosophy
Cheers
/T
 
hi triplejolt-
thanks- and yes, i cleared the cryptos.


here's my debugs from the remote site (IP x.229.60.249). Not exactly sure what it all means though!

westmart(config)# ping 192.168.102.1
192.168.102.1 NO response received -- 1000ms
192.168.102.1 NO response received -- 1000ms
192.168.102.1 NO response received -- 1000ms
westmart(config)# IPSEC(validate_proposal): peer address x.110.144.226 not found
IPSEC(key_engine): got a queue event...
IPSEC(key_engine_delete_sas): rec'd delete notify from ISAKMP
IPSEC(key_engine_delete_sas): delete all SAs shared with x.110.144.226
IPSEC(key_engine): got a queue event...


westmart(config)# debug crypto isakmp
westmart(config)#
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
westmart#
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
ISAKMP (0:0): phase 2 packet is a duplicate of a previous packet.
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 3237837671

ISAKMP : Checking IPSec proposal 1

ISAKMP: transform 1, ESP_DES
ISAKMP: attributes in transform:
ISAKMP: encaps is 1
ISAKMP: SA life type in seconds
ISAKMP: SA life duration (basic) of 28800
ISAKMP: SA life type in kilobytes
ISAKMP: SA life duration (VPI) of 0x0 0x46 0x50 0x0
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
return status is IKMP_ERR_NO_RETRANS
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
ISAKMP (0): processing DELETE payload. message ID = 1795216111, spi size = 16
ISAKMP (0): deleting SA: src x.110.144.226, dst x.229.60.249
return status is IKMP_NO_ERR_NO_TRANS
ISADB: reaper checking SA 0xa77564, conn_id = 0 DELETE IT!

VPN Peer: ISAKMP: Peer ip:x.110.144.226/500 Ref cnt decremented to:0 Total VPN Peers:1
VPN Peer: ISAKMP: Deleted peer: ip:x.110.144.226/500 Total VPN peers:0
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing SA payload. message ID = 0

ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP: life type in seconds
ISAKMP: life duration (VPI) of 0x0 0x1 0x51 0x80
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA is doing pre-shared key authentication using id type ID_IPV4_ADDR
return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing KE payload. message ID = 0

ISAKMP (0): processing NONCE payload. message ID = 0

ISAKMP (0): processing vendor id payload

ISAKMP (0): processing vendor id payload

ISAKMP (0): remote peer supports dead peer detection

ISAKMP (0): processing vendor id payload

ISAKMP (0): speaking to another IOS box!

return status is IKMP_NO_ERROR
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
OAK_MM exchange
ISAKMP (0): processing ID payload. message ID = 0
ISAKMP (0): processing HASH payload. message ID = 0
ISAKMP (0): SA has been authenticated

ISAKMP (0): ID payload
next-payload : 8
type : 1
protocol : 17
port : 500
length : 8
ISAKMP (0): Total payload length: 12
return status is IKMP_NO_ERROR
ISAKMP (0): sending INITIAL_CONTACT notify
ISAKMP (0): sending NOTIFY message 24578 protocol 1
VPN Peer: ISAKMP: Added new peer: ip:x.110.144.226/500 Total VPN Peers:1
VPN Peer: ISAKMP: Peer ip:x.110.144.226/500 Ref cnt incremented to:1 Total VPN Peers:1
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
ISAKMP (0): processing NOTIFY payload 24578 protocol 1
spi 0, message ID = 209920897
ISAKMP (0): processing notify INITIAL_CONTACT
return status is IKMP_NO_ERR_NO_TRANS
crypto_isakmp_process_block:src:x.110.144.226, dest:x.229.60.249 spt:500 dpt:500
OAK_QM exchange
oakley_process_quick_mode:
OAK_QM_IDLE
ISAKMP (0): processing SA payload. message ID = 1223573907
 
can anyone decipher what the debug output means? (if i copied the right data)

thanks.
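The debug posted above can be read mechanically: OAK_MM lines belong to phase 1 (main mode), OAK_QM lines to phase 2 (quick mode), and the "atts are/not acceptable" verdicts say which side of the negotiation failed. The following parser is an added example written for this thread, not code from the original posts or from Cisco; it runs over a constructed excerpt modelled on the posted output (RFC 5737 documentation addresses instead of the real peers), and the names `parse_isakmp_debug`, `diagnose` and `NOTIFY_NAMES` are chosen here. The meaning of notify type 14 comes from RFC 2408; the reading of "peer address ... not found" as "no crypto map entry matches that peer" is the same question triplejolt raises below.

```python
import re

# Constructed excerpt modelled on the 'debug crypto isakmp' output in the
# thread; the addresses are RFC 5737 documentation ranges, not real peers.
SAMPLE_DEBUG = """\
IPSEC(validate_proposal): peer address 203.0.113.226 not found
crypto_isakmp_process_block:src:203.0.113.226, dest:198.51.100.249 spt:500 dpt:500
OAK_QM exchange
ISAKMP : Checking IPSec proposal 1
ISAKMP: transform 1, ESP_DES
ISAKMP: authenticator is HMAC-MD5
ISAKMP (0): atts not acceptable. Next payload is 0
ISAKMP (0): SA not acceptable!
ISAKMP (0): sending NOTIFY message 14 protocol 0
OAK_MM exchange
ISAKMP (0): Checking ISAKMP transform 1 against priority 10 policy
ISAKMP: encryption DES-CBC
ISAKMP: hash MD5
ISAKMP: default group 2
ISAKMP: auth pre-share
ISAKMP (0): atts are acceptable. Next payload is 3
ISAKMP (0): SA has been authenticated
ISAKMP (0): sending NOTIFY message 24578 protocol 1
"""

# Notify type 14 is NO-PROPOSAL-CHOSEN (RFC 2408, section 3.14.1); 24578 is
# the private-range INITIAL_CONTACT notify the thread's debug also shows.
NOTIFY_NAMES = {14: "NO-PROPOSAL-CHOSEN", 24578: "INITIAL_CONTACT"}


def parse_isakmp_debug(text):
    """Summarise PIX isakmp/ipsec debug into phase 1, phase 2 and errors.

    OAK_MM marks a main-mode (phase 1) exchange and OAK_QM a quick-mode
    (phase 2) exchange; attribute lines are attached to the current phase.
    """
    summary = {
        "phase1": {"attrs": {}, "acceptable": None, "authenticated": False},
        "phase2": [],   # one dict per IPsec proposal the peer offered
        "errors": [],
    }
    phase, proposal = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if "OAK_MM exchange" in line:
            phase = 1
        elif "OAK_QM exchange" in line:
            phase = 2
        elif (m := re.search(r"peer address (\S+) not found", line)):
            summary["errors"].append(
                f"no crypto map entry has peer {m.group(1)} (old address still referenced?)")
        elif (m := re.match(r"ISAKMP : Checking IPSec proposal (\d+)", line)):
            proposal = {"proposal": int(m.group(1)), "attrs": {}, "acceptable": None}
            summary["phase2"].append(proposal)
        elif (m := re.match(r"ISAKMP: transform \d+, (\S+)", line)) and proposal:
            proposal["attrs"]["transform"] = m.group(1)
        elif (m := re.match(r"ISAKMP: authenticator is (\S+)", line)) and proposal:
            proposal["attrs"]["authenticator"] = m.group(1)
        elif (m := re.match(r"ISAKMP: (encryption|hash|auth|default group) (\S+)", line)) and phase == 1:
            summary["phase1"]["attrs"][m.group(1)] = m.group(2)
        elif "atts are acceptable" in line or "atts not acceptable" in line:
            ok = "atts are acceptable" in line
            if phase == 2 and proposal:
                proposal["acceptable"] = ok
            elif phase == 1:
                summary["phase1"]["acceptable"] = ok
        elif "SA has been authenticated" in line:
            summary["phase1"]["authenticated"] = True
        elif (m := re.match(r"ISAKMP \(\d+\): sending NOTIFY message (\d+)", line)):
            code = int(m.group(1))
            if code == 14:
                summary["errors"].append(
                    f"sent NOTIFY {code} ({NOTIFY_NAMES[code]}): the peer's IPsec proposal was rejected")
    return summary


def diagnose(summary):
    """Turn the parsed summary into findings a troubleshooter can act on."""
    findings = []
    p1 = summary["phase1"]
    if p1["authenticated"]:
        findings.append("phase 1 ok: isakmp policy matched and the pre-shared key authenticated")
    else:
        findings.append("phase 1 not completed: check isakmp policy, peer address and pre-shared key")
    rejected = [p["proposal"] for p in summary["phase2"] if p["acceptable"] is False]
    if rejected:
        findings.append(f"phase 2 rejected proposal(s) {rejected}: transform set or SA lifetime "
                        "differs between the two PIXes")
    findings.extend(summary["errors"])
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_isakmp_debug(SAMPLE_DEBUG)):
        print(finding)
```

On the constructed excerpt the parser reports phase 1 as authenticated (policy 10 matched, pre-shared key accepted) but proposal 1 of phase 2 rejected, which is the pattern in the posted debug: the pre-shared key is fine, the IPsec transform or lifetime offered by the other PIX is not what this side accepts, and the "peer address not found" line points at a crypto map entry that no longer names the peer that is calling.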
 
Hiya encinitas.

This line might be worth investigating:
westmart(config)# IPSEC(validate_proposal): peer address x.110.144.226 not found
Is this the old peer-address or the new one?

Furthermore, I'd suggest going over the cryptomap, isakmp statements and any ACL's you may have (especially ACL 101 as this one tunnels the traffic between your offices):
Code:
crypto map tooffice 20 ipsec-isakmp
crypto map tooffice 20 match address 101
crypto map tooffice 20 set peer [verify this IP address]
crypto map tooffice 20 set transform-set myset
crypto map tooffice interface outside
isakmp enable outside
isakmp key ******** address [verify this IP address] netmask 255.255.255.255

.... I'm adding the rest of the isakmp statements as a suggestion. Not sure if you are using the exact same lines....:

isakmp identity address
isakmp keepalive 30 30
isakmp nat-traversal 20
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400

Make sure your address fields contain the correct IP address of the remote PIX.
From what I can see, you don't have to clear your keys as you use pre-share. Just make sure it matches on both sides. Retype it if needed.
One last thing... check your route entries. Default route should be changed to reflect the new IP address of your peer. Your NoNat statements should remain the same.

Good luck and I hope this helps

A firm believer of the "Keep it Simple" philosophy
Cheers
/T
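The change lashboy describes (remove and re-add the `set peer` and `isakmp key` lines) and the follow-up checks triplejolt lists (crypto map, isakmp statements, ACLs, routes) can be scripted against a saved config before anyone types on the box. The helper below is an added example, not code from this thread or from Cisco: it works on a constructed PIX-style snippet (RFC 5737 addresses, a placeholder key), and `PEER_STATEMENTS`, `peer_change_commands`, `apply_commands` and `peers_without_key` are names chosen here. It generates the command sequence, lists every other line that still mentions the old address so those can be reviewed rather than forgotten, and flags the half-done state where the crypto map names a peer that has no matching isakmp key.

```python
import re

# Constructed PIX 6.x style snippet in the shape of the thread's config.
# Addresses are RFC 5737 documentation ranges; the key is a placeholder.
OLD_PEER = "203.0.113.10"
NEW_PEER = "203.0.113.20"
SAMPLE_CONFIG = """\
access-list 101 permit ip 192.168.101.0 255.255.255.0 192.168.102.0 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route outside 192.168.102.0 255.255.255.0 203.0.113.10 1
crypto map tooffice 20 ipsec-isakmp
crypto map tooffice 20 match address 101
crypto map tooffice 20 set peer 203.0.113.10
crypto map tooffice 20 set transform-set myset
crypto map tooffice interface outside
isakmp enable outside
isakmp key PLACEHOLDER-KEY address 203.0.113.10 netmask 255.255.255.255
"""

# The two statements that name the peer and must be replaced as a pair.
PEER_STATEMENTS = (
    re.compile(r"^crypto map \S+ \d+ set peer "),
    re.compile(r"^isakmp key \S+ address "),
)


def peer_change_commands(config, old_peer, new_peer):
    """Build the 'no ...' / re-add sequence for a peer address change.

    Returns (commands, leftovers): commands is the ordered CLI sequence in
    the form lashboy's answer shows; leftovers are any other config lines
    that still mention the old address (routes, ACLs, ...) and need a
    decision of their own, since the sequence does not touch them.
    """
    # Match the whole address only, so 203.0.113.1 and 203.0.113.100 are not hit.
    old_re = re.compile(r"(?<![\d.])" + re.escape(old_peer) + r"(?![\d.])")
    commands, leftovers = [], []
    for line in config.splitlines():
        if not old_re.search(line):
            continue
        if any(p.match(line) for p in PEER_STATEMENTS):
            commands.append("no " + line)
            commands.append(old_re.sub(new_peer, line))
        else:
            leftovers.append(line)
    return commands, leftovers


def apply_commands(config, commands):
    """Simulate entering the commands: 'no X' drops line X, others are added."""
    lines = config.splitlines()
    for cmd in commands:
        if cmd.startswith("no "):
            lines.remove(cmd[3:])
        else:
            lines.append(cmd)
    return "\n".join(lines) + "\n"


def peers_without_key(config):
    """Crypto map peers that have no matching isakmp key address.

    A peer listed here cannot complete phase 1 with a pre-shared key, which
    is what a half-done change (peer retyped, key not) looks like on the box.
    """
    peers = set(re.findall(r"^crypto map \S+ \d+ set peer (\S+)", config, re.M))
    keyed = set(re.findall(r"^isakmp key \S+ address (\S+)", config, re.M))
    return sorted(peers - keyed)


if __name__ == "__main__":
    cmds, left = peer_change_commands(SAMPLE_CONFIG, OLD_PEER, NEW_PEER)
    print("\n".join(cmds))
    print("still referencing the old peer:", left)
    after = apply_commands(SAMPLE_CONFIG, cmds)
    print("peers without a key after the change:", peers_without_key(after))
```

Run on the sample, the script prints the four commands in the order lashboy gives them, reports the static route that still points at the old address as a leftover to review, and shows an empty "peers without a key" list once both statements are replaced; replaying only the first two commands makes the new peer show up in that list, which is the state the thread's "tunnel doesn't come up" report corresponds to if either line were missed.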
 
thanks triplejolt-

i did retype the entries and keys and that seemed to do the trick!

thanks again for the tips

 
Sweet :)

A firm believer of the "Keep it Simple" philosophy
Cheers
/T
 