Multiple branch office tunnels

[AyrishGrl]

Is it feasible to build a second BO tunnel (on Contivity) to a remote site, then to disable the original tunnel and expect the new tunnel to pick up communications? This would all be done remotely from corporate to the BO with no out of band connection to BO so the management connection would start on the original tunnel. We are going to be changing our public IP block and the tunnels are currently built using the soon to be old IPs. I'm trying to come up with a method to build new tunnels without losing connectivity. Risky, but not sure we will have much of a choise.

 

[PederChr]

The moste easy is to change the local peer addres on the central vpn.

If you create a control tunnel on the remote Contivity's then you can change the config remote.

 

[AyrishGrl]

From what I understand the Control tunnel on the remote Contivity is built from its own management IP to the public IP of the other side. That is the IP that will be changing. Can you use secondary addresses on the same interface on these boxes?

 

[PederChr]

But you can create a control tunnel that have IP adress on the private side.

 

[AyrishGrl]

Ah ok. I will try that. Thanks.

 

[AyrishGrl]

I have tried creating a control tunnel using the private interfaces on both sides of the tunnel. When I enable the tunnel, the main BO tunnel drops. I have the BO side set to control tunnel and the corp side set with control tunnel disabled. Did I config something wrong? I followed the documentation I was able to find on Nortel's website.

 

[AyrishGrl]

Found my mistake. I was using the private IP of the BO side of the tunnel instead of the public. Now the primary tunnel stays up when I enable to control tunnel, but I lose access to the GUI of the BO side. The log is showing the following error:

ISAKMP [03] Local gateway address mismatch for 10.206.91.10 - terminating connection attempt

Any ideas?