Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1141
Views
5
Helpful
3
Replies

Change pre-shared keys on the fly for ikev2 dyname VPN

Go to solution
Travis-Fleming
Level 1
Level 1

‎08-10-2021 11:50 AM

Hello,

My manager has tasked me with changing the pre-shared local and remote keys of our 20+ home office Ikev2 site-to-site VPN's. They are either an ASA 5505 (retiring) or Cisco C881 router. Both are using ikev2.

 

I want to be able to remote into the device, run some commands that will change the local and remote pre-shared keys, and be able to do it one home user at a time. I would like to have two tunnel-groups defined at our ASA 5525 head-end so we can have the old keys and the new keys.

 

Where I'm running into troubles is most our home users are DHCP from their ISP, so I can't designate by peer IP address. How would one go about getting this to work with an ikev2 setup? I found this article, but it doesn't apply to our current setup:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/113573-sol-tunnels-groups.html

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

‎08-10-2021 12:11 PM

@Travis-Fleming 

I assume you currently use the Default L2L Group tunnel group?

 

How about you create a new tunnel group based on the current dhcp ip address for each ASA, which you should easily be able to determine from the ASA. As this is more specific, this tunnel will match and you can use the new PSK. Migrate all ASAs using this method and then finally change the Default L2L Group to the new PSK and remove the other tunnel groups.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rob Ingram
VIP
VIP

‎08-10-2021 12:11 PM

@Travis-Fleming 

I assume you currently use the Default L2L Group tunnel group?

 

How about you create a new tunnel group based on the current dhcp ip address for each ASA, which you should easily be able to determine from the ASA. As this is more specific, this tunnel will match and you can use the new PSK. Migrate all ASAs using this method and then finally change the Default L2L Group to the new PSK and remove the other tunnel groups.

0 Helpful

Go to solution
Travis-Fleming
Level 1
Level 1
In response to Rob Ingram

‎08-10-2021 12:16 PM

We do currently use the Default L2L group. That is a great idea! So on the head-end just make another tunnel-group that designates the peer IP address at the time, get them all changed, then change the default L2L group to the new keys?

 

The only problem I'm seeing with that is there are always 2-5 home users that are not on all the time. This seams like an all or nothing type of solution right?

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Travis-Fleming

‎08-10-2021 12:23 PM

@Travis-Fleming 

Yeah I don't see an obvious other method to do this, as I've not faced this issue before.

 

I'd suggest you arrange for those other home users to get there hardware turned on and once they are all online make the change over a short period of a couple of days, hopefully the dhcp IP addresses won't change in this period.

 

 

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card