topic Re: IPsec tunnel questions? in General Topics

IPsec tunnel questions?

OMatlock — Wed, 05 Apr 2017 21:26:50 GMT

Hi folks,

We have several IPsec VPN tunnels for various remote firewalls connections. One of them is changing their firewall hardware to something else next week. Sonic firewall, I believe.

I've been told that they are configuring the new replacement hardware with the same settings as before including same peer IP address.

NOTE: I will backup the current configuration of our PA 3020 before making any changes.

Questions:

Could I make changes to our existing IPsec VPN settings (if necessary) or must create new?
Would I have to make any changes at all? Assuming that the IKE and IPsec Crypto profile setting match on new hardware. Should just re-negotiate?
If things don't workout, I could always restore back to my save configuration, correct?

Thanks!

Re: IPsec tunnel questions?

OtakarKlier — Wed, 05 Apr 2017 22:53:00 GMT

Hello,

If everything is going to remain the same, e.g. IP, pass phrases, crypto settings, then you should not have to do anything. Since the only thing changing is the hardware on the customer side, you may have to tweak a setting or two, especially with routing, depending on what equipment they had before.

Could I make changes to our existing IPsec VPN settings (if necessary) or must create new?
- You can make changes
Would I have to make any changes at all? Assuming that the IKE and IPsec Crypto profile setting match on new hardware. Should just re-negotiate?
- Sjhouldnt have to, but might require tweaking?
If things don't workout, I could always restore back to my save configuration, correct?
- Yes you can always revert to a previous configuration

Hope that helps!

Re: IPsec tunnel questions?

BPry — Thu, 06 Apr 2017 01:47:47 GMT

The number one thing that you are going to see that is different is you will need to actually set the proxy ids for the other side to actually form up properly. I'm almost positive that sonicwall is going to need a proxyid setup so that it can actually form the tunnel properly.

Re: IPsec tunnel questions?

OMatlock — Thu, 06 Apr 2017 14:33:06 GMT

Thank you!!!!!

Looks like there is a type of pass phrase in the IKE gateway configuration. Since this was configured before my time, I don't know what the value is. Need to find out. I guess I could change it and make sure to match it with the remote configuration?

Re: IPsec tunnel questions?

TranceforLife — Thu, 06 Apr 2017 15:32:40 GMT

If the PSK is unknown best way as you said to agree on the new one and share between other end

Re: IPsec tunnel questions?

OMatlock — Wed, 12 Apr 2017 18:35:09 GMT

I just wanted to add to this thread that I completed this task.

Our partner changed out their firewall hardware, setup their side IPSec settings to match our's.

The only thing I had to change on our existing IPSec tunnel settings was the Shared Password, and worked no problem.

I did notice that the connection was green (but not communicating) before I changed the password.

Thanks!!