This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

IPsec tunnel questions?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IPsec tunnel questions?

Go to solution
OMatlock
L4 Transporter

‎04-05-2017 02:26 PM

Hi folks,

 

We have several IPsec VPN tunnels for various remote firewalls connections.  One of them is changing their firewall hardware to something else next week.  Sonic firewall, I believe.

 

I've been told that they are configuring the new replacement hardware with the same settings as before including same peer IP address.

NOTE:  I will backup the current configuration of our PA 3020 before making any changes.

 

Questions:

  • Could I make changes to our existing IPsec VPN settings (if necessary) or must create new?
  • Would I have to make any changes at all?  Assuming that the IKE and IPsec Crypto profile setting match on new hardware.  Should just re-negotiate?
  • If things don't workout, I could always restore back to my save configuration, correct?

Thanks!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-05-2017 03:53 PM

Hello,

If everything is going to remain the same, e.g. IP, pass phrases, crypto settings, then you should not have to do anything. Since the only thing changing is the hardware on the customer side, you may have to tweak a setting or two, especially with routing, depending on what equipment they had before.

 

  • Could I make changes to our existing IPsec VPN settings (if necessary) or must create new?
    • You can make changes
  • Would I have to make any changes at all?  Assuming that the IKE and IPsec Crypto profile setting match on new hardware.  Should just re-negotiate?
    • Sjhouldnt have to, but might require tweaking?
  • If things don't workout, I could always restore back to my save configuration, correct?
    • Yes you can always revert to a previous configuration

Hope that helps!

View solution in original post

0 Likes Likes
5 REPLIES 5

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎04-05-2017 03:53 PM

Hello,

If everything is going to remain the same, e.g. IP, pass phrases, crypto settings, then you should not have to do anything. Since the only thing changing is the hardware on the customer side, you may have to tweak a setting or two, especially with routing, depending on what equipment they had before.

 

  • Could I make changes to our existing IPsec VPN settings (if necessary) or must create new?
    • You can make changes
  • Would I have to make any changes at all?  Assuming that the IKE and IPsec Crypto profile setting match on new hardware.  Should just re-negotiate?
    • Sjhouldnt have to, but might require tweaking?
  • If things don't workout, I could always restore back to my save configuration, correct?
    • Yes you can always revert to a previous configuration

Hope that helps!

0 Likes Likes

Go to solution
BPry
Cyber Elite
Cyber Elite
In response to OtakarKlier

‎04-05-2017 06:47 PM

The number one thing that you are going to see that is different is you will need to actually set the proxy ids for the other side to actually form up properly. I'm almost positive that sonicwall is going to need a proxyid setup so that it can actually form the tunnel properly. 

0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to BPry

‎04-06-2017 07:33 AM

Thank you!!!!!

 

Looks like there is a type of pass phrase in the IKE gateway configuration.  Since this was configured before my time, I don't know what the value is.  Need to find out.  I guess I could change it and make sure to match it with the remote configuration?

 

IKE.jpg

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to OMatlock

‎04-06-2017 08:32 AM

If  the PSK is unknown best way as you said to agree on the new one and share between other end 

0 Likes Likes

Go to solution
OMatlock
L4 Transporter
In response to TranceforLife

‎04-12-2017 11:35 AM

I just wanted to add to this thread that I completed this task.

Our partner changed out their firewall hardware, setup their side IPSec settings to match our's.

 

The only thing I had to change on our existing IPSec tunnel settings was the Shared Password, and worked no problem.

 

I did notice that the connection was green (but not communicating) before I changed the password. 

 

Thanks!!

0 Likes Likes
  • 1 accepted solution
  • 2815 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks