IPsec tunnel questions?


L4 Transporter

Hi folks,

 

We have several IPsec VPN tunnels for various remote firewall connections. One of them is changing their firewall hardware to something else next week. Sonic firewall, I believe.

 

I've been told that they are configuring the new replacement hardware with the same settings as before including same peer IP address.

NOTE: I will back up the current configuration of our PA 3020 before making any changes.

 

Questions:

  • Could I make changes to our existing IPsec VPN settings (if necessary) or must I create new ones?
  • Would I have to make any changes at all? Assuming that the IKE and IPsec Crypto profile settings match on the new hardware, should it just re-negotiate?
  • If things don't work out, I could always restore back to my saved configuration, correct?

Thanks!

1 accepted solution

Accepted Solutions

Cyber Elite

Hello,

If everything is going to remain the same, e.g. IP, pass phrases, crypto settings, then you should not have to do anything. Since the only thing changing is the hardware on the customer side, you may have to tweak a setting or two, especially with routing, depending on what equipment they had before.

 

  • Could I make changes to our existing IPsec VPN settings (if necessary) or must I create new ones?
    • You can make changes
  • Would I have to make any changes at all? Assuming that the IKE and IPsec Crypto profile settings match on the new hardware, should it just re-negotiate?
    • Shouldn't have to, but might require tweaking?
  • If things don't work out, I could always restore back to my saved configuration, correct?
    • Yes, you can always revert to a previous configuration

Hope that helps!


5 REPLIES

The number one thing that you are going to see that is different is that you will need to actually set the proxy IDs for the other side to actually form up properly. I'm almost positive that SonicWall is going to need a proxy ID set up so that it can actually form the tunnel properly.

Thank you!!!!!

 

Looks like there is a type of pass phrase in the IKE gateway configuration.  Since this was configured before my time, I don't know what the value is.  Need to find out.  I guess I could change it and make sure to match it with the remote configuration?

 


If the PSK is unknown, the best way, as you said, is to agree on a new one and share it with the other end.

I just wanted to add to this thread that I completed this task.

Our partner changed out their firewall hardware and set up their side's IPsec settings to match ours.

The only thing I had to change on our existing IPsec tunnel settings was the Shared Password, and it worked with no problem.

 

I did notice that the connection was green (but not communicating) before I changed the password. 

 

Thanks!!
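
The checks discussed in this thread (same peer IP, matching IKE and IPsec crypto settings, and proxy IDs for the SonicWall side) written out as a pre-cutover comparison. This is an added example, not part of any post above; the field names and sample values are hypothetical and are not a PAN-OS or SonicWall export format. The pre-shared key is deliberately not compared, so it never has to be written into a worksheet.

```python
import ipaddress

# Hypothetical field names for settings both peers must configure identically.
MATCH_FIELDS = ("ike_version", "ike_encryption", "ike_hash", "ike_dh_group",
                "ipsec_encryption", "ipsec_auth", "pfs_group")


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def compare_peers(ours, theirs):
    """Return a list of human-readable mismatches between two tunnel endpoints."""
    problems = []
    # Each side's peer address must be the other side's own address.
    for a, b, who in ((ours, theirs, "our"), (theirs, ours, "their")):
        if ipaddress.ip_address(a["peer_ip"]) != ipaddress.ip_address(b["local_ip"]):
            problems.append(f"{who} peer_ip {a['peer_ip']} != other side's local_ip {b['local_ip']}")
    # Crypto proposals are compared case-insensitively, field by field.
    for field in MATCH_FIELDS:
        mine, yours = str(ours.get(field)).lower(), str(theirs.get(field)).lower()
        if mine != yours:
            problems.append(f"{field}: ours={mine} theirs={yours}")
    # Proxy IDs must mirror: our (local, remote) pair is their (remote, local) pair.
    our_ids = {(_net(loc), _net(rem)) for loc, rem in ours.get("proxy_ids", [])}
    their_ids = {(_net(rem), _net(loc)) for loc, rem in theirs.get("proxy_ids", [])}
    for loc, rem in sorted(their_ids - our_ids, key=str):
        problems.append(f"missing proxy ID on our side: local {loc} remote {rem}")
    for loc, rem in sorted(our_ids - their_ids, key=str):
        problems.append(f"peer has no mirror for our proxy ID: local {loc} remote {rem}")
    return problems


# Constructed sample values (documentation address ranges), not from the thread.
OURS = {"local_ip": "192.0.2.10", "peer_ip": "198.51.100.20",
        "ike_version": "ikev1", "ike_encryption": "aes-256-cbc", "ike_hash": "sha256",
        "ike_dh_group": "group14", "ipsec_encryption": "aes-256-cbc",
        "ipsec_auth": "sha256", "pfs_group": "group14", "proxy_ids": []}
THEIRS = dict(OURS, local_ip="198.51.100.20", peer_ip="192.0.2.10",
              ike_hash="SHA256", proxy_ids=[("10.20.0.0/16", "10.10.0.0/16")])

if __name__ == "__main__":
    for line in compare_peers(OURS, THEIRS) or ["no mismatches found"]:
        print(line)
```

With the sample data, the only finding is the proxy ID that the replacement peer defines and our side lacks.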
