
How to Configure IPSec VPN

I have come across an odd scenario with pre-shared-key-based IPSec tunnels…

The question: when an IPSec tunnel is active (Phase 1 and Phase 2 are both UP) and the pre-shared key is changed, does this tear down the tunnel?

The tunnel configuration on R4 follows…

The tunnel configuration on R5 follows…

Bringing the tunnel up by pinging the peer from R4…

As you can see below, the tunnel is now UP/UP, and 4 packets have been encrypted/decrypted.

Let's change the pre-shared key on R4…

Now I have changed the key and pinged the remote peer again, then checked whether the tunnel has gone down…

As you can see below, 9 packets have now been encrypted and decrypted, and the tunnel is still UP/UP!

Now, we will clear ISAKMP and Crypto MAP…

Now, as we expect, the tunnel is brought down…

As expected, when we sent interesting traffic, the tunnel did not come up due to the pre-shared key mismatch; the ISAKMP SA shows the state "MM_KEY_EXCH".

Now, we set the key back to the original one…

```
R4(config)#no crypto isakmp key fnode@@@_@ address 192.168.1.5
R4(config)#crypto isakmp key fnode address 192.168.1.5
```

As expected, the tunnel comes back up when we sent interesting traffic…

The fact of the matter is, whenever the pre-shared key (or a similar parameter) is changed, the tunnel MUST be cleared for the change to take effect; otherwise it will _not_ come back up.

In other words, when there is an active tunnel and such modifications are made to the configuration, clearing ISAKMP and the crypto map is a must.
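The procedure above, written out as a coordinated key rotation with the verification steps a practitioner would want. This is an added example, not configuration from the original post; R4's address (192.168.1.4) and the new key value are assumptions, and the crypto ACL is assumed to match the ping to the peer as in the post.

```cisco
! Added example: rotating the pre-shared key on both sides of the R4<->R5
! tunnel so the change actually takes effect. Old key "fnode" is from the
! post; NEW_KEY_PLACEHOLDER and R4's address 192.168.1.4 are assumptions.

! --- R5 (192.168.1.5): install the new key for peer R4 ---
R5(config)# no crypto isakmp key fnode address 192.168.1.4
R5(config)# crypto isakmp key NEW_KEY_PLACEHOLDER address 192.168.1.4
R5(config)# end

! --- R4 (192.168.1.4): install the same new key for peer R5 ---
R4(config)# no crypto isakmp key fnode address 192.168.1.5
R4(config)# crypto isakmp key NEW_KEY_PLACEHOLDER address 192.168.1.5
R4(config)# end

! The existing Phase 1 / Phase 2 SAs keep running on the old key and the
! counters keep climbing, exactly as the post shows. Tear them down so the
! next negotiation uses the new key. Do this on both peers to be safe.
R4# clear crypto isakmp
R4# clear crypto sa
R5# clear crypto isakmp
R5# clear crypto sa

! Send interesting traffic to trigger a fresh negotiation.
R4# ping 192.168.1.5

! Verify Phase 1: an established ISAKMP SA shows QM_IDLE. If it sits in
! MM_KEY_EXCH the pre-shared keys do not match and the tunnel will not
! come up; check that both peers received the same new key.
R4# show crypto isakmp sa

! Verify Phase 2: encaps/decaps counters should start from zero and rise
! with the new pings, and the session should report UP-ACTIVE.
R4# show crypto ipsec sa | include pkts encaps|pkts decaps
R4# show crypto session
```

Changing the key on only one peer and leaving the SAs in place hides the mismatch until the next rekey or clear, which is when the tunnel fails.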
