This chapter describes general considerations that customers need to take into account when upgrading to the Cisco network-based IPSec VPN solution Release 1.5. In general, redundancy must be provided so that upgrades can be performed without affecting service availability.
Although it is the service provider's decision to determine the service availability required by its customers, it remains good practice to ensure that traffic is not interrupted. In addition to providing redundancy to cover outages of equipment or communications channels, it is necessary to provide redundancy to support traffic during upgrades of the solution components.
Caution It is the responsibility of the service provider to engineer the network in such a way as to provide the required service availability for their customers.
This chapter presents the following major topics:
Upgrading Solution Components
Upgrading Customer Premises Equipment
Before You Upgrade
Before you begin the solution upgrade, make sure that you keep the following issues in mind:
Begin the upgrade process during a maintenance window or low-traffic period, and plan for system downtime accordingly.
Ensure that all systems are working properly and that there are no alarms. Make sure there is no major congestion.
Review the software terms and conditions.
Review the software and tool requirements and procedural overview.
Review the hardware and software requirements found in the Release Notes for Cisco Network-Based IPSec VPN Solution 1.5.
Gather all required software and hardware. Your system must meet the minimum hardware and software requirements given in the Release Notes for Cisco Network-Based IPSec VPN Solution Release 1.5 at http://www.cisco.com/univercd/cc/td/doc/product/vpn/solution/index.htm.
The target machine must have a terminal connected by using a serial cable inserted into the console port.
Upgrading Solution Components
This section provides upgrade information for the following components of the Cisco network-based IPSec VPN solution Release 1.5:
Cisco 7204 and Cisco 7206 routers
AAA/RADIUS server
Upgrading the Cisco 7204 and the Cisco 7206 Routers
This section provides information for upgrading your Cisco IOS software images on the Cisco 7204 and 7206 routers.
Note The most recent information about upgrading the Cisco IOS software can be found in the release notes for your software.
Any RADIUS server (such as Cisco Access Registrar) that understands Cisco AV pairs can be used. It is essential that client configuration information (authorization and authentication) not be lost during the upgrade. For information on upgrading Cisco Access Registrar servers, see:
This section provides upgrade information for the following customer premises equipment used with the Cisco network-based IPSec VPN solution Release 1.5:
Cisco VPN 3002 hardware client
Cisco 800 series routers
Cisco 1700 series routers
Cisco 2600 series routers
Cisco 3600 series routers
Cisco 7200 series routers
Note The most recent information about upgrading the Cisco IOS software can be found in the release notes for your software.
Table 2-1 Customer Premise Equipment Upgrade Information
Upgrading from Previous Versions of the Cisco Network-Based IPSec VPN Solution
The VRF-Aware IPSec feature introduces IP security (IPSec) tunnel mapping to Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). Using the VRF-Aware IPSec feature, you can map IPSec tunnels to virtual routing and forwarding (VRF) instances using single, public-facing addresses.
The following configurations show the changes necessary for site-to-site configuration migration from a previous version of this solution to the current Cisco network-based IPSec VPN solution Release 1.5.
Previous Version Site-to-Site Configuration
The following configuration uses a previous version of a site-to-site network-based IPSec VPN solution:
The following configuration is the same site-to-site configuration upgraded to the Cisco network-based IPSec VPN solution Release 1.5.
Note You must change to keyrings. The VRF-Aware IPSec feature requires keys to be associated with a VRF if the IKE local endpoint is in the VRF.
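The keyring migration the note above requires, as an added example that is not part of the Cisco document: a small Python script that reads old-style global crypto isakmp key lines, emits the per-VRF crypto keyring blocks, and reports any peer that still lacks a keyring entry in its VRF. The peer-to-VRF map, the peer addresses, and the key values are constructed sample values.

```python
import re
from collections import OrderedDict

# Constructed sample of a pre-Release-1.5 style configuration with global
# ISAKMP pre-shared keys (sample addresses and key values only).
OLD_CONFIG = """\
crypto isakmp key VPN1 address 172.21.25.74
crypto isakmp key VPN2 address 172.21.21.74
"""

# Which VRF each IKE peer belongs to; the operator supplies this mapping.
PEER_VRF = {"172.21.25.74": "VPN1", "172.21.21.74": "VPN2"}

GLOBAL_KEY = re.compile(r"^crypto isakmp key (\S+) address (\S+)")
KEYRING = re.compile(r"^crypto keyring (\S+) vrf (\S+)")
RING_KEY = re.compile(r"^\s+pre-shared-key address (\S+) key (\S+)")


def global_keys(config):
    """Return {peer_address: key} for old-style global ISAKMP keys."""
    keys = {}
    for line in config.splitlines():
        if m := GLOBAL_KEY.match(line):
            keys[m.group(2)] = m.group(1)
    return keys


def build_keyrings(old_keys, peer_vrf):
    """Emit one 'crypto keyring <VRF>-KEYS vrf <VRF>' block per VRF."""
    rings = OrderedDict()
    for peer, key in old_keys.items():
        if peer not in peer_vrf:
            raise ValueError(f"no VRF known for peer {peer}")
        rings.setdefault(peer_vrf[peer], []).append((peer, key))
    lines = []
    for vrf, entries in rings.items():
        lines.append(f"crypto keyring {vrf}-KEYS vrf {vrf}")
        lines.extend(f" pre-shared-key address {p} key {k}" for p, k in entries)
        lines.append("!")
    return "\n".join(lines)


def unmigrated_peers(config, peer_vrf):
    """Peers with a global key but no keyring entry bound to their VRF."""
    in_ring, current = {}, None
    for line in config.splitlines():
        if m := KEYRING.match(line):
            current = m.group(2)          # entering a keyring for this VRF
        elif (m := RING_KEY.match(line)) and current:
            in_ring[m.group(1)] = current
        elif not line.startswith(" "):
            current = None                # any other top-level line ends the block
    return sorted(p for p in global_keys(config) if in_ring.get(p) != peer_vrf.get(p))
```

Running unmigrated_peers on the old configuration lists both peers; after appending the output of build_keyrings it returns an empty list.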
The following configurations show the changes necessary for a remote access configuration upgrade from an earlier version of this solution to the Cisco network-based IPSec VPN solution Release 1.5.
Previous Version Remote Access Configuration
crypto isakmp client configuration group VPN1-RA-GROUP
key VPN1-RA
pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
Combination Site-to-Site and Remote Access Configuration
The following configurations show the changes necessary for a site-to-site and remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution Release 1.5.
Previous Version Site-to-Site and Remote Access Configuration
New Version Site-to-Site and Remote Access Configuration
You must migrate to this configuration:
Note For site-to-site configurations that do not require XAUTH, configure an ISAKMP profile without XAUTH configuration. For remote access configurations that require XAUTH, configure an ISAKMP profile with XAUTH.
crypto keyring VPN1-KEYS vrf VPN1
pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
pre-shared-key address 172.21.21.74 key VPN2
!
crypto isakmp client configuration group VPN1-RA-GROUP
key VPN1-RA
pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP