
Table of Contents

Upgrade Considerations
Upgrading Solution Components
Upgrading Customer Premise Equipment
Upgrading from Previous Versions of the Cisco Network-Based IPSec VPN Solution

Upgrade Considerations


This chapter describes general considerations that apply when upgrading to the Cisco network-based IPSec VPN solution Release 1.5. In general, redundancy must be provided so that upgrades can be performed without affecting service availability.

Although the service provider determines the service availability it offers its customers, it remains good practice to ensure that traffic is not interrupted. In addition to providing redundancy to cover outages of equipment or communications channels, redundancy is needed to carry traffic while the solution components are being upgraded.


Caution   It is the responsibility of the service provider to engineer the network in such a way as to provide the required service availability for their customers.

This chapter presents the following major topics:

Before You Upgrade

Upgrading Solution Components

Upgrading Customer Premise Equipment

Upgrading from Previous Versions of the Cisco Network-Based IPSec VPN Solution

Before You Upgrade

Before you begin the solution upgrade, make sure that you keep the following issues in mind:

Upgrading Solution Components

This section provides upgrade information for the following components of the Cisco network-based IPSec VPN solution Release 1.5:

Upgrading the Cisco 7204 and the Cisco 7206 Routers

Upgrading RADIUS Servers

Upgrading the Cisco 7204 and the Cisco 7206 Routers

This section provides information for upgrading the Cisco IOS software image on the Cisco 7204 and 7206 routers.


Note   The most recent information about upgrading the Cisco IOS software can be found in the release notes for your software.

To upgrade software on the Cisco 7204 and 7206 routers, see the information at http://www.cisco.com/warp/public/130/sw_upgrade_highendrouters_23233.html .

Upgrading RADIUS Servers

Any RADIUS server (such as Cisco Access Registrar) that understands Cisco AV pairs can be used. It is essential that client configuration information (authentication and authorization data) not be lost during the upgrade. For information on upgrading Cisco Access Registrar servers, see:

http://www.cisco.com/univercd/cc/td/doc/product/rtrmgmt/cnsar/3_0/install/upgrade.htm .

Upgrading Customer Premise Equipment

This section provides upgrade information for the customer premises equipment used with the Cisco network-based IPSec VPN solution Release 1.5. Table 2-1 lists, for each device, where to find its upgrade procedure.


Note   The most recent information about upgrading the Cisco IOS software can be found in the release notes for your software.

Table 2-1   Customer Premise Equipment Upgrade Information

Customer Premise Equipment        Upgrade Information
Cisco VPN 3002 hardware client    http://www.cisco.com/univercd/cc/td/doc/product/vpn/vpn3000/vpn3kco/vcoug/usr_3_0/admin.htm#xtocid2259936
Cisco 800 series routers          http://www.cisco.com/warp/public/63/IOSupgrade_800.shtml
Cisco 1700 series routers         http://www.cisco.com/warp/public/130/sw_upgrade_proc_ram.shtml
Cisco 2600 series routers         http://www.cisco.com/warp/public/130/sw_upgrade_proc_ram.shtml
Cisco 3600 series routers         http://www.cisco.com/warp/public/130/sw_upgrade_proc_ram.shtml
Cisco 7200 series routers         http://www.cisco.com/warp/public/130/sw_upgrade_highendrouters_23233.html

Upgrading from Previous Versions of the Cisco Network-Based IPSec VPN Solution

The VRF-Aware IPSec feature introduces IP security (IPSec) tunnel mapping to Multiprotocol Label Switching (MPLS) Virtual Private Networks (VPNs). Using the VRF-Aware IPSec feature, you can map IPSec tunnels to virtual routing and forwarding (VRF) instances using single, public-facing addresses.

The VRF-Aware IPSec feature in the Cisco network-based IPSec VPN solution Release 1.5 requires that you change your existing configurations. For more information about the VRF-Aware IPSec feature, see http://www.cisco.com/univercd/cc/td/doc/product/software/ios122/122newft/122t/122t15/ft_vrfip.htm .

The sample configurations that follow indicate the changes you must make to your existing configurations. These samples include the following:

Site-to-Site Configuration Migration

Remote Access Configuration Upgrade

Combination Site-to-Site and Remote Access Configuration

Site-to-Site Configuration Migration

The following configurations show the changes necessary for site-to-site configuration migration from a previous version of this solution to the current Cisco network-based IPSec VPN solution Release 1.5.

Previous Version Site-to-Site Configuration

The following site-to-site configuration is from a previous version of the network-based IPSec VPN solution; the pre-shared keys are global crypto isakmp key entries even though the crypto maps are applied to subinterfaces in VRFs:

crypto isakmp key VPN1 address 172.21.25.74
crypto isakmp key VPN2 address 172.21.21.74
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
! Fa0/0.2 is addressed 172.21.21.73 (its peer is 172.21.21.74); only one subinterface per port can carry the native VLAN
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
!

New Version Site-to-Site Configuration

The following configuration is the same site-to-site configuration upgraded to the Cisco network-based IPSec VPN solution Release 1.5. Only the key definitions change; the transform sets, crypto maps and interfaces are unchanged.


Note   You must change to keyrings. The VRF-Aware IPSec feature requires that pre-shared keys be associated with a VRF when the IKE local endpoint (here, the subinterface carrying the crypto map) is in that VRF.

crypto keyring VPN1-KEYS vrf VPN1
 pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
 pre-shared-key address 172.21.21.74 key VPN2
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
! Fa0/0.2 is addressed 172.21.21.73 (its peer is 172.21.21.74); only one subinterface per port can carry the native VLAN
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
!
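The rule in the note above can be checked mechanically before the upgraded configuration goes live. The following Python script is an added example written for this page, not Cisco software: it reads an IOS configuration, finds every crypto map applied to an interface that has ip vrf forwarding, and reports each static peer of that map whose pre-shared key is not in a keyring bound to the same VRF. A global crypto isakmp key is deliberately not counted, because it serves only IKE endpoints in the global routing table. The embedded configuration is constructed for the example: VPN1 has been migrated to a keyring while VPN2 still relies on a global key, and the script reports the VPN2 peer.

```python
"""Added example (not Cisco's code): check that every IKE peer of a crypto map on a
VRF interface has its pre-shared key in a keyring bound to that same VRF."""
import re

def blocks(cfg):
    """Top-level IOS statements, each as [header, sub-command, ...]; '!' lines dropped."""
    text = "\n".join(l for l in cfg.splitlines() if l.strip() and not l.startswith("!"))
    return [[l.strip() for l in b.splitlines()] for b in re.split(r"\n(?=\S)", text) if b]

def uncovered_peers(cfg):
    """Return [(vrf, crypto map, peer)] for static peers with no key in that VRF's keyring.
    A global 'crypto isakmp key' is ignored on purpose: it only serves IKE endpoints in
    the global routing table, not an endpoint whose interface is in a VRF."""
    map_vrf, map_peers, vrf_keys = {}, {}, {}
    for head, *body in blocks(cfg):
        m = re.match(r"crypto keyring \S+ vrf (\S+)", head)
        if m:                                   # keyring bound to a VRF
            vrf_keys.setdefault(m.group(1), set()).update(
                l.split()[2] for l in body if l.startswith("pre-shared-key address "))
        m = re.match(r"crypto map (\S+) \d+ ipsec-isakmp$", head)
        if m:                                   # static entries only; dynamic ones have no peer
            map_peers.setdefault(m.group(1), []).extend(
                l.split()[2] for l in body if l.startswith("set peer "))
        if head.startswith("interface "):
            vrf = [l.split()[3] for l in body if l.startswith("ip vrf forwarding ")]
            cm = [l.split()[2] for l in body if l.startswith("crypto map ")]
            if vrf and cm:                      # IKE local endpoint lives in this VRF
                map_vrf[cm[0]] = vrf[0]
    return [(vrf, cm, peer) for cm, vrf in map_vrf.items()
            for peer in map_peers.get(cm, []) if peer not in vrf_keys.get(vrf, set())]

# Constructed sample: VPN1 migrated to a keyring, VPN2 still on a global key.
SAMPLE = """\
crypto keyring VPN1-KEYS vrf VPN1
 pre-shared-key address 172.21.25.74 key VPN1
!
crypto isakmp key VPN2 address 172.21.21.74
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
"""

if __name__ == "__main__":
    for vrf, cm, peer in uncovered_peers(SAMPLE):
        print(f"VRF {vrf}: crypto map {cm} peer {peer} has no key in a keyring for {vrf}")
```

Run it against a saved copy of the running configuration after the keyrings have been added; an empty result means every VRF-bound peer has a key that IKE can actually find.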

Remote Access Configuration Upgrade

The following configurations show the changes necessary for a remote access configuration upgrade from an earlier version of this solution to the Cisco network-based IPSec VPN solution Release 1.5.

Previous Version Remote Access Configuration

crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 reverse-route
!
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 client authentication list VPN2-RA-LIST
crypto map VPN2 isakmp authorization list VPN2-RA-LIST
crypto map VPN2 client configuration address initiate
crypto map VPN2 client configuration address respond
crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
! only one subinterface per port can carry the native VLAN
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
!

New Version Remote Access Configuration

In this case the upgrade does not force a change to the existing configuration; however, we recommend that you move to the following configuration, in which the client authentication, ISAKMP authorization and client configuration address settings are attached to an ISAKMP profile for each remote access group and referenced from the dynamic crypto map, instead of being set on the crypto map itself:

crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto isakmp profile VPN1-RA
 match identity group VPN1-RA-GROUP
 client authentication list VPN1-RA-LIST
 isakmp authorization list VPN1-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto isakmp profile VPN2-RA
 match identity group VPN2-RA-GROUP
 client authentication list VPN2-RA-LIST
 isakmp authorization list VPN2-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 set isakmp-profile VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 set isakmp-profile VPN2-RA
 reverse-route
!
crypto map VPN1 10 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 10 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
! only one subinterface per port can carry the native VLAN
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
!

Combination Site-to-Site and Remote Access Configuration

The following configurations show the changes necessary for a site-to-site and remote access configuration upgrade from a previous version of the network-based IPSec VPN solution to the Cisco network-based IPSec VPN solution Release 1.5.

Previous Version Site-to-Site and Remote Access Configuration

crypto isakmp key VPN1 address 172.21.25.74 no-xauth
crypto isakmp key VPN2 address 172.21.21.74 no-xauth
!
crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 reverse-route
!
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 client authentication list VPN2-RA-LIST
crypto map VPN2 isakmp authorization list VPN2-RA-LIST
crypto map VPN2 client configuration address initiate
crypto map VPN2 client configuration address respond
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 match address 102
crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
! Fa0/0.2 is addressed 172.21.21.73 (its peer is 172.21.21.74); only one subinterface per port can carry the native VLAN
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
!

New Version Site-to-Site and Remote Access Configuration

You must migrate to this configuration:


Note   For site-to-site connections that do not require XAUTH, configure an ISAKMP profile without XAUTH (no client authentication list). For remote access connections that require XAUTH, configure a separate ISAKMP profile with XAUTH. This separation replaces the no-xauth keyword that the previous configuration set on the site-to-site pre-shared keys.

crypto keyring VPN1-KEYS vrf VPN1
 pre-shared-key address 172.21.25.74 key VPN1
!
crypto keyring VPN2-KEYS vrf VPN2
 pre-shared-key address 172.21.21.74 key VPN2
!
crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
!
crypto isakmp client configuration group VPN2-RA-GROUP
 key VPN2-RA
 pool VPN2-RA
!
crypto isakmp profile VPN1
 keyring VPN1-KEYS
 match identity address 172.21.25.74 VPN1
!
crypto isakmp profile VPN2
 keyring VPN2-KEYS
 match identity address 172.21.21.74 VPN2
!
crypto isakmp profile VPN1-RA
 match identity group VPN1-RA-GROUP
 client authentication list VPN1-RA-LIST
 isakmp authorization list VPN1-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto isakmp profile VPN2-RA
 match identity group VPN2-RA-GROUP
 client authentication list VPN2-RA-LIST
 isakmp authorization list VPN2-RA-LIST
 client configuration address initiate
 client configuration address respond
!
crypto ipsec transform-set VPN1 esp-des esp-sha-hmac
crypto ipsec transform-set VPN2 esp-3des esp-sha-hmac
!
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto ipsec transform-set VPN2-RA esp-3des esp-md5-hmac
!
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 set isakmp-profile VPN1-RA
 reverse-route
!
crypto dynamic-map VPN2-RA 1
 set transform-set VPN2-RA
 set isakmp-profile VPN2-RA
 reverse-route
!
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 set isakmp-profile VPN1
 match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
!
crypto map VPN2 10 ipsec-isakmp
 set peer 172.21.21.74
 set transform-set VPN2
 set isakmp-profile VPN2
 match address 102
crypto map VPN2 20 ipsec-isakmp dynamic VPN2-RA
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
!
! Fa0/0.2 is addressed 172.21.21.73 (its peer is 172.21.21.74); only one subinterface per port can carry the native VLAN
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip vrf forwarding VPN2
 ip address 172.21.21.73 255.255.255.0
 crypto map VPN2
!

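The three migrations above (site-to-site, remote access, and the combination) apply one mechanical rewrite: global crypto isakmp key entries move into a keyring bound to the VRF of the interface that carries the crypto map; the crypto map-level client authentication, isakmp authorization and client configuration address commands move into an ISAKMP profile that matches the remote access group; a mixed map additionally gets a profile without XAUTH for its static peers; and the dynamic and static entries receive set isakmp-profile. The following Python script is an added example written for this page, not Cisco software, that performs this rewrite on a configuration file. Because the pre-1.5 syntax never records which client configuration group belongs to which crypto map, that mapping is passed in by the operator (the map_groups argument, an assumption of this example); the keyring names <VRF>-KEYS follow the samples above. The embedded pre-1.5 configuration is constructed for the example.

```python
"""Added example (not Cisco's code): rewrite a pre-Release 1.5 IPSec configuration
into the keyring / ISAKMP-profile form shown in the migration samples above."""
import re

def blocks(cfg):
    """Top-level IOS statements, each as [header, sub-command, ...]; '!' lines dropped."""
    text = "\n".join(l for l in cfg.splitlines() if l.strip() and not l.startswith("!"))
    return [[l.strip() for l in b.splitlines()] for b in re.split(r"\n(?=\S)", text) if b]

def with_profile(body, name):
    """Insert 'set isakmp-profile <name>' after the last 'set ...' sub-command."""
    i = max([i for i, l in enumerate(body) if l.startswith("set ")], default=-1) + 1
    return body[:i] + [f"set isakmp-profile {name}"] + body[i:]

def migrate(cfg, map_groups):
    """Return the migrated configuration.  map_groups maps a crypto map name to the
    ISAKMP client configuration group of its remote-access users: the old syntax never
    recorded that link, so the operator supplies it (an assumption of this example)."""
    parsed = blocks(cfg)
    psk, map_vrf, peers, ra = {}, {}, {}, {}
    for head, *body in parsed:
        w = head.split()
        if head.startswith("crypto isakmp key "):           # crypto isakmp key K address A
            psk[w[5]] = w[3]
        elif head.startswith("interface "):
            vrf = [l.split()[3] for l in body if l.startswith("ip vrf forwarding ")]
            cm = [l.split()[2] for l in body if l.startswith("crypto map ")]
            if vrf and cm:
                map_vrf[cm[0]] = vrf[0]
        elif head.startswith("crypto map ") and w[3].isdigit():
            if len(w) == 5:                                 # static ipsec-isakmp entry
                peers.setdefault(w[2], []).extend(
                    l.split()[2] for l in body if l.startswith("set peer "))
            else:                                           # ... ipsec-isakmp dynamic D
                ra.setdefault(w[2], {}).setdefault("dynamic", []).append(w[6])
        elif head.startswith("crypto map "):                # map-level XAUTH/authz/config
            ra.setdefault(w[2], {}).setdefault(" ".join(w[3:-1]), []).append(w[-1])
    out, profiles, keyrings = [], [], {}
    for m, addrs in peers.items():
        if m not in map_vrf:
            raise ValueError(f"crypto map {m} is not applied to a VRF interface")
        for a in addrs:
            if a not in psk:
                raise ValueError(f"no pre-shared key for peer {a} (crypto map {m})")
            keyrings.setdefault(map_vrf[m], []).append((a, psk[a]))
    for vrf, entries in keyrings.items():                   # keys move into a per-VRF keyring
        out += [f"crypto keyring {vrf}-KEYS vrf {vrf}"]
        out += [f" pre-shared-key address {a} key {k}" for a, k in entries] + ["!"]
    for m, s in ra.items():
        if "dynamic" not in s:
            raise ValueError(f"crypto map {m} has XAUTH settings but no dynamic entry")
        if m in peers:                  # mixed map: static peers get a profile WITHOUT XAUTH
            vrf = map_vrf[m]
            profiles += [f"crypto isakmp profile {m}", f" keyring {vrf}-KEYS"]
            profiles += [f" match identity address {a} {vrf}" for a in peers[m]] + ["!"]
        for dyn in s["dynamic"]:        # remote-access profile carries XAUTH/authz/config
            profiles += [f"crypto isakmp profile {dyn}", f" match identity group {map_groups[m]}"]
            profiles += [f" {k} {v}" for k, vals in s.items() if k != "dynamic" for v in vals]
            profiles.append("!")
    dyn_maps = {d for s in ra.values() for d in s["dynamic"]}
    for head, *body in parsed:
        w = head.split()
        if head.startswith("crypto isakmp key ") or (
                head.startswith("crypto map ") and not w[3].isdigit()):
            continue                                        # replaced by keyrings/profiles
        if profiles and w[:2] not in (["crypto", "isakmp"], ["crypto", "keyring"]):
            out, profiles = out + profiles, []              # profiles precede their users
        if head.startswith("crypto dynamic-map ") and w[2] in dyn_maps:
            body = with_profile(body, w[2])
        elif head.startswith("crypto map ") and len(w) == 5 and w[2] in ra:
            body = with_profile(body, w[2])
        out += [head] + [" " + l for l in body] + ["!"]
    return "\n".join(out)

# Constructed pre-1.5 sample (one VRF, site-to-site plus remote access on one map).
OLD_CONFIG = """\
crypto isakmp key VPN1 address 172.21.25.74 no-xauth
crypto isakmp client configuration group VPN1-RA-GROUP
 key VPN1-RA
 pool VPN1-RA
crypto ipsec transform-set VPN1 esp-3des esp-sha-hmac
crypto ipsec transform-set VPN1-RA esp-3des esp-sha-hmac
crypto dynamic-map VPN1-RA 1
 set transform-set VPN1-RA
 reverse-route
crypto map VPN1 client authentication list VPN1-RA-LIST
crypto map VPN1 isakmp authorization list VPN1-RA-LIST
crypto map VPN1 client configuration address initiate
crypto map VPN1 client configuration address respond
crypto map VPN1 10 ipsec-isakmp
 set peer 172.21.25.74
 set transform-set VPN1
 match address 101
crypto map VPN1 20 ipsec-isakmp dynamic VPN1-RA
interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip vrf forwarding VPN1
 ip address 172.21.25.73 255.255.255.0
 crypto map VPN1
"""
```

Run it as `print(migrate(open("old.cfg").read(), {"VPN1": "VPN1-RA-GROUP"}))` against a saved copy of the running configuration. It refuses to produce output when a static peer has no pre-shared key or a crypto map is not applied to a VRF interface, rather than silently leaving that peer without a key; access lists, AAA method lists and address pools are passed through unchanged, so review the result before applying it.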
Posted: Tue May 20 05:23:27 PDT 2003
All contents are Copyright © 1992--2003 Cisco Systems, Inc. All rights reserved.