This document provides information about the configurational changes to
make when a new VPN peer is added to the existing site-to-site VPN
configuration using Adaptive Security Device Manager (ASDM). This is required
in these scenarios:
The Internet Service Provider (ISP) has been changed and a new set of
public IP range is used.
A complete re-design of the network at a site.
The device used as VPN gateway at a site is migrated to a new device
with a different public IP address.
This document assumes that the site-to-site VPN is already configured
properly and works fine. This document provides the steps to follow in order to
change a VPN peer information in the L2L VPN configuration.
Cisco recommends that you have knowledge of this topic:
The information in this document is based on these software and
Technical Tips Conventions for more information on document
The site-to-site VPN is working fine between the HQASA and the BQASA.
Assume that the BQASA has got a complete network re-design and the IP schema
has been modified at the ISP level, but all the internal subnetwork details
remain the same.
This sample configuration uses these IP addresses:
Note: Here, only the peer information will be modified. Because there is no
other change in internal subnet, the crypto access-lists remain the
This section provides information about the possible methods used to
change VPN peer information on HQASA using the ASDM.
This can be the easier method because it does not disturb the existing
VPN configuration and can create a new connection profile with the new VPN peer
Go to Configuration > Site-to-Site VPN > Connection
Profiles and click Add under the Connection
The Add IPSec Site-to-Site Connection Profile
window opens up.
Under the Basic tab, provide the details for Peer IP
Address, Pre-shared Key, and
Protected Networks. Use all the same parameters as the
existing VPN, except the peer information. Click
Under the Advanced menu, click Crypto Map Entry.
Refer to the Priority tab. This Priority is equal to the
sequence number in its equivalent CLI configuration. When a lesser number than
the existing crypto map entry is assigned, this new profile is executed first.
The higher the priority number, the lesser the value. This is used to change
the order of sequence that a specific crypto map will be executed. Click
OK to complete creating the new connection
This automatically creates a new tunnel-group along with an associated
crypto map. Make sure you can reach the BQASA with the new IP address before
you use this new connection profile.
Another way of adding a new peer is to modify the existing
configuration. The existing connection profile cannot be edited for the new
peer information because it is bound to a specific peer. In order to edit the
existing configuration, you need to perform these steps:
Create a New Tunnel Group
Edit the Existing Crypto Map
Go to Configuration > Site-to-Site VPN > Advanced >
Tunnel groups and click Add to create a new
tunnel-group that contains the new VPN peer information. Specify the
Name and Pre-shared Key fields, then
Note: Make sure the Pre-shared Key matches the other end of the VPN.
Note: In the Name field, only the IP address of the remote peer should be
entered when the authentication mode is pre-shared keys. Any name can be used
only when the authentication method is through certificates. This error appears
when a name is added in the Name field and the authentication method is
The existing crypto map can be edited in order to associate the new
Complete these steps:
Go to Configuration > Site-to-Site VPN > Advanced
> Crypto Maps, then select the required crypto map and click
The Edit IPSec Rule window
Under the Tunnel Policy (Basic) tab, in the Peer Settings area,
specify the new peer in the IP Address of Peer to be added field. Then, click
Select the existing peer IP address and click
Remove to retain the new peer information only. Click
Note: After you modify the peer information in the current crypto map,
the Connection Profile associated with this crypto map is deleted instantly in
the ASDM window.
The details of the encrypted networks remain the same. If you need to
modify these, go to the Traffic Selection
Go to the Configuration > Site-to-Site VPN > Advanced
> Crypto Maps pane in order to view the modified crypto map.
However, these changes do not take place until you click
Apply. After you click Apply, go to
the Configuration > Site-to-Site VPN > Advanced > Tunnel
groups menu in order to verify if an associated tunnel-group is
present or not. If yes, then an associated Connection
Profile will be created.
Use this section in order to confirm that your configuration works
Output Interpreter Tool
(registered customers only)
(OIT) supports certain
show commands. Use the OIT to view an analysis of
show command output.
Use this section to troubleshoot your configuration.
This error is displayed in the log messages when trying to change the
VPN peer from a VPN concentrator to ASA.
This can be a result of improper configuration steps followed during
the migration. Ensure that the crypto binding to the interface is removed
before you add a new peer. Also, make sure that you used the IP address of the
peer in the tunnel-group, but not the name.