A few times I have had to change site-to-site VPN tunnels on Cisco ASAs. At first my colleague told me I had to remove the whole VPN configuration and rebuild it. During my testing, however, I found a way that does not require removing the whole site-to-site configuration. Below I describe what I do to change the peer IP address of a Cisco site-to-site tunnel on a live system, when the other site has received a new IP address.
First, look up the current configuration, which looks like this:
crypto map OUTSIDE_map 1 set peer <current IP>
tunnel-group <current IP> type ipsec-l2l
tunnel-group <current IP> ipsec-attributes
pre-shared-key <current KEY>
Second, create the same configuration with the new IP address of the remote location (the pre-shared key stays the same):
crypto map OUTSIDE_map 1 set peer <new IP>
tunnel-group <new IP> type ipsec-l2l
tunnel-group <new IP> ipsec-attributes
pre-shared-key <same KEY>
In show running-config you will now see a line like the one below, with both peers listed on the same crypto map entry:
crypto map OUTSIDE_map 1 set peer <current IP> <new IP>
Next, remove the old IP settings from the ASA with the following commands:
no crypto map OUTSIDE_map 1 set peer <current IP>
no tunnel-group <current IP> type ipsec-l2l
no tunnel-group <current IP> ipsec-attributes
The ASA may reply that you have to use the clear command instead. Be aware that the clear command removes the whole configuration of that tunnel-group, including its pre-shared key.
If you run show running-config again, you will see that the old configuration is gone and the new one is in place. Check in ASDM that the VPN tunnel is back online; it should then work as before.
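As an added check that is not part of the original post, the small parser below reads a show running-config excerpt and reports whether the cut-over described above is complete: the new peer is on the crypto map with a tunnel-group and pre-shared key, and neither the old peer nor its tunnel-group (which still carries a key for an address you no longer control) is left behind. The config excerpts, IP addresses and the names OUTSIDE_map and cutover_status are constructed for this example.

```python
import re

# Constructed `show running-config` excerpts: MID_CHANGE after the new peer and
# tunnel-group were added, AFTER_CLEANUP once the old ones were removed. The
# ASA prints pre-shared keys as *****.
MID_CHANGE = """\
crypto map OUTSIDE_map 1 set peer 198.51.100.10 203.0.113.20
tunnel-group 198.51.100.10 type ipsec-l2l
tunnel-group 198.51.100.10 ipsec-attributes
 pre-shared-key *****
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key *****
"""
AFTER_CLEANUP = """\
crypto map OUTSIDE_map 1 set peer 203.0.113.20
tunnel-group 203.0.113.20 type ipsec-l2l
tunnel-group 203.0.113.20 ipsec-attributes
 pre-shared-key *****
"""
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")
TG_RE = re.compile(r"^tunnel-group (\S+) (type (\S+)|ipsec-attributes)$")
PSK_RE = re.compile(r"^\s+(?:ikev\d\s+)?pre-shared-key\b")  # old and `ikev1` forms

def crypto_map_peers(config, map_name, seq):
    """Peer list of one crypto map entry; the ASA shows several peers on one line."""
    for line in config.splitlines():
        m = PEER_RE.match(line)
        if m and m.group(1) == map_name and int(m.group(2)) == seq:
            return m.group(3).split()
    return []

def tunnel_groups(config):
    """Tunnel-group name (the peer IP for ipsec-l2l) -> {"type", "has_psk"}."""
    groups, current = {}, None  # current: group whose ipsec-attributes sub-mode is open
    for line in config.splitlines():
        if m := TG_RE.match(line):
            entry = groups.setdefault(m.group(1), {"type": None, "has_psk": False})
            entry["type"] = m.group(3) or entry["type"]
            current = m.group(1) if m.group(2) == "ipsec-attributes" else None
        elif current and PSK_RE.match(line):
            groups[current]["has_psk"] = True
        elif not line.startswith(" "):
            current = None  # any other top-level line ends the sub-mode
    return groups

def cutover_status(config, old_ip, new_ip, map_name="OUTSIDE_map", seq=1):
    """Flags for the cut-over: is the new peer usable, and is the old one fully gone?"""
    peers, groups = crypto_map_peers(config, map_name, seq), tunnel_groups(config)
    new = groups.get(new_ip, {"type": None, "has_psk": False})
    return {"new_peer_ready": new_ip in peers and new["type"] == "ipsec-l2l" and new["has_psk"],
            "old_peer_on_map": old_ip in peers, "stale_tunnel_group": old_ip in groups}
```

Run it against the output of show running-config after the last step; old_peer_on_map or stale_tunnel_group still being true means a removal command did not take effect.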