All dynamic IPsec tunnels (dynamic LAN-to-LAN tunnels and remote-access tunnels) that terminate on the same IPsec gateway share the same configuration (config>service>sap>ipsec-gw). The SR OS provides dynamic configuration change capability to modify specific IPsec gateway configurations without impacting existing tunnels.
The following IPsec gateway configurations are dynamically configurable without shutting down the IPsec gateway:
Change the pre-shared-key.
Change the reference of the ike-policy.
Change the reference of the tunnel-template.
Enable or change reference of the radius-authentication-policy.
Enable or change reference of the radius-accounting-policy.
Enable, disable, or change reference of the ts-negotiation.
Enable, disable, or change reference of the client-db.
Change configurations in the config>service>sap>ipsec-gw>cert context.
Change configurations in the config>service>sap>ipsec-gw>dhcp context.
Change configurations in the config>service>sap>ipsec-gw>dhcp6 context.
Change configurations in the config>service>sap>ipsec-gw>local-address-assignment context.
Existing tunnels are not impacted by dynamic configuration changes. The system uses the new configuration for new tunnel negotiations. For each existing tunnel, the system continues to use the previous configuration that created the tunnel for its ongoing operations (such as rekeying).