Changing gateway IP addresses in an existing VPN

There are special considerations depending on whether you change the IP address of a VPN Gateway element or an External VPN Gateway element.

For VPN Gateway elements, the IP addresses you have defined for the firewall's interfaces determine the VPN endpoint addresses. On Firewall Clusters, only CVI addresses are used as VPN endpoints.

Note: If the gateway's identity in the VPN is based on its IP address, you must update the configurations of all gateways in the VPN. You must update the configurations even if the IP address is NATed and not directly used for contact. For VPN Gateway elements, you update the configuration by refreshing the engine's policy after you change the IP addresses. For External VPN Gateways, change the information in the configuration of the gateway device.

  • If you change the IP address for a firewall interface, the corresponding VPN endpoint IP address also changes automatically. The existing tunnels in the Policy-Based VPN element and the Route-Based VPN Tunnel elements are preserved.
  • If continuous connectivity is required, define the new address as a second endpoint before you change the IP address. The Multi-Link VPN automatically selects the IP address that works before and after the change.
  • If you add or remove interfaces, you might need to select or deselect endpoints manually and then check the tunnel configuration in the Policy-Based VPN element or the Route-Based VPN Tunnel elements.

Note: You cannot use the same endpoint in a policy-based VPN and a route-based VPN.

For External VPN Gateways, you always enter the VPN endpoint addresses manually. Change the IP address configured in the Management Client, then refresh the policies of all affected firewalls.