getting new public ip addresses...

[detsh]

Hello,
in the next weeks we will get a new public ip address block from our isp.
This meets, of course, our vpn's. We don't want to change it all at the same time. On our NOKIA Cluster we have one interface unconfigured, at this time.
At this interface, I will configure the new ip address.

And now my question:

Should I leave the old address on the firewallobject, configure the vpn's to the new ipaddresses and, when all vpn's points to the new ipaddress, I change the firewallobject to the new ipaddress

or

First I change the firewallobjects ipaddress to the new one and do then the configuration for the vpn's. Will this going on?

The configuration change to the VPN's will take several days. Through this time, we cannot interrupt vpn's for long time.

Any idea?

Thanks a lot

[mcnallym]

I would configure the new interface up,

add static routes onto the box so that the VPN tunnels are routed down the existing interface.

Change Default Gateway to the new line.

Leave the IP alone initially.

You can migrate the VPN's over one at a time, as you do remove the static route for the remote VPN Gateway so moves over to the new interface.

Change the IP to the new range.

[detsh]

Hello Mcnallym,
and should I change my firewall object's IP-address to the new range?
Could this produce problems for the existing vpn's?
What do you think?

[mcnallym]

You can get around this with Link Selection initially and then change the IP of the object when completed

[donshoutarp]

If you are using "ongoing probing-probe the following address" for your VPN link selection you will need add this new IP address. And you might want change the primary address eventually.