Rajneesh
Staff
July 9, 2025

Technical Tip: Scope of password policy in IPsec tunnels

Description

This article describes how the configured password policy is used with, and affects, existing IPsec tunnels.

Scope

FortiGate.

Solution

The configured expiration policy applies exclusively to administrator logins. IPsec pre-shared keys are not subject to this policy and remain valid indefinitely unless manually modified, so tunnel continuity is not affected.

The password policy takes effect only when the user tries to change a tunnel's pre-shared key. At that point, the new key has to match the conditions defined under the password policy.

IPSECPSK.png

The password policy is enforced only when a user attempts to update the pre-shared key for IPsec VPN tunnels. At that point, the system will require compliance with the defined policy parameters, such as minimum character length and ensuring the new password differs from the previous one.

Note:

When a user attempts to enable the password policy for IPsec tunnels and the existing IPsec tunnels' pre-shared keys do not meet the new criteria, the user will encounter the error below when trying to save the configuration changes. Therefore, the existing IPsec tunnels' pre-shared keys must first conform to the password policy requirements.

error.png
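
Because the policy cannot be saved while existing pre-shared keys fall short of it, it helps to find the non-compliant tunnels beforehand. The following is an added example, not Fortinet code and not FortiOS's own validation logic: a pre-flight check over keys taken from your own secrets store. The rule names, thresholds, tunnel names and keys are all constructed assumptions.

```python
"""Pre-flight check: which IPsec pre-shared keys would fail a password policy?"""
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    # Hypothetical rule set; set these to match the policy you plan to enable.
    min_length: int = 12
    min_lower: int = 1
    min_upper: int = 1
    min_digits: int = 1
    min_special: int = 1


def violations(psk: str, policy: Policy) -> list[str]:
    """Return the names of the rules that psk breaks (empty list = compliant)."""
    counts = {
        "min_length": len(psk),
        "min_lower": sum(c in string.ascii_lowercase for c in psk),
        "min_upper": sum(c in string.ascii_uppercase for c in psk),
        "min_digits": sum(c in string.digits for c in psk),
        "min_special": sum(not c.isalnum() for c in psk),
    }
    return [rule for rule, have in counts.items() if have < getattr(policy, rule)]


def audit(tunnels: dict[str, str], policy: Policy) -> dict[str, list[str]]:
    """Map each non-compliant tunnel name to the rules its key breaks."""
    report = {name: violations(psk, policy) for name, psk in tunnels.items()}
    return {name: broken for name, broken in report.items() if broken}


# Constructed sample data: tunnel names and keys are made up for this example.
SAMPLE_TUNNELS = {
    "branch-a": "Summer2020",             # too short, no special character
    "branch-b": "k7#Vd9!qLm2$Xw",         # compliant
    "dc-backup": "alllowercasekeyvalue",  # no upper case, digit or special
}

if __name__ == "__main__":
    for name, broken in audit(SAMPLE_TUNNELS, Policy()).items():
        # Never print the key itself; report only the tunnel and failed rules.
        print(f"{name}: fails {', '.join(broken)}")
```

Tunnels listed in the report need their pre-shared key changed on both peers before the policy is applied to IPsec pre-shared keys.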