nikolaj
New Member
May 19, 2017
Solved

changes in VPN phase II

  • May 19, 2017
  • 1 reply
  • 7669 views

If I need to make a change in the VPN phase II, must this change be executed at the same time at both ends of the VPN tunnel, otherwise the tunnel goes down?


    Best answer by ede_pfau

    That depends.


    If, for example, you add another encryption/MAC pair to the existing one, traffic will continue to flow. If you change the key lifetime, the shorter of both will be negotiated and traffic continues.

    Usually, you make the changes on the remote side, see the tunnel down or not, and make the changes on the local side. Or, to play safe, enable HTTPS or SSH access on the WAN port of the remote FGT temporarily.
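    The answer above rests on how phase 2 proposals and selectors are matched between the two peers. The following is an added example, not code from the original post or from Fortinet: a small Python model of that matching (proposal and selector formats, and the "first shared proposal wins" rule, are assumptions of the model). It lets you check, before touching a box, whether a one-sided change still leaves a proposal the peer accepts, which new remote subnets will sit idle until the peer mirrors them, and which existing selectors keep working.

```python
"""Model of IPsec phase 2 negotiation between two peers.

Constructed example for reasoning about one-sided phase 2 changes; it is not
FortiGate code.  Proposal tuples, selector tuples and the matching rule
("first initiator proposal the responder also lists wins") are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Phase2:
    # Encryption/MAC pairs this side offers, in preference order (assumed format).
    proposals: tuple
    keylife_seconds: int
    # (local_subnet, remote_subnet) selectors as written on this side.
    selectors: frozenset


def negotiate(initiator: Phase2, responder: Phase2):
    """Return (proposal, lifetime) or None when no proposal is shared.

    Lifetime is the shorter of the two configured values, matching the
    behaviour described in the answer."""
    for prop in initiator.proposals:
        if prop in responder.proposals:
            return prop, min(initiator.keylife_seconds, responder.keylife_seconds)
    return None


def mirrored(selectors: frozenset) -> frozenset:
    """Selectors as the peer must list them: local and remote swap roles."""
    return frozenset((remote, local) for (local, remote) in selectors)


def assess_change(before: Phase2, after: Phase2, peer: Phase2) -> dict:
    """Compare one side's old and new phase 2 config against an unchanged peer."""
    now = negotiate(after, peer)
    peer_sel = mirrored(peer.selectors)
    return {
        # Can a new SA be built (at rekey or on demand) after the change?
        "rekey_ok": now is not None,
        "negotiated": now,
        # Selectors present before, after and on the peer: traffic keeps flowing.
        "still_matching": before.selectors & after.selectors & peer_sel,
        # Selectors only this side knows: harmless, but carry no traffic yet.
        "pending_on_peer": after.selectors - peer_sel,
        # Selectors removed here: that traffic stops.
        "dropped_here": before.selectors - after.selectors,
    }


# Constructed sample configs (RFC 1918 subnets, invented values).
PEER = Phase2((("aes256", "sha256"),), 3600,
              frozenset({("10.2.0.0/24", "10.1.0.0/24")}))
BEFORE = Phase2((("aes256", "sha256"),), 43200,
                frozenset({("10.1.0.0/24", "10.2.0.0/24")}))
# Case 1: add a second proposal; the shared one is still offered.
ADD_PROPOSAL = Phase2((("aes256", "sha256"), ("aes128", "sha1")), 43200,
                      BEFORE.selectors)
# Case 2: add a new remote subnet on this side only (the poster's situation).
ADD_SUBNET = Phase2(BEFORE.proposals, 43200,
                    BEFORE.selectors | {("10.1.0.0/24", "10.3.0.0/24")})
# Case 3: replace the only proposal with one the peer does not list.
REPLACE_PROPOSAL = Phase2((("aes128", "sha1"),), 43200, BEFORE.selectors)


def examples() -> dict:
    """Run the three cases so the results can be inspected or asserted on."""
    return {
        "add_proposal": assess_change(BEFORE, ADD_PROPOSAL, PEER),
        "add_subnet": assess_change(BEFORE, ADD_SUBNET, PEER),
        "replace_proposal": assess_change(BEFORE, REPLACE_PROPOSAL, PEER),
    }


if __name__ == "__main__":
    for name, result in examples().items():
        print(name, result)
```

    Running it shows the three outcomes the thread discusses: adding a proposal or a remote subnet leaves a shared proposal and the existing selector intact, while replacing the only proposal means the next SA cannot be negotiated until the peer is changed too. A real device may additionally flush existing SAs when phase 2 is edited, so the model only answers whether the peers can still agree, not whether a given firmware keeps the current SA alive.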

    1 reply


    nikolaj
    nikolajAuthor
    New Member
    May 19, 2017

    In particular I need to add new subnets in the Remote section of Phase II VPN.

    Does this operation need to be accomplished at the same time at both ends of the tunnel?


    rwpatterson
    New Member
    May 19, 2017

    This should be independent of the operating subnets. No downtime should occur because you are not mucking with the already established tunnels.


    I just reread what you typed. What do you mean by "the remote section of the phase II VPNs"?