rajamanickam
Explorer II
June 18, 2025
Solved

IPSEC Preshared key password policy Expire status

  • June 18, 2025
  • 1 reply
  • 1219 views

Hi,

We have configured a password policy for both the admin password and the IPsec preshared key as below:


conf system password-policy
    set apply-to admin-password ipsec-preshared-key
    set expire-day 90
    set expire-status enable
end


Now the strange behaviour is that after 90 days we really didn't get any notification that the IPsec preshared key had expired, nor did the IPsec tunnel go down. We tried shutting down the IPsec tunnel and the old key was still working. There is no clear documentation about this in the Fortinet public documents.

This is working fine for admin-password, where after 90 days it's prompting to change the password. With this scenario, can we assume that this password expiration is applicable only to the admin password and not to the IPsec preshared key? Please clarify.

 

Regards

Raja

 

Best answer by atakannatak

1 reply

atakannatak
Explorer
June 18, 2025

Hi @rajamanickam ,

 

The expiry setting you configured effectively governs only administrator logins; IPsec pre-shared keys will not expire or tear down the tunnel unless you manually change them. Quick summary – IPsec PSK vs. password-policy expiry:

 

  1. In FortiOS the password-policy expire-day/expire-status timer applies only to admin passwords. When you include ipsec-preshared-key in the same policy, FortiGate checks the PSK’s complexity when you create or edit it, but does not run any time-based expiry afterward. The IKE daemon keeps using the stored key indefinitely, so tunnels stay up and no log or alert is generated on “day 91.”
  2. What the policy really enforces for PSKs: Length, character mix, and similar rules are validated the moment you enter or change the key; if the string fails, the GUI/CLI rejects the save. Once accepted, the PSK is never re-validated for age.
  3. If you need true key rotation you must manage it yourself—e.g., calendar reminders, FortiManager/Ansible scripts to push a new PSK, or switch to IKEv2 with certificates so re-authentication can be automated.

BR.

 

If my answer provided a solution for you, please mark the reply as solved so that others can find it easily while searching for similar scenarios.

 

CCIE #68781

rajamanickam
Explorer II
June 19, 2025

Hello Atakan Atak, thank you for your explanation. It really makes logical sense as well.

 

I would strongly recommend that the Fortinet team explicitly mention this in their documents to avoid any confusion.

 

Thanks again.

 

Regards

Raja