n1olan
New Member
September 23, 2025
Question

Migrating from IKEv1 to v2 - Can both run simultaneously?

  • September 23, 2025
  • 3 replies
  • 2387 views

Hello,
We're trying to migrate our Dial-up VPN from IKEv1 to v2 and wondering if it's possible to run the new IKEv2 tunnel on the same interface without issues for a transition period?

I've read a little about using the PeerID/LocalID to differentiate tunnels but I'm a little concerned about making any changes to the current IKEv1 tunnel and client configurations to accomplish this. Any guidance is much appreciated :)

3 replies

kaman
Staff
September 24, 2025

Hi n1olan,

FortiGate supports IKEv1 and IKEv2, and both are configured similarly. The underlying protocol for IKEv2 is more streamlined, requiring fewer message exchanges to negotiate the SAs compared to IKEv1. The major difference is IKEv1 uses XAuth (Extended Authentication) for user authentication, and IKEv2 uses EAP (Extensible Authentication Protocol).

Please refer to the document below for more information:

https://docs.fortinet.com/document/fortigate/7.6.0/ssl-vpn-to-ipsec-vpn-migration/883534/ikev1-or-ikev2


Please refer to the document below on configuring Dial-Up IPsec VPN with IKEv2:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configuring-Dial-Up-IPsec-VPN-with-IKEv2-on/ta-p/404547


Note: FortiGate IPsec VPN wizard only supports IKEv1 when creating Dial-up tunnels. When IKE is changed from version '1' to '2', some settings are not configured. To authenticate successfully using IKEv2, the following commands must be set under tunnel phase1 settings:

FortiGate-Fw # config vpn ipsec phase1-interface
FortiGate-Fw (phase1-interface) # edit REMOTE
FortiGate-Fw (REMOTE) # set eap enable
FortiGate-Fw (REMOTE) # set eap-identity send-request
FortiGate-Fw (REMOTE) # set authusrgrp <User Group name>
FortiGate-Fw (REMOTE) # end


Also, please refer to the document below on 'gw validation failed' error, IPsec Dial-up using IKEv2:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-fix-gw-validation-failed-error-IPsec-Dial/ta-p/339644


Also, for IKEv2, FortiClient will use EAP-MSCHAPv2.


Please refer to the document below on IKEv2 dial-up tunnel setup with a RADIUS server and using FortiClient:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IKEv2-dialup-IPsec-tunnel-with-RADIUS-server/ta-p/191040

https://community.fortinet.com/t5/FortiGate/Troubleshooting-Tip-Using-IKEv2-for-a-dial-up-IPsec-tunnel-with/ta-p/229663


If you have found a solution, please like and accept it to make it easily accessible to others.


Regards,
Aman

hpenmetsa
Staff
September 24, 2025

Hi

You can configure a new Dial-up VPN with IKEv2 on the same interface; it won't cause any issues. Also, you don't need to make any changes to the IKEv1 tunnel. Please check the following document to configure IKEv2:
https://community.fortinet.com/t5/FortiClient/Technical-Tip-How-to-configure-IPsec-VPN-Tunnel-using-IKE-v2/ta-p/196140

Thanks


Toshi_Esumi
SuperUser
September 24, 2025

@hpenmetsa, so are you saying that if "dial-up1" (IKEv1) and "dial-up2" (IKEv2) are configured on the same WAN interface, when a user/client tries to connect with IKEv2 the FGT finds the matching IKEv2 config and connects to that side, NOT trying to connect to the IKEv1 side and failing because it's configured first?
I think that's what @n1olan is concerned about.

Toshi

hpenmetsa
Staff
September 29, 2025

Hi @Toshi_Esumi 

Yes, when the user tries to connect to dial-up2 (IKEv2) from FortiClient, the user can only connect to dial-up2 (IKEv2), not to dial-up1 (IKEv1), because the configs of the two tunnels are different.

Thanks
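To make the two replies above concrete (kaman's required IKEv2 phase1 settings, and hpenmetsa's point that both dial-up tunnels can sit on one interface), here is an added FortiOS CLI example; it is not from the original thread or from Fortinet's documentation. The interface name wan1, the user group VPN_Users, the tunnel names, the address pools and the PSK placeholders are assumptions; the IKEv1 tunnel keeps XAuth while the IKEv2 tunnel uses EAP, so each client version only matches the tunnel negotiated with its own IKE version.

```text
# Added example (assumed names): IKEv1 and IKEv2 dial-up tunnels on the same WAN interface.
config vpn ipsec phase1-interface
    # Existing IKEv1 tunnel, left unchanged: XAuth authenticates the user.
    edit "DIALUP-IKEv1"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set xauthtype auto
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.10.10.1
        set ipv4-end-ip 10.10.10.100
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-IKEv1-placeholder>
    next
    # New IKEv2 tunnel on the same interface: EAP replaces XAuth (the three
    # settings kaman listed), with a separate, non-overlapping client pool.
    edit "DIALUP-IKEv2"
        set type dynamic
        set interface "wan1"
        set ike-version 2
        set peertype any
        set net-device disable
        set mode-cfg enable
        set proposal aes256-sha256
        set eap enable
        set eap-identity send-request
        set authusrgrp "VPN_Users"
        set ipv4-start-ip 10.10.20.1
        set ipv4-end-ip 10.10.20.100
        set ipv4-netmask 255.255.255.0
        set psksecret <PSK-IKEv2-placeholder>
    next
end
# Each phase1 needs its own phase2 selector.
config vpn ipsec phase2-interface
    edit "DIALUP-IKEv1-p2"
        set phase1name "DIALUP-IKEv1"
        set proposal aes256-sha256
    next
    edit "DIALUP-IKEv2-p2"
        set phase1name "DIALUP-IKEv2"
        set proposal aes256-sha256
    next
end
```

Firewall policies and any static or blackhole routes for the new pool still have to be added for the IKEv2 tunnel interface, exactly as they exist for the IKEv1 one.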

sjoshi
Staff
September 24, 2025

Hi @n1olan ,


I understand from your notes that you are using a dial-up VPN.

Currently it is working with IKEv1.


So when you set up IKEv2, will the public IP and the user group be the same as or different from those used with IKEv1?

Thanks, Salon