Skip to main content
Nate_Morningstar
Nate_Morningstar
New Member
May 27, 2020
Question

Transfering or preplan for for IPSEC rollover for new machine

  • May 27, 2020
  • 1 reply
  • 2518 views

As part of a upcoming project, my manager and I are planning to remove a old 300C and put in two 100F's in a HA A-A cluster. However, one of the issues with this is that the 300C is part of a IPSEC tunnel that allows us to reach to another FortiGate Device. One Idea that I had was was pre-creating another IPSEC tunnel prior to device cut-over so that we can maintain contact with the remote FortiGate Device, then cut over the remote and local FortiGate device before wrapping up the project. We are using FortiConverter to configure the 300C config file for the 100C's, but we both accept the the IPSEC tunnels won't work because of the machine binding with the shared key. If anyone has ever done something like this or could offer any advise, that would be great. 

    1 reply

    sw2090
    SuperUser
    sw2090
    SuperUser
    May 28, 2020

    hm I replaced several FGT with IPSec tunnels by new ones.

    Ijust upgraded both FGt to the same Firmware version and then transferred the config over.

    Worked fine. IPSec was just gone for the couple of minutes needed to replace and boot up the new FGT.

     

    Just I am not sure what happens if the old FGT is still running and the new one is up and running too?

    Dial UP IPsecs support conurrent logins but I can't say anything about p2p tunnels.

    emnoc
    emnoc
    New Member
    May 28, 2020

    Not sure of what area that is confusing, but if your worried about the PSK , just rekey the vpn tunnel with a new key and use that in the migration and point the tunnel at the new FGT cluster wan public ip.

     

    As far as migration if you have a wide WAN public space, you could stack the new HA cluster and build a physical links between it and the 300C & if you had spare ports on the 300C or use a sub-vlan interface and then could walk networks over from the old 300C to the new FGTs once routing was in play.

     

    But just how big is your internal LANs  and how many policies ( 20 50 100 or 2000+ )  ? If it's a small env I would not waste that much time,  and just set a 1-2 hour window and move over all in one single shot and take a short outage.

     

    Ken Felix

    Terms & ConditionsAccessibility statement