johnlloyd_13
Explorer III
April 1, 2025
Question

Update/Change VPN Tunnel Peer ID

  • April 1, 2025
  • 3 replies
  • 1774 views

Hi,

I have a remote FW that I need to change to a new WAN public IP.

It currently has an IPsec VPN established using the old public/peer IP.

My question: can I change/update the remote IP address on the fly?

I checked, and it currently has a reference to the IPsec phase 2 tunnel config.

[two screenshots attached (image.png, image.png), not reproduced]

3 replies

Toshi_Esumi
SuperUser
April 1, 2025

Is it from the same ISP on the same circuit? And both IPs/subnets are active on the ISP end?
If so, the ISP set the new subnet as the secondary IP on their end. Then you can do the same on your FGT to establish the tunnel on the new/secondary IP. Then eventually when it's safe, you can swap primary/secondary IPs, or just let the secondary override the primary IP.

Toshi

johnlloyd_13
Explorer III
April 1, 2025

hi,

Same ISP, but instead of the public LAN range I'll use the WAN public IP.

dingjerry_FTNT
Staff
April 1, 2025

Hi @johnlloyd_13,

The phase2 is referencing the name of the phase1, not the remote IP. So you can change the remote IP on the fly, either in the GUI or in the CLI.

dingjerry_FTNT
Staff
April 1, 2025

Actually, in the past, when I had issues bringing down the tunnel, I usually changed the remote IP in phase1; once it was down, I changed it back to bring it up again.

johnlloyd_13
Explorer III
April 1, 2025

Hi,

Thanks for the reply!

Do I need to manually bring down the phase 1 VPN tunnel first before I change the remote peer IP in the VPN tunnel/phase 1 setting, then bring it up once the new IP is applied?

Toshi_Esumi
SuperUser
April 1, 2025

@dingjerry_FTNT is saying he once used "changing remote IP in phase1" to "bring down the tunnel". You can just change the remote IP/remote-gw in phase1 config. FGT automatically flushes the existing tunnel when anything is changed in the config.

Toshi
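The procedure the replies describe, written out as a FortiOS CLI session. This is an added example, not configuration posted by anyone in the thread: the tunnel name "to-branch", the phase2 name "to-branch-p2", and the addresses 203.0.113.10 (old peer) and 198.51.100.20 (new peer) are placeholders, and the output shown in comments is abbreviated and illustrative.

```fortios
# Added example (not from the thread). Placeholders: tunnel "to-branch",
# old peer 203.0.113.10, new peer 198.51.100.20.

# 1. Confirm how phase2 is bound to phase1: by name only, never by address,
#    so the remote gateway can change without touching phase2.
show vpn ipsec phase2-interface
#   config vpn ipsec phase2-interface
#       edit "to-branch-p2"
#           set phase1name "to-branch"
#           ...                      (illustrative, abbreviated)

# 2. Record the current tunnel state to compare against after the change.
get vpn ipsec tunnel summary

# 3. Update the remote gateway in phase1. Committing the change with "end"
#    flushes the existing IKE SA and its phase2 SAs for this tunnel, so no
#    separate "bring down" step is needed.
config vpn ipsec phase1-interface
    edit "to-branch"
        set remote-gw 198.51.100.20
    next
end

# 4. Verify that IKE now targets the new peer and that phase2 SAs come back
#    once the far end is reachable on its new address.
diagnose vpn ike gateway list name to-branch
diagnose vpn tunnel list name to-branch
get vpn ipsec tunnel summary
```

Two caveats worth checking before committing step 3: the far-end FortiGate must actually be answering IKE on the new WAN address (if its phase1 pins `set local-gw` to the old address, that has to be updated as well), and the pre-shared key or certificate and any peer ID settings are unchanged by this edit, so an authentication mismatch after the change points at the far end, not at the `remote-gw` value. Expect a short outage between the commit and the first successful re-negotiation; the tunnel summary and `diagnose vpn ike gateway list` output will show whether the new peer address is negotiating or simply timing out.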