spoojary
Staff
Article Id 379616
Description This article describes how to handle an issue where, after the configuration has been migrated from one FortiGate to a different model with FortiConverter, IPsec tunnels (site-to-site or dial-up) do not establish.
Scope FortiGate, FortiConverter.
Solution

After the configuration is migrated, the site-to-site IPsec tunnel status shows as 'down', and dial-up connections do not work either.

 

When the IPsec tunnel configuration was checked, the pre-shared key was found to be missing after the migration, although the tunnels had been up on the old FortiGate. In the GUI it was shown like this:

[Screenshot: the migrated tunnel's pre-shared key field is empty in the GUI.]


If the pre-shared key is not known and the remote side is not available at the moment, check the configuration of the old FortiGate (as it was before the migration) via the CLI and look for:

 

config vpn ipsec phase1-interface
    edit <tunnel_name>
        set psksecret ENC <encrypted_psk>
    next
end

 

Copy the <encrypted_psk>, open the CLI on the current FortiGate, and paste it using the commands above. After that, the tunnels should come up.

 

For dial-up users, the pre-shared key is added in the same way as for site-to-site, but the connection still fails.

The reason is that the local users' passwords are not migrated either, so dial-up authentication fails.

 

The password can be added to the users the same way the pre-shared key was added to the IPsec tunnel: take the following configuration from the old FortiGate and paste it on the new FortiGate, or copy only the encrypted password and paste it on the new FortiGate under the user's 'config user local' entry after 'set passwd ENC'.

 

config user local
    edit "test"
        set type password
        set passwd ENC <encrypted_passwd>
    next
end
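When many tunnels and users are affected, the copy-and-paste steps above can be scripted. The following is an added example (not Fortinet's or FortiConverter's code) that reads a backup of the old FortiGate in the text format shown above, picks out only the 'ENC' values of 'psksecret' and 'passwd', and prints the CLI blocks to paste on the new unit; the backup excerpt and the ENC values in it are constructed placeholders.

```python
import re

# Constructed excerpt of the OLD unit's backup; ENC values are placeholders, not secrets.
OLD_CONFIG = """\
config vpn ipsec phase1-interface
    edit "HQ-to-Branch"
        set psksecret ENC AAAAexampleblob1==
    next
end
config user local
    edit "test"
        set type password
        set passwd ENC BBBBexampleblob3==
    next
end
"""

# Section -> the key whose ENC value does not survive the migration.
SECTIONS = {"vpn ipsec phase1-interface": "psksecret", "user local": "passwd"}

def extract_enc_secrets(config_text):
    """Return {section: {entry: blob}}; only 'set <key> ENC ...' lines match,
    so a plaintext secret in the backup is never copied by mistake."""
    found = {s: {} for s in SECTIONS}
    section = entry = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section = line[7:]
        elif line.startswith("edit ") and section in SECTIONS:
            entry = line[5:].strip('"')
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
        elif section in SECTIONS and entry:
            m = re.fullmatch(rf"set {SECTIONS[section]} ENC (\S+)", line)
            if m:
                found[section][entry] = m.group(1)
    return found

def build_cli_snippet(config_text):
    """Render the recovered blobs as FortiOS CLI blocks, one per entry, ready to paste."""
    out = []
    for section, entries in extract_enc_secrets(config_text).items():
        for name, blob in entries.items():
            out += [f"config {section}", f'    edit "{name}"',
                    f"        set {SECTIONS[section]} ENC {blob}", "    next", "end"]
    return "\n".join(out)

CLI_SNIPPET = build_cli_snippet(OLD_CONFIG)  # text to paste into the new unit's CLI
```

Only entries that carry an ENC value are emitted, so the output can be pasted as-is without touching any other setting of the tunnel or user.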

 
