Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Nate_Morningstar
New Contributor

Transferring or pre-planning for IPsec rollover for new machine

As part of an upcoming project, my manager and I are planning to remove an old 300C and put in two 100Fs in an HA A-A cluster. However, one of the issues with this is that the 300C is part of an IPsec tunnel that allows us to reach another FortiGate device. One idea that I had was pre-creating another IPsec tunnel prior to device cut-over so that we can maintain contact with the remote FortiGate device, then cut over the remote and local FortiGate devices before wrapping up the project. We are using FortiConverter to configure the 300C config file for the 100Cs, but we both accept that the IPsec tunnels won't work because of the machine binding with the shared key. If anyone has ever done something like this or could offer any advice, that would be great.

sw2090
Honored Contributor

Hm, I replaced several FGTs with IPsec tunnels with new ones.

I just upgraded both FGTs to the same firmware version and then transferred the config over.

Worked fine. IPSec was just gone for the couple of minutes needed to replace and boot up the new FGT.

 

I am just not sure what happens if the old FGT is still running and the new one is up and running too.

Dial-up IPsec tunnels support concurrent logins, but I can't say anything about p2p tunnels.

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

emnoc
Esteemed Contributor III

Not sure what area is confusing, but if you're worried about the PSK, just rekey the VPN tunnel with a new key, use that in the migration, and point the tunnel at the new FGT cluster's WAN public IP.

 

As far as migration goes, if you have a wide WAN public space, you could stack the new HA cluster and build physical links between it and the 300C (if you have spare ports on the 300C, or use a sub-VLAN interface), and then walk networks over from the old 300C to the new FGTs once routing is in play.

 

But just how big are your internal LANs and how many policies (20, 50, 100 or 2000+)? If it's a small environment I would not waste that much time; just set a 1-2 hour window, move everything over in one single shot and take a short outage.

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

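As an added example (editor's illustration, not configuration from the thread or from Fortinet), here is what emnoc's suggestion looks like in FortiOS CLI: a route-based (interface mode) site-to-site tunnel on the new 100F cluster with a freshly generated PSK, and the matching change on the remote FortiGate so that it dials the new cluster's WAN address with the same new key. Interface names, addresses, subnets, tunnel names and the placeholder PSK are all assumptions; the IKE version, proposal and DH group are the editor's choices and must match whatever the remote side's existing phase1 already uses.

```fortios
# --- New 100F HA A-A cluster (local side) ---
# Assumed placeholders: WAN interface "wan1", cluster WAN address
# 198.51.100.20, remote peer 203.0.113.10, local LAN 10.1.0.0/16 on
# "internal", remote LAN 10.2.0.0/16. Built fresh rather than carried
# over from the 300C config.
config vpn ipsec phase1-interface
    edit "to-remote-fgt"
        set interface "wan1"
        set ike-version 2
        set peertype any
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 203.0.113.10
        # New key generated for the migration; do not reuse the 300C's key
        set psksecret REPLACE-WITH-NEWLY-GENERATED-PSK
    next
end
config vpn ipsec phase2-interface
    edit "to-remote-fgt-p2"
        set phase1name "to-remote-fgt"
        set proposal aes256-sha256
        set dhgrp 14
        set src-subnet 10.1.0.0 255.255.0.0
        set dst-subnet 10.2.0.0 255.255.0.0
    next
end
# Send traffic for the remote LAN into the tunnel interface
config router static
    edit 0
        set dst 10.2.0.0 255.255.0.0
        set device "to-remote-fgt"
    next
end
# Policies in both directions across the tunnel interface
config firewall policy
    edit 0
        set name "lan-to-remote"
        set srcintf "internal"
        set dstintf "to-remote-fgt"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 0
        set name "remote-to-lan"
        set srcintf "to-remote-fgt"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# --- Remote FortiGate, at cut-over ---
# Only the peer address and the key change. The existing phase2, static
# route and policies reference the phase1 by name and stay untouched.
config vpn ipsec phase1-interface
    edit "to-main-site"
        set remote-gw 198.51.100.20
        set psksecret REPLACE-WITH-NEWLY-GENERATED-PSK
    next
end

# --- Verify on either side after cut-over ---
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

The PSK is only a string in the configuration; what ties the tunnel to a particular box is the address the peer dials, which is why the remote side's `remote-gw` is the change that actually moves the tunnel, and rotating the key at the same moment means the old 300C can never bring the tunnel up again even if it is left powered on. On the cluster side the tunnel is terminated by the primary unit on the interface address that the cluster shares, so the peer keeps dialling the same WAN IP across a failover. If the remote side does not renegotiate promptly after the change, `diagnose vpn ike gateway clear name to-main-site` on the remote FortiGate forces a fresh IKE exchange.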