As part of a upcoming project, my manager and I are planning to remove a old 300C and put in two 100F's in a HA A-A cluster. However, one of the issues with this is that the 300C is part of a IPSEC tunnel that allows us to reach to another FortiGate Device. One Idea that I had was was pre-creating another IPSEC tunnel prior to device cut-over so that we can maintain contact with the remote FortiGate Device, then cut over the remote and local FortiGate device before wrapping up the project. We are using FortiConverter to configure the 300C config file for the 100C's, but we both accept the the IPSEC tunnels won't work because of the machine binding with the shared key. If anyone has ever done something like this or could offer any advise, that would be great.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hm I replaced several FGT with IPSec tunnels by new ones.
Ijust upgraded both FGt to the same Firmware version and then transferred the config over.
Worked fine. IPSec was just gone for the couple of minutes needed to replace and boot up the new FGT.
Just I am not sure what happens if the old FGT is still running and the new one is up and running too?
Dial UP IPsecs support conurrent logins but I can't say anything about p2p tunnels.
--
"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
Not sure of what area that is confusing, but if your worried about the PSK , just rekey the vpn tunnel with a new key and use that in the migration and point the tunnel at the new FGT cluster wan public ip.
As far as migration if you have a wide WAN public space, you could stack the new HA cluster and build a physical links between it and the 300C & if you had spare ports on the 300C or use a sub-vlan interface and then could walk networks over from the old 300C to the new FGTs once routing was in play.
But just how big is your internal LANs and how many policies ( 20 50 100 or 2000+ ) ? If it's a small env I would not waste that much time, and just set a 1-2 hour window and move over all in one single shot and take a short outage.
Ken Felix
PCNSE
NSE
StrongSwan
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.