Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnlloyd_13
Contributor II

Created on ‎03-31-2025 08:23 PM

Update/Change VPN Tunnel Peer ID

hi,

i have a remote FW that i need to change to a new WAN public IP.

it currently has a ipsec VPN established using the old public/peer IP.

my question, can i change/update the remote IP address on the fly?

i checked it currently has a reference to the ipsec phase 2 tunnel config.

 

image.png

 

image.png

Labels:
858
0 Kudos
7 REPLIES 7
Toshi_Esumi
SuperUser
SuperUser

Created on ‎03-31-2025 08:47 PM

Is it from the same ISP on the same circuit? And both IPs/subnets are active on the ISP end?
If so, the ISP set the new subnet as the secondary IP on their end. Then you can do the same on your FGT to establish the tunnel on the new/secondary IP. Then eventually when it's safe, you can swap primary/secondary IPs, or just let the secondary override the primary IP.

Toshi

847
johnlloyd_13
Contributor II
In response to Toshi_Esumi

Created on ‎03-31-2025 10:18 PM

hi,

same ISP, but instead of the public LAN range i'll use the WAN public IP instead.

823
0 Kudos
dingjerry_FTNT
Staff
Staff

Created on ‎03-31-2025 10:07 PM

Hi @johnlloyd_13 ,

 

The phase2 is referencing the name of the phase1, not the remote IP.  So you can change the remote IP on the fly, either in GUI or in CLI..

Regards,

Jerry
835
dingjerry_FTNT
Staff
Staff

Created on ‎03-31-2025 10:09 PM

Actually, in the past, when I had issues bringing down the tunnel, I usually changed the remote IP in phase1, once down, I changed it back to bring it up again.

Regards,

Jerry
831
johnlloyd_13
Contributor II
In response to dingjerry_FTNT

Created on ‎03-31-2025 10:20 PM

hi,

thanks for the reply!

do i need to manually bring down the phase 1 VPN tunnel first before i change the remote peer IP in the VPN tunnel/phase 1 setting? then bring it up once new IP is applied?

 

820
0 Kudos
Toshi_Esumi
SuperUser
SuperUser
In response to johnlloyd_13

Created on ‎03-31-2025 10:53 PM

@dingjerry_FTNTis saying he once used "changing remote IP in phase1" to "bring down the tunnel". You can just change the remote IP/remote-gw in phase1 config. FGT automatically flushes the existing tunnel when anything changed in the config.

Toshi

775
dingjerry_FTNT
Staff
Staff
In response to johnlloyd_13

Created on ‎04-01-2025 07:26 AM

Hi @johnlloyd_13 ,

 

No. In my case, I was troubleshooting with the original remote IP.

 

So what I meant is, you can change the remote IP directly.

Regards,

Jerry
756
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.