We want to move from IKE v1 to IKE v2 on our Fortigate 100F. If we change the tunnel config on the firewall, and then make the Forticlient EMS tunnel match in version, will we need to reinstall Forticlients/profiles, or will this be a process transparent to end users if performed after hours?
Would love to know what we're in for. Thanks!
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Certainly, your plan to create a second tunnel for testing purposes while transitioning from IKEv1 to IKEv2 is a practical approach and aligns well with best practices. Here's how you can address the points you mentioned:
### 1. Creating a Second Tunnel (DU2) with IKEv2
- **Set up a second IPsec dial-up (DU) tunnel on your FortiGate 100F with IKEv2**. This will allow you to test the new configuration without affecting your existing production VPN connections.
- **Configure a new EMS profile to match the IKEv2 settings**. You'll need to create a corresponding EMS profile with the IKEv2 settings to match the new tunnel.
- **Test with a subset of users or in a lab environment**. By having some users or test systems connect using the new tunnel and EMS profile, you can validate that everything is working as expected.
This setup allows you to keep the existing IKEv1 tunnel operational while you test and gradually transition to IKEv2.
### 2. Multiple Users on a Single Dial-Up Tunnel
- **Common Practice**: Having all users on the same dial-up tunnel is indeed a common practice, especially in small to medium-sized environments. It simplifies management and is often sufficient for the needs of the organization.
- **Challenges and Troubleshooting**: However, if you are experiencing connection drops, it's worth investigating further. The transition to IKEv2 may help, as it's generally more stable and efficient than IKEv1. But there could be other factors at play, such as bandwidth constraints, firewall policies, or underlying network issues.
### 3. Additional Steps for Troubleshooting Connection Drops
- **Monitor Logs and VPN Statistics**: FortiGate provides detailed logs and statistics that can help you identify the root cause of the connection drops.
- **Check Bandwidth and Resource Utilization**: If the VPN server is overloaded, it could lead to connection issues. Monitor the resource utilization on the FortiGate device.
- **Evaluate Security Policies and Configuration**: Misconfiguration or overly restrictive policies could also lead to connection issues. Review the configuration for any anomalies.
- **Consider Fortinet Support**: If the issue persists, Fortinet's technical support may be able to assist in diagnosing the problem.
### Conclusion
Your approach to creating a second tunnel for testing IKEv2 while keeping the existing IKEv1 tunnel operational is sound and should allow for a smooth transition. The investigation into the connection drops may require a multifaceted approach, considering various potential causes. Transitioning to IKEv2 is a positive step and may resolve the issue, but don't hesitate to leverage Fortinet's support resources if needed.
A good practice can be, configure a new IKEv2 user-based VPN, and deploy this new tunnel configuration in your EMS, once you have synced and validated all your end-points with this new configuration, you can delete old VPN.
Hello
Please refer to this link
Thanks & Regards
Mayank Sharma
Thanks for the link. I have that documentation. What I'm specifically concerned about is what breaks for the VPN users when I modify the Fortigate VPN and the EMS tunnel - will it require new profile deployments to each user, or will the change be transparent to the end user?
You can also try to understand IKEv1 and IKEv2 by below document.
Thanks. I understand the difference. What I'm specifically concerned about is what breaks for the VPN users when I modify the Fortigate VPN and the EMS tunnel - will it require new profile deployments to each user, or will the change be transparent to the end user?
Knowing you want to make a change is one thing. Knowing the impact it will have on 24/7 production is another.
The transition from IKEv1 to IKEv2 in a VPN environment, such as on a FortiGate 100F, is typically a significant change that can bring several improvements, including better security, performance, and stability. However, the impact of this change on your FortiClient EMS and the end-users will depend on the specific configuration and how the change is implemented.
Here's an overview of what you might expect:
### 1. Compatibility
Ensure that both the FortiGate device and the FortiClients support IKEv2. As of my knowledge cut-off in Aug. 2023, both should be compatible with IKEv2, but it's always wise to check the specific versions you're using.
### 2. Configuration Changes
You'll need to update the VPN configurations on both the FortiGate device and the FortiClient EMS to use IKEv2. This should include changes to the phase 1 and phase 2 settings, and possibly other parameters.
### 3. Impact on Existing Connections
Existing VPN connections using IKEv1 will likely be disconnected when the changes are made. This is why performing the update after hours, as you mentioned, would be a good strategy to minimize disruption.
### 4. Impact on FortiClient Profiles
The need to reinstall FortiClients or profiles will depend on how the changes are managed within your FortiClient EMS. If the EMS allows for updating the IKE version without changing other aspects of the profile, then you may be able to make the change transparently. The EMS should propagate the change to the clients without requiring a full reinstall.
### 5. Testing
It's highly recommended to test the IKEv2 configuration in a lab or with a subset of users before rolling it out to everyone. This can help you identify any potential issues or additional steps that might be needed for your specific environment.
### 6. Communication
Consider communicating the change to end-users, especially if there might be any noticeable impact, such as a brief disconnection. Clear communication can help avoid confusion and support calls.
### 7. Monitoring
After making the change, monitor the VPN connections to ensure that they are functioning correctly with IKEv2. Look for any unexpected behavior or issues that might need to be addressed.
### Conclusion
In general, moving from IKEv1 to IKEv2 should be manageable without reinstalling FortiClients or profiles, provided the configuration is handled carefully. However, every environment is unique, so it would be wise to consult with Fortinet support or a network security expert familiar with your specific setup to ensure a smooth transition.
This was great, Thank You Christian_89. Points 4 and 5 are the challenge. On our FORTIGATE 100F, we currently have 1 IPSEC DU tunnel for all production VPN connections. That tunnel is set to IKEv1. Could we create a 2nd tunnel to coexist as a lab environment, setting DU2 to have IKEv2? From what we have learned, the firewall VPN service sets the IKE standard, and then the EMS profile settings have to match. So, we have to change both the firewall tunnel settings and the EMS profile settings to specify a matching IKE version.
Additionally, is it common practice to have all 75 VPN users on the same dialup tunnel? The reason we're making this IKE change is in an attempt to figure out why groups of our VPN connections are dropping all at once, and if not at once, still dropping several times a day.
Certainly, your plan to create a second tunnel for testing purposes while transitioning from IKEv1 to IKEv2 is a practical approach and aligns well with best practices. Here's how you can address the points you mentioned:
### 1. Creating a Second Tunnel (DU2) with IKEv2
- **Set up a second IPsec dial-up (DU) tunnel on your FortiGate 100F with IKEv2**. This will allow you to test the new configuration without affecting your existing production VPN connections.
- **Configure a new EMS profile to match the IKEv2 settings**. You'll need to create a corresponding EMS profile with the IKEv2 settings to match the new tunnel.
- **Test with a subset of users or in a lab environment**. By having some users or test systems connect using the new tunnel and EMS profile, you can validate that everything is working as expected.
This setup allows you to keep the existing IKEv1 tunnel operational while you test and gradually transition to IKEv2.
### 2. Multiple Users on a Single Dial-Up Tunnel
- **Common Practice**: Having all users on the same dial-up tunnel is indeed a common practice, especially in small to medium-sized environments. It simplifies management and is often sufficient for the needs of the organization.
- **Challenges and Troubleshooting**: However, if you are experiencing connection drops, it's worth investigating further. The transition to IKEv2 may help, as it's generally more stable and efficient than IKEv1. But there could be other factors at play, such as bandwidth constraints, firewall policies, or underlying network issues.
### 3. Additional Steps for Troubleshooting Connection Drops
- **Monitor Logs and VPN Statistics**: FortiGate provides detailed logs and statistics that can help you identify the root cause of the connection drops.
- **Check Bandwidth and Resource Utilization**: If the VPN server is overloaded, it could lead to connection issues. Monitor the resource utilization on the FortiGate device.
- **Evaluate Security Policies and Configuration**: Misconfiguration or overly restrictive policies could also lead to connection issues. Review the configuration for any anomalies.
- **Consider Fortinet Support**: If the issue persists, Fortinet's technical support may be able to assist in diagnosing the problem.
### Conclusion
Your approach to creating a second tunnel for testing IKEv2 while keeping the existing IKEv1 tunnel operational is sound and should allow for a smooth transition. The investigation into the connection drops may require a multifaceted approach, considering various potential causes. Transitioning to IKEv2 is a positive step and may resolve the issue, but don't hesitate to leverage Fortinet's support resources if needed.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1702 | |
1092 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.