
What's the Impact of Changing IKE Versions?

We want to move from IKE v1 to IKE v2 on our FortiGate 100F. If we change the tunnel config on the firewall, and then make the FortiClient EMS tunnel match in version, will we need to reinstall FortiClients/profiles, or will this be a process transparent to end users if performed after hours?


Would love to know what we're in for.  Thanks!

1 Solution

Certainly, your plan to create a second tunnel for testing purposes while transitioning from IKEv1 to IKEv2 is a practical approach and aligns well with best practices. Here's how you can address the points you mentioned:

### 1. Creating a Second Tunnel (DU2) with IKEv2
- **Set up a second IPsec dial-up (DU) tunnel on your FortiGate 100F with IKEv2**. This will allow you to test the new configuration without affecting your existing production VPN connections.
- **Configure a new EMS profile to match the IKEv2 settings**. You'll need to create a corresponding EMS profile with the IKEv2 settings to match the new tunnel.
- **Test with a subset of users or in a lab environment**. By having some users or test systems connect using the new tunnel and EMS profile, you can validate that everything is working as expected.

This setup allows you to keep the existing IKEv1 tunnel operational while you test and gradually transition to IKEv2.

### 2. Multiple Users on a Single Dial-Up Tunnel
- **Common Practice**: Having all users on the same dial-up tunnel is indeed a common practice, especially in small to medium-sized environments. It simplifies management and is often sufficient for the needs of the organization.
- **Challenges and Troubleshooting**: However, if you are experiencing connection drops, it's worth investigating further. The transition to IKEv2 may help, as it's generally more stable and efficient than IKEv1. But there could be other factors at play, such as bandwidth constraints, firewall policies, or underlying network issues.

### 3. Additional Steps for Troubleshooting Connection Drops
- **Monitor Logs and VPN Statistics**: FortiGate provides detailed logs and statistics that can help you identify the root cause of the connection drops.
- **Check Bandwidth and Resource Utilization**: If the VPN server is overloaded, it could lead to connection issues. Monitor the resource utilization on the FortiGate device.
- **Evaluate Security Policies and Configuration**: Misconfiguration or overly restrictive policies could also lead to connection issues. Review the configuration for any anomalies.
- **Consider Fortinet Support**: If the issue persists, Fortinet's technical support may be able to assist in diagnosing the problem.

### Conclusion
Your approach to creating a second tunnel for testing IKEv2 while keeping the existing IKEv1 tunnel operational is sound and should allow for a smooth transition. The investigation into the connection drops may require a multifaceted approach, considering various potential causes. Transitioning to IKEv2 is a positive step and may resolve the issue, but don't hesitate to leverage Fortinet's support resources if needed.



This was really fantastic.  Cannot thank you enough.
