Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nikolaj
New Contributor

Created on ‎05-19-2017 01:36 AM

changes in VPN phase II

If I need to make a change in the VPN phase II, this change must be execute at the same time at both ends of the vpn tunnel otherwise the tunnel go down?

 

6650
0 Kudos
2 Solutions
ede_pfau
SuperUser
SuperUser

Created on ‎05-19-2017 03:39 AM

That depends.

 

If, for example, you add another encryption/MAC pair to the existing one, traffic will continue to flow. If you change the key lifetime the shorter of both will be negotiated and traffic continues.

Usually, you make the changes on the remote side, see the tunnel down or not, and make the changes on the local side. Or, to play safe, enable HTTPS or SSH access on the WAN port of the remote FGT temporarily.

Ede Kernel panic: Aiee, killing interrupt handler!

View solution in original post

Ede Kernel panic: Aiee, killing interrupt handler!
3809
0 Kudos
MikePruett
Valued Contributor
In response to nikolaj

Created on ‎05-19-2017 07:55 AM

yeah, just setup the new phase 2 for that tunnel on the local side and then setup the mirror image of it on the remote side. then that phase 2 should become active and you can have that traffic flow as well.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

View solution in original post

Mike Pruett Fortinet GURU | Fortinet Training Videos
3809
0 Kudos
7 REPLIES 7
ede_pfau
SuperUser
SuperUser

Created on ‎05-19-2017 03:39 AM

That depends.

 

If, for example, you add another encryption/MAC pair to the existing one, traffic will continue to flow. If you change the key lifetime the shorter of both will be negotiated and traffic continues.

Usually, you make the changes on the remote side, see the tunnel down or not, and make the changes on the local side. Or, to play safe, enable HTTPS or SSH access on the WAN port of the remote FGT temporarily.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
3810
0 Kudos
nikolaj
New Contributor
In response to ede_pfau

Created on ‎05-19-2017 04:49 AM

In particular I need to add new subnets in the Remote section of Phase II VPN.

Does this operation need to be accomplished at the same time at both ends of the tunnel?

 

3764
0 Kudos
rwpatterson
Valued Contributor III
In response to nikolaj

Created on ‎05-19-2017 06:02 AM

This should be independent of the operating subnets. No downtime should occur because your are not mucking with the already established tunnels.

 

I just reread what you typed. What do you mean by "the remote section of the phase II VPNs"?

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3764
0 Kudos
nikolaj
New Contributor
In response to nikolaj

Created on ‎05-19-2017 06:28 AM

In IPsec SA (Phase II) | Traffic to be encrypted | Local | Remote

I have to add new subnets in the 'Remote' column.

3764
0 Kudos
rwpatterson
Valued Contributor III
In response to nikolaj

Created on ‎05-19-2017 06:49 AM

If you are truly adding and not expanding upon the existing, then you are fine.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

Bob - self proclaimed posting junkie!See my Fortigate related scripts at: http://fortigate.camerabob.com
3764
0 Kudos
nikolaj
New Contributor
In response to nikolaj

Created on ‎05-19-2017 06:54 AM

Yes, I only add new subnets.

So can I do this change in two times, local and remote?

3764
0 Kudos
MikePruett
Valued Contributor
In response to nikolaj

Created on ‎05-19-2017 07:55 AM

yeah, just setup the new phase 2 for that tunnel on the local side and then setup the mirror image of it on the remote side. then that phase 2 should become active and you can have that traffic flow as well.

Mike Pruett

Fortinet GURU | Fortinet Training Videos

Mike Pruett Fortinet GURU | Fortinet Training Videos
3810
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.