PCNSE
NSE
StrongSwan
hrbsupport wrote:
Alternatively, is it possible to migrate users on a more phased basis, e.g. set up a new IPsec VPN with a new pre-shared key and have that running in parallel with the existing IPsec VPN?
I know this is a reply to an old thread. However, I thought I'd make a suggestion.
Basically, it is possible to use more than one pre-shared key on the same phase1 configuration. Here is the relevant (but incomplete) config bits:
config vpn ipsec phase1-interface
    edit "tunnelname"
        set type dynamic
        set peertype dialup
        set usrgrp "IPsec-PSKs"
    next
end
The pre-shared key is not specified in the phase1 configuration. Instead, each key is represented by a local user. The client indicates which name/password (key) to use by entering the username as the localID, or by leaving the localID blank and instead defining only a pre-shared key in the form of [username]+[key/password] as one long string. (This technique can be found in the FortiOS Handbook under the section "Enabling VPN access with user accounts and pre-shared keys".) Note that aggressive mode is required when using localIDs and there is more than one dynamic/dialup phase1 configuration (see "Choosing main mode or aggressive mode" in the FortiOS Handbook).
You can (and perhaps should) still use Xauth with a unique account for each user.
You can then manually distribute the new pre-shared key while keeping the old one alive. If you're managing FortiClient from a FortiGate, you can "push" the changes, although this wouldn't be fool-proof if some clients are not receiving updates in a timely manner.
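A complete version of the configuration the reply above sketches, added here as an example and not taken from the original post or from Fortinet documentation: two local "PSK users" (one per key) are placed in the group the phase1 references, so the old and new keys are both accepted during a phased migration. The user names, passwords, the WAN interface name, the proposals and the DH group are assumptions chosen for illustration; the `#` lines are comments for the reader and are not part of the technique.

```fortios
# Added example (not from the original post). One local user per pre-shared key:
# the user name is what the client sends as its localID, and the password is
# the key itself. Passwords here are placeholders.
config user local
    edit "psk-old"
        set type password
        set passwd "OLD-PSK-PLACEHOLDER"
    next
    edit "psk-new"
        set type password
        set passwd "NEW-PSK-PLACEHOLDER"
    next
end

# Both keys live in the same group while clients are migrated. Once every
# client has moved to "psk-new", remove "psk-old" from the group to retire
# the old key.
config user group
    edit "IPsec-PSKs"
        set member "psk-old" "psk-new"
    next
end

# Dialup phase1 with no "set psksecret": the peer's key is looked up via
# the user group. Aggressive mode is needed so the localID is sent and can be
# matched against a user name. Interface, proposal and DH group are assumed.
config vpn ipsec phase1-interface
    edit "tunnelname"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        set mode aggressive
        set peertype dialup
        set usrgrp "IPsec-PSKs"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

config vpn ipsec phase2-interface
    edit "tunnelname-p2"
        set phase1name "tunnelname"
        set proposal aes256-sha256
    next
end
```

On the client side, a user still on the old key keeps localID `psk-old` with the old pre-shared key, while migrated users set localID `psk-new` with the new one (or, as the post notes, leave the localID empty and use `[username]+[key]` as the single PSK string). Because both keys are valid until `psk-old` is removed from the group, clients that miss the pushed update keep working instead of being locked out.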