				PCNSE
NSE
StrongSwan
hrbsupport wrote:
Alternatively, is it possible to migrate users on a more phased basis, e.g. set up a new IPsec VPN with a new pre-shared key and have that running in parallel with the existing IPsec VPN?
I know this is a reply to an old thread. However, I thought I'd make a suggestion.
Basically, it is possible to use more than one pre-shared key on the same phase1 configuration. Here are the relevant (but incomplete) config bits:
config vpn ipsec phase1-interface
    edit "tunnelname"
        set type dynamic
        set peertype dialup
        set usrgrp "IPsec-PSKs"
    next
end
The pre-shared key is not specified in the phase1 configuration. Instead, each key is represented by a local user. The client indicates which name/password (key) to use either by entering the username as the local ID, or by leaving the local ID blank and instead defining only a pre-shared key in the form [username]+[key/password] as one long string. (This technique can be found in the FortiOS Handbook under the section "Enabling VPN access with user accounts and pre-shared keys".) Note that aggressive mode is required when using local IDs and there is more than one dynamic/dialup phase1 configuration (see "Choosing main mode or aggressive mode" in the FortiOS Handbook).
You can (and perhaps should) still use Xauth with a unique account for each user.
You can then manually distribute the new pre-shared key while keeping the old one alive. If you're managing Forticlient from a Fortigate, you can "push" the changes although this wouldn't be fool-proof if some clients are not receiving updates in a timely manner.
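As an added illustration of the phased rotation described in the post above (this is example configuration written for this page, not the poster's own config or text from the FortiOS Handbook), here is a fuller version of the same idea: two local users, each standing in for one pre-shared key, a user group that the dialup phase1 references instead of a psksecret, aggressive mode so the client's local ID selects the key, and XAuth on top with a separate per-person group. The interface name "wan1", the user and group names, the passwords, the proposal and the DH group are all assumptions chosen for the example.

```fortios
# Example only: each local user represents one pre-shared key.
# "psk-old" is the key currently in the field, "psk-new" is the
# replacement being rolled out. Passwords and names are placeholders.
config user local
    edit "psk-old"
        set type password
        set passwd "OldSharedSecret-ReplaceMe"
    next
    edit "psk-new"
        set type password
        set passwd "NewSharedSecret-ReplaceMe"
    next
end

# Both keys are live while clients migrate. Dropping "psk-old" from
# the member list (or deleting the user) retires the old key.
config user group
    edit "IPsec-PSKs"
        set member "psk-old" "psk-new"
    next
end

# Per-person XAuth accounts (assumed group name) so the PSK only
# identifies the rollout wave, not the individual user.
config user group
    edit "VPN-Users"
        set member "alice" "bob"
    next
end

config vpn ipsec phase1-interface
    edit "dialup-psk"
        set type dynamic
        set interface "wan1"
        set ike-version 1
        # Aggressive mode: the client's local ID is sent in the first
        # exchange, which is what lets the FortiGate pick the matching
        # user/key when several dialup phase1s (or keys) exist.
        set mode aggressive
        set peertype dialup
        # No "set psksecret" here: the key comes from the user group.
        set usrgrp "IPsec-PSKs"
        set proposal aes256-sha256
        set dhgrp 14
        # XAuth with a distinct group of individual accounts.
        set xauthtype auto
        set authusrgrp "VPN-Users"
    next
end

config vpn ipsec phase2-interface
    edit "dialup-psk-p2"
        set phase1name "dialup-psk"
        set proposal aes256-sha256
        set dhgrp 14
    next
end

# Client side (FortiClient or any IKEv1 aggressive-mode client), as
# described in the post. Either:
#   Local ID      = psk-new
#   Pre-shared key = NewSharedSecret-ReplaceMe
# or, with the local ID left blank:
#   Pre-shared key = psk-newNewSharedSecret-ReplaceMe
# Clients still on the old key keep working until "psk-old" is removed.
```

Because the group membership is the switch, the cut-over is a single `set member "psk-new"` once the last client has moved; the old password never has to be changed in place, and the phase1 itself is untouched throughout.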
The next best thing would be cert + XAuth, where you manage the cert expiration for control. A lot of gov depts that I work for as a remote engineer do just that.

It's simple, and the dept head you're working with controls the issuance of the certificate requests. They manage their own signer and sign certificates off their org signing certificate or delegated signers, based on the role and requirement. They still have XAuth, btw.
Copyright 2025 Fortinet, Inc. All Rights Reserved.