Is there a simple way to update the pre shared key for multiple end users (that are using the free forticlient) ? alternatively is it possible migrate users in a more phased basis ---- eg set up a new IPsec vpn with a new preshared key and have that running in parallel with the existing IPsec vpn ? thanks for any advice.

Never done that, typically I ' ve used the cisco vpnclient and craft the cfg file and deliver it to all depts , & with a statement of; by next monday pleas use new profile. You can do the same with the forticlient also. Also you could craft a 2nd dialup vpn, but you probably have to clone the new one and assign new ranges and give them access to the same resources. That would be more work, but would give you a way to walk and migrated from one profile to another and then sat a date for termination. FWIW: Ideally you want to be using xauth for remote-authentication. So the PSK is just one of the many things required. Than you we set expirations and password-life-cycles for the users. Nobody in a big enterprise env uses a remote-vpn with just a share PSK alone for authentication imho. Think about it and you see why; e.g a large ItT dept supporting mobile-devices, wireless clients, remote-office-workers, remote-vendors, etc..... Changing a PSK and distributing this could be a very large challenge. And if you had only a PSK, any compromised would be hard to defeat and without xauth, you have no ideal of who is logged in Next best thing would be, Cert+xauth and you manage the cert expiration for control. A lot gov depts that I work for as remote engineer does just that. It simple and the dept head your working with, controls the issuance of the certification requests. They manage their on signer and sign certifications off their org-signing-certification or delegated signers, base on the role and requirement. They still have xauth btw.