changes in VPN phase II

Author
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
2017/05/19 01:36:28 (permalink)
0

changes in VPN phase II

If I need to make a change in the VPN phase II, must this change be executed at the same time at both ends of the VPN tunnel, otherwise the tunnel goes down?
 
#1
ede_pfau
Expert Member
  • Total Posts : 5255
  • Scores: 334
  • Reward points: 0
  • Joined: 2004/03/09 01:20:18
  • Location: Heidelberg, Germany
  • Status: offline
Re: changes in VPN phase II 2017/05/19 03:39:01 (permalink) (marked Helpful by nikolaj 2017/05/19 04:45:37)
0
That depends.
 
If, for example, you add another encryption/MAC pair to the existing one, traffic will continue to flow. If you change the key lifetime, the shorter of the two will be negotiated and traffic continues.
Usually, you make the changes on the remote side, see whether the tunnel goes down or not, and then make the changes on the local side. Or, to play it safe, enable HTTPS or SSH access on the WAN port of the remote FGT temporarily.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
#2
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
Re: changes in VPN phase II 2017/05/19 04:49:45 (permalink)
0
In particular I need to add new subnets in the Remote section of Phase II VPN.
Does this operation need to be accomplished at the same time at both ends of the tunnel?
 
#3
rwpatterson
Expert Member
  • Total Posts : 8040
  • Scores: 157
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: changes in VPN phase II 2017/05/19 06:02:42 (permalink)
0
This should be independent of the operating subnets. No downtime should occur because you are not mucking with the already established tunnels.
 
I just reread what you typed. What do you mean by "the remote section of the phase II VPNs"?
post edited by rwpatterson - 2017/05/19 06:04:21

-Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

-4.3.18-b0689
FGT60B
FWF60B
FWF80CM (2)
FWF81CM
 
#4
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
Re: changes in VPN phase II 2017/05/19 06:28:27 (permalink)
0
In IPsec SA (Phase II) | Traffic to be encrypted | Local | Remote
I have to add new subnets in the 'Remote' column.
#5
rwpatterson
Expert Member
  • Total Posts : 8040
  • Scores: 157
  • Reward points: 0
  • Joined: 2006/08/08 10:08:18
  • Location: Long Island, New York, USA
  • Status: online
Re: changes in VPN phase II 2017/05/19 06:49:16 (permalink)
0
If you are truly adding and not expanding upon the existing, then you are fine.

 
#6
nikolaj
New Member
  • Total Posts : 20
  • Scores: 0
  • Reward points: 0
  • Joined: 2017/02/02 00:12:21
  • Status: offline
Re: changes in VPN phase II 2017/05/19 06:54:54 (permalink)
0
Yes, I only add new subnets.
So can I make this change in two steps, local and then remote?
#7
MikePruett
Platinum Member
  • Total Posts : 672
  • Scores: 13
  • Reward points: 0
  • Joined: 2014/01/08 19:39:40
  • Location: Montgomery, Al
  • Status: offline
Re: changes in VPN phase II 2017/05/19 07:55:23 (permalink) (marked Helpful by nikolaj 2017/05/19 08:13:34)
0
Yeah, just set up the new phase 2 for that tunnel on the local side and then set up the mirror image of it on the remote side. Then that phase 2 should become active and you can have that traffic flow as well.

Mike Pruett
Fortinet GURU
#8
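The "mirror image" approach from the replies above, written out as an added FortiOS CLI example (not from any poster in this thread): the tunnel names, subnets and proposal are constructed, and an interface-mode (route-based) phase 1 named "to-branch" / "to-hq" is assumed to already exist on each side.

```fortios
# HQ side (local). The existing phase1-interface "to-branch" and its
# existing phase 2 selectors are left untouched; only a new selector
# for the additional subnet pair is added, so the established SA stays up.
config vpn ipsec phase2-interface
    edit "to-branch-p2-new"
        set phase1name "to-branch"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set auto-negotiate enable
        set src-subnet 10.10.20.0 255.255.255.0      # constructed: new HQ subnet
        set dst-subnet 192.168.50.0 255.255.255.0    # constructed: new branch subnet
    next
end

# Branch side (remote), configured afterwards. Same proposal, PFS group
# and lifetime; src-subnet and dst-subnet are swapped relative to HQ.
# A mismatch here is the usual reason the new selector never comes up.
config vpn ipsec phase2-interface
    edit "to-hq-p2-new"
        set phase1name "to-hq"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 14
        set keylifeseconds 3600
        set auto-negotiate enable
        set src-subnet 192.168.50.0 255.255.255.0
        set dst-subnet 10.10.20.0 255.255.255.0
    next
end

# Verify on either side that the old selector is still up and the new
# one has negotiated, without resetting the tunnel:
diagnose vpn tunnel list name to-branch
```

On a route-based tunnel the new subnets also need a static route pointing at the tunnel interface and matching firewall policies on both ends before traffic actually flows; neither of those touches the existing phase 2.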