hwdsl2 / setup-ipsec-vpn

Scripts to build your own IPsec VPN server, with IPsec/L2TP, Cisco IPsec and IKEv2

How do I copy existing certs & users to a new machine? #936

Closed gspannu closed 3 years ago

gspannu commented 3 years ago

I wish to transfer my existing installation of a IKEv2 VPN server with many users to a new machine.

I can install on a new machine using the 2 script files (vpnsetup and ike2setup); however how do I transfer the existing certs, keys and users to the new machine?

Thanks...

hwdsl2 commented 3 years ago

@gspannu Hello! IKEv2 related configuration and data such as generated certificates and keys are stored in folder /etc/ipsec.d. You should be able to copy this entire folder to the new machine (with the same permissions), then restart the IPsec service.

In addition, if you are using a DNS name (e.g. vpn.example.com) for IKEv2, no additional action is needed (other than updating DNS records). On the other hand, if you are using the server's IP address for IKEv2, you will need to generate a new server certificate, update ikev2.conf accordingly and restart the IPsec service.
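A migration helper along the lines of this answer, added here as an example and not code from the hwdsl2/setup-ipsec-vpn project. It assumes GNU coreutils (stat -c, sha256sum) and that ikev2.conf carries a leftid= line naming the server identity; the paths are parameters so it can be exercised on any directory tree.

```shell
#!/bin/sh
# Added example (not from hwdsl2/setup-ipsec-vpn): copy /etc/ipsec.d to a new host with
# modes and ownership intact, verify the copy, then check which identity the server
# certificate was issued for before restarting IPsec.
# Assumes GNU coreutils (stat -c, sha256sum) and a leftid= line in ikev2.conf.

# Print "path mode sha256" for every regular file under $1, sorted for comparison.
# Save this output on the old host so the restored tree can be checked against it.
tree_fingerprint() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s %s %s\n' "$f" "$(stat -c %a "$f")" "$(sha256sum < "$f" | cut -d' ' -f1)"
    done )
}

# Old host (run as root): pack $1 (e.g. /etc/ipsec.d) into tarball $2, keeping modes/owners.
backup_ipsec_dir() {
  tar -C "$(dirname "$1")" -cpzf "$2" "$(basename "$1")"
}

# New host (run as root): unpack tarball $1 under parent directory $2 (e.g. /etc).
restore_ipsec_dir() {
  tar -C "$2" -xpzf "$1"
}

# Succeed only if the saved fingerprint file $1 matches the restored tree $2 exactly
# (same files, same modes, same contents). Keys copied with loosened modes fail here.
verify_migration() {
  [ "$(cat "$1")" = "$(tree_fingerprint "$2")" ]
}

# Identity the IKEv2 certificate was issued for (leftid value, leading '@' dropped).
# If this is an IP address and it differs from the new host's address, a new
# server certificate is needed, as the answer above says.
server_id_from_conf() {
  sed -n 's/^[[:space:]]*leftid=@\{0,1\}//p' "$1" | head -n 1
}

# Typical use, old host:  tree_fingerprint /etc/ipsec.d > /root/ipsec.d.fp
#                         backup_ipsec_dir /etc/ipsec.d /root/ipsec.d.tgz   (then scp both)
# New host:               restore_ipsec_dir /root/ipsec.d.tgz /etc
#                         verify_migration /root/ipsec.d.fp /etc/ipsec.d && service ipsec restart
```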

gspannu commented 3 years ago

Thank you for your response. My IKEv2 server uses IP addresses and not a DNS name.

However, my new machine is going to have the same IP address (both private & public); essentially I am replacing the existing machine with a new one, with all network settings being the same. I guess I should not need to generate a new server cert or update ikev2.conf. Will just copying the /etc/ipsec.d/ folder across and restarting the IPsec service be sufficient?

Steps, what I am planning to do...

hwdsl2 commented 3 years ago

@gspannu Yes, I think what you described should work, assuming that you were using IKEv2 mode only, and the iptables rules were not customized after install. Make sure that you keep a backup of your "old" machine, and test the VPN after migration to confirm that it works as intended, in case anything goes wrong unexpectedly.