Skip to main content
Unkown
Unkown
New Member
March 24, 2020
Question

IPSEC Password Too Lon?

  • March 24, 2020
  • 1 reply
  • 6580 views

Hey,

for years, I was always able to take the config from a Fortigate 40/50/60 and to implement it on a new device including all site2site VPN data, so I don't have to reset all VPN phase1 passwords.

 

Today, I got a new 60F and wanted to copy the config from the older 60D to it:

 

config vpn ipsec phase1 edit "whatever" set interface "wan1" set keylife 900 set proposal 3des-sha1 3des-md5 set localid-type address set dpd disable set dhgrp 2 set nattraversal disable set remote-gw 1.1.1.1 set psksecret ENC vvvx5Q2mPYfi7vfBUxq30IFVQhx183v+0E77nmfsdfsdfzARCLziSGN8wTwPioZV7Owt5xmTLBZdjNSuxeaDmFiIZHmtoO+JbdmTIMXGs+adRNuvQyVquvtN5hz1zKTYtQEL/l5e3hCcT3t0KkyuQyTNkU2mkuYLIyJsyS+CeXsdfv

 

This was ALWAYS working (no, it is not my real IP, nor psksecret), but guess what I got now?

 

"Password is too long, max length is 128."

 

So... How do I suppose to change hardware, if I am not able to copy the passwords? There are 8 active VPN and I can't do it live one-by-one. 

      1 reply

      ede_pfau
      SuperUser
      ede_pfau
      SuperUser
      March 24, 2020

      Yes you can.

      There have been fundamental changes in the way VPN PSKs and WiFi PSKs are stored on a FGT. If you followed the upgrade path step-by-step (from which version?) and encounter this error then you will have to create new PSKs and store them afresh. It's not about the length of the plaintext PSK, just the algorithm to encode it has changed.

       

      This is the opportunity to get rid of outdated encryption algorithms as well (3DES? MD5?? really?) and to generate safe, random PSKs of suitable length (say, > 30 chars). Sorry, but.

      Unkown
      UnkownAuthor
      New Member
      March 24, 2020

      That's just a very old setup - The rest of the VPN tunnels were done with the latest wizard (v5.4.0) - So that's just that. 

      I can't follow any upgrade path, as I just have the old Forti without support and the new one.

      So there is no way to "convert" the passwords to the new format?

       

      ede_pfau
      SuperUser
      ede_pfau
      SuperUser
      March 25, 2020

      I'm afraid, no. Just put in a new password.

      BTW, v5.4 is already 'old' - the switch in PSK encryption was between v6.0 and v6.2 IIRC.

       

      You could have a look at the Upgrade Path tool with just one valid support contract, all you need is an account.

      Terms & ConditionsAccessibility statement