FortiGate
kajlasunil
Staff
Article Id 411088
Description

This article describes a scenario in which a VPN pre-shared key (PSK) is configured on a FortiGate device by copying it from another firewall's configuration file, and doing so results in a 'password too long' or 'command failure' error.

Scope: FortiOS.
Solution

While copying the encrypted pre-shared key from another configuration, the following error is observed:

config vpn ipsec phase1-interface
    edit test_vpn
        set psksecret ENC 1XO7F/RuFrR3BIX10IZDO6njcWUlvhwSYb6XXXXXXXXXXXXXXXXX
lsFUTaHjZNtKGFTu1H3hAtTLXgl31j64AoQNEPgDvc/1hfY3mJ+JcvBrY7Gzuf8vCSL0iWA19w/
GS8j7u2QiaRmzO71r51hnv4wSszzhWdzSG7XvsD5lSOLTYELRZ1PzHkBtBbllmMjY3dkVA
node_check_object fail! for psksecret ENC 1XO7F/RuFrR3BIX10IZDO6njcWUlvhwSYb6XXXXXXXXXXXXXXXXX
lsFUTaHjZNtKGFTu1H3hAtTLXgl31j64AoQNEPgDvc/1hfY3mJ+JcvBrY7Gzuf8vCSL0iWA19w/
GS8j7u2QiaRmzO71r51hnv4wSszzhWdzSG7XvsD5lSOLTYELRZ1PzHkBtBbllmMjY3dkVA
value parse error before '1XO7F/RuFrR3BIX10IZDO6njcWUlvhwSYb6M4
Command fail. Return code -204


This error message appears when the configuration file was taken from a unit with Private Data Encryption enabled. The secrets in such a file are encrypted with that unit's master key, so the ENC value is not accepted on a unit that does not share the same key:

Private Data Encryption feature enabled. Passwords and private keys used in certificates on the FortiGate are encrypted using a predefined private key.


To resolve this issue, either:

  1. Configure Private Data Encryption on the new FortiGate using the same 32-digit hexadecimal master encryption password, or
  2. Disable Private Data Encryption on the other unit and re-download the configuration file.
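The two resolutions as FortiOS CLI, given here as an added example and not as part of the original article. The encryption key, the TFTP server address, the backup file name and the exact wording of the interactive prompt are constructed or approximate placeholders, not values from the page.

```fortios
# Option 1, on the NEW FortiGate: enable Private Data Encryption with the
# SAME 32-digit hexadecimal key that the source unit uses. The key is typed
# at an interactive prompt after 'end' and is not stored in the config file.
config system global
    set private-data-encryption enable
end
#   Please type your private data encryption key (32 hexadecimal numbers):
#   00112233445566778899aabbccddeeff      <- constructed placeholder key
#
# Only after this step will the ENC value copied from the source unit parse:
config vpn ipsec phase1-interface
    edit test_vpn
        set psksecret ENC <encrypted value copied from the source config>
    next
end

# Option 2, on the SOURCE FortiGate: disable the feature, then take a fresh
# backup; the new file's secrets are no longer tied to the custom master key.
config system global
    set private-data-encryption disable
end
execute backup config tftp fgt-backup.conf 192.0.2.10
```

With option 1 the two units now share one master key, so that key must be stored and handled with the same care as the PSKs it protects.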


For more details regarding private data encryption, refer to the following article:

Technical Tip: How to enable private-data-encryption feature on a standalone FortiGate