Technical Tip: How restrictive Password Policy can prevent FortiExtender (FEX) setup on the FortiGate

When configuring FortiExtender on the FortiGate, FortiGate automatically creates the IPsec tunnel for FortiExtender.

The IPsec tunnel preshared key FortiGate generates has a predefined length of 16 alphanumeric characters (a-z A-Z 0-9), without special characters.

If there is a Password Policy configured on FortiGate:

GUI: Go to System -> Settings -> Password Policy.

CLI:

config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key

    *

    *
end

This Password Policy is restrictive enough so IPsec FortiExtender preshared key does not meet its requirements, and IPsec will not be created.

The output of the 'diagnose debug cli 8' debug command during the FortiExtender configuration on FortiGate shows the following:

2024-07-11 10:26:18 cmd=config vpn ipsec phase1-interface
edit fext-ipsec-uWC2
set type dynamic
set interface port16
set ike-version 2
set peertype one
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid localid-1ipPW2wcA2PvqCK6YH7rqQjV00NAY3wQV8eoyMNE5ZYveURtSJJMexb
set dpd on-idle
set comments "[FX200F-lanext-default] Do NOT edit. Automatically generated by extension controller."
set peerid peerid-PGyDoUf0fJotTTBQiZgcCpoFrtVuyi0gsCzAKPMkdWN3UTOLueSDoAp7
set psksecret ENC vz7q3INsIuNIMwqIXKTNnhjkIVbLQqzU9aM1U6eRtjJ7CmEDjnDTATQUo3OtaLWspParOlc81hYGwYxOSp8ddY4bGGq5YGtV+6wpxQRsx8P9s
9vfv3+4lGHterk8tIa2nUjMLNNm41zUamE4DPqLRJkelysiNKP/t29XSJ4bya8FGSkBcVlxGWpTSUH6D9shrhoULg==
abort

2024-07-11 10:26:18 -49: end

Error code -49 is:
"-49": "The password must conform to the system password policy.",

If this issue happens, there are two possible approaches to overcome it:

1. Disable password policy for IPsec
2. Reconfigure the Password Policy and make it allow IPsec FortiExtender preshared key: 16 alphanumeric characters (a-z A-Z 0-9), without special characters.