Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
jprokic
Staff
Staff

Created on ‎09-24-2024 02:54 AM Edited on ‎11-18-2024 03:41 AM By Moderator

Article Id 343712

Technical Tip: How restrictive Password Policy can prevent FortiExtender (FEX) setup on the FortiGate

Description This article describes that a restrictive Password Policy can cause issues during the FortiExtender (FEX) setup/configuration on the FortiGate.
FortiGate has a predefined password policy for generating a preshared key for the FortiExtender IPsec.
If the FortiExtender IPsec preshared key is not comforting the password policy, the IPsec tunnel interface won't be created.
Scope Password Policy, FortiExtender (FEX), FortiGate.
Solution

When configuring FortiExtender on the FortiGate, FortiGate automatically creates the IPsec tunnel for FortiExtender.

The IPsec tunnel preshared key FortiGate generates has a predefined length of 16 alphanumeric characters (a-z A-Z 0-9), without special characters.

If there is a Password Policy configured on FortiGate:

 

GUI: Go to System -> Settings -> Password Policy.

 

FEX_Password_policy_KB.png

CLI:


config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key

    *

    *
end

 

This Password Policy is restrictive enough so IPsec FortiExtender preshared key does not meet its requirements, and IPsec will not be created.

 

The output of the 'diagnose debug cli 8' debug command during the FortiExtender configuration on FortiGate shows the following:

 

2024-07-11 10:26:18 cmd=config vpn ipsec phase1-interface
edit fext-ipsec-uWC2
set type dynamic
set interface port16
set ike-version 2
set peertype one
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set localid localid-1ipPW2wcA2PvqCK6YH7rqQjV00NAY3wQV8eoyMNE5ZYveURtSJJMexb
set dpd on-idle
set comments "[FX200F-lanext-default] Do NOT edit. Automatically generated by extension controller."
set peerid peerid-PGyDoUf0fJotTTBQiZgcCpoFrtVuyi0gsCzAKPMkdWN3UTOLueSDoAp7
set psksecret ENC vz7q3INsIuNIMwqIXKTNnhjkIVbLQqzU9aM1U6eRtjJ7CmEDjnDTATQUo3OtaLWspParOlc81hYGwYxOSp8ddY4bGGq5YGtV+6wpxQRsx8P9s
9vfv3+4lGHterk8tIa2nUjMLNNm41zUamE4DPqLRJkelysiNKP/t29XSJ4bya8FGSkBcVlxGWpTSUH6D9shrhoULg==
abort


2024-07-11 10:26:18 -49: end

Error code -49 is:

 

"-49": "The password must conform to the system password policy."

 

If this issue happens, there are two possible approaches to overcome it:

  1. Disable password policy for IPsec.
  2. Reconfigure the Password Policy and make it allow IPsec FortiExtender preshared key: 16 alphanumeric characters (a-z A-Z 0-9), without special characters.

 

Note: Starting from FortiOS 7.6.1, the auto-created IPsec Preshared Key for lan-extension will have a randomly generated key with 30 characters long, containing at least 5 upper case alphabet and 5 lower case alphabet, 5 numbers, and 5 symbols.
532
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.