FortiGate
Zoltar_FTNT, Staff
Article Id 307820
Description This article describes how to recover the plain text of an IPsec pre-shared key using a combination of the CLI and GUI.
Scope All supported versions of FortiOS.
Solution

Note: This article assumes an IPsec tunnel configured with a pre-shared key whose plain text the administrator no longer remembers. The example uses a tunnel named 'Test' whose pre-shared key is 'Test1234'; although that value is known here, the walkthrough treats it as forgotten and shows how to retrieve it from the running configuration.

First, enter the existing tunnel's phase1 configuration on the CLI and display it:

config vpn ipsec phase1-interface
    edit Test
        show

The output of these commands is as follows:

config vpn ipsec phase1-interface
    edit "Test"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Test (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.60.70.8
        set psksecret ENC tj1eVFF97R4IsD4cYC8f+mru59YW9yW7dY+UAAQd2SbbJKlUbgkcGsVohse4rQsVdx5Zw9zfgomMFgASz3W8YNaeCKYgaCn1vhobBJd3ar3SN7KuN1gOnUVQSNZGRquTG6N2bDcuzcqXUUqcarQ1f8/d3mFzZNUZCbITnlbTBmlP0DzV2Q0mm+jzjDRdyZyw9ctXzw==
    next
end

Next, copy the psksecret value, including the leading 'ENC' and the space that follows it, exactly as shown below, and save it to a text file. The value is not the key itself but the key in the encrypted form the FortiGate stores, and it has to be reused verbatim in the next step:

ENC tj1eVFF97R4IsD4cYC8f+mru59YW9yW7dY+UAAQd2SbbJKlUbgkcGsVohse4rQsVdx5Zw9zfgomMFgASz3W8YNaeCKYgaCn1vhobBJd3ar3SN7KuN1gOnUVQSNZGRquTG6N2bDcuzcqXUUqcarQ1f8/d3mFzZNUZCbITnlbTBmlP0DzV2Q0mm+jzjDRdyZyw9ctXzw==

The SSID passphrase field accepts a value in that same ENC form, so the next step is to create a temporary test SSID and set its passphrase to the copied blob. This can be done via the GUI or the CLI; this article uses the CLI, which is generally faster. When setting the 'passphrase', paste the ENC value saved from the phase1 configuration of the IPsec tunnel:

config wireless-controller vap
    edit TestSSID
        set passphrase ENC tj1eVFF97R4IsD4cYC8f+mru59YW9yW7dY+UAAQd2SbbJKlUbgkcGsVohse4rQsVdx5Zw9zfgomMFgASz3W8YNaeCKYgaCn1vhobBJd3ar3SN7KuN1gOnUVQSNZGRquTG6N2bDcuzcqXUUqcarQ1f8/d3mFzZNUZCbITnlbTBmlP0DzV2Q0mm+jzjDRdyZyw9ctXzw==
end

Once the test SSID has been saved via the CLI, open the GUI, navigate to WiFi Controller -> SSIDs and edit the newly created 'TestSSID'.

[Screenshot: Edit.ssid.via.gui.JPG]

On the 'Edit Interface' page for the test SSID, scroll down to the 'Pre-shared Key' section and select the eye icon at the right of the 'Passphrase' field to reveal the passphrase.

[Screenshot: eye.icon.JPG]

The field shows 'Test1234', which is the plain text of the IPsec tunnel's pre-shared key.

[Screenshot: eye.icon_2.JPG]

Note: This works because the IPsec pre-shared key and the SSID passphrase are stored with the same reversible encryption, so a blob taken from one is accepted and decrypted by the other. Two consequences follow. First, any administrator who can read the phase1 configuration, create an SSID on the CLI and open it in the GUI can recover every IPsec pre-shared key on the unit, so that level of access should be treated as equivalent to knowing the keys. Second, delete the test SSID once the key has been read so that the secret is not left behind in a second object. The method cannot be used to uncover the FortiGate administrator password, which is not stored with this encryption.
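The copy step is where this procedure goes wrong in practice: the blob is long and must be reused byte for byte, 'ENC' prefix and space included. The following Python script, added here as an example and not part of the article or of FortiOS, extracts the psksecret from saved 'show' output, generates the SSID commands used above, and generates the matching delete command for cleanup. The sample input is the article's own 'show' output copied into a string; the tunnel name 'Test' and SSID name 'TestSSID' follow the article, and the function names are this example's own.

```python
import re
from typing import List

# Constructed sample input: the 'show' output for the 'Test' tunnel as the
# article prints it (psksecret value copied from the article, indentation added).
SAMPLE_SHOW_OUTPUT = """\
config vpn ipsec phase1-interface
    edit "Test"
        set interface "port2"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Test (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.60.70.8
        set psksecret ENC tj1eVFF97R4IsD4cYC8f+mru59YW9yW7dY+UAAQd2SbbJKlUbgkcGsVohse4rQsVdx5Zw9zfgomMFgASz3W8YNaeCKYgaCn1vhobBJd3ar3SN7KuN1gOnUVQSNZGRquTG6N2bDcuzcqXUUqcarQ1f8/d3mFzZNUZCbITnlbTBmlP0DzV2Q0mm+jzjDRdyZyw9ctXzw==
    next
end
"""

# One 'edit "<name>" ... next' block of a FortiOS table; the name may be quoted or not.
_EDIT_BLOCK = re.compile(
    r'^[ \t]*edit[ \t]+"?(?P<name>[^"\n]+?)"?[ \t]*\n(?P<body>.*?)^[ \t]*next[ \t]*$',
    re.MULTILINE | re.DOTALL,
)
# The stored secret: 'ENC' followed by the base64-looking blob, nothing else on the line.
_PSKSECRET = re.compile(
    r'^[ \t]*set psksecret[ \t]+(?P<value>ENC[ \t]+\S+)[ \t]*$', re.MULTILINE
)


def extract_psksecret(show_output: str, tunnel_name: str) -> str:
    """Return the 'ENC <blob>' psksecret of tunnel_name from 'show' output.

    The 'ENC ' prefix is kept because the FortiGate only treats the value as
    an already-encrypted secret when it is entered with that prefix (the
    article stresses copying the prefix and the space). Raises KeyError if the
    tunnel is absent and ValueError if its psksecret is not in ENC form.
    """
    for block in _EDIT_BLOCK.finditer(show_output):
        if block.group("name") != tunnel_name:
            continue
        found = _PSKSECRET.search(block.group("body"))
        if found is None:
            raise ValueError(f"tunnel {tunnel_name!r} has no ENC-form psksecret")
        # Normalise to exactly one space between 'ENC' and the blob.
        return " ".join(found.group("value").split())
    raise KeyError(f"tunnel {tunnel_name!r} not found in show output")


def build_vap_commands(enc_psksecret: str, ssid_name: str = "TestSSID") -> List[str]:
    """CLI lines that create a throw-away SSID whose passphrase is the IPsec
    ENC blob, as the article does; the GUI eye icon on that SSID then shows
    the plain text. Only ENC-form values are accepted so that a plain-text
    string is never written into a live SSID by mistake.
    """
    if not enc_psksecret.startswith("ENC "):
        raise ValueError("expected an 'ENC <blob>' value copied from the phase1 config")
    return [
        "config wireless-controller vap",
        f'    edit "{ssid_name}"',
        f"        set passphrase {enc_psksecret}",
        "    next",
        "end",
    ]


def build_cleanup_commands(ssid_name: str = "TestSSID") -> List[str]:
    """Remove the throw-away SSID once the key has been read, so the tunnel's
    PSK does not stay on the unit as a second, GUI-revealable object."""
    return [
        "config wireless-controller vap",
        f'    delete "{ssid_name}"',
        "end",
    ]


if __name__ == "__main__":
    secret = extract_psksecret(SAMPLE_SHOW_OUTPUT, "Test")
    print("\n".join(build_vap_commands(secret)))
    print()
    print("\n".join(build_cleanup_commands()))
```

Paste the output of build_vap_commands into the CLI, read the passphrase in the GUI as described above, then paste the output of build_cleanup_commands. The parser walks every edit/next block rather than grepping the first psksecret it sees, so it still picks the right tunnel when the full table (several tunnels) has been saved instead of a single entry.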