FortiGate
Shilpa1
Staff
Article Id 247522
Description This article describes how to fix an issue where the IPsec VPN configuration is lost after a device reboot or when an old configuration file is restored.
Scope FortiGate.
Solution

This can occur when the IPsec VPN tunnels are already configured and a password policy has been introduced.

If the pre-shared key does not meet the newly enabled password policy requirements, the IPsec VPN tunnel configuration is missing the next time the device reboots.

No matter how many times the deleted IPsec configuration is re-applied or copied and pasted, an error appears, as in the examples below.

In the example below, the minimum length for the psksecret was set to 15 in the password policy, but the entered key was only 10 characters long.

Error with ENC:

# config vpn ipsec phase1-interface

Fortigate (phase1-interface) # edit "IPSec-VPN"
new entry 'IPSec-VPN' added

Fortigate (IPSec-VPN) #

Fortigate (IPSec-VPN) # set psksecret ENC sBDJpnncNr1QF7+7gWNBkJe1YtGFdg2gYP+gXObe1n0lJsnV7d4y+rZDNNmmKturGN65DMX6ABQ/tNY8RBZqrN39wccUIaJMnjyMLXib23ia9iorbAujGL3cml+luLj0P5DFXKW55JKONLRxMETfQzHZVFHIshvvrE16N0Y/vBL6hBN0AXD4xbMEAHm4hGMIPG33rg==
node_check_object fail! for psksecret ENC sBDJpnncNr1QF7+7gWNBkJe1YtGFdg2gYP+gXObe1n0lJsnV7d4y+rZDNNmmKturGN65DMX6ABQ/tNY8RBZqrN39wccUIaJMnjyMLXib23ia9iorbAujGL3cml+luLj0P5DFXKW55JKONLRxMETfQzHZVFHIshvvrE16N0Y/vBL6hBN0AXD4xbMEAHm4hGMIPG33rg==

value parse error before 'sBDJpnncNr1QF7+7gWNBkJe1YtGFdg2gYP+gX
Command fail. Return code -49


Error without ENC:

# config vpn ipsec phase1-interface

Fortigate (phase1-interface) # edit "IPSec-VPN"
new entry 'IPSec-VPN' added

Fortigate (IPSec-VPN) #

FortiGate (IPSec-VPN) # set psksecret Qwerty123#
New psksecret must conform to the password policy enforced on this device:
new psksecret must be different than the old psksecret; minimum-length=15

node_check_object fail! for psksecret Qwerty123#

It is possible to validate the parameters set by navigating to System -> Settings -> Password Policy. There, check the password scope to see if 'IPsec' or 'both' is enabled, then check the set parameters and adjust accordingly.

[Screenshot: System -> Settings -> Password Policy]


It is also possible to access this configuration in the CLI:

# config system password-policy
sh full
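The check described above can be done before a reboot or a configuration restore, so that a pre-shared key that no longer satisfies the policy is caught before the tunnel silently disappears. The script below is an added example and is not part of this article or of FortiOS: it parses the output of the password-policy CLI block, decides whether the policy applies to IPsec pre-shared keys, and reports which rules a candidate psksecret would break. It also scans a phase1-interface snippet (the kind that is copied and pasted back after the loss) and checks every plaintext psksecret it finds; ENC values cannot be checked because they are encrypted. The policy setting names (`status`, `apply-to`, `minimum-length`, `min-*`) are those of the FortiOS CLI, but all values and the VPN snippet are constructed for the example.

```python
import re

# Constructed sample of what `config system password-policy` / `show full-configuration`
# prints: a 15-character minimum that applies to IPsec pre-shared keys.
# Values are made up for this example, not taken from a real device.
SAMPLE_POLICY = """\
config system password-policy
    set status enable
    set apply-to admin-password ipsec-preshared-key
    set minimum-length 15
    set min-lower-case-letter 1
    set min-upper-case-letter 1
    set min-non-alphanumeric 1
    set min-number 1
    set change-4-characters disable
    set expire-status disable
    set reuse-password enable
end
"""

# Constructed phase1-interface snippet: one tunnel with a plaintext key that is too
# short, one with an ENC blob (placeholder, not a real encrypted key) that cannot be checked.
SAMPLE_VPN = """\
config vpn ipsec phase1-interface
    edit "IPSec-VPN"
        set psksecret Qwerty123#
    next
    edit "Branch-B"
        set psksecret ENC PLACEHOLDER-ENCRYPTED-VALUE
    next
end
"""


def parse_policy(text):
    """Turn each 'set <key> <values...>' line of the policy block into key -> list of tokens."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"\s*set\s+(\S+)\s+(.*)$", line)
        if m:
            policy[m.group(1)] = m.group(2).split()
    return policy


def applies_to_ipsec(policy):
    """True only when the policy is enabled and its scope includes pre-shared keys."""
    enabled = policy.get("status", ["disable"])[0] == "enable"
    return enabled and "ipsec-preshared-key" in policy.get("apply-to", [])


def check_psk(psk, policy):
    """Return the list of policy rules a plaintext PSK violates (empty when it conforms)."""
    if not applies_to_ipsec(policy):
        return []
    counts = {
        "minimum-length": len(psk),
        "min-lower-case-letter": sum(c.islower() for c in psk),
        "min-upper-case-letter": sum(c.isupper() for c in psk),
        "min-number": sum(c.isdigit() for c in psk),
        "min-non-alphanumeric": sum(not c.isalnum() for c in psk),
    }
    violations = []
    for key, have in counts.items():
        need = int(policy.get(key, ["0"])[0])  # absent rule counts as 0 (not enforced)
        if have < need:
            violations.append(f"{key}={need} (have {have})")
    return violations


def check_snippet(snippet, policy):
    """Map each tunnel name to its violations; None means the key is ENC and was not checked."""
    results = {}
    current = None
    for line in snippet.splitlines():
        m = re.match(r'\s*edit\s+"?([^"]+)"?', line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"\s*set\s+psksecret\s+(ENC\s+)?(\S+)", line)
        if m and current:
            results[current] = None if m.group(1) else check_psk(m.group(2), policy)
    return results


if __name__ == "__main__":
    pol = parse_policy(SAMPLE_POLICY)
    for name, result in check_snippet(SAMPLE_VPN, pol).items():
        status = "not checked (ENC)" if result is None else (result or "ok")
        print(f"{name}: {status}")
```

Run against the sample, the first tunnel is reported with `minimum-length=15 (have 10)`, matching the error the article shows, while the ENC entry is skipped. Keys that contain spaces would need quoting and are not handled by this regex.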