Support Forum
anelis
New Contributor

Fortigate upgrade: IPsec hashed psk key password hell

Hi folks,

Lately, I've come up with an "issue": between FortiOS releases, the way the hash is managed is different, making it quite difficult to "upgrade" the hashed version of the IPsec phase1 passwords to a newer version when the new hardware cannot be downgraded to match the old hardware.

Some customers still running a Fortigate in version 4.0 or 5.0 want to get a hardware refresh and update. When a new unit arrives it cannot be downgraded to match the customer's version, and most of our customers do not want to risk updating their unit as it is at the end of its life.

So no problems, right? Well, there is one really time-consuming task that we are forced to do: get back a compatible hashed version of the passwords, as most of the time customers don't store the password used in IPsec tunnels. Password hashes are not compatible from one release to the next major release, and this has been a time-consuming task.

The only solution we've found is to downgrade all the way to the customer's version with some random Fortigate lying around and upgrade all the way to the desired final version. The problem is that it sometimes requires the use of two firewalls, one from 4.0 to 5.2 and the final one from 5.2 up to 5.6 (as of now).

So, my question to the community:

Did anyone find a better solution to this "problem"? Like a tool to convert previous-version password hashes into ones that are compatible with a desired release?

Thanks a lot for your feedback
emnoc
Esteemed Contributor III

Never seen a problem nor a need to upgrade a hash. If you follow the migration flow suggestions between FortiOS versions, this should not be an issue.

Ken

PCNSE NSE StrongSwan
oheigl
Contributor II

Exactly that is the issue, to upgrade all the way through the firmware and models. I have asked our contact at Fortinet for an explanation regarding this situation, but haven't received an answer yet.

emnoc
Esteemed Contributor III

Still not following you. I believe in v4.0 and v5.0 the hash values are the same. If you take that PSK and use it in v5.2 it should work.

What you might be able to do is to just create a VM image and import the PSK and see if it works for FortiOS v5.4+, or use a lab model and just run through the PSK, but you will be limited on the available FortiOS versions that you have with a VM.

I don't know of a way of decrypting the hash, and I believe one or two FortiOS releases had warnings if you downgrade that you had to re-key the PSK.

And lastly, on this part:

"Password hashes are not compatible from one release to the next major release and this has been a time consuming task."

That's news to me, I just popped a hash from v5.2.9 into v5.4.1 and it worked. The last option is to look at FortiConverter and request a demo. It might allow some simple conversions and proofs between major family versions.

Ken

PCNSE NSE StrongSwan
bommi
Contributor III

emnoc wrote:

The last option is to look at forticonverter and request a demo. It might allow some simple conversions and proofs between major family versions.

For FortiOS to FortiOS "migrations" no license is needed.

The trial license of FortiConverter supports these migrations without any limitations.

Regards

bommi

NSE 4/5/7
emnoc
Esteemed Contributor III

Thanks

I haven't used it in a while ;)

PCNSE NSE StrongSwan
anelis
New Contributor

Hey folks, thanks for your answers

FortiConverter doesn't work in this case, or at least it didn't work in mine. I think it's a nice concept but it doesn't deliver what you'd expect. Anyway, that's for another time :p

And having no way but to update all the way through with different hardware in order to get a working tunnel is still quite a hassle.

So, if I understand, there is no other way than doing the full upgrade path :'(

ede_pfau

Still better than putting in the (documented) PSKs, right?

Ede Kernel panic: Aiee, killing interrupt handler!
aseques

To go from FXXXC 5.2 to FXXXE 5.6 we also had to use a FXXXD. I observed that the step where things get broken (not all the time) is more related to the hardware than to the version.

Once the FXXXD has the configuration (being on 5.2.11 for example) you should be able to export it and load to the FXXXE (5.6.2) and should work there.

A little too much voodoo on this, unfortunately...
