Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDLP
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPhish
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Lacework
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: Fortigate upgrade: IPsec hashed psk key passwo...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Fortigate upgrade: IPsec hashed psk key password hell
Hi folks,
Lately, I've come up with an "issue": Between FortiOS releases the way the hash is managed is different, making it quite difficult to "upgrade" the hashed version of the ipsec phase1 passwords to a newer version when the new hardware cannot be downgraded to match the old hardware.
Some customers still running a Fortigate in version 4.0 or 5.0 want to get a hardware refresh and update. When a new unit arrives it cannot be downgraded to match the customer's version and most of our customer do not want to risk updating their unit as it is at the end of their lives.
So no problems right ? Well, there is one really time consuming task that we are forced to do: Get back a compatible hashed version of the passwords as most of the time customer's don't store the password used in IPsec tunnels. Passwords hashes are not compatible from one release to the next major release and this has been a time consuming task.
The only solution we've found is to downgrade all the way to the customer's version with some random Fortigate lying around and upgrade all the way to the desired final version. The problem is that it sometimes requires the use of two firewalls, one from 4.0 to 5.2 and the final one from 5.2 up to 5.6 (as of now).
So, my question to the community:
Did someone find a better solution to this "problem" ? Like a tool to convert previous version password hashes into ones that are compatible for a desired release ?
Thanks a lot for your feedback
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
never seen a problem nor need to upgrade a hash. if you follow the migration flow suggestions between fortiOS version, this should not be a issue.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Exactly that is the issue, to upgrade all the way through the firmware and models. I have asked our contact at Fortinet for an explanation regarding this situation, but haven't received an answer yet.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still not following you. I believe in v4.0 and v5.0 the hash value are the same. If you take that PSK and use it in v5.2 it should work.
What you might be able to do is to just create a VM image and import the psk and see if it works for fortiOS v5.4+ or use a lab-model and just run thru the psk, but you will be limited on available fortiOS versions that you have with a VM.
I don't know of a way of decrypting the hash and I believe one or two fortiOS release had warnings if you downgrade that you had to re-key the PSK.
And lastly, on this part.
Passwords hashes are not compatible from one release to the next major release and this has been a time consuming task.
That's news to me, I just popped a hash from v5.2.9 into v5.4.1 and it worked. The last option is to look at forticonverter and request a demo. It might allow some simple conversions and proofs between major family versions.
Ken
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
emnoc wrote:The last option is to look at forticonverter and request a demo. It might allow some simple conversions and proofs between major family versions.
For FortiOS to FortiOS "migrations" no license is needed.
The trial license of forticonverter supports this migrations without any limitations.
Regards
bommi
NSE 4/5/7
NSE 4/5/7
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks
I haven't used it in a awhile ;)
PCNSE
NSE
StrongSwan
PCNSE
NSE
StrongSwan
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey folks, thanks for your answers
FortiConverter doesn't work in this case, or at least it didn't work in mine. I think it's a nice concept but it doesn't deliver the what you'd expect. Anyway that's for another time :p
And having no way but to update all the way through with different hardware in order to get a working tunnel is still quite a hassle.
So, if I understand, there is no other way than doing the full upgrade path :'(
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Still better than putting in the (documented) PSKs, right?
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To go from FXXXC 5.2 to FXXXE 5.6 we had also to use a FXXXD. I observed that the step where the things get broken (no all times) is more related to the hardware than to the version.
Once the FXXXD has the configuration (being on 5.2.11 for example) you should be able to export it and load to the FXXXE (5.6.2) and should work there.
A little too much voodoo on this, unfortunately...
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- Fortigate 50E 41 Views
- firmware upgrade 355 Views
- certificate for FGFM protocol - Error... 154 Views
- Firmware upgrade From v7.4.3 build2573 (Feature)... 100 Views
- Forticlient VPN client on Windows and... 203 Views
Labels
-
FortiGate
8,341 -
FortiClient
1,686 -
5.2
801 -
FortiManager
703 -
5.4
639 -
FortiAnalyzer
532 -
FortiSwitch
452 -
FortiAP
446 -
6.0
416 -
FortiClient EMS
392 -
5.6
362 -
FortiMail
307 -
6.2
251 -
FortiAuthenticator v5.5
234 -
SSL-VPN
205 -
5.0
196 -
FortiWeb
194 -
IPsec
174 -
FortiNAC
171 -
FortiGuard
132 -
6.4
128 -
SD-WAN
102 -
FortiGateCloud
100 -
FortiSIEM
97 -
FortiCloud Products
95 -
FortiToken
88 -
FortiAuthenticator
80 -
Customer Service
76 -
Wireless Controller
76 -
Firewall policy
67 -
4.0MR3
64 -
FortiProxy
56 -
FortiADC
51 -
Fortivoice
50 -
FortiEDR
50 -
High Availability
48 -
vlan
47 -
ZTNA
45 -
FortiSandbox
43 -
FortiExtender
43 -
FortiDNS
42 -
Routing
39 -
DNS
38 -
BGP
37 -
LDAP
37 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SAML
32 -
Certificate
32 -
Interface
31 -
NAT
30 -
Authentication
29 -
SSO
29 -
FortiConnect
28 -
RADIUS
27 -
FortiLink
26 -
FortiWAN
25 -
FortiConverter
25 -
FortiGate v5.2
24 -
VDOM
24 -
Web profile
23 -
Application control
22 -
Virtual IP
22 -
Logging
21 -
Fortigate Cloud
19 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
FortiMonitor
18 -
FortiPAM
18 -
SSL SSH inspection
18 -
Traffic shaping
17 -
FortiDDoS
15 -
FortiGate v5.0
14 -
OSPF
14 -
IP address management - IPAM
14 -
SSID
13 -
Static route
13 -
WAN optimization
13 -
FortiCASB
12 -
SNMP
12 -
Automation
12 -
Admin
12 -
System settings
12 -
Web application firewall profile
12 -
FortiManager v5.0
11 -
FortiSOAR
11 -
FortiManager v4.0
10 -
FortiRecorder
10 -
IPS signature
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
Proxy policy
9 -
FortiBridge
8 -
RMA Information and Announcements
8 -
Security profile
8 -
Port policy
8 -
4.0
7 -
FortiDeceptor
7 -
FortiAnalyzer v5.0
7 -
Traffic shaping policy
7 -
Fabric connector
7 -
Intrusion prevention
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Antivirus profile
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Traffic shaping profile
5 -
Web rating
5 -
Fortinet Engage Partner Program
5 -
3.6
4 -
FortiScan
4 -
Explicit proxy
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
DLP sensor
4 -
Email filter profile
4 -
Netflow
4 -
Replacement messages
4 -
FortiDB
3 -
FortiHypervisor
3 -
API
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
SDN connector
2 -
Service
2 -
Zone
2 -
Cloud Management Security
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
Multicast policy
1 -
Vulnerability Management
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1632 | |
| 1063 | |
| 749 | |
| 443 | |
| 210 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.