Lately, I've come up with an "issue": Between FortiOS releases the way the hash is managed is different, making it quite difficult to "upgrade" the hashed version of the ipsec phase1 passwords to a newer version when the new hardware cannot be downgraded to match the old hardware.
Some customers still running a Fortigate in version 4.0 or 5.0 want to get a hardware refresh and update. When a new unit arrives it cannot be downgraded to match the customer's version, and most of our customers do not want to risk updating their unit as it is at the end of its life.
So no problems, right? Well, there is one really time-consuming task that we are forced to do: get back a compatible hashed version of the passwords, as most of the time customers don't store the password used in IPsec tunnels. Password hashes are not compatible from one release to the next major release and this has been a time-consuming task.
The only solution we've found is to downgrade all the way to the customer's version with some random Fortigate lying around and upgrade all the way to the desired final version. The problem is that it sometimes requires the use of two firewalls, one from 4.0 to 5.2 and the final one from 5.2 up to 5.6 (as of now).
So, my question to the community:
Did someone find a better solution to this "problem"? Like a tool to convert previous version password hashes into ones that are compatible with a desired release?
Still not following you. I believe in v4.0 and v5.0 the hash values are the same. If you take that PSK and use it in v5.2 it should work.
What you might be able to do is to just create a VM image and import the PSK and see if it works for FortiOS v5.4+, or use a lab model and just run through the PSK, but you will be limited on available FortiOS versions that you have with a VM.
I don't know of a way of decrypting the hash, and I believe one or two FortiOS releases had warnings if you downgrade that you had to re-key the PSK.
And lastly, on this part.
"Password hashes are not compatible from one release to the next major release and this has been a time-consuming task."
That's news to me; I just popped a hash from v5.2.9 into v5.4.1 and it worked. The last option is to look at FortiConverter and request a demo. It might allow some simple conversions and proofs between major family versions.