hi,
i'm trying to document our FG. how do i view/check the configured pre-shared key string?
can this be viewed in the GUI or via CLI only? where in the GUI or what command to use?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Preshared keys are saved as encrypted keys once you save the config and we cannot see the decrypted value. If you lost the key, the ideal option is to change the keys on both sides of tunnel.
You can see the encrypted keys in below location on GUI/CLI.
config vpn ipsec phase1-interface
edit "Test"
set interface "port3"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: Test (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 10.10.10.1
set psksecret ENC E/W7Rt2omWmzvZOX1qGGf7ice4JdqdsSxbPLfAkKGDV9tywVxPkHVFXZE9sszT75k7gdcdXldz5uTofF60OmMYdqHBxULCAAAbNLtZ/2DBecLwoEY5Q9a3NqNmU5ZDSsC7OClaCbeaTZMAPsN2ev+yAyBaxfw9stMMGDfx7Jdy+P/YBJyJ3BR+IxIRaWBsV4vvtUiw==
next
end
Hint:
as @srajeswaran mentioned, encrypted secret/pre-shared key is visible in CLI.
In case you would need to restore such config it is in there, in backup, or could be even copied and paste to new config and it will still work. If the opposite side of the VPN still has the same pre-shared key, then tunnel will work even without knowledge of actual plain text form.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
Preshared keys are saved as encrypted keys once you save the config and we cannot see the decrypted value. If you lost the key, the ideal option is to change the keys on both sides of tunnel.
You can see the encrypted keys in below location on GUI/CLI.
config vpn ipsec phase1-interface
edit "Test"
set interface "port3"
set peertype any
set net-device disable
set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
set comments "VPN: Test (Created by VPN wizard)"
set wizard-type static-fortigate
set remote-gw 10.10.10.1
set psksecret ENC E/W7Rt2omWmzvZOX1qGGf7ice4JdqdsSxbPLfAkKGDV9tywVxPkHVFXZE9sszT75k7gdcdXldz5uTofF60OmMYdqHBxULCAAAbNLtZ/2DBecLwoEY5Q9a3NqNmU5ZDSsC7OClaCbeaTZMAPsN2ev+yAyBaxfw9stMMGDfx7Jdy+P/YBJyJ3BR+IxIRaWBsV4vvtUiw==
next
end
Hint:
as @srajeswaran mentioned, encrypted secret/pre-shared key is visible in CLI.
In case you would need to restore such config it is in there, in backup, or could be even copied and paste to new config and it will still work. If the opposite side of the VPN still has the same pre-shared key, then tunnel will work even without knowledge of actual plain text form.
Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff
thanks guys! appreciate it.
One trick that I found useful in order to actually see it instead of copy/paste it as it is in case that you need it for RA IPsec, https://fortigateip:port/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1547 | |
1030 | |
749 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.