IPSec Preshared key after upgrade from 4.0
Hello,
I had to replace a very old FGT 200A with a new FGT 200D.
The FGT 200A has 4.00 firmware with an IPSec VPN.
I applied the same IPSec configuration on the new FGT 200D.
The only thing I'm unable to export is the preshared key. A copy & paste from the old firewall of the ENC hashed password fails: the 200D keeps changing it after a save (from the CLI).
For example, on the 200D, if I put "set psksecret ENC aaaaaaaaa" and save it with a "next" command,
then do a show of the VPN config, I keep getting "set psksecret ENC bbbbbbbbb".
The new firewall changes it after a copy & paste from the old one.
Labels: 5.4
By the way, I think this is normal behaviour; it's just that the VPN is not working because of a wrong PSK.
I have only done this with same versions of code. I would ensure both were running the same code, then do the cut/paste. The hashing algorithm may have changed between major versions.
Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com
Yeah... I am suspecting that is the issue :(
I don't think so, from experience.
You haven't yet stated the new FOS version.
If it's v5.2 or v5.4 chances are high that the PSK is correct but other phase1 parameters have changed.
Background:
When saving the config into a file (unencrypted) you only save those options which differ from the default (factory reset) configuration.
Now, between v4 and v5.x some VPN parameters have changed their defaults. Notably the lifetimes in ph1 and ph2, the DH group selections and the choices for AH and ENC.
After setting these back to the (undocumented) defaults of v4 I was able to get the VPNs up, in a recent HW upgrade from 200B to 600D, v4.3 to v5.2.
Of course first I changed all PSKs on both sides only to notice that this didn't help. You can see the default values in the CLI by using "show full".
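A practical way to apply the advice above is to compare the "show full" output of the same tunnel on both units, since "show" hides anything sitting at a (possibly changed) default. The script below is an added example, not code from anyone in this thread or from Fortinet: it parses one phase1-interface block from each unit and lists every setting whose effective value differs, skipping the ENC form of the PSK because the new unit re-encodes it on save. The two config texts are constructed samples; their values are illustrative and are not real FortiOS defaults.

```python
import re

# Constructed sample "show full" output of the same tunnel on the old and new
# unit; the values are illustrative only, not real FortiOS defaults.
OLD_SHOW_FULL = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set proposal aes128-sha1
        set dhgrp 5
        set keylife 28800
        set psksecret ENC aaaaaaaaa
    next
end
"""
NEW_SHOW_FULL = """\
config vpn ipsec phase1-interface
    edit "to-branch"
        set interface "wan1"
        set proposal aes128-sha256 aes256-sha256
        set dhgrp 14 5
        set keylife 86400
        set psksecret ENC bbbbbbbbb
    next
end
"""
EDIT_RE = re.compile(r'^\s*edit "([^"]+)"\s*$')
SET_RE = re.compile(r'^\s*set (\S+) (.+?)\s*$')

def parse_phase1(text):
    """Return {tunnel_name: {setting: value}} for every 'edit' block in the text."""
    tunnels, current = {}, None
    for line in text.splitlines():
        m = EDIT_RE.match(line)
        if m:
            current = tunnels.setdefault(m.group(1), {})
        elif line.strip() in ("next", "end"):
            current = None
        elif current is not None and (m := SET_RE.match(line)):
            current[m.group(1)] = m.group(2)
    return tunnels

def diff_tunnel(old, new, name, ignore=("psksecret",)):
    """Settings whose effective value differs between the two units. The ENC form
    of the PSK is skipped: the new unit re-encodes it on save, so the strings are
    not comparable even when the underlying key is identical."""
    a, b = old.get(name, {}), new.get(name, {})
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b))
            if k not in ignore and a.get(k) != b.get(k)}
```

Run it against real "show full" captures of the phase1 and phase2 blocks from both units; any key it reports (here proposal, dhgrp and keylife) is a candidate for the mismatch that keeps the tunnel down.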
