Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
nixbrian
New Contributor

Created on ‎09-23-2014 06:47 PM

IPSec VPN PSK

I am replacing a FortiGate and was trying to find my current configured PSK for my IPSec tunnel without having to reconfigured both ends. How can I find my current configured PSK?
20493
0 Kudos
5 REPLIES 5
journeyman
Contributor

Created on ‎09-23-2014 09:24 PM

If you copy the config from the existing fortigate into the new then the psk will be copied over. You still won' t know what it is, but it should work. Is this a system you configured or inherited? Do you have any idea what the psk might be? If you can make an educated guess, you can prove if you are right in the cli. Compare the existing encoded psk
show vpn ipsec phase1 (-interface)
 edit my-ipsec-tunnel
 [..]
     set psksecret ENC <existing psk encoded>
 next
 end
then enter what you think it is
config vpn ipsec phase1 (-interface)
 edit my-ipsec-tunnel
     set psksecret new-secret-dont-tell
 end
and check if they match
show vpn ipsec phase1 (-interface)
 edit my-ipsec-tunnel
 [..]
     set psksecret ENC <new psk encoded>
 next
 end
If the two encoded strings match, you know the psk.
4990
0 Kudos
nixbrian
New Contributor

Created on ‎09-24-2014 05:31 AM

I inherited it and do not have a clue what the current configured PSK' s are. I was hopeful there was a way to de-hash the value and be able to view it for documentation purposes.
4990
0 Kudos
Christopher_McMullan
Staff
Staff
In response to nixbrian

Created on ‎09-24-2014 05:55 AM

Unfortunately not - it' s a one-way hash. I' d echo the suggestions here on how to try and retrieve it through trial-and-error, or changing it on a running system to a known new value.

Regards, Chris McMullan Fortinet Ottawa

4990
0 Kudos
journeyman
Contributor

Created on ‎09-24-2014 07:31 PM

I' m not suggesting you try to guess on an inherited system, unless you have some good clues handy. Can you change the psk? (Obviously you need to do both ends). The outage to the tunnel shouldn' t be long. If you have admin access you can do the remote end (tunnel breaks), then your end and it should come up fine.
4990
0 Kudos
nixbrian
New Contributor

Created on ‎09-25-2014 04:53 AM

That looks like my only option at this time. I had hope to not have to go this route as I have about 12 S2S I will have to coordinate to rebuild with new PSK.
4990
0 Kudos
Announcements
Check out our Community Chatter Blog! Click here to get involved
Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.