Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
maiconp340
New Contributor

PSK IPsec from 5.2 to 6.0 Version

Hello, I´m doing a migration from an box 600C to 100F but I don´t have save any PSK on my IPsec tunnels.

I wonder if there is any way I get theses PSK or copy and paste the Encode PSK from 5.2 version to 6.0.

I did a test copy and paste PSK encode but didn´t work.

any tipe is welcome.

thanks   

2 Solutions
sw2090
SuperUser
SuperUser

copy paste will not work becuase the encoding changedsomwhere between 5.2 and 6.0.

What should work ist: first upgrade your current FGT to 6.0 using the recommended upgrade path and then copy paste the tunnels/psks.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

View solution in original post

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
tioeudes

He can't, the 600C doesn't upgrade to 6.0. Maybe he could go to the 5.6.12 but i don't know if the encoding would be the same.

 

Starting to agree with emnoc. It's probably be better to rekey these tunnels.

View solution in original post

8 REPLIES 8
tioeudes
Contributor

Hello!

 

I did this before, but not with different firmware versions.

 

Using the config file, I copied the line where the psk is, pasted on the fgt ad it worked.

 

You lost the psk on the upgrade? There was a bug that caused that.

 

 

regards,

tioeudes

maiconp340

I´m doing migration the config by hand because my currently box is an 600C version 5.2 and my new box is an 100F version 6.0.4 

tioeudes

Sure, been there too! Another thing you can do, is to download config file of the 600C and extract the  the ipsec tunnel (phase1 and phase2) configuration and then upload it on the 100F(with the necessary adjustments) as a script. Or you can just paste it on a terminal when conected through ssh.

 

regards,

tioeudes

emnoc
Esteemed Contributor III

If it 1 or 3  tunnels I would waste any time and just rekey the PSK. I seen a lot of customer who would spend 6 hours trying to recover a key when they could just rekey the PSK on a handful of tunnels and been done.

 

just my 2cts observation

 

Ken Felix

PCNSE 

NSE 

StrongSwan  

PCNSE NSE StrongSwan
sw2090
SuperUser
SuperUser

copy paste will not work becuase the encoding changedsomwhere between 5.2 and 6.0.

What should work ist: first upgrade your current FGT to 6.0 using the recommended upgrade path and then copy paste the tunnels/psks.

 

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
tioeudes

He can't, the 600C doesn't upgrade to 6.0. Maybe he could go to the 5.6.12 but i don't know if the encoding would be the same.

 

Starting to agree with emnoc. It's probably be better to rekey these tunnels.

sw2090

hm his post read like that. I didn't check that in support portal. But if it is like that I agree the best way is to rekey the tunnels.

I can only confirm that an Ipsec Tunnel from 5.6.12 to 6.0.9 works fine. But that don't say anything about encoding on both sides does it ;)

-- 

"It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams

-- "It is a mistake to think you can solve any major problems just with potatoes." - Douglas Adams
maiconp340
New Contributor

Hello, thank you. this the point.

I will go do the update.

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors