Humpe
New Contributor

Shared secret

Hi, we are about to move VPN tunnels from our Fortinet to another platform. Is there a way to see the shared secret in clear text?
ede_pfau
SuperUser

No. You can only cut and paste the hash (or whatever it is) from one config file to another (FortiGate) config file. Which will not help you, I guess.
Ede Kernel panic: Aiee, killing interrupt handler!
emnoc
Esteemed Contributor III

Just re-key them with a new PSK; it wouldn't hurt, and would be a good security measure IMHO. I'm assuming you're changing from a FortiGate to something else (Juniper? Cisco?). We just did this on a 310 that was replacing an ASA 5520; the PSKs were in some cases 5-6 characters long and pretty weak, and a rekey with newly defined PSKs between the 310B and the remote sites was so much... much better. So we dumped the ASA IPsec PSK keys and then, after turn-up, scheduled yet another maintenance window to rekey 8 site-to-site VPN tunnel-groups with the remote fw-admin online. FWIW: it's way easier to go ASA to FGT than vice versa. The ASA site-to-site keys can be dumped via the "more system:running-config" command or via a backup executed through the ASDM interface.

PCNSE NSE StrongSwan
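A bulk-rekey helper for the approach emnoc describes (generate fresh, strong PSKs and push them to the FortiGate side, while the remote admin sets the same key on their end). This is an added example, not code from the thread or from Fortinet; the tunnel names and gateway addresses are constructed, the 16-character minimum and 32-character default are my choices, and the emitted CLI assumes route-based tunnels under "config vpn ipsec phase1-interface" (policy-based tunnels use "config vpn ipsec phase1" instead). Check the peer platform's maximum PSK length before pushing.

```python
"""Bulk-rekey helper for IPsec PSKs (added example, not from the original thread).

Generates a fresh high-entropy PSK per tunnel, emits the FortiGate CLI that
sets it on each phase1-interface, and produces plain records for the vault.
All tunnel names and addresses below are constructed sample data.
"""
import math
import secrets
import string
from datetime import date

# Letters and digits only: no quoting trouble on FortiGate, ASA, Junos or
# strongSwan CLIs. 32 characters from 62 symbols is about 190 bits of entropy.
PSK_ALPHABET = string.ascii_letters + string.digits


def generate_psk(length: int = 32) -> str:
    """Return a cryptographically random PSK of the given length."""
    if length < 16:  # assumption: refuse anything weaker than 16 characters
        raise ValueError("refuse to generate a PSK shorter than 16 characters")
    return "".join(secrets.choice(PSK_ALPHABET) for _ in range(length))


def psk_entropy_bits(psk: str, alphabet: str = PSK_ALPHABET) -> float:
    """Rough entropy estimate: log2(|alphabet|) bits per character."""
    return len(psk) * math.log2(len(alphabet))


def fortigate_rekey_script(tunnels, psks) -> str:
    """Emit FortiGate CLI that updates psksecret on each phase1-interface.

    tunnels: list of (phase1 name, remote gateway) pairs
    psks:    dict phase1 name -> new PSK
    """
    lines = ["config vpn ipsec phase1-interface"]
    for name, _remote_gw in tunnels:
        lines.append(f'    edit "{name}"')
        lines.append(f"        set psksecret {psks[name]}")
        lines.append("    next")
    lines.append("end")
    return "\n".join(lines)


def vault_records(tunnels, psks, rekeyed_on=None):
    """Plain records (tunnel, remote-gw, PSK, date) to store in the team vault."""
    rekeyed_on = rekeyed_on or date.today().isoformat()
    return [
        {"tunnel": name, "remote_gw": gw, "psk": psks[name], "rekeyed_on": rekeyed_on}
        for name, gw in tunnels
    ]


# Constructed sample tunnels (RFC 5737 documentation addresses).
SAMPLE_TUNNELS = [
    ("site-a", "203.0.113.10"),
    ("site-b", "198.51.100.20"),
]

if __name__ == "__main__":
    new_psks = {name: generate_psk() for name, _ in SAMPLE_TUNNELS}
    print(fortigate_rekey_script(SAMPLE_TUNNELS, new_psks))
    for record in vault_records(SAMPLE_TUNNELS, new_psks):
        print(record)
```

Run it once per maintenance window with only the tunnels whose remote admin is on the call; the vault records are what the thread's later replies ask for, so that the next migration does not need to contact 700 peers again.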
Humpe
New Contributor

This is not going to be fun; it's about 700 tunnels, and these don't connect to equipment we have control over. Each and every peer has to be contacted personally then :-) Well, a good job should last long. Thanks for your replies, guys.
ede_pfau
SuperUser

*shakes head* And where is the documentation? I really don't get it if this is in a professional environment. You know, at home you put in a weird password and forget it over time; no problem to replace it with something else. But with 700 VPN tunnels you would expect written documentation. Someone hasn't done his homework a long time ago. Passwords are not decodable for security reasons; at least that's Fortinet policy.
Ede Kernel panic: Aiee, killing interrupt handler!
FortiRack_Eric
New Contributor III

700 tunnels and PSKs? That's where privately generated certificates come along.

Rackmount your Fortinet --> http://www.rackmount.it/fortirack
emnoc
Esteemed Contributor III

Bingo. I hope you document this going forward. I thought my 8 VPN tunnels were bad; 700 is just horrible. I would recommend that you use a KeePass or vault for the PSKs. If any of the 700 VPN tunnels are Cisco or a Linux platform, you might be able to recover the PSK via that side. Any Cisco code, IOS or PIX/ASA newer than 6.3.x, should be recoverable, and the Linux platforms should have it within the IPsec configurations if accessible. Good luck, and I would hate to be in your shoes.

PCNSE NSE StrongSwan
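For the recovery path emnoc points at (the far side being Cisco or Linux), here is an added example, not from the thread, that pulls peer-to-PSK mappings out of configuration text in the three formats where the key is stored in clear: Cisco IOS "crypto isakmp key", Cisco ASA "tunnel-group ... ipsec-attributes" blocks as shown by "more system:running-config" (a plain "show run" masks the key as asterisks), and strongSwan /etc/ipsec.secrets "PSK" lines. The sample configs are constructed; IOS type-6 keys are skipped because they are AES-encrypted in the config and not recoverable this way, and the strongSwan pattern assumes IDs without colons (IPv6 IDs would need a smarter split).

```python
"""Extract IPsec PSKs from far-side configuration text (added example, not
from the original thread).

Handles three formats where the key appears in clear text:
  Cisco IOS:          crypto isakmp key [0] <KEY> address <PEER>
  Cisco ASA:          tunnel-group <PEER> ipsec-attributes
                        [ikev1 ]pre-shared-key <KEY>
  strongSwan secrets: <ID> [<ID>...] : PSK "<KEY>"
The sample configurations below are constructed.
"""
import re
from typing import Dict

# Optional encryption type (0 = clear, 6 = AES-encrypted, not recoverable).
IOS_RE = re.compile(r"^\s*crypto isakmp key(?:\s+(\d))?\s+(\S+)\s+address\s+(\S+)", re.M)
ASA_TG_RE = re.compile(r"^\s*tunnel-group\s+(\S+)\s+ipsec-attributes\s*$")
ASA_KEY_RE = re.compile(r"^\s*(?:ikev1\s+)?pre-shared-key\s+(\S+)")
# IDs before the colon, then PSK and a quoted key. Assumes IDs contain no ':'.
SWAN_RE = re.compile(r'^\s*([^:#\n]+?)\s*:\s*PSK\s+"([^"]*)"', re.M)


def extract_psks(config_text: str) -> Dict[str, str]:
    """Return {peer_or_id: psk} for every recoverable key in config_text."""
    found: Dict[str, str] = {}

    # Cisco IOS: one line per peer.
    for enc_type, key, peer in IOS_RE.findall(config_text):
        if enc_type == "6":  # type-6 key is encrypted in the config; skip it
            continue
        found[peer] = key

    # Cisco ASA: the key lives inside the tunnel-group's ipsec-attributes block,
    # which ends at the next non-indented line.
    current = None
    for line in config_text.splitlines():
        m = ASA_TG_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current is None:
            continue
        if line and not line[0].isspace():
            current = None  # left the block
            continue
        k = ASA_KEY_RE.match(line)
        if k and set(k.group(1)) != {"*"}:  # 'show run' masks keys as *****
            found[current] = k.group(1)

    # strongSwan ipsec.secrets: several IDs may share one key; %any is a wildcard.
    for ids, key in SWAN_RE.findall(config_text):
        for ident in ids.split():
            if ident != "%any":
                found[ident] = key

    return found


# Constructed samples (RFC 5737 documentation addresses, made-up keys).
SAMPLE_CISCO_IOS = """\
crypto isakmp key 0 IosSharedKey1 address 203.0.113.10
crypto isakmp key 6 XaCd8_encrypted address 203.0.113.11
"""
SAMPLE_CISCO_ASA = """\
tunnel-group 198.51.100.20 type ipsec-l2l
tunnel-group 198.51.100.20 ipsec-attributes
 ikev1 pre-shared-key AsaSharedKey2
tunnel-group 198.51.100.21 ipsec-attributes
 pre-shared-key *****
"""
SAMPLE_STRONGSWAN = """\
# /etc/ipsec.secrets
203.0.113.30 %any : PSK "SwanSharedKey3"
"""

if __name__ == "__main__":
    for peer, psk in extract_psks(SAMPLE_CISCO_IOS + SAMPLE_CISCO_ASA + SAMPLE_STRONGSWAN).items():
        print(f"{peer}: {psk}")
```

Anything the function returns can go straight into the vault records; anything it skips (type-6 IOS keys, masked ASA keys) still needs the rekey route.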
Humpe
New Contributor

Thanks, guys. These tunnels have been built up over several years by many different administrators. At least we have the PSKs for maybe 100 tunnels. The thing is that the remote side is not managed by us, so either way I need to contact the administrators of those firewalls. Well, at least I know what I will be doing for the next year.