Just re-key them with a new PSK, it' s wouldn' t hurt, and would be a good security measure imho. I' m assuming your changing from a fortigate to something else ( JUNIPER?cisco? ) We just did this on a 310 that was replacing a ASA5520, the PSKs where in some case 5 6 characters long and pretty weak, a new rekey and newly defined PSK between the 310B and the remote-sites wheres o much.......... much better. So we dump the ASA ipsec PSK keys and then after turn up, schedule yet another maintenance window, to rekey 8 site2site vpn tunnel-groups with that remote fw-admin online. fwiw: it' s way easier to go ASA to FGT , then vice-versa. The ASA site2site keys can be dump via the more system:running-config command or via a backup execute thru the ASDM interface.

This is not going to be funny, it' s about 700 tunnels, these doesnt connect to equipment we have control over. Each and every peer has to be contacted personally then :-) Well a good job should last long. Thanks for your replies guys.

*shake head* And where is the documentation? I really don' t get it if this is in a professional environment. You know, at home you put in a weird password and forget it over time - no problem to replace it with something else. But with 700 VPN tunnels you would expect a written documentation. Someone hasn' t made his homework a long time ago. Passwords are not decodeable for security reasons, at least that' s Fortinet policy.

700 tunnels and PSK' s? That' s were private generated certificates come along.

bingo I hope you document this going forward. I thought my 8 VPN tunnels where bad , 700 is just horrible. I would recommend that you use a keypass or vault for the PSK. If any of the 700 vpn tunnels are cisco or a linux platform, you might be able to recover the PSK via that side. Any cisco code IOS or PIX/ASA newer than 6.3.X should be recoverable, and the linux platforms should have it within the ipsec configurations if accessible. good luck and I would hate to be in your shoes

Thanks guys. These tunnels are built up during several years by many diffrent administrators. At least we have the psk' s for maybe 100 tunnels. The thing is that the remote side is not managed us so either way I need to contact the adminstrators of those firewalls. Well at least I know what I will be doing the next year.