How to Recover Fortigate IPsec VPN Pre-shared Key

During a FortiGate 100D to FortiGate 100F upgrade migration, the Fortinet firewall migration tool cannot recover the IPsec VPN pre-shared key for you, and we could not find the pre-shared key anywhere in the previous documentation.

Troubleshooting

After searching and testing around, the only fix seemed to be to set a new key on both ends; however, for this particular environment we were required to minimize the impact, so a key change on the remote peer was not an option.

[Screenshot: fortigate-pre-shared-key-recovery-not-clickable]

Solution

After digging through the Fortinet documentation and internet forums, I found someone mentioning the command below (short for "diagnose sys ha checksum show root vpn.ipsec.phase1-interface <name>"). It dumps the phase1 object as the HA checksum routine sees it. The output is not the pre-shared key in the clear, but it does contain it:

di sys ha checksum sho root vpn.ipsec.phase1-interface xxxxx

The key is 47756573744d653132330d0a

Looking at the output carefully, the value is not ciphertext at all: it is the key hex-encoded as ASCII. 47 75 65 73 74 ... decodes to the original text, and the trailing 0d 0a is a CR LF line ending that is not part of the key. To recover the key, you can use any hex-to-text converter, such as https://www.rapidtables.com/convert/number/hex-to-ascii.html, but since this is a live VPN secret it is better to decode it locally (for example with xxd -r -p, or a few lines of Python) rather than pasting it into a third-party website.
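As an added example that is not part of the original post, here is a small Python script that does the same decoding locally. The only input it assumes is the hex string quoted above; the function names are my own and not anything from FortiOS. It validates the hex, strips only the trailing CR LF, and checks that what remains is printable text before you trust it as the key.

```python
# Added example (not from the original post): decode the hex value that
# "diagnose sys ha checksum show root vpn.ipsec.phase1-interface <name>"
# displays, locally, so the VPN secret never leaves the admin workstation.
import binascii
import string

# Constructed sample input: the hex value quoted in the post above.
SAMPLE_HEX = "47756573744d653132330d0a"


def hex_to_bytes(hex_str: str) -> bytes:
    """Decode a hex string, tolerating spaces, colons and a 0x prefix.

    Raises ValueError for odd-length or non-hex input instead of silently
    producing a wrong key.
    """
    cleaned = "".join(hex_str.split()).replace(":", "")
    if cleaned.lower().startswith("0x"):
        cleaned = cleaned[2:]
    if len(cleaned) % 2:
        raise ValueError("hex string has odd length")
    try:
        return binascii.unhexlify(cleaned)
    except binascii.Error as exc:
        raise ValueError(f"not valid hex: {exc}") from exc


def decode_psk(hex_str: str) -> str:
    """Return the pre-shared key as text.

    The CLI dump terminates the value with CR LF (0d 0a); those two bytes
    are line-ending artefacts, not part of the key, so only they are
    stripped. Other trailing whitespace is kept in case it is real.
    """
    raw = hex_to_bytes(hex_str).rstrip(b"\r\n")
    # A PSK typed at the CLI is ASCII; anything else means the hex was
    # not a plain-text secret and should be investigated rather than used.
    return raw.decode("ascii")


def looks_like_text_key(secret: str) -> bool:
    """True if every character is printable ASCII (no control bytes left)."""
    printable = set(string.printable) - set("\t\n\r\x0b\x0c")
    return len(secret) > 0 and all(ch in printable for ch in secret)


if __name__ == "__main__":
    key = decode_psk(SAMPLE_HEX)
    print(f"raw bytes : {hex_to_bytes(SAMPLE_HEX)!r}")
    print(f"psk       : {key!r}")
    print(f"text key? : {looks_like_text_key(key)}")
```

Running it prints the raw bytes b'GuestMe123\r\n' and the recovered key GuestMe123. The one-liner equivalent on a Linux or macOS box is "echo 47756573744d653132330d0a | xxd -r -p", which prints the same text followed by the CR LF.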

[Screenshot: hex-to-text-converter]

Note

This method NO LONGER works on newer FortiOS firmware (such as 6.4.7): the checksum dump no longer exposes the secret. That is the right behaviour; a security product should not let an administrator read a stored password back out, and on the older firmware anyone with CLI access to the diagnose commands could recover the PSK the same way.

[Screenshot: di-sys-ha-checksum-sho-root-vpn.ipsec.phase1-interface]

Useful link

3 thoughts on “How to Recover Fortigate IPsec VPN Pre-shared Key”

  1. An outstanding share! I have just forwarded this
    onto a friend who had been conducting a little research
    on this. And he in fact ordered me lunch because I stumbled upon it for
    him… lol. So let me reword this…. Thank YOU for
    the meal!! But yeah, thanks for spending some time to discuss this issue here on your web
    site.
