Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
johnlloyd_13
Contributor

How to view IPSec Tunnel PSK

Hi,

I'm trying to document our FG. How do I view/check the configured pre-shared key string?

Can this be viewed in the GUI, or via CLI only? Where in the GUI, or what command should I use?

Thanks,
John
2 Solutions
srajeswaran
Staff

Pre-shared keys are saved as encrypted keys once you save the config, and we cannot see the decrypted value. If you lost the key, the ideal option is to change the keys on both sides of the tunnel.

You can see the encrypted keys in the location below in the GUI/CLI.

config vpn ipsec phase1-interface
    edit "Test"
        set interface "port3"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Test (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.10.10.1
        set psksecret ENC E/W7Rt2omWmzvZOX1qGGf7ice4JdqdsSxbPLfAkKGDV9tywVxPkHVFXZE9sszT75k7gdcdXldz5uTofF60OmMYdqHBxULCAAAbNLtZ/2DBecLwoEY5Q9a3NqNmU5ZDSsC7OClaCbeaTZMAPsN2ev+yAyBaxfw9stMMGDfx7Jdy+P/YBJyJ3BR+IxIRaWBsV4vvtUiw==
    next
end

Regards,

Suraj


xsilver_FTNT
Staff

Hi @johnlloyd_13 

Hint:
As @srajeswaran mentioned, the encrypted secret/pre-shared key is visible in the CLI.
In case you need to restore such a config, it is in there, in the backup, or it could even be copied and pasted into a new config and it will still work. If the opposite side of the VPN still has the same pre-shared key, then the tunnel will work even without knowledge of the actual plain-text form.


Tomas Stribrny - NASDAQ:FTNT - Fortinet Inc. - TAC Staff Engineer
AAA, MFA, VoIP and other Fortinet stuff

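The two answers above describe the same workflow: the PSK lives in the config only as a `set psksecret ENC <blob>` line, that line is what ends up in a backup, and the blob can be pasted into another unit to re-create the tunnel without ever knowing the plain text. The following script, added here as an example and not code from the thread or from Fortinet, parses a FortiOS backup into its `config / edit / set` structure, lists every phase1-interface tunnel with the fields John wanted to document, flags whether the stored secret is still the encrypted ENC form, and emits the CLI snippet for the copy/paste restore xsilver describes. The backup text is constructed for the example and its ENC blobs are placeholders, not real encrypted secrets.

```python
import shlex

# Constructed sample of a FortiGate configuration backup (not a real device's config).
# The phase1-interface block mirrors the one quoted in the answers above; the ENC blobs
# are placeholders, not real encrypted secrets.
SAMPLE_BACKUP = """\
config system global
    set hostname "FG-DOC"
end
config vpn ipsec phase1-interface
    edit "Test"
        set interface "port3"
        set peertype any
        set net-device disable
        set proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1
        set comments "VPN: Test (Created by VPN wizard)"
        set wizard-type static-fortigate
        set remote-gw 10.10.10.1
        set psksecret ENC AAAAplaceholderBlobForTest==
    next
    edit "Branch2"
        set interface "wan1"
        set proposal aes256-sha256
        set remote-gw 198.51.100.7
        set psksecret ENC BBBBplaceholderBlobForBranch2==
    next
end
"""


def parse_fortios_config(text):
    """Parse FortiOS `config / edit / set / next / end` syntax into
    {section: {entry_name: {key: value}}}.  Section-level `set` lines (no enclosing
    `edit`) are stored under the entry name "".  Nested `config` blocks inside an
    `edit` are keyed by their own section name only, which is enough here.
    Lines starting with '#' (the backup header) are skipped."""
    sections = {}
    config_stack = []   # open `config` sections, outermost first
    entry_stack = []    # open `edit` entries, outermost first
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)   # honours the double quotes FortiOS puts around strings
        keyword = tokens[0]
        if keyword == "config":
            config_stack.append(" ".join(tokens[1:]))
        elif keyword == "edit":
            entry_stack.append(tokens[1])
            sections.setdefault(config_stack[-1], {}).setdefault(tokens[1], {})
        elif keyword == "set":
            entry = entry_stack[-1] if entry_stack else ""
            # Multi-token values ("ENC <blob>", a proposal list) are kept as one string.
            sections.setdefault(config_stack[-1], {}).setdefault(entry, {})[tokens[1]] = " ".join(tokens[2:])
        elif keyword == "next":
            entry_stack.pop()
        elif keyword == "end":
            config_stack.pop()
    return sections


def list_ipsec_tunnels(text):
    """One record per phase1-interface tunnel in a backup: name, interface, remote
    gateway, proposal and the stored psksecret, flagged as encrypted when it still
    carries the ENC marker shown in the answers above."""
    tunnels = []
    phase1 = parse_fortios_config(text).get("vpn ipsec phase1-interface", {})
    for name, attrs in phase1.items():
        if name == "":
            continue
        secret = attrs.get("psksecret", "")
        tunnels.append({
            "name": name,
            "interface": attrs.get("interface"),
            "remote_gw": attrs.get("remote-gw"),
            "proposal": attrs.get("proposal"),
            "psksecret": secret,
            "psk_encrypted": secret.startswith("ENC "),
        })
    return tunnels


def restore_psk_cli(tunnel):
    """CLI snippet that re-applies a stored ENC blob to a tunnel of the same name on
    another unit: the copy/paste the second answer describes."""
    return "\n".join([
        "config vpn ipsec phase1-interface",
        f'    edit "{tunnel["name"]}"',
        f'        set psksecret {tunnel["psksecret"]}',
        "    next",
        "end",
    ])


if __name__ == "__main__":
    for t in list_ipsec_tunnels(SAMPLE_BACKUP):
        state = "encrypted (ENC)" if t["psk_encrypted"] else "PLAIN TEXT"
        print(f'{t["name"]:<10} {t["interface"]:<6} {t["remote_gw"]:<15} psk: {state}')
    print(restore_psk_cli(list_ipsec_tunnels(SAMPLE_BACKUP)[0]))
```

Two caveats for anyone relying on the copy/paste restore: the ENC blob is only portable while both units decrypt it the same way, and FortiOS has a global `private-data-encryption` setting that ties this encryption to a unit-specific key, after which a blob from one unit will not decrypt on another; and a backup that contains these blobs is as sensitive as the tunnel itself, so store it like a key file, not like documentation.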

4 Replies
johnlloyd_13
Contributor

Thanks guys! Appreciate it.

Thanks,
John
funkylicious
SuperUser

One trick that I found useful in order to actually see it, instead of copying/pasting it as it is, in case you need it for RA IPsec: https://fortigateip:port/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1
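The URL above is the FortiOS REST API read of the same `phase1-interface` table the CLI shows, with `plain-text-password=1` asking the firewall to return the secrets decrypted instead of as ENC blobs; that is what makes it usable when a remote-access client needs the PSK typed in. The script below is an added example, not code from the thread or from Fortinet: it builds that URL, fetches the table with a REST API admin token (Bearer header, TLS verified, optional private CA bundle), and reduces the reply to one record per tunnel, flagging any secret that still carries the ENC marker. The JSON replies embedded in it are constructed; the assumption that the result objects use the CLI attribute names (`name`, `remote-gw`, `psksecret`) under a `results` list, and the `FGT_HOST` / `FGT_TOKEN` environment variable names, are mine.

```python
import json
import os
import ssl
import urllib.parse
import urllib.request

CMDB_PATH = "/api/v2/cmdb/vpn.ipsec/phase1-interface"

# Constructed sample replies shaped like a FortiOS /api/v2/cmdb answer (field names
# assumed to match the CLI attribute names).  Neither secret is real.
SAMPLE_ENCRYPTED_REPLY = {
    "http_method": "GET",
    "results": [{"name": "Test", "interface": "port3", "remote-gw": "10.10.10.1",
                 "psksecret": "ENC AAAAplaceholderBlob=="}],
    "vdom": "root", "status": "success", "http_status": 200,
}
SAMPLE_PLAINTEXT_REPLY = {
    "http_method": "GET",
    "results": [{"name": "Test", "interface": "port3", "remote-gw": "10.10.10.1",
                 "psksecret": "example-psk-not-real"}],
    "vdom": "root", "status": "success", "http_status": 200,
}


def build_phase1_url(host, plain_text=False, vdom=None):
    """Assemble the URL from the reply above.  plain_text=True adds
    plain-text-password=1, the parameter that makes the firewall return decrypted
    secrets; vdom selects a non-default VDOM."""
    params = {}
    if plain_text:
        params["plain-text-password"] = "1"
    if vdom:
        params["vdom"] = vdom
    url = f"https://{host}{CMDB_PATH}"
    return url + ("?" + urllib.parse.urlencode(params) if params else "")


def fetch_phase1(host, token, plain_text=True, vdom=None, cafile=None):
    """GET the phase1-interface table with a REST API admin token (Bearer auth).
    TLS is verified; pass cafile for a FortiGate with a private CA instead of
    switching verification off."""
    req = urllib.request.Request(
        build_phase1_url(host, plain_text, vdom),
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return json.load(resp)


def summarise_psks(reply):
    """Reduce a reply to (name, remote gateway, secret, encrypted?) records.  A value
    still carrying the ENC marker means plain-text-password was not requested or not
    honoured, so the script reports it instead of silently documenting a blob as a key."""
    if reply.get("status") != "success":
        raise RuntimeError(f"API call failed: {reply.get('http_status')} {reply.get('status')}")
    records = []
    for entry in reply.get("results", []):
        secret = entry.get("psksecret", "")
        records.append({
            "name": entry.get("name"),
            "remote_gw": entry.get("remote-gw"),
            "psksecret": secret,
            "encrypted": secret.startswith("ENC "),
        })
    return records


def redact(secret, keep=2):
    """Show only the first `keep` characters, so the script is safe to run in a
    shared terminal; pass the full value on only where it is actually needed."""
    return secret[:keep] + "*" * max(len(secret) - keep, 0)


if __name__ == "__main__":
    host, token = os.environ.get("FGT_HOST"), os.environ.get("FGT_TOKEN")
    reply = fetch_phase1(host, token) if host and token else SAMPLE_PLAINTEXT_REPLY
    for r in summarise_psks(reply):
        shown = "still encrypted (ENC)" if r["encrypted"] else redact(r["psksecret"])
        print(f'{r["name"]:<10} {r["remote_gw"]:<15} psk: {shown}')
```

The security point to take from this reply is that any REST API admin token able to read this endpoint is, in effect, a copy of every PSK on the box. Create the API user with a minimal profile, pin its trusted hosts to the workstation that runs the script, and treat the token with the same care as the keys it can reveal.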
