IPSEC Password Too Long?

Author
Unkown
2020/03/24 01:43:11

Hey,
for years, I was always able to take the config from a Fortigate 40/50/60 and to implement it on a new device including all site2site VPN data, so I don't have to reset all VPN phase1 passwords.
 
Today, I got a new 60F and wanted to copy the config from the older 60D to it:
 
config vpn ipsec phase1
    edit "whatever"
        set interface "wan1"
        set keylife 900
        set proposal 3des-sha1 3des-md5
        set localid-type address
        set dpd disable
        set dhgrp 2
        set nattraversal disable
        set remote-gw 1.1.1.1
        set psksecret ENC vvvx5Q2mPYfi7vfBUxq30IFVQhx183v+0E77nmfsdfsdfzARCLziSGN8wTwPioZV7Owt5xmTLBZdjNSuxeaDmFiIZHmtoO+JbdmTIMXGs+adRNuvQyVquvtN5hz1zKTYtQEL/l5e3hCcT3t0KkyuQyTNkU2mkuYLIyJsyS+CeXsdfv
    next
end
 
This was ALWAYS working (no, it is not my real IP, nor psksecret), but guess what I got now?
 
"Password is too long, max length is 128."
 
So... How am I supposed to change hardware, if I am not able to copy the passwords? There are 8 active VPNs and I can't do it live one-by-one.
#1


    ede_pfau
    Re: IPSEC Password Too Long? 2020/03/24 03:28:12
    Yes you can.

    There have been fundamental changes in the way VPN PSKs and WiFi PSKs are stored on a FGT. If you followed the upgrade path step-by-step (from which version?) and encounter this error then you will have to create new PSKs and store them afresh. It's not about the length of the plaintext PSK, just the algorithm to encode it has changed.
     
    This is the opportunity to get rid of outdated encryption algorithms as well (3DES? MD5?? really?) and to generate safe, random PSKs of suitable length (say, > 30 chars). Sorry, but.

    Ede

    " Kernel panic: Aiee, killing interrupt handler!"
    #2
    Unkown
    Re: IPSEC Password Too Long? 2020/03/24 07:41:42
    That's just a very old setup - The rest of the VPN tunnels were done with the latest wizard (v5.4.0) - So that's just that. 
    I can't follow any upgrade path, as I just have the old Forti without support and the new one.
    So there is no way to "convert" the passwords to the new format?
     
    #3
    ede_pfau
    Re: IPSEC Password Too Long? 2020/03/25 05:05:09
    I'm afraid, no. Just put in a new password.
    BTW, v5.4 is already 'old' - the switch in PSK encryption was between v6.0 and v6.2 IIRC.
     
    You could have a look at the Upgrade Path tool with just one valid support contract, all you need is an account.

    Ede

    #4
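
An added example, not from any poster in this thread and not Fortinet tooling: a Python script that scans an exported configuration for the two issues discussed above, phase1 entries still proposing 3DES or MD5 and stored `psksecret ENC` strings longer than the 128 characters named in the error message, and generates a random replacement PSK for each affected tunnel. It assumes the 128-character limit applies to the ENC string itself; the sample config, tunnel names and blobs are constructed.

```python
import re
import secrets

WEAK = ("3des", "md5")  # algorithms the reply calls outdated
MAX_ENC_LEN = 128       # limit from the error message; assumed to apply to the ENC string

# Constructed sample export: tunnel names and ENC blobs are made up.
SAMPLE = '''config vpn ipsec phase1
    edit "old-site"
        set proposal 3des-sha1 3des-md5
        set psksecret ENC {long}
    next
    edit "new-site"
        set proposal aes256-sha256
        set psksecret ENC {short}
    next
end
'''.format(long="A" * 172, short="B" * 64)

def parse_phase1(text):
    """Return {tunnel: {setting: value}} from phase1 / phase1-interface blocks."""
    tunnels, current, inside = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if re.match(r"config vpn ipsec phase1(-interface)?$", line):
            inside = True
        elif inside and line == "end":
            inside = False
        elif inside and (m := re.match(r'edit "(.+)"$', line)):
            current = tunnels.setdefault(m.group(1), {})
        elif inside and current is not None and (m := re.match(r"set (\S+) (.+)$", line)):
            current[m.group(1)] = m.group(2)
    return tunnels

def audit(text, psk_bytes=30):
    """Per tunnel: weak proposals, and whether the stored PSK must be re-entered."""
    report = {}
    for name, cfg in parse_phase1(text).items():
        weak = [p for p in cfg.get("proposal", "").split() if any(w in p for w in WEAK)]
        psk = cfg.get("psksecret", "")
        entry = {"weak_proposals": weak,
                 "psk_needs_reentry": psk.startswith("ENC ") and len(psk) - 4 > MAX_ENC_LEN}
        if entry["psk_needs_reentry"]:
            # 30 random bytes encode to a 40-character PSK; set it on both peers.
            entry["new_psk"] = secrets.token_urlsafe(psk_bytes)
        report[name] = entry
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```
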