How to recover the PSK of an IPsec VPN - FortiGate

A short, quick procedure to recover an IPsec VPN pre-shared key from a FortiGate

VPN

7/19/2024, 2 min read

Imagine you are troubleshooting a VPN and need to revalidate the PSK on both sides, but nobody has the documentation.

When you have administrative access on both sides, it's easy to solve: just set a new PSK on each end. However, when the tunnel goes to a partner's device that you don't administer and can't change, the situation is a bit different: you need the key that is already configured.

There are two ways to get the PSK out of the FortiGate. Let's see them.

Option 01 - Log in to the GUI of the FortiGate whose PSK you need to recover, then, in the browser's address bar, append the following path to the FortiGate's address:

/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1

If your FortiGate uses a custom HTTPS port for administration, put it after the address, e.g. https://<fortigate-address>:<port>/api/v2/cmdb/vpn.ipsec/phase1-interface?plain-text-password=1. The call is authenticated by the browser session you already have, and the query parameter "plain-text-password=1" asks the configuration API to return secrets in clear text instead of their encrypted "ENC" form.

The result:

You get a JSON document listing all phase1-interface objects (every IPsec VPN) with their settings, including the PSKs. Search for the keyword "psksecret" to find each tunnel's PSK quickly.

Option 02 - The second way needs both the CLI and the GUI of the firewall. The first step, in the CLI, is to get the encrypted hash of the PSK applied to the VPN tunnel whose key you need to recover.

In the configuration output (for example from "show vpn ipsec phase1-interface"), the encrypted PSK is the value after "set psksecret": it starts with "ENC" and runs to the last character of the line. Copy the whole thing.

With the hash in hand, the second step, still in the CLI, is to create a VAP (Virtual Access Point, i.e. an SSID) that uses the same ENC value as its Wi-Fi pre-shared key.

After creating the VAP, go to the GUI menu "WiFi Controller". If it isn't shown in the left-side menu, enable it in System > Feature Visibility.

In WiFi Controller > SSIDs, the interface created in our example, "VPN_PSK", shows the PSK from the IPsec tunnel in the "Pre-shared key" field under "Wi-Fi Settings". There is an option there to reveal the configured key, as in the figure above.
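The complete Option 02 sequence in the FortiOS CLI, as an added example that is not part of the original post. The tunnel name "VPN_PARTNER" and the ENC placeholder are assumptions (your unit prints a long encrypted string); "VPN_PSK" is the SSID name used above:

```fortios
# Step 1, CLI: print the phase1 configuration and copy the psksecret value of
# the tunnel whose key you need. "VPN_PARTNER" is an assumed tunnel name and the
# output below is a constructed illustration of what the unit prints.
show vpn ipsec phase1-interface
#   config vpn ipsec phase1-interface
#       edit "VPN_PARTNER"
#           ...
#           set psksecret ENC <long-encrypted-string>
#       next
#   end

# Step 2, CLI: create a temporary WPA2-Personal SSID whose passphrase is the
# very same ENC value. The unit accepts the encrypted form as-is because it
# decrypts it with the same key it uses for the VPN PSK.
config wireless-controller vap
    edit "VPN_PSK"
        set ssid "VPN_PSK"
        set security wpa2-only-personal
        set passphrase ENC <paste-the-full-ENC-string-from-step-1>
    next
end

# Step 3, GUI: WiFi Controller > SSIDs > VPN_PSK > Wi-Fi Settings, then use the
# reveal (eye) icon next to "Pre-shared key" to read the clear-text PSK.

# Step 4, CLI: remove the temporary SSID once the key has been read, so the
# secret is not left lying around in an unused Wi-Fi profile.
config wireless-controller vap
    delete "VPN_PSK"
end
```

The ENC string must be pasted without any modification, and it is only meaningful on the FortiGate that produced it (or one configured with the same private-data encryption key); a blob copied from another unit will not decrypt to the right passphrase.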

An important point about the second recovery procedure: it works because the IPsec pre-shared key and the SSID passphrase are stored with the same reversible encryption (the "ENC" form), so a value copied from one field is accepted and decrypted by the other. Even so, the same trick does not work to recover the FortiGate administrator password, which is stored differently. Remember to delete the temporary SSID afterwards, and treat the recovered key as the sensitive material it is.