cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Pre-Share Keys CMD CLISH

Hi,  

does anyone the CMD to see the vpn Pre-Share Keys in Checkpoint?

 

In Fortinet the PSK is saved in the config File like:

set remote-gw 77.56.199.43
set psksecret ENC Sqjxee+N3ZaTG2lL..........wa27N+XALaSxVQ==

0 Kudos
5 Replies
Admin
Admin

Re: Pre-Share Keys CMD CLISH

As far as I know, no such command exists.

If you don't know what it is, you have to reset it, per this SK:

Is it possible to recover the VPN pre-shared secrets, if they are unknown? 

0 Kudos

Re: Pre-Share Keys CMD CLISH

Hi Dameon,
thanks for your reply.
Maybe in the active connections?
grep radius /config/active
....
aaa:auth_profile:base_radius_authprofile:radius_sr v:0:secret \ lDGLiWozsw==
.....
So instead of radius maybe vpn?
grep vpn /config/active
Finally i would search this in the CP Firewall with 
find / -type f  -not -path "/var/log"  | xargs grep  -i " lDGLiWozsw== " 2>&1 | grep -v "Permission denied" 
Unfortunately, at the moment, i install a CP and i don"t  have a finished CP Installation to
to see if this could find this key?
0 Kudos
Admin
Admin

Re: Pre-Share Keys CMD CLISH

I can assure you the shared VPN key will NOT appear in /config/active as that contains OS config only, nothing related to firewall, VPN, or Threat Prevention.

Highlighted

Re: Pre-Share Keys CMD CLISH

As Dameon wrote, there is an sk about that - sk92561 Is it possible to recover the VPN pre-shared secrets, if they are unknown? In older (<R75.40) version dashboard, the PSK entry was unmasked and readable, but that has been changed for good! I assume that even using GuiDBedit to search a known PSK in the database would not yield any success... At least it should not .

thallam08
Ivory

Re: Pre-Share Keys CMD CLISH

The unencrypted pre-shared key is needed to establish the VPN.  Therefor it must be stored somewhere on the CP FW in a reversible format.

The question is, where is it stored, and how is it decrypted?

Any claim that it cannot be recovered is just security by obscurity ....

0 Kudos