I have two different Watchguard XTM 515 firewalls. Each has its own set of VPNs created in it.
Now I need to use only one firewall to handle the VPNs of both. But the problem is that I don't know the PSKs of the VPNs (I inherited those firewalls after joining my job). Asking the customers to change the PSK is not an option for me.
Now I do know that when I export the configuration (XML file) of a firewall, it includes the PSKs of all VPNs. That's the reason restoring that configuration to another firewall works. But I don't know how to get hold of those PSKs. I checked the configuration XML files with a plain text editor and it seems they are encrypted (no surprise here). But they must be encrypted using a static key, since this configuration can be uploaded to any firewall. It's just that I don't know the decryption scheme and key.
Now my objective is certainly not to break the encryption of Watchguard XML configuration files. All I need to do is merge two firewalls into one. I thought about manually merging the sections of XML configuration files exported from both firewalls, but it seems like a daunting task.
Could you please suggest a method to merge the VPNs of two different Watchguard firewalls into one?
Best Answer
You're right, they are encrypted with a static key, and the scheme is the AES Key Wrap Algorithm (RFC 3394). And you can decrypt them.
I took this public domain C# library, stripped it right down to just the decrypt functions and ported it to PowerShell, so it would fit in a StackOverflow answer and not need compiling or binaries.
It's not pretty, has no error checking or anything, but it seems to work:
e.g.
I don't think posting this is a security problem - any attacker who can get the firewall config file is already past the security, on the firewall or on a management workstation. The config contains no device management login credentials. And there isn't much else they could do to encrypt things in a config file without trading off a lot of other concerns instead. It's really a pragmatic layer to stop passwords showing up in plain text searches and indexes.