To decrypt a configured pre-shared key, you only need to pass the hash to the request system decrypt command.
This works great if you have pre-existing IPsec configurations and you have misplaced the PSK or don't want to re-key a VPN tunnel,
or if a security engineer leaves the company and fails to document the PSK for the VPN tunnels.
A FortiGate, for example, does not have this feature.
So unless your FortiGate is peered with a Linux swan, Cisco ASA or Juniper SRX, you have almost a zero percent chance of decoding the shared PSK.
This also makes FortiOS superior in protecting the PSK, since it can't easily be decoded based on just an intercepted FortiOS conf file.
So when passing Juniper SRX config files around, you want to redact the PSK values.
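One way to do that redaction before a config leaves your hands, as an added example that is not part of the original post: a Python filter that replaces Junos $9$-encoded secrets with a placeholder and reports which statements held them. It assumes the secrets are stored in the standard $9$ form; the function name, placeholder text and sample config (including its secret values) are constructed for illustration.

```python
import re

# Junos stores reversible secrets as $9$... strings; match them quoted or bare.
SECRET_RE = re.compile(r'"\$9\$[^"\s]*"|\$9\$[^\s;"]+')
PLACEHOLDER = '"<REDACTED>"'  # hypothetical marker, pick whatever your team uses


def redact_config(text):
    """Return (redacted_text, findings); findings are (line_no, statement)."""
    out, findings = [], []
    for no, line in enumerate(text.splitlines(), 1):
        new, count = SECRET_RE.subn(PLACEHOLDER, line)
        if count:
            # Record which statement held the secret, never the secret itself.
            statement = line.split("$9$")[0].strip().rstrip('"').strip()
            findings.append((no, statement))
        out.append(new)
    return "\n".join(out), findings


# Constructed sample (not from a real device); the $9$ values are made up.
SAMPLE = '''security {
    ike {
        policy ike-pol-branch {
            mode main;
            pre-shared-key ascii-text "$9$CONSTRUCTEDexample1"; ## SECRET-DATA
        }
    }
}
set security ike policy ike-pol-hq pre-shared-key ascii-text "$9$CONSTRUCTEDexample2"
'''

if __name__ == "__main__":
    redacted, hits = redact_config(SAMPLE)
    print(redacted)
    for no, statement in hits:
        print(f"line {no}: redacted secret in '{statement}'")
```

Because the pattern keys on the $9$ prefix rather than on the pre-shared-key keyword, it also catches other $9$-encoded secrets that appear in the same file.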
NSE (Network Security Expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
=( @ @ )=