Flex 500H manual migration of user account configurations

kaktusus

This is already my second consultation regarding migrating the configuration from USG Flex 200 to Flex 500H.
This time, I am trying to migrate part of the configuration related to user account definitions (including passwords).

I have successfully extracted the necessary information from the Flex 200 configuration file and adapted its format to meet the requirements of Flex 500H, while maintaining the required configuration file structure.
However, when I load the modified file and run the configuration test, it fails.

My question is: what could be causing this?
The structure of the configuration file for defining a single user seems obvious:

/ object user-object user "kaktusus"
/ object user-object user "kaktusus" "role" "user"
/ object user-object user "kaktusus" "password" "$$LCcs4rYU$EsaVbjOJ$T5IyhXbLPL3la2Xg3ldsACQqcUVGxC08AnLLS2h2BDSMwsXfJxd5hCs1Tm45B8aQl1/mQxSNjCt73p3B4PSObE0l8xb9pdGU6YiNPDT1ufcpAmcbZgun45IwT9ryfb7IM4DBK4SLtjDI7ClP2/mQRQxhnx4FDkvI1TPoHxQzCYw2OAeJgLF84t4iQ11nM9JlXhsmhPavX6mBYU0DwGeQ9e3XmN27vv8J55B1ELUL+NV/Qatudk1JgXJiU6xYXG18FruS9JsRawD6ORzPnRkjXxtel+BMbxsuCL2rn//IkJpplpZ0pHXiYqzLiQAwuYzPpXwG5eZwrXsmGgUh2eRMo/BLGycKt401zGKeHapBRdU$"
/ object user-object user "kaktusus" "description" "VPN User"
/ object user-object user "kaktusus" "logon-lease-time" "480"
/ object user-object user "kaktusus" "logon-reauth-time" "480"

My intuition tells me that the problem may occur at the password setting stage …
How can I deal with this problem without having to manually enter the configuration of dozens of users through the GUI❔

After completing the process successfully, I can share the scripts (offline) that I prepared and which are very useful. They also include the conversion of the static DHCP host list. 😎

PeterUK

I'm guessing each unit has a default key to then encrypt the password.

On non H models its possible to have the password in the clear not sure if you can do that with H models.

https://community.zyxel.com/en/discussion/comment/14989#Comment_14989

In fact just tested with a FLEX 200H and 700H with the same user name and password and the encrypted password are both different.

kaktusus

I understand. It's a big problem.

Tomorrow I plan to perform a few tests while omitting the password.
I am interested to know if anyone has already succeeded in importing ‘external users’.

I am still awaiting further suggestions or recommendations.

Zyxel_Melen

Hi @kaktusus

May I know how did you process the configuration convert? Via https://www.zyxel.com/global/en/promotions/firewall-configuration-converter or?

kaktusus

Hi.
The online tool "Firewall Configuration Converter" does not allow migration of configurations from Flex200 to Flex500H. I own such devices.

Therefore, I created a functionality that helped me transfer selected sections of the configuration file. I described information about the script in the previous message.

If you are interested in more details about my migration, I am open to questions.

Moreover, I believe that a configuration file contains sensitive data, and I would prefer not to upload it to the internet.

Zyxel_Melen

Hi @kaktusus

Yes, I'm interested on this case. Could you share more details with me via private message?

kaktusus

Ok, no problem.

I will prepare a description of my approach and share it with you, along with the scripts.

My scripts are Bash scripts, using standard tools such as awk.