adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Unable to use openfortivpn with new --cookie option. #1008

Closed HrBingR closed 1 year ago

HrBingR commented 2 years ago

So I built openfortivpn as I see the changes adding the --cookie parameter were only recently merged into master, and the MAN page in my version does have the --cookie option present, but I'm not sure it's working. When I try to connect to my VPN I get the following:

@kde:~/openfortivpn/openfortivpn$ sudo openfortivpn vpnhost:443 --cookie="SVPNCOOKIE=insertreallylongcookiehere"
WARN:   Ignoring option "cookie".
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
ERROR:  Could not get VPN configuration (HTTP status code).
INFO:   Closed connection to gateway.
INFO:   Logged out.

Not sure what's going on here, as on Windows I can log in using SAML authentication fine in forticlient, as well as in my browser. But for some reason, openfortivpn just dies immediately with the above.

DimitriPapadopoulos commented 2 years ago

This is where the Ignoring option "cookie" warning comes from: https://github.com/adrienverge/openfortivpn/blob/624b13d5c133620d58fa08189e028b9313d8fdf0/src/config.c#L273

Could it be that you have a cookie option in your config file? That is what is supposed to trigger the above warning.

DimitriPapadopoulos commented 2 years ago

The real error is Could not get VPN configuration (HTTP status code). The error message originates here: https://github.com/adrienverge/openfortivpn/blob/624b13d5c133620d58fa08189e028b9313d8fdf0/src/tunnel.c#L1317

Unfortunately it is not very informative. I would recommend running openfortivpn -v -v to get more detailed information.

DimitriPapadopoulos commented 2 years ago

Function auth_get_config() is simple, it retrieves the VPN configuration in XML format from the URL path /remote/fortisslvpn_xml:

int auth_get_config(struct tunnel *tunnel)
{
    char *buffer;
    int ret;

    ret = http_request(tunnel, "GET", "/remote/fortisslvpn_xml", "", &buffer, NULL);
    if (ret == 1) {
        ret = parse_xml_config(tunnel, buffer);
        free(buffer);
    }

    return ret;
}

It could be that your VPN gateway is too recent and http_request() returns an error. A (sanitized) log of openfortivpn -v -v -v might not show the exact HTTP error (we might have to add additional debug code to see what's wrong with http_request() and http_send()), but it should show the version of the VPN gateway to start with.

bartosz-antosik commented 2 years ago

Hello!

I have a variation of what you describe, but ending with the same Could not get VPN configuration (HTTP status code):

INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
ERROR:  Could not get VPN configuration (HTTP status code).
INFO:   Closed connection to gateway.
INFO:   Logged out.

Getting more details with -v -v -v reveals that the request for the VPN configuration:

GET /remote/fortisslvpn_xml HTTP/1.1
Host: vpnaz.cloudgpw.pl:443
User-Agent: Mozilla/5.0 SV1
Accept: */*
(...)

ends like this:

DEBUG:  http_receive:
HTTP/1.1 302 Found
Date: Sat, 10 Sep 2022 22:07:16 GMT
Server: xxxxxxxx-xxxxx
(...)

I cannot see gateway version or maybe do not know what to look for.

Could you maybe explain what is wrong?

DimitriPapadopoulos commented 2 years ago

The XML configuration is not available at the /remote/fortisslvpn_xml URL. This happens after authentication, and before printing the version of FortiOS, which is sent together with the configuration. I'm not sure what's wrong here. HTTP error code 302 means temporary redirection. Perhaps it is related to the redirection to the Microsoft authentication page.
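As an added example (not code from the openfortivpn project), a small Python triage script that walks an openfortivpn -v -v -v log, finds the response to the GET of /remote/fortisslvpn_xml discussed above and reports its status code and Location header, so a 302 like the one in this thread can be told apart from a 200 followed by an XML parsing failure. The sample log, the "http_send:" marker, the hostname and the hint texts are constructed assumptions.

```python
import re

# Constructed sample of an `openfortivpn -v -v -v` log, modelled on the excerpt in
# this thread; the "http_send:" marker and the Location header are assumptions.
SAMPLE_LOG = """\
INFO:   Authenticated.
DEBUG:  http_send:
GET /remote/fortisslvpn_xml HTTP/1.1
Host: vpn.example.invalid:443

DEBUG:  http_receive:
HTTP/1.1 302 Found
Server: xxxxxxxx-xxxxx
Location: https://vpn.example.invalid/remote/saml/start

ERROR:  Could not get VPN configuration (HTTP status code).
"""

STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")

# Triage hints (my own wording) for the status of this particular request.
HINTS = {
    "200": "configuration was served; look at the XML parsing step instead",
    "302": "redirect, often to an SSO/SAML login page: the gateway did not "
           "treat the session cookie as authenticated for this realm",
    "401": "cookie rejected or expired",
}

def config_fetch_status(log, path="/remote/fortisslvpn_xml"):
    """Locate the response to `GET <path>`; return {status, headers, hint} or None."""
    lines = log.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith(f"GET {path} "))
    except StopIteration:
        return None          # the request was never sent
    status, headers = None, {}
    for line in lines[start + 1:]:
        if status is None:   # skip until the response status line
            m = STATUS_RE.match(line)
            status = m.group(1) if m else None
            continue
        if not line.strip():  # blank line terminates the response headers
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return None if status is None else {"status": status, "headers": headers,
        "hint": HINTS.get(status, "unexpected status; inspect the full response")}
```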

DimitriPapadopoulos commented 2 years ago

Sharing the detailed log of the official client for Linux might give a clue.

HrBingR commented 2 years ago

So just wanted to give a quick update here. Turns out we have two separate Fortigate realms we can connect to. One is a split tunnel giving access to the general corporate network; this is where they implemented SSO. The other isn't split tunnel and it gives access to both our corporate network, and our core network. SSO was not implemented on the latter.

When we were told we had to use SSO, I had assumed this applied across the board, but turns out it only applied to employees using the general realm. For employees such as myself, the core realm still uses username/password authentication.

That having been said, I did get the official Forticlient working on my distro and there SSO worked fine (though it would occasionally break my DNS) but I've since reinstalled an arch-based distro and could not for the life of me get the official client working there, but have managed to get openfortivpn working great using the core realm with UN/PW auth.

Will leave this open as I see others seem to be experiencing similar issues, but for me this is no longer an issue.

DimitriPapadopoulos commented 2 years ago

@HrBingR Thank you for sharing the solution. @bartosz-antosik You might want to open a different issue, as Could not get VPN configuration (HTTP status code) is a broad error message that may cover different issues. Are you using the --cookie option, which is the focus of the current issue?