"Unsupported version of FortiClient" message

[pablob127]

A few days ago my VPN stopped working, in the following way:

I can login correctly and the tunnels seem to be correctly set up. However, when I try to connect to any computer on the other side I simply cannot connect. From a traceroute, the packets do not even seem to reach the other end of the tunnel.

When I try to access the website, I get the following message:

  It seems you are using an unsupported version of FortiClient.                 

   Please disconnect your current VPN connection and download the official      
   supported version of FortiClient from the <website>               

I have tried with both the openfortivpn included in Debian 12 (1.19.0), and 1.22.1 (compiled by myself), and the behaviour is the same. I think that something changed in the VPN configuration that tries to enforce the Fortinet client. Do you think there may be any workarounds to avoid having to use that client?

Thanks!

[pablob127]

A bit more information:

It seems my institution's VPN has been recently updated, and now they have something called the "Zero Trust Fabric" enabled, and clients need to connect to that to (somehow) enable access. A search for this in the issues does not do bring up anything.

I'm not very optimistic, and I think I will have to install the specific client my institution provides (not that I am very happy about that), but I wonder if there would be any way I could help get over this new hurdle.

Any info will be appreciated!

[DimitriPapadopoulos]

The EMS client sends information about the client computer to the EMS server. In the absence of such information or if the EMS server is not happy with that information, the VPN server will block network traffic.

Therefore, openfortivpn needs to be modified to:

• extract/generate the information expected by the EMS server,
• send that information to the EMS server at the proper moment and in the proper format.

OpenConnect does have such a mechanism for other types of VPN servers: it runs a trojan binary or script that finds the expected information and sends it to the server. However, to the best of my knowledge, no such script is currently available for Fortinet servers.

[pablob127]

I'm trying to get the official Linux client (for some reason you cannot just download it and they make it really annoying to get it!). Can you recommend some ways I could use to try to help figure out what information is needed and when?

[DimitriPapadopoulos]

The EMS Linux client is only available from client accounts.

I would start with the FortiClient logs, they're pretty detailed. Then you might want to intercept the traffic to the telemetry server (see mitmproxy).

[bobot]

Some partial logs that you can find on internet:

• https://fortinetweb.s3.amazonaws.com/docs.fortinet.com/v2/attachments/e1adf1f2-e18f-11ee-8c42-fa163e15d75b/FortiClient_%26_FortiClient_EMS_7.4_New_Features_Guide.pdf
  • https://docs.fortinet.com/document/forticlient/7.4.0/new-features/273365/forticlient-linux-installer-creation-support