adrienverge / openfortivpn

Client for PPP+TLS VPN tunnel services
GNU General Public License v3.0

Remote gateway has allocated a VPN. #292

Status: Closed (reinhard-brandstaedter closed this issue 6 years ago)

reinhard-brandstaedter commented 6 years ago

Hello,

I'm running into issues where openfortivpn is not able to allocate the tunnel. Running 1.6.0 with verbose output I'm getting an INFO and then an ERROR about connection refused after authentication was successful.

DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr: 209.202.160.253
DEBUG: server_port: 10443
DEBUG: gateway_addr: 209.202.160.253
DEBUG: gateway_port: 10443
ERROR: connect: Connection refused
INFO: Closed connection to gateway.
DEBUG: server_addr: 209.202.160.253
DEBUG: server_port: 10443
DEBUG: gateway_addr: 209.202.160.253
DEBUG: gateway_port: 10443
ERROR: connect: Connection refused
INFO: Could not log out.

Trying to log in with an official FortiClient the connection works, and logging in to the gateway via browser works as well. There is no VPN allocated at the gateway. Any idea what the issue is here?

Cheers!

DimitriPapadopoulos commented 6 years ago

DEBUG: Cookie: SVPNCOOKIE=

Have you sanitized the log or is SVPNCOOKIE really empty?

DimitriPapadopoulos commented 6 years ago

Are you using two-factor authentication or one-time passwords?

mrbaseman commented 6 years ago

This is how far I could analyze this: openfortivpn fails to connect the socket because the connection was refused or the remote side was not listening for connections. There has already been a VPN allocated, and this has happened due to the previous communication to the same host and port, so it can't be that the remote side doesn't listen, and if the permission to open a tunnel is not present, the connection fails later, see #79. So, we have something different here... Could it be that there is another FortiGate on the path to the VPN gateway which is doing deep packet inspection on the SSL-encrypted VPN traffic and that's blocking your connection?
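The comment above lays out the order of events openfortivpn goes through (TLS session to the gateway, authentication, VPN allocation, then a second socket connect to server_addr:server_port for the tunnel itself) and argues that a "connection refused" after allocation is a different failure from the permission problem in #79. The script below is an added example, not code from the openfortivpn project, that encodes that ordering as a log triage helper: it reads verbose output in the `DEBUG:`/`INFO:`/`ERROR:` form quoted in the first post and reports the last stage reached and the first error after it. The sample log is constructed from the issue, with the documentation address 192.0.2.1 standing in for the reporter's gateway; the message strings matched are those visible in the issue plus openfortivpn's "Tunnel is up and running." success line.

```python
"""Stage triage for openfortivpn -v logs (added example, not project code).

Order of events encoded here: TLS session -> authentication -> VPN
allocation -> second TCP connect to server_addr:server_port -> PPP.
The classifier reports where a run stopped so a refused tunnel socket
(this issue) is not mistaken for a certificate, login or policy failure.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One "LEVEL: message" record per line, as openfortivpn prints them.
LINE_RE = re.compile(r"^(DEBUG|INFO|WARN|ERROR):\s*(.*?)\s*$")

# Constructed sample reproducing the issue's sequence; 192.0.2.1 is a
# documentation address standing in for the reporter's real gateway.
SAMPLE_LOG = """\
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr: 192.0.2.1
DEBUG: server_port: 10443
DEBUG: gateway_addr: 192.0.2.1
DEBUG: gateway_port: 10443
ERROR: connect: Connection refused
INFO: Closed connection to gateway.
ERROR: connect: Connection refused
INFO: Could not log out.
"""


@dataclass
class Diagnosis:
    stage: str                     # tls | auth | allocation | tunnel_socket | ppp | up
    reason: str                    # one-line explanation for the reader
    server: Optional[str] = None   # "addr:port" the tunnel connect targeted, if logged
    errors: List[str] = field(default_factory=list)
    empty_cookie: bool = False     # SVPNCOOKIE logged with no value (redacted or missing)


def parse_lines(text: str):
    """Yield (level, message) for each well-formed log line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            yield m.group(1), m.group(2)


def diagnose(text: str) -> Diagnosis:
    connected = authenticated = allocated = up = False
    addr = port = None
    errors: List[str] = []
    empty_cookie = False

    for level, msg in parse_lines(text):
        if msg == "Connected to gateway.":
            connected = True
        elif msg == "Authenticated.":
            authenticated = True
        elif msg == "Remote gateway has allocated a VPN.":
            allocated = True
        elif msg == "Tunnel is up and running.":
            up = True
        elif msg.startswith("server_addr:"):
            addr = msg.split(":", 1)[1].strip()
        elif msg.startswith("server_port:"):
            port = msg.split(":", 1)[1].strip()
        elif msg.startswith("Cookie: SVPNCOOKIE=") and msg.endswith("SVPNCOOKIE="):
            empty_cookie = True
        if level == "ERROR":
            errors.append(msg)

    server = f"{addr}:{port}" if addr and port else None
    common = dict(server=server, errors=errors, empty_cookie=empty_cookie)

    if up:
        return Diagnosis("up", "tunnel established", **common)
    if allocated:
        refused = [e for e in errors if e.startswith("connect:")]
        if refused:
            # The issue's case: gateway said yes, the tunnel socket was refused.
            return Diagnosis(
                "tunnel_socket",
                f"authentication and VPN allocation succeeded, but the follow-up TCP "
                f"connection to {server or 'the tunnel endpoint'} failed ({refused[0]}); "
                "check that the port is reachable from this host and that nothing on "
                "the path resets or inspects the TLS session",
                **common)
        return Diagnosis("ppp", "VPN allocated and socket connected; failure is in the PPP stage", **common)
    if authenticated:
        return Diagnosis("allocation", "authenticated, but the gateway did not allocate a VPN (gateway policy/permission)", **common)
    if connected:
        return Diagnosis("auth", "TLS session established but authentication did not complete", **common)
    return Diagnosis("tls", "no TLS session to the gateway: certificate or network problem", **common)


if __name__ == "__main__":
    d = diagnose(SAMPLE_LOG)
    print(d.stage, "->", d.reason)
    if d.empty_cookie:
        print("note: SVPNCOOKIE was logged empty; sanitized, or genuinely missing?")
```

Feed it the output of `openfortivpn -v` (for example `python3 triage.py < run.log` after replacing `SAMPLE_LOG` with `sys.stdin.read()`); the empty-cookie flag covers the question raised in the thread about whether `SVPNCOOKIE=` was sanitized or really blank, and the stage name tells you which side (certificate, credentials, gateway policy, or the tunnel socket) to look at first.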

mrbaseman commented 6 years ago

Another idea: it might be the endpoint-control registered-forticlient setting, or a firewall policy with a dependency on the client device on the FortiGate that only allows FortiClient to open a tunnel.

DimitriPapadopoulos commented 6 years ago

@mrbaseman But then how does the firewall make a difference between FortiClient and openfortivpn?

DimitriPapadopoulos commented 6 years ago

Endpoint protection overview

As far as I can see, Endpoint Protection is available for Microsoft Windows, Apple and Android devices only. Therefore I understand Endpoint Protection may prevent Linux users from using the VPN, either using the official FortiClient or openfortivpn.

@reinhard-brandstaedter When you say it works with official FortiClient, does this mean you have tried the official FortiClient from the same machine/OS, or from a different OS?

@mrbaseman Is it possible to implement Endpoint Protection in openfortivpn? If possible, do we only pretend FortiClient Endpoint Security is installed or do we actually try to mimic whatever FortiClient Endpoint Security software is supposed to do, and if so do we enforce that behavior?

mrbaseman commented 6 years ago

@DimitriPapadopoulos You are right, the degree of implementation depends on the type of the OS. Apart from Endpoint Protection, which is AntiVirus, WebFiltering etc. for the client, there is also FortiTelemetry, which lets the FortiGate know details about the client and, based on this information, grant access or not. I don't know the details of the implementation, but it is roughly described in the chapter "FortiTelemetry/On-Net/FortiClient Endpoint Compliance" in the Fortinet Communications Ports and Protocols Manual. The FortiClient sends some information that it collects on the client (e.g. OS type and version, installed patches and applications). This information is sent on TCP/8013 to the FortiGate. The client has to be provisioned and configured once from the FortiGate, so FortiClient knows where to send the data. Now, the FortiGate already knows some background when a client wants to connect.

I don't know how exactly it recognizes a specific client, but I can imagine that FortiClient, when provisioned with FortiTelemetry, sends an extra query string that allows the FortiGate to correlate the incoming SSL VPN connection with the collected telemetry information. In my Android FortiClient I also have a separate menu for configuring FortiTelemetry, and I think it's also possible to configure it on the client, but as far as I remember it's possible to lock this configuration during deployment of the FortiClient license token.

As far as openfortivpn is concerned, I believe this is all far beyond the scope of this project, and implementing features in this direction would require deep knowledge of what is probably closed source. Fortinet offers accounts on their development network for interested contributors (I don't have one), where you can have access to the APIs and some internal documentation, but I doubt that they share so many details that one can successfully mimic these advanced features of FortiClient.

mrbaseman commented 6 years ago

@reinhard-brandstaedter do you have access to the error logs on the FortiGate to which you are trying to connect? These logs sometimes don't correctly point to the root cause of the problem, but maybe this time they can give us a hint...

DimitriPapadopoulos commented 6 years ago

@reinhard-brandstaedter Do you have additional information that could help us characterize and address this issue?

DimitriPapadopoulos commented 6 years ago

@reinhard-brandstaedter Any chance you can help us debug this issue? Was this a FortiGate device issue?