Closed borisovg closed 6 years ago
Maybe a problem with the FortiGate device. Can you try with FortiClient? Chances are it will bail out with an error message too.
Looking at log from --pppd-log option:
rcvd [IPCP ConfNak id=0x7 <addrs 10.18.2.1 173.x.x.x>]
sent [IPCP ConfReq id=0x8 <addrs 10.18.2.1 192.0.2.1>]
rcvd [IPCP ConfRej id=0x8 <addrs 10.18.2.1 192.0.2.1>]
sent [IPCP ConfReq id=0x9]
rcvd [IPCP ConfAck id=0x9]
Peer refused to agree to our IP address
Connect time 0.3 minutes.
Sent 1219 bytes, received 1198 bytes.
sent [IPCP TermReq id=0xa "Refused our IP address"]
rcvd [IPCP TermAck id=0xa]
sent [LCP TermReq id=0x2 "No network protocols running"]
sent [LCP TermReq id=0x3 "No network protocols running"]
Connection terminated.
Modem hangup
@DimitriPapadopoulos is this enough to pin the blame on the server?
@DimitriPapadopoulos the POS FortiClient for Linux doesn't even work with 2FA :(
This message does look strange:
DEBUG: if_config: not ready yet...
The relevant code is:
https://github.com/adrienverge/openfortivpn/blob/a5ab08a/src/io.c#L540-L563
Clearly the PPP interface isn't up.
Now why isn't PPP up? You have provided the PPP log which is extremely helpful. Often users don't provide it and I myself forget about it. We should write a wiki page to document how to troubleshoot openfortivpn! This looks suspect:
Peer refused to agree to our IP address
Has anything changed on the FortiGate device that could explain it?
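The log reading above, as an added example that is not part of the original thread or of openfortivpn's code: a small Python parser that walks the IPCP exchange in a `--pppd-log` capture and reports what the peer suggested, what it rejected, and whether the request it finally acknowledged carried any address option. The function names and result keys are hypothetical, and the sample input is constructed from the log lines quoted in this thread.

```python
import re

# Constructed sample: IPCP lines copied from the pppd log quoted in this thread.
SAMPLE_LOG = """\
rcvd [IPCP ConfNak id=0x7 <addrs 10.18.2.1 173.x.x.x>]
sent [IPCP ConfReq id=0x8 <addrs 10.18.2.1 192.0.2.1>]
rcvd [IPCP ConfRej id=0x8 <addrs 10.18.2.1 192.0.2.1>]
sent [IPCP ConfReq id=0x9]
rcvd [IPCP ConfAck id=0x9]
Peer refused to agree to our IP address
"""

PACKET = re.compile(r'^(sent|rcvd) \[(\w+) (\w+) id=(0x[0-9a-fA-F]+)(.*)\]$')
ADDRESS_OPTIONS = {"addr", "addrs"}  # option names as pppd prints them

def parse_packets(log):
    """Yield (direction, protocol, code, id, {option: [values]}) per packet line."""
    for line in log.splitlines():
        m = PACKET.match(line.strip())
        if not m:
            continue  # status lines such as "Connection terminated."
        direction, proto, code, pkt_id, rest = m.groups()
        options = {}
        for body in re.findall(r"<([^>]+)>", rest):
            parts = body.split()
            if parts:
                options[parts[0]] = parts[1:]
        yield direction, proto, code, int(pkt_id, 16), options

def diagnose_ipcp(log):
    """Summarise the IPCP address negotiation seen in a pppd debug log."""
    requests, suggested, rejected, acked = {}, {}, set(), None
    for direction, proto, code, pkt_id, options in parse_packets(log):
        key = (proto, direction, code)
        if key == ("IPCP", "sent", "ConfReq"):
            requests[pkt_id] = options       # remember what we asked for
        elif key == ("IPCP", "rcvd", "ConfNak"):
            suggested.update(options)        # peer proposed other values
        elif key == ("IPCP", "rcvd", "ConfRej"):
            rejected.update(options)         # peer refused the option itself
        elif key == ("IPCP", "rcvd", "ConfAck"):
            acked = requests.get(pkt_id, options)
    return {
        "peer_suggested": suggested,
        "peer_rejected": sorted(rejected),
        "acked_without_address": acked is not None and not (ADDRESS_OPTIONS & set(acked)),
        "pppd_gave_up": "Peer refused to agree to our IP address" in log,
    }
```

On the quoted log this reports that the peer rejected the `addrs` option outright and only acknowledged a request with no address option in it, which matches the "Peer refused to agree to our IP address" line.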
Thanks, I will ask the team that looks after the device.
OK, error went away with me doing nothing - must have been something on the server side. Thanks for your help. :)
I experienced the same nonsense when I forgot to use sudo.
Personally, I think openfortivpn should have "You're not root. It's frequently needed" as a printout in its path to an error exit (assuming it's true). For me, it would have saved about 40 minutes of post-afterwork-pondering.
@ageric That looks unrelated. Please open a new ticket.
@ageric Also openfortivpn prints: WARN: This process was not spawned with root privileges, this will probably not work. How can we improve on this? We're open to suggestions.
Yes, you're right. I realized in my state of post-debauchery hangover that I forgot to use sudo.
If root privileges are required for parts of the tunnel setup (as they certainly are), just exit immediately if geteuid() != 0.
Alternatively, make the error path check it and print it last, on every level of logging and debugging. Preferably on a line of its own. It seems to be one of those things that is bound to happen every once in a while no matter what else is done, so going to some effort to show what it is is likely to save you quite a bit of time.
Sounds right, but please open a new ticket as this one is closed and unrelated.
Opened #373 myself to exit immediately if geteuid() != 0.
In the recently released version 1.8.0 openfortivpn exits immediately when it is not started with enough privileges (i.e. when it is not started via sudo or directly launched by root or systemd).
For some reason I started seeing this error yesterday when trying to connect:
Debian Sid, openfortivpn 1.7.1
Updated some packages yesterday so possibly something came in and broke stuff.
Looks different to #154 so opened this new issue.