Closed kenvdh closed 4 years ago
The error message originates here: https://github.com/adrienverge/openfortivpn/blob/68c734361d7f19f9c87a3520dd16dcd5ffb7d48d/src/io.c#L448-L452

In your case the value of `magic` seems to be `54 50` while the expected bytes are `50 50`. Additionally `total` is `48 54` which is way too large and totally inconsistent with the value of `size` (`2f 31`). Looks like garbage but not total garbage as the odds of getting `54 50` instead of `50 50` for `magic` are pretty slim.
See #575. Can you try version 1.13.3?
See also #191. This might be a misconfiguration of the FortiGate appliance.
Hello @DimitriPapadopoulos , thanks for your reply.
I've tested with version 1.13.3, below is the output. It does now log a warning about an outdated fortigate.
About the other issue (191), does this mean it is a bug in the FortiGate software? Or might it be a configuration issue in that part?

```
DEBUG: openfortivpn 1.13.3
DEBUG: revision unavailable
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = ""
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=Kl9FU9p88xpJWVtdR6TPW/iNkCvhYl3Z6ePcp0iw4fZcHvONZS4P87q8ORzuVCkbhDi3T0iKSvWvKDiNHo1/GQ/lideuph2bl/saLjzfFnA5wGyXzFW9AzR1OGC2vdYyr5XXLoXI4k2AZF5GZIhOja39APtdPtC6GDjMOPp70SzuG3bY2eiykvorIOz6bhOj7V8zHvQCwJfkk5hUAU1uO5L6d7sFe85/snEYBN7N24K7zIAC/83Dz9CLu9e/r7wk
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=Kl9FU9p88xpJWVtdR6TPW/iNkCvhYl3Z6ePcp0iw4fZcHvONZS4P87q8ORzuVCkbhDi3T0iKSvWvKDiNHo1/GQ/lideuph2bl/saLjzfFnA5wGyXzFW9AzR1OGC2vdYyr5XXLoXI4k2AZF5GZIhOja39APtdPtC6GDjMOPp70SzuG3bY2eiykvorIOz6bhOj7V8zHvQCwJfkk5hUAU1uO5L6d7sFe85/snEYBN7N24K7zIAC/83Dz9CLu9e/r7wk
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: Retrieving configuration
WARN: Configuration cannot be retrieved in XML format. This FortiGate appliance might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_write thread
DEBUG: ssl_read thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
ERROR: Received bad header from gateway:
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36 20 4d 61 79 20 32 30 32 30 20 30 38 3a 31 36 3a 33 37 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 78 78 78 78 78 78 78 78 2d 78 78 78 78 78 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 73 65 6c 66 27 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 58 2d 43 6f 6e 74 65
(raw) HTTP/1.1 403 Forbidden. Date: Wed, 06 May 2020 08:16:37 GMT. Server: xxxxxxxx-xxxxx. Transfer-Encoding: chunked. Content-Type: text/html. X-Frame-Options: SAMEORIGIN. Content-Security-Policy: frame-ancestors 'self'. X-XSS-Protection: 1; mode=block. X-Cont
INFO: Cancelling threads...
DEBUG: Error canceling safe_ssl_read_thread: No such process
INFO: Cleanup, joining threads...
DEBUG: disconnecting
DEBUG: Waiting for pppd to exit...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
DEBUG: waitpid: pppd exit status code 16
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
```
The raw output says HTTP/1.1 403 Forbidden.
To me this looks as if your account has access to the web portal but it does not have the permission to switch to tunnel mode.
The client does switch, but instead of ppp packets it receives the http error code 403 that shall tell you that you may not open the tunnel. Maybe we should catch this in the lines that @DimitriPapadopoulos has cited and print out a better error message.
FortiOS distinguishes between web access and tunnel access for the ssl vpn and it is possible to give users a shell window in the web portal, the download link for the client (which is useless when you have no tunnel permission), bookmarks e.g. to a single sign-on page... But for using openfortivpn you need both, the web access that allows you to log in, and the tunnel access that allows you to establish the tunnel.
Thank you @mrbaseman, I will ask the admin of the FortiGate to check my profile settings again with this extra info.
@mrbaseman Indeed this is HTTP, I should have noticed. The first line is:

```
48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e
H  T  T  P  /  1  .  1     4  0  3     F  o  r  b  i  d  d  e  n
```

I will add some code to catch that.
@kenvdh About this warning:
WARN: Configuration cannot be retrieved in XML format. This FortiGate appliance might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.
This might be a side-effect of the above issue, or it might be correct. To tell the truth I'm not certain about the relevance of this warning. I expect it to appear when the VPN appliance runs FortiOS 4 which is not maintained anymore and hence vulnerable. Would you happen to know the model of the FortiGate appliance and more importantly the version of FortiOS?
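The header decoding in the first comment above (`total`, `magic`, `size`) and the "code to catch that" mentioned after the hex/ASCII listing, as an added example in C that is not openfortivpn's own code: it parses the 6-byte framing header the client expects after switching to tunnel mode, recognises an HTTP response (whose first bytes decode to exactly the `48 54` / `54 50` / `2f 31` seen in the log) and extracts the status code, so the user sees "HTTP 403" instead of a hex dump. The names `classify_header` and `hdr_info`, the constructed sample buffers, and the framing layout assumed here (big-endian `total`, magic `0x5050`, `size`, with `total == size + 6`, inferred from the bytes discussed in the thread) are this example's own, not the project's source.

```c
/* Added example (not openfortivpn's own code): classify the first bytes that
 * arrive from the gateway after the switch to tunnel mode.
 *
 * Assumed framing (inferred from the thread, not taken from the project):
 * a 6-byte header of three big-endian 16-bit fields, total / magic / size,
 * with magic == 0x5050 and total == size + 6.  An HTTP response starts with
 * the ASCII bytes "HTTP/1", which decode to total=0x4854, magic=0x5450,
 * size=0x2f31: "garbage, but not total garbage", as the first comment says. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN   6
#define HDR_MAGIC 0x5050

enum hdr_kind {
	HDR_OK,            /* well-formed tunnel header */
	HDR_HTTP_RESPONSE, /* portal answered with HTTP instead of tunnel data */
	HDR_BAD            /* neither: garbage or a truncated read */
};

struct hdr_info {
	enum hdr_kind kind;
	uint16_t total, magic, size;
	int http_status;   /* 3-digit status when kind == HDR_HTTP_RESPONSE, else -1 */
};

static uint16_t be16(const uint8_t *p)
{
	return (uint16_t)((p[0] << 8) | p[1]);
}

/* Parse NNN from "HTTP/x.y NNN ..."; returns -1 when no status is present. */
static int http_status(const uint8_t *buf, size_t len)
{
	size_t i = 0;
	int code = 0;

	while (i < len && buf[i] != ' ')   /* skip the "HTTP/x.y" token */
		i++;
	i++;                               /* skip the separating space */
	if (i + 3 > len)
		return -1;
	for (size_t k = 0; k < 3; k++) {
		if (buf[i + k] < '0' || buf[i + k] > '9')
			return -1;
		code = code * 10 + (buf[i + k] - '0');
	}
	return code;
}

struct hdr_info classify_header(const uint8_t *buf, size_t len)
{
	struct hdr_info h = { HDR_BAD, 0, 0, 0, -1 };

	if (len < HDR_LEN)                 /* short read: cannot be a header */
		return h;

	h.total = be16(buf);
	h.magic = be16(buf + 2);
	h.size  = be16(buf + 4);

	/* Test for HTTP before the magic check: "HTTP/" can never satisfy it,
	 * and "the portal refused tunnel mode (HTTP 403)" is far more useful
	 * to the user than "bad header". */
	if (memcmp(buf, "HTTP/", 5) == 0) {
		h.kind = HDR_HTTP_RESPONSE;
		h.http_status = http_status(buf, len);
		return h;
	}

	if (h.magic == HDR_MAGIC && h.total == (uint16_t)(h.size + HDR_LEN))
		h.kind = HDR_OK;
	return h;
}

/* Constructed inputs: the start of the response quoted in the issue, a valid
 * header (total 22 = size 16 + 6) and a header whose lengths disagree. */
static const uint8_t forbidden[] =
	"HTTP/1.1 403 Forbidden\r\nDate: Wed, 06 May 2020 08:16:37 GMT\r\n";
static const uint8_t good[] = { 0x00, 0x16, 0x50, 0x50, 0x00, 0x10 };
static const uint8_t bad[]  = { 0x00, 0x16, 0x50, 0x50, 0x00, 0x11 };

int main(void)
{
	struct hdr_info a = classify_header(forbidden, sizeof(forbidden) - 1);
	struct hdr_info b = classify_header(good, sizeof(good));
	struct hdr_info c = classify_header(bad, sizeof(bad));

	printf("forbidden: kind=%d total=%04x magic=%04x size=%04x status=%d\n",
	       a.kind, a.total, a.magic, a.size, a.http_status);
	printf("good: kind=%d total=%u size=%u\n", b.kind, b.total, b.size);
	printf("bad: kind=%d total=%u size=%u\n", c.kind, c.total, c.size);
	return 0;
}
```

Checking for the literal "HTTP/" prefix before validating `magic` is what turns the opaque hex dump into an actionable message; a defender reading the log can then distinguish "the portal denied tunnel mode for this account or realm" from genuine framing corruption.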
@DimitriPapadopoulos I've asked the admin to send me details on the used fortigate software ... I hope to receive it soon, then I will update the information here. Thanks!
@kenvdh If you feel comfortable compiling openfortivpn, could you build openfortivpn out of the latest GitHub commits (including ec798eef341f2a089cf6d4c7633548b2f1032aa1) and check you see a (more) meaningful error message?
@DimitriPapadopoulos, sure, just finished the test with the latest code. This is the output now:
```
DEBUG: openfortivpn 1.13.3
DEBUG: revision unavailable
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = ""
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=kRRRVxUutAz9iapodlaPEVvTQAqigtVweTkvgKiMI0zfnSsP9aSBJK5jKt1ZQBUKr793r/IICnYr+gh1+jflY4DhkCwwSu2Imbm+WwEdiXCHThKw48kl9x0nhpL3ioRF0SW7+3nMRYBd9nrb8cytKSsTS7GnLzFoIbH2Fp25OQc1SIYq4tj3A/EOBLRSR4we0q3N00Yh7oJhmleJXZ+vyA1lxxailp+CvDy1tbK4F5P+wf1EWAtDWX5FUCNb4Fiw
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=kRRRVxUutAz9iapodlaPEVvTQAqigtVweTkvgKiMI0zfnSsP9aSBJK5jKt1ZQBUKr793r/IICnYr+gh1+jflY4DhkCwwSu2Imbm+WwEdiXCHThKw48kl9x0nhpL3ioRF0SW7+3nMRYBd9nrb8cytKSsTS7GnLzFoIbH2Fp25OQc1SIYq4tj3A/EOBLRSR4we0q3N00Yh7oJhmleJXZ+vyA1lxxailp+CvDy1tbK4F5P+wf1EWAtDWX5FUCNb4Fiw
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: Retrieving configuration
WARN: Configuration cannot be retrieved in XML format. This VPN-SSL portal might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_write thread
DEBUG: ssl_read thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/2
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
ERROR: This SSL-VPN portal does not allow tunnel mode.
INFO: Cancelling threads...
DEBUG: Error canceling safe_ssl_read_thread: No such process
INFO: Cleanup, joining threads...
DEBUG: disconnecting
DEBUG: Waiting for pppd to exit...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
DEBUG: waitpid: pppd exit status code 16
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
```
I have not received any information on the software of the fortigate from the admin so far.
Hello @DimitriPapadopoulos and @mrbaseman,
Thanks to your help and extra logging, the admin found a missing config part "realm" that I needed to include in the settings. So now I have an extra config value "realm = ***" and everything works.
Thank you both for the fast reaction and help! The issue can be closed, the software works fine.
OK I'll adapt the error message accordingly then, and suggest a broader scope of reasons for the 403 HTTP error.
Any feedback on the FortiOS version? Even without telling us the exact version, do you believe this warning makes sense in your case?
WARN: Configuration cannot be retrieved in XML format. This VPN-SSL portal might be outdated and vulnerable, you might not be able to connect from systems with recent OpenSSL libraries.
Hello @DimitriPapadopoulos,
Sorry to say I have not received any information on the FortiOS version, and they are not sharing it with me. So I can only guess this is due to an older version in use. In that case the warning makes sense.
Thanks again, and if I can test the new error messages, let me know.
First of all: thanks for your software! The official FortiClient SSL VPN is impossible to find and get working on Ubuntu 18.04 LTS.
However I stumbled upon an old error: "Received bad header from gateway". I tried different versions ranging from 1.6.0 up to 1.12.0, without any luck fixing this issue.
I have a working account, validated via a web VPN page, that is used to download a (Windows only) VPN client.
This issue had been resolved before, so I hope you can help for this one too. I don't have any info on the server side however.
Logs from the command `sudo openfortivpn -c /etc/openfortivpn/config -v` (with account and server IP removed):
```
DEBUG: openfortivpn 1.12.0
DEBUG: Loaded config file "/etc/openfortivpn/config".
DEBUG: Loaded password from config file "/etc/openfortivpn/config"
DEBUG: Config host = ""
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = ""
DEBUG: Resolving gateway host ip
DEBUG: Establishing ssl connection
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
DEBUG: Cookie: SVPNCOOKIE=WMdMYFPnswAt1EMggzMQVa/spMMKoHiTrXfBRkFxBWqVS+jaL0RlAPHAoAi8sXahoN/JMYb150UFNEQnmwGWBxeRqej9LXcpyX5hynShXWrE23FgULnyI3i1F3XYiVMYlB7RcYAGUvuRJBtVh/5czujSzUgLxHAOSIvdlZ67jCNZibzAvRk1H2BEDKmUZTZriq+qyn5QUJTMhey3K7pZh3gZWBEW7HfaUvfaKqkA5zlbaHUmlutrMXRKfeDJlGco
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=WMdMYFPnswAt1EMggzMQVa/spMMKoHiTrXfBRkFxBWqVS+jaL0RlAPHAoAi8sXahoN/JMYb150UFNEQnmwGWBxeRqej9LXcpyX5hynShXWrE23FgULnyI3i1F3XYiVMYlB7RcYAGUvuRJBtVh/5czujSzUgLxHAOSIvdlZ67jCNZibzAvRk1H2BEDKmUZTZriq+qyn5QUJTMhey3K7pZh3gZWBEW7HfaUvfaKqkA5zlbaHUmlutrMXRKfeDJlGco
INFO: Remote gateway has allocated a VPN.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: Retrieving configuration
DEBUG: Establishing the tunnel
DEBUG: ppp_path: /usr/sbin/pppd
DEBUG: Switch to tunneling mode
DEBUG: Starting IO through the tunnel
DEBUG: pppd_read thread
DEBUG: ssl_read thread
DEBUG: ssl_write thread
DEBUG: if_config thread
Using interface ppp0
Connect: ppp0 <--> /dev/pts/0
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
ERROR: Received bad header from gateway:
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 57 65 64 2c 20 30 36 20 4d 61 79 20 32 30 32 30 20 30 36 3a 34 37 3a 34 32 20 47 4d 54 0d 0a 53 65 72 76 65 72 3a 20 78 78 78 78 78 78 78 78 2d 78 78 78 78 78 0d 0a 54 72 61 6e 73 66 65 72 2d 45 6e 63 6f 64 69 6e 67 3a 20 63 68 75 6e 6b 65 64 0d 0a 43 6f 6e 74 65 6e 74 2d 54 79 70 65 3a 20 74 65 78 74 2f 68 74 6d 6c 0d 0a 58 2d 46 72 61 6d 65 2d 4f 70 74 69 6f 6e 73 3a 20 53 41 4d 45 4f 52 49 47 49 4e 0d 0a 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 66 72 61 6d 65 2d 61 6e 63 65 73 74 6f 72 73 20 27 73 65 6c 66 27 0d 0a 58 2d 58 53 53 2d 50 72 6f 74 65 63 74 69 6f 6e 3a 20 31 3b 20 6d 6f 64 65 3d 62 6c 6f 63 6b 0d 0a 58 2d 43 6f 6e 74 65
(raw) HTTP/1.1 403 Forbidden. Date: Wed, 06 May 2020 06:47:42 GMT. Server: xxxxxxxx-xxxxx. Transfer-Encoding: chunked. Content-Type: text/html. X-Frame-Options: SAMEORIGIN. Content-Security-Policy: frame-ancestors 'self'. X-XSS-Protection: 1; mode=block. X-Cont
INFO: Cancelling threads...
DEBUG: disconnecting
DEBUG: Waiting for pppd to exit...
Hangup (SIGHUP)
Modem hangup
Connection terminated.
DEBUG: waitpid: pppd exit status code 16
INFO: pppd: The link was terminated by the modem hanging up.
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: server_addr:
DEBUG: server_port: 443
DEBUG: gateway_addr:
DEBUG: gateway_port: 443
DEBUG: Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
```
Regards, Ken.