
Comments (10)

Milenco commented on August 17, 2024

I did some more research and resolved my issue.

I log in using the command openfortivpn example.com:10443 -u milenco -p mypassword --set-routes=1 --set-dns=1 --user-cert=/root/cert.pem --user-key=/root/cert.key --ca-file=/root/ca.pem. This seems to cause it to take the route of authenticating via my username and password, while authentication actually takes place using my certificates. (In the official client I can fill in whatever I want for the username and password because it identifies me using the certificate.)

When removing the username and password from the openfortivpn command I force it to authenticate using certificates. Now I can connect without any issue. My new command is openfortivpn example.com:10443 --set-routes=1 --set-dns=1 --user-cert=/root/cert.pem --user-key=/root/cert.key --ca-file=/root/ca.pem.

It seems the upgrade from FortiOS 7.2.7 to 7.2.8 reacts differently to sending both user/pass and certificates, causing this issue after our server upgrade.

from openfortivpn.

mrbaseman commented on August 17, 2024

Finally I had the chance to do the promised double-check: With a local user on the Fortigate with certificate authentication and user/password, the certificate and the password must match. If a wrong password is entered, the authentication is aborted:

DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.

from openfortivpn.

Milenco commented on August 17, 2024

Just noticed I was running an older version of openfortivpn. Tested it with the newest version (v1.21.0) but the issue remains:

WARN:   You should not pass the password on the command line. Type it interactively or use a configuration file instead.
DEBUG:  ATTENTION: the output contains sensitive information such as the THE CLEAR TEXT PASSWORD.
DEBUG:  openfortivpn 1.21.0
DEBUG:  revision unavailable
DEBUG:  Loaded configuration file "/etc/openfortivpn/config".
DEBUG:  Configuration host = "example.com"
DEBUG:  Configuration realm = ""
DEBUG:  Configuration port = "10443"
DEBUG:  Configuration username = "milenco"
DEBUG:  Configuration password = "mypassword"
DEBUG:  Resolving gateway host ip
DEBUG:  Establishing ssl connection
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 87380
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 10443
DEBUG:  gateway_ip: 1.2.3.4
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
INFO:   Connected to gateway.
DEBUG:  http_send:
POST /remote/logincheck HTTP/1.1
Host: example.com:10443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie:
Content-Length: 63

username=milenco&credential=mypassword&realm=&ajax=1
DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2024 10:35:25 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

5af
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta http-equiv="Pragma" content="no-cache">
<meta http-equiv="cache-control" content="no-cache">
<meta http-equiv="cache-control" content="must-revalidate">
<meta http-equiv="cache-control" content="no-store">
<title>SSL VPN Remote Access Web Portal</title>
<link href="/sslvpn/css/ssl_style.css" rel="stylesheet" type="text/css">
<script type="text/javascript" src="/remote/fgt_lang?lang=en"></script></head>
<body class="main">
<table class="container" cellpadding="0" cellspacing="0">
<tr>
<td><table class="dialog" width=300 align="center" cellpadding="0" cellspacing="0">
<tr>
<td><table class="header" cellpadding="0" cellspacing="0">
<tr>
<td id="err_title"></td>
</tr>
</table></td>
</tr>
<script>document.getElementById('err_title').innerHTML=fgt_lang['error'];</script>
<!--sslvpnerrmsg=Permission denied.-->
<tr>
<td class="body" height=100>
<table class="body"><tr></td></tr></table></td>
</tr>
<tr><td>
<table class="footer" cellpadding="0" cellspacing="0">
<tr><td>
<input id="ok_button" type="button" value="" onclick="chkbrowser()" style="width:80px">
</td></tr>
</table>
</td></tr>
</table>
</body>
<script language = "javascript">
document.getElementById('ok_button').value=fgt_lang['ok'];
function chkbrowser() {
if (window.location.pathname == "/remote/login")
window.location.reload();
else
window.location.href = "/remote/login";}
</script>
</html>

0


DEBUG:  Empty cookie.
ERROR:  Could not authenticate to gateway. Please check the password, client certificate, etc.
DEBUG:  No cookie given (-7)
INFO:   Closed connection to gateway.
DEBUG:  SO_KEEPALIVE: OFF
DEBUG:  TCP_KEEPIDLE: 7200
DEBUG:  TCP_KEEPINTVL: 75
DEBUG:  TCP_KEEPCNT: 9
DEBUG:  SO_SNDBUF: 16384
DEBUG:  SO_RCVBUF: 87380
DEBUG:  server_addr: 1.2.3.4
DEBUG:  server_port: 10443
DEBUG:  gateway_ip: 1.2.3.4
DEBUG:  gateway_port: 10443
DEBUG:  Setting cipher list to: HIGH:!aNULL:!kRSA:!PSK:!SRP:!MD5:!RC4
DEBUG:  Setting minimum protocol version to: 0x303.
DEBUG:  Gateway certificate validation succeeded.
DEBUG:  http_send:
GET /remote/logout HTTP/1.1
Host: example.com:10443
User-Agent: Mozilla/5.0 SV1
Accept: */*
Accept-Encoding: gzip, deflate, br
Pragma: no-cache
Cache-Control: no-store, no-cache, must-revalidate
If-Modified-Since: Sat, 1 Jan 2000 00:00:00 GMT
Content-Type: application/x-www-form-urlencoded
Cookie: SVPNCOOKIE=
Content-Length: 0


DEBUG:  http_receive:
HTTP/1.1 200 OK
Date: Tue, 19 Mar 2024 10:35:25 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Content-Length: 558
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000

<!DOCTYPE html>
<html><head><script>function fgt_sslvpn_logout(sid) {var cookies = document.cookie.split(';');for (var c = 0; c < cookies.length; ++c) {var one_c = cookies[0];var cookie_key = one_c.split('=')[0];cookie_key.trim();if (cookie_key.search('_eff1a6b3') == null) {var base_name = cookie_key + '=; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=';document.cookie = base_name + '/';document.cookie = base_name + '/proxy/' + sid;}}window.location.href ='/remote/login';}</script></head><body><script>fgt_sslvpn_logout("00000000");</script></body></html>├←]D/OM?7?ZT"Z   ؝
INFO:   L⎺±±␊␍ ⎺┤├↓
▒⎽␤↑4↓4#

from openfortivpn.
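The failed exchange above carries its verdict in two places: the gateway answers 200 OK but clears SVPNCOOKIE (an empty value with an expiry in 1984), and the only human-readable reason is the HTML comment `<!--sslvpnerrmsg=Permission denied.-->` inside a chunked body. The following is an added example, not code from openfortivpn or from the poster, that takes a raw `/remote/logincheck` reply and decides whether a session was actually issued. The two sample replies are constructed: the denied one mirrors the capture above with headers trimmed, the successful one uses an invented cookie value and body.

```python
"""Decide whether a FortiGate SSL-VPN /remote/logincheck reply established a
session.  Added example for this thread, not openfortivpn's own code.
The sample replies below are constructed: the denied one mirrors the
captured exchange in the issue, the successful one is made up."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

Headers = List[Tuple[str, str]]
ERRMSG = re.compile(r"<!--sslvpnerrmsg=(.*?)-->")


@dataclass
class LoginResult:
    status: int
    svpncookie: Optional[str]      # None: no Set-Cookie for it; "": gateway cleared it
    error_message: Optional[str]   # text of <!--sslvpnerrmsg=...-->, if present

    @property
    def authenticated(self) -> bool:
        # A session exists only if the gateway issued a non-empty SVPNCOOKIE
        # on a 200 and did not embed an error marker in the page.
        return self.status == 200 and bool(self.svpncookie) and self.error_message is None


def split_response(raw: bytes) -> Tuple[int, Headers, bytes]:
    """Split a raw HTTP/1.1 reply into (status code, lower-cased header list, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP reply: headers not terminated")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers: Headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name.strip().lower().decode("ascii"),
                        value.strip().decode("latin-1")))
    return status, headers, body


def dechunk(body: bytes) -> bytes:
    """Decode a Transfer-Encoding: chunked body; the gateway sends the error page chunked."""
    out = bytearray()
    pos = 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)   # drop any chunk extension
        pos = end + 2
        if size == 0:
            break
        out += body[pos:pos + size]
        pos += size + 2                                 # data plus its CRLF
    return bytes(out)


def header_values(headers: Headers, name: str) -> List[str]:
    return [v for h, v in headers if h == name]


def cookie_value(headers: Headers, cookie: str) -> Optional[str]:
    """Value the reply sets for `cookie`, "" if it clears it, None if it never mentions it."""
    for v in header_values(headers, "set-cookie"):
        key, _, value = v.split(";", 1)[0].strip().partition("=")
        if key == cookie:
            return value
    return None


def parse_logincheck(raw: bytes) -> LoginResult:
    status, headers, body = split_response(raw)
    if any("chunked" in v.lower() for v in header_values(headers, "transfer-encoding")):
        body = dechunk(body)
    m = ERRMSG.search(body.decode("utf-8", "replace"))
    return LoginResult(status, cookie_value(headers, "SVPNCOOKIE"), m.group(1) if m else None)


def _chunked(payload: bytes) -> bytes:
    return b"%x\r\n" % len(payload) + payload + b"\r\n0\r\n\r\n"


# Constructed from the denied exchange in the issue (headers trimmed).
DENIED_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;\r\n"
    b"Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    + _chunked(b"<html><head><title>SSL VPN Remote Access Web Portal</title></head>"
               b"<body><!--sslvpnerrmsg=Permission denied.--></body></html>")
)

# Constructed success reply; the cookie value and body are invented for the example.
OK_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Set-Cookie: SVPNCOOKIE=deadbeefcafe; path=/; secure; httponly; SameSite=Strict\r\n"
    b"Content-Length: 5\r\n"
    b"Content-Type: text/plain\r\n"
    b"\r\n"
    b"ret=1"
)

if __name__ == "__main__":
    for label, reply in (("denied", DENIED_REPLY), ("ok", OK_REPLY)):
        print(label, parse_logincheck(reply))
```

Keying success on a non-empty SVPNCOOKIE rather than on the HTTP status is the point: the gateway returns 200 for both outcomes, so a client that only checks the status line would try to proceed with an empty cookie, which is exactly the "Empty cookie" / "No cookie given (-7)" path in the debug output above.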

DimitriPapadopoulos commented on August 17, 2024

The server might have moved to SAML with authentication in a web browser. See #867.

You can also give openconnect a try.

from openfortivpn.

DimitriPapadopoulos commented on August 17, 2024

Thank you very much for the explanation.

I wonder whether there are cases where both the certificate and the username/password are required. Otherwise, we could force authentication with the certificate, or at least emit a warning, if user/password are passed as arguments in addition to the user certificate.

from openfortivpn.

Milenco commented on August 17, 2024

For testing I've tried to log in using the official Forticlient VPN client, using username 'foo' while authenticating using my 'milenco' certificates. It seems the username gets fully ignored; there is no mention of it in the logs on the firewall side:

velco-fw # diagnose debug application sslvpn -1
Debug messages will be on for 30 minutes.

velco-fw # diagnose debug application samld -1

velco-fw #
velco-fw # diagnose debug enable

velco-fw # [275:root:1f0]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[275:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f0]no SNI received
[275:root:1f0]client cert requirement: yes
[275:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]no SNI received
[275:root:1f0]client cert requirement: yes
[275:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write finished (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS read finished (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[275:root:1f0]req: /remote/info
[275:root:1f0]capability flags: 0x1cdf
[275:root:1f0]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[275:root:1f0]Destroy sconn 0x547f7e00, connSize=0. (root)
[275:root:1f0]SSL state:warning close notify (4.3.2.1)
[276:root:1f0]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f0]got SNI server name: example.com realm (null)
[276:root:1f0]client cert requirement: yes
[276:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]got SNI server name: example.com realm (null)
[276:root:1f0]client cert requirement: yes
[276:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write finished (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS read finished (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[276:root:1f0]req: /remote/login
[276:root:1f0]rmt_web_auth_info_parser_common:524 no session id in auth info
[276:root:1f0]rmt_web_get_access_cache:873 invalid cache, ret=4103
[276:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[276:root:1f0]sslvpn_auth_check_usrgroup:3049 forming user/group list from policy.
[276:root:1f0]sslvpn_auth_check_usrgroup:3096 got user (0) group (0:2).
[276:root:1f0]sslvpn_validate_user_group_list:1939 validating with SSL VPN authentication rules (2), realm ().
[276:root:1f0]sslvpn_validate_user_group_list:2033 checking rule 1 cipher.
[276:root:1f0]sslvpn_validate_user_group_list:2041 checking rule 1 realm.
[276:root:1f0]sslvpn_validate_user_group_list:2052 checking rule 1 source intf.
[276:root:1f0]sslvpn_validate_user_group_list:2091 checking rule 1 vd source intf.
[276:root:1f0]sslvpn_validate_user_group_list:2590 rule 1 done, got user (0:0) group (0:0) peer group (1).
[276:root:1f0]sslvpn_validate_user_group_list:2033 checking rule 2 cipher.
[276:root:1f0]sslvpn_validate_user_group_list:2041 checking rule 2 realm.
[276:root:1f0]sslvpn_validate_user_group_list:2052 checking rule 2 source intf.
[276:root:1f0]sslvpn_validate_user_group_list:2590 rule 2 done, got user (0:0) group (0:0) peer group (2).
[276:root:1f0]sslvpn_validate_user_group_list:2598 got user (0:0) group (0:0) peer group (2).
[276:root:1f0]sslvpn_validate_user_group_list:2945 got user (0:0), group (0:0) peer group (2).
[276:root:1f0]fam_cert_send_req:1174 peer group 'vpn_admins' is sent for verification.
[276:root:1f0]fam_cert_send_req:1174 peer group 'vpn_users' is sent for verification.
[276:root:1f0]fam_cert_send_req:1180 doing authentication for 2 group(s).
[276:root:1f0][fam_cert_proc_resp:1978] Authenticated groups (2) by FNBAM with auth_type (0):
[276:root:1f0]fam_cert_proc_resp:1996 found node vpn_admins:0:, valid:1, auth:0
[276:root:1f0]auth_rsp_data.matched_cert_grps[0] = vpn_admins
[276:root:1f0]fam_cert_proc_resp:1996 found node vpn_users:0:, valid:1, auth:0
[276:root:1f0]auth_rsp_data.matched_cert_grps[1] = vpn_users
[276:root:1f0]fam_cert_proc_resp:2027 match rule (2), user (milenco:vpn_admins) portal (full-access).
[276:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[276:root:0]get tunnel link address4
[276:root:1f0]rmt_web_session_create:1029 create web session, idx[0]
[276:root:1f0]rmt_hcinstall_cb_handler:210 enter
[276:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[276:root:1f0]rmt_hcinstall_cb_handler:288 hostchk needed : 1.
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f0]SSL state:warning close notify (4.3.2.1)
[276:root:1f0]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[276:root:1f0]Destroy sconn 0x547f7e00, connSize=1. (root)
[276:root:1f0]SSL state:warning close notify (4.3.2.1)
[277:root:1f0]allocSSLConn:310 sconn 0x547f8400 (0:root)
[277:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f0]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f0]got SNI server name: example.com realm (null)
[277:root:1f0]client cert requirement: yes
[277:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]got SNI server name: example.com realm (null)
[277:root:1f0]client cert requirement: yes
[277:root:1f0]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write finished (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f0]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS read finished (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f0]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f0]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[277:root:1f0]req: /remote/hostcheck_validate
[277:root:1f0]Transfer-Encoding n/a
[277:root:1f0]Content-Length 202
[277:root:1f0]readPostEnter:17 Post Data length 202.
[277:root:1f0]rmt_hcvalidate_cb_handler:327 enter
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[277:root:1f0]rmt_hcvalidate_cb_handler:379 hostchk needed : 1
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]host check result:3 0000,14.4.0,04:bf:1b:4d:c7:cc
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f0]Transfer-Encoding n/a
[277:root:1f0]Content-Length 202
[277:root:1f0]SSL state:warning close notify (4.3.2.1)
[277:root:1f0]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[277:root:1f0]Destroy sconn 0x547f8400, connSize=1. (root)
[277:root:1f0]SSL state:warning close notify (4.3.2.1)
[275:root:1f1]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[275:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[275:root:1f1]got SNI server name: example.com realm (null)
[275:root:1f1]client cert requirement: yes
[275:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]got SNI server name: example.com realm (null)
[275:root:1f1]client cert requirement: yes
[275:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write finished (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[275:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS read finished (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[275:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[275:root:1f1]req: /remote/fortisslvpn
[275:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[275:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[275:root:1f1]User Agent: FortiSSLVPN (Mac OS X; SV1 [SV{v=02.01; f=07;}])
[275:root:1f1]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[275:root:1f1]Destroy sconn 0x547f7e00, connSize=0. (root)
[275:root:1f1]SSL state:warning close notify (4.3.2.1)
[276:root:1f1]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[276:root:1f1]got SNI server name: example.com realm (null)
[276:root:1f1]client cert requirement: yes
[276:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]got SNI server name: example.com realm (null)
[276:root:1f1]client cert requirement: yes
[276:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write finished (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[276:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS read certificate verify (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS read finished (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[276:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[276:root:1f1]req: /remote/fortisslvpn_xml
[276:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[276:root:1f1]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.10.11.130] app session idx[2]
[276:root:1f1]sslConnGotoNextState:317 error (last state: 1, closeOp: 0)
[276:root:1f1]Destroy sconn 0x547f7e00, connSize=1. (root)
[276:root:1f1]SSL state:warning close notify (4.3.2.1)
[277:root:1f1]allocSSLConn:310 sconn 0x547f8400 (0:root)
[277:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f1]SSL state:before SSL initialization (4.3.2.1)
[277:root:1f1]got SNI server name: example.com realm (null)
[277:root:1f1]client cert requirement: yes
[277:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write change cipher spec (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]got SNI server name: example.com realm (null)
[277:root:1f1]client cert requirement: yes
[277:root:1f1]SSL state:SSLv3/TLS read client hello (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write server hello (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 write encrypted extensions (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write certificate request (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write certificate (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 write server certificate verify (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write finished (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data:(null)(4.3.2.1)
[277:root:1f1]SSL state:TLSv1.3 early data (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS read client certificate (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS read finished (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f1]SSL state:SSLv3/TLS write session ticket (4.3.2.1)
[277:root:1f1]SSL established: TLSv1.3 TLS_AES_256_GCM_SHA384
[277:root:1f1]No client certificate
[277:root:1f1]req: /remote/sslvpn-tunnel2?uuid=32190D99E7FE
[277:root:1f1]sslvpn_tunnel2_handler,60, Calling rmt_conn_access_ex.
[277:root:1f1]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[],csrf_token=[24C0CB9CF9973CD870B0ED2BB0A89CFC],idx=0,auth=32,sid=7cc20bb3,login=1710936188,access=1710936188,saml_logout_url=no,pip=no,grp_info=[g8cRh6],rmt_grp_info=[]
[277:root:1f1]normal tunnel2 request received.
[277:root:1f1]sslvpn_tunnel2_handler,171, fct_uuid = 32190D99E7FE50D09A8AB7C68CAB46F8
[277:root:1f1]sslvpn_tunnel2_handler,179, Calling tunnel2 with hostname (null).
[277:root:1f1]tunnel2_enter:1558 0x547f8400:0x5417dc00 sslvpn user[milenco,cn=milenco],type 32,logintime 0 vd 0 vrf 0
[277:root:1f1]tun dev (ssl.root) opened (32)
[277:root:1f1]fsv_associate_fd_to_ipaddr:2335 associate 10.10.11.130 to tun (ssl.root:32)
[277:root:1f1]proxy arp: scanning 13 interfaces for IP 10.10.11.130
[277:root:1f1]no ethernet address for proxy ARP
[277:root:1f1]sslvpn_user_match:1171 add user milenco in group vpn_admins
[277:root:1f1]Will add auth policy for policy 29
[277:root:1f1]sslvpn_user_match:1171 add user milenco in group vpn_admins
[277:root:1f1]Will add auth policy for policy 25
[277:root:1f1]sslvpn_user_match:1171 add user milenco in group vpn_admins
[277:root:1f1]Will add auth policy for policy 18
[277:root:1f1]Add auth logon for user milenco,cn=milenco:vpn_admins, matched group number 1

This is the relevant part from my firewall config:

config vpn ssl settings
    set reqclientcert enable
    set ssl-min-proto-ver tls1-1
    set servercert "star.example.com.2023-2024"
    set idle-timeout 7200
    set tunnel-ip-pools "vpn_address_user" "vpn_address_admin"
    set dns-server1 8.8.8.8
    set dns-server2 9.9.9.9
    set source-interface "wan1" "wan2"
    set source-address "Belgium" "England" "France" "Germany" "Luxembourg" "Netherlands" "vlan_office address" "vlan_server address"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "vpn_users"
            set portal "vpn-access"
        next
        edit 2
            set groups "vpn_admins"
            set portal "full-access"
        next
    end
end

The set reqclientcert enable command causes the client cert requirement: yes notification in the log. So I believe when certificates are forced the username/password gets ignored. I'm not sure if it's possible to optionally supply client certs. If not, forced authentication using certificates can be used if a certificate is supplied.

Hope this helps.

from openfortivpn.
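The firewall capture above is the authoritative record of what the gateway authenticated on: `client cert requirement: yes` on every TLS connection, `fam_cert_proc_resp ... match rule (2), user (milenco:vpn_admins) portal (full-access)` where the certificate groups are matched, and `user=[milenco,cn=milenco]` in the decoded session id, with the `foo` username never appearing. The tunnel connection (`/remote/sslvpn-tunnel2`) is also worth noticing: it reports `No client certificate` and is authorised purely by the session id. The following is an added example, not FortiOS or openfortivpn code, that reduces a `diagnose debug application sslvpn -1` capture to one record per TLS connection so these facts can be checked mechanically. The message layouts are taken from the capture above; the sample input is constructed from it.

```python
"""Summarise a FortiGate 'diagnose debug application sslvpn -1' capture per
TLS connection: was a client certificate demanded, which certificate-derived
identity the gateway matched, to which group/portal, and which tunnel IP it
handed out.  Added example for this thread, not FortiOS or openfortivpn code;
the message layouts are taken from the capture above, and the sample below
is constructed from it."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# "[pid:vdom:counter]message"
LINE = re.compile(r"^\[(?P<conn>\d+:\w+:[0-9a-fA-F]+)\](?P<msg>.*)$")
REQ = re.compile(r"^req: (?P<path>\S+)")
CERT_REQ = re.compile(r"^client cert requirement: (?P<val>yes|no)")
MATCH = re.compile(r"match rule \((?P<rule>\d+)\), user \((?P<user>[^:)]+):(?P<group>[^)]+)\)"
                   r" portal \((?P<portal>[^)]+)\)")
SESSION = re.compile(r"decode session id ok, user=\[(?P<user>[^\]]*)\], group=\[(?P<group>[^\]]*)\]")
TUNNEL_USER = re.compile(r"sslvpn user\[(?P<user>[^\]]*)\]")
TUNNEL_IP = re.compile(r"sslvpn_reserve_dynip:\d+ tunnel vd\[(?P<vd>\w+)\] ip\[(?P<ip>[0-9.]+)\]")


@dataclass
class Conn:
    cid: str
    requests: List[str] = field(default_factory=list)
    cert_required: Optional[bool] = None     # "client cert requirement: yes/no"
    client_cert_missing: bool = False        # "No client certificate"
    matched_rule: Optional[int] = None       # authentication-rule number that matched
    matched_user: Optional[str] = None
    matched_group: Optional[str] = None
    portal: Optional[str] = None
    session_user: Optional[str] = None       # "user,cn=CN" as encoded in the session id
    session_group: Optional[str] = None
    tunnel_ip: Optional[str] = None


def parse_sslvpn_debug(text: str) -> List[Conn]:
    conns: List[Conn] = []
    open_conns = {}                           # conn id -> Conn not yet destroyed
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        cid, msg = m["conn"], m["msg"]
        if msg.startswith("allocSSLConn"):
            open_conns[cid] = Conn(cid)       # ids are reused, so each alloc starts a record
            conns.append(open_conns[cid])
            continue
        conn = open_conns.get(cid)
        if conn is None:
            continue                          # connection whose alloc predates the capture
        if (r := REQ.match(msg)):
            conn.requests.append(r["path"])
        elif (r := CERT_REQ.match(msg)):
            conn.cert_required = r["val"] == "yes"
        elif msg == "No client certificate":
            conn.client_cert_missing = True
        elif (r := MATCH.search(msg)):
            conn.matched_rule = int(r["rule"])
            conn.matched_user, conn.matched_group, conn.portal = r["user"], r["group"], r["portal"]
        elif (r := SESSION.search(msg)):
            conn.session_user, conn.session_group = r["user"], r["group"]
        elif (r := TUNNEL_USER.search(msg)):
            conn.session_user = r["user"]
        elif (r := TUNNEL_IP.search(msg)):
            conn.tunnel_ip = r["ip"]
        elif msg.startswith("Destroy sconn"):
            open_conns.pop(cid, None)
    return conns


def cert_identity(session_user: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Split 'milenco,cn=milenco' into (login name, certificate CN)."""
    if not session_user:
        return None, None
    user, _, rest = session_user.partition(",")
    return user, (rest[3:] if rest.startswith("cn=") else None)


def authenticated_identities(conns: List[Conn]) -> List[Tuple[str, Optional[str], str, str]]:
    """(user, certificate CN, group, portal) for every connection that passed an auth rule."""
    out = []
    for c in conns:
        if c.matched_user is not None:
            out.append((c.matched_user, cert_identity(c.session_user)[1], c.matched_group, c.portal))
    return out


# Constructed sample, reduced from the capture in the issue.
SAMPLE = """\
[276:root:1f0]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f0]client cert requirement: yes
[276:root:1f0]req: /remote/login
[276:root:1f0]fam_cert_proc_resp:2027 match rule (2), user (milenco:vpn_admins) portal (full-access).
[276:root:1f0]deconstruct_session_id:505 decode session id ok, user=[milenco,cn=milenco], group=[vpn_admins],authserver=[],portal=[full-access],host[4.3.2.1],realm=[]
[276:root:1f0]Destroy sconn 0x547f7e00, connSize=1. (root)
[276:root:1f1]allocSSLConn:310 sconn 0x547f7e00 (0:root)
[276:root:1f1]client cert requirement: yes
[276:root:1f1]req: /remote/fortisslvpn_xml
[276:root:1f1]sslvpn_reserve_dynip:1544 tunnel vd[root] ip[10.10.11.130] app session idx[2]
[277:root:1f1]allocSSLConn:310 sconn 0x547f8400 (0:root)
[277:root:1f1]client cert requirement: yes
[277:root:1f1]No client certificate
[277:root:1f1]req: /remote/sslvpn-tunnel2?uuid=32190D99E7FE
[277:root:1f1]tunnel2_enter:1558 0x547f8400:0x5417dc00 sslvpn user[milenco,cn=milenco],type 32,logintime 0 vd 0 vrf 0
"""

if __name__ == "__main__":
    for c in parse_sslvpn_debug(SAMPLE):
        print(c.cid, c.requests, "cert_required=%s" % c.cert_required,
              "no_client_cert=%s" % c.client_cert_missing, cert_identity(c.session_user), c.tunnel_ip)
    print(authenticated_identities(parse_sslvpn_debug(SAMPLE)))
```

Run against a real capture, `authenticated_identities` gives the list of (user, certificate CN, group, portal) tuples the gateway actually granted, which is the thing to compare against what the client claimed to be. One unrelated observation on the quoted config: it sets `ssl-min-proto-ver tls1-1`, while the openfortivpn log above shows the client's own floor is 0x303 (TLS 1.2), so nothing on this page needs TLS 1.1 on the gateway.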

mrbaseman commented on August 17, 2024

I wonder whether there are cases where both the certificate and the username/password are required. Otherwise, we could force authentication with the certificate, or at least emit a warning, if user/password are passed as arguments in addition to the user certificate.

I have been using username/password and certificate in combination. This is not truly a second factor because all the credentials reside on the same client device, but it's at least a good protection against a simple password leak. I still have that VPN running, but I must admit that I haven't used it for a while.

from openfortivpn.

Milenco commented on August 17, 2024

I wonder whether there are cases where both the certificate and the username/password are required. Otherwise, we could force authentication with the certificate, or at least emit a warning, if user/password are passed as arguments in addition to the user certificate.

I have been using username/password and certificate in combination. This is not truly a second factor because all the credentials reside on the same client device, but it's at least a good protection against a simple password leak. I still have that VPN running, but I must admit that I haven't used it for a while.

So using a different username or password in combination with your certificate actually fails to log you in? Because I can't replicate that behavior, but it's very well possible it's because of my configuration.

from openfortivpn.

mrbaseman commented on August 17, 2024

So using a different username or password in combination with your certificate actually fails to log you in? Because I can't replicate that behavior, but it's very well possible it's because of my configuration.

I think so, but I'll try that out. Unfortunately that VPN doesn't respond at all right now. I have to check on-site what's the problem.

Maybe an important detail: in this case users and groups are local ones on the Fortigate. If authentication happens via LDAP or AD things might be different. But I'll check it for local users/groups when I get that setup working again.

from openfortivpn.

Milenco commented on August 17, 2024

Thanks for reporting back! So both methods (just a certificate as well as certificate+user/pass) must be supported.

from openfortivpn.
