Comments (16)
Hi @mrmodolo,
This error is caused by an authentication error. It usually occurs when the username/password couple is not valid. Have you checked that your credentials do work using another official VPN client?
Another cause could be that we don't handle the protocol of your VPN gateway well. Do you have any information on the software version on the remote end?
from openfortivpn.
Thanks for the answer!
Not the case, I have forticlientsslvpn client installed on my machine and I use it every day for remote support! I added the keys '-v -v -v' and made a small change in code to display 'total', 'magic' and 'size':
I believe the FortiGate version is the 5.x! I can also log in via the web interface, attached an image.
➜ ~ sudo /usr/bin/openfortivpn -v -v -v vpn.aws.globosat.com.br:10443 -u xxxxxxx --no-routes --no-dns --trusted-cert c755c435e2ec1221dea85847c190f9b9200013780bf82cefb25b6074562df2cd
WARN: Bad port in config file: "0".
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "vpn.aws.globosat.com.br"
DEBUG: Config port = "10443"
DEBUG: Config username = "xxxxxxx"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=7HAdmxT0/HnYq3HQpZF62rirjuq3UFYLeL1RZunpGfRH0v8nMmdrl8we8RK3iqZu%0aB0ZuUkR2iY1/X3yf0VK7tTPIOSXCVfFjA9w/mf4cs0+8lU4iQKFVTWQSp17sFBlN%0aHGMrtlgHPKFOCK2UBFNUB0ArkI3vImqldZZAo6AmGhEax2fx8wXHKV1qIPQGCYgx%0aZJ
INFO: Remote gateway has allocated a VPN.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: pppd_read_thread
DEBUG: ssl_read_thread
DEBUG: if_config thread
DEBUG: ssl_write_thread
DEBUG: pppd ---> gateway (16 bytes)
pppd: c0 21 01 01 00 0e 01 04 05 4a 05 06 4a 48 10 47
DEBUG: pppd_write thread
ERROR: Received bad header from gateway:
DEBUG: total (18516).
DEBUG: magic (21584).
DEBUG: size (12081).
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 53 75 6e 2c 20 30 34 20 4f 63 74 20 32 30 31 35 20 31 31 3a 31 33 3a 34 39 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 53 75 6e 2c 20 30 34 2d 4f 63 74 2d 32 30 31 35 20 31 31 3a 31 33 3a 34 39 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 53 75 6e 2c 20 30 34 2d 4f 63 74 2d 32 30 31 35 20 31 31 3a 31 33 3a 34 39 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74
(raw) HTTP/1.1 403 Forbidden.
Date: Sun, 04 Oct 2015 11:13:49 GMT.
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 04-Oct-2015 11:13:49 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 04-Oct-2015 11:13:49 GMT; secure; h
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
from openfortivpn.
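Added example, not part of the thread and not openfortivpn's own code: it decodes the first six bytes read from the tunnel into the three 16-bit fields printed in the debug output above, which shows why an HTTP status line produces total 18516, magic 21584 and size 12081. The expected magic value 0x5050 and the rule total == size + 6 are assumptions, and the function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Three 16-bit fields, named as in the debug output above. Big-endian
 * order is inferred from the logged values (0x4854 == 18516). */
struct frame_header { uint16_t total, magic, size; };

/* ASSUMPTION, not stated in the thread: a valid frame carries
 * magic == 0x5050 and total == size + 6 (the header length). */
#define ASSUMED_MAGIC 0x5050u
#define HEADER_LEN 6u

enum header_kind { HDR_VALID, HDR_HTTP, HDR_GARBAGE };

static uint16_t be16(const unsigned char *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

struct frame_header decode_header(const unsigned char *buf)
{
    struct frame_header h = { be16(buf), be16(buf + 2), be16(buf + 4) };
    return h;
}

/* Classify the first bytes read from the tunnel. For HDR_HTTP, *status
 * receives the HTTP status code, or 0 if it cannot be parsed. */
enum header_kind classify_header(const unsigned char *buf, size_t len, int *status)
{
    *status = 0;
    if (len < HEADER_LEN)
        return HDR_GARBAGE;
    if (memcmp(buf, "HTTP/", 5) == 0) {
        char line[32] = {0};            /* bounded, NUL-terminated copy */
        size_t n = len < sizeof(line) - 1 ? len : sizeof(line) - 1;
        memcpy(line, buf, n);
        if (sscanf(line, "HTTP/%*d.%*d %3d", status) != 1)
            *status = 0;
        return HDR_HTTP;                /* gateway answered in HTTP, not PPP */
    }
    struct frame_header h = decode_header(buf);
    if (h.magic == ASSUMED_MAGIC && h.total == h.size + HEADER_LEN)
        return HDR_VALID;
    return HDR_GARBAGE;
}

int main(void)
{
    /* Constructed sample: the status line seen in the (raw) log output. */
    const unsigned char reply[] = "HTTP/1.1 403 Forbidden\r\n";
    struct frame_header h = decode_header(reply);
    int status;
    enum header_kind k = classify_header(reply, sizeof(reply) - 1, &status);
    printf("total=%u magic=%u size=%u kind=%d status=%d\n",
           h.total, h.magic, h.size, (int)k, status);
    return 0;
}
```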
Same problem here, but I'm quite sure the password is correct as it works with the binary client. I have unfortunately no access or information about the server.
# openfortivpn --no-routes --no-dns -v
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "XXXXXX"
DEBUG: Config port = "10443"
DEBUG: Config username = "XXXXXXX"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=yNBN4ZFhx0N0R2EGwRi9OZdOohFBTioHQiBtVG7BEBp2iBkskef7WhsvtYXfWkHv%0aqvm6Py6gnBDmlDuaX9+6QhwzWaZsXYN/nUNTUJk6pjteVTOH75uYKgywZ27OTJee%0aTgS7H9HHQVMoluH1l2Rk5NY8Iw6SWGqbEeo+ngNi5g1oP6QXE1LBFQro4poRqdxU%0at�
INFO: Remote gateway has allocated a VPN.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: pppd_read_thread
DEBUG: ssl_write_thread
DEBUG: ssl_read_thread
DEBUG: if_config thread
DEBUG: pppd ---> gateway (16 bytes)
DEBUG: pppd_write thread
ERROR: Received bad header from gateway:
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 33 20 4f 63 74 20 32 30 31 35 20 32 32 3a 31 32 3a 31 31 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 54 75 65 2c 20 31 33 2d 4f 63 74 2d 32 30 31 35 20 32 32 3a 31 32 3a 31 31 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 54 75 65 2c 20 31 33 2d 4f 63 74 2d 32 30 31 35 20 32 32 3a 31 32 3a 31 31 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74
(raw) HTTP/1.1 403 Forbidden.
Date: Tue, 13 Oct 2015 22:12:11 GMT.
Set-Cookie: SVPNCOOKIE=; path=/; expires=Tue, 13-Oct-2015 22:12:11 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 13-Oct-2015 22:12:11 GMT; secure; h
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
from openfortivpn.
DEBUG: Cookie: SVPNCOOKIE=yNBN4ZFhx0N0R2EGwRi9OZdOohFBTioHQiBtVG7BEBp2iBkskef7WhsvtYXfWkHv%0aqvm6Py6gnBDmlDuaX9+6QhwzWaZsXYN/nUNTUJk6pjteVTOH75uYKgywZ27OTJee%0aTgS7H9HHQVMoluH1l2Rk5NY8Iw6SWGqbEeo+ngNi5g1oP6QXE1LBFQro4poRqdxU%0at�
Seems like there's garbage at the end of the cookie? We may have parsed it wrong or just log it wrong. Given it doesn't work I'm thinking it's the first option.
(I made changes there & probably broke it. Will take a look...).
from openfortivpn.
Hi!
If I can help, please send me an e-mail.
Thanks!
from openfortivpn.
Same problem here, the credentials are the same I use with the official client without any problem. If I give a wrong password to openfortivpn I get a different error message:
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (No cookie given).
INFO: Closed connection to gateway.
so I think that the authentication works correctly and the problem is somewhere else. Just in case it matters: I have to specify a --trusted-cert, as the certificate is not trusted by default. If you need more feedback or testing just let me know, I'll be glad to help.
Paride
from openfortivpn.
@mrmodolo @stefan-langenmaier @legovini Can you try version 1.0.1? There's a chance that it works for you.
from openfortivpn.
It still does not work, but it behaves differently:
VPN account password:
DEBUG: Config host = "xxx"
DEBUG: Config port = "10443"
DEBUG: Config username = "xxx"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=MFpbihJ7voL2gkXTBCQXSoQPNcw3kucMWEGBUlsFhnRWbk3Ba8jBlkerZK6lIOQ0%0aQrxSQD7fVUsKu8OuEBI8HpUZTaFaELLqEHvpx6NTd3T5AiiKjtVECfpu9s4GijBo%0aYeNU6VVctfSsZmxor1ZlTq7wAGJ2xX7x/OJc0px4kjwfLhggLRcCRhytIHfhILkX%0a+��
INFO: Remote gateway has allocated a VPN.
DEBUG: pppd_read_thread
DEBUG: ssl_read_thread
DEBUG: ssl_write_thread
DEBUG: if_config thread
DEBUG: pppd ---> gateway (16 bytes)
pppd: c0 21 01 01 00 0e 01 04 04 00 05 06 19 2a 07 cf
DEBUG: pppd_write thread
ERROR: Received bad header from gateway: 4854 5450 2f31
WARN: Looks like a HTTP 403.
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
INFO: Terminated pppd.
INFO: Logged out.
INFO: Closed connection to gateway.
from openfortivpn.
Hi!
It still does not work!
➜ openfortivpn git:(master) ✗ sudo /usr/bin/openfortivpn -v -v -v -v vpn.aws.globosat.com.br:10443/ --no-routes --no-dns --trusted-cert c755c435e2ec1221dea85847c190f9b9200013780bf82cefb25b6074562df2cd
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "vpn.aws.globosat.com.br"
DEBUG: Config port = "10443"
DEBUG: Config username = "xxxxxx"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=7HAdmxT0/HnYq3HQpZF62rirjuq3UFYLeL1RZunpGfRH0v8nMmdrl8we8RK3iqZu%0aB0ZuUkR2iY1/X3yf0VK7tTPIOSXCVfFjA9w/mf4cs0+8lU4iQKFVTWQSp17sFBlN%0ajlSsWtArHVymaOiuZzk7+gI6RRi8pTDw+RtD2dyFsgNcmh1zp7ev82KsKVkIBeEP%0aX
INFO: Remote gateway has allocated a VPN.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: ssl_read_thread
DEBUG: pppd_read_thread
DEBUG: if_config thread
DEBUG: ssl_write_thread
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
pppd: c0 21 01 01 00 0e 01 04 05 4a 05 06 57 5a 70 ee
ERROR: Received bad header from gateway:
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 32 36 20 4f 63 74 20 32 30 31 35 20 32 33 3a 34 37 3a 32 37 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 32 36 2d 4f 63 74 2d 32 30 31 35 20 32 33 3a 34 37 3a 32 37 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 32 36 2d 4f 63 74 2d 32 30 31 35 20 32 33 3a 34 37 3a 32 37 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74
(raw) HTTP/1.1 403 Forbidden.
Date: Mon, 26 Oct 2015 23:47:27 GMT.
Set-Cookie: SVPNCOOKIE=; path=/; expires=Mon, 26-Oct-2015 23:47:27 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Mon, 26-Oct-2015 23:47:27 GMT; secure; h
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
from openfortivpn.
Hi !
Thanks for your work ! Unfortunately it's not working for me either.
Gateway is a VDOM on Fortigate 1500D FortiOS 5.2.2
Client openfortivpn 1.1.0 package on Fedora 22
Client fortisslvpn OK with same credentials
On fortigate error message is "sslvpn_login_unknown_user"
Logs from openfortivpn
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "XXXXX"
DEBUG: Config port = "443"
DEBUG: Config username = "XXXXX"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
WARN: Error issuing /remote/logincheck request
ERROR: Could not authenticate to gateway (Permission denied).
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
Or
DEBUG: Config host = "XXXXXX"
DEBUG: Config port = "443"
DEBUG: Config username = "XXXXXX"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (No cookie given).
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.
from openfortivpn.
Hi,
I have found the cause of this bug, it appears newer FortiOS versions use a longer hash for the SVPNCOOKIE (or maybe it's a configuration issue?).
I had problems connecting to our various fortinet VPNs, which I believe are on FortiOS 5.2.x.
I have created a pull request to merge this into master:
#23
Note that I have not tested this with the older VPNs which worked before, as I do not have access to one. Please ensure that everything works correctly on those before merging.
from openfortivpn.
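Added example, not part of the thread and not the code from the pull request: one way to pull the SVPNCOOKIE value out of the response headers so that a value longer than the buffer is rejected instead of being cut short or left unterminated, which is the failure the truncated cookies in the logs above point to. The function names, buffer sizes and sample cookie are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy the SVPNCOOKIE value from HTTP response headers into out.
 * Returns the value length, -1 if no cookie was set, or -2 if the value
 * does not fit in outsz bytes (a truncated cookie must never be sent). */
int extract_svpncookie(const char *headers, char *out, size_t outsz)
{
    static const char key[] = "SVPNCOOKIE=";
    const char *p = strstr(headers, key);
    if (p == NULL)
        return -1;
    p += sizeof(key) - 1;
    size_t len = strcspn(p, ";\r\n");   /* value ends at ';' or end of line */
    if (len == 0)
        return -1;                      /* "SVPNCOOKIE=;" clears the cookie */
    if (len >= outsz)
        return -2;                      /* too long: refuse, do not truncate */
    memcpy(out, p, len);
    out[len] = '\0';                    /* always terminated, no trailing junk */
    return (int)len;
}

/* Build a constructed response whose cookie value is value_len bytes long. */
static void make_response(char *dst, size_t dstsz, size_t value_len)
{
    int n = snprintf(dst, dstsz, "HTTP/1.1 200 OK\r\nSet-Cookie: SVPNCOOKIE=");
    for (size_t i = 0; i < value_len && (size_t)n + 1 < dstsz; i++)
        dst[n++] = "ABCDEFGHIJKLMNOP"[i % 16];
    snprintf(dst + n, dstsz - (size_t)n, "; path=/; secure; httponly;\r\n\r\n");
}

int main(void)
{
    /* Constructed sizes: a 300-byte cookie against a short and a long buffer. */
    char resp[1024], small[128], big[512];
    make_response(resp, sizeof(resp), 300);
    printf("128-byte buffer: %d\n", extract_svpncookie(resp, small, sizeof(small)));
    printf("512-byte buffer: %d\n", extract_svpncookie(resp, big, sizeof(big)));
    return 0;
}
```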
Hi!
Now I can connect!
modolo@nibiru:~⟫ sudo openfortivpn -u modolo
VPN account password:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
WARN: No gateway address
INFO: Got addresses: [192.168.102.10], ns [10.1.0.12, 10.1.0.14]
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.
But after connection I think no route is set:
route before connect:
modolo@nibiru:~⟫ route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 5428 0 0 wlp1s0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 lxcbr0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp1s0
route after connect:
255 modolo@nibiru:~⟫ route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
1.1.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 lxcbr0
186.228.37.130 192.168.1.1 255.255.255.255 UGH 0 0 0 wlp1s0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp1s0
Thanks,
Módolo
from openfortivpn.
Hi @mrmodolo,
The broken routes might be a side-effect of commit 7dca981. Could you:
git checkout 38a85d1 # go back before suspicious commit
git cherry-pick 8a4ca14 ab6e879 # apply the COOKIE_SIZE fixes
recompile and try again?
Alternatively, if you're a NetworkManager user, you should try @lkundrak's NetworkManager-fortisslvpn plugin. It handles routes and nameservers in a more standard way.
from openfortivpn.
Hi!
The same thing (now there is no "WARN: No gateway address" when connecting)
modolo@nibiru:~⟫ git checkout 38a85d1
...
modolo@nibiru:~⟫ git cherry-pick 8a4ca14 ab6e879
...
modolo@nibiru:~⟫ sudo openfortivpn -u modolo
VPN account password:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
INFO: Got addresses: [192.168.102.10], ns [10.1.0.12, 10.1.0.14]
INFO: Got addresses: [192.168.102.10], ns [10.1.0.12, 10.1.0.14]
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.
modolo@nibiru:~⟫ route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
1.1.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 lxcbr0
186.228.37.130 192.168.1.1 255.255.255.255 UGH 0 0 0 wlp1s0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp1s0
^CINFO: Cancelling threads...
INFO: Setting ppp interface down.
INFO: Restoring routes...
WARN: Could not delete route through tunnel (No such process).
INFO: Removing VPN nameservers...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
INFO: Logged out.
Thanks for your time.
Marcelo Módolo
from openfortivpn.
Strange... Unfortunately I don't have access to such a VPN anymore, and I don't have time either. I'm sorry.
Here are some suggestions, however:
- If you're not afraid of adding a few log_info() in the code (specifically here and there), you may find out what's going wrong. Here is the intended behavior on startup:
  - Back up current default route
  - Set the current default route as the route to the tunnel gateway
  - Delete the current default route
  - Set the new default route (the one through VPN)
- Use --no-routes and wrap openfortivpn in a script that adds routes itself
- Try the NetworkManager-fortisslvpn plugin.
In any case, keep the feedback coming: it's appreciated. And if you find the root cause, I'll be happy to help write a fix.
from openfortivpn.
I'm just looking through older tickets. The routing issues should be solved now. There were a couple of changes to the routing code, including a fix for #25. Can this ticket be closed? (I think it was mainly about the COOKIE_SIZE which needed to be increased)
from openfortivpn.