Failed to Connect to FortiNet When Getting HTTP 302 Response
I'm trying to connect to the corporate FortiNet VPN, but it mostly fails. The symptom is the same as in issue #359 (closed), so I assume the 302 redirection already means a failure on the server end, but I don't know what is missing on my end.
Launch script:
```bash
#!/usr/bin/env bash
# VPNHOST (the gateway host name) is expected to be exported in the environment.
: "${VPNHOST:?VPNHOST must be set}"

# Run the SAML login in openfortivpn-webview and keep only the cookie value
# (everything after the first '=' of the SVPNCOOKIE line).
function get_cookie {
    openfortivpn-webview \
        --ozone-platform-hint=auto \
        "$VPNHOST" \
        | grep SVPNCOOKIE | cut -d'=' -f2-
}

# Hand the cookie to openconnect (fortinet protocol) and dump the HTTP traffic.
function connect_openconnect {
    openconnect \
        --protocol=fortinet \
        --cookie="$1" \
        -i vpn0 \
        -s 'sudo -E /etc/vpnc/vpnc-script' \
        --dump-http-traffic -vvv \
        "$VPNHOST"
}

# Alternative client: openfortivpn with the same cookie.
function connect_openfortivpn {
    sudo openfortivpn \
        --cookie="$1" \
        "$VPNHOST"
}

COOKIE=$(get_cookie)
if [[ -z "$COOKIE" ]]; then
    echo 'Error on fetching cookie.'
    exit 1
else
    echo "Attempt with cookie=$COOKIE"
fi
# Quote the cookie so the shell does not split it on whitespace.
connect_openconnect "$COOKIE"
#connect_openfortivpn "$COOKIE"
```
The application `openfortivpn-webview` is the Electron application from this project. What it does is output the cookie obtained from our Azure SAML server. If I use `openfortivpn`, this will always succeed, but with `openconnect`, it will often fail with HTTP 302.

As issue #359 (closed) suggests, am I missing other parameters, such as `--resolve`?
Failing log:
```
GET https://<server>/remote/fortisslvpn_xml?dual_stack=1
Attempting to connect to server <server IP>:443
Connected to <server IP>:443
SSL negotiation with <server>
Server certificate verify failed: signer not found
Connected to HTTPS on <server> with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> GET /remote/fortisslvpn_xml?dual_stack=1 HTTP/1.1
> Host: <server>
> User-Agent: Mozilla/5.0 SV1
>
Got HTTP response: HTTP/1.1 302 Found
Date: Tue, 30 Jan 2024 18:21:18 GMT
Server: xxxxxxxx-xxxxx
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Location: /remote/login
Transfer-Encoding: chunked
Content-Type: text/plain
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
Creating SSL connection failed
Cookie was rejected by server; exiting.
```
Success Log:
```
GET https://<server>/remote/fortisslvpn_xml?dual_stack=1
Attempting to connect to server <server IP>:443
Connected to <server IP>:443
SSL negotiation with <server>
Server certificate verify failed: signer not found
Connected to HTTPS on <server> with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> GET /remote/fortisslvpn_xml?dual_stack=1 HTTP/1.1
> Host: <server>
> User-Agent: Mozilla/5.0 SV1
> Cookie: SVPNCOOKIE=<$SVPNCOOKIE>
>
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 30 Jan 2024 18:21:29 GMT
Server: xxxxxxxx-xxxxx
Transfer-Encoding: chunked
Content-Type: text/xml
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
< <?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'><dtls-config heartbeat-interval='10' heartbeat-fail-count='10' heartbeat-idle-timeout='10' client-hello-timeout='10' /><tunnel-method value='ppp' /><tunnel-method value='tun' /><tunnel-method value='websocket' /><auth-ses check-src-ip='1' tun-connect-without-reauth='0' tun-user-ses-timeout='30' /><client-config save-password='on' keep-alive='off' auto-connect='on' /><ipv4><...ROUTING_INFO...></split-tunnel-info></ipv4><idle-timeout val='300' /><auth-timeout val='39600' /></sslvpn-tunnel>
DTLS is enabled on port 443
```
OpenConnect version:
```
❯ openconnect --version
OpenConnect version v9.12
Using GnuTLS 3.8.3. Features present: TPMv2, PKCS#11, RSA software token, HOTP software token, TOTP software token, Yubikey OATH, System keys, DTLS, ESP
Supported protocols: anyconnect (default), nc, gp, pulse, f5, fortinet, array
Default vpnc-script (override with --script): /etc/vpnc/vpnc-script
```
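Read side by side, the failing dump above contains no `> Cookie:` line at all, while the succeeding one carries `Cookie: SVPNCOOKIE=...` and gets the `sslvpn-tunnel` XML back. The following added example (not code from the issue, openconnect or openfortivpn-webview) parses an openconnect `--dump-http-traffic` log and reports whether SVPNCOOKIE was actually sent and how the gateway answered; the two embedded logs are constructed excerpts of the ones quoted above, with placeholder host and cookie values.

```python
import re

# Constructed excerpts of the two openconnect --dump-http-traffic logs quoted
# in the post; <server> and <$SVPNCOOKIE> are placeholders, not real values.
FAILING_LOG = """\
> GET /remote/fortisslvpn_xml?dual_stack=1 HTTP/1.1
> Host: <server>
>
Got HTTP response: HTTP/1.1 302 Found
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly
Location: /remote/login
"""
SUCCESS_LOG = """\
> GET /remote/fortisslvpn_xml?dual_stack=1 HTTP/1.1
> Host: <server>
> Cookie: SVPNCOOKIE=<$SVPNCOOKIE>
>
Got HTTP response: HTTP/1.1 200 OK
Content-Type: text/xml
< <?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'></sslvpn-tunnel>
"""


def analyse_dump(log: str) -> dict:
    """Summarise the /remote/fortisslvpn_xml exchange in an openconnect dump:
    whether SVPNCOOKIE was sent and how the gateway answered."""
    # openconnect prefixes request lines with "> " and response body with "< ".
    cookie_sent = any(line.startswith("> Cookie:") and "SVPNCOOKIE=" in line
                      for line in log.splitlines())
    status = re.search(r"^Got HTTP response: HTTP/1\.\d (\d{3})", log, re.M)
    status = int(status.group(1)) if status else None
    location = re.search(r"^Location: (\S+)", log, re.M)
    location = location.group(1) if location else None
    # An empty value with an expiry in the past tells the client to drop the cookie.
    cookie_cleared = re.search(r"^Set-Cookie: SVPNCOOKIE=;", log, re.M) is not None
    tunnel_config = "<sslvpn-tunnel" in log

    if status == 200 and tunnel_config:
        verdict = "cookie accepted: gateway returned the sslvpn-tunnel config"
    elif not cookie_sent:
        verdict = "request carried no SVPNCOOKIE header: client never sent the cookie"
    elif status == 302 and cookie_cleared:
        verdict = "gateway cleared SVPNCOOKIE and redirected to login: cookie rejected"
    else:
        verdict = "unrecognised exchange"
    return {"cookie_sent": cookie_sent, "status": status, "location": location,
            "cookie_cleared": cookie_cleared, "verdict": verdict}
```

To use it on a live run, capture `openconnect ... --dump-http-traffic -vvv` output to a file and pass its contents to `analyse_dump`; a "never sent the cookie" verdict points at the launch script rather than at the gateway.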