Implement split-DNS in Fortinet
Hello,
I need the split-DNS feature, so that I can access the intranet websites. Here is the output from OpenConnect:
Logs
$ sudo openconnect -vvv --dump-http-traffic --protocol=fortinet -u cezdro corpo1.com:10443
GET https://corpo1.com:10443/
Attempting to connect to server xx.xxx.xxx.xx:10443
Connected to xx.xxx.xxx.xx:10443
SSL negotiation with corpo1.com
Connected to HTTPS on corpo1.com with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> GET / HTTP/1.1
> Host: corpo1.com:10443
> User-Agent: Mozilla/5.0 SV1
>
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 17:48:02 GMT
ETag: "83-65bac873"
Accept-Ranges: bytes
Content-Length: 131
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body length: (131)
< <html><script type="text/javascript">
< if (window!=top) top.location=window.location;top.location="/remote/login";
< </script></html>
Password:
POST https://corpo1.com:10443/remote/logincheck
> POST /remote/logincheck HTTP/1.1
> Host: corpo1.com:10443
> User-Agent: Mozilla/5.0 SV1
> X-Pad: 0000000000000000000000000000000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 79
>
> username=cezdro&credential=REDACTED%24&realm=&ajax=1&just_logged_in=1
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 17:48:08 GMT
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/plain
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
< ret=3,reqid=591177459,polid=1-3-512caf35,grp=,portal=corpo,magic=3-512caf35,tokeninfo=cexxxx%40xxxxxx.net,chal_msg=
Code:
POST https://corpo1.com:10443/remote/logincheck
> POST /remote/logincheck HTTP/1.1
> Host: corpo1.com:10443
> User-Agent: Mozilla/5.0 SV1
> X-Pad: 00000000000000000000000
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 105
>
> username=cezdro&code=458001&realm=&reqid=591177459&polid=1-3-512caf35&grp=&portal=corpo&magic=3-512caf35
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 17:48:21 GMT
Set-Cookie: SVPNCOOKIE=<elided>; path=/; secure; httponly; SameSite=Strict
Transfer-Encoding: chunked
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
< <!DOCTYPE html>
< <html><head>
< <script language='javascript'>
< document.location='/sslvpn/portal.html';
< </script>
< </head></html>
GET https://corpo1.com:10443/remote/fortisslvpn_xml?dual_stack=1
> GET /remote/fortisslvpn_xml?dual_stack=1 HTTP/1.1
> Host: corpo1.com:10443
> User-Agent: Mozilla/5.0 SV1
> Cookie: SVPNCOOKIE=REDACTED
>
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 17:48:21 GMT
Transfer-Encoding: chunked
Content-Type: text/xml
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)
< <?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'><dtls-config heartbeat-interval='10' heartbeat-fail-count='10' heartbeat-idle-timeout='10' client-hello-timeout='10' /><tunnel-method value='ppp' /><tunnel-method value='tun' /><tunnel-method value='websocket' /><auth-ses check-src-ip='1' tun-connect-without-reauth='1' tun-user-ses-timeout='255' /><client-config save-password='on' keep-alive='on' auto-connect='on' /><ipv4><split-dns domains='corpo1.com,corpo2.com,corpo3.com' dnsserver1='192.168.3.1' dnsserver2='192.168.3.254' /><dns domain='corpo1.com' /><dns ip='192.168.3.1' /><dns ip='192.168.3.254' /><assigned-addr ipv4='10.123.123.1' /><split-tunnel-info><addr ip='192.168.3.0' mask='255.255.255.0' /><addr ip='192.168.17.2' mask='255.255.255.255' /><addr ip='10.0.2.0' mask='255.255.255.0' /><addr ip='192.168.2.0' mask='255.255.255.0' /><addr ip='192.168.44.0' mask='255.255.255.248' /></split-tunnel-info></ipv4><idle-timeout val='0' /><auth-timeout val='43200' /></sslvpn-tunnel>
DTLS is enabled on port 10443
Server reports that reconnect-after-drop is allowed within 255 seconds, but only from the same source IP address
WARNING: Got split-DNS domains corpo1.com,corpo2.com,corpo3.com (not yet implemented)
WARNING: Got split-DNS server 192.168.3.1 (not yet implemented)
WARNING: Got split-DNS server 192.168.3.254 (not yet implemented)
Got search domain corpo1.com
Got IPv4 DNS server 192.168.3.1
Got IPv4 DNS server 192.168.3.254
Got Legacy IP address 10.123.123.1
Got IPv4 route 192.168.3.0/255.255.255.0
Got IPv4 route 192.168.17.2/255.255.255.255
Got IPv4 route 10.0.2.0/255.255.255.0
Got IPv4 route 192.168.2.0/255.255.255.0
Got IPv4 route 192.168.44.0/255.255.255.248
Idle timeout is 0 minutes.
Received split routes; not setting default Legacy IP route
UDP SO_SNDBUF: 96000
DTLS initialised. DPD 10, Keepalive 0
Delaying tunnel with reason: PPP negotiation
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
No work to do; sleeping for 935 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
No work to do; sleeping for 935 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
No work to do; sleeping for 934 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
No work to do; sleeping for 934 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
Server presented identical cert on rehandshake
No work to do; sleeping for 864 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM).
> 0000: 01 4a 47 46 74 79 70 65 00 63 6c 74 68 65 6c 6c |.JGFtype.clthell|
> 0010: 6f 00 53 56 50 4e 43 4f 4f 4b 49 45 00 32 71 43 |o.SVPNCOOKIE.2qC|
--8<------------------------------------------
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: awaiting PPP DTLS connection
< 0000: 00 1f 47 46 74 79 70 65 00 73 76 72 68 65 6c 6c |..GFtype.svrhell|
< 0010: 6f 00 68 61 6e 64 73 68 61 6b 65 00 6f 6b 00 |o.handshake.ok.|
Using base_mtu of 1406
After removing TCP/IPv4 headers, MTU of 1366
After removing protocol specific overhead (15 unpadded, 0 padded, 1 blocksize), MTU of 1351
Requesting calculated MTU of 1351
Sending our LCP/id 1 config request to server
PPP state transition from DEAD to ESTABLISH on DTLS channel
Current PPP state: ESTABLISH (encap FORTINET):
in: asyncmap=0x00000000, lcp_opts=0, lcp_magic=0x00000000, ipv4=0.0.0.0, ipv6=none
out: asyncmap=0x00000000, lcp_opts=546, lcp_magic=0x06397f1f, ipv4=10.123.123.1, ipv6=none, solicit_peerns=0, got_peerns=0
Sending PPP LCP Configure-Request packet over DTLS (id 1, 24 bytes total)
> 0000: 00 18 50 50 00 12 ff 03 c0 21 01 01 00 0e 01 04 |..PP.....!......|
> 0010: 05 47 05 06 06 39 7f 1f |.G...9..|
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000: 00 12 50 50 00 0c c0 21 01 01 00 0a 05 06 4f aa |..PP...!......O.|
< 0010: 2f fc |/.|
Received LCP/id 1 Configure-Request from server
Received magic number of 0x4faa2ffc from server
Ack LCP/id 1 config from server
Sending PPP LCP Configure-Ack packet over DTLS (id 1, 20 bytes total)
> 0000: 00 14 50 50 00 0e ff 03 c0 21 02 01 00 0a 05 06 |..PP.....!......|
> 0010: 4f aa 2f fc |O./.|
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000: 00 16 50 50 00 10 c0 21 02 01 00 0e 01 04 05 47 |..PP...!.......G|
< 0010: 05 06 06 39 7f 1f |...9..|
Received LCP/id 1 Configure-Ack from server
Sending our IPCP/id 1 config request to server
PPP state transition from ESTABLISH to OPENED on DTLS channel
Current PPP state: OPENED (encap FORTINET):
in: asyncmap=0x00000000, lcp_opts=0, lcp_magic=0x4faa2ffc, ipv4=0.0.0.0, ipv6=none
out: asyncmap=0x00000000, lcp_opts=546, lcp_magic=0x06397f1f, ipv4=10.123.123.1, ipv6=none, solicit_peerns=0, got_peerns=0
Sending PPP IPCP Configure-Request packet over DTLS (id 1, 20 bytes total)
> 0000: 00 14 50 50 00 0e ff 03 80 21 01 01 00 0a 03 06 |..PP.....!......|
> 0010: 0a 7b 7b 01 |.{{.|
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000: 00 12 50 50 00 0c 80 21 01 01 00 0a 03 06 2e aa |..PP...!........|
< 0010: a5 12 |..|
Received IPCP/id 1 Configure-Request from server
Received peer IPv4 address xx.xxx.xxx.xx from server
Ack IPCP/id 1 config from server
Sending PPP IPCP Configure-Ack packet over DTLS (id 1, 20 bytes total)
> 0000: 00 14 50 50 00 0e ff 03 80 21 02 01 00 0a 03 06 |..PP.....!......|
> 0010: 2e aa a5 12 |....|
No work to do; sleeping for 1000 ms...
Delaying tunnel with reason: PPP negotiation
< 0000: 00 12 50 50 00 0c 80 21 02 01 00 0a 03 06 0a 7b |..PP...!.......{|
< 0010: 7b 01 |{.|
Received IPCP/id 1 Configure-Ack from server
PPP state transition from OPENED to NETWORK on DTLS channel
Current PPP state: NETWORK (encap FORTINET):
in: asyncmap=0x00000000, lcp_opts=0, lcp_magic=0x4faa2ffc, ipv4=xx.xxx.xxx.xx, ipv6=none
out: asyncmap=0x00000000, lcp_opts=546, lcp_magic=0x06397f1f, ipv4=10.123.123.1, ipv6=none, solicit_peerns=0, got_peerns=0
No work to do; sleeping for 1000 ms...
Configured as 10.123.123.1, with SSL disconnected and DTLS established
Session authentication will expire at Fri Mar 15 06:48:49 2024
Detected virtual address range 0x1000-0x7ffffffff000
Using vhost-net for tun acceleration, ring size 32
Kick vhost ring
No work to do; sleeping for 9000 ms...
RX packet 0x60fe5bdf5920(48) [0] [used 6]
RX packet 0x60fe5bdf4280(48) [1] [used 6]
RX packet 0x60fe5be09970(96) [2] [used 6]
RX packet 0x60fe5b817840(53) [3] [used 6]
RX packet 0x60fe5bdf9950(75) [4] [used 6]
RX packet 0x60fe5bdfb240(79) [5] [used 6]
--8<------------------------------------------
^CGot cancel command
Delaying cancel (immediate callback).
PPP state transition from NETWORK to TERMINATE on DTLS channel
Current PPP state: TERMINATE (encap FORTINET):
in: asyncmap=0x00000000, lcp_opts=0, lcp_magic=0x4faa2ffc, ipv4=xx.xxx.xxx.xx, ipv6=none
out: asyncmap=0x00000000, lcp_opts=546, lcp_magic=0x06397f1f, ipv4=10.123.123.1, ipv6=none, solicit_peerns=0, got_peerns=0
Sending PPP LCP Terminate-Request packet over DTLS (id 2, 14 bytes total)
> 0000: 00 0e 50 50 00 08 ff 03 c0 21 05 02 00 04 |..PP.....!....|
Delaying cancel.
No work to do; sleeping for 1000 ms...
< 0000: 00 0c 50 50 00 06 c0 21 06 02 00 04 |..PP...!....|
Received LCP/id 2 Terminate-Ack from server
Read error on DTLS session: Success.
Attempt new DTLS connection
UDP SO_SNDBUF: 86464
GET https://corpo1.com:10443/remote/logout
SSL negotiation with corpo1.com
Connected to HTTPS on corpo1.com with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
> GET /remote/logout HTTP/1.1
> Host: corpo1.com:10443
> User-Agent: Mozilla/5.0 SV1
> Cookie: SVPNCOOKIE=REDACTED
>
Got HTTP response: HTTP/1.1 200 OK
Date: Thu, 14 Mar 2024 17:48:26 GMT
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
Content-Length: 558
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body length: (558)
< <!DOCTYPE html>
< <html><head><script>function fgt_sslvpn_logout(sid) {var cookies = document.cookie.split(';');for (var c = 0; c < cookies.length; ++c) {var one_c = cookies[0];var cookie_key = one_c.split('=')[0];cookie_key.trim();if (cookie_key.search('_f9d42e54') == null) {var base_name = cookie_key + '=; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=';document.cookie = base_name + '/';document.cookie = base_name + '/proxy/' + sid;}}window.location.href ='/remote/login';}</script></head><body><script>fgt_sslvpn_logout("41624cc9");</script></body></html>
Logout successful.
User cancelled (SIGINT/SIGTERM); exiting.
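The gateway's `fortisslvpn_xml` reply above carries a `<split-dns>` element (three domains, two resolvers) that OpenConnect currently logs as "not yet implemented", while the plain `<dns>` elements are applied as a search domain and system-wide resolvers. The following is an added example, not OpenConnect or Fortinet code, of how a client-side hook could consume those values: it parses the same XML shown in the log, checks that every split-DNS server actually sits inside one of the pushed split-tunnel routes (otherwise queries to it would leave the host over the default route, outside the VPN), and builds the systemd-resolved `resolvectl` commands that scope the VPN resolvers to the VPN domains only. The interface name `tun0`, the systemd-resolved backend and the "outside the routes" variant in the usage note are assumptions for illustration.

```python
"""Derive a split-DNS plan from a Fortinet <sslvpn-tunnel> XML document.

Added example (not OpenConnect or Fortinet code). Assumes systemd-resolved
and an interface name supplied by the caller ("tun0" below is hypothetical).
"""
from __future__ import annotations

import ipaddress
import re
import shlex
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

# Copied from the fortisslvpn_xml response in the log above.
SAMPLE_XML = (
    "<?xml version='1.0' encoding='utf-8'?><sslvpn-tunnel ver='2' dtls='1' patch='1'>"
    "<dtls-config heartbeat-interval='10' heartbeat-fail-count='10' heartbeat-idle-timeout='10' client-hello-timeout='10' />"
    "<tunnel-method value='ppp' /><tunnel-method value='tun' /><tunnel-method value='websocket' />"
    "<auth-ses check-src-ip='1' tun-connect-without-reauth='1' tun-user-ses-timeout='255' />"
    "<client-config save-password='on' keep-alive='on' auto-connect='on' />"
    "<ipv4><split-dns domains='corpo1.com,corpo2.com,corpo3.com' dnsserver1='192.168.3.1' dnsserver2='192.168.3.254' />"
    "<dns domain='corpo1.com' /><dns ip='192.168.3.1' /><dns ip='192.168.3.254' />"
    "<assigned-addr ipv4='10.123.123.1' />"
    "<split-tunnel-info><addr ip='192.168.3.0' mask='255.255.255.0' /><addr ip='192.168.17.2' mask='255.255.255.255' />"
    "<addr ip='10.0.2.0' mask='255.255.255.0' /><addr ip='192.168.2.0' mask='255.255.255.0' />"
    "<addr ip='192.168.44.0' mask='255.255.255.248' /></split-tunnel-info></ipv4>"
    "<idle-timeout val='0' /><auth-timeout val='43200' /></sslvpn-tunnel>"
)

# Only hostname characters: these strings end up as resolver arguments.
_DOMAIN_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


@dataclass
class TunnelConfig:
    split_dns_domains: list[str] = field(default_factory=list)
    split_dns_servers: list[str] = field(default_factory=list)
    search_domains: list[str] = field(default_factory=list)
    dns_servers: list[str] = field(default_factory=list)
    routes: list[ipaddress.IPv4Network] = field(default_factory=list)


def _clean_domain(name: str) -> str:
    name = name.strip().rstrip(".").lower()
    if not _DOMAIN_RE.match(name):
        raise ValueError(f"rejecting odd split-DNS domain {name!r}")
    return name


def parse_tunnel_config(xml_text: str | bytes) -> TunnelConfig:
    """Pull split-DNS, classic DNS and split-tunnel routes out of the gateway's XML.

    The document is gateway-supplied, so every address and domain is validated
    before it gets anywhere near a command line or resolver configuration.
    """
    data = xml_text.encode() if isinstance(xml_text, str) else xml_text
    root = ET.fromstring(data)  # stdlib parser; does not resolve external entities
    ipv4 = root.find("ipv4")
    if root.tag != "sslvpn-tunnel" or ipv4 is None:
        raise ValueError("not an <sslvpn-tunnel> document with an <ipv4> section")
    cfg = TunnelConfig()
    sd = ipv4.find("split-dns")
    if sd is not None:
        cfg.split_dns_domains = [_clean_domain(d) for d in sd.get("domains", "").split(",") if d.strip()]
        cfg.split_dns_servers = [str(ipaddress.IPv4Address(sd.get(k)))
                                 for k in ("dnsserver1", "dnsserver2", "dnsserver3") if sd.get(k)]
    for dns in ipv4.findall("dns"):
        if dns.get("domain"):
            cfg.search_domains.append(_clean_domain(dns.get("domain")))
        if dns.get("ip"):
            cfg.dns_servers.append(str(ipaddress.IPv4Address(dns.get("ip"))))
    for addr in ipv4.findall("split-tunnel-info/addr"):
        cfg.routes.append(ipaddress.IPv4Network(f"{addr.get('ip')}/{addr.get('mask')}", strict=False))
    return cfg


def servers_not_in_tunnel(cfg: TunnelConfig) -> list[str]:
    """Split-DNS servers that no pushed route covers: queries to them would
    leave the host via the default route, in clear and outside the VPN."""
    return [s for s in cfg.split_dns_servers
            if not any(ipaddress.IPv4Address(s) in net for net in cfg.routes)]


def resolvectl_plan(cfg: TunnelConfig, iface: str = "tun0") -> list[list[str]]:
    """argv lists for systemd-resolved so the VPN servers answer only VPN domains.

    Domains the gateway also lists as search domains stay plain (usable for
    short names); the rest get the '~' prefix, i.e. routing-only, so they never
    become search suffixes. default-route=no keeps every other lookup on the
    normal resolvers instead of sending it to the corporate ones.
    """
    leaking = servers_not_in_tunnel(cfg)
    if leaking:
        raise ValueError(f"split-DNS servers not reachable via tunnel routes: {leaking}")
    servers = cfg.split_dns_servers or cfg.dns_servers
    domains = cfg.split_dns_domains or cfg.search_domains
    if not servers or not domains:
        raise ValueError("gateway pushed no usable DNS servers or domains")
    scoped = [d if d in cfg.search_domains else f"~{d}" for d in domains]
    return [
        ["resolvectl", "dns", iface, *servers],
        ["resolvectl", "domain", iface, *scoped],
        ["resolvectl", "default-route", iface, "no"],
    ]


if __name__ == "__main__":
    # A vpnc-script hook would run each argv with subprocess.run(argv, check=True).
    for argv in resolvectl_plan(parse_tunnel_config(SAMPLE_XML)):
        print(shlex.join(argv))
```

For the XML in the log this yields `resolvectl dns tun0 192.168.3.1 192.168.3.254`, `resolvectl domain tun0 corpo1.com ~corpo2.com ~corpo3.com` and `resolvectl default-route tun0 no`; both resolvers fall inside the pushed `192.168.3.0/24` route, so the reachability check passes. If a gateway pushed a split-DNS server that none of its split-tunnel routes covered (an assumed misconfiguration, not something in this log), `servers_not_in_tunnel` reports it and the plan is refused rather than silently leaking internal lookups.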