Difference between revisions of "VPN Client"

From Ever changing code
= 2nd WIKI to be matched =
Download and extract the client
wget -q http://kb.arubacloud.com/files/tar-gz/forticlientsslvpn_linux_4-0-2281-tar.aspx -O fortisslvpn.tgz && tar -xzf fortisslvpn.tgz
Install
sudo apt-get install ppp  #pre-req
cd forticlientsslvpn && ./helper/setup.linux.sh

Optional: Install missing root certificate

Optional: Only when 32-bit libraries are not installed on a 64-bit system (they are needed to run 32-bit applications)
Enable the i386 architecture (as root user):
sudo dpkg --add-architecture i386
sudo apt-get update
Install 32-bit libraries (as root user):
sudo apt-get install libc6:i386 libstdc++6:i386

Disable certificate check

Revision as of 22:33, 11 October 2017

Forticlient

Forticlient is available for multiple platforms, but the official downloads do not contain anything for Linux (as of Apr 2017). The Linux client below is therefore the one provided by Arubacloud.

Download, install and accept the license agreement. The archive is fetched over plain HTTP from a third party, so check it against a checksum obtained from a trusted source before running the installer.

$ wget -q http://kb.arubacloud.com/files/tar-gz/forticlientsslvpn_linux_4-0-2281-tar.aspx -O fortisslvpn.tgz && tar -xzf fortisslvpn.tgz
$ cd forticlientsslvpn && ./helper/setup.linux.sh

Connect

Press Ctrl+C, agree to their license (first time only) and then connect to the VPN with:

$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null

GUI

If you wish to run the GUI you may need to install:

sudo apt-get install libgtk2.0-0:i386

Troubleshooting

Error - Peer's certificate is not valid. action is 1

Disable the check

Edit the forticlientsslvpn/helper/config file and set invalid_peer_cert_action=0 (the client then ignores an invalid peer certificate instead of aborting the connection):

sed -n -E 's/^(invalid_peer_cert_action=).*$/\10/p' config    #test: print the line as it would be rewritten
sed -i -E 's/^(invalid_peer_cert_action=).*$/\10/g' config    #substitute in place

Add the required certificate

Your endpoint's SSL certificate is not trusted by your local machine. First, create the hidden trust-store directory:

$ mkdir ~/.fctsslvpn_trustca

Second, locate trust stores on your machine and copy them to the Forticlient trust-store location. Note that the Java cacerts file is a JKS keystore rather than PEM, so the client skips it (see the "cacerts does not contain a certificate or CRL" warning in the output below); only PEM .crt files such as the QuoVadis ones are picked up.

$ locate cacert
$ cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca
$ cp /opt/Citrix/ICAClient/keystore/cacerts/QuoVadis_Root_CA* ~/.fctsslvpn_trustca

Run the connection command

$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
STATUS::Setting up the tunnel
STATUS::Connecting...
NOTICE::ing /home/a_user/.fctsslvpn_trustca
NOTICE::oVadis_Root_CA_2.crt => d7e8dc79.0
WARNING: cacerts does not contain a certificate or CRL: skipping
NOTICE::oVadis_Root_CA_3.crt => 76faf6c0.0
STATUS::Login succeed
STATUS::Starting PPPd
STATUS::Initializing tunnel
STATUS::Connecting to server
STATUS::Connected
STATUS::Tunnel running

Logs

tail -f forticlientsslvpn.log

2nd WIKI to be matched

Optional: Install missing root certificate

cd forticlientsslvpn/helper
mkdir ~/.fctsslvpn_trustca && cd ~/.fctsslvpn_trustca
echo -n | openssl s_client -connect sslvpn.endpoint.com:39953 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem
cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca

Contents of Fortinet trusted certs location

piotr@piotr-x220 /tmp $ ls -lt ~/.fctsslvpn_trustca/
total 232
lrwxrwxrwx 1 piotr piotr     22 Jun  1 15:39 76faf6c0.0 -> QuoVadis_Root_CA_3.crt
-rw-r--r-- 1 piotr piotr   2354 Apr 26 23:54 QuoVadis_Root_CA_3.crt
-rw-r--r-- 1 piotr piotr 210764 Apr 26 23:52 cacerts

Disable certificate check

Edit the file forticlientsslvpn/64bit/helper/config, find the line

invalid_peer_cert_action=1

and change it to

invalid_peer_cert_action=0

This stops a hang on connect due to our firewall having an expired cert. It also disables validation of the VPN server's certificate for every connection, so installing the missing root certificate (above) is the preferable fix where possible.
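The trust-store and config steps above, as an added example rather than code from the wiki: a small POSIX shell helper that splits a PEM bundle (such as the output of openssl s_client -showcerts) into one file per certificate under the trust directory, reports files the client cannot use (Java's cacerts is a JKS keystore, not PEM, which is why the log shows it being skipped), and sets invalid_peer_cert_action in helper/config. The directory and config key are the ones from the page; the cert-N.crt file names are this example's own choice.

```shell
#!/bin/sh
# Added example (not part of the wiki page). Assumes the page's paths:
# trust dir ~/.fctsslvpn_trustca and key invalid_peer_cert_action in helper/config.

# Return 0 if the file is a PEM certificate the client can hash into NAME.0,
# 1 otherwise. A JKS keystore such as Java's cacerts has no PEM markers, so
# the client logs "does not contain a certificate or CRL: skipping" for it.
is_pem_cert() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Split a PEM bundle into cert-1.crt, cert-2.crt, ... inside the trust dir
# and print how many certificates were written. Text between certificates
# (e.g. the subject=/issuer= lines printed by s_client) is dropped.
split_pem_bundle() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".crt"; inside = 1 }
        inside { print > out }
        /-----END CERTIFICATE-----/ { close(out); inside = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Print the names of files in the trust dir that are not PEM certificates,
# i.e. the ones the client would silently skip.
list_unusable() {
    for f in "$1"/*; do
        [ -f "$f" ] && ! is_pem_cert "$f" && basename "$f"
    done
    return 0
}

# Set invalid_peer_cert_action in the helper config (1 = reject an invalid
# peer certificate, 0 = ignore it). Only the existing key is changed; the new
# value is printed so callers can confirm the edit took effect.
set_peer_cert_action() {
    cfg=$1; val=$2
    sed -i -E "s/^(invalid_peer_cert_action=).*$/\\1${val}/" "$cfg"
    sed -n -E 's/^invalid_peer_cert_action=(.*)$/\1/p' "$cfg"
}
```

Typical use: `openssl s_client -showcerts -connect sslvpn.endpoint.com:39953 </dev/null > chain.pem && split_pem_bundle chain.pem ~/.fctsslvpn_trustca`, then `list_unusable ~/.fctsslvpn_trustca` to catch a stray cacerts copy.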

Connect:

./forticlientsslvpn_cli --server sslvpn.endpoint.com:39953 --vpnuser username

When connected you should see a ppp0 interface:

8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1024 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 172.251.251.17 peer 1.1.1.1/32 scope global ppp0
       valid_lft forever preferred_lft forever

Logs

tail -f 

Issues

/lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

Fedora or newer Red Hat, CentOS:

sudo dnf install glibc.i686

error while loading shared libraries: libstdc++.so.6

sudo dnf install libstdc++.i686
