Difference between revisions of "VPN Client"
Revision as of 22:40, 11 October 2017
Forticlient
Forticlient is available for multiple platforms, but the official downloads do not contain anything for Linux (as of Apr 2017). The Linux client described below is therefore the one provided by Arubacloud.
Download, install and accept a license agreement
$ wget -q http://kb.arubacloud.com/files/tar-gz/forticlientsslvpn_linux_4-0-2281-tar.aspx -O fortisslvpn.tgz && tar -xzf fortisslvpn.tgz
$ cd forticlientsslvpn && ./helper/setup.linux.sh
Optional: install 32bit libraries on 64bit system to run 32bit applications
Enable the i386 architecture (as root user):
sudo dpkg --add-architecture i386 && sudo apt-get update
Install 32-bit libraries (as root user):
sudo apt-get install libc6:i386 libstdc++6:i386
Connect
Press Ctrl+C, agree to their license (first time only) and then connect to the VPN with:
$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
When connected you should see output similar to the following:
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1024 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 172.251.251.17 peer 1.1.1.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
GUI
If you wish to run the GUI you may need to install:
sudo apt-get install libgtk2.0-0:i386
Troubleshooting
Error - Peer's certificate is not valid. action is 1
Disable the check
Edit the forticlientsslvpn/helper/config file and set invalid_peer_cert_action=0. With 0 the client proceeds even when the peer certificate fails validation, so where the server's CA certificate is available prefer the next option instead.
sed -n -E 's/^(invalid_peer_cert_action=).*$/\10/p' config   # test: print the line as it would be rewritten
sed -i -E 's/^(invalid_peer_cert_action=).*$/\10/g' config   # substitute in place
Upload required certificate
Your endpoint's SSL certificate is not trusted by your local machine. First, create the hidden trust-store directory:
$ mkdir ~/.fctsslvpn_trustca
Second, locate the trust stores on your machine and copy them to the Forticlient trust-store location:
$ locate cacert
$ cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca
$ cp /opt/Citrix/ICAClient/keystore/cacerts/QuoVadis_Root_CA* ~/.fctsslvpn_trustca
Run the connection command
$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
STATUS::Setting up the tunnel
STATUS::Connecting...
NOTICE::ing /home/a_user/.fctsslvpn_trustca
NOTICE::oVadis_Root_CA_2.crt => d7e8dc79.0
WARNING: cacerts does not contain a certificate or CRL: skipping
NOTICE::oVadis_Root_CA_3.crt => 76faf6c0.0
STATUS::Login succeed
STATUS::Starting PPPd
STATUS::Initializing tunnel
STATUS::Connecting to server
STATUS::Connected
STATUS::Tunnel running
Logs
tail -f forticlientsslvpn.log
2nd WIKI to be matched
Optional: Install missing root certificate
cd forticlientsslvpn/helper
mkdir ~/.fctsslvpn_trustca && cd ~/.fctsslvpn_trustca
echo -n | openssl s_client -connect sslvpn.endpoint.com:39953 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > certificate.pem
cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca
Contents of Fortinet trusted certs location
piotr@piotr-x220 /tmp $ ls -lt ~/.fctsslvpn_trustca/
total 232
lrwxrwxrwx 1 piotr piotr     22 Jun  1 15:39 76faf6c0.0 -> QuoVadis_Root_CA_3.crt
-rw-r--r-- 1 piotr piotr   2354 Apr 26 23:54 QuoVadis_Root_CA_3.crt
-rw-r--r-- 1 piotr piotr 210764 Apr 26 23:52 cacerts
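Both the "Upload required certificate" steps above and this "Install missing root certificate" variant end with PEM files in ~/.fctsslvpn_trustca plus the <subject_hash>.0 symlinks visible in the listing (76faf6c0.0 -> QuoVadis_Root_CA_3.crt is the OpenSSL subject hash of that root). The following script is an added example, not part of the wiki page or of FortiClient: it captures the whole chain an endpoint presents (the sed one-liner above keeps only the first certificate), creates the hash-named symlinks the way c_rehash would, and checks a certificate against the directory with openssl verify before the client is started, so invalid_peer_cert_action can stay at 1. It assumes openssl, awk and coreutils are installed and that the client uses OpenSSL-style subject-hash lookup, as the listing suggests. Note that the client's own WARNING line above says the copied Java "cacerts" keystore is skipped because it is not a PEM certificate; the script skips such files the same way.

```shell
#!/bin/sh
# Added example, not from the wiki page or from FortiClient.
# Builds a FortiClient-style trust directory (PEM .crt files plus
# <subject_hash>.N symlinks) and verifies a certificate against it.
# Assumptions: openssl, awk and coreutils are available; the client looks
# certificates up by OpenSSL subject hash, as the wiki's listing indicates.

TRUSTDIR="${TRUSTDIR:-$HOME/.fctsslvpn_trustca}"

# split_chain BUNDLE DIR
# Writes each certificate in a PEM bundle (e.g. openssl s_client -showcerts
# output) to DIR/chain-N.crt, dropping the text between certificates.
split_chain() {
    awk -v dir="$2" '
        /-BEGIN CERTIFICATE-/ { n++; out = dir "/chain-" n ".crt"; inside = 1 }
        inside                { print > out }
        /-END CERTIFICATE-/   { inside = 0; close(out) }
    ' "$1"
}

# fetch_chain HOST:PORT DIR
# Captures the full chain the endpoint presents, not just the leaf.
# Needs network access; the offline test below does not call it.
fetch_chain() {
    bundle=$(mktemp)
    openssl s_client -showcerts -servername "${1%%:*}" -connect "$1" \
        </dev/null 2>/dev/null >"$bundle"
    split_chain "$bundle" "$2"
    rm -f "$bundle"
}

# rehash_dir DIR
# Creates the <subject_hash>.N symlink for every PEM certificate in DIR, as
# c_rehash does. Non-PEM files (a Java JKS "cacerts" keystore, private keys)
# are skipped, which is what the client's "does not contain a certificate or
# CRL: skipping" warning reports.
rehash_dir() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        if ! grep -q 'BEGIN CERTIFICATE' "$f" 2>/dev/null; then
            echo "skipping non-PEM file: $f" >&2
            continue
        fi
        h=$(openssl x509 -noout -subject_hash -in "$f" 2>/dev/null) || continue
        n=0
        # Do not clobber a link that belongs to a different certificate
        # sharing the same subject hash.
        while [ -L "$dir/$h.$n" ] && [ "$(readlink "$dir/$h.$n")" != "$(basename "$f")" ]; do
            n=$((n + 1))
        done
        ln -sf "$(basename "$f")" "$dir/$h.$n"
    done
}

# verify_against DIR CERT
# Exit 0 only if CERT chains to a certificate trusted in DIR. When this
# passes, the "Peer's certificate is not valid" error should not occur and
# the check in the client config can be left enabled.
verify_against() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Typical use (endpoint must be reachable):
#   mkdir -p "$TRUSTDIR"
#   fetch_chain sslvpn.endpoint.com:39953 "$TRUSTDIR"
#   rehash_dir "$TRUSTDIR"
#   verify_against "$TRUSTDIR" "$TRUSTDIR/chain-1.crt" && echo "chain verifies"
```

If verify_against fails after the chain has been fetched from the endpoint itself, the chain is incomplete or the server certificate really is invalid (for example expired, as the note further down describes); in that case the hash links are not the problem and flipping invalid_peer_cert_action only hides it.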
Disable certificate check
Edit the file forticlientsslvpn/64bit/helper/config and find the following line:
invalid_peer_cert_action=1
Change it to:
invalid_peer_cert_action=0
This stops a hang on connect caused by our firewall having an expired certificate.
Connect
./forticlientsslvpn_cli --server sslvpn.endpoint.com:39953 --vpnuser username
When connected you should see:
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1024 qdisc fq_codel state UNKNOWN group default qlen 3
    link/ppp
    inet 172.251.251.17 peer 1.1.1.1/32 scope global ppp0
       valid_lft forever preferred_lft forever
Logs
tail -f
- Issues
- /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Fedora or newer Red Hat, CentOS:
sudo dnf install glibc.i686
- Issue
- error while loading shared libraries: libstdc++.so.6
sudo dnf install libstdc++.i686
References
- OpenFortiGUI Open Source Fortinet client
- [1] Expect bash script