VPN Client
Forticlient
Forticlient is available for multiple platforms but official downloads do not contain anything for linux (as of Apr 2017). Therefore here below you will find linux client provided by Arubacloud
Download, install and accept a license agreement
$ wget -q http://kb.arubacloud.com/files/tar-gz/forticlientsslvpn_linux_4-0-2281-tar.aspx -O fortisslvpn.tgz && tar -xzf fortisslvpn.tgz $ cd forticlientsslvpn && ./helper/setup.linux.sh
$ wget https://apt.iteas.at/iteas/pool/main/f/forticlient-sslvpn/forticlient-sslvpn_4.4.2332-1_amd64.deb $ dpkg -x forticlient-sslvpn_4.4.2332-1_amd64.deb ./fortigate $ cd ./fortigate/opt/forticlient-sslvpn/64bit
Other sources: forticlient-sslvpn_4.4.2333-1_amd64.deb forticlient-sslvpn_4.4.2332-1_amd64.deb
Optional: install 32bit libraries on 64bit system to run 32bit applications
Enable the i386 architecture (as root user):
sudo dpkg --add-architecture i386 && sudo apt-get update
Install 32-bit libraries (as root user):
sudo apt-get install libc6:i386 libstdc++6:i386
Connect
Press Ctrl+C, Agree Their License (1st time only) & then connect to VPN by:
$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
When connexted you should see similar
8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1024 qdisc fq_codel state UNKNOWN group default qlen 3
link/ppp
inet 172.251.251.17 peer 1.1.1.1/32 scope global ppp0
valid_lft forever preferred_lft forever
GUI
If you wish run with GUI you may need to install
sudo apt-get install libgtk2.0-0:i386
Troubleshooting
Error: Peer's certificate is not valid. action is 1
Disable the check
Edit forticlientsslvpn/helper/config file and set invalid_peer_cert_action=0
sed -n -E 's/^(invalid_peer_cert_action=).*$/\10/p' config #test sed -i -E 's/^(invalid_peer_cert_action=).*$/\10/g' config #substitute
Upload required certificate
Your endpoint SSL certificate is not trusted by your local machine. Firstly, create trustedstore hidden directory
$ mkdir ~/.fctsslvpn_trustca
Secondly locate trusted stores on your machine and copy to Forticlient trustedstores location
$ locate cacert $ cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca $ cp /opt/Citrix/ICAClient/keystore/cacerts/QuoVadis_Root_CA* ~/.fctsslvpn_trustca
Run the connection command
$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null STATUS::Setting up the tunnel STATUS::Connecting... NOTICE::ing /home/a_user/.fctsslvpn_trustca NOTICE::oVadis_Root_CA_2.crt => d7e8dc79.0 WARNING: cacerts does not contain a certificate or CRL: skipping NOTICE::oVadis_Root_CA_3.crt => 76faf6c0.0 STATUS::Login succeed STATUS::Starting PPPd STATUS::Initializing tunnel STATUS::Connecting to server STATUS::Connected STATUS::Tunnel running
- Logs
tail -f forticlientsslvpn.log
Error: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory
Fedora or newer Red Hat, CentOS:
sudo dnf install glibc.i686
sudo dnf install linstdc++.i686
References
- OpenFortiGUI Open Source Fortinet client
- [1] Expect bash script