Actions

VPN Client

From Ever changing code

Forticlient

Forticlient is available for multiple platforms but official downloads do not contain anything for linux (as of Apr 2017). Therefore here below you will find linux client provided by Arubacloud

Download, install and accept a license agreement

wget -q http://kb.arubacloud.com/files/tar-gz/forticlientsslvpn_linux_4-0-2281-tar.aspx -O fortisslvpn.tgz  
 tar -xzf fortisslvpn.tgz && cd forticlientsslvpn && ./helper/setup.linux.sh

 wget https://apt.iteas.at/iteas/pool/main/f/forticlient-sslvpn/forticlient-sslvpn_4.4.2332-1_amd64.deb
 dpkg -x forticlient-sslvpn_4.4.2332-1_amd64.deb ./fortigate
 cd ./fortigate/opt/forticlient-sslvpn/64bit


Ubuntu 18.04 LTS

wget -O - https://repo.fortinet.com/repo/ubuntu/DEB-GPG-KEY | sudo apt-key add - 
#Add the following line in /etc/apt/sources.list
deb [arch=amd64] https://repo.fortinet.com/repo/ubuntu/ /bionic multiverse 
sudo apt-get update 
sudo apt install forticlient


Other sources:

Optional: install 32bit libraries on 64bit system to run 32bit applications

Enable the i386 architecture (as root user):

sudo dpkg --add-architecture i386 && sudo apt-get update

Install 32-bit libraries (as root user):

sudo apt-get install libc6:i386 libstdc++6:i386

Connect

Press Ctrl+C, Agree Their License (1st time only) & then connect to VPN by:

$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null

When connexted you should see similar

8: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1024 qdisc fq_codel state UNKNOWN group default qlen 3
         link/ppp
         inet 172.251.251.17 peer 1.1.1.1/32 scope global ppp0
         valid_lft forever preferred_lft forever

GUI

If you wish run with GUI you may need to install

sudo apt-get install libgtk2.0-0:i386

Troubleshooting

Error: Peer's certificate is not valid. action is 1

Disable the check

Edit forticlientsslvpn/helper/config file and set invalid_peer_cert_action=0

sed -n -E 's/^(invalid_peer_cert_action=).*$/\10/p' config    #test
sed -i -E 's/^(invalid_peer_cert_action=).*$/\10/g' config    #substitute

Upload required certificate

Your endpoint SSL certificate is not trusted by your local machine. Firstly, create trustedstore hidden directory

$ mkdir ~/.fctsslvpn_trustca

Secondly locate trusted stores on your machine and copy to Forticlient trustedstores location

$ locate cacert
$ cp /usr/lib/jvm/java-8-openjdk-amd64/jre/lib/security/cacerts ~/.fctsslvpn_trustca
$ cp /opt/Citrix/ICAClient/keystore/cacerts/QuoVadis_Root_CA* ~/.fctsslvpn_trustca

Run the connection command

$ yes | ./forticlientsslvpn_cli --server sslvpn.server.com:10443 --vpnuser a_user > /dev/null
STATUS::Setting up the tunnel
STATUS::Connecting...
NOTICE::ing /home/a_user/.fctsslvpn_trustca
NOTICE::oVadis_Root_CA_2.crt => d7e8dc79.0
WARNING: cacerts does not contain a certificate or CRL: skipping
NOTICE::oVadis_Root_CA_3.crt => 76faf6c0.0
STATUS::Login succeed
STATUS::Starting PPPd
STATUS::Initializing tunnel
STATUS::Connecting to server
STATUS::Connected
STATUS::Tunnel running
Logs
tail -f forticlientsslvpn.log

Error: /lib/ld-linux.so.2: bad ELF interpreter: No such file or directory

Fedora or newer Red Hat, CentOS:

sudo dnf install glibc.i686

Error: error while loading shared libraries: libstdc++.so.6

sudo dnf install linstdc++.i686

Windows forticlient VPN client only

The FortiNet.com does not provide or develop Linux client therefore the best is to use openfortigui project. But if you have to use Windows, best you can do is to download the official client and install only basic set of features, so only VPN client gets installed. Follow the steps below:

This has worked with version 5.6.6.1167, downloaded in May 2018

  1. Download FortiClientOnlineInstaller.exe file, FortiClient 5.6 for Windows (Win7 or higher supported) from official website
  2. Run installer until you see "Welcome to the FortiClient Setup Wizard"
  3. The installer has downloaded .msi (image) into C:\programdata\Applications\Cache
  4. Open cli with Administration privileges and run FortiClient.msi /quiet /norestart INSTALLLEVEL=1 . Quiet is optional, don't use if you wish to see the progress and features being installed.
  5. FortiClinet application should appear on a list of installed programs
  6. Run FortiClient from Start

This is a feature set controlled by MSI, INSTALLLEVEL switch

Feature Name                  Install level
Feature_Core                  1
Feature_Basic                 1
Feature_AntiVirus             5
Feature_WebFilter             5
Feature_VPN                   3
Feature_SSLVPN                1
Feature_WanAcceleration       5
Feature_EndPointNAC           3
Feature_Firewall              5
Feature_Vulnerability         5
Feature_SingleSignOnMobility  3

The default install level when running msiexec is 100, which means all features are installed. If you do install software to modify the default install level of the Features in the .MSI file, you could then create custom installers by adjusting the install level of unwanted features above a threshold.

References