Comments (12)
Hi,
This "magic" header was figured out empirically by studying how the VPN gateway communicates. I have no official specs or docs, so I don't know what 0x686f
could be. My guess is that your company uses a different version of Fortinet than mine. It would require a new study...
Happy hacking :)
from openfortivpn.
For now, I will just have to use the 'official' client, even though I don't like it.
I don't suppose you have notes somewhere describing the process you used to figure this out? I don't mind digging into it, but I don't even know where to start.
Thanks,
John
Stuck at the same place. But got "ERROR: Received bad header from gateway: 0d0a 0012 5050". There is 0x5050, but it doesn't look like it should be interpreted in that way. But, no idea. Mine, jpoet's and your "header" values look quite distinctive.
Fwiw "6e2e 686f 7374" is the ASCII "n.host" string. I've fixed an error with HTTP header read buffering in my fork; I'm yet to try it against an actual SSLVPN server instance.
As for @ksyz's packet, "0d0a" is \r\n which is an HTTP header separator; the rest (0012 5050) looks like the usual length and magic fields. We probably stopped reading the HTTP header too soon; that might be fixed as well. Will do a pull request shortly.
@jpoet, you may want to install some MITM HTTPS proxy; e.g. Burp. Run it, turn off Proxy->Intercept and set it as --proxy in the official client. You'll be able to see the actual traffic -- see if you see the "**** 5050 ****" response to your sslvpn request and whether you can find the "6e2e 686f 7374"/"n.host" string somewhere.
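An added example in C (not openfortivpn's own code) that reproduces the mistake lkundrak describes: a reader that stops before the empty line ending the HTTP header takes the leftover `\r\n` as the first two frame-header bytes and yields exactly the `0d0a 0012 5050` dump from ksyz's error, whereas a reader that consumes the whole `\r\n\r\n` lands on the length and magic fields. The sample response and the frame-header layout beyond the two fields named in the thread are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FRAME_MAGIC 0x5050

/* Constructed sample of the gateway's reply: an HTTP header block, then the
 * first binary frame. Frame header layout assumed here: total length, magic
 * 0x5050, payload length (16-bit big-endian each); the thread only pins down
 * the first two fields. */
static const uint8_t sample[] =
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n\r\n"
    "\x00\x12\x50\x50\x00\x0c"                          /* 18, magic, 12 */
    "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c"; /* 12-byte payload */
#define SAMPLE_LEN (sizeof sample - 1)

/* Correct: the frame starts right after the empty line ("\r\n\r\n"). */
static long http_header_end(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return (long)(i + 4);
    return -1;
}

/* Buggy: consumes only the last header line's CRLF, so the empty line's
 * "\r\n" (0d0a) is taken as the first two bytes of the frame header. */
static long http_header_end_buggy(const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, "\r\n\r\n", 4) == 0) return (long)(i + 2);
    return -1;
}

/* Six header bytes of the most recent frame, in the format used by the
 * "Received bad header from gateway" message. */
static char last_dump[15];

/* Find the frame with hdr_end() and validate its 6-byte header. Returns the
 * payload length, or -1 on a bad header. */
static int read_first_frame(long (*hdr_end)(const uint8_t *, size_t))
{
    long off = hdr_end(sample, SAMPLE_LEN);
    if (off < 0 || SAMPLE_LEN - (size_t)off < 6) return -1;
    const uint8_t *h = sample + off;
    snprintf(last_dump, sizeof last_dump, "%02x%02x %02x%02x %02x%02x",
             h[0], h[1], h[2], h[3], h[4], h[5]);
    unsigned total = h[0] << 8 | h[1], magic = h[2] << 8 | h[3];
    unsigned payload = h[4] << 8 | h[5];
    if (magic != FRAME_MAGIC || total != payload + 6) return -1;
    return (int)payload;
}
```

Stopping even earlier in the header block (after the status line, say) leaves ASCII header text in front of the frame, which is the "6e2e 686f 7374" / "n.host" symptom seen by jpoet.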
Thanks for the tips, lkundrak. I will give that a try.
First of all, sorry for this late answer.
I found the 0x5050 and the rest by digging around, but maybe other versions of Fortinet VPNs use different magic codes.
@lkundrak, thank you for this precious advice, I'm sure this will help @ksyz and @jpoet solve their issues.
I've modified the code to display more useful information when such an error occurs; please recompile openfortivpn at commit 6ea631c!
@jpoet: here are the tools I've used in my protocol analysis and testing; you may find them helpful: https://git.gnome.org/browse/network-manager-fortisslvpn/tree/contrib
Please take a look at pull request #9, it might fix this. If not, there's a link to the tooling that can obtain useful traces.
Pull request #9 DOES fix this for me. Thank you lkundrak!
Now I just need to figure out the best way to get this working with a split tunnel. I assume I need to pass "--no-routes --no-dns" and then 'manually' add a route for the subnets behind the VPN.
@jpoet yeah. The VPN server exports these in /remote/fortisslvpn or /remote/fortisslvpn_xml resources, but we don't attempt to parse it; it would need some effort (I'm sure the upstream would welcome the patches though).
If you're using the NetworkManager plugin (which is unlikely as I just did a first release a while ago), then you can just add the routes in IPv4->Advanced->Routes (see https://blogs.gnome.org/lkundrak/2015/09/24/fortigate-ssl-vpn-support-added-to-networkmanager/).
Thanks @lkundrak!
Hello!
After a software update of FortiGate, I had a similar problem on version 1.0.1, but 1.1.3 fixed this, thanks!