OpenConnect VPN for Fortinet VPN

I am currently attempting to establish a connection to a Fortinet VPN using the OpenConnect client running on OpenWRT. After configuring the OpenConnect client, I have encountered an issue where, upon restarting the network service, the VPN interface comes up successfully. However, as soon as the VPN interface is active, my internet connectivity is lost. Interestingly, I have successfully connected to the Fortinet server using the same credentials with OpenConnect client on a Mac terminal. I am seeking assistance in resolving this connectivity issue on OpenWRT.

When I checked the routing table, it had 0.0.0.0 as the default gateway. I tried to add the gateway IP as the default gateway, but it gets changed within a few seconds.
What can be the issue for not getting connectivity once the VPN interface is up through OpenConnect on OpenWRT?

Logs:

```
Mon Apr 29 15:55:24 2024 daemon.warn odhcpd[1660]: No default route present, overriding ra_lifetime!
Mon Apr 29 15:55:24 2024 daemon.notice netifd: Forti (10903): Connected to server_ip:443
Mon Apr 29 15:55:24 2024 daemon.notice netifd: Forti (10903): SSL negotiation with server_ip
Mon Apr 29 15:55:24 2024 user.notice firewall: Reloading firewall due to ifup of wan (wan)
Mon Apr 29 15:55:24 2024 daemon.notice netifd: Forti (10903): Server certificate verify failed: signer not found
Mon Apr 29 15:55:24 2024 daemon.notice netifd: Forti (10903): Connected to HTTPS on server_ip with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Mon Apr 29 15:55:24 2024 daemon.notice netifd: Forti (10903): POST https://server_ip/remote/logincheck
Mon Apr 29 15:55:24 2024 daemon.notice netifd: Forti (10903): GET https://server_ip/remote/fortisslvpn_xml?dual_stack=1
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): DTLS is enabled on port 443
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): Server reports that reconnect-after-drop is not allowed. OpenConnect will not
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): be able to reconnect if dead peer is detected. If reconnection DOES work,
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): please report to <openconnect-devel@lists.infradead.org>
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): Got IPv4 DNS server 1.1.1.1
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): Got IPv4 DNS server 8.8.8.8
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): Got Legacy IP address 10.212.134.200
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): Idle timeout is 5 minutes.
Mon Apr 29 15:55:25 2024 daemon.notice netifd: Forti (10903): No split routes received; setting default Legacy IP route
Mon Apr 29 15:55:25 2024 daemon.warn odhcpd[1660]: No default route present, overriding ra_lifetime!
Mon Apr 29 15:55:28 2024 daemon.warn odhcpd[1660]: No default route present, overriding ra_lifetime!
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Failed to connect DTLS tunnel; using HTTPS instead (state 3).
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): GET https://server_ip/remote/fortisslvpn_xml?dual_stack=1
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): SSL negotiation with server_ip
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Server certificate verify failed: signer not found
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Connected to HTTPS on server_ip with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Server reports that reconnect-after-drop is not allowed. OpenConnect will not
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): be able to reconnect if dead peer is detected. If reconnection DOES work,
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): please report to <openconnect-devel@lists.infradead.org>
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Got IPv4 DNS server 1.1.1.1
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Got IPv4 DNS server 8.8.8.8
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Got Legacy IP address 10.212.134.200
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Idle timeout is 5 minutes.
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): No split routes received; setting default Legacy IP route
Mon Apr 29 15:55:30 2024 daemon.notice netifd: Forti (10903): Requesting calculated MTU of 1433
Mon Apr 29 15:55:31 2024 daemon.notice netifd: Forti (10903): Configured as 10.212.134.200, with SSL connected and DTLS in progress
Mon Apr 29 15:55:31 2024 daemon.notice netifd: Forti (10903): Session authentication will expire at Mon Apr 29 23:55:30 2024
Mon Apr 29 15:55:31 2024 daemon.notice netifd: Forti (10903):
Mon Apr 29 15:55:31 2024 daemon.notice netifd: Interface 'Forti' is now up
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: reading /tmp/resolv.conf.d/resolv.conf.auto
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using nameserver 1.1.1.1#53
Mon Apr 29 15:55:31 2024 daemon.notice netifd: Network device 'vpn-Forti' link is up
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using nameserver 8.8.8.8#53
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using nameserver 192.168.0.1#53
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for test
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for onion
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for localhost
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for local
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for invalid
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for bind
Mon Apr 29 15:55:31 2024 daemon.info dnsmasq[1]: using only locally-known addresses for lan
Mon Apr 29 15:55:31 2024 daemon.notice openconnect[10903]: Failed to set vring #0 RX backend: Bad address
Mon Apr 29 15:55:32 2024 user.notice firewall: Reloading firewall due to ifup of Forti (vpn-Forti)
Mon Apr 29 15:55:32 2024 daemon.warn odhcpd[1660]: No default route present, overriding ra_lifetime!
Mon Apr 29 15:55:50 2024 daemon.notice openconnect[10903]: Detected dead peer!
Mon Apr 29 15:55:50 2024 daemon.info openconnect[10903]: GET https://server_ip/remote/fortisslvpn_xml?dual_stack=1
root@OpenWrt:~# route add default gw 10.212.134.200
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         10.212.134.200  0.0.0.0         UG    0      0        0 vpn-Forti
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 vpn-Forti
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@OpenWrt:~# route del default
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 vpn-Forti
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
root@OpenWrt:~# route del default
root@OpenWrt:~# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan
```
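The routing tables in the question show the tunnel interface holding the only default route, with no uplink default route and no host route for the VPN server's address visible. One check worth running in that situation is whether the VPN server itself would be sent into the tunnel, because a tunnel whose own transport packets are routed into it cannot carry traffic. Below is an added example, not code from the thread, from OpenWrt or from OpenConnect: a POSIX sh plus awk script (so it runs under BusyBox on a router) that applies longest-prefix matching to `route -n` output and reports which interface carries packets to a given server address. Both route tables, the interface names and the server address 203.0.113.10 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): check `route -n` output for a tunnel
# that has captured the route to its own VPN server. POSIX sh + awk only, so
# it runs under BusyBox on OpenWrt. Tables and addresses below are constructed.

# Constructed table with the same shape as the one in the question: the tunnel
# owns the default route and there is no host route to the server via wan.
BROKEN_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 vpn-Forti
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

# Constructed table with a /32 host route pinning the server to the uplink.
FIXED_ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
0.0.0.0         0.0.0.0         0.0.0.0         U     0      0        0 vpn-Forti
203.0.113.10    192.168.0.1     255.255.255.255 UGH   0      0        0 wan
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 wan
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 br-lan'

# route_iface_for <ipv4> <route-table-text>
# Prints the interface a longest-prefix match over the table selects for <ipv4>,
# or nothing if no row covers it. The bitwise AND is done per octet by hand
# because POSIX awk has no bit operators.
route_iface_for() {
    printf '%s\n' "$2" | awk -v ip="$1" '
        function band(a, b,   r, p) {
            r = 0
            for (p = 1; p <= 128; p *= 2)
                if (int(a / p) % 2 && int(b / p) % 2) r += p
            return r
        }
        function masklen(mask,   o, i, x, n) {
            n = 0; split(mask, o, ".")
            for (i = 1; i <= 4; i++) { x = o[i]; while (x > 0) { n += x % 2; x = int(x / 2) } }
            return n
        }
        function covers(net, mask, addr,   n, m, a, i) {
            split(net, n, "."); split(mask, m, "."); split(addr, a, ".")
            for (i = 1; i <= 4; i++) if (band(a[i], m[i]) != n[i]) return 0
            return 1
        }
        BEGIN { best = -1; iface = "" }
        # Skip the two header lines; fields: Destination Gateway Genmask ... Iface
        NR > 2 && covers($1, $3, ip) { l = masklen($3); if (l > best) { best = l; iface = $8 } }
        END { print iface }'
}

# diagnose <vpn-server-ipv4> <tunnel-iface> <route-table-text>
# Exit 0: server reachable outside the tunnel. Exit 1: server would be routed
# into the tunnel itself, so the tunnel transport cannot work. Exit 2: no route.
diagnose() {
    via=$(route_iface_for "$1" "$3")
    if [ -z "$via" ]; then
        echo "no route covers $1"
        return 2
    fi
    if [ "$via" = "$2" ]; then
        echo "$1 would be sent through $2 itself: a host route for it via the uplink is missing"
        return 1
    fi
    echo "$1 reachable via $via (not the tunnel)"
    return 0
}

# Stand-alone usage on the router: ./check.sh --live <server-ip> [tunnel-iface]
if [ "${1:-}" = "--live" ]; then
    diagnose "$2" "${3:-vpn-Forti}" "$(route -n)"
fi
```

Run with `--live server_ip vpn-Forti` on the router right after the interface comes up; a non-zero exit means the only path to the VPN server is the tunnel itself, which is the condition to fix before looking at the default route.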

I connect to a Fortigate VPN appliance from (GNU/)Linux daily, and use openfortivpn for that purpose. Maybe try that instead of OpenConnect, and see if it behaves better.

2 Likes

I confirm that openfortivpn should be used for reliable connections. OpenConnect has only experimental support for Fortinet VPN.

1 Like

Is there a sample configuration for username- and password-based configuration of openfortivpn? When executed from the terminal, openfortivpn requires a config file. I am more fond of creating the interface in /etc/config/network. If there is any sample configuration, please pass it to me.
Thank you folks for prompt reply.
Cheers,
Sam