User certificate? #12

Closed
alfem opened this issue Sep 25, 2015 · 15 comments


alfem commented Sep 25, 2015

Looking at the documentation and code, I cannot find an option to point at my user certificate. Our Fortinet VPN needs both server and client certificates.

It would be great if you can add this parameter.

@lkundrak (Collaborator)

@alfem: I was thinking about implementing that.

Please let me know if https://github.com/lkundrak/openfortivpn/tree/client-ssl-cert works for you.

@lkundrak (Collaborator)

@alfem ping?


alfem commented Oct 14, 2015

Sorry, I had no access to my VPN until now.

I am testing your fork, with my user cert (keyword protected) and get this error:

ERROR: SSL_CTX_use_certificate_file: error:140AD009:SSL routines:SSL_CTX_use_certificate_file:PEM lib

I have checked that my cert and keyword work OK with FortiClient. The same error comes out when I do not use the --user-key parameter.

@lkundrak (Collaborator)

Hi. Is the certificate a PEM file? Does it begin with a "-----BEGIN CERTIFICATE-----" line?


alfem commented Oct 22, 2015

Uh, I am afraid it is a PKCS12. This is the format in which our government certs are issued.

I will try to convert it and test again.


alfem commented Oct 22, 2015

It is (almost) working now!

openfortivpn tries to open the connection, but fails with these messages (besides, I have to enter my private key pass phrase thrice):

WARN:   You should not pass the password on the command line. Type it interactively or use a config file instead.
WARN:   Bad port in config file: "0".
Enter PEM pass phrase:
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Enter PEM pass phrase:
ERROR:  Received bad header from gateway:
  (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 54 68 75 2c 20 32 32 20 4f 63 74 20 32 30 31 35 20 31 33 3a 30 32 3a 34 36 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 70 61 74 68 3d 2f 3b 65 78 70 69 72 65 73 3d 54 68 75 2c 20 32 32 2d 4f 63 74 2d 32 30 31 35 20 31 33 3a 30 32 3a 34 36 20 47 4d 54 3b 73 65 63 75 72 65 3b 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 54 68 75 2c 20 32 32 2d 4f 63 74 2d 32 30 31 35 20 31 33 3a 30 32 3a 34 36 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c

  (raw) HTTP/1.1 403 Forbidden.
Date: Thu, 22 Oct 2015 13:02:46 GMT.
Set-Cookie: SVPNCOOKIE=;path=/;expires=Thu, 22-Oct-2015 13:02:46 GMT;secure;httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Thu, 22-Oct-2015 13:02:46 GMT; secure; httpon
INFO:   Cancelling threads...
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
Enter PEM pass phrase:


boospy commented Sep 2, 2016

Is this working now? I have the same problem. All our VPNs use a client cert. I have two things: the client cert (p12), which is password protected, and the CA file. So how do I set this in the config file?

host = vpngateway.bla.com
port = 10443
username = myuser
password = mypassword
trusted-cert = 12c5c8135b94f1535b4bfdaf4299e84b6146ba754d1b0631a0b2b
ca-file=/home/myuser/.fctsslvpn_trustca/ca.crt
user-cert=/home/myuser/.fctsslvpn_trustca/clientzertifikate/clientcert_auth_customer.p12

But where can I set the password for the p12?

Thanks a lot


ckujau commented Sep 3, 2016

@boospy You could remove the password from the pkcs12 certificate. I wouldn't recommend it though, for obvious reasons.


boospy commented Sep 4, 2016

Hello ckujau,

I removed the password from the PKCS file, but I get an error.

WARN:   Bad key in config file: "user-cert".
WARN:   Could not load config file "/home/myuser/MYHOME/openfortivpn-configs/vpntest.conf" (No such file or directory).
INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway (No cookie given).
INFO:   Closed connection to gateway.
INFO:   Logged out.

The file exists and the CA cert is also OK. So what? I had the same error message before I changed the PKCS file.

Thanks a lot :)


ckujau commented Sep 4, 2016

Bad key in config file: "user-cert" looks as if the client-ssl-cert branch hadn't been applied or isn't working. Maybe tell @lkundrak about this?


boospy commented Sep 4, 2016

I've sent @lkundrak an email.


lkundrak commented Sep 6, 2016

@boospy, thanks for the message.

@ckujau, @boospy, please try out this: https://github.com/adrienverge/openfortivpn/tree/lr/ssl-config-file

Previously the ca-file, user-key and user-cert options were only accepted from the command line (contrary to the documentation). Also the error handling was not exactly correct, which is why you got the unhelpful error message.


boospy commented Sep 6, 2016

Hello lkundrak,
thank you. It works perfectly now, after these two commands:

openssl pkcs12 -in path.p12 -out newfile.crt.pem -clcerts -nokeys
openssl pkcs12 -in path.p12 -out newfile.key.pem -nocerts -nodes

Best Regards


alfem commented Sep 21, 2016

Tested and working here.

Sudo and a password-free user private key are both required.

When I tried with a password-protected private key file, the client asks me to enter the password twice in order to connect, and once again to disconnect (weird):

sudo openfortivpn -c openfortivpn.conf 
Enter PEM pass phrase:
INFO:   Connected to gateway.
INFO:   Authenticated.
INFO:   Remote gateway has allocated a VPN.
Enter PEM pass phrase:
INFO:   Got addresses: [10.118.164.218], ns [10.118.96.89, 10.253.2.160]
INFO:   Interface ppp0 is UP.
INFO:   Setting new routes...
INFO:   Adding VPN nameservers...
INFO:   Tunnel is up and running.
^C
INFO:   Cancelling threads...
INFO:   Setting ppp interface down.
INFO:   Restoring routes...
INFO:   Removing VPN nameservers...
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
Enter PEM pass phrase:
INFO:   Logged out.
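The two openssl commands boospy posted above, and alfem's note that the key has to be password-free for an unattended sudo run, amount to a small procedure: split the .p12 into the PEM certificate and key that openfortivpn's user-cert and user-key options take, decide whether the key stays encrypted (interactive pass-phrase prompts) or not (root-only file), and make sure the two files actually belong together. The script below is an added example written for this page; it is not code from openfortivpn or from any participant in the thread. It assumes openssl(1) is installed, and every path and pass phrase in it is a placeholder.

```shell
#!/bin/sh
# Added example, not code from openfortivpn or from anyone in this thread.
# Splits a PKCS#12 bundle into the PEM files that openfortivpn's user-cert and
# user-key options expect, keeps the key root-only, and checks that the two
# files belong together. Assumes openssl(1) is installed; every path and
# pass phrase below is a placeholder chosen for this example.
set -eu

# Pass phrases come from the environment (openssl's env: source), not argv, so
# they never show up in `ps` the way a pass:... argument would.
#   P12PASS  pass phrase protecting the .p12 (required)
#   KEYPASS  if set, the extracted key is re-encrypted under it and openfortivpn
#            will prompt "Enter PEM pass phrase:"; if unset the key is written
#            unencrypted (-nodes), which a scripted sudo run needs and which is
#            why the file must be 0600
#
# Usage (placeholder paths):
#   P12PASS=... KEYPASS=... p12_to_pem ~/vpn/user.p12 /etc/openfortivpn
#   then set  user-cert = /etc/openfortivpn/user-cert.pem
#             user-key  = /etc/openfortivpn/user-key.pem  in the config file

# p12_to_pem P12FILE OUTDIR -> OUTDIR/user-cert.pem, OUTDIR/user-key.pem
p12_to_pem() {
    p12=$1; outdir=$2
    [ -n "${P12PASS:-}" ] || { echo "p12_to_pem: export P12PASS first" >&2; return 1; }
    mkdir -p "$outdir"
    saved_umask=$(umask); umask 077      # never create a world-readable key
    # client certificate only (-clcerts drops CA certs bundled in the .p12)
    openssl pkcs12 -in "$p12" -passin env:P12PASS -clcerts -nokeys \
        -out "$outdir/user-cert.pem"
    if [ -n "${KEYPASS:-}" ]; then
        # key re-encrypted as PKCS#8 under KEYPASS
        openssl pkcs12 -in "$p12" -passin env:P12PASS -nocerts \
            -passout env:KEYPASS -out "$outdir/user-key.pem"
    else
        # plaintext key: protect it with file permissions only
        openssl pkcs12 -in "$p12" -passin env:P12PASS -nocerts -nodes \
            -out "$outdir/user-key.pem"
    fi
    umask "$saved_umask"
    chmod 644 "$outdir/user-cert.pem"    # the certificate is public anyway
    chmod 600 "$outdir/user-key.pem"
}

# key_is_encrypted KEYFILE: true if the PEM key still needs a pass phrase
key_is_encrypted() {
    grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# pem_pair_matches CERTFILE KEYFILE: true if the certificate's public key is the
# one derived from the private key (catches a cert and a key taken from two
# different bundles before openfortivpn ever presents them to the gateway)
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    if [ -n "${KEYPASS:-}" ]; then
        key_pub=$(openssl pkey -in "$2" -passin env:KEYPASS -pubout)
    else
        key_pub=$(openssl pkey -in "$2" -pubout)
    fi
    [ "$cert_pub" = "$key_pub" ]
}
```

Run it once with KEYPASS set to keep the pass-phrase prompts alfem describes, or without it for a password-free key that only root can read; either way check `pem_pair_matches` before blaming the gateway for an authentication failure.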

@ephemeric

Hi,
This worked perfectly the first time! I cannot thank you enough for this project, thank you! I pulled apart the official Linux FortiClient on CentOS 7 and it is awful. It only allows a PKCS12 file, yuck.
You sir, are great.
Cheers.
