Could not authenticate to gateway (Bad HTTP response code) #366
Comments
All I can say at this point is that the error message is printed after function auth_log_in() fails: Perhaps Huawei gateways are different from Fortinet gateways. Unfortunately I'm not familiar enough with either Fortinet or Huawei devices. Do the gateway logs provide more info?
@HtwoO , openfortivpn is an ssl vpn client for connecting to Fortigate appliances. I'm not sure if Huawei appliances behave exactly the same way as the ones from Fortinet do.
Thank you for your response. I will look deeper into it.
Did you solve this? I have the same issue with a Fortinet gateway.
I just ran into this, running the official client yielded a better error message: "NOTICE::Insufficient credential(s). Please check the password, client certificate, etc." Now that the credentials are corrected openfortivpn works just fine.
@Claudiuion @turbomettwurst You're connecting to a Fortinet appliance, aren't you? This ticket is about Huawei appliances.
@HtwoO Have you found whether Huawei appliances are supposed to function like Fortigate appliances? Are you able to connect to Huawei appliances using Fortinet's FortiClient software? If not, I suggest we close this ticket.
Yes, @DimitriPapadopoulos , you are right
@turbomettwurst I agree the Bad HTTP response error message is imprecise and not helpful. It covers any HTTP response different from 200. I've tried to fix the most common error in #389, but we really need to switch to a lightweight 3rd party HTTP library or improve
Sorry for the mess :-)
@turbomettwurst If you still reproduce this problem, please do not hesitate to open a new ticket. Be aware though that such issues are usually (perhaps always?) related to authentication failures: wrong password, wrong certificate, blacklisted after too many errors, parallel VPN sessions, etc.
No. I ended up using L2TP over IPSec.
Thank you for the feedback.
For the ones who were following here: In 1.8.0 we have improved the debugging output. The http response code is printed out in debugging mode (when launched with
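As an added illustration of the point made in the comments above (any response other than 200 is reported as "Bad HTTP response code", and 1.8.0 prints the code in debug output), here is one way a client could turn the status line into a more specific diagnostic. This is example code, not openfortivpn's; `http_status_code` and `auth_diagnostic` are hypothetical names, the sample replies are constructed, and the messages follow generic HTTP semantics rather than documented gateway behaviour.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not openfortivpn code): return the status code from
 * the status line "HTTP/<d>.<d> <3 digits> ...", or -1 if it is malformed. */
int http_status_code(const char *resp)
{
	if (resp == NULL || strncmp(resp, "HTTP/", 5) != 0)
		return -1;
	const char *p = resp + 5;
	/* version: one digit, a dot, one digit, then a single space */
	if (!isdigit((unsigned char)p[0]) || p[1] != '.' ||
	    !isdigit((unsigned char)p[2]) || p[3] != ' ')
		return -1;
	p += 4;
	for (int i = 0; i < 3; i++)
		if (!isdigit((unsigned char)p[i]))
			return -1;	/* also catches a reply truncated mid-code */
	/* a fourth digit or other junk after the code is not a valid status line */
	if (p[3] != ' ' && p[3] != '\r' && p[3] != '\n' && p[3] != '\0')
		return -1;
	int code = (p[0] - '0') * 100 + (p[1] - '0') * 10 + (p[2] - '0');
	return code >= 100 ? code : -1;
}

/* Hypothetical mapping from status code to a diagnostic more precise than
 * "Bad HTTP response code"; wording follows generic HTTP semantics. */
const char *auth_diagnostic(int code)
{
	if (code == 200) return "authentication request accepted";
	if (code == 401) return "401 Unauthorized: gateway rejected the supplied credentials";
	if (code == 403) return "403 Forbidden: request understood but refused";
	if (code == 404) return "404 Not Found: login path does not exist on this gateway";
	if (code >= 300 && code < 400) return "3xx: gateway redirected the login request";
	if (code >= 500 && code < 600) return "5xx: gateway-side error";
	if (code < 0) return "malformed reply: peer did not send a valid HTTP status line";
	return "unexpected HTTP status";
}

int main(void)
{
	/* Constructed sample replies, not captured from a real gateway. */
	const char *samples[] = {
		"HTTP/1.1 200 OK\r\n", "HTTP/1.1 401 Unauthorized\r\n",
		"HTTP/1.1 404 Not Found\r\n", "HTTP/1.1 40", "<html>busy</html>",
	};
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		int code = http_status_code(samples[i]);
		printf("%4d  %s\n", code, auth_diagnostic(code));
	}
	return 0;
}
```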
Great, now how do I get 1.8.0 ;-). I have 1.60 from the Mint repos. Will do some reading. A PPA perhaps?
All good found a build here. Useful to know: https://pkgs.org/download/openfortivpn Might pay to put that link in the README.
These are for ubuntu 20.04. I don't know how compatible they are with Mint. In any case such questions should be asked in Mint forums, we don't maintain vendor packages here.
Well, the 1.12 package works fine. But I'd have thought if you're mentioning a 1.8 feature you'd know how to get 1.8. Even if that happened to involve building from source, but that would not have struck me as a first supposition as I sort of expect a major release (1.6, 1.7, 1.8 ...) comes packaged somehow for some systems at least.
We don't package for specific distributions, we just maintain the sources. Building from sources is explained in the very first page of the project: In any case this is unrelated to this issue, which is closed. If needed, please open a new issue. Generally speaking, for issues related to vendor packages and available versions in packages, you need to talk to packagers of the distribution you're interested in. On Linux open source software usually works like this: talk to maintainers about source code and to packagers about packages. We could do both of course but we just don't have time for that. Mint Linux forums are here:
No worries, as I said this: https://pkgs.org/download/openfortivpn Is a great resource and solved the problem for me. The Ubuntu 20.04 package is fine. Always a small gamble depending entirely on all the dependencies that a given package has, but if they are few or none (the package is well self contained) no problems taking a package from an upstream version of Ubuntu or even Debian usually ... and that website is one dandy resource!
The other day I was trying to connect to my SSLVPN gateway on Huawei USG6620. I got an error saying "ERROR: Could not authenticate to gateway (Bad HTTP response code)." Below are a more detailed log and the process I used to set up the VPN.
On client side, I built openfortivpn-1.7.1, to be used on Debian Stretch.
I put the self-signed CA swan.crt in /usr/local/share/ca-certificates/swan/
and then ran update-ca-certificates
Then I ran openfortivpn to connect to the gateway.
sudo openfortivpn vpn-gateway:443 --username=cat1 --cipher-list=AES256-SHA256 --trusted-cert (censored-fingerprint) -v
WARN: Bad port in config file: "0".
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "censored.gateway.net"
DEBUG: Config realm = ""
DEBUG: Config port = "443"
DEBUG: Config username = "cat1"
DEBUG: Config password = "********"
DEBUG: server_addr: censored.gateway.ip
DEBUG: server_port: 443
DEBUG: gateway_addr: censored.gateway.ip
DEBUG: gateway_port: 443
DEBUG: Gateway certificate validation succeeded.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (Bad HTTP response code).
INFO: Closed connection to gateway.
DEBUG: server_addr: censored.gateway.ip
DEBUG: server_port: 443
DEBUG: gateway_addr: censored.gateway.ip
DEBUG: gateway_port: 443
DEBUG: Gateway certificate validation succeeded.
INFO: Logged out.
Gateway setting on Huawei USG6620
v-gateway public ssl version tlsv11 tlsv12
v-gateway public ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
v-gateway public certificate-server gw_local.cer enable
v-gateway ssl interface GigabitEthernet1/0/3 private censored.gateway.net
v-gateway ssl alias ssl
#****BEGIN***ssl**1****#
(Just prevent being interpreted wrongly)v-gateway ssl
basic
...
ssl ciphersuit custom aes256-sha non-des-cbc3-sha aes128-sha
certificate-server gw_local.cer enable
certificate-ca certificate-file dr.cat1.crt.pem enable
...
security
policy-default-action permit vt-src-ip
certification cert-anonymous cert-field user-filter subject cn group-filter subject cn
certification cert-anonymous filter-policy permit-all
certification cert-challenge cert-field user-filter subject cn
certification user-cert-filter key-usage any
public-user enable
public-user default-login-number 100
On the web management panel of the Gateway. Under Network -> "SSL VPN" -> "SSL VPN", in the SSLVPN profile, in "Gateway Configuration" -> "User Authentication" part, the setting is like the following.
"Local Certificate", I chose certificate for the gateway here;
"Client CA Certificate", I uploaded the certificate for the client I was testing;
"Certificate Authentication", I tried between "None", "Anonymous Certificate" and "Certificate Challenge"; Then I chose all default option for all the remaining options under "User Authentication" part.
The USG6620 is running V500R001C60SPC300 firmware, if that helps.
Any ideas?