Received bad header from gateway

[mrmodolo]

Hi!

I am trying to connect (mygateway is https://my.gateway.com.br:10443):

sudo /usr/bin/openfortivpn my.gateway.com.br:10443 -u marcelo --no-routes --no-dns --trusted-cert c755c435e2ec1221dea85847c190f9b9200013780bf82cefb25b6074562df2cd
VPN account password:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
ERROR: Received bad header from gateway:
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 53 61 74 2c 20 30 33 20 4f 63 74 20 32 30 31 35 20 31 33 3a 30 31 3a 32 35 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 53 61 74 2c 20 30 33 2d 4f 63 74 2d 32 30 31 35 20 31 33 3a 30 31 3a 32 35 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 53 61 74 2c 20 30 33 2d 4f 63 74 2d 32 30 31 35 20 31 33 3a 30 31 3a 32 35 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74

(raw) HTTP/1.1 403 Forbidden.
Date: Sat, 03 Oct 2015 13:01:25 GMT.
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sat, 03-Oct-2015 13:01:25 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sat, 03-Oct-2015 13:01:25 GMT; secure; h
INFO: Cancelling threads...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
INFO: Logged out.

Thanks

[adrienverge]

Hi @mrmodolo,

This error is caused by an authentification error. It usually occurs when the username/password couple is not valid. Have you checked that your credentials do work using another official VPN client?

Another cause could be that we don't handle well the protocol of your VPN gateway. Do you have any information on the software version on the remote end?

[mrmodolo]

Thanks for the answer!

Not the case, I have forticlientsslvpn client installed on my machine and I use it every day for remote support! I added the keys '-v -v -v' and made a small change in code to display 'total', 'magic' and 'size':
I believe the FortiGate version is the 5.x! I can also log in via the web interface, attached an image.

➜ ~ sudo /usr/bin/openfortivpn -v -v -v vpn.aws.globosat.com.br:10443 -u xxxxxxx --no-routes --no-dns --trusted-cert c755c435e2ec1221dea85847c190f9b9200013780bf82cefb25b6074562df2cd
WARN: Bad port in config file: "0".
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "vpn.aws.globosat.com.br"
DEBUG: Config port = "10443"
DEBUG: Config username = "xxxxxxx"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=7HAdmxT0/HnYq3HQpZF62rirjuq3UFYLeL1RZunpGfRH0v8nMmdrl8we8RK3iqZu%0aB0ZuUkR2iY1/X3yf0VK7tTPIOSXCVfFjA9w/mf4cs0+8lU4iQKFVTWQSp17sFBlN%0aHGMrtlgHPKFOCK2UBFNUB0ArkI3vImqldZZAo6AmGhEax2fx8wXHKV1qIPQGCYgx%0aZJ
INFO: Remote gateway has allocated a VPN.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: pppd_read_thread
DEBUG: ssl_read_thread
DEBUG: if_config thread
DEBUG: ssl_write_thread
DEBUG: pppd ---> gateway (16 bytes)
pppd: c0 21 01 01 00 0e 01 04 05 4a 05 06 4a 48 10 47

DEBUG: pppd_write thread
ERROR: Received bad header from gateway:
DEBUG: total (18516).
DEBUG: magic (21584).
DEBUG: size (12081).
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 53 75 6e 2c 20 30 34 20 4f 63 74 20 32 30 31 35 20 31 31 3a 31 33 3a 34 39 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 53 75 6e 2c 20 30 34 2d 4f 63 74 2d 32 30 31 35 20 31 31 3a 31 33 3a 34 39 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 53 75 6e 2c 20 30 34 2d 4f 63 74 2d 32 30 31 35 20 31 31 3a 31 33 3a 34 39 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74

(raw) HTTP/1.1 403 Forbidden.
Date: Sun, 04 Oct 2015 11:13:49 GMT.
Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 04-Oct-2015 11:13:49 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 04-Oct-2015 11:13:49 GMT; secure; h
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

[stefan-langenmaier]

Same problem here, but I'm quite sure the password is correct as it works with the binary client. I have unfortunately no access or information about the server.

# openfortivpn --no-routes --no-dns -v
DEBUG:  Loaded config file "/etc/openfortivpn/config".
VPN account password: 
DEBUG:  Config host = "XXXXXX"
DEBUG:  Config port = "10443"
DEBUG:  Config username = "XXXXXXX"
DEBUG:  Config password = "********"
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=yNBN4ZFhx0N0R2EGwRi9OZdOohFBTioHQiBtVG7BEBp2iBkskef7WhsvtYXfWkHv%0aqvm6Py6gnBDmlDuaX9+6QhwzWaZsXYN/nUNTUJk6pjteVTOH75uYKgywZ27OTJee%0aTgS7H9HHQVMoluH1l2Rk5NY8Iw6SWGqbEeo+ngNi5g1oP6QXE1LBFQro4poRqdxU%0at�
INFO:   Remote gateway has allocated a VPN.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
DEBUG:  pppd_read_thread
DEBUG:  ssl_write_thread
DEBUG:  ssl_read_thread
DEBUG:  if_config thread
DEBUG:  pppd ---> gateway (16 bytes)
DEBUG:  pppd_write thread
ERROR:  Received bad header from gateway:
  (hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 54 75 65 2c 20 31 33 20 4f 63 74 20 32 30 31 35 20 32 32 3a 31 32 3a 31 31 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 54 75 65 2c 20 31 33 2d 4f 63 74 2d 32 30 31 35 20 32 32 3a 31 32 3a 31 31 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 54 75 65 2c 20 31 33 2d 4f 63 74 2d 32 30 31 35 20 32 32 3a 31 32 3a 31 31 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74

  (raw) HTTP/1.1 403 Forbidden.
Date: Tue, 13 Oct 2015 22:12:11 GMT.
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Tue, 13-Oct-2015 22:12:11 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Tue, 13-Oct-2015 22:12:11 GMT; secure; h
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
INFO:   Terminated pppd.
INFO:   Closed connection to gateway.
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Logged out.

[lkundrak]

DEBUG: Cookie: SVPNCOOKIE=yNBN4ZFhx0N0R2EGwRi9OZdOohFBTioHQiBtVG7BEBp2iBkskef7WhsvtYXfWkHv%0aqvm6Py6gnBDmlDuaX9+6QhwzWaZsXYN/nUNTUJk6pjteVTOH75uYKgywZ27OTJee%0aTgS7H9HHQVMoluH1l2Rk5NY8Iw6SWGqbEeo+ngNi5g1oP6QXE1LBFQro4poRqdxU%0at�

Seems like there's garbage at the end of the cookie? We may have parsed it wrong or just log it wrong. Given it doesn't work I'm thinking it's the first option.

(I made changes there & probably broke it. Will take a look...).

[mrmodolo]

Hi!
If I can help, please send me a e-mail.

Thanks!

[paride]

Same problem here, the credentials are the same I use with the official client without any problem. If I give a wrong password to openfortivpn I get a different error message:

INFO:   Connected to gateway.
ERROR:  Could not authenticate to gateway (No cookie given).
INFO:   Closed connection to gateway.

so I think that the authentication works correctly and the problem is somewhere else. Just in case it matters: I have to specify a --trusted-cert, as the certificate is not trusted by default. If you need more feedback or testing just let me know, I'll be glad to help.

Paride

[adrienverge]

@mrmodolo @stefan-langenmaier @legovini Can you try version 1.0.1? There´s a chance that it works for you.

[paride]

It still does not work, but it behaves differently:

VPN account password: 
DEBUG:  Config host = "xxx"
DEBUG:  Config port = "10443"
DEBUG:  Config username = "xxx"
DEBUG:  Config password = "********"
DEBUG:  Gateway certificate validation failed.
DEBUG:  Gateway certificate digest found in white list.
INFO:   Connected to gateway.
INFO:   Authenticated.
DEBUG:  Cookie: SVPNCOOKIE=MFpbihJ7voL2gkXTBCQXSoQPNcw3kucMWEGBUlsFhnRWbk3Ba8jBlkerZK6lIOQ0%0aQrxSQD7fVUsKu8OuEBI8HpUZTaFaELLqEHvpx6NTd3T5AiiKjtVECfpu9s4GijBo%0aYeNU6VVctfSsZmxor1ZlTq7wAGJ2xX7x/OJc0px4kjwfLhggLRcCRhytIHfhILkX%0a+��
INFO:   Remote gateway has allocated a VPN.
DEBUG:  pppd_read_thread
DEBUG:  ssl_read_thread
DEBUG:  ssl_write_thread
DEBUG:  if_config thread
DEBUG:  pppd ---> gateway (16 bytes)
pppd:   c0 21 01 01 00 0e 01 04 04 00 05 06 19 2a 07 cf
DEBUG:  pppd_write thread
ERROR:  Received bad header from gateway: 4854 5450 2f31
WARN:   Looks like a HTTP 403.
INFO:   Cancelling threads...
DEBUG:  Waiting for pppd to exit...
INFO:   Terminated pppd.
INFO:   Logged out.
INFO:   Closed connection to gateway.

[mrmodolo]

Hi!

It still does not work!

➜ openfortivpn git:(master) ✗ sudo /usr/bin/openfortivpn -v -v -v -v vpn.aws.globosat.com.br:10443/ --no-routes --no-dns --trusted-cert c755c435e2ec1221dea85847c190f9b9200013780bf82cefb25b6074562df2cd
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "vpn.aws.globosat.com.br"
DEBUG: Config port = "10443"
DEBUG: Config username = "xxxxxx"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
INFO: Authenticated.
DEBUG: Cookie: SVPNCOOKIE=7HAdmxT0/HnYq3HQpZF62rirjuq3UFYLeL1RZunpGfRH0v8nMmdrl8we8RK3iqZu%0aB0ZuUkR2iY1/X3yf0VK7tTPIOSXCVfFjA9w/mf4cs0+8lU4iQKFVTWQSp17sFBlN%0ajlSsWtArHVymaOiuZzk7+gI6RRi8pTDw+RtD2dyFsgNcmh1zp7ev82KsKVkIBeEP%0aX
INFO: Remote gateway has allocated a VPN.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
DEBUG: ssl_read_thread
DEBUG: pppd_read_thread
DEBUG: if_config thread
DEBUG: ssl_write_thread
DEBUG: pppd_write thread
DEBUG: pppd ---> gateway (16 bytes)
pppd: c0 21 01 01 00 0e 01 04 05 4a 05 06 57 5a 70 ee

ERROR: Received bad header from gateway:
(hex) 48 54 54 50 2f 31 2e 31 20 34 30 33 20 46 6f 72 62 69 64 64 65 6e 0d 0a 44 61 74 65 3a 20 4d 6f 6e 2c 20 32 36 20 4f 63 74 20 32 30 31 35 20 32 33 3a 34 37 3a 32 37 20 47 4d 54 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 20 53 56 50 4e 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 3b 20 65 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 32 36 2d 4f 63 74 2d 32 30 31 35 20 32 33 3a 34 37 3a 32 37 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74 74 70 6f 6e 6c 79 3b 0d 0a 53 65 74 2d 43 6f 6f 6b 69 65 3a 20 53 56 50 4e 4e 45 54 57 4f 52 4b 43 4f 4f 4b 49 45 3d 3b 20 70 61 74 68 3d 2f 72 65 6d 6f 74 65 2f 6e 65 74 77 6f 72 6b 3b 20 65 78 70 69 72 65 73 3d 4d 6f 6e 2c 20 32 36 2d 4f 63 74 2d 32 30 31 35 20 32 33 3a 34 37 3a 32 37 20 47 4d 54 3b 20 73 65 63 75 72 65 3b 20 68 74

(raw) HTTP/1.1 403 Forbidden.
Date: Mon, 26 Oct 2015 23:47:27 GMT.
Set-Cookie: SVPNCOOKIE=; path=/; expires=Mon, 26-Oct-2015 23:47:27 GMT; secure; httponly;.
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Mon, 26-Oct-2015 23:47:27 GMT; secure; h
INFO: Cancelling threads...
DEBUG: Waiting for pppd to exit...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

[vmialon]

Hi !

Thanks for your work ! Unfortunately it's not working for me either.
Gateway is a VDOM on Fortigate 1500D FortiOS 5.2.2
Client openfortivpn 1.1.0 package on Fedora 22
Client fortisslvpn OK with same credentials

On fortigate error message is "sslvpn_login_unknown_user"

Logs from openfortivpn
DEBUG: Loaded config file "/etc/openfortivpn/config".
VPN account password:
DEBUG: Config host = "XXXXX"
DEBUG: Config port = "443"
DEBUG: Config username = "XXXXX"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
WARN: Error issuing /remote/logincheck request
ERROR: Could not authenticate to gateway (Permission denied).
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

Or

DEBUG: Config host = "XXXXXX"
DEBUG: Config port = "443"
DEBUG: Config username = "XXXXXX"
DEBUG: Config password = "********"
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Connected to gateway.
ERROR: Could not authenticate to gateway (No cookie given).
INFO: Closed connection to gateway.
DEBUG: Gateway certificate validation failed.
DEBUG: Gateway certificate digest found in white list.
INFO: Logged out.

[dsgwork]

Hi,

I have found the cause of this bug, it appears newer FortiOS versions use a longer hash for the SVPNCOOKIE (or maybe it's a configuration issue?).

I had problems connecting to our various fortinet VPNs, which I belive are on FortiOS 5.2.x.

I have created a pull request to merge this into master:
#23

Note that I have not tested this with the older VPNs which worked before, as I do not have access to one. Please ensure that everything works correctly on those before merging.

[mrmodolo]

Hi!

Now I can connect!

modolo@nibiru:~⟫ sudo openfortivpn -u modolo
VPN account password:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
WARN: No gateway address
INFO: Got addresses: [192.168.102.10], ns [10.1.0.12, 10.1.0.14]
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.

But after connection I think no route is set:

route before connect:
modolo@nibiru:~⟫ route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
0.0.0.0 192.168.1.1 0.0.0.0 UG 5428 0 0 wlp1s0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 lxcbr0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp1s0

route after connect:
255 modolo@nibiru:~⟫ route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
1.1.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 lxcbr0
186.228.37.130 192.168.1.1 255.255.255.255 UGH 0 0 0 wlp1s0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp1s0

Thanks,
Módolo

[adrienverge]

Hi @mrmodolo,

The broken routes might be a side-effect of commit 7dca981. Could you:

git checkout 38a85d1             # go back before suspicious commit
git cherry-pick 8a4ca14 ab6e879  # apply the COOKIE_SIZE fixes

recompile and try again?

Alternatively, if you're a NetworkManager user, you should try @lkundrak's NetworkManager-fortisslvpn plugin. It handles routes and nameservers in a more standard way.

[mrmodolo]

Hi!

The same thing (now thereis no "WARN: No gateway address" when connecting)

modolo@nibiru:⟫ git checkout 38a85d1
...
modolo@nibiru:⟫ git cherry-pick 8a4ca14 ab6e879
...

modolo@nibiru:~⟫ sudo openfortivpn -u modolo
VPN account password:
INFO: Connected to gateway.
INFO: Authenticated.
INFO: Remote gateway has allocated a VPN.
INFO: Got addresses: [192.168.102.10], ns [10.1.0.12, 10.1.0.14]
INFO: Got addresses: [192.168.102.10], ns [10.1.0.12, 10.1.0.14]
INFO: Interface ppp0 is UP.
INFO: Setting new routes...
INFO: Adding VPN nameservers...
INFO: Tunnel is up and running.

modolo@nibiru:~⟫ route -n
Tabela de Roteamento IP do Kernel
Destino Roteador MáscaraGen. Opções Métrica Ref Uso Iface
1.1.1.1 0.0.0.0 255.255.255.255 UH 0 0 0 ppp0
10.0.3.0 0.0.0.0 255.255.255.0 U 0 0 0 lxcbr0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 lxcbr0
186.228.37.130 192.168.1.1 255.255.255.255 UGH 0 0 0 wlp1s0
192.168.1.0 0.0.0.0 255.255.255.0 U 600 0 0 wlp1s0

^CINFO: Cancelling threads...
INFO: Setting ppp interface down.
INFO: Restoring routes...
WARN: Could not delete route through tunnel (No such process).
INFO: Removing VPN nameservers...
INFO: Terminated pppd.
INFO: Closed connection to gateway.
INFO: Logged out.

Thanks for your time.

Marcelo Módolo

[adrienverge]

Strange... Unfortunately I don't have access to such a VPN anymore, and I don't have time neither. I'm sorry.

Here are some suggestions, however:

• If you're not afraid of adding a few log_info() in the code (specifically here and there), you may find out what's going wrong.
  Here is the intended behavior on startup:
  • Back up current default route
  • Set the current default route as the route to the tunnel gateway
  • Delete the current default route
  • Set the new default route (the one through VPN)
• Use --no-routes and wrap openfortivpn in a script that add routes itself
• Try the NetworkManager-fortisslvpn plugin.

In any case, keep feedbacking: it's appreciated. And if you find the root cause, I'll be happy to help write a fix.

[mrbaseman]

I'm just looking through older tickets. The routing issues should be solved now. There were a couple of changes to the routing code, including a fix for #25. Can this ticket be closed? (I think it was mainly about the COOKIE_SIZE which needed to be increased)