Bad header from gateway (403 Forbidden) #191
Comments
|
Don't know; first time using the openfortivpn client
Yes! |
That's the part of the code that generates the error in src/io.c:
Could you add some code to print
|
|
Mmmh... Something's wrong here:
|
So, do you expect this is a client-side problem or just a "too new firmware" of the Fortigate? |
Is there any analysis I can do? |
My feeling is that the new FortiOS comes with a new protocol. It's hard to help remotely and I currently don't have much time. I guess a wireshark log would help if someone else can look into this. |
@DimitriPapadopoulos I've made a PCAP, filtered on my firewall IP. How does this help, because this is all encrypted (I tried to decrypt the SSL stream with the SSL key, with no success)? |
Is all openfortivpn-related traffic towards port 443 of the FortiGate and encrypted? If so no need to look further. |
I think once the ssl threads are up, everything is encrypted. The debug output already shows what is sent on the ppp device: "HTTP/1.1 403 Forbidden." - which is strange, because authentication has worked and we have received a cookie just before. |
@mrbaseman What about the value of |
Oh, right.
Another tcpdump from a working connection with the binary linux client might also be helpful for comparison. |
Ipsec Binary client now also comes with an error: "Failed to parse fortisslvpn page." I'm still trying to find a solution to tcpdump the "not yet existing ppp0 device" (trying to create a bond interface and do something with if-up scripts...) |
Oh, if the binary client doesn't work either now, is the client ip range restricted in some way, and you receive "403 Forbidden" when you are coming from the wrong network? In my setup the connection is just closed in such a case, but behavior in this case may depend on the OS version or on details how exactly such IP restrictions are imposed. |
This comes directly from the syslog of the Fortigate Binary application from Fortinet:
Openfortivpn:
|
Appeared to be an issue/bug in the FortiOS... Fixed right now (something with user mapping). Conclusion: openfortivpn works perfectly with the latest version! |
@tim247 Thanks for the feedback - much appreciated! Does this mean Fortinet provided a new version / patch for FortiOS, or did they just suggest to work around the issue by modifying the user mapping? |
@DimitriPapadopoulos By changing the "default mapping" to the "portal" you actually need... It sounds stupid to me... Before I changed it, a specific group was in the "full-access" portal and others in the "web-only" portal. Now everybody comes in the "full-access" portal... |
Running openfortivpn version 1.3 (also tried latest git pull + make + install = 1.5).
Running the latest version of FortiOS on my Fortigate 60D: v5.6.2 build1486
FortiClient binary application works fine, web version also.
Using openfortivpn results in a "HTTP/1.1 403 Forbidden." as "bad header".
Username and password are 100% correct. Any suggestions?