Fortinet SSL VPN Client

Experimental support for Fortinet SSLVPN was added to OpenConnect in March 2021. It is also known as FortiGate in some documentation. It is a PPP-based protocol using the native PPP support which was merged into the 9.00 release.

Offering secure work from home options is a necessity for just about any business, and Fortinet's FortiGate firewall along with FortiClient Endpoint Protecti.

  • Set VPN Type to SSL VPN. Set Remote Gateway to the IP of the listening FortiGate interface, in this example, 172.20.120.123. Select Customize Port and set it to 10443. Enable Client Certificate and select the authentication certificate.
  • Forticlient – SSLVPN is a VPN Client to connect to Fortigate Devices with minimal effort, packaged here for Ubuntu and Debian. Officially there is only a generic tar.gz package available. As I use Ubuntu most of the time, I decided to build .deb packages for 32/64bit Ubuntu with a nice desktop icon to start :).

Fortinet mode is requested by adding --protocol=fortinet to the command line:


Since TCP over TCP is very suboptimal, OpenConnect tries to always use PPP-over-DTLS, and will only fall over to the PPP-over-TLS tunnel if that fails, or if disabled via the --no-dtls argument.

Quirks and Issues

In terms of authentication for Fortinet VPNs, OpenConnect currently supports basic username/password, optional TLS client certificate, and optional multifactor authentication token entry via the 'tokeninfo' challenge/response mechanism (which appears to be the most common mechanism by which Fortinet VPNs support multifactor authentication). If you have access to a Fortinet VPN which uses other types of authentication, please send information to the mailing list so that we can add support to OpenConnect.

The Fortinet protocol appears not to allow its post-authentication cookie (as output by --authenticate) to be used to reestablish a dropped connection. This means that if the client loses its connection to the gateway (for example, due to a network outage, or after roaming to a different physical adapter) a new authentication will always be required. This is a substantial design flaw which is not present in any of the other protocols supported by OpenConnect; if you have access to a Fortinet VPN which can automatically reconnect after a dropped connection, please send information to the mailing list so we can understand it better, and whether we can support this feature on other Fortinet VPNs.
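
A bounded re-login wrapper for the reconnect limitation described above, as an added example (not part of OpenConnect or of the original page). It assumes openconnect exits with a non-zero status when the session is lost; the supervise function, the MAX_LOGINS and BACKOFF_START variables and the certificate path are hypothetical, and the gateway address and port are the ones from the FortiClient settings listed earlier.

```shell
#!/bin/sh
# Added example (not OpenConnect's own code). A Fortinet session cannot be
# resumed from its cookie, so every restart below is a full new login.
# Assumption: openconnect exits non-zero when the session is lost.

GATEWAY="172.20.120.123:10443"                          # gateway and port from the page's example
CLIENT_CERT="${CLIENT_CERT:-/path/to/client-cert.pem}"  # placeholder path

# supervise MAX CMD...: run CMD in the foreground until it exits cleanly,
# allowing at most MAX logins. The cap keeps a flapping link from turning
# into a stream of authentication attempts (account lockout, MFA prompts).
supervise() {
    max_logins=$1; shift
    delay=${BACKOFF_START:-5}      # seconds; doubles after each lost session
    LOGINS=0                       # left set so the caller can inspect it
    while [ "$LOGINS" -lt "$max_logins" ]; do
        LOGINS=$((LOGINS + 1))
        if "$@"; then return 0; fi # clean exit: the user ended the session
        [ "$LOGINS" -lt "$max_logins" ] || break
        echo "session lost after login $LOGINS of $max_logins; re-authenticating in ${delay}s" >&2
        sleep "$delay"
        delay=$((delay * 2))
    done
    echo "login budget of $max_logins used up; not retrying" >&2
    return 1
}

# Run as "script connect". openconnect stays interactive so the password
# and any tokeninfo challenge are entered by the user on every login.
if [ "${1:-}" = "connect" ]; then
    supervise "${MAX_LOGINS:-3}" openconnect --protocol=fortinet \
        --certificate="$CLIENT_CERT" "$GATEWAY"
fi
```

Keeping the login interactive means no stored password is replayed on each reconnect, so a wrong or expired credential fails once in front of the user instead of repeatedly against the gateway.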
