New Member

Question

forticlient for linux - invalid option -- 'P'

Forum|Forum|1 year ago
July 29, 2024
8 replies
9662 views

I've just installed FortiClient VPN the .deb package from here https://www.fortinet.com/support/product-downloads .

installed with `sudo dpkg -i ...`

Setupd the configuration ( as I have on my windows pc and on my android )

when I try to connect I get the following in the journal:

iul 29 14:23:43 station1 kernel: iked[283119]: segfault at 28 ip 000000000045195d sp 00007ffe2a7e6900 error 4 in iked[400000+891000] iul 29 14:23:43 station1 kernel: Code: 4c 89 e5 48 89 44 24 38 48 8d 84 24 88 00 00 00 45 89 d4 45 89 de 48 89 44 24 50 48 8b 45 00 45 89 f5 31 ff 31 db 4a 8b 0c e8 <8b> 51 28 85 d2 74 42 48 8b 71 20 8d 7a ff 31 db 48 8d 46 08 4c 8d iul 29 14:23:43 station1 fctsched[283131]: /opt/forticlient/iked: invalid option -- 'P' iul 29 14:23:43 station1 regolith.desktop[281914]: 14:23:43.573 › VpnHandler UNHANDLED {"isTrusted":true} iul 29 14:23:43 station1 fctsched[283131]: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus iul 29 14:23:43 station1 fctsched[283131]: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus

IPsec

AEK

SuperUser

Did you copy the VPN configuration file from Windows to Linux? And does this config use IKEv1?

Know that Linux' FCT VPN supports only IKEv2, and I guess the "P" option probably stands for Peer ID when you use PSK in IKEv1.

AEK

arw357Author

New Member

Hello,

Thank you for the reply.

The configuration is not a copy of a file.

The configuration is choosing ipsec VPN,IP of remote gateway, then using PSK for Authentication Method, then a username and password.

So - I understand that if I choose PSK then automatically I have IKEv1 ?

AEK

SuperUser

Sorry for the mistake, after double check the peer ID can also be specified for IKEv2.

And no, PSK is not only for IKEv1, but for v2 as well.

Please share your VPN config in Linux and FortiClient VPN version. You can hide the sensitive information (IP and so).

AEK

arw357Author

New Member

here you go:

AEK

SuperUser

7.0.7 is your FCT version?

AEK

arw357Author

New Member

Hello,

Apologies but I am unsure of what is FCT.

The forticlient.deb package that I downloaded is forticlient_vpn_7.4.0.1636_amd64.deb . You can see also in the print screen and below.

forticlient version

FortiClient Version: 7.4.0.1636
FortiClient Serial: FCT8004081746744
FortiClient UID: 25EEA27A1C964783B2682C9A9DB2F9EF

=====================================
Engines
=====================================
AntiVirus: 0.00000
Vulnerability: 0.00000

=====================================
Signatures
=====================================
AntiVirus: 1.00000
AntiVirus Extended: Unavailable
Vulnerability: 0.00000
Sandbox: Unavailable
ICDB: 0.00000

Now - the XML that I attached previously is exported through the interface that I printscreened above ( so the version of the interface states 7.4.0). I chose the functionality to backup the configuration. I see in the configuration that I sent that there is a 7.0.7 but I am not aware where that came from. Meaning - I do not know what is the package that wrote that information.

This is the part of the xml that you asked your question about I guess:

<forticlient_version>7.0.7.0246</forticlient_version>
<version>7.0.7</version>
<date>2019/05/13</date>

This is a list of packages that are installed on my laptop that contain `forti:

 dpkg --list | grep forti ii  forticlient                                                 7.4.0.1636                                        amd64        FortiClient, now available on Linux, is an endpoint protection application that runs on Microsoft Windows, Mac OS X, iOS and Android. It is backed by antivirus engine and signatures from the well-known FortiGuard labs - www.fortiguard.com. FortiClient on Windows has won various third-party awards, such as from VB100, AV Comparatives and NSS. ii  network-manager-fortisslvpn                                 1.2.10-0ubuntu3                                   amd64        network management framework (Fortinet SSLVPN plugin core) ii  network-manager-fortisslvpn-gnome                           1.2.10-0ubuntu3                                   amd64        network management framework (Fortinet SSLVPN plugin GNOME GUI) ii  openfortivpn                                                1.17.1-1build1                                    amd64        Fortinet client for PPP+SSL VPN tunnel services

From my pov I would say that the version is 7.4.0.1636 but the configuration says otherwise.

AEK

SuperUser

First time I installed 7.4.0 and tested IPsec, which is new feature in FortiClient VPN.

I got messages similar to yours.

Aug  4 16:06:29 mint2x kernel: [12765.747042] iked[113142]: segfault at 28 ip 000000000045195d sp 00007ffe02d536c0 error 4 in iked[400000+891000] 
Aug  4 16:06:29 mint2x kernel: [12765.747080] Code: 4c 89 e5 48 89 44 24 38 48 8d 84 24 88 00 00 00 45 89 d4 45 89 de 48 89 44 24 50 48 8b 45 00 45 89 f5 31 ff 31 db 4a 8b 0c e8 <8b> 51 28 85 d2 74 42 48 8b 71 20 8d 7a ff 31 db 48 8d 46
08 4c 8d 
Aug  4 16:06:29 mint2x fctsched[113171]: /opt/forticlient/iked: invalid option -- 'P' 
Aug  4 16:06:29 mint2x systemd[1]: Started Process Core Dump (PID 113172/UID 0). 
Aug  4 16:06:30 mint2x systemd-coredump[113180]: Process 113142 (iked) of user 0 dumped core.#012#012Found module linux-vdso.so.1 with build-id: cf68e5b0f4f33dfabf8969700b3530541157a487#012Found module legacy.so with build-id: 548117307
2312942cc5cfa6eef15eaa59463d352#012Found module libpcre2-8.so.0 with build-id: 184a841c55fb7fe5e3873fcda8368c71016cd54c#012Found module libblkid.so.1 with build-id: ecc1dfaec3a7241b41b76c3590fa135fb3c8ddfa#012Found module libgpg-error.s
o.0 with build-id: 3fbec71c67bee60d8aef00697ee187079b0fb307#012Found module libffi.so.8 with build-id: 59c2a6b204f74f358ca7711d2dfd349d88711f6a#012Found module libselinux.so.1 with build-id: 6fa53202ce676297de24873c886443b2759bfd8a#012F
ound module libmount.so.1 with build-id: a339abbcd0eb8dadcbd09c372ffac2f0eb31eeaa#012Found module libz.so.1 with build-id: 30840b79ac329ecbf1dec0bb60180eed256d319f#012Found module libgmodule-2.0.so.0 with build-id: 4663e16af8ee20469e2ed
5937b1aeb3b50df0af1#012Found module libpcre.so.3 with build-id: 3982f316c887e3ad9598015fa5bae8557320476a#012Found module libgcrypt.so.20 with build-id: 60a5e524de0ed8323edf33e9eb9127a9eee02359#012Found module libgobject-2.0.so.0 with bu
ild-id: 9e8e57082c3651843713c59ecf2976863d6d1dcd#012Found module libgio-2.0.so.0 with build-id: 9fc3ec50ff6302f82ac43f1b28e67909662dc914#012Found module ld-linux-x86-64.so.2 with build-id: 4186944c50f8a32b47d74931e3f512b811813b64#012Fou
nd module libc.so.6 with build-id: 490fef8403240c91833978d494d39e537409b92e#012Found module libgcc_s.so.1 with build-id: e3a44e0da9c6e835d293ed8fd2882b4c4a87130c#012Found module libm.so.6 with build-id: a508ec5d8bf12fb7fd08204e0f87518e5
cd0b102#012Found module libstdc++.so.6 with build-id: e37fe1a879783838de78cbc8c80621fa685d58a2#012Found module libpthread.so.0 with build-id: 81f46d553e2f7c999e43c3eede73a822bc8d5d93#012Found module libuuid.so.1 with build-id: 2ad45e51f
4ac4fc8b5f4ef938a18ca8e0a05e4af#012Found module libdl.so.2 with build-id: 6f6fe1a24b7b981e11c9a3373b806d3496d4d9d4#012Found module libanl.so.1 with build-id: 4e62fff617d96dbe405bcc86c5871aa845856c57#012Found module libglib-2.0.so.0 with
build-id: 224ac2a88b72bc8e2fe8566ee28fae789fc69241#012Found module libsecret-1.so.0 with build-id: f1bc90f2861b0a48efde601947460df81f47597b#012Found module iked with build-id: f4ecc871b89481e3cf8ffc0a247257dcfcef3414#012Stack trace of 
thread 113142:#012#0  0x000000000045195d n/a (iked + 0x5195d)#012#1  0x0000000000453a88 n/a (iked + 0x53a88)#012#2  0x0000000000454f7b n/a (iked + 0x54f7b)#012#3  0x000000000042850a n/a (iked + 0x2850a)#012#4  0x0000000000414b52 n/a (ik
ed + 0x14b52)#012#5  0x00007f2512344d90 __libc_start_call_main (libc.so.6 + 0x29d90)#012#6  0x00007f2512344e40 __libc_start_main_impl (libc.so.6 + 0x29e40)#012#7  0x0000000000419779 n/a (iked + 0x19779)#012#012Stack trace of thread 1131
49:#012#0  0x00007f2512433bcf __GI___poll (libc.so.6 + 0x118bcf)#012#1  0x00007f251293c256 n/a (libglib-2.0.so.0 + 0xab256)#012#2  0x00007f25128e43e3 g_main_context_iteration (libglib-2.0.so.0 + 0x533e3)#012#3  0x00007f25128e4431 n/a (l
ibglib-2.0.so.0 + 0x53431)#012#4  0x00007f2512915ab1 n/a (libglib-2.0.so.0 + 0x84ab1)#012#5  0x00007f25123afac3 start_thread (libc.so.6 + 0x94ac3)#012#6  0x00007f2512441850 __clone3 (libc.so.6 + 0x126850)#012#012Stack trace of thread 11
3150:#012#0  0x00007f251243988d syscall (libc.so.6 + 0x11e88d)#012#1  0x00007f25129360ac g_cond_wait_until (libglib-2.0.so.0 + 0xa50ac)#012#2  0x00007f25128b63e1 n/a (libglib-2.0.so.0 + 0x253e1)#012#3  0x00007f251291886a n/a (libglib-2.
0.so.0 + 0x8786a)#012#4  0x00007f2512915ab1 n/a (libglib-2.0.so.0 + 0x84ab1)#012#5  0x00007f25123afac3 start_thread (libc.so.6 + 0x94ac3)#012#6  0x00007f2512441850 __clone3 (libc.so.6 + 0x126850)#012#012Stack trace of thread 113151:#012
#0  0x00007f2512433bcf __GI___poll (libc.so.6 + 0x118bcf)#012#1  0x00007f251293c256 n/a (libglib-2.0.so.0 + 0xab256)#012#2  0x00007f25128e62b3 g_main_loop_run (libglib-2.0.so.0 + 0x552b3)#012#3  0x00007f251225681a n/a (libgio-2.0.so.0 +
0x11581a)#012#4  0x00007f2512915ab1 n/a (libglib-2.0.so.0 + 0x84ab1)#012#5  0x00007f25123afac3 start_thread (libc.so.6 + 0x94ac3)#012#6  0x00007f2512441850 __clone3 (libc.so.6 + 0x126850) 
Aug  4 16:06:30 mint2x fctsched[113171]: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus 
Aug  4 16:06:30 mint2x fctsched[113171]: DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus 
Aug  4 16:06:30 mint2x systemd[1]: systemd-coredump@3-113172-0.service: Deactivated successfully.

AEK

SuperUser

Furthermore there is no "P" option in "iked" command. So I guess it is a bug in this new release.

$ sudo /opt/forticlient/iked -- 'P'
[sudo] password for b52: 
Usage:
vpn {--server=server} [--user=username] [--password] [--cert-path=certificate_path] [--cert-passwd]
vpn {-s server} [-u username] [-p] [-c certificate_path] [-k]

Options:
-h --help Show the help screen.
-s --server Remote URL (example: "vpn.example.com:8443/demo").
-u --user Username.
-p --password User password. No argument, VPN will prompts for one.
-c --cert-path Certificate URL (example: "/home/user/cert.p12").
-k --cert-passwd Certificate password. No argument, VPN will prompts for one.
-l --cert-label Certificate label for smartcard. Default is first cert in smart card.

Examples:
vpn -s server -u username -p
vpn --server=server --user=username --password
vpn --server=server --user=username --password --cert-path=certificate_path --cert-passwd
vpn --server=server --cert-path=certificate_path --cert-passwd

AEK

sw2090

SuperUser

does this version support ipsec in linux? All FortiClient linux versions I knew only supported ssl vpn but no ipsec.

AEK

SuperUser

Yes it does. IPsec has been introduced in 7.4.0.

AEK

MZBZ

Staff

1. FortiClient for Linux only supports IKEv2 (starting from version 7.2.4):

FortiClient standalone and licensed version feature comparison | FortiClient 7.2.4 | Fortinet Document Library

2. The profile must be pushed from EMS to work. Locally created VPN profiles (personal VPN) do not work as of now. The error /opt/forticlient/iked: invalid option -- 'P' is due to this.

nbianchi

New Member

Hi,

any idea of when the issue will be fixed.
I'm using forticlient_vpn_7.4.0.1636_amd64.deb on ubuntu 24.04 and I'm facing the same issue described here.

Cheers,
Nicola

MZBZ

Staff

You must use FortiClient EMS server to push IPsec IKEv2 remote access profiles to the Linux endpoint.

Stefanosu

New Member

Hi, I use FortiClient 7.4.5.1835 - Mature for linux_x64

I keep having the same problem on linux forticlient, from Fedora 40 to Fedora 43:

fctsched[26248]: /opt/forticlient/iked: invalid option -- 'P'

/opt/forticlient/fctsched it launch iked with a wrong parameter that probably stop it.

In anycase I cannot connect to the vpn, the config is correct because it connects fron windows.

Do you have any suggestion?

It seems a forticlient linux bug, can you have a look?

Thank you.

As more info here the journal-log :

fctsched[34891]: ikev2 "fctipsec" active tunnel esp inet from 0.0.0.0/0 to 0.0.0.0/0 local 192.168.188.106 peer ***.***.***.*** ikesa enc aes-256 prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 group modp2048 ikesa enc aes-256 prf hmac-sha2-256 prf hmac-sha2-384 prf hmac-sha2-512 prf hmac-sha1 auth hmac-sha2-256 group modp2048 childsa enc aes-256 auth hmac-sha2-256 group modp2048 noesn childsa enc aes-256 auth hmac-sha2-256 group modp2048 noesn ikelifetime 86400 lifetime 43200 bytes 4294967296 psk 0x************************************************************* config address 0.0.0.0 config netmask 0.0.0.0 config name-server 0.0.0.0 config protected-subnet 0.0.0.0 iface wlp0s20f3

fctsched[34925]: /opt/forticlient/iked: invalid option -- 'P'

nbianchi

New Member

I lost hope on having the forticlient to work properly on Linux...

I successfully managed to use Stronswan client to work with Fortigate and IPsec. You find many resources online on how to configure it.

Good luck.

M

MartinMG

New Member

Ok, so I am in the same situation with a broken forticlient on Fedora 43 and Fedora 44.
The forticlient that is provided ships its own “iked”, and that version does not support the -P option, but fctsched/fcts is calling it with a -P option. I have tried to replace the file with a wrapper (shell script) that removes the flag, but the wrapper is bypassed and the binary is called directly. Doing a strace on fctsched ( strace -f -e execve -p $(pgrep -n fctsched) ) gives:

[pid 10059] execve("/opt/forticlient/iked", ["/opt/forticlient/iked", "-P", "ca", "-i", "1000", "--pid=6315", "-f", "x.y.com", "--dbus-address=unix:path=/run/us"...], 0x3ef7e390 /* 14 vars */strace: Process 10060 attached
<unfinished ...>
[pid 10060] execve("/opt/forticlient/iked", ["/opt/forticlient/iked", "-P", "control", "-i", "1000", "--pid=6315", "-f", "x.y.com", "--dbus-address=unix:path=/run/us"...], 0x3ef7e390 /* 14 vars */strace: Process 10061 attached
<unfinished ...>
[pid 10059] <... execve resumed>) = 0
[pid 10060] <... execve resumed>) = 0
[pid 10061] execve("/opt/forticlient/iked", ["/opt/forticlient/iked", "-P", "ikev2", "-i", "1000", "--pid=6315", "-f", "x.y.com", "--dbus-address=unix:path=/run/us"...], 0x3ef7e390 /* 14 vars */) = 0

I have also tried to bypass the execve call via a custom compiled .so, but that also failed.

I have asked the IT dept. if I can use Strongswan, but they said no. It would be nice if Fortinet could ship a client that actually works on modern Linux.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded