Hello.
Is it still true that Linux Forticlient still does not support IPSEC CLI configuration when using FortiClient (I was following https://community.fortinet.com/t5/Support-Forum/Fortclient-VPN-Client-Linux-IPSEC/td-p/232278 )?
I aim was to replicate Macosx forticlient IPsec configuration onto Ubuntu 22 (against a small 40F / 70F with tested and working IPSEC VPN configuration).
I got Forticlient installed following https://repo.fortinet.com/ , which, as of today (5th of April 24) installs as 7.2.4.080 on Ubuntu 22.04 LTS, and IPsec functionality does seem to be there, but then the configuration goes somehow pearshaped (I only got sudo apt install gnome-keyring to improve the situation slightly but still got an issue - not sure if this is expected - it looks like it somehow uses GUI key chain infra, even when explicitly operating in CLI space so "forticlient vpn ..."(VPN CLI interface)).
ubuntu@server:~$ forticlient vpn edit newprofile
=====================
Create new VPN profile: newprofile
=====================
Type (1.SSL VPN / 2.IPsec VPN) [default=1]: 2
Remote Gateway: x.x.x.x
Port [default=443]: 500 <======= why is it treating IPsec as tcp/443 to start with?
Authentication (1.prompt / 2.save / 3.disable) [default=1]: <=regardles of what the option is, below error message always pops up (I suppose all three operations require access to key store)
Certificate Type (1.local (pkcs12) / 2.smartcard (pkcs11) / 3.disable) [current=disable]:
Unable to use system's key store: Object does not exist at path “/org/freedesktop/secrets/collection/login”.
DONE.
I run out of ideas how to fix that.
When I try the SSL configuration with Forticlient - I am getting stuck in the very same place - "Unable to use system's key store". Why does Forticlient not let me stay away from GUI?
Am I doing something fundamentally silly?
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
@syulv
For the moment, there is still no support for this feature.
The reason for it is because you don't need a specific client for that, you should "simply" use the Linux IPSec stack properly.
You may try to request a new feature for future FortiClient releases.
Could you please give additional details? It looks like we are using the stack properly.
Is there any document to explain this?
Created on 06-23-2024 03:36 PM Edited on 06-23-2024 03:40 PM
So, to clarify, if I were to use fortinetclient on Linux with IPsec mode, would all the specific functionality of the Fortinet platform (e.g., antivirus, endpoint control, Vulnerability scan, ZTNA) be unavailable to me unless I use it with SSL?
Is Fortinet telling me to use, for example, StrongSwan for IPsec rather than their native client for Linux (If this were the case, would functionality like split DNS still be available with non-Fortinet IPsec clients)?
I'm just trying to make this a seamless experience for my Linux users, but so far, we are using https://github.com/adrienverge/openfortivpn (not ideal as you can not send it to the background, to my knowledge), which is not great if you started investing in Fortinet's FortiGate devices.
I stand to be corrected if anything raised above is factually incorrect, as a lot of this is fairly new to me, and I am probably making some incorrect assumptions.
Thanks.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1720 | |
1094 | |
752 | |
447 | |
234 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.