Hi all!
I've been trying to use FortiClient to establish a VPN connection on my Kali Linux machine. The client works fine with Ubuntu on the same computer, but it fails with the same configuration in Kali. The Kali installation was fresh when I tried it, and with all the dependencies installed.
Here are the sslvpn logs in both machines for comparison:
[sslvpn:DEBG] dns:700 Disable DHCP auto DNS
[sslvpn:DEBG] dns:730 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:760 Set DNS domain: xxxxxxxxxx
[sslvpn:DEBG] dns:790 NM reapply
[sslvpn:DEBG] dns:821 Setup VPN interface
[sslvpn:DEBG] dns:823 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:853 Set DNS domain: xxxxxxxxxxx
[sslvpn:DEBG] dns:883 NM reapply
[sslvpn:DEBG] dns:898 Apply settings failed, try again after 1 sec
[sslvpn:DEBG] dns:898 Apply settings failed, try again after 1 sec
[sslvpn:DEBG] dns:898 Apply settings failed, try again after 1 sec
[sslvpn:DEBG] dns:151 Restart DNS service failed.
[sslvpn:DEBG] dns:161 Flush DNS cache failed.
[sslvpn:DEBG] route:99 route backup START
[sslvpn:DEBG] route:151 route backup DONE
[sslvpn:DEBG] route:237 begin route config
[sslvpn:DEBG] route:238 Remote IP: x.x.x.x
[sslvpn:DEBG] route:239 Local IP: x.x.x.x
[sslvpn:DEBG] route:240 Tunnel mode: Split tunnel
[sslvpn:DEBG] route:241 Exclusive routing: Disabled
[sslvpn:DEBG] route:299 Can't find dev for IP x.x.x.x (tun)
[sslvpn:EROR] vpn_connection:1303 Config routing table failed
[sslvpn:DEBG] dns:364 Restore DNS config
[sslvpn:DEBG] dns:700 Disable DHCP auto DNS
[sslvpn:DEBG] dns:730 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:760 Set DNS domain: xxxxxxxxxxxxxxxxx
[sslvpn:DEBG] dns:790 NM reapply
[sslvpn:DEBG] dns:821 Setup VPN interface
[sslvpn:DEBG] dns:823 Set DNS server: x.x.x.x x.x.x.x
[sslvpn:DEBG] dns:853 Set DNS domain: xxxxxxxxxxxxxxxxxxx
[sslvpn:DEBG] dns:883 NM reapply
[sslvpn:DEBG] dns:149 Restart DNS service successfully.
[sslvpn:DEBG] dns:159 Flush DNS cache successfully.
[sslvpn:DEBG] route:99 route backup START
[sslvpn:DEBG] route:151 route backup DONE
[sslvpn:DEBG] route:237 begin route config
[sslvpn:DEBG] route:238 Remote IP: x.x.x.x
[sslvpn:DEBG] route:239 Local IP: x.x.x.x
In the Kali sslvpn logs, the error happens when trying to configure the routing table.
I have also posted this image with journalctl logs from the Kali machine. There seems to be a problem with the Network Manager.
Thanks in advance.
Hello Guy_L
Ubuntu is officially supported according to our release notes, but Kali is not mentioned. You can find more information at the following link:
https://docs.fortinet.com/document/forticlient/7.2.0/linux-release-notes/136392/product-integration-...
Best regards.
Ezequiel.
Hi Ezequiel,
Isn't Debian 11 supported too? Then, since Kali is based on Debian 11, it should work on it too. I have just downloaded a VM with a Debian 11 image to test if the same issue occurs, but FortiClient is not even reporting sslvpn logs. The client seems to freeze when trying to establish the connection.
Thanks
Hi Guy,
Based on Debian does not mean it is the same, as otherwise there would be no need for Kali. Most tools you can get on Debian as well, but especially Kali, in its idea, might handle network traffic differently.
I cannot see if you're using a wireless or a wired interface. You can maybe try the other type of interface. According to the journalctl output, the network manager is failing due to some arguments the network manager is not understanding but the standard Debian/Ubuntu would seem to understand.
As such I'd see if you can compare both of the scripts on Debian and Kali.
/etc/NetworkManager/dispatcher.d/01-ifupdown
Try also to verify the network interfaces. I believe Debian uses the new nomenclature for naming interfaces (enp0s3 for example), Kali seems to use the old (eth0).
Best regards,
Markus
Same issue on Fedora 38. There seems to be a problem with the device being set to unmanaged when it needs to be up to be configured.
device (vpn00b09c95fd): state change: activated -> unmanaged (reason 'connection-assumed', sys-iface-state: 'managed')
...
...
...
audit: op="device-reapply" interface="vpn00b09c95fd" ifindex=13 pid=17027 uid=0 result="fail" reason="Device is not activated"
"device-reapply" is tried 3 times before failing. I fixed this issue by bringing the device up before the last reapply fails.
$> sudo nmcli connection up vpn00b09c95fd
There may have been a change in the NetworkManager which needs to be incorporated into FortiClient.
#EDIT
Short script which fixes the problem:
https://gist.github.com/SydoxX/f40a9d4d7af414049b6e07092e8bbc2b
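To check whether a machine is hitting the failure mode described in the post above, the NetworkManager journal can be summarised per interface. This is an added example, not part of any post in this thread and not the linked gist; the function name, the timestamps, host name and the `eth0` line in the sample are constructed, and the two NetworkManager lines are modelled on the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the thread): summarise NetworkManager journal text
# read on stdin, e.g.  journalctl -u NetworkManager -b | diagnose_reapply
# Reports, per interface, whether it dropped to "unmanaged" and how many
# device-reapply audit records failed.

diagnose_reapply() {
    awk '
    # "device (IFACE): state change: X -> unmanaged": device left NM control.
    /state change: .* -> unmanaged/ {
        if (match($0, /device \([^)]+\)/)) {
            ifc = substr($0, RSTART + 8, RLENGTH - 9)
            unmanaged[ifc] = 1; seen[ifc] = 1
        }
    }
    # Audit record of a reapply attempt that NetworkManager rejected.
    /op="device-reapply"/ && /result="fail"/ {
        if (match($0, /interface="[^"]+"/)) {
            ifc = substr($0, RSTART + 11, RLENGTH - 12)
            fails[ifc]++; seen[ifc] = 1
        }
    }
    END {
        for (ifc in seen)
            printf "%s unmanaged=%s reapply_failures=%d\n", ifc,
                   (ifc in unmanaged) ? "yes" : "no", fails[ifc]
    }' | sort
}

# Constructed sample journal: one unmanaged transition, three failed reapplies
# on the VPN device, and an unrelated successful reapply that must be ignored.
SAMPLE_JOURNAL=$(cat <<'EOF'
Jan 01 10:00:01 host NetworkManager[900]: <info> device (vpn00b09c95fd): state change: activated -> unmanaged (reason 'connection-assumed', sys-iface-state: 'managed')
Jan 01 10:00:02 host NetworkManager[900]: <info> audit: op="device-reapply" interface="eth0" ifindex=2 pid=17027 uid=0 result="success"
Jan 01 10:00:02 host NetworkManager[900]: <info> audit: op="device-reapply" interface="vpn00b09c95fd" ifindex=13 pid=17027 uid=0 result="fail" reason="Device is not activated"
Jan 01 10:00:03 host NetworkManager[900]: <info> audit: op="device-reapply" interface="vpn00b09c95fd" ifindex=13 pid=17027 uid=0 result="fail" reason="Device is not activated"
Jan 01 10:00:04 host NetworkManager[900]: <info> audit: op="device-reapply" interface="vpn00b09c95fd" ifindex=13 pid=17027 uid=0 result="fail" reason="Device is not activated"
EOF
)

printf '%s\n' "$SAMPLE_JOURNAL" | diagnose_reapply
```

An interface reported with `unmanaged=yes` and a non-zero failure count matches the pattern in the post, and is the device name to pass to `nmcli connection up`.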
I wrote a short script which fixes the problem. Simply execute it before connecting to the VPN.
https://gist.github.com/SydoxX/f40a9d4d7af414049b6e07092e8bbc2b#file-forti-fix-sh
Great! Thank you @kpa , this fixed the problem! (I upgraded to Ubuntu 23.04, FortiClient 6.4, and then upgraded to FortiClient 7.0.7)
Unfortunately that does not work with FortiClient VPN 7.2.0.0644. Any idea why? The script exits after prompting the following messages:
Still waiting...
Device is unmanaged. Setting it to 'up' again...
Done.
Created on 04-24-2023 10:56 PM Edited on 04-24-2023 11:06 PM
Yes, same problem. It seems Ubuntu 23.04 has broken FortiClient (7.0.7).
When do you run the "sudo nmcli connection up" command?