Print warning if Fortinet server doesn't indicate support/no-support for reconnect...
authorDaniel Lenski <dlenski@gmail.com>
Tue, 31 Aug 2021 23:44:52 +0000 (16:44 -0700)
committerDaniel Lenski <dlenski@gmail.com>
Thu, 10 Feb 2022 23:26:15 +0000 (15:26 -0800)
FortiGate v6.2.1 and newer appear to support reconnect-after-drop without
reauth, but only if the tag and attribute
'<auth-ses tun-connect-without-reauth="1">' are present in the config.  As
of https://gitlab.com/openconnect/openconnect/-/merge_requests/292, we print
and act on this information.

We should also request feedback from users of Fortinet VPNs which don't
explicitly advertise either allowing or disallowing it.

See discussion at
https://gitlab.com/openconnect/openconnect/-/issues/297#note_664686767

Also, print the 'mr_num' field which is apparently part of some newer
Fortinet servers' version information.

Signed-off-by: Daniel Lenski <dlenski@gmail.com>
fortinet.c
tests/fake-fortinet-server.py
www/fortinet.xml

index 28abb90dced6ab8bc8c554fc251c1f54cb8b31b0..725f402d50614dc470a5814078ae7df6c8bf82f3 100644 (file)
@@ -398,7 +398,7 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf
                                                     _("Server reports that reconnect-after-drop is allowed within %d seconds, %s\n"),
                                                     dropped_session_cleanup,
                                                     check_ip_src ? _("but only from the same source IP address") : _("even if source IP address changes"));
-                               } else if (reconnect_after_drop == 0)
+                               } else
                                        vpn_progress(vpninfo, PRG_ERR,
                                                     _("Server reports that reconnect-after-drop is not allowed. OpenConnect will not\n"
                                                       "be able to reconnect if dead peer is detected. If reconnection DOES work,\n"
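Review bot: The `else` on the changed line leaves the multi-line `vpn_progress()` call unbraced while the `if` branch it pairs with is braced (the `}` on the same line); writing `} else {` and closing with `}` after the call keeps both arms in the same shape and avoids the dangling-body pattern. Dropping the `== 0` test also means this "not allowed" message now prints for every value that does not take the preceding branch, which is equivalent to the old code only if that `if` tests `reconnect_after_drop` for nonzero rather than `> 0`; that `if` is above the hunk, so I cannot confirm it here. Both the start of the enclosing `if` and the end of the `vpn_progress()` call lie outside the hunk.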
@@ -412,7 +412,8 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf
                                if (!xmlnode_get_prop(xml_node, "minor", &s))  p+=snprintf(p, e-p, ".%s", s);
                                if (!xmlnode_get_prop(xml_node, "patch", &s))  p+=snprintf(p, e-p, ".%s", s);
                                if (!xmlnode_get_prop(xml_node, "build", &s))  p+=snprintf(p, e-p, " build %s", s);
-                               if (!xmlnode_get_prop(xml_node, "branch", &s))    snprintf(p, e-p, " branch %s", s);
+                               if (!xmlnode_get_prop(xml_node, "branch", &s)) p+=snprintf(p, e-p, " branch %s", s);
+                               if (!xmlnode_get_prop(xml_node, "mr_num", &s))    snprintf(p, e-p, " mr_num %s", s);
                                vpn_progress(vpninfo, PRG_INFO,
                                             _("Reported platform is %s\n"), platform);
                        }
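Review bot: The `p+=snprintf(p, e-p, ...)` chain that the two changed lines extend advances `p` by snprintf's return value, which is the length the field would have needed, not the length written; once any earlier field is truncated, `p` passes `e`, `e-p` goes negative, and the next call receives that value as a huge `size_t` and writes past the buffer. The attribute values come from the server's XML, and the buffer, `p` and `e` are declared above the hunk, so I cannot tell how much headroom there is, but the pattern is unsafe regardless of the size. A small bounded-append helper that clamps the returned pointer at `e - 1` removes the hazard for all five fields; the `platform`/`major` lines above the hunk would use it too. parse_fortinet_xml_config starts and ends outside the hunk.
```c
/* Append "fmt" (one %s argument) to the buffer at p, bounded by e.
 * Unlike a bare p += snprintf(), the returned pointer never moves past
 * e - 1, so a truncated earlier field cannot make e - p negative. */
static char *append_bounded(char *p, char *e, const char *fmt, const char *s)
{
	int n;

	if (p >= e)
		return p;
	n = snprintf(p, e - p, fmt, s);
	if (n < 0)
		return p;
	if (n >= e - p)
		return e - 1;	/* truncated; NUL already placed at e - 1 */
	return p + n;
}

/* … unchanged: inside parse_fortinet_xml_config, platform/major handling above the hunk … */
if (!xmlnode_get_prop(xml_node, "minor", &s))  p = append_bounded(p, e, ".%s", s);
if (!xmlnode_get_prop(xml_node, "patch", &s))  p = append_bounded(p, e, ".%s", s);
if (!xmlnode_get_prop(xml_node, "build", &s))  p = append_bounded(p, e, " build %s", s);
if (!xmlnode_get_prop(xml_node, "branch", &s)) p = append_bounded(p, e, " branch %s", s);
if (!xmlnode_get_prop(xml_node, "mr_num", &s)) p = append_bounded(p, e, " mr_num %s", s);
/* … unchanged: vpn_progress("Reported platform is %s\n", platform) … */
```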
@@ -544,6 +545,13 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf
                }
        }
 
+       if (reconnect_after_drop < 0) {
+               vpn_progress(vpninfo, PRG_ERR,
+                            _("WARNING: Fortinet server does not specifically enable or disable reconnection\n"
+                              "    without reauthentication. If automatic reconnection does work, please\n"
+                              "    report results to <openconnect-devel@lists.infradead.org>\n"));
+       }
+
        if (reconnect_after_drop == -1)
                vpn_progress(vpninfo, PRG_ERR,
                             _("Server did not send <auth-ses tun-connect-without-reauth=\"0/1\"/>. OpenConnect will\n"
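Review bot: The new `if (reconnect_after_drop < 0)` block and the existing `if (reconnect_after_drop == -1)` block directly below it both fire for -1, so a server that omits `<auth-ses>` now gets two consecutive PRG_ERR messages that overlap ("does not specifically enable or disable" and "did not send"). If -1 is the only negative value the variable can hold — its initialisation is above the hunk, so this is inferred — the feedback request belongs inside the existing `== -1` block, e.g. by extending that message's text and dropping the new `if`; if other negative values are possible, the new block should at least be `else`d against the `== -1` one. The new message is also prefixed "WARNING:" yet logged at the same PRG_ERR level as the hard error below it; a comment such as `/* PRG_ERR so the feedback request is visible at default verbosity */` would make that deliberate. parse_fortinet_xml_config continues past the hunk.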
index 505eebfbad3033e45409750c31d621be55490296..c27ad09ea0d134df7a41d88021138db8bf8706f4 100755 (executable)
@@ -212,7 +212,8 @@ def xml_config():
               <dtls-config heartbeat-interval="10" heartbeat-fail-count="10" heartbeat-idle-timeout="10" client-hello-timeout="10"/>
               <tunnel-method value="ppp"/>
               <tunnel-method value="tun"/>
-              <fos platform="FakeFortigate" major="1" minor="2" patch="3" build="4567" branch="4567"/>
+              <fos platform="FakeFortigate" major="1" minor="2" patch="3" build="4567" branch="4567" mr_num="??"/>
+              <auth-ses tun-connect-without-reauth="1" check-src-ip="0" tun-user-ses-timeout="240"/>
               <ipv4>
                 <dns ip="1.1.1.1"/>
                 <dns ip="8.8.8.8" domain="foo.com"/>
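Review bot: The added `<auth-ses tun-connect-without-reauth="1" ...>` element is emitted unconditionally, so the fake server only ever drives the "reconnect allowed" path; the "not allowed" path (attribute `0`) and the element-absent path, for which the same commit adds a new warning in fortinet.c, have no fixture. Gating the element behind a parameter or query flag of `xml_config()` — whose signature is above the hunk — would let one server cover all three cases. `mr_num="??"` reads as a placeholder; since the commit message says the field's meaning is not yet known, a comment on that line noting it is a stand-in value would stop it being mistaken for the real format.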
index abe4ed2839609ec5a430cab27a6b903e0b40a264..7f23a9a455ec6058bff22d7f570daaa4d1483548 100644 (file)
@@ -45,7 +45,7 @@ list</a> so that we can add support to OpenConnect.</p>
 
 <h2>Quirks and Issues</h2>
 
-<p>Prior to server version FortiOS 6.2.1, the Fortinet protocol appears <i>not</i> to allow its
+<p>FortiGate server versions prior to v6.2.1 do <i>not</i> allow the
 post-authentication cookie (as output by <tt>--authenticate</tt>) to
 be used to reestablish a dropped connection. This means that if the
 client loses its connection to the gateway (for example, due to a