From 8c36399e64a20e17e7419237f8d09279704c9718 Mon Sep 17 00:00:00 2001 From: Daniel Lenski Date: Tue, 31 Aug 2021 16:44:52 -0700 Subject: [PATCH] Print warning if Fortinet server doesn't indicate support/no-support for reconnect-after-drop FortiGate v6.2.1 and newer appear to support reconnect-after-drop without reauth, but only if the tag and attribute '' are present in the config. As of https://gitlab.com/openconnect/openconnect/-/merge_requests/292, we print and act on this information. We should also request feedback from users of Fortinet VPNs which don't explicitly advertise either allowing or disallowing it. See discussion at https://gitlab.com/openconnect/openconnect/-/issues/297#note_664686767 Also, print the 'mr_num' field which is apparently part of some newer Fortinet servers' version information. Signed-off-by: Daniel Lenski --- fortinet.c | 12 ++++++++++-- tests/fake-fortinet-server.py | 3 ++- www/fortinet.xml | 2 +- 3 files changed, 13 insertions(+), 4 deletions(-) diff --git a/fortinet.c b/fortinet.c index 28abb90d..725f402d 100644 --- a/fortinet.c +++ b/fortinet.c @@ -398,7 +398,7 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf _("Server reports that reconnect-after-drop is allowed within %d seconds, %s\n"), dropped_session_cleanup, check_ip_src ? _("but only from the same source IP address") : _("even if source IP address changes")); - } else if (reconnect_after_drop == 0) + } else vpn_progress(vpninfo, PRG_ERR, _("Server reports that reconnect-after-drop is not allowed. OpenConnect will not\n" "be able to reconnect if dead peer is detected. If reconnection DOES work,\n" 
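Review bot: Replacing `else if (reconnect_after_drop == 0)` with a bare `else` makes the "not allowed" message cover every value the preceding `if` rejects, and that `if`'s condition is outside the hunk; if it tests for a positive value and this branch can still run with the -1 "not sent" default in place, the message would contradict the `reconnect_after_drop < 0` warning this same commit adds further down the function. If the branch is only reached once the value has been set from the server's tag, that invariant should be stated where a reader can see it, e.g. `/* tag was present: a non-positive value here means the server disallows reconnect */` above the `else`. parse_fortinet_xml_config starts before and continues after this hunk.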
@@ -412,7 +412,8 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf if (!xmlnode_get_prop(xml_node, "minor", &s)) p+=snprintf(p, e-p, ".%s", s); if (!xmlnode_get_prop(xml_node, "patch", &s)) p+=snprintf(p, e-p, ".%s", s); if (!xmlnode_get_prop(xml_node, "build", &s)) p+=snprintf(p, e-p, " build %s", s); - if (!xmlnode_get_prop(xml_node, "branch", &s)) snprintf(p, e-p, " branch %s", s); + if (!xmlnode_get_prop(xml_node, "branch", &s)) p+=snprintf(p, e-p, " branch %s", s); + if (!xmlnode_get_prop(xml_node, "mr_num", &s)) snprintf(p, e-p, " mr_num %s", s); vpn_progress(vpninfo, PRG_INFO, _("Reported platform is %s\n"), platform); } @@ -544,6 +545,13 @@ static int parse_fortinet_xml_config(struct openconnect_info *vpninfo, char *buf } } + if (reconnect_after_drop < 0) { + vpn_progress(vpninfo, PRG_ERR, + _("WARNING: Fortinet server does not specifically enable or disable reconnection\n" + " without reauthentication. If automatic reconnection does work, please\n" + " report results to \n")); + } + if (reconnect_after_drop == -1) vpn_progress(vpninfo, PRG_ERR, _("Server did not send . OpenConnect will\n" diff --git a/tests/fake-fortinet-server.py b/tests/fake-fortinet-server.py index 505eebfb..c27ad09e 100755 --- a/tests/fake-fortinet-server.py +++ b/tests/fake-fortinet-server.py @@ -212,7 +212,8 @@ def xml_config(): - + + diff --git a/www/fortinet.xml b/www/fortinet.xml index abe4ed28..7f23a9a4 100644 --- a/www/fortinet.xml +++ b/www/fortinet.xml @@ -45,7 +45,7 @@ list so that we can add support to OpenConnect.
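Review bot: The added `p+=snprintf(p, e-p, " branch %s", s)` extends a pattern that is unsafe on truncation: `snprintf` returns the length it would have written, so once the accumulated attribute values exceed the remaining room `p` moves past `e`, and the next call, here the new `snprintf(p, e-p, " mr_num %s", s)`, receives a negative `e-p` converted to a huge `size_t`, i.e. an unbounded write into `platform`. These values are read from the server's XML via `xmlnode_get_prop`, so their length is not under the client's control. The declaration and size of `platform` are outside the hunk, so whether truncation is reachable cannot be confirmed from here, but a clamping helper removes the hazard for all six append lines at once; parse_fortinet_xml_config starts before and ends after this hunk.
```c
/* Append one formatted fragment to the [p, e) window without ever advancing
 * p past e: snprintf() reports the would-be length, so an unclamped p would
 * turn the next e-p into a huge size_t. Placed at file scope above the
 * function. */
static char *append_prop(char *p, char *e, const char *fmt, const char *s)
{
	if (p < e) {
		int n = snprintf(p, (size_t)(e - p), fmt, s);
		p = (n < 0 || n >= e - p) ? e : p + n;
	}
	return p;
}

	/* … unchanged: major/minor/patch/build lines, each rewritten as p = append_prop(p, e, …, s); … */
	if (!xmlnode_get_prop(xml_node, "branch", &s)) p = append_prop(p, e, " branch %s", s);
	if (!xmlnode_get_prop(xml_node, "mr_num", &s)) append_prop(p, e, " mr_num %s", s);
```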
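Review bot: The new `if (reconnect_after_drop < 0)` block also fires when `reconnect_after_drop == -1`, which the very next `if` handles with its own "Server did not send ..." message, so a server that omits the tag entirely now emits both warnings back to back. If -1 is reserved for the tag being absent, as the existing message suggests, the new check should exclude it or be chained after the existing test so the two messages stay mutually exclusive, e.g. `if (reconnect_after_drop == -1) { /* existing message */ } else if (reconnect_after_drop < 0) { /* new WARNING */ }`. A short comment naming which negative values reach the new block would also help, since the hunk shows only that -1 and "other negative" are meant to differ. The enclosing function continues beyond the hunk.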

Quirks and Issues

-

Prior to server version FortiOS 6.2.1, the Fortinet protocol appears not to allow its +

FortiGate server versions prior to v6.2.1 do not allow the post-authentication cookie (as output by --authenticate) to be used to reestablish a dropped connection. This means that if the client loses its connection to the gateway (for example, due to a -- 2.50.1