Fortinet SSL VPN

Experimental support for Fortinet SSL VPN was added to OpenConnect in March 2021. It is also known as FortiGate in some documentation. It is a PPP-based protocol using the native PPP support which was merged into the 9.00 release.

Fortinet mode is requested by adding --protocol=fortinet to the command line:

  openconnect --protocol=fortinet fortigate.example.com

Since TCP over TCP is very suboptimal, OpenConnect tries to always use PPP-over-DTLS, and will only fall over to the PPP-over-TLS tunnel if that fails, or if disabled via the --no-dtls argument.

Authentication

OpenConnect currently supports basic username/password, optional TLS client certificate, and optional multifactor authentication token entry via the two known challenge/response mechanisms: plaintext/"tokeninfo" (issue #225) and HTML forms (issue #332).

If you have access to a Fortinet VPN which uses other types of authentication, please send information to the mailing list so that we can add support to OpenConnect.

Quirks and Issues

Prior to server version FortiOS 6.2.1, the Fortinet protocol appears not to allow its post-authentication cookie (as output by --authenticate) to be used to reestablish a dropped connection. This means that if the client loses its connection to the gateway (for example, due to a network outage, or after roaming to a different physical adapter) a new authentication will always be required. This is a substantial design flaw which is not present in any of the other protocols supported by OpenConnect.

Starting with FortiOS 6.2.1, an optional server-side setting (tun-connect-without-reauth) appears intended to support reconnection, but still doesn't work very well (see discussion on issue #297). Please send reports on success and failure with Fortinet reconnection to the mailing list so we can understand it better.