Bug 482165

Summary: Unable to connect to Fortinet based VPN using openconnect when SSO is required
Product: [Applications] systemsettings Reporter: Niels <nvaert1986>
Component: kcm_networkmanagementAssignee: Plasma Bugs List <plasma-bugs-null>
Status: REPORTED ---    
Severity: normal CC: jgrulich, smart2128vr
Priority: NOR    
Version First Reported In: unspecified   
Target Milestone: ---   
Platform: Gentoo Packages   
OS: Linux   
Latest Commit: Version Fixed/Implemented In:
Sentry Crash Report:

Description Niels 2024-03-01 15:36:07 UTC 
SUMMARY
***
I'm unable to connect to Fortinet based SSLVPN session using openconnect when SSL is required.
***


STEPS TO REPRODUCE
1. Connect to a Fortinet SSL-VPN based firewall where SSO is required
2. Enter SSO based username and password
3. Press connect

OBSERVED RESULT
Unable to connect

EXPECTED RESULT
A successfully established SSL-VPN session

SOFTWARE/OS VERSIONS
Windows: 
macOS: 
Linux/KDE Plasma: Gentoo Linux 2.14 (Kernel 6.6.14-gentoo) Plasma: 5.27.10
(available in About System)
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12

ADDITIONAL INFORMATION
To work around this issue, I need to login using the browser and then use the developer tools to extract the SVPNCOOKIE, connect it using the CLI using: openconnect --protocol=fortinet --cookie-on-stdin some.random.host:1443, paste the contents of the cookie and press enter to connect successfully.

Please see issue: https://gitlab.com/openconnect/openconnect/-/issues/356 for details, which is the exact same issue, but then openconnect-nm (Gnome) related.

What we'd need to do is call an external browser, login and return the cookie from the browser.
Comment 1 Niels 2024-09-02 09:20:01 UTC 
I just updated to 6.1.4 and the issue still persists (figured I'd update it, since this is a major upgrade)
Comment 2 Vincenzo Reale 2024-10-11 09:06:26 UTC 
I hoped it would have been fully integrated in Plasma 6.2, based on some webauth patches I had recently seen.
Looking at the debug log, it seems that it isn't able to retrieve the required cookie.

GET https://<VPN_ENDPOINT>/
Attempting to connect to server VPN_ENDPOINT:443
Connected to VPN_ENDPOINT:443
SSL negotiation with VPN_ENDPOINT
Server certificate verify failed: signer not found
Connected to HTTPS on VPN_ENDPOINT with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 11 Oct 2024 08:42:46 GMT
ETag: "83-65bac8f5"
Accept-Ranges: bytes
Content-Length: 131
Content-Type: text/html
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body length:  (131)
POST https:/VPN_ENDPOINT/remote/logincheck
Got HTTP response: HTTP/1.1 200 OK
Date: Fri, 11 Oct 2024 08:43:01 GMT
Set-Cookie:  SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
X-UA-Compatible: requiresActiveX=true
Transfer-Encoding: chunked
Content-Type: text/html; charset=utf-8
X-Frame-Options: SAMEORIGIN
Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https:  'unsafe-eval' 'unsafe-inline' blob:;
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=31536000
HTTP body chunked (-2)

Using openconnect, you can retrieve it with openfortivpn-webview:
openconnect --protocol=fortinet -C "$(openfortivpn-webview VPN_ENDPOINT)" VPN_ENDPOINT