SUMMARY STEPS TO REPRODUCE 1. Setup openfortivpn connection with <host> or <host:port> as gateway 2. Save config3. 3. Try to connect OBSERVED RESULT In syslog: NetworkManager[1112]: <debug> [1575890075.2403] agent-manager: req[0x557e287b29d0, :1.34/org.kde.plasma.networkmanagement/1000]: agent returned secrets for request [0x557e287c4b20/"XXX"/"vpn"] NetworkManager[1112]: <debug> [1575890075.2407] settings-connection[0x557e28672d20,2a77d541-0d9e-417e-9f47-d3efda16f6ff]: (vpn:0x557e286bdf70) secrets returned from agent :1.34 NetworkManager[1112]: <debug> [1575890075.2408] settings-connection[0x557e28672d20,2a77d541-0d9e-417e-9f47-d3efda16f6ff]: (vpn:0x557e286bdf70) secrets request completed NetworkManager[1112]: <debug> [1575890075.2420] settings-connection[0x557e28672d20,2a77d541-0d9e-417e-9f47-d3efda16f6ff]: (vpn:0x557e286bdf70) saving new secrets to backing storage NetworkManager[1112]: <debug> [1575890075.2689] ++ connection 'get-new-secrets' (0x557e28682700/NMSimpleConnection/"vpn" < 0x557e28672d20/NMSKeyfileConnection/"vpn"): NetworkManager[1112]: <debug> [1575890075.2689] ++ vpn [ 0x7fa0e8014e80 < 0x557e2873e8a0 ] NetworkManager[1112]: <debug> [1575890075.2689] ++ vpn.secrets = ((GHashTable*) 0x7fa0e8014d80) < ((GHashTable*) 0x7fa0e8014f00) NetworkManager[1112]: <info> [1575890075.2705] settings-connection[0x557e28672d20,2a77d541-0d9e-417e-9f47-d3efda16f6ff]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/XXX (2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX")), connection was modified in the process NetworkManager[1112]: <debug> [1575890075.2715] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: asking service if additional secrets are required NetworkManager[1112]: <debug> [1575890075.2793] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: service indicated no additional secrets required NetworkManager[1112]: <debug> [1575890075.2800] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: Calling old Connect function as not all agents support interactive secrets NetworkManager[1112]: <info> [1575890075.2836] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: VPN plugin: state changed: starting (3) NetworkManager[1112]: INFO: Connected to gateway. NetworkManager[1112]: ERROR: Could not authenticate to gateway (Bad HTTP response code). NetworkManager[1112]: INFO: Closed connection to gateway. NetworkManager[1112]: INFO: Logged out. NetworkManager[1112]: <warn> [1575890075.7613] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: VPN plugin: failed: connect-failed (1) NetworkManager[1112]: <info> [1575890075.7614] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: VPN plugin: state changed: stopping (5) NetworkManager[1112]: <info> [1575890075.7615] vpn-connection[0x557e2879c400,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: VPN plugin: state changed: stopped (6) EXPECTED RESULT Succesful connection SOFTWARE/OS VERSIONS Linux/KDE Plasma: KDE neon 5.17.4 (available in About System) KDE Plasma Version: 5.17.4 KDE Frameworks Version: 5.64.0 Qt Version: 5.13.2 ADDITIONAL INFORMATION My organization uses a FortiVPN server on a non-standard port I think (443). It seems to me that the port information is no present in plasma-nm code. Note that the connection to the VPN is successful with the command-line client with the following configuration: # config file for openfortivpn, see man openfortivpn(1) host = <host> port = <port> username = <user> password = trusted-cert = <cert> Note also that we use a hardware token to generate one time password. Finally, I already saw a colleague connecting successfully to the VPN using the GNOME applet.
I wonder what we might be doing wrong, because there is no separate property for the port. We do it basically same way as Gnome (nm-connection-editor).
Well, in fact, I'm not sure that the problem comes from the port, as I was not able to get a clear error message. What makes me think it could be the port is that in the commandline tool config file, the port is separated and that if I am following the code correctly, the gateway field value is directly sent to a QHostAddress which has nothing to handle ports.
Well, in fact, I was wrong about the port. 443 is the default HTTPS port and seems to be the default in new versions of [1] (current github version is 1.11.0). In the version used on KDE Neon (1.6.0), setting the port in the configuration file was mandatory. BTW, an empty password field was also mandatory in the configuration file even when using one-time passwords. It is not anymore, it seems. But this is probably not interesting for my current pb with the plasma openfortivpn nm applet. I tried with the latest openfortivpn version and got different errors: NetworkManager[1060]: <info> [1576139547.1460] settings-connection[0x561b296e4b60,2a77d541-0d9e-417e-9f47-d3efda16f6ff]: write: successfully updated (keyfile: update /etc/NetworkManager/system-connections/XXX (2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX")), connection was modified in the process NetworkManager[1060]: <error> [1576139547.1495] vpn-connection[0x561b29724390,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"XXX",0]: final secrets request failed to provide sufficient secrets The /etc/NetworkManager/system-connections/XXX content is: [connection] id=XXX uuid=2a77d541-0d9e-417e-9f47-d3efda16f6ff type=vpn permissions=user:xxx:; [vpn] gateway=<host> otp-flags=2 password-flags=2 trusted-cert=xxx user=XYZ service-type=org.freedesktop.NetworkManager.fortisslvpn [ipv4] dns-search= method=auto [ipv6] addr-gen-mode=stable-privacy dns-search= method=auto [1] https://github.com/adrienverge/openfortivpn
I was finally able to connect by doing so: - install the current master of openfortivpn - force the install of network-manager-fortisslvpn_1.2.8-1ubuntu1_amd64.deb - in the plasma configuration GUI, set a fake password stored in clear for all users and ask fort a one time password - in the connect dialog, set my one time password BOTH in the password field AND in the OTP field. Note the putting a fake password in the password field of the connect dialog did not work either.
Hum, sorry. It is marked as connected but the connection does not work. Servers inside the domain do not answer. I'll try to find what happens later. I have to join a meeting right now.
Git commit fd8303b6a5e781c4cede89de2580f52b51132097 by Jan Grulich. Committed on 16/12/2019 at 14:12. Pushed by grulich into branch 'Plasma/5.17'. Fortisslvpn: add option to ignore the password M +9 -2 vpn/fortisslvpn/fortisslvpnwidget.cpp https://commits.kde.org/plasma-nm/fd8303b6a5e781c4cede89de2580f52b51132097
Can you try with the fix above? There is now an option to mark the password as not required.
Created attachment 124528 [details] Passwords problem as described in the bug report comment
It was a little bit difficult due to various version issues but I was able to connect to my VPN with the Plasma plugin. Thanks! There is 3 little problems though. I put them below, but maybe should I open new bug reports? - I had to manually set internal name server IPs in the IPv4 configuration box, while they are automatically set when using the commandline client; - As you can see in the attachments, the password dialog shows two fields instead of the OTP one only. And both has to be filled for the connection to work; - The OTP is visible in clear by default. But the OTP generated by my hardware token is completed by a PIN code (not shown in the screenshot :-) ). This should be hidden.
Created attachment 124541 [details] Patch fixing remaining issues Hi, can you try this patch? It should: 1) Hide the top password field in the auth dialog when the password is not required 2) Hides the input from OTP If I try this, I don't get the auth dialog from some reason, because NM doesn't ask for the OTP token when I set that the password is not required, but I believe this is an issue in the NM-fortisslvpn plugin.
I tried the patch. It does what is announced but I then get an error: <warn> [1576659928.7261] vpn-connection[0x55bc68a086d0,2a77d541-0d9e-417e-9f47-d3efda16f6ff,"VPNCEA",0]: VPN connection: failed to connect: 'Mot de passe VPN manquant ou non valide.' which translates to: "VPN password missing or invalid"
Created attachment 124581 [details] Update of the patch fixing the use of OTP password This version of the patch forces to password field to take the same value as the OTP one. This allows me to connect to my VPN.
I opened an issue here: https://gitlab.gnome.org/GNOME/NetworkManager-fortisslvpn/issues/21 I don't really know how this should be handled, it seems to be weird to set the password to the OTP token, when the password is explicitly set as not required.
Created attachment 138895 [details] New patch version necessary to be able to connect I'm still obliged to apply this patch at each plasma-nm release to be able to connect to my vpn.
(In reply to Gaël de Chalendar (aka Kleag) from comment #14) > Created attachment 138895 [details] > New patch version necessary to be able to connect > > I'm still obliged to apply this patch at each plasma-nm release to be able > to connect to my vpn. Open a merge request so we can upstream your change and you will no longer have to apply your patch yourself.
Hi, I (finally!) tried to made a merge request. I tried to to push to a branch called `work/kleag/fortisslvpn-otp-only` as it seems to be the format used in other merge requests but I was not allowed: ``` ❯ git push origin work/kleag/fortisslvpn-otp-only ERROR: Permission to KDE/plasma-nm.git denied to kleag. fatal: Could not read from remote repository. Please make sure you have the correct access rights and the repository exists. ❯ cat .git/config [core] repositoryformatversion = 0 filemode = true bare = false logallrefupdates = true [remote "origin"] url = git@github.com:KDE/plasma-nm.git fetch = +refs/heads/*:refs/remotes/origin/* [branch "master"] remote = origin merge = refs/heads/master ``` Where should I put my merge request?
(In reply to Gaël de Chalendar (aka Kleag) from comment #16) > Where should I put my merge request? Just ignore that. I will make the necessary fork.
A possibly relevant merge request was started @ https://invent.kde.org/plasma/plasma-nm/-/merge_requests/297