SUMMARY
***
I'm unable to connect to a Fortinet-based SSLVPN session using openconnect when SSL is required.
***

STEPS TO REPRODUCE
1. Connect to a Fortinet SSL-VPN based firewall where SSO is required
2. Enter SSO based username and password
3. Press connect

OBSERVED RESULT
Unable to connect

EXPECTED RESULT
A successfully established SSL-VPN session

SOFTWARE/OS VERSIONS
Windows:
macOS:
Linux/KDE Plasma: Gentoo Linux 2.14 (Kernel 6.6.14-gentoo)
Plasma: 5.27.10
(available in About System)
KDE Plasma Version: 5.27.10
KDE Frameworks Version: 5.115.0
Qt Version: 5.15.12

ADDITIONAL INFORMATION
To work around this issue, I need to log in using the browser and then use the developer tools to extract the SVPNCOOKIE, connect it using the CLI using:

    openconnect --protocol=fortinet --cookie-on-stdin some.random.host:1443

then paste the contents of the cookie and press enter to connect successfully.

Please see issue https://gitlab.com/openconnect/openconnect/-/issues/356 for details, which is the exact same issue, but then openconnect-nm (Gnome) related. What we'd need to do is call an external browser, log in and return the cookie from the browser.
I just updated to 6.1.4 and the issue still persists (figured I'd update it, since this is a major upgrade)
I hoped it would have been fully integrated in Plasma 6.2, based on some webauth patches I had recently seen. Looking at the debug log, it seems that it isn't able to retrieve the required cookie.

    GET https://<VPN_ENDPOINT>/
    Attempting to connect to server VPN_ENDPOINT:443
    Connected to VPN_ENDPOINT:443
    SSL negotiation with VPN_ENDPOINT
    Server certificate verify failed: signer not found
    Connected to HTTPS on VPN_ENDPOINT with ciphersuite (TLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
    Got HTTP response: HTTP/1.1 200 OK
    Date: Fri, 11 Oct 2024 08:42:46 GMT
    ETag: "83-65bac8f5"
    Accept-Ranges: bytes
    Content-Length: 131
    Content-Type: text/html
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000
    HTTP body length: (131)
    POST https:/VPN_ENDPOINT/remote/logincheck
    Got HTTP response: HTTP/1.1 200 OK
    Date: Fri, 11 Oct 2024 08:43:01 GMT
    Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict;
    Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict
    X-UA-Compatible: requiresActiveX=true
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=utf-8
    X-Frame-Options: SAMEORIGIN
    Content-Security-Policy: frame-ancestors 'self'; object-src 'self'; script-src 'self' https: 'unsafe-eval' 'unsafe-inline' blob:;
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000
    HTTP body chunked (-2)

Using openconnect, you can retrieve it with openfortivpn-webview:

    openconnect --protocol=fortinet -C "$(openfortivpn-webview VPN_ENDPOINT)" VPN_ENDPOINT
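A check for the debug log above, added here as an example (it is not part of the original comments, nor code from openconnect or Plasma): it classifies each Set-Cookie header of the logincheck response as issued or cleared, and reports only names and states so a session cookie value never ends up in a log. The function names are hypothetical; the sample headers are copied from the log in this comment.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Set-Cookie headers copied from the logincheck response in the debug log above.
SAMPLE_HEADERS = [
    "Set-Cookie: SVPNCOOKIE=; path=/; expires=Sun, 11 Mar 1984 12:00:00 GMT; "
    "secure; httponly; SameSite=Strict;",
    "Set-Cookie: SVPNNETWORKCOOKIE=; path=/remote/network; "
    "expires=Sun, 11 Mar 1984 12:00:00 GMT; secure; httponly; SameSite=Strict",
]


def parse_set_cookie(line):
    """Split one 'Set-Cookie: ...' line into (name, value, attrs)."""
    _, _, body = line.partition(":")
    parts = [p.strip() for p in body.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def cookie_state(line, now=None):
    """Return (name, 'issued' | 'cleared'); the cookie value is never returned."""
    now = now or datetime.now(timezone.utc)
    name, value, attrs = parse_set_cookie(line)
    expired = False
    if "expires" in attrs:
        try:
            expired = parsedate_to_datetime(attrs["expires"]) <= now
        except (TypeError, ValueError):
            expired = False  # unparsable date: judge on the value alone
    # An empty value or a past expiry date is how a server deletes a cookie.
    return name, "cleared" if (value == "" or expired) else "issued"


def session_cookie_issued(lines, wanted="SVPNCOOKIE"):
    """True only if some header sets a non-empty, unexpired `wanted` cookie."""
    states = [cookie_state(l) for l in lines if l.lower().startswith("set-cookie:")]
    return any(n == wanted and s == "issued" for n, s in states)


if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(*cookie_state(header))
    print("session cookie issued:", session_cookie_issued(SAMPLE_HEADERS))
```

Run on the headers from the log, both cookies come back as cleared: the response carries no usable SVPNCOOKIE.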