
"Unsupported version of FortiClient" message #1236

Open
pablob127 opened this issue Jul 24, 2024 · 12 comments
Comments

@pablob127

A few days ago my VPN stopped working, in the following way:

I can login correctly and the tunnels seem to be correctly set up. However, when I try to connect to any computer on the other side I simply cannot connect. From a traceroute, the packets do not even seem to reach the other end of the tunnel.

When I try to access the website, I get the following message:

    It seems you are using an unsupported version of FortiClient.

    Please disconnect your current VPN connection and download the official
    supported version of FortiClient from the <website>

I have tried with both the openfortivpn included in Debian 12 (1.19.0), and 1.22.1 (compiled by myself), and the behaviour is the same. I think that something changed in the VPN configuration that tries to enforce the Fortinet client. Do you think there may be any workarounds to avoid having to use that client?

Thanks!

@pablob127
Author

A bit more information:

It seems my institution's VPN has been recently updated, and now they have something called the "Zero Trust Fabric" enabled, and clients need to connect to that to (somehow) enable access. A search for this in the issues does not bring up anything.

I'm not very optimistic, and I think I will have to install the specific client my institution provides (not that I am very happy about that), but I wonder if there would be any way I could help get over this new hurdle.

Any info will be appreciated!

@DimitriPapadopoulos
Collaborator

The EMS client sends information about the client computer to the EMS server. In the absence of such information or if the EMS server is not happy with that information, the VPN server will block network traffic.

[screenshot: FortiClient]

Therefore, openfortivpn needs to be modified to:

  • extract/generate the information expected by the EMS server,
  • send that information to the EMS server at the proper moment and in the proper format.

OpenConnect does have such a mechanism for other types of VPN servers: it runs a trojan binary or script that finds the expected information and sends it to the server. However, to the best of my knowledge, no such script is currently available for Fortinet servers.

@pablob127
Author

I'm trying to get the official Linux client (for some reason you cannot just download it and they make it really annoying to get it!). Can you recommend some ways I could use to try to help figure out what information is needed and when?

@DimitriPapadopoulos
Collaborator

The EMS Linux client is only available from client accounts.

I would start with the FortiClient logs, they're pretty detailed. Then you might want to intercept the traffic to the telemetry server (see mitmproxy).

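One way to do the interception step from the comment above, added here as an example and not code from openfortivpn, FortiClient or any participant in this thread: a mitmproxy addon that records every request the endpoint makes to the EMS host, with timing relative to when the proxy started, so the posture upload can be lined up against the moment the tunnel comes up. The host name `ems.example.edu`, the output file name and the `fake_flow()` helper (an offline stand-in for a real mitmproxy flow) are assumptions; the real host comes from the FortiClient logs. Getting FortiClient's traffic through mitmproxy (transparent mode, and a client that trusts mitmproxy's CA) is a separate problem that this thread does not settle.

```python
"""mitmproxy addon that records what the endpoint sends to the EMS host.

Added example (not openfortivpn's or FortiClient's code). Run with:
    mitmdump -s ems_telemetry_log.py
The summarising/filtering logic is plain Python, so it can be exercised
without mitmproxy installed (see fake_flow below).
"""
import json
import logging
import time

try:
    from mitmproxy import http  # only needed when loaded by mitmdump
except ImportError:
    http = None

# Hypothetical EMS host name; replace with the host seen in the FortiClient logs.
WATCHED_HOSTS = {"ems.example.edu"}


def summarize(request, started_at):
    """Reduce one request to the fields worth lining up against the tunnel
    timeline: when it was sent, where, and what the body looked like."""
    body = request.content or b""
    ctype = request.headers.get("content-type", "")
    record = {
        "t": round(time.time() - started_at, 3),   # seconds since proxy start
        "method": request.method,
        "host": request.pretty_host,
        "path": request.path,
        "content_type": ctype,
        "body_len": len(body),
    }
    # A JSON body is what another client would have to reproduce, so keep it
    # structured; anything else is kept only as a short preview.
    if "json" in ctype.lower():
        try:
            record["body"] = json.loads(body)
            return record
        except ValueError:
            pass
    record["body_preview"] = body[:200].decode("utf-8", "replace")
    return record


class EmsTelemetryLogger:
    def __init__(self, hosts=WATCHED_HOSTS, outfile="ems-telemetry.jsonl"):
        self.hosts = set(hosts)
        self.outfile = outfile          # None keeps records in memory only
        self.started_at = time.time()
        self.records = []

    def request(self, flow):
        """mitmproxy calls this for every client request."""
        if flow.request.pretty_host not in self.hosts:
            return
        record = summarize(flow.request, self.started_at)
        self.records.append(record)
        logging.info("EMS request: %(method)s %(host)s%(path)s (%(body_len)d bytes)", record)
        if self.outfile:
            with open(self.outfile, "a", encoding="utf-8") as fh:
                fh.write(json.dumps(record) + "\n")

    def response(self, flow):
        """Log the server's answer so accept/reject can be matched to a request."""
        if flow.request.pretty_host in self.hosts and flow.response is not None:
            logging.info("EMS response: %s %s -> %d", flow.request.method,
                         flow.request.path, flow.response.status_code)


# mitmdump picks up the addon from this module-level list.
addons = [EmsTelemetryLogger()]


def fake_flow(host, path, body=b"", ctype="application/json", method="POST"):
    """Constructed stand-in for a mitmproxy HTTPFlow, for offline testing only.
    It exposes the same attributes the addon reads: request.pretty_host, .path,
    .method, .content and .headers (mapping with .get)."""
    class _Req:
        pass
    class _Flow:
        pass
    req = _Req()
    req.pretty_host, req.path, req.method = host, path, method
    req.content, req.headers = body, {"content-type": ctype}
    flow = _Flow()
    flow.request, flow.response = req, None
    return flow
```

The record per request is deliberately small: host, path, method, content type, body length and the decoded JSON body. Those are the fields you would need to compare against whatever a second client sends, and the `t` value tells you whether the upload happens before or after the tunnel is up.
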
@exzombie

exzombie commented Oct 2, 2024

I've been using openfortivpn with EMS for quite a while now, and it worked without issues. However, the official FortiClient needs to be set up and running, even though you don't use it to establish the VPN. It can do its zero-trust magic, despite the fact that the tunnel is set up by openfortivpn. This is with FortiClient 7.2.

@bobot

bobot commented Oct 2, 2024

Do you have details on which part of Forticlient must be running? Is everything transparent?

@exzombie

exzombie commented Oct 2, 2024

I don't know many details as the infra is managed by our IT. All I can say is that the GUI client (shown in the above screenshot) needs to be running on the endpoint. Then, it works without issues. At least from some version of FortiClient onwards; we did have problems with an earlier version where EMS tags were not applied to traffic coming from the VPN, and it was a strange thing because they were applied to traffic coming via OpenVPN (which we had running in parallel at the time, in a test setup). This was apparently fixed on the Fortinet side and it has worked ever since.

I may be totally wrong because I haven't found a good explanation of how these enterprise networking complications actually work. But in principle, EMS is a separate thing and on a higher layer than the VPN, right? It just tags your endpoint, while managing network interfaces can be done by other means.

@nlgranger

I cannot reproduce it here. Forticlient is running with EMS connected, but only forticlient can connect to the VPN, not openfortivpn.

@pablob127
Author

pablob127 commented Oct 7, 2024

    I've been using openfortivpn with EMS for quite a while now, and it worked without issues. However, the official FortiClient needs to be set up and running, even though you don't use it to establish the VPN. It can do its zero-trust magic, despite the fact that the tunnel is set up by openfortivpn. This is with FortiClient 7.2

I tried this, but it did not seem to work for me... :-(
I set up the tunnel with openfortivpn, and then ran the Forticlient. It seems to connect successfully to the EMS, but I could not connect to anything on the other side of the VPN (and I got the "unsupported version" message). If I set up the tunnel with Forticlient it works. It seems similar to what @nlgranger reports above.
Edit: This has been with the latest Forticlient 7.2

@exzombie

exzombie commented Oct 7, 2024

Let's try to be more precise, then. I have FortiClient version 7.2.3.4550.

    but I could not connect to anything on the other side of the VPN

Do you have any servers that you can connect to without EMS applying the correct tags? This would let you confirm that the tunnel actually works, before you delve into the EMS stuff.

And when it comes to EMS, you will need to work with your IT. They have the means to tell whether the tags are applied correctly. Perhaps the errors people are seeing are simply caused by the tags not being applied properly.

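The differential check suggested above, written out as an added example (not code from any participant in this thread or from openfortivpn): probe a control host that should be reachable without EMS tags, probe hosts behind the tag-gated policy, and fetch a web host to see whether the FortiGate's "unsupported version of FortiClient" page comes back. A host that answers "refused" still counts as reachable, because the packets got there; only timeouts and unreachable errors point at the tunnel or the policy. Host names and ports are placeholders you supply on the command line; `local_demo()` stands in for them with constructed listeners on 127.0.0.1 so the script runs offline.

```python
"""Differential reachability check: is the tunnel forwarding at all, or is the
firewall policy (EMS tags) blocking this endpoint? Added example, not project code."""
import http.client
import http.server
import socket
import sys
import threading

# Phrase from the block page quoted in this thread.
BLOCK_PAGE_MARKER = "unsupported version of forticlient"


def probe_tcp(host, port, timeout=3.0):
    """Return 'open', 'refused', 'timeout' or 'unreachable' for a TCP connect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"          # host answered: the path through the tunnel works
    except TimeoutError:
        return "timeout"          # silently dropped: policy block or dead tunnel
    except OSError:
        return "unreachable"      # no route / network unreachable on our side


def is_forticlient_block_page(host, port=80, path="/", timeout=3.0):
    """True if a plain HTTP fetch returns the FortiGate 'unsupported FortiClient' page."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        body = conn.getresponse().read().decode("utf-8", "replace")
    except OSError:
        return False
    finally:
        conn.close()
    return BLOCK_PAGE_MARKER in body.lower()


def classify(control_results, protected_results):
    """control: hosts that must be reachable without EMS tags (e.g. the EMS server's port);
    protected: hosts behind the tag-gated policy."""
    reachable = lambda r: r in ("open", "refused")
    if not any(reachable(r) for r in control_results):
        return "tunnel-not-forwarding"          # fix the tunnel first, EMS is not the problem yet
    if all(reachable(r) for r in protected_results):
        return "policy-allows"                  # tags applied (or no tag requirement)
    return "tunnel-up-policy-blocking"          # tunnel works, endpoint is not tagged/allowed


def run(control, protected, web_host=None):
    """control/protected: lists of (host, port); web_host: optional (host, port) for the page check."""
    ctrl = [probe_tcp(h, p) for h, p in control]
    prot = [probe_tcp(h, p) for h, p in protected]
    page = is_forticlient_block_page(*web_host) if web_host else None
    return {"control": ctrl, "protected": prot, "verdict": classify(ctrl, prot), "block_page": page}


def local_demo():
    """Offline stand-in (constructed, not real infrastructure): an open port,
    a closed port and a fake block page, all on 127.0.0.1."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]

    class BlockPage(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = b"It seems you are using an unsupported version of FortiClient."
            self.send_response(200)
            self.send_header("Content-Type", "text/html")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        def log_message(self, *args):
            pass
    httpd = http.server.HTTPServer(("127.0.0.1", 0), BlockPage)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()

    tmp = socket.socket()                      # grab a free port, then release it
    tmp.bind(("127.0.0.1", 0))
    closed_port = tmp.getsockname()[1]
    tmp.close()
    try:
        return {
            "open": probe_tcp("127.0.0.1", open_port),
            "closed": probe_tcp("127.0.0.1", closed_port),
            "block_page": is_forticlient_block_page("127.0.0.1", httpd.server_address[1]),
            "verdict": classify(["open"], ["timeout", "timeout"]),
        }
    finally:
        httpd.shutdown()
        httpd.server_close()
        listener.close()


if __name__ == "__main__":
    # usage: probe.py control_host:port protected_host:port ...  (no args: offline demo)
    if len(sys.argv) < 3:
        print(local_demo())
    else:
        pairs = [(a.rsplit(":", 1)[0], int(a.rsplit(":", 1)[1])) for a in sys.argv[1:]]
        print(run(pairs[:1], pairs[1:]))
```

Run it with the tunnel up and the EMS server's port as the control; if the verdict is `tunnel-up-policy-blocking`, the tunnel is not the problem and the ticket to IT can say so with the probe results attached.
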
@pablob127
Author

    Do you have any servers that you can connect to without EMS applying the correct tags? This would let you confirm that the tunnel actually works, before you delve into the EMS stuff.

I can only connect to a single (nonstandard) port on the EMS server, going through some router (likely the Fortinet appliance, which does not respond to pings). Anything else I tried seems to be blocked. But that leads me to believe that the tunnel is connected.

    And when it comes to EMS, you will need to work with your IT. They have the means to tell whether the tags are applied correctly. Perhaps the errors people are seeing are simply caused by the tags not being applied properly.

I guess you are correct. I checked the logs, and the EMS seems to connect properly (it says it is Online and OnNet). So I will need to open a ticket.


5 participants