Hello,

I would like to connect to the corporate Fortinet VPN using OpenConnect. After connecting, I am able to successfully SSH to my computer using IP, but not using a hostname. While this is not a huge problem when using SSH, it makes me unable to access intranet websites—they are only available by URL and the connection times out when I try to open them.

I don't know much about networking, so please be understanding if I miss
something obvious. Here is a `resolvectl` output:

$ resolvectl
Global
         Protocols: +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
Fallback DNS Servers: 1.1.1.1#cloudflare-dns.com 9.9.9.9#dns.quad9.net 8.8.8.8#dns.google 2606:4700:4700::1111#cloudflare-dns.com 2620:fe::9#dns.quad9.net 2001:4860:4860::8888#dns.google

Link 2 (enp4s0)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: +DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.0.1
     DNS Servers: 192.168.3.1 192.168.0.1
      DNS Domain: lan

Link 7 (vpn0)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.1
     DNS Servers: 192.168.3.1
      DNS Domain: corpo.com

192.168.3.1 is the DNS IP. For me, everything looks correct here. Here is a log
from `openconnect` itself:

$ sudo openconnect --protocol=fortinet -u cezdro corpo.com:10443
GET https://corpo.com:10443/
Connected to xx.xx.xxx.xxx:10443
SSL negotiation with corpo.com
Connected to HTTPS on corpo.com with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
Password:
POST https://corpo.com:10443/remote/logincheck
POST https://corpo.com:10443/remote/logincheck
Error reading HTTP response: Invalid argument
Retrying failed POST request on new connection
POST https://corpo.com:10443/remote/logincheck
SSL negotiation with corpo.com
Connected to HTTPS on corpo.com with ciphersuite (TLS1.3)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
GET https://corpo.com:10443/remote/fortisslvpn_xml?dual_stack=1
DTLS is enabled on port 10443
Server reports that reconnect-after-drop is allowed within 255 seconds, but only from the same source IP address
WARNING: Got split-DNS domains corpo.com,corpo2.com,corpo3.com (not yet implemented)
WARNING: Got split-DNS server 192.168.3.1 (not yet implemented)
WARNING: Got split-DNS server 192.168.3.254 (not yet implemented)
Got search domain corpo.com
Got IPv4 DNS server 192.168.3.1
Got Legacy IP address 10.xxx.xxx.x
Got IPv4 route 192.168.3.0/255.255.255.0
Got IPv4 route 192.168.17.2/255.255.255.255
Got IPv4 route 10.0.2.0/255.255.255.0
Got IPv4 route 192.168.2.0/255.255.255.0
Got IPv4 route 192.168.44.2/255.255.255.255
Idle timeout is 0 minutes.
Received split routes; not setting default Legacy IP route
Established DTLS connection (using GnuTLS). Ciphersuite (DTLS1.2)-(ECDHE-SECP384R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM).
Requesting calculated MTU of 1351
Configured as 10.xxx.xxx.x, with SSL disconnected and DTLS established
Session authentication will expire at Mon Dec 18 22:47:23 2023

Using vhost-net for tun acceleration, ring size 32

All the intranet websites are the subdomains of corpo.com (of course the real
name is different), e.g. wiki.corpo.com, files.corpo.com etc.

Public internet websites all work as expected. Is there something I can do?

Cezary Drożak
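As an added example (not part of the original post), the following script cross-checks what the gateway announced in the openconnect log above (split-DNS domains and servers, which openconnect warns it does not yet apply) against what systemd-resolved actually has configured on the vpn0 link, so the gap between the two is visible without reading both outputs by hand. The log and resolvectl excerpts are embedded as constructed strings taken from the post.

```python
import re

# Constructed excerpt of the openconnect log quoted in the post.
OPENCONNECT_LOG = """\
WARNING: Got split-DNS domains corpo.com,corpo2.com,corpo3.com (not yet implemented)
WARNING: Got split-DNS server 192.168.3.1 (not yet implemented)
WARNING: Got split-DNS server 192.168.3.254 (not yet implemented)
Got search domain corpo.com
Got IPv4 DNS server 192.168.3.1
"""

# Constructed excerpt of the `resolvectl` output for the VPN link.
RESOLVECTL_VPN_LINK = """\
Link 7 (vpn0)
  Current Scopes: DNS LLMNR/IPv4 LLMNR/IPv6 mDNS/IPv4 mDNS/IPv6
Protocols: -DefaultRoute +LLMNR +mDNS -DNSOverTLS DNSSEC=no/unsupported
Current DNS Server: 192.168.3.1
     DNS Servers: 192.168.3.1
      DNS Domain: corpo.com
"""

def parse_openconnect(log):
    """Return (split_domains, split_servers) the gateway announced."""
    domains, servers = [], []
    for line in log.splitlines():
        m = re.search(r"split-DNS domains (\S+)", line)
        if m:
            domains.extend(m.group(1).split(","))
        m = re.search(r"split-DNS server (\S+)", line)
        if m:
            servers.append(m.group(1))
    return domains, servers

def parse_resolvectl_link(text):
    """Return (routing_domains, dns_servers) configured on one link.
    In systemd-resolved a plain search domain also acts as a routing
    domain; a '~' prefix marks a routing-only domain, so it is stripped."""
    domains, servers = [], []
    for line in text.splitlines():
        key, _, value = line.strip().partition(": ")
        if key == "DNS Domain":
            domains.extend(d.lstrip("~") for d in value.split())
        elif key == "DNS Servers":
            servers.extend(value.split())
    return domains, servers

def missing_split_dns(log, link_text):
    """Domains and servers the gateway wants that the link does not have."""
    want_domains, want_servers = parse_openconnect(log)
    have_domains, have_servers = parse_resolvectl_link(link_text)
    return (sorted(set(want_domains) - set(have_domains)),
            sorted(set(want_servers) - set(have_servers)))
```

With the post's own data the check reports corpo2.com, corpo3.com and 192.168.3.254 as announced but not configured on vpn0, which matches the "not yet implemented" warnings.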

_______________________________________________
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel