Connecting SSL VPN FortiGate using Fedora 24

OpenForti

OpenFortiGUI is an open-source VPN client for connecting to FortiGate VPN hardware. It is based on openfortivpn and adds an easy-to-use GUI on top of it, written in Qt5.

Unlike other VPN clients, it can also connect to multiple VPN destinations simultaneously. It is a replacement for the closed-source FortiClient SSL VPN client.

Important: Since version 0.2.12 the encoding of AES-encrypted passwords has changed because of a change in the upstream AES library. You must reset all passwords in your VPN profiles for them to work again; sorry for the inconvenience.

Features include:

  • Qt5 GUI, based on 5.5
  • openfortivpn library built-in, no separate download required
  • All settings saved in text files, so they are easy to share; passwords saved AES-encrypted (key can be defined as needed)
  • VPNs divided into local and global sections (read-only, useful for deployments to many users)
  • VPN-groups can be defined to start groups of VPNs at the same time
  • Trayicon with fast access to start/stop VPNs and groups
  • Multiple VPN connections possible simultaneously
  • Certificate and user/password auth supported
  • English and German languages
  • Source: https://github.com/theinvisible/openfortigui

Prebuilt packages are available for the following distros:

Ubuntu 16.04 (last Update 19.08.2017): 

OpenFortiGUI 0.3.3 32bit
OpenFortiGUI 0.3.3 64bit

Debian 9 (last Update 19.08.2017):

OpenFortiGUI 0.3.3 64bit

You can also use our apt mirror, for instructions see: https://styrion.at/apt/

Quick instructions to build from source:

  1. Install DEV-tools (on Ubuntu: build-essential, qt5-default, libssl-dev)
  2. git clone https://github.com/theinvisible/openfortigui.git
  3. cd openfortigui && git submodule init && git submodule update
  4. cd qtinyaes && git submodule init && git submodule update
  5. cd .. && qmake && make -j8
  6. The openfortigui binary is ready


Running from the command line:

sudo openfortivpn [<host>:<port>] [-u <user>] [-p <pass>]
    [--realm=<realm>]            (optional)
    [--no-routes]                (optional)
    [--no-dns]                   (optional)
    [--pppd-no-peerdns]          (optional)
    [--pppd-log=<file>]          (optional)
    [--pppd-plugin=<file>]       (optional)
    [--ca-file=<file>]           (optional)
    [--user-cert=<file>]         (optional)
    [--user-key=<file>]          (optional)
    [--trusted-cert=<digest>]    (needed if the gateway certificate does not validate against the system CA store)
    [-c <file>] [-v|-q]          (optional)
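As an added example (not part of the original post or of the openfortivpn project), the following Python script shows where the --trusted-cert value comes from: it is the hex SHA-256 digest of the gateway certificate's DER encoding, which openfortivpn prints when validation fails, and it writes a config file for -c <file> that pins that digest instead of storing the password. The host, port, username and realm values are assumptions, and the embedded certificate is a constructed stand-in.

```python
import base64
import hashlib
import re

# openfortivpn identifies a gateway certificate by the SHA-256 digest of its
# DER encoding; that hex digest is what --trusted-cert / "trusted-cert =" take.


def pem_to_der(pem):
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def cert_digest(pem):
    """Hex SHA-256 of the DER certificate, the value --trusted-cert expects."""
    return hashlib.sha256(pem_to_der(pem)).hexdigest()


def openfortivpn_config(host, port, username, gateway_pem, realm=None):
    """Render a config for 'openfortivpn -c <file>' that pins the gateway cert.

    The password is deliberately left out so that openfortivpn asks for it at
    run time rather than reading it from a file on disk.
    """
    lines = [f"host = {host}", f"port = {port}", f"username = {username}"]
    if realm:
        lines.append(f"realm = {realm}")
    lines.append(f"trusted-cert = {cert_digest(gateway_pem)}")
    return "\n".join(lines) + "\n"


# Constructed stand-in for the gateway certificate: its body is base64 of the
# bytes b"abc", not a real X.509 certificate, so the digest can be checked by
# hand against the well-known SHA-256("abc") test vector.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

if __name__ == "__main__":
    # Assumed values: vpn.example.net, port 443, user alice, realm staff.
    print(openfortivpn_config("vpn.example.net", 443, "alice", SAMPLE_PEM, realm="staff"))
```

With a real gateway, replace SAMPLE_PEM with the certificate saved from the gateway (for example via openssl s_client) and compare the printed digest with the one openfortivpn reports before trusting it.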

If it works, you will see INFO messages from openfortivpn confirming the connection.

Thanks
Source : Bits and

Reset Password

Cisco

1. Connect the console cable.
2. Reboot the router and press the Break key to interrupt the boot sequence.

For the break key sequence of your terminal program, see:
SOURCE: http://www.cisco.com/c/en/us/support/docs/routers/10000-series-routers/12818-61.html

Software | Platform | Operating System | Try This
Hyperterminal | IBM Compatible | Windows XP | Ctrl-Break
Hyperterminal | IBM Compatible | Windows 2000 | Ctrl-Break
Hyperterminal | IBM Compatible | Windows 98 | Ctrl-Break
Hyperterminal (version 595160) | IBM Compatible | Windows 95 | Ctrl-F6-Break
Kermit | Sun Workstation | UNIX | Ctrl-\l or Ctrl-\b
MicroPhone Pro | IBM Compatible | Windows | Ctrl-Break
Minicom | IBM Compatible | Linux | Ctrl-a f
ProComm Plus | IBM Compatible | DOS or Windows | Alt-b
SecureCRT | IBM Compatible | Windows | Ctrl-Break
Telix | IBM Compatible | DOS | Ctrl-End
Telnet | N/A | N/A | Ctrl-], then type send brk
Telnet to Cisco | IBM Compatible | N/A | Ctrl-]
Teraterm | IBM Compatible | Windows | Alt-b
Terminal | IBM Compatible | Windows | Break or Ctrl-Break
Tip | Sun Workstation | UNIX | Ctrl-], then Break or Ctrl-c; or ~#
VT 100 Emulation | Data General | N/A | F16
Windows NT | IBM Compatible | Windows | Break-F5, Shift-F5, or Shift-6 Shift-4 Shift-b (^$B)
Z-TERMINAL | Mac | Apple | Command-b
N/A | Break-Out Box | N/A | Connect pin 2 (X-mit) to +V for half a second
Cisco to aux port | N/A | N/A | Control-Shft-6, then b
N/A | IBM Compatible | N/A | Ctrl-Break

3. Set the configuration register to ignore the startup config, then reset
rommon 1 > confreg 0x2142
You must reset or power cycle for new config to take effect
rommon 2 > reset

4. Change the password
Type no after each setup question, or press Ctrl-C to skip the initial setup procedure:
Router> enable
Router# copy startup-config running-config
Destination filename [running-config]? (hit enter)
Building configuration…
[OK]
Router# configure terminal
Router(config)# enable password cisco
Router(config)# enable secret cisco
Router(config)# line console 0
Router(config-line)# password cisco
Router(config)# username cisco privilege 15 secret cisco
Router(config)# config-register 0x2102
Router(config)# exit
Router# copy running-config startup-config
Destination filename [startup-config]? (hit enter)
Building configuration…
[OK]
Router# reload

Juniper

SOURCE : http://kb.juniper.net

1. Connect your console cable with the settings 9600/8/N/1.
2. Power on the device and watch the screen for the line:
Hit [Enter] to boot immediately, or space bar for command prompt.
When you see that line, hit the SPACE BAR and you will receive an OK prompt.
3. At the OK prompt, boot the system into single-user mode by issuing the command
boot -s

4. The system boots in single-user mode and then prompts you to enter the path name for the shell or "recovery" for root password recovery. Since we are recovering the password, enter
recovery
5. The system then boots, runs a recovery script and places you at the > prompt
> edit
# set system root-authentication plain-text-password
# commit
# exit
> exit
Reboot the system? [y/n] y
Fortigate

SN: FGT-7152316537
L: maintainer
P: bcpbFGT-7152316537
(password = bcpb + SN)

HP:

1. Press the recessed Clear button for 10 s.
Once you release the Clear button, only the password protection is removed. All other configuration settings remain intact, and the switch does not reboot.
If you would like to disable the clear-password button on the front of the HP ProCurve switch, enter the following:
> conf t
Switch(config)# no front-panel-security password-clear
You will also notice the reset button next to the clear button. To disable this button, enter the following:
Switch(config)# no front-panel-security factory-reset
Both buttons are now disabled. If you would like to enable these buttons again, do so with the commands below:
Switch(config)# front-panel-security password-clear
Switch(config)# front-panel-security factory-reset
Finally, if you are unsure of the status of the reset and clear buttons on the ProCurve switch, enter the following:
Switch(config)# show front-panel-security

Site-to-Site IPsec VPN Cisco Router to FortiGate

ROUTER1
# sh run
version 15.1
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
hostname R1a
boot-start-marker
boot system flash:c2800nm-adventerprisek9-mz.151-4.M10.bin
warm-reboot count 10 uptime 7
boot-end-marker
aaa new-model
aaa session-id common
dot11 syslog
ip source-route
ip cef
ip dhcp excluded-address 10.0.31.201 10.0.31.254
ip dhcp excluded-address 10.0.31.1 10.0.31.100
ip dhcp pool pool10.0.31.0
network 10.10.1.0 255.255.255.0
default-router 10.10.1.1
dns-server 8.8.8.8 8.8.4.4
no ip domain lookup
ip domain name kulirj45.com
ip name-server 8.8.8.8
ip name-server 8.8.4.4
no ipv6 cef
multilink bundle-name authenticated
redundancy
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key kulirj45.wordpress.com address 0.0.0.0 0.0.0.0
crypto ipsec transform-set TS esp-3des esp-md5-hmac
crypto ipsec profile 3DESMD5
set transform-set TS
set pfs group2
!
interface Tunnel1
ip unnumbered FastEthernet0/0.206
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.10.10.207
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel2
ip unnumbered FastEthernet0/0.221
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.0.10.221
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel3
ip unnumbered FastEthernet0/0.224
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.10.10.224
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel4
ip unnumbered FastEthernet0/0.226
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.10.10.226
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel5
ip unnumbered FastEthernet0/0.228
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.10.10.228
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel6
ip unnumbered FastEthernet0/0.230
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.10.10.230
tunnel protection ipsec profile 3DESMD5
!
interface Tunnel7
ip unnumbered FastEthernet0/0.232
tunnel source 10.10.10.206
tunnel mode ipsec ipv4
tunnel destination 10.10.10.232
tunnel protection ipsec profile 3DESMD5
!
interface FastEthernet0/0
ip address 10.10.10.206 255.255.255.0
ip nat outside
ip virtual-reassembly in
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 10.10.31.1 255.255.255.0
ip nat inside
ip virtual-reassembly in
duplex auto
speed auto
!
ip forward-protocol nd
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
ip nat inside source list 101 interface FastEthernet0/0 overload
ip route 0.0.0.0 0.0.0.0 10.0.10.1
ip route 10.10.41.0 255.255.255.0 Tunnel1
ip route 10.10.42.0 255.255.255.0 Tunnel2
ip route 10.10.43.0 255.255.255.0 Tunnel3
ip route 10.10.44.0 255.255.255.0 Tunnel4
ip route 10.10.45.0 255.255.255.0 Tunnel5
ip route 10.10.46.0 255.255.255.0 Tunnel6
ip route 10.10.47.0 255.255.255.0 Tunnel7
access-list 101 permit ip 10.10.31.0 0.0.0.255 any
!
control-plane
mgcp fax t38 ecm
mgcp profile default
line con 0
line aux 0
line vty 0 4
transport input all
line vty 5 15
transport input ssh
scheduler allocate 20000 1000
end

- Refresh the routing table if needed:
# clear ip route *

FORTIGATE2
- Create address objects

- Create a VPN tunnel

- Create a Policy/IPv4 entry

- Create a static route

- Back to Cisco1
Make sure that after 5 min the route to 10.10.44.0 through Tunnel4 appears:
# clear ip route *
# sh ip route
S*    0.0.0.0/0 [1/0] via 10.10.10.1
10.0.0.0/8 is variably subnetted, 8 subnets, 2 masks
C        10.10.10.0/24 is directly connected, FastEthernet0/0
L        10.10.10.206/32 is directly connected, FastEthernet0/0
C        10.10.31.0/24 is directly connected, FastEthernet0/1
L        10.10.31.1/32 is directly connected, FastEthernet0/1
S        10.10.41.0/24 is directly connected, Tunnel1
S        10.10.43.0/24 is directly connected, Tunnel3
S        10.10.44.0/24 is directly connected, Tunnel4
S        10.10.47.0/24 is directly connected, Tunnel7

You can try a ping from PC1 to PC2 now.
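As an added example that is not from the original post, this Python check parses the router's running config and the sh ip route output to report which tunnel routes have not appeared yet (in the page's output, Tunnel2, Tunnel5 and Tunnel6 are still missing), and flags the legacy ISAKMP settings (3DES, MD5, DH group 2) and the 0.0.0.0 0.0.0.0 wildcard pre-shared key in the config above. The excerpts are constructed from the page's own config and output, trimmed to the relevant lines.

```python
import re

# Constructed excerpts of the page's R1a "sh run" and "sh ip route" output, trimmed.
RUNNING_CONFIG = """\
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key kulirj45.wordpress.com address 0.0.0.0 0.0.0.0
ip route 10.10.41.0 255.255.255.0 Tunnel1
ip route 10.10.42.0 255.255.255.0 Tunnel2
ip route 10.10.44.0 255.255.255.0 Tunnel4
"""
SHOW_IP_ROUTE = """\
S*    0.0.0.0/0 [1/0] via 10.10.10.1
S        10.10.41.0/24 is directly connected, Tunnel1
S        10.10.44.0/24 is directly connected, Tunnel4
"""
# ISAKMP policy settings from the page that current guidance treats as legacy.
LEGACY = {"encr 3des": "3DES (64-bit block cipher)", "hash md5": "MD5 hash",
          "group 2": "1024-bit DH group 2"}


def prefix_len(mask):
    """Dotted-decimal mask -> prefix length, e.g. 255.255.255.0 -> 24."""
    return sum(bin(int(octet)).count("1") for octet in mask.split("."))


def expected_tunnel_routes(config):
    """Static routes pointed at Tunnel interfaces: {'10.10.41.0/24': 'Tunnel1', ...}."""
    pat = re.compile(r"^ip route (\S+) (\S+) (Tunnel\d+)$", re.M)
    return {f"{net}/{prefix_len(mask)}": tun for net, mask, tun in pat.findall(config)}


def installed_routes(show_output):
    """Routes actually in the RIB: {'10.10.41.0/24': 'Tunnel1', ...}."""
    pat = re.compile(r"^\S+\s+(\S+/\d+) is directly connected, (\S+)$", re.M)
    return dict(pat.findall(show_output))


def missing_tunnel_routes(config, show_output):
    """Tunnel routes in the config that have not shown up in 'sh ip route' yet."""
    have = installed_routes(show_output)
    return sorted((net, tun) for net, tun in expected_tunnel_routes(config).items()
                  if have.get(net) != tun)


def isakmp_findings(config):
    """Legacy algorithms plus a pre-shared key accepted from any peer address."""
    found = [desc for line, desc in LEGACY.items() if re.search(f"^{line}$", config, re.M)]
    if re.search(r"^crypto isakmp key \S+ address 0\.0\.0\.0 0\.0\.0\.0$", config, re.M):
        found.append("pre-shared key bound to any peer (address 0.0.0.0 0.0.0.0)")
    return found
```

Feed the full sh run and sh ip route text to the same functions to get the complete list of tunnels whose routes have not come up, which is a quicker check than reading the table by eye.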
