Fortinet SSL VPN
Experimental support for Fortinet SSL VPN was added to OpenConnect in March 2021. It is also known as FortiGate in some documentation. It is a PPP-based protocol using the native PPP support which was merged into the 9.00 release.
Fortinet mode is requested by adding --protocol=fortinet to the command line:
openconnect --protocol=fortinet fortigate.example.com
Since TCP over TCP is very suboptimal, OpenConnect tries to always use PPP-over-DTLS, and will only fall over to the PPP-over-TLS tunnel if that fails, or if disabled via the --no-dtls argument.
Authentication
OpenConnect currently supports basic username/password, optional TLS client certificate, and optional multifactor authentication token entry via the two known challenge/response mechanisms: plaintext/"tokeninfo" (issue #225) and HTML forms (issue #332).
If you have access to a Fortinet VPN which uses other types of authentication, please send information to the mailing list so that we can add support to OpenConnect.
Quirks and Issues
FortiGate server versions prior to v6.2.1 do not allow the post-authentication cookie (as output by --authenticate) to be used to reestablish a dropped connection. This means that if the client loses its connection to the gateway (for example, due to a network outage, or after roaming to a different physical adapter) a new authentication will always be required. This is a substantial design flaw which is not present in any of the other protocols supported by OpenConnect.
Starting with FortiOS 6.2.1, an optional server-side setting (tun-connect-without-reauth) appears intended to support reconnection, but still doesn't work very well (see discussion on issue #297). Please send reports on success and failure with Fortinet reconnection to the mailing list so we can understand it better.
