
I'm trying to get a Linux VPN client to connect to an SSL VPN with a Forcepoint firewall as endpoint. Also adding the previous name "Stonesoft" or "Stonegate", as most of the resources are found on the net under these.

I tried openvpn (fails early, as openvpn seems not to open the TLS session with a "Client Hello", therefore refused by the firewall). My attempt with openconnect went a bit further. I ran:

openconnect --servercert pin-sha256:<blabla> <public endpoint hostname> --verbose --no-dtls

This one fails with:

POST https://<public endpoint hostname>
Attempting to connect to server <public IP>:443
Connected to <public IP>:443
SSL negotiation with <public hostname>
Server certificate verify failed: signer not found
Connected to HTTPS on <public hostname>
Failed to read from SSL socket: Success.
Error fetching HTTPS response
GET https://<public hostname>
Attempting to connect to server <public IP>:443
Connected to <public IP>:443
SSL negotiation with <public hostname>
Server certificate verify failed: signer not found
Connected to HTTPS on <public hostname>
Failed to read from SSL socket: Success.
Error fetching HTTPS response
Failed to obtain WebVPN cookie

Apart from the ironical "Failed: success" message, the logs on the firewall are not very helpful:

  • SSL VPN connection - done
  • SSL VPN connection - closed

The recommended way to work is to use IPsec (with strongswan). I can get it to work, but IPsec is often blocked by other firewalls, and is therefore not suitable for our usage.

Have any of you guys successfully mounted a VPN to Forcepoint/Stonegate from Linux? (Ubuntu, CentOS, or whatever else doesn't matter.)

1 Answer


An official VPN client for Linux is now out. It is available on their download page at https://support.forcepoint.com/Downloads (behind a sign-up wall).