ancwrd1 / snx-rs

Open source Linux client for Checkpoint VPN tunnels
GNU Affero General Public License v3.0

Unable to fetch login types with GUI #21

Closed IdiotEbrilo closed 1 month ago

IdiotEbrilo commented 1 month ago

Hi! Sorry to annoy you once again, but I've been experimenting with snx-rs-gui for some time, and it apparently is unable to fetch login types that can be obtained with the console.

Here's the output of snx-rs -m info (I removed some personal info):

Screenshot from 2024-05-13 18-06-43

So login options are available, although the cert check must be disabled. But when I try to do the same with the GUI app, it says it's unable to fetch anything from the data it received:

Screenshot from 2024-05-13 18-06-29

Cert check is disabled too:

Screenshot from 2024-05-13 18-17-13

What am I doing wrong?

Update: also noticed that the GUI app attempts to get login types from https://DOMAIN/clients, while the console command uses just https://DOMAIN.

ancwrd1 commented 1 month ago

I think it's probably just a bug. Could you please run the following command and attach the output (redacting any sensitive info)? Replace SERVER_ADDRESS with your VPN GW.

curl -k -X POST -d '(CCCclientRequest :RequestHeader ( :id (0) :type (ClientHello)) :RequestData ( :client_info ( :client_type (TRAC) :client_version (1) :client_support_saml (true))))' https://SERVER_ADDRESS/clients

IdiotEbrilo commented 1 month ago

Here it goes:

(CCCserverResponse
    :ResponseHeader (
        :id (0)
        :type (ClientHello)
        :session_id ()
        :return_code (600)
    )
    :ResponseData (
        :protocol_version (
            :protocol_version (100)
            :features (0x1)
        )
        :upgrade_configuration (
            :available_client_version (835000022)
            :client_upgrade_url ("/CSHELL/")
            :upgrade_mode (no_upgrade)
        )
        :connectivity_info (
            :default_authentication_method (client_decide)
            :client_enabled (true)
            :supported_data_tunnel_protocols (
                : (IPSec)
                : (SSL)
                : (L2TP)
            )
            :connectivity_type (IPSec)
            :server_ip (10.5.242.70)
            :ipsec_transport (auto_detect)
            :tcpt_port (443)
            :natt_port (4500)
            :connect_with_certificate_url ("/clients/cert/")
            :cookie_name (CPCVPN_SESSION_ID)
            :internal_ca_fingerprint (
                :1 (707371107877627815647e62630478707c6909ff0c010d13030e71610f0d1a086074110a0513121713097018137c776e07ff1d660b051d6c)
            )
        )
        :end_point_security (
            :ics (
                :run_ics (false)
                :ics_base_url ("/clients/ICS/components")
                :ics_version (403006000)
                :ics_upgrade_url ("/clients/ICS/components/icsweb.cab")
                :ics_images_url ("/clients/ICS/components/ICS_images.cab")
                :ics_images_ver (403006000)
                :ics_cab_url ("/clients/ICS/components/cl_ics.cab")
                :ics_cab_version ("994000010
")
            )
        )
        :login_options_data (
            :login_options_list (
                :0 (
                    :id (vpn_Certificate_**********)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name ("********** Certificate")
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (capi)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
                :1 (
                    :id (vpn_**********-Certificate)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name ("********** Certificate")
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (any)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
                :2 (
                    :id (vpn_Cert_DID)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name (**********_Contracts)
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (capi)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
                :3 (
                    :id (vpn_dso-cert)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name ("DSO Certificate")
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (capi)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
                :4 (
                    :id (vpn_DSO_Capsule)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name ("DSO capsule certificate")
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (any)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
                :5 (
                    :id (vpn_**********_ca2)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name ("********** **********")
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (capi)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
                :6 (
                    :id (vpn)
                    :secondary_realm_hash (1679091c5a880faf6fb5e6087eb1b2dc)
                    :display_name (Standard)
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (certificate)
                            :securid_card_type ()
                            :certificate_storage_type (capi)
                            :custom_display_labels (
                                :header ("Please provide certificate in order to authenticate")
                            )
                        )
                    )
                )
            )
            :login_options_md5 (63596529732fdb11915ceb72660e0515)
        )
    )
)
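
The response above is a nested `:key (value)` text format. As an added example (not part of the thread and not snx-rs code), this Rust program flattens such a response into path/value rows and lists the advertised login option ids, which is the check the console and GUI disagreed on. `SAMPLE`, `take`, `flatten` and `login_option_ids` are hypothetical names, and the sample body is constructed from the shape of the output posted here.

```rust
use std::{iter::Peekable, str::Chars};

// Constructed sample, cut down from the response shape shown in the thread.
const SAMPLE: &str = r#"(CCCserverResponse
  :ResponseHeader ( :id (0) :type (ClientHello) :session_id () :return_code (600) )
  :ResponseData ( :login_options_data ( :login_options_list (
    :0 ( :id (vpn_Cert_DID) :display_name ("Example Certificate")
         :factors ( :0 ( :factor_type (certificate) :securid_card_type () ) ) )
    :1 ( :id (vpn) :display_name (Standard) ) ) ) ) )"#;

// Reads characters until `stop` matches; the matching character is not consumed.
fn take(it: &mut Peekable<Chars>, stop: impl Fn(char) -> bool) -> String {
    let mut s = String::new();
    while let Some(c) = it.next_if(|c| !stop(*c)) { s.push(c); }
    s
}

// Flattens ":key (value)" pairs into ("Root/key/subkey", "value") rows; None if unbalanced.
fn flatten(resp: &str) -> Option<Vec<(String, String)>> {
    let mut it = resp.trim().strip_prefix('(')?.chars().peekable();
    let mut path = vec![take(&mut it, |c| c.is_whitespace() || c == ')')];
    let mut out = Vec::new();
    loop {
        take(&mut it, |c| !c.is_whitespace());
        match it.next() {
            Some(')') => { path.pop()?; }
            Some(':') => {
                path.push(take(&mut it, |c| c.is_whitespace() || c == '('));
                take(&mut it, |c| !c.is_whitespace());
                it.next_if_eq(&'(')?;
                take(&mut it, |c| !c.is_whitespace());
                if it.peek() == Some(&':') { continue; } // nested map follows
                let v: String = match it.next_if_eq(&'"') {
                    Some(_) => it.by_ref().take_while(|c| *c != '"').collect(),
                    None => take(&mut it, |c| c == ')').trim().to_string(),
                };
                out.push((path.join("/"), v));
            }
            other => return if other.is_none() && path.is_empty() { Some(out) } else { None },
        }
    }
}

// Ids of the login options advertised in a ClientHello response.
fn login_option_ids(resp: &str) -> Option<Vec<String>> {
    const LIST: &str = "CCCserverResponse/ResponseData/login_options_data/login_options_list/";
    let is_id = |p: &str| p.strip_prefix(LIST).map_or(false, |r| r.matches('/').count() == 1 && r.ends_with("/id"));
    Some(flatten(resp)?.into_iter().filter(|(p, _)| is_id(p)).map(|(_, v)| v).collect())
}
fn main() { println!("{:?}", login_option_ids(SAMPLE)); }
```

A body with unbalanced parentheses, such as a truncated download, yields `None` rather than a partial list of options.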

ancwrd1 commented 1 month ago

Please pull the changes, build and try again.

IdiotEbrilo commented 1 month ago

Thanks! Now it connects.

IdiotEbrilo commented 1 month ago

But here's one more thing with routing. I set it to ignore all routes provided by the snx server and add one route manually:

Screenshot from 2024-05-13 19-14-53

But it adds a completely different route:

Screenshot from 2024-05-13 19-14-38

So I can add it only manually with the console:

sudo ip route add 10.0.0.0/8 dev snx-xfrm scope link

How can I add custom static routes with the GUI app?

ancwrd1 commented 1 month ago

So there was yet another bug (manual routes ignored for IPSec tunnel), now fixed. Thanks for reporting.

ancwrd1 commented 1 month ago

The one on the screenshot is the kernel route added automatically when the interface is configured with an IP address.

IdiotEbrilo commented 1 month ago

Connects flawlessly now. Thanks for your work!