ancwrd1 / snx-rs

Open source Linux client for Checkpoint VPN tunnels
GNU Affero General Public License v3.0

MFA authentication not working #22

Closed podly closed 1 month ago

podly commented 1 month ago

Hi,

I'm trying to get this working with username + password + SMS verification code. Username and password seem to authenticate OK, but there is no prompt for providing the SMS code. Each time I try to connect, I receive an SMS with a code twice. Any chance to get this working?

Thx.

2024-06-04T11:12:08.313592Z DEBUG snx_rs: >>> Starting snx-rs client version 2.2.1
2024-06-04T11:12:08.313635Z DEBUG snx_rs: Running in standalone mode
2024-06-04T11:12:08.313710Z  WARN snxcore::ccc: Disabling all certificate checks!!!
2024-06-04T11:12:08.467926Z TRACE snxcore::ccc: Request to server: (CCCclientRequest
    :RequestData (
        :client_info (
            :client_support_saml (true)
            :client_type (SYMBIAN)
            :client_version (1)))
    :RequestHeader (
        :id (2)
        :type (ClientHello)))
2024-06-04T11:12:08.468143Z TRACE hyper_util::client::legacy::pool: checkout waiting for idle connection: ("https", 10.10.10.10)
2024-06-04T11:12:08.468210Z TRACE hyper_util::client::legacy::connect::http: Http::connect; scheme=Some("https"), host=Some("10.10.10.10"), port=None
2024-06-04T11:12:08.468242Z DEBUG hyper_util::client::legacy::connect::http: connecting to 10.10.10.10:443
2024-06-04T11:12:08.503449Z DEBUG hyper_util::client::legacy::connect::http: connected to 10.10.10.10:443
2024-06-04T11:12:08.580932Z TRACE hyper_util::client::legacy::client: http1 handshake complete, spawning background dispatcher task
2024-06-04T11:12:08.581350Z TRACE hyper_util::client::legacy::pool: checkout dropped for ("https", 10.10.10.10)
2024-06-04T11:12:08.615635Z TRACE snxcore::ccc: Reply from server: (CCCserverResponse
    :ResponseHeader (
        :id (2)
        :type (ClientHello)
        :session_id ()
        :return_code (600)
    )
    :ResponseData (
        :protocol_version (
            :protocol_version (100)
            :features (0x1)
        )
        :upgrade_configuration (
            :available_client_version (0)
            :client_upgrade_url ()
            :upgrade_mode (ask_user)
        )
        :connectivity_info (
            :default_authentication_method (legacy)
            :client_enabled (true)
            :supported_data_tunnel_protocols (
                : (IPSec)
                : (SSL)
                : (L2TP)
            )
            :connectivity_type (IPSec)
            :server_ip (10.10.10.10)
            :ipsec_transport (auto_detect)
            :tcpt_port (443)
            :natt_port (4500)
            :connect_with_certificate_url ("/clients/cert/")
            :cookie_name (CPCVPN_SESSION_ID)
            :internal_ca_fingerprint (
                :1 (606d6178057b7d7d731f616f7a7c01767e6a71046c070a09687d040d780b6b1a010217ff16100713171b17097008177b7775160404660f021a60)
            )
        )
        :end_point_security (
            :ics (
                :run_ics (false)
                :ics_base_url ("/clients/ICS/components")
                :ics_version (403006000)
                :ics_upgrade_url ("/clients/ICS/components/icsweb.cab")
                :ics_images_url ("/clients/ICS/components/ICS_images.cab")
                :ics_images_ver (403006000)
                :ics_cab_url ("/clients/ICS/components/cl_ics.cab")
                :ics_cab_version ("996000036
")
            )
        )
        :login_options_data (
            :login_options_list (
                :0 (
                    :id (vpn)
                    :secondary_realm_hash (c4ca4238a0b923820dcc509a6f75849b)
                    :display_name (Standard)
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (user_defined)
                            :securid_card_type ()
                            :certificate_storage_type ()
                            :custom_display_labels ()
                        )
                    )
                )
            )
            :login_options_md5 (5fa927f808843186e5aa3d9230b15dd7)
        )
    )
)
2024-06-04T11:12:08.619020Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to 10.10.10.10
2024-06-04T11:12:08.652596Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from 10.10.10.10: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-06-04T11:12:08.654560Z TRACE snxcore::util: Exec: "ip" ["-4", "route", "show", "default"]
2024-06-04T11:12:08.658476Z TRACE snxcore::util: Exec: "ip" ["-4", "-o", "addr", "show", "dev", "enp0s3"]
2024-06-04T11:12:08.663165Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-06-04T11:12:08.663279Z DEBUG isakmp::transport: Sending ISAKMP message of size 592 to 10.10.10.10:500
2024-06-04T11:12:08.697547Z DEBUG isakmp::transport: Parsing ISAKMP message of size 268
2024-06-04T11:12:08.697603Z TRACE isakmp::payload: Parsing payload: type=SecurityAssociation, size=56, next=VendorId
2024-06-04T11:12:08.697614Z TRACE isakmp::payload: Parsing payload: type=Proposal, size=44, next=None
2024-06-04T11:12:08.697622Z TRACE isakmp::payload: Parsing payload: type=Transform, size=36, next=None
2024-06-04T11:12:08.697640Z TRACE isakmp::payload: Parsing payload: type=VendorId, size=40, next=VendorId
2024-06-04T11:12:08.697656Z TRACE isakmp::payload: Parsing payload: type=VendorId, size=16, next=VendorId
2024-06-04T11:12:08.697664Z TRACE isakmp::payload: Parsing payload: type=VendorId, size=16, next=VendorId
2024-06-04T11:12:08.697670Z TRACE isakmp::payload: Parsing payload: type=VendorId, size=16, next=Notification
2024-06-04T11:12:08.697678Z TRACE isakmp::payload: Parsing payload: type=Notification, size=28, next=Notification
2024-06-04T11:12:08.697686Z TRACE isakmp::payload: Parsing payload: type=Notification, size=40, next=None
2024-06-04T11:12:08.697700Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-06-04T11:12:08.697706Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-06-04T11:12:08.697712Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-06-04T11:12:08.699128Z DEBUG isakmp::ikev1::service: End SA proposal
2024-06-04T11:12:08.699159Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-06-04T11:12:08.699214Z DEBUG isakmp::transport: Sending ISAKMP message of size 244 to 10.10.10.10:500
2024-06-04T11:12:08.730618Z DEBUG isakmp::transport: Parsing ISAKMP message of size 232
2024-06-04T11:12:08.730673Z TRACE isakmp::payload: Parsing payload: type=KeyExchange, size=128, next=Nonce
2024-06-04T11:12:08.730689Z TRACE isakmp::payload: Parsing payload: type=Nonce, size=20, next=Natd
2024-06-04T11:12:08.730698Z TRACE isakmp::payload: Parsing payload: type=Natd, size=20, next=Natd
2024-06-04T11:12:08.730705Z TRACE isakmp::payload: Parsing payload: type=Natd, size=20, next=None
2024-06-04T11:12:08.730724Z TRACE isakmp::ikev1::service: Responder's public key length: 128
2024-06-04T11:12:08.730732Z TRACE isakmp::ikev1::service: Responder's nonce length: 20
2024-06-04T11:12:08.731831Z TRACE isakmp::ikev1::service: COOKIE_i: 86c3eebafb6e734a
2024-06-04T11:12:08.731859Z TRACE isakmp::ikev1::service: SKEYID_e: 97015a9863c149f8eb3987d644c77630f451768542a7ab1c2975fc66d2c621c0
2024-06-04T11:12:08.731866Z DEBUG isakmp::ikev1::service: End key exchange
2024-06-04T11:12:08.731876Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-06-04T11:12:08.731943Z DEBUG isakmp::transport: Sending ISAKMP message of size 236 to 10.10.10.10:500
2024-06-04T11:12:08.767666Z DEBUG isakmp::transport: Parsing ISAKMP message of size 1724
2024-06-04T11:12:08.767747Z TRACE isakmp::payload: Parsing payload: type=Identification, size=8, next=Certificate
2024-06-04T11:12:08.767790Z TRACE isakmp::payload: Parsing payload: type=Certificate, size=791, next=Certificate
2024-06-04T11:12:08.767816Z TRACE isakmp::payload: Parsing payload: type=Certificate, size=752, next=Signature
2024-06-04T11:12:08.767826Z TRACE isakmp::payload: Parsing payload: type=Signature, size=128, next=None
2024-06-04T11:12:08.767841Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-06-04T11:12:08.867950Z TRACE isakmp::transport: Discarding already received message
2024-06-04T11:12:08.968576Z TRACE isakmp::transport: Discarding already received message
2024-06-04T11:12:09.267113Z DEBUG isakmp::transport: Parsing ISAKMP message of size 76
2024-06-04T11:12:09.267197Z TRACE isakmp::payload: Parsing payload: type=Hash, size=20, next=Attributes
2024-06-04T11:12:09.267221Z TRACE isakmp::payload: Parsing payload: type=Attributes, size=12, next=None
2024-06-04T11:12:09.267235Z DEBUG isakmp::ikev1::service: Attributes message ID: 3552dcff
2024-06-04T11:12:09.267245Z DEBUG snxcore::tunnel::ipsec::connector: No status in reply, requested challenge for: UserName
2024-06-04T11:12:09.267254Z DEBUG isakmp::ikev1::service: Sending auth attribute: UserName, timeout: Some(120) seconds
2024-06-04T11:12:09.267438Z DEBUG isakmp::transport: Sending ISAKMP message of size 108 to 10.10.10.10:500
2024-06-04T11:12:09.302972Z DEBUG isakmp::transport: Parsing ISAKMP message of size 364
2024-06-04T11:12:09.303067Z TRACE isakmp::payload: Parsing payload: type=Hash, size=20, next=Attributes
2024-06-04T11:12:09.303095Z TRACE isakmp::payload: Parsing payload: type=Attributes, size=303, next=None
2024-06-04T11:12:09.303116Z DEBUG isakmp::ikev1::service: Message ID: 3552dcff
2024-06-04T11:12:09.303128Z DEBUG isakmp::ikev1::service: Response message ID: 3552dcff
2024-06-04T11:12:09.303149Z DEBUG snxcore::tunnel::ipsec::connector: No status in reply, requested challenge for: UserPassword
2024-06-04T11:12:09.303161Z DEBUG isakmp::ikev1::service: Sending auth attribute: UserPassword, timeout: Some(120) seconds
2024-06-04T11:12:09.303337Z DEBUG isakmp::transport: Sending ISAKMP message of size 92 to 10.10.10.10:500
2024-06-04T11:12:10.267686Z DEBUG isakmp::transport: Parsing ISAKMP message of size 444
2024-06-04T11:12:10.267788Z TRACE isakmp::payload: Parsing payload: type=Hash, size=20, next=Attributes
2024-06-04T11:12:10.267804Z TRACE isakmp::payload: Parsing payload: type=Attributes, size=378, next=None
2024-06-04T11:12:10.267835Z DEBUG isakmp::ikev1::service: Message ID: 3552dcff
2024-06-04T11:12:10.267844Z DEBUG isakmp::ikev1::service: Response message ID: 3552dcff
2024-06-04T11:12:10.267855Z DEBUG snxcore::tunnel::ipsec::connector: No status in reply, requested challenge for: UserPassword
2024-06-04T11:12:10.267875Z DEBUG isakmp::ikev1::service: Sending auth attribute: UserPassword, timeout: Some(120) seconds
2024-06-04T11:12:10.268025Z DEBUG isakmp::transport: Sending ISAKMP message of size 92 to 10.10.10.10:500
2024-06-04T11:12:10.504682Z DEBUG isakmp::transport: Parsing ISAKMP message of size 508
2024-06-04T11:12:10.504759Z TRACE isakmp::payload: Parsing payload: type=Hash, size=20, next=Attributes
2024-06-04T11:12:10.504813Z TRACE isakmp::payload: Parsing payload: type=Attributes, size=438, next=None
2024-06-04T11:12:10.504864Z DEBUG isakmp::ikev1::service: Message ID: 3552dcff
2024-06-04T11:12:10.504877Z DEBUG isakmp::ikev1::service: Response message ID: 3552dcff
2024-06-04T11:12:10.504891Z  WARN snxcore::tunnel::ipsec::connector: IPSec authentication failed, status: 0
2024-06-04T11:12:10.505418Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to 10.10.10.10:500
Error: IPSec authentication failed, status: 0

ancwrd1 commented 1 month ago

Hi, do you have the password specified in the config file or as a command line parameter? If yes, could you try not specifying it? I think there is a bug in the code but I need to confirm it.

podly commented 1 month ago

Hi, yes, I provided the password in BASE64 on the command line and in the config file. If I tried not to provide the password, there was no prompt and auth was unsuccessful.

2024-06-04T12:05:06.195901Z DEBUG snxcore::tunnel::ipsec::connector: No status in reply, requested challenge for: UserPassword
2024-06-04T12:05:06.195917Z DEBUG snxcore::tunnel::ipsec::connector: Challenge msg: password: 
2024-06-04T12:05:06.195927Z TRACE snxcore::tunnel::ipsec::connector: msg_obj: (msg_obj
    :format (1.0)
    :id (VPN_CUMULATE_PROMPT)
    :def_msg ("password: ")
    :arguments (
        :0 (
            :type (msg_obj)
            :val (msg_obj
                :format (1.0)
                :id (CPSC_RADIUS_ENTER_PASSWORD)
                :def_msg ("password: ")
                :arguments ()
            )
            :def_text ("password: ")
        )
    )
)
2024-06-04T12:05:06.196627Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to 10.10.10.10:500
Error: No state

ancwrd1 commented 1 month ago

I have pushed a possible fix; if you could build the project, please try it.

podly commented 1 month ago

Now it is asking for password, but there is still something wrong with MFA:

2024-06-04T12:45:52.673288Z DEBUG snxcore::tunnel::ipsec::connector: No status in reply, requested challenge for: UserPassword
2024-06-04T12:45:52.673313Z DEBUG snxcore::tunnel::ipsec::connector: Challenge msg: password: 
2024-06-04T12:45:52.673322Z TRACE snxcore::tunnel::ipsec::connector: msg_obj: (msg_obj
    :format (1.0)
    :id (VPN_CUMULATE_PROMPT)
    :def_msg ("password: ")
    :arguments (
        :0 (
            :type (msg_obj)
            :val (msg_obj
                :format (1.0)
                :id (CPSC_RADIUS_ENTER_PASSWORD)
                :def_msg ("password: ")
                :arguments ()
            )
            :def_text ("password: ")
        )
    )
)
2024-06-04T12:45:52.673493Z DEBUG snxcore::tunnel::ipsec::connector: Challenge ID: CPSC_RADIUS_ENTER_PASSWORD
2024-06-04T12:45:52.673520Z DEBUG snxcore::tunnel::ipsec::connector: Challenge prompt: password: 
password: 
2024-06-04T12:46:00.738953Z DEBUG isakmp::ikev1::service: Sending auth attribute: UserPassword, timeout: Some(120) seconds
2024-06-04T12:46:00.739211Z DEBUG isakmp::transport: Sending ISAKMP message of size 92 to 10.10.10.10:500
2024-06-04T12:46:00.739370Z TRACE isakmp::transport: Discarding already received message
2024-06-04T12:46:00.739407Z TRACE isakmp::transport: Discarding already received message
2024-06-04T12:46:00.739426Z TRACE isakmp::transport: Discarding already received message
2024-06-04T12:46:00.739450Z TRACE isakmp::transport: Discarding already received message
2024-06-04T12:46:01.669836Z DEBUG isakmp::transport: Parsing ISAKMP message of size 444
2024-06-04T12:46:01.669913Z TRACE isakmp::payload: Parsing payload: type=Hash, size=20, next=Attributes
2024-06-04T12:46:01.669928Z TRACE isakmp::payload: Parsing payload: type=Attributes, size=378, next=None
2024-06-04T12:46:01.669965Z DEBUG isakmp::ikev1::service: Message ID: c1ce912f
2024-06-04T12:46:01.669975Z DEBUG isakmp::ikev1::service: Response message ID: c1ce912f
2024-06-04T12:46:01.670031Z DEBUG snxcore::tunnel::ipsec::connector: No status in reply, requested challenge for: UserPassword
2024-06-04T12:46:01.670053Z DEBUG snxcore::tunnel::ipsec::connector: Challenge msg: Enter Your Microsoft verification code
2024-06-04T12:46:01.670061Z TRACE snxcore::tunnel::ipsec::connector: msg_obj: (msg_obj
    :format (1.0)
    :id (VPN_CUMULATE_PROMPT)
    :def_msg ("Enter Your Microsoft verification code")
    :arguments (
        :0 (
            :type (msg_obj)
            :val (msg_obj
                :format (1.0)
                :def_msg ("Enter Your Microsoft verification code")
                :arguments ()
            )
            :def_text ("Enter Your Microsoft verification code")
        )
    )
)
2024-06-04T12:46:01.670771Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to 10.10.10.10:500
Error: No challenge id!

ancwrd1 commented 1 month ago

Ok, another attribute is missing in the Checkpoint reply. Try now, please.
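
The challenge handling this thread converges on, as an added example (editor's code, not snx-rs's): a minimal parser for the msg_obj prompt format in the logs above, a fallback for the nested msg_obj that carries no :id, and a rule that sends a stored password only for the CPSC_RADIUS_ENTER_PASSWORD prompt and asks the user for anything else. Function names, the exact decision rule and the compacted sample prompts are assumptions, not the project's fix.

```rust
// Added example, not snx-rs code; helper names are hypothetical.
pub enum Val { Atom(String), Obj(Vec<(String, Val)>) }
// Tokens: "(", ")", ":key", words; quoted text keeps a leading '"' so it is never read as a key or ")".
fn tokens(src: &str) -> Vec<String> {
    let (mut out, mut cur, mut q) = (Vec::new(), String::new(), false);
    for c in src.chars() {
        if q { if c == '"' { q = false; out.push(std::mem::take(&mut cur)); } else { cur.push(c); } }
        else if c == '"' { q = true; cur.push(c); }
        else if c == '(' || c == ')' || c.is_whitespace() {
            if !cur.is_empty() { out.push(std::mem::take(&mut cur)); }
            if !c.is_whitespace() { out.push(c.to_string()); }
        } else { cur.push(c); }
    }
    out
}
// Parse "( tag? (:key value)* )": "(x)" is a scalar, "(tag :k v ..)" or "()" is an object.
fn parse(t: &[String], i: &mut usize) -> Val {
    let mut fields = Vec::new();
    *i += 1; // consume "("
    while *i < t.len() && t[*i] != ")" {
        let key = match t[*i].strip_prefix(':') { Some(k) => k, None => { *i += 1; continue; } };
        *i += 1; // now at the "(" that opens the value
        let scalar = t.get(*i + 2).map_or(false, |c| c == ")") && !t[*i + 1].starts_with(':') && t[*i + 1] != ")";
        let v = if scalar { let s = &t[*i + 1]; *i += 3; Val::Atom(s.strip_prefix('"').unwrap_or(s.as_str()).to_string()) }
                else { parse(t, i) };
        fields.push((key.to_string(), v));
    }
    *i += 1; // consume ")"
    Val::Obj(fields)
}
pub struct Challenge { pub id: Option<String>, pub prompt: String }
fn field<'a>(v: &'a Val, key: &str) -> Option<&'a Val> {
    match v { Val::Obj(f) => f.iter().find(|(k, _)| k == key).map(|(_, v)| v), _ => None }
}
fn text(v: Option<&Val>) -> Option<String> {
    match v { Some(Val::Atom(s)) if !s.is_empty() => Some(s.clone()), _ => None }
}
// Inner msg_obj (arguments/0/val) may lack :id, as the code prompt does: id is None, prompt still returned.
pub fn parse_challenge(src: &str) -> Option<Challenge> {
    let root = parse(&tokens(src), &mut 0);
    let inner = field(&root, "arguments").and_then(|a| field(a, "0")).and_then(|a| field(a, "val"));
    let id = inner.and_then(|m| text(field(m, "id")));
    let prompt = inner.and_then(|m| text(field(m, "def_msg"))).or_else(|| text(field(&root, "def_msg")))?;
    Some(Challenge { id, prompt })
}
// Stored password answers only the password prompt; the SMS code prompt is asked from the user.
pub fn answer(ch: &Challenge, stored: Option<&str>, ask: impl Fn(&str) -> String) -> String {
    if let (Some("CPSC_RADIUS_ENTER_PASSWORD"), Some(pw)) = (ch.id.as_deref(), stored) { pw.to_string() } else { ask(&ch.prompt) }
}
// Constructed inputs: the two prompts from this issue's logs, whitespace compacted.
pub const PASSWORD_PROMPT: &str = r#"(msg_obj :format (1.0) :id (VPN_CUMULATE_PROMPT) :def_msg ("password: ") :arguments (:0 (:type (msg_obj) :val (msg_obj :format (1.0) :id (CPSC_RADIUS_ENTER_PASSWORD) :def_msg ("password: ") :arguments ()) :def_text ("password: "))))"#;
pub const CODE_PROMPT: &str = r#"(msg_obj :format (1.0) :id (VPN_CUMULATE_PROMPT) :def_msg ("Enter Your Microsoft verification code") :arguments (:0 (:type (msg_obj) :val (msg_obj :format (1.0) :def_msg ("Enter Your Microsoft verification code") :arguments ()) :def_text ("Enter Your Microsoft verification code"))))"#;
```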

podly commented 1 month ago

It is working OK now, thank you!

ancwrd1 commented 1 month ago

Great, thanks for your help with testing.