ancwrd1 / snx-rs

Open Source Linux Client For Check Point VPN Tunnels
GNU Affero General Public License v3.0

deadline has elapsed #24

Closed haegemonia76 closed 5 months ago

haegemonia76 commented 5 months ago

I recently switched from Windows to Linux, and my company uses Checkpoint Mobile. It works fine on Windows thanks to the provided native client, but Linux does not have one; then I found your repo, thanks for that.

Unfortunately, when I try to connect to the VPN, I get the error below:

server-name=***.***.***.***
user-name=********
password=********
log-level=trace
tunnel-type=ipsec
login-type=vpn_Username_Password
sudo ./snx-rs -c ./snx-rs.conf > log-port-500.log
Error: deadline has elapsed

log-port-500.log

sudo ./snx-rs -c ./snx-rs.conf --ike-port 4500 > log-port-4500.log
Error: deadline has elapsed

log-port-4500.log

I must add that https://***.***.***.***/clients returns 404.

ancwrd1 commented 5 months ago

Hi, the https endpoint wants POST requests in a special form, please try the following:

curl -k -X POST -d '(CCCclientRequest :RequestHeader ( :id (0) :type (ClientHello)) :RequestData ( :client_info ( :client_type (TRAC) :client_version (1) :client_support_saml (true))))' https://YOURVPNSERVER/clients

I think the issue might be related to the wrong authentication type that you specify. It fails on the identity protection packet, which contains something like:

  (  :clientType (TRAC)
     :clientOS (Windows_7)
     :oldSessionId ()
     :protocolVersion (100)
     :client_mode (SYMBIAN)
     :selected_realm_id (vpn_XXX))

So I am wondering if this vpn_XXX identifier is incorrectly specified. The other reason could be that some of those fields cause your Checkpoint server to throw an error, but it's a bit hard to tell, it usually just silently ignores the requests if something is wrong.

ancwrd1 commented 5 months ago

You could try to change the client_type in the sources from SYMBIAN to "secure_connect", "endpoint_security" or "secure_remote", and also add another line after it:

               :secondary_realm_hash (xxxxxx)\n\

Where xxxxx is the secondary_realm_hash value returned from the https command above (it is distinct for each vpn_xxx auth type).

haegemonia76 commented 5 months ago

> Hi, the https endpoint wants POST requests in a special form, please try the following:
>
> curl -k -X POST -d '(CCCclientRequest :RequestHeader ( :id (0) :type (ClientHello)) :RequestData ( :client_info ( :client_type (TRAC) :client_version (1) :client_support_saml (true))))' https://YOURVPNSERVER/clients
>
> I think the issue might be related to the wrong authentication type that you specify. It fails on the identity protection packet, which contains something like:
>
>   (  :clientType (TRAC)
>      :clientOS (Windows_7)
>      :oldSessionId ()
>      :protocolVersion (100)
>      :client_mode (SYMBIAN)
>      :selected_realm_id (vpn_XXX))
>
> So I am wondering if this vpn_XXX identifier is incorrectly specified. The other reason could be that some of those fields cause your Checkpoint server to throw an error, but it's a bit hard to tell, it usually just silently ignores the requests if something is wrong.

(CCCserverResponse
    :ResponseHeader (
        :id (0)
        :type (ClientHello)
        :session_id ()
        :return_code (600)
    )
    :ResponseData (
        :protocol_version (
            :protocol_version (100)
            :features (0x1)
        )
        :upgrade_configuration (
            :available_client_version (835000022)
            :client_upgrade_url ("/CSHELL/")
            :upgrade_mode (ask_user)
        )
        :connectivity_info (
            :default_authentication_method (client_decide)
            :client_enabled (true)
            :supported_data_tunnel_protocols (
                : (IPSec)
                : (SSL)
                : (L2TP)
            )
            :connectivity_type (IPSec)
            :server_ip (192.168.215.250)
            :ipsec_transport (auto_detect)
            :tcpt_port (443)
            :natt_port (4500)
            :connect_with_certificate_url ("/clients/cert/")
            :cookie_name (CPCVPN_SESSION_ID)
            :internal_ca_fingerprint (
                :1 (607c6666107274647d106c65751f776b661c6515076365036664696803086e7401100a130d181d077001137e77610b090f661b11ff69)
            )
        )
        :end_point_security (
            :ics (
                :run_ics (false)
                :ics_base_url ("/clients/ICS/components")
                :ics_version (403006000)
                :ics_upgrade_url ("/clients/ICS/components/icsweb.cab")
                :ics_images_url ("/clients/ICS/components/ICS_images.cab")
                :ics_images_ver (403006000)
                :ics_cab_url ("/clients/ICS/components/cl_ics.cab")
                :ics_cab_version ("996000036
")
            )
        )
        :login_options_data (
            :login_options_list (
                :0 (
                    :id (vpn)
                    :secondary_realm_hash (c4ca4238a0b923820dcc509a6f75849b)
                    :display_name (Standard)
                    :show_realm (1)
                    :factors (
                        :0 (
                            :factor_type (user_defined)
                            :securid_card_type ()
                            :certificate_storage_type ()
                            :custom_display_labels ()
                        )
                    )
                )
            )
            :login_options_md5 (5fa927f808843186e5aa3d9230b15dd7)
        )
    )
)

It seems there is no login type information returned (?)

> You could try to change the client_type in the sources from SYMBIAN to "secure_connect", "endpoint_security" or "secure_remote", and also add another line after it:
>
>                :secondary_realm_hash (xxxxxx)\n\
>
> Where xxxxx is the secondary_realm_hash value returned from the https command above (it is distinct for each vpn_xxx auth type).

I'll try

ancwrd1 commented 5 months ago

I see that there is only the vpn login factor advertised by the server, and you have used vpn_Username_Password. Maybe try to change it to vpn?

haegemonia76 commented 5 months ago

> I see that there is only the vpn login factor advertised by the server, and you have used vpn_Username_Password. Maybe try to change it to vpn?

I changed it, and there's some progress

sudo ./snx-rs -c ./snx-rs.conf --log-level trace > log.log
Error: [0020] The user is not defined properly.(msg_obj
    :format (1.0)
    :id (VPN_USER_NOT_PROPERLY_DEFINED_2)
    :def_msg ("The user is not defined properly.")
    :arguments ()
)

log.log

ancwrd1 commented 5 months ago

Hmm, from the logs I see that the IPSec ESP proposal wasn't accepted by the server (ESP SA exchange is the one that negotiates the keys used for traffic encryption).

Maybe your server uses old insecure algorithms which aren't supported (MD5 or 3DES). This app proposes HMAC-SHA-{256,160,96} and AES-CBC-{256,192,128}.

I would suggest trying the older version 0.11.0 (in the Releases section); with trace-level logs it prints HTTP server requests and responses, and one response will be the KeyManagement with IPSec parameters, like algorithm and keys.

ancwrd1 commented 5 months ago

The response would look like this:

Reply from server: (CCCserverResponse
        :ResponseHeader (
                :id (4)
                :type (KeyManagement)
                :session_id (xxx)
                :return_code (600)
        )
        :ResponseData (
                :client_encsa (
                        :enckey (xxx)
                        :authkey (xxx)
                        :spi (xxx)
                )
                :client_decsa (
                        :enckey (xxx)
                        :authkey (xxx)
                        :spi (xxx)
                )
                :lifetime (86400)
                :encalg (AES-256)
                :authalg (SHA256)
                :nattport (4500)
                :udpencapsulation (true)

haegemonia76 commented 5 months ago

Might be possible, the latest version recommended by my company is E86.40 and was released 2022-05-08.

sudo ./snx-rs -s ***.***.***.*** -u *** -p *** -l trace -e ipsec -o vpn

2024-06-18T13:40:28.674228Z DEBUG snx_rs: >>> Starting snx-rs client version 0.11.0
2024-06-18T13:40:28.674253Z DEBUG snx_rs: Running in standalone mode
2024-06-18T13:40:28.674261Z DEBUG snx_rs::tunnel: Authenticating to endpoint: ***.***.***.***
2024-06-18T13:40:28.682078Z TRACE snx_rs::ccc: Request to server: (CCCclientRequest
    :RequestData (
        :client_logging_data (
            :os_name ("Android"))
        :client_type (SYMBIAN)
        :password (1f3e1231732a327878)
        :selectedLoginOption (vpn)
        :username (34433620262a2a21234a))
    :RequestHeader (
        :id (2)
        :type (UserPass)))
2024-06-18T13:40:28.682130Z TRACE hyper::client::pool: checkout waiting for idle connection: ("https", ***.***.***.***)
2024-06-18T13:40:28.682147Z TRACE hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("***.***.***.***"), port=None
2024-06-18T13:40:28.682152Z DEBUG hyper::client::connect::http: connecting to ***.***.***.***:443
2024-06-18T13:40:28.717087Z DEBUG hyper::client::connect::http: connected to ***.***.***.***:443
2024-06-18T13:40:28.752741Z TRACE hyper::client::pool: checkout dropped for ("https", ***.***.***.***)
Error: error sending request for url (https://***.***.***.***/clients/): error trying to connect: error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/statem/statem_clnt.c:2092: (self-signed certificate in certificate chain)

Caused by:
    0: error trying to connect: error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/statem/statem_clnt.c:2092: (self-signed certificate in certificate chain)
    1: error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/statem/statem_clnt.c:2092: (self-signed certificate in certificate chain)
    2: error:0A000086:SSL routines:(unknown function):certificate verify failed:ssl/statem/statem_clnt.c:2092:

Does not seem to work at all, the config is the same.

ancwrd1 commented 5 months ago

Try adding -X true option (which disables certificate validation).

haegemonia76 commented 5 months ago

sudo ./snx-rs -s ***.***.***.*** -u *** -p *** -l trace -e ipsec -o vpn -X true

2024-06-18T13:53:23.442596Z DEBUG snx_rs: >>> Starting snx-rs client version 0.11.0
2024-06-18T13:53:23.442619Z DEBUG snx_rs: Running in standalone mode
2024-06-18T13:53:23.442626Z DEBUG snx_rs::tunnel: Authenticating to endpoint: ***.***.***.***
2024-06-18T13:53:23.442653Z  WARN snx_rs::ccc: Disabling all certificate checks!!!
2024-06-18T13:53:23.450221Z TRACE snx_rs::ccc: Request to server: (CCCclientRequest
    :RequestData (
        :client_logging_data (
            :os_name ("Android"))
        :client_type (SYMBIAN)
        :password (1f3e1231732a327878)
        :selectedLoginOption (vpn_Username_Password)
        :username (34433620262a2a21234a))
    :RequestHeader (
        :id (2)
        :type (UserPass)))
2024-06-18T13:53:23.450264Z TRACE hyper::client::pool: checkout waiting for idle connection: ("https", ***.***.***.***)
2024-06-18T13:53:23.450280Z TRACE hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("***.***.***.***"), port=None
2024-06-18T13:53:23.450285Z DEBUG hyper::client::connect::http: connecting to ***.***.***.***:443
2024-06-18T13:53:23.485035Z DEBUG hyper::client::connect::http: connected to ***.***.***.***:443
2024-06-18T13:53:23.563294Z TRACE hyper::client::conn: client handshake Http1
2024-06-18T13:53:23.563323Z TRACE hyper::client::client: handshake complete, spawning background dispatcher task
2024-06-18T13:53:23.563403Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Busy }
2024-06-18T13:53:23.563414Z TRACE hyper::client::pool: checkout dropped for ("https", ***.***.***.***)
2024-06-18T13:53:23.563463Z TRACE encode_headers: hyper::proto::h1::role: Client::encode method=POST, body=Some(Known(273))
2024-06-18T13:53:23.563476Z TRACE hyper::proto::h1::encode: sized write, len = 273
2024-06-18T13:53:23.563480Z TRACE hyper::proto::h1::io: buffer.flatten self.len=81 buf.len=273
2024-06-18T13:53:23.563525Z DEBUG hyper::proto::h1::io: flushed 354 bytes
2024-06-18T13:53:23.563529Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2024-06-18T13:53:23.598194Z TRACE hyper::proto::h1::conn: Conn::read_head
2024-06-18T13:53:23.598249Z TRACE hyper::proto::h1::io: received 411 bytes
2024-06-18T13:53:23.598278Z TRACE parse_headers: hyper::proto::h1::role: Response.parse bytes=411
2024-06-18T13:53:23.598293Z TRACE parse_headers: hyper::proto::h1::role: Response.parse Complete(283)
2024-06-18T13:53:23.598313Z DEBUG hyper::proto::h1::io: parsed 8 headers
2024-06-18T13:53:23.598320Z DEBUG hyper::proto::h1::conn: incoming body is content-length (128 bytes)
2024-06-18T13:53:23.598326Z TRACE hyper::proto::h1::conn: remote disabling keep-alive
2024-06-18T13:53:23.598350Z TRACE hyper::proto::h1::decode: decode; state=Length(128)
2024-06-18T13:53:23.598358Z DEBUG hyper::proto::h1::conn: incoming body completed
2024-06-18T13:53:23.598363Z TRACE hyper::proto::h1::conn: try_keep_alive({role=client}): could keep-alive, but status = Disabled
2024-06-18T13:53:23.598370Z TRACE hyper::proto::h1::conn: State::close()
2024-06-18T13:53:23.598378Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Closed, writing: Closed, keep_alive: Disabled }
2024-06-18T13:53:23.598440Z TRACE hyper::proto::h1::conn: shut down IO complete
2024-06-18T13:53:23.598542Z TRACE snx_rs::ccc: Reply from server: (CCCserverResponse
    :ResponseHeader (
        :id (2)
        :type (UserPass)
        :session_id ()
        :return_code (601)
    )
    :ResponseData ()
)

Error: Request failed, error code: 601

ancwrd1 commented 5 months ago

I think you used again the wrong type, vpn_Username_Password instead of vpn.

ancwrd1 commented 5 months ago

selectedLoginOption (vpn_Username_Password)

haegemonia76 commented 5 months ago

my bad I'm stupid -_-

2024-06-18T13:56:33.160920Z DEBUG snx_rs: >>> Starting snx-rs client version 0.11.0
2024-06-18T13:56:33.160943Z DEBUG snx_rs: Running in standalone mode
2024-06-18T13:56:33.160951Z DEBUG snx_rs::tunnel: Authenticating to endpoint: ***.***.***.***
2024-06-18T13:56:33.160979Z  WARN snx_rs::ccc: Disabling all certificate checks!!!
2024-06-18T13:56:33.169605Z TRACE snx_rs::ccc: Request to server: (CCCclientRequest
    :RequestData (
        :client_logging_data (
            :os_name ("Android"))
        :client_type (SYMBIAN)
        :password (1f3e1231732a327878)
        :selectedLoginOption (vpn)
        :username (34433620262a2a21234a))
    :RequestHeader (
        :id (2)
        :type (UserPass)))
2024-06-18T13:56:33.169663Z TRACE hyper::client::pool: checkout waiting for idle connection: ("https", ***.***.***.***)
2024-06-18T13:56:33.169688Z TRACE hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("***.***.***.***"), port=None
2024-06-18T13:56:33.169695Z DEBUG hyper::client::connect::http: connecting to ***.***.***.***:443
2024-06-18T13:56:33.205107Z DEBUG hyper::client::connect::http: connected to ***.***.***.***:443
2024-06-18T13:56:33.282554Z TRACE hyper::client::conn: client handshake Http1
2024-06-18T13:56:33.282573Z TRACE hyper::client::client: handshake complete, spawning background dispatcher task
2024-06-18T13:56:33.282653Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Busy }
2024-06-18T13:56:33.282659Z TRACE hyper::client::pool: checkout dropped for ("https", ***.***.***.***)
2024-06-18T13:56:33.282720Z TRACE encode_headers: hyper::proto::h1::role: Client::encode method=POST, body=Some(Known(255))
2024-06-18T13:56:33.282736Z TRACE hyper::proto::h1::encode: sized write, len = 255
2024-06-18T13:56:33.282743Z TRACE hyper::proto::h1::io: buffer.flatten self.len=81 buf.len=255
2024-06-18T13:56:33.282787Z DEBUG hyper::proto::h1::io: flushed 336 bytes
2024-06-18T13:56:33.282793Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2024-06-18T13:56:33.380856Z TRACE hyper::proto::h1::conn: Conn::read_head
2024-06-18T13:56:33.380913Z TRACE hyper::proto::h1::io: received 752 bytes
2024-06-18T13:56:33.380930Z TRACE parse_headers: hyper::proto::h1::role: Response.parse bytes=752
2024-06-18T13:56:33.380940Z TRACE parse_headers: hyper::proto::h1::role: Response.parse Complete(282)
2024-06-18T13:56:33.380956Z DEBUG hyper::proto::h1::io: parsed 8 headers
2024-06-18T13:56:33.380960Z DEBUG hyper::proto::h1::conn: incoming body is content-length (470 bytes)
2024-06-18T13:56:33.380964Z TRACE hyper::proto::h1::conn: remote disabling keep-alive
2024-06-18T13:56:33.380981Z TRACE hyper::proto::h1::decode: decode; state=Length(470)
2024-06-18T13:56:33.380986Z DEBUG hyper::proto::h1::conn: incoming body completed
2024-06-18T13:56:33.380991Z TRACE hyper::proto::h1::conn: try_keep_alive({role=client}): could keep-alive, but status = Disabled
2024-06-18T13:56:33.380996Z TRACE hyper::proto::h1::conn: State::close()
2024-06-18T13:56:33.381002Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Closed, writing: Closed, keep_alive: Disabled }
2024-06-18T13:56:33.381048Z TRACE hyper::proto::h1::conn: shut down IO complete
2024-06-18T13:56:33.381130Z TRACE snx_rs::ccc: Reply from server: (CCCserverResponse
    :ResponseHeader (
        :id (2)
        :type (UserPass)
        :session_id ()
        :return_code (600)
    )
    :ResponseData (
        :authn_status (done)
        :is_authenticated (true)
        :active_key (724a150d4d05441a045610511b04090805100c0240151c5d07161c6523732a5176790c1c1f79677e0f6327207f5060633374332e6505624074767f7279707a1c)
        :server_fingerprint ()
        :server_cn ()
        :session_id (d1d19775af3938d095bfdd790200a859)
        :active_key_timeout (28800)
        :username (glecloerec)
    )
)

2024-06-18T13:56:33.382296Z DEBUG snx_rs::tunnel: Authentication OK, session id: d1d19775af3938d095bfdd790200a859
2024-06-18T13:56:33.382332Z  WARN snx_rs::ccc: Disabling all certificate checks!!!
2024-06-18T13:56:33.396970Z TRACE snx_rs::ccc: Request to server: (CCCclientRequest
    :RequestData (ClientSettings 
    :requested_policies_and_current_versions (
        :range ()))
    :RequestHeader (
        :id (3)
        :protocol_version (100)
        :session_id (d1d19775af3938d095bfdd790200a859)
        :type (ClientSettings)))
2024-06-18T13:56:33.397024Z TRACE hyper::client::pool: checkout waiting for idle connection: ("https", ***.***.***.***)
2024-06-18T13:56:33.397042Z TRACE hyper::client::connect::http: Http::connect; scheme=Some("https"), host=Some("***.***.***.***"), port=None
2024-06-18T13:56:33.397053Z DEBUG hyper::client::connect::http: connecting to ***.***.***.***:443
2024-06-18T13:56:33.431737Z DEBUG hyper::client::connect::http: connected to ***.***.***.***:443
2024-06-18T13:56:33.509602Z TRACE hyper::client::conn: client handshake Http1
2024-06-18T13:56:33.509629Z TRACE hyper::client::client: handshake complete, spawning background dispatcher task
2024-06-18T13:56:33.509672Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: Init, keep_alive: Busy }
2024-06-18T13:56:33.509685Z TRACE hyper::client::pool: checkout dropped for ("https", ***.***.***.***)
2024-06-18T13:56:33.509717Z TRACE encode_headers: hyper::proto::h1::role: Client::encode method=POST, body=Some(Known(236))
2024-06-18T13:56:33.509730Z TRACE hyper::proto::h1::encode: sized write, len = 236
2024-06-18T13:56:33.509735Z TRACE hyper::proto::h1::io: buffer.flatten self.len=81 buf.len=236
2024-06-18T13:56:33.509762Z DEBUG hyper::proto::h1::io: flushed 317 bytes
2024-06-18T13:56:33.509766Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Init, writing: KeepAlive, keep_alive: Busy }
2024-06-18T13:56:33.544892Z TRACE hyper::proto::h1::conn: Conn::read_head
2024-06-18T13:56:33.544946Z TRACE hyper::proto::h1::io: received 4584 bytes
2024-06-18T13:56:33.544961Z TRACE parse_headers: hyper::proto::h1::role: Response.parse bytes=4584
2024-06-18T13:56:33.544970Z TRACE parse_headers: hyper::proto::h1::role: Response.parse Complete(284)
2024-06-18T13:56:33.544985Z DEBUG hyper::proto::h1::io: parsed 8 headers
2024-06-18T13:56:33.544989Z DEBUG hyper::proto::h1::conn: incoming body is content-length (4300 bytes)
2024-06-18T13:56:33.544993Z TRACE hyper::proto::h1::conn: remote disabling keep-alive
2024-06-18T13:56:33.545003Z TRACE hyper::proto::h1::decode: decode; state=Length(4300)
2024-06-18T13:56:33.545008Z DEBUG hyper::proto::h1::conn: incoming body completed
2024-06-18T13:56:33.545012Z TRACE hyper::proto::h1::conn: try_keep_alive({role=client}): could keep-alive, but status = Disabled
2024-06-18T13:56:33.545015Z TRACE hyper::proto::h1::conn: State::close()
2024-06-18T13:56:33.545020Z TRACE hyper::proto::h1::conn: flushed({role=client}): State { reading: Closed, writing: Closed, keep_alive: Disabled }
2024-06-18T13:56:33.545050Z TRACE hyper::proto::h1::conn: shut down IO complete
2024-06-18T13:56:33.545185Z TRACE snx_rs::ccc: Reply from server: (CCCserverResponse
    :ResponseHeader (
        :id (3)
        :type (ClientSettings)
        :session_id (d1d19775af3938d095bfdd790200a859)
        :return_code (600)
    )
    :ResponseData (
        :updated_policies (
            :range (
                :settings (
                    : (
                        :from (10.5.85.0)
                        :to (10.5.85.255)
                    )
                    : (
                        :from (10.13.0.240)
                        :to (10.13.0.255)
                    )
                    : (
                        :from (10.14.0.240)
                        :to (10.14.0.255)
                    )
                    : (
                        :from (10.20.0.240)
                        :to (10.20.0.255)
                    )
                    : (
                        :from (10.21.0.240)
                        :to (10.21.0.255)
                    )
                    : (
                        :from (10.25.0.240)
                        :to (10.25.0.255)
                    )
                    : (
                        :from (10.29.0.240)
                        :to (10.29.0.255)
                    )
                    : (
                        :from (10.31.0.240)
                        :to (10.31.0.255)
                    )
                    : (
                        :from (10.33.0.240)
                        :to (10.33.0.255)
                    )
                    : (
                        :from (10.34.0.240)
                        :to (10.34.0.255)
                    )
                    : (
                        :from (10.35.0.240)
                        :to (10.35.0.255)
                    )
                    : (
                        :from (10.38.0.240)
                        :to (10.38.0.255)
                    )
                    : (
                        :from (10.44.0.240)
                        :to (10.44.0.255)
                    )
                    : (
                        :from (10.45.0.240)
                        :to (10.45.0.255)
                    )
                    : (
                        :from (10.51.0.240)
                        :to (10.51.0.255)
                    )
                    : (
                        :from (10.54.0.240)
                        :to (10.54.0.255)
                    )
                    : (
                        :from (10.59.0.240)
                        :to (10.59.0.255)
                    )
                    : (
                        :from (10.63.0.240)
                        :to (10.63.0.255)
                    )
                    : (
                        :from (10.67.0.240)
                        :to (10.67.0.255)
                    )
                    : (
                        :from (10.69.0.240)
                        :to (10.69.0.255)
                    )
                    : (
                        :from (10.76.0.240)
                        :to (10.76.0.255)
                    )
                    : (
                        :from (10.77.1.0)
                        :to (10.77.7.255)
                    )
                    : (
                        :from (10.77.10.0)
                        :to (10.77.11.255)
                    )
                    : (
                        :from (10.77.18.0)
                        :to (10.77.18.255)
                    )
                    : (
                        :from (10.77.21.1)
                        :to (10.77.21.1)
                    )
                    : (
                        :from (10.77.24.0)
                        :to (10.77.27.255)
                    )
                    : (
                        :from (10.77.37.32)
                        :to (10.77.37.63)
                    )
                    : (
                        :from (10.77.235.1)
                        :to (10.77.235.1)
                    )
                    : (
                        :from (10.80.0.240)
                        :to (10.80.0.255)
                    )
                    : (
                        :from (10.86.0.240)
                        :to (10.86.0.255)
                    )
                    : (
                        :from (10.95.0.240)
                        :to (10.95.0.255)
                    )
                    : (
                        :from (10.127.53.97)
                        :to (10.127.53.98)
                    )
                    : (
                        :from (10.177.0.240)
                        :to (10.177.0.255)
                    )
                    : (
                        :from (82.210.54.14)
                        :to (82.210.54.14)
                    )
                    : (
                        :from (***.***.***.***)
                        :to (***.***.***.***)
                    )
                    : (
                        :from (82.210.54.22)
                        :to (82.210.54.22)
                    )
                    : (
                        :from (82.210.54.70)
                        :to (82.210.54.70)
                    )
                    : (
                        :from (82.210.54.94)
                        :to (82.210.54.94)
                    )
                    : (
                        :from (92.103.159.43)
                        :to (92.103.159.43)
                    )
                    : (
                        :from (172.16.0.1)
                        :to (172.16.0.1)
                    )
                    : (
                        :from (192.168.199.0)
                        :to (192.168.200.255)
                    )
                    : (
                        :from (192.168.202.0)
                        :to (192.168.202.255)
                    )
                    : (
                        :from (192.168.204.0)
                        :to (192.168.214.31)
                    )
                    : (
                        :from (192.168.215.11)
                        :to (192.168.215.11)
                    )
                    : (
                        :from (192.168.215.250)
                        :to (192.168.215.252)
                    )
                    : (
                        :from (192.168.217.0)
                        :to (192.168.217.255)
                    )
                    : (
                        :from (192.168.220.0)
                        :to (192.168.220.255)
                    )
                    : (
                        :from (192.168.224.2)
                        :to (192.168.224.2)
                    )
                    : (
                        :from (192.168.225.0)
                        :to (192.168.225.255)
                    )
                    : (
                        :from (192.168.226.1)
                        :to (192.168.226.1)
                    )
                    : (
                        :from (192.168.227.0)
                        :to (192.168.227.31)
                    )
                    : (
                        :from (192.168.228.0)
                        :to (192.168.228.31)
                    )
                    : (
                        :from (192.168.233.1)
                        :to (192.168.233.1)
                    )
                    : (
                        :from (192.168.234.1)
                        :to (192.168.234.1)
                    )
                    : (
                        :from (192.168.244.0)
                        :to (192.168.244.255)
                    )
                    : (
                        :from (192.168.247.0)
                        :to (192.168.255.255)
                    )
                    : (
                        :from (217.28.175.254)
                        :to (217.28.175.254)
                    )
                )
                :expiry (0)
                :id (424fa77c135b2476dc7dc4ea4d01e8eb)
                :name (range)
            )
        )
        :unchanged_policies ()
        :unsupported_policies ()
        :gateway_policy_version (66705142)
        :gw_internal_ip (192.168.215.250)
    )
)

2024-06-18T13:56:33.548812Z DEBUG snx_rs::tunnel::ipsec: Client settings: ClientSettingsResponse { gw_internal_ip: 192.168.215.250, updated_policies: UpdatedPolicies { range: Range { settings: [NetworkRange { from: 10.5.85.0, to: 10.5.85.255 }, NetworkRange { from: 10.13.0.240, to: 10.13.0.255 }, NetworkRange { from: 10.14.0.240, to: 10.14.0.255 }, NetworkRange { from: 10.20.0.240, to: 10.20.0.255 }, NetworkRange { from: 10.21.0.240, to: 10.21.0.255 }, NetworkRange { from: 10.25.0.240, to: 10.25.0.255 }, NetworkRange { from: 10.29.0.240, to: 10.29.0.255 }, NetworkRange { from: 10.31.0.240, to: 10.31.0.255 }, NetworkRange { from: 10.33.0.240, to: 10.33.0.255 }, NetworkRange { from: 10.34.0.240, to: 10.34.0.255 }, NetworkRange { from: 10.35.0.240, to: 10.35.0.255 }, NetworkRange { from: 10.38.0.240, to: 10.38.0.255 }, NetworkRange { from: 10.44.0.240, to: 10.44.0.255 }, NetworkRange { from: 10.45.0.240, to: 10.45.0.255 }, NetworkRange { from: 10.51.0.240, to: 10.51.0.255 }, NetworkRange { from: 10.54.0.240, to: 10.54.0.255 }, NetworkRange { from: 10.59.0.240, to: 10.59.0.255 }, NetworkRange { from: 10.63.0.240, to: 10.63.0.255 }, NetworkRange { from: 10.67.0.240, to: 10.67.0.255 }, NetworkRange { from: 10.69.0.240, to: 10.69.0.255 }, NetworkRange { from: 10.76.0.240, to: 10.76.0.255 }, NetworkRange { from: 10.77.1.0, to: 10.77.7.255 }, NetworkRange { from: 10.77.10.0, to: 10.77.11.255 }, NetworkRange { from: 10.77.18.0, to: 10.77.18.255 }, NetworkRange { from: 10.77.21.1, to: 10.77.21.1 }, NetworkRange { from: 10.77.24.0, to: 10.77.27.255 }, NetworkRange { from: 10.77.37.32, to: 10.77.37.63 }, NetworkRange { from: 10.77.235.1, to: 10.77.235.1 }, NetworkRange { from: 10.80.0.240, to: 10.80.0.255 }, NetworkRange { from: 10.86.0.240, to: 10.86.0.255 }, NetworkRange { from: 10.95.0.240, to: 10.95.0.255 }, NetworkRange { from: 10.127.53.97, to: 10.127.53.98 }, NetworkRange { from: 10.177.0.240, to: 10.177.0.255 }, NetworkRange { from: 82.210.54.14, to: 82.210.54.14 }, 
NetworkRange { from: ***.***.***.***, to: ***.***.***.*** }, NetworkRange { from: 82.210.54.22, to: 82.210.54.22 }, NetworkRange { from: 82.210.54.70, to: 82.210.54.70 }, NetworkRange { from: 82.210.54.94, to: 82.210.54.94 }, NetworkRange { from: 92.103.159.43, to: 92.103.159.43 }, NetworkRange { from: 172.16.0.1, to: 172.16.0.1 }, NetworkRange { from: 192.168.199.0, to: 192.168.200.255 }, NetworkRange { from: 192.168.202.0, to: 192.168.202.255 }, NetworkRange { from: 192.168.204.0, to: 192.168.214.31 }, NetworkRange { from: 192.168.215.11, to: 192.168.215.11 }, NetworkRange { from: 192.168.215.250, to: 192.168.215.252 }, NetworkRange { from: 192.168.217.0, to: 192.168.217.255 }, NetworkRange { from: 192.168.220.0, to: 192.168.220.255 }, NetworkRange { from: 192.168.224.2, to: 192.168.224.2 }, NetworkRange { from: 192.168.225.0, to: 192.168.225.255 }, NetworkRange { from: 192.168.226.1, to: 192.168.226.1 }, NetworkRange { from: 192.168.227.0, to: 192.168.227.31 }, NetworkRange { from: 192.168.228.0, to: 192.168.228.31 }, NetworkRange { from: 192.168.233.1, to: 192.168.233.1 }, NetworkRange { from: 192.168.234.1, to: 192.168.234.1 }, NetworkRange { from: 192.168.244.0, to: 192.168.244.255 }, NetworkRange { from: 192.168.247.0, to: 192.168.255.255 }, NetworkRange { from: 217.28.175.254, to: 217.28.175.254 }] } } }
2024-06-18T13:56:33.548883Z DEBUG snx_rs::tunnel::ipsec::isakmp: Sending isakmp probe to 192.168.215.250
2024-06-18T13:56:38.551292Z DEBUG snx_rs::tunnel::ipsec::isakmp: Sending isakmp probe to 192.168.215.250
2024-06-18T13:56:43.553295Z DEBUG snx_rs::tunnel::ipsec::isakmp: Sending isakmp probe to 192.168.215.250
2024-06-18T13:56:48.554377Z DEBUG snx_rs::tunnel::ipsec::isakmp: Sending isakmp probe to 192.168.215.250
2024-06-18T13:56:53.556287Z DEBUG snx_rs::tunnel::ipsec::isakmp: Sending isakmp probe to 192.168.215.250
Error: Probing failed, server is not reachable via ESPinUDP tunnel!

ancwrd1 commented 5 months ago

Hmm, I think there was a bug in this version which was fixed later :(

If you are able to build the project with the Rust compiler, you can check out the 0.11.0 tag and comment out lines 32 and 33 in ipsec.rs.

ancwrd1 commented 5 months ago

Alternatively, you could try SSL tunnel, but it will be noticeably slower.

haegemonia76 commented 5 months ago

Ok, I built it, and here's the result!

sudo ./snx-rs -s ***.***.***.*** -u *** -p *** -l trace -e ipsec -o vpn -X true > log.log
Error: Invalid key management response!

log.log

ancwrd1 commented 5 months ago

:encalg (3DES)

Damn... as I feared, it's 3DES, which has been used nowhere for many years except for Checkpoint servers :) Maybe it's time to tell your IT department to update it. I could try adding it perhaps. Might take some time, but I can't really test it.
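
The CCC exchanges above (the ClientHello login options with their secondary_realm_hash, and the KeyManagement reply whose encalg decided this thread) as an added Rust example, not snx-rs code: it parses the notation and runs the two checks a user can apply to a trace log. Algorithm labels other than AES-256, SHA256 and 3DES are assumptions, and the two sample replies are trimmed or constructed from the ones posted here.

```rust
// Added example, not snx-rs project code: a Check Point CCC parser plus two trace-log checks.

/// One CCC node: an optional leading atom (`CCCserverResponse`, or a leaf value such as
/// `600`) followed by its `:key (...)` children in document order.
#[derive(Debug, Default, PartialEq)]
pub struct Node { pub head: Option<String>, pub children: Vec<(String, Node)> }
impl Node {
    /// Follow a key path such as ["ResponseHeader", "return_code"].
    pub fn get(&self, path: &[&str]) -> Option<&Node> {
        let mut cur = self;
        for key in path { cur = &cur.children.iter().find(|(k, _)| k == key)?.1; }
        Some(cur)
    }
    /// Atom of the leaf at a path, e.g. `(600)` gives "600"; "" for `()` or a missing path.
    pub fn field(&self, path: &[&str]) -> &str { self.get(path).and_then(|n| n.head.as_deref()).unwrap_or("") }
}
#[derive(Debug, PartialEq)]
enum Tok { Open, Close, Key(String), Atom(String) }
/// Tokens: parens, `:keys` (possibly empty, as in `: (IPSec)`), bare atoms, and quoted
/// atoms, which may span lines as ics_cab_version does in the thread.
fn tokenize(src: &str) -> Result<Vec<Tok>, String> {
    let c: Vec<char> = src.chars().collect();
    let delim = |ch: char| ch.is_whitespace() || ch == '(' || ch == ')';
    let (mut toks, mut i) = (Vec::new(), 0);
    while i < c.len() {
        let mut j = i + 1;
        match c[i] {
            ch if ch.is_whitespace() => {}
            '(' => toks.push(Tok::Open),
            ')' => toks.push(Tok::Close),
            '"' => {
                while j < c.len() && c[j] != '"' { j += 1 }
                if j == c.len() { return Err("unterminated string".into()) }
                toks.push(Tok::Atom(c[i + 1..j].iter().collect()));
                j += 1; // step over the closing quote
            }
            ch => { // `:name` key, or a bare atom (numbers, hex blobs, names such as AES-256)
                while j < c.len() && !delim(c[j]) { j += 1 }
                let text: String = c[i..j].iter().collect();
                toks.push(if ch == ':' { Tok::Key(text[1..].to_string()) } else { Tok::Atom(text) });
            }
        }
        i = j;
    }
    Ok(toks)
}
/// Recursive descent over one `( [atom] (:key node)* )` group.
fn parse_node(t: &[Tok], pos: &mut usize) -> Result<Node, String> {
    if t.get(*pos) != Some(&Tok::Open) { return Err(format!("expected '(' at token {pos}")) }
    *pos += 1;
    let mut node = Node::default();
    if let Some(Tok::Atom(a)) = t.get(*pos) { node.head = Some(a.clone()); *pos += 1 }
    loop {
        match t.get(*pos) {
            Some(Tok::Close) => { *pos += 1; return Ok(node) }
            Some(Tok::Key(k)) => { *pos += 1; let v = parse_node(t, pos)?; node.children.push((k.clone(), v)) }
            other => return Err(format!("unexpected {other:?} at token {pos}")),
        }
    }
}
/// Parse one complete CCC request or reply (the text after "Reply from server:").
pub fn parse(src: &str) -> Result<Node, String> {
    let (toks, mut pos) = (tokenize(src)?, 0);
    let root = parse_node(&toks, &mut pos)?;
    if pos == toks.len() { Ok(root) } else { Err("text after the closing ')'".into()) }
}

/// Login options a ClientHello reply advertises, as (id, secondary_realm_hash); the id is
/// what `login-type` / `-o` must be set to, and the thread's gateway offers only `vpn`.
pub fn login_options(root: &Node) -> Vec<(String, String)> {
    root.get(&["ResponseData", "login_options_data", "login_options_list"]).map_or(Vec::new(), |l| {
        l.children.iter().map(|(_, o)| (o.field(&["id"]).to_string(), o.field(&["secondary_realm_hash"]).to_string())).collect()
    })
}
/// Client proposals per the maintainer (AES-CBC 256/192/128, HMAC-SHA 256/160/96); AES-256, SHA256 and 3DES are labels seen in the thread, the rest are assumed names.
const SUPPORTED_ENC: &[&str] = &["AES-256", "AES-192", "AES-128"];
const SUPPORTED_AUTH: &[&str] = &["SHA256", "SHA1"];
/// Validate a KeyManagement reply before installing SAs: it must succeed (600) and name algorithms the client proposes, so a 3DES gateway is rejected.
pub fn check_key_management(root: &Node) -> Result<(String, String), String> {
    if root.field(&["ResponseHeader", "type"]) != "KeyManagement" { return Err("not a KeyManagement reply".into()) }
    let rc = root.field(&["ResponseHeader", "return_code"]);
    if rc != "600" { return Err(format!("server returned code {rc}")) }
    let (enc, auth) = (root.field(&["ResponseData", "encalg"]), root.field(&["ResponseData", "authalg"]));
    if !SUPPORTED_ENC.contains(&enc) { return Err(format!("gateway chose cipher {enc:?}, not one of {:?}: legacy IPsec config", SUPPORTED_ENC)) }
    if !SUPPORTED_AUTH.contains(&auth) { return Err(format!("gateway chose integrity {auth:?}, not one of {:?}", SUPPORTED_AUTH)) }
    Ok((enc.to_string(), auth.to_string()))
}
/// Trimmed from the ClientHello reply posted in this thread.
pub const CLIENT_HELLO: &str = r#"(CCCserverResponse
  :ResponseHeader ( :id (0) :type (ClientHello) :session_id () :return_code (600))
  :ResponseData ( :login_options_data ( :login_options_list ( :0 ( :id (vpn) :display_name (Standard)
      :secondary_realm_hash (c4ca4238a0b923820dcc509a6f75849b))) :login_options_md5 (5fa927f808843186e5aa3d9230b15dd7))))"#;
/// Constructed from the maintainer's redacted KeyManagement example, with the 3DES cipher the user's gateway returned.
pub const KEY_MGMT_3DES: &str = r#"(CCCserverResponse
  :ResponseHeader ( :id (4) :type (KeyManagement) :session_id (xxx) :return_code (600))
  :ResponseData ( :client_encsa ( :enckey (xxx) :authkey (xxx) :spi (xxx))
    :client_decsa ( :enckey (xxx) :authkey (xxx) :spi (xxx)) :lifetime (86400)
    :encalg (3DES) :authalg (SHA256) :nattport (4500) :udpencapsulation (true)))"#;
```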

haegemonia76 commented 5 months ago

> :encalg (3DES)
>
> Damn... as I feared, it's 3DES, which has been used nowhere for many years except for Checkpoint servers :) Maybe it's time to tell your IT department to update it. I could try adding it perhaps. Might take some time, but I can't really test it.

Ah! It's ok, thanks for the time you put into my troubleshooting! It will be difficult for me to tell them to update haha. I tried with SSL instead and it works flawlessly, and it's indeed noticeably slower.

If you ever want to implement it, I'm open to testing it for you if I didn't quit in the meantime :)

Thank you very much!

ancwrd1 commented 5 months ago

I have created an experimental 3des branch, you could perhaps try it.

haegemonia76 commented 5 months ago

Thanks for the quick branch creation, I have been testing since this morning and I did not encounter any problem.

ancwrd1 commented 5 months ago

So it works fine now with ipsec tunnel?

ancwrd1 commented 5 months ago

Could you perhaps share a connection log, redacting any sensitive addresses or info?

haegemonia76 commented 5 months ago

Yes of course, here it is: 3des.log. I connected with this command: sudo ./snx-rs -m command -c /home/haegemonia76/.config/snx-rs/snx-rs.conf and I changed ssl to ipsec.

ancwrd1 commented 5 months ago

Great, thanks a lot for testing. I will merge it to main and create a new release.