ancwrd1 / snx-rs

Open Source Linux Client For Check Point VPN Tunnels
GNU Affero General Public License v3.0

Error: Probing failed, server is not reachable via ESPinUDP tunnel! #31

Closed krims0n32 closed 4 months ago

krims0n32 commented 4 months ago

Thanks for your work on this client. We have an older Checkpoint 600 that I can't get to work though. Is this supported at all?

I get this error no matter what login type I select:

Error: Probing failed, server is not reachable via ESPinUDP tunnel!

Thanks.

(CCCserverResponse
    :ResponseHeader (
        :id (0)
        :type (ClientHello)
        :session_id ()
        :return_code (600)
    )
    :ResponseData (
        :protocol_version (
            :protocol_version (100)
        )
        :upgrade_configuration (
            :available_client_version (000000001)
            :client_upgrade_url ("/CSHELL/")
            :upgrade_mode (ask_user)
        )
        :connectivity_info (
            :default_authentication_method (client_decide)
            :client_enabled (true)
            :supported_data_tunnel_protocols (
                : (IPSec)
                : (SSL)
                : (L2TP)
            )
            :connectivity_type (IPSec)
            :server_ip (X.X.X.X)
            :ipsec_transport (auto_detect)
            :tcpt_port (443)
            :natt_port (4500)
            :connect_with_certificate_url ("/clients/cert/")
            :cookie_name (CPCVPN_SESSION_ID)
            :internal_ca_fingerprint (
                :1 (71636a7c106b746d6c107861641f7d61797402041c60651a71630f04150671740b17076479ff1e0a066f06711a06010a01660e0aff79)
            )
        )
        :end_point_security (
            :ics (
                :run_ics (false)
                :ics_base_url ("/clients/ICS/componets")
                :ics_upgrade_url ("/clients/ICS/componets/icsweb.cab")
                :ics_images_url ("/clients/ICS/componets/ICS_images.cab")
                :ics_cab_url ("/clients/ICS/componets/cl_ics.cab")
                :ics_version (402517000)
                :ics_images_ver (402517000)
                :ics_cab_version (402517000)
            )
        )
    )
)

ancwrd1 commented 4 months ago

Hi, there can be two issues: IPSec transport is disabled on the VPN server (UDP port 4500 is blocked) or it is enabled but only via TCPT protocol (Checkpoint proprietary TCP tunnel) which isn't supported by snx-rs. You could try selecting SSL tunnel type as a workaround.

krims0n32 commented 4 months ago

Great, -e ssl works! I can't get it to work through the GUI though. I get this error when clicking Fetch info:

image

And then I am unable to select an authentication method.

ancwrd1 commented 4 months ago

Interesting, I will fix it. Thanks for reporting.

ancwrd1 commented 4 months ago

Should be fixed now in the main branch, you could build it as described in the README file.

krims0n32 commented 4 months ago

Progress, but:

image

ancwrd1 commented 4 months ago

OK, there can be some complications. That server info dump above, is it a complete one? It seems to be missing the login factors. They are displayed in the UI to select authentication type.

krims0n32 commented 4 months ago

I'm not sure, I got the curl command from another ticket:

curl -k -X POST -d '(CCCclientRequest :RequestHeader ( :id (0) :type (ClientHello)) :RequestData ( :client_info ( :client_type (TRAC) :client_version (1) :client_support_saml (true))))' https://X.X.X.X/clients

snx-rs -s X.X.X.X --ignore-server-cert=true -m info
Supported tunnel protocols:
    IPSec
    SSL
    L2TP

I think it is supposed to show login types but it doesn't.

ancwrd1 commented 4 months ago

What do you specify as a login-type parameter?

ancwrd1 commented 4 months ago

I have added initial support for legacy CP servers which do not advertise login types. Currently it assumes vpn_Username_Password as a login type. If it doesn't work for you, please let me know which one does.
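
Added example (not part of the thread and not snx-rs code): a Python parser for a ClientHello reply like the dump above, reporting the offered tunnel protocols, the NAT-T port and whether the server advertises login types, with the vpn_Username_Password fallback named in this comment. The field name `login_options_data` is an assumption that does not appear in the dump on this page, and the sample reply is constructed from that dump.

```python
import re

# Tokens: quoted string, parenthesis, ":key" (key may be empty), bare atom.
TOKEN = re.compile(r'"[^"]*"|[()]|:[^\s()]*|[^\s()"]+')

def parse_ccc(text):
    """Parse a reply into dicts, lists (for ': (x)' entries) and strings."""
    tokens, pos = TOKEN.findall(text) + [None], 0  # None marks end of input
    def node():
        nonlocal pos
        if tokens[pos] != "(":
            raise ValueError("expected '(' at token %d" % pos)
        pos += 1
        atoms, pairs = [], []
        while tokens[pos] != ")":
            tok = tokens[pos]
            if tok in ("(", None):
                raise ValueError("malformed or truncated reply at token %d" % pos)
            pos += 1
            if tok.startswith(":"):
                pairs.append((tok[1:], node()))
            else:
                atoms.append(tok.strip('"'))
        pos += 1
        if pairs and all(key == "" for key, _ in pairs):
            return [value for _, value in pairs]
        return dict(pairs) if pairs else " ".join(atoms)
    return node()

def has_key(tree, key):
    if isinstance(tree, dict):
        return key in tree or any(has_key(v, key) for v in tree.values())
    return isinstance(tree, list) and any(has_key(v, key) for v in tree)

def summarize(reply, login_key="login_options_data"):  # assumed field name
    tree = parse_ccc(reply)
    conn = tree["ResponseData"]["connectivity_info"]
    advertised = has_key(tree, login_key)
    return {"tunnels": conn["supported_data_tunnel_protocols"],
            "ipsec_transport": conn["ipsec_transport"],
            "natt_port": int(conn["natt_port"]),
            "login_types_advertised": advertised,
            "login_type": None if advertised else "vpn_Username_Password"}

# Constructed sample, trimmed from the dump in this thread.
SAMPLE = """(CCCserverResponse :ResponseHeader ( :type (ClientHello))
 :ResponseData ( :connectivity_info (
  :supported_data_tunnel_protocols ( : (IPSec) : (SSL) : (L2TP))
  :ipsec_transport (auto_detect) :tcpt_port (443) :natt_port (4500))))"""
print(summarize(SAMPLE))
```

To check a real server, pass the body returned by the curl command quoted earlier in the thread to `summarize()`.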

krims0n32 commented 4 months ago

Works perfectly, thanks!