ancwrd1 / snx-rs

Open Source Linux Client For Check Point VPN Tunnels
GNU Affero General Public License v3.0

Issues connecting to VPN #33

Closed tGecko closed 3 months ago

tGecko commented 3 months ago

Hi, first of all thank you a lot for creating snx-rs. It's great you're stepping in and providing what CheckPoint doesn't.

I have tried snx-rs on Ubuntu about 2 months ago, and it worked flawlessly. I haven't used it after that but now I want to use it again, but on Fedora. Sadly it can't connect and fails after a few seconds with the error deadline has elapsed.

The command I'm using is:

sudo /opt/snx-rs/snx-rs -s=vpn.redacted.com --cert-type=pkcs12 --cert-path /home/thomas/my_certificate.pfx --cert-password REDACTED --login-type=vpn_Personal_Certificate_PKI -l=trace --tunnel-type=ipsec > snx-rs.log

These are the last messages in snx-rs.log:

4-08-25T08:51:33.235039Z DEBUG isakmp::ikev1::service: IP address from ID payload: REDACTED
2024-08-25T08:51:33.235233Z DEBUG isakmp::ikev1::service: ID payload signature validation succeeded!
2024-08-25T08:51:33.235251Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T08:51:35.234520Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:37.234738Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:39.235224Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:41.234279Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:43.234082Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:47.234548Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:51.234758Z TRACE isakmp::transport: Discarding already received message
2024-08-25T08:51:56.236421Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to REDACTED:500
2024-08-25T08:51:56.236453Z TRACE isakmp::transport: Sending message: IsakmpMessage {
    cookie_i: 14492460706394793690,
    cookie_r: 1408955684825793887,
    version: 16,
    exchange_type: Informational,
    flags: IsakmpFlags(
        0x0,
    ),
    message_id: 3284912010,
    payloads: [
        Delete(
            DeletePayload {
                doi: 0,
                protocol_id: Isakmp,
                spi_size: 16,
                spi: [
                    b"\xc9\x1f\x90:e\xf7\xe6\xda",
                    b"\x13\x8d\x9d\xba\xfaO\x05_",
                ],
            },
        ),
        Hash(
            BasicPayload {
                data: b"~\xdf\xad\xda\xbf\xa1\xec\xaa\xbb\xd9\x9c4OW<\x13{\x96\x0b\x9b",
            },
        ),
    ],
}

Please let me know if you need any more info, and thanks a lot for your time.

ancwrd1 commented 3 months ago

Hi, do you know which version worked for you before? You could perhaps try the prior releases. There were some compatibility-related changes in version 2.2.5, wondering if they broke something.

tGecko commented 3 months ago

I don't remember which version I was using. I will try a version < 2.2.5 and report back.

tGecko commented 3 months ago

Indeed, using 2.2.4 works!

ancwrd1 commented 3 months ago

Thanks for confirming, would you be able to build it and do some tests for me? I want to find out which option exactly breaks the connection.

tGecko commented 3 months ago

Yes, absolutely!

ancwrd1 commented 3 months ago

Great, thanks, so there is a branch issue33, if you could build the project from that branch and try to connect again. If it still does not work, there is a new command line parameter --client-mode=xx, the default client mode is "secure_connect" (taken from my Windows client), the older snx-rs version used "SYMBIAN" there. You could try the following values: endpoint_security, secure_remote, SYMBIAN.

tGecko commented 3 months ago

All of the options seem to yield the same results:

SYMBIAN

sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/thomas/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/thomas/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec --client-mode=SYMBIAN
2024-08-25T11:21:56.827680Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:21:56.827703Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:21:56.839026Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:21:56.839934Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:21:56.852970Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:21:56.897256Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:21:56.909618Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:21:56.914329Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:21:56.914507Z DEBUG isakmp::transport: Sending ISAKMP message, len: 592, to: REDACTED:500
2024-08-25T11:21:56.928116Z DEBUG isakmp::transport: Received ISAKMP message, len: 268
2024-08-25T11:21:56.928227Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:21:56.928237Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:21:56.928244Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:21:56.928571Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:21:56.928589Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:21:56.928642Z DEBUG isakmp::transport: Sending ISAKMP message, len: 333, to: REDACTED:500
2024-08-25T11:21:56.940037Z DEBUG isakmp::transport: Received ISAKMP message, len: 311
2024-08-25T11:21:56.940645Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:21:56.940736Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:21:56.941932Z DEBUG isakmp::transport: Sending ISAKMP message, len: 5084, to: REDACTED:500
2024-08-25T11:21:56.968802Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:21:56.968914Z DEBUG isakmp::ikev1::service: IP address from ID payload: REDACTED
2024-08-25T11:21:56.969105Z DEBUG isakmp::ikev1::service: ID payload signature verification succeeded!
2024-08-25T11:21:56.969125Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:21:58.969116Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:00.968882Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:02.969403Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:04.969874Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:06.968427Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:08.969222Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:12.968872Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:16.969343Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:20.969579Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:24.968669Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:28.968926Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:33.970296Z DEBUG isakmp::transport: Sending ISAKMP message, len: 80, to: REDACTED:500
Error: deadline has elapsed

endpoint_security

sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/thomas/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/thomas/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec --client-mode=endpoint_security
2024-08-25T11:23:08.857230Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:23:08.857251Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:23:08.864869Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:23:08.865777Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:23:08.878814Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:23:08.924259Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:23:08.936801Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:23:08.941805Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:23:08.942059Z DEBUG isakmp::transport: Sending ISAKMP message, len: 592, to: REDACTED:500
2024-08-25T11:23:08.956334Z DEBUG isakmp::transport: Received ISAKMP message, len: 268
2024-08-25T11:23:08.956473Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:23:08.956495Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:23:08.956510Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:23:08.956948Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:23:08.956970Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:23:08.957041Z DEBUG isakmp::transport: Sending ISAKMP message, len: 333, to: REDACTED:500
2024-08-25T11:23:08.967948Z DEBUG isakmp::transport: Received ISAKMP message, len: 311
2024-08-25T11:23:08.968427Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:23:08.968518Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:23:08.969725Z DEBUG isakmp::transport: Sending ISAKMP message, len: 5100, to: REDACTED:500
2024-08-25T11:23:08.997939Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:08.998091Z DEBUG isakmp::ikev1::service: IP address from ID payload: REDACTED
2024-08-25T11:23:08.998353Z DEBUG isakmp::ikev1::service: ID payload signature verification succeeded!
2024-08-25T11:23:08.998382Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:23:10.995448Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:12.995386Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:14.995559Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:16.995444Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:18.995003Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:20.996811Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:24.995277Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:28.994990Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:32.997629Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:36.995200Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:23:41.996331Z DEBUG isakmp::transport: Sending ISAKMP message, len: 80, to: REDACTED:500
Error: deadline has elapsed

secure_remote

sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/thomas/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/thomas/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec --client-mode=secure_remote
2024-08-25T11:24:07.511215Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:24:07.511238Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:24:07.518917Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:24:07.520109Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:24:07.539338Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:24:07.583501Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:24:07.595619Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:24:07.600430Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:24:07.600597Z DEBUG isakmp::transport: Sending ISAKMP message, len: 592, to: REDACTED:500
2024-08-25T11:24:07.614669Z DEBUG isakmp::transport: Received ISAKMP message, len: 268
2024-08-25T11:24:07.614807Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:24:07.614824Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:24:07.614833Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:24:07.615262Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:24:07.615290Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:24:07.615364Z DEBUG isakmp::transport: Sending ISAKMP message, len: 333, to: REDACTED:500
2024-08-25T11:24:07.626346Z DEBUG isakmp::transport: Received ISAKMP message, len: 311
2024-08-25T11:24:07.626922Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:24:07.627011Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:24:07.628116Z DEBUG isakmp::transport: Sending ISAKMP message, len: 5100, to: REDACTED:500
2024-08-25T11:24:07.652911Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:07.653008Z DEBUG isakmp::ikev1::service: IP address from ID payload: REDACTED
2024-08-25T11:24:07.653167Z DEBUG isakmp::ikev1::service: ID payload signature verification succeeded!
2024-08-25T11:24:07.653182Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:24:09.653149Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:11.652940Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:15.652834Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:17.653441Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:19.653335Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:23.652545Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:27.652804Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:31.652743Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:35.653270Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:39.652796Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:24:44.654570Z DEBUG isakmp::transport: Sending ISAKMP message, len: 80, to: REDACTED:500
Error: deadline has elapsed
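
A small triage script, added here as an example (not code from snx-rs or from anyone in this thread), that reads logs like the three above and reports how long the client sat in "Waiting for attributes payload" and how many times the gateway re-sent its last 3516-byte message in the meantime. The embedded sample log is constructed in the shape of these logs, and the diagnosis strings are a heuristic reading, not snx-rs output.

```python
"""Triage helper for snx-rs IPsec logs (added example, not part of snx-rs): how long
the client sat in "Waiting for attributes payload" and whether the gateway kept
re-sending its last message meanwhile (i.e. it never accepted the client's reply)."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d\.\d+)Z\s+\w+\s+(?P<target>\S+):\s+(?P<msg>.*)$"
)
# Both formats seen in the thread: "len: N" (newer isakmp crate) and "of size N" (older).
RECV_RE = re.compile(r"(?:Received|Parsing) ISAKMP message(?:, len:| of size) (\d+)")
SEND_RE = re.compile(r"Sending ISAKMP message(?:, len:| of size) (\d+)")

# Constructed sample in the shape of the logs above (not a verbatim copy).
SAMPLE_LOG = """\
2024-08-25T11:21:56.968802Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:21:56.969125Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:21:58.969116Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:00.968882Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:04.969874Z DEBUG isakmp::transport: Received ISAKMP message, len: 3516
2024-08-25T11:22:33.970296Z DEBUG isakmp::transport: Sending ISAKMP message, len: 80, to: REDACTED:500
Error: deadline has elapsed
"""

@dataclass
class StallReport:
    waited_seconds: float          # from "Waiting for attributes payload" to the final send
    retransmits: int               # same-length gateway messages re-received while waiting
    retransmit_len: Optional[int]  # length of that repeated message (3516 in the thread)
    timed_out: bool                # "Error: deadline has elapsed" was logged

def analyse(lines: Iterable[str]) -> Optional[StallReport]:
    """Return a StallReport, or None if the log never reached the attributes wait."""
    waiting_at = end_at = None
    last_recv_len = retransmit_len = None
    retransmits = 0
    timed_out = False
    for raw in lines:
        line = raw.strip()
        if line == "Error: deadline has elapsed":
            timed_out = True
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m["msg"]
        recv = RECV_RE.search(msg)
        if waiting_at is None:
            # Before the wait: remember the length of the last gateway message.
            if recv:
                last_recv_len = int(recv.group(1))
            elif msg == "Waiting for attributes payload":
                waiting_at = datetime.fromisoformat(m["ts"])
        elif recv and int(recv.group(1)) == last_recv_len:
            # Same length again while waiting: the gateway is retransmitting, not progressing.
            retransmits += 1
            retransmit_len = last_recv_len
        elif SEND_RE.search(msg):
            end_at = datetime.fromisoformat(m["ts"])  # client gives up (Delete message)
    if waiting_at is None:
        return None
    waited = ((end_at or waiting_at) - waiting_at).total_seconds()
    return StallReport(waited, retransmits, retransmit_len, timed_out)

def diagnose(r: StallReport) -> str:
    """Heuristic reading of the report (an interpretation, not snx-rs output)."""
    if not r.timed_out:
        return "no deadline error: the handshake moved past the attributes exchange"
    if r.retransmits:
        return (f"gateway retransmitted its {r.retransmit_len}-byte message "
                f"{r.retransmits} times during the {r.waited_seconds:.0f}s wait: each side "
                "waited on the other, so the client's last reply was not accepted")
    return (f"client waited {r.waited_seconds:.0f}s with no gateway traffic logged: "
            "rerun with -l=trace, the older transport only logs discarded retransmits at TRACE")
```

Feed it a whole snx-rs log with `analyse(open(path).read().splitlines())`; a non-zero retransmit count with a timeout says the gateway was still waiting on the client, not the other way round.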

ancwrd1 commented 3 months ago

Can you pull from the branch and try again, please? I have added the "clientOS" field to the auth blob, which was there in the old version.

tGecko commented 3 months ago

git pull
cargo build

Same result, on all three client modes. Ending in deadline has elapsed.

edit: just to be sure I didn't mess up, I did another cargo clean && git pull && cargo build. Same result.

ancwrd1 commented 3 months ago

That's very strange. Ok, I have reverted the isakmp dependency (the one which does IPSec negotiation) to the version which is used in 2.2.4. Please pull again and see if it makes any difference.

tGecko commented 3 months ago

Still same error (I hope they won't ban me 😅)

thomas@10-0-0-50:~/snx-rs$ git pull
remote: Enumerating objects: 9, done.
remote: Counting objects: 100% (9/9), done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 9 (delta 5), reused 9 (delta 5), pack-reused 0 (from 0)
Unpacking objects: 100% (9/9), 1.10 KiB | 375.00 KiB/s, done.
From https://github.com/ancwrd1/snx-rs
   8018796..b181b35  issue33    -> origin/issue33
Updating 8018796..b181b35
Fast-forward
 Cargo.lock                            |  6 +++---
 snxcore/Cargo.toml                    |  2 +-
 snxcore/src/tunnel/ipsec/connector.rs | 19 ++++++-------------
 3 files changed, 10 insertions(+), 17 deletions(-)
thomas@10-0-0-50:~/snx-rs$ cargo build
    Blocking waiting for file lock on build directory
   Compiling cryptoki v0.6.2
   Compiling isakmp v0.1.0 (https://github.com/ancwrd1/isakmp.git?rev=9f91390e9327d95c16d96514b1f6f3df62961d05#9f91390e)
   Compiling snxcore v2.4.0 (/home/thomas/snx-rs/snxcore)
   Compiling snx-rs-gui v2.4.0 (/home/thomas/snx-rs/snx-rs-gui)
   Compiling snxctl v2.4.0 (/home/thomas/snx-rs/snxctl)
   Compiling snx-rs v2.4.0 (/home/thomas/snx-rs/snx-rs)
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 15.29s
thomas@10-0-0-50:~/snx-rs$ sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=info --tunnel-type=ipsec
[sudo] password for thomas: 
^C
thomas@10-0-0-50:~/snx-rs$ sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec
2024-08-25T11:51:03.460258Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:51:03.460288Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:51:03.468066Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:51:03.469101Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:51:03.481603Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:51:03.526269Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:51:03.538566Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:51:03.544045Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:51:03.544355Z DEBUG isakmp::transport: Sending ISAKMP message of size 681 to REDACTED:500
2024-08-25T11:51:03.558234Z DEBUG isakmp::transport: Parsing ISAKMP message of size 268
2024-08-25T11:51:03.558314Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:51:03.558326Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:51:03.558332Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:51:03.560032Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:51:03.560050Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:51:03.560084Z DEBUG isakmp::transport: Sending ISAKMP message of size 244 to REDACTED:500
2024-08-25T11:51:03.572418Z DEBUG isakmp::transport: Parsing ISAKMP message of size 311
2024-08-25T11:51:03.572906Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:51:03.572986Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:51:03.573939Z DEBUG isakmp::transport: Sending ISAKMP message of size 5116 to REDACTED:500
2024-08-25T11:51:03.600707Z DEBUG isakmp::transport: Parsing ISAKMP message of size 3516
2024-08-25T11:51:03.600801Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:51:20.601621Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to REDACTED:500
Error: deadline has elapsed
thomas@10-0-0-50:~/snx-rs$ sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec --client-mode=SYMBIAN
2024-08-25T11:52:06.480346Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:52:06.480371Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:52:06.488638Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:52:06.489494Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:52:06.502426Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:52:06.547360Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:52:06.559334Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:52:06.563867Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:52:06.564064Z DEBUG isakmp::transport: Sending ISAKMP message of size 681 to REDACTED:500
2024-08-25T11:52:06.577625Z DEBUG isakmp::transport: Parsing ISAKMP message of size 268
2024-08-25T11:52:06.577717Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:52:06.577734Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:52:06.577741Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:52:06.579168Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:52:06.579184Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:52:06.579211Z DEBUG isakmp::transport: Sending ISAKMP message of size 244 to REDACTED:500
2024-08-25T11:52:06.590225Z DEBUG isakmp::transport: Parsing ISAKMP message of size 311
2024-08-25T11:52:06.590659Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:52:06.590734Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:52:06.591604Z DEBUG isakmp::transport: Sending ISAKMP message of size 5116 to REDACTED:500
2024-08-25T11:52:06.617380Z DEBUG isakmp::transport: Parsing ISAKMP message of size 3516
2024-08-25T11:52:06.617496Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:52:39.619277Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to REDACTED:500
Error: deadline has elapsed
thomas@10-0-0-50:~/snx-rs$ sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec --client-mode=endpoint_security
2024-08-25T11:52:45.284535Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:52:45.284561Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:52:45.292028Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:52:45.292791Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:52:45.307571Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:52:45.354520Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:52:45.367596Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:52:45.371655Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:52:45.371837Z DEBUG isakmp::transport: Sending ISAKMP message of size 681 to REDACTED:500
2024-08-25T11:52:45.385588Z DEBUG isakmp::transport: Parsing ISAKMP message of size 268
2024-08-25T11:52:45.385673Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:52:45.385684Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:52:45.385691Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:52:45.387274Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:52:45.387290Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:52:45.387325Z DEBUG isakmp::transport: Sending ISAKMP message of size 244 to REDACTED:500
2024-08-25T11:52:45.400267Z DEBUG isakmp::transport: Parsing ISAKMP message of size 311
2024-08-25T11:52:45.400697Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:52:45.400763Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:52:45.401556Z DEBUG isakmp::transport: Sending ISAKMP message of size 5116 to REDACTED:500
2024-08-25T11:52:45.427316Z DEBUG isakmp::transport: Parsing ISAKMP message of size 3516
2024-08-25T11:52:45.427417Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:53:00.430053Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to REDACTED:500
Error: deadline has elapsed
thomas@10-0-0-50:~/snx-rs$ sudo target/debug/snx-rs -s=vpn.REDACTED.de --cert-type=pkcs12 --cert-path /home/REDACTED/REDACTED@REDACTED.de.pfx --cert-password $(cat /home/REDACTED/pw.txt) --login-type=vpn_Personal_Certificate_PKI -l=debug --tunnel-type=ipsec --client-mode=secure_remote
2024-08-25T11:53:10.277515Z DEBUG snx_rs: >>> Starting snx-rs client version 2.4.0
2024-08-25T11:53:10.277552Z DEBUG snx_rs: Running in standalone mode
2024-08-25T11:53:10.285491Z DEBUG hyper_util::client::legacy::connect::dns: resolving host="vpn.REDACTED.de"
2024-08-25T11:53:10.286365Z DEBUG hyper_util::client::legacy::connect::http: connecting to REDACTED:443
2024-08-25T11:53:10.299808Z DEBUG hyper_util::client::legacy::connect::http: connected to REDACTED:443
2024-08-25T11:53:10.345750Z DEBUG snxcore::tunnel::ipsec::natt: Sending NAT-T probe to REDACTED
2024-08-25T11:53:10.358209Z DEBUG snxcore::tunnel::ipsec::natt: Received NAT-T reply from REDACTED: srcport: 4500, dstport: 4500, hash: 4ae71336e44bf9bf79d2752e234818a5
2024-08-25T11:53:10.363170Z DEBUG isakmp::ikev1::service: Begin SA proposal
2024-08-25T11:53:10.363420Z DEBUG isakmp::transport: Sending ISAKMP message of size 681 to REDACTED:500
2024-08-25T11:53:10.377264Z DEBUG isakmp::transport: Parsing ISAKMP message of size 268
2024-08-25T11:53:10.377347Z DEBUG isakmp::ikev1::service: Negotiated SA hash algorithm: Sha
2024-08-25T11:53:10.377358Z DEBUG isakmp::ikev1::service: Negotiated SA key length: 32
2024-08-25T11:53:10.377366Z DEBUG isakmp::ikev1::service: Negotiated SA group: Oakley2
2024-08-25T11:53:10.378923Z DEBUG isakmp::ikev1::service: End SA proposal
2024-08-25T11:53:10.378941Z DEBUG isakmp::ikev1::service: Begin key exchange
2024-08-25T11:53:10.378971Z DEBUG isakmp::transport: Sending ISAKMP message of size 244 to REDACTED:500
2024-08-25T11:53:10.390377Z DEBUG isakmp::transport: Parsing ISAKMP message of size 311
2024-08-25T11:53:10.390731Z DEBUG isakmp::ikev1::service: End key exchange
2024-08-25T11:53:10.390806Z DEBUG isakmp::ikev1::service: Begin identity protection
2024-08-25T11:53:10.391704Z DEBUG isakmp::transport: Sending ISAKMP message of size 5116 to REDACTED:500
2024-08-25T11:53:10.417769Z DEBUG isakmp::transport: Parsing ISAKMP message of size 3516
2024-08-25T11:53:10.417874Z DEBUG isakmp::ikev1::service: Waiting for attributes payload
2024-08-25T11:53:47.423116Z DEBUG isakmp::transport: Sending ISAKMP message of size 80 to REDACTED:500
Error: deadline has elapsed
thomas@10-0-0-50:~/snx-rs$ 

ancwrd1 commented 3 months ago

So I found the problem, it was introduced in version 2.2.8, to support additional MFA codes with certificate authentication. Unfortunately, this broke certificate authentication without MFA. Please pull this branch and try again, I think it should work now.

tGecko commented 3 months ago

Yes, instantly works, without any client ID parameter. Nice work!

ancwrd1 commented 3 months ago

Thanks a lot for your help in testing and for reporting this issue. I will merge it and create a new release.