Check point snx client linux

CheckPoint SNX install instructions for major Linux distributions

I decided to do a round up of how to install the software needed on GNU/Linux to enable access through a CheckPoint firewall. My focus was on distributions whose ISO downloads supported UEFI boot, and hard disk encryption out of the box. This explains why Debian is not in this list. These requirements may not apply to you so feel free to add the instructions for your distro of choice to the comments below.

As of build 800007075 Checkpoint no longer supports using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop where we were previously able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender”. This is a major pain as it requires (from my experience) an X server, Oracle Java, and the Firefox browser to run. Chrome gives this helpful message on the Java website:

The Chrome browser does not support NPAPI plug-ins and therefore will not run all Java content. Switch to a different browser (Firefox, Internet Explorer or Safari on Mac) to run the Java plug-in.

Despite all this, it still uses the native client but with the “unsupported” -Z option. Ah well.

With all the distributions I did the following:

  • downloaded the most prominent ISO on offer at the project's main page
  • used dd to transfer the image to usb stick
  • installed using full disk encryption
  • applied all the patch fixes
  • installed openssh-server.

Let me tell you now that your future is full of warnings like, This Connection is Untrusted, I understand the Risks, Add Exception, Confirm Security Exception, allow, allow remember, continue, run, allow, trust server, etc etc. I found it useful to browse to the Verify Java Version site in Firefox to verify that java is working.

You will also need to know the URL, username and password for your own Checkpoint login site. It should be something like:
https://checkpoint.example.com/sslvpn/Login/Login

These instructions are going to be terse but the links provided should give you more information if needed.

Ubuntu 15.04 Vivid Vervet

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

Pressing connect will open an xterm window that downloads and runs the native client install.sh script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Linux Mint 17.2 “Rafaela”

Very similar to Ubuntu, we’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

Unlike Ubuntu however the install via the browser did not work for me. You will need to go to your own login site:
https://checkpoint.example.com/sslvpn/Login/Login

Then select Settings > Edit Native Applications Settings > Download installation for Linux

Open a terminal and then run the command snx_install.sh from wherever you downloaded it.

Now when you go back to the web site, your Connect button should work.

openSUSE 13.2

This is a distribution I haven’t used too much before but decided to give it a try. Again additional libraries were necessary to get snx to run. I also followed these instructions to install java.

Then it was just a case of connecting to the website and pressing Connect.

Fedora 22

We have covered installing under Fedora 21 before and the biggest problem was installing Oracle Java. Get the latest from http://www.java.com/en/download/linux_manual.jsp and I copied it to /usr/local/src. You’ll need to adjust accordingly.

Summary

I’m sorry if I haven’t covered your distribution in this round up. As I said at the beginning my requirements were pretty specific, but my time was limited. If you browse through the snx series here, you should be able to find out how you can get it running on your own distribution easily enough. This is what I had to do with openSUSE, for which I was a novice user. If not you can always drop me a line.

Having to run such a bloated and convoluted tool chain just to end up running the same application is very disappointing. I am also concerned that such an essential piece of business software is built using such old libraries, and that there is no 64 bit version.

I would like to hear if there is a way to get this plugin to run from the command line, or at least run without having a browser window open. If you have suggestions please comment below.

21 Responses to CheckPoint SNX install instructions for major Linux distributions

Thank you so much for posting this information. I went through a similar experience trying to get Check Point working on my Ubuntu laptop. The experience gave me enough concern that I switched to Windows 10 with Check Point Capsule VPN installed from the Windows Store running an Ubuntu guest VM that piggybacks my host’s VPN. A bit of an end-run around the issue I realize but the whole Firefox / Java / root password process seemed horribly brittle and a bad omen for things to come.

I’m running Ubuntu 14.04 LTS 64 bit. I’ve followed all your described steps, and I’m connecting using Firefox. But it is still not connecting. The Java console has the following stack; I’ve replaced my information with my_, and the rest I’ve left as it is:
21/12/2015 03:14:19[Component] Trying to create socket to 127.0.0.1:5555
21/12/2015 03:14:19[Component] Could not connect
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:402)
at java.net.Socket.connect(Socket.java:591)
at java.net.Socket.connect(Socket.java:540)
at java.net.Socket.<init>(Socket.java:436)
at java.net.Socket.<init>(Socket.java:213)
at CpComponent.initPipe(CpComponent.java:96)
at SNXNMComponent.initPipe(SNXNMComponent.java:375)
at SNXNMComponent.checkCommunications(SNXNMComponent.java:449)
at SNXNMComponent.checkCommunications(SNXNMComponent.java:427)
at CpComponent.connect(CpComponent.java:131)
at ClientDirector.InstallAndConnectClient(ClientDirector.java:156)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at CpIs$1.run(CpIs.java:717)
at java.security.AccessController.doPrivileged(Native Method)
at CpIs.runPrivilegedMethod(CpIs.java:711)
at CShell.InitializeCShell(CShell.java:390)
at CShell.Initialize(CShell.java:354)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at sun.plugin.javascript.Trampoline.invoke(Unknown Source)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:520)
at sun.plugin.javascript.JSClassLoader.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MethodInfo.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass$MemberBundle.invoke(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke0(Unknown Source)
at sun.plugin2.liveconnect.JavaClass.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$DefaultInvocationDelegate.invoke(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$3.run(Unknown Source)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo.doObjectOp(Unknown Source)
at sun.plugin2.main.client.LiveConnectSupport$PerAppletInfo$LiveConnectWorker.run(Unknown Source)
at java.lang.Thread.run(Thread.java:747)
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
21/12/2015 03:14:19[Launcher] Launching /usr/bin/snx -Z
21/12/2015 03:14:20[Component] Trying to create socket to 127.0.0.1:7776
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
21/12/2015 03:14:20[SNXNetMode] Connection to SNX Network Mode is ok
21/12/2015 03:14:20[Component] Connecting…
21/12/2015 03:14:20[Proxy] detectProxy, name = my-server
21/12/2015 03:14:20[Proxy] detectProxy, proxyFullPath = /tmp/.proxy.ini
21/12/2015 03:14:20[Proxy] URI = https://my-server
21/12/2015 03:14:20[Proxy] about to get the system-wide proxy selector…
21/12/2015 03:14:20[Proxy] about select proxy list from the selector…
21/12/2015 03:14:20[Proxy] about iterate the proxy list…
21/12/2015 03:14:20[Proxy] about iterate the proxy #0…
21/12/2015 03:14:20[Proxy] about to get address from proxy…
21/12/2015 03:14:20[Proxy] no proxy – continue
21/12/2015 03:14:20[Proxy] done with the list – there is no proxy
21/12/2015 03:14:20[Messaging] Sending INIT_DATA message:
21/12/2015 03:14:20[Messaging] Gateway IP: my.ip
21/12/2015 03:14:20[Messaging] Gateway name: my-server
21/12/2015 03:14:20[Messaging] Gateway port: 443
21/12/2015 03:14:20[Messaging] Proxy IP: 0.0.0.0
21/12/2015 03:14:20[Messaging] Proxy port: 0
21/12/2015 03:14:20[Messaging] Server CN: my-server
21/12/2015 03:14:20[Messaging] User Name: my-user
21/12/2015 03:14:20[Messaging] Server fingerprint: my_fingerprint
21/12/2015 03:14:20[Messaging] Automatic proxy replacement: true
21/12/2015 03:14:20[CShell] Initialized successfully

It writes that Initialization passes successfully. But there are two different messages:
21/12/2015 03:14:19[SNXNetMode] Could not connect to SNX Network Mode, probably not installed.
***
21/12/2015 03:14:20[SNXNetMode] Successfully connected to SNX Network Mode.
Either it works or it doesn’t.
The main problem is that Firefox shows:
Connection Mode:
Status: Connecting…
Gateway ID:
Office Mode IP:
Duration: 0 Days 00:00:00
Remaining Time: 0 Days 00:00:00
Please help me.

Checkpoint VPN client for Linux

Is there a Linux client for Checkpoint VPN? Preferably for Ubuntu?

6 Answers

I've heard good things about Shrew, but I've only seen it used on Windows.

I use SNX (from Checkpoint) and it works perfectly. It can be downloaded from here.

I used this guide to install snx on my client; check it out and make sure you have all the required packages installed.

Also, you can create a .snxrc file in /home/user/ and specify the IP address and username there, for example:

Then just run snx; you will be prompted for your password and that's it.

The existing client is ancient, and AFAIK there are currently no plans to write a newer one. There are private Linux VPN clients that should work with Checkpoint; in particular, check out vpnc and racoon.

I successfully connected to Checkpoint (NGX R75) using Shrew Soft; more details here: https://serverfault.com/a/386021/73387

I assume you are looking for an IPSEC client, but if you are looking for SSL VPN, I have had luck with the Checkpoint SNX client on Ubuntu.

I was looking for one too, and I found a Checkpoint VPN client on the Checkpoint user forums; I will link it for you tomorrow.

OK, here is the link to the documentation for RedHat:

BUT the Linux VPN client seems to be outdated and no longer supported; in my own experience, it is better to use OpenSwan VPN to connect through a Checkpoint VPN gateway under Linux.

rkueny / snx_install.sh

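# Work in a scratch directory so the installer can be removed afterwards
mkdir temp && cd temp
# For the Linux 'amd64' architecture, install these 32-bit packages first:
sudo apt-get install libx11-6:i386 libpam0g:i386 libstdc++5:i386 lib32z1 lib32ncurses5 lib32bz2-1.0
# Download the installer script
wget https://vpnportal.aktifbank.com.tr/SNX/INSTALL/snx_install.sh
# wget does not set the execute bit, so mark the script executable before running it as root
chmod +x snx_install.sh
sudo ./snx_install.sh
cd .. && rm -rf temp/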

skyrocknroll commented Dec 13, 2017

sudo apt-get install libgtk2.0-0:i386 for ubuntu 16.04

andrqm commented Feb 20, 2018

davidlebr1 commented May 14, 2018

I had to install these packages also: apt-get install libstdc++5:i386 libpam0g:i386 libx11-6:i386

flagod commented Jul 19, 2018

Hi, why does the snx_install.sh script have 4000 lines of binary code at the end? Isn’t it supposed to be a shell script?

nachohc commented Jul 22, 2018

@flagod It’s a compressed tar archive located at the end of the script. Line 17 extracts the file. It’s very common in proprietary software for Linux.
You can extract the snx binary:
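
Added example, not part of the gist or of any comment here: a Python example that inspects a self-extracting installer of the kind described above without running it, by locating the appended gzip or bzip2 tar archive and listing its members and modes. The sample installer and its member names are constructed for the demonstration; the actual layout of snx_install.sh is not assumed.

```python
import io
import tarfile

MAGICS = (b"\x1f\x8b\x08", b"BZh")  # gzip and bzip2 stream headers

def find_payload(data: bytes):
    """Return (offset, TarFile) for the first magic offset that parses as a tar archive."""
    for magic in MAGICS:
        pos = data.find(magic)
        while pos != -1:
            try:
                tf = tarfile.open(fileobj=io.BytesIO(data[pos:]), mode="r:*")
                tf.getmembers()  # read the whole index; raises on a false match
                return pos, tf
            except (tarfile.TarError, OSError, EOFError):
                pos = data.find(magic, pos + 1)
    return None

def audit(data: bytes):
    """List the embedded files without executing or extracting anything."""
    found = find_payload(data)
    if found is None:
        return None
    offset, tf = found
    report = {"offset": offset, "stub": data[:offset].decode("latin-1"), "members": []}
    for m in tf.getmembers():
        flags = []
        if m.name.startswith("/") or ".." in m.name.split("/"):
            flags.append("path-escape")      # would write outside the target directory
        if m.mode & 0o6000:
            flags.append("setuid/setgid")    # runs with the owner's or group's privileges
        report["members"].append((m.name, oct(m.mode), flags))
    return report

def build_sample() -> bytes:
    """Constructed stand-in for an installer: shell stub followed by a bzip2 tar."""
    stub = b"#!/bin/sh\n# constructed stub; a real one unpacks its own tail\nexit 0\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:bz2") as tf:
        for name, mode in (("demo_client", 0o4755), ("demo_uninstall.sh", 0o755)):
            info = tarfile.TarInfo(name)
            info.mode, info.size = mode, 4
            tf.addfile(info, io.BytesIO(b"demo"))
    return stub + buf.getvalue()

if __name__ == "__main__":
    print(audit(build_sample()))
```

To inspect a downloaded installer, pass its bytes to audit() and read the returned stub text and member list before running anything as root.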

flagod commented Jul 26, 2018

Thanks for the reply @nachohc ! is there any open source client that can be used as an alternative to snx?

musemby commented Jan 31, 2019

If anyone is getting SNX: Authentication failed errors you might want to ensure you have installed snx build 800007075. See https://unix.stackexchange.com/questions/450229/getting-checkpoint-vpn-ssl-network-extender-working-in-the-command-line

erzads commented Apr 12, 2019

I know it’s been a long time, but do you have a newer snx version?
I have been using 800007075 but the checkpoint server was updated to use TLS 1.1 and now it doesn’t work.
I tried 800008061 too but no success.

They are advising us to use Windows. Help me =\

pumukovic commented Jun 18, 2019

In the same situation as @erzads. Please, an update to use the snx client with an updated server using TLS 1.1 and upper. Please help.

archenroot commented Aug 1, 2019

Well I am on gentoo system, where C14 support is default, so being on GCC 6/7/8, therefore missing the libstdc++.so.5 library on my system, doesn’t work.

Thx a lot, hopefully its against on later libstdc++ version

icedwater commented Oct 16, 2019

Can anyone verify the md5sum of this script? I got

yelled1 commented Mar 11, 2020

Can anyone verify the md5sum of this script? I got

@icedwater got
md5sum snx_install_800007075.sh
4372e9936e2dfb1d1ebcef3ed4dd7787 snx_install_800007075.sh
but likely because we got it from same source. Did u make it work?
Thanks,

yurayko commented Apr 15, 2020

matteoredaelli commented Apr 27, 2020

It works also for me. thanks!

I used 800007075 until the checkpoint server was updated to use TLS 1.1 . After that, until today, I used the following solution/workaround

javorekm commented Aug 5, 2020

Looks like older versions of SNX are not able to work with TLS 1.1. I am playing now with 800010003 from Checkpoint’s site (link given by @yurayko, thanks), but no success. From «connection aborted» I have shifted to «authentication failed». When looking into the debug log (-g option from command line) I see, that all is ok, but the communication on the end is not wrong, looks like a wrong format:
