getting Checkpoint VPN SSL Network Extender working in command line

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
1
down vote

favorite












The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



I was trying to put snxconnect text utility to work in Debian Buster, doing:



sudo pip install snxvpn


and



export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER


However, it was mostly dying either with an HTTP error of:



HTTP/1.1 301 Moved Permanently:


or:



Got HTTP response: HTTP/1.1 302 Found


or:



Unexpected response, try again.


What to do about it?



PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.







share|improve this question



























    up vote
    1
    down vote

    favorite












    The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



    However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



    I was trying to put snxconnect text utility to work in Debian Buster, doing:



    sudo pip install snxvpn


    and



    export PYTHONHTTPSVERIFY=0
    snxconnect -H checkpoint.hostname -U USER


    However, it was mostly dying either with an HTTP error of:



    HTTP/1.1 301 Moved Permanently:


    or:



    Got HTTP response: HTTP/1.1 302 Found


    or:



    Unexpected response, try again.


    What to do about it?



    PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.







    share|improve this question























      up vote
      1
      down vote

      favorite









      up vote
      1
      down vote

      favorite











      The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



      However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



      I was trying to put snxconnect text utility to work in Debian Buster, doing:



      sudo pip install snxvpn


      and



      export PYTHONHTTPSVERIFY=0
      snxconnect -H checkpoint.hostname -U USER


      However, it was mostly dying either with an HTTP error of:



      HTTP/1.1 301 Moved Permanently:


      or:



      Got HTTP response: HTTP/1.1 302 Found


      or:



      Unexpected response, try again.


      What to do about it?



      PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.







      share|improve this question













      The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



      However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



      I was trying to put snxconnect text utility to work in Debian Buster, doing:



      sudo pip install snxvpn


      and



      export PYTHONHTTPSVERIFY=0
      snxconnect -H checkpoint.hostname -U USER


      However, it was mostly dying either with an HTTP error of:



      HTTP/1.1 301 Moved Permanently:


      or:



      Got HTTP response: HTTP/1.1 302 Found


      or:



      Unexpected response, try again.


      What to do about it?



      PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.









      share|improve this question












      share|improve this question




      share|improve this question








      edited Aug 3 at 14:15
























      asked Jun 16 at 23:33









      Rui F Ribeiro

      33.7k1168113




      33.7k1168113




















          2 Answers
          2






          active

          oldest

          votes

















          up vote
          1
          down vote













          When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



          Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



          Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



          Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





          So the step-by-step instructions are roughly:



          1) Firstly installing the snx setup:



          If in the VPN, to get the installation file, do:



          wget --no-check-certificate 


          https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh



          Otherwise you will have to get it from the web interface as describe in the linked answer.



          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



          2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



          So to install the to setup snxconnect, do as root:



          apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
          pip install pytz
          git clone https://github.com/agnis-mateuss/snxvpn
          git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
          cd snxvpn

          sed -i "s/sslvpn///g" snxconnect.py


          . then do as root, for python3: (recommended)



          apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
          make
          python3 setup.py install --prefix=/usr/local


          . or instead, do as root, for python2:



          apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
          sed -i "s/distutils.core/setuptools/g" setup.py
          make
          python setup.py install --prefix=/usr/local


          3) After installing it, you can run as a non-privileged user:



          /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


          If all went ok, it will ask for the password, and then say:



          SNX connected, to leave VPN open, leave this running!


          If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



          4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



          After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



          $ ip addr show dev tunsnx
          14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
          link/none
          inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
          valid_lft forever preferred_lft forever
          inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
          valid_lft forever preferred_lft forever


          ip route will show you also new routes going through the tunsnx interface.



          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.




          In addition, I also found out:




          • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;

          • PYTHONHTTPSVERIFY=0 only affects the python2 version;

          • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

          • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

          • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

          • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

          • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

          • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

          • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

          • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

          • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

          • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

          • The first time snx is used, a file with the signature of the VPN/Chekcpoint server will be created at /etc/snx/USER.db.





          share|improve this answer






























            up vote
            0
            down vote



            accepted










            Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.



            So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).



            Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



            1) So to install snx build 800007075 I do:



            wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh


            For Debian, you might need:



            sudo dpkg --add-architecture i386
            sudo apt-get update


            I had to install the following:



            sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


            Run then:



            chmod a+rx snx_install.sh
            sudo ./snx_install.sh`


            You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



            sudo ldd /usr/bin/snx


            You can only proceed to the following point when all the dependencies are satisfied.



            You need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



            2) Before using it, you create a ~/.snxrc file with the following contents:



            server IP_address_of_your_VPN
            username YOUR_USER
            reauth yes


            3) For connecting, type snx



            $ snx
            Check Point's Linux SNX
            build 800007075
            Please enter your password:

            SNX - connected.

            Session parameters:
            ===================
            Office Mode IP : 10.x.x.x
            DNS Server : 10.x.x.x
            Secondary DNS Server: 10.x.x.x
            DNS Suffix : xxx.xx, xxx.xx
            Timeout : 24 hours


            If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



            echo 'Password' | snx


            5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



            $snx -d
            SNX - Disconnecting...
            done.





            share|improve this answer























              Your Answer







              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "106"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              convertImagesToLinks: false,
              noModals: false,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );








               

              draft saved


              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f450229%2fgetting-checkpoint-vpn-ssl-network-extender-working-in-command-line%23new-answer', 'question_page');

              );

              Post as a guest






























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes








              up vote
              1
              down vote













              When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



              Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



              Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



              Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





              So the step-by-step instructions are roughly:



              1) Firstly installing the snx setup:



              If in the VPN, to get the installation file, do:



              wget --no-check-certificate 


              https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh



              Otherwise you will have to get it from the web interface as describe in the linked answer.



              For Debian, you might need:



              sudo dpkg --add-architecture i386
              sudo apt-get update


              I had to install the following:



              sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


              Run then:



              chmod a+rx snx_install.sh
              sudo ./snx_install.sh`


              You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



              sudo ldd /usr/bin/snx


              You can only proceed to the following point when all the dependencies are satisfied.



              Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



              2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



              So to install the to setup snxconnect, do as root:



              apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
              pip install pytz
              git clone https://github.com/agnis-mateuss/snxvpn
              git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
              cd snxvpn

              sed -i "s/sslvpn///g" snxconnect.py


              . then do as root, for python3: (recommended)



              apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
              make
              python3 setup.py install --prefix=/usr/local


              . or instead, do as root, for python2:



              apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
              sed -i "s/distutils.core/setuptools/g" setup.py
              make
              python setup.py install --prefix=/usr/local


              3) After installing it, you can run as a non-privileged user:



              /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


              If all went ok, it will ask for the password, and then say:



              SNX connected, to leave VPN open, leave this running!


              If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



              4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



              After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



              $ ip addr show dev tunsnx
              14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
              link/none
              inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
              valid_lft forever preferred_lft forever
              inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
              valid_lft forever preferred_lft forever


              ip route will show you also new routes going through the tunsnx interface.



              5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



              $snx -d
              SNX - Disconnecting...
              done.




              In addition, I also found out:




              • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;

              • PYTHONHTTPSVERIFY=0 only affects the python2 version;

              • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

              • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

              • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

              • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

              • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

              • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

              • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

              • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

              • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

              • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

              • The first time snx is used, a file with the signature of the VPN/Chekcpoint server will be created at /etc/snx/USER.db.





              share|improve this answer



























                up vote
                1
                down vote













                When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



                Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



                Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



                Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





                So the step-by-step instructions are roughly:



                1) Firstly installing the snx setup:



                If in the VPN, to get the installation file, do:



                wget --no-check-certificate 


                https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh



                Otherwise you will have to get it from the web interface as describe in the linked answer.



                For Debian, you might need:



                sudo dpkg --add-architecture i386
                sudo apt-get update


                I had to install the following:



                sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                Run then:



                chmod a+rx snx_install.sh
                sudo ./snx_install.sh`


                You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                sudo ldd /usr/bin/snx


                You can only proceed to the following point when all the dependencies are satisfied.



                Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



                2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



                So to install the to setup snxconnect, do as root:



                apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
                pip install pytz
                git clone https://github.com/agnis-mateuss/snxvpn
                git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
                cd snxvpn

                sed -i "s/sslvpn///g" snxconnect.py


                . then do as root, for python3: (recommended)



                apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
                make
                python3 setup.py install --prefix=/usr/local


                . or instead, do as root, for python2:



                apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
                sed -i "s/distutils.core/setuptools/g" setup.py
                make
                python setup.py install --prefix=/usr/local


                3) After installing it, you can run as a non-privileged user:



                /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


                If all went ok, it will ask for the password, and then say:



                SNX connected, to leave VPN open, leave this running!


                If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



                4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



                After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



                $ ip addr show dev tunsnx
                14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
                link/none
                inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
                valid_lft forever preferred_lft forever
                inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
                valid_lft forever preferred_lft forever


                ip route will show you also new routes going through the tunsnx interface.



                5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                $snx -d
                SNX - Disconnecting...
                done.




                In addition, I also found out:




                • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;

                • PYTHONHTTPSVERIFY=0 only affects the python2 version;

                • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

                • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

                • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

                • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

                • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

                • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

                • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

                • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

                • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

                • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

                • The first time snx is used, a file with the signature of the VPN/Chekcpoint server will be created at /etc/snx/USER.db.





                share|improve this answer

























                  up vote
                  1
                  down vote










                  up vote
                  1
                  down vote









                  When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



                  Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



                  Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



                  Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





                  So the step-by-step instructions are roughly:



                  1) Firstly installing the snx setup:



                  If in the VPN, to get the installation file, do:



                  wget --no-check-certificate 


                  https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh



                  Otherwise you will have to get it from the web interface as describe in the linked answer.



                  For Debian, you might need:



                  sudo dpkg --add-architecture i386
                  sudo apt-get update


                  I had to install the following:



                  sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                  Run then:



                  chmod a+rx snx_install.sh
                  sudo ./snx_install.sh`


                  You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                  sudo ldd /usr/bin/snx


                  You can only proceed to the following point when all the dependencies are satisfied.



                  Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



                  2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



                  So to install the to setup snxconnect, do as root:



                  apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
                  pip install pytz
                  git clone https://github.com/agnis-mateuss/snxvpn
                  git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
                  cd snxvpn

                  sed -i "s/sslvpn///g" snxconnect.py


                  . then do as root, for python3: (recommended)



                  apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
                  make
                  python3 setup.py install --prefix=/usr/local


                  . or instead, do as root, for python2:



                  apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
                  sed -i "s/distutils.core/setuptools/g" setup.py
                  make
                  python setup.py install --prefix=/usr/local


                  3) After installing it, you can run as a non-privileged user:



                  /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


                  If all went ok, it will ask for the password, and then say:



                  SNX connected, to leave VPN open, leave this running!


                  If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



                  4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



                  After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



                  $ ip addr show dev tunsnx
                  14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
                  link/none
                  inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
                  valid_lft forever preferred_lft forever
                  inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
                  valid_lft forever preferred_lft forever


                  ip route will show you also new routes going through the tunsnx interface.



                  5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                  $snx -d
                  SNX - Disconnecting...
                  done.




                  In addition, I also found out:




                  • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;

                  • PYTHONHTTPSVERIFY=0 only affects the python2 version;

                  • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

                  • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

                  • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

                  • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

                  • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

                  • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

                  • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

                  • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

                  • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

                  • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

                  • The first time snx is used, a file with the signature of the VPN/Chekcpoint server will be created at /etc/snx/USER.db.





                  share|improve this answer















                  When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



                  Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



                  Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



                  Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





                  So the step-by-step instructions are roughly:



                  1) Firstly installing the snx setup:



                  If in the VPN, to get the installation file, do:



                  wget --no-check-certificate 


                  https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh



                  Otherwise you will have to get it from the web interface as describe in the linked answer.



                  For Debian, you might need:



                  sudo dpkg --add-architecture i386
                  sudo apt-get update


                  I had to install the following:



                  sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                  Run then:



                  chmod a+rx snx_install.sh
                  sudo ./snx_install.sh`


                  You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                  sudo ldd /usr/bin/snx


                  You can only proceed to the following point when all the dependencies are satisfied.



                  Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



                  2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



                  So to install the to setup snxconnect, do as root:



                  apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
                  pip install pytz
                  git clone https://github.com/agnis-mateuss/snxvpn
                  git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
                  cd snxvpn

                  sed -i "s/sslvpn///g" snxconnect.py


                  . then do as root, for python3: (recommended)



                  apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
                  make
                  python3 setup.py install --prefix=/usr/local


                  . or instead, do as root, for python2:



                  apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
                  sed -i "s/distutils.core/setuptools/g" setup.py
                  make
                  python setup.py install --prefix=/usr/local


                  3) After installing it, you can run as a non-privileged user:



                  /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


                  If all went ok, it will ask for the password, and then say:



                  SNX connected, to leave VPN open, leave this running!


                  If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



                  4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



                  After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



                  $ ip addr show dev tunsnx
                  14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
                  link/none
                  inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
                  valid_lft forever preferred_lft forever
                  inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
                  valid_lft forever preferred_lft forever


                  ip route will show you also new routes going through the tunsnx interface.



                  5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                  $snx -d
                  SNX - Disconnecting...
                  done.




                  In addition, I also found out:




                  • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;

                  • PYTHONHTTPSVERIFY=0 only affects the python2 version;

                  • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

                  • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

                  • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

                  • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

                  • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

                  • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

                  • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

                  • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

                  • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

                  • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

                  • The first time snx is used, a file with the signature of the VPN/Chekcpoint server will be created at /etc/snx/USER.db.






                  share|improve this answer















                  share|improve this answer



                  share|improve this answer








                  edited Jul 5 at 19:55


























                  answered Jun 16 at 23:33









                  Rui F Ribeiro

                  33.7k1168113




                  33.7k1168113






















                      up vote
                      0
                      down vote



                      accepted










                      Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.



                      So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).



                      Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



                      1) So to install snx build 800007075 I do:



                      wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh


                      For Debian, you might need:



                      sudo dpkg --add-architecture i386
                      sudo apt-get update


                      I had to install the following:



                      sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                      Run then:



                      chmod a+rx snx_install.sh
                      sudo ./snx_install.sh`


                      You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                      sudo ldd /usr/bin/snx


                      You can only proceed to the following point when all the dependencies are satisfied.



                      You need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



                      2) Before using it, you create a ~/.snxrc file with the following contents:



                      server IP_address_of_your_VPN
                      username YOUR_USER
                      reauth yes


                      3) For connecting, type snx



                      $ snx
                      Check Point's Linux SNX
                      build 800007075
                      Please enter your password:

                      SNX - connected.

                      Session parameters:
                      ===================
                      Office Mode IP : 10.x.x.x
                      DNS Server : 10.x.x.x
                      Secondary DNS Server: 10.x.x.x
                      DNS Suffix : xxx.xx, xxx.xx
                      Timeout : 24 hours


                      If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



                      echo 'Password' | snx


                      5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                      $snx -d
                      SNX - Disconnecting...
                      done.





                      share|improve this answer



























                        up vote
                        0
                        down vote



                        accepted










                        Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.



                        So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).



                        Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



                        1) So to install snx build 800007075 I do:



                        wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh


                        For Debian, you might need:



                        sudo dpkg --add-architecture i386
                        sudo apt-get update


                        I had to install the following:



                        sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                        Run then:



                        chmod a+rx snx_install.sh
                        sudo ./snx_install.sh`


                        You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                        sudo ldd /usr/bin/snx


                        You can only proceed to the following point when all the dependencies are satisfied.



                        You need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



                        2) Before using it, you create a ~/.snxrc file with the following contents:



                        server IP_address_of_your_VPN
                        username YOUR_USER
                        reauth yes


                        3) For connecting, type snx



                        $ snx
                        Check Point's Linux SNX
                        build 800007075
                        Please enter your password:

                        SNX - connected.

                        Session parameters:
                        ===================
                        Office Mode IP : 10.x.x.x
                        DNS Server : 10.x.x.x
                        Secondary DNS Server: 10.x.x.x
                        DNS Suffix : xxx.xx, xxx.xx
                        Timeout : 24 hours


                        If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



                        echo 'Password' | snx


                        5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                        $snx -d
                        SNX - Disconnecting...
                        done.





                        share|improve this answer

























                          up vote
                          0
                          down vote



                          accepted







                          up vote
                          0
                          down vote



                          accepted






                          Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.



                          So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).



                          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



                          1) So to install snx build 800007075 I do:



                          wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh


                          For Debian, you might need:



                          sudo dpkg --add-architecture i386
                          sudo apt-get update


                          I had to install the following:



                          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                          Run then:



                          chmod a+rx snx_install.sh
                          sudo ./snx_install.sh`


                          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                          sudo ldd /usr/bin/snx


                          You can only proceed to the following point when all the dependencies are satisfied.



                          You need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



                          2) Before using it, you create a ~/.snxrc file with the following contents:



                          server IP_address_of_your_VPN
                          username YOUR_USER
                          reauth yes


                          3) For connecting, type snx



                          $ snx
                          Check Point's Linux SNX
                          build 800007075
                          Please enter your password:

                          SNX - connected.

                          Session parameters:
                          ===================
                          Office Mode IP : 10.x.x.x
                          DNS Server : 10.x.x.x
                          Secondary DNS Server: 10.x.x.x
                          DNS Suffix : xxx.xx, xxx.xx
                          Timeout : 24 hours


                          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



                          echo 'Password' | snx


                          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                          $snx -d
                          SNX - Disconnecting...
                          done.





                          share|improve this answer















                          Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.



                          So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).



                          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



                          1) So to install snx build 800007075 I do:



                          wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh


                          For Debian, you might need:



                          sudo dpkg --add-architecture i386
                          sudo apt-get update


                          I had to install the following:



                          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


                          Run then:



                          chmod a+rx snx_install.sh
                          sudo ./snx_install.sh`


                          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



                          sudo ldd /usr/bin/snx


                          You can only proceed to the following point when all the dependencies are satisfied.



                          You need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



                          2) Before using it, you create a ~/.snxrc file with the following contents:



                          server IP_address_of_your_VPN
                          username YOUR_USER
                          reauth yes


                          3) For connecting, type snx



                          $ snx
                          Check Point's Linux SNX
                          build 800007075
                          Please enter your password:

                          SNX - connected.

                          Session parameters:
                          ===================
                          Office Mode IP : 10.x.x.x
                          DNS Server : 10.x.x.x
                          Secondary DNS Server: 10.x.x.x
                          DNS Suffix : xxx.xx, xxx.xx
                          Timeout : 24 hours


                          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



                          echo 'Password' | snx


                          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



                          $snx -d
                          SNX - Disconnecting...
                          done.






                          share|improve this answer















                          share|improve this answer



                          share|improve this answer








                          edited Jul 29 at 19:41


























                          answered Jul 5 at 20:01









                          Rui F Ribeiro

                          33.7k1168113




                          33.7k1168113






















                               

                              draft saved


                              draft discarded


























                               


                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f450229%2fgetting-checkpoint-vpn-ssl-network-extender-working-in-command-line%23new-answer', 'question_page');

                              );

                              Post as a guest













































































                              Popular posts from this blog

                              How to check contact read email or not when send email to Individual?

                              Displaying single band from multi-band raster using QGIS

                              How many registers does an x86_64 CPU actually have?