getting Checkpoint VPN SSL Network Extender working in command line
Clash Royale CLAN TAG#URR8PPP
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;
up vote
1
down vote
favorite
The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.
However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx
command line utility, called snxconnect
.
I was trying to put snxconnect
text utility to work in Debian Buster, doing:
sudo pip install snxvpn
and
export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER
However, it was mostly dying either with an HTTP error of:
HTTP/1.1 301 Moved Permanently:
or:
Got HTTP response: HTTP/1.1 302 Found
or:
Unexpected response, try again.
What to do about it?
PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.
debian vpn checkpoint
add a comment |Â
up vote
1
down vote
favorite
The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.
However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx
command line utility, called snxconnect
.
I was trying to put snxconnect
text utility to work in Debian Buster, doing:
sudo pip install snxvpn
and
export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER
However, it was mostly dying either with an HTTP error of:
HTTP/1.1 301 Moved Permanently:
or:
Got HTTP response: HTTP/1.1 302 Found
or:
Unexpected response, try again.
What to do about it?
PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.
debian vpn checkpoint
add a comment |Â
up vote
1
down vote
favorite
up vote
1
down vote
favorite
The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.
However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx
command line utility, called snxconnect
.
I was trying to put snxconnect
text utility to work in Debian Buster, doing:
sudo pip install snxvpn
and
export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER
However, it was mostly dying either with an HTTP error of:
HTTP/1.1 301 Moved Permanently:
or:
Got HTTP response: HTTP/1.1 302 Found
or:
Unexpected response, try again.
What to do about it?
PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.
debian vpn checkpoint
The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.
However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx
command line utility, called snxconnect
.
I was trying to put snxconnect
text utility to work in Debian Buster, doing:
sudo pip install snxvpn
and
export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER
However, it was mostly dying either with an HTTP error of:
HTTP/1.1 301 Moved Permanently:
or:
Got HTTP response: HTTP/1.1 302 Found
or:
Unexpected response, try again.
What to do about it?
PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.
debian vpn checkpoint
edited Aug 3 at 14:15
asked Jun 16 at 23:33
Rui F Ribeiro
33.7k1168113
33.7k1168113
add a comment |Â
add a comment |Â
2 Answers
2
active
oldest
votes
up vote
1
down vote
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of snx
from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx
client, and this post is about setting it up to work.
Firstly, the snxvp
installed from python pip
does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.
Furthermore, all the URLs on snxconnect.py
have to be changed from sslvpn/
to ``.
So the step-by-step instructions are roughly:
1) Firstly installing the snx
setup:
If in the VPN, to get the installation file, do:
wget --no-check-certificate
https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
Otherwise you will have to get it from the web interface as describe in the linked answer.
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
Not sure if you need to run first snx -s CheckpointURLFQDN -u USER
before using snxconnect
, for the signature VPN be saved at /etc/snx/USER.db
.
2) Now we have the snxconnect
python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.
So to install the to setup snxconnect
, do as root:
apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
pip install pytz
git clone https://github.com/agnis-mateuss/snxvpn
git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
cd snxvpn
sed -i "s/sslvpn///g" snxconnect.py
. then do as root, for python3: (recommended)
apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
make
python3 setup.py install --prefix=/usr/local
. or instead, do as root, for python2:
apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
sed -i "s/distutils.core/setuptools/g" setup.py
make
python setup.py install --prefix=/usr/local
3) After installing it, you can run as a non-privileged user:
/usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies
If all went ok, it will ask for the password, and then say:
SNX connected, to leave VPN open, leave this running!
If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect
command again.
4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.
After the VPN being established, you can check with ip address
or ifconfig
you have now a tunsnx
interface:
$ ip addr show dev tunsnx
14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
valid_lft forever preferred_lft forever
inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
ip route
will show you also new routes going through the tunsnx
interface.
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
In addition, I also found out:
snxconnect
seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;- PYTHONHTTPSVERIFY=0 only affects the python2 version;
- if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;
- if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;
- for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);
- as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";
- 7776/TCP in localhost has to be free, for
snx
to own it, assnxconnect
talks withsnx
using it; - the hostname passed to
snxconnect
/snx
is handled as a virtual host, and as such you cannot use directly the IP address; - instaling a 32-bit architecture seems to be a requirement to run the
snx_install.sh
script; - you might choose to run as
python2
as a trade-off for less space, however as python2 is being phased out,snxconnect
in a near future might not support it; - from using the web client interface, it is clear I need to patch/delete all
/sslvpn
strings , as my URLs do not start with/sslvpn
. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback; - in
snxconnect
the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you wonôt succeed on establishing the VPN; - The first time
snx
is used, a file with the signature of the VPN/Chekcpoint server will be created at/etc/snx/USER.db
.
add a comment |Â
up vote
0
down vote
accepted
Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.
So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).
Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
1) So to install snx
build 800007075 I do:
wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
You need to run manually first snx -s CheckpointURLFQDN -u USER
before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db
.
2) Before using it, you create a ~/.snxrc
file with the following contents:
server IP_address_of_your_VPN
username YOUR_USER
reauth yes
3) For connecting, type snx
$ snx
Check Point's Linux SNX
build 800007075
Please enter your password:
SNX - connected.
Session parameters:
===================
Office Mode IP : 10.x.x.x
DNS Server : 10.x.x.x
Secondary DNS Server: 10.x.x.x
DNS Suffix : xxx.xx, xxx.xx
Timeout : 24 hours
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
echo 'Password' | snx
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
add a comment |Â
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
1
down vote
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of snx
from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx
client, and this post is about setting it up to work.
Firstly, the snxvp
installed from python pip
does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.
Furthermore, all the URLs on snxconnect.py
have to be changed from sslvpn/
to ``.
So the step-by-step instructions are roughly:
1) Firstly installing the snx
setup:
If in the VPN, to get the installation file, do:
wget --no-check-certificate
https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
Otherwise you will have to get it from the web interface as describe in the linked answer.
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
Not sure if you need to run first snx -s CheckpointURLFQDN -u USER
before using snxconnect
, for the signature VPN be saved at /etc/snx/USER.db
.
2) Now we have the snxconnect
python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.
So to install the to setup snxconnect
, do as root:
apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
pip install pytz
git clone https://github.com/agnis-mateuss/snxvpn
git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
cd snxvpn
sed -i "s/sslvpn///g" snxconnect.py
. then do as root, for python3: (recommended)
apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
make
python3 setup.py install --prefix=/usr/local
. or instead, do as root, for python2:
apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
sed -i "s/distutils.core/setuptools/g" setup.py
make
python setup.py install --prefix=/usr/local
3) After installing it, you can run as a non-privileged user:
/usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies
If all went ok, it will ask for the password, and then say:
SNX connected, to leave VPN open, leave this running!
If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect
command again.
4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.
After the VPN being established, you can check with ip address
or ifconfig
you have now a tunsnx
interface:
$ ip addr show dev tunsnx
14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
valid_lft forever preferred_lft forever
inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
ip route
will show you also new routes going through the tunsnx
interface.
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
In addition, I also found out:
snxconnect
seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;- PYTHONHTTPSVERIFY=0 only affects the python2 version;
- if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;
- if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;
- for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);
- as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";
- 7776/TCP in localhost has to be free, for
snx
to own it, assnxconnect
talks withsnx
using it; - the hostname passed to
snxconnect
/snx
is handled as a virtual host, and as such you cannot use directly the IP address; - instaling a 32-bit architecture seems to be a requirement to run the
snx_install.sh
script; - you might choose to run as
python2
as a trade-off for less space, however as python2 is being phased out,snxconnect
in a near future might not support it; - from using the web client interface, it is clear I need to patch/delete all
/sslvpn
strings , as my URLs do not start with/sslvpn
. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback; - in
snxconnect
the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you wonôt succeed on establishing the VPN; - The first time
snx
is used, a file with the signature of the VPN/Chekcpoint server will be created at/etc/snx/USER.db
.
add a comment |Â
up vote
1
down vote
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of snx
from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx
client, and this post is about setting it up to work.
Firstly, the snxvp
installed from python pip
does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.
Furthermore, all the URLs on snxconnect.py
have to be changed from sslvpn/
to ``.
So the step-by-step instructions are roughly:
1) Firstly installing the snx
setup:
If in the VPN, to get the installation file, do:
wget --no-check-certificate
https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
Otherwise you will have to get it from the web interface as describe in the linked answer.
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
Not sure if you need to run first snx -s CheckpointURLFQDN -u USER
before using snxconnect
, for the signature VPN be saved at /etc/snx/USER.db
.
2) Now we have the snxconnect
python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.
So to install the to setup snxconnect
, do as root:
apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
pip install pytz
git clone https://github.com/agnis-mateuss/snxvpn
git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
cd snxvpn
sed -i "s/sslvpn///g" snxconnect.py
. then do as root, for python3: (recommended)
apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
make
python3 setup.py install --prefix=/usr/local
. or instead, do as root, for python2:
apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
sed -i "s/distutils.core/setuptools/g" setup.py
make
python setup.py install --prefix=/usr/local
3) After installing it, you can run as a non-privileged user:
/usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies
If all went ok, it will ask for the password, and then say:
SNX connected, to leave VPN open, leave this running!
If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect
command again.
4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.
After the VPN being established, you can check with ip address
or ifconfig
you have now a tunsnx
interface:
$ ip addr show dev tunsnx
14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
valid_lft forever preferred_lft forever
inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
ip route
will show you also new routes going through the tunsnx
interface.
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
In addition, I also found out:
snxconnect
seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;- PYTHONHTTPSVERIFY=0 only affects the python2 version;
- if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;
- if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;
- for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);
- as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";
- 7776/TCP in localhost has to be free, for
snx
to own it, assnxconnect
talks withsnx
using it; - the hostname passed to
snxconnect
/snx
is handled as a virtual host, and as such you cannot use directly the IP address; - instaling a 32-bit architecture seems to be a requirement to run the
snx_install.sh
script; - you might choose to run as
python2
as a trade-off for less space, however as python2 is being phased out,snxconnect
in a near future might not support it; - from using the web client interface, it is clear I need to patch/delete all
/sslvpn
strings , as my URLs do not start with/sslvpn
. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback; - in
snxconnect
the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you wonôt succeed on establishing the VPN; - The first time
snx
is used, a file with the signature of the VPN/Chekcpoint server will be created at/etc/snx/USER.db
.
add a comment |Â
up vote
1
down vote
up vote
1
down vote
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of snx
from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx
client, and this post is about setting it up to work.
Firstly, the snxvp
installed from python pip
does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.
Furthermore, all the URLs on snxconnect.py
have to be changed from sslvpn/
to ``.
So the step-by-step instructions are roughly:
1) Firstly installing the snx
setup:
If in the VPN, to get the installation file, do:
wget --no-check-certificate
https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
Otherwise you will have to get it from the web interface as describe in the linked answer.
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
Not sure if you need to run first snx -s CheckpointURLFQDN -u USER
before using snxconnect
, for the signature VPN be saved at /etc/snx/USER.db
.
2) Now we have the snxconnect
python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.
So to install the to setup snxconnect
, do as root:
apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
pip install pytz
git clone https://github.com/agnis-mateuss/snxvpn
git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
cd snxvpn
sed -i "s/sslvpn///g" snxconnect.py
. then do as root, for python3: (recommended)
apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
make
python3 setup.py install --prefix=/usr/local
. or instead, do as root, for python2:
apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
sed -i "s/distutils.core/setuptools/g" setup.py
make
python setup.py install --prefix=/usr/local
3) After installing it, you can run as a non-privileged user:
/usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies
If all went ok, it will ask for the password, and then say:
SNX connected, to leave VPN open, leave this running!
If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect
command again.
4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.
After the VPN being established, you can check with ip address
or ifconfig
you have now a tunsnx
interface:
$ ip addr show dev tunsnx
14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
valid_lft forever preferred_lft forever
inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
ip route
will show you also new routes going through the tunsnx
interface.
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
In addition, I also found out:
snxconnect
seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;- PYTHONHTTPSVERIFY=0 only affects the python2 version;
- if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;
- if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;
- for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);
- as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";
- 7776/TCP in localhost has to be free, for
snx
to own it, assnxconnect
talks withsnx
using it; - the hostname passed to
snxconnect
/snx
is handled as a virtual host, and as such you cannot use directly the IP address; - instaling a 32-bit architecture seems to be a requirement to run the
snx_install.sh
script; - you might choose to run as
python2
as a trade-off for less space, however as python2 is being phased out,snxconnect
in a near future might not support it; - from using the web client interface, it is clear I need to patch/delete all
/sslvpn
strings , as my URLs do not start with/sslvpn
. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback; - in
snxconnect
the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you wonôt succeed on establishing the VPN; - The first time
snx
is used, a file with the signature of the VPN/Chekcpoint server will be created at/etc/snx/USER.db
.
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of snx
from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx
client, and this post is about setting it up to work.
Firstly, the snxvp
installed from python pip
does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.
Furthermore, all the URLs on snxconnect.py
have to be changed from sslvpn/
to ``.
So the step-by-step instructions are roughly:
1) Firstly installing the snx
setup:
If in the VPN, to get the installation file, do:
wget --no-check-certificate
https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
Otherwise you will have to get it from the web interface as describe in the linked answer.
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
Not sure if you need to run first snx -s CheckpointURLFQDN -u USER
before using snxconnect
, for the signature VPN be saved at /etc/snx/USER.db
.
2) Now we have the snxconnect
python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.
So to install the to setup snxconnect
, do as root:
apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
pip install pytz
git clone https://github.com/agnis-mateuss/snxvpn
git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
cd snxvpn
sed -i "s/sslvpn///g" snxconnect.py
. then do as root, for python3: (recommended)
apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
make
python3 setup.py install --prefix=/usr/local
. or instead, do as root, for python2:
apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
sed -i "s/distutils.core/setuptools/g" setup.py
make
python setup.py install --prefix=/usr/local
3) After installing it, you can run as a non-privileged user:
/usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies
If all went ok, it will ask for the password, and then say:
SNX connected, to leave VPN open, leave this running!
If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect
command again.
4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.
After the VPN being established, you can check with ip address
or ifconfig
you have now a tunsnx
interface:
$ ip addr show dev tunsnx
14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
link/none
inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
valid_lft forever preferred_lft forever
inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
valid_lft forever preferred_lft forever
ip route
will show you also new routes going through the tunsnx
interface.
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
In addition, I also found out:
snxconnect
seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem;- PYTHONHTTPSVERIFY=0 only affects the python2 version;
- if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;
- if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;
- for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);
- as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";
- 7776/TCP in localhost has to be free, for
snx
to own it, assnxconnect
talks withsnx
using it; - the hostname passed to
snxconnect
/snx
is handled as a virtual host, and as such you cannot use directly the IP address; - instaling a 32-bit architecture seems to be a requirement to run the
snx_install.sh
script; - you might choose to run as
python2
as a trade-off for less space, however as python2 is being phased out,snxconnect
in a near future might not support it; - from using the web client interface, it is clear I need to patch/delete all
/sslvpn
strings , as my URLs do not start with/sslvpn
. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback; - in
snxconnect
the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you wonôt succeed on establishing the VPN; - The first time
snx
is used, a file with the signature of the VPN/Chekcpoint server will be created at/etc/snx/USER.db
.
edited Jul 5 at 19:55
answered Jun 16 at 23:33
Rui F Ribeiro
33.7k1168113
33.7k1168113
add a comment |Â
add a comment |Â
up vote
0
down vote
accepted
Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.
So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).
Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
1) So to install snx
build 800007075 I do:
wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
You need to run manually first snx -s CheckpointURLFQDN -u USER
before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db
.
2) Before using it, you create a ~/.snxrc
file with the following contents:
server IP_address_of_your_VPN
username YOUR_USER
reauth yes
3) For connecting, type snx
$ snx
Check Point's Linux SNX
build 800007075
Please enter your password:
SNX - connected.
Session parameters:
===================
Office Mode IP : 10.x.x.x
DNS Server : 10.x.x.x
Secondary DNS Server: 10.x.x.x
DNS Suffix : xxx.xx, xxx.xx
Timeout : 24 hours
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
echo 'Password' | snx
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
add a comment |Â
up vote
0
down vote
accepted
Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.
So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).
Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
1) So to install snx
build 800007075 I do:
wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
You need to run manually first snx -s CheckpointURLFQDN -u USER
before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db
.
2) Before using it, you create a ~/.snxrc
file with the following contents:
server IP_address_of_your_VPN
username YOUR_USER
reauth yes
3) For connecting, type snx
$ snx
Check Point's Linux SNX
build 800007075
Please enter your password:
SNX - connected.
Session parameters:
===================
Office Mode IP : 10.x.x.x
DNS Server : 10.x.x.x
Secondary DNS Server: 10.x.x.x
DNS Suffix : xxx.xx, xxx.xx
Timeout : 24 hours
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
echo 'Password' | snx
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
add a comment |Â
up vote
0
down vote
accepted
up vote
0
down vote
accepted
Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.
So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).
Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
1) So to install snx
build 800007075 I do:
wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
You need to run manually first snx -s CheckpointURLFQDN -u USER
before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db
.
2) Before using it, you create a ~/.snxrc
file with the following contents:
server IP_address_of_your_VPN
username YOUR_USER
reauth yes
3) For connecting, type snx
$ snx
Check Point's Linux SNX
build 800007075
Please enter your password:
SNX - connected.
Session parameters:
===================
Office Mode IP : 10.x.x.x
DNS Server : 10.x.x.x
Secondary DNS Server: 10.x.x.x
DNS Suffix : xxx.xx, xxx.xx
Timeout : 24 hours
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
echo 'Password' | snx
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
Ultimately, I just found out SNX build 800007075 used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel 4.
So ultimately, the previous answer holds true if you cannot get hold of SNX build 800007075, or if that specific version of SNX stops working with the current Linux versions (it will happen in the near future).
Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
1) So to install snx
build 800007075 I do:
wget https://www.fc.up.pt/ci/servicos/acesso/vpn/software/CheckPointVPN_SNX_Linux_800007075.sh -O snx_install.sh
For Debian, you might need:
sudo dpkg --add-architecture i386
sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then:
chmod a+rx snx_install.sh
sudo ./snx_install.sh`
You will have know a /usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:
sudo ldd /usr/bin/snx
You can only proceed to the following point when all the dependencies are satisfied.
You need to run manually first snx -s CheckpointURLFQDN -u USER
before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db
.
2) Before using it, you create a ~/.snxrc
file with the following contents:
server IP_address_of_your_VPN
username YOUR_USER
reauth yes
3) For connecting, type snx
$ snx
Check Point's Linux SNX
build 800007075
Please enter your password:
SNX - connected.
Session parameters:
===================
Office Mode IP : 10.x.x.x
DNS Server : 10.x.x.x
Secondary DNS Server: 10.x.x.x
DNS Suffix : xxx.xx, xxx.xx
Timeout : 24 hours
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
echo 'Password' | snx
5) For closing/disconnecting the VPN, while you may stop/kill snxconnect
, the better and official way is issuing the command:
$snx -d
SNX - Disconnecting...
done.
edited Jul 29 at 19:41
answered Jul 5 at 20:01
Rui F Ribeiro
33.7k1168113
33.7k1168113
add a comment |Â
add a comment |Â
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f450229%2fgetting-checkpoint-vpn-ssl-network-extender-working-in-command-line%23new-answer', 'question_page');
);
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password