2018-06-16 23:33:06 8 Comments
The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.
However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx
command line utility, called snxconnect
.
I was trying to put snxconnect
text utility to work in Debian Buster, doing:
sudo pip install snxvpn
and
export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER
However, it was mostly dying either with an HTTP error of:
HTTP/1.1 301 Moved Permanently:
or:
Got HTTP response: HTTP/1.1 302 Found
or:
Unexpected response, try again.
What to do about it?
PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.
Related Questions
Sponsored Content
2 Answered Questions
[SOLVED] VPN SSL Network Extender in Firefox
- 2018-06-16 09:21:32
- Rui F Ribeiro
- 7009 View
- 4 Score
- 2 Answer
- Tags: debian vpn checkpoint
3 Answered Questions
[SOLVED] Using Checkpoint VPN SSL Network Extender CLI with certificate
- 2018-12-04 01:41:46
- Ashwin Balamohan
- 914 View
- 1 Score
- 3 Answer
- Tags: debian vpn ssl checkpoint
3 Answered Questions
[SOLVED] Import VPN config files to NetworkManager from command line
- 2014-07-01 12:50:37
- petRUShka
- 18674 View
- 14 Score
- 3 Answer
- Tags: command-line vpn networkmanager openvpn nmcli
1 Answered Questions
Can't connect to vpn with Network-manager
- 2018-01-28 22:18:02
- axua
- 4820 View
- 2 Score
- 1 Answer
- Tags: kali-linux openvpn networkmanager vpn
1 Answered Questions
[SOLVED] Trouble connecting to VPN using network-manager, while command line works
- 2016-12-04 17:11:49
- Clément
- 7096 View
- 2 Score
- 1 Answer
- Tags: network-interface openvpn networkmanager vpn
2 comments
@Rui F Ribeiro 2018-07-05 20:01:04
SNX build 800007075 from 2012, used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x.
So ultimately, the my other answer in this thread holds true if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.
Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
1) So to install
snx
build 800007075 I do:For Debian and Debian-based systems like Ubuntu and Linux Mint, you might need:
I had to install the following:
Run then:
You will have know a
/usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:You can only proceed to the following point when all the dependencies are satisfied.
You might need to run manually first
snx -s CheckpointURLFQDN -u USER
before scripting any automatic use, for the signature VPN be saved at/etc/snx/USER.db
.2) Before using it, you create a
~/.snxrc
file with the following contents:3) For connecting, type
snx
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
4) For closing/disconnecting the VPN, while you may stop/kill
snx
, the better and official way is issuing the command:see also Linux Checkpoint SNX tool configuration issues for some clarifications about which
snx
version to use.5) If automating the login and accepting a new signature (and understanding the security implications), I wrote an
expect
script, which I calledsnx_login.exp
:PS. Beware
snx
does not support OTP alone, you will have to use thesnxconnect
script present on the other answer if using it.PPS @gibies called to my attention that using an etoken, the password field gets the password from the etoken and not a fixed password.
@Met 2018-11-10 16:19:51
This works in arch linux using snx from aur repository.
@Rui F Ribeiro 2018-11-10 17:57:13
@Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.
@Ashwin Balamohan 2018-12-03 16:48:55
I'm trying to connect using a certificate rather than a username, and receive this error:
SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect.
Any thoughts?@Rui F Ribeiro 2018-12-03 17:03:12
@AshwinBalamohan I would advise opening a new question describing in more detail your situation. I would also advise not flagging the same people with the same question(s) twice.
@Ashwin Balamohan 2018-12-04 01:42:39
Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.
@gibies 2018-12-26 11:51:32
Very good detailed description. It works fine on my Ubuntu laptop.
@linuxatico 2019-03-22 10:51:43
Unfortunately the link to the download is dead and I still can't find an alternate way to download it
@Rui F Ribeiro 2019-03-22 11:45:52
@linuxatico Unfortunately, dead indeed. On holidays, won't be able to edit this answer for a couple of weeks. If you follow the link about configuration issues, I describe how to get it from the AUR repositories, and if not mistaken I have the alternate link AUR uses to get it too.
@Rui F Ribeiro 2019-04-02 14:29:59
@linuxatico Answer edited to replace the old download link with a working one. How did it go?
@Amil Waduwawara 2019-06-24 04:17:43
Worked for me on Ubuntu 18.04 (64-bit). I didn't execute
snx -s CheckpointURLFQDN -u USER
and executed up only to step 3.@Rui F Ribeiro 2019-06-24 09:51:33
@AmilWaduwawara "step 4" is how to disconnect, and step 5 is mainly useful for people with checkpoint clusters that present different signatures and/when the cluster is acting up. Would you please confirm whether you have IPv6 active or disabled?
@3nomis 2019-07-29 10:02:46
Does it work with Multi factor auth?
@Rui F Ribeiro 2019-07-29 14:27:00
@3nomis It seems this client works with tokens. Never tried it though, but might try it in a couple of months.
@leoschet 2019-09-13 06:54:36
Whenever I try
snx -s <server_ip> -u <username>
or justsnx
after creating the file~/.snxrc
I get the errorSNX: Connection aborted.
any of you guys had something similar? I would try the firefox solution, but the server i'm using has no GUI@Rui F Ribeiro 2019-09-13 13:16:57
@leoschet Are you able to open a new question with the context and more debugging data and then ping me here?
@leoschet 2019-09-16 21:01:58
@RuiFRibeiro here is my question, appreciate any inputs, thanks
@Rui F Ribeiro 2018-06-16 23:33:06
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of
snx
from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of thesnx
client, and this post is about setting it up to work.Firstly, the
snxvp
installed frompython pip
does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.Furthermore, all the URLs on
snxconnect.py
have to be changed fromsslvpn/
to ``.So the step-by-step instructions are roughly:
1) Firstly installing the
snx
setup:If in the VPN, to get the installation file, do:
Otherwise you will have to get it from the web interface as describe in the linked answer.
For Debian, you might need:
I had to install the following:
Run then:
You will have know a
/usr/bin/snx
32-bit client binary executable. Check if any dynamic libraries are missing with:You can only proceed to the following point when all the dependencies are satisfied.
Not sure if you need to run first
snx -s CheckpointURLFQDN -u USER
before usingsnxconnect
, for the signature VPN be saved at/etc/snx/USER.db
.2) Now we have the
snxconnect
python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.So to install the to setup
snxconnect
, do as root:. then do as root, for python3: (recommended)
. or instead, do as root, for python2:
3) After installing it, you can run as a non-privileged user:
If all went ok, it will ask for the password, and then say:
If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the
snxconnect
command again.4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.
After the VPN being established, you can check with
ip address
orifconfig
you have now atunsnx
interface:ip route
will show you also new routes going through thetunsnx
interface.5) For closing/disconnecting the VPN, while you may stop/kill
snxconnect
, the better and official way is issuing the command:In addition, I also found out:
snxconnect
seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doingsnx -d
to see if it produces the same result);snx
to own it, assnxconnect
talks withsnx
using it;snxconnect
/snx
is handled as a virtual host, and as such you cannot use directly the VPN IP address;snx_install.sh
script;python2
as a trade-off for less space, however as python2 is being phased out,snxconnect
in a near future might not support it;/sslvpn
strings , as my URLs do not start with/sslvpn
. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;snxconnect
the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;snx
is used, a file with the signature of the VPN/Checkpoint server will be created at/etc/snx/USER.db
;snxconnect
assnx
alone does not support it.@Wiley Marques 2018-11-11 14:29:22
Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.
@Rui F Ribeiro 2018-11-11 15:29:10
@WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.