getting Checkpoint VPN SSL Network Extender working in the command line
The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint. However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect . I was trying to put snxconnect text utility to work in Debian Buster, doing:
export PYTHONHTTPSVERIFY=0 snxconnect -H checkpoint.hostname -U USER
HTTP/1.1 301 Moved Permanently:
Got HTTP response: HTTP/1.1 302 Found
Unexpected response, try again.
What to do about it? PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.
2 Answers 2
SNX build 800007075 from 2012, used to support the CheckPoint VPN from the Linux command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x/5.x.
So ultimately, my other answer in this thread holds true, if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.
Presently, the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.
wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh
For Debian and Debian-based 64-bit systems like Ubuntu and Linux Mint, you might need to add the 32-bit architecture:
sudo dpkg --add-architecture i386 sudo apt-get update
I had to install the following 32-bit packages:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
Run then the snx installation script:
chmod a+rx snx_install.sh sudo ./snx_install.sh`
You will have now a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:
You can only proceed to the following points when all the dependencies are satisfied.
You might need to run manually first snx -s CheckpointURLFQDN -u USER , before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db .
- Before using it, you create a ~/.snxrc file, using your regular user (not root) with the following contents:
server IP_address_of_your_VPN username YOUR_USER reauth yes
Session parameters:
If you understand the security risks of hard coding a VPN password in a script, you also can use it as:
- For closing/disconnecting the VPN, while you may stop/kill snx , the better and official way is issuing the command:
$snx -d SNX - Disconnecting. done.
see also Linux Checkpoint SNX tool configuration issues for some clarifications about which snx version to use.
- If automating the login and accepting a new signature (and understanding the security implications), I wrote an expect script, which I called the script snx_login.exp ; not very secure, however you can automate your login, calling it with the password as an argument: #!/usr/bin/expect spawn /usr/bin/snx set password [lindex $argv 0] expect «?assword:» send — «$password\r» expect < "o:" < send "y\r" exp_continue >eof >
PS. Beware snx does not support OTP alone, you will have to use the snxconnect script present on the other answer if using it.
PPS @gibies called to my attention that using an etoken, the password field gets the password plus the appended etoken and not a fixed password.
@Met indeed, find it much later on. see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint’s snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.
Worked for me on Ubuntu 18.04 (64-bit). I didn’t execute snx -s CheckpointURLFQDN -u USER and executed up only to step 3.
Great thanks. This works for me in Ubuntu 20.04. I don’t have to face ugly windows vm for the vpn connection anymore.
@edib Yep, what originally motivated me to do this, was getting rid of the Windows corporate desktop, and installing Linux in my corporate issued machine.
When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.
Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line client, that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.
Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.
Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to «.
So the step-by-step instructions are roughly:
If in the VPN, to get the installation file, do:
wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
Otherwise, you will have to get it from the web interface, as described in the linked answer.
For Debian, you might need:
sudo dpkg --add-architecture i386 sudo apt-get update
I had to install the following:
sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386
chmod a+rx snx_install.sh sudo ./snx_install.sh`
You will have now a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:
You can only proceed to the following points when all the dependencies are satisfied.
Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect , for the signature VPN be saved at /etc/snx/USER.db .
- Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.
So to install and setup snxconnect , run as root:
apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev apt-get -y install python-pip pip install pytz git clone https://github.com/agnis-mateuss/snxvpn git clone git://git.code.sf.net/p/sfreleasetools/code releasetools cd snxvpn Now, as for taking out the /sslvpn URL, some Checkpoint appliances need it, some do not. I am not still aware of why the difference. I need it, @WileyMarques does not. sed -i "s/sslvpn\///g" snxconnect.py
. then do as root, for python3: (recommended)
apt-get install python3-pip python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4 pip install rsa make python3 setup.py install --prefix=/usr/local
. or instead, do as root, for python2:
apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup sed -i "s/distutils.core/setuptools/g" setup.py make python setup.py install --prefix=/usr/local
- After installing it, you can run as a non-privileged user: /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER —skip-cert —save-cookies
If all went ok, it will ask for the password, and then display:
SNX connected, to leave VPN open, leave this running!
If you are having problems getting this message, and are instead getting several times in a row, the message: «Unexpected response, try again.», do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.
After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:
$ ip addr show dev tunsnx 14: tunsnx: mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100 link/none inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx valid_lft forever preferred_lft forever inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy valid_lft forever preferred_lft forever
ip route will show you also new routes going through the tunsnx interface.
- For closing/disconnecting the VPN, while you may stop/kill snxconnect , the better and official way is issuing the command: $snx -d SNX — Disconnecting. done.
In addition, I also found out:
- snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doing snx -d to see if it produces the same result);
- PYTHONHTTPSVERIFY=0 only affects the python2 version;
- if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;
- if the certificates of the firewalls are self-signed (they often are) the —skip-cert option has to be used, or authentication will fail;
- for not having so many problems re-authenticating, had to use —save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);
- as described in the last question, for the script to work, the option «When signing-in launch SSL Network Extender» has to be changed to «automatically»;
- 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;
- the hostname passed to snxconnect / snx is handled as a virtual host, and as such you cannot use directly the VPN IP address;
- instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;
- you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;
- from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn . I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;
- in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;
- The first time snx is used, a file with the signature of the VPN/Checkpoint server will be created at /etc/snx/USER.db ;
- If you need to use OTP from the command line, you have to use snxconnect as snx alone does not support it.