WinfriedTrümper
Explorer

CP VPN Linux support

We have been using a VPN solution from a competitor for several years. The hardware of the product will be discontinued. We would like to move to a Check Point VPN in order to benefit from an administrative integration into our existing Check Point firewall.

Our 20 Linux users had been happily using an openconnect plugin for VPN access. Zero support effort despite a broad range of Linux variants. We only realized how perfect that approach was after we started to evaluate two Check Point VPNs. The level of dissatisfaction and frustration during the evaluation phase is high. The users vetoed moving to Check Point. Others like me successfully use the Windows client, but I agree that the required amount of local Linux support is not realistic. It is impressive to see that the official clients exist - but in the end they are neither working out-of-the-box, nor compliant with local legislation, nor Linuxish from our experience.

The CP openconnect plugin, the ideal zero-support solution, has not been merged into master for the past three years. Probably it is ready only after we made a purchase decision.

The cpyvpn MAP login algorithm consists of "a bunch of hacks and tricks", so one day the Linux users might not be able to connect. We welcome the frank documentation and accept cpyvpn does not meet our expectations.

We learned about snx-rs, which would be accepted by our users. Closest we can get. However, it has a timeout problem. See https://github.com/ancwrd1/snx-rs/issues/49. The issue is not fixed in my opinion. Having the option of keepalive=true/false aids in debugging. But an idle timeout after 60 minutes still happens although the connection is not idle. That sounds like a matter that could be explained (fixed) quickly by somebody at CP deep into the matter. Maybe the keepalive packet is simply sent to the wrong target or not getting through. Any pointer is appreciated.

 


8 Replies
PhoneBoy
Admin

SNX is the only Check Point-branded VPN client that can be used with Quantum Security Gateways.
However, StrongSWAN is also an option.
Harmony SASE has a Check Point-branded Linux client.

WinfriedTrümper
Explorer

Thank you for spending effort on an answer. Yes, both VPN types. Including Harmony SASE (though it does not meet the requirement of integration). We tried them before. And we fully appreciate the chance of trials. However, we found that all CP VPN solutions suffer from the same problems described in my original post. I hope you find it useful.

2FA is mandatory without further notice. Local legislation requires it in most parts of the world for the type of customer targeted by CP. Suggesting something without 2FA like StrongSWAN does not bring the discussion further. Yes, we know about the hack of merging the OTP with the password.

PhoneBoy
Admin

I completely understand the situation.
My understanding is that there is a Linux VPN client in the works, but don't have an ETA.
I would engage your local Check Point office with your specific requirements.

WinfriedTrümper
Explorer

My point is not to have a Check Point Linux VPN client in a classical sense. Simply do not do it. 🙂 We did not use the official Linux client of our former solution either. We used a compatible openconnect plugin. Which is not the same in terms of advanced security and management features CP offers. So your product owner or marketing people will probably criticize my opinion as not fitting into their product strategy. But openconnect was what our Linux users needed: zero support effort due to full integration.

PhoneBoy
Admin

Wasn't familiar with OpenConnect before you mentioned it.
If an OpenConnect integration is something you need, this should be communicated through your local Check Point office.

the_rock
Legend

@PhoneBoy is 100% right. There were also recent discussions about this as well.

 

https://community.checkpoint.com/t5/General-Topics/Question-VPN-client/m-p/249041/emcs_t/S2h8ZW1haWx...

Andy

WinfriedTrümper
Explorer

From our experience you describe the problem, not the solution. I might miss the point; this forum is somewhat cumbersome to consume.

ancwrd1
Explorer

@WinfriedTrümper if you have a specific issue with snx-rs you can open a ticket and I will try to fix it. The recent version has some changes which may fix the problem with the keepalive timeout.
