Solved: Connection to VPN server from Linux with SecureID

Olivier_Roulet- · ‎2018-08-31

Hi,

I have a customer who gave us access to their system using something some CheckPoint Software with SecureID (username and secureId, no Password as far as we understand). How can we connect to these system from Linux?

We could not find any VPN client for linux on CheckPoint website

It looks like we get secureId code using stoken software so that should be OK.

If going to their VPN server 87.238.64.1 then there is some login popup but they require some java plugins which are now deprecated in all existing browsers so this is not a working solution

The page also allows to start a program called snx

snx -h
Check Point's Linux SNX
build 800008061
usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g] [-e <cipher>]
                                run SNX using given arguments
       snx -f <cf>              run the snx using configuration file
       snx                      run the snx using the ~/.snxrc

snx -d disconnect a running SNX daemon

        -s <server>           connect to server <server>
        -u <user>             use the username <user>
        -c <certfile>         use the certificate file <certfile>
        -l <ca dir>           get trusted ca's from <ca dir>
        -p <port>             connect using port <port>
        -g                    enable debugging
        -e <cipher>           SSL cipher to use: RC4 or 3DES

But snx does not seem to allow using securId authentication

We also tried the standard Linux cisco VPN client: openconnect but it fails with some error XML response has no "auth" node

Soft token init was successful.

Soft token init was successful.
POST https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 404 Not Found
Date: Fri, 31 Aug 2018 13:47:25 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 28 May 2014 09:11:07 GMT
Content-Length: 204
HTTP body length: (204)
Unexpected 404 result from server
GET https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 200 OK
Date: Fri, 31 Aug 2018 13:47:26 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Content-Length: 11788
HTTP body length: (11788)
XML response has no "auth" node

So what is the official way to connect to a VPN server using securid from Linux?

PhoneBoy · ‎2018-09-04

I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.

Just to clarify for Olivier Roulet-Dubonnet‌:

If the customer is using Mobile Access Blade (which is sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.

If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology

View solution in original post

PhoneBoy · ‎2018-08-31

The only supported VPN client on Linux is SNX, which does require Java, and yes, many browsers have deprecated support for this.

To activate SNX from the Mobile Access portal (which definitely supports SecurID), your customer should apply the fix described here: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology

We do not support using the Cisco client to connect to our gateways.

Olivier_Roulet- · ‎2018-08-31

Hi,

Thanks for the quick answer.

What browser support Java these days?

And is there any way to user secureid from the snx command line? None of the options seems to indicate it, as seen in the output in report.

Thanks

Olivier

PhoneBoy · ‎2018-08-31

I'm sure there is some browser out there that still supports it, but the common cross-platform ones do not

Theoretically, you should just be able to use the PIN + SecurID token number as the password on the CLI.

If you require some other password to sign in in addition to this, then I'm afraid there is no way to do it using the CLI and you must authenticate using the Mobile Access Portal.

Olivier_Roulet- · ‎2018-08-31

Thank you again!

Pin + secureid on one line as password?

PhoneBoy · ‎2018-08-31

Pretty sure that will work, as that's exactly how you would enter it in the browser.

Olivier_Roulet- · ‎2018-09-03

Hi,

unfortunately that does not work, it is also a bit surprising because If I try to log into the gui there is field called secureid. If I let the password empty and write the secureid number in the secureid field then I get a window telling me that I am connected (If I write my pin as password I get an access denied error). No VPN connection is created because I could not find any browser supporting java yet... but this really looks like my token and config is correct

So its looks like the web solution does not require any password/pin but if I run snx from command line I get access denied with PIN and PIN + tokenid and tokenid.... If the java stuff calles snx in the background thenhow is it sending the PIN? Can i emulate it using command line?

Olivier

G_W_Albrecht · ‎2018-09-03

According to sk115242 "Authentication failed" error presented when user tries to connect to site using SNX CLI mo...you need SNX build 800007075 for MAB use - this can be found in sk90240 SSL Network Extender E75 CLI Support for Mobile Access Blade.

Olivier_Roulet- · ‎2018-09-03

Version is

snx ver

a username or a certificate were not supplied

Check Point's Linux SNX

build 800008061

That seems to be over the version adviced in this PR. Althoug there is not ver option

snx ver

a username or a certificate were not supplied

Check Point's Linux SNX

build 800008061

usage: snx -s ] [-e SSL cipher to use: RC4 or 3DES

G_W_Albrecht · ‎2018-09-03

So you are using the wrong version and SNX CLI can not work 😞 The customer is using an unsupported SNX build for Linux CLI connection (not SNX build 800007075).

Olivier_Roulet- · ‎2018-09-03

OK. And where do I get that special version? You have a link above but I click on it it says:

"""

Symptoms

SSL Network Extender does not connect to Mobile Access blade via client CLI in Linux and Mac OS X.

Solution

To view this solution, Advanced access is required.
Click here to learn more about our Support Programs and Plans .

"""

The customer website https://87.238.64.1/ gives a link to download snx, why is this a non working version? And how can I get that working version?

Thank you

Olivier

G_W_Albrecht · ‎2018-09-03

This can be accomplished by involving TAC!

PhoneBoy · ‎2018-09-03

If you see more than one "password" prompt, it maybe that your customer has multifactor authentication enabled on the gateway.

If this is the case, the command line SNX client will not work (regardless of version) and your only option is to authenticate with a web browser.

As far as I know the functionality in that special version has been rolled into current versions anyway.

G_W_Albrecht · ‎2018-09-03

Can you get that confirmed ? If this is true, sk115242 should be changed.

PhoneBoy · ‎2018-09-04

Probably worth a comment in the SK.

I'll ask.

G_W_Albrecht · ‎2018-09-04

Yes, especially as sk115242 speaks of RFE 😉

PhoneBoy · ‎2018-09-04

I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.

Just to clarify for Olivier Roulet-Dubonnet‌:

If the customer is using Mobile Access Blade (which is sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.

If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology

View solution in original post