Endpoint VPN MFA client for Linux
Hello,
I use the Check Point Endpoint VPN client for Windows and Mac to access a company VPN, using username/password and then confirmation on the phone using Microsoft Authenticator. Is there any way to set up a client for this scenario on Linux (Ubuntu)?
Thank you!
On Linux, the only supported client is SNX, and I believe you can use the Mobile Access portal to perform the required authentication.
Hi there,
Is there any update regarding support for Linux users for VPN MFA?
The situation is the same as previously stated.
I recommend engaging with your local Check Point office with this requirement.
If your GW is R81 or higher, you can use sk165014: Supporting strongSwan as a Remote Access client!
@PhoneBoy Thank you. I read in other posts that the SNX client is not working with recent Ubuntu versions, nor with MFA. I don't really know what it is. From what I read on this site, it is something that the Endpoint admin has to set up, but unfortunately I doubt they will do it.
@G_W_Albrecht Thank you for your reply. It's R84.30 or newer. I tried to follow and adapt the tutorials of @Soeren_Rothe on this site (on Ubuntu desktop 22.04 and 21.10), but it didn't work for me because I didn't know how to adapt to the differences (Soeren is using a pre-shared secret; our server seems to use a certificate).
In the Windows client, I just create a new connection (by entering the host name), confirm the server certificate fingerprint (because its root CA is self-signed), and then it's ready to use (I just enter username/password and confirm in the Authenticator app).
By reading the Windows client's extended logs, I saw that our config uses username+password authentication, but I didn't find info about the server certificate (I do have the root CA certificate).
It's R84.30 or newer. --> I mean the Gateway you connect to must be at least R81 to use strongSwan.
Thank you for your quick reply. How can I check what version my Gateway is?
That depends on your level of access:
- ask the FW admin
- connect to the GW's Gaia portal; you do not need to log in
- start SmartDashboard and look at the GW version
- connect to the GW using SSH and issue # fw ver
There is nothing you can do as an end user to enable Remote Access via a Linux system.
You will need to work with your admins directly on this.
Could you please be a bit more specific? Maybe give some hints on which are the main configuration elements that admins and users should take into account to make a connection from Linux possible?
In order to give more specific details, I would need to know precisely which versions are involved.
In general, though, there are two clients supported from Linux: SNX and strongSwan.
SNX is generally configured as part of the Mobile Access Blade.
Refer to the relevant product documentation for your version: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_MobileAccess_AdminGuide/Cont...
The MAB Deployment Agent is used to deploy/activate SNX from the Mobile Access Portal.
This requires a JDK to be installed on client computers.
See also (for requirements): https://support.checkpoint.com/results/sk/sk114267
strongSwan requires gateways running R81 and above and specific configuration.
Refer to the product documentation:
https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
Can you help me with the command line or GUI to use that tool, strongSwan? Please, thank you so much.
In Linux Mint, it's integrated into Network Manager if you load the relevant package: https://community.linuxmint.com/software/view/network-manager-strongswan
I assume other Linux distributions have a similar integration.
I tried to research more and configure strongSwan with the GNOME UI tools
https://community.checkpoint.com/t5/Remote-Access-VPN/strongSwan-GUI-Network-Manager-Username-Passwo...
but I don't know how to configure the connection to the Check Point VPN with 2FA (the OTP token comes from FortiToken). I also tried configuring an L2TP VPN client on Ubuntu 22.04, but could not get it to work.
With my config /etc/ipsec.conf:

    config setup
        # verbose charon logging for ike, kernel and config subsystems
        charondebug="ike 2, knl 2, cfg 2"

    conn %default
        keyexchange=ikev2
        # strict proposals (trailing "!" means no fallback)
        ike=aes256-sha256-modp2048!
        esp=aes256-sha256!

    conn myvpn
        keyexchange=ikev2
        # client side: username/password via EAP
        leftauth=eap-mschapv2
        eap_identity=ACCOUNT_VPN
        # gateway side: authenticated by its certificate
        right=IP_SERVER_VPN
        # %any accepts whatever identity the gateway presents;
        # pinning the gateway's certificate DN here is safer
        rightid=%any
        rightauth=pubkey
        rightsubnet=0.0.0.0/0
        rightdns=8.8.8.8,8.8.4.4
        leftsourceip=%config
        auto=start

Maybe my config is wrong; I searched and adapted it from a sample.
My team uses the Windows Remote Access VPN client to connect.
After entering the username/password -> connecting and response -> enter the OTP token [Response] obtained from FortiToken here.
My partner talked about configuring a Site-to-Site Check Point VPN on version R81.20; I need a remote access client solution to connect from Linux (Ubuntu).
Thank you so much for replying to me. If you can, please help me.
The only supported VPN client for Linux is SNX, which is deployed through the Mobile Access Blade and should support this authentication flow when logging into the web-based MAB portal (which can activate SNX).
We do not support strongSwan with MFA: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RemoteAccessVPN_AdminGuide/C...
We are planning to release a VPN client for Linux, but it's not in the near term.
Thank you PhoneBoy.
The last line sounds like good news for us Linux users, who have the only option of an old (and luckily still working!) SNX to date.
Any hope to know something more about the meaning of "not in the near term"?
best regards
It's in the plans to do but the exact timeframe is not finalized.
Your best bet is to engage with your local Check Point office with this requirement.
Thank you both for your replies. I wasted too much time (about 7-8 days already) trying to get this working, so I'll stick to Windows for now. As another user pointed out in a different thread, it's a pity that Check Point doesn't support Linux for real (I'm not talking about SNX). Many other vendors do.
Couldn't agree more. As a developer on Linux, I've suffered for multiple years trying to access our Check Point system, having to use an old and insecure version of SNX to connect. Once we went to 2FA, IT had to set up an AWS entry point since Check Point no longer worked for me.
Check Point uses Linux but doesn't provide a Linux client. Shameful.