Sagar_Manandhar
Advisor

VPN client for ubuntu

Hi,

Is there any Ubuntu VPN client I can use to access the SSL VPN?

Gaia version : R77.30

Environment : Standalone

Thanks

Sagar Manandhar

13 Replies
Danny
Champion

SSL VPN works clientless, however Check Point Mobile Access includes the SNX client (SSL network extender), that enables IPsec over SSL. sk114267 is your friend. You should be able to download the client directly from your standalone firewall and read further here.

Vincenzo_Casell
Participant

Hi all,

I used SNX client with success with Ubuntu and CentOS for almost two years (build 800007075 to be precise).

Since July 2018 it seems that the server-side counterpart has disabled SNX access and allows only the CheckPoint Endpoint Security client (only available for Windows and Mac).

See here

ubuntu - Check Point VPN client alternatives - Super User 

for details.

Is there some way to overcome this problem and connect to a Checkpoint server from Linux without SNX?

@Danny Jung: what do you mean by 'clientless'?

Thank you very much

Vincenzo

0 Kudos
Josef_Kerbl
Explorer

I have good experiences using the ike-qtgui package from aptitude.

However you have to do the certificate stuff mentioned here:
https://www.shrew.net/support/Howto_Checkpoint 

Cheers

0 Kudos
Sal_Previtera
Contributor

You may want to try this link.....

CheckPoint SNX install instructions for major Linux distributions | kenfallon.com 

I have it working on the command line with the latest version of Ubuntu:

snx -s my-server.somewhere.com -u my-username

It works flawlessly, without worrying about Java or any other browser upgrades and changes.

angelo_capone
Explorer

Hi,

I successfully ran SNX on Ubuntu 17.10 for over a year, but after a change of access point due to user base migration to a different Active Directory domain, SNX stopped working.

The downloadable SNX version from the access point site is the same as on the previous site, but it doesn't work any more.

SNX output:

Check Point's Linux SNX
build 800007116
Please enter your password:

SNX: Connection aborted.

[ 6511 -141404352]@y310300436[15 Dec 11:47:02] snx: starting debug - Fri Dec 15 11:47:02 2017

[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::snx_browser(): called
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::auth: entering
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] gwinfo:gwinfo: entered!0x8bbde90
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] creating the ssl layer
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::talkssl(): entered with chunk=512, opaque=f7f18010, link_established=80ebba0, link_failure=80ebb80, packet_receive=80ebb50, verify_gw=80ebbc0
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::set_sslalg: setting ssl alg to 2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] connecting
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl:: init_ssl_neg: using 3DES with CKPSSL_ACCEPT_TLS1_2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] ckpSSLctx_New: prefs = 1e
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] ckpSSLctx_New: CKPSSL_ACCEPT_TLS1_2 is turned on + (CKPSSL_ACCEPT_TLSV1 | CKPSSL_ACCEPT_SSL3)
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] ckpSSLctx_New: choose SSLv23_method == the highest TLS version available -> should provide TLS 1.2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] is_initialized: new process or forked
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] The PRNG was not initialized properly
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] rand_add_seedfile: Failed to read seed from registry.: Operation not permitted
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwrand_write_seed: Failed to read seed from registry.: Operation not permitted
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwrand_write_seed: Failed to write seed.: Operation not permitted
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] isExist: ProxyEntity didn't initiated yet
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::start_async: Creating a new connection
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::start_async: Connecting to gw: 0x0f018592, port: 443
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_make_connection: 9285010f/443: dowait is -1 sock is 6
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::start_async: Connection created successfully
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_connected: 6: getpeername: Transport endpoint is not connected
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_client_handler_wrapper: failed to create conn
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_end_conn: scheduling the end of connection 6
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_do_end_conn: closing connection 6 (conn=8bcc0c0)
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::end_handler: ending connection
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::Failure: entering with code: 1

[ 6511 -141404352]@y310300436[15 Dec 11:47:05] got link down!- exit
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx: quit.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::~snx_browser: called
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::~talkssl: delete link
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::~talkssl: end
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] done

Any help would be appreciated, thanks in advance.

0 Kudos
Sal_Previtera
Contributor

Angelo,

Other than the obvious syntax "snx -s xxx.xxxx.xxx.xxx -u my-AD-Domain\my-username", have you tried that?

It will not work with any browser that does not support Java, like Firefox after version 52.

As explained in Ken Fallon's article, SNX seems to use some old libraries; you may need to reinstall them.

http://kenfallon.com/checkpont-snx-on-ubuntu-14-04-lts-trusty-tahr/

add-apt-repository -y ppa:webupd8team/java

apt-get update

apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386

java -version

0 Kudos
angelo_capone
Explorer

Thanks for the feedback,

I finally solved the problem simply by clearing the environment variable https_proxy.

It seems that a corporate setting for the HTTPS proxy caused trouble for the SNX internal browser.

0 Kudos
Victor_Chang
Participant

It would be nice if the Linux client can support TLS 1.2.

sk107166 says it does but my testing shows otherwise.

Has anyone successfully gotten SNX on Linux to negotiate TLS 1.1 or TLS 1.2 using AES[x]?

The Mac and Windows clients seem okay. It's just the Linux client.

0 Kudos
Sal_Previtera
Contributor

I can see your point, Victor. I did run SNX with the -g option for debugging and I see

 talkssl, ckpSSLctx_New, ckpSSL_NegotiateStep

in the SNX.elg file. Interesting...

0 Kudos
Victor_Chang
Participant

Well here's an update

Build 800008016 (from HFA286) supports TLS 1.2. The debug output on snx is wrong. We ran a vpn debug on the gateway and we saw supported TLS was "303". 303 = TLS 1.2.

Sadly for Linux it then went on to use 3DES as the only supported cipher. I'm asking support about this so stay tuned!
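
A triage script for two observations in this thread (angelo_capone's https_proxy fix and Victor_Chang's "303" / 3DES finding), added here as an example; it was not posted by any participant and is not Check Point code. The marker strings come from the debug output above, while the function names, the legacy-cipher set and the environment passed in are assumptions.

```python
import re

# Line layout of the SNX debug output posted in this thread:
#   [ pid tid]@host[dd Mon hh:mm:ss] message
LINE_RE = re.compile(r"^\[\s*\d+\s+-?\d+\]@\S+?\[[^\]]+\]\s+(.*)$")
CIPHER_RE = re.compile(r"init_ssl_neg: using (\S+) with (\S+)")
FAILURE_MARKERS = ("failed to create conn", "Failure: entering with code")

# TLS wire versions, keyed the way the gateway debug printed them ("303").
TLS_VERSIONS = {"300": "SSL 3.0", "301": "TLS 1.0", "302": "TLS 1.1",
                "303": "TLS 1.2", "304": "TLS 1.3"}
LEGACY_CIPHERS = {"DES", "3DES", "RC4"}  # assumption: names as the client logs them
PROXY_VARS = ("https_proxy", "HTTPS_PROXY")

# Three lines copied from the debug output posted earlier in the thread.
SAMPLE_LOG = """\
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl:: init_ssl_neg: using 3DES with CKPSSL_ACCEPT_TLS1_2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_client_handler_wrapper: failed to create conn
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::Failure: entering with code: 1
"""

def tls_version_name(code):
    """Map a hex version code such as '303' or '0x0303' to a protocol name."""
    try:
        return TLS_VERSIONS.get(format(int(code, 16), "x"), "unknown")
    except ValueError:
        return "unknown"

def triage(log_text, env):
    """Return findings for one SNX debug log and the environment it ran in."""
    findings, failed = [], False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines, prompts and blank lines
        msg = m.group(1)
        c = CIPHER_RE.search(msg)
        if c and c.group(1).upper() in LEGACY_CIPHERS:
            findings.append(f"legacy cipher in use: {c.group(1)} ({c.group(2)})")
        if any(marker in msg for marker in FAILURE_MARKERS):
            failed = True
    if failed:
        proxies = [v for v in PROXY_VARS if env.get(v)]
        if proxies:
            findings.append("connection failed with proxy variables set: " + ", ".join(proxies))
        else:
            findings.append("connection failed")
    return findings

if __name__ == "__main__":
    import os
    print(triage(SAMPLE_LOG, os.environ), tls_version_name("303"))
```
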

Pedro_Espindola
Advisor

Victor, do I have to reach TAC to get this version or is it available for download somewhere?

0 Kudos
G_W_Albrecht
Legend

This is part of R77.30 Jumbo Hotfix:

Starting in Take_266, this Jumbo Hotfix Accumulator supports TLS 1.2 in the following products / features:

  • ICA Management Portal / Management Portal
  • Secure Internal Communication (SIC)
  • Gaia Portal
  • Platform Portal
  • Software Updates
  • Mobile Access blade
  • Endpoint Security Management Server
  • SSL Network Extender (SNX)
CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
vivekdabhi80
Explorer

Hi All
I have a document for installing Checkpoint on an Ubuntu machine. Please refer to the steps provided in that document.

https://help.nscc.sg/wp-content/uploads/Linux_SSL_VPN_client_guide_by_HPE.pdf

0 Kudos
