VPN client for ubuntu
Hi,
Is there any Ubuntu VPN client I can use to access the SSL VPN?
Gaia version : R77.30
Environment : Standalone
Thanks
Sagar Manandhar
SSL VPN works clientless, however Check Point Mobile Access includes the SNX client (SSL network extender), that enables IPsec over SSL. sk114267 is your friend. You should be able to download the client directly from your standalone firewall and read further here.
Hi all,
I used SNX client with success with Ubuntu and CentOS for almost two years (build 800007075 to be precise).
Since July 2018 it seems that the server-side counterpart has disabled SNX access and allows only the CheckPoint Endpoint Security client (only available for Windows and Mac).
See here
ubuntu - Check Point VPN client alternatives - Super User
for details.
Is there some way to overcome this problem and connect to a Checkpoint server from Linux without SNX?
@Danny Jung: what do you mean by 'clientless'?
Thank you very much
Vincenzo
I have good experiences using the ike-qtgui package from aptitude.
However you have to do the certificate stuff mentioned here:
https://www.shrew.net/support/Howto_Checkpoint
Cheers
You may want to try this link.....
CheckPoint SNX install instructions for major Linux distributions | kenfallon.com
I have it working in command line with the latest version of ubuntu....
snx -s my-server.somewhere.com -u my-username
It works flawlessly without worrying about Java or any other browser upgrades and changes.
Hi,
I successfully ran SNX on Ubuntu 17.10 for over a year, but after a change of access point due to the user base migrating to a different Active Directory domain, snx stopped working.
The snx version downloadable from the access point site is the same as on the previous site, but it doesn't work any more.
SNX output:
Check Point's Linux SNX
build 800007116
Please enter your password:
SNX: Connection aborted.
[ 6511 -141404352]@y310300436[15 Dec 11:47:02] snx: starting debug - Fri Dec 15 11:47:02 2017
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::snx_browser(): called
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::auth: entering
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] gwinfo:gwinfo: entered!0x8bbde90
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] creating the ssl layer
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::talkssl(): entered with chunk=512, opaque=f7f18010, link_established=80ebba0, link_failure=80ebb80, packet_receive=80ebb50, verify_gw=80ebbc0
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::set_sslalg: setting ssl alg to 2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] connecting
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl:: init_ssl_neg: using 3DES with CKPSSL_ACCEPT_TLS1_2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] ckpSSLctx_New: prefs = 1e
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] ckpSSLctx_New: CKPSSL_ACCEPT_TLS1_2 is turned on + (CKPSSL_ACCEPT_TLSV1 | CKPSSL_ACCEPT_SSL3)
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] ckpSSLctx_New: choose SSLv23_method == the highest TLS version available -> should provide TLS 1.2
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] is_initialized: new process or forked
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] The PRNG was not initialized properly
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] rand_add_seedfile: Failed to read seed from registry.: Operation not permitted
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwrand_write_seed: Failed to read seed from registry.: Operation not permitted
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwrand_write_seed: Failed to write seed.: Operation not permitted
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] CkpRegDir: Environment variable CPDIR is not set.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] GenerateGlobalEntry: Unable to get registry path
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] isExist: ProxyEntity didn't initiated yet
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::start_async: Creating a new connection
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::start_async: Connecting to gw: 0x0f018592, port: 443
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_make_connection: 9285010f/443: dowait is -1 sock is 6
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::start_async: Connection created successfully
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_connected: 6: getpeername: Transport endpoint is not connected
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_client_handler_wrapper: failed to create conn
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_end_conn: scheduling the end of connection 6
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] fwasync_do_end_conn: closing connection 6 (conn=8bcc0c0)
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::end_handler: ending connection
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::Failure: entering with code: 1
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] got link down!- exit
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx: quit.
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] snx_browser::~snx_browser: called
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::~talkssl: delete link
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] talkssl::~talkssl: end
[ 6511 -141404352]@y310300436[15 Dec 11:47:05] done
Any help would be appreciated, thanks in advance.
Angelo,
Other than the obvious syntax "snx -s xxx.xxxx.xxx.xxx -u my-AD-Domain\my-username", have you tried that?
It will not work with any browser that does not support Java, like Firefox after version 52.
As explained in Ken Fallon's article, SNX seems to use some old libraries; you may need to reinstall them.
http://kenfallon.com/checkpont-snx-on-ubuntu-14-04-lts-trusty-tahr/
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version
Thanks for the feedback,
I finally solved the problem by simply clearing the environment variable https_proxy;
it seems that a corporate setting for the HTTPS proxy caused trouble for snx's internal browser.
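A triage sketch for the failure resolved above, added here as an example and not part of any post or of Check Point's tooling: it reads snx debug output in the line format quoted earlier in the thread, reports the cipher and TLS flag the client announced, collects the errors logged after the connect attempt, and lists any proxy variable snx would inherit. The function name, the constructed sample excerpt and the upper-case `HTTPS_PROXY` spelling are assumptions.

```python
import re

# Prefix of the snx debug lines quoted in this thread:
# "[ pid tid]@host[DD Mon HH:MM:SS] message"
LINE_RE = re.compile(r"^\[\s*\d+\s+-?\d+\]@\S+?\[\d+ \w+ [\d:]+\]\s+(.*)$")
CIPHER_RE = re.compile(r"init_ssl_neg: using (\S+) with (\S+)")
GW_RE = re.compile(r"Connecting to gw: \S+ port: (\d+)")
FAIL_RE = re.compile(r"failed|failure|link down|not connected", re.I)
WEAK_CIPHERS = {"3DES"}
# https_proxy is the variable named in the thread; HTTPS_PROXY is an assumption.
PROXY_VARS = ("https_proxy", "HTTPS_PROXY")

def triage(log_text, env):
    """Summarise an snx debug log plus the proxy variables snx would inherit."""
    out = {"cipher": None, "tls_flag": None, "weak_cipher": False, "port": None,
           "errors": [], "proxy_vars": [v for v in PROXY_VARS if env.get(v)]}
    connecting = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # banner lines such as "build ..." have no debug prefix
        msg = m.group(1)
        cipher, gw = CIPHER_RE.search(msg), GW_RE.search(msg)
        if cipher:
            out["cipher"], out["tls_flag"] = cipher.groups()
            out["weak_cipher"] = out["cipher"] in WEAK_CIPHERS
        elif gw:
            out["port"] = int(gw.group(1))
            connecting = True
        elif connecting and FAIL_RE.search(msg):
            out["errors"].append(msg)  # only failures after the connect attempt
    return out

# Constructed excerpt: a subset of the debug lines posted earlier in the thread.
P = "[ 6511 -141404352]@y310300436[15 Dec 11:47:05] "
SAMPLE_LOG = "\n".join(["build 800007116"] + [P + s for s in (
    "talkssl:: init_ssl_neg: using 3DES with CKPSSL_ACCEPT_TLS1_2",
    "rand_add_seedfile: Failed to read seed from registry.: Operation not permitted",
    "talkssl::start_async: Connecting to gw: 0x0f018592, port: 443",
    "talkssl::start_async: Connection created successfully",
    "fwasync_connected: 6: getpeername: Transport endpoint is not connected",
    "fwasync_client_handler_wrapper: failed to create conn",
    "snx_browser::Failure: entering with code: 1",
)])

if __name__ == "__main__":
    import os
    print(triage(SAMPLE_LOG, os.environ))
```

A non-empty `proxy_vars` together with errors right after the connect attempt matches the situation described in the post above; the log alone does not prove the proxy is the cause.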
It would be nice if the Linux client could support TLS 1.2.
sk107166 says it does but my testing shows otherwise.
Has anyone successfully gotten SNX on Linux to negotiate TLS 1.1 or TLS 1.2 using AES[x]?
The Mac and Windows clients seem okay. It's just the Linux client.
I can see your point, Victor. I did run SNX with the -g option for debugging and I see
talkssl, ckpSSLctx_New, ckpSSL_NegotiateStep
in the SNX.elg file. Interesting...
Well, here's an update.
Build 800008016 (from HFA286) supports TLS 1.2. The debug output on snx is wrong. We ran a vpn debug on the gateway and we saw the supported TLS was "303" (303 = TLS 1.2).
Sadly for Linux it then went on to use 3DES as the only supported cipher. I'm asking support about this so stay tuned!
Victor, do I have to reach TAC to get this version or is it available for download somewhere?
This is part of R77.30 Jumbo Hotfix:
Starting in Take_266, this Jumbo Hotfix Accumulator supports TLS 1.2 in the following products / features:
- ICA Management Portal / Management Portal
- Secure Internal Communication (SIC)
- Gaia Portal
- Platform Portal
- Software Updates
- Mobile Access blade
- Endpoint Security Management Server
- SSL Network Extender (SNX)
Hi All
I have a document for installing Checkpoint on an Ubuntu machine. Please refer to the steps provided in that document.
https://help.nscc.sg/wp-content/uploads/Linux_SSL_VPN_client_guide_by_HPE.pdf