cshell_install.sh for ubuntu 20.04 LTS
Hi,
I have upgraded my computer to Ubuntu 20.04 and I have realized that the Check Point client for Linux is not supported in this release:
Since Ubuntu 20.04 is a long-term support (LTS) release, this issue seriously blocks the usage of Check Point by Linux users.
So, could you give me any suggestion to get around this problem?
thanks for your help!
I used SNX on Linux Mint 20, which is based on Ubuntu 20.x, and it worked fine.
Did you actually try it?
Official support is, of course, a different question and we probably need to get that clarified @AndreiR.
In the near term, we plan to support StrongSWAN with R81 gateways.
@PhoneBoy I have issues as well with LTS 20.04.2. CP Gateway is R80.40.
I did as follows:
log in via Firefox.
Click on connect
Info to download and install client
Install of cshell works fine. All required packages installed as stated in SK119772.
Closed firefox as mentioned during cshell install.
Start firefox again.
Login
Click on connect
Info to download and install cshell...
Any hint where I can find a hint about the issue?
I used SNX directly with an SMB gateway using the CLI, which is different from connecting with Mobile Access on R80.40.
You can bring it up through the TAC, but I suspect this is not currently supported.
20.04 isn't supported yet. True.
I get this
Starting Mobile access Portal Agent....
Cannot start mobile access portal agent. Installation aborted.
Looking forward to StrongSWAN
Any idea of when Mobile Access Portal Agent will be compatible with Ubuntu 20.04 LTS?
At the cshell script fails on that Ubuntu version...
Thanks in advance
If you are not happy about current client Linux support, then (unofficial) open-source analogs may be of help here.
One of them is an openconnect fork (not merged yet) with capabilities similar to the native Linux snx program, without Mobile Access Portal Agent support.
The other is cpyvpn that can talk to Mobile Access Portal and create SNX-based tunnels.
Using it with Debian 10, Debian 11, Ubuntu LTS 18.04 and Ubuntu LTS 22.04 and it is working.
I actually wrote a bash wrapper for our developers that configures it in a chroot environment and installs automatically SNX and Mobile Access Portal Agent. https://github.com/ruyrybeyro/chrootvpn
Hi Rui:
I installed R80.40 recently in our central firewalls. I have CentOS 7 and tried your script, but the commands are not clear to me.
I write "vpn.sh urlvpn ipvpn" and the result is "Please fill in VPN and VPNIP with the DNS FQDN and the ip address of your Checkpoint VPN server".
Thanks.
Problem solved here changing a property in jdk_path/conf/security/java.security to:
security.useSystemPropertiesFile=false
This will ignore algorithms deprecated in /etc/crypto-policies/back-ends/java.config.
Tested with CentOS 9 Stream
Debian has by default security.overridePropertiesFile=true, is it the same thing?
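
Added example, not from any poster in this thread: the two keys mentioned above are separate settings. security.useSystemPropertiesFile is the key RHEL-family OpenJDK builds read to decide whether /etc/crypto-policies/back-ends/java.config is appended, while security.overridePropertiesFile controls whether -Djava.security.properties may override the file. The shell functions below (names and sample are constructed here) report both for a java.security file, so a JDK that has been switched away from the system crypto policy can be spotted.

```shell
#!/bin/sh
# Added example: report crypto-policy related keys in java.security files.

# prop_value FILE KEY: print the effective value of KEY in a Java properties
# file. Comment lines are skipped and the last assignment wins, as in
# java.util.Properties. Backslash line continuations are not handled.
prop_value() {
    awk -v key="$2" '
        /^[ \t]*[#!]/ { next }
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            n = match(line, /[ \t]*[=:][ \t]*/)
            if (n == 0) next
            if (substr(line, 1, n - 1) == key) {
                v = substr(line, n + RLENGTH)
                sub(/[ \t\r]+$/, "", v)
                found = 1
            }
        }
        END { if (found) print v; else exit 1 }
    ' "$1"
}

# crypto_policy_status FILE: classify one java.security file.
crypto_policy_status() {
    if v=$(prop_value "$1" security.useSystemPropertiesFile); then
        case $v in
            [Tt][Rr][Uu][Ee]) echo "follows-system-policy" ;;
            *) echo "ignores-system-policy" ;;
        esac
    else
        echo "key-absent"
    fi
}

# Constructed sample (not a real java.security): the default followed by
# the override described in the post above.
sample_java_security() {
    cat <<'EOF'
security.overridePropertiesFile=true
security.useSystemPropertiesFile=true
security.useSystemPropertiesFile = false
EOF
}

# Usage: sh check_java_security.sh /path/to/conf/security/java.security ...
for f in "$@"; do
    printf '%s: %s (overridePropertiesFile=%s)\n' "$f" \
        "$(crypto_policy_status "$f")" \
        "$(prop_value "$f" security.overridePropertiesFile || echo unset)"
done
```
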
Bit late to the party, but if you do not accept the cshell local certificate in Firefox by visiting the URL https://localhost:14186/id, the portal asks to install the software again. That URL must be visited each time CShell is reinstalled.
Thank you very much. Now the VPN connection is working pretty well!
Hi, I have R80.40 recently installed. I tried Rui's vpn.sh script, but when I run "vpn.sh urlvpn ipvpn" on my CentOS 7 the result of the command is "please fill in VPN and VPNIP with the DNS FQDN and the ip address of your checkpoint vpn server". Thanks.
Hi adelpozo:
I write "vpn.sh urlvpn ipvpn" and the result is "Please fill in VPN and VPNIP with the DNS FQDN and the ip address of your Checkpoint VPN server".
Can you help me with the commands?
Thank you so much.
Hi,
I launched a new version, some minor details and instructions corrections.
Either you edit VPN *and* VPNIP inside the vpn.sh script, or as an alternative, do it as:
sudo ./vpn.sh -i --vpn=DNSNAMEOFVPN
If your vpn is vpn.example.com
Then it is:
sudo ./vpn.sh -i --vpn=vpn.example.com
Regards
Thanks Rui.
I run "sudo vpn.sh -i --vpn=urlofmyvpn" and begin install files and see this.
done.
done.
Installation successfull
Installing CShell - ignore xhost errors
/root/cshell_install.sh: 1: xhost: not found
Please add "root" and "cshell" to X11 access list
/root/cshell_install.sh: 1: xhost: not found
Please add "root" and "cshell" to X11 access list
Start Check Point Mobile Access Portal Agent installation
Extracting Mobile Access Portal Agent... Done
Installing Mobile Access Portal Agent... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Done
Installing certificate... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
Done
Starting Mobile Access Portal Agent... Done
Installation complete
Errors on certutil.
I try to open Firefox and log in to my VPN; the status changes to initializing and the window closes.
I try now in ubuntu 22.
Thanks for your work.
Hi,
I already was suspecting patching the cshell installation script would give me problems with different firewall versions.
I created a new version, 0.995, that does not need cshell_install.sh patches anymore.
Please get it from https://github.com/ruyrybeyro/chrootvpn and try reinstalling again.
Regards
Hi Rui:
I try with your new version in a clean installation of ubuntu 22 and in other clean installation of ubuntu 20 with the same result.
I execute "sudo vpn.sh -i --vpn=urlvpn"
The result is:
Installation successfull
Installing CShell
Start Check Point Mobile Access Portal Agent installation
Extracting Mobile Access Portal Agent... Done
Installing Mobile Access Portal Agent... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
Done
Installing certificate... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
Done
Starting Mobile Access Portal Agent... Done
Installation complete
Added graphical auto-start
For it to run, modify your /etc/sudoers for not asking for password
As in:
%sudo ALL=(ALL:ALL) NOPASSWD:ALL
#or:
%sudo ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh
#or:
osboxes ALL=(ALL:ALL) NOPASSWD:ALL
#or:
osboxes ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh
chroot setup done.
/home/osboxes/Downloads/vpn.sh copied to /usr/local/bin/vpn.sh
open browser with https://localhost:14186/id to accept new localhost certificate
afterwards open browser at https://urlvpn to login into VPN
If it does not work, launch vpn.sh in a terminal from the X11 console
If I execute "sudo vpn.sh status" it is running
I open firefox, and go to https://localhost:14186/id and accept the security warning
I open urlvpn and click the connect button. The status is "initializing", then "connecting", then "connected" for a few seconds, and the window closes automatically and I am not connected to the VPN.
I tried it also with Chromium.
I don't know if I can send you a log or any file for your review.
Thank you so much Ruy. If you can think of something I can try, I'm here for it.
Unfortunately, CShell paints over the desktop and needs X11 authorization. It is probably the lack of it. I do not understand how you still got errors in the cshell install script. Nevertheless, it seems the process went well and finished.
Try either now:
- logging out and in of the graphical interface manager - IF you gave your user sudo *without password* (it applies the X11 rights when logging in),
OR
- rebooting (if you gave your user sudo permissions without password)
OR
- running sudo ./vpn start in a graphical terminal and *not over ssh*.
Then you can login using the browser using your portal.
Is that possible also getting your cshell_install.sh? Find it odd that line 178 error. Would you be able to post cshell_install.sh line 178 here too?
Hi Ruy:
I use virtual machines and use the console, not ssh.
I reboot the virtual machine ubuntu 20 and ubuntu 22, execute "sudo vpn.sh start", and works perfectly Ruy.
I attach our cshell_install.sh for your revision.
Is there a way to make it start automatically, or do I have to do vpn.sh start every time I boot the virtual machine?
The supported operating systems are Debian/Ubuntu/RH/CentOS/Fedora, right, or is it also compatible with Arch Linux, Mint and others?
Thank you so much Ruy for your script and help.
Hi,
Tracked down the X11 lack of rights to me forgetting doing it in the install routine after refactoring code.
Thanks for your cshell_install.sh, it seems a variation of ours, that tests Firefox profiles differently. Added code for accounting for that.
A config file was placed under /etc/xdg automatically for launching vpn.sh upon user console graphical login, however you have to authorize in sudoers your X11 login user running /usr/local/bin/vpn.sh having sudo rights without password.
As in:
osboxes ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh
Released a new version with the fixes for the issues found with your use of the script, please run:
sudo vpn.sh selfupdate
The script is working in Debian and RedHat family, tested already some. Rocky works (RedHat), Mint too (Debian). CentOS 9 too. Tried implementing it for SUSE, but their debootstrap implementation seems too old.
Regards
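
Added example, not part of chrootvpn: a NOPASSWD rule scoped to /usr/local/bin/vpn.sh is only as tight as the permissions on that file, since any account able to rewrite it runs its own content as root without a password. The shell functions below (names are hypothetical, GNU stat assumed) check the target and its directory before printing the scoped rule.

```shell
#!/bin/sh
# Added example: vet the command named in a scoped NOPASSWD sudoers rule.

# perms_ok PATH UID: PATH is owned by UID and not group- or world-writable.
perms_ok() {
    uid=$(stat -c %u "$1") || return 1
    mode=$(stat -c %a "$1") || return 1
    [ "$uid" = "$2" ] && [ $(( 0$mode & 022 )) -eq 0 ]
}

# target_is_safe PATH [UID]: PATH may be named in a NOPASSWD rule only if it
# is an absolute path to a regular file (no symlink) and both the file and
# its directory pass perms_ok for UID (default 0, root).
target_is_safe() {
    case $1 in
        /*) ;;
        *) echo "not an absolute path: $1" >&2; return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9_./-]*) echo "unexpected character in: $1" >&2; return 1 ;;
    esac
    if [ -L "$1" ] || [ ! -f "$1" ]; then
        echo "not a regular file: $1" >&2; return 1
    fi
    perms_ok "$1" "${2:-0}" ||
        { echo "wrong owner or writable by others: $1" >&2; return 1; }
    perms_ok "$(dirname "$1")" "${2:-0}" ||
        { echo "unsafe directory for: $1" >&2; return 1; }
}

# sudoers_line USER PATH: print a rule scoped to that single command.
sudoers_line() {
    case $1 in
        ''|*[!a-z0-9_-]*) echo "unexpected user name: $1" >&2; return 1 ;;
    esac
    printf '%s ALL=(ALL:ALL) NOPASSWD: %s\n' "$1" "$2"
}

# Usage: sh check_rule.sh USER [PATH]. Save the output under /etc/sudoers.d
# with mode 0440 and syntax-check it with: visudo -cf FILE
if [ $# -ge 1 ]; then
    target=${2:-/usr/local/bin/vpn.sh}
    target_is_safe "$target" && sudoers_line "$1" "$target"
fi
```
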
All perfect Rui!! For the moment I have tested on Ubuntu 20 and 22.
I tried on CentOS 9 and the error is:
No match for argument: epel-release
Error: Unable to find a match: epel-release
installPackages->needcentosfix: could not do yum. Fix it
If I do "yum update" before executing vpn.sh it's OK.
Anything I can add to the script to fix this?
In my case I will customize the script so that the user has to interact as little as possible.
Thank you so much Ruy
Hi, Did not notice that issue with centos 9, not sure of the problem.
I replaced yum by dnf, and doing a dnf check-update to see if it solves it. update might break things or be overly long. I prefer the update, others might not like it.
Could you test v0.999 please?
Regards
Hi Ruy:
I tried v0.999 and attach the result. The vm is a clean centos 9 installation.
Odd, the epel-release package has been out for 5-6 months now. Where are you getting your CentOS 9 image?
Getting mine from http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/iso/CentOS-Stream-9-latest-x86_64-dvd1.iso
That need to do an update seems strange, but maybe it is due to it being a rolling distribution.
Hi Ruy:
I download VDI images from osboxes.org.
It is a website which has most images made for VirtualBox and VMware.
As I told you, if I do a "yum update" before, it installs perfectly. But I was surprised that in the Ubuntu 20 and 22 tests I didn't have to do apt-get update before installing the script.
I understand that the changes from version 0.999 are not necessary then, right?
Don't worry Ruy, I'm going to test but updating packages first.
Thank you very much again.
Downloaded the osboxes centos 9 VM. It is a beta, pre-epel existence, hence the "need for upgrade".
Wrote a fix but did not post it as a release yet.
https://github.com/ruyrybeyro/chrootvpn/blob/main/vpn.sh works OK now, already tested it with the CentOS 9 early beta VM from osboxes.
Btw, there is no need for an update for the script, just refreshing the repositories with
dnf -y install centos-stream-repos
Thanks Ruy, I try with this https://github.com/ruyrybeyro/chrootvpn/blob/main/vpn.sh and all perfect.
I have created a script to automate the installation with clear instructions for my users.
Thank you so much Ruy
Hi,
New 1.0 version, works with more Linux distributions now:
https://github.com/ruyrybeyro/chrootvpn/releases/tag/v1.0
"
Checkpoint R80.10+ VPN client chroot wrapper
Latest versions of Debian, Ubuntu, RedHat, CentOS, Fedora, Arch and SUSE distribution family working now.
Installs Mobile Access Portal certificate policy acceptance for Firefox in more locations.
Handles more Checkpoint/cshell_install.sh versions.
Experimental support for older post Mobile Access Portal older versions (--oldjava).
Handles better errors and DNS configurations.
Adds sudoers line automatically."
Regards
