adelpozo
Explorer

cshell_install.sh for ubuntu 20.04 LTS

Hi,

I have upgraded my computer to Ubuntu 20.04 and I have realized that the Check Point client for Linux is not supported in this release:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...


Since Ubuntu 20.04 is a long-term support (LTS) release, this issue seriously blocks the use of Check Point by Linux users.


So, could you give me any suggestion to get around this problem?


Thanks for your help!

39 Replies
PhoneBoy
Admin

I used SNX on Linux Mint 20, which is based on Ubuntu 20.x, and it worked fine.
Did you actually try it?
Official support is, of course, a different question and we probably need to get that clarified @AndreiR.

In the near term, we plan to support StrongSWAN with R81 gateways.

D_W
Advisor

@PhoneBoy I have issues as well with LTS 20.04.2. The CP Gateway is R80.40.

I did as follows:
log in via Firefox.
Click on connect
Info to download and install client
Install of cshell works fine. All required packages installed as stated in SK119772.
Closed firefox as mentioned during cshell install.
Start firefox again.
Login
Click on connect
Info to download and install cshell...

Any hint where I can find a hint about the issue?

0 Kudos
PhoneBoy
Admin

I used SNX directly with an SMB gateway using the CLI, which is different from connecting with Mobile Access on R80.40.
You can bring it up through the TAC, but I suspect this is not currently supported.

0 Kudos
Daniel_Kavan
Advisor

20.04 isn't supported yet.   True.

I get this

Starting Mobile  access Portal Agent....

Cannot start mobile access portal agent.  Installation aborted.

Looking forward to StrongSWAN

0 Kudos
Nando
Explorer

Any idea of when Mobile Access Portal Agent will be compatible with Ubuntu 20.04 LTS?

At the cshell script fails on that Ubuntu version...

Thanks in advance

0 Kudos
BigAnt
Explorer

If you are not happy with the current Linux client support, then (unofficial) open-source analogs may be of help here.
One of them is an openconnect fork (not merged yet) with capabilities similar to the native Linux snx program, without Mobile Access Portal Agent support.
The other is cpyvpn that can talk to Mobile Access Portal and create SNX-based tunnels.

0 Kudos
RuiRibeiro
Contributor

Using it with Debian 10, Debian 11, Ubuntu LTS 18.04 and Ubuntu LTS 22.04 and it is working.

I actually wrote a bash wrapper for our developers that configures it in a chroot environment and automatically installs SNX and Mobile Access Portal Agent. https://github.com/ruyrybeyro/chrootvpn

0 Kudos
Seguridad_CORPM
Participant

Hi Rui:

I recently installed R80.40 on our central firewalls. I have CentOS 7 and tried your script, but the commands are not clear to me.

I write "vpn.sh urlvpn ipvpn" and the result is "Please fill in VPN and VPNIP with the DNS FQDN and the ip address of your Checkpoint VPN server".

Thanks.

0 Kudos
aborges
Explorer

Problem solved here by changing a property in jdk_path/conf/security/java.security to:

security.useSystemPropertiesFile=false

This will ignore algorithms deprecated in /etc/crypto-policies/back-ends/java.config.

Tested with Centos 9 Stream

0 Kudos
RuiRibeiro
Contributor

Debian has by default security.overridePropertiesFile=true, is it the same thing?

0 Kudos
RuiRibeiro
Contributor

Bit late to the party, but if you do not accept the cshell local certificate in Firefox by visiting the URL https://localhost:14186/id, the portal asks to install the software again. That URL must be visited each time CShell is reinstalled.

0 Kudos
adelpozo
Explorer

Thank you very much. Now the VPN connection is working pretty well!

0 Kudos
Seguridad_CORPM
Participant

Hi, I have R80.40 recently installed. I tried Rui's vpn.sh script; on my CentOS 7 I entered "vpn.sh urlvpn ipvpn" and the result of the command is "please fill in VPN and VPNIP with the DNS FQDN and the ip address of your checkpoint vpn server". Thanks.

0 Kudos
Seguridad_CORPM
Participant

Hi adelpozo:

I write "vpn.sh urlvpn ipvpn" and the result is "Please fill in VPN and VPNIP with the DNS FQDN and the ip address of your Checkpoint VPN server".

Can you help me with the commands?

 

Thank you so much.

0 Kudos
RuiRibeiro
Contributor

Hi,

I launched a new version with some minor details and instruction corrections.

Either you edit VPN *and* VPNIP inside the vpn.sh script, or as an alternative, do it as:

sudo ./vpn.sh -i --vpn=DNSNAMEOFVPN

If your vpn is  vpn.example.com

Then it is:

sudo ./vpn.sh -i --vpn=vpn.example.com

Regards

0 Kudos
Seguridad_CORPM
Participant

Thanks Rui.

I ran "sudo vpn.sh -i --vpn=urlofmyvpn"; it began installing files and I see this:

done.
done.
Installation successfull
Installing CShell - ignore xhost errors
/root/cshell_install.sh: 1: xhost: not found
Please add "root" and "cshell" to X11 access list
/root/cshell_install.sh: 1: xhost: not found
Please add "root" and "cshell" to X11 access list
Start Check Point Mobile Access Portal Agent installation
Extracting Mobile Access Portal Agent... Done
Installing Mobile Access Portal Agent... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.
Done
Installing certificate... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
Done
Starting Mobile Access Portal Agent... Done
Installation complete

 

Errors on certutil.

I try to open Firefox and log in to my VPN; the status changes to initializing and the window closes.
I try now in Ubuntu 22.

Thanks for your work.

0 Kudos
RuiRibeiro
Contributor

Hi,

I was already suspecting that patching the cshell installation script would give me problems with different firewall versions.

I created a new version,  0.995, that does not need cshell_install.sh patches anymore.

Please get it from https://github.com/ruyrybeyro/chrootvpn and try reinstalling again.

 

Regards

0 Kudos
Seguridad_CORPM
Participant

Hi Rui:

I tried your new version on a clean installation of Ubuntu 22 and on another clean installation of Ubuntu 20, with the same result.

I execute "sudo vpn.sh -i --vpn=urlvpn"

The result is:

Installation successfull
Installing CShell
Start Check Point Mobile Access Portal Agent installation
Extracting Mobile Access Portal Agent... Done
Installing Mobile Access Portal Agent... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
Done
Installing certificate... /root/cshell_install.sh: 178: [: Cannot: unexpected operator
Done
Starting Mobile Access Portal Agent... Done
Installation complete
Added graphical auto-start

For it to run, modify your /etc/sudoers for not asking for password
As in:

%sudo ALL=(ALL:ALL) NOPASSWD:ALL
#or:
%sudo ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh
#or:
osboxes ALL=(ALL:ALL) NOPASSWD:ALL
#or:
osboxes ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh

chroot setup done.
/home/osboxes/Downloads/vpn.sh copied to /usr/local/bin/vpn.sh

open browser with https://localhost:14186/id to accept new localhost certificate

afterwards open browser at https://urlvpn to login into VPN
If it does not work, launch vpn.sh in a terminal from the X11 console

 

If I execute "sudo vpn.sh status", it is running.

I open Firefox, go to https://localhost:14186/id and accept the security warning.

I open urlvpn and click the connect button. The status is "initializing", then "connecting", then "connected" for a few seconds, and then the window closes automatically and I am not connected to the VPN.

I tried it with Chromium as well.

I don't know if I can send you a log or any file for you to review.

Thank you so much Ruy. If you can think of something I can try, I'm here for it.

 

0 Kudos
RuiRibeiro
Contributor

Unfortunately, CShell paints over the desktop and needs X11 authorization. It is probably the lack of it. I do not understand how you still got errors in the cshell install script. Nevertheless, it seems the process went well and finished.

Try either now:

- logging out and in of the graphical interface manager - IF you gave your user sudo *without password* (it applies the X11 rights when logging in),

OR

- rebooting  (if you gave your user sudo permissions without password)

OR

- running sudo ./vpn start in a graphical terminal and *not over ssh*.

 

Then you can log in through the browser using your portal.

 

Is it also possible to get your cshell_install.sh? I find that line 178 error odd. Would you be able to post cshell_install.sh line 178 here too?

0 Kudos
Seguridad_CORPM
Participant

Hi Ruy:

I use virtual machines and use the console, not ssh.

I rebooted the Ubuntu 20 and Ubuntu 22 virtual machines, executed "sudo vpn.sh start", and it works perfectly, Ruy.

I attach our cshell_install.sh for your review.

Is there a way to make it start automatically, or do I have to do vpn.sh start every time I boot the virtual machine?

The supported operating systems are Debian/Ubuntu/RH/CentOS/Fedora, right, or is it also compatible with Arch Linux, Mint and others?

Thank you so much Ruy for your script and help.

(1)
RuiRibeiro
Contributor

Hi,

Tracked down the lack of X11 rights to me forgetting to do it in the install routine after refactoring code.

Thanks for your cshell_install.sh; it seems to be a variation of ours that tests Firefox profiles differently. Added code to account for that.

A config file was placed under /etc/xdg automatically for launching vpn.sh upon user console graphical login; however, you have to authorize your X11 login user in sudoers to run /usr/local/bin/vpn.sh with sudo rights without a password.

As in:

osboxes ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh

 

Released a new version with the fixes for the issues found with your use of the script, please run:

sudo vpn.sh selfupdate

The script is working in the Debian and RedHat families; I have already tested some. Rocky works (RedHat), Mint too (Debian). CentOS 9 too. Tried implementing it for SUSE, but their debootstrap implementation seems too old.

Regards

 

0 Kudos
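
Added example, not part of the original posts and not code from chrootvpn: a shell check that separates the broad NOPASSWD:ALL alternatives printed by the installer earlier in the thread from the rule scoped to /usr/local/bin/vpn.sh recommended in the post above, and verifies that the scoped target is root-owned and not group- or world-writable, since a passwordless rule on a script the login user can edit amounts to passwordless root. The function names and the sample rules are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from chrootvpn); function names are hypothetical.

# Classify NOPASSWD rules in sudoers-format text read from stdin.
# Prints "BROAD <who>" or "SCOPED <who> <commands>" for each rule.
audit_nopasswd() {
    # Drop comments, keep only rules that carry the NOPASSWD tag.
    sed 's/#.*//' | grep 'NOPASSWD:' | while read -r who rest; do
        cmds=${rest#*NOPASSWD:}                      # text after the tag
        cmds=$(printf '%s' "$cmds" | sed 's/^[[:space:]]*//')
        if [ "$cmds" = "ALL" ]; then
            echo "BROAD $who"
        else
            echo "SCOPED $who $cmds"
        fi
    done
}

# A scoped rule only limits privilege if the login user cannot edit the target.
# Returns 0 when file $1 is owned by uid $2 (default 0, root) and is neither
# group- nor world-writable; 1 on a finding; 2 if the file is missing.
check_target() {
    f=$1; uid=${2:-0}
    [ -f "$f" ] || { echo "MISSING $f"; return 2; }
    set -- $(ls -ldn "$f")          # $1 = mode string, $3 = numeric owner
    [ "$3" = "$uid" ] || { echo "OWNER uid $3, expected $uid: $f"; return 1; }
    case $1 in
        ?????w*|????????w*) echo "WRITABLE by group or others ($1): $f"; return 1 ;;
    esac
    echo "OK $f"
}

# Constructed sample: two of the alternatives from the installer output above.
SAMPLE_RULES='%sudo ALL=(ALL:ALL) NOPASSWD:ALL
#or:
osboxes ALL=(ALL:ALL) NOPASSWD: /usr/local/bin/vpn.sh'

printf '%s\n' "$SAMPLE_RULES" | audit_nopasswd
check_target /usr/local/bin/vpn.sh || true
```

The directory holding the script matters as well: if the login user can write to it, the file can be replaced regardless of its own mode.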
Seguridad_CORPM
Participant

All perfect Rui!! For the moment I have tested on Ubuntu 20 and 22.

I tried on CentOS 9 and the error is:

No match for argument: epel-release

Error: Unable to find a match: epel-release

installPackages->needcentosfix: could not do yum. Fix it

If I do "yum update" before executing vpn.sh, it's OK.

Anything I can add to the script to fix this?
In my case I will customize the script so that the user has to interact as little as possible.

Thank you so much Ruy

0 Kudos
RuiRibeiro
Contributor

Hi, I did not notice that issue with CentOS 9; not sure of the problem.

I replaced yum with dnf, and am doing a dnf check-update to see if it solves it. An update might break things or take overly long. I prefer the update; others might not like it.

Could you test v0.999 please?

Regards

0 Kudos
Seguridad_CORPM
Participant

Hi Ruy:

I tried v0.999 and attach the result. The vm is a clean centos 9 installation.

0 Kudos
RuiRibeiro
Contributor

Odd, the epel-release package has been out for 5-6 months now. Where are you getting your CentOS 9 image?

Getting mine from http://mirror.stream.centos.org/9-stream/BaseOS/x86_64/iso/CentOS-Stream-9-latest-x86_64-dvd1.iso

That need to do an update seems strange, but maybe it is due to it being a rolling distribution.

0 Kudos
Seguridad_CORPM
Participant

Hi Ruy:

I download VDI images from osboxes.org.

It is a website which has most images made for VirtualBox and VMware.

As I told you, if I do a "yum update" before, it installs perfectly. But I was surprised that in the Ubuntu 20 and 22 tests I didn't have to do apt-get update before installing the script.

I understand that the changes from version 0.999 are not necessary then, right?

Don't worry, Ruy, I'm going to test but updating packages first.
Thank you very much again.

0 Kudos
RuiRibeiro
Contributor

Downloaded the osboxes centos 9 VM. It is a beta, pre-epel existence, hence the "need for upgrade".

Wrote a fix but did not post it as a release yet.

https://github.com/ruyrybeyro/chrootvpn/blob/main/vpn.sh works OK now; I already tested it with the CentOS 9 early beta VM from osboxes.

Btw, there is no need for an update for the script, just refreshing the repositories with 

dnf -y install centos-stream-repos

0 Kudos
Seguridad_CORPM
Participant

Thanks Ruy, I tried with this https://github.com/ruyrybeyro/chrootvpn/blob/main/vpn.sh and all is perfect.

I have created a script to automate the installation with clear instructions for my users.

Thank you so much Ruy

0 Kudos
RuiRibeiro
Contributor

Hi,

New 1.0 version, works with more Linux distributions now:

 

https://github.com/ruyrybeyro/chrootvpn/releases/tag/v1.0

 

"

Checkpoint R80.10+ VPN client chroot wrapper

Latest versions of Debian, Ubuntu, RedHat, CentOS, Fedora, Arch and SUSE distribution family working now.
Installs Mobile Access Portal certificate policy acceptance for Firefox in more locations.

Handles more Checkpoint/cshell_install.sh versions.

Experimental support for older post Mobile Access Portal older versions (--oldjava).

Handles better errors and DNS configurations.

Adds sudoers line automatically."

 

Regards

0 Kudos
