Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Olivier_Roulet-
Participant
Jump to solution

Connection to VPN server from Linux with SecureID

Hi,

I have a customer who gave us access to their system using something some CheckPoint Software with SecureID (username and secureId, no Password as far as we understand). How can we connect to these system from Linux?

We could not find any VPN client for linux on CheckPoint website

It looks like we get secureId code using stoken software so that should be OK.

If going to their VPN server 87.238.64.1 then there is some login popup but they require some java plugins which are now deprecated in all existing browsers so this is not a working solution

The page also allows to start a program called snx

snx -h
Check Point's Linux SNX
build 800008061
usage: snx -s <server> {-u <user>|-c <certfile>} [-l <ca dir>] [-p <port>] [-r] [-g] [-e <cipher>]
                                run SNX using given arguments
       snx -f <cf>              run the snx using configuration file
       snx                      run the snx using the ~/.snxrc

       snx -d                   disconnect a running SNX daemon

        -s <server>           connect to server <server>
        -u <user>             use the username <user>
        -c <certfile>         use the certificate file <certfile>
        -l <ca dir>           get trusted ca's from <ca dir>
        -p <port>             connect using port <port>
        -g                    enable debugging
        -e <cipher>           SSL cipher to use: RC4 or 3DES

But snx does not seem to allow using securId authentication

We also tried the standard Linux cisco VPN client: openconnect but it fails with some error XML response has no "auth" node

Soft token init was successful.

Soft token init was successful.
POST https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 404 Not Found
Date: Fri, 31 Aug 2018 13:47:25 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Last-Modified: Wed, 28 May 2014 09:11:07 GMT
Content-Length: 204
HTTP body length:  (204)
Unexpected 404 result from server
GET https://87.238.64.1/
Attempting to connect to server 87.238.64.1:443
Connected to 87.238.64.1:443
SSL negotiation with 87.238.64.1
Server certificate verify failed: signer not found
Connected to HTTPS on 87.238.64.1
Got HTTP response: HTTP/1.0 200 OK
Date: Fri, 31 Aug 2018 13:47:26 GMT
Server: Check Point SVN foundation
Content-Type: text/html
X-UA-Compatible: IE=EmulateIE7
Connection: close
X-Frame-Options: SAMEORIGIN
Content-Length: 11788
HTTP body length:  (11788)
XML response has no "auth" node

So what is the official way to connect to a VPN server using securid from Linux?

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.

Just to clarify for Olivier Roulet-Dubonnet‌:

  • If the customer is using Mobile Access Blade (which is sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
  • If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.

If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 

View solution in original post

0 Kudos
16 Replies
PhoneBoy
Admin
Admin

The only supported VPN client on Linux is SNX, which does require Java, and yes, many browsers have deprecated support for this.

To activate SNX from the Mobile Access portal (which definitely supports SecurID), your customer should apply the fix described here: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 

We do not support using the Cisco client to connect to our gateways.

0 Kudos
Olivier_Roulet-
Participant

Hi,

Thanks for the quick answer.

What browser support Java these days?

And is there any way to user secureid from the snx command line? None of the options seems to indicate it, as seen in the output in report.

Thanks

Olivier

0 Kudos
PhoneBoy
Admin
Admin

I'm sure there is some browser out there that still supports it, but the common cross-platform ones do not Smiley Happy

Theoretically, you should just be able to use the PIN + SecurID token number as the password on the CLI.

If you require some other password to sign in in addition to this, then I'm afraid there is no way to do it using the CLI and you must authenticate using the Mobile Access Portal.

0 Kudos
Olivier_Roulet-
Participant

Thank you again!

Pin + secureid on one line as password?

0 Kudos
PhoneBoy
Admin
Admin

Pretty sure that will work, as that's exactly how you would enter it in the browser.

0 Kudos
Olivier_Roulet-
Participant

Hi,

unfortunately that does not work, it is also a bit surprising because If I try to log into the gui there is field called secureid. If I let the password empty and write the secureid number in the secureid field then I get a window telling me that I am connected (If I write my pin as password I get an access denied error). No VPN connection is created because I could not find any browser supporting java yet... but this really looks like my token and config is correct

So its looks like the web solution does not require any password/pin but if I run snx from command line I get access denied with PIN and PIN + tokenid and tokenid.... If the java stuff calles snx in the background thenhow is it sending the PIN? Can i emulate it using command line?

Olivier

0 Kudos
G_W_Albrecht
Legend Legend
Legend

According to sk115242 "Authentication failed" error presented when user tries to connect to site using SNX CLI mo...you need SNX build 800007075  for MAB use - this can be found in sk90240 SSL Network Extender E75 CLI Support for Mobile Access Blade.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Olivier_Roulet-
Participant

Version is

snx ver

a username or a certificate were not supplied

Check Point's Linux SNX

build 800008061

That seems to be over the version adviced in this PR. Althoug there is not ver option

snx ver

a username or a certificate were not supplied

Check Point's Linux SNX

build 800008061

usage: snx -s ] [-e SSL cipher to use: RC4 or 3DES

0 Kudos
G_W_Albrecht
Legend Legend
Legend

So you are using the wrong version and SNX CLI can not work 😞 The customer is using an unsupported SNX build for Linux CLI connection (not SNX build 800007075).

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Olivier_Roulet-
Participant

OK. And where do I get that special version? You have a link above but I click on it it says:

"""

Symptoms
  • SSL Network Extender does not connect to Mobile Access blade via client CLI in Linux and Mac OS X.
Solution
To view this solution, Advanced access is required.
Click here to learn more about our Support Programs and Plans .

"""

The customer website https://87.238.64.1/ gives a link to download snx, why is this a non working version? And how can I get that working version?

Thank you

Olivier

0 Kudos
G_W_Albrecht
Legend Legend
Legend

This can be accomplished by involving TAC!

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

If you see more than one "password" prompt, it maybe that your customer has multifactor authentication enabled on the gateway.

If this is the case, the command line SNX client will not work (regardless of version) and your only option is to authenticate with a web browser.

As far as I know the functionality in that special version has been rolled into current versions anyway.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Can you get that confirmed ? If this is true, sk115242 should be changed.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

Probably worth a comment in the SK.

I'll ask.

0 Kudos
G_W_Albrecht
Legend Legend
Legend

Yes, especially as sk115242 speaks of RFE 😉

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
PhoneBoy
Admin
Admin

I read the internal comments in "Authentication failed" error presented when user tries to connect to site using SNX CLI mode in Lin..., and it turns out: the SK is correct.

Just to clarify for Olivier Roulet-Dubonnet‌:

  • If the customer is using Mobile Access Blade (which is sounds like they are), SNX via CLI is only supported on specific builds of the SNX client and specific versions of the gateway. Your customer will have to work with the local Check Point office for additional details and a possible RFE.
  • If the customer is NOT using Mobile Access Blade, then SNX over CLI is supported.

If the customer deploys the patches here, then you will be able to use the Mobile Access portal (but not the CLI) to connect: Mobile Access Portal and Java Compatibility - New Mobile Access Portal Agent technology 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events