getting Checkpoint VPN SSL Network Extender working in the command lineHow to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate

If human space travel is limited by the G force vulnerability, is there a way to counter G forces?

Did Shadowfax go to Valinor?

Do I have a twin with permutated remainders?

Blender 2.8 I can't see vertices, edges or faces in edit mode

1960's book about a plague that kills all white people

How can I make my BBEG immortal short of making them a Lich or Vampire?

Alternative to sending password over mail?

Is it inappropriate for a student to attend their mentor's dissertation defense?

Why is Collection not simply treated as Collection<?>

Took a trip to a parallel universe, need help deciphering

Assassin's bullet with mercury

Why is it a bad idea to hire a hitman to eliminate most corrupt politicians?

I Accidentally Deleted a Stock Terminal Theme

Is there a hemisphere-neutral way of specifying a season?

What about the virus in 12 Monkeys?

Why can't we play rap on piano?

Arrow those variables!

Today is the Center

Modeling an IP Address

How to show the equivalence between the regularized regression and their constraint formulas using KKT

How to say in German "enjoying home comforts"

What is the most common color to indicate the input-field is disabled?

What is going on with Captain Marvel's blood colour?

What killed these X2 caps?



getting Checkpoint VPN SSL Network Extender working in the command line


How to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








4















The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



I was trying to put snxconnect text utility to work in Debian Buster, doing:



sudo pip install snxvpn


and



export PYTHONHTTPSVERIFY=0
snxconnect -H checkpoint.hostname -U USER


However, it was mostly dying either with an HTTP error of:



HTTP/1.1 301 Moved Permanently:


or:



Got HTTP response: HTTP/1.1 302 Found


or:



Unexpected response, try again.


What to do about it?



PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.










share|improve this question






























    4















    The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



    However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



    I was trying to put snxconnect text utility to work in Debian Buster, doing:



    sudo pip install snxvpn


    and



    export PYTHONHTTPSVERIFY=0
    snxconnect -H checkpoint.hostname -U USER


    However, it was mostly dying either with an HTTP error of:



    HTTP/1.1 301 Moved Permanently:


    or:



    Got HTTP response: HTTP/1.1 302 Found


    or:



    Unexpected response, try again.


    What to do about it?



    PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.










    share|improve this question


























      4












      4








      4


      4






      The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



      However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



      I was trying to put snxconnect text utility to work in Debian Buster, doing:



      sudo pip install snxvpn


      and



      export PYTHONHTTPSVERIFY=0
      snxconnect -H checkpoint.hostname -U USER


      However, it was mostly dying either with an HTTP error of:



      HTTP/1.1 301 Moved Permanently:


      or:



      Got HTTP response: HTTP/1.1 302 Found


      or:



      Unexpected response, try again.


      What to do about it?



      PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.










      share|improve this question
















      The official Checkpoint out command line tool from CheckPoint, for setting up a SSL Network Extender VPN is not longer working from the Linux command line. It is also no longer actively supported by CheckPoint.



      However, there is a promising project, that tries to replicate the Java applet for authentication, that talks with the snx command line utility, called snxconnect.



      I was trying to put snxconnect text utility to work in Debian Buster, doing:



      sudo pip install snxvpn


      and



      export PYTHONHTTPSVERIFY=0
      snxconnect -H checkpoint.hostname -U USER


      However, it was mostly dying either with an HTTP error of:



      HTTP/1.1 301 Moved Permanently:


      or:



      Got HTTP response: HTTP/1.1 302 Found


      or:



      Unexpected response, try again.


      What to do about it?



      PS. The EndPoint Security VPN official client is working well both in a Mac High Sierra and Windows 10 Pro.







      debian vpn checkpoint






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Oct 30 '18 at 5:21







      Rui F Ribeiro

















      asked Jun 16 '18 at 23:33









      Rui F RibeiroRui F Ribeiro

      41.9k1483142




      41.9k1483142




















          2 Answers
          2






          active

          oldest

          votes


















          11














          SNX build 800007075 from 2012, used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x.



          So ultimately, the my other answer in this thread holds true if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.



          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



          1) So to install snx build 800007075 I do:



          wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh


          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          You might need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



          2) Before using it, you create a ~/.snxrc file with the following contents:



          server IP_address_of_your_VPN
          username YOUR_USER
          reauth yes


          3) For connecting, type snx



          $ snx
          Check Point's Linux SNX
          build 800007075
          Please enter your password:

          SNX - connected.

          Session parameters:
          ===================
          Office Mode IP : 10.x.x.x
          DNS Server : 10.x.x.x
          Secondary DNS Server: 10.x.x.x
          DNS Suffix : xxx.xx, xxx.xx
          Timeout : 24 hours


          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



          echo 'Password' | snx


          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.


          see also Linux Checkpoint SNX tool configuration issues for some clarifications about which snx version to use.



          6) If automating the login and accepting a new signature (and understanding the security implications), I wrote an expect script, which I called snx_login.exp:



          #!/usr/bin/expect
          spawn /usr/bin/snx

          set password [lindex $argv 0]

          expect "*?assword:*"
          send -- "$passwordr"

          expect
          "o:"
          send "yr"
          exp_continue

          eof



          PS. Beware snx does not support OTP alone, you will have to use the snxconnect script present on the other answer if using it.



          PPS @gibies called to my attention that using an etoken, the password field gets the password from the etoken and not a fixed password.






          share|improve this answer

























          • This works in arch linux using snx from aur repository.

            – Met
            Nov 10 '18 at 16:19











          • @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

            – Rui F Ribeiro
            Nov 10 '18 at 17:57











          • I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

            – Ashwin Balamohan
            Dec 3 '18 at 16:48






          • 1





            Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

            – Ashwin Balamohan
            Dec 4 '18 at 1:42






          • 1





            Very good detailed description. It works fine on my Ubuntu laptop.

            – gibies
            Dec 26 '18 at 11:51



















          4














          When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



          Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



          Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



          Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





          So the step-by-step instructions are roughly:



          1) Firstly installing the snx setup:



          If in the VPN, to get the installation file, do:



          wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh 


          Otherwise you will have to get it from the web interface as describe in the linked answer.



          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



          2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



          So to install the to setup snxconnect, do as root:



          apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
          pip install pytz
          git clone https://github.com/agnis-mateuss/snxvpn
          git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
          cd snxvpn

          Now, as for taking out the /sslvpn URL, some Checkpoint appliances need it, some do not. I am not still aware of why the difference. I need it, @WileyMarques does not.

          sed -i "s/sslvpn///g" snxconnect.py


          . then do as root, for python3: (recommended)



          apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
          make
          python3 setup.py install --prefix=/usr/local


          . or instead, do as root, for python2:



          apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
          sed -i "s/distutils.core/setuptools/g" setup.py
          make
          python setup.py install --prefix=/usr/local


          3) After installing it, you can run as a non-privileged user:



          /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


          If all went ok, it will ask for the password, and then say:



          SNX connected, to leave VPN open, leave this running!


          If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



          4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



          After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



          $ ip addr show dev tunsnx
          14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
          link/none
          inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
          valid_lft forever preferred_lft forever
          inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
          valid_lft forever preferred_lft forever


          ip route will show you also new routes going through the tunsnx interface.



          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.




          In addition, I also found out:




          • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doing snx -d to see if it produces the same result);

          • PYTHONHTTPSVERIFY=0 only affects the python2 version;

          • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

          • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

          • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

          • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

          • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

          • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

          • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

          • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

          • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

          • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

          • The first time snx is used, a file with the signature of the VPN/Checkpoint server will be created at /etc/snx/USER.db;

          • If you need to use OTP from the command line, you have to use snxconnect as snx alone does not support it.





          share|improve this answer

























          • Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

            – Wiley Marques
            Nov 11 '18 at 14:29











          • @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

            – Rui F Ribeiro
            Nov 11 '18 at 15:29











          Your Answer








          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: false,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f450229%2fgetting-checkpoint-vpn-ssl-network-extender-working-in-the-command-line%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          2 Answers
          2






          active

          oldest

          votes








          2 Answers
          2






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          11














          SNX build 800007075 from 2012, used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x.



          So ultimately, the my other answer in this thread holds true if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.



          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



          1) So to install snx build 800007075 I do:



          wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh


          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          You might need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



          2) Before using it, you create a ~/.snxrc file with the following contents:



          server IP_address_of_your_VPN
          username YOUR_USER
          reauth yes


          3) For connecting, type snx



          $ snx
          Check Point's Linux SNX
          build 800007075
          Please enter your password:

          SNX - connected.

          Session parameters:
          ===================
          Office Mode IP : 10.x.x.x
          DNS Server : 10.x.x.x
          Secondary DNS Server: 10.x.x.x
          DNS Suffix : xxx.xx, xxx.xx
          Timeout : 24 hours


          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



          echo 'Password' | snx


          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.


          see also Linux Checkpoint SNX tool configuration issues for some clarifications about which snx version to use.



          6) If automating the login and accepting a new signature (and understanding the security implications), I wrote an expect script, which I called snx_login.exp:



          #!/usr/bin/expect
          spawn /usr/bin/snx

          set password [lindex $argv 0]

          expect "*?assword:*"
          send -- "$passwordr"

          expect
          "o:"
          send "yr"
          exp_continue

          eof



          PS. Beware snx does not support OTP alone, you will have to use the snxconnect script present on the other answer if using it.



          PPS @gibies called to my attention that using an etoken, the password field gets the password from the etoken and not a fixed password.






          share|improve this answer

























          • This works in arch linux using snx from aur repository.

            – Met
            Nov 10 '18 at 16:19











          • @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

            – Rui F Ribeiro
            Nov 10 '18 at 17:57











          • I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

            – Ashwin Balamohan
            Dec 3 '18 at 16:48






          • 1





            Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

            – Ashwin Balamohan
            Dec 4 '18 at 1:42






          • 1





            Very good detailed description. It works fine on my Ubuntu laptop.

            – gibies
            Dec 26 '18 at 11:51
















          11














          SNX build 800007075 from 2012, used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x.



          So ultimately, the my other answer in this thread holds true if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.



          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



          1) So to install snx build 800007075 I do:



          wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh


          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          You might need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



          2) Before using it, you create a ~/.snxrc file with the following contents:



          server IP_address_of_your_VPN
          username YOUR_USER
          reauth yes


          3) For connecting, type snx



          $ snx
          Check Point's Linux SNX
          build 800007075
          Please enter your password:

          SNX - connected.

          Session parameters:
          ===================
          Office Mode IP : 10.x.x.x
          DNS Server : 10.x.x.x
          Secondary DNS Server: 10.x.x.x
          DNS Suffix : xxx.xx, xxx.xx
          Timeout : 24 hours


          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



          echo 'Password' | snx


          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.


          see also Linux Checkpoint SNX tool configuration issues for some clarifications about which snx version to use.



          6) If automating the login and accepting a new signature (and understanding the security implications), I wrote an expect script, which I called snx_login.exp:



          #!/usr/bin/expect
          spawn /usr/bin/snx

          set password [lindex $argv 0]

          expect "*?assword:*"
          send -- "$passwordr"

          expect
          "o:"
          send "yr"
          exp_continue

          eof



          PS. Beware snx does not support OTP alone, you will have to use the snxconnect script present on the other answer if using it.



          PPS @gibies called to my attention that using an etoken, the password field gets the password from the etoken and not a fixed password.






          share|improve this answer

























          • This works in arch linux using snx from aur repository.

            – Met
            Nov 10 '18 at 16:19











          • @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

            – Rui F Ribeiro
            Nov 10 '18 at 17:57











          • I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

            – Ashwin Balamohan
            Dec 3 '18 at 16:48






          • 1





            Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

            – Ashwin Balamohan
            Dec 4 '18 at 1:42






          • 1





            Very good detailed description. It works fine on my Ubuntu laptop.

            – gibies
            Dec 26 '18 at 11:51














          11












          11








          11







          SNX build 800007075 from 2012, used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x.



          So ultimately, the my other answer in this thread holds true if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.



          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



          1) So to install snx build 800007075 I do:



          wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh


          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          You might need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



          2) Before using it, you create a ~/.snxrc file with the following contents:



          server IP_address_of_your_VPN
          username YOUR_USER
          reauth yes


          3) For connecting, type snx



          $ snx
          Check Point's Linux SNX
          build 800007075
          Please enter your password:

          SNX - connected.

          Session parameters:
          ===================
          Office Mode IP : 10.x.x.x
          DNS Server : 10.x.x.x
          Secondary DNS Server: 10.x.x.x
          DNS Suffix : xxx.xx, xxx.xx
          Timeout : 24 hours


          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



          echo 'Password' | snx


          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.


          see also Linux Checkpoint SNX tool configuration issues for some clarifications about which snx version to use.



          6) If automating the login and accepting a new signature (and understanding the security implications), I wrote an expect script, which I called snx_login.exp:



          #!/usr/bin/expect
          spawn /usr/bin/snx

          set password [lindex $argv 0]

          expect "*?assword:*"
          send -- "$passwordr"

          expect
          "o:"
          send "yr"
          exp_continue

          eof



          PS. Beware snx does not support OTP alone, you will have to use the snxconnect script present on the other answer if using it.



          PPS @gibies called to my attention that using an etoken, the password field gets the password from the etoken and not a fixed password.






          share|improve this answer















          SNX build 800007075 from 2012, used to support VPN in command line. So I tested it, and lo and behold, it still works with the latest distributions and kernel(s) 4.x.



          So ultimately, the my other answer in this thread holds true if you cannot get hold of SNX build 800007075 or if that specific version of SNX stops working with the current Linux versions (it might happen in a near future) or if you need OTP support.



          Presently the solution is then installing this specific last version of SNX that still supports doing the VPN from the command line.



          1) So to install snx build 800007075 I do:



          wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh


          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          You might need to run manually first snx -s CheckpointURLFQDN -u USER before scripting any automatic use, for the signature VPN be saved at /etc/snx/USER.db.



          2) Before using it, you create a ~/.snxrc file with the following contents:



          server IP_address_of_your_VPN
          username YOUR_USER
          reauth yes


          3) For connecting, type snx



          $ snx
          Check Point's Linux SNX
          build 800007075
          Please enter your password:

          SNX - connected.

          Session parameters:
          ===================
          Office Mode IP : 10.x.x.x
          DNS Server : 10.x.x.x
          Secondary DNS Server: 10.x.x.x
          DNS Suffix : xxx.xx, xxx.xx
          Timeout : 24 hours


          If you understand the security risks of hard coding a VPN password in a script, you also can use it as:



          echo 'Password' | snx


          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.


          see also Linux Checkpoint SNX tool configuration issues for some clarifications about which snx version to use.



          6) If automating the login and accepting a new signature (and understanding the security implications), I wrote an expect script, which I called snx_login.exp:



          #!/usr/bin/expect
          spawn /usr/bin/snx

          set password [lindex $argv 0]

          expect "*?assword:*"
          send -- "$passwordr"

          expect
          "o:"
          send "yr"
          exp_continue

          eof



          PS. Beware snx does not support OTP alone, you will have to use the snxconnect script present on the other answer if using it.



          PPS @gibies called to my attention that using an etoken, the password field gets the password from the etoken and not a fixed password.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited 2 days ago

























          answered Jul 5 '18 at 20:01









          Rui F RibeiroRui F Ribeiro

          41.9k1483142




          41.9k1483142












          • This works in arch linux using snx from aur repository.

            – Met
            Nov 10 '18 at 16:19











          • @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

            – Rui F Ribeiro
            Nov 10 '18 at 17:57











          • I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

            – Ashwin Balamohan
            Dec 3 '18 at 16:48






          • 1





            Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

            – Ashwin Balamohan
            Dec 4 '18 at 1:42






          • 1





            Very good detailed description. It works fine on my Ubuntu laptop.

            – gibies
            Dec 26 '18 at 11:51


















          • This works in arch linux using snx from aur repository.

            – Met
            Nov 10 '18 at 16:19











          • @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

            – Rui F Ribeiro
            Nov 10 '18 at 17:57











          • I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

            – Ashwin Balamohan
            Dec 3 '18 at 16:48






          • 1





            Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

            – Ashwin Balamohan
            Dec 4 '18 at 1:42






          • 1





            Very good detailed description. It works fine on my Ubuntu laptop.

            – gibies
            Dec 26 '18 at 11:51

















          This works in arch linux using snx from aur repository.

          – Met
          Nov 10 '18 at 16:19





          This works in arch linux using snx from aur repository.

          – Met
          Nov 10 '18 at 16:19













          @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

          – Rui F Ribeiro
          Nov 10 '18 at 17:57





          @Met indeed, find it much later on...see the last link in this answer. Nevertheless, not sure about the legality of that AUR giving us a much older and unsupported 32 bits 2012 version of Checkpoint's snx utility, even if downloading it from a 3rd party site. I am using the same version in the accepted answer, the other is an alternative method.

          – Rui F Ribeiro
          Nov 10 '18 at 17:57













          I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

          – Ashwin Balamohan
          Dec 3 '18 at 16:48





          I'm trying to connect using a certificate rather than a username, and receive this error: SNX: Virtual Network Adapter initialization and configuration failed. Try to reconnect. Any thoughts?

          – Ashwin Balamohan
          Dec 3 '18 at 16:48




          1




          1





          Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

          – Ashwin Balamohan
          Dec 4 '18 at 1:42





          Thanks @RuiFRibeiro. I've posted the new question here: unix.stackexchange.com/questions/485800/… Any thoughts would be wonderful.

          – Ashwin Balamohan
          Dec 4 '18 at 1:42




          1




          1





          Very good detailed description. It works fine on my Ubuntu laptop.

          – gibies
          Dec 26 '18 at 11:51






          Very good detailed description. It works fine on my Ubuntu laptop.

          – gibies
          Dec 26 '18 at 11:51














          4














          When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



          Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



          Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



          Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





          So the step-by-step instructions are roughly:



          1) Firstly installing the snx setup:



          If in the VPN, to get the installation file, do:



          wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh 


          Otherwise you will have to get it from the web interface as describe in the linked answer.



          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



          2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



          So to install the to setup snxconnect, do as root:



          apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
          pip install pytz
          git clone https://github.com/agnis-mateuss/snxvpn
          git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
          cd snxvpn

          Now, as for taking out the /sslvpn URL, some Checkpoint appliances need it, some do not. I am not still aware of why the difference. I need it, @WileyMarques does not.

          sed -i "s/sslvpn///g" snxconnect.py


          . then do as root, for python3: (recommended)



          apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
          make
          python3 setup.py install --prefix=/usr/local


          . or instead, do as root, for python2:



          apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
          sed -i "s/distutils.core/setuptools/g" setup.py
          make
          python setup.py install --prefix=/usr/local


          3) After installing it, you can run as a non-privileged user:



          /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


          If all went ok, it will ask for the password, and then say:



          SNX connected, to leave VPN open, leave this running!


          If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



          4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



          After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



          $ ip addr show dev tunsnx
          14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
          link/none
          inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
          valid_lft forever preferred_lft forever
          inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
          valid_lft forever preferred_lft forever


          ip route will show you also new routes going through the tunsnx interface.



          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.




          In addition, I also found out:




          • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doing snx -d to see if it produces the same result);

          • PYTHONHTTPSVERIFY=0 only affects the python2 version;

          • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

          • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

          • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

          • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

          • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

          • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

          • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

          • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

          • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

          • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

          • The first time snx is used, a file with the signature of the VPN/Checkpoint server will be created at /etc/snx/USER.db;

          • If you need to use OTP from the command line, you have to use snxconnect as snx alone does not support it.





          share|improve this answer

























          • Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

            – Wiley Marques
            Nov 11 '18 at 14:29











          • @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

            – Rui F Ribeiro
            Nov 11 '18 at 15:29















          4














          When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



          Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



          Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



          Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





          So the step-by-step instructions are roughly:



          1) Firstly installing the snx setup:



          If in the VPN, to get the installation file, do:



          wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh 


          Otherwise you will have to get it from the web interface as describe in the linked answer.



          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



          2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



          So to install the to setup snxconnect, do as root:



          apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
          pip install pytz
          git clone https://github.com/agnis-mateuss/snxvpn
          git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
          cd snxvpn

          Now, as for taking out the /sslvpn URL, some Checkpoint appliances need it, some do not. I am not still aware of why the difference. I need it, @WileyMarques does not.

          sed -i "s/sslvpn///g" snxconnect.py


          . then do as root, for python3: (recommended)



          apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
          make
          python3 setup.py install --prefix=/usr/local


          . or instead, do as root, for python2:



          apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
          sed -i "s/distutils.core/setuptools/g" setup.py
          make
          python setup.py install --prefix=/usr/local


          3) After installing it, you can run as a non-privileged user:



          /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


          If all went ok, it will ask for the password, and then say:



          SNX connected, to leave VPN open, leave this running!


          If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



          4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



          After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



          $ ip addr show dev tunsnx
          14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
          link/none
          inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
          valid_lft forever preferred_lft forever
          inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
          valid_lft forever preferred_lft forever


          ip route will show you also new routes going through the tunsnx interface.



          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.




          In addition, I also found out:




          • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doing snx -d to see if it produces the same result);

          • PYTHONHTTPSVERIFY=0 only affects the python2 version;

          • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

          • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

          • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

          • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

          • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

          • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

          • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

          • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

          • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

          • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

          • The first time snx is used, a file with the signature of the VPN/Checkpoint server will be created at /etc/snx/USER.db;

          • If you need to use OTP from the command line, you have to use snxconnect as snx alone does not support it.





          share|improve this answer

























          • Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

            – Wiley Marques
            Nov 11 '18 at 14:29











          • @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

            – Rui F Ribeiro
            Nov 11 '18 at 15:29













          4












          4








          4







          When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



          Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



          Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



          Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





          So the step-by-step instructions are roughly:



          1) Firstly installing the snx setup:



          If in the VPN, to get the installation file, do:



          wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh 


          Otherwise you will have to get it from the web interface as describe in the linked answer.



          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



          2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



          So to install the to setup snxconnect, do as root:



          apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
          pip install pytz
          git clone https://github.com/agnis-mateuss/snxvpn
          git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
          cd snxvpn

          Now, as for taking out the /sslvpn URL, some Checkpoint appliances need it, some do not. I am not still aware of why the difference. I need it, @WileyMarques does not.

          sed -i "s/sslvpn///g" snxconnect.py


          . then do as root, for python3: (recommended)



          apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
          make
          python3 setup.py install --prefix=/usr/local


          . or instead, do as root, for python2:



          apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
          sed -i "s/distutils.core/setuptools/g" setup.py
          make
          python setup.py install --prefix=/usr/local


          3) After installing it, you can run as a non-privileged user:



          /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


          If all went ok, it will ask for the password, and then say:



          SNX connected, to leave VPN open, leave this running!


          If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



          4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



          After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



          $ ip addr show dev tunsnx
          14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
          link/none
          inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
          valid_lft forever preferred_lft forever
          inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
          valid_lft forever preferred_lft forever


          ip route will show you also new routes going through the tunsnx interface.



          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.




          In addition, I also found out:




          • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doing snx -d to see if it produces the same result);

          • PYTHONHTTPSVERIFY=0 only affects the python2 version;

          • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

          • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

          • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

          • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

          • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

          • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

          • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

          • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

          • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

          • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

          • The first time snx is used, a file with the signature of the VPN/Checkpoint server will be created at /etc/snx/USER.db;

          • If you need to use OTP from the command line, you have to use snxconnect as snx alone does not support it.





          share|improve this answer















          When working to install the Firefox official SSL VPN Extender interface in the question VPN SSL Network Extender in Firefox, I found out and solved some more pieces of the puzzle of this question.



          Apparently, whilst command line usage of snx from checkpoint has been discontinued, the web based client as described in the linked post still works. However, there is a python command line cliente that tries to replicate the Web+Java interface on top of the snx client, and this post is about setting it up to work.



          Firstly, the snxvp installed from python pip does not work. There is an updated patched version on https://github.com/agnis-mateuss/snxvpn, that has some useful patches, including an option for ignoring unsigned and/or expired certificates, and more interestingly, being python2 and python3 compatible.



          Furthermore, all the URLs on snxconnect.py have to be changed from sslvpn/ to ``.





          So the step-by-step instructions are roughly:



          1) Firstly installing the snx setup:



          If in the VPN, to get the installation file, do:



          wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh 


          Otherwise you will have to get it from the web interface as describe in the linked answer.



          For Debian, you might need:



          sudo dpkg --add-architecture i386
          sudo apt-get update


          I had to install the following:



          sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386


          Run then:



          chmod a+rx snx_install.sh
          sudo ./snx_install.sh`


          You will have know a /usr/bin/snx 32-bit client binary executable. Check if any dynamic libraries are missing with:



          sudo ldd /usr/bin/snx


          You can only proceed to the following point when all the dependencies are satisfied.



          Not sure if you need to run first snx -s CheckpointURLFQDN -u USER before using snxconnect, for the signature VPN be saved at /etc/snx/USER.db.



          2) Now we have the snxconnect python utility. Such program tries to emulate the web interface, and more interestingly, it does not need Java to authenticate.



          So to install the to setup snxconnect, do as root:



          apt-get -y install git make libxml2-dev libxslt1-dev zlib1g-dev python-pip
          pip install pytz
          git clone https://github.com/agnis-mateuss/snxvpn
          git clone git://git.code.sf.net/p/sfreleasetools/code releasetools
          cd snxvpn

          Now, as for taking out the /sslvpn URL, some Checkpoint appliances need it, some do not. I am not still aware of why the difference. I need it, @WileyMarques does not.

          sed -i "s/sslvpn///g" snxconnect.py


          . then do as root, for python3: (recommended)



          apt-get install python3-docutils python3-pip python3-libxml2 python3-dev python3-crypto python3-bs4
          make
          python3 setup.py install --prefix=/usr/local


          . or instead, do as root, for python2:



          apt-get install python-docutils python-libxml2 python-lxml python-dev python-bs4 python-beautifulsoup
          sed -i "s/distutils.core/setuptools/g" setup.py
          make
          python setup.py install --prefix=/usr/local


          3) After installing it, you can run as a non-privileged user:



          /usr/local/bin/snxconnect -H CheckpointURLFQDN -U USER --skip-cert --save-cookies


          If all went ok, it will ask for the password, and then say:



          SNX connected, to leave VPN open, leave this running!


          If you are having problems getting this message, and are instead getting several times in a row, the message: "Unexpected response, try again.", do the Firefox method, and Disconnect and logout properly, waiting a couple of minutes before trying the snxconnect command again.



          4) The cookie(s) file will be created at ~/.snxcookies, after a successful usage.



          After the VPN being established, you can check with ip address or ifconfig you have now a tunsnx interface:



          $ ip addr show dev tunsnx
          14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
          link/none
          inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
          valid_lft forever preferred_lft forever
          inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
          valid_lft forever preferred_lft forever


          ip route will show you also new routes going through the tunsnx interface.



          5) For closing/disconnecting the VPN, while you may stop/kill snxconnect, the better and official way is issuing the command:



          $snx -d
          SNX - Disconnecting...
          done.




          In addition, I also found out:




          • snxconnect seems to behave better when disconnecting the previous VPN connection and logging out in the official web interface if there is some strange problem (have to try doing snx -d to see if it produces the same result);

          • PYTHONHTTPSVERIFY=0 only affects the python2 version;

          • if the web interface is doing an HTML redirect to a secondary CheckPoint location, pointing directly to that redirected hostname, holds better results;

          • if the certificates of the firewalls are self-signed (they often are) the --skip-cert option has to be used, or authentication will fail;

          • for not having so many problems re-authenticating, had to use --save-cookies to use authentication cookies, while the user is logged in in the remote VPN point (it has a timeout of x hours);

          • as described in the last question, for the script to work, the option "When signing-in launch SSL Network Extender" has to be changed to "automatically";

          • 7776/TCP in localhost has to be free, for snx to own it, as snxconnect talks with snx using it;

          • the hostname passed to snxconnect/snx is handled as a virtual host, and as such you cannot use directly the IP address;

          • instaling a 32-bit architecture seems to be a requirement to run the snx_install.sh script;

          • you might choose to run as python2 as a trade-off for less space, however as python2 is being phased out, snxconnect in a near future might not support it;

          • from using the web client interface, it is clear I need to patch/delete all /sslvpn strings , as my URLs do not start with /sslvpn. I would check your particular case. I have absolutely no idea whether the presence of that string in the code is due to an old version, would love some feedback;

          • in snxconnect the CheckPoint hostname has to be the exact name the webinterface is showing you once authenticated in there, as it is a web virtual host. Otherwise, you won´t succeed on establishing the VPN;

          • The first time snx is used, a file with the signature of the VPN/Checkpoint server will be created at /etc/snx/USER.db;

          • If you need to use OTP from the command line, you have to use snxconnect as snx alone does not support it.






          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 11 '18 at 15:31

























          answered Jun 16 '18 at 23:33









          Rui F RibeiroRui F Ribeiro

          41.9k1483142




          41.9k1483142












          • Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

            – Wiley Marques
            Nov 11 '18 at 14:29











          • @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

            – Rui F Ribeiro
            Nov 11 '18 at 15:29

















          • Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

            – Wiley Marques
            Nov 11 '18 at 14:29











          • @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

            – Rui F Ribeiro
            Nov 11 '18 at 15:29
















          Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

          – Wiley Marques
          Nov 11 '18 at 14:29





          Regarding the removal of '/sslvpn' strings. The server I connect to has it on the URL, so I didn't that step. Interesting to point this on the answer, since it may happen to other people.

          – Wiley Marques
          Nov 11 '18 at 14:29













          @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

          – Rui F Ribeiro
          Nov 11 '18 at 15:29





          @WileyMarques Thanks for the feedback, I already suspected it would be different for some, also because in the github/pip version the URL is there.

          – Rui F Ribeiro
          Nov 11 '18 at 15:29

















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Unix & Linux Stack Exchange!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f450229%2fgetting-checkpoint-vpn-ssl-network-extender-working-in-the-command-line%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

          Marilyn Monroe Ny fiainany manokana | Jereo koa | Meny fitetezanafanitarana azy.