
I need to connect from a Debian Stretch amd64 VM to a CheckPoint corporate VPN.

I am using it from the customer point of view, and do not know many technical details about the server side. I am using it with the CheckPoint Mobile client in Windows, and I know it accepts Web VPN connections with Firefox+Java, aka SSL Network Extender.

I have tried opening it up in Firefox in Linux, but it did not work. I also investigated text mode alternatives, namely the snx command line client; however, CheckPoint literature clearly states direct logins from snx in the command line are no longer supported.

I made several tests, including installing the snx Linux client, snxconnect and the openconnect/vpnc VPN client, without much success. I also somewhat suspect the CheckPoint side, besides the already convoluted process, is double-checking the user agent, at least in my case.

What to do?

4 Answers


These 2018 instructions are for older CheckPoint VPN pre R80 (R80.10?) releases. See the new accepted answer for newer VPN/firewalls.

Ultimately, I decided to settle on authenticating with Firefox+Java (and then later on changed my mind, see the related link at the bottom). The VM itself runs neither Java nor a graphical interface, and I am running Firefox on a remote X server on my notebook when I need to connect to our corporate network.

The procedure is roughly:

  1. Installing firefox
  2. Downloading the snx Linux client installation after logging in the Web VPN client interface
  3. Installing JDK
  4. After everything installed, accessing the VPN URL in firefox each time you need to use the VPN.
  5. Closing the VPN via firefox

As for the actual steps guide:

  1. After some tests, it is evident the latest firefox version does not cut it running the Java applet.

Firefox 52 and above

Beginning with Firefox 52 (released March 2017), plug-in support is limited to Adobe Flash, and drops support for NPAPI, impacting plugins for Java, Silverlight, and other similar NPAPI based plugins.

So after testing a couple of older Firefox versions, I settled for Firefox 48, which will be used only to log in to the VPN. I downloaded it from the Firefox archives.

So in your target directory, do:

    tar -jxvf firefox-48.0.tar.bz2

Then do:

    cd firefox

To prevent it from updating to a more recent version the first time you run on this directory:

    sudo touch updates
    sudo chattr +i updates

Note: the first time you run it, you also disable updates either with:

  • menu icon->Preferences->Advanced->Updates

or:

  • opening the URL about:preferences#advanced

and in "Firefox Updates" select the radio button: "Never check for updates"

  2. If in the VPN, to get the installation file, do:

    wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh

Alternatively, download the application from the Web VPN interface, in "Settings->Edit Native application settings SSL Network Extender: Download Installation for Linux"


That will get you a snx_install.sh file.

You also need to change "When signing-in launch SSL Network Extender:" to "automatically".

Run then:

    chmod a+rx snx_install.sh
    sudo ./snx_install.sh

You will now have a /usr/bin/snx 32-bit client binary executable. Check what dynamic libraries are missing with:

    sudo ldd /usr/bin/snx

For Debian, you might need:

    sudo dpkg --add-architecture i386
    sudo apt-get update

I had to install the following:

    sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386

Check again whether any dynamic libraries are still missing with:

    sudo ldd /usr/bin/snx

You can only proceed to the following point when all the dependencies are satisfied, as the Java applet uses snx behind the scenes.

  3. After several unsuccessful iterations and web crawling, I found it is necessary to install Java 6 from Sun. So I got jdk-6u45-linux-x64.bin from the Oracle site.

To install it do as root:

    mkdir /usr/java
    mv jdk-6u45-linux-x64.bin /usr/java
    cd /usr/java
    chmod a+rx jdk-6u45-linux-x64.bin
    ./jdk-6u45-linux-x64.bin

We won't configure the whole system to use this Java version, as it is too old. Just to use Java with Firefox later on, link the plugin into Firefox's plugin directory:

    sudo mkdir -p /usr/lib/mozilla/plugins
    sudo ln -s /usr/java/jdk1.6.0_45/jre/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so

Now the Java installation is finished.

  4. Finally, to run firefox as a regular user do:

    ./firefox

If the Java Applet/SSL Network Extender does not launch itself after authentication, do "Native Applications->Connect". It will open a popup/Java Window. Wait for "Status: connected".


You can then close the main FireFox window.

After the VPN is established, you can check with ip address or ifconfig that you now have a tunsnx interface:

    $ ip addr show dev tunsnx
    14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN group default qlen 100
        link/none
        inet 10.x.x.x peer 10.x.x.x/32 scope global tunsnx
           valid_lft forever preferred_lft forever
        inet6 fe80::acfe:8fce:99a4:44b7/64 scope link stable-privacy
           valid_lft forever preferred_lft forever

ip route will also show you new routes going through the tunsnx interface.

For extra convenience, you can set the URL of the WebVPN as your home page.

  5. To close the VPN, you either press the "Disconnect" button in the Java popup, or close/kill Firefox.

See related: getting Checkpoint VPN SSL Network Extender working in the command line

  • Thanks for this! This was a really well written guide on how to do all of this... still having issues with Java but this got me close. Commented Dec 19, 2018 at 22:57
  • @saleetzo see the related link, you might be able to get away doing it without Java if you are willing to do it from the command line. Commented Dec 19, 2018 at 23:07
  • You are a good man and your guide worked great! Finally, I don't have to carry around a Windows VM just for VPN. Great work and well done! Commented Dec 20, 2018 at 21:06
  • @saleetzo Pretty much was the same incentive, this allowed me to convince people at work I could ditch the corporate Windows requirement for good. Commented Dec 20, 2018 at 22:20
  • @RuiFRibeiro Just note, better for java download is this link. 85-207-0-21.static.bluetone.cz/java/1.6.0_45 Commented Dec 9, 2019 at 14:08
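A pre-flight check for the snx step of the answer above, added here as an example and not part of the answer: it confirms /usr/bin/snx is the 32-bit ELF binary the answer describes, lists the libraries ldd cannot resolve, and maps the three sonames the answer needed to their Debian i386 packages (anything else is flagged as unknown). The ldd sample embedded in the script is constructed.

```shell
#!/bin/sh
# Added example, not part of the answer: pre-flight checks for /usr/bin/snx, which
# the Java applet drives behind the scenes. SAMPLE_LDD is constructed test input.
SAMPLE_LDD='    linux-gate.so.1 (0xf7fc9000)
    libX11.so.6 => not found
    libstdc++.so.5 => not found
    libpam.so.0 => /lib/i386-linux-gnu/libpam.so.0 (0xf7f9a000)'

# Print 32, 64 or unknown from the ELF header's EI_CLASS byte (offset 4).
elf_class() {
    case "$(od -An -tu1 -j4 -N1 "$1" 2>/dev/null | tr -d ' \n')" in
        1) echo 32 ;;
        2) echo 64 ;;
        *) echo unknown ;;
    esac
}

# Given ldd output, print the sonames it could not resolve, one per line.
missing_libs() {
    printf '%s\n' "$1" | awk '/=> not found/ { print $1 }'
}

# Map a soname to the Debian i386 package the answer installed for it; only
# the three libraries the answer needed are known, others are flagged.
debian_pkg_for() {
    case "$1" in
        libstdc++.so.5) echo 'libstdc++5:i386' ;;
        libX11.so.6)    echo 'libx11-6:i386' ;;
        libpam.so.0)    echo 'libpam0g:i386' ;;
        *)              echo "unknown-package-for:$1" ;;
    esac
}

# Run the checks against a live binary (default /usr/bin/snx).
snx_preflight() {
    bin=${1:-/usr/bin/snx}
    [ -x "$bin" ] || { echo "$bin not found; run snx_install.sh first" >&2; return 1; }
    echo "$bin is a $(elf_class "$bin")-bit ELF binary"
    dpkg --print-foreign-architectures 2>/dev/null | grep -qx i386 \
        || echo "i386 multiarch is not enabled: sudo dpkg --add-architecture i386"
    missing=$(missing_libs "$(ldd "$bin" 2>&1)")
    [ -z "$missing" ] && { echo "all shared libraries resolved"; return 0; }
    echo "missing: $(echo $missing)"
    echo "try: sudo apt-get install $(for so in $missing; do debian_pkg_for "$so"; done | sort -u | tr '\n' ' ')"
    return 1
}
if [ "${1:-}" = "--run" ]; then snx_preflight "$2"; fi
```

Run it as `sh snx_preflight.sh --run` after snx_install.sh; a non-zero exit means the Java applet will not get a working snx.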

To use the latest version of firefox, once you have installed snx_install.sh and cshell_install.sh open https://localhost:14186/id in a separate Firefox tab and add a Security Exception for site "https://localhost:14186/". Once the exception is added, you will see a unique identifier in HEX format. You can now close this tab and try to connect again.

  • I'm just accepting the unsigned certificate in the browser, and then the connection to the vpn works. I tested it on the latest version of Chrome and Firefox Commented Aug 28, 2019 at 16:55
  • At the time we were stuck with an older CheckPoint release. We have had R80 now for quite some time, wrote a wrapper for setting up this. I install a policy for the localhost certificate. will write a more detailed answer later on github.com/ruyrybeyro/chrootvpn Commented May 19, 2022 at 13:23

@ Kubuntu 18.04 32-bit, Firefox 75.0 (32-bit), openjdk-8

One should add to Firefox an exception for the page https://localhost:14186/id; that was the problem in my case: the applet started but didn't want to proceed because it did not have the right to get https://localhost:14186/id.

Also I should note that I've successfully started the VPN with Firefox 75.0 (32-bit) and openjdk-8, without downgrading to Firefox 48 and jdk-6u45, although I tried this as well, and cshell_install.sh didn't want to install with jdk-6u45.

But anyway, great thanks to the author of the answer, Rui F Ribeiro. It helped me very much.

  • Things changed, at the time of my question/answer, it was a Java applet. Commented May 31, 2022 at 9:20

It's 2022, and whilst my previous answer is still valid for pre-R80 CheckPoint releases, the world has moved on. Firefox no longer runs Java applets, so CheckPoint moved the middleware Java applet to the client/Linux side as a Java daemon, the CShell daemon (around 2 years ago).

The SNX SSL Network Extender daemon, despite the executable binary unfortunately still being 32 bits, now besides using SSLv3 tunneling for old firewalls, supports and works only with TLS 1.2 for the new firewalls. It also has light changes to make it incompatible with the snxconnect python reverse engineering effort.

On the other hand, there is no longer a requirement for the Mobile Access Portal Agent (CShell) to use Java 8, an Oracle Java implementation or a specific Firefox version. It has been successfully tested with several CheckPoint versions using the OpenJDK 11 JRE.

While helping a development team of ours adapt to the new scenario, I initially wrote instructions for Debian, then in a 2nd version patches for cshell_install.sh because of it being badly behaved. Eventually I arrived at the conclusion you might not want your machine being encumbered by having to have multiarch with 32-bits active, or Java, or having to patch any new cshell_install.sh variation.

As such, wrote instructions for having SNX plus the "new" CShell Java daemon in a chroot. However the document was too big, and wrote a script for Debian.

Eventually, the script evolved to fake requirements instead of patching CheckPoint's scripts, and to support most of the main distributions, far more than using SNX + cshell_install.sh in their "naked" official form (which, for instance, the latest versions of Fedora no longer support).

You can fetch it here:

https://github.com/ruyrybeyro/chrootvpn

To get and install the script that automagically creates a chroot and makes your VPN work, use a user that is configured for sudo and do:

    curl https://raw.githubusercontent.com/ruyrybeyro/chrootvpn/main/vpn.sh -O
    chmod a+rx vpn.sh
    ./vpn.sh -i --vpn=VPN_FQDN_DNS_NAME

Any derivative distributions of Debian/Ubuntu, SUSE or RedHat/CentOS/Fedora are supported. Any variation of Arch too, as long as it is configured with Network Manager. Slackware, Void and Gentoo Linux too.

Nonetheless, if not using the script above, the instructions for Debian, for a plain, official, non-chrooted setup are:

Open the Mobile Portal VPN in the browser, https://VPN_FW_HOSTNAME, and authenticate with user and password(+double factor PIN if any); when the browser asks if you want to save a password, select “Never save”

Select Settings and change the defaults to:

    When signing-in launch SSL Network Extender: automatically
    Connect SSL Network Extender using: Network mode

Select OK.

Close the browser.

Download Linux Clients setup scripts from the firewall:

    $ wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/snx_install.sh
    $ wget --no-check-certificate https://VPN_FW_HOSTNAME/SNX/INSTALL/cshell_install.sh

Run:

    chmod a+rx snx_install.sh cshell_install.sh

Installing SNX:

    $ sudo dpkg --add-architecture i386
    $ sudo apt update
    $ sudo apt install libstdc++5:i386 libx11-6:i386 libpam0g:i386
    $ sudo ./snx_install.sh

Install firefox, before installing the Java agent:

    $ sudo apt install firefox-esr

Run Firefox and close it.

Having installed firefox-esr, for compatibility with the CheckPoint cshell_install.sh script:

    $ ln -s ~/.mozilla/firefox-esr ~/.mozilla/firefox

Be sure to open it so that the user profile is created. It is essential to run it as the non-privileged user that will use it daily. If no Firefox/Chrome profile has already been created under /home, cshell_install.sh will not meet its minimum requirements and will abort setup.

Installing the Mobile Access Portal Agent (certutil comes from libnss3-tools; there is no Debian package by that name):

    $ sudo apt install xauth x11-xserver-utils libnss3-tools openjdk-11-jdk

For the next step, firefox must not be running:

    $ sudo ./cshell_install.sh

If the installation went well:

    # ps ax | grep cshell
    14224 pts/0    Sl     0:01 java -jar /usr/bin/cshell/CSell.jar /tmp/cshell.fifo
    14300 pts/0    S+     0:00 grep cshell

The CShell daemon must be running now. In case it is not:

    $ /usr/bin/cshell/launcher

To verify that the certificate has been installed, you can also do:

    $ wget -q -O- --no-check-certificate https://localhost:14186/id

Finally enter firefox again, and visit

https://localhost:14186/id

to accept the https://localhost:14186 CheckPoint self-signed certificate.

Authenticate again with your login, and your password(+double factor PIN if any) in the firewall mobile portal address.

The connection to the VPN should now be automatic. If not, click on Connect.

Be aware that following the manual steps without the chroot script, cshell_install.sh install requirements are finicky and if not met, it aborts.

Relevant CheckPoint Linux support pages:

SSL Network Extender https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk65210#Linux%20Supported%20Platforms

How to install SSL Network Extender (SNX) client on Linux machines https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114267

Mobile Access Portal Agent Prerequisites for Linux https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk119772

Mobile Access Portal and Java Compatibility https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113410

Mobile Access Portal Agent for Mozilla Firefox asks to re-install even after it was properly installed https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk122576&partition=Advanced&product=Mobile

  • It worked! But I had to do some extra step. The "cshell_install.sh" was looking for the folder "~/.mozilla/firefox" to install/remove the certificates, but with Firefox ESR, there's only the folder "~/.mozilla/firefox-esr". I just closed Firefox, renamed the folder to "~/.mozilla/firefox" temporarily, and then it was able to install the certificates. After that, I changed the folder back to its original name. Everything is working like a charm! Thank you a lot! I've tried so many solutions, and only this one worked for me. Cheers mate. 🙏🏽 Commented Oct 3, 2022 at 13:25
  • @LuísAssunção cshell_install/snx got loads of lib files and applicational dependencies, and some cannot even be satisfied in some recent distributions. Eventually I also gave up on patching cshell install, because CheckPoint has several variations over time. Hence why I created the script for a chroot setup, where I can fake them at will. The script also installs a global Firefox policy instead of mucking up with the user certificate store copy. Cheers mate Commented Oct 3, 2022 at 18:10
  • @LuísAssunção Thanks, edited the answer with your remarks. Also, from my comments, it can be inferred snx and cshell_install.sh should not be loaded randomly from the Internet and downloaded from appliance instead. Commented Oct 4, 2022 at 7:43
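A post-install check for the CShell and tunsnx steps of the answer above, added here as an example and not code from the answer or from the chrootvpn project: it looks for the CShell daemon in the process list, validates that https://localhost:14186/id returns a bare hex identifier, and reads the tunnel address from `ip addr show dev tunsnx`. The ps and ip samples are constructed, and 10.200.0.5 is a placeholder address.

```shell
#!/bin/sh
# Added example, not code from the answer or the chrootvpn project: verify the
# CShell daemon, its /id endpoint and the tunsnx interface after setup.
# SAMPLE_PS and SAMPLE_IP are constructed test input (10.200.0.5 is a placeholder).
SAMPLE_PS='14224 pts/0    Sl     0:01 java -jar /usr/bin/cshell/CShell.jar /tmp/cshell.fifo
14300 pts/0    S+     0:00 grep cshell'
SAMPLE_IP='14: tunsnx: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UNKNOWN
    link/none
    inet 10.200.0.5 peer 10.200.0.1/32 scope global tunsnx
       valid_lft forever preferred_lft forever'

# True when a `ps ax` listing shows the CShell jar (ignoring the grep itself).
cshell_running() {
    printf '%s\n' "$1" | grep -v ' grep ' | grep -q '/usr/bin/cshell/'
}

# /id must return a bare hex identifier; an HTML error page or an empty reply
# means the daemon is down or the self-signed certificate was not accepted.
cshell_id_ok() {
    printf '%s' "$1" | grep -Eq '^[0-9A-Fa-f]+$'
}

# From `ip addr show dev tunsnx` output, print the tunnel IPv4 address when the
# interface carries the UP flag; print nothing and fail otherwise.
tunsnx_addr() {
    printf '%s\n' "$1" | awk '
        /^[0-9]+: tunsnx:/ && /[<,]UP[,>]/ { up = 1 }
        up && $1 == "inet"                 { print $2; found = 1; exit }
        END                                { exit found ? 0 : 1 }'
}

# Run all three checks against the live system.
vpn_status() {
    if cshell_running "$(ps ax)"; then echo "CShell daemon: running"
    else echo "CShell daemon: NOT running (try /usr/bin/cshell/launcher)"; fi
    id=$(wget -q -O- --no-check-certificate https://localhost:14186/id 2>/dev/null)
    if cshell_id_ok "$id"; then echo "CShell /id: ok ($id)"
    else echo "CShell /id: no hex id (accept the localhost:14186 certificate in Firefox)"; fi
    if addr=$(tunsnx_addr "$(ip addr show dev tunsnx 2>/dev/null)"); then
        echo "tunsnx: up, address $addr"
    else echo "tunsnx: down (VPN not connected)"; fi
}
if [ "${1:-}" = "--run" ]; then vpn_status; fi
```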
