Connecting to Checkpoint QVPN SXN in Linux

Prerequisites

Ensure you have received their E-Mail and following information:

  • VPN Certificate file (.p12)
  • Your VPN password
  • Your server username

Please use that information to replace placeholders in scripts found in this tutorial.

Installation script

You can either download from their website (crappy and frustrating) or get it directly via http://gateway-ip.

Look for a file called snx_install_linux**.sh

wget http://gateway-ip/**/snx_install_linux**.sh

Security: We have a look what is distributed and how running it will affect our system

$ cat snx_install_linux30-7075.sh | sed -e 's/^.*\(\x42\x5A.*\)/\1/g' >| tar -jtvf
-rwxr-xr-x builder/fw 3302196 2012-12-06 14:02 snx
-r--r--r-- builder/fw 747 2012-12-06 14:02 snx_uninstall.sh

Installation

$ sudo chmod +x snx_install_linux30-7075.sh
$ sudo ./snx_install_linux30-7075.sh

You may have some libraries missing since the client is still 32bit.

$ sudo ldd /usr/bin/snx | grep "not found"
libpam.so.0 => not found
libstdc++.so.5 => not found

So, here we would need some legacy architecture

$ sudo apt-get install libx11-6:i386 libstdc++5:i386 libpam0g:i386

Connect to VPN

$ snx -c path-to-key/rl_johnbarleycorn.p12 -g -s company.inetservices.com companyvpn
Check Point's Linux SNX
build 800007075
Please enter the certificate's password:
SNX authentication:
Please confirm the connection to gateway: companyvpn VPN Certificate
Root CA fingerprint: MELT ELSE FUN BLUE ONUS GORE GAD SWAM VAST CHAT YAWL FOUR
Do you accept? [y]es/[N]o:
y
SNX - connected.
Session parameters:
===================
Office Mode IP : 172.16.10.145
Timeout : 12 hours</username>

(exit code 0)

Debugging

$ ssh -vvv vq
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
[鈥

Check what it did setup

$ ifconfig | grep -A 8 tunsnx
tunsnx: flags=4305<up,pointopoint,running,noarp,multicast> mtu 1500
inet 172.16.10.145 netmask 255.255.255.255 destination 172.16.10.144
inet6 fe80::ed2a:98f2:a47:8555 prefixlen 64 scopeid 0x20                    <link>
 unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 2252 (2.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0</up,pointopoint,running,noarp,multicast>

And for the routes:

$ routes | grep tunsnx                                           :(
Kernel-IP-Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
10.7.5.0        0.0.0.0         255.255.255.0   U     0      0        0 tunsnx
10.7.6.0        0.0.0.0         255.255.255.0   U     0      0        0 tunsnx
10.8.4.0        0.0.0.0         255.255.254.0   U     0      0        0 tunsnx
10.8.6.0        0.0.0.0         255.255.255.0   U     0      0        0 tunsnx
10.14.14.15     0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx
10.14.14.15     0.0.0.0         255.255.255.255 UH    2      0        0 tunsnx
10.200.1.12     0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx
10.200.1.12     0.0.0.0         255.255.255.255 UH    2      0        0 tunsnx
10.200.13.0     0.0.0.0         255.255.255.0   U     0      0        0 tunsnx
10.200.13.0     0.0.0.0         255.255.255.0   U     2      0        0 tunsnx
10.200.14.0     0.0.0.0         255.255.255.0   U     0      0        0 tunsnx
10.200.14.0     0.0.0.0         255.255.255.0   U     2      0        0 tunsnx
10.200.28.9     0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx
10.200.28.9     0.0.0.0         255.255.255.255 UH    2      0        0 tunsnx
10.200.29.0     0.0.0.0         255.255.255.0   U     0      0        0 tunsnx
10.200.29.0     0.0.0.0         255.255.255.0   U     2      0        0 tunsnx
172.16.10.68    0.0.0.0         255.255.255.255 UH    0      0        0 tunsnx

Automating connection

./snx-vpn-up:

#!/bin/bash

# trap ctrl-c and call ctrl_c()
trap ctrl_c INT

function ctrl_c() {
  snx -d
}

showroutes() {
  echo Routes:
  echo =======
  ip route | grep tunsnx
  if [ "$?" -ne 0 ]; then
    echo "Something failed. No routes? Try again."
    echo
    snx-vpn-down
    exit 1
  fi
}

ROUTES=$( ip route | grep tunsnx )
if [ ! -z "$ROUTES" ]; then
   echo "Already connected."
   echo
   showroutes
   exit 1
fi

echo "SNX - Connecting..."
echo 'PASSWORD' | snx -g -c path-to-key/rl_johnbarleycorn.p12  -s IP
sleep 1
showroutes
sleep 1
echo
echo /home/$( whoami )/snx.elg
echo =====
tail -n 1000 -f /home/$( whoami )/snx.elg

If this stops working at any point in future use expect

./snx-vpn-down:

#!/bin/bash
if [ -z "$( pgrep snx)" ]; then
  echo "SNX was not running."
  exit 1
fi

snx -d

Trackback

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.