Prerequisites
Make sure you have received the e-mail from your VPN administrator with the following information:
- VPN certificate file (.p12)
- Your VPN password (the password of that certificate)
- Your server username
Use that information to replace the placeholders in the scripts found in this tutorial.
Installation script
You can either download the client from Check Point's website (a clunky and frustrating process) or fetch it directly from your gateway via http://gateway-ip. Keep in mind that this is a plain-HTTP download of something you will run as root: if the gateway also serves it over HTTPS, prefer that, and compare the file against the copy from the vendor site if you have one.
Look for a file called snx_install_linux**.sh
wget http://gateway-ip/**/snx_install_linux**.sh
Security: have a look at what is distributed and how running it will affect the system before you run it with sudo. The installer is a self-extracting shell script with a bzip2-compressed tarball appended, so the payload can be listed without executing the script (the sed strips everything up to the "BZ" magic of the bzip2 stream; the output is piped into tar, which reads the archive from stdin):
$ sed -e 's/^.*\(\x42\x5A.*\)/\1/g' snx_install_linux30-7075.sh | tar -jtvf -
-rwxr-xr-x builder/fw 3302196 2012-12-06 14:02 snx
-r--r--r-- builder/fw 747 2012-12-06 14:02 snx_uninstall.sh
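The same inspection done by byte offset rather than with sed, as an added example that is not part of the original tutorial: it locates the first compressed-stream magic in the installer and lists the archive members without ever executing the script, so the shell header in front of the payload never reaches the decompressor. The installer filename and member names are placeholders; the sample installer that make_sample builds is constructed here and uses a gzip payload so the example runs on systems without bzip2 installed, while the real snx installer carries a bzip2 payload, which the same function handles.

```shell
#!/bin/sh
# Added example: list what a self-extracting installer (shell header followed by
# an appended compressed tarball) would drop, without executing it.
# Works by byte offset, so the shell header never reaches the decompressor.
set -eu

# Print "<1-based byte offset> <bzip2|gzip>" of the first compressed stream in $1,
# or fail if none is found. LC_ALL=C so the raw gzip magic bytes match literally.
payload_offset() {
    f="$1"
    bz=$(LC_ALL=C grep -abo -e 'BZh[1-9]' "$f" | head -n 1 | cut -d: -f1)
    gz=$(LC_ALL=C grep -abo -e "$(printf '\037\213\010')" "$f" | head -n 1 | cut -d: -f1)
    # Caveat: the literal text "BZh<digit>" inside the shell header would fool this.
    if [ -n "$bz" ] && { [ -z "$gz" ] || [ "$bz" -lt "$gz" ]; }; then
        echo "$((bz + 1)) bzip2"       # grep -b is 0-based, tail -c +N is 1-based
    elif [ -n "$gz" ]; then
        echo "$((gz + 1)) gzip"
    else
        return 1
    fi
}

# List the archive members of the payload in $1 (e.g. snx_install_linux30-7075.sh).
list_payload() {
    f="$1"
    info=$(payload_offset "$f") || { echo "no compressed payload found in $f" >&2; return 1; }
    off=${info% *}
    kind=${info#* }
    case "$kind" in
        bzip2) tail -c "+$off" "$f" | bzip2 -dc | tar -tf - ;;
        gzip)  tail -c "+$off" "$f" | gzip -dc | tar -tf - ;;
    esac
}

# Constructed stand-in for the real installer: a shell header with a gzip'd
# tarball appended (the real snx installer carries a bzip2 payload instead).
make_sample() {
    d=$(mktemp -d)
    printf 'stand-in for the snx binary\n' > "$d/snx"
    printf 'echo uninstall\n' > "$d/snx_uninstall.sh"
    printf '#!/bin/sh\n# constructed installer header\necho "installing..."\nexit 0\n' > "$d/installer.sh"
    ( cd "$d" && tar -cf - snx snx_uninstall.sh | gzip -c ) >> "$d/installer.sh"
    echo "$d/installer.sh"
}

# Stand-alone use: ./inspect-installer.sh snx_install_linux30-7075.sh
if [ $# -gt 0 ]; then
    list_payload "$1"
fi
```

Because the offset is taken from the first magic in the file, the function does not depend on how the installer's own header is written (line count, `tail -n +N`, markers); it only assumes the payload starts at the first compressed-stream signature, which is what the sed trick above assumes too.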
Installation
$ chmod +x snx_install_linux30-7075.sh
$ sudo ./snx_install_linux30-7075.sh
The client is still a 32-bit binary, so on a 64-bit system some libraries may be missing. Note that ldd may execute code from the binary it inspects, so do not run it with sudo (readelf -d /usr/bin/snx | grep NEEDED lists the dependencies without loading the binary, but does not tell you which ones are missing):
$ ldd /usr/bin/snx | grep "not found"
libpam.so.0 => not found
libstdc++.so.5 => not found
So we need the 32-bit (i386) builds of these libraries. On Debian-based systems where the i386 architecture is not enabled yet, run sudo dpkg --add-architecture i386 && sudo apt-get update first, then:
$ sudo apt-get install libx11-6:i386 libstdc++5:i386 libpam0g:i386
Connect to VPN
Before answering y to the prompt below, compare the Root CA fingerprint shown by snx with the one your VPN administrator gave you out of band; accepting it blindly means any gateway that answers on that address, with any certificate, is trusted for the session.
$ snx -c path-to-key/rl_johnbarleycorn.p12 -g -s company.inetservices.com companyvpn
Check Point's Linux SNX
build 800007075
Please enter the certificate's password:
SNX authentication:
Please confirm the connection to gateway: companyvpn VPN Certificate
Root CA fingerprint: MELT ELSE FUN BLUE ONUS GORE GAD SWAM VAST CHAT YAWL FOUR
Do you accept? [y]es/[N]o:
y
SNX - connected.
Session parameters:
===================
Office Mode IP : 172.16.10.145
Timeout : 12 hours
(exit code 0)
Debugging
With the tunnel up, try to reach an internal host over SSH; getting as far as the authentication stage shows that packets are going through the tunnel:
$ ssh -vvv vq
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
[…]
Check what it set up (or use ip addr show dev tunsnx on systems without net-tools):
$ ifconfig | grep -A 8 tunsnx
tunsnx: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST> mtu 1500
inet 172.16.10.145 netmask 255.255.255.255 destination 172.16.10.144
inet6 fe80::ed2a:98f2:a47:8555 prefixlen 64 scopeid 0x20<link>
unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00 txqueuelen 100 (UNSPEC)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 25 bytes 2252 (2.2 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
And for the routes (output trimmed to the tunsnx entries; note that only these prefixes are sent into the tunnel, the default route stays on your normal interface, i.e. this is a split tunnel; each pushed prefix shows up twice, with metric 0 and 2):
$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.7.5.0 0.0.0.0 255.255.255.0 U 0 0 0 tunsnx
10.7.6.0 0.0.0.0 255.255.255.0 U 0 0 0 tunsnx
10.8.4.0 0.0.0.0 255.255.254.0 U 0 0 0 tunsnx
10.8.6.0 0.0.0.0 255.255.255.0 U 0 0 0 tunsnx
10.14.14.15 0.0.0.0 255.255.255.255 UH 0 0 0 tunsnx
10.14.14.15 0.0.0.0 255.255.255.255 UH 2 0 0 tunsnx
10.200.1.12 0.0.0.0 255.255.255.255 UH 0 0 0 tunsnx
10.200.1.12 0.0.0.0 255.255.255.255 UH 2 0 0 tunsnx
10.200.13.0 0.0.0.0 255.255.255.0 U 0 0 0 tunsnx
10.200.13.0 0.0.0.0 255.255.255.0 U 2 0 0 tunsnx
10.200.14.0 0.0.0.0 255.255.255.0 U 0 0 0 tunsnx
10.200.14.0 0.0.0.0 255.255.255.0 U 2 0 0 tunsnx
10.200.28.9 0.0.0.0 255.255.255.255 UH 0 0 0 tunsnx
10.200.28.9 0.0.0.0 255.255.255.255 UH 2 0 0 tunsnx
10.200.29.0 0.0.0.0 255.255.255.0 U 0 0 0 tunsnx
10.200.29.0 0.0.0.0 255.255.255.0 U 2 0 0 tunsnx
172.16.10.68 0.0.0.0 255.255.255.255 UH 0 0 0 tunsnx
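To know whether a given destination actually leaves through the tunnel, and therefore whether the VPN is split or full tunnel for that host, do a longest-prefix match against the routing table instead of eyeballing it. The following is an added example, not from the original tutorial: it reads ip -4 route output on stdin and prints the interface the kernel would pick. The route lines in SAMPLE_ROUTES are constructed, modelled on the table above plus a made-up default route via a local wlan0 interface; the interface names and addresses in them are assumptions.

```shell
#!/bin/sh
# Added example: which interface will the kernel use for a destination?
# Reads "ip -4 route" style lines on stdin and does a longest-prefix match,
# with the metric as tie-breaker, in plain POSIX awk (no gawk bit operators).

# Usage: route_iface <dotted-ipv4> < routes   -> prints interface name or "unreachable"
route_iface() {
    awk -v dst="$1" '
    function ip2int(s,    a) {
        split(s, a, "[.]")
        return ((a[1] * 256 + a[2]) * 256 + a[3]) * 256 + a[4]
    }
    BEGIN { best_len = -1; best_metric = 0; best_dev = "" }
    {
        pfx = $1; len = 32
        if (pfx == "default") { pfx = "0.0.0.0"; len = 0 }
        else if (index(pfx, "/")) { split(pfx, p, "/"); pfx = p[1]; len = p[2] + 0 }
        dev = ""; metric = 0
        for (i = 2; i < NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "metric") metric = $(i + 1) + 0
        }
        if (dev == "") next
        # Compare the top "len" bits by integer division instead of AND/shift
        shift = 2 ^ (32 - len)
        if (int(ip2int(dst) / shift) != int(ip2int(pfx) / shift)) next
        if (len > best_len || (len == best_len && metric < best_metric)) {
            best_len = len; best_metric = metric; best_dev = dev
        }
    }
    END { print (best_dev == "" ? "unreachable" : best_dev) }'
}

# Usage: via_tunnel <dotted-ipv4> < routes   -> exit 0 if the destination goes through tunsnx
via_tunnel() {
    [ "$(route_iface "$1")" = "tunsnx" ]
}

# Constructed sample, modelled on the route table above plus a made-up
# default route through a local wlan0 interface (a split tunnel).
SAMPLE_ROUTES='default via 192.168.1.1 dev wlan0 proto dhcp metric 600
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
10.7.5.0/24 dev tunsnx scope link
10.8.4.0/23 dev tunsnx scope link
10.14.14.15 dev tunsnx scope link
10.14.14.15 dev tunsnx scope link metric 2
10.200.13.0/24 dev tunsnx scope link
172.16.10.68 dev tunsnx scope link'

# Stand-alone use against the sample; live use: ip -4 route | route_iface 10.7.5.20
if [ $# -gt 0 ]; then
    printf '%s\n' "$SAMPLE_ROUTES" | route_iface "$1"
fi
```

With the sample table, 10.7.5.20 and 10.8.5.7 (covered by the /23) resolve to tunsnx, while 10.14.14.16 falls through to the default route on wlan0 because only the single host 10.14.14.15 was pushed; that is exactly the kind of "it works for one box but not its neighbour" question the route list answers.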
Automating connection
The certificate password has to go to snx on stdin. Do not hard-code it in the script; keep it in a file only you can read (chmod 600) and redirect that file into snx.
./snx-vpn-up:
#!/bin/bash
# Bring up the SNX tunnel, verify the pushed routes, then follow the client log.
# Placeholders: CERT (path to the .p12) and GATEWAY (gateway host or IP).
CERT="path-to-key/rl_johnbarleycorn.p12"
GATEWAY="IP"
# File containing only the certificate password, mode 600.
PASSFILE="$HOME/.snx-pass"

# Disconnect cleanly on Ctrl-C
ctrl_c() {
    snx -d
}
trap ctrl_c INT

showroutes() {
    echo Routes:
    echo =======
    if ! ip route | grep tunsnx; then
        echo "Something failed. No routes? Try again."
        echo
        snx-vpn-down
        exit 1
    fi
}

if ip route | grep -q tunsnx; then
    echo "Already connected."
    echo
    showroutes
    exit 1
fi

if [ ! -r "$PASSFILE" ]; then
    echo "Password file $PASSFILE is missing or unreadable." >&2
    exit 1
fi

echo "SNX - Connecting..."
# snx reads the certificate password from stdin
snx -g -c "$CERT" -s "$GATEWAY" < "$PASSFILE"
sleep 1
showroutes
sleep 1
echo
echo "$HOME/snx.elg"
echo =====
tail -n 1000 -f "$HOME/snx.elg"
If feeding the password on stdin stops working with a future client version, drive snx with expect instead.
./snx-vpn-down:
#!/bin/bash
# Tear down the tunnel; -x matches the process name exactly so that scripts
# with "snx" in their name (like these two) do not count as a running client.
if ! pgrep -x snx > /dev/null; then
    echo "SNX was not running."
    exit 1
fi
snx -d