Check Point Endpoint Security VPN on Linux

I am wondering whether it is possible to connect to this VPN on Linux (Mint in my case). I need it for work.

On the Official Website (https://www.checkpoint.com/quantum/remote-access-vpn/#downloads), there isn’t a Linux Client.

My company provided me with a .p12 certificate file, protected by a password that I have. They also provided me with the server address/gateway. That’s all.

I tried connecting via SNX (command and output below):

➜ VPN Folder: snx -s -c .p12
Check Point’s Linux SNX
build 800008304
Please enter the certificate’s password:

SNX: Authentication failed

The password for the certificate is correct 100%, but I am still getting Authentication failed, which is weird.

Does anyone know why this might be happening, or some alternative to get it working? Is it even possible or will I have to get a Windows machine for this?

I also found this, but idk whether it could be useful (could not get it working either): https://hub.docker.com/r/kedu/snx-checkpoint-vpn#with-username-and-certificate

As far as I know, there is no Check Point VPN client on Linux, and it needs to be done with a 3rd-party client.

Since R81, it can be done with strongSwan (see the Check Point support center / knowledge base).

Snx should work with Mobile Access.

Check Point does not have an Endpoint Security VPN client for Linux. There’s a (managed) Endpoint Client for Linux, but it is currently outdated and it does not have a VPN client.

snx, as has been said, is a Mobile VPN / Mobile Access client. It’s old and requires TLS <1.2 which most sane admins have disabled.

You can go for StrongSwan, or check out Check Point’s latest acquisition, Perimeter81. They have a client for all operating systems, but I’m not sure right now if it has the features we require. Currently testing.

I had good results with StrongSwan and RSA SecurID and username/password, didn’t try certificates though.

SNX is the official supported VPN client for Linux. Certificates are notoriously easy to break between systems. I have many customers that use SNX on Linux for VPN. If your “firewall” folks can’t help you, and you can’t open a support ticket, ask on https://community.checkpoint.com or hit me up and I’ll try to help.

Try cpyvpn (cpvpn / cpyvpn on GitLab). I’ve had more success with this custom client than I ever had with the official one.

There are a few points to check:

  1. SNX and Endpoint Security VPN use different schemas to authenticate. If your company didn’t configure Standard authentication, or disabled it, then you won’t be able to connect. It’s worth checking on this.

  2. I’ve never experienced cert authentication with SNX, but maybe you could try IPSec VPN (StrongSwan) with a bit of trial and error. There is a page in the checkpoint community of a guy making it happen with EAP on NetworkManager.

  3. Also, for Linux, consider using the web plugin, CShell, which is a Java daemon. You have to log in through the web portal for this. It’s not my preferred solution, but it usually works.

I got it to work with a specific version of SNX, don’t remember exactly which one

I tried with StrongSwan but I could not get it to work. I don’t know much about either SNX or StrongSwan, so I don’t really know what to do. If you know a way for me to connect to this VPN on Linux then I would be grateful.

I installed it with:
pip install cpyvpn

Then tried to connect using: cp_client -c /path/to/certificate.p12 -p <cert_password>

And got an error:

Traceback (most recent call last):
File “/home//.local/bin/cp_client”, line 8, in <module>
sys.exit(main())
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 474, in main
options.defhandler = utils.client_setup(options)
File “/home//.local/lib/python3.8/site-packages/cpyvpn/utils.py”, line 288, in client_setup
ctx.load_cert_chain(options.user_cert, password=ask_cert_pwd)
ssl.SSLError: [SSL] PEM lib (_ssl.c:4046)

The usage of cp_client:

usage: cp_client [-h] [-m MODE] [-p PATH] [-u USER] [-r REALM] [-c USER_CERT] [-C COOKIES] [--cookies-on-stdin]
[--passwd-on-stdin] [--passwd-script SCRIPT_PWD] [--ua UA] [--nocert] [--printcookie] [--force_v1]
[--force_logout] [-t TRANSPORT] [--ike IKE] [--ct CT] [-i INTERFACE] [-S SCRIPT_TUN | -s SCRIPT]
[--daemon] [--pidfile PIDFILE] [--logfile LOGFILE] [--enroll] [--rc RC] [--loglevel LOGLEVEL] [-v]
server

I also tried: cp_client -c /path/to/cert.p12

and got error:

Traceback (most recent call last):
File “/home//.local/bin/cp_client”, line 8, in <module>
sys.exit(main())
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 474, in main
options.defhandler = utils.client_setup(options)
File “/home//.local/lib/python3.8/site-packages/cpyvpn/utils.py”, line 288, in client_setup
ctx.load_cert_chain(options.user_cert, password=ask_cert_pwd)
ssl.SSLError: [SSL] PEM lib (_ssl.c:4046)

CShell has some compatibility problems of its own; you can’t even install it in vanilla Fedora. I wrote an automated script for many distros as a workaround: https://github.com/ruyrybeyro/chrootvpn

There are a lot of moving parts, but go ahead and hit me up here to start and I’ll see what I can do. I’m traveling most of the coming week, but I’ll try and check in here for any messages.

There is a step “Certificate enrollment” which I think you’ve skipped. It looks like it should extract the .pem certificate out of the .p12 as well as the key for later use.

Can we just talk on here so other people see the convo if we manage to solve the problem?

So, now I’ve tried both strongSwan and SNX, and I have a bit more hope in SNX, since strongSwan is a bit more complicated.

But still, with SNX, I do not know what to do from here on out, I keep getting the same result when I try to connect and don’t know how to debug it.

➜ VPN Folder: snx -s -c .p12
Check Point’s Linux SNX
build 800008304
Please enter the certificate’s password:

SNX: Authentication failed

So I did:
cp_client --enroll -c ./<name_of_my_certificate>.p12

And got:
File ./<name_of_my_certificate>.p12 exists. Overwrite [y/n]?: y
Enrollment key (from email): Idk I did not get this from my company
Enter your certificate password:
Confirm your certificate password:
Checking SSL mode.
SSL mode is: permissive.
Traceback (most recent call last):
File “/home//.local/bin/cp_client”, line 8, in <module>
sys.exit(main())
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 468, in main
manage_cert(options)
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 419, in manage_cert
bindata, pwd = get_cert_data()
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 408, in get_cert_data
raise RuntimeError(“Certificate retrieval failed, code {}.”.format(ec))
RuntimeError: Certificate retrieval failed, code 1.

We can…

Can you unlock the certificate with OpenSSL?
See: Export Certificates and Private Key from a PKCS#12 File with OpenSSL - SSL.com

Check with the FW admin that the cert you are using is a user VPN cert and that you are configured for using SNX (it’s the default if SNX is enabled).

If you just browse to the gateway, does it work?

My first guesses would be SNX isn’t configured or set to accept the certificate.

I think the Enrollment key could be the CN of the certificate in the p12?

openssl pkcs12 -in yourp12.p12 -info

should show you what certs there are. Try to input the CN= part of the certificate and see if it gets you anywhere. I’ll be honest - haven’t used it along with certs before so this is also new to me.
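The openssl inspection suggested above, carried a little further as an added example that is not from this thread and not Check Point’s or cpyvpn’s code: it opens a password-protected .p12, splits it into the PEM files a Linux client (SNX, cpyvpn, strongSwan) can be pointed at, and then checks the things that usually explain a silent “Authentication failed”: the subject CN, whether the private key actually belongs to the certificate, expiry, and whether the certificate is allowed for TLS client authentication at all. The sample bundle it builds is a constructed throwaway identity, and the function names and the `changeit` password are assumptions of this example. It also falls back to `openssl pkcs12 -legacy`, because OpenSSL 3 refuses the RC2/40-bit encryption that older PKCS#12 files were often written with, which can look like a wrong password.

```shell
#!/bin/sh
# Added example (not from the thread): open a password-protected .p12 with
# OpenSSL, split it into PEM pieces, and sanity-check the identity inside
# before blaming the gateway. Requires the openssl command-line tool.
set -eu

# Run "openssl pkcs12" and, if that fails, retry with -legacy: OpenSSL 3
# rejects the RC2-40 / old PBE ciphers some older bundles are encrypted with.
pkcs12_read() {
  openssl pkcs12 "$@" 2>/dev/null || openssl pkcs12 -legacy "$@"
}

# p12_unpack FILE PASSWORD OUTDIR -> OUTDIR/client.pem, client.key, ca.pem
p12_unpack() {
  p12=$1; pw=$2; out=$3
  mkdir -p "$out"
  # leaf (user) certificate only
  pkcs12_read -in "$p12" -passin "pass:$pw" -clcerts -nokeys -out "$out/client.pem"
  # private key, written unencrypted (-nodes): this is the VPN identity, keep it 0600
  pkcs12_read -in "$p12" -passin "pass:$pw" -nocerts -nodes -out "$out/client.key"
  chmod 600 "$out/client.key"
  # any CA certificates bundled alongside (may be empty)
  pkcs12_read -in "$p12" -passin "pass:$pw" -cacerts -nokeys -out "$out/ca.pem"
}

# cert_cn CERT.pem -> prints the subject CN (what some gateways map to a user)
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p'
}

# cert_key_match CERT.pem KEY.pem -> exit 0 when the key belongs to the cert
cert_key_match() {
  a=$(openssl x509 -in "$1" -noout -pubkey)
  b=$(openssl pkey -in "$2" -pubout)
  [ "$a" = "$b" ]
}

# cert_valid_now CERT.pem -> exit 0 unless the certificate has already expired
cert_valid_now() {
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# cert_is_client_auth CERT.pem -> exit 0 if there is no EKU extension, or the
# EKU includes TLS client authentication; a server-only cert fails here
cert_is_client_auth() {
  txt=$(openssl x509 -in "$1" -noout -text)
  if printf '%s\n' "$txt" | grep -q 'Extended Key Usage'; then
    printf '%s\n' "$txt" | grep -q 'TLS Web Client Authentication'
  fi
}

# make_sample_p12 DIR PASSWORD -> DIR/sample.p12
# Constructed throwaway identity for the demo; NOT a real Check Point bundle.
make_sample_p12() {
  d=$1; pw=$2
  mkdir -p "$d"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=Example VPN CA' \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj '/CN=Alice Example/O=Example Corp' -addext 'extendedKeyUsage=clientAuth' \
    -keyout "$d/user.key" -out "$d/user.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/user.crt" -inkey "$d/user.key" -certfile "$d/ca.crt" \
    -passout "pass:$pw" -out "$d/sample.p12"
}

# Demo on the constructed sample; point p12_unpack at your own file instead.
work=$(mktemp -d)
make_sample_p12 "$work" 'changeit'
p12_unpack "$work/sample.p12" 'changeit' "$work/out"
echo "CN: $(cert_cn "$work/out/client.pem")"
cert_key_match "$work/out/client.pem" "$work/out/client.key" && echo "key matches certificate"
cert_valid_now "$work/out/client.pem" && echo "certificate not expired"
cert_is_client_auth "$work/out/client.pem" && echo "EKU permits client authentication"
```

If `p12_unpack` fails on your real bundle even with the right password, the error text from the `-legacy` retry is the one to read; an empty `ca.pem` just means the company did not ship the issuing CA in the file. The `-nodes` step leaves the private key unencrypted on disk, so delete the output directory once the client has been configured.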

So I managed to read the certificate with:

openssl pkcs12 -info -in cert.p12 -nodes

I also managed to convert it to a .crt file with:

openssl pkcs12 -in cert.p12 -out cert.crt -nodes

I tried connecting with SNX then but it did not work again:

sudo snx -s -c certificate.crt
Check Point’s Linux SNX
build 800010003
Please enter the certificate’s password:
SNX: Connection aborted.

If you just browse to the gateway, does it work?

Yes, it does. It takes me to a Check Point website, and asks for a username/password.

Don’t know about tinkering with the VPN’s configs though, since it’s probably older than me and belongs to our client and not our company directly.

If we can’t get it running then I will just use a different laptop with Windows for this client.

I managed to get it working by asking for username/password credentials from the company, and connecting to the VPN via the web portal of Check Point VPN (logging in to the website that comes up when I browse to the gateway).

The CN = part of the certificate is just my name, don’t know how that could help

I also tried converting my .p12 file to .pem

openssl pkcs12 -in cert.p12 -out cert.pem -nodes

Then did:
cp_client -c cert.pem

And again, just an error…

GW url(host) is:
Checking SSL mode.
SSL mode is: permissive.
Cert. login
Traceback (most recent call last):
File “/home//.local/bin/cp_client”, line 8, in <module>
sys.exit(main())
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 482, in main
vpn_main(options, vna_args)
File “/home//.local/lib/python3.8/site-packages/cpyvpn/client.py”, line 258, in vpn_main
sna.init()
File “/home//.local/lib/python3.8/site-packages/cpyvpn/auth.py”, line 408, in init
self.cookie = self.auth_obj.cert_login() if self.cert_login else self.auth_obj.do_login()
File “/home//.local/lib/python3.8/site-packages/cpyvpn/auth.py”, line 107, in cert_login
return self._extract_ac(self.url + self.cert_path, body)
File “/home//.local/lib/python3.8/site-packages/cpyvpn/auth.py”, line 131, in _extract_ac
rd = utils.do_ccc_request(url, data=body).find(“ResponseData”)
File “/home//.local/lib/python3.8/site-packages/cpyvpn/utils.py”, line 161, in do_ccc_request
raise CCCBadRetCode(rc)
cpyvpn.utils.CCCBadRetCode: Bad return_code: 599!