3

I noticed how there are several similar questions but none made me reach the objective.

My goal is to connect my Ubuntu machine to a remote checkpoint VPN. It looks like no VPN client exists to connect directly.

What I did:

  1. I built a Windows VM locally with Oracle VirtualBox.
  2. I connect the guest to the VPN.

As a Step 3, I would like to connect the host to the guest VPN but I wasn't able to achieve this.

I set up a NAT network and Host-only network:

  • Host: Ubuntu 16.04
  • Guest: Win 10 Home

  • Guest Host-only network: ipv4 192.168.56.101 gw 192.168.56.1 sub 255.255.255.0

  • Oracle VirtualBox 5.2.8

  • Target example VPN subnet: 123.123.0.0/24

I tried editing my default (host) gateway as How to share a VPN connection in a VMWare Guest VM with the Host:

sudo add route default 192.168.56.101

... looks fine but doesn't work.

I tried saving a route in /etc/networking/routes 123.123.0.0 255.255.255.0 192.168.56.101 any

... still not working.

I tried with iptables:

FORWARD
ACCEPT     all  --  123.123.0.0/24        anywhere             ctstate NEW
ACCEPT     all  --  anywhere              anywhere             ctstate RELATED,ESTABLISHED

I tried this https://www.expressvpn.com/support/vpn-setup/share-vpn-connection-windows/ from the guest but can't start the hostednetwork for some reason.

I'm really out of ideas now. I can setup a different Windows physical computer on the same WiFi, if that can help.

EDIT:

At first I actually tried snx solution, this is what the console displays

# snx -s 123.123.123.123 -u username -g
Check Point's Linux SNX
build 800005013
Please enter your password:

SNX: Authentication failed

while these are the logs in snx.elg

[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] exists_in_buf: returning 1
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] snx_browser::Receive: state==FIRST_REQ
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] search_for: searching for SESSION_ID= and  ;
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] search_for: prefix not found!
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] parse_page_for_sessionid: session_id not found!
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] snx: quit.
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] snx_browser::~snx_browser: called
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] talkssl::~talkssl: delete link
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] talkssl::end_handler: ending connection
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] snx_browser::Failure: entering with code: 2
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] got link down!- exit
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] talkssl::~talkssl: end
[ 17505 -140036352]@riccardo-notebook[11 May  8:34:03] done
Hennes
  • 64,768
  • 7
  • 111
  • 168
Riccardo
  • 141
  • 2
  • 7
  • 1
    Same issue here, I believe there's no support for a VPN client running on Checkpoint+OTP(RSA SecruID KeyFob) on linux. – antogerva Mar 30 '20 at 22:41

3 Answers3

1

Regarding the error you are having with snx, I think you are using the wrong build. AFAIK (by direct experience), the build 800007075 should work.

See this Super User post.

robinCTS
  • 4,327
  • 4
  • 20
  • 29
Vincenzo Caselli
  • 51
  • 1
  • 1
  • 4
0

This wouldn't work if the VPN server is not configured to allow split tunneling. In that case, its VPN connection cannot be shared with other computers.

I find it very strange that you cannot find a Checkpoint VPN client for Ubuntu.

Have a look at this Checkpoint community article which provides links and instructions for accessing Checkpoint VPN.

One of the links it provides is to the article CheckPoint SNX install instructions for major Linux distributions which says :

As of build 800007075 Checkpoint no longer support using the Native Client on the command line. This prevents scripting logins, and also requires a heavy desktop when we were able to survive with a headless server. Access is still possible, but only via the “SSL Network Extender“. This is a major pain as it requires (from my experience) X server, Oracle Java, and the FireFox browser to run.

The instructions the article gives for Ubuntu 15.04 Vivid Vervet are reproduced below. Adapt them to your Ubuntu version.

We’re going to install a ppa to get java, change the root password and install some additional libraries that are needed to run checkpoint.

sudo su -
passwd
add-apt-repository -y ppa:webupd8team/java
apt-get update
apt-get install oracle-java9-installer libstdc++5:i386 libpam0g:i386 libx11-6:i386
java -version

Pressing connect will open an xterm window that downloads and runs the native client install.sh script. You will need to enter the root password you set earlier, sudo will not work.

Now finally try the Connect > Continue > Accept Key and you should get connected.

Read my entire first link for more information and other methods at getting Checkpoint VPN working.

harrymc
  • 455,459
  • 31
  • 526
  • 924
  • This was actually my first route but I forgot to mention it. If I understood correctly the vpn server doesn't accept connection from linux and browsers, I'll add the logs to my question but in short I get authentication failure (same credentials works with Windows) – Riccardo May 11 '18 at 06:37
  • Read the comments in the linked Checkpoint community article for other people who had troubles. Have a look also at [this procedure](https://gist.github.com/rafaeltuelho/899dcf1359cf4d1fbd8a839ea753e535). – harrymc May 11 '18 at 08:05
0

I have written an article describing how to share connection from guest to host: https://krasovs.ky/2021/04/26/checkpoint-snx-adventure.html

The hardest part is NAT. You have to set up snat, simple masquerading doesn't help:

GATEWAY=$(ip -o -4 addr show tunsnx | awk '{printf $4}')
nft add rule inet nat postrouting oifname "tunsnx" ip daddr 10.0.0.0/8 snat ip to $GATEWAY

Also to make it more flexible I used WireGuard on host and guest to share connection.

Savely Krasovsky
  • 11
  • 5