2

I'm trying to use the command line tool from Checkpoint to set up an SSL Network Extender VPN using a certificate (P12) rather than a password.

I tried the solution mentioned in "Getting Checkpoint VPN SSL Network Extender working in the command line".

Specifically:

  • build 800007075
  • compiled down to 32-bit (as per the accepted answer)

I'm able to connect with the OS X desktop client, but the command line tool throws the following error:

"Virtual Network Adapter initialization and configuration failed. Try to reconnect."

I'm running the connection in a Docker container with the ubuntu:18.04 base image (once I get it to work, I'll port it to something lightweight), using the following command:

RUN snx -s <server_ip> -c <path_to_cert> -g

Rui F Ribeiro

3 Answers

3

Using MacOS, I would download/use the latest Mac OS Check Point official client, that is actively supported by CheckPoint, instead of using Docker.

Been using Checkpoint's client in Mojave for a couple of months now, and contrary to my experience at the beginning of the year, in High Sierra, where it was going off all the time, it is fairly stable now.

As for running the Linux CheckPoint VPN client/snx in Docker, it won't work.

The snx VPN client routines:

  • check for the kernel presence/the tun kernel module being loaded;
  • load/insmod the tun kernel module if not loaded;
  • create and use the resulting tunsnx virtual network interface;
  • manipulate your routing table;
  • send traffic through the virtual tunsnx interface.

Some or all of those actions won't simply happen inside a Docker container.

TL;DR: snx inside Docker won't work. Either use the Mac native client, or run the Linux snx VPN client on a Linux VM.

PS. I would advise getting familiar with the differences between a container and a VM.

Rui F Ribeiro
3

I've just connected with SNX in a docker image, so it's possible.

Some tricks:

  -v /lib/modules:/lib/modules \
  -v /dev:/dev \
  --cap-add=ALL \

My approach was to first have it working in a VirtualBox image, then list all the installed packages, and finally have all those packages installed on the Docker image.

I suspect some X-related packages are needed; now it is time to trim the image and guess which packages are really needed.

Javier
  • How can I know what is missing exactly? I successfully installed SNX in the docker ubuntu image and am getting the same "Virtual Network Adapter initialization and configuration failed....." error. I'm running from a Windows machine, so I cannot mount missing volumes(( – Geka P Jan 12 '21 at 18:27
  • @GekaP SNX won't work using WSL, I am afraid. See also my comment under Marjan's answer. – Rui F Ribeiro Sep 02 '23 at 08:29
1

Javier's answer helped me a lot.

First I successfully connected on the host machine, then I tried to connect in the container.

Some other folders were needed:

docker run -v /bin:/bin -v /lib:/lib -v /sbin:/sbin -v /usr:/usr --cap-add=ALL -it my_image bash

Marjan
  • important to consider: the image has to have the same OS version as the host - it needs to be clear though, that by mounting all these volumes the reasoning for using docker probably doesn't exist anymore, as many changes made in the container actually happen on the host. – til Sep 01 '23 at 10:47
  • @til In the meantime, pure command line SNX aka 800007075 stopped working for newer Checkpoints. I created a script last year that installs a minimal Debian chroot into most Linux distributions, because it is more lightweight and Docker does not make sense due to the closest ties to the host: https://github.com/ruyrybeyro/chrootvpn – Rui F Ribeiro Sep 02 '23 at 08:25
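
The prerequisites listed in the first answer, and the Docker flags used in the later ones, can be checked from inside the container before starting snx. The script below is an added example, not code from any of the answers; it assumes snx needs only the tun driver, /dev/net/tun and CAP_NET_ADMIN, which is narrower than the --cap-add=ALL and -v /dev:/dev shown above and is untested against snx itself. The function names are illustrative.

```shell
#!/bin/sh
# Added example: preflight for a tun-based VPN client (such as snx) in a container.
# Assumption: the client needs the tun driver, /dev/net/tun and CAP_NET_ADMIN.

CAP_NET_ADMIN=12   # bit number from linux/capability.h

# cap_eff [STATUS_FILE] -> effective capability mask (hex) of this process
cap_eff() {
    awk '$1 == "CapEff:" { print $2 }' "${1:-/proc/self/status}"
}

# has_cap HEXMASK BIT -> succeeds if BIT is set in HEXMASK (empty mask fails)
has_cap() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# preflight [STATUS_FILE] [TUN_NODE] [SYS_ROOT]
# Prints one line per prerequisite; returns the number that are missing.
preflight() {
    status=${1:-/proc/self/status}
    node=${2:-/dev/net/tun}
    sys=${3:-/sys}
    missing=0
    # Containers share the host kernel, so the driver must be loaded on the host.
    if [ -e "$sys/class/misc/tun" ] || [ -d "$sys/module/tun" ]; then
        echo "ok:      tun driver available in the kernel"
    else
        echo "missing: tun driver (modprobe tun on the host)"
        missing=$((missing + 1))
    fi
    # Only this one device node is needed, not all of /dev.
    if [ -c "$node" ]; then
        echo "ok:      $node is a character device"
    else
        echo "missing: $node (docker run --device /dev/net/tun)"
        missing=$((missing + 1))
    fi
    # Creating the interface and editing routes needs CAP_NET_ADMIN.
    if has_cap "$(cap_eff "$status")" "$CAP_NET_ADMIN"; then
        echo "ok:      CAP_NET_ADMIN is in the effective set"
    else
        echo "missing: CAP_NET_ADMIN (docker run --cap-add=NET_ADMIN)"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Run the check only when asked, e.g.  sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; fi
```

A container started with Docker's default capability set reports CAP_NET_ADMIN as missing, which matches the "Virtual Network Adapter initialization and configuration failed" symptom in the question.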