
My ultimate goal is to download files from an FTP server, which is behind a CheckPoint VPN, on a server running Ubuntu 16.04 which I only have access to through ssh.

I followed the steps described in this answer, specifically:

  1. Install snx build 800007075:

        wget https://starkers.keybase.pub/snx_install_linux30.sh?dl=1 -O snx_install.sh

  2. Install dependencies:

        sudo apt-get install libstdc++5:i386 libx11-6:i386 libpam0g:i386

  3. Run:

        chmod a+rx snx_install.sh
        sudo ./snx_install.sh

  4. Create a `~/.snxrc` file with:

        server <server_ip>
        username <vpn_user>
        reauth yes

After that (and before the 4th step as well), whenever I try `snx -s <server_ip> -u <vpn_user>` I get:

    Check Point's Linux SNX
    build 800007075
    Please enter your password:

    SNX: Connection aborted.

The output of `sudo ldd /usr/bin/snx` here is:

    linux-gate.so.1 =>  (0xf7795000)
    libX11.so.6 => /usr/lib/i386-linux-gnu/libX11.so.6 (0xf7639000)
    libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xf761c000)
    libresolv.so.2 => /lib/i386-linux-gnu/libresolv.so.2 (0xf7603000)
    libdl.so.2 => /lib/i386-linux-gnu/libdl.so.2 (0xf75fe000)
    libpam.so.0 => /lib/i386-linux-gnu/libpam.so.0 (0xf75ee000)
    libnsl.so.1 => /lib/i386-linux-gnu/libnsl.so.1 (0xf75d2000)
    libstdc++.so.5 => /usr/lib/i386-linux-gnu/libstdc++.so.5 (0xf7518000)
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xf7362000)
    libxcb.so.1 => /usr/lib/i386-linux-gnu/libxcb.so.1 (0xf733c000)
    /lib/ld-linux.so.2 (0xf7796000)
    libaudit.so.1 => /lib/i386-linux-gnu/libaudit.so.1 (0xf7314000)
    libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xf72be000)
    libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xf72a1000)
    libXau.so.6 => /usr/lib/i386-linux-gnu/libXau.so.6 (0xf729d000)
    libXdmcp.so.6 => /usr/lib/i386-linux-gnu/libXdmcp.so.6 (0xf7296000)

Am I missing something?

Debug logs

[19 Sep  6:14:34] snx: starting debug - Thu Sep 19 06:14:34 2019

[19 Sep  6:14:36] browser::browser(): called
[19 Sep  6:14:36] snx_CCC_browser::snx_CCC_browser: called
[19 Sep  6:14:36] snx_browser::auth: entering
[19 Sep  6:14:36] gwinfo:gwinfo: entered!0x9f674e8
[19 Sep  6:14:36] creating the ssl layer
[19 Sep  6:14:36] talkssl::talkssl(): entered with chunk=512, opaque=9f657e0, link_established=80d66a0, link_failure=80d6680, packet_receive=80d6650, verify_gw=80d66c0
[19 Sep  6:14:36] talkssl::set_sslalg:  setting ssl alg to 2
[19 Sep  6:14:36] talkssl:: init_ssl_neg: using 3DES
[19 Sep  6:14:36] ckpSSLctx_New: prefs = 1a
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] isExist: ProxyEntity didn't initiated yet
[19 Sep  6:14:36] talkssl::start_async: Creating a new connection
[19 Sep  6:14:36] talkssl::start_async: Connecting to gw: 0x84af80b1, port: 443
[19 Sep  6:14:36] fwasync_make_connection: b180af84/443: dowait is -1 sock is 5
[19 Sep  6:14:36] talkssl::start_async: Connection created successfully
[19 Sep  6:14:36] fwasync_conn_params: <c0a80f05,44316> -> <b180af84,443>
[19 Sep  6:14:36] talkssl::client_handler: state: CONN_INIT - entering
[19 Sep  6:14:36] talkssl::client_handler: start ssl negotaition
[19 Sep  6:14:36] talkssl::client_handler: start openSSL negotaition
[19 Sep  6:14:36] ckpSSL_PrepareConnection: verify mode: 0
[19 Sep  6:14:36] My SSL Ciphers:
[19 Sep  6:14:36] Cipher List:
[19 Sep  6:14:36] 0: DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

[19 Sep  6:14:36] 1: RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1

[19 Sep  6:14:36] 2: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5 

[19 Sep  6:14:36] 3: DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1

[19 Sep  6:14:36] talkssl::client_handler: Returning OK!!!
[19 Sep  6:14:36] ckpSSL_NegotiateStep: current state = before/connect initialization
[19 Sep  6:14:36] is_initialized: new process or forked
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] rand_add_seedfile: Failed to read seed from registry.: Operation not permitted
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] fwrand_write_seed: Failed to read seed from registry.: Operation not permitted
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] CkpRegDir: Environment variable CPDIR is not set.
[19 Sep  6:14:36] GenerateGlobalEntry: Unable to get registry path
[19 Sep  6:14:36] fwrand_write_seed: Failed to write seed.: Operation not permitted
[19 Sep  6:14:36] ckpSSL_NegotiateStep: should retry.
[19 Sep  6:14:36] ckpSSL_NegotiateStep: current state = SSLv3 read server hello A
[19 Sep  6:14:36] SSL e stack
[19 Sep  6:14:36] 9594:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1033

[19 Sep  6:14:36] ckpSSL_NegotiateStep: Current step failed. Error is: 336151598
[19 Sep  6:14:36] ckpSSL_fwasync_connected: no connections err -3
[19 Sep  6:14:36] fwasync_end_conn: scheduling the end of connection 5
[19 Sep  6:14:36] fwasync_do_end_conn: closing connection 5 (conn=9f6eb68)
[19 Sep  6:14:36] talkssl::end_handler: ending connection 
[19 Sep  6:14:36] snx_browser::Failure: entering with code: 1
[19 Sep  6:14:36] got link down!- exit
[19 Sep  6:14:36] snx: quit.
[19 Sep  6:14:36] snx_CCC_browser::~snx_CCC_browser: called
[19 Sep  6:14:36] browser::~browser: called
[19 Sep  6:14:36] talkssl::~talkssl: delete link
[19 Sep  6:14:36] talkssl::~talkssl: end
[19 Sep  6:14:36] done
leoschet

  • I have had to disable IPv6 in my configuration with Debian 10 for it to work. There are also anecdotal tales of people having had to install 32-bit libraries of PAM. – Rui F Ribeiro Sep 17 '19 at 08:56
  • I checked here and I already have `libpam0g:i386`, I tried disabling IPv6, but the result is still the same – leoschet Sep 18 '19 at 19:05
  • Can you generate a debug file with snx -g? – Rui F Ribeiro Sep 18 '19 at 22:59
  • yes, I added the debug logs in the question now – leoschet Sep 19 '19 at 09:20
  • I can only double check this around Monday, out of the office for a couple of days...I would swear the connection is being correctly negotiated and established. Wrong profile/routes? Does it work in Windows? What do the networking guys say? – Rui F Ribeiro Sep 19 '19 at 09:40
  • Through the windows/mac checkpoint client the vpn connection works perfectly. With the same username, password and IP address! Still didn't hear from the networking team, but should hear soon, and when I do, I'll update the question here. Thanks for your help! – leoschet Sep 19 '19 at 15:47
  • @leoschet I understand that this is six months ago, but did you manage to solve this after talking to your networking team? If so, would you mind sharing the solution? – Wololo May 05 '20 at 07:19
  • @magnus I don't remember all the specifics, but I do remember I could not connect to the VPN through the command line. I had to install a GUI on ubuntu, and use the firefox method... – leoschet May 05 '20 at 08:06
  • @leoschet I see, thanks for the incredibly fast response! – Wololo May 05 '20 at 08:07
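The failing handshake in the debug log above can be decoded rather than guessed at. What follows is an added example, not code from the question or from Check Point's client: it parses the cipher list and the OpenSSL error line out of an `snx -g` log (using the question's own log lines as the sample input), unpacks the error code the way OpenSSL 1.0.x packs it, and names the TLS alert the gateway returned. The 1.0.x packing layout (`lib << 24 | func << 12 | reason`) and the 1000 offset that OpenSSL adds to a received alert number are assumptions taken from OpenSSL's error conventions, consistent with the `s3_pkt.c` source file named in the log; `parse_log`, `alert_number` and `summarize` are names chosen for this example.

```python
"""Decode the TLS failure recorded in an SNX debug log (added example, not Check Point code).

Assumes the client links a 1.0.x-era OpenSSL (the log names s3_pkt.c), so error codes
are packed as lib << 24 | func << 12 | reason, and a received TLS alert is reported as
reason = 1000 + alert number. Python 3.8+, standard library only.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Excerpt of the debug log posted in the question, trimmed to the lines that matter.
SAMPLE_LOG = """\
[19 Sep  6:14:36] talkssl:: init_ssl_neg: using 3DES
[19 Sep  6:14:36] My SSL Ciphers:
[19 Sep  6:14:36] Cipher List:
[19 Sep  6:14:36] 0: DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
[19 Sep  6:14:36] 1: RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
[19 Sep  6:14:36] 2: RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
[19 Sep  6:14:36] 3: DES-CBC-SHA             SSLv3 Kx=RSA      Au=RSA  Enc=DES(56)   Mac=SHA1
[19 Sep  6:14:36] ckpSSL_NegotiateStep: current state = SSLv3 read server hello A
[19 Sep  6:14:36] 9594:error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version:s3_pkt.c:1033
[19 Sep  6:14:36] ckpSSL_NegotiateStep: Current step failed. Error is: 336151598
"""

# One entry of the "Cipher List:" dump: index, suite name, protocol, ..., Enc=, Mac=
CIPHER_RE = re.compile(r"\]\s+\d+:\s+(\S+)\s+(SSLv3|TLSv1(?:\.\d)?)\s+.*?Enc=(\S+)\s+Mac=(\S+)")
# OpenSSL's text form: pid:error:<8 hex digits>:<lib>:<func>:<reason>:<file>:<line>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):[^:]*:([^:]*):([^:]*):")
# The same code, printed in decimal by the client one line later.
ERRNUM_RE = re.compile(r"Error is: (\d+)")

ERR_LIB_SSL = 20               # OpenSSL library number for "SSL routines"
SSL_AD_REASON_OFFSET = 1000    # reason = offset + TLS alert number (RFC 5246 s7.2)
ALERT_NAMES = {40: "handshake_failure", 42: "bad_certificate", 70: "protocol_version",
               71: "insufficient_security", 80: "internal_error"}
LEGACY_ENC = ("RC4", "DES", "3DES")  # bulk ciphers no current TLS profile should accept


@dataclass
class SslDiagnosis:
    ciphers: List[Tuple[str, str, str]] = field(default_factory=list)  # (name, protocol, enc)
    error_code: Optional[int] = None
    error_func: Optional[str] = None
    error_reason: Optional[str] = None


def unpack_openssl_error(code: int) -> Tuple[int, int, int]:
    """Split a packed OpenSSL 1.0.x error code into (lib, func, reason)."""
    return (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF


def alert_number(code: int) -> Optional[int]:
    """TLS alert the peer sent, if the code is an SSL-library 'received alert' reason."""
    lib, _func, reason = unpack_openssl_error(code)
    if lib == ERR_LIB_SSL and SSL_AD_REASON_OFFSET <= reason < SSL_AD_REASON_OFFSET + 256:
        return reason - SSL_AD_REASON_OFFSET
    return None


def parse_log(text: str) -> SslDiagnosis:
    d = SslDiagnosis()
    for line in text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            d.ciphers.append((m.group(1), m.group(2), m.group(3)))
            continue
        m = ERR_RE.search(line)
        if m:
            d.error_code, d.error_func, d.error_reason = int(m.group(1), 16), m.group(2), m.group(3)
            continue
        m = ERRNUM_RE.search(line)
        if m and d.error_code is None:   # fall back to the decimal form if the hex line is missing
            d.error_code = int(m.group(1))
    return d


def legacy_ciphers(d: SslDiagnosis) -> List[str]:
    """Suite names whose bulk cipher is RC4, DES or 3DES."""
    return [name for name, _proto, enc in d.ciphers if enc.split("(")[0] in LEGACY_ENC]


def summarize(d: SslDiagnosis) -> str:
    lines = []
    if d.ciphers:
        protos = sorted({p for _n, p, _e in d.ciphers})
        lines.append("client offered %d suites (%s): %s"
                     % (len(d.ciphers), "/".join(protos), ", ".join(n for n, _p, _e in d.ciphers)))
        weak = legacy_ciphers(d)
        if weak:
            lines.append("legacy bulk ciphers in the offer: " + ", ".join(weak))
    if d.error_code is not None:
        lib, func, reason = unpack_openssl_error(d.error_code)
        lines.append("OpenSSL error 0x%08X -> lib=%d func=%d reason=%d (%s: %s)"
                     % (d.error_code, lib, func, reason, d.error_func, d.error_reason))
        alert = alert_number(d.error_code)
        if alert is not None:
            lines.append("gateway sent TLS alert %d (%s)" % (alert, ALERT_NAMES.get(alert, "unknown")))
        if alert == 70:
            lines.append("verdict: the gateway rejected the protocol version the client proposed "
                         "before any credentials were exchanged; only a client that can negotiate "
                         "a newer TLS version will get past this point")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(parse_log(SAMPLE_LOG)))
```

Run against the question's lines it reports that all four offered suites are SSLv3-era RC4/DES/3DES and that error `0x1409442E` (decimal 336151598, the same number the client prints) is alert 70, `protocol_version`, from the gateway. The server refused the handshake before the password prompt mattered, which is consistent with the same credentials working from the Windows/Mac client and with the higher-voted answer's fix of moving to a newer build.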

2 Answers


I had the same issue and same error log.

Upgrading the SNX client to build 800010003 solved my issue (requires checkpoint account, which is free).

kkjawz

  • This worked for me, thank you very much! – Robin Feb 15 '21 at 09:36
  • This also worked for me... Downloading the snx from the Checkpoint Server itself gave me an older version, 800008209, btw., and one would think they offer the "current" version, but the link directed me to the version that worked. THANKS! – Daniel Mar 14 '21 at 12:31
  • Unfortunately, the pure command line method was obsoleted around 2021. See https://unix.stackexchange.com/questions/450131/vpn-ssl-network-extender-in-firefox/709258 and https://github.com/ruyrybeyro/chrootvpn – Rui F Ribeiro Nov 06 '22 at 11:33

I had the same issues and found I was applying the port incorrectly. Again, this may not be the issue you were experiencing; I just wanted to post my findings.

initial:

    sudo snx -s <server>:<port> -u

fix:

    sudo snx -s <server> -p <port> -u <user>
schrodingerscatcuriosity
carterdev

  • If your answer is not an answer to the issue at hand, then why did you post it? – Kusalananda Oct 24 '19 at 06:09
  • @carterdev what's the default port? – leoschet Oct 24 '19 at 10:25
  • Are you saying here that the solution is to move the port from `-s server:port` to its own option, `-p port`? – Jeff Schaller Oct 24 '19 at 10:43
  • @leoschet my port was 4433 – carterdev Oct 24 '19 at 14:45
  • @Jeff Schaller Yes, that is correct. – carterdev Oct 24 '19 at 14:45
  • @carterdev can this port be configured or is it always the same? Tried that with no luck – leoschet Oct 24 '19 at 20:07
  • @leoschet do you have access to the checkpoint? Do you know if the SSL VPN is turned on? If so, it tells you what port is to be used. – carterdev Oct 24 '19 at 20:40
  • @carterdev I can connect to the VPN using the mac/windows client. Even then is it possible that the ssl VPN is turned off? Using the [mobile access (firefox) approach](https://unix.stackexchange.com/questions/450131/vpn-ssl-network-extender-in-firefox), when accessing /sslvpn I get `Access denied. This Portal is not supported on this server. Please contact your Administrator for more information (14)` -- As you might have noticed, my knowledge on this subject is very limited – leoschet Oct 24 '19 at 20:50
  • Yes it is possible. If you don't have access to the checkpoint, get with the firewall admin. They will be able to turn this on. – carterdev Oct 24 '19 at 20:54