howtos:ssl_network_extender_on_lucid_64-bit

Prep

Make a directory where we can dump our files and install the needed tools for compiling:

mkdir ~/faketun
cd ~/faketun
sudo apt-get install build-essential linux-headers-`uname -r`

Fake tun module

One of the problems with Lucid Lynx and SSL Network Extender (SNX) is that Ubuntu has compiled the tun module into the kernel, while SNX expects a loadable kernel module. Therefore we will make a fake module available for SNX. In the faketun directory, create a source file:

vi tun.c

Enter the following:

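#include <linux/init.h>
#include <linux/module.h>

/* Stub module: it does nothing, it only lets "modprobe tun" succeed. */
static int __init start__module(void) { return 0; }
static void __exit end__module(void) { }
module_init(start__module);
module_exit(end__module);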

Next up is the makefile:

vi Makefile

Put in this:

obj-m += tun.o
all:
	make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) clean
clean-files := Module.symvers

Now build the fake tun module:

cd ~/faketun
make
make -C /lib/modules/2.6.32-24-generic/build/ M=/home/tdd/faketun modules
make[1]: Entering directory `/usr/src/linux-headers-2.6.32-24-generic'
  CC [M]  /home/tdd/faketun/tun.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /home/tdd/faketun/tun.mod.o
  LD [M]  /home/tdd/faketun/tun.ko
make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-24-generic'

Still in the faketun directory, install the module and refresh the module dependencies:

sudo install tun.ko /lib/modules/`uname -r`/kernel/net/tun.ko
sudo depmod -a
sudo modprobe tun
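
The stub only makes sense when the running kernel really has tun built in, as described above. The following pre-flight check is an added example, not part of the original how-to; it assumes the Ubuntu default paths /boot/config-<release> and /lib/modules/<release>, and the function names are hypothetical:

```sh
#!/bin/sh
# Added example, not part of the original how-to.
# Assumed paths (Ubuntu defaults): /boot/config-<release> and
# /lib/modules/<release>.

# tun_mode CONFIG_FILE: print how the kernel provides the tun driver.
tun_mode() {
    [ -r "$1" ] || { echo unknown; return 0; }
    case $(grep -E '^CONFIG_TUN=' "$1" | tail -n 1) in
        CONFIG_TUN=y) echo builtin ;;
        CONFIG_TUN=m) echo module ;;
        *)            echo absent ;;
    esac
}

# real_tun_modules MODDIR: list genuine tun modules shipped with the kernel.
# The real driver lives in drivers/net; the stub from this page goes in net/.
real_tun_modules() {
    [ -d "$1/kernel/drivers/net" ] || return 0
    find "$1/kernel/drivers/net" -name 'tun.ko*' 2>/dev/null
}

# faketun_verdict CONFIG_FILE MODDIR: say whether the stub is appropriate.
faketun_verdict() {
    mode=$(tun_mode "$1")
    found=$(real_tun_modules "$2")
    if [ -n "$found" ]; then
        echo keep-real-module    # a stub named tun.ko would conflict with it
    elif [ "$mode" = builtin ]; then
        echo install-stub        # the case this page describes
    elif [ "$mode" = module ]; then
        echo module-missing      # fix the kernel packages instead of stubbing
    else
        echo no-tun-support      # a stub cannot provide a working tun device
    fi
}

# Verdict for the running kernel.
rel=$(uname -r)
echo "tun on $rel: $(faketun_verdict "/boot/config-$rel" "/lib/modules/$rel")"
```

Only the install-stub verdict matches the situation this page works around; rerun the check after a kernel upgrade, since the stub is installed per kernel release.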

Old libraries

SNX is compiled against some old libraries, so we need them on the machine. We will need both the 64-bit and 32-bit versions:

cd ~/faketun
wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/libstdc++5_3.3.6-17ubuntu1_i386.deb
wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/libstdc++5_3.3.6-15ubuntu4_amd64.deb

Now it's time to install what we need from the old libraries:

cd ~/faketun
sudo dpkg -i gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
sudo dpkg -i libstdc++5_3.3.6-15ubuntu4_amd64.deb
sudo dpkg-deb -x libstdc++5_3.3.6-17ubuntu1_i386.deb ./tmp
sudo cp -v  tmp/usr/lib/* /usr/lib32/

Getting and installing SNX software

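Closing in on target! Get the SNX software from your gateway and install it manually. Don't try to use the web interface; it won't work, as it asks for the non-existing root password. Note that --no-check-certificate makes wget skip TLS certificate validation, so the script you are about to run as root is downloaded without authenticating the gateway; drop the option if the gateway certificate chains to a CA your machine trusts: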

wget --no-check-certificate https://checkpoint-gateway-address/CSHELL/snx_install.sh
chmod +x snx_install.sh 
sudo ./snx_install.sh 

Connecting to gateway

This should basically do it. Now just fire up the client by executing:

snx -s checkpoint-gateway-address -u username

Check Point's Linux SNX
build 800005004
Please enter your password:
SNX authentication:
Please confirm the connection to gateway: gwcluster VPN Certificate
Root CA fingerprint: ECHO FCK LONE ITU DUG ART LILY TASK HEAL FIX SEN GO
Do you accept? [y]es/[N]o:
y
SNX - connected.

Session parameters:
===================
Office Mode IP      : 192.168.2.25
DNS Server          : 192.168.2.31
Secondary DNS Server: 192.168.2.32
DNS Suffix          : domain.net
Timeout             : 8 hours 

It will ask for your acceptance of the gateway certificate, which you of course do after checking the fingerprint (right!!), and then the user password/passcode or whatever authentication you use.

You can also make a “.snxrc” file and put it in your home directory. The file could look like this:

# This is an example of the ~/.snxrc file
server 1.2.3.4
username joe

All you have to do to connect is just type “snx”. It will then pick up the settings from ~/.snxrc.

Disconnecting gateway

You disconnect SNX by running:

snx -d

GUI

Put this into a file and run it. Zenity then serves as the GUI tool, giving a nicer interface.

#!/bin/bash
# This is a Zenity frontend for Check Point SSL Network Extender.

# Show an error dialog and stop when the user cancels a prompt.
function abort {
	zenity --error --text="VPN Connection Aborted!" --timeout=1
	exit 1
}

# If snx is already running, show the tunnel interface and stop.
if pidof snx > /dev/null
then
	zenity --warning --title="Already online!" --text="$(ifconfig tunsnx)" --no-wrap
	exit 0
fi

# Each prompt aborts if the dialog is cancelled or closed.
GATEWAY=$(zenity --title "VPN Gateway" --entry --text "Enter VPN Gateway Address" --entry-text=gw.dubex.dk) || abort
USERNAME=$(zenity --title "Username" --entry --text "Enter Username" --entry-text=tdd) || abort
PASSWORD=$(zenity --title "Password" --entry --text "Enter Password/Passcode" --hide-text) || abort

# Quote the user input so each value reaches snx as a single argument, and
# use printf so a password starting with "-" is not read as an echo option.
printf '%s\n' "$PASSWORD" | snx -s "$GATEWAY" -u "$USERNAME" | zenity --text-info

Source: http://www.linuxplanet.org/blogs/?cat=2475

Files packed in a gzip'ed tarball: faketun.tar.gz
