howtos:ssl_network_extender_on_lucid_64-bit

Differences

This shows you the differences between two versions of the page.

howtos:ssl_network_extender_on_lucid_64-bit [d/m/Y H:i] (current)
Line 1: Line 1:
 +====== Prep ======
  
 +Make a directory where we can dump our files and install the needed tools for compiling:
 +<​code>​
 +mkdir ~/faketun
 +cd faketun/
 +sudo apt-get install build-essential linux-headers-`uname -r`
 +</​code>​
 +====== Fake tun module ======
 +
 +One of the problems with Lucid Lynx and SSL Network Extender (SNX) is that Ubuntu has compiled the tun module into the kernel and SNX expect a kernel module. Therefore we will make a fake module available for SNX.
 +In the faketun create a source file:
 +
 +<​code>​
 +vi tun.c
 +</​code>​
 +
 +Enter the following:
 +
 +<​file>​
 +#include <​linux/​module.h>​
 +static int start__module(void) {return 0;}
 +static void end__module(void){return;​}
 +module_init(start__module);​
 +module_exit(end__module);​
 +</​file>​
 +
 +Next up is the makefile:
 +
 +<​code>​
 +vi Makefile
 +</​code>​
 +
 +Put in this:
 +
 +<​file>​
 +obj-m += tun.o
 +all:
 + make -C /​lib/​modules/​$(shell uname -r)/build/ M=$(PWD) modules
 +clean:
 + make -C /​lib/​modules/​$(shell uname -r)/build/ M=$(PWD) clean
 +clean-files := Module.symvers
 +</​file>​
 +
 +Now build the fake tun module:
 +
 +<​code>​
 +cd ~/faktun
 +make
 +make -C /​lib/​modules/​2.6.32-24-generic/​build/​ M=/​home/​tdd/​faketun modules
 +make[1]: Entering directory `/​usr/​src/​linux-headers-2.6.32-24-generic'​
 +  CC [M]  /​home/​tdd/​faketun/​tun.o
 +  Building modules, stage 2.
 +  MODPOST 1 modules
 +  CC      /​home/​tdd/​faketun/​tun.mod.o
 +  LD [M]  /​home/​tdd/​faketun/​tun.ko
 +make[1]: Leaving directory `/​usr/​src/​linux-headers-2.6.32-24-generic'​
 +</​code>​
 +
 +Still in the faktun directory, install and refresh module dependencies:​
 +
 +<​code>​
 +sudo install tun.ko /​lib/​modules/​`uname -r`/​kernel/​net/​tun.ko
 +sudo depmod -a
 +sudo modprobe tun
 +</​code>​
 +
 +====== Old libraries ======
 +The SNX is compiled against some old libraries and thus we need them on the machine. We will need both the 64-bit and 32-bit version:
 +
 +<​code>​
 +cd ~/faketun
 +wget http://​nl.archive.ubuntu.com/​ubuntu/​pool/​universe/​g/​gcc-3.3/​libstdc++5_3.3.6-17ubuntu1_i386.deb
 +wget http://​nl.archive.ubuntu.com/​ubuntu/​pool/​universe/​g/​gcc-3.3/​gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
 +wget http://​nl.archive.ubuntu.com/​ubuntu/​pool/​universe/​g/​gcc-3.3/​libstdc++5_3.3.6-15ubuntu4_amd64.deb
 +</​code>​
 +
 +
 +Now its time to install what we need from the old libraries:
 +<​code>​
 +cd ~/faketun
 +sudo dpkg -i gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
 +sudo dpkg -i libstdc++5_3.3.6-15ubuntu4_amd64.deb
 +sudo dpkg-deb -x libstdc++5_3.3.6-17ubuntu1_i386.deb ./tmp
 +sudo cp -v  tmp/​usr/​lib/​* /usr/lib32/
 +</​code>​
 +
 +====== Getting and installing SNX software ======
 +
 +Closing in on target! Get the SNX software from your gateway and install it manually. Don't try to use the webinterface,​ it wouldn'​t work as it ask for the non-existing root password:
 +
 +<​code>​
 +wget --no-check-certificate https://​checkpoint-gateway-address/​CSHELL/​snx_install.sh
 +chmod +x snx_install.sh ​
 +sudo ./​snx_install.sh ​
 +</​code>​
 +====== Connecting to gateway ======
 +
 +This should basically do it. Now just fire up the client by executing:
 +
 +<​code>​
 +snx -s checkpoint-gateway-address -u username
 +
 +Check Point'​s Linux SNX
 +build 800005004
 +Please enter your password:
 +SNX authentication:​
 +Please confirm the connection to gateway: gwcluster VPN Certificate
 +Root CA fingerprint:​ ECHO FCK LONE ITU DUG ART LILY TASK HEAL FIX SEN GO
 +Do you accept? [y]es/[N]o:
 +y
 +SNX - connected.
 +
 +Session parameters:
 +===================
 +Office Mode IP      : 192.168.2.25
 +DNS Server ​         : 192.168.2.31
 +Secondary DNS Server: 192.168.2.32
 +DNS Suffix ​         : domain.net
 +Timeout ​            : 8 hours 
 +</​code>​
 +
 +It will ask for your acceptance of the gateway certificate,​ which you of course do after checking the fingerprint (right!!), and then the user password/​passcode or whatever authentication you use.
 +
 +You can also make a "​.sxnrc"​ file and put it in your home. The file could look like this:
 +
 +<​file>​
 +# This is an example of the ~/.snxrc file
 +server 1.2.3.4
 +username joe
 +</​file>​
 +
 +All you have to do to connect is just type "​snx"​. It will then pick up the settings from ~/.snxrc.
 +====== Disconnecting gateway ======
 +You disconnect SNX by running:
 +
 +<​code>​
 +snx -d
 +</​code>​
 +====== GUI ======
 +Put this into a file and run it. Then zenity will be the gui tool to make a more nicer interface.
 +
 +<​file>​
 +#!/bin/bash
 +# This is a Zenity frontend for Check Point SSL Network Extender.
 +
 +function abort {
 +
 + zenity --error --text="​VPN Connection Aborted\!"​ --timeout=1
 + exit 0
 +}
 +
 +pidof snx
 +CONNECTED=$(echo $?)
 +if [ $CONNECTED -eq 0 ]
 +then
 + zenity --warning --title="​Already online!"​ --text="​$(ifconfig tunsnx)"​ --no-wrap
 + exit 0
 +fi
 +
 +
 +GATEWAY=$(zenity --title ​ "VPN Gateway"​ --entry --text "Enter VPN Gateway Address"​ --entry-text=gw.dubex.dk)
 +if [ $? -eq 1 ]
 +then
 + abort
 +fi
 +USERNAME=$(zenity --title "​Username"​ --entry --text "Enter Username"​ --entry-text=tdd)
 +if [ $? -eq 1 ]
 +then
 + abort
 +fi
 +PASSWORD=$(zenity --title "​Password"​ --entry --text "Enter Password/​Passcode"​ --hide-text)
 +if [ $? -eq 1 ]
 +then
 + abort
 +fi
 +echo $PASSWORD | snx -s $GATEWAY -u $USERNAME | zenity --text-info
 +</​file>​
 +
 +----
 +Source: http://​www.linuxplanet.org/​blogs/?​cat=2475
 +
 +Files packed in a gzip'​ed tarball: {{:​howtos:​faketun.tar.gz|}}
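Review bot: Under "Getting and installing SNX software", the installer is fetched with "wget --no-check-certificate" and then run with "sudo ./snx_install.sh", so a script downloaded with TLS verification switched off is executed as root. Suggest dropping --no-check-certificate and, if the gateway certificate is issued by a private CA, pointing wget at that CA with --ca-certificate, or getting snx_install.sh from the gateway administrator over a verified channel. The three .deb files under "Old libraries" have the same gap: they are fetched over plain http, then installed with "dpkg -i" or copied into /usr/lib32, with no checksum step in between; add a comparison against a checksum from a trusted source before installing. Smaller points: the build and install steps say "cd ~/faktun" and "faktun directory" while Prep created ~/faketun; the text names the file ".sxnrc" while the example and the next sentence use ~/.snxrc; and the last line of the GUI script expands $PASSWORD, $GATEWAY and $USERNAME unquoted, so quote all three, and consider printf '%s\n' "$PASSWORD" instead of echo so that a password beginning with a dash or containing backslashes is passed through unchanged.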
howtos/ssl_network_extender_on_lucid_64-bit.txt · Last modified: d/m/Y H:i (external edit)