howtos:ssl_network_extender_on_lucid_64-bit

Differences

This shows you the differences between two versions of the page.

howtos:ssl_network_extender_on_lucid_64-bit [d/m/Y H:i] (current)
Line 1: Line 1:
 +====== Prep ======
  
 +Make a directory where we can dump our files and install the needed tools for compiling:
 +<code>
 +mkdir ~/faketun
 +cd faketun/
 +sudo apt-get install build-essential linux-headers-`uname -r`
 +</code>
 +====== Fake tun module ======
 +
 +One of the problems with Lucid Lynx and SSL Network Extender (SNX) is that Ubuntu has compiled the tun module into the kernel and SNX expect a kernel module. Therefore we will make a fake module available for SNX.
 +In the faketun create a source file:
 +
 +<code>
 +vi tun.c
 +</code>
 +
 +Enter the following:
 +
 +<file>
 +#include <linux/module.h>
 +static int start__module(void) {return 0;}
 +static void end__module(void){return;}
 +module_init(start__module);
 +module_exit(end__module);
 +</file>
 +
 +Next up is the makefile:
 +
 +<code>
 +vi Makefile
 +</code>
 +
 +Put in this:
 +
 +<file>
 +obj-m += tun.o
 +all:
 + make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) modules
 +clean:
 + make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) clean
 +clean-files := Module.symvers
 +</file>
 +
 +Now build the fake tun module:
 +
 +<code>
 +cd ~/faktun
 +make
 +make -C /lib/modules/2.6.32-24-generic/build/ M=/home/tdd/faketun modules
 +make[1]: Entering directory `/usr/src/linux-headers-2.6.32-24-generic'
 +  CC [M]  /home/tdd/faketun/tun.o
 +  Building modules, stage 2.
 +  MODPOST 1 modules
 +  CC      /home/tdd/faketun/tun.mod.o
 +  LD [M]  /home/tdd/faketun/tun.ko
 +make[1]: Leaving directory `/usr/src/linux-headers-2.6.32-24-generic'
 +</code>
 +
 +Still in the faktun directory, install and refresh module dependencies:
 +
 +<code>
 +sudo install tun.ko /lib/modules/`uname -r`/kernel/net/tun.ko
 +sudo depmod -a
 +sudo modprobe tun
 +</code>
 +
 +====== Old libraries ======
 +The SNX is compiled against some old libraries and thus we need them on the machine. We will need both the 64-bit and 32-bit version:
 +
 +<code>
 +cd ~/faketun
 +wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/libstdc++5_3.3.6-17ubuntu1_i386.deb
 +wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
 +wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/libstdc++5_3.3.6-15ubuntu4_amd64.deb
 +</code>
 +
 +
 +Now its time to install what we need from the old libraries:
 +<code>
 +cd ~/faketun
 +sudo dpkg -i gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
 +sudo dpkg -i libstdc++5_3.3.6-15ubuntu4_amd64.deb
 +sudo dpkg-deb -x libstdc++5_3.3.6-17ubuntu1_i386.deb ./tmp
 +sudo cp -v  tmp/usr/lib/* /usr/lib32/
 +</code>
 +
 +====== Getting and installing SNX software ======
 +
 +Closing in on target! Get the SNX software from your gateway and install it manually. Don't try to use the webinterface, it wouldn't work as it ask for the non-existing root password:
 +
 +<code>
 +wget --no-check-certificate https://checkpoint-gateway-address/CSHELL/snx_install.sh
 +chmod +x snx_install.sh 
 +sudo ./snx_install.sh 
 +</code>
 +====== Connecting to gateway ======
 +
 +This should basically do it. Now just fire up the client by executing:
 +
 +<code>
 +snx -s checkpoint-gateway-address -u username
 +
 +Check Point's Linux SNX
 +build 800005004
 +Please enter your password:
 +SNX authentication:
 +Please confirm the connection to gateway: gwcluster VPN Certificate
 +Root CA fingerprint: ECHO FCK LONE ITU DUG ART LILY TASK HEAL FIX SEN GO
 +Do you accept? [y]es/[N]o:
 +y
 +SNX - connected.
 +
 +Session parameters:
 +===================
 +Office Mode IP      : 192.168.2.25
 +DNS Server          : 192.168.2.31
 +Secondary DNS Server: 192.168.2.32
 +DNS Suffix          : domain.net
 +Timeout             : 8 hours 
 +</code>
 +
 +It will ask for your acceptance of the gateway certificate, which you of course do after checking the fingerprint (right!!), and then the user password/passcode or whatever authentication you use.
 +
 +You can also make a ".sxnrc" file and put it in your home. The file could look like this:
 +
 +<file>
 +# This is an example of the ~/.snxrc file
 +server 1.2.3.4
 +username joe
 +</file>
 +
 +All you have to do to connect is just type "snx". It will then pick up the settings from ~/.snxrc.
 +====== Disconnecting gateway ======
 +You disconnect SNX by running:
 +
 +<code>
 +snx -d
 +</code>
 +====== GUI ======
 +Put this into a file and run it. Then zenity will be the gui tool to make a more nicer interface.
 +
 +<file>
 +#!/bin/bash
 +# This is a Zenity frontend for Check Point SSL Network Extender.
 +
 +function abort {
 +
 + zenity --error --text="VPN Connection Aborted\!" --timeout=1
 + exit 0
 +}
 +
 +pidof snx
 +CONNECTED=$(echo $?)
 +if [ $CONNECTED -eq 0 ]
 +then
 + zenity --warning --title="Already online!" --text="$(ifconfig tunsnx)" --no-wrap
 + exit 0
 +fi
 +
 +
 +GATEWAY=$(zenity --title  "VPN Gateway" --entry --text "Enter VPN Gateway Address" --entry-text=gw.dubex.dk)
 +if [ $? -eq 1 ]
 +then
 + abort
 +fi
 +USERNAME=$(zenity --title "Username" --entry --text "Enter Username" --entry-text=tdd)
 +if [ $? -eq 1 ]
 +then
 + abort
 +fi
 +PASSWORD=$(zenity --title "Password" --entry --text "Enter Password/Passcode" --hide-text)
 +if [ $? -eq 1 ]
 +then
 + abort
 +fi
 +echo $PASSWORD | snx -s $GATEWAY -u $USERNAME | zenity --text-info
 +</file>
 +
 +----
 +Source: http://www.linuxplanet.org/blogs/?cat=2475
 +
 +Files packed in a gzip'ed tarball: {{:howtos:faketun.tar.gz|}}
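
Review bot: In the "Getting and installing SNX software" section, "wget --no-check-certificate https://checkpoint-gateway-address/CSHELL/snx_install.sh" turns off TLS certificate validation for a script that the next two lines make executable and run with sudo, so nothing authenticates the installer before it executes as root. Drop --no-check-certificate; if the gateway certificate is issued by a private CA, pass that CA to wget with --ca-certificate=<file> instead, which keeps the download consistent with the later advice to check the gateway fingerprint before accepting it. The three .deb files under "Old libraries" are likewise fetched over plain http:// and then installed or unpacked as root with no checksum step; add one, or use an https mirror. Two smaller fixes: the build step uses "cd ~/faktun" (and the following sentence says "faktun directory") although Prep creates ~/faketun, and the text names the config file ".sxnrc" while the example and the next sentence use ~/.snxrc.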
howtos/ssl_network_extender_on_lucid_64-bit.txt · Last modified: d/m/Y H:i (external edit)