How to install Checkpoint ssl extender vpn (snx) under Debian/Kubuntu

I have released an update to this blog post: See CheckPoint SNX install instructions for major Linux distributions

Another in my series of 6 months from now posts.

There is a Linux client for Checkpoint’s ssl extender vpn. The binary is called snx and it works quite reliably after you get over the problems of getting it installed. The first thing you need is the software itself which you will need to get from Checkpoint. The install is easy enough, just run the install script

./snx_install.sh

or if you want a bit more feedback you can run

sh +x ./snx_install.sh

This shell script contains an embedded tar file which installs the snx binary as /usr/bin/snx. To run the vpn script simply type

user@pc:~$ snx

If all goes well then you should see the SNL login screen as shown here:

Check Point's Linux SNX
build XXXXXXXXX
Please enter your password:

SNX - connected.

Session parameters:
===================
Office Mode IP      : xxx.xxx.xxx.xxx
DNS Server          : xxx.xxx.xxx.xxx
Secondary DNS Server: xxx.xxx.xxx.xxx
DNS Suffix          : example.com
Timeout             : x hours

Now we get onto the if things don’t go well – which for me has been the default scenario.

We have the famed snx: error while loading shared libraries: libstdc++.so.5: cannot open shared object file: No such file or directory bug.
On Debian Sid you can simply install the correct library

$ aptitude install libstdc++5

To get around this on ubuntu download an older package.

$ wget http://nl.archive.ubuntu.com/ubuntu/pool/universe/g/gcc-3.3/libstdc++5_3.3.6-17ubuntu1_i386.deb

I extracted the debian package first to see what I was about to install.

$ dpkg-deb --extract libstdc++5_3.3.6-17ubuntu1_i386.deb ./
$ find
.
./usr
./usr/share
./usr/share/doc
./usr/share/doc/libstdc++5
./usr/share/doc/libstdc++5/TODO.Debian
./usr/share/doc/libstdc++5/copyright
./usr/share/doc/libstdc++5/README.Debian
./usr/share/doc/libstdc++5/changelog.Debian.gz
./usr/lib
./usr/lib/libstdc++.so.5.0.7
./usr/lib/libstdc++.so.5
./libstdc++5_3.3.6-17ubuntu1_i386.deb

Nothing too strange there so I then installed the package

$ dpkg -i libstdc++5_3.3.6-17ubuntu1_i386.deb

and after that snx works just fine …..

Edit2:
…. Until you try and do this on an AMD64/x86_64 computer. The steps above are the same except that you need to first install the amd64 version of gcc 3.3 as well.

dpkg -i gcc-3.3-base_3.3.6-15ubuntu4_amd64.deb
dpkg -i libstdc++5_3.3.6-15ubuntu4_amd64.deb

One extra step is to also install the 32 bit libstdc libraries as snx is compiled as a i386 application.

dpkg-deb -x libstdc++5_3.3.6-17ubuntu1_i386.deb ./tmp
cp -v  x/usr/lib/* /usr/lib32/

Shouts go out to Husain Al-Khamis for this one.

and after that snx works just fine …..

until you update to kernel 2.6.32-21-generic which happened to me when I updated to Kubuntu 10.04 LTS.

I got the error message that there is no tun available. This is because the generic kernel was shipped without the tun.ko module that snx (and many other vpn’s ) use to create a virtual network interface.

Luckily the user kazersozet posted a fix which I’m copy and pasting below. The basic fix is supplied at your own risk.

sudo apt-get install build-essential linux-headers-`uname -r`
mkdir faketun
cd faketun
echo -e "#include
\nstatic int start__module(void) {return 0;}\nstatic void end__module(void){return;}\nmodule_init(start__module);\nmodule_exit(end__module);">tun.c
echo -e "obj-m += tun.o\nall:\n\tmake -C /lib/modules/\$(shell uname -r)/build/ M=\$(PWD) modules\nclean:\n\tmake -C /lib/modules/\$(shell uname -r)/build/ M=\$(PWD) clean\nclean-files := Module.symvers">Makefile
make
sudo install tun.ko /lib/modules/`uname -r`/kernel/net/tun.ko
sudo depmod -a
sudo modprobe tun

Edit: Please see the comments by Ove – for some reason wordpress is putting in a space see the origional post.

Edit3: I’ll just link to the Makefile and tun.c files.

It first installs the applications needed to compile software. Then it creates two files called tun.c (the source code for the new module) and Makefile (the instructions on how to compile it) in a new subdirectory called faketun. Then it uses the make command to compile the software and the it installs it into the correct directory. It then runs depmod to update modules dependencies and finally it installs the new kernel module.

This entry was posted in General, snx and tagged , . Bookmark the permalink.

19 Responses to How to install Checkpoint ssl extender vpn (snx) under Debian/Kubuntu

  1. Ove says:

    Thank you!

    This fixed my problem which happened after upgrade to Ubuntu 10.04.
    I got an error message stating: Virtual Network Adapter initialization and configuration failed. Try to reconnect.
    Nothing about tun not available.

    However, installing the tun solved the problem.

    There is one bug in the script: echo -e “#include …. should be echo -e “#include

    Thanks again!

  2. Ove says:

    Let’s try again
    There is one bug in the script: echo -e “… linux /module.h…. should be echo -e “ … linux/module.h

  3. Yaniv says:

    Thanks,
    Saved my day, I had no idea that this is why I cant connect via web….

  4. Marco says:

    THANKS

  5. Marco says:

    You can try to write

    install tun /bin/true into…… /etc/modprobe.conf

  6. Pingback: ssl extender on ubuntu 10.04 | Erolucar's Blog

  7. Jean-christophe says:

    Thank you very much for you precious help.

  8. Matt Thompson says:

    Thanks fir this.

    Installing the libstdc++.so.5 files got me connected to my office (via browser)

  9. Pingback: How to install Checkpoint ssl extender vpn (snx) under Fedora 14 « kenfallon.com

  10. Kesara K says:

    Thanks !
    saved me the day with ARCH Linux x86_64. I did the following

    yaourt -S lib32-libstdc++5
    yaourt -S lib32-libx11
    yaourt -S lib32-cracklib

    LD_PRELOAD=/usr/lib32/libstdc++.so.5 snx

    Got connected

  11. boaz says:

    does not work under google chrome and ubuntu amd64 11.04

  12. DomH says:

    Hello,

    This page saved me when I update to 10.04.
    I continue updating till 11.04 without any problem.

    I just made a new OS install (11.04) and snx use fail with the following message:

    snx
    bash: /usr/bin/snx: Aucun fichier ou dossier de ce type (no file or repository of this type.

    When looking
    ls -l /usr/bin/snx*
    -r-s–x–x 1 root root 3273196 2011-06-26 01:37 /usr/bin/snx
    -r-xr-xr-x 1 root root 747 2011-06-26 01:37 /usr/bin/snx_uninstall

    it is there.

    Any idea ?
    Thanks in advance

  13. Yuval says:

    on Centos5:
    yum install libstdc++
    yum install libstdc++.so.5

  14. Pingback: How to install checkpoint ssl extender VPN SNX under Fedora 16 64bit | kenfallon.com

  15. Nadav Kavalerchik says:

    Thanks!

    Here is what helped me overcome the missing libstdc++.so.5 on Ubuntu 12.4
    http://pkgs.org/ubuntu-12.04/ubuntu-universe-i386/libstdc++5_3.3.6-25ubuntu1_i386.deb/download/

  16. Will says:

    no go on lubuntu x86_64
    uname -a
    Linux yeats 3.13.0-34-generic #60-Ubuntu SMP Wed Aug 13 15:45:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

    ls -l /usr/bin/snx
    -r-s–x–x 1 root root 3277356 Oct 29 07:52 /usr/bin/snx

    tried the above insall for libsdc++.so.5 . . .
    root@yeats:~# find /usr/lib -name libstdc++\* -exec ls -l {} \;
    total 984
    -rw-r–r– 1 root root 1006992 Aug 26 17:58 libstdc++.so.6
    -rw-r–r– 1 root root 1006992 Aug 26 17:58 /usr/lib/vmware/lib/libstdc++.so.6/libstdc++.so.6
    lrwxrwxrwx 1 root root 18 Oct 29 07:36 /usr/lib/i386-linux-gnu/libstdc++.so.5 -> libstdc++.so.5.0.7
    -rw-r–r– 1 root root 737340 Oct 29 07:36 /usr/lib/i386-linux-gnu/libstdc++.so.5.0.7
    -rw-r–r– 1 root root 979056 Apr 5 2014 /usr/lib/x86_64-linux-gnu/libstdc++.so.6.0.19
    lrwxrwxrwx 1 root root 19 Aug 26 16:27 /usr/lib/x86_64-linux-gnu/libstdc++.so.6 -> libstdc++.so.6.0.19
    lrwxrwxrwx 1 root root 18 Jan 31 2013 /usr/lib/x86_64-linux-gnu/libstdc++.so.5 -> libstdc++.so.5.0.7
    -rw-r–r– 1 root root 829792 Jan 31 2013 /usr/lib/x86_64-linux-gnu/libstdc++.so.5.0.7
    -rw-r–r– 1 root root 2904238 Apr 5 2014 /usr/lib/gcc/x86_64-linux-gnu/4.8/libstdc++.a
    lrwxrwxrwx 1 root root 40 Apr 5 2014 /usr/lib/gcc/x86_64-linux-gnu/4.8/libstdc++.so -> ../../../x86_64-linux-gnu/libstdc++.so.6

    $ LD_PRELOAD=/usr/lib/i386-linux-gnu/libstdc++.so.5 snx
    bash: /usr/bin/snx: No such file or directory
    . . . same as the following
    $ snx
    bash: /usr/bin/snx: No such file or directory

    If someone knows what is wrong, please let me know

  17. kadir says:

    Form where I will install ./snx_install.sh?

  18. ken_fallon says:

    Login to your firewall page
    https://yourfirewall.example.com/sslvpn/Portal/Main
    Then under Settings > Edit Native Application Settings
    https://yourfirewall.example.com/sslvpn/Portal/SNXSettings
    Then it should be under SSL Network Extender:
    Download installation for Linux

    If that is not the correct version then you will need to get it from the Administrator of your firewall.

    I have been asked many many times for the version that works for me, but I am not allowed to distribute it as it is Proprietary Software. I have asked permission from Checkpoint but they did not give any answer (and therefore no permission).

    I am continuing to pursue this but I will not distribute software that violates the licensing, on moral, legal and “I will get fired” grounds.

  19. sunilrebe says:

    You are great. All of your articles about snx helped me a lot to actually connect to it. Thanks for writing these articles including this one.

Leave a Reply

Your email address will not be published.