Difference between revisions of "Juniper VPN"

From ArchWiki
(New page: Category:Networking =HOWTO instructions= Here's what I did to connect to the Juniper VPN at my company: References: [http://gentoo-wiki.com/HOWTO_Juniper_SSL_Network_Connect_VPN Gen...)
 
Line 60: Line 60:
 
First of all, make sure the username and password is actually correct. ;-) Check caps lock, etc. If you swear it's correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.
 
First of all, make sure the username and password is actually correct. ;-) Check caps lock, etc. If you swear it's correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.
  
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers. One thing that had me scratching my head for months is incorrect charset. Juniper IVE apparently does not support UTF-8. For some reasons, my "intl.charset.default" setting in "about:config" for Firefox is UTF-8, causing my POST request to have *ONLY* UTF-8 in the charset. Setting it to ISO-8859-1 fixes the problem. Also double check "intl.accept_charsets". You can have UTF-8, Chinese and European charsets all you want. But make sure you have ISO-8859-1 as fallback. Use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.
+
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers.
 +
 
 +
One thing that had me scratching my head for months is incorrect charset. Juniper IVE apparently does not support UTF-8. For some reasons, my "intl.charset.default" setting in "about:config" for Firefox is UTF-8, causing my POST request to have *ONLY* UTF-8 in the charset. Setting it to ISO-8859-1 fixes the problem. Also double check "intl.accept_charsets". You can have UTF-8, Chinese and European charsets all you want. But make sure you have ISO-8859-1 as fallback. Use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.
 +
 
 +
Another thing is the useragent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.
  
 
==I can login but Network Connect won't launch==
 
==I can login but Network Connect won't launch==
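Review bot: the added paragraph at the end of this hunk says the useragent must be "Firefox", not "Bon Echo", and points at "general.useragent.extra.firefox", but it never gives the value to put there. State the exact string to set, and mention that Tamper Data (already recommended two paragraphs up) can confirm the User-Agent header that is actually sent. Style point: write "user agent" as two words.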

Revision as of 02:48, 5 July 2007


HOWTO instructions

Here's what I did to connect to the Juniper VPN at my company:

References: Gentoo Wiki

  1. Get JRE
  2. Get the really old GCC libs
    1. Either with gcc3 and gcc2
    2. If you're lazy like me or just can't get it to produce the super-old libstdc++-libc6.2-2.so.3, just steal the whole lib-compat from Gentoo with this PKGBUILD:
# Contributor: Clement Siuchung Cheung <clement.cheung@umich.edu>
pkgname=lib-compat
pkgver=1.4.1
pkgrel=1
pkgdesc="Gentoo lib compat for old programs only available in binary"
arch=(x86)
url="http://www.gentoo.org/"
source=(ftp://ftp.ibiblio.org/pub/linux/distributions/gentoo/distfiles/${pkgname}-${pkgver}.tar.bz2)
md5sums=('ec4a4528295b5879ad055e44c4a6d463')

build() {
  cd $startdir/src/${pkgname}-${pkgver}/x86

  # Install /lib files
  mkdir -p $startdir/pkg/lib
  mv ld-linux.so.1* $startdir/pkg/lib

  # Install /usr/lib files
  mkdir -p $startdir/pkg/usr/lib
  mv *.so* $startdir/pkg/usr/lib

  # Fix files
  cd $startdir/pkg/usr/lib
  mv -f libstdc++-libc6.2-2.so.3 libstdc++-3-libc6.2-2-2.10.0.so
  ln -s libstdc++-3-libc6.2-2-2.10.0.so libstdc++-libc6.2-2.so.3
  mv -f libstdc++-libc6.1-1.so.2 libstdc++-2-libc6.1-1-2.9.0.so
  ln -s libstdc++-2-libc6.1-1-2.9.0.so libstdc++-libc6.1-1.so.2
  ln -s libstdc++.so.2.8.0 libstdc++.so.2.8
  ln -s libstdc++.so.2.7.2.8 libstdc++.so.2.7.2
  ln -s libg++.so.2.7.2.8 libg++.so.2.7.2
  rm -f libstdc++.so.2.9.dummy libstdc++.so.2.9.0
  rm -f libsmpeg-0.4.so.0.dummy
}
  3. Get the smelly old Motif libs
    1. Install lesstif, then symlink it to fool the system into thinking it's Motif, as described in the Gentoo wiki.
    2. Sadly I wasn't able to get it to work through the openmotif route because our openmotif package is too new and will give you libXm.so.4 instead of libXm.so.3. Add your instructions here if you manage to get this to work.
  4. Get su to work. They use xterm to ask for the root password to do the install. So do either of the following:
    1. Install xterm
    2. Set up your user to be able to su without a password (google for the instructions)
  5. Do "sudo modprobe tun". You'll need to do it every time before you connect, so you might want to set up the tun module to be autoloaded at startup to save you time and trouble.

Troubleshooting

There are many things that can go wrong. Please share your experience here if there's something non-obvious that cost you weeks to track down, so that others can save their time. ;-)

It keeps saying password incorrect

First of all, make sure the username and password are actually correct. ;-) Check caps lock, etc. If you swear they're correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.

The Tamper Data addon for Firefox can be used to debug. Try changing the fields in the headers.

One thing that had me scratching my head for months is an incorrect charset. Juniper IVE apparently does not support UTF-8. For some reason, my "intl.charset.default" setting in "about:config" for Firefox is UTF-8, causing my POST request to have *ONLY* UTF-8 in the charset. Setting it to ISO-8859-1 fixes the problem. Also double check "intl.accept_charsets". You can have UTF-8, Chinese and European charsets all you want. But make sure you have ISO-8859-1 as fallback. Use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.

Another thing is the user agent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.

I can login but Network Connect won't launch

  1. Check your JRE
  2. Go to ".juniper_networks/network_connect" in your home directory.
  3. Check that ncsvc is setuid root. Fix it if not.
  4. Run "ldd ncsvc" and see if there are any missing libraries.
  5. Follow the instructions here to run it from the command line. Use the "-L 5" switch to log everything, use strace as root, etc. Peek at ncsvc.log and see if there's anything wrong.
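
The checks from steps 3 and 4 as a shell script (an added example, not part of the original page or of Juniper's tooling). The function names are hypothetical, and the ownership and write-permission checks go slightly beyond the step text: a setuid bit only means "runs as root" when root owns the file, and a setuid-root binary that group or others can modify should be fixed along with it.

```shell
#!/bin/sh
# Added example: sanity checks for ncsvc before launching Network Connect.
# The path follows the page; function names are hypothetical.
NCSVC="${NCSVC:-$HOME/.juniper_networks/network_connect/ncsvc}"

# Succeeds only if the file has the setuid bit set.
is_setuid() {
    [ -u "$1" ]
}

# Prints the numeric owner uid (0 means root).
owner_uid() {
    stat -c '%u' "$1"
}

# Succeeds if group or others may write to the file.
is_loosely_writable() {
    mode=$(stat -c '%a' "$1")
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# Reads `ldd` output on stdin and prints the names of unresolved libraries.
missing_libs() {
    awk '/=> not found/ { print $1 }'
}

# Returns 0 if all checks pass, 1 if any check fails, 2 if the file is absent.
check_ncsvc() {
    f="$1"; rc=0
    [ -f "$f" ] || { echo "missing: $f"; return 2; }
    is_setuid "$f" || { echo "not setuid: $f"; rc=1; }
    [ "$(owner_uid "$f")" = "0" ] || { echo "not owned by root: $f"; rc=1; }
    if is_loosely_writable "$f"; then echo "group/other writable: $f"; rc=1; fi
    libs=$(ldd "$f" 2>/dev/null | missing_libs)
    [ -z "$libs" ] || { echo "missing libraries: $libs"; rc=1; }
    return $rc
}

# Usage: sh this-script check
if [ "${1:-}" = "check" ]; then check_ncsvc "$NCSVC"; fi
```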

Network Connect launched but the VPN doesn't work

Run "route" or "ip route" and see if the route is there. Network Connect has a diagnosis tool in the GUI. You can also check the logs (also available in the GUI).

If it initially works but stops working later on, see the caveat below.

Caveats

/etc/resolv.conf will get overwritten every once in a while by DHCPCD so your VPN will stop working eventually. If that happens, just restart Network Connect. There's no known solution to the problem but I did find a discussion on the Red Hat bugs website about this. We need to somehow teach DHCPCD the concept of merging configs and being a good neighbor...

Until then, restart the connection every once in a while, save /etc/resolv.conf somewhere, or somehow whip up some super-clever script yourself to restore the VPN settings every time your DHCP lease is renewed.
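
One way to write the restore script mentioned above (an added example, not from the original page). The saved-copy path, the tun0 interface name and the function names are assumptions; it puts the VPN's resolv.conf back only while the tunnel interface exists, so the DHCP-provided resolvers stay in place once the VPN is down.

```shell
#!/bin/sh
# Added example: keep a copy of the VPN's resolv.conf and restore it when
# DHCPCD replaces it. Paths, interface name and function names are assumptions.
RESOLV="${RESOLV:-/etc/resolv.conf}"
SAVED="${SAVED:-/var/run/resolv.conf.vpn}"
SYSNET="${SYSNET:-/sys/class/net}"

# Call once, right after Network Connect has written its DNS settings.
save_vpn_resolv() {
    cp -p "$RESOLV" "$SAVED"
}

# Succeeds if the live file no longer matches the saved VPN copy.
resolv_drifted() {
    ! cmp -s "$RESOLV" "$SAVED"
}

# $1 = tunnel interface. Returns 2 if nothing was saved, 3 if the tunnel
# is gone, 1 if the copy failed, 0 otherwise; prints "restored" on a restore.
restore_vpn_resolv() {
    iface="${1:-tun0}"
    [ -f "$SAVED" ] || return 2
    [ -e "$SYSNET/$iface" ] || return 3
    if resolv_drifted; then
        tmp="$RESOLV.$$"
        # Write beside the target, then rename, so readers never see a partial file.
        cp -p "$SAVED" "$tmp" && mv -f "$tmp" "$RESOLV" || return 1
        echo restored
    fi
    return 0
}

# Usage (as root, after the VPN is up): sh this-script watch [iface]
if [ "${1:-}" = "watch" ]; then
    save_vpn_resolv
    while sleep 30; do restore_vpn_resolv "${2:-tun0}" || break; done
fi
```

The watch loop stops as soon as the tunnel interface disappears, which leaves whatever DHCPCD wrote last in place.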