Difference between revisions of "Juniper VPN"

From ArchWiki
(updated name of mad-scientists script to the current name of "msjnc")
(Alternative Method: remove pacman -S)
 
(40 intermediate revisions by 19 users not shown)
Line 1: Line 1:
 
[[Category:Virtual Private Network]]
 
[[Category:Virtual Private Network]]
=Preferred installation method=
+
{{Poor writing|Using first person, needs more [[Help:Style|style]] fixes.}}
(NOTE: In [http://kb.juniper.net/InfoCenter/index?page=content&id=KB20490&actp=RSS some cases], depending on your corporate policy configuration, you _must_ login through the browser.  If this is the case, command-line tools (jnc, junipernc) won't work.)
+
{{Accuracy|Low quality workarounds}}
 +
== Native Open Source support with OpenConnect ==
  
1) Go to your companys' vpn site, log in and download / install the juniper client.  
+
The [http://www.infradead.org/openconnect/ OpenConnect]  VPN client has recently added support for Juniper VPN, supporting both TCP and UDP data transports. See the [http://lists.infradead.org/pipermail/openconnect-devel/2015-January/002628.html initial announcement] on the mailing list for more details.
  
2) Install {{AUR|jnc}} from [AUR].
+
To use, install {{Pkg|openconnect}} from the Archlinux respositories. If you want NetworkManager support, also install {{Pkg|networkmanager-openconnect}}, and restart NetworkManager.
 +
 
 +
== Official Software Preferred installation method==
 +
(NOTE: In [http://kb.juniper.net/InfoCenter/index?page=content&id=KB20490&actp=RSS some cases], depending on your corporate policy configuration, you _must_ login through the browser.  If this is the case, command-line tools (jnc, junipernc) will not work.)
 +
 
 +
1) Go to your companys' VPN site, log in and download / install the juniper client.
 +
 
 +
2) install {{AUR|jnc}} from the [[Arch User Repository]]. For 64-bit Arch, you will need to install 32-bit packages ([[Multilib]]), see [http://www.scc.kit.edu/scc/net/juniper-vpn/linux/ upstream website].
  
 
3) Make a directory for the .config file:
 
3) Make a directory for the .config file:
mkdir -p ~/.juniper_networks/network_connect/config
+
{{bc|$ mkdir -p ~/.juniper_networks/network_connect/config}}
  
 
4) Copy and adapt this .config file in this directory:
 
4) Copy and adapt this .config file in this directory:
host=foo.bar.com
+
{{hc|~/.juniper_networks/network_connect/config/.config|<nowiki>
user=username
+
host=foo.bar.com
password=secret
+
user=username
realm= realm with spaces
+
password=secret
cafile=/etc/ssl/bar-chain.pem
+
realm= realm with spaces
certfile=
+
cafile=/etc/ssl/bar-chain.pem
 +
certfile=</nowiki>}}
  
'''cafile:''' ca chain to verify the host certificate
+
; cafile: ca chain to verify the host certificate
'''certfile:''' host certificate in DER format
+
; certfile: host certificate in DER format. Cafile or certfile must be configured, you can download them from your VPN sign-in page (certificate information, export certificate).
Cafile or certfile must be configured, you can download them from your vpn sign-in page (certificate information, export certificate).
+
; realm: You can find out your realm by viewing the page source of your VPN sign-in page: just search for the word realm in it.
'''realm:''' You can find out your realm by viewing the page source of your vpn sign-in page: just search for the word realm in it.
+
  
 
5) Start / stop network connect:
 
5) Start / stop network connect:
jnc --nox
+
{{bc|$ jnc --nox}}
 
for use without GUI. To stop the client, execute
 
for use without GUI. To stop the client, execute
jnc stop
+
{{bc|$ jnc stop}}
  
=64 bit Hack=
+
==64-bit Hack==
This was the final fix after veritable hours of trying to make it work more properly, and it's very simple:
+
This was the final fix after veritable hours of trying to make it work more properly, and it is very simple:
  
1) Install bin32-jre from the AUR - make sure the PKGBUILD installs it to /opt/bin32-jre, rather than /opt/java, where it will conflict with the 64 bit JRE.
+
1) Install {{AUR|bin32-jre}} from the AUR - make sure the PKGBUILD installs it to {{ic|/opt/bin32-jre}}, rather than {{ic|/opt/java}}, where it will conflict with the 64-bit JRE.
  
2) Install jre from the AUR.
+
2) Install {{AUR|jre}} from the AUR.
  
3) As root, mv the java binary to java.orig:
+
3) Move the java binary to java.orig:
mv /opt/java/jre/bin/java /opt/java/jre/bin/java.orig
+
{{bc|# mv /opt/java/jre/bin/java /opt/java/jre/bin/java.orig}}
  
4) Create and make executable a new java script " "
+
4) Create a bash script {{ic|java}} and make it executable:
touch /opt/java/jre/bin/java
+
{{bc|# touch /opt/java/jre/bin/java
chmod 755 /opt/java/jre/bin/java
+
# chmod 755 /opt/java/jre/bin/java}}
  
5) Put the following in our new java file, and you're done:
+
5) Edit the bash script and you are done:
#!/bin/bash
+
{{hc|/opt/java/jre/bin/java|<nowiki>
if [ $3x = "NCx" ]
+
#!/bin/bash
then
+
if [ $3x = "NCx" ]
    /opt/bin32-jre/jre/bin/java "$@"
+
then
else
+
    /opt/bin32-jre/jre/bin/java "$@"
    /opt/java/jre/bin/java.orig "$@"
+
else
fi
+
    /opt/java/jre/bin/java.orig "$@"
 +
fi</nowiki>}}
  
Bear in mind, this is a terrible hack, and if you update JRE it will break and you'll have to repeat a few steps. That said, it worked fantastically for me, with minimal setup if I need to hop on a VPN from another Arch PC.
+
Bear in mind, this is a terrible hack, and if you update JRE it will break and you will have to repeat a few steps. That said, it worked fantastically for me, with minimal setup if I need to hop on a VPN from another Arch PC.
  
=Another installation method=
+
==Another installation method==
  
Here's what I did to connect to the Juniper VPN at my company:
+
Here is what I did to connect to the Juniper VPN at my company:
  
 
References:
 
References:
 
[http://www.gentoo-wiki.info/HOWTO_Juniper_SSL_Network_Connect_VPN Gentoo Wiki Archives]
 
[http://www.gentoo-wiki.info/HOWTO_Juniper_SSL_Network_Connect_VPN Gentoo Wiki Archives]
  
#Get [http://www.archlinux.org/packages/search/?q=jre JRE]
+
#Get [https://www.archlinux.org/packages/search/?q=jre JRE]
 
#Get the really old GCC libs
 
#Get the really old GCC libs
 
##Either with [https://aur.archlinux.org/packages.php?ID=27768 gcc3] and [https://aur.archlinux.org/packages.php?ID=2299 gcc2]
 
##Either with [https://aur.archlinux.org/packages.php?ID=27768 gcc3] and [https://aur.archlinux.org/packages.php?ID=2299 gcc2]
##If you're lazy like me or just can't get it to produce the super-old libstdc++-libc6.2-2.so.3, just steal the whole lib-compat from gentoo with this PKGBUILD:
+
##If you are lazy like me or just cannot get it to produce the super-old libstdc++-libc6.2-2.so.3, just steal the whole lib-compat from gentoo with this PKGBUILD:
 
  # Contributor: Clement Siuchung Cheung <clement.cheung@umich.edu>
 
  # Contributor: Clement Siuchung Cheung <clement.cheung@umich.edu>
 
  pkgname=lib-compat
 
  pkgname=lib-compat
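Review bot: In the added {{hc|/opt/java/jre/bin/java|...}} block, the test `if [ $3x = "NCx" ]` still expands `$3` unquoted, so an argument containing whitespace or a glob character breaks the comparison; quote it as `if [ "$3" = "NC" ]`. The `.config` template in the same hunk keeps `password=secret` in cleartext and the `mkdir -p` step sets no mode, so a sentence telling readers to restrict the directory and file to their own user (for example `chmod 600` on the file) belongs next to it.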
Line 99: Line 108:
  
 
#Get the smelly old Motif libs
 
#Get the smelly old Motif libs
##Install lesstif. Then symlink to fool the system that it's motif like they say in the Gentoo wiki.
+
##Install lesstif. Then symlink to fool the system that it is motif like they say in the Gentoo wiki.
##Sadly I wasn't able to get it work through the openmotif route because our openmotif package is too new and will give you libXm.so.4 instead of libXm.so.3. Add your instructions here if you manage to get this work.
+
##Sadly I was not able to get it work through the openmotif route because our openmotif package is too new and will give you libXm.so.4 instead of libXm.so.3. Add your instructions here if you manage to get this work.
 
#Get the su work. They use xterm to ask for root password to do the install. So do either of the following:
 
#Get the su work. They use xterm to ask for root password to do the install. So do either of the following:
##Install [http://www.archlinux.org/packages/extra/i686/xterm/ xterm]
+
##Install {{Pkg|xterm}}
 
##Setup your user to be able to su without password (google for the instructions)
 
##Setup your user to be able to su without password (google for the instructions)
#Do "sudo modprobe tun". You'll need to do it every time before you connect. So you might want to setup the tun module to be autoloaded at start up to save you time and trouble.
+
#Do "sudo modprobe tun". You will need to do it every time before you connect. So you might want to setup the tun module to be autoloaded at start up to save you time and trouble.
  
=Troubleshooting=
+
==Troubleshooting==
  
There are many things that can go wrong. Please share your experience here if there's something non-obvious that wasted you weeks to track down so that others can save their time. ;-)
+
There are many things that can go wrong. Please share your experience here if there is something non-obvious that wasted you weeks to track down so that others can save their time. ;-)
  
==It keeps saying password incorrect==
+
===It keeps saying password incorrect===
First of all, make sure the username and password is actually correct. ;-) Check caps lock, etc. If you swear it's correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.
+
First of all, make sure the username and password is actually correct. ;-) Check caps lock, etc. If you swear it is correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.
  
 
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers.
 
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers.
Line 119: Line 128:
 
Another thing is the useragent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.
 
Another thing is the useragent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.
  
==I can login but Network Connect won't launch==
+
===I can login but Network Connect will not launch===
 
#Check your JRE
 
#Check your JRE
 
#Go to ".juniper_networks/network_connect" in your home directory.
 
#Go to ".juniper_networks/network_connect" in your home directory.
 
#Check that ncsvc is setuid root. Fix it if not.
 
#Check that ncsvc is setuid root. Fix it if not.
#ldd ncsvc and see if there're any missing libraries
+
#ldd ncsvc and see if there are any missing libraries
#Follow instructions [http://www.juniperforum.com/index.php/topic,2043.0.html here] to run it from command line. Use the "-L 5" switch to log everything, use strace as root, etc. Peek at ncsvc.log and see if there's anything wrong.
+
#Follow instructions [http://www.juniperforum.com/index.php/topic,2043.0.html here] to run it from command line. Use the "-L 5" switch to log everything, use strace as root, etc. Peek at ncsvc.log and see if there is anything wrong.
  
==Network Connect launched but the VPN doesn't work==
+
===Network Connect launched but the VPN does not work===
Run "route" or "ip route" and see if the route is there. Network connect has a diagnosis tool in the GUI. You can also checks the logs (also available in the GUI).
+
Run "ip route" and see if the route is there. Network connect has a diagnosis tool in the GUI. You can also checks the logs (also available in the GUI).
  
 
If it initially works but stops working later on, see caveat below.
 
If it initially works but stops working later on, see caveat below.
  
==Network Connect launched and a configuration error message is displayed==
+
===Network Connect launched and a configuration error message is displayed===
 
Check that you have net-tools installed.
 
Check that you have net-tools installed.
  
== ncapp.error Failed to connect/authenticate with IVE.==
+
=== ncapp.error Failed to connect/authenticate with IVE.===
See [http://ubuntuforums.org/showthread.php?p=12127450#post12127450 my post] on the ubuntu form.  I was trying some of the several 'command-line' options and it turns out that in certain cases, policy won't permit it.  It had to install both bin32-jre and bin32-firefox and authenticate through the browser.
+
See [http://ubuntuforums.org/showthread.php?p=12127450#post12127450 my post] on the ubuntu form.  I was trying some of the several 'command-line' options and it turns out that in certain cases, policy will not permit it.  It had to install both bin32-jre and bin32-firefox and authenticate through the browser.
  
=Caveats=
+
===Kernel 3.19 and ncsvc===
/etc/resolv.conf will get overwritten every once in a while by DHCPCD so your VPN will stop working eventually. If that happens, just restart Network Connect. There's no known solution to the problem but I do find a discussion on Redhat bugs website about this. We need to somehow teach DHCPCD the concept of merging configs and being a good neighbor...
+
 
 +
Jupitern VPN does not support {{Pkg|linux}} 3.19. [[Downgrade]] to version 3.18, or [[install]] {{Pkg|linux-lts}}. [http://www.unixgr.com/juniper-ncsvc-and-linux-3-19/]
 +
 
 +
==Caveats==
 +
/etc/resolv.conf will get overwritten every once in a while by DHCPCD so your VPN will stop working eventually. If that happens, just restart Network Connect. There is no known solution to the problem but I do find a discussion on Redhat bugs website about this. We need to somehow teach DHCPCD the concept of merging configs and being a good neighbor...
  
 
Until then, restart the connection every once in a while, save /etc/resolv.conf somewhere or somehow whip up some super-clever script yourself to restore the VPN settings every time your DHCP lease is renewed.
 
Until then, restart the connection every once in a while, save /etc/resolv.conf somewhere or somehow whip up some super-clever script yourself to restore the VPN settings every time your DHCP lease is renewed.
  
=Alternative Method=
+
==Alternative Method==
  
 
Another method to get Juniper VPN to work for 64 bit Arch linux is suggested for your reference. I use this method to connect to my university's vpn network.  
 
Another method to get Juniper VPN to work for 64 bit Arch linux is suggested for your reference. I use this method to connect to my university's vpn network.  
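Review bot: The added "Kernel 3.19 and ncsvc" paragraph misspells the product as "Jupitern VPN"; it should read "Juniper VPN". The external link at the end of that line is a bare bracketed URL with no label, which renders as an unexplained "[1]"; give it link text saying what the page documents. The unchanged "ubuntu form" a few lines above looks like a typo for "forum" and could be fixed in the same edit.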
Line 159: Line 172:
 
I have firefox and sun java jre installed. I assume the system is 64 bit Arch linux.  
 
I have firefox and sun java jre installed. I assume the system is 64 bit Arch linux.  
  
1.) install xterm:
+
1.) [[install]] the {{pkg|xterm}} package
 
+
pacman -S xterm
+
  
 
2.) install a custom 64 bit java
 
2.) install a custom 64 bit java
Line 188: Line 199:
 
The newest firefox 5 does look at /usr/lib/mozilla/plugins for plugins, instead of the ~/.mozilla/plugins in the previous versions.
 
The newest firefox 5 does look at /usr/lib/mozilla/plugins for plugins, instead of the ~/.mozilla/plugins in the previous versions.
  
=Yet Another Method using the Mad Scientist's Ubuntu "msjnc" script=
+
==Yet Another Method using the Mad Scientist's "msjnc" script==
  
Follow the directions here: http://www.ubuntuready.com/howtos
+
Follow instructions here: http://mad-scientist.us/juniper.html
  
References:
+
For arch, you must [[install]] {{Pkg|gtk2-perl}}, {{Pkg|glib-perl}} and {{Pkg|unzip}}.
http://mad-scientist.us/juniper.html
+
 
 +
=== Special instructions for 64-bit users ===
 +
[[Multilib#Enabling|Enable multilib]].
 +
 
 +
[[Install]] {{Pkg|lib32-zlib}}, {{Pkg|net-tools}}, {{Pkg|glib-perl}}, {{Pkg|perl-libwww}} and {{Pkg|gtk2-perl}}.
 +
 
 +
Access the the Juniper VPN website you need to use. Log in and allow the installation to attempt and fail (due to non-32 bit java). I get the following error:
 +
{{bc|Setup failed.
 +
Please install 32 bit Java and update alternatives links using update-alternatives command.
 +
For more details, refer KB article KB25230}}
 +
 
 +
You should now have the file {{ic|~/.juniper_networks/ncLinuxApp.jar}} present.
 +
 
 +
However, if {{ic|ncLinuxApp.jar}} is not downloaded, manually get it from {{ic|https://server/dana-cached/nc/ncLinuxApp.jar}} (note: you need to log in first).
 +
 
 +
Download the msjnc script, make it executable, and put it in your path.
 +
{{bc|$ wget -q -O /tmp/msjnc https://raw.github.com/madscientist/msjnc/master/msjnc
 +
$ chmod 755 /tmp/msjnc
 +
# cp /tmp/msjnc /usr/bin}}
 +
 
 +
==== Automatic installation of ncsvc using msjnc ====
 +
 
 +
The first time you launch msjnc (before ncsvc is installed), it will extract {{ic|ncLinuxApp.jar}} and prompt for your password in order to install the service. This requires sudo to be configured to allow all commands to your user.
 +
 
 +
After the service is installed to {{ic|~/.juniper_networks/network_connect/ncsvc}} with suid, create a profile and connect!
 +
 
 +
==== Manual installation of msjnc ====
 +
 
 +
Create these directories:
 +
{{bc|$ mkdir -p ~/.juniper_networks/network_connect
 +
$ mkdir -p ~/.juniper_networks/tmp}}
 +
 
 +
Extract the software:
 +
{{bc|$ unzip ~/.juniper_networks/ncLinuxApp.jar -d ~/.juniper_networks/tmp}}
 +
 
 +
Copy NC.jar to the network_connect directory:
 +
{{bc|$ cp ~/.juniper_networks/tmp/NC.jar ~/.juniper_networks/network_connect}}
 +
 
 +
Install the service:
 +
{{bc|$ sh ~/.juniper_networks/tmp/installNC.sh ~/.juniper_networks/network_connect}}
 +
 
 +
Launch msjnc, create a profile, and connect!
 +
 
 +
==== Note regarding Server/URL ====
 +
For the Server/URL, you may have to provide the URL that processes the login form rather than the login page itself.  For example, my company's login form is on {{ic|/dana-na/auth/url_0/welcome.cgi}} but the form is actually processed by {{ic|/dana-na/auth/url_0/login.cgi}}.  You may have to inspect the html of the login page to find the form's action attribute.
 +
 
 +
== Yet another alternative using jvpn script (support 64bits and host checker) ==
 +
 
 +
Jvpn perl script establishes a Juniper VPN connection and supports the below features:
 +
* connection using Host Checker
 +
* automatic download of the required Juniper java and daemon files (ncsvc) when run under su/sudo
 +
https://github.com/samm-git/jvpn
 +
 
 +
=== Installation ===
 +
 
 +
1. [[Install]] the perl dependencies {{Pkg|perl-term-readkey}} and {{Pkg|perl-lwp-protocol-https}}
 +
 
 +
2. Choose whether to run jvpn with (easiest method) or without sudo and run the below steps accordingly
 +
 
 +
'''If running the script with sudo:'''
 +
 
 +
2.1- Run the command
 +
{{bc|<nowiki># curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz</nowiki>}}
 +
The command creates a file {{ic|jvpn-0.7.0}} in current directory
 +
 
 +
'''If running the script without sudo:'''
 +
 
 +
2.1 Use your regular web browser (no need for a 32-bit java) to connect to the VPN website and download the appropriate software.
 +
The files downloaded will be located in {{ic|~/.juniper_networks/network_connect/}} (even if the VPN connection actually fails).
 +
This step is considered more complex because you have to have a functional java plugin in your browser (configured wit appropriate security settings).
 +
During installation of Network Connect, the browser will request a root password to set the setuid flag on ncsvc (Juniper daemon).
 +
 
 +
2.2 Install jvpn into the folder with command
 +
{{bc|$ cd ~/.juniper_networks/network_connect
 +
$ curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz --strip-components=1}}
 +
 
 +
3. Edit {{ic|jvpn.ini}} (directions included in the file)
 +
 
 +
=== Run ===
 +
 
 +
'''If running the script with sudo:'''
 +
 
 +
Simply run the commands:
 +
<pre>su
 +
./jvpn.pl</pre>
 +
On first run, the script will download all the necessary files
 +
 
 +
'''If running the script without sudo:'''
 +
 
 +
Simply run the commands:
 +
<pre>
 +
cd ~/.juniper_networks/network_connect
 +
./jvpn.pl
 +
</pre>
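Review bot: The added jvpn step `# curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz` is shown at a root prompt and unpacks an unverified download as root; suggest downloading to a file as a regular user, checking it against a known digest, and only then extracting. The msjnc lines have the same problem in another form: the script is fetched from the moving `master` branch and copied to /usr/bin as root, so pinning a tag or commit would make the step reproducible. Two smaller points: "This requires sudo to be configured to allow all commands to your user" is broader than the install step needs, and the "with sudo" run instructions actually use `su`.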

Latest revision as of 16:08, 6 April 2016

This article or section needs language, wiki syntax or style improvements.

Reason: Using first person, needs more style fixes. (Discuss in Talk:Juniper VPN#)

The factual accuracy of this article or section is disputed.

Reason: Low quality workarounds (Discuss in Talk:Juniper VPN#)

Native Open Source support with OpenConnect

The OpenConnect VPN client has recently added support for Juniper VPN, supporting both TCP and UDP data transports. See the initial announcement on the mailing list for more details.

To use it, install openconnect from the Arch Linux repositories. If you want NetworkManager support, also install networkmanager-openconnect, and restart NetworkManager.

Official Software Preferred installation method

(NOTE: In some cases, depending on your corporate policy configuration, you _must_ login through the browser. If this is the case, command-line tools (jnc, junipernc) will not work.)

1) Go to your company's VPN site, log in and download / install the Juniper client.

2) Install jnc (AUR) from the Arch User Repository. For 64-bit Arch, you will need to install 32-bit packages (Multilib), see upstream website.

3) Make a directory for the .config file:

$ mkdir -p ~/.juniper_networks/network_connect/config

4) Copy and adapt this .config file in this directory:

~/.juniper_networks/network_connect/config/.config:

host=foo.bar.com
user=username
password=secret
realm= realm with spaces
cafile=/etc/ssl/bar-chain.pem
certfile=

cafile: CA chain to verify the host certificate.
certfile: host certificate in DER format. Either cafile or certfile must be configured; you can download them from your VPN sign-in page (certificate information, export certificate).
realm: You can find out your realm by viewing the page source of your VPN sign-in page: just search for the word realm in it.

5) Start / stop network connect:

$ jnc --nox

for use without GUI. To stop the client, execute

$ jnc stop
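
The .config file from steps 3 and 4 holds the VPN password in cleartext, so the directory and file should be accessible only to their owner. The following is an added example, not part of jnc or of the original page: a POSIX shell audit of that file. The function names jnc_init_config, jnc_get, jnc_audit_config and jnc_demo are hypothetical, and stat -c assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: create and audit a jnc .config file (not part of jnc itself).

# Create the config directory (0700) and an empty .config (0600) inside it.
jnc_init_config() {
    # $1 = config directory
    ( umask 077 && mkdir -p "$1" && : >> "$1/.config" ) &&
        chmod 700 "$1" && chmod 600 "$1/.config"
}

# Print the value of KEY from a key=value file, leading whitespace trimmed.
jnc_get() {
    # $1 = file, $2 = key
    sed -n "s/^$2=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if the file passes every check; print one line per finding.
jnc_audit_config() {
    cfg=$1
    rc=0
    [ -f "$cfg" ] || { echo "missing: $cfg"; return 2; }

    # The file contains password=...: nobody but the owner may read it.
    mode=$(stat -c '%a' "$cfg")
    case $mode in
        600|400) ;;
        *) echo "mode $mode: expected 600"; rc=1 ;;
    esac

    # host, user and realm must all carry a value.
    for key in host user realm; do
        [ -n "$(jnc_get "$cfg" "$key")" ] || { echo "empty: $key"; rc=1; }
    done

    # The page requires cafile or certfile, so the server certificate is verified.
    cafile=$(jnc_get "$cfg" cafile)
    certfile=$(jnc_get "$cfg" certfile)
    if [ -z "$cafile" ] && [ -z "$certfile" ]; then
        echo "neither cafile nor certfile set"; rc=1
    fi
    for f in "$cafile" "$certfile"; do
        [ -z "$f" ] || [ -r "$f" ] || { echo "unreadable: $f"; rc=1; }
    done
    return $rc
}

# Constructed sample using the page's example values, built in a temp directory.
jnc_demo() {
    d=$(mktemp -d) || return 1
    jnc_init_config "$d/config" || return 1
    : > "$d/bar-chain.pem"   # constructed stand-in for the CA chain file
    cat > "$d/config/.config" <<EOF
host=foo.bar.com
user=username
password=secret
realm= realm with spaces
cafile=$d/bar-chain.pem
certfile=
EOF
    jnc_audit_config "$d/config/.config" && echo "config OK"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then jnc_demo; fi
```

Run jnc_init_config before writing the real values, and jnc_audit_config on ~/.juniper_networks/network_connect/config/.config before starting jnc.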

64-bit Hack

This was the final fix after veritable hours of trying to make it work more properly, and it is very simple:

1) Install bin32-jre (AUR) from the AUR - make sure the PKGBUILD installs it to /opt/bin32-jre, rather than /opt/java, where it will conflict with the 64-bit JRE.

2) Install jre (AUR) from the AUR.

3) Move the java binary to java.orig:

# mv /opt/java/jre/bin/java /opt/java/jre/bin/java.orig

4) Create a bash script java and make it executable:

# touch /opt/java/jre/bin/java
# chmod 755 /opt/java/jre/bin/java

5) Edit the bash script and you are done:

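/opt/java/jre/bin/java:

#!/bin/bash
# Dispatch to the 32-bit JRE when the third argument is "NC",
# otherwise fall through to the original 64-bit java binary.
if [ "$3" = "NC" ]
then
    /opt/bin32-jre/jre/bin/java "$@"
else
    /opt/java/jre/bin/java.orig "$@"
fi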

Bear in mind, this is a terrible hack, and if you update JRE it will break and you will have to repeat a few steps. That said, it worked fantastically for me, with minimal setup if I need to hop on a VPN from another Arch PC.

Another installation method

Here is what I did to connect to the Juniper VPN at my company:

References: Gentoo Wiki Archives

  1. Get JRE
  2. Get the really old GCC libs
    1. Either with gcc3 and gcc2
    2. If you are lazy like me or just cannot get it to produce the super-old libstdc++-libc6.2-2.so.3, just steal the whole lib-compat from gentoo with this PKGBUILD:
# Contributor: Clement Siuchung Cheung <clement.cheung@umich.edu>
pkgname=lib-compat
pkgver=1.4.1
pkgrel=1
pkgdesc="Gentoo lib compat for old programs only available in binary"
arch=(x86)
url="http://www.gentoo.org/"
source=(ftp://ftp.ibiblio.org/pub/linux/distributions/gentoo/distfiles/${pkgname}-${pkgver}.tar.bz2)
md5sums=('ec4a4528295b5879ad055e44c4a6d463')

build() {
  cd $startdir/src/${pkgname}-${pkgver}/x86

  # Install /lib files
  mkdir -p $startdir/pkg/lib
  mv ld-linux.so.1* $startdir/pkg/lib

  # Install /usr/lib files
  mkdir -p $startdir/pkg/usr/lib
  mv *.so* $startdir/pkg/usr/lib

  # Fix files
  cd $startdir/pkg/usr/lib
  mv -f libstdc++-libc6.2-2.so.3 libstdc++-3-libc6.2-2-2.10.0.so
  ln -s libstdc++-3-libc6.2-2-2.10.0.so libstdc++-libc6.2-2.so.3
  mv -f libstdc++-libc6.1-1.so.2 libstdc++-2-libc6.1-1-2.9.0.so
  ln -s libstdc++-2-libc6.1-1-2.9.0.so libstdc++-libc6.1-1.so.2
  ln -s libstdc++.so.2.8.0 libstdc++.so.2.8
  ln -s libstdc++.so.2.7.2.8 libstdc++.so.2.7.2
  ln -s libg++.so.2.7.2.8 libg++.so.2.7.2
  rm -f libstdc++.so.2.9.dummy libstdc++.so.2.9.0
  rm -f libsmpeg-0.4.so.0.dummy
}
  3. Get the smelly old Motif libs
    1. Install lesstif. Then symlink to fool the system that it is motif like they say in the Gentoo wiki.
    2. Sadly I was not able to get it to work through the openmotif route because our openmotif package is too new and will give you libXm.so.4 instead of libXm.so.3. Add your instructions here if you manage to get this to work.
  4. Get su to work. They use xterm to ask for the root password to do the install. So do either of the following:
    1. Install xterm
    2. Set up your user to be able to su without password (google for the instructions)
  5. Do "sudo modprobe tun". You will need to do it every time before you connect. So you might want to set up the tun module to be autoloaded at start up to save you time and trouble.

Troubleshooting

There are many things that can go wrong. Please share your experience here if there is something non-obvious that wasted you weeks to track down so that others can save their time. ;-)

It keeps saying password incorrect

First of all, make sure the username and password are actually correct. ;-) Check caps lock, etc. If you swear it is correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.

The Tamper Data addon for Firefox can be used to debug. Try changing the fields in the headers.

One thing that had me scratching my head for months is incorrect charset. Juniper IVE apparently does not support UTF-8. For some reason, my "intl.charset.default" setting in "about:config" for Firefox is UTF-8, causing my POST request to have *ONLY* UTF-8 in the charset. Setting it to ISO-8859-1 fixes the problem. Also double check "intl.accept_charsets". You can have UTF-8, Chinese and European charsets all you want. But make sure you have ISO-8859-1 as fallback. Use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.

Another thing is the useragent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.

I can login but Network Connect will not launch

  1. Check your JRE
  2. Go to ".juniper_networks/network_connect" in your home directory.
  3. Check that ncsvc is setuid root. Fix it if not.
  4. Run "ldd ncsvc" and see if there are any missing libraries
  5. Follow instructions here to run it from command line. Use the "-L 5" switch to log everything, use strace as root, etc. Peek at ncsvc.log and see if there is anything wrong.

Network Connect launched but the VPN does not work

Run "ip route" and see if the route is there. Network Connect has a diagnosis tool in the GUI. You can also check the logs (also available in the GUI).

If it initially works but stops working later on, see caveat below.

Network Connect launched and a configuration error message is displayed

Check that you have net-tools installed.

ncapp.error Failed to connect/authenticate with IVE.

See my post on the Ubuntu forum. I was trying some of the several 'command-line' options and it turns out that in certain cases, policy will not permit it. I had to install both bin32-jre and bin32-firefox and authenticate through the browser.

Kernel 3.19 and ncsvc

Juniper VPN does not support linux 3.19. Downgrade to version 3.18, or install linux-lts. See http://www.unixgr.com/juniper-ncsvc-and-linux-3-19/

Caveats

/etc/resolv.conf will get overwritten every once in a while by DHCPCD so your VPN will stop working eventually. If that happens, just restart Network Connect. There is no known solution to the problem but I do find a discussion on Redhat bugs website about this. We need to somehow teach DHCPCD the concept of merging configs and being a good neighbor...

Until then, restart the connection every once in a while, save /etc/resolv.conf somewhere or somehow whip up some super-clever script yourself to restore the VPN settings every time your DHCP lease is renewed.

Alternative Method

Another method to get Juniper VPN to work for 64 bit Arch linux is suggested for your reference. I use this method to connect to my university's vpn network.

The key reference: http://wireless.siu.edu/install-ubuntu-64.htm

Basics

The key issue is that the 64-bit Java plugin does not work with the Juniper software (Firefox, Sun Java JRE).

One way to do it is to install an alternative version of java and link the java plugin for the firefox manually. This saves us from the trouble of having to deal with the chroot environment as suggested in other sites.

These are the steps I follow:

I have firefox and sun java jre installed. I assume the system is 64 bit Arch linux.

1.) install the xterm package

2.) install a custom 64 bit java

Go to http://www.java.com/en/download and select the Linux x64 version.

Decide on a location for the installation, extract the binary and put it in the desired location, and make the binary executable with chmod +x << binary >>.

Finally run it to install java.

3.) install the customized 32 bit java

Again, go to http://www.java.com/en/download; this time, select the Linux (self-extracting) option.

Extract the new binary to the same location created above, make it executable, and run the binary. It will ask whether you want to replace the files with the 32-bit ones; type "A" to overwrite all the 64-bit files with the 32-bit ones.

4.) link the library

the relevant library for firefox is libnpjp2.so, to link it,

ln -s << location of java you installed above >>/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so

The newest firefox 5 does look at /usr/lib/mozilla/plugins for plugins, instead of the ~/.mozilla/plugins in the previous versions.

Yet Another Method using the Mad Scientist's "msjnc" script

Follow instructions here: http://mad-scientist.us/juniper.html

For arch, you must install gtk2-perl, glib-perl and unzip.

Special instructions for 64-bit users

Enable multilib.

Install lib32-zlib, net-tools, glib-perl, perl-libwww and gtk2-perl.

Access the Juniper VPN website you need to use. Log in and allow the installation to attempt and fail (due to non-32 bit java). I get the following error:

Setup failed.
Please install 32 bit Java and update alternatives links using update-alternatives command.
For more details, refer KB article KB25230

You should now have the file ~/.juniper_networks/ncLinuxApp.jar present.

However, if ncLinuxApp.jar is not downloaded, manually get it from https://server/dana-cached/nc/ncLinuxApp.jar (note: you need to log in first).

Download the msjnc script, make it executable, and put it in your path.

$ wget -q -O /tmp/msjnc https://raw.github.com/madscientist/msjnc/master/msjnc
$ chmod 755 /tmp/msjnc
# cp /tmp/msjnc /usr/bin

Automatic installation of ncsvc using msjnc

The first time you launch msjnc (before ncsvc is installed), it will extract ncLinuxApp.jar and prompt for your password in order to install the service. This requires sudo to be configured to allow all commands to your user.

After the service is installed to ~/.juniper_networks/network_connect/ncsvc with suid, create a profile and connect!

Manual installation of msjnc

Create these directories:

$ mkdir -p ~/.juniper_networks/network_connect
$ mkdir -p ~/.juniper_networks/tmp

Extract the software:

$ unzip ~/.juniper_networks/ncLinuxApp.jar -d ~/.juniper_networks/tmp

Copy NC.jar to the network_connect directory:

$ cp ~/.juniper_networks/tmp/NC.jar ~/.juniper_networks/network_connect

Install the service:

$ sh ~/.juniper_networks/tmp/installNC.sh ~/.juniper_networks/network_connect

Launch msjnc, create a profile, and connect!

Note regarding Server/URL

For the Server/URL, you may have to provide the URL that processes the login form rather than the login page itself. For example, my company's login form is on /dana-na/auth/url_0/welcome.cgi but the form is actually processed by /dana-na/auth/url_0/login.cgi. You may have to inspect the html of the login page to find the form's action attribute.

Yet another alternative using jvpn script (support 64bits and host checker)

Jvpn perl script establishes a Juniper VPN connection and supports the below features:

  • connection using Host Checker
  • automatic download of the required Juniper java and daemon files (ncsvc) when run under su/sudo

https://github.com/samm-git/jvpn

Installation

1. Install the perl dependencies perl-term-readkey and perl-lwp-protocol-https

2. Choose whether to run jvpn with (easiest method) or without sudo and run the below steps accordingly

If running the script with sudo:

2.1- Run the command

# curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz

The command creates a file jvpn-0.7.0 in current directory

If running the script without sudo:

2.1 Use your regular web browser (no need for a 32-bit java) to connect to the VPN website and download the appropriate software. The files downloaded will be located in ~/.juniper_networks/network_connect/ (even if the VPN connection actually fails). This step is considered more complex because you have to have a functional java plugin in your browser (configured with appropriate security settings). During installation of Network Connect, the browser will request a root password to set the setuid flag on ncsvc (Juniper daemon).

2.2 Install jvpn into the folder with command

$ cd ~/.juniper_networks/network_connect
$ curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz --strip-components=1

3. Edit jvpn.ini (directions included in the file)
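
Both the jvpn steps above and the msjnc download earlier pipe or copy a network download straight into place, in one case at a root prompt. The following is an added example, not code from jvpn, msjnc or the original page: it fetches to a file first, checks a SHA-256 digest and the archive member names, and only then unpacks as the calling user. The function names are hypothetical, and the digest in the usage comment is a placeholder because the page gives none.

```shell
#!/bin/sh
# Added example: fetch, verify, then unpack, instead of "curl | tar xz".

# Return 0 only if FILE's SHA-256 equals EXPECTED (hex, case-insensitive).
sha256_matches() {
    # $1 = file, $2 = expected digest
    actual=$(sha256sum "$1" | cut -d ' ' -f 1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ "$actual" = "$expected" ]
}

# Read archive member names on stdin; fail on absolute paths or ".." components,
# either of which would let an archive write outside the target directory.
members_are_contained() {
    while IFS= read -r name; do
        case $name in
            /*|..|../*|*/..|*/../*)
                echo "unsafe member: $name" >&2
                return 1 ;;
        esac
    done
    return 0
}

# Verify TARBALL against DIGEST, then unpack it into DEST without root.
safe_unpack() {
    # $1 = tarball, $2 = expected sha256, $3 = destination directory
    sha256_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    tar -tzf "$1" | members_are_contained || return 1
    mkdir -p "$3" &&
        tar -xzf "$1" -C "$3" --no-same-owner --strip-components=1
}

# Usage, run as a regular user (the digest below is a placeholder; obtain the
# real value from a source you trust, not from the same download):
#   curl -fL -o /tmp/jvpn.tar.gz https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz
#   safe_unpack /tmp/jvpn.tar.gz "<sha256-of-the-release-you-reviewed>" \
#       ~/.juniper_networks/network_connect
```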

Run

If running the script with sudo:

Simply run the commands:

su
./jvpn.pl

On first run, the script will download all the necessary files

If running the script without sudo:

Simply run the commands:

cd ~/.juniper_networks/network_connect
./jvpn.pl