Difference between revisions of "Juniper VPN"

From ArchWiki
(use https for links to archlinux.org)
(Troubleshooting: Add workaround for an issue with connman)
 
(94 intermediate revisions by 25 users not shown)
Line 1: Line 1:
 
[[Category:Virtual Private Network]]
 
[[Category:Virtual Private Network]]
=Preferred installation method=
+
== Installation ==
(NOTE: In [http://kb.juniper.net/InfoCenter/index?page=content&id=KB20490&actp=RSS some cases], depending on your corporate policy configuration, you _must_ login through the browser.  If this is the case, command-line tools (jnc, junipernc) won't work.)
 
  
1) Go to your companys' vpn site, log in and download / install the juniper client.
+
=== Native Open Source support with OpenConnect ===
  
2) Install {{AUR|jnc}} from [AUR].
+
The [http://www.infradead.org/openconnect/ OpenConnect] VPN client has recently added support for Juniper VPN, supporting both TCP and UDP data transports. See the [http://lists.infradead.org/pipermail/openconnect-devel/2015-January/002628.html initial announcement] on the mailing list for more details.
  
3) Make a directory for the .config file:
+
To use, install {{Pkg|openconnect}}. If your Juniper VPN setup doesn't require any input after connecting you can use this command in order to connect
  mkdir -p ~/.juniper_networks/network_connect/config
+
  # openconnect --juniper https://vpn.server.com/
  
4) Copy and adapt this .config file in this directory:
+
If you want NetworkManager support, install {{Pkg|networkmanager-openconnect}}, or try the latest git version. The VPN connection can be created through the GUI or by using this command:
  host=foo.bar.com
+
  $ nmcli con add type vpn con-name "Connection Name" ifname "*" vpn-type openconnect -- vpn.data "gateway=vpn.server.com,protocol=nc"
user=username
 
password=secret
 
realm= realm with spaces
 
cafile=/etc/ssl/bar-chain.pem
 
certfile=
 
  
'''cafile:''' ca chain to verify the host certificate
+
=== Official Software Preferred installation method ===
'''certfile:''' host certificate in DER format
 
Cafile or certfile must be configured, you can download them from your vpn sign-in page (certificate information, export certificate).
 
'''realm:''' You can find out your realm by viewing the page source of your vpn sign-in page: just search for the word realm in it.
 
  
5) Start / stop network connect:
+
{{Note|1=In [http://kb.juniper.net/InfoCenter/index?page=content&id=KB20490&actp=RSS some cases], depending on your corporate policy configuration, you '''must''' login through the browser. If this is the case, command-line tools (jnc, junipernc) will not work.}}
  jnc --nox
+
 
 +
1) Go to your companys' VPN site, log in and download/install the juniper client.
 +
 
 +
2) Install {{AUR|jnc}}. For 64-bit Arch, you will need to install 32-bit packages ([[Multilib]]), see the [http://www.scc.kit.edu/scc/net/juniper-vpn/linux/ upstream website].
 +
 
 +
3) Make a directory for the ''.config'' file:
 +
$ mkdir -p ~/.juniper_networks/network_connect/config
 +
 
 +
4) Copy and adapt this ''.config'' file in this directory:
 +
{{hc|~/.juniper_networks/network_connect/config/.config|<nowiki>
 +
host=foo.bar.com
 +
user=username
 +
password=secret
 +
realm= realm with spaces
 +
cafile=/etc/ssl/bar-chain.pem
 +
certfile=</nowiki>}}
 +
 
 +
; cafile: ca chain to verify the host certificate
 +
; certfile: host certificate in DER format. Cafile or certfile must be configured, you can download them from your VPN sign-in page (certificate information, export certificate).
 +
; realm: You can find out your realm by viewing the page source of your VPN sign-in page: just search for the word realm in it.
 +
 
 +
5) Start/stop network connect:
 +
  $ jnc --nox
 
for use without GUI. To stop the client, execute
 
for use without GUI. To stop the client, execute
  jnc stop
+
  $ jnc stop
 +
 
 +
=== Using the pulsesvc CLI client ===
 +
1) Install {{AUR|pulse-secure}}.
 +
 
 +
2) Run the service
 +
 
 +
$ pulsesvc -h <hostname> -Port <port number> -u <username> -realm <realm> -Url <login URL>
 +
 
 +
Note that the login URL is different from the URL used in browsers. Check "Note regarding Server/URL" section below.
 +
 
 +
=== Using the pulseUi GUI client ===
 +
1) Install {{AUR|pulse-secure}} and {{AUR|webkitgtk}}. The latter is necessary for the GUI frontend.
 +
 
 +
2) Run {{ic|pulseUi}}. In the GUI client, the URL should be same as that used in browsers.
 +
 
 +
=== Third-party scripts ===
 +
 
 +
==== Mad Scientist's "msjnc" script ====
 +
 
 +
[[Install]] {{Pkg|gtk2-perl}}, {{Pkg|glib-perl}} and {{Pkg|unzip}}. Then follow the instructions on [http://mad-scientist.us/juniper.html mad-scientist.us].
 +
 
 +
;Instructions for 64-bit users
  
=64 bit Hack=
+
[[Multilib#Enabling|Enable multilib]] and then [[install]] {{Pkg|lib32-zlib}}, {{Pkg|net-tools}}, {{Pkg|glib-perl}}, {{Pkg|perl-libwww}} and {{Pkg|gtk2-perl}}.
This was the final fix after veritable hours of trying to make it work more properly, and it's very simple:
 
  
1) Install bin32-jre from the AUR - make sure the PKGBUILD installs it to /opt/bin32-jre, rather than /opt/java, where it will conflict with the 64 bit JRE.
+
Access the the Juniper VPN website you need to use. Log in and allow the installation to attempt and fail (due to non-32 bit Java). You should get an error similar to the following:
 +
{{bc|Setup failed.
 +
Please install 32 bit Java and update alternatives links using update-alternatives command.
 +
For more details, refer KB article KB25230}}
  
2) Install jre from the AUR.
+
You should now have the file {{ic|~/.juniper_networks/ncLinuxApp.jar}} present.
  
3) As root, mv the java binary to java.orig:
+
However, if {{ic|ncLinuxApp.jar}} is not downloaded, fetch it manually - see the following example URL: {{ic|https://server/dana-cached/nc/ncLinuxApp.jar}} (note: you need to log in first).
mv /opt/java/jre/bin/java /opt/java/jre/bin/java.orig
 
  
4) Create and make executable a new java script " "
+
Then download the [https://raw.github.com/madscientist/msjnc/master/msjnc msjnc] script, make it executable, and put it in your {{ic|PATH}}.
touch /opt/java/jre/bin/java
 
chmod 755 /opt/java/jre/bin/java
 
  
5) Put the following in our new java file, and you're done:
+
;Automatic installation of ncsvc using msjnc
#!/bin/bash
 
if [ $3x = "NCx" ]
 
then
 
    /opt/bin32-jre/jre/bin/java "$@"
 
else
 
    /opt/java/jre/bin/java.orig "$@"
 
fi
 
  
Bear in mind, this is a terrible hack, and if you update JRE it will break and you'll have to repeat a few steps.  That said, it worked fantastically for me, with minimal setup if I need to hop on a VPN from another Arch PC.
+
The first time you launch ''msjnc'' (before ''ncsvc'' is installed), it will extract {{ic|ncLinuxApp.jar}} and prompt for your password in order to install the service. This requires ''sudo'' to be configured to allow all commands to your user.
  
=Another installation method=
+
After the service is installed to {{ic|~/.juniper_networks/network_connect/ncsvc}} with suid, create a profile and connect.
  
Here's what I did to connect to the Juniper VPN at my company:
+
;Manual installation of msjnc
  
References:
+
Create these directories:
[http://www.gentoo-wiki.info/HOWTO_Juniper_SSL_Network_Connect_VPN Gentoo Wiki Archives]
+
$ mkdir -p ~/.juniper_networks/network_connect
 +
$ mkdir -p ~/.juniper_networks/tmp
  
#Get [https://www.archlinux.org/packages/search/?q=jre JRE]
+
Extract the software:
#Get the really old GCC libs
+
  $ unzip ~/.juniper_networks/ncLinuxApp.jar -d ~/.juniper_networks/tmp
##Either with [https://aur.archlinux.org/packages.php?ID=27768 gcc3] and [https://aur.archlinux.org/packages.php?ID=2299 gcc2]
 
##If you're lazy like me or just can't get it to produce the super-old libstdc++-libc6.2-2.so.3, just steal the whole lib-compat from gentoo with this PKGBUILD:
 
  # Contributor: Clement Siuchung Cheung <clement.cheung@umich.edu>
 
pkgname=lib-compat
 
pkgver=1.4.1
 
pkgrel=1
 
pkgdesc="Gentoo lib compat for old programs only available in binary"
 
arch=(x86)
 
url="http://www.gentoo.org/"
 
source=(ftp://ftp.ibiblio.org/pub/linux/distributions/gentoo/distfiles/${pkgname}-${pkgver}.tar.bz2)
 
md5sums=('ec4a4528295b5879ad055e44c4a6d463')
 
 
build() {
 
  cd $startdir/src/${pkgname}-${pkgver}/x86
 
 
  # Install /lib files
 
  mkdir -p $startdir/pkg/lib
 
  mv ld-linux.so.1* $startdir/pkg/lib
 
 
  # Install /usr/lib files
 
  mkdir -p $startdir/pkg/usr/lib
 
  mv *.so* $startdir/pkg/usr/lib
 
 
  # Fix files
 
  cd $startdir/pkg/usr/lib
 
  mv -f libstdc++-libc6.2-2.so.3 libstdc++-3-libc6.2-2-2.10.0.so
 
  ln -s libstdc++-3-libc6.2-2-2.10.0.so libstdc++-libc6.2-2.so.3
 
  mv -f libstdc++-libc6.1-1.so.2 libstdc++-2-libc6.1-1-2.9.0.so
 
  ln -s libstdc++-2-libc6.1-1-2.9.0.so libstdc++-libc6.1-1.so.2
 
  ln -s libstdc++.so.2.8.0 libstdc++.so.2.8
 
  ln -s libstdc++.so.2.7.2.8 libstdc++.so.2.7.2
 
  ln -s libg++.so.2.7.2.8 libg++.so.2.7.2
 
  rm -f libstdc++.so.2.9.dummy libstdc++.so.2.9.0
 
  rm -f libsmpeg-0.4.so.0.dummy
 
}
 
  
#Get the smelly old Motif libs
+
Copy {{ic|NC.jar}} to the {{ic|network_connect}} directory:
##Install lesstif. Then symlink to fool the system that it's motif like they say in the Gentoo wiki.
+
$ cp ~/.juniper_networks/tmp/NC.jar ~/.juniper_networks/network_connect
##Sadly I wasn't able to get it work through the openmotif route because our openmotif package is too new and will give you libXm.so.4 instead of libXm.so.3. Add your instructions here if you manage to get this work.
 
#Get the su work. They use xterm to ask for root password to do the install. So do either of the following:
 
##Install [https://www.archlinux.org/packages/extra/i686/xterm/ xterm]
 
##Setup your user to be able to su without password (google for the instructions)
 
#Do "sudo modprobe tun". You'll need to do it every time before you connect. So you might want to setup the tun module to be autoloaded at start up to save you time and trouble.
 
  
=Troubleshooting=
+
Install the service:
 +
$ sh ~/.juniper_networks/tmp/installNC.sh ~/.juniper_networks/network_connect
  
There are many things that can go wrong. Please share your experience here if there's something non-obvious that wasted you weeks to track down so that others can save their time. ;-)
+
Launch ''msjnc'', create a profile, and connect.
  
==It keeps saying password incorrect==
+
;Note regarding Server/URL
First of all, make sure the username and password is actually correct. ;-) Check caps lock, etc. If you swear it's correct and it still says incorrect, that means the POST request to the Juniper IVE box "somehow" failed.
 
  
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers.
+
For the Server/URL, you may have to provide the URL that processes the login form rather than the login page itself. As an example, one company's login form is on {{ic|/dana-na/auth/url_0/welcome.cgi}} but the form is actually processed by {{ic|/dana-na/auth/url_0/login.cgi}}. You may have to inspect the html of the login page to find the form's action attribute.
 +
 
 +
==== Jvpn script (support 64-bit and host checker) ====
 +
 
 +
Jvpn perl script establishes a Juniper VPN connection and supports the following features:
 +
* Connection using Host Checker.
 +
* Automatic download of the required Juniper java and daemon files (ncsvc) when run as root.
 +
See [https://github.com/samm-git/jvpn jvpn].
 +
 
 +
;Installation
 +
 
 +
[[Install]] the perl dependencies {{Pkg|perl-term-readkey}} and {{Pkg|perl-lwp-protocol-https}}. Once you have done so, you must choose whether to run ''jvpn'' as root (easiest method) or as a regular user and run the steps below accordingly.
 +
 
 +
;Running as root
 +
 
 +
Run the command:
 +
# curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz
 +
The command creates a file {{ic|jvpn-0.7.0}} in current directory.
 +
 
 +
Finally, start the script with:
 +
# ./jvpn.pl
 +
On first run, the script will download all the necessary files
 +
 
 +
;Running as a regular user
 +
 
 +
Use your web browser (no need for 32-bit Java) to connect to the VPN website and download the appropriate software. The files downloaded will be located in {{ic|~/.juniper_networks/network_connect/}} (even if the VPN connection actually fails).
 +
 
 +
This step is considered more complex because you have to have a functional Java plugin in your browser (configured with appropriate security settings). During installation of Network Connect, the browser will request a root password to set the setuid flag on ''ncsvc'' (Juniper daemon).
 +
 
 +
Then install ''jvpn'' into the folder by executing the following:
 +
$ cd ~/.juniper_networks/network_connect
 +
$ curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz --strip-components=1
 +
 
 +
Next, edit {{ic|jvpn.ini}} (directions are included in the file).
 +
 
 +
Finally, start the script with the following:
 +
$ cd ~/.juniper_networks/network_connect
 +
$ ./jvpn.pl
 +
 
 +
== Workarounds ==
 +
 
 +
{{Accuracy|All of these workarounds are poor quality and potentially problematic. These need to be reviewed and then either fixed or removed.}}
 +
 
 +
=== 64-bit Java (workaround 1) ===
 +
 
 +
{{Warning|These steps are '''not recommended'''. Updating your JRE will break this workaround and you will have to repeat these steps.}}
 +
 
 +
1) Install {{AUR|bin32-jre}}. Make sure the PKGBUILD installs it to {{ic|/opt/bin32-jre}}, rather than {{ic|/opt/java}}, where it will conflict with the 64-bit JRE.
 +
 
 +
2) Install {{AUR|jre}}.
 +
 
 +
3) Move the java binary to {{ic|java.orig}}:
 +
# mv /opt/java/jre/bin/java /opt/java/jre/bin/java.orig
 +
 
 +
4) Create a bash script {{ic|java}} and make it executable:
 +
# touch /opt/java/jre/bin/java
 +
# chmod 755 /opt/java/jre/bin/java
 +
 
 +
5) Finally, edit the bash script as per the below:
 +
{{hc|/opt/java/jre/bin/java|<nowiki>
 +
#!/bin/bash
 +
if [ $3x = "NCx" ]
 +
then
 +
    /opt/bin32-jre/jre/bin/java "$@"
 +
else
 +
    /opt/java/jre/bin/java.orig "$@"
 +
fi</nowiki>}}
 +
 
 +
=== 64-bit Java (workaround 2) ===
 +
 
 +
{{Warning|Installing non-packaged versions of Java and symlinking libraries into arbitrary locations is '''not recommended'''.}} 
 +
 
 +
Another approach is to install an alternative version of Java and link the Java plugin for Firefox manually - this avoids the necessity of using a ''chroot'' environment. Follow the instructions below:
 +
 
 +
#[[install]] {{pkg|xterm}}.
 +
#Install a custom 64-bit Java environment from [http://www.java.com/en/download java.com]. Select the Linux x64 version. Once you have decided upon a location for the installation, extract the binary into that location and then mark it executable. Finally, run the binary to install Java.
 +
#Install a custom 32-bit Java environment, also from [http://www.java.com/en/download java.com] but this time, select the Linux (self-extracting) option. Extract the new binary to the same location created above, mark it executable, and run the binary. It will ask you whether you want to replace the files to 32 bit: '''Type "A" to overwrite all the 64-bit files with the 32-bit ones.'''
 +
#Finally, link the library into the required location. The relevant library for Firefox is {{ic|libnpjp2.so}}. To link it, use the following command {{ic|ln -s ''location-of-custom-java-installation''/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so}}.
 +
 
 +
{{Note|Firefox 5 and higher check {{ic|/usr/lib/mozilla/plugins}} for plugins instead of {{ic|~/.mozilla/plugins}} which was used in previous versions.}}
 +
 
 +
For more information, see the following guide from [https://web.archive.org/web/20120114155121/http://wireless.siu.edu:80/install-ubuntu-64.htm Southern Illinois University].
 +
 
 +
===  Motif and libstdc++-libc6.2-2.so.3 ===
 +
 
 +
{{Accuracy|Are Motif and {{ic|libstdc++-libc6.2-2.so.3}} still required in any way? None of the clients linked to in [[#Installation]] depend on these things. Plus, the Gentoo wiki page that this section is based on no longer exists. Furthermore, if Motif is required, does one really have to use ''lesstif''? If you're going to be creating symlinks anyway, why not just use {{Pkg|openmotif}} and then symlink {{ic|libXm.so.4}} to {{ic|libXm.so.3}}?}}
 +
 
 +
{{Warning|The steps involved in this section, including using obsolete libraries and symlinking new library names to old are '''absolutely not recommended'''.}}
 +
 
 +
When trying to use Juniper VPN, you may be informed that there are missing libraries. If so, follow the instructions below.
 +
 
 +
1) Install a Java Runtime Environment (JRE) - see [[Java]].
  
One thing that had me scratching my head for months is incorrect charset. Juniper IVE apparently does not support UTF-8. For some reasons, my "intl.charset.default" setting in "about:config" for Firefox is UTF-8, causing my POST request to have *ONLY* UTF-8 in the charset. Setting it to ISO-8859-1 fixes the problem. Also double check "intl.accept_charsets". You can have UTF-8, Chinese and European charsets all you want. But make sure you have ISO-8859-1 as fallback. Use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.
+
2) Install {{AUR|libstdc++296}} which provides the required {{ic|libstdc++-libc6.2-2.so.3}} library.
  
Another thing is the useragent must be "Firefox", not "Bon Echo". You may need to change this under "general.useragent.extra.firefox" in about:config.
+
3) Install the Motif toolkit. Note that ''lesstif'' must be used - the {{Pkg|openmotif}} package provides a version of Motif that is too recent. Specifically, it provides {{ic|libXm.so.4}} instead of {{ic|libXm.so.3}}.
  
==I can login but Network Connect won't launch==
+
4) Then create symlinks in order to be able to use lesstif as if it is official Motif - see the reference below.
#Check your JRE
 
#Go to ".juniper_networks/network_connect" in your home directory.
 
#Check that ncsvc is setuid root. Fix it if not.
 
#ldd ncsvc and see if there're any missing libraries
 
#Follow instructions [http://www.juniperforum.com/index.php/topic,2043.0.html here] to run it from command line. Use the "-L 5" switch to log everything, use strace as root, etc. Peek at ncsvc.log and see if there's anything wrong.
 
  
==Network Connect launched but the VPN doesn't work==
+
5) Install {{Pkg|xterm}} - the installation uses xterm to ask for the root password.
Run "route" or "ip route" and see if the route is there. Network connect has a diagnosis tool in the GUI. You can also checks the logs (also available in the GUI).
 
  
If it initially works but stops working later on, see caveat below.
+
6) Next, run: {{ic|modprobe tun}} as root. You will need to do this every time before you connect. As such, you might want to setup the tun module to be autoloaded at startup.
  
==Network Connect launched and a configuration error message is displayed==
+
7) Finally, head over to your VPN portal page and initiate the connection by clicking on ''Network Connect''.
Check that you have net-tools installed.
 
  
== ncapp.error Failed to connect/authenticate with IVE.==
+
For more information see:
See [http://ubuntuforums.org/showthread.php?p=12127450#post12127450 my post] on the ubuntu form.  I was trying some of the several 'command-line' options and it turns out that in certain cases, policy won't permit it. It had to install both bin32-jre and bin32-firefox and authenticate through the browser. 
+
[https://web.archive.org/web/20151215041949/http://www.gentoo-wiki.info/HOWTO_Juniper_SSL_Network_Connect_VPN Gentoo Wiki Archives]
  
=Caveats=
+
==Troubleshooting==
/etc/resolv.conf will get overwritten every once in a while by DHCPCD so your VPN will stop working eventually. If that happens, just restart Network Connect. There's no known solution to the problem but I do find a discussion on Redhat bugs website about this. We need to somehow teach DHCPCD the concept of merging configs and being a good neighbor...
 
  
Until then, restart the connection every once in a while, save /etc/resolv.conf somewhere or somehow whip up some super-clever script yourself to restore the VPN settings every time your DHCP lease is renewed.
+
=== Password incorrect ===
  
=Alternative Method=
+
{{Accuracy|Is it still the case that Juniper IVE does not support UTF-8? Was this ever the case? This section seems to be based on one person's experiences from 10 years ago (as of 2017). This content needs to be verified.}}
  
Another method to get Juniper VPN to work for 64 bit Arch linux is suggested for your reference. I use this method to connect to my university's vpn network.  
+
If your username and password are correct but the system reports that they are incorrect, that means the POST request to the Juniper IVE box failed.
  
The key reference:
+
The [https://addons.mozilla.org/en-US/firefox/addon/966 Tamper Data] addon for Firefox can be used to debug. Try changing the fields in the headers.
http://wireless.siu.edu/install-ubuntu-64.htm
 
  
Basics
+
Note that Juniper IVE does not support UTF-8. The {{ic|intl.charset.default}} setting in {{ic|about:config}} for Firefox is UTF-8, causing a POST request to have only UTF-8 in the charset. Setting it to {{ic|ISO-8859-1}} might fix the problem. Also double check the {{ic|intl.accept_charsets}} Firefox setting. Using UTF-8, Chinese and European charsets is possible but ensure you have {{ic|ISO-8859-1}} as a fallback. Note that you can use the Tamper Data addon to make sure you really are accepting {{ic|ISO-8859-1}} in the HTTP header.
  
The key issue is that 64 bit java plugin do not work with the Juniper software. (firefox, sun java jre)
+
Finally, ensure that the useragent is {{ic|Firefox}}, not {{ic|Bon Echo}}. You may need to change this under {{ic|general.useragent.extra.firefox}} in {{ic|about:config}}.
  
One way to do it is to install an alternative version of java and link the java plugin for the firefox manually. This saves us from the trouble of having to deal with the chroot environment as suggested in other sites.
+
=== Login succeeds but Network Connect will not launch ===
  
These are the steps I follow:
+
#Firstly, verify your Java installation.
 +
#Then navigate to {{ic|~/.juniper_networks/network_connect}}.
 +
#Check that {{ic|ncsvc}} is setuid root. Fix it if not.
 +
#Run {{ic|ldd ncsvc}} and see if there are any missing libraries.
 +
#Follow the instructions from the [http://www.juniperforum.com/index.php/topic,2043.0.html Juniper forum] to run it from command line. Use the {{ic|-L 5}} switch to log everything and use ''strace'' as root. Also try consulting {{ic|ncsvc.log}} for any possible errors.
  
I have firefox and sun java jre installed. I assume the system is 64 bit Arch linux.
+
=== Network Connect launched but the VPN does not work ===
  
1.) install xterm:
+
Run {{ic|ip route}} to to check if the route is present. Network connect has a diagnosis tool in the GUI. You can also checks the logs (also available in the GUI).
  
pacman -S xterm
+
{{Accuracy|The information in the note below was added in 2007. Is this still an issue in 2017?}}
  
2.) install a custom 64 bit java
+
{{Expansion|Please provide a link to the bug report on Red Hat Bugzilla.}}
  
go to http://www.java.com/en/download
+
{{Note|{{ic|/etc/resolv.conf}} will periodically get overwritten by DHCPCD so your VPN will stop working eventually. If that happens, just restart Network Connect. You might also wish to save your {{ic|/etc/resolv.conf}} file so that your VPN settings can be easily restored. As of 2007, there is no known solution to the problem but there is a bug report on Red Hat Bugzilla.}}
select the Linux x64 verson
 
  
Decide on a location for the installation, extract the binary and put it in the desired location, and make the binary executable with
+
=== Network Connect launched and a configuration error message is displayed ===
chmod +x << binary >>.
 
  
Finally run it to install java.  
+
Check that you have {{Pkg|net-tools}} installed.
  
3.) install the customized 32 bit java
+
=== ncapp.error Failed to connect/authenticate with IVE. ===
  
again, go to http://www.java.com/en/download
+
See [http://ubuntuforums.org/showthread.php?p=12127450#post12127450 this post] on the Ubuntu forums. Note that in some cases, the policy will not permit a connection initiated from the command line. Instead, you have to install both {{AUR|bin32-jre}} and {{AUR|bin32-firefox}} and authenticate through the browser.
this time, select Linux(self-extracting) option
 
  
Extract the new binary to the same location created above, make it executable, and run the binary. It will ask you whether you want to replace the files to 32 bit, '''Type "A" to overwrite all the 64-bit files with the 32-bit ones.'''
+
===ncsvc and kernel versions 3.19 and 4.5 to 4.9===
  
4.) link the library
+
Juniter VPN does not support {{Pkg|linux}} 3.19. See [http://www.unixgr.com/juniper-ncsvc-and-linux-3-19/ UNIXgr].
  
the relevant library for firefox is libnpjp2.so, to link it,
+
There are also issues with {{Pkg|linux}} versions 4.5 to 4.9 (and probably later versions too). See [https://bugzilla.kernel.org/show_bug.cgi?id=121131 Bug 121131 on the Kernel bug tracker] for more information. There are two ways to work around this issue:
  
ln -s << location of java you installed above >>/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so
+
* [[Downgrade]] to version 4.4, or [[install]] {{Pkg|linux-lts}}.
 +
* According to a comment on the [https://bugzilla.kernel.org/show_bug.cgi?id=121131#c24 kernel bugzilla] disabling router solicitations for IPv6 and reconnecting will also solve the issue. This can be done with the following command:
 +
# echo 0 > /proc/sys/net/ipv6/conf/default/router_solicitations
 +
:To make this setting automatically on boot time use [[Systemd#Temporary_files|systemd-tmpfiles]]:
 +
{{hc|/etc/tmpfiles.d/disable-router-solicitations.conf|
 +
w /proc/sys/net/ipv6/conf/default/router_solicitations - - - - 0}}
  
The newest firefox 5 does look at /usr/lib/mozilla/plugins for plugins, instead of the ~/.mozilla/plugins in the previous versions.
+
=== Unauthorized new route has been added, disconnecting ===
  
=Yet Another Method using the Mad Scientist's Ubuntu "msjnc" script=
+
When using the {{AUR|pulse-secure}} client, VPN may not work with {{Pkg|connman}} due to conflicting routing table strategies. Check {{ic|~/.pulse_secure/pulse/pulsesvc.log}} for such messages:
  
Follow the directions here: http://www.ubuntuready.com/howtos
+
  rmon.error Unauthorized new route to x.x.x.x/y.y.y.y has been added (conflicts with our route to z.z.z.z), disconnecting (routemon.cpp:598)
  
References:
+
If this is the case, using {{Pkg|networkmanager}} instead can fix the issue.
http://mad-scientist.us/juniper.html
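Review bot: the java wrapper script in this hunk tests if [ $3x = "NCx" ] with $3 unquoted, so a third argument containing whitespace splits into several words and test(1) fails with "too many arguments" instead of falling through to java.orig; write if [ "$3" = "NC" ] instead. Separately, the jnc .config example stores password=secret in plaintext but no step sets the file's permissions; add chmod 600 ~/.juniper_networks/network_connect/config/.config after step 4.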
 

Latest revision as of 06:09, 24 October 2017

Installation

Native Open Source support with OpenConnect

The OpenConnect VPN client has recently added support for Juniper VPN, supporting both TCP and UDP data transports. See the initial announcement on the mailing list for more details.

To use it, install openconnect. If your Juniper VPN setup does not require any input after connecting, you can connect with this command:

# openconnect --juniper https://vpn.server.com/

If you want NetworkManager support, install networkmanager-openconnect, or try the latest git version. The VPN connection can be created through the GUI or by using this command:

$ nmcli con add type vpn con-name "Connection Name" ifname "*" vpn-type openconnect -- vpn.data "gateway=vpn.server.com,protocol=nc"

Official Software Preferred installation method

Note: In some cases, depending on your corporate policy configuration, you must log in through the browser. If this is the case, command-line tools (jnc, junipernc) will not work.

1) Go to your company's VPN site, log in and download/install the Juniper client.

2) Install jnc (AUR). For 64-bit Arch, you will need to install 32-bit packages (Multilib), see the upstream website.

3) Make a directory for the .config file:

$ mkdir -p ~/.juniper_networks/network_connect/config

4) Copy and adapt this .config file in this directory:

~/.juniper_networks/network_connect/config/.config

host=foo.bar.com
user=username
password=secret
realm= realm with spaces
cafile=/etc/ssl/bar-chain.pem
certfile=

cafile: CA chain used to verify the host certificate.
certfile: host certificate in DER format. One of cafile or certfile must be configured; you can download them from your VPN sign-in page (certificate information, export certificate).
realm: you can find your realm by viewing the page source of your VPN sign-in page and searching for the word "realm".
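Because a wrong cafile/certfile leaves the host certificate unverified and the file holds a plaintext password, it is worth checking the .config before connecting. The following is an added example, not code from the ArchWiki page or the jnc project; it assumes jnc tolerates whitespace around "=" and that cafile is PEM and certfile is DER as described above, and the embedded sample config is the one from this page.

```python
import stat
from pathlib import Path

# The example .config from the page, embedded here as constructed sample input.
SAMPLE_CONFIG = """\
host=foo.bar.com
user=username
password=secret
realm= realm with spaces
cafile=/etc/ssl/bar-chain.pem
certfile=
"""

PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
DER_SEQUENCE_TAG = 0x30  # a DER-encoded X.509 certificate starts with SEQUENCE (0x30)


def parse_config(text):
    """Parse key=value lines into a dict.

    Assumption: jnc ignores whitespace around '=' (the page's example has
    'realm= realm with spaces'), so outer whitespace is stripped and inner
    spaces are kept. Blank lines and '#' comments are skipped.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def _read_head_from_disk(name):
    """Default reader: first 32 bytes of a file, or None if it does not exist."""
    p = Path(name)
    return p.read_bytes()[:32] if p.is_file() else None


def _check_cert_file(label, name, want_pem, read_head):
    """Verify the referenced file exists and has the expected encoding."""
    head = read_head(name)
    if head is None:
        return [f"{label} {name} does not exist"]
    is_pem = head.lstrip().startswith(PEM_HEADER)
    if want_pem and not is_pem:
        return [f"{label} {name} is not a PEM chain"]
    if not want_pem and (is_pem or not head or head[0] != DER_SEQUENCE_TAG):
        return [f"{label} {name} is not a DER certificate"]
    return []


def check_config(cfg, config_mode=None, read_head=_read_head_from_disk):
    """Return a list of problems; an empty list means the config looks usable.

    config_mode: permission bits of the .config file (e.g. 0o644), or None to
    skip the permission check. read_head: callable mapping a file name to its
    first bytes (or None when missing); injectable so the check runs offline.
    """
    problems = []
    for key in ("host", "user", "realm"):
        if not cfg.get(key):
            problems.append(f"missing {key}")
    cafile, certfile = cfg.get("cafile"), cfg.get("certfile")
    if not cafile and not certfile:
        problems.append("neither cafile nor certfile set: the host certificate cannot be verified")
    if cafile:
        problems += _check_cert_file("cafile", cafile, True, read_head)
    if certfile:
        problems += _check_cert_file("certfile", certfile, False, read_head)
    # The file carries a plaintext password: nobody but the owner should read it.
    if config_mode is not None and cfg.get("password") and config_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f".config is mode {config_mode:04o} but contains a password; chmod 600 it")
    return problems


def check_config_file(path):
    """Disk-backed wrapper: parse and check the .config at the given path."""
    path = Path(path).expanduser()
    cfg = parse_config(path.read_text())
    mode = stat.S_IMODE(path.stat().st_mode)
    return check_config(cfg, config_mode=mode)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "~/.juniper_networks/network_connect/config/.config"
    for problem in check_config_file(target) or ["config looks sane"]:
        print(problem)
```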

5) Start/stop network connect:

$ jnc --nox

for use without GUI. To stop the client, execute

$ jnc stop

Using the pulsesvc CLI client

1) Install pulse-secure (AUR).

2) Run the service:

$ pulsesvc -h <hostname> -Port <port number> -u <username> -realm <realm> -Url <login URL>

Note that the login URL is different from the URL used in browsers. See the "Note regarding Server/URL" section below.

Using the pulseUi GUI client

1) Install pulse-secure (AUR) and webkitgtk (AUR). The latter is necessary for the GUI frontend.

2) Run pulseUi. In the GUI client, the URL should be the same as the one used in browsers.

Third-party scripts

Mad Scientist's "msjnc" script

Install gtk2-perl, glib-perl and unzip. Then follow the instructions on mad-scientist.us.

Instructions for 64-bit users

Enable multilib and then install lib32-zlib, net-tools, glib-perl, perl-libwww and gtk2-perl.

Access the Juniper VPN website you need to use. Log in and allow the installation to attempt and fail (because the installed Java is not 32-bit). You should get an error similar to the following:

Setup failed.
Please install 32 bit Java and update alternatives links using update-alternatives command.
For more details, refer KB article KB25230

You should now have the file ~/.juniper_networks/ncLinuxApp.jar present.

However, if ncLinuxApp.jar is not downloaded, fetch it manually - see the following example URL: https://server/dana-cached/nc/ncLinuxApp.jar (note: you need to log in first).

Then download the msjnc script, make it executable, and put it in your PATH.

Automatic installation of ncsvc using msjnc

The first time you launch msjnc (before ncsvc is installed), it will extract ncLinuxApp.jar and prompt for your password in order to install the service. This requires sudo to be configured to allow all commands to your user.

After the service is installed to ~/.juniper_networks/network_connect/ncsvc with suid, create a profile and connect.

Manual installation of msjnc

Create these directories:

$ mkdir -p ~/.juniper_networks/network_connect
$ mkdir -p ~/.juniper_networks/tmp

Extract the software:

$ unzip ~/.juniper_networks/ncLinuxApp.jar -d ~/.juniper_networks/tmp

Copy NC.jar to the network_connect directory:

$ cp ~/.juniper_networks/tmp/NC.jar ~/.juniper_networks/network_connect

Install the service:

$ sh ~/.juniper_networks/tmp/installNC.sh ~/.juniper_networks/network_connect

Launch msjnc, create a profile, and connect.

Note regarding Server/URL

For the Server/URL, you may have to provide the URL that processes the login form rather than the login page itself. As an example, one company's login form is on /dana-na/auth/url_0/welcome.cgi but the form is actually processed by /dana-na/auth/url_0/login.cgi. You may have to inspect the HTML of the login page to find the form's action attribute.
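To find the URL that processes the form (the value the pulsesvc -Url option from the CLI steps above needs) without reading the HTML by hand, here is an added example that is not code from the ArchWiki page or from any Juniper tool: it extracts the login form's action from the sign-in page and resolves it against the page URL. The sample HTML is constructed for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin

# Constructed sample of an IVE-style sign-in page: the page is served as
# welcome.cgi, but the credentials are POSTed to login.cgi.
SAMPLE_LOGIN_PAGE = """
<html><body>
<form name="frmLanguage" method="post" action="welcome.cgi">
  <select name="lang"><option>English</option></select>
</form>
<form name="frmLogin" method="post" action="login.cgi">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="hidden" name="realm" value="Users">
  <input type="submit" name="btnSubmit" value="Sign In">
</form>
</body></html>
"""


class _FormCollector(HTMLParser):
    """Record every <form> with its action, method and named input fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._open = {
                "action": attrs.get("action") or "",
                "method": (attrs.get("method") or "get").lower(),
                "fields": [],
                "has_password": False,
            }
        elif tag == "input" and self._open is not None:
            if attrs.get("name"):
                self._open["fields"].append(attrs["name"])
            if (attrs.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._open is not None:
            self.forms.append(self._open)
            self._open = None


def find_login_form(page_url, html):
    """Return {'url', 'method', 'fields'} for the first form that carries a
    password input, with its action resolved to an absolute URL, or None."""
    collector = _FormCollector()
    collector.feed(html)
    collector.close()
    for form in collector.forms:
        if form["has_password"]:
            return {
                # A relative action ("login.cgi") resolves against the page
                # URL; an empty action means the form posts back to the page.
                "url": urljoin(page_url, form["action"]),
                "method": form["method"],
                "fields": form["fields"],
            }
    return None


if __name__ == "__main__":
    page = "https://vpn.example.com/dana-na/auth/url_0/welcome.cgi"
    print(find_login_form(page, SAMPLE_LOGIN_PAGE))
```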

Jvpn script (supports 64-bit and Host Checker)

The jvpn Perl script establishes a Juniper VPN connection and supports the following features:

  • Connection using Host Checker.
  • Automatic download of the required Juniper java and daemon files (ncsvc) when run as root.

See jvpn.

Installation

Install the Perl dependencies perl-term-readkey and perl-lwp-protocol-https. Once you have done so, you must choose whether to run jvpn as root (easiest method) or as a regular user, and follow the steps below accordingly.

Running as root

Run the command:

# curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz

The command creates a jvpn-0.7.0 directory in the current directory.

Finally, start the script with:

# ./jvpn.pl

On first run, the script will download all the necessary files.

Running as a regular user

Use your web browser (no need for 32-bit Java) to connect to the VPN website and download the appropriate software. The files downloaded will be located in ~/.juniper_networks/network_connect/ (even if the VPN connection actually fails).

This step is considered more complex because you need a functional Java plugin in your browser (configured with appropriate security settings). During installation of Network Connect, the browser will request the root password to set the setuid flag on ncsvc (the Juniper daemon).

Then install jvpn into the folder by executing the following:

$ cd ~/.juniper_networks/network_connect
$ curl -L https://github.com/samm-git/jvpn/archive/v0.7.0.tar.gz | tar xz --strip-components=1

Next, edit jvpn.ini (directions are included in the file).

Finally, start the script with the following:

$ cd ~/.juniper_networks/network_connect
$ ./jvpn.pl

Workarounds

The factual accuracy of this article or section is disputed.

Reason: All of these workarounds are poor quality and potentially problematic. These need to be reviewed and then either fixed or removed. (Discuss in Talk:Juniper VPN)

64-bit Java (workaround 1)

Warning: These steps are not recommended. Updating your JRE will break this workaround and you will have to repeat these steps.

1) Install bin32-jre (AUR). Make sure the PKGBUILD installs it to /opt/bin32-jre, rather than /opt/java, where it will conflict with the 64-bit JRE.

2) Install jre (AUR).

3) Move the java binary to java.orig:

# mv /opt/java/jre/bin/java /opt/java/jre/bin/java.orig

4) Create a bash script java and make it executable:

# touch /opt/java/jre/bin/java
# chmod 755 /opt/java/jre/bin/java

5) Finally, edit the bash script as per the below:

/opt/java/jre/bin/java
#!/bin/bash
# Hand the launch to the 32-bit JRE only when the third argument is "NC"
# (the Network Connect class); everything else goes to the real 64-bit java.
if [ "$3" = "NC" ]; then
    exec /opt/bin32-jre/jre/bin/java "$@"
else
    exec /opt/java/jre/bin/java.orig "$@"
fi

64-bit Java (workaround 2)

Warning: Installing non-packaged versions of Java and symlinking libraries into arbitrary locations is not recommended.

Another approach is to install an alternative version of Java and link the Java plugin for Firefox manually - this avoids the necessity of using a chroot environment. Follow the instructions below:

  1. Install xterm.
  2. Install a custom 64-bit Java environment from java.com. Select the Linux x64 version. Once you have decided upon a location for the installation, extract the binary into that location and then mark it executable. Finally, run the binary to install Java.
  3. Install a custom 32-bit Java environment, also from java.com, but this time select the Linux (self-extracting) option. Extract the new binary to the same location created above, mark it executable, and run the binary. It will ask whether you want to replace the existing files: type "A" to overwrite all the 64-bit files with the 32-bit ones.
  4. Finally, link the library into the required location. The relevant library for Firefox is libnpjp2.so. To link it, use the following command: ln -s location-of-custom-java-installation/lib/amd64/libnpjp2.so /usr/lib/mozilla/plugins/libnpjp2.so
Note: Firefox 5 and higher check /usr/lib/mozilla/plugins for plugins instead of ~/.mozilla/plugins, which was used in previous versions.

For more information, see the following guide from Southern Illinois University.

Motif and libstdc++-libc6.2-2.so.3

The factual accuracy of this article or section is disputed.

Reason: Are Motif and libstdc++-libc6.2-2.so.3 still required in any way? None of the clients linked to in #Installation depend on these things. Plus, the Gentoo wiki page that this section is based on no longer exists. Furthermore, if Motif is required, does one really have to use lesstif? If you're going to be creating symlinks anyway, why not just use openmotif and then symlink libXm.so.4 to libXm.so.3? (Discuss in Talk:Juniper VPN)

Warning: The steps involved in this section, including using obsolete libraries and symlinking new library names to old, are absolutely not recommended.

When trying to use Juniper VPN, you may be informed that there are missing libraries. If so, follow the instructions below.

1) Install a Java Runtime Environment (JRE) - see Java.

2) Install libstdc++296 (AUR), which provides the required libstdc++-libc6.2-2.so.3 library.

3) Install the Motif toolkit. Note that lesstif must be used - the openmotif package provides a version of Motif that is too recent. Specifically, it provides libXm.so.4 instead of libXm.so.3.

4) Then create symlinks in order to be able to use lesstif as if it is official Motif - see the reference below.

5) Install xterm - the installation uses xterm to ask for the root password.

6) Next, run modprobe tun as root. You will need to do this every time before you connect, so you might want to set up the tun module to be autoloaded at startup.

7) Finally, head over to your VPN portal page and initiate the connection by clicking on Network Connect.

For more information see: Gentoo Wiki Archives

Troubleshooting

Password incorrect

The factual accuracy of this article or section is disputed.

Reason: Is it still the case that Juniper IVE does not support UTF-8? Was this ever the case? This section seems to be based on one person's experiences from 10 years ago (as of 2017). This content needs to be verified. (Discuss in Talk:Juniper VPN)

If your username and password are correct but the system reports that they are incorrect, that means the POST request to the Juniper IVE box failed.

The Tamper Data addon for Firefox can be used to debug. Try changing the fields in the headers.

Note that Juniper IVE does not support UTF-8. The intl.charset.default setting in about:config for Firefox is UTF-8, causing a POST request to have only UTF-8 in the charset. Setting it to ISO-8859-1 might fix the problem. Also double check the intl.accept_charsets Firefox setting. Using UTF-8, Chinese and European charsets is possible but ensure you have ISO-8859-1 as a fallback. Note that you can use the Tamper Data addon to make sure you really are accepting ISO-8859-1 in the HTTP header.

Finally, ensure that the user agent is Firefox, not Bon Echo. You may need to change this under general.useragent.extra.firefox in about:config.

Login succeeds but Network Connect will not launch

  1. Firstly, verify your Java installation.
  2. Then navigate to ~/.juniper_networks/network_connect.
  3. Check that ncsvc is setuid root. Fix it if not.
  4. Run ldd ncsvc and see if there are any missing libraries.
  5. Follow the instructions from the Juniper forum to run it from command line. Use the -L 5 switch to log everything and use strace as root. Also try consulting ncsvc.log for any possible errors.
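
Steps 3 and 4 of that list as a script, added here as an example (not from the wiki or from Juniper). It assumes ncsvc lives where the wiki puts it (override NCSVC to point elsewhere), uses GNU `stat` to read the owner, and returns a different exit status for each failure so it can be used from other scripts.

```shell
#!/bin/sh
# Added example (not from the wiki or from Juniper): verify that ncsvc is
# setuid root and that the dynamic linker can resolve all of its libraries.
NCSVC="${NCSVC:-$HOME/.juniper_networks/network_connect/ncsvc}"

# Print the names of shared libraries ldd could not resolve, reading ldd output
# on stdin (unresolved entries look like "libXm.so.3 => not found").
ldd_missing_libs() {
    sed -n 's/^[[:space:]]*\([^[:space:]]*\) => not found.*/\1/p'
}

# Exit status: 0 = ncsvc looks usable, 1 = file missing,
# 2 = not setuid root (step 3), 3 = missing libraries (step 4).
check_ncsvc() {
    path="${1:-$NCSVC}"
    if [ ! -f "$path" ]; then
        echo "$path: not found" >&2
        return 1
    fi
    owner=$(stat -c '%u' "$path")
    if [ "$owner" != 0 ] || [ ! -u "$path" ]; then
        echo "$path: must be owned by root and setuid (as root: chown root '$path' && chmod u+s '$path')" >&2
        return 2
    fi
    missing=$(ldd "$path" 2>/dev/null | ldd_missing_libs)
    if [ -n "$missing" ]; then
        echo "$path: missing libraries:" >&2
        echo "$missing" >&2
        return 3
    fi
    echo "$path: ok"
    return 0
}
```

`check_ncsvc` with no argument checks the default path; a status of 2 means the setuid fix from step 3 is needed, a status of 3 lists the libraries to install before going on to step 5.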

Network Connect launched but the VPN does not work

Run ip route to check whether the route is present. Network Connect has a diagnosis tool in the GUI. You can also check the logs (also available in the GUI).

The factual accuracy of this article or section is disputed.

Reason: The information in the note below was added in 2007. Is this still an issue in 2017? (Discuss in Talk:Juniper VPN)

This article or section needs expansion.

Reason: Please provide a link to the bug report on Red Hat Bugzilla. (Discuss in Talk:Juniper VPN)

Note: /etc/resolv.conf will periodically get overwritten by dhcpcd, so your VPN will stop working eventually. If that happens, just restart Network Connect. You might also wish to save your /etc/resolv.conf file so that your VPN settings can be easily restored. As of 2007, there is no known solution to the problem, but there is a bug report on Red Hat Bugzilla.

Network Connect launched and a configuration error message is displayed

Check that you have net-tools installed.

ncapp.error Failed to connect/authenticate with IVE.

See this post on the Ubuntu forums. Note that in some cases, the policy will not permit a connection initiated from the command line. Instead, you have to install both bin32-jre (AUR) and bin32-firefox (AUR) and authenticate through the browser.

ncsvc and kernel versions 3.19 and 4.5 to 4.9

Juniper VPN does not support linux 3.19. See UNIXgr.

There are also issues with linux versions 4.5 to 4.9 (and probably later versions too). See Bug 121131 on the Kernel bug tracker for more information. There are two ways to work around this issue:

  • Downgrade to version 4.4, or install linux-lts.
  • According to a comment on the kernel bugzilla, disabling router solicitations for IPv6 and reconnecting also solves the issue. This can be done with the following command:
# echo 0 > /proc/sys/net/ipv6/conf/default/router_solicitations
To apply this setting automatically at boot time, use systemd-tmpfiles:
/etc/tmpfiles.d/disable-router-solicitations.conf
w /proc/sys/net/ipv6/conf/default/router_solicitations - - - - 0

Unauthorized new route has been added, disconnecting

When using the pulse-secure (AUR) client, the VPN may not work with connman due to conflicting routing table strategies. Check ~/.pulse_secure/pulse/pulsesvc.log for messages such as:

rmon.error Unauthorized new route to x.x.x.x/y.y.y.y has been added (conflicts with our route to z.z.z.z), disconnecting (routemon.cpp:598)

If this is the case, using NetworkManager instead can fix the issue.
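
A small log check for the message above, added here as an example (not from the wiki or from Pulse Secure). It reads pulsesvc.log from the path the wiki names (PULSE_LOG overrides it) and prints the route the client objected to next to the VPN route it conflicts with, so the clash between connman's and the client's routing can be seen without scrolling through the log; the sample log lines in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the wiki or from Pulse Secure): list the route
# conflicts that made pulsesvc disconnect.
PULSE_LOG="${PULSE_LOG:-$HOME/.pulse_secure/pulse/pulsesvc.log}"

# Print one line per rmon.error route conflict in the log:
# "<new route> conflicts-with <vpn route>"
route_conflicts() {
    sed -n 's/.*rmon\.error Unauthorized new route to \([^ ]*\) has been added (conflicts with our route to \([^)]*\)), disconnecting.*/\1 conflicts-with \2/p' "${1:-$PULSE_LOG}"
}

# Number of such conflicts, for use in scripts (0 when the log is clean).
route_conflict_count() {
    route_conflicts "$@" | wc -l | tr -d ' '
}
```

Run `route_conflicts` after a disconnect; a non-empty result with connman running is the symptom this section describes, and the printed routes tell you which of connman's routes overlapped the tunnel.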