Juniper Network Connect

Intro
There are various sites that discuss getting Juniper's "Network Connect" to work, particularly on a 64-bit system. See:

https://forums.gentoo.org/viewtopic-t-494883.html

http://ubuntuforums.org/showthread.php?t=232607&page=45&p=11189826#post11189826

https://wiki.archlinux.org/index.php/Juniper_VPN

http://www.gentoo-wiki.info/Juniper

http://techydodo.wordpress.com/2012/01/17/cracking-the-juniper-network-connect-problem-on-linux-64-bit/

http://www.scc.kit.edu/scc/net/juniper-vpn/linux/

http://mad-scientist.net/juniper.html

and http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery/ helped the most.

However you may have to mix and match bits from any of those.

Prerequisites
Here is documentation of a working setup as of Oct 2013 against a target network that requires login via a web page, where the portal has multiple login pages for different groups, with client version 7.1. The VPN client would neither start automatically from the browser nor complete when invoked manually with ncsvc.

Possible requirements: SUN Java JRE (both 64 and 32 bit versions) with nsplugin, e.g.:


 * and

Probably also openssl and others. I already had everything installed except the 32-bit Java with nsplugin.

Stepwise
Go to the network portal web page and examine the page source for the REALM (the hidden realm field of the login form).

Log in through the web portal and attempt to initiate Network Connect. The software downloads and installs into a local directory. Then examine the cookies for the site and find the DSID. The DSID is issued per login, so it will have to be refreshed each time.

cd into this directory.

Get the certificate, e.g.:

Compile libncui.so into an executable file:

Then execute:

Where https://portal.example.net/dana-na/auth/url_0/welcome.cgi is the full path to the login page on the portal.

With any luck you'll be connected, and a tun device (tun0) should be listed by ifconfig.

Concise Connection Steps
I'm writing this section to explain how I connect to Juniper Network Connect in a more succinct and consolidated manner. Recent versions of Google Chrome block the Java plugin, so a different approach is required. This method does not use Java at all and is, in my view, a better way.

Prerequisites
First make sure that TUN (CONFIG_TUN) is enabled in your kernel, as this is required to create the tunnel to your VPN; /dev/net/tun should exist once it is built in or the module is loaded. Personally, I build this into the kernel and not as a module.

Also make sure openssl is installed, which it should be by default.

Installation Steps
You will need to download ncLinuxApp.jar for your version of Juniper Network Connect. Replace "yoursite" with the address for your vpn website.

https://yoursite.net/dana-cached/nc/ncLinuxApp.jar

Once you have ncLinuxApp.jar downloaded, create a folder somewhere in your home directory. This is where you will be running the Network Connect client from.

Now extract the contents of ncLinuxApp.jar (a jar is an ordinary zip archive).

Once you have the files extracted, you will need to change the ownership and set file permissions for a couple of files. You will need to be root.

Change ownership of ncsvc to root and set it executable. ncsvc creates the tun device and changes the routing table, so it needs to run as root even though it is launched by your user.

Set ncdiag to executable as well. Ownership of this file doesn't seem to need to be root

As the instructions state in the previous section, you will need to obtain the certificate from your Juniper installation.

Compile libncui.so for your arch. This creates the executable you will need. This must be done as your user.

As instructed in the previous section, you will need to obtain the REALM and DSID from your Juniper installation. The REALM is found in the login form on the front page of your Juniper site, and the DSID can be obtained from your cookies after logging into the site.

The one annoying thing about this is that you do have to log into your Juniper site to obtain the DSID every time. At least it does work! I hope this guide helps others in need! :)
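The Stepwise and Concise Connection Steps sections above describe the same manual procedure. The script below is an added example, not code from this wiki page or from Juniper: it pulls the REALM out of a saved copy of the login page, the DSID out of a browser cookie jar, fetches the portal certificate in DER form with openssl, builds ncui from libncui.so and launches it. The HTML fragment and cookie lines are constructed samples; the ncui options (-h host, -c cookie, -f certificate) and the gcc line follow the form used in the writeups linked in the Intro and are assumptions to check against your client version.

```shell
#!/bin/sh
# Added example (not from the wiki page or Juniper): the manual Network
# Connect procedure as shell functions. Sample data is constructed.

# Constructed login-form fragment; the REALM is the hidden "realm" input.
SAMPLE_LOGIN_HTML='<form name="frmLogin" method="POST" action="login.cgi">
<input type="hidden" name="realm" value="Users">
<input type="hidden" name="tz_offset" value="0">
</form>'

# Constructed Netscape-format (tab separated) cookie jar after a portal login.
SAMPLE_COOKIE_JAR=$(printf '%s\t%s\t%s\t%s\t%s\t%s\t%s\n' \
    portal.example.net FALSE / TRUE 0 DSFirstAccess 1380000000 \
    portal.example.net FALSE / TRUE 0 DSID 0123456789abcdef0123456789abcdef)

# extract_realm HTML: print the value of the hidden "realm" input.
extract_realm() {
    printf '%s\n' "$1" | sed -n 's/.*name="realm"[^>]*value="\([^"]*\)".*/\1/p' | head -n 1
}

# extract_dsid COOKIEJAR: print the DSID cookie value, empty if not logged in.
extract_dsid() {
    printf '%s\n' "$1" | awk -F "$(printf '\t')" '$6 == "DSID" { print $7; exit }'
}

# fetch_cert HOST OUTFILE: save the portal's certificate as DER (what ncui
# is given with -f in the linked writeups).
fetch_cert() {
    host=$1; out=$2
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -outform DER -out "$out"
}

# build_ncui: link the ncui launcher from libncui.so (32-bit). The rpath lets
# it find the library in the extraction directory. Run as your normal user.
build_ncui() {
    gcc -m32 -Wl,-rpath,"$(pwd)" -o ncui libncui.so
}

# connect_nc HOST DSID CERT: start the tunnel with a fresh DSID. ncui prompts
# for a password; with a valid DSID just press Enter. Refuses an empty DSID.
connect_nc() {
    host=$1; dsid=$2; cert=$3
    [ -n "$dsid" ] || { echo "no DSID: log in through the portal first" >&2; return 1; }
    ./ncui -h "$host" -c "DSID=$dsid" -f "$cert"
}

# Usage: sh nc.sh connect portal.example.net cookies.txt
# (only runs when invoked that way, from the directory holding libncui.so)
if [ "${1:-}" = connect ]; then
    dsid=$(extract_dsid "$(cat "$3")")
    fetch_cert "$2" cert.der
    [ -x ./ncui ] || build_ncui
    connect_nc "$2" "$dsid" cert.der
fi
```

The REALM is recorded because the login form needs it; the ncui launch above passes only the DSID, so the part that changes on every connection is the cookie, and extract_dsid returning nothing is the signal that you have to log in through the portal again before retrying.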

Split tunneling
http://www.digitalinternals.com/124/20090430/workaround-for-juniper-vpn-split-tunneling-restriction/ and its commenters have some methods to achieve split tunneling.

Using LD_PRELOAD to load a custom library that redirects reads of /proc/net/route (which the client polls to watch the routing table) to another file seems promising, but proved problematic on a 64-bit client. See https://gist.github.com/anonymous/6777345

Patching the ncsvc binary can disable the route monitoring function, allowing one to change routes as needed, manually or by script. Without the patch the route monitor disconnects the session when the routes are changed.

There are probably many ways to achieve this, but one tested method is to invert a conditional jump in the route monitoring routine:

 * 1) make a backup copy of ncsvc
 * 2) open ncsvc in a disassembler
 * 3) search for the text "no routes to monitor" in the disassembly
 * 4) a few lines up there should be something that looks like:

.text:0805CC9F                mov     [ebp+var_19], 0
.text:0805CCA3                cmp     dword ptr [eax+60h], 0
.text:0805CCA7                jnz     loc_805CE1A
.text:0805CCAD                sub     esp, 8
.text:0805CCB0                push    offset aNoRoutesToMoni ; "no routes to monitor"

 * 5) the jnz (jne is the same instruction) jumps when the value just compared is not zero, i.e. when there are routes to monitor. Change it to the inverted conditional, jz (je), so that the "no routes to monitor" path is taken instead.
 * 6) To do so, look at the hex dump for this instruction. Depending on your debugger you may be able to change it in place, or else open the ncsvc binary in a hex editor and find the corresponding bytes.
 * 7) The bytes will start with either 75 ?? (the 2-byte short jump) or 0F 85 ?? ?? ?? ?? (the 6-byte near jump). In the listing above the jump occupies 0805CCA7 to 0805CCAD, six bytes, so it is the 0F 85 form.
 * 8) change the 75 to 74, or the 85 to 84.
 * 9) save and test.
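The byte change in the steps above, done from a script instead of a hex editor, as an added example that is not from this page or from Juniper. It refuses to write unless the bytes at the given offset are one of the two jnz encodings, so a mistaken offset cannot corrupt an unrelated instruction, and it keeps a backup. Assumptions: you have located the jump in a disassembler and converted its virtual address to a file offset. For a non-PIE i386 ELF whose first PT_LOAD maps file offset 0 at 0x08048000 that is VA - 0x08048000 (0805CCA7 becomes 0x14CA7); confirm the mapping with readelf -l ncsvc. The file patched in the usage notes is a constructed byte string, not a real ncsvc.

```shell
#!/bin/sh
# Added example (not from the wiki page or Juniper): flip the conditional
# jump in front of ncsvc's "no routes to monitor" path. The offset is an
# assumption derived as VA - 0x08048000; verify it with readelf -l.

# bytes_at FILE OFFSET COUNT: print COUNT bytes at OFFSET as lowercase hex.
bytes_at() {
    od -An -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# flip_jnz FILE OFFSET: turn the jnz/jne at OFFSET into jz/je.
# Only two encodings are accepted: 75 rel8 (short) and 0F 85 rel32 (near).
# The original is saved once as FILE.orig; nothing is written unless the
# bytes match, so a wrong offset cannot damage another instruction.
flip_jnz() {
    f=$1; off=$2
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig"
    case "$(bytes_at "$f" "$off" 2)" in
        75??) printf '\164' | dd of="$f" bs=1 seek="$off" conv=notrunc 2>/dev/null ;;
        0f85) printf '\204' | dd of="$f" bs=1 seek="$((off + 1))" conv=notrunc 2>/dev/null ;;
        *)    echo "offset $off holds $(bytes_at "$f" "$off" 2), not a jnz; not patching" >&2
              return 1 ;;
    esac
}

# Usage: sh patch-ncsvc.sh ncsvc 0x14CA7   (offset in hex or decimal)
# Afterwards re-check ownership and mode with ls -l: the binary must still be
# root-owned and executable by your user, so redo the chown/chmod from the
# Installation Steps if the write cleared them.
if [ $# -eq 2 ]; then
    flip_jnz "$1" "$(($2))" && echo "patched $1 (backup in $1.orig)"
fi
```

Run the patch against a copy first and compare bytes_at on the original and the copy: exactly one byte (the 75 or the 85) should differ. If ncsvc still disconnects on a route change after the patch, the offset was not the jump that guards this check; restore from the .orig backup and recheck the disassembly.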

Sample route
In order to achieve the desired access to VPN resources, local LAN resources, and internet resources at the same time, possible post-connect commands:

Suppose ncsvc has given the original default gateway a higher metric and added a second default route through the tunnel with a lower metric, the target VPN resources are on 10.0.0.0 and 170.0.0.0, and tun0 has the IP 10.15.15.15 (besides the principal resources, check the VPN network's DNS servers etc.).
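The route changes for the scenario just described, as an added example that is not from this page: drop the default route ncsvc added through the tunnel, so the original default gateway again carries LAN and internet traffic, and send only the VPN networks through tun0. Assumptions: routes are managed with iproute2 (ip route); the VPN networks are /8 prefixes (the page names only 10.0.0.0 and 170.0.0.0); the tunnel is tun0. Applying the routes needs root and a patched ncsvc; with an unpatched ncsvc the route monitor drops the session as soon as the routing table changes. A DRY_RUN mode prints the plan without touching the live table.

```shell
#!/bin/sh
# Added example (not from the wiki page): post-connect split-tunnel routes.
# Prefix lengths and the tun0 device name are assumptions.

TUN_DEV=tun0
# Networks that must go through the tunnel (assumed masks). Add the VPN's
# DNS servers here too (as /32 entries) if they fall outside these ranges.
VPN_NETS="10.0.0.0/8 170.0.0.0/8"

# run CMD...: print the command, then execute it unless DRY_RUN=1.
run() {
    echo "$*"
    [ "${DRY_RUN:-0}" = 1 ] || "$@"
}

# split_tunnel DEV NET...: remove the default route through DEV, leaving the
# original default gateway, then route each NET through DEV explicitly.
split_tunnel() {
    dev=$1; shift
    run ip route del default dev "$dev"
    for net in "$@"; do
        run ip route add "$net" dev "$dev"
    done
}

# check_path ADDRESS: show which interface the kernel would use for ADDRESS.
# VPN addresses should answer "dev tun0"; everything else the LAN interface.
check_path() {
    ip route get "$1"
}

# Usage: DRY_RUN=1 sh split.sh apply   (preview)    sh split.sh apply   (as root)
if [ "${1:-}" = apply ]; then
    split_tunnel "$TUN_DEV" $VPN_NETS
    check_path 10.0.0.1
    check_path 170.0.0.1
fi
```

After applying, check_path on a VPN address and on an internet address shows whether the split took effect; if the session drops within a few seconds of the change, ncsvc's route monitor is still active and the binary needs the patch from the previous section.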