Juniper Network Connect

From Gentoo Wiki


There are various sites that discuss getting Juniper's "Network Connect" to work, particularly under a 64-bit system. See

and helped the most.

However, you may have to mix and match bits from any of those.


Here is documentation of a working setup as of Oct 2013 on a target network that requires login via a web page; the portal has multiple pages for different groups, and the client version is 7.1. The VPN client would not start automatically, nor complete when manually invoked using ncsvc.

Possible requirements: Sun Java JRE (both 64-bit and 32-bit versions) with nsplugin, e.g.:

Probably also openssl and others. I already had everything installed except the 32 bit java with nsplugin.


Go to the network portal web page, and examine page source for REALM

Log in through the web portal and attempt to initiate Network Connect. The software downloads and installs into ~/.juniper_network/network_connect/. Examine the cookies for the site and find DSID; this will have to be refreshed each time.

cd into this directory.

Get the certificate, e.g.:

user $openssl s_client -connect -showcerts < /dev/null 2> /dev/null | openssl x509 -outform der > cert.der

Compile the into an executable file:

user $gcc -m32 -Wl,-rpath,`pwd` -o ncui

Then execute:

user $./ncui -h -u USERNAME -p PASSWORD -r REALM -f cert.der -l 5 -L 5 -U -c DSID=COOKIE-VALUE-FOR-DSID

Where is the full path to the login page on the portal.

With any luck you'll be connected. There should be a TUN device listed with ip.

Concise Connection Steps

I'm writing this section to explain how I connect to Juniper Network Connect in a more succinct and consolidated manner. Recent versions of Google Chrome block the Java plugin, so it requires a different approach. This method does not use Java and is, personally, a better way.


First make sure that TUN is enabled in your kernel, as it is required to create the tunnel to your VPN. Personally, I build this into the kernel rather than as a module.

KERNEL 'make menuconfig' options
Device Drivers --->
  Network device support --->
    <*> Universal TUN/TAP device driver support

Also make sure openssl is installed, which it should be by default.

Installation Steps

You will need to download ncLinuxApp.jar for your version of Juniper Network Connect. Replace "yoursite" with the address for your vpn website.

Once you have ncLinuxApp.jar downloaded, create a folder somewhere in your home directory. This is where you will be running the Network Connect client from.

user $mkdir ~/juniper_networks

Now extract the contents of ncLinuxApp.jar

user $unzip ncLinuxApp.jar
If you ran this app from the browser, using Firefox or something else, it will have extracted the needed files to the following directory: ~/.juniper_networks/network_connect/

Once you have the files extracted, you will need to change the ownership and set file permissions for a couple files. You will need to be root.

Change ownership of ncsvc to root and set it to executable

root #chown root ncsvc && chmod +x ncsvc

Set ncdiag to executable as well. Ownership of this file doesn't seem to need to be root.

root #chmod +x ncdiag

As the instructions state in the previous section, you will need to obtain the certificate from your Juniper installation.

user $openssl s_client -connect -showcerts < /dev/null 2> /dev/null | openssl x509 -outform der > cert.der

Compile for your arch. This creates the executable you will need. This must be done as your user.

user $gcc -m32 -Wl,-rpath,`pwd` -o ncui
user $chmod +x ncui

As instructed in the previous section, you will need to obtain the REALM and DSID from your Juniper installation. The REALM is found in the login form on the front page of your Juniper site, and the DSID can be obtained from your cookies after logging into the site.

root #./ncui -h -u USERNAME -p PASSWORD -r REALM -f cert.der -l 5 -L 5 -U -c DSID=COOKIE-VALUE-FOR-DSID
I needed to be root to be able to create the tunnel to the VPN. You might be able to change it so that your user has access, but I just use root.

The one annoying thing about this is that you do have to log into your Juniper site to obtain the DSID every time. At least it does work! I hope this guide helps others in need! :)
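The two procedures above share the same manual steps: pull the REALM out of the login page, pull the DSID out of the browser's cookies, fetch the portal certificate, then run ncui. The following helper script automates those steps; it is an added example, not code from the wiki page or from Juniper. It assumes the portal serves HTTPS on port 443, that the cookies were exported to a Netscape-format cookie jar (a browser export or a curl -c jar), and that the login form carries the realm in a hidden input named "realm"; it also prints the certificate's SHA-256 fingerprint so you can compare it with what the browser shows before ncui is told to trust cert.der, and reads the password interactively instead of taking it as a script argument.

```sh
#!/bin/sh
# Added helper for the manual ncui procedure above (not part of the wiki page or
# of the Juniper software). Assumptions: HTTPS on port 443, a Netscape-format
# cookie jar, and a hidden login-form input named "realm".
set -eu

# Print the DSID value from a Netscape cookie jar (tab-separated fields:
# domain, flag, path, secure, expiry, name, value). Exit 1 if it is absent.
extract_dsid() {
    awk -F'\t' '$6 == "DSID" { print $7; found = 1 } END { exit !found }' "$1"
}

# Print the REALM from a saved copy of the portal login page: the value of the
# hidden input named "realm" (assumed field name). Exit 1 if no such field.
extract_realm() {
    sed -n 's/.*name="realm"[^>]*value="\([^"]*\)".*/\1/p' "$1" | head -n 1 | grep .
}

# Fetch the portal certificate as DER (same openssl pipeline as above) and print
# its SHA-256 fingerprint, to be checked against the fingerprint the browser
# shows before ncui is told to trust it via -f cert.der.
fetch_cert() {
    openssl s_client -connect "$1:443" -showcerts </dev/null 2>/dev/null \
        | openssl x509 -outform der -out cert.der
    openssl x509 -inform der -in cert.der -noout -fingerprint -sha256
}

# Usage: sh nc-connect.sh PORTAL_HOST LOGIN_PAGE_PATH login.html cookies.txt
# LOGIN_PAGE_PATH is the -h argument described above; login.html is the saved
# portal front page and cookies.txt the exported cookie jar.
main() {
    host=$1; login_path=$2; page=$3; jar=$4
    realm=$(extract_realm "$page")
    dsid=$(extract_dsid "$jar")
    fetch_cert "$host"
    printf 'Password: '; stty -echo; read -r pw; stty echo; echo
    ./ncui -h "$login_path" -u "${USER:-$(id -un)}" -p "$pw" -r "$realm" \
        -f cert.der -l 5 -L 5 -U -c "DSID=$dsid"
}

if [ $# -eq 4 ]; then main "$@"; fi
```

Run it from the directory holding ncui, as root if you need root to create the tunnel (as noted above).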

Split tunneling

and its commenters have some methods to achieve split tunneling.

Using LD_PRELOAD to load a custom library that redirects reads of /proc/net/route to another file seemed promising, but proved problematic on a 64-bit client. See

Patching the ncsvc binary can disable the route monitoring function, allowing one to change routes as needed manually or by script. Without patching, a route monitor may be in place that will disconnect if routes are changed.

There are probably many ways to achieve this, but one tested approach is to invert a conditional jump in the route monitoring routine:

  1. make a backup copy of ncsvc
  2. open ncsvc in a disassembler
  3. search for the text "no routes to monitor" in the disassembly
  4. a few lines up should be something that looks like
.text:0805CC9F                 mov     [ebp+var_19], 0
.text:0805CCA3                 cmp     dword ptr [eax+60h], 0
.text:0805CCA7                 jnz     loc_805CE1A
.text:0805CCAD                 sub     esp, 8
.text:0805CCB0                 push    offset aNoRoutesToMoni ; "no routes to monitor"
  5. the jnz (or possibly jne) tells the program to jump if the result of the previous comparison is not zero (or not equal). Change this to invert the conditional, i.e. jump if zero (or equal).
  6. To do so, look at the hex dump for this bit of code. Depending on your debugger, you may be able to change it within the program, or else open the ncsvc binary in a hex editor and find the corresponding bytes.
  7. The bytes will likely start with either 75 (short jnz) or 0F 85 (near jnz), followed by the jump offset.
  8. change the 75 to 74, or the 85 to 84.
  9. save and test.

Sample route

In order to achieve the desired access to VPN resources, local LAN resources, and internet resources, possible post-connect commands:

Suppose ncsvc left the original default gateway with a higher metric and added a second default route with a lower metric, the target VPN resources are on and , and tun0 has an IP of (besides the principal resources, check the VPN network's DNS servers etc.):

root #route del default
root #route del default
root #route add default gw metric 2
root #route del dev eth0
root #route del -net netmask dev eth0
root #route del -net gw netmask
root #route add -net netmask dev eth0
root #route add -net netmask gw dev tun0
root #route add -net netmask gw dev tun0
root #echo "nameserver" >> /etc/resolv.conf