Juniper Network Connect
Intro
There are various sites that discuss getting Juniper's "Network Connect" to work, particularly under a 64-bit system. See
https://forums.gentoo.org/viewtopic-t-494883.html
http://ubuntuforums.org/showthread.php?t=232607&page=45&p=11189826#post11189826
https://wiki.archlinux.org/index.php/Juniper_VPN
http://www.gentoo-wiki.info/Juniper
http://www.scc.kit.edu/scc/net/juniper-vpn/linux/
http://mad-scientist.net/juniper.html
and http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery/ helped the most.
However you may have to mix and match bits from any of those.
Prerequisites
Here is documentation of a working setup, as of Oct 2013, against a target network that requires login via a web page and has multiple portal pages for different groups (client version 7.1). The VPN client would not start automatically, nor complete when invoked manually using ncsvc.
Possible requirements: Sun Java JRE (both 64- and 32-bit versions) with nsplugin, e.g.:
Probably also openssl and others. I already had everything installed except the 32-bit Java with nsplugin.
Stepwise
Go to the network portal web page and examine the page source for the REALM.
Log in through the web portal and attempt to initiate Network Connect. The software downloads and installs into ~/.juniper_networks/network_connect/. Examine the cookies for the site and find the DSID; this will have to be refreshed each time.
cd into this directory.
Get the certificate, e.g.:
user $
openssl s_client -connect portal.example.net:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform der > cert.der
Compile libncui.so into an executable file:
user $
gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
Then execute:
user $
./ncui -h portal.example.net -u USERNAME -p PASSWORD -r REALM -f cert.der -l 5 -L 5 -U https://portal.example.net/dana-na/auth/url_0/welcome.cgi -c DSID=COOKIE-VALUE-FOR-DSID
Where https://portal.example.net/dana-na/auth/url_0/welcome.cgi is the full path to the login page on the portal.
With any luck you'll be connected. There should be a TUN device listed with ifconfig.
Concise Connection Steps
I'm writing this section to explain how I connect to Juniper Network Connect in a more succinct and consolidated manner. Recent versions of Google Chrome block the Java plugin, so a different approach is required. This method does not use Java and is, in my view, a better way.
Prerequisites
First make sure that TUN is enabled in your kernel, as this is required to create the tunnel to your VPN. Personally, I build this into the kernel rather than as a module.
Device Drivers --->
Network device support --->
<*> Universal TUN/TAP device driver support
Also make sure openssl is installed, which it should be by default.
Installation Steps
You will need to download ncLinuxApp.jar for your version of Juniper Network Connect. Replace "yoursite" with the address for your vpn website.
https://yoursite.net/dana-cached/nc/ncLinuxApp.jar
Once you have ncLinuxApp.jar downloaded, create a folder somewhere in your home directory. This is where you will be running the Network Connect client from.
user $
mkdir ~/juniper_networks
Now extract the contents of ncLinuxApp.jar
user $
unzip ncLinuxApp.jar
If you ran this app from the browser (Firefox or another), it will have extracted the needed files to the following directory: ~/.juniper_networks/network_connect/
Once you have the files extracted, you will need to change the ownership and set file permissions for a couple of files. You will need to be root.
Change ownership of ncsvc to root and set it executable:
root #
chown root ncsvc && chmod +x ncsvc
Set ncdiag to executable as well. Ownership of this file doesn't seem to need to be root.
root #
chmod +x ncdiag
As the instructions state in the previous section, you will need to obtain the certificate from your Juniper installation.
user $
openssl s_client -connect yoursite.net:443 -showcerts < /dev/null 2> /dev/null | openssl x509 -outform der > cert.der
Compile libncui.so for your arch. This creates the executable you will need. This must be done as your user.
user $
gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
user $
chmod +x ncui
As instructed in the previous section, you will need to obtain the REALM and DSID from your Juniper installation. The REALM is found in the login form on the front page of your Juniper site, and the DSID can be obtained from your cookies after logging into the site.
root #
./ncui -h portal.example.net -u USERNAME -p PASSWORD -r REALM -f cert.der -l 5 -L 5 -U https://portal.example.net/dana-na/auth/url_0/welcome.cgi -c DSID=COOKIE-VALUE-FOR-DSID
I needed to be root to create the tunnel to the VPN. You might be able to change it so that your user has access, but I just use root.
The one annoying thing about this is that you do have to log into your Juniper site to obtain the DSID every time. At least it does work! I hope this guide helps others in need! :)
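As an added example (not part of the original page or of the Juniper client), here is a small Python helper for the two values the steps above have you gather by hand. It pulls the REALM out of the portal's login page source and splits the output of openssl s_client -showcerts into DER certificates, leaf first, then prints the leaf's SHA-256 fingerprint so it can be compared with what your administrator publishes before the file is handed to ncui -f (ncui trusts whatever is in cert.der, so a fingerprint checked out of band is the only guard against having fetched the wrong certificate). It assumes the login form carries the REALM in a hidden input named realm; the sample login page and the certificate bodies are constructed placeholders, not real certificates.

```python
"""Pre-connect helpers for a Juniper Network Connect setup (added example).

Two jobs: read REALM from the login page's hidden form field, and convert
`openssl s_client -connect host:443 -showcerts` output into the DER file
that `ncui -f` expects, with a fingerprint for out-of-band verification.
"""
import base64
import hashlib
import re
from html.parser import HTMLParser


class HiddenInputs(HTMLParser):
    """Collect name -> value for every hidden <input> on the page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "input":
            return
        a = dict(attrs)
        if (a.get("type") or "").lower() == "hidden" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""


def extract_realm(login_page_html):
    """Return the REALM from the login form, or None if absent.

    Assumption (not stated on the wiki page): the portal places REALM in a
    hidden input named 'realm'. Adjust the field name if your portal differs.
    """
    parser = HiddenInputs()
    parser.feed(login_page_html)
    return parser.fields.get("realm")


PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def pem_chain_to_der(s_client_output):
    """Split s_client -showcerts output into DER blobs, leaf first.

    `openssl x509 -outform der` only converts the first PEM block it sees;
    returning the whole chain makes it explicit which certificate you pin.
    """
    return [
        base64.b64decode("".join(body.split()))
        for body in PEM_BLOCK.findall(s_client_output)
    ]


def sha256_fingerprint(der):
    """Colon-separated SHA-256 fingerprint (the `openssl x509 -fingerprint
    -sha256` format) for comparison against a published value."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))


def write_leaf_cert(s_client_output, path="cert.der"):
    """Write the leaf certificate to `path` and return its fingerprint."""
    ders = pem_chain_to_der(s_client_output)
    if not ders:
        raise ValueError("no certificate blocks found in s_client output")
    with open(path, "wb") as f:
        f.write(ders[0])
    return sha256_fingerprint(ders[0])


# --- Constructed sample input (NOT real certificates or a real portal) ---
FAKE_LEAF_DER = b"constructed placeholder: not a real X.509 certificate (leaf)"
FAKE_ISSUER_DER = b"constructed placeholder: not a real X.509 certificate (issuer)"


def pem_block(der):
    """Wrap bytes the way s_client prints a certificate (64-column base64)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")


SAMPLE_S_CLIENT_OUTPUT = (
    "CONNECTED(00000003)\n---\nCertificate chain\n"
    " 0 s:/CN=portal.example.net\n   i:/CN=Example Issuer\n" + pem_block(FAKE_LEAF_DER)
    + " 1 s:/CN=Example Issuer\n   i:/CN=Example Issuer\n" + pem_block(FAKE_ISSUER_DER)
    + "---\n"
)

SAMPLE_LOGIN_PAGE = """<html><body>
<form name="frmLogin" method="POST" action="login.cgi">
<input type="text" name="username">
<input type="password" name="password">
<input type="hidden" name="realm" value="Employees">
<input type="hidden" name="tz_offset" value="60">
<input type="submit" value="Sign In">
</form></body></html>"""

if __name__ == "__main__":
    print("REALM:", extract_realm(SAMPLE_LOGIN_PAGE))
    for i, der in enumerate(pem_chain_to_der(SAMPLE_S_CLIENT_OUTPUT)):
        print(f"cert {i} SHA256 {sha256_fingerprint(der)}")
```

In use you would feed extract_realm the saved page source of your portal's front page and pem_chain_to_der the captured s_client output (or call write_leaf_cert with it to produce cert.der), then compare the printed fingerprint with the one your portal administrator gives you before running ncui.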
Split tunneling
http://www.digitalinternals.com/124/20090430/workaround-for-juniper-vpn-split-tunneling-restriction/ and its commenters have some methods to achieve split tunneling.
Using LD_PRELOAD to load a custom library that redirects reads of /proc/net/route to another file seems promising, but proved problematic on a 64-bit client; see https://gist.github.com/anonymous/6777345
Patching the ncsvc binary can disable the route monitoring function, allowing routes to be changed as needed, manually or by script. Without patching, a route monitor may be in place that will disconnect if routes are changed.
There are probably many ways to achieve this, but one that has been tested is to invert a conditional jump in the route monitoring routine:
- make backup copy of ncsvc
- open ncsvc in a disassembler
- search for text "no routes to monitor" in the disassembly
- a few lines up should be something that looks like:
.text:0805CC9F mov [ebp+var_19], 0
.text:0805CCA3 cmp dword ptr [eax+60h], 0
.text:0805CCA7 jnz loc_805CE1A
.text:0805CCAD sub esp, 8
.text:0805CCB0 push offset aNoRoutesToMoni ; "no routes to monitor"
- the jnz (or possibly jne) tells the program to jump if the result of the preceding comparison is not zero (or not equal). Change this to invert the conditional, i.e. jump if zero (or equal).
- To do so, look at the hex dump for this bit of code. Depending on your debugger, you may be able to change it within the program, or else open the ncsvc binary in a hex editor and find the corresponding bytes.
- The bytes will likely start with either 75 ?? ?? or 0F 85 ?? ??
- change the 75 to 74, or the 85 to 84.
- save and test.
Sample route
In order to achieve the desired access to VPN resources, local LAN resources and internet resources, possible post-connect commands follow.
Suppose ncsvc has given the original default gateway a higher metric and added a second default route with a lower metric, the target VPN resources are on 10.0.0.0 and 170.0.0.0, and the tun0 IP is 10.15.15.15 (besides the principal resources, check the VPN network's DNS servers etc.):
root #
route del default
root #
route del default
root #
route add default gw 192.168.1.1 metric 2
root #
route del 192.168.1.0 dev eth0
root #
route del -net 192.168.1.0 netmask 255.255.255.0 dev eth0
root #
route del -net 192.168.1.0 gw 10.15.15.15 netmask 255.255.255.0
root #
route add -net 192.168.1.0 netmask 255.255.255.0 dev eth0
root #
route add -net 170.0.0.0 netmask 255.0.0.0 gw 10.15.15.15 dev tun0
root #
route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.15.15.15 dev tun0
root #
echo "nameserver 192.168.1.1" >> /etc/resolv.conf