There are two common problems with Juniper SSL VPN support for Linux clients:
- Most 64-bit platforms are not supported.
- Junos Pulse SSL VPN does not support Linux at all.
The best way to work around problem 1 is described here: http://ubuntuforums.org/showthread.php?p=11189826#post11189826 There is also the well-known mad-scientist approach, but it is more complex.
Problem 2 is a bit more involved.
In my case, when I log in to the Juniper SSL web interface it runs the host checker, and since Linux is not supported the web form has no way to launch the Junos Pulse SSL VPN client. In fact that client does not exist for Linux.
The good news: the old Juniper “Network Connect” client is compatible with Junos Pulse and can be used on a Linux client.
So you can still launch the “Network Connect” client separately from your web session.
If on login you are only asked for a user name and password (either AD password or SecurID), you are lucky and can launch “Network Connect” easily, as described in several sources, for example: http://serverfault.com/questions/363061/how-to-connect-to-a-juniper-vpn-from-linux
But if your VPN server uses a two-phase auth scheme (SecurID + AD password), it gets more involved. Scott has a GREAT blog post on how to make it work: http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery
The only catch: you have to copy the DSID cookie manually and paste it as an argument to the ncui call. There are several projects to automate that, for example: https://code.google.com/p/juniper-vpn/ or http://techblog.constantcontact.com/software-development/juniper-networks-network-connect-securid-and-64-bit-linux/
Both are Python scripts that simulate browser behaviour. Great stuff, but it did not work for me. I believe that is because before I can get to the login page I hit one more “Legal” page where “Agree” has to be clicked. So I decided to actually use the browser for login, and just have an automated way to pass the DSID cookie to the script that launches ncui. Below are the steps.
- Get the Network Connect client and build the ncui executable (mostly from Scott’s blog):
- Log in to your VPN: https://some.company.com/dana-na/auth/url_default/welcome.cgi
- Get the Network Connect client at: https://some.company.com/dana-cached/nc/ncLinuxApp.jar
- Install the Network Connect client, compile the ncui executable with gcc, and fetch the server certificate. Note that ncui is linked against libncui.so shipped by the VPN gateway and then made setuid root (it has to be, since it creates the tun interface), so you are trusting that gateway's code with root on your machine. The certificate is fetched trust-on-first-use with s_client; compare its fingerprint with what Firefox shows for the site before relying on it:
sudo apt-get install gcc-multilib
mkdir -p ~/.juniper_networks/network_connect
cd ~/.juniper_networks/network_connect
mv ~/Downloads/ncLinuxApp.jar .
jar -xf ncLinuxApp.jar
# 32-bit build; the rpath lets ncui find libncui.so in this directory
gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
# ncui needs root to bring up the tun interface, hence setuid root
sudo chown root:root ncui
sudo chmod 4755 ncui
# save the gateway certificate in DER form for ncui's -f option
echo | openssl s_client -connect some.company.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt
- Get the DSID cookie in persistent form and plug it into ncui.
The problem with the DSID cookie is that it is a session cookie, so it is never written to disk where you could grep for it. So I used the Greasemonkey plugin for Firefox to capture the DSID and save it to HTML5 localStorage, which Firefox does persist (in webappsstore.sqlite in the profile). Two caveats: document.cookie only exposes cookies that are not flagged HttpOnly, so this only works if the gateway sets DSID without that flag; and the copy in localStorage is a live session token stored in plain text in your profile, so clear it (or the row in webappsstore.sqlite) once you are done.
Install the Greasemonkey plugin https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ and make sure it is enabled.
- Create a Greasemonkey JS script (replace some.company.com) that dumps the DSID to webappsstore.sqlite:
mkdir -p ~/Greasemonkey/
cat > ~/Greasemonkey/jsessionid.user.js <<'EOF'
// ==UserScript==
// @name DSID to localStorage
// @namespace name@company.com
// @description Saves the DSID cookie in localStorage
// @include https://some.company.com/dana-na/*
// ==/UserScript==
(function() {
    // document.cookie only shows cookies that are not HttpOnly
    var sessid = document.cookie.match(/DSID=([^;]+)/);
    if (sessid) {
        var oldSID = localStorage.DSID;
        // compare the captured value (not the match array) with the stored one
        if (sessid[1] !== oldSID) localStorage.DSID = sessid[1];
    }
})();
EOF
- In Firefox: Menu -> File -> Open File -> choose “jsessionid.user.js”, and enable the script in the pop-up window.
- Install the sqlite3 shell (the distribution package, `sudo apt-get install sqlite3`, works just as well; then use `sqlite3` instead of `~/bin/sqlite3` in the script below):
mkdir -p ~/bin/
cd ~/bin/
wget http://www.sqlite.org/2014/sqlite-shell-linux-x86-3080500.zip
unzip sqlite-shell-linux-x86-*.zip
- Create a script to get the DSID value from webappsstore.sqlite and launch ncui (replace some.company.com):
cat > ~/bin/juniper_vpn.sh <<"EOF1"
#!/bin/bash
sudo touch /etc/jnpr-nc-resolv.conf
sudo touch /etc/jnpr-nc-hosts.bak
# webappsstore2 rows print as scope|key|value|secure|owner; the scope ends in :https:443
dsid1=$(~/bin/sqlite3 ~/.mozilla/firefox/*.default/webappsstore.sqlite 'select * from webappsstore2;' | grep 'https:443|DSID' | awk -F'|' '{print $3}' | head -n 1)
echo dsid1=$dsid1
# do not start ncui with an empty cookie
if [ -z "$dsid1" ]; then
    echo "No DSID found in Firefox localStorage; log in to the VPN web interface first" >&2
    exit 1
fi
cd ~/.juniper_networks/network_connect/
./ncui -h some.company.com -c DSID=$dsid1 -f ssl.crt
EOF1
chmod 700 ~/bin/juniper_vpn.sh
- Run the script; it will prompt for the AD password. (Ctrl+C ends the VPN connection.)
- In another window, check whether the VPN interface is up:
ifconfig | grep tun
And if so, you are on the VPN! Time to get to real work 🙂
P.S. Use Sun Java; OpenJDK has old, known problems with the Juniper VPN client.
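The launcher script above pulls the DSID out of webappsstore.sqlite by grepping for any row whose scope ends in https:443 and whose key starts with DSID, which becomes ambiguous as soon as a second site stores a key with that name. The shell functions below are an added example, not code from the original post: they build the exact localStorage scope Firefox uses for a host (the host name reversed, a trailing dot, then :https:443, as in moc.ynapmoc.emos.:https:443) and match on scope and key rather than on a substring. The table dump is constructed sample data and the host names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): select the DSID for one VPN host
# from a dump of Firefox's webappsstore2 table. Columns are
# scope|key|value|secure|owner, which is what
#   sqlite3 webappsstore.sqlite 'select * from webappsstore2;'
# prints. Firefox keys localStorage by scope = reversed host + "." + ":https:443".

# Reverse a host name character by character: some.company.com -> moc.ynapmoc.emos
reverse_host() {
    printf '%s\n' "$1" | awk '{
        s = ""
        for (i = length($0); i > 0; i--) s = s substr($0, i, 1)
        print s
    }'
}

# Build the localStorage scope Firefox uses for https://host:port (port defaults to 443).
storage_scope() {
    printf '%s.:https:%s' "$(reverse_host "$1")" "${2:-443}"
}

# Read a webappsstore2 dump on stdin and print the DSID value stored for the given host.
# Matches scope and key exactly, so a DSID saved by any other site is ignored.
# Prints nothing and returns 1 when no row matches.
dsid_for_host() {
    _scope=$(storage_scope "$1" "$2")
    awk -F'|' -v scope="$_scope" '
        $1 == scope && $2 == "DSID" { print $3; found = 1; exit }
        END { exit found ? 0 : 1 }
    '
}

# Guard used before launching ncui: refuse to run with an empty DSID.
require_dsid() {
    [ -n "$1" ] || { echo "no DSID found for the VPN host; log in via Firefox first" >&2; return 1; }
}

# Constructed sample dump: two gateways with their own DSIDs plus an unrelated site
# whose key would still match a substring grep for "https:443|DSID".
SAMPLE_DUMP='moc.ynapmoc.emos.:https:443|DSID|0123456789abcdef0123456789abcdef|0|
moc.ynapmoc.rehto.:https:443|DSID|fedcba9876543210fedcba9876543210|0|
moc.elpmaxe.golb.:https:443|DSID-note|tag list mentioning DSID|0|'

# Demo on the sample data. The real call pipes sqlite3 output instead:
#   ~/bin/sqlite3 ~/.mozilla/firefox/*.default/webappsstore.sqlite 'select * from webappsstore2;' \
#       | dsid_for_host some.company.com
dsid=$(printf '%s\n' "$SAMPLE_DUMP" | dsid_for_host some.company.com)
require_dsid "$dsid" && echo "DSID for some.company.com: $dsid"
```

To use it in the launcher, replace the grep/awk pipeline with `dsid_for_host some.company.com` fed by the sqlite3 dump, and keep `require_dsid` in front of the ncui call so the client is never started with an empty cookie.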
Check us out on http://avmconsulting.net
Thanks! This works nicely. I do have, however, a suggestion to enhance the sqlite query. You can specify the scope to search for the DSID value: add a where clause like this
select * from webappsstore2 where scope = 'moc.ynapmoc.emos.:https:443';
Yes, it looks like if you go to this blog, WordPress pushes tags to HTML5 storage, and “grep DSID” is not a unique filter anymore.
I modified the grep to avoid putting a specific web address in the script, to make it more generic, but a “where” clause with “like” would do the same thing.
Thanks a lot Gkok for pointing this out.
Thanks! I get an error, however, running juniper_vpn.sh:
./juniper_vpn.sh: line 7: https:443|DSID: command not found
dsid1=
Your help will be appreciated.
NaskoT,
Looks like “grep” was missing. I fixed it now. Try again from the creation of juniper_vpn.sh; it should work.
Alexey,
Thanks again, I should have seen it…sorry. Now I face one more issue (ignore some.company.com below):
ncsvc> Failed to setuid to root. Error 1: Operation not permitted
ncui: ncui.cpp:262: void NCUI::run(): Assertion `m_conn->isConnected()’ failed.
./juniper_vpn.sh: line 11: 3929 Aborted ./ncui -h some.company.com -c DSID=$dsid1 -f ssl.crt
P.S. I am using SafeNet with Juniper Pulse client in Windows (have to provide both username and password) as validation.
NaskoT, I do not have an environment to reproduce it, but from a quick search this seems to match well. Try what they suggest in the first answer: http://askubuntu.com/questions/289142/failed-to-setuid-to-root-how-do-i-establish-a-vpn-network
I know that page and have already tried all suggestions listed, still no success. Thanks anyway, I am giving up for now…
Pingback: Juniper Two Factor VPN & Linux – Black Hills Information Security
Here’s my simplified solution: https://github.com/zouppen/pulse-openconnect-helper
The script does everything in the browser except running the actual command. It's much simpler, but you need to paste the command into the terminal manually. The script does the copying to the clipboard by itself.
Thanks Joel. This is working great! Automating a manual process has a lot of power! In my case I used the following command:
sudo openconnect -v -v -v -C dsidValue --protocol=pulse https://yourCompanyVPNsite.com/pulsevpn