A passionate openSUSE user
  • Juniper VPN on openSUSE x86_64

    Posted on July 6th, 2010 by Dominique Leuenberger

    I’m in the unfortunate situation that my employer uses a Juniper SSL/VPN solution with network connect capabilities (to initiate a real tunnel).

    The solution is built around some Java code, some suid services and obviously exists as 32bit only.

    Since the update from v5 to v6.5, network connect no longer works when initiated from the web interface, which is a shame. The issue is a 32bit library that no longer seems to be nicely wrapped, and thus the 64bit Java is no longer able to start the processes up. The worst part of it all: there is no error message and no log file.
    If you’re lucky enough and you only have username / password auth, you can simply use ncsvc with some parameters. Of course I am less fortunate, and besides username/password, we also use an OTP RSA token. And of course, ncsvc does not offer any option to enter a 2nd password.

    So, no solution?

    Let’s be more optimistic: there IS a solution, albeit a very hackish one. But I DO need to connect to our VPN, so I consider it a ‘valid’ workaround until this hopefully gets properly solved.

    So, what needs to be done? When you initiate the VPN tunnel the first time from the web interface, you’re requested to enter the root password, and the network_connect client is installed in ~/.juniper_networks/network_connect and set suid. That’s about as far as you can get with the automatic stuff.

    You’ll have to install gcc45-lib32 in order to be able to do the tasks at hand. Then you can convert libncui.so into a binary which we can later invoke directly.
    # Change to the installed client folder
    cd ~/.juniper_networks/
    # Extract the LinuxApp java archive
    unzip ncLinuxApp.jar
    # go to the actual binary client
    cd network_connect
    # grab the certificate from the ssl/vpn gateway server
    sh ../getx509certificate.sh <host.you.log.in.to> cert.der
    # Convert the library into a binary
    gcc -m32 -Wl,-rpath,$(pwd) -o ncui libncui.so
    # chown and set the new binary suid
    sudo chown root:root ncui
    sudo chmod 6711 ncui

    From now on we will be able to launch ncui (with some parameters) and have it initiate a tunnel for us. The needed command line for this is:
    ./ncui -h <host.you.log.in.to> -c DSID=<YourSessionID> -f cert.der

    So now the last obstacle: how to find your session ID? It’s stored in a cookie in your browser after logging in to the website. In Firefox you can get it from the properties/privacy or using various plugins (like Web Developer). The cookie name is DSID, so you should have an easy time finding it.

    ncui weirdly asks for a password, but in my experience it never mattered what I entered, so I just press enter and go on. The application stays running and builds the tunnel. To tear it down, simply press CTRL-C and abort ncui.

    You may be missing some more 32bit libraries, which I already had. Use ldd against libncui.so and ncsvc to find out what other libraries you might be missing and install the corresponding 32bit equivalents.
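
The ldd check and the ownership/mode set on ncui above can be combined into one pre-flight script. This is an added example, not part of the original post; the function names and the NC_DIR variable are assumptions, and the path is the install directory named in the post.

```shell
#!/bin/sh
# Added example: pre-flight check for the ncui workaround described above.
# Assumption: the client lives in ~/.juniper_networks/network_connect.
NC_DIR="${NC_DIR:-${HOME:-.}/.juniper_networks/network_connect}"

# Read ldd output on stdin; print each unresolved library name once.
missing_libs() {
    awk '/=> not found/ { print $1 }' | sort -u
}

# Succeed only if the file is root:root with mode 6711, as set in the post.
suid_ok() {
    [ "$(stat -c '%U:%G %a' "$1" 2>/dev/null)" = "root:root 6711" ]
}

# Succeed only if the file is a 32-bit ELF object (magic + EI_CLASS == 1).
is_elf32() {
    [ "$(od -An -tx1 -N5 "$1" 2>/dev/null | tr -d ' \n')" = "7f454c4601" ]
}

# Check both vendor binaries for unresolved libraries, then the suid bits.
preflight() {
    rc=0
    for f in libncui.so ncsvc; do
        [ -f "$NC_DIR/$f" ] || { echo "missing file: $f"; rc=1; continue; }
        is_elf32 "$NC_DIR/$f" || echo "note: $f is not a 32-bit ELF"
        libs=$(ldd "$NC_DIR/$f" 2>/dev/null | missing_libs)
        [ -z "$libs" ] || { echo "$f needs 32-bit:" $libs; rc=1; }
    done
    if [ -f "$NC_DIR/ncui" ]; then
        suid_ok "$NC_DIR/ncui" || { echo "ncui is not root:root 6711"; rc=1; }
    fi
    return $rc
}

# Run only where the client is actually installed.
if [ -d "$NC_DIR" ]; then preflight || true; fi
```

Each library name it prints is one whose 32bit package still has to be installed before ncui will start.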

     
