Juniper VPN on openSUSE x86_64Posted on July 6th, 2010 7 comments
I’m in the unfortunate situation that my employer uses a Juniper SSL/VPN solution with network connect capabilities (to initiate a real tunnel).
The solution is built around some Java code, some suid services and obviously exists as 32bit only.
Since the update from v5 to v6.5, network connect does no longer work when initiated from the web interface, which is a shame. The issue is a 32bit library that seems no longer to be nicely wrapped and thus the 64bit java is no longer able to start the processes up. The worst about all of it: there is no error message, no log file.
If you’re lucky enough and you only have username / password auth, you can simply use ncsvc with some parameters. Of course I am less fortunate, and besides username/password, we also use a OTP RSA Token. And of course, ncsvc does not offer any option to enter a 2nd password.
so, no solution?
Let’s be more optimistic: there IS a solution, albeit a very hakish one. But I DO need to connect to our VPN, so I consider it a ‘valid’ workaround until this is hopefully really getting solved.
So, what needs to be done? When you initiate the VPN tunnel the first time from the web interface, you’re requested to enter the root password and the network_connect client is installed in ~/.juniper_network/network_connect and set suid. That’s about as far as you can get with the automatic stuff.
you’ll have to install gcc45-lib32 in order to be able to do the tasks at hand. But then you can convert the libncui.so to a binary which we can later on invoke directly.
# Change to the installed client folder
# Extract the LinuxApp java archive
# go to the actual binary client
# grab the certificate from the ssl/vpn gateway server
sh ../getx509certificate.sh <host.you.log.in.to> cert.der
# Convert the library into a binary
gcc -m32 -Wl,-rpath,$(pwd) -o ncui libncui.so
# chown and set the new binary suid
sudo chown root:root ncui
sudo chmod 6711 ncui
From now on we will be able to launch ncui (with some parameters) and have it initiate a tunnel for us. The needed command line for this is:
./ncui -h <host.you.log.in.to> -c DSID=<YourSessionID> -f cert.cer
So now the last obstacle: how to find your session ID? It’s stored in a cookie in your browser after logging in to the website. In Firefox you can get it from the properties/privacy or using various plugins (like Web Developer). The cookie name is DSID, so you should have an easy time finding it.
ncui weirdly asks for a password, but in my experience it never mattered what I enter, so I just press enter and go on. The application stays running and builds the tunnel. To tear it down, simply press CTRL-C and abort ncui.
Eventually you’re missing some more 32bit libraries, which I already had. use ldd against libncui and ncsvc to find out what other libraries you might be missing and install the corresponding 32bit equivalents.
I also use juniper vpn SSL on a 11.2 64-bit machine.
The best way to make it work is to install 32-bit firefox browser as described on OSS wiki
I upgraded it to ffox 3.6.6 and java 1.6.0_20
Network Connect Version 6.5-0-Build15551
I will definitely try this out! thanks for the tip.
I wonder if this will also work for the EID authentication method..
Thanks this worked awesome
It works! Fantastic!
What a huge relief… Thanks a lot!
P. S. OpenSUSE 11.4 x64
Worked. Thanks for this guide.
openSUSE 12.2 x64
Leave a reply