{"id":120,"date":"2010-07-06T09:19:54","date_gmt":"2010-07-06T13:19:54","guid":{"rendered":"http:\/\/dominique.leuenberger.net\/blog\/?p=120"},"modified":"2010-07-06T09:30:58","modified_gmt":"2010-07-06T13:30:58","slug":"juniper-vpn-on-opensuse-x86_64","status":"publish","type":"post","link":"https:\/\/dominique.leuenberger.net\/blog\/2010\/07\/juniper-vpn-on-opensuse-x86_64\/","title":{"rendered":"Juniper VPN on openSUSE x86_64"},"content":{"rendered":"<p>I&#8217;m in the unfortunate situation that my employer uses a Juniper SSL\/VPN solution with network connect capabilities (to initiate a real tunnel).<\/p>\n<p>The solution is built around some Java code, some suid services and obviously exists as 32bit only.<\/p>\n<p>Since the update from v5 to v6.5, network connect no longer works when initiated from the web interface, which is a shame. The issue is a 32bit library that seems no longer to be nicely wrapped and thus the 64bit Java is no longer able to start the processes up. The worst part of it all: there is no error message, no log file.<br \/>\nIf you&#8217;re lucky enough and you only have username \/ password auth, you can simply use ncsvc with some parameters. Of course I am less fortunate, and besides username\/password, we also use an OTP RSA token. And of course, ncsvc does not offer any option to enter a 2nd password.<\/p>\n<p>So, no solution?<\/p>\n<p>Let&#8217;s be more optimistic: there IS a solution, albeit a very hackish one. But I DO need to connect to our VPN, so I consider it a &#8216;valid&#8217; workaround until this hopefully really gets solved.<\/p>\n<p>So, what needs to be done? When you initiate the VPN tunnel the first time from the web interface, you&#8217;re asked to enter the root password and the network_connect client is installed in ~\/.juniper_networks\/network_connect and set suid. 
That&#8217;s about as far as you can get with the automatic stuff.<\/p>\n<p>You&#8217;ll have to install gcc45-lib32 in order to be able to do the tasks at hand. But then you can convert the libncui.so to a binary which we can later on invoke directly.<br \/>\n<code># Change to the installed client folder<br \/>\ncd ~\/.juniper_networks\/<br \/>\n# Extract the LinuxApp java archive<br \/>\nunzip ncLinuxApp.jar<br \/>\n# Go to the actual binary client<br \/>\ncd network_connect<br \/>\n# Grab the certificate from the ssl\/vpn gateway server<br \/>\nsh ..\/getx509certificate.sh &lt;host.you.log.in.to&gt; cert.der<br \/>\n# Convert the library into a binary<br \/>\ngcc -m32 -Wl,-rpath,$(pwd) -o ncui libncui.so<br \/>\n# Make the new binary root-owned and setuid\/setgid (mode 6711)<br \/>\nsudo chown root:root ncui<br \/>\nsudo chmod 6711 ncui<\/code><\/p>\n<p>From now on we will be able to launch ncui (with some parameters) and have it initiate a tunnel for us. The needed command line for this is:<br \/>\n<code>.\/ncui -h &lt;host.you.log.in.to&gt; -c DSID=&lt;YourSessionID&gt; -f cert.der<\/code><\/p>\n<p>So now the last obstacle: how to find your session ID? It&#8217;s stored in a cookie in your browser after logging in to the website. In Firefox you can get it from the properties\/privacy or using various plugins (like Web Developer). The cookie name is DSID, so you should have an easy time finding it.<\/p>\n<p>ncui weirdly asks for a password, but in my experience it never mattered what I entered, so I just press Enter and go on. The application stays running and builds the tunnel. To tear it down, simply press CTRL-C and abort ncui.<\/p>\n<blockquote><p>You may be missing some more 32bit libraries, which I already had. 
Use ldd against libncui and ncsvc to find out what other libraries you might be missing and install the corresponding 32bit equivalents.<\/p><\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>Connecting to a Juniper SSL\/VPN from openSUSE x86_64 &#8211; A pain, but does work.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[3,7],"tags":[],"class_list":["post-120","post","type-post","status-publish","format-standard","hentry","category-opensuse","category-tutorials"],"_links":{"self":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts\/120","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/comments?post=120"}],"version-history":[{"count":3,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts\/120\/revisions"}],"predecessor-version":[{"id":123,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/posts\/120\/revisions\/123"}],"wp:attachment":[{"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/media?parent=120"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/categories?post=120"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dominique.leuenberger.net\/blog\/wp-json\/wp\/v2\/tags?post=120"}],"curies":[{"name":"wp","href":"https:\/\/api.w.o
rg\/{rel}","templated":true}]}}