Wednesday, November 17, 2010

Connecting to Juniper VPN from Linux

Steps for connecting to the VPN from a Linux desktop (tested on 32-bit; not yet tested on 64-bit).

The host checker application loads some Java browser components and downloads a few scripts, along with a couple of ELF binaries, into ~/.juniper_networks/. Java and the Java browser plugin for Firefox must be installed for this to work.

1. Make sure you have the Sun JDK installed along with its browser plugin (not OpenJDK, which gives you the IcedTea plugin; the host checker component does not work with it, which is a pity). Check your distribution's repository for the Sun Java packages, or download the Linux binary from the Sun Java website.
Ubuntu: "sudo aptitude install sun-java6-plugin sun-java6-jdk sun-java6-jre"
2. Open Firefox (the host checker does not work in Chrome, whatever you try) and check in about:plugins that the Java plugin is enabled.

3. Verify the plugin actually works at: http://www.java.com/en/download/installed.jsp

4. Open https://your-official-url

5. A page asks for permission to download and execute the host checker software (tncc.jar). Choose Yes/Always.

6. It then redirects to the login screen, where we authenticate and enter the system.

7. So far so good, but if you started the browser as a normal user, "Java Secure Application Manager" will not work any further. The browser has to be started with superuser (root) privileges for the VPN part to work; otherwise the Java plugin has no privilege to assign us a tunnel IP address. That means running the browser as root every time you connect to the VPN, which is NOT a secure practice: I can't think of many things dumber than running a browser as root.

8. Click on Network Connect::Start. It opens an xterm for us to enter the root password for the 'installation'. Enter the password and it does the installation. We are good to go now. If you are not on Ubuntu, skip to step 15.

9. If you are on Ubuntu (like me), as you might know, the root account is disabled, so the above installation fails. There is no error message as you would expect, but it is quite obvious: it redirects you back to your home page.

Time to do some basics.
10. Click on Network Connect::Start. The same authentication window appears again. Don't do anything; leave the xterm as it is.

11. Open a terminal and cd ~/.juniper_networks/tmp/

12. You will see the following files:

00:50:28 ~/.juniper_networks/tmp$ ll
total 2864
drwxr-xr-x 2 arun arun    4096 2010-11-17 00:47 META-INF
-rw-r--r-- 1 arun arun    1829 2010-11-17 00:47 xlaunchNC.sh
-rw-r--r-- 1 arun arun      16 2010-11-17 00:47 version.txt
-rw-r--r-- 1 arun arun 1175432 2010-11-17 00:47 ncsvc
-rw-r--r-- 1 arun arun   79292 2010-11-17 00:47 ncdiag
-rw-r--r-- 1 arun arun     721 2010-11-17 00:47 installNC.sh
-rw-r--r-- 1 arun arun 1603632 2010-11-17 00:47 libncui.so
-rw-r--r-- 1 arun arun   46207 2010-11-17 00:47 NC.jar
-rw-r--r-- 1 arun arun     770 2010-11-17 00:47 getx509certificate.sh
00:50:28 ~/.juniper_networks/tmp$

13. Have a look at installNC.sh (as the name implies, it is the installation script for the network_connect application). It tries to install the ELF binary ncsvc into the network_connect directory, and since the root account is not available it keeps failing. So why give it a hard time? You can do:

sudo install -m 6711 -o root ncsvc ../ncsvc

Mode 6711 sets both the setuid and setgid bits, so ncsvc runs as root for any user who can execute it; afterwards the file should show up as -rws--s--x with owner and group root, exactly as in the final directory listing further down. Also copy version.txt to ../ (otherwise the installation script opens the xterm on every run and fails; we would still be able to connect to the VPN, though). Remember that we are letting "Network Connect" fail and then making it work from behind.

14. Job done. Now just kill the xterm invoked by the browser.

15. A popup says that the modprobe of the tun driver has failed. The installation script does a modprobe for the tun driver, but on kernels where tun is compiled in rather than built as a module (as on Ubuntu) there is no tun.ko to load, so the modprobe fails even though the device works. Juniper's script does not account for this, and the error message appears every time we start Network Connect.

16. Again, a simple way to fix this (applies to all Linux distros) is:

sudo chown root:root installNC.sh xlaunchNC.sh

But we still face timeout issues, because the application has an event loop that kills the session when the tun module initialisation has failed.

To work around this, I built a dummy kernel module, named it tun and installed it into the kernel (code at the end of this post). When Network Connect starts next time, it no longer fails looking for the tun driver; it loads my dummy module instead and its event loop is told that everything is running fine ;). Do this only on a kernel where tun really is built in (CONFIG_TUN=y in /boot/config-$(uname -r)): if it says CONFIG_TUN=m, the real tun.ko is already there, modprobe should not be failing in the first place, and installing a dummy module under the same name would shadow the real driver and break every tunnel on the box.

17. Once everything is done, it opens a small Java application (the event loop I was referring to) that assigns us an IP address and shows the number of bytes sent and received. This would not work if the tun driver were really missing from the kernel; it works because tun is in fact there, only the modprobe check was wrong. Poor Juniper guys! We are buying their product, not getting it for free!

We are all set. We had to do all these tricks only because on Ubuntu we have no root account. Those who work on Debian/Gentoo/Fedora can run Firefox once in superuser mode to avoid all these workarounds, and then do:

tar cfj juniper.tar.bz2 /root/.juniper_networks

Extract the archive in your home directory and change the permissions accordingly. Do not touch the permissions of ncsvc, though: it must stay setuid root, as in the listing below! If you know how to use cp -prd, that is an alternative to tar cfj. Note that you will still have to do steps 15 and 16 (building the dummy module) to avoid the timeout issues.
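Steps 10 to 16 above can be scripted so the whole dance is not repeated by hand. The script below is an added example written for this post; it is not Juniper's code and not part of the original instructions. It assumes the directory layout shown on this page (the browser unpacks into $JNDIR/tmp, and ncsvc is expected in $JNDIR/network_connect next to it), and the JNDIR variable and the function names are my own. It also checks the kernel config first, so the dummy tun module is only suggested where tun is actually built in.

```shell
#!/bin/sh
# Added example (not Juniper's code, not from the original post): does by
# hand what installNC.sh keeps failing to do on Ubuntu, and checks whether
# the dummy tun module is needed at all.
# Assumptions: the layout shown on this page, i.e. the browser unpacks
# into $JNDIR/tmp and ncsvc is expected in $JNDIR/network_connect.
set -eu

JNDIR="${JNDIR:-$HOME/.juniper_networks}"

# tun_builtin [configfile]
# Returns 0 when the kernel config says CONFIG_TUN=y (tun compiled in, so
# "modprobe tun" has nothing to load and the dummy module is needed).
# Returns 1 for CONFIG_TUN=m or unset: a real tun.ko exists (or tun is
# absent) and a dummy module named tun must NOT be installed.
tun_builtin() {
    cfg="${1:-/boot/config-$(uname -r)}"
    grep -q '^CONFIG_TUN=y$' "$cfg"
}

# stage_nc SRC DST
# Copies what the installer wants into DST and, when run as root,
# installs ncsvc setuid/setgid root (mode 6711) and hands the launcher
# scripts to root so the xterm password prompt goes away (steps 13-16).
# Without root it only copies and returns 2, so the caller knows to rerun
# with sudo.
stage_nc() {
    src="$1"; dst="$2"
    mkdir -p "$dst"
    cp "$src/version.txt" "$dst/version.txt"
    for f in installNC.sh xlaunchNC.sh; do
        if [ -f "$src/$f" ]; then cp "$src/$f" "$dst/$f"; fi
    done
    if [ "$(id -u)" -ne 0 ]; then
        cp "$src/ncsvc" "$dst/ncsvc"
        echo "ncsvc copied without setuid; rerun as root to install it 6711/root" >&2
        return 2
    fi
    install -m 6711 -o root -g root "$src/ncsvc" "$dst/ncsvc"
    for f in installNC.sh xlaunchNC.sh; do
        if [ -f "$dst/$f" ]; then chown root:root "$dst/$f"; fi
    done
}

# nc_ready DST
# True when DST/ncsvc exists, is owned by root and carries the setuid bit,
# i.e. what the final listing on this page shows (-rws--s--x root root).
nc_ready() {
    f="$1/ncsvc"
    [ -u "$f" ] && [ "$(stat -c %U "$f")" = root ]
}

# Usage when run directly: stage the files, then say whether the dummy
# tun module is needed. Guarded so the functions can also be sourced.
if [ "${1:-}" = "run" ]; then
    stage_nc "$JNDIR/tmp" "$JNDIR/network_connect"
    if tun_builtin; then
        echo "tun is built into this kernel: build and install the dummy tun module"
    else
        echo "tun is a loadable module here: do NOT install the dummy module"
    fi
    if nc_ready "$JNDIR/network_connect"; then
        echo "ncsvc is setuid root, ready"
    fi
fi
```

Run it after step 10, while the xterm is sitting there, as sudo env JNDIR=$HOME/.juniper_networks sh fix-nc.sh run (passing JNDIR explicitly matters, because sudo usually resets HOME to /root and the files would otherwise be staged in the wrong home directory). The tun_builtin check is the caveat from step 16 in executable form: on a CONFIG_TUN=m kernel the script tells you not to build the dummy module, since it would shadow the real driver.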

The final working structure of ~/.juniper_networks/ will be as follows:

02:39:07 ~/.juniper_networks$ ls -lR
.:
total 1432
-rw-r--r-- 1 arun arun    1277 2010-11-17 02:02 dsHCLauncher_linux1.log
-rw-r--r-- 1 arun arun 1253983 2010-08-03 11:33 ncLinuxApp.jar
drwxr-xr-x 2 arun arun    4096 2010-11-17 02:02 network_connect
drwxr-xr-x 2 arun arun    4096 2010-11-17 02:09 tmp
-rw-r--r-- 1 arun arun  191973 2010-08-03 11:57 tncc.jar
-rw-r--r-- 1 arun arun      15 2010-11-17 00:10 whitelist.txt

./network_connect:
total 2860
-rw-r--r-- 1 arun arun     150 2010-11-17 02:02 installnc.log
-rwxr--r-- 1 arun arun     721 2010-11-17 01:35 installNC.sh
-rw-r--r-- 1 arun arun 1603632 2010-11-17 02:02 libncui.so
-rw-r--r-- 1 arun arun       0 2010-11-17 01:35 missing.info
-rwxr--r-- 1 arun arun   79292 2010-11-17 02:02 ncdiag
-rw-r--r-- 1 arun arun   46207 2010-11-17 02:02 NC.jar
-rws--s--x 1 root root 1175432 2010-11-17 01:05 ncsvc
-rw-r--r-- 1 root root       0 2010-11-17 01:07 ncsvc.log
-rw-r--r-- 1 arun arun       0 2010-11-17 00:12 ncui.log
-rw-r--r-- 1 arun arun      16 2010-11-17 01:36 version.txt
-rwxr--r-- 1 arun arun    1831 2010-11-17 01:59 xlaunchNC.sh

./tmp:
total 0

Final notes:

I've not tried "Java Secure Application Manager" and I'm not sure what it is used for.
I am happy with ssh and that's the power of Linux.

Code for the dummy tun module (tun.c, since the Makefile below builds tun.o):

#include <linux/module.h>   /* MODULE_LICENSE and the module entry points */
#include <linux/init.h>

/* Dummy "tun" module: it does nothing except load successfully, so that
 * the modprobe tun run by Network Connect's script returns 0 on a kernel
 * where the real tun driver is compiled in and no tun.ko exists. */
int init_module(void)
{
   return 0;
}

void cleanup_module(void)
{
   return;
}

/* Without a licence the kernel logs "module license 'unspecified' taints kernel". */
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Dummy tun module to satisfy Network Connect's modprobe check");

Makefile for the same (the recipe lines must start with a tab, and you need the headers of the running kernel, i.e. the linux-headers package on Ubuntu, for the build directory to exist):
obj-m += tun.o
all:
	make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build/ M=$(PWD) clean

To install the module into the kernel (depmod scans the whole /lib/modules tree, so it does not matter that the real driver would normally live under kernel/drivers/net/):

sudo install tun.ko /lib/modules/`uname -r`/kernel/net/tun.ko
sudo depmod -a
sudo modprobe tun

3 comments:

ashwin said...

Logging in as root is a trivial thing in Ubuntu. Why not do a sudo su - and then the passwd command to enable the root account? Then, as root, launch Firefox. There is an excellent utility to launch Firefox or any other GUI application in Ubuntu called gksudo. If you think Juniper is wrong, why don't you post that on the Juniper forum or file a bug with Juniper?

Arun said...

That's by default what people have been reporting to Juniper. So, can't help it unless Juniper releases a new patch.

WRT sudo su, yes, you can do that. But why would you want to run a browser with root privileges after all?!
ncsvc is shitty enough to have a setuid bit.

Timmy.Norris said...

Great tutorial on how to connect to Juniper VPN from a Linux platform, thank you very much.
us vpn