The standard method for Linux users to establish a VPN connection with a Secure Access (SA) device by Juniper Networks is to log in via a web browser and click the Start button next to Network Connect in the Client Application Sessions panel. At first use the software is downloaded and installed automatically. Advantage: you don't have to know anything (if it works out of the box). Disadvantage: you need a web browser and you need Java every time you want to start the network connect client.
This Howto explains how you can use network connect if you don't want to log in via web browser every time you want to start a VPN connection and/or if you don't want to or cannot use Java (plugin) at all. It is possible to get, install and run network connect completely without Java. The ncsvc (network connect service) binary is a 32-bit executable which uses shared libs. So if you use a 64-bit system, you have to install the 32-bit version of the GNU C library (Debian/Ubuntu: package libc6-i386), of the compression library zlib (Debian/Ubuntu: package lib32z1) and of the NSS module for Multicast DNS name resolution (Debian/Ubuntu: package lib32nss-mdns).
If you've already downloaded the client software, you can start network connect from the command line, either with or without the Java GUI. Have a look at the Help provided by Juniper Networks: if you're logged in on the web page of your Juniper SSL/VPN site, click the Help button and choose Sessions / Using Network Connect (Linux) in the menu bar. This is helpful, but there are still some disadvantages. No configuration file is possible; parameters like host and user name must be given as command line options. Moreover, there's a problem with the user password: either you give it as a command line option (but then it's visible in the system's process list, so this is not a good idea), or you omit it and are prompted for it afterwards. In that case the client won't detach itself from the window it was started from, and you can't detach it directly (using &) because you first have to wait for the password prompt. Another inconvenience is that if you use the Java GUI, the GUI is started before you have entered the password, so you have to switch back to the window where the password is prompted. Another point is certificate handling: network connect needs the host certificate of the Juniper SSL/VPN site to connect. First, this is not very comfortable; second, it would be more reasonable to verify the certificate that the host offers against the appropriate trusted certificate authority. In any case, you have to verify the certificate that you download from the host, and it would be more comfortable if this were done automatically.
The solution is to use a wrapper for the network connect client which overcomes these disadvantages: jnc is a Perl program which does this job.
If the Java plugin from Sun Microsystems is installed on your system and you use a 32-bit Linux (sun-java6-plugin works for me on Debian/Ubuntu 32-bit), then just connect once using the standard user interface via web browser (Firefox is supported by Juniper Networks, Opera worked for me, too). You are asked for the root password because the setuid bit of the ncsvc binary must be set. If you don't have a root password (e. g. because you use Ubuntu) just press CTRL+D to abort. Nevertheless the software will be downloaded to the directory ~/.juniper_networks/network_connect. Just make sure the binaries have the required permissions:
$ sudo chown root:root ~/.juniper_networks/network_connect/ncsvc
$ sudo chmod 6711 ~/.juniper_networks/network_connect/ncsvc
$ chmod 744 ~/.juniper_networks/network_connect/ncdiag
If Sun Java doesn't work on your system with Juniper (64-bit Linux) or you don't want to use Java, just log in on the web site of your Juniper SSL/VPN and change the URL as follows. If the site's URL is
https://vpn.kit.edu
enter
https://vpn.kit.edu/dana-cached/nc/ncLinuxApp.jar
and download the file ncLinuxApp.jar.
Then execute the following commands:
$ mkdir -p ~/.juniper_networks/network_connect/
$ unzip ncLinuxApp.jar -d ~/.juniper_networks/network_connect/
$ sudo chown root:root ~/.juniper_networks/network_connect/ncsvc
$ sudo chmod 6711 ~/.juniper_networks/network_connect/ncsvc
$ chmod 744 ~/.juniper_networks/network_connect/ncdiag
Download jnc, copy it to an appropriate directory (e. g. /usr/local/bin) and make it executable:
$ chmod a+x jnc
In addition to Perl, openssl must be installed to use it. If you want to use the GUI, Java from Sun Microsystems must of course be available, too.
If you use a 64-bit Linux the Network Connect Java GUI will not work. So remember to start jnc with option --nox (or -n), see below. Also install the 32-bit versions of the required libraries.
On Debian/Ubuntu:
# apt-get install libc6-i386 lib32z1 lib32nss-mdns
On RH 6 and higher:
# yum install glibc.i686 zlib.i686 nss.i686
Create the directory for the configuration files
$ mkdir -p ~/.juniper_networks/network_connect/config
and create a configuration file in this directory. It must be named somename.conf.
Example config file
host=foo.bar.com
user=username
password=secret
realm=very long realm with spaces
cafile=/etc/ssl/bar-chain.pem
certfile=
password and realm are optional.
cafile: CA chain used to verify the host certificate
certfile: host certificate in DER format
cafile or certfile must be configured.
For cafile/certfile you have to use the full path. You must not use ~, it won't be expanded.
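How a certfile in DER format can be produced only after the host certificate has been checked against the CA chain, shown as an added example (this is not jnc's own code). The function names, host name and file paths are placeholders chosen for illustration; only standard openssl subcommands are used.

```shell
#!/bin/sh
# Added example, not part of jnc. Host names and file paths are placeholders.

# fetch_host_cert HOST OUT_PEM
# Save the certificate the server presents on port 443 (needs network access).
fetch_host_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -outform PEM -out "$2"
}

# verify_and_export CAFILE CERT_PEM OUT_DER HOST
# Returns 1 if CERT_PEM does not chain to CAFILE or is not valid for HOST,
# 2 if the conversion fails. Only a verified certificate is written as DER.
verify_and_export() {
    openssl verify -CAfile "$1" -verify_hostname "$4" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -inform PEM -outform DER -out "$3" || return 2
    # SHA-256 fingerprint, for comparison with one obtained out of band
    openssl x509 -in "$3" -inform DER -noout -fingerprint -sha256
}

# Typical use (host and paths are placeholders):
#   fetch_host_cert foo.bar.com /tmp/host.pem &&
#   verify_and_export /etc/ssl/bar-chain.pem /tmp/host.pem /tmp/host.der foo.bar.com
```

The resulting DER file can then be referenced by its full path in the certfile option.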
If you don't know about any realm there's possibly only one, so you can omit this configuration option. You can also find out your realm by viewing the page source of your sign-in page: just search for the word realm in it.
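A pre-flight check for a jnc configuration file, as an added example (not part of jnc). It enforces the rules stated above and assumes one key=value pair per line; the function names are illustrative, and the check that a file containing a password is not readable by group or others is an addition of this example, not a requirement stated by jnc.

```shell
#!/bin/sh
# Added example, not part of jnc. Assumes one key=value pair per line.

# conf_get FILE KEY: print the value of KEY (everything after the first '='),
# so values with spaces such as the realm are kept intact.
conf_get() {
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# check_jnc_conf FILE: returns 0 if the file passes, otherwise:
#   2  host or user missing
#   3  neither cafile nor certfile configured
#   4  cafile/certfile is not a full path (e.g. starts with ~)
#   5  password stored, but file is accessible by group or others
check_jnc_conf() {
    conf=$1
    [ -n "$(conf_get "$conf" host)" ] && [ -n "$(conf_get "$conf" user)" ] || return 2
    cafile=$(conf_get "$conf" cafile)
    certfile=$(conf_get "$conf" certfile)
    [ -n "$cafile$certfile" ] || return 3
    for p in "$cafile" "$certfile"; do
        case $p in
            ''|/*) ;;        # empty (unused) or absolute path: fine
            *) return 4 ;;   # relative or ~-prefixed: will not be expanded
        esac
    done
    if [ -n "$(conf_get "$conf" password)" ]; then
        mode=$(ls -ld "$conf" | cut -c5-10)   # group and other permission bits
        [ "$mode" = "------" ] || return 5
    fi
    return 0
}

# Constructed sample, identical to the example config on this page.
demo=$(mktemp)   # mktemp creates the file with mode 600
printf '%s\n' host=foo.bar.com user=username password=secret \
    'realm=very long realm with spaces' cafile=/etc/ssl/bar-chain.pem certfile= > "$demo"
check_jnc_conf "$demo" && echo "config OK"
rm -f "$demo"
```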
Start network connect with
$ jnc somename
or
$ jnc --nox somename
for use without GUI. To stop the client, just (click Sign Out in the Java GUI or) execute
$ jnc stop
For more options see
$ jnc --help
Updating the client: if your Juniper SSL/VPN site was upgraded to a new firmware version, a new network connect client version may also be available. To get it, just repeat step one in this howto. You don't have to remove any files beforehand.
For changes in jnc, see CHANGELOG. Recent version is 0.19.
Klara Mall, klara.mall@kit.edu, 2009–2010