Juniper SSL/VPN for Linux users

The standard method for Linux users to establish a VPN connection with a Secure Access (SA) device by Juniper Networks is to login via web browser and to click the Start button next to Network Connect in the Client Application Sessions panel. At first use the software is downloaded and installed automatically. Advantage: you don't have to know anything (if it works out of the box), disadvantage: you need a web browser and you need Java every time you want to start the network connect client.

This Howto will explain how you can use network connect if you don't want to have to login via web browser everytime you want to start a VPN connection and/or if you don't want or cannot use Java (plugin) at all. It is possible to get, install and run network connect completely without Java. The ncsvc (network connect service) binary is a 32-bit executable which uses shared libs. So if you use a 64-bit system, you have to install the 32-bit version of the GNU C library (Debian/Ubuntu: package libc6-i386), of the compression library zlib (Debian/Ubuntu: package lib32z1) and of the NSS module for Multicast DNS name resolution (Debian/Ubuntu: package lib32nss-mdns).

If you've already downloaded the client software, it's possible to start network connect from the command line. Either with or without the Java GUI. Just have a look at the Help provided by Juniper Networks: If you're logged in on the web page of your Juniper SSL/VPN site, click the Help button and choose Sessions / Using Network Connect (Linux) in the menu bar. This is helpful but there are still some disadvantages: there's no configuration file possible, parameters like host and user name must be given as command line options. Moreover there's a problem with the user password. Either you give it as command line option (but then it's visible in the system's process list, so this is not a good idea) or you omit it, then it will be prompted afterwards. But the client won't detach itself from the window it was started from and you can't detach it directly (using &) because you've first to wait for the password prompt. Another unhandy thing is that if you use the Java GUI, the GUI will be started before you entered the password, so you have to switch back to the window where the password is prompted. Another point is certificate handling: network connect needs the host certificate of the Juniper SSL/VPN site to connect. First this is not very comfortable, second it would be more reasonable to verify the certificate that the host offers with the appropriate trusted certificate authority. Anyway: you have to verify the certificate that you download from the host and it would be more comfortable if this would be done automatically.

The solution is to use a wrapper for the network connect client which overcomes these disadvantages: jnc is a Perl program which does this job.

Howto

  1. First you need the network connect client software from Juniper Networks.
  2. Download jnc, copy it to an appropriate directory (e. g. /usr/local/bin) and make it executable:

    $ chmod a+x jnc

    In addition to perl openssl must be installed to use it. If you want to use the GUI, Java from Sun Microsystems must be available, too, of course.

    If you use a 64-bit Linux the Network Connect Java GUI will not work. So remember to start jnc with option --nox (or -n), see below. Also install the 32-bit versions of the required libraries. On Debian/Ubuntu:
    $ apt-get install libc6-i386 lib32z1 lib32nss-mdns

  3. Create the directory for the configuration files

    $ mkdir -p ~/.juniper_networks/network_connect/config

    and create a configuration file in this directory. It must be named somename.conf.

    Example config file
    (Karlsruhe Institute of Technology (KIT) users: click here)

    host=foo.bar.com
    user=username
    password=secret
    realm=very long realm with spaces
    cafile=/etc/ssl/bar-chain.pem
    certfile=
    

    password and realm are optional.
    cafile: ca chain to verify the host certificate
    certfile: host certificate in DER format
    cafile or certfile must be configured.

    For cafile/certfile you have to use the full path. You must not use ~, it won't be expanded.

    If you don't know about any realm there's possibly only one, so you can omit this configuration option. You can also find out your realm by viewing the page source of your sign-in page: just search for the word realm in it.

  4. Start network connect with

    $ jnc somename

    or

    $ jnc --nox somename

    for use without GUI. To stop the client, just (click Sign Out in the Java GUI or) execute

    $ jnc stop

    For more options see

    $ jnc --help

  5. Updating the client: if your Juniper SSL/VPN site was upgraded to a new firmware version there could be also a new network connect client version available. To get it, just repeat step one in this howto. You don't have to remove any files before.

  6. For changes in jnc, see CHANGELOG. Recent version is 0.18.


Klara Mall, klara.mall@kit.edu, 2009–2010