# HOWTO: Juniper Network Connect on amd64 with firefox-bin

## NewBlackDak

Network connect has Linux "support", but only for RedHat.  I thought I would try and get it working in Gentoo since my company had moved to it.

Installing all the needed pieces

1.  Ensure you have TUN/TAP support installed.  It is a kernel option.

```
Device Drivers-->

   Network device support-->

      <M> Universal TUN/TAP device driver support
```

If you don't know how to compile your kernel, go here: http://www.gentoo.org/doc/en/kernel-upgrade.xml

2. Load the tun driver

```
modprobe tun
```

3.  If all goes well and it loads without errors, add it to your autoload file

```
echo "tun">> /etc/modules.autoload.d/kernel-2.6
```

Note: Tun can be compiled directly into the kernel, but you'll get a warning that the tun module can't be loaded.  Clicking OK still allows the client to work.

4. Install openssl

```
emerge openssl
```

Steps 5-9 can now be done with 2 simple commands:

```
echo "app-emulation/emul-linux-x86-java X alsa nsplugin">>/etc/portage/package.use

emerge emul-linux-x86-java
```

5. Download Sun's Java from here: http://java.com/en/download/linux_manual.jsp

Be sure to get the "Linux (self-extracting file)" installer.

6. Create a java32 directory somewhere and cd into it

```
mkdir /usr/java32

cd !$
```

7. Move the installer to your newly created directory.

```
mv ~/Desktop/jre-1_5_0_06-linux-i586.bin ./
```

8. Change the permissions, so it's executable

```
# The installer was moved into the current directory in step 7
chmod u+x ./jre-1_5_0_06-linux-i586.bin
```

9. Run the installer

```
./jre-1_5_0_06-linux-i586.bin
```

Simulating the RedHat environment

1. Enable the java plugin for firefox-bin *If you did the emerge with nsplugin enabled skip this

```
cd /usr/lib32/nsbrowser/plugins/

ln -s /usr/java32/jre1.5.0_06/plugin/i386/ns7/libjavaplugin_oji.so
```

2. Rpm checks to see if openssl is installed, so we just trick it here

```
ln -s /bin/true /usr/bin/rpm
```

3. Link the libraries network connect expects to see *If your company has moved to 5.5 you shouldn't need this.

```
ln -s /usr/lib/libssl.so.0.9.7 /lib/libssl.so.2

ln -s /usr/lib/libcrypto.so.0.9.7 /lib/libcrypto.so.2
```

That's it.  If Firefox was open you will probably need to restart it to make the java plugin active.  Now connect to your VPN server just like you would in a browser on any Windows or Mac OSX machine.  After network connect is installed you can delete the /usr/bin/rpm symlink.

I got some of the tricks from here: http://www.flexion.org/site/index.php?gadget=StaticPage&action=Page&id=50
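A post-install audit for the steps above, as an added example that is not part of the original post: it checks the tun device node, the two compatibility symlinks, and whether the temporary `rpm` stub is still in place. The function name `nc_audit` and its optional root-prefix argument are hypothetical; the paths are the ones used in the HOWTO.

```shell
#!/bin/sh
# Added example: audit the state left behind by the HOWTO steps.
# $1 is a hypothetical root prefix so the check can run against a
# constructed directory tree; call it with no argument on a live system.
nc_audit() {
    root=${1:-}
    rc=0

    # Steps 1-3: the tun driver must expose its device node.
    if [ ! -e "$root/dev/net/tun" ]; then
        echo "MISSING tun device: $root/dev/net/tun (is the tun module loaded?)"
        rc=1
    fi

    # Compatibility links from "Simulating the RedHat environment", step 3
    # (the post says they should not be needed from version 5.5 on).
    # -L is true for any symlink, -e only if its target exists, so
    # "-L but not -e" means the link dangles, e.g. after an openssl update.
    for lib in libssl.so.2 libcrypto.so.2; do
        link="$root/lib/$lib"
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            echo "DANGLING $link -> $(readlink "$link")"
            rc=1
        elif [ ! -e "$link" ]; then
            echo "MISSING $link"
            rc=1
        fi
    done

    # Step 2 stub: while rpm points at /bin/true, every rpm call reports
    # success. The post says to delete it once Network Connect is installed.
    rpm="$root/usr/bin/rpm"
    if [ -L "$rpm" ]; then
        case "$(readlink "$rpm")" in
            */true) echo "LEFTOVER rpm stub: $rpm -> $(readlink "$rpm")"; rc=1 ;;
        esac
    fi
    return "$rc"
}
```

The function returns 0 when nothing is flagged and 1 otherwise, printing one line per finding.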

----------

## static_k

I followed these directions and it worked perfectly. 

Thanks for figuring it out!!!   :Very Happy: 

I was running an Intel core duo for those who think it's only for amd64.

----------

## slinkp

Seems to work here on a 32-bit pentium M laptop.

But for that platform, I skipped all the Java steps and just did:

```
 sudo emerge sun-jdk

```

One other annoyance - I use nscd to cache DNS lookups.

I have to restart it every time I stop or start the VPN:

```
/etc/init.d/nscd restart
```

----------

## cshobe

This page is looking pretty sketch:  http://gentoo-wiki.com/HOWTO_Juniper_SSL_Network_Connect_VPN

So after poking around for a while wondering why that page recommended stuff like installing openmotif (which seems to be necessary with NC 1.0, but not NC 1.2), I was happy to find this post.  But sadly, I'm still stuck.

What I've found is that the symlinks for libssl and libcrypto *do* make a noticeable difference, as without them, the java GUI says "Connecting to NCSVC", then immediately fails.

Now, as far as I've been able to get on this, it will say "Connecting to NCSVC" for a moment, then it will change and say "Connecting to IVE", and then it will fail.

What is IVE?

Any ideas on things I can try?

I'm on an Intel Core 2 machine, and am trying using mozilla-bin (32-bit) with Sun 32bit JRE 1.6.0.03 [emul-linux-x86-java-1.6].  I've found that if I change the system-vm to Sun JRE 1.6.0.03 [sun-jre-bin-1.6], then the GUI fails before getting to the IVE connection just as when the lib{ssl,crypto} symlinks were missing.

----------

## cshobe

Some more details:

```
casey@uppsala.osss.net:/home/casey/.juniper_networks/network_connect
$ ./ncdiag -A
NC Diagnostics for Linux.
Version 1.0.
Release Date/Time: Jun 22 2007 13:26:56
+==============================================================================+
|   Tests:                      |        Results:                              |
+==============================================================================+
       o  NC Installation Check          Failed
       o  NC Diagnostics
             NC Service                  Not Running
             NC Driver Test              Passed
             NC Tunnel Test              Not established
       o  Host Details
             Hostname                    uppsala
             Domainname                  hi5.com
             IP Routing Enabled          No
             IP Loopback test            Passed
             Nameserver Details
                   127.0.0.1             Ping Passed
             Gateway Ping Test
                192.168.64.4             Ping Passed
       o  Network Connection Diagnostics
             Interface:                  eth0
             IP Address:                 192.168.64.119
             Netmask:                    255.255.255.0
             Broadcast:                  192.168.64.255
             MTU:                        1500
             Interface:                  lo
             IP Address:                 127.0.0.1
             Netmask:                    255.0.0.0
             Broadcast:                  127.255.255.255
             MTU:                        16436
      o  Route Info
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.64.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 lo
0.0.0.0         192.168.64.4    0.0.0.0         UG    0      0        0 eth0
       Finished running tests
+==============================================================================+
casey@uppsala.osss.net:/home/casey/.juniper_networks/network_connect
$ cat version.txt
Version: 1.2
```

----------

## cshobe

 *cshobe wrote:*   

> What I've found is that the symlinks for libssl and libcrypto *do* make a noticeable difference, as without them, the java GUI says "Connecting to NCSVC", then immediately fails.

 

Eh no, I was wrong.  It just shows the IVE message every now and again, generally the first time I try to connect following a machine restart (umm...).

I've reinstalled my entire system as 32-bit only, and still have the same issues.  I am out of ideas.  :Sad: 

----------

## cshobe

Well, I finally figured out my issue.  In short, the Juniper software uses hard linking between /tmp and /etc to replace files, and hard links cannot traverse filesystems.  If you have both directories on a single partition you should be fine.  However since this is closed source software, if you do have multiple filesystems you're pretty much screwed:

http://www.juniperforum.com/index.php/topic,5454.0.html

Also, I made a handy CLI script so that I don't have to use firefox and java anymore:

http://www.juniperforum.com/index.php/topic,5455.0.html
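A way to test for the condition described in the post above, as an added example that is not part of the original post or of the Juniper software: it compares the device numbers of two directories and, optionally, probes with a real hard link. The function names are hypothetical and `stat -c` assumes GNU coreutils (or busybox) `stat`.

```shell
#!/bin/sh
# Added example: predict whether a hard link between two directories can work.
# A hard link is a second directory entry for the same inode, so both
# directories must be on the same filesystem; otherwise link(2) fails
# with EXDEV ("Invalid cross-device link").

# Returns 0 if both paths report the same device number, 1 if they differ,
# 2 if either path cannot be examined. Equal device numbers are necessary
# but not sufficient (bind mounts can still refuse the link), hence the probe.
same_fs() {
    a=$(stat -c %d "$1" 2>/dev/null) || return 2
    b=$(stat -c %d "$2" 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Empirical probe: create a scratch file in $1 and hard-link it into $2.
# Needs write access to both directories and cleans up after itself.
can_hardlink() {
    src=$(mktemp "$1/nc-probe.XXXXXX") || return 2
    dst="$2/$(basename "$src").lnk"
    if ln "$src" "$dst" 2>/dev/null; then
        rm -f "$src" "$dst"
        return 0
    fi
    rm -f "$src"
    return 1
}

report() {
    if same_fs "$1" "$2"; then
        echo "$1 and $2 share a filesystem: hard links can work"
    else
        case $? in
            1) echo "$1 and $2 are on different filesystems: hard links fail (EXDEV)" ;;
            *) echo "cannot examine $1 or $2" ;;
        esac
    fi
}

# The two directories named in the post.
report /tmp /etc
```

`can_hardlink /tmp /etc` gives the definitive answer but has to be run as root, since it writes a scratch file into `/etc`.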

----------

## someguy

East Texas? Dallas, I take it?

Same here.

----------

## jbo5112

The company I'm dealing with just upgraded (or somehow changed) their Juniper VPN at the same time I switched to doing my development on my workstation at home.  With the old version, I didn't have any trouble setting this up in the office under 32-bit Ubuntu, but now I can't get it to work on 32-bit Ubuntu or 64-bit Gentoo.  I'm not sure if it still works at the office.  All I get is an error that my platform isn't supported.

So far my experiences with VPNs have been like a kick in the nads.  Do they offer any advantage over something like ssh, other secure protocols or even remote desktop?

----------

## NewBlackDak

I just made some edits, because it got easier with emul-linux-x86-java package.

----------

## colschmi

Thank you so much! Worked like magic.  And, a personal comment, this is my best tuned gentoo install yet.  Everything works as it should! Thanks to the forums, and the wiki!

----------

## xmaes

Is it still working?

I am trying to connect my Gentoo laptop to my work VPN with Juniper.

I am able to enter the user name and password and it looks like it gets connected (I get my company web page), but I don't get the Java applet and I can't browse any network resource.

Thanks,

Xavier

----------

## static_k

 *xmaes wrote:*   

> Is it still working?
> 
> I am trying to connect my Gentoo laptop to my work VPN with Juniper.
> 
> I am able to enter the user name and password and it looks like it gets connected (I get my company web page), but I don't get the Java applet and I can't browse any network resource.
> ...

 

It's still working for me. Did you follow all of NewBlackDak's instructions?

----------

## xmaes

Yes, I did follow the instructions, as well as using this script.

Can it be that Linux clients are not allowed to connect?

When I use FF to log in before trying to open the network connection, I get a web page with "host checker" turning red (which normally turns green on my Windows PC), then I get the welcome page from my company.

But it doesn't create any extra connection with an IP from my company network.

If I use the script, I can't connect; I get an error "failed to connect ive error 10".

Thank you,

Xavier

----------

## static_k

Weird. I don't see that host checker with mine. I have the company login bookmarked. After I enter my credentials a popup window comes up that says it's loading Network Connect from an applet. It spawns the Network Connect java client and then that popup window closes out.

Did you check popup blocker stuff?

----------

## xmaes

Hi, Thanks,  :Smile: 

Well, I never had a popup using Juniper. After entering my user name and password I get a window with the following message:

```
    Loading Components...

    Please wait. This may take several minutes.

       •    

    Host Checker

       

    If an error prevents a component from loading properly, you can click here to continue. Not all functionality may be available.
```

The black dot is green in Windows and red in Linux.

After it is done loading the components, I normally get the welcome page.

Anyway, I am using Firefox in Windows as well and I don't have any add-on installed.

I sent an email to my IT support to find out if they support Linux clients for the VPN; I will see.

Now I am trying to set it up in Ubuntu in VirtualBox with the following script: http://mad-scientist.us/juniper.html

Apparently I am able to log on, because when I tried in Ubuntu and then from Gentoo, when I logged on to the VPN I got the following:

 *Quote:*   

>  There are already other user sessions in progress:
> 
> Login IP Address 	Last Access Time
> 
> xxxx 	2010-01-07 17:53:36 +0100 CET
> ...

 

But I still can't browse the LAN and I don't have any additional IP.

Here is the log for the host checker on my Gentoo box:

 *Quote:*   

> 
> 
>           HCUtil:000 (01/07 17:59:36.948)[            main] HttpNAR: starting
> 
>           HCUtil:000 (01/07 17:59:36.949)[            main] HttpNAR: ivehost     = XXXXXXXXXXXXXXXXXXXXXXX
> ...

 

Xavier

----------

## static_k

Where did you find that log file? I can post mine and we can check differences.

----------

## xmaes

in your home directory

```
xavier@desktop ~ $ ls -l .juniper_networks/
total 1488
-rw-r--r-- 1 xavier users   51276 2010-01-07 17:59 dsHCLauncher_linux1.log
-rw-r--r-- 1 xavier users   16038 2010-01-07 17:59 dsHostChecker_linux1.log
-rw-r--r-- 1 xavier users       6 2010-01-07 17:59 narport.txt
-rw-r--r-- 1 xavier users 1235182 2009-09-24 01:00 ncLinuxApp.jar
drwxr-xr-x 2 xavier users    4096 2010-01-07 11:23 network_connect
drwxr-xr-x 3 xavier users    4096 2010-01-07 14:54 tmp
-rw-r--r-- 1 xavier users  190885 2009-09-24 01:12 tncc.jar
xavier@desktop ~ $ ls -l .juniper_networks/network_connect/
total 2848
-rw-r--r-- 1 xavier users     118 2010-01-07 14:54 installnc.log
-rwxr--r-- 1 xavier users     721 2010-01-07 14:54 installNC.sh
-rw-r--r-- 1 xavier users 1571664 2010-01-07 14:54 libncui.so
-rw-r--r-- 1 xavier users       0 2010-01-07 14:54 missing.info
-rwxr--r-- 1 xavier users   74784 2010-01-07 14:54 ncdiag
-rw-r--r-- 1 xavier users    4162 2010-01-07 11:23 ncdiag.log
-rw-r--r-- 1 xavier users   45404 2010-01-07 14:54 NC.jar
-rws--s--x 1 root   root  1159048 2010-01-07 09:53 ncsvc
-rw-r--r-- 1 root   root      612 2010-01-07 14:52 ncsvc.log
-rw-r--r-- 1 xavier users     543 2010-01-07 12:38 ncuijava.log
-rw-r--r-- 1 xavier users    8265 2010-01-07 12:38 ncui.log
-rw-r--r-- 1 xavier users      18 2010-01-07 09:53 version.txt
-rwxr--r-- 1 xavier users    1829 2010-01-07 14:54 xlaunchNC.sh
xavier@desktop ~ $
```

But after reading more in the Ubuntu forum, apparently somebody had the same problem, and apparently it is due to the host checker.

The host checker checks whether the host meets all the prerequisites of the company policy:

- Windows firewall on.

- antivirus etc...

I suppose that the problem is here.

Just one question: after connecting to the VPN, do you have an extra connection when you run ifconfig?

Thanks,

Xavier

----------

## static_k

Yeah I don't have any of those host checker log files. My company must not be doing that. Hope it's not gonna happen.

Anyway, yes I do have an extra connection:

```
tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:172.29.3.3  P-t-P:172.29.3.3  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1400  Metric:1
          RX packets:2447 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2457 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500
          RX bytes:335466 (327.6 KiB)  TX bytes:168994 (165.0 KiB)
```

----------

## xmaes

Hello,

I got an answer from my IT department saying that it should work, but I am on my own.

Anyway, I gave Ubuntu 32-bit a try in a VM and it did work: I have got a tun0 interface with an IP from my company network, but I am not able to browse the internet.

So I suppose I have a problem with my Java setup on my Gentoo box, but first I'd like to solve my proxy problem.

On the intranet it says that I should configure FF as no proxy.

In Windows I had a look, and as soon as it connects to the network a new page opens that asks me if I want to run a script to change my proxy settings.

When I was done with that I had a look; it changed the proxy settings to "automatic proxy configuration url", which points to a PAC file:

http://en.wikipedia.org/wiki/Proxy_auto-config

In Linux the proxy settings are not changed automatically.

I tried to transfer the PAC file from Windows to my Linux box and I specified the file in the proxy settings, but it doesn't do the trick.

I suppose the host checker is responsible for the configuration....

Does anybody have experience in using Juniper with a proxy configured through PAC files?

Are they supposed to be platform independent?

Thanks,

Xavier

----------

