HOWTO set up Juniper Network Connect VPN on Ubuntu Dapper

[madscientist]

Hi all; I recently started a new job and I needs my remote access! My previous employer used Nortel Contivity and I used the Apani Contivity client; this was a bit of a pain since it's a proprietary kernel module, but it worked well (and it supported split tunneling, which is sweet!)

My new job uses Juniper's Network Connect VPN, which does not use a KLM (nice!) but does not support split tunneling (boo!) It has a very nice feature where it will try to download and install the software to your system the first time you run it... and it supports Linux! Yay! But, it only supports Red Hat (and other RPM-based distros, most likely) Boo! However, I was able to get it working with a bit of playing around

First, let me hand out props to this Flexion.org blog post by Martin... it got me going! However, it's specific to Ubuntu 5.10 and perhaps an earlier version of Network Connect and I needed to do a few different things.

Here's what I had to do; make sure openssl and the proper libstdc++ libraries are installed, as well as Sun's Java:

Code:

sudo aptitude install openssl libstdc++2.10-glibc2.2 sun-java5-bin sun-java5-jre

The installer wants to use su, not sudo. I just set my root password to something while I installed it, then reset it again later (find out how).

The installer also wants to run RPM to make sure you have openssl etc. installed. Since it doesn't actually use RPM for anything other than a check, I decided to just make a fake rpm that always succeeds. Do this:

Code:

sudo ln -s /bin/true /usr/bin/rpm

Finally, the service application tries to dlopen() the openssl library (I'm assuming, since ldd doesn't show it) and it's looking for libssl.so.0, which does not exist on our system per se. So make it exist with a symlink:

Code:

sudo ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0

We're all set to install! Connect to your server and use the "Start" button next to "Network Connect" under Client Application Sessions. It will open a terminal and ask for a password for su: use the one you set above. It will then install and connect and all should be working well.

At this point you can undo some of the customizations above: you won't need a root password anymore so you can undo that, and you can remove the rpm link:

Code:

sudo rm -f /usr/bin/rpm

I've only tried the most basic stuff but it seems to be working well for me!

[mcewanbr]

I have done the same thing, except I didn't fake it out using your symlink method for rpm.

Instead, I edited the $HOME/.juniper_networks/network_connect/xlaunchNC.sh. Towards the bottom is the code that looks for rpm.

Code:

rpm -q openssl 1>> $1/missing.info
if [ "$?" -ne "0" ]
then
    echo "RPM query for openssl failed." >> $1/missing.rpt
fi

I just commented these lines out. Then I ran

Code:

chattr +i xlaunchNC.sh

...on the file to prevent the logon script from overwriting this file on future logins to the vpn and reseting it back to default.

Works great for me!

[timshadel]

I also had to

Code:

sudo apt-get install lesstif2

and

Code:

sudo ln -s /usr/lib/libXm.so.2 /usr/lib/libXm.so.3

so that if found libXm.so.

The dialog comes up, but it's filled with stuff like "label47". It's unreadable, but the VPN works great.

[madscientist]

I didn't need to install Motif or Lesstif. Weird!

However, after updating to Edgy I had problems: it wanted to reinstall every time I tried to start my session. It turns out that whomever is creating the install and setup shell scripts for these packages is a horrible shell scripter. Really, I can't remember when I've seen worse. It's one thing to have crappy scripts for internal processes but to release them to customers? If you work for Juniper please find out who is responsible for this and beat them with a clue stick; they're embarrassing your company.

Since in Edgy /bin/sh is really dash, not bash, and these scripts are in no way valid POSIX sh scripts, they break badly... but for no reason other than they're poorly written.

I've attached new versions of these two scripts. Copy them into ~/.juniper_networks/network_connect. I made them immutable with chattr +i, as described elsewhere in this thread, although I'm not sure that's necessary.

Hrmph. I can't attach anything. When I try to and click the upload button FireFox gives me a dialog saying I want to open newattachment.php and what application do I want to use? I tried "firefox" but that opened a blank window. So I guess if you need these, email me or send me a private message.

[madscientist]

Another hint: I was having my login session messed up every so often. After looking carefully I realized that my DHCP client kept rewriting my /etc/resolv.conf file every time my lease was re-acquired, so I was no longer using the VPN network's DNS servers. It was also rewriting the search string so searches for hostnames weren't being resolved correctly.

The solution I used was to disable setting of the domain-name and domain-name-servers in my DHCP client; this means that if my DHCP server changed this I wouldn't automatically know about it which is a bummer, but that's very unlikely so it's the lesser of two evils.

What you need to do is edit /etc/dhcp3/dhclient.conf, and remove the domain-name and domain-name-servers from the "request" attribute list. The docs are not very clear that this means that /etc/resolv.conf won't be updated, but in fact that seems to be the case. Note you need to restart the DHCP client; an easy way to do that is to run "sudo ifdown eth0" then "sudo ifup eth0" (or whatever your network interface is). I suppose you can also bring the interface down and back up through the GUI but I've had problems with that in the past.

[lordmundi]

Question: I finally got the client to connect and work in my VMWare virtual machine of ubuntu, but as soon as it connected, the whole OS seemed to lock up.. and I think it may be because everything is getting routed through that adapter, and since I rely on NFS for my home dir and NIS for auth, that is probably killing it right?

Anybody else have this problem? So my question is (and I suppose people might want this even if they weren't having this problem), how do I selectively route to this java adapter/client instead of it redirecting everything to that adapter?

FG

[tworkemon]

madscientist, could you try to attach those files again ?? Also anyone get this to work with Feisty ??

[madscientist]

Quote:

Originally Posted by lordmundi Question: I finally got the client to connect and work in my VMWare virtual machine of ubuntu, but as soon as it connected, the whole OS seemed to lock up.. and I think it may be because everything is getting routed through that adapter, and since I rely on NFS for my home dir and NIS for auth, that is probably killing it right? Anybody else have this problem? So my question is (and I suppose people might want this even if they weren't having this problem), how do I selectively route to this java adapter/client instead of it redirecting everything to that adapter?

The system will automatically create a virtual IP interface using tun, then set up routes to send the VPN-bound traffic to the new interface. It will also reset /etc/resolv.conf so that your DNS server is pointing to the server over the VPN, so you can resolve local addresses inside the VPN.

Either of these things may be causing you to have problems. If the connect is not working properly, or if it throws some kind of invalid value into /etc/resolv.conf, then you won't be able to resolve any hostnames and that can often make it look like your system is locked up. Check the contents of /etc/resolv.conf and make sure that the address(es) there for "nameserver" are accessible (you can try pinging them).

Also, if your remote site is using an overlapping IP address space, then you could have problems (although I don't think your system should lock up). For example, on my home network I'm using the common 196.168.* class B range. However, my work internal network also uses that same class B range (this is kind of bogus but...) Now all traffic that I want to send to my local systems will instead get routed through the VPN. Not good. To fix this I modified my local LAN to use one of the other reserved IP address spaces.

[ariel]

Hi madscientist, could you make Juniper "Network Connect" work with Edgy? If so can you update this howto? For the scripts, instead of attachments how about a simple copy/paste on a port here ?

Thanks... hope you see this soon!

[madscientist]

Quote:

Originally Posted by ariel Hi madscientist, could you make Juniper "Network Connect" work with Edgy? If so can you update this howto? For the scripts, instead of attachments how about a simple copy/paste on a port here ?

It works fine with Edgy, using the same directions. I don't recall needing to do anything different.

I was able to get the attachment to work finally; check post #12 for this thread.