View Full Version : HOWTO set up Juniper Network Connect VPN on Ubuntu Dapper



madscientist
August 9th, 2006, 04:44 AM
Hi all; I recently started a new job and I needs my remote access! My previous employer used Nortel Contivity and I used the Apani Contivity client; this was a bit of a pain since it's a proprietary kernel module, but it worked well (and it supported split tunneling, which is sweet!)

My new job uses Juniper's Network Connect VPN, which does not use a KLM (nice!) but does not support split tunneling (boo!) It has a very nice feature where it will try to download and install the software to your system the first time you run it... and it supports Linux! Yay! But, it only supports Red Hat (and other RPM-based distros, most likely) Boo! However, I was able to get it working with a bit of playing around :cool:

First, let me hand out props to this Flexion.org blog post (http://www.flexion.org/site/index.php?gadget=StaticPage&action=Page&id=50) by Martin... it got me going! However, it's specific to Ubuntu 5.10 and perhaps an earlier version of Network Connect and I needed to do a few different things.

Here's what I had to do; make sure openssl and the proper libstdc++ libraries are installed, as well as Sun's Java:

sudo aptitude install openssl libstdc++2.10-glibc2.2 sun-java5-bin sun-java5-jre

The installer wants to use su, not sudo. I just set my root password to something while I installed it, then reset it again later (find out how (https://help.ubuntu.com/community/RootSudo#head-6357ee1f3ec93078a7d7cbc2c627208117e9499d)).

The installer also wants to run RPM to make sure you have openssl etc. installed. Since it doesn't actually use RPM for anything other than a check, I decided to just make a fake rpm that always succeeds. Do this:

sudo ln -s /bin/true /usr/bin/rpm

Finally, the service application tries to dlopen() the openssl library (I'm assuming, since ldd doesn't show it) and it's looking for libssl.so.0, which does not exist on our system per se. So make it exist with a symlink:

sudo ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0

We're all set to install! Connect to your server and use the "Start" button next to "Network Connect" under Client Application Sessions. It will open a terminal and ask for a password for su: use the one you set above. It will then install and connect and all should be working well.

At this point you can undo some of the customizations above: you won't need a root password anymore so you can undo that, and you can remove the rpm link:

sudo rm -f /usr/bin/rpm

I've only tried the most basic stuff but it seems to be working well for me!

mcewanbr
August 20th, 2006, 05:43 PM
I have done the same thing, except I didn't fake it out using your symlink method for rpm.

Instead, I edited the $HOME/.juniper_networks/network_connect/xlaunchNC.sh. Towards the bottom is the code that looks for rpm.

rpm -q openssl 1>> $1/missing.info
if [ "$?" -ne "0" ]
then
echo "RPM query for openssl failed." >> $1/missing.rpt
fi

I just commented these lines out. Then I ran

chattr +i xlaunchNC.sh

...on the file to prevent the logon script from overwriting this file on future logins to the vpn and resetting it back to default.

Works great for me!

timshadel
September 26th, 2006, 04:44 PM
I also had to


sudo apt-get install lesstif2

and


sudo ln -s /usr/lib/libXm.so.2 /usr/lib/libXm.so.3

so that it found libXm.so.

The dialog comes up, but it's filled with stuff like "label47". It's unreadable, but the VPN works great. :-)

madscientist
November 10th, 2006, 12:15 AM
I didn't need to install Motif or Lesstif. Weird!

However, after updating to Edgy I had problems: it wanted to reinstall every time I tried to start my session. It turns out that whoever is creating the install and setup shell scripts for these packages is a horrible shell scripter. Really, I can't remember when I've seen worse. It's one thing to have crappy scripts for internal processes but to release them to customers? If you work for Juniper please find out who is responsible for this and beat them with a clue stick; they're embarrassing your company.

Since in Edgy /bin/sh is really dash, not bash, and these scripts are in no way valid POSIX sh scripts, they break badly... but for no reason other than they're poorly written.

I've attached new versions of these two scripts. Copy them into ~/.juniper_networks/network_connect. I made them immutable with chattr +i, as described elsewhere in this thread, although I'm not sure that's necessary.

Hrmph. I can't attach anything. When I try to and click the upload button FireFox gives me a dialog saying I want to open newattachment.php and what application do I want to use? I tried "firefox" but that opened a blank window. So I guess if you need these, email me or send me a private message.

madscientist
November 13th, 2006, 07:08 PM
Another hint: I was having my login session messed up every so often. After looking carefully I realized that my DHCP client kept rewriting my /etc/resolv.conf file every time my lease was re-acquired, so I was no longer using the VPN network's DNS servers. It was also rewriting the search string so searches for hostnames weren't being resolved correctly.

The solution I used was to disable setting of the domain-name and domain-name-servers in my DHCP client; this means that if my DHCP server changed this I wouldn't automatically know about it which is a bummer, but that's very unlikely so it's the lesser of two evils.

What you need to do is edit /etc/dhcp3/dhclient.conf, and remove the domain-name and domain-name-servers from the "request" attribute list. The docs are not very clear that this means that /etc/resolv.conf won't be updated, but in fact that seems to be the case. Note you need to restart the DHCP client; an easy way to do that is to run "sudo ifdown eth0" then "sudo ifup eth0" (or whatever your network interface is). I suppose you can also bring the interface down and back up through the GUI but I've had problems with that in the past.
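
An added example, not part of the post above: a POSIX sh check that the dhclient.conf edit took effect and that /etc/resolv.conf still lists only the VPN's resolvers. The function names, the sample files and the addresses (10.20.0.53 as the VPN DNS server, 192.168.1.1 as the home router) are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify the DHCP client no longer requests DNS settings and
# detect a resolv.conf that has been rewritten away from the VPN's resolvers.

# Print the DNS-related options still present in the "request" statement of
# a dhclient.conf. The statement may span lines and ends at ";".
requested_dns_options() {
    awk '
        { sub(/#.*/, "") }                          # drop comments
        !in_req && /^[ \t]*request([ \t]|$)/ {
            in_req = 1
            sub(/^[ \t]*request/, "")
        }
        in_req {
            n = split($0, opt, /[ \t,;]+/)
            for (i = 1; i <= n; i++)
                if (opt[i] == "domain-name" || opt[i] == "domain-name-servers")
                    print opt[i]
            if (/;/) in_req = 0
        }
    ' "$1"
}

# Print every nameserver address listed in a resolv.conf.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Print nameservers in RESOLV that are not among the expected VPN resolvers.
# usage: unexpected_nameservers RESOLV VPN_DNS_IP...
unexpected_nameservers() (
    resolv=$1; shift
    for ns in $(resolv_nameservers "$resolv"); do
        known=no
        for want in "$@"; do [ "$ns" = "$want" ] && known=yes; done
        [ "$known" = yes ] || echo "$ns"
    done
)

case "${1:-demo}" in
    --check)  # real system; usage: --check VPN_DNS_IP...
        shift
        requested_dns_options /etc/dhcp3/dhclient.conf
        unexpected_nameservers /etc/resolv.conf "$@" ;;
    demo)     # constructed files: unedited request list, DHCP-written resolv.conf
        d=$(mktemp -d)
        cat > "$d/dhclient.conf" <<'EOF'
# constructed sample, request list not yet edited
request subnet-mask, broadcast-address, routers,
        domain-name, domain-name-servers, host-name;
EOF
        printf 'search home.example\nnameserver 192.168.1.1\n' > "$d/resolv.conf"
        echo "still requested: $(requested_dns_options "$d/dhclient.conf" | tr '\n' ' ')"
        echo "not VPN resolvers: $(unexpected_nameservers "$d/resolv.conf" 10.20.0.53)"
        rm -rf "$d" ;;
esac
```

Any output from --check while the tunnel is up means name lookups can go to a resolver outside the VPN.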

lordmundi
November 18th, 2006, 01:10 AM
Question: I finally got the client to connect and work in my VMWare virtual machine of ubuntu, but as soon as it connected, the whole OS seemed to lock up.. and I think it may be because everything is getting routed through that adapter, and since I rely on NFS for my home dir and NIS for auth, that is probably killing it right?

Anybody else have this problem? So my question is (and I suppose people might want this even if they weren't having this problem), how do I selectively route to this java adapter/client instead of it redirecting everything to that adapter?

FG

tworkemon
December 19th, 2006, 09:14 PM
madscientist, could you try to attach those files again ?? Also anyone get this to work with Feisty ??

ariel
January 6th, 2007, 01:26 AM
Hi madscientist, could you make Juniper "Network Connect" work with Edgy? If so can you update this howto? For the scripts, instead of attachments how about a simple copy/paste on a post here ? :)

Thanks... hope you see this soon!

wilem
January 9th, 2007, 04:59 PM
I was able to get this to work on Edgy following the first post. My only issue now is that I want tsclient to go through tun0 connection that Network Connect is using. Anyone know how to make that happen?

I changed the order of my DNS and that resolved the issue.

nikoli
February 8th, 2007, 07:55 AM
I get this error when trying to connect...

http://i138.photobucket.com/albums/q278/nikoli827/Screenshot.png

This is pretty much the closest I got with google...

http://www.juniperforum.com/index.php?topic=3014.0

That didn't help much and now I'm kinda stuck here :confused:

RichardBronosky
February 19th, 2007, 06:23 PM
Using Edgy, this worked EXACTLY as described in the original thread! God Bless You Hacker!!!

madscientist
February 23rd, 2007, 09:31 PM
Bleah! I signed up to have private messages emailed to me but I don't get any email! Frustrating. Sorry I haven't checked this thread in quite a while.

Anyway, I'll try attaching my scripts again and maybe it will work this time.

madscientist
February 23rd, 2007, 09:41 PM
> Question: I finally got the client to connect and work in my VMWare virtual machine of ubuntu, but as soon as it connected, the whole OS seemed to lock up.. and I think it may be because everything is getting routed through that adapter, and since I rely on NFS for my home dir and NIS for auth, that is probably killing it right?
>
> Anybody else have this problem? So my question is (and I suppose people might want this even if they weren't having this problem), how do I selectively route to this java adapter/client instead of it redirecting everything to that adapter?

The system will automatically create a virtual IP interface using tun, then set up routes to send the VPN-bound traffic to the new interface. It will also reset /etc/resolv.conf so that your DNS server is pointing to the server over the VPN, so you can resolve local addresses inside the VPN.

Either of these things may be causing you to have problems. If the connect is not working properly, or if it throws some kind of invalid value into /etc/resolv.conf, then you won't be able to resolve any hostnames and that can often make it look like your system is locked up. Check the contents of /etc/resolv.conf and make sure that the address(es) there for "nameserver" are accessible (you can try pinging them).

Also, if your remote site is using an overlapping IP address space, then you could have problems (although I don't think your system should lock up). For example, on my home network I'm using the common 196.168.* class B range. However, my work internal network also uses that same class B range (this is kind of bogus but...) Now all traffic that I want to send to my local systems will instead get routed through the VPN. Not good. To fix this I modified my local LAN to use one of the other reserved IP address spaces.

madscientist
February 23rd, 2007, 09:42 PM
> Hi madscientist, could you make Juniper "Network Connect" work with Edgy? If so can you update this howto? For the scripts, instead of attachments how about a simple copy/paste on a post here ? :)

It works fine with Edgy, using the same directions. I don't recall needing to do anything different.

I was able to get the attachment to work finally; check post #12 for this thread (http://ubuntuforums.org/showpost.php?p=2201028&postcount=12).

madscientist
February 23rd, 2007, 09:49 PM
> I get this error when trying to connect...
>
> That didn't help much and now I'm kinda stuck here :confused:

Hm. That library is provided as part of the network connect package. Try using the scripts attached in post #12 and following the directions. Make sure you're not overriding LD_LIBRARY_PATH in your shell setup (~/.bashrc or similar).

I don't really have any other suggestions right now... :-k.

Halcy0n
April 8th, 2007, 06:53 PM
nikoli: I'm getting the same exact error as you. Did you ever figure out how to resolve it?

jparsons
April 18th, 2007, 05:26 AM
The Juniper didn't function at all before I found this thread so thanks y'all!

Got it to work using the main post on Edgy without any hassle.

My steps:
1. RPM Updates:
%%sudo aptitude install openssl libstdc++2.10-glibc2.2 sun-java5-bin sun-java5-jre
2. RPM fakery
%%sudo ln -s /bin/true /usr/bin/rpm
3. SSL Lib Setup - here the original post doesn't say where to create the link, so I assumed it was in the Juniper's directory - ~/.juniper_networks/network_connect (This directory was created after my first attempt failed)
%%sudo ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0
4. Login to the Juniper and launch. Type su pw when requested.

8i5
April 26th, 2007, 08:44 PM
These fixes worked great in Edgy...sadly since carrying out a fresh install of Feisty it's completely broken and I cannot get it going again. I get as far as the java gui loading but it disappears after a couple of seconds and no connection is made.

Anyone get feisty working with network connect? I can't believe Juniper don't support linux a little better than this.

madscientist
April 27th, 2007, 04:33 PM
I upgraded to Feisty last week and my Juniper connection works fine. Note that I upgraded rather than reinstalling, so this is really my previous installation that continues to work, rather than a brand new install.

puntium
May 1st, 2007, 05:21 PM
Did anyone manage to get this working in some form on an amd64 feisty install?

I created a 32bit chroot for firefox anyways.. and followed the instructions there. I can get it to install, but it can't ever connect. Probably something that the ncsvc service is trying to do that doesn't work because it's a 32bit chroot running on a 64bit kernel?

trendzetter
May 13th, 2007, 09:49 AM
I had a problem on my fresh install at first because I accidentally skipped this step
"The installer wants to use su, not sudo. I just set my root password to something while I installed it"

It crashed the Network connect applet while connecting. After setting the password and installing the app everything runs smooth. :guitar:

dpiazza
May 14th, 2007, 04:27 PM
Hi, I followed instructions of the first post. When I log into the Juniper home page, and I click the button Start besides "Windows secure application manager" I get the "Your OS/platform is not supported for this component." message.
The directory ~/juniper_networks is not created either.
My customer has Juniper Secure Access SSL VPN. Is this the same you are succeeding to run here?
Where am I going wrong?

thanks
Davide.

madscientist
May 16th, 2007, 02:21 AM
Of course you should not click the button that says "Windows secure application manager", because you are not running Windows. You are running GNU/Linux, and therefore the Windows secure application manager will not be supported on your system.

Instead, you should click the button above that that says "Network connect".

Then proceed as described.

dpiazza
May 16th, 2007, 11:54 AM
thanks for the reply.
After logging in to the customer VPN site I have the page I attach so no "Network connect".
Any consideration on this?

Thanks
Davide.

madscientist
May 17th, 2007, 02:34 AM
Looks like your company didn't deploy the non-Windows VPN solution.

I don't know that much about the administrative side of this so I can't say if that costs extra, or how you might go about getting it enabled. You'll have to contact your IT folks and ask them to turn it on.

I've attached a screenshot of what the bottom of my VPN page looks like.

bence8810
May 20th, 2007, 01:50 PM
Hi

This thread has given me great hope, I am trying to connect to our corporate VPN, and I am unable to do so from Linux. Our company is basically only on MS, and our solutions don't focus on any other OSs.

The problem is that on our Juniper solution, if I authenticate on the website with the token, I will not see the Network Connect, nor the Windows Application Manager unless I am on the AD domain. I guess it's the host checker which checks it? Any way to overcome that limitation?

When I connect from a windows machine that's on our Global AD, I am shown the Application Manager, etc.

Thanks
Ben

dpiazza
May 21st, 2007, 09:36 AM
Is there anybody that can point me where to obtain the linux client software? Is it enough to put the installation files in the ~/.juniper_networks folder?

thanks

bslattery
May 21st, 2007, 11:50 PM
Hello,

I am also trying to get Ubuntu to work with Network Connect. After supplying credentials, the Network Connect piece begins to load and the following error is displayed:

"rpm query for openssl failed".

Screenshot attached.

Any help on this is sincerely appreciated.

Respectfully,
Bob Slattery

madscientist
May 22nd, 2007, 03:44 PM
Did you follow the directions in the very first post on this thread? If you had you wouldn't be getting this error ;)

bslattery
May 22nd, 2007, 04:01 PM
My humble apologies for breaking the first rule of posting to the thread - READ THE ENTIRE THREAD FIRST!!

After reading the complete thread, my fresh feisty install works wonderfully with Network Connect except for DNS, no name resolution through the NC tunnel. I am working on that issue now and believe I saw someone with the same issue posted here.

Thanks for *scold*, I needed it.

Respectfully,
bslattery

madscientist
May 22nd, 2007, 05:24 PM
Not to worry. Reading the entire thread is always best, but note that in the "Tutorials & Tips" forums, with threads titled HOWTO, it's especially crucial to read the FIRST post, because the first post is the actual "tutorial" part.

Cheers!

bence8810
May 22nd, 2007, 05:26 PM
Hi

Sorry to re-ask, but do you have any ideas about my problem, explained above? It's regarding the Host-checker, etc.

Thanks

Ben

madscientist
May 23rd, 2007, 03:22 PM
Sorry, but I don't know. It sounds to me, if you can't see the Network Connect icon when you log in, that the server is not configured to support the Linux client or there is some other server configuration issue. I don't really know what "host-checker" is?

I'm completely unfamiliar with the server side of this solution; I've only ever used/seen the client. Maybe you'd have more luck asking on a Juniper support forum?

bence8810
May 24th, 2007, 10:15 AM
Hi

Thanks a lot. I guess I am out of luck anyways, because when I logged in from a Windows box, that is on the AD, I can only see the Windows Secure Application Manager, and not the other one which may work for linux. So even if I can fake my Ubuntu box to act as if part of the domain, the windows application manager will never launch on a Linux box.

Thanks for your kind help anyways, I will ask the Juniper guys just to be sure that my assumption is right,

Cheers

Ben

dpiazza
May 24th, 2007, 11:50 AM
Ben, if you ever some feedback to juniper forums could you report it back here ? or post the link to the thread?

Many thanks
Davide.

arecibo
May 25th, 2007, 11:00 PM
Hi, I am trying to get network connect working on Debian and found this page. I followed the instructions. The network connect dialog popped up but I couldn't connect. The diagnosis message indicates the NC installation check failed. The NC service is not running. Does anyone have an idea how to fix this problem?

Thanks!

dachinster
June 3rd, 2007, 10:02 PM
hi
i am using feisty
i followed the first post all the way through but i am getting this error (see pic)

dachinster
June 4th, 2007, 04:29 AM
can anyone assist me ?

madscientist
June 4th, 2007, 06:21 PM
That error message looks to me like you haven't linked RPM, like this:

sudo ln -s /bin/true /usr/bin/rpm

Are you SURE you successfully did that? If you say "ls -l /usr/bin/rpm" what do you get? If you run this "/usr/bin/rpm && echo ok" does it print "ok"? If not then something is not right with this step.

Unfortunately Juniper only produces packages for RPM-based distros and they use the RPM program to find out whether the libraries, etc. they need are installed, instead of a more portable method such as ldd or whatever. Anyway, in order to "fake out" the installer so that it won't complain that you don't have those libraries, you have to run the above sudo command.

dachinster
June 5th, 2007, 02:52 AM
I did everything like you did in the first post.
Here is what you asked of me:


dachinster@Ubuntu:~$ sudo ln -s /bin/true /usr/bin/rpm
ln: creating symbolic link `/usr/bin/rpm' to `/bin/true': File exists
dachinster@Ubuntu:~$ ls -l /usr/bin/rp
rpcclient rpcinfo rpl8 rpm
dachinster@Ubuntu:~$ ls -l /usr/bin/rpm
lrwxrwxrwx 1 root root 9 2007-06-03 08:22 /usr/bin/rpm -> /bin/true
dachinster@Ubuntu:~$ /usr/bin/rpm && echo ok
ok
dachinster@Ubuntu:~$

madscientist
June 5th, 2007, 02:24 PM
Hm, interesting. I wonder if you have a very different version; yours seems to need Motif, which someone else mentioned in an earlier post here but which my version definitely does not need.

After an unsuccessful start, do you still have a ~/.juniper_networks directory? Can you look at the file ~/.juniper_networks/network_connect/version.txt? If so what does it say?

dachinster
June 6th, 2007, 05:41 AM
What version do you have?
I think mine is an early version

When i check the version, this is what i see


dachinster@Ubuntu:~/.juniper_networks/network_connect$ cat version.txt
Version: 1.0
dachinster@Ubuntu:~/.juniper_networks/network_connect$

madscientist
June 6th, 2007, 04:20 PM
My version is 1.2. It seems like older versions of the tool might have been written in Motif? If you look at post #3 on this thread there's one from someone else who also had to install Motif (lesstif is an open source reimplementation of Motif) to get his VPN working. Start there and see if that helps at all.

Of course, you could also ask your IT folks to upgrade to the newer version; I'm sure there must be some security and other bug fixes that would be nice to have anyway.

Pgravestock
July 2nd, 2007, 11:35 PM
Just want to check I'm not missing a trick or two here:

1 Should I expect to connect to a Windows Citrix server using Juniper VPN on Ubuntu, or will this only work if I attempt to connect to the Citrix server using a Windows PC?

2 If the answer to above is yes I should be able to connect to a Windows Citrix server using Ubuntu and Juniper VPN, does the Citrix server have to be configured to handle a session from my Ubuntu box, or should it all work seamlessly?

Thanks

Paul

madscientist
July 3rd, 2007, 09:49 PM
Citrix doesn't have anything to do with Juniper VPN as far as I'm aware. If you need the Juniper VPN working in order to get network access to the Citrix server, and that you cannot get the VPN running, then we might be able to help if you describe the problem.

If you have the VPN running (or don't need it) and you're trying to get the Citrix client working, we can't help there: you want to look at a thread dealing with Citrix, like this: http://ubuntuforums.org/showthread.php?t=17979

psaville
July 9th, 2007, 09:29 PM
I am trying to follow the instructions on the first post, but I am seeing a few issues.

I'm running Ubuntu Feisty (7.04 AMD64).

First, I cannot install the c++ libs libstdc++2.10-glibc2.2-0. They cannot be found by either apt-get or aptitude.

I did try installing any other libc++ stuff I could find:

libstdc++5, libstdc++6, libglib2.0-0, libglib-java

I did try using the RPM package with Alien, but still the same behavior as follows. With Alien and RPM I tried both with and without the "fake-rpm" step before and after the alien install.

I see the Java download page, but I only get about 3 or 4 blocks in on the progress bar before FireFox just crashes (disappears).

If I look at the setup version file on my windows machine after connecting, this is what I see:

[Setup]
DisplayVersion=5.5.0.11711
DisplayName=Setup
SecurityPatch=1


I have just tried the lesstif install and the same result.

Anyone have any ideas why I cannot get it to work? How can I get more debug or log information to help find out what my problem is?

Final point: my ~/.juniper_networks folder is empty.

madscientist
July 9th, 2007, 11:03 PM
First let me say that I wouldn't be at all surprised if the kit didn't work on a 64bit system. Although it's obviously quite possible to run 32bit apps on a 64bit system, it requires the person creating the kit to do it carefully and properly, and in my experience most 3rd party proprietary software doesn't do that.

So, you may be out of luck unless you install a 32bit version of Ubuntu on your 64bit system (which will work, but seems a shame). Or, you could try to do something super-fancy like create a 32bit chroot environment or something--but you'll have to go elsewhere for help with that.

That being said:

I checked my current install of Network Connect and it does not appear to require the old libstdc++ version 2 any longer: at least none of the programs on my system use it (according to ldd). So, either only the installer uses it or that requirement has changed since the version I was using last summer. If the former then you'll need to

Second, I'm not sure what you mean when you said you used alien on the RPM. What RPM? When I did my install everything downloaded from the server and unpacked into my home directory by default. There was no RPM installed, and nothing was installed into /usr or any other restricted directory.

Third, that version you see on your windows system is completely unrelated to the Linux version.

I think you need to re-ask your question with more precise details, because I couldn't really understand where the problem was from what you posted. So, you connect to your remote server using FireFox and that works, right? Then you see the Network Connect button and you click that, right? Then... what happens?

psaville
July 10th, 2007, 01:46 AM
I was working with our IT guy who was using the VPN on his Fedora machine... He has admin access to the VPN appliance where the application installers are located. So we tried downloading the RPM installer and then converting it using alien. That doesn't seem to really install it properly either. So I have removed it, alien and rpm.

I have tried again with lesstif and libmotif3 installed but still my browser crashes.

So to clarify what I was doing:
Yes, I can reach the logon page for my remote VPN.
Originally the default preferences were set to automatically load the "Network Connect" application upon logging on, and thus immediately after logging on the java download/ install progress bar is shown.
Now, I have changed the preferences to manually start the application.

Upon clicking on start, the java icon image is shown on a new page with a progress bar above it. The first two blocks of the progress bar complete very quickly. The third and then fourth take about 20secs to reach. The fourth block is painted and within 2secs of that - firefox disappears!!! Process, everything, gone.

I'm not sure where to look to find more information about why this happens. I have even left the root password enabled???

Please, any hints or let me know what commands to run in order to tell you what is installed that may be relevant.

While I cannot currently connect directly from linux, I have been able to run the machine in a vm using physical drive mappings. Using NAT allows the linux install to piggy back my windows VPN connection when it is active.

madscientist
July 11th, 2007, 08:08 PM
Unfortunately I don't have any great ideas for you. If FireFox goes down that seems to me to imply that at least the installer plugin is doing something very bad. I'm still pretty suspicious about the 64bit thing. The only place any sort of error log would appear would be in the ~/.juniper_networks directory I believe.

I suppose if you get desperate you could try running strace on the PID and see if it reveals anything interesting.

Something else you might try is booting your system off of a 32bit Ubuntu LiveCD, and trying to get onto the VPN using that. Alternatively, since you have VMWare you could try installing a 32bit Ubuntu in VMWare and see if the VPN works there.

If it works in either of these situations, you'll have to file a bug report with Juniper and ask them to support 64bit Linux.

If you do get it installed and working in a 32bit environment you might try copying the installation stuff into your 64bit home directory and see if it works there. I've seen software where only the installer was broken under 64bit, but once it was installed it worked fine.

bennyz
July 14th, 2007, 07:12 PM
Works perfectly in feisty. Just had to get the newest java plugin for firefox.

sudo apt-get install sun-java6-jre sun-java6-plugin sun-java6-fonts

http://www.ubuntugeek.com/how-to-install-java-runtime-environment-jre-in-ubuntu.html.

Now I really can think of why I need windows.
Thanks!

tmai
August 21st, 2007, 07:10 PM
madscientist,

I followed the instructions on the first page and am getting partial success. Basically, I am still prompted for the su password. I'm running Feisty btw.

The error:

/home/username/.juniper_network/network_connect/installNC.sh: 9: cannot open such file
/home/username/.juniper_network/network_connect/installNC.sh: 9: 1: not found
Service needs to be reinstalled.

When I enter the root/su password, it connects fine. If I cancel this (CNTRL-D) and 'N' to try again, I still get connected.

I tried:

deleting ~/.juniper_networks
Start netconnect
Cancel password prompt
deleting ~/.juniper_networks/network_connect
cp -R ~/.juniper_networks/tmp to ~/.juniper_networks/network_connect/
extracted your installNC.sh and xlaunchNC.sh to the network_connect directory
chmod +x ~/.juniper_networks/network_connect/*.sh
Login to the juniper box and start netconnect
Still prompted for su password


I noticed that ~/.juniper_networks/network_connect/ncsvc was owned by root:root

I tried chown'ing it to myself and it still prompts for su password.

Do you (or anyone who have had my problem) know what I'm missing?

Regards and thanks for the post!

madscientist
August 21st, 2007, 07:33 PM
This is because apparently Juniper doesn't employ anyone who knows how to write shell scripts (or else they're busy elsewhere). See my post #4 (http://ubuntuforums.org/showpost.php?p=1737611&postcount=4) and also my post #12 (http://ubuntuforums.org/showpost.php?p=2201028&postcount=12). You'll need to replace the scripts in your package with the ones in the attachment, then (maybe) use chattr +i to make them immutable.

tmai
August 21st, 2007, 10:58 PM
Thanks for the quick reply, madscientist.

Unfortunately, when trying to 'chattr -i' the files in question, I get:


chattr: No such file or directory while trying to stat install

I know this is not a VPN connectivity issue, but have you come across this before? I'm running Feisty on REISERFS partitions.

I tried this on another Feisty installation and same problem. The command did work on a RedHat machine (I copied the files onto USB drive and ran the commands on the files from RedHat).

But when I took it back to my Feisty laptop, NetConnect would still prompt for reinstallation of the service.

Anyway, any insight (from someone with 5 cups) would greatly help a single-cupper.

T

madscientist
August 21st, 2007, 11:56 PM
Sorry, you're out of luck if you're using reiserfs. That filesystem doesn't support the chattr command.

There may be some other way to make files on reiserfs filesystems immutable even to root, but I don't know what they are. You'll have to seek out someone using reiserfs filesystems (this is not a standard filesystem type for Ubuntu AFAIK).

It's possible you won't need this anyway; you should try it without the chattr, just replacing the scripts, and see if it works. The Juniper stuff is hugely annoying in that it seems to unpack itself every time you connect, but maybe it will work anyway.

It's pretty obvious Juniper doesn't give a crap about Linux. I guess they think we should be happy they offer any support at all.

Leotar
August 24th, 2007, 01:44 PM
I am a rookie in Linux....!!! So pls pardon me if I am asking any silly Qs.

I can't really get past the following lines even after supplying my root password..What must be the problem.. ?

I have also edited the su commands to sudo in the script.. becoz i read somewhere that ubuntu uses sudo instead of su.. but even that didn't help me..
========================================
~/.juniper_networks/network_connect/installNC.sh: 9: 1: not found
Service needs to be installed for the first time.
Please enter the root/su password
Password:
su: Authentication failure
Sorry.
Invalid su password and/or Unable to install ncsvc
Do you want to try again (enter y to try again):

madscientist
August 24th, 2007, 03:22 PM
If you check the first message in the thread it says: "The installer wants to use su, not sudo. I just set my root password to something while I installed it, then reset it again later" Unfortunately it looks like the link I provided there has been changed so it no longer tells you how to do that. So, run this:

sudo passwd

then when it asks for a password type your password first. Then it will ask for ANOTHER password; this will be the root password. You can put whatever you like here, it's just temporary. Then it will ask you to confirm the password; type the root password again.

Now, when you start up network connector and it asks for the root password, enter the one you created. It should work. It should also not need to do this again since it's installed what it needs to.

So, you should undo your root password again (trust me: the one and only time one of my Linux systems was hacked was because I forgot to reset the root password and I had used an easily-guessable one; someone brute-forced it 5 months after I had changed it :-/). To unset it again use:

sudo passwd -l

to lock the root password again.


The reason changing the script doesn't help is because network connector unpacks the scripts again every time you start it. Annoying, to be sure.
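
The temporary root password from the post above is only safe once it has been locked again, so it is worth verifying the lock rather than assuming it. The following is an added example, not part of the original post or of Juniper's scripts: it classifies a shadow(5) entry and a `passwd -S` status line; the function names and sample entries are constructed, and the status letters are those documented in passwd(1) on Debian/Ubuntu.

```shell
#!/bin/sh
# Added example: confirm that the root password is locked again after the
# Network Connect install. Function names and sample entries are constructed.

# shadow_pw_state LINE
# Classify the password field (2nd field) of a shadow(5) entry.
#   locked  - field starts with "!" or "*": no password can ever match
#             (passwd -l locks an account by prefixing the hash with "!")
#   empty   - field is empty: no password is required at all
#   usable  - anything else: a real hash that su will accept
shadow_pw_state() {
    case "$1" in
        *:*) ;;
        *)   echo invalid; return 2 ;;
    esac
    field=$(printf '%s\n' "$1" | cut -d: -f2)
    case "$field" in
        '')        echo empty ;;
        '!'*|'*'*) echo locked ;;
        *)         echo usable ;;
    esac
}

# passwd_S_state LINE
# Same classification from one line of `passwd -S` output, whose second
# field is L (locked), NP (no password) or P (usable password).
passwd_S_state() {
    case "$(printf '%s\n' "$1" | awk '{print $2}')" in
        L)  echo locked ;;
        NP) echo empty ;;
        P)  echo usable ;;
        *)  echo invalid; return 2 ;;
    esac
}

# root_is_locked
# Live check (needs sudo). Returns 0 only when root's password is locked,
# 1 when it is not, 2 when the status could not be read.
root_is_locked() {
    status=$(sudo passwd -S root) || return 2
    [ "$(passwd_S_state "$status")" = locked ]
}

# Constructed sample entries: the state during the install (usable hash),
# the state after locking (same hash with "!" in front), and a status line.
DURING_INSTALL='root:$1$constructed$0123456789abcdefghijkl:13749:0:99999:7:::'
AFTER_LOCK='root:!$1$constructed$0123456789abcdefghijkl:13749:0:99999:7:::'
STATUS_LINE='root L 08/24/2007 0 99999 7 -1'

echo "during install: $(shadow_pw_state "$DURING_INSTALL")"
echo "after lock:     $(shadow_pw_state "$AFTER_LOCK")"
echo "passwd -S:      $(passwd_S_state "$STATUS_LINE")"
```

Call `root_is_locked` after locking the account and treat any result other than 0 as "still open". A locked password stops `su` and password logins but does not disable other authentication methods such as SSH keys.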

nofear07
August 25th, 2007, 04:50 PM
All this does work for feisty. You need to make sure you have the packages as detailed in the beginning:


apt-get install openssl libstdc++2.10-glibc2.2 sun-java5-bin sun-java5-jre

next do

ln -s /bin/true /bin/rpm

and I also had to change this

ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so

If you need any help try to PM me and I will be glad to help out as I can. Juniper has chosen to only support RPM based programming. If you want future mainline support get with your local Juniper rep and ask them to submit an ER to support DEB or you can contact myself ;-)

best of luck

madscientist
August 25th, 2007, 05:01 PM
I don't care so much about supporting only RPM (it would be nice to support DEB as well, but we can work with it). I just wish they would spend a little time creating sane shell scripts instead of the buggy mess they have now. That would make things MUCH simpler. After that, if they could get a more traditional install model (where the install is a separate step, if it requires root privileges) that would be nice too.

But I have to say, I much prefer this model to the Nortel/Apani client model; that client is unquestionably more polished and has some features the Juniper one doesn't, but it (a) costs a lot extra, and (b) requires a proprietary kernel module which makes it a big PITA: you have to downgrade your kernel and/or run a custom kernel to use it.

Cheers!

aguevarra
August 27th, 2007, 11:32 AM
from https://lists.ubuntu.com/archives/ubuntu-users/2007-April/112723.html

ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so

resolves the libncui.so issue

Leotar
August 27th, 2007, 03:02 PM
Thanks a ton, friends, especially to madscientist and nofear07.

My VPN connection is working fine. I did exactly what madscientist mentioned in #56 thread and it solved the password issue. Fantastic.

BTW: How can I stop the shell pop-up which asks me to enter the root password? I have inactivated the password and the VPN works even after forcibly closing this shell, but how can I get rid of this pop-up?

madscientist
August 28th, 2007, 03:39 PM
Hm. I never get any kind of popup asking for a root password. I wonder if something didn't "take" during your install, so the system thinks that you need to reinstall every time you start. You might try adding back the /usr/bin/rpm symbolic link and see if that helps at all.

gfa
August 31st, 2007, 02:15 AM
Hm. I never get any kind of popup asking for a root password. I wonder if something didn't "take" during your install, so the system thinks that you need to reinstall every time you start. You might try adding back the /usr/bin/rpm symbolic link and see if that helps at all.

Hi...

As you say in #4 (http://ubuntuforums.org/showpost.php?p=1737611&postcount=4), in Feisty /bin/sh is a symbolic link to /bin/dash, so why not change that to /bin/bash (like it is in Debian and other distros):


sudo ln -sf /bin/bash /bin/sh

Does it have other "side effects"?

P.S. I used to work with Debian, and the reinstall window didn't show every time I logged on... because it uses bash. I've changed it in Feisty and it stopped showing :)

madscientist
August 31st, 2007, 02:52 AM
It's an option. In theory it shouldn't break anything, because dash is a 100% POSIX conforming shell (at least that's the goal) with no (or at least hardly any) extra added features, while bash is supposed to be a strict superset (almost, esp. if you set POSIXLY_CORRECT) of POSIX sh. So, any script that works in dash should work the same way in bash.

However, for myself I'm not willing to go that route. Call me a purist or anal retentive or whatever you want, but this "/bin/sh is /bin/bash" strikes me as the latest version of "all the world's a VAX" (for those of you old enough to remember what that means 8-)) and I refuse to give in.

Changing /bin/sh on your system is NEVER something to take lightly. I prefer to fix the shell scripts, as my attachment in #12 does.

Leotar
August 31st, 2007, 06:40 AM
I have replaced those files [installNC and xlaunch] with the ones in attachment, but I am still getting the pop-up.

I will install Debian/Ubuntu in one more m/c that I have here and try out from the beginning and reply with what I observe. I gotta give back something too, right!! :-)

madscientist
August 31st, 2007, 07:11 AM
Did you use the "chattr +i" thing on them after you replaced them, as described in the post #4 ?

The Juniper software has the annoying habit of unpacking the package fresh every time you start the connector, thus overwriting any changes you made to it previously. Setting the files immutable will "fix" this.

See, I told you this software was very badly designed! :(

weekdaysailor
September 5th, 2007, 09:58 PM
MadScientist, you may be mad, but you rock! Your scripts + instructions worked flawlessly in Feisty Fawn on an IBM T41 on Fawn 7.04 running patches as of 9/5/2007.

-wds

btw - I work for Juniper and have reflected the need to support Ubuntu and the editorial comments about our scripts to the product manager...I'll update the thread if I hear anything productive.

madscientist
September 6th, 2007, 12:25 AM
Thanks weekdaysailor! Support for Ubuntu would be great, but as I've mentioned before just having valid POSIX shell scripts instead of the broken mess we get today would go a long way towards lessening the pain.

It looks like we're going to have to replace the old saying "all the world's not a VAX" with "all the world's not Red Hat" #-o

nofear07
September 11th, 2007, 02:45 PM
For some reason about a week ago my Network Connect quit working (and had been working fine). I checked the ln for true and rpm. I checked the ln for the libssl.

I also removed all the files in $HOME/.juniper_networks/network_connect/ and retried; still no go. I'm wondering if I have updated a package that broke a dependency or something.

This is the only thing in the ncui.log and yes I'm typing the password correctly:
20070910210414.493096 ncui[17246] ncapp.info New ncapp log level set to 3 (nccommon.cpp:75)
20070910210414.493165 ncui[17246] ncui.info read from params... (nccommon.cpp:121)
20070910210414.493235 ncui[17246] ncapp.panic Failed to read password from prompt (nccommon.cpp:591)

Thoughts as to what to try next?

weekdaysailor
September 12th, 2007, 06:25 PM
I slagged my install and started over (video crap driving me crazy) so I had a chance to re-do this howto. But this time I tested after every step and did NOT have to use the scripts Mad provided. (Feisty on IBM T41). In the meantime our SA box has been upgraded.

My point? Other things may have changed besides your OS. Check with your network admin and see if they upgraded or changed configs recently.

Cheers,

-Keith

madscientist
September 12th, 2007, 07:36 PM
Interesting. What version of netconnect are you seeing now? It'd be nice to know when they fixed this.

nofear07
September 13th, 2007, 11:01 PM
Ok, I got it working. Don't know why but after a reboot it was working fine. So something was hanging the process.

Also I too did not have to use the scripts provided by madscientist. This is for Netconnect 1.2

tribaal
September 26th, 2007, 09:18 AM
Hi all

Thanks a lot for the scripts madscientist, they work a treat.
I have found a little annoyance while using Juniper VPN however, maybe you guys got around this already:

I use firestarter for firewall configuration, and I cannot seem to figure out what policy to add to allow all traffic from the VPN to go through. So far my "fix" is to turn the firewall off while connected to the VPN... Which is ok, but annoying.

Does anyone know how to make firestarter understand I don't want it to filter (and block) traffic from the VPN?

Thanks a lot!

- Trib'

mjwood0
October 1st, 2007, 02:33 PM
This is really great news for me as my company just switched to the Juniper Network system (from Cisco).

I have a couple of questions --

1. Has anyone gotten this to work with 7.04 64-bit? Or will I need to go to 32-bit for this to be happy.

2. I have a copy of XP that hasn't been activated. I was waiting due to the fact that I'm going to be upgrading my hardware soon. When XP Activates, how does this work on a virtual machine? If I upgrade my hardware, but run the same virtual machine, does XP throw up a red flag?

Thanks for any help!

fangorious
October 9th, 2007, 07:23 AM
Anyone have this working in gutsy? The GUI comes up for me and either immediately crashes or gives a connection failure. I'm running in the LiveDVD though, so I'm wondering if that's the problem. I couldn't get gutsy to install in Parallels on my Mac and don't want to install gutsy until I know I can get network connect working.

gadjou
October 9th, 2007, 10:28 AM
Anyone have this working in gutsy? The GUI comes up for me and either immediately crashes or gives a connection failure. I'm running in the LiveDVD though, so I'm wondering if that's the problem. I couldn't get gutsy to install in Parallels on my Mac and don't want to install gutsy until I know I can get network connect working.

It might be a live CD issue. I got it working on an installed Feisty. However, I tried to make a live CD with "reconstructor" based on the same scripts and packages, but wasn't able to get it to connect. It's probably a file permission problem since live CDs use a special file system.
Anyway, I will check it again when I have time and inform you on this post.
Meanwhile, you might try installing gutsy on a virtual machine.

madscientist
October 9th, 2007, 02:23 PM
I haven't tried Gutsy yet; I usually wait until the official release unless there's something there I really want. It doesn't seem likely that there's a problem here but you never know I guess. I'll let you know how it goes (9 days to go!!)

fangorious
October 9th, 2007, 07:44 PM
After a little finagling I was able to install the gutsy beta in VirtualPC on a Windows box. With no steps other than your original howto, the GUI comes up and says Connected. Unfortunately I'm doing this already on the office network, so I can't really test the connection. But this does give me enough confidence to install 7.10 on my laptop, so I can test the actual connection from home after I've done that.

gmcauley
October 10th, 2007, 09:19 PM
1. Has anyone gotten this to work with 7.04 64-bit? Or will I need to go to 32-bit for this to be happy.

This is also my question. Should I bother to try this in 64bit?

What issue(s) would I likely run into with 64bit?

fangorious
October 11th, 2007, 01:23 AM
ok, I have gutsy beta installed on my laptop, and this howto gets the NC up and running. Although I used java6 instead of java5.

madscientist
October 11th, 2007, 05:49 PM
Yay! Good to know, fangorious!

gmcauley: sorry but I don't have any 64bit systems so I can't address your question; you might just have to bite the bullet and try it out 8-[

gmcauley
October 12th, 2007, 08:59 PM
gmcauley: sorry but I don't have any 64bit systems so I can't address your question; you might just have to bite the bullet and try it out 8-[

Well I just tried it out and it did not work. It failed without any message(s) after entering my password during the install.

You say that the libstdc++2.10-glibc2.2 is necessary. This does not seem to be a 64 bit package. I have seen a post where 'dpkg -i --force-architecture' was used to install this package for another application. I am tempted to try it, but don't want to stomp on anything.

Pardon my ignorance, this is new territory for me, but how can one know what exactly in this package is needed for NC?

harty83
October 13th, 2007, 03:52 PM
I really need this to work for 64 bit too! I've actually got a 32bit firefox/java setup but the pop up does not show up after putting in my password. Can't get it to work in 32bit or 64bit firefox/java in a 64bit environment.

madscientist
October 13th, 2007, 05:05 PM
You say that the libstdc++2.10-glibc2.2 is necessary. This does not seem to be a 64 bit package. I have seen a post where 'dpkg -i --force-architecture' was used to install this package for another application. I am tempted to try it, but don't want to stomp on anything.

Pardon my ignorance, this is new territory for me, but how can one know what exactly in this package is needed for NC?

This package contains an older version of the C++ STL and runtime library. What we can infer from this requirement is that netconnect is a C++ program that was compiled with a much older version of GCC on a much older version of Linux. This package contains a backward-compatibility library needed by such programs.

It's safe to install; it won't be used by any modern programs (thanks to the magic of shared library versioning).

I'd like to help you guys but I just don't have a 64bit system available to test on and I'm not that familiar with how Linux does its multiarchitecture layouts.

zingo
October 13th, 2007, 09:47 PM
I'm also trying to get this working on an amd64 Feisty install (will try gutsy if I get this going).
I started with the stuff in the first post (ignored the rpm part as I had rpm support).
I tried to force the libstdc++2.10-glibc2.2_2.95 into my system with the following (found it on the net):



wget http://ftp.acc.umu.se/mirror/ubuntu/pool/universe/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-24_i386.deb
sudo dpkg --force-architecture -i libstdc++2.10-glibc2.2_2.95.4-24_i386.deb

Then I started swiftweasel32 as root and logged on (don't know if I need to be root):


sudo swiftweasel32

Now I got the .juniper_network/ stuff in my home folder,
but for some reason it complains that it doesn't find libXm.so.3,
but I have


lrwxrwxrwx 1 root root 14 2006-12-22 14:09 /usr/lib/libXm.so.2 -> libXm.so.2.0.1
-rw-r--r-- 1 root root 1538384 2006-06-20 03:12 /usr/lib/libXm.so.2.0.1
lrwxrwxrwx 1 root root 14 2007-09-04 23:36 /usr/lib/libXm.so.3 -> libXm.so.3.0.2
-rw-r--r-- 1 root root 2751576 2006-11-13 07:48 /usr/lib/libXm.so.3.0.2


But maybe I have to add a 32bit version of libXm.so.3?

I also discovered that I got version 1.1 so I will have a talk with "IT department" about an upgrade to version 1.2 (or newer)

m0rev
October 14th, 2007, 02:17 AM
Ok, I got it working. Don't know why but after a reboot it was working fine. So something was hanging the process.

Also I too did not have to use the scripts provided by madscientist. This is for Netconnect 1.2

Good for you ;) Reboot didn't help me :(


ncapp.panic Failed to read password from prompt (nccommon.cpp:614)

It used to work couple days ago, so I wonder if some package I've installed recently broke that. Or IT changed something...

Does anybody have a similar experience?

marcw
October 15th, 2007, 12:47 PM
Good news / bad news about Gutsy.

Good:
It works. I had to change my shell from dash to bash because I kept getting the root login prompt but I was going to do that anyway because of all the command line work I do. It's easy enough with:

sudo dpkg-reconfigure dash

Bad:
Upon exiting the vpn, my primary network connection doesn't return. This behavior didn't happen previously. This is easy enough to resolve with a little desktop script to restart the network but I'm not sure why this happens.

zingo
October 15th, 2007, 08:32 PM
I found this link
http://www.entropy.ch/blog/Mac+OS+X/2007/07/28/Juniper-Network-Connect-SSL-VPN-and-Virtualization.html
It describes how you can use the commandline to setup a connection with something like:


cd ~/.juniper_networks/network_connect
./ncsvc -h vpn.example.com -u joesixpack -p [PIN][SecurID token] -r SecurID -f vpn.example.com.der

Maybe this is the solution for AMD64, since it might not need the GUI stuff. But when I try I get:


ncsvc> DSSSL_load_so failed

If possible it would be nice to see if this method works for the people that already have this working ...

madscientist
October 17th, 2007, 09:25 PM
Ooooh, a command line interface! That would be sweet!

Unfortunately, it doesn't work for me :(. I was able to get the .der file but if I run ncsvc directly it stops with no error code or error message, but it doesn't do anything else either (that I can tell--definitely my VPN is not up).

I then tried invoking the Java app directly from the command line instead of the browser, and I got an authorization error. I didn't do too much with it after that; I probably have other things I could play with.

The errors I got, though, don't look like the one that zingo saw, for whatever that's worth.

zingo
October 17th, 2007, 09:58 PM
My test was on an AMD64 install; that could explain the different output.

Where did you get the .der file? Was it in the .jar or from the net? In my version 1.1 jar file I didn't get it.

madscientist
October 19th, 2007, 07:54 PM
It's not sitting there on the disk. You have to run a special command to get it. I can't remember the command offhand, but if you follow the various links referenced in your post you'll find it. I think it was in the Gentoo forums link somewhere; there's a step-by-step guide and it describes the commandline you need to invoke to get the .der file.

I still would like to poke at it some more before I conclude it will never work, but just following the directions as-is didn't work for me :sad:

zingo
October 19th, 2007, 09:00 PM
I managed to get netconnect working in a virtualization environment (VirtualBox with Feisty i386). This might be my solution until Juniper releases AMD64 binaries. Now I will try to get routing from the VirtualBox environment to my computer, but that seems possible.

gmcauley
October 23rd, 2007, 01:34 AM
I have the command line method working:

on a 32 bit system (have not tried it on my 64bit yet (which is what I really want))
with the Java GUI
and also with the ncsvc (w/o the Gui)


At first I saw authentication errors from both methods. The GUI method mentioned checking user/password/realm. It turned out that I needed to specify a 'realm' for our VPN. Once IT told me what that was, it worked! It is very nice to not have to go through the web interface!

These links were very helpful:
http://www.entropy.ch/blog/Mac+OS+X/2007/07/28/Juniper-Network-Connect-SSL-VPN-and-Virtualization.html
http://www.entropy.ch/blog-resources/2007-07-28-juniper-networkconnect.html

I hope to try 64bit next.

gmcauley
October 23rd, 2007, 02:33 AM
cd ~/.juniper_networks/network_connect
./ncsvc -h vpn.example.com -u joesixpack -p [PIN][SecurID token] -r SecurID -f vpn.example.com.der

Maybe this is the solution for AMD64, since it might not need the GUI stuff. But when I try I get:


ncsvc> DSSSL_load_so failed



Bummer. I get the same error message on my 64bit machine also.


Also, I get a Java exception when trying the Java GUI command line.


Finally, when trying to connect to the web interface, a dialog pops up saying:
"Cant find required libraries".

So, everything works (web interface, Java GUI command line, ncsvc command line) on my 32 bit machine, but none work on my 64 bit machine :confused:

kasulstyls
October 23rd, 2007, 08:53 PM
Thanks to the clear instruction, I got it running fine in Gutsy final release.

potsofdirt
October 24th, 2007, 10:37 PM
I'm running Gutsy here and I can not get Juniper to connect properly.

After following various steps (symlinking rpm, the libs and changing the symlink for sh) I can get the client to install and open the java client.

The problem is that my SSL connection to the VPN times out. Here are the logs:



20071024135132.653355 ncsvc[28474] session.info ive_host = ive.{domain}.com (session.cpp:146)
20071024135132.653538 ncsvc[28474] session.info cookie = DSID=<hidden> (session.cpp:154)
20071024135132.653558 ncsvc[28474] session.info Will not use a proxy to connect to the IVE (session.cpp:193)
20071024135132.654772 ncsvc[28474] rmon.info got system route *.164.152.62/255.255.255.255 gw *.211.142.1 metric 1 via 0x00000000 (routemon.cpp:510)
20071024135132.654811 ncsvc[28474] rmon.info got system route *.211.142.0/255.255.255.192 gw 0.0.0.0 metric 0 via 0x00000000 (routemon.cpp:510)
20071024135132.654831 ncsvc[28474] rmon.info got system route 169.254.0.0/255.255.0.0 gw 0.0.0.0 metric 1000 via 0x00000000 (routemon.cpp:510)
20071024135132.654848 ncsvc[28474] rmon.info got system route 0.0.0.0/0.0.0.0 gw *.211.142.1 metric 0 via 0x00000000 (routemon.cpp:510)
20071024135132.654920 ncsvc[28474] rmon.info best route to *.164.152.62 is 0.0.0.0/0.0.0.0 via 0x00000000 metric: 0 (routemon.cpp:1382)
20071024135132.654960 ncsvc[28474] session.info connecting to ive ive.{domain}.com (session.cpp:257)
20071024135132.655432 ncsvc[28474] main.info Using DSSSL to connect to IVE (ncp.cpp:1698)
20071024135132.655466 ncsvc[28474] connect.info creating a new HTTP connection... (ncp_dsssl.cpp:136)
20071024135232.651648 ncsvc[28474] session.error Timed out connecting to ive ive.{domain}.com (session.cpp:280)
20071024135232.651782 ncsvc[28474] session.info disconnecting from ive ive.{domain}.com with reason 6 (session.cpp:379)


I've asked the VPN admin to see if his end is producing any meaningful logs to help out.

I've also tried running the command line ncsvc and it times out too.

Any pointers?
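
When reading a log like the one in the post above, two things are worth extracting first: the error and panic records, and how long the client waited before giving up. The following is an added example, not part of the original post or of Network Connect; the function names are hypothetical, the record layout (timestamp, process[pid], module.level, message, source location) is inferred from the excerpts in this thread, and the sample lines are copied from those excerpts.

```shell
#!/bin/sh
# Added example: triage a Network Connect log (ncsvc.log / ncui.log).
# Assumed record layout, inferred from the excerpts quoted in this thread:
#   YYYYMMDDhhmmss.micros proc[pid] module.level message (file.cpp:line)

# Sample lines copied from the log excerpts posted in this thread.
SAMPLE_LOG='20071024135132.654960 ncsvc[28474] session.info connecting to ive ive.{domain}.com (session.cpp:257)
20071024135132.655432 ncsvc[28474] main.info Using DSSSL to connect to IVE (ncp.cpp:1698)
20071024135132.655466 ncsvc[28474] connect.info creating a new HTTP connection... (ncp_dsssl.cpp:136)
20071024135232.651648 ncsvc[28474] session.error Timed out connecting to ive ive.{domain}.com (session.cpp:280)
20071024135232.651782 ncsvc[28474] session.info disconnecting from ive ive.{domain}.com with reason 6 (session.cpp:379)
20070910210414.493235 ncui[17246] ncapp.panic Failed to read password from prompt (nccommon.cpp:591)'

# nc_log_problems: read log lines on stdin and print
# "hh:mm:ss level module: message" for every error or panic record.
nc_log_problems() {
    awk '
    $1 ~ /^[0-9]+\.[0-9]+$/ && split($3, ml, "[.]") == 2 {
        if (ml[2] != "error" && ml[2] != "panic") next
        msg = $0
        sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)   # drop timestamp, proc[pid], module.level
        sub(/ *\([^()]*:[0-9]+\)$/, "", msg)      # drop trailing (file.cpp:line)
        printf "%s:%s:%s %s %s: %s\n",
               substr($1, 9, 2), substr($1, 11, 2), substr($1, 13, 2),
               ml[2], ml[1], msg
    }'
}

# nc_connect_wait: for each process, print "proc[pid] N" where N is the
# number of seconds (rounded) between "connecting to ive" and the
# "Timed out connecting" record that follows it. Assumes both records fall
# within 24 hours of each other.
nc_connect_wait() {
    awk '
    function secs(ts) {
        return substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 \
             + substr(ts, 13, 2) + ("0" substr(ts, 15))
    }
    $3 == "session.info" && /connecting to ive/ { start[$2] = secs($1) }
    $3 == "session.error" && /Timed out connecting/ && ($2 in start) {
        d = secs($1) - start[$2]
        if (d < 0) d += 86400          # attempt spanned midnight
        printf "%s %d\n", $2, d + 0.5
        delete start[$2]
    }'
}

printf '%s\n' "$SAMPLE_LOG" | nc_log_problems
printf '%s\n' "$SAMPLE_LOG" | nc_connect_wait
```

On the sample, the wait is 60 seconds and nothing is logged between opening the HTTP connection and the timeout. To use it on a real log, pipe ~/.juniper_networks/network_connect/ncsvc.log into either function.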

marcw
October 25th, 2007, 12:21 AM
Is the cert properly installed in the browser?

zingo
October 25th, 2007, 09:04 PM
gmcauley: if possible, would you please supply a mini howto for the command line? And what version of the netconnect software do you have?

harryman01
October 25th, 2007, 09:09 PM
Guys

Thanks. However, I have a question: my VPN session and NC start and connect, but I have no indication of any kind of traffic (in or out).

I got this output from the NCC

I deleted my IP address for confidentiality reasons; can anyone help me?

Thanks

C Diagnostics for Linux.
Version 1.0.
Release Date/Time: Jul 16 2007 14:19:05
+==============================================================================+
| Tests: | Results: |
+==============================================================================+

o NC Installation Check Passed
o NC Diagnostics
NC Service Not Running
NC Driver Test Passed
NC Tunnel Test Established

o Host Details
Hostname Zeus
Domainname (none)
IP Routing Enabled No
IP Loopback test Passed
Nameserver Details
xx.xx.xx.xx Ping Failed

xx.xx.xx.xx Ping Failed
Gateway Ping Test
192.168.1.254 Ping Failed

o Network Connection Diagnostics

Interface: lo
IP Address: 127.0.0.1
Netmask: 255.0.0.0
MTU: 16436

Interface: eth0
IP Address: 192.168.1.3
Netmask: 255.255.255.0
Broadcast: 192.168.1.255
MTU: 1500

Interface: tun0
IP Address: 10.175.xx.26
MTU: 1400
o Route Info

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
ZZ.ZZ.ZZ.ZZ 192.168.1.254 255.255.255.255 UGH 1 0 0 eth0
10.XX.XX.11 10.175.210.26 255.255.255.255 UGH 1 0 0 tun0
10.XX.XX.12 10.175.210.26 255.255.255.255 UGH 1 0 0 tun0
10.XX.XX.1 10.175.210.26 255.255.255.255 UGH 1 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
169.254.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth0
10.0.0.0 10.175.210.26 255.0.0.0 UG 1 0 0 tun0
0.0.0.0 192.168.1.254 0.0.0.0 UG 100 0 0 eth0

Finished running tests
+==============================================================================+

potsofdirt
October 26th, 2007, 04:01 PM
@marcw

I can connect to the https web portal without any ssl warnings. I was also able to extract the der file and verify it using openssl, so I don't think it is a certificate issue.

harryman01 posted his diagnostics and I noticed his are a bit different than mine. Does anyone else get a warning about installation?



NC Diagnostics for Linux.
Version 1.0.
Release Date/Time: Jul 16 2007 14:19:05
+==============================================================================+
| Tests: | Results: |
+==============================================================================+

o NC Installation Check Failed
o NC Diagnostics
NC Service Not Running
NC Driver Test Passed
NC Tunnel Test Not established

o Host Details
Hostname bond
Domainname (none)
IP Routing Enabled No
IP Loopback test Passed
Nameserver Details
*.*.142.10 Ping Passed

*.*.180.228 Ping Passed
Gateway Ping Test
*.*.142.1 Ping Passed

o Network Connection Diagnostics

Interface: lo
IP Address: 127.0.0.1
Netmask: 255.0.0.0
MTU: 16436

Interface: eth1
IP Address: *.*.142.34
Netmask: 255.255.255.192
Broadcast: *.*.142.63
MTU: 1500
o Route Info

Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
*.*.152.62 *.*.142.1 255.255.255.255 UGH 1 0 0 eth1
*.*.142.0 0.0.0.0 255.255.255.192 U 0 0 0 eth1
*.*.0.0 0.0.0.0 255.255.0.0 U 1000 0 0 eth1
0.0.0.0 *.*.142.1 0.0.0.0 UG 0 0 0 eth1

Finished running tests
+==============================================================================+

potsofdirt
October 26th, 2007, 04:03 PM
Also, here is what my ~/.juniper_networks/network_connect/ dir looks like:



-rw-r--r-- 1 will will 118 2007-10-26 10:57 installnc.log
-rwxr--r-- 1 will will 716 2007-10-26 10:57 installNC.sh
-rw-r--r-- 1 will will 1100 2007-10-24 13:20 ive.{domain}.com.der
-rw-r--r-- 1 will will 493360 2007-10-26 10:57 libncui.so
-rw-r--r-- 1 will will 0 2007-10-26 10:57 missing.info
-rwxr--r-- 1 will will 24888 2007-10-26 10:57 ncdiag
-rw-r--r-- 1 will will 8533 2007-10-26 10:57 ncdiag.log
-rw-r--r-- 1 will will 45475 2007-10-26 10:57 NC.jar
-rws--s--x 1 root root 332044 2007-10-24 13:19 ncsvc
-rw-r--r-- 1 will will 20541 2007-10-26 10:58 ncsvc.log
-rw-r--r-- 1 will will 875 2007-10-26 10:57 ncuijava.log
-rw-r--r-- 1 will will 6179 2007-10-26 10:57 ncui.log
-rw-r--r-- 1 will will 14 2007-10-24 13:19 version.txt
-rwxr--r-- 1 will will 1632 2007-10-26 10:57 xlaunchNC.sh


The der file is from me trying to use the command line client.

zingo
October 28th, 2007, 10:36 AM
Hello
I have the 1.1 version of netconnect; the directory has some different files here,
and the getx509certificate.sh is not part of the ncLinuxApp.jar.
If anyone has the script, please share it :)

As for the content of my jar file, I have this:


stzi@SEMALWS049:~/.juniper_networks/test$ jar -xf ../ncLinuxApp.jar
stzi@SEMALWS049:~/.juniper_networks/test$ ls -la
totalt 660
drwxr-xr-x 3 stzi stzi 4096 2007-10-28 11:23 .
drwxr-xr-x 4 stzi stzi 4096 2007-10-28 11:22 ..
-rw-r--r-- 1 stzi stzi 735 2006-02-10 22:06 installNC.sh
drwxr-xr-x 2 stzi stzi 4096 2006-02-10 22:06 META-INF
-rw-r--r-- 1 stzi stzi 29096 2006-02-10 22:06 ncdiag
-rw-r--r-- 1 stzi stzi 285344 2006-02-10 22:06 ncsvc
-rw-r--r-- 1 stzi stzi 320140 2006-02-10 22:06 ncui
-rw-r--r-- 1 stzi stzi 14 2006-02-10 22:06 version.txt
-rw-r--r-- 1 stzi stzi 969 2006-02-10 22:06 xlaunchNC.sh
stzi@SEMALWS049:~/.juniper_networks/test$


pileofdirth: I assume you have version 1.2; here is the version 1.1 layout:



stzi@SEMALWS049:~/.juniper_networks$ ls -laR *
-rw-r--r-- 1 stzi stzi 269639 2006-02-11 06:06 ncLinuxApp.jar

network_connect:
totalt 660
drwxr-xr-x 2 stzi stzi 4096 2007-10-28 10:57 .
drwxr-xr-x 3 stzi stzi 4096 2007-10-28 10:57 ..
-rw-r--r-- 1 stzi stzi 380 2007-10-28 10:57 installnc.log
-rwxr--r-- 1 stzi stzi 735 2007-10-28 10:57 installNC.sh
-rw-r--r-- 1 stzi stzi 0 2007-10-28 10:57 missing_libs
-rwxr--r-- 1 stzi stzi 29096 2007-10-28 10:57 ncdiag
-rws--s--x 1 root root 285344 2007-10-28 10:57 ncsvc
-rw-r--r-- 1 stzi stzi 0 2007-10-28 10:57 ncsvc.log
-rwxr--r-- 1 stzi stzi 320140 2007-10-28 10:57 ncui
-rw-r--r-- 1 stzi stzi 0 2007-10-28 10:57 ncui.log
-rw-r--r-- 1 stzi stzi 14 2007-10-28 10:57 version.txt
-rwxr--r-- 1 stzi stzi 969 2007-10-28 10:57 xlaunchNC.sh
stzi@SEMALWS049:~/.juniper_networks$ cat network_connect/version.txt
Version: 1.1

stzi@SEMALWS049:~/.juniper_networks$

irotas
October 29th, 2007, 12:39 AM
The problem is that on our Juniper solution, if I authenticate on the website with the token, I will not see the Network Connect, nor the Windows Application Manager unless I am on the AD domain. I guess its the host checker which checks it? Any way to overcome that limitation?


I have the exact same problem! It's frustrating, because I can't even get past Step 0 to attempt the instructions described in this thread.

Has anyone found a solution to this, or at least a satisfactory explanation?


Thanks,
Adam

casuarina
October 30th, 2007, 11:23 AM
Based on the information in this page,
I wrote a script to install on 7.04 and 7.1.10.

Enjoy!

http://ubuntuforums.org/attachment.php?attachmentid=48315&d=1193675395

zingo
October 30th, 2007, 09:54 PM
casuarina:
Really nice, this will help a lot of people.
Someday you/we might make a .deb package of this and maybe have it in a repository.

Here are some improvement ideas...

There is a sun-java6-plugin package. If you add it, I don't think you need the java plugin stuff (I never needed it, at least).

There is also an rpm package; if this is installed you have an rpm tool and probably don't need the

sudo ln -s /bin/true /usr/bin/rpm

You get a few small packages that in this case are not needed, but it's cleaner than a fake rpm.

It would be nice if someone made a nice GNOME/KDE front end to the ncsvc tool. Is there a shell-calling GUI toolkit that one could use, like ncurses but for GNOME?

madscientist
October 31st, 2007, 07:11 PM
There is also an rpm package if this is installed you have a rpm tool and probably dont need the

sudo ln -s /bin/true /usr/bin/rpm

I think you'll still need this, because the package name that the netconnect script looks for is the Red Hat package name and isn't the same as the Debian/Ubuntu package name. So, even if you have rpm installed that lookup will still fail (IIRC).

zingo
November 1st, 2007, 10:46 AM
That is probably correct; the RPM stuff seems not to be used in version 1.1 of the scripts that I have... that's why it worked for me :)

Gavin Fowler
November 10th, 2007, 09:19 AM
I've been reading this thread for some time now. Thanks to the original information supplied by madscientist and, more recently, the script posted by casuarina (it was useful to validate the manual steps), I now have Juniper VPN working on my Gutsy 7.10 installation.

I do have one final question. The information supplied by madscientist suggests that I can reset (disable) my root password, *but* every time I log into Juniper (which runs network connect) I am challenged for the root/su password (therefore I cannot disable the root password without compromising Juniper).

I'm worried that having su/root enabled is a security risk. Is there anything I can do to work around (and remove) the su/root challenge response from the Juniper network connect, so I can disable the root account?

Gavin.

Here's some information that may help diagnose my problem.

The terminal style message i receive when starting network connect is:



/home/{username}/.uniper_networks/network_connect/installNC.sh: 9: cannot open 1: No such file
/home/{username}/.uniper_networks/network_connect/installNC.sh: 9: 1: not found
Service needs to be reinstalled.
Please enter the root/su password.
Password:


I can confirm the file (installNC.sh) reported as missing (above) does exist prior to connecting to Juniper. A simple ls -l in the ./network_connect/ directory returns:



-rw-r--r-- 1 fowler fowler 1421 2007-11-10 08:05 installnc.log
-rwxr--r-- 1 fowler fowler 716 2007-11-10 07:58 installNC.sh
-rw-r--r-- 1 fowler fowler 493328 2007-11-10 07:58 libncui.so
-rw-r--r-- 1 fowler fowler 0 2007-11-10 08:05 missing.info
-rwxr--r-- 1 fowler fowler 24888 2007-11-10 07:58 ncdiag
-rw-r--r-- 1 fowler fowler 4523 2007-11-10 07:19 ncdiag.log
-rw-r--r-- 1 fowler fowler 45470 2007-11-10 07:58 NC.jar
-rws--s--x 1 root root 330988 2007-11-10 07:57 ncsvc
-rw-r--r-- 1 fowler fowler 0 2007-11-10 07:05 ncsvc.log
-rw-r--r-- 1 fowler fowler 0 2007-11-10 07:05 ncui.log
-rw-r--r-- 1 fowler fowler 14 2007-11-10 07:46 version.txt
-rwxr--r-- 1 fowler fowler 1637 2007-11-10 07:28 xlaunchNC.sh
-rwxr--r-- 1 root root 1632 2007-11-10 07:25 xlaunchNC.sh.back


I thought perhaps the symbolic links were the cause of the issue. I re-ran the script supplied by casuarina, which reported:



ln: creating symbolic link `./libjavaplugin_oji.so' to `/usr/lib/jvm/java-6-sun-1.6.0.03/jre/plugin/i386/ns7/libjavaplugin_oji.so': File exists
ln: creating symbolic link `/usr/bin/rpm' to `/bin/true': File exists
ln: creating symbolic link `/usr/lib/i686/cmov/libssl.so' to `libssl.so.0.9.8': File exists

Gavin Fowler
November 10th, 2007, 09:38 AM
As an after thought, I've been looking at the ls -l listing from the /network_connect/ directory (see previous post). Is there any issue with 'ncsvc' being owned by root? Could this be the reason why the 'installNC.sh' script logic reports 'the service doesn't exist' and forces me through a reinstall and therefore the su/root password challenge persists on every use of Juniper?

These thoughts/ideas were realised after looking at the contents/logic of 'installNC.sh'. Apologies if this is a newbie thought process :confused:

adamtog
November 11th, 2007, 01:38 AM
Hi Gavin Fowler,

I got the same problem with root login prompt. I got rid of it by redefining the default shell (changed in Ubuntu 6.06 from /bin/bash to /bin/dash for performance).

root@ubuntu-desktop:/# ls -l /bin/sh
lrwxrwxrwx 1 root root 9 2007-11-11 07:37 /bin/sh -> /bin/dash

root@ubuntu-desktop:/# rm /bin/sh && ln -s /bin/bash /bin/sh

I haven't made up my mind if I will keep it, or just live with the prompt, because if you hit ctrl-c, ENTER (or ENTER, n, ENTER) it will work anyhow.

harryman01
November 13th, 2007, 01:28 PM
Thanks Guys


It works, the script works as I wanted

many thanks!!:popcorn:

darrenleeweber
November 17th, 2007, 12:01 AM
HOWTO set up Juniper Network Connect VPN on Ubuntu Gutsy-Gibbon amd64

I used all the tricks in the original post, but gutsy-amd64 needs some modifications.

After the first installation failed, I used ldd to check the config, ie:



sudo ldd ~/.juniper_networks/network_connect/ncsvc


That helped to identify what was missing. I had already installed some 32bit packages for gutsy-amd64, eg:


sudo apt-get install ia32-libs
sudo apt-get install ia32-sun-java5-bin
sudo apt-get install ia32-sun-java6-bin


(There is no equivalent for the ia32-sun-javaX-jre.)

For libstdc++2.10-glibc2.2, I did the following (maybe not the best way to do this, but it worked for me):



sudo -i
cd /usr/src
wget http://debian.oregonstate.edu/debian/pool/main/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-27_i386.deb
dpkg-deb -x libstdc++2.10-glibc2.2_2.95.4-27_i386.deb libstdc++2.10-glibc2.2_2.95.4-27_i386
mv libstdc++2.10-glibc2.2_2.95.4-27_i386/usr/lib/* /usr/lib32/
mv libstdc++2.10-glibc2.2_2.95.4-27_i386/usr/share/doc/libstdc++2.10-glibc2.2 /usr/share/doc/
rm -rf libstdc++2.10-glibc2.2_2.95.4-27_i386
rm libstdc++2.10-glibc2.2_2.95.4-27_i386.deb


For libssl symbolic links, I used:



sudo ln -s /usr/lib32/libssl.so.0.9.8 /usr/lib32/libssl.so.0
sudo ln -s /usr/lib32/i686/cmov/libssl.so.0.9.8 /usr/lib32/i686/cmov/libssl.so.0


After that, it works, hurrah!

Thanks so much for the original post, it was a life saver for me! I still hate their flaky installation scripts that have not been updated now in years!

darrenleeweber
November 17th, 2007, 12:42 AM
Did anyone manage to get this working in some form on an amd64 feisty install?

I created a 32bit chroot for firefox anyways.. and followed the instructions there. I can get it to install, but it can't ever connect. Probably something that the ncsvc service is trying to do that doesn't work because it's a 32bit chroot running on a 64bit kernel?


I just posted on how it works for me with gutsy-amd64, maybe that will help.

beltratc
December 3rd, 2007, 12:25 AM
Mad Scientist, et al,

Thanks for the great info. I've been able to connect, but can only access servers on the vpn by IP address: DNS doesn't seem to work. Any ideas?

Thanks,

beltratc

madscientist
December 3rd, 2007, 12:47 AM
Your DNS servers are managed through the /etc/resolv.conf file. When Network Connect comes up, it should overwrite your standard /etc/resolv.conf file with a new one, that points towards the DNS server on the other side of the VPN, inside the private network: presumably that DNS server has all the local hostnames that you can't resolve outside.

So, if you can't resolve the remote hostnames that means your /etc/resolv.conf file is not being set up properly in the first place, or else is being overwritten. Take a look at what that file looks like before you've brought up the connection (or after you take it down), then again right after the connection is made. Compare the timestamps to see whether the VPN is overwriting this file.

It's also possible that netconnect IS writing this file, but something else is changing it again: see post #5 in this thread for some info on my situation which was similar. But in my situation my lease expired rarely so I didn't see it that often. It's possible yours expires more often.
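The comparison described in the post above, as an added example that is not from the thread: it classifies three saved copies of /etc/resolv.conf (taken before connecting, right after connecting, and at the moment lookups fail). The function names, the snapshot directory and the verdict strings are assumptions of this example.

```shell
#!/bin/sh
# Added example: decide from three snapshots of /etc/resolv.conf whether the
# VPN client rewrote the resolver list and whether that change survived.

# snapshot_resolv LABEL [DIR] [SRC]
# Copy the resolver file, keeping its mtime so the timestamps can be compared.
snapshot_resolv() {
    label=$1
    dir=${2:-$HOME/resolv-snapshots}     # hypothetical default location
    src=${3:-/etc/resolv.conf}
    mkdir -p "$dir" && cp -p "$src" "$dir/resolv.$label"
}

# nameservers FILE
# Print the configured resolver addresses, one per line, in file order.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# resolv_verdict BEFORE CONNECTED NOW
#   never-rewritten            the client did not change the resolver list
#   vpn-dns-active             the list written at connect time is still in place
#   overwritten-after-connect  something replaced it later (e.g. a DHCP renewal)
resolv_verdict() {
    before=$(nameservers "$1")
    connected=$(nameservers "$2")
    now=$(nameservers "$3")
    if [ "$connected" = "$before" ]; then
        echo "never-rewritten"
    elif [ "$now" = "$connected" ]; then
        echo "vpn-dns-active"
    else
        echo "overwritten-after-connect"
    fi
}
```

Take the snapshots with `snapshot_resolv before`, `snapshot_resolv connected` and `snapshot_resolv now`, then pass the three files to `resolv_verdict`.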

foresto
December 11th, 2007, 10:56 PM
After some fiddling, I got it working on my Gutsy installation. I'm using sun-java6-bin instead of sun-java5-bin. I didn't bother with the libssl or rpm symlinks. (Actually, the latter would have been problematic because I happen to have a real copy of rpm installed, for unrelated reasons.) I do not have a password set for root.

The first time I tried to log in, I got the xterm window asking me for a root password. I just pressed enter, told it not to retry, and dismissed the rpm error message box. This created and mostly populated the ~/.juniper_networks/network_connect directory.

Next, I changed to the .juniper_networks directory, and ran:
sudo install -m 6711 tmp/ncsvc network_connect/

I then edited network_connect/xlaunchNC.sh, adding an "exit 0" line near the top, followed by chmod -w network_connect/xlaunchNC.sh to keep my change from being overwritten. (In hindsight, this may not have done anything after all.)

I had to load the "tun" kernel module by hand, like so:
sudo modprobe tun

After all this, I returned to my company's Network Connect web page, and pressed the Start button. This time, the java app window stayed open and said I connected successfully.


I think the keys for me were manually installing ncsvc as setuid root, and manually loading the tun kernel module. I still get prompted for the root password at login, but just pressing enter and letting that part of the script fail seems to do no harm. I'll probably edit the scripts to skip that step, and chattr +i them as previously suggested, to get rid of the nagging.
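A check for the setuid state discussed in the posts above (the earlier directory listing shows ncsvc as -rws--s--x owned by root, and the install command above uses mode 6711), written as an added example that is not part of the thread or of Juniper's scripts. It assumes GNU or BusyBox stat; the function name, the finding labels and the optional owner argument are this example's own.

```shell
#!/bin/sh
# Added example: audit a Network Connect directory for setuid/setgid files.
# Expected state, taken from the thread: only ncsvc carries the bits, it was
# installed with "install -m 6711" and it is owned by root (uid 0).

# audit_nc_dir DIR [OWNER_UID]
# Prints one finding per line. Returns 0 when clean, 1 on findings, 2 on bad input.
audit_nc_dir() {
    nc_dir=$1
    want_uid=${2:-0}    # overridable so the check can be exercised without root
    if [ ! -d "$nc_dir" ]; then
        echo "NOT-A-DIR $nc_dir"
        return 2
    fi

    findings=$(
        # A directory writable by group or others lets them replace files in it.
        find "$nc_dir" -prune \( -perm -020 -o -perm -002 \) \
            -exec echo "DIR-WRITABLE" {} \;

        # Every regular file that has the setuid or setgid bit set.
        find "$nc_dir" -type f \( -perm -4000 -o -perm -2000 \) -print |
        while IFS= read -r f; do
            mode=$(stat -c '%a' "$f")
            uid=$(stat -c '%u' "$f")
            if [ "$(basename "$f")" != "ncsvc" ]; then
                # Nothing else in this directory should run with elevated ids.
                echo "UNEXPECTED-SETID mode=$mode uid=$uid $f"
                continue
            fi
            [ "$uid" = "$want_uid" ] || echo "OWNER uid=$uid (want $want_uid) $f"
            [ "$mode" = "6711" ]     || echo "MODE mode=$mode (want 6711) $f"
        done
    )

    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}
```

Run it as `audit_nc_dir ~/.juniper_networks/network_connect` after each client update, since the installer rewrites files in that directory.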

cheahk
December 16th, 2007, 07:06 AM
I had this working on an old notebook running Gutsy. Then all of a sudden today, I could log in and connect, but I could not get to any of the resources at the company. I checked everything like "netstat -rn" and "/etc/resolv.conf", and sure enough, they were correct.

I finally found the problem. It was the "~/.juniper_networks/network_connect/ncsvc.log" file that had grown too big, about 2.4 GB in size (or something). I just did a "> ncsvc.log" to zero it out, and everything is working fine again.

Does anyone know of an elegant way to rotate this file, or even to turn off debugging/logging to this file?

-K
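An added example (not from the thread) that extends the in-place truncation used in the post above so the newest part of ncsvc.log is kept. It rewrites the existing file instead of renaming it, on the assumption that ncsvc keeps the log open; the function names and thresholds are this example's own.

```shell
#!/bin/sh
# Added example: cap a log that a running process keeps open.

# trim_log FILE MAX_BYTES KEEP_BYTES
# If FILE is larger than MAX_BYTES, cut it down to roughly its last KEEP_BYTES.
# The file is rewritten in place (same inode), so a process holding it open
# keeps logging into it. Lines written between the copy and the rewrite are
# lost, and a writer that does not append will leave a sparse file behind.
trim_log() {
    log=$1
    max=$2
    keep=$3
    [ -f "$log" ] || return 2

    size=$(( $(wc -c < "$log") ))
    if [ "$size" -le "$max" ]; then
        return 0
    fi

    tmp=$(mktemp) || return 2
    # Keep the newest bytes and drop the first line, which is usually cut short.
    tail -c "$keep" "$log" | sed 1d > "$tmp"
    cat "$tmp" > "$log"     # truncate and refill the same inode
    rm -f "$tmp"
}

# log_inode FILE: inode number, to confirm the file was not replaced
log_inode() {
    ls -i "$1" | awk '{ print $1 }'
}
```

A call such as `trim_log ~/.juniper_networks/network_connect/ncsvc.log 104857600 1048576` can run from cron or before each connection; logrotate's `copytruncate` option applies the same idea.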

QettoE
December 20th, 2007, 01:31 AM
I'm kinda late, but have your administrator change your IVE box application from Windows to Java and everything will work.

Matt Waddell
January 4th, 2008, 09:23 AM
Perhaps nobody cares anymore, but I was wondering if anyone has had any luck getting the Secure Application Manager (part of IVE) to work under wine. I've had some limited success logging into the vpn https gateway with IE + wine, as well as getting the SAM installed and running (under wine as well). Although the SAM loads and connects to the VPN, it doesn't appear to tunnel any traffic generated by other apps run under wine (i.e. remote desktop). I'm unable to resolve internal DNS registered names, nor am I able to connect directly to IP addresses. My guess is that this has something to do with wine's winsock implementation.

When I try to enable DNS tunneling (I forget what the button is called) (enabled in one of the "Advanced" tabs of the SAM config systray program), I see this being printed to stdout by wine:

BTW: I'm using wine-0.9.33

fixme:winsock:WSCInstallNameSpace (L"Juniper Secure DNS (Top)" L"c:\\Program Files\\Juniper Networks\\Secure Application Manager\\gapsp.dll" 0x0000000c 0x00000000 {e90a7329-700e-4312-abc0-9b384bbb53bf}) Stub!

It's possible that this wine-unimplemented winsock function is essential.

I've also noticed some other differences between running the SAM in windows and through wine. For one, the Protocol Catalog list (again in one of the Advanced tabs of the SAM config systray program) is completely empty when run under wine. When run under windows this list is populated with protocols which are implemented in the following DLLs:

mswsock.dll
rsvpsp.dll
winrnr.dll
samnsp.dll


Anyhow... That's all I've been able to figure out for now. Perhaps someone else has had luck with this. I want my company to support the linux client too :-((((

flovo77
January 4th, 2008, 04:51 PM
Hi all, 'Installation check failed' took me about an hour to figure out...


fresh Feisty/Gutsy (won't matter anyway) installation
Network Connect is unable to connect and ends up with 'connection failed'
The diagnosis message contains 'Installation check failed', as reported in post 36 and post 99


In my case, not using a /tmp symlink pointing to a directory at my crypto fs anymore is the workaround, see http://www.juniperforum.com/index.php/topic,5454.0.html and http://www.juniperforum.com/index.php/topic,5455.0.html.

=> Network Connect fails if /tmp and /etc are mounted on different partitions!
Florian

see

Hi, I am trying to get network connect working on Debian and found this page. I followed the instructions. The network connect dialog popped up but I couldn't connect. The diagnosis message indicates the NC installation check failed. The NC service is not running. Anyone has idea how to fix this problem?

Thanks!

theanswriz42
January 14th, 2008, 05:27 PM
HOWTO set up Juniper Network Connect VPN on Ubuntu Gutsy-Gibbon amd64

I used all the tricks in the original post, but gutsy-amd64 needs some modifications.

After the first installation failed, I used ldd to check the config, ie:



sudo ldd ~/.juniper_networks/network_connect/ncsvc


That helped to identify what was missing. I had already installed some 32bit packages for gutsy-amd64, eg:


sudo apt-get install ia32-libs
sudo apt-get install ia32-sun-java5-bin
sudo apt-get install ia32-sun-java6-bin


(There is no equivalent for the ia32-sun-javaX-jre.)

For libstdc++2.10-glibc2.2, I did the following (maybe not the best way to do this, but it worked for me):



sudo -i
cd /usr/src
wget http://debian.oregonstate.edu/debian/pool/main/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-27_i386.deb
dpkg-deb -x libstdc++2.10-glibc2.2_2.95.4-27_i386.deb libstdc++2.10-glibc2.2_2.95.4-27_i386
mv libstdc++2.10-glibc2.2_2.95.4-27_i386/usr/lib/* /usr/lib32/
mv libstdc++2.10-glibc2.2_2.95.4-27_i386/usr/share/doc/libstdc++2.10-glibc2.2 /usr/share/doc/
rm -rf libstdc++2.10-glibc2.2_2.95.4-27_i386
rm libstdc++2.10-glibc2.2_2.95.4-27_i386.deb


For libssl symbolic links, I used:



sudo ln -s /usr/lib32/libssl.so.0.9.8 /usr/lib32/libssl.so.0
sudo ln -s /usr/lib32/i686/cmov/libssl.so.0.9.8 /usr/lib32/i686/cmov/libssl.so.0


After that, it works, hurrah!

Thanks so much for the original post, it was a life saver for me! I still hate their flaky installation scripts that have not been updated now in years!

Works like a charm on my Gutsy 64 bit install. Thanks man!

techno-wiz
January 18th, 2008, 04:47 AM
Any chance we could get a script for the amd64 install like the one posted for 32 bit? :)

wiryu
February 4th, 2008, 06:27 AM
HOWTO set up Juniper Network Connect VPN on Ubuntu Gutsy-Gibbon amd64

I used all the tricks in the original post, but gutsy-amd64 needs some modifications.

After the first installation failed, I used ldd to check the config, ie:



sudo ldd ~/.juniper_networks/network_connect/ncsvc


That helped to identify what was missing. I had already installed some 32bit packages for gutsy-amd64, eg:


sudo apt-get install ia32-libs
sudo apt-get install ia32-sun-java5-bin
sudo apt-get install ia32-sun-java6-bin


(There is no equivalent for the ia32-sun-javaX-jre.)

For libstdc++2.10-glibc2.2, I did the following (maybe not the best way to do this, but it worked for me):



sudo -i
cd /usr/src
wget http://debian.oregonstate.edu/debian/pool/main/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-27_i386.deb
dpkg-deb -x libstdc++2.10-glibc2.2_2.95.4-27_i386.deb libstdc++2.10-glibc2.2_2.95.4-27_i386
mv libstdc++2.10-glibc2.2_2.95.4-27_i386/usr/lib/* /usr/lib32/
mv libstdc++2.10-glibc2.2_2.95.4-27_i386/usr/share/doc/libstdc++2.10-glibc2.2 /usr/share/doc/
rm -rf libstdc++2.10-glibc2.2_2.95.4-27_i386
rm libstdc++2.10-glibc2.2_2.95.4-27_i386.deb


For libssl symbolic links, I used:



sudo ln -s /usr/lib32/libssl.so.0.9.8 /usr/lib32/libssl.so.0
sudo ln -s /usr/lib32/i686/cmov/libssl.so.0.9.8 /usr/lib32/i686/cmov/libssl.so.0


After that, it works, hurrah!

Thanks so much for the original post, it was a life saver for me! I still hate their flaky installation scripts that have not been updated now in years!

Thanks a lot man! It works for me.

HardDisc
February 11th, 2008, 04:32 AM
OK... I'm running Gutsy AMD64 and followed all the instructions in this post (and then some!!!). The question I have is how are you folks getting Java5/6 running in the first place???? I install them and my Firefox can't find the plugins so when I bring up the company VPN site I can't even get the Juniper stuff to download because "JRE is missing/Java not installed". I Googled all over and everyone has problems with Java5/6 on Gutsy-64; according to those posts the only solution is IcedTea. I tried IcedTea and even though that seems to be working in Firefox (Java test at Sun's website comes up just fine) Juniper - at least the ver my co. uses - won't launch with IcedTea. How are you folks getting Java5/6 to run Firefox 64-bit in the first place??? - BTW, I do have the ia32-libs installed.

Any ideas!?!?!?!?!?!?

I had Juniper working just fine on my old notebook running i386 Feisty but since the boss approved a new NB with Core2Dual I figured I'd upgrade to Gutsy AMD64. Everything else is working... this is my last hurdle!!!!!! AAAAARRRRRGGGGGGHHHHHHH.

cheahk
February 13th, 2008, 08:18 PM
I got this working with no issues on Gutsy.

I did everything the OP did, but added:

sudo ln -s /usr/lib/i686/cmov/libssl.so.0 /lib/libssl.so.0

For some reason, it didn't work until I added the symlink.

Basically, it's:

# sudo -s
# aptitude install openssl libstdc++2.10-glibc2.2 sun-java5-bin sun-java5-jre
# ln -s /bin/true /usr/bin/rpm
# ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0
# ln -s /usr/lib/i686/cmov/libssl.so.0 /lib/libssl.so.0
# passwd
(enter your su password)
# exit

It's just a matter of restarting firefox and logging in.

-K

HardDisc
February 14th, 2008, 04:18 AM
Yep... I already tried that (I think it was mentioned earlier on in the post)... I also tried:

sudo ln -s /usr/lib32/libcrypto.so.0.9.8 /usr/lib32/libcrypto.so.0
sudo ln -s /usr/lib32/i686/cmov/libcrypto.so.0.9.8 /usr/lib32/i686/cmov/libcrypto.so.0

because I saw that in this or some other post (my head is swimming from all the posts I've searched).

zefew
February 15th, 2008, 03:23 AM
Where do you obtain "ncsvc" or access "network connect" in the first place?
I installed all the necessary packages and symlinks, but I don't see any "network connect" button/link even after having logged-in through firefox. It just tries to launch up the SAM just like on windows ie6...

muellthos
February 27th, 2008, 02:14 PM
@zefew,

it's a matter of rights you have on the Juniper Secure Access system, to which you connect. There are 2 methods, SAM (Secure Access Manager) and NC (Network Connect). SAM is for allowing a particular Client Server application to be tunneled thru SSL (think of a kind of port forwarding), NC is more like an IPSEC tunnel, but over SSL. The administrator of the Juniper SA decides on your access rights. So if you haven't been granted permission for NC, but for SAM, you can't use it. I don't know if someone has implemented SAM on Linux, but I don't think so.

Thomas

zefew
February 28th, 2008, 10:04 PM
@zefew,

it's a matter of rights you have on the Juniper Secure Access system, to which you connect. There are 2 methods, SAM (Secure Access Manager) and NC (Network Connect). SAM is for allowing a particular Client Server application to be tunneled thru SSL (think of a kind of port forwarding), NC is more like an IPSEC tunnel, but over SSL. The administrator of the Juniper SA decides on your access rights. So if you haven't been granted permission for NC, but for SAM, you can't use it. I don't know if someone has implemented SAM on Linux, but I don't think so.

Thomas

Though your post pretty much closes my hopes to be able to connect to one of the company VPNs (it has many..) on linux, at least I'm clear on the issues. Thanks, Thomas.

aguevarra
March 19th, 2008, 03:56 PM
I've had trouble getting this working in gutsy amd64. To get this working, I did:


...not use the installed firefox. I downloaded one from http://getfirefox.com
Installed the java5 packages

sudo apt-get install ia32-sun-java5-bin sun-java5-bin sun-java5-jdk sun-java5-jre
linked the java plugin to the mozilla plugin directory

cd ~/.mozilla/plugins
ln -sf /usr/lib/jvm/ia32-java-1.5.0-sun-1.5.0.13/jre/plugin/i386/ns7/libjavaplugin_oji.so .

beltratc
March 23rd, 2008, 12:16 PM
PoD,

Did you ever figure out your timeout issue?

Thanks,

beltratc

beltratc
March 24th, 2008, 12:57 PM
Based on the information in this page, I wrote a script to install on 7.04 and 7.1.10.

Enjoy!

http://ubuntuforums.org/attachment.php?attachmentid=48315&d=1193675395
(http://ubuntuforums.org/attachment.php?attachmentid=48315&d=1193675395)

Everyone - thanks for the fine work on this thread!

I've made a fresh install of 7.10 and used this script to setup Juniper. It works great - for 20 minutes then times out.

Prior to it timing out I noticed that the Network Connect dialog box shows COMPRESSION=NULL. Right at the 20 minute mark, the COMPRESSION=DEFLATE and I no longer can access the VPN.

Any ideas?

Thanks,

Beltratc

madscientist
April 1st, 2008, 07:57 AM
I got tired of messing with my browser to enable/disable the VPN so, based on my own investigation and some info posted by others, I created a shell script that invokes the VPN. I put a Hardy beta release up into a VMWare instance and wrote a how-to guide for getting it working, with a few screenshots.

I've used my script on Gutsy (Ubuntu 7.10) as well, although I did it by hand rather than follow those directions.

Find the directions here: http://mad-scientist.us/juniper.html

Let me know if you have problems!

TheFluffyOne
April 12th, 2008, 02:11 PM
Great how-to, madscientist. Nicely summarises all of the information needed to get things running.

Unfortunately after upgrading my laptop from Gutsy to the current beta of Hardy, Network Connect stopped working.

All of the components are in place, but ncsvc reports an error:


./ncsvc: symbol lookup error: ./ncsvc: undefined symbol: __builtin_new

I'm guessing there's a shared library that's been updated/modified in Hardy. Anyone else seeing this issue?

jcpowermac
April 27th, 2008, 12:30 AM
Yeah I had the exact same issue.

I tried to just link the new library but that didn't work.

I don't know if it was wise but this is how I fixed it.

Download libstdc++2.10-glibc2.2_2.95.4-27_i386.deb get it from here (http://http.us.debian.org/debian/pool/main/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-27_i386.deb)


sudo dpkg -i libstdc++2.10-glibc2.2_2.95.4-27_i386.deb

tc7
April 28th, 2008, 11:05 AM
Excellent how-to, madscientist. However ... no joy for me after Gutsy upgrade to Hardy 8.04.

I think my VPN host requires a cookie or something else from the browser as I couldn't get the authentication to work using your script. I'm reasonably confident my: HOST/USER/CERT/REALM parameters are correct as the applet loads (it doesn't if REALM is incorrect for example), but authentication fails, eg:


ncapp> Failed to connect/authenticate with IVE. Error 104
ncapp> Incorrect credentials. Please check the username/password/realm.


The following borrows from the past few posts.

Initially I had the same issue as fluffy (above), eg:

./ncsvc: symbol lookup error: ./ncsvc: undefined symbol: __builtin_new


The suggestion from powermac worked fine, eg:

sudo dpkg -i libstdc++2.10-glibc2.2_2.95.4-27_i386.deb


At this point I get:

~/.juniper_networks/network_connect/ncsvc --version
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 5.3-0-Build10197
Build Date/time : Feb 15 2006 18:21:55
Copyright 2002-2006 Juniper Networks


The problem now is the incompatible shell scripts provided. I overcame this by modifying the originals and using chattr to prevent nc from overwriting with the originals (I think from an earlier post).

I created modified "source" copies in: ~/.juniper_networks/ and created a new shell script to update them, eg:

1) ~/.juniper_networks/src_installNC.sh


echo "Ubuntu compatible version of installNC.sh"

# Install the service

echo "executing $0 with params: $*"

#if(("$#"<"1"))
if [ "$#" -lt "1" ]
then
    echo "Insufficiant number of parameters"
    echo "$0 <install dir>"
    exit;
fi

if [ -e "$1/ncsvc" ]
then
    echo "Service already installed"
    ok="done"
else
    echo "Service needs to be installed for the first time."
    ok="try"
fi

until [ "$ok" = "done" ]
do
    echo "Please enter the root/su password"
    su root -c "install -m 6711 -o root $1/../tmp/ncsvc $1/ncsvc"
    if [ "$?" -eq "0" ]
    then
        cp $1/../tmp/version.txt $1/
        ok="done"
        rm -rf $1/../tmp
    else
        echo "Invalid su password and/or Unable to install ncsvc"
        echo -n "Do you want to try again (enter y to try again):";
        read choice;
        if [ "$choice" != "y" ]
        then
            ok="done"
        fi
    fi
done
chmod 744 $1/ncdiag


2) ~/.juniper_networks/src_xlaunchNC.sh

#!/bin/sh
# launch to install the service
# 20051220 : Javeed : Added -n to modprobe for dry run. We dont want to insmod, just check if tun
# is available.

echo "Ubuntu compatible version of xlaunchNC.sh"

echo "executing $0 with params: $*"

#if(("$#"<"1"))
if [ "$#" -lt "1" ]
then
    echo "Insufficient number of params"
    echo "$0 <install dir> "
    echo "$*";
    exit
fi

#echo "$*";

#moved code from installNC.sh to here so that we call xterm only if needed.
flag=1

if [ -e "$1/ncsvc" ]
then
    if [ -e "$1/version.txt" ]
    then
        old_version=`grep -i "Version" $1/version.txt | cut -f 2 -d " "`;
        new_version=`grep -i "Version" $1/../tmp/version.txt | cut -f 2 -d " "`;
        # echo "$old_version == $new_version"
        if [ "$old_version" \< "$new_version" ]
        then
            echo "Need to install the new service"
        else
            flag=0;
            echo "No difference found"
        fi
    fi
else
    echo "Service needs to be installed for the first time"
fi
if [ "$flag" -eq "1" ]
then
    echo "calling $1/installNC.sh" >> $0.log
    chmod 744 $1/installNC.sh
    `xterm -e $1/installNC.sh $1`
fi

#export LD_LIBRARY_PATH=/usr/X11R6/lib

# no need to check for ncui. Have to check for openssl package and tun driver.
#ldd $1/ncui | grep "not found" | tr -d "\t" | cut -d " " -f 1 | tee $1/missing_libs
# check if modprobe can locate the tun module.
#Adding dry run option we dont want to insmod, just check if tun is available

rm -rf $1/missing.rpt
/sbin/modprobe -n tun 1> $1/missing.info
if [ "$?" -ne "0" ]
then
    echo "Modprobe for Tun driver failed." > $1/missing.rpt
    # rpm -q tun 1> $1/missing.rpt
fi
#check if openssl is installed
rpm -q openssl 1>> $1/missing.info
if [ "$?" -ne "0" ]
then
    echo "RPM query for openssl failed." >> $1/missing.rpt
fi

3) ~/bin/juniper_update:

#!/bin/bash
# Copy the modified scripts over the ones Network Connect unpacks,
# then make them immutable so they are not replaced again.

ncpath="$HOME/.juniper_networks/network_connect"
src_installNCsh="${ncpath}/../src_installNC.sh"
src_xlaunchNCsh="${ncpath}/../src_xlaunchNC.sh"

if [ -d "${ncpath}" ];
then
    # both modified sources must exist
    if [ -f "${src_installNCsh}" ] && [ -f "${src_xlaunchNCsh}" ];
    then
        if [ -x "${ncpath}/ncsvc" ];
        then
            # display ncsvc version
            "${ncpath}/ncsvc" --version
            # enable access to scripts
            sudo chattr -V -i "${ncpath}/installNC.sh"
            sudo chattr -V -i "${ncpath}/xlaunchNC.sh"
            if [ -w "${ncpath}/installNC.sh" ] && [ -w "${ncpath}/xlaunchNC.sh" ];
            then
                # overwrite with dummy version (each source goes to its own target)
                cp -v "${src_installNCsh}" "${ncpath}/installNC.sh"
                cp -v "${src_xlaunchNCsh}" "${ncpath}/xlaunchNC.sh"
                # prevent dummy scripts being overwritten
                sudo chattr -V +i "${ncpath}/installNC.sh" "${ncpath}/xlaunchNC.sh"
            else
                echo "unable to overwrite: ${ncpath}/installNC.sh, OR: ${ncpath}/xlaunchNC.sh"
                echo "must run using: sudo $0"
            fi
        else
            echo "Could not execute: ${ncpath}/ncsvc. Please ensure juniper network connect is \"installed\" first"
        fi
    else
        echo "Could not find: ${src_installNCsh}, OR: ${src_xlaunchNCsh}"
    fi
else
    echo "ncpath is invalid: ${ncpath}"
fi


I tried to modify the originals just enough to make it work.

Now the network connect applet loads as it always used to with Gutsy (via Firefox 3 beta5 and using a similar approach).

Thanks again to all the above - it's quite a relief to have VPN access once again!

Kethinov
April 29th, 2008, 09:21 AM
For people who upgraded to Hardy and stuff is now broken (app will not init): disable the GCJ mozilla plugin and install the official java mozilla plugin instead.

TheoGB
May 4th, 2008, 01:47 PM
I got tired of messing with my browser to enable/disable the VPN so, based on my own investigation and some info posted by others, I created a shell script that invokes the VPN. I put a Hardy beta release up into a VMWare instance and wrote a how-to guide for getting it working, with a few screenshots.

I've used my script on Gutsy (Ubuntu 7.10) as well, although I did it by hand rather than follow those directions.

Find the directions here: http://mad-scientist.us/juniper.html

Let me know if you have problems!

Hi,

I am a big newbie here but I need to set this up so I can home work from my Vista x64 box. I.e. I'm running Ubuntu on VirtualBox and having issues.

I'm running the Version 8 (Hardy something?) of Ubuntu. Now reading that I am totally unable to Google up a way to make sense of this bit:


So, first download the junipernc script and put it somewhere on your PATH; I typically create ~/bin and add that to my PATH for these sorts of things but it's up to you.

So, I discovered from the Ubuntu manual that scripts are normally in /etc. I went into there and found a bash_completion file that looked similar so I

sudo cp bash_completion junipernc

then I
sudo gedit junipernc

deleted the existing stuff and copied in all the junipernc code found at that link.

However, the line about changing the path totally confuses me. I can't work out how to do that bit.

Cheers
Theo

Edit: Hmm. I tried just running the junipernc script with sudo sh inside the etc folder and it ran as expected but when I put in my password in the 'SecureID' bit it just says the VPN is exiting then asks me if I want to try it again. This just seems to be a looping situation now.

This is all really rather depressing... :(

madscientist
May 4th, 2008, 02:48 PM
Hi,

I am a big newbie here but I need to set this up so I can home work from my Vista x64 box. I.e. I'm running Ubuntu on VirtualBox and having issues.

Wow. You're really jumping in on the deep end. Networking using virtual machines is not always straightforward, even for people who are very knowledgeable about it.

Before we spend a lot of time on this, can you give us more general information about what you want to be able to do if everything were working correctly? If what you really want to do is have your Vista system talk to your work environment via the VPN, then setting up the VPN in Ubuntu in a virtual machine on Vista will not really get you there. Not without a LOT of very tricky work with routing etc. that I'm certainly not prepared to describe to you, especially on Windows (I haven't owned a machine running Windows since Windows 3.1 back in the 90's). If that's what you want to do the only realistic way of doing it is to run Ubuntu as the main OS, then use VMWare or similar to run Vista as the virtual, or guest, OS. In this mode you can set up Vista to share the network connection of the host OS (Ubuntu), so when Ubuntu is connected to VPN, Vista can share that connection.

If, instead, what you want to do is use Ubuntu to connect to the VPN at work but you don't need the host OS (Vista) to connect, then we can hopefully get you going.

It may still be a bit tricky though: VPNs on virtual machines can suffer from a variety of issues.

My advice is this: I'll tell you what you've done wrong so far and get you set up right. If it still doesn't work I recommend that you use a LiveCD or Wubi install of Ubuntu and see if you can get that working just to prove that it can be done.


So, I discovered from the Ubuntu manual that scripts are normally in /etc. I went into there and found a bash_completion file that looked similar so I

sudo cp bash_completion junipernc

then I
sudo gedit junipernc

deleted the existing stuff and copied in all the junipernc code found at that link.

Hrm. That's really... not right :-). I think you must have misread/misunderstood the comment in the Ubuntu manual. Configuration files (and sometimes scripts) are normally found in /etc. However, scripts that you would run as commands (like this one) are not in /etc. The system commands live in one of the directories /bin, /usr/bin, /sbin, or /usr/sbin (it's not worthwhile at this point to explain the differences between these, which are all down to convention rather than requirements anyway).

In this case, though, the most important thing you've missed is that the script does NOT need to be run as root (the administrative account; using sudo). You should run it as yourself (not using sudo). It really doesn't belong in a system directory such as /etc, /usr/bin, etc. It should live in your own home directory (/home/<username>).

My web page recommends making a /home/<username>/bin directory and putting it in there, then adding that to your PATH. Don't worry about that if you don't understand it. Instead, do this:


Download the script from my page and put it on your Desktop.
Right-click on the script icon on your Desktop, and select Properties.
Choose the "Permissions" tab and check the box "Execute: allow executing file as program" (note: be very careful about this in general... only do this for files you trust).


Now the file is executable (you can run it as a command). After we get it working we'll make an icon for it, but for now run it by double-clicking on it. You'll get a dialog asking you what to do; choose "Run in terminal" (so we can see any errors/messages). You should get a terminal window, followed by the requests for information as described on my page.

Follow the directions and see where you end up. Post any odd messages that are printed on the terminal window (beware it will go away automatically when you quit the script, so cut/paste them somewhere else first).

TheoGB
May 4th, 2008, 07:58 PM
Hey cheers,

Basically: my computer is at work. If I want to work at home I use an address that is extranet.mywork.tld. This runs a bit of Java and then lets me click START for a Juniper Networks connection to put me on the network.

Then I start a remote desktop session to connect to my computer, referring to it by name as if I were on the network (which I now am).

All this would be fine but Vista x64 doesn't support this so in my new computer I thought I'd just run VirtualBox with a Linux flavour and run remote desktop from there; further down the line I want this VB to be my web development machine to more closely match my online sites rather than run stuff in Windows.


Anyway, initially I installed Ubuntu 7 and I got all this working, I think by following the first post in this thread. Y'know, I was going to mark it all down and I just didn't get a chance. :( Anyway, it connected and I got remote desktop fine. BUT, I was locked at 1024x768 and my native res is 1680x1050.

So I attempted to set this and screwed the display up so it didn't even work any more. I deleted that partition then discovered about Guest Additions. I tried again with Ubuntu 7 and used Guest Additions and the following change to the xorg.conf (from a different forum)



Section "Device"
Identifier "Generic Video Card"
Boardname "VESA driver (generic)"
Driver "vboxvideo"
BusID "PCI:0:2:0"
Screen 0
EndSection

Section "Monitor"
Identifier "Generic Monitor"
Vendorname "Generic LCD Display"
Modelname "Monitor 1680x1050"
Option "DPMS"
HorizSync 30-83
VertRefresh 56-76
Gamma 1.0
EndSection

Section "Screen"
Identifier "Default Screen"
Device "Generic Video Card"
Monitor "Generic Monitor"
DefaultDepth 24
SubSection "Display"
Depth 24
Modes "1680x1050" "1280x1024" "1024x768"
EndSubSection
EndSection


Note I had to manually do this because there was no way to select using the X-Windows stuff.


Okay...next hell: I got all this working but (and via a few more wipe downs and reinstalls) I have discovered that Guest Additions screws up Firefox. How? It causes every Java initiation to ask if I trust the applet and once I say yes, it seems that it gives up anyway and doesn't do anything.

GRRRRRR.

So I thought I'd give Ubuntu 8 a try. This doesn't exhibit this Firefox problem...it has a different one. The Java runs but Juniper Networks never boots, even after I did the original changes in the start of this thread.


So at the moment I've wiped down that Ubuntu 8 session already and got a bit frustrated. Essentially all I want is:
- Ubuntu to run at my full screen resolution
- extranet.mywork.tld to load up.
- Juniper networks to connect.
- Remote desktop to my work computer so I can work at home from this Vista x64 machine.


When all that's done I'll get around to installing:
- Apache
- MySQL
- PHP
- Ruby on Rails

(Wowsers!)

Any advice on the first phase is much appreciated. For now I'll start a new Ubuntu 8 version and do what you've said.

Cheers
Theo
-

TheoGB
May 6th, 2008, 08:17 AM
Hmm.

Okay, well I did it correctly this time. The script runs, takes in the appropriate details, though having never been asked a 'Service Realm' I just took the default one that was there. I put in the password, it thinks, and then says "VPN has exited successfully" but I see no signs of Juniper Networks connect actually running.

However, I'm not sure it ever installs on my system anywhere. Odd. I'm going to give this another try from Ubuntu 7 and get back to you, because the way Firefox acts in each system is very different...

Baltazar72
May 16th, 2008, 07:38 PM
I have the same trouble as TheoGB, I think. Running madscientist's script. Trouble was that I was running it with sudo, I got some java errors.

baltazar@baltazar:~/.bin$ sudo sh juniper.sh
Exception in thread "AWT-EventQueue-0" java.lang.ExceptionInInitializerError
at NC$3.run(NC.java:1282)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:273)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:183)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:173)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:168)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:160)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:121)
Caused by: java.lang.ArrayIndexOutOfBoundsException: 3
at JavaNC.<clinit>(NC.java:443)
... 9 more

running without sudo NetworkConnect starts, but alerts me with "Invalid Credentials"

baltazar@baltazar:~/.bin$ ./juniper.sh
Searching for ncsvc in current working directory
Searching for ncsvc in /home/baltazar/.juniper_networks/network_connect done.
ncapp> Failed to connect/authenticate with IVE. Error 104
ncapp> Incorrect credentials. Please check the username/password/realm.


I will have to see why with IT staff I guess....Because NetworkConnect opens, but complains about credentials..

elenctic
May 17th, 2008, 12:25 AM
I just upgraded to 8.04 and am using madscientist's script to connect. I login and am authenticated just fine, but after about a minute the connection dies. Has anyone else seen and/or fixed this problem? Any help would be appreciated.

sauravghosh
May 17th, 2008, 03:08 AM
I just upgraded to 8.04 and am using madscientist's script to connect. I login and am authenticated just fine, but after about a minute the connection dies. Has anyone else seen and/or fixed this problem? Any help would be appreciated.

I don't know if this is your problem, but we had a similar problem at our workplace -- but it was on windows systems, and it was caused by the new iTunes, which installed the Bonjour service, which interfered with the Juniper client. It displayed exactly the same symptoms -- connection began fine, but died within the first minute.

I haven't read through this entire thread yet, but I was looking for some assistance with Juniper on AMD64 Hardy (I've installed the 32-bit Firefox and Java plug-in, and tried the script, but the installNC.sh script keeps saying the service needs to be installed, and if I can get it to go forward by supplying a root password -- after actually making one -- the client complains that it 'Can't find required libraries'). Any idea which libraries it needs, or how I can find out? I also installed libstdc++2.10-glibc2.2_2.95.4-27_i386.

psorcerer
May 18th, 2008, 09:48 AM
Hi, everybody. The recent openssl update to Hardy broke the client totally. All hail Juniper!



java.io.EOFException
at java.io.DataInputStream.readInt(DataInputStream.java:375)
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:628)
at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:38)
at java.security.KeyStore.load(KeyStore.java:1185)
at com.sun.deploy.security.DeploySSLCertStore$1.run(DeploySSLCertStore.java:153)
at java.security.AccessController.doPrivileged(Native Method)
at com.sun.deploy.security.DeploySSLCertStore.loadCertStore(DeploySSLCertStore.java:136)
at com.sun.deploy.security.DeploySSLCertStore.load(DeploySSLCertStore.java:107)
at com.sun.deploy.security.DeploySSLCertStore.load(DeploySSLCertStore.java:92)
at com.sun.deploy.security.ImmutableCertStore.load(ImmutableCertStore.java:43)
at com.sun.deploy.security.X509ExtendedDeployTrustManager.checkServerTrusted(X509ExtendedDeployTrustManager.java:324)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:954)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:123)
at com.sun.net.ssl.internal.ssl.Handshaker.processLoop(Handshaker.java:516)
at com.sun.net.ssl.internal.ssl.Handshaker.process_record(Handshaker.java:454)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:884)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1096)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1123)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1107)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:405)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:166)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:977)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at com.sun.deploy.net.HttpUtils.followRedirects(HttpUtils.java:45)
at com.sun.deploy.net.BasicHttpRequest.doRequest(BasicHttpRequest.java:169)
at com.sun.deploy.net.BasicHttpRequest.doGetRequestEX(BasicHttpRequest.java:63)
at com.sun.deploy.net.DownloadEngine.isUpdateAvailable(DownloadEngine.java:709)
at com.sun.deploy.cache.DeployCacheHandler.get(DeployCacheHandler.java:133)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:681)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:158)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:977)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:234)
at sun.plugin.PluginURLJarFileCallBack.downloadJAR(PluginURLJarFileCallBack.java:72)
at sun.plugin.PluginURLJarFileCallBack.access$000(PluginURLJarFileCallBack.java:46)
at sun.plugin.PluginURLJarFileCallBack$1.run(PluginURLJarFileCallBack.java:106)
at java.security.AccessController.doPrivileged(Native Method)
at sun.plugin.PluginURLJarFileCallBack.retrieve(PluginURLJarFileCallBack.java:94)
at sun.net.www.protocol.jar.URLJarFile.retrieve(URLJarFile.java:186)
at sun.net.www.protocol.jar.URLJarFile.getJarFile(URLJarFile.java:50)
at sun.net.www.protocol.jar.JarFileFactory.get(JarFileFactory.java:68)
at sun.net.www.protocol.jar.JarURLConnection.connect(JarURLConnection.java:104)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.connect(CachedJarURLConnection.java:189)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFileInternal(CachedJarURLConnection.java:144)
at sun.plugin.net.protocol.jar.CachedJarURLConnection.getJarFile(CachedJarURLConnection.java:90)
at sun.misc.URLClassPath$JarLoader.getJarFile(URLClassPath.java:647)
at sun.misc.URLClassPath$JarLoader.access$600(URLClassPath.java:538)
at sun.misc.URLClassPath$JarLoader$1.run(URLClassPath.java:605)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath$JarLoader.ensureOpen(URLClassPath.java:597)
at sun.misc.URLClassPath$JarLoader.<init>(URLClassPath.java:559)
at sun.misc.URLClassPath$3.run(URLClassPath.java:331)
at java.security.AccessController.doPrivileged(Native Method)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:320)
at sun.misc.URLClassPath.getLoader(URLClassPath.java:297)
at sun.misc.URLClassPath.getResource(URLClassPath.java:167)
at java.net.URLClassLoader$1.run(URLClassLoader.java:192)
at java.security.AccessController.doPrivileged(Native Method)
at java.net.URLClassLoader.findClass(URLClassLoader.java:188)
at sun.applet.AppletClassLoader.findClass(AppletClassLoader.java:155)
at java.lang.ClassLoader.loadClass(ClassLoader.java:306)
at sun.applet.AppletClassLoader.loadClass(AppletClassLoader.java:127)
at java.lang.ClassLoader.loadClass(ClassLoader.java:251)
at sun.applet.AppletClassLoader.loadCode(AppletClassLoader.java:632)
at sun.applet.AppletPanel.createApplet(AppletPanel.java:786)
at sun.plugin.AppletViewer.createApplet(AppletViewer.java:2108)
at sun.applet.AppletPanel.runLoader(AppletPanel.java:715)
at sun.applet.AppletPanel.run(AppletPanel.java:369)
at java.lang.Thread.run(Thread.java:619)

marcw
May 18th, 2008, 01:25 PM
Hi, everybody. The recent openssl update to Hardy broke the client totally. All hail Juniper!

Sorry to hear of your exception, but I don't think there's necessarily anything wrong with the Juniper client. My Hardy is up to date with all the recent SSH and SSL updates and doing Network Connect it continues to work fine for me doing 32bit browser and java on 64bit Hardy.

psorcerer
May 18th, 2008, 02:04 PM
Sorry to hear of your exception, but I don't think there's necessarily anything wrong with the Juniper client. My Hardy is up to date with all the recent SSH and SSL updates and doing Network Connect it continues to work fine for me doing 32bit browser and java on 64bit Hardy.

Hmm, it indeed works by running NC.jar but doesn't work from the Firefox Java 1.6 plugin. The funniest thing is that it was working fine before the openssl update, both ways... strange.

stasyan
May 28th, 2008, 08:42 AM
Hi,

I'm trying to connect to my work's VPN from Ubuntu 8.04, Juniper NC 1.2. When I launch NC it says I'm connected, I get the internal IP but can't access any resource on the VPN. Firewall is disabled.

Diagnostics say ping to Nameservers failed.

I have no problem connecting from computer running windows though.

Both computers connected to the internet the same way.

I spent days trying to figure this out. Really need help!

Thanks

madscientist
May 28th, 2008, 05:57 PM
What diagnostics are you talking about that say "ping to nameservers failed"?

It might be that the DNS server configuration by your VPN provider is wrong. But it might also be that the VPN is not working, so that's why you can't access the DNS servers. Here are some debugging steps that will help us discover what's going on.

First, find the IP address of a host on the private network you're trying to connect to and use that instead of the hostname. You can replace the hostname in a URL (http://hostname/...) or ssh with an IP address and it should work. If it does, then it's a DNS problem.

If it doesn't, then the VPN itself is not configured properly. If that's the case it will require more careful examination.

If using the IP address works, then use the "host" command to see if you can resolve hostnames. Open a terminal (Applications -> Accessories -> Terminal) and run "host gnu.org" for example. You should immediately get back:

$ host gnu.org
gnu.org has address 199.232.41.10

If you don't get that then you definitely can't access your DNS servers.

If you CAN resolve gnu.org, then try the same trick with one of your internal systems. Does that resolve? If not, then somehow the VPN setup is not changing your /etc/resolv.conf file for you or else something is changing it back again. Does it work for a while but then stop working? If so then it's almost certainly your DHCP server overwriting your /etc/resolv.conf file when you renew your lease.

Look at the contents of /etc/resolv.conf; you should see IP addresses in there for servers in your private network, rather than for your ISP. If you don't know for sure, just look at the contents before you start the VPN and after: they should be different.

I guess that's enough for now... we can't do much more trouble-shooting-wise until we find the answers to these questions.
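
The before/after comparison of /etc/resolv.conf described in the post above, as an added example that is not part of the original post or of madscientist's script. The function names, snapshot file names and sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): classify what happened to the resolver
# configuration across a VPN session by comparing three resolv.conf snapshots.

# Print the nameserver addresses in a resolv.conf-format file, sorted, one per line.
nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1" | sort -u
}

# $1 = snapshot taken before connecting, $2 = snapshot taken just after
# connecting, $3 = the file as it is now. Prints one of:
#   never-changed  the VPN client did not rewrite the nameservers
#   vpn-active     the VPN's nameservers are still in place
#   reverted       something (e.g. a DHCP lease renewal) restored the old ones
#   other          the nameservers match neither snapshot
resolv_status() {
    before=$(nameservers "$1")
    connected=$(nameservers "$2")
    now=$(nameservers "$3")
    if [ "$connected" = "$before" ]; then
        echo never-changed
    elif [ "$now" = "$connected" ]; then
        echo vpn-active
    elif [ "$now" = "$before" ]; then
        echo reverted
    else
        echo other
    fi
}

# Constructed sample data: 192.0.2.x stands in for the ISP's resolvers,
# 10.20.0.x for resolvers inside the private network.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'search home.example\nnameserver 192.0.2.53\nnameserver 192.0.2.54\n' > "$tmp/before"
    printf '# written by VPN client\nnameserver 10.20.0.2\nnameserver 10.20.0.3\n' > "$tmp/connected"
    cp "$tmp/before" "$tmp/now"    # a lease renewal put the ISP resolvers back
    resolv_status "$tmp/before" "$tmp/connected" "$tmp/now"
    rm -rf "$tmp"
}

# Real use: cp /etc/resolv.conf ~/resolv.before   (before starting the VPN)
#           cp /etc/resolv.conf ~/resolv.vpn      (right after it connects)
#           resolv_status ~/resolv.before ~/resolv.vpn /etc/resolv.conf
demo
```

A result of "never-changed" points at the VPN setup not touching /etc/resolv.conf at all, while "reverted" matches the DHCP-renewal case described in the post.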

webs05
May 28th, 2008, 09:47 PM
I got a problem running the script...

So I downloaded the script from Mad Scientist's website. I called it juniper.sh. I run the script using the following command:

sudo sh junipernc.sh
This brings up this error message:

Could not unpack Juniper Network Connect!
I left the script I downloaded from MS's site untouched. Was I supposed to change something? Also the terminal window has no error message, it thinks the script ran fine.

I checked my location for the Juniper files and I have the JAR file and other stuff downloaded it seems in the ".juniper_networks" folder. Is there something else I am missing?

The directions on MS's site I followed to a T but I am left with this annoying message.

P.S. I am using the full blown version of Xubuntu 8.04 on a 32bit Intel machine.

Thanks to anyone that can help!!

madscientist
May 29th, 2008, 06:53 PM
Hrm. Nowhere does it say you need to or should run the script as root (using sudo).

You're at least the second person who's done this, though, so I've created a new version of the script that checks for this and prints a failure. Unfortunately I left it at home so I haven't uploaded it yet.

However, you should remove the ~/.vpn.cfg file (you might have to be root to do that) then re-run the script WITHOUT the sudo.

webs05
May 29th, 2008, 08:20 PM
Thanks for the reply Mad Scientist. Here is where I am now at...

jonny@LittleBlackWebs:~/Desktop$ ./junipernc
java.io.FileNotFoundException: META-INF/MANIFEST.MF (Permission denied)
at java.io.FileOutputStream.open(Native Method)
at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
at sun.tools.jar.Main.extractFile(Main.java:824)
at sun.tools.jar.Main.extract(Main.java:762)
at sun.tools.jar.Main.run(Main.java:210)
at sun.tools.jar.Main.main(Main.java:1022)
jonny@LittleBlackWebs:~/Desktop$

Error message then pops up:
Could not unpack Juniper Network Connect!

So is there a problem with my install of Java. Assuming this I uninstalled what I had for Java and ran the command on your site for installing the Java stuff.

I then re-ran the script just as I did in the above output, and again I get the same as what the above output shows. Error message about unpacking the Juniper NC.

I have a ".juniper_*" folder with what appears to be the appropriate files in it. I'm just not sure what else to try.

Thanks

[UPDATE]
I ran "updatedb" and "locate vpn" to look for a ".vpn.cfg" file and did not find one.

weekdaysailor
May 30th, 2008, 03:08 PM
I'm getting this one:

Connecting to xxxxxxx port 443
Generating Certificate .... done.
Exception in thread "AWT-EventQueue-0" java.lang.ExceptionInInitializerError
at NC$3.run(NC.java:1282)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:273)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:183)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:173)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:168)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:160)
at java.awt.EventDispatchThread.run(EventDispatchThread.java:121)
Caused by: java.lang.ArrayIndexOutOfBoundsException: 3
at JavaNC.<clinit>(NC.java:443)
... 9 more

I do get the login dialog (graphical), but get this after providing credentials.

I wonder if I need to undo some of the things "did" in the early part of this thread...(I did un-install jre5 and install jre6)

-WDS

madscientist
May 30th, 2008, 05:55 PM
java.io.FileNotFoundException: META-INF/MANIFEST.MF (Permission denied)
I have a ".juniper_*" folder with what appears to be the appropriate files in it. I'm just not sure what else to try.

[UPDATE]
I ran "updatedb" and "locate vpn" to look for a ".vpn.cfg" file and did not find one.

Based on the error message it appears to be a permissions problem. If you ran the script before as root then when the script unpacked the jar file all the resulting files are probably owned by root; they should be owned by you.

You might want to try deleting everything under ~/.juniper_networks EXCEPT ncLinuxApp.jar (you will probably have to be root again to do this), then re-run the script.

I forgot: you won't have a .vpn.cfg file yet; it doesn't get created until after you set up your username etc.

webs05
May 31st, 2008, 10:13 PM
Mad Scientist: Thanks so much again for your help and putting up with me :)

I still get the same thing, I run:

jonny@LittleBlackWebs:~/Desktop$ ./junipernc
jonny@LittleBlackWebs:~/Desktop$
And then,
Error message then pops up:
Could not unpack Juniper Network Connect!

I deleted everything but the JAR file, then followed the directions on your site from scratch. Nothing.

madscientist
June 2nd, 2008, 06:10 AM
I deleted everything but the JAR file, then followed the directions on your site from scratch. Nothing.

Hrm. Very odd. OK, please try again (deleting everything but the jar file). I've posted a newer version of my script on my website at http://mad-scientist.us/juniper.html so please get a new copy before running it. This version (a) checks for root and (b) tries to keep a log file for all commands it runs.

Hopefully when it fails it will tell you to look in a log file. Do that, and/or post it here (suitably anonymized). Also, please run:

ls -alR ~/.juniper_networks

so I can see what it unpacked (if anything).

harryman01
June 2nd, 2008, 09:22 PM
I got the same error

"Cannot unpack juniper network connect"

or if I try using the web interface, the Network Connect client reports that it cannot find the libraries


Could you please let me know what I can do to fix the issue?

Thanks

jgallen23
June 3rd, 2008, 05:24 AM
I'm getting the same error as well.

weekdaysailor
June 3rd, 2008, 06:21 AM
I uninstalled:


junipernc.sh -uninstall

then logged back into the SA and started the NC service again. This time I did _not_ provide root (whereas previously I had and got the java error posted earlier).

I get the "unpack" error now.

I uninstalled again to test the theory, this time I again provided the root pw in the dialog - and again getting the java error - but that's after the whole setup dialog has completed - so the last step b4 actually connecting.

Running heron. Also, just running ncsvc returns:

.juniper_networks/network_connect/ncsvc
.juniper_networks/network_connect/ncsvc: error while loading shared libraries: libstdc++-libc6.2-2.so.3: cannot open shared object file: No such file or directory

but that's a NOOB talking.

Hopefully this helps debug.

(thx to madscientist for all this work!)

madscientist
June 3rd, 2008, 08:33 AM
OK. First, I tried to change the script so that it keeps all output in a log file. When the script dies it checks the log file and if there's anything in it, it's supposed to say "see the contents of log file xxxx". Did anyone see that? If so, please provide the output from the log file.

If not, what are the contents of the ~/.juniper_networks directory. Do you have a ~/.juniper_networks/network_connect directory? If so, what's in it (please use "ls -al" so we can see the owner and permissions).

Regarding the "error while loading shared libraries"; that's because your version of Network Connect is an old build that was created with a very old version of the standard C++ runtime libraries. That old version is not available on the newest versions of Ubuntu any longer. There is a newer version of Network Connect that doesn't rely on these older libraries (that's what my VPN server uses); ideally you can convince your provider to upgrade.

If you can't do that, you can get a copy of an older C++ library you can install on Hardy. You can download it from http://mad-scientist.us/libstdc++2.10-glibc2.2_2.95.4-24_i386.deb then install it with the command "sudo dpkg --force-architecture -i libstdc++2.10-glibc2.2_2.95.4-24_i386.deb"

ejjp
June 3rd, 2008, 12:12 PM
hello Madscientist

I got the same error

"Cannot unpack juniper network connect"



usuario@pc:~$ ls -alR ~/.juniper_networks
/home/usuario/.juniper_networks:
total 1596
drwxr-xr-x 4 usuario usuario 64 2008-06-03 12:12 .
drwxr-xr-x 92 usuario usuario 237568 2008-06-03 12:16 ..
-rwxr-xr-x 1 usuario usuario 5961 2008-06-03 12:12 junipernc.sh
-rw-r--r-- 1 usuario usuario 1 2007-10-12 16:15 junipernc.sh~
-rwxr-xr-x 1 usuario usuario 1350501 2008-02-16 08:31 ncLinuxApp.jar
drwxr-xr-x 2 usuario usuario 56 2008-06-03 12:10 network_connect
drwxr-xr-x 3 usuario usuario 72 2008-06-03 12:09 tmp

/home/usuario/.juniper_networks/network_connect:
total 1808
drwxr-xr-x 2 usuario usuario 56 2008-06-03 12:10 .
drwxr-xr-x 4 usuario usuario 64 2008-06-03 12:12 ..
-rwxr--r-- 1 usuario usuario 716 2008-06-03 12:17 installNC.sh
-rwxr-xr-x 1 usuario usuario 1707120 2008-06-03 12:17 libncui.so
-rw-r--r-- 1 usuario usuario 0 2008-06-03 12:17 missing.info
-rwxr-xr-x 1 usuario usuario 74784 2008-06-03 12:17 ncdiag
-rwxr-xr-x 1 usuario usuario 45298 2008-06-03 12:17 NC.jar
-rw-r--r-- 1 usuario usuario 0 2008-06-03 12:10 ncui.log
-rwxr--r-- 1 usuario usuario 1479 2008-06-03 12:17 xlaunchNC.sh

/home/usuario/.juniper_networks/tmp:
total 3060
drwxr-xr-x 3 usuario usuario 72 2008-06-03 12:09 .
drwxr-xr-x 4 usuario usuario 64 2008-06-03 12:12 ..
-rwxr-xr-x 1 usuario usuario 770 2008-06-03 12:17 getx509certificate.sh
-rwxr-xr-x 1 usuario usuario 716 2008-06-03 12:17 installNC.sh
-rwxr-xr-x 1 usuario usuario 1707120 2008-06-03 12:17 libncui.so
drwxr-xr-x 2 usuario usuario 24 2008-06-03 12:09 META-INF
-rwxr-xr-x 1 usuario usuario 74784 2008-06-03 12:17 ncdiag
-rwxr-xr-x 1 usuario usuario 45298 2008-06-03 12:17 NC.jar
-rwxr-xr-x 1 usuario usuario 1270696 2008-06-03 12:17 ncsvc
-rw-r--r-- 1 usuario usuario 14 2008-06-03 12:17 version.txt
-rwxr-xr-x 1 usuario usuario 1479 2008-06-03 12:17 xlaunchNC.sh

/home/usuario/.juniper_networks/tmp/META-INF:
total 16
drwxr-xr-x 2 usuario usuario 24 2008-06-03 12:09 .
drwxr-xr-x 3 usuario usuario 72 2008-06-03 12:09 ..
-rw-r--r-- 1 usuario usuario 2957 2008-06-03 12:17 IMPORTED.RSA
-rw-r--r-- 1 usuario usuario 631 2008-06-03 12:17 IMPORTED.SF
-rw-r--r-- 1 usuario usuario 578 2008-06-03 12:17 MANIFEST.MF



and the error message in tmp:


Run as: /home/usuario/.juniper_networks/junipernc.sh
/home/usuario/.juniper_networks/junipernc.sh: 188: jar: not found

harryman01
June 3rd, 2008, 12:23 PM
I got similar directory structure, I also have the script output, that it shows


Reading /home/user/.vpn.cfg...
Run as: /usr/local/bin/junipernc.sh
/usr/local/bin/junipernc.sh: 188: jar: not found

Weird, as my jar file exists and is in the correct location according to the script

Thanks for your help

weekdaysailor
June 3rd, 2008, 04:00 PM
Seems like it's got to be permissions as the script runs fine (alas, old libs...) when I download the client and provide root login at the shell dialog that comes up. If not I get the same unpack error as everyone else.

-WDS

weekdaysailor
June 3rd, 2008, 04:28 PM
Success with Heron 8.04!!

Turns out I was hitting an old box - we have newer ones**, so tried one of them. Same symptoms as before wrt unpack error, etc. So I provided the root pw when prompted - and darned if it didn't just launch and work! (did not need to run madscientist's script..but have run it before, so this may be a dependency...)

[**elided text - we are running a not-yet-released IVEOS 6.2 on this new box - perhaps 6.1 would work as well if you provide root pw]

virtualscoop
June 3rd, 2008, 05:05 PM
I got the same error

"Cannot unpack juniper network connect"


Thanks

The unpack error went away with "chmod u+x ncsvc".

In the script, there is this line:

(cd "$_ncpath" && jar xf "$_jarfile" && [ -x "$_svc" ]) >> "$_errlog" 2>&1 \
|| die "Could not unpack Juniper Network Connect!"

Well, the -x was failing due to the ncsvc file in my case being not executable.

Still, with that I get the IVE error:

20080602221611.127751 ncui[9551] dsclient.info <-- 302 https://***/url_default/welcome.cgi?p=failed (authenticate.cpp:168)
20080602221611.127865 ncui[9551] dsclient.info state: kStateError (dsclient.cpp:358)
20080602221611.128164 ncui[9551] ncapp.error Failed to connect/authenticate with IVE. Error 104 (ncapp.cpp:174)

The output of the first time run of madscientists script:

irfan@leibniz:~$ ./junipernc
Connecting to sslvpn.vmware.com port 443
Generating Certificate .... done.
Searching for ncsvc in current working directory
Searching for ncsvc in /home/irfan/.juniper_networks/network_connect done.
ncapp> Failed to connect/authenticate with IVE. Error 104
ncapp> Incorrect credentials. Please check the username/password/realm.

Anyone know how to get around the IVE error? I'm completely stuck.

harryman01
June 3rd, 2008, 05:17 PM
Success with Heron 8.04!!

Turns out I was hitting an old box - we have newer ones**, so tried one of them. Same symptoms as before wrt unpack error, etc. So I provided the root pw when prompted - and darned if it didn't just launch and work! (did not need to run madscientist's script..but have run it before, so this may be a dependency...)

[**elided text - we are running a not-yet-released IVEOS 6.2 on this new box - perhaps 6.1 would work as well if you provide root pw]

Well done, but I still got the same issue as our box is still old. How can I make this work?


Thanks

harryman01
June 4th, 2008, 10:25 AM
Solved!!

What happened to me was the libssl.so.0 library; what I did was
sudo ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0

Then I'm able to use the NC Java client as I change the root password; however, an rpm message is presented to me, and I fixed it by doing a

sudo ln -s /bin/true /usr/bin/rpm

Thanks to everyone

K0LO
June 4th, 2008, 09:31 PM
How to get this working on Kubuntu Hardy (8.04):

Thanks to madscientist and the others who contributed, I was finally able to get Juniper Network Connect to work with the KDE-based Kubuntu. Here is what I did:

1. Follow the instructions on http://mad-scientist.com/juniper.html
2. Download the latest version of the script from the above site
3. Make the following edit to the script:
change: _sudo=gksudo
to: _sudo=kdesudo
4. Install the package zenity (not installed in Kubuntu by default)
5. Continue with the instructions referenced in step 2
6. After the installer has run and populated ~/.juniper_networks, change the permissions on the ncsvc file:
chmod u+x ncsvc
7. Run the script and answer all of the questions.

Madscientist, perhaps step 6 can be put in your script -- this has tripped up a few posters here, and me too. Thanks to virtualscoop (post #164) for this fix, which was key for getting the script to run successfully for me.

madscientist
June 4th, 2008, 09:47 PM
Thanks for the debugging. I guess older versions of the jar file didn't set the ncsvc application to be executable by default. In retrospect it's stupid of me to require it, since I do go and change the permissions directly afterwards anyway!

I'll fix this tonight. I'll also try to add some help for Kubuntu users.

K0LO
June 5th, 2008, 02:26 AM
Following up on post #167:

After a successful install on my laptop running Kubuntu 8.04 I went home and tried this on my server running Kubuntu 6.06. I made sure that I had updated to sun Java version 6 and that all of the other required packages were installed. One difference - I replaced _sudo=gksudo with _sudo=kdesu in the script (kdesudo was not used in Kubuntu 6.06; it was kdesu back then).

Using the same approach as before, I ran the mad-scientist script. The script runs, I get prompted for the root password, it is accepted, then nothing further happens and I have to ctrl-c to stop the script execution. Here is the content of the log file from /tmp/junipernc.xxxx after running the script:
java.io.FileNotFoundException: ncsvc (Permission denied)
at java.io.FileOutputStream.open(Native Method)
at java.io.FileOutputStream.<init>(FileOutputStream.java:179)
at java.io.FileOutputStream.<init>(FileOutputStream.java:131)
at sun.tools.jar.Main.extractFile(Main.java:824)
at sun.tools.jar.Main.extract(Main.java:762)
at sun.tools.jar.Main.run(Main.java:210)
at sun.tools.jar.Main.main(Main.java:1022)
I have tried chmod +x ncsvc to make the file executable for everyone but that doesn't help.

Contents of ~/juniper_networks/network_connect:
mark@server:~/.juniper_networks/network_connect$ ls -al
total 2803
drwxr-xr-x 3 mark mark 400 2008-06-04 20:51 .
drwxr-xr-x 4 mark mark 136 2008-06-04 20:49 ..
-rw-r--r-- 1 mark mark 770 2008-05-06 21:47 getx509certificate.sh
-rwxr--r-- 1 mark mark 716 2008-05-06 21:47 installNC.sh
-rw-r--r-- 1 mark mark 1560752 2008-05-06 21:47 libncui.so
drwxr-xr-x 2 mark mark 144 2008-05-06 21:47 META-INF
-rw-r--r-- 1 mark mark 0 2008-06-04 20:49 missing.info
-rwxr--r-- 1 mark mark 74784 2008-05-06 21:47 ncdiag
-rw-r--r-- 1 mark mark 45299 2008-05-06 21:47 NC.jar
-rwxr-xr-x 1 mark mark 1150856 2008-05-06 21:47 ncsvc
-rw-r--r-- 1 mark mark 132 2008-06-04 20:49 ncuijava.log
-rw-r--r-- 1 mark mark 701 2008-06-04 20:49 ncui.log
-rw-r--r-- 1 mark mark 14 2008-05-06 21:47 version.txt
-rwxr--r-- 1 mark mark 1479 2008-05-06 21:47 xlaunchNC.sh
mark@server:~/.juniper_networks/network_connect$ juniperVersion info:
cat version.txt
Version: 1.2

Any suggestions?

madscientist
June 5th, 2008, 02:45 AM
You can't just replace kdesudo with kdesu. They are NOT the same thing. This is the reason why you get the "hang", and why things don't work afterwards.

I just uploaded a newer copy of my script with a test for gksudo, and if not then kdesudo, and if not then plain sudo. This means the first time you run the script you MUST run it from a shell prompt. This is only needed for the very first run though.

It also checks for zenity and fails if it's not found, and it just checks for the file ncsvc, not if it's executable, which should fix some other issues seen here.

Please download this version and see if it works any better. If you don't have gksudo or kdesudo, you'll be asked for your password in the CLI (via plain sudo).

K0LO
June 5th, 2008, 03:44 AM
madscientist:

Now that's impressive! The new script worked perfectly right off the bat. :KS

I also learned something - I expected sudo to run in the terminal on the first run of the script but instead got a graphical gksudo box. Upon later searching my disk I found /usr/bin/gksudo was present. I didn't know that this was part of a default Kubuntu install because I never tried to run it. So I probably misled us both by starting off modifying your script. I should have just run it first as-is. I guess I outsmarted myself again.

Thank you for your effort on this project. Our sysadmins at work are just in the process of removing their 6-yr old Cisco VPN concentrators and replacing them with the Juniper SSL VPN. I asked them to enable split tunneling on the main Windows profile, which they did. They have left it disabled on the Wireless profiles, however, which is fine with me. This same profile also works on Linux and gives split tunnel operation. Since this box is my home network server, I didn't want it to go invisible on the LAN every time that I'm using the work VPN.

I really appreciate your script - the client authenticates and connects via the script in less than 3 seconds and is so simple to operate without going through a web browser interface. Many thanks!

madscientist
June 5th, 2008, 05:42 AM
Excellent! Good to know. Hopefully some others who have been having issues can get this working now.

The only missing item is some relief for those who are using older versions of Juniper NC, that are linked with the older libstdc++ libraries that are no longer available in Hardy. I have copies of those but I'm not sure how best to distribute them.

Cheers!

osx424242
June 5th, 2008, 09:20 AM
ncapp> Failed to connect/authenticate with IVE. Error 104
ncapp> Incorrect credentials. Please check the username/password/realm.

Anyone know how to get around the IVE error? I'm completely stuck.

Not the best instructions, but I managed to connect after getting that error. I went back to the webpage I'm supposed to use to connect, logged in (username + RSA key password) there, and when the terminal window popped up and asked for the root password I closed that window. Then the Network Connect window opened and I was connected (yes I verified it by connecting to an internal computer).

So... give that a shot. My guess is that the junipernc script by The Wonderful and Amazing madscientist got nearly everything configured, and then the web interface added the final piece to the puzzle. Tomorrow I'll ask on our internal forums if anyone knows if our Realm is something other than RSA.

Oh, also: when I ran junipernc and entered 123456 for my password, I got the same error. So my problem might be anything in the username/password realm that is getting translated by the web interface.

osx424242
June 5th, 2008, 09:31 AM
The only missing item is some relief for those who are using older versions of Juniper NC, that are linked with the older libstdc++ libraries that are no longer available in Hardy. I have copies of those but I'm not sure how best to distribute them.

After skimming this thread, I thought the older libstdc++ libraries were only needed for version 1.0, not 1.2? Yet I apparently have 1.2, but I had to install those libraries to get things to work.

Thanks for making them available :)

I'd recommend sticking a link to them with instructions for installing them on your juniper.html page, probably in the Troubleshooting section. Also, a link in the Troubleshooting section to this thread would be useful for people (not me) who find your page from some other source (and, if you had a lot of extra time, even a table with error messages in one column and the individual post that showed the solution in the other column ;)).


$ pwd
/home/osx424242/.juniper_networks/network_connect
$ ls -al
total 976
drwxr-xr-x 3 osx424242 osx424242 4096 2008-06-05 01:10 .
drwxr-xr-x 4 osx424242 osx424242 4096 2008-06-05 01:10 ..
-rw-r--r-- 1 osx424242 osx424242 770 2008-02-15 08:30 getx509certificate.sh
-rw-r--r-- 1 osx424242 osx424242 1173 2008-06-05 01:10 installnc.log
-rwxr--r-- 1 osx424242 osx424242 716 2008-06-05 01:10 installNC.sh
-rw-r--r-- 1 osx424242 osx424242 493680 2008-06-05 01:10 libncui.so
drwxr-xr-x 2 osx424242 osx424242 4096 2008-02-15 08:30 META-INF
-rw-r--r-- 1 osx424242 osx424242 0 2008-06-05 01:10 missing.info
-rw-r--r-- 1 osx424242 osx424242 30 2008-06-05 01:10 missing.rpt
-rwxr--r-- 1 osx424242 osx424242 24888 2008-06-05 01:10 ncdiag
-rw-r--r-- 1 osx424242 osx424242 4256 2008-06-05 00:30 ncdiag.log
-rw-r--r-- 1 osx424242 osx424242 45475 2008-06-05 01:10 NC.jar
-rws--s--x 1 root root 332044 2008-02-15 08:30 ncsvc
-rw-r--r-- 1 osx424242 osx424242 61 2008-06-05 01:10 ncsvc.log
-rw-r--r-- 1 osx424242 osx424242 3637 2008-06-05 01:13 ncuijava.log
-rw-r--r-- 1 osx424242 osx424242 26058 2008-06-05 01:13 ncui.log
-rw-r--r-- 1 osx424242 osx424242 14 2008-02-15 08:30 version.txt
-rwxr--r-- 1 osx424242 osx424242 1632 2008-06-05 01:10 xlaunchNC.sh
$ ./ncsvc --version
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 5.5-0-Build12781
Build Date/time : Feb 15 2008 16:15:25
Copyright 2002-2006 Juniper Networks
$

madscientist
June 5th, 2008, 01:14 PM
I certainly don't pretend to understand how Juniper does their versioning--it seems pretty complex. However, the "main" version number (1.0, 1.2) apparently relates to different functionality, while the "Release Version" apparently relates to different builds of the same version. On my system I have this output:
~$ ./.juniper_networks/network_connect/ncsvc -v
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 6.0-0-Build12023
Build Date/time : Aug 9 2007 21:15:09
Copyright 2002-2007 Juniper Networks
This version does not need special versions of libstdc++. In fact, using ldd shows that no libstdc++ is needed at all:
~$ sudo ldd ./.juniper_networks/network_connect/ncsvc
linux-gate.so.1 => (0xb7f64000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f49000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7f34000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f1b000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7ef6000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7da7000)
/lib/ld-linux.so.2 (0xb7f65000)
So, maybe in these newer builds they're linking libstdc++ statically.

Of course, the odd things about this are that even though my "Release Version" is newer than yours (6.0 to 5.5), my "BuildXXXX" number is lower than yours. Also my Build Date is before yours; I think that must be something to do with when your VPN server was set up or something. But on the other hand, your copyright date is 2006 while mine is 2007.

It seems pretty clear that you need at least Version 1.2, Release Version 6.0-*, in order to avoid the shared library problem.

Can you run the above ldd command and let me know what you get? Maybe I can get my script to detect this issue and give some advice.

osx424242
June 6th, 2008, 06:21 AM
Here you go, hope it's useful:

$ sudo ldd ~/.juniper_networks/network_connect/ncsvc
linux-gate.so.1 => (0xb7f57000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f3a000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7f25000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f0c000)
libstdc++-libc6.2-2.so.3 => /usr/lib/libstdc++-libc6.2-2.so.3 (0xb7ec4000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7e9f000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d50000)
/lib/ld-linux.so.2 (0xb7f58000)
$
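
Added example (not part of any post in this thread, and not taken from madscientist's junipernc script): one way a wrapper script could detect the shared-library situation discussed above by classifying ldd output for ncsvc. The function names are made up for this sketch; the first two samples are the ldd outputs posted above, the third is constructed.

```shell
#!/bin/sh
# Added example: classify `ldd` output for ncsvc. Function names are
# hypothetical; nothing here comes from the junipernc script itself.

# Reads ldd output on stdin and prints one verdict line:
#   ok                       no shared libstdc++ needed, nothing unresolved
#   legacy <soname> <path>   dynamically linked against libstdc++, resolved
#   missing <soname>...      libraries the loader reports as "not found"
classify_ldd() {
    awk '
        # "libfoo.so.N => not found": the loader could not resolve it
        $2 == "=>" && $3 == "not" && $4 == "found" { missing = missing " " $1; next }
        # a resolved shared libstdc++ (index avoids escaping "+" in a regex)
        index($1, "libstdc++") == 1 && $2 == "=>" { legacy = $1 " " $3 }
        END {
            if (missing != "")     print "missing" missing
            else if (legacy != "") print "legacy " legacy
            else                   print "ok"
        }'
}

# ldd output posted above for Release Version 6.0-0-Build12023
sample_ldd_6_0() {
    cat <<'EOF'
    linux-gate.so.1 => (0xb7f64000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f49000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7f34000)
    libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f1b000)
    libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7ef6000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7da7000)
    /lib/ld-linux.so.2 (0xb7f65000)
EOF
}

# ldd output posted above for Release Version 5.5-0-Build12781
sample_ldd_5_5() {
    cat <<'EOF'
    linux-gate.so.1 => (0xb7f57000)
    libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f3a000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7f25000)
    libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f0c000)
    libstdc++-libc6.2-2.so.3 => /usr/lib/libstdc++-libc6.2-2.so.3 (0xb7ec4000)
    libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7e9f000)
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d50000)
    /lib/ld-linux.so.2 (0xb7f58000)
EOF
}

# Constructed sample: the 5.5 build on a system without the old library
sample_ldd_missing() {
    cat <<'EOF'
    linux-gate.so.1 => (0xb7f57000)
    libz.so.1 => /usr/lib/libz.so.1 (0xb7f25000)
    libstdc++-libc6.2-2.so.3 => not found
    libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d50000)
    /lib/ld-linux.so.2 (0xb7f58000)
EOF
}

# Run the check against an installed ncsvc and print advice.
# The installed binary is setuid root and not readable by the user
# (-rws--s--x root root in the listings above), hence the sudo fallback.
check_ncsvc() {
    ncsvc=${1:-$HOME/.juniper_networks/network_connect/ncsvc}
    [ -f "$ncsvc" ] || { echo "ncsvc not found at $ncsvc" >&2; return 2; }
    if [ -r "$ncsvc" ]; then out=$(ldd "$ncsvc"); else out=$(sudo ldd "$ncsvc"); fi
    verdict=$(printf '%s\n' "$out" | classify_ldd)
    case $verdict in
        ok)       echo "ncsvc does not need a shared libstdc++" ;;
        legacy*)  echo "ncsvc is linked against ${verdict#legacy }; keep that library installed" ;;
        missing*) echo "loader cannot find:${verdict#missing}; install it or get a newer ncsvc build"
                  return 1 ;;
    esac
}

# Only touch the real binary when a path is given on the command line.
if [ $# -gt 0 ]; then check_ncsvc "$1"; fi
```

ldd asks the dynamic loader to resolve the binary, so run it only on a binary you already trust; `readelf -d` lists the NEEDED entries without doing that, but does not show whether they resolve.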

K0LO
June 9th, 2008, 04:28 AM
madscientist:

What a difference a few days make. Recall my comment that the network guys are in the process of bringing up the Juniper SSL VPN, so things are still changing. After having success with your script (see posts 167, 169, and 171) the network guys have now added Juniper's Host Checker to the SSL VPN. This intrusive little app downloads to your PC and runs each time you attempt to connect to the VPN. It checks the operating system in use, the browser name/version, whether you are running antivirus software and which brand, and whether your antivirus definitions are up-to-date. If your machine fails the criteria established by the network admins then it is not allowed to connect.

I am wondering if you have run into Juniper SSL VPNs with Host Checker before and if you can help getting it working with your script. Here's how far I've gotten to date. First I used your script to uninstall everything, then connected to the VPN site with Firefox and let it download everything again. Of course the Juniper installer fails just like before, so after logging out I ran your script. The script finished the installation just like before. However, now when I try to connect the Juniper Host Checker starts to run and, of course, fails, and probably for the same reasons that the main Network Connect script fails.

However, if I now go back to the VPN site with Firefox and click on "Network Connect" it all works. Host Checker runs, my machine passes the criteria, and a dialog box pops up for the Java installer, which concludes with the error message "Installation failed; Sorry". But the client connects and works fine anyway.

So I can connect successfully from a web browser but not from the script. When the script runs I get a Java popup with the message "Unable to connect to IVE" and everything halts. So I think that it can be made to work since it does work when run from Firefox.

Here are some details obtained from the console.

Juniper SSL VPN client troubleshooting
8 June 2008 MJW

Before updating client software:
=========================================================================
mark@marconi:~/.juniper_networks$ ls -al
total 1213
drwxr-xr-x 4 mark mark 1024 2008-06-04 15:05 .
drwxr-xr-x 49 mark mark 2048 2008-06-05 08:31 ..
-rw-r--r-- 1 mark mark 1230080 2008-05-07 00:47 ncLinuxApp.jar
drwxr-xr-x 3 mark mark 1024 2008-06-04 15:17 network_connect
drwxr-xr-x 3 mark mark 1024 2008-06-04 15:06 tmp

mark@marconi:~/.juniper_networks$ cd network_connect/
mark@marconi:~/.juniper_networks/network_connect$ ls -al
total 2981
drwxr-xr-x 3 mark mark 1024 2008-06-04 15:17 .
drwxr-xr-x 4 mark mark 1024 2008-06-04 15:05 ..
-rw-r--r-- 1 mark mark 770 2008-06-04 15:07 getx509certificate.sh
-rw-r--r-- 1 mark mark 380 2008-06-04 15:05 installnc.log
-rwxr--r-- 1 mark mark 716 2008-06-04 15:07 installNC.sh
-rw-r--r-- 1 mark mark 1560752 2008-06-04 15:07 libncui.so
drwxr-xr-x 2 mark mark 1024 2008-06-04 15:07 META-INF
-rw-r--r-- 1 mark mark 0 2008-06-04 15:05 missing.info
-rwxr--r-- 1 mark mark 74784 2008-06-04 15:07 ncdiag
-rw-r--r-- 1 mark mark 16136 2008-06-05 07:57 ncdiag.log
-rw-r--r-- 1 mark mark 45299 2008-06-04 15:07 NC.jar
-rws--s--x 1 root root 1150856 2008-06-04 15:07 ncsvc
-rw-r--r-- 1 root root 130218 2008-06-05 08:31 ncsvc.log
-rw-r--r-- 1 mark mark 3404 2008-06-08 21:56 ncuijava.log
-rw-r--r-- 1 mark mark 38200 2008-06-08 21:56 ncui.log
-rw-r--r-- 1 mark mark 14 2008-06-04 15:07 version.txt
-rwxr--r-- 1 mark mark 1479 2008-06-04 15:07 xlaunchNC.sh

mark@marconi:~/.juniper_networks/network_connect$ ./ncsvc -v
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 6.1-0-Build13103
Build Date/time : May 6 2008 21:34:46
Copyright 2001-2008 Juniper Networks
==========================================================================
==========================================================================
After uninstalling then downloading latest client software:

mark@marconi:~/.juniper_networks/network_connect$ ~/bin/junipernc.sh
Connecting to sslvpn.xxxx.xxx.xxx port xxx
Generating Certificate .... done.
Searching for ncsvc in current working directory done
ncapp> Failed to connect/authenticate with IVE. Error 10

mark@marconi:~/.juniper_networks$ ls -al
total 1455
drwxr-xr-x 4 mark mark 1024 2008-06-08 22:15 .
drwxr-xr-x 49 mark mark 2048 2008-06-08 22:18 ..
-rw-r--r-- 1 mark mark 50877 2008-06-08 22:16 dsHCLauncher_linux1.log
-rw-r--r-- 1 mark mark 14515 2008-06-08 22:16 HttpNAR_linux1.log
-rw-r--r-- 1 mark mark 6 2008-06-08 22:15 narport.txt
-rw-r--r-- 1 mark mark 1230080 2008-05-07 00:47 ncLinuxApp.jar
drwxr-xr-x 3 mark mark 1024 2008-06-08 22:17 network_connect
drwxr-xr-x 3 mark mark 1024 2008-06-08 22:16 tmp
-rw-r--r-- 1 mark mark 176148 2008-05-07 00:58 tncc.jar

mark@marconi:~/.juniper_networks$ cd network_connect/
mark@marconi:~/.juniper_networks/network_connect$ ls -al
total 2796
drwxr-xr-x 3 mark mark 1024 2008-06-08 22:17 .
drwxr-xr-x 4 mark mark 1024 2008-06-08 22:15 ..
-rw-r--r-- 1 mark mark 770 2008-06-08 22:17 getx509certificate.sh
-rw-r--r-- 1 mark mark 380 2008-06-08 22:16 installnc.log
-rwxr--r-- 1 mark mark 716 2008-06-08 22:17 installNC.sh
-rw-r--r-- 1 mark mark 1560752 2008-06-08 22:17 libncui.so
drwxr-xr-x 2 mark mark 1024 2008-06-08 22:17 META-INF
-rw-r--r-- 1 mark mark 0 2008-06-08 22:16 missing.info
-rwxr--r-- 1 mark mark 74784 2008-06-08 22:17 ncdiag
-rw-r--r-- 1 mark mark 45299 2008-06-08 22:17 NC.jar
-rws--s--x 1 root root 1150856 2008-06-08 22:17 ncsvc
-rw-r--r-- 1 mark mark 264 2008-06-08 22:18 ncuijava.log
-rw-r--r-- 1 mark mark 2936 2008-06-08 22:18 ncui.log
-rw-r--r-- 1 mark mark 14 2008-06-08 22:17 version.txt
-rwxr--r-- 1 mark mark 1479 2008-06-08 22:17 xlaunchNC.sh

Note that META-INF is moved here

mark@marconi:~/.juniper_networks/network_connect$ cd META-INF/
mark@marconi:~/.juniper_networks/network_connect/META-INF$ ls -al
total 7
drwxr-xr-x 2 mark mark 1024 2008-06-08 22:17 .
drwxr-xr-x 3 mark mark 1024 2008-06-08 22:17 ..
-rw-r--r-- 1 mark mark 2957 2008-06-08 22:17 IMPORTED.RSA
-rw-r--r-- 1 mark mark 631 2008-06-08 22:17 IMPORTED.SF
-rw-r--r-- 1 mark mark 578 2008-06-08 22:17 MANIFEST.MF

Note that the old location for META-INF is now empty:

mark@marconi:~/.juniper_networks/network_connect/META-INF$ cd ..
mark@marconi:~/.juniper_networks/network_connect$ cd ..
mark@marconi:~/.juniper_networks$ cd tmp
mark@marconi:~/.juniper_networks/tmp$ ls -l
total 1
drwxr-xr-x 2 mark mark 1024 2008-06-08 22:16 META-INF
mark@marconi:~/.juniper_networks/tmp$ cd META-INF/
mark@marconi:~/.juniper_networks/tmp/META-INF$ ls -l
total 0

Note that the ncsvc version is still the same:

mark@marconi:~/.juniper_networks/network_connect$ ./ncsvc -v
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 6.1-0-Build13103
Build Date/time : May 6 2008 21:34:46
Copyright 2001-2008 Juniper Networks

=================================================================================
Log contents:

mark@marconi:~/.juniper_networks/network_connect$ cat ncui.log
20080608221828.983448 ncui[5365] ncapp.info New ncapp log level set to 3 (nccommon.cpp:75)
20080608221828.983497 ncui[5365] ncapp.info Version : 1.2
Release Version : 6.1-0-Build13103
Build Date/Time : May 6 2008
Copyright 2001-2008 Juniper Networks
(ncapp.cpp:152)
20080608221829.124692 ncui[5365] dsclient.info state: kStateSignin (dsclient.cpp:233)
20080608221829.124805 ncui[5365] dsclient.info --> GET / (authenticate.cpp:136)
20080608221829.158901 ncui[5365] dsclient.info <-- 302 https://sslvpn.xxxx.xxx.xxx/dana-na/auth/url_default/welcome.cgi (authenticate.cpp:168)
20080608221829.158987 ncui[5365] dsclient.info state: kStateWelcome (dsclient.cpp:241)
20080608221829.159012 ncui[5365] dsclient.info --> GET /dana-na/auth/url_default/welcome.cgi (authenticate.cpp:136)
20080608221829.377957 ncui[5365] dsclient.info <-- 200 (authenticate.cpp:168)
20080608221829.378062 ncui[5365] dsclient.info state: kStateLogin (dsclient.cpp:273)
20080608221829.378096 ncui[5365] dsclient.info --> POST /dana-na/auth/url_default/login.cgi (authenticate.cpp:136)
20080608221829.591983 ncui[5365] dsclient.info <-- 302 https://sslvpn.xxxx.xxx.xxx/dana-na/auth/url_default/welcome.cgi?p=preauth&id=state_{16 byte hex ID removed}&signinRealmId=2 (authenticate.cpp:168)
20080608221829.592063 ncui[5365] dsclient.info state: kStatePostAuth (dsclient.cpp:313)
20080608221829.592103 ncui[5365] dsclient.info --> GET /dana-na/auth/url_default/welcome.cgi?p=preauth&id=state_{16 byte hex ID removed}&signinRealmId=2 (authenticate.cpp:136)
20080608221829.798500 ncui[5365] dsclient.info <-- 200 (authenticate.cpp:168)
20080608221829.798585 ncui[5365] dsclient.info state: kStatePostCacheCleaner (dsclient.cpp:329)
20080608221829.798608 ncui[5365] dsclient.info --> POST /dana-na/cc/ccupdate.cgi (authenticate.cpp:136)
20080608221829.971385 ncui[5365] dsclient.info <-- 200 (authenticate.cpp:168)
20080608221829.971456 ncui[5365] dsclient.error state post auth cache cleaner failed, error 10 (dsclient.cpp:331)
20080608221829.971555 ncui[5365] ncapp.error Failed to connect/authenticate with IVE. Error 10 (ncapp.cpp:174)
20080608221845.77453 ncui[5365] ncui.info Sending kill signal (SIGQUIT) to ncsvc... (ncapp.cpp:445)
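
Added example (not part of any post in this thread): a filter that pulls the first failure out of an ncui.log like the one posted above and reports the client state, the last request and the last response code, which shows whether the client got past kStateLogin before failing. The function names are made up for this sketch; the sample is a subset of the log lines above, and query strings are dropped from the output because they carry the session state ID.

```shell
#!/bin/sh
# Added example: locate the first error in an ncui.log.
# Function names are hypothetical; the log format is the one shown above:
#   <timestamp> <proc>[pid] <component>.<level> <message> (<source>:<line>)

# Reads ncui.log on stdin and prints either
#   <state>|<last request>|<last response code>|<error message>
# or "no-error" when the log contains no .error entry.
first_failure() {
    awk '
        # Lines without a leading timestamp continue a multi-line entry
        # (the version banner); skip them.
        $1 !~ /^[0-9]+\.[0-9]+$/ { next }
        {
            msg = $0
            sub(/^[^ ]+ +[^ ]+ +[^ ]+ +/, "", msg)       # timestamp, proc[pid], component.level
            sub(/ +\([A-Za-z0-9_.]+:[0-9]+\)$/, "", msg)  # trailing (source.cpp:line)
        }
        $3 ~ /\.info$/ && $4 == "state:" { state = $5; next }
        $3 ~ /\.info$/ && $4 == "-->" {
            path = $6
            sub(/\?.*/, "", path)                        # drop query string (state ID)
            req = $5 " " path
            next
        }
        $3 ~ /\.info$/ && $4 == "<--" { resp = $5; next }
        $3 ~ /\.error$/ && !found {
            found = 1
            print state "|" req "|" resp "|" msg
        }
        END { if (!found) print "no-error" }'
}

# Subset of the ncui.log posted above (hostname and state ID already
# redacted by the poster).
sample_ncui_log() {
    cat <<'EOF'
20080608221828.983497 ncui[5365] ncapp.info Version : 1.2
Release Version : 6.1-0-Build13103
(ncapp.cpp:152)
20080608221829.124692 ncui[5365] dsclient.info state: kStateSignin (dsclient.cpp:233)
20080608221829.124805 ncui[5365] dsclient.info --> GET / (authenticate.cpp:136)
20080608221829.378062 ncui[5365] dsclient.info state: kStateLogin (dsclient.cpp:273)
20080608221829.378096 ncui[5365] dsclient.info --> POST /dana-na/auth/url_default/login.cgi (authenticate.cpp:136)
20080608221829.591983 ncui[5365] dsclient.info <-- 302 https://sslvpn.xxxx.xxx.xxx/dana-na/auth/url_default/welcome.cgi?p=preauth&id=state_{16 byte hex ID removed}&signinRealmId=2 (authenticate.cpp:168)
20080608221829.592063 ncui[5365] dsclient.info state: kStatePostAuth (dsclient.cpp:313)
20080608221829.592103 ncui[5365] dsclient.info --> GET /dana-na/auth/url_default/welcome.cgi?p=preauth&id=state_{16 byte hex ID removed}&signinRealmId=2 (authenticate.cpp:136)
20080608221829.798500 ncui[5365] dsclient.info <-- 200 (authenticate.cpp:168)
20080608221829.798585 ncui[5365] dsclient.info state: kStatePostCacheCleaner (dsclient.cpp:329)
20080608221829.798608 ncui[5365] dsclient.info --> POST /dana-na/cc/ccupdate.cgi (authenticate.cpp:136)
20080608221829.971385 ncui[5365] dsclient.info <-- 200 (authenticate.cpp:168)
20080608221829.971456 ncui[5365] dsclient.error state post auth cache cleaner failed, error 10 (dsclient.cpp:331)
20080608221829.971555 ncui[5365] ncapp.error Failed to connect/authenticate with IVE. Error 10 (ncapp.cpp:174)
EOF
}

# Read a real log only when a path is given on the command line, e.g.
#   sh first_failure.sh ~/.juniper_networks/network_connect/ncui.log
if [ $# -gt 0 ]; then first_failure < "$1"; fi
```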

webs05
June 9th, 2008, 05:44 PM
New script works great! Thanks

I am using Xubuntu 8.04

madscientist
June 9th, 2008, 05:53 PM
Sorry, K0LO, I've never heard of this "Host Checker" thing before. Sounds very 1984 :(

I agree it probably may be possible to get it working, given that it works via your web browser. However, without the software myself I doubt I'd be able to do it. You would need to do something like trace the browser operation to see what commands it's running, etc.

And, if "Host Checker" wants to check the browser version, I suppose it's possible that it expects to be run from a browser. Maybe the "Host Checker" is written in JS or similar, rather than as a standalone program.

I just don't know.

K0LO
June 9th, 2008, 06:14 PM
madscientist:

It is very 1984. I tried logging on from Windows and was politely refused a connection because my antivirus definitions were 10 days old. I had to update before being allowed on the network.

On the other hand, I can see reasons for these policies. I'm at a major University with 80,000 students and 30,000 faculty and staff people on a geographically-diverse network spread across the state of Pennsylvania. If only a few people create problems on the network then policies like this end up being put in place.

Fortunately I am on good terms with the network admins. This Juniper Host Checker has no requirements to check for on Linux machines, so it does no good to run it. One of the admins is checking with Juniper to see if they can disable this for clients connecting from Linux PCs.

I will try further troubleshooting and will let you know if I can figure anything else out. Or, with luck, the admins will disable it!

madscientist
June 9th, 2008, 06:45 PM
I can understand it as well but that doesn't make it any less frustrating. I suppose if Juniper had any clue whatsoever when it comes to Linux support it wouldn't be such a big deal.

If you're on good terms with the admins, and you guys have significant purchasing power from Juniper (which it sounds like you do), maybe you can try to get your admins to file some bugs and/or put pressure on Juniper to make their system work better on Linux. What they have now is, frankly, an embarrassment (anyway, I'd be embarrassed if I worked there). They don't have to officially support Ubuntu (although if they're smart they will since it's been the #1 desktop distro for almost 2 years now), but they could take a few small steps that would greatly increase the portability of their product. I'd dearly love to replace my page with a link to the Juniper product page, like I did with Amazon's MP3 downloader when they finally got that ported to Linux.

weekdaysailor
June 12th, 2008, 02:43 AM
Host Checker can be administratively disabled. From Juniper's Knowledge Base:




Host Checker Policies contain rules for three OS's: Windows, MAC, and Linux.

To allow a MAC or Linux user to connect, a custom rule must be defined for each respective operating system.

If no rule is desired for users of another OS, you may configure a "dummy" rule for their OS. To configure a "dummy" rule:

1. Navigate to Endpoint Security > Host Checker, select your Host Checker policy
2. Then select "Custom: File:" in the Rule settings drop down box and choose "Add".
3. Assign a new Rule Name
4. Enter a File Name which will never be found on the guest operating system (for example, "/Not-Exist").
5. Finally, set the criteria for this file to "Deny".

Talk to your admin about deploying. This is from KB9048 (support login required)

Cheers,

-WDS

madscientist
June 12th, 2008, 04:45 AM
Hi all; I got a private message pointing out that the latest Juniper SSL VPN version, 6.2, was just released a couple of days ago, and it has official support for Ubuntu 7.10. I haven't tested this or even seen it in action so I can't say much about it, although a quick zoom through the docs seems to imply it's shipped as an RPM, that you are to use alien to install on Ubuntu *shrug*.

If you're interested in finding out more, I located a bunch of documentation here: http://www.juniper.net/techpubs/software/ive/6.x/6.2/

weekdaysailor
June 13th, 2008, 04:30 AM
That's the mysterious version I was running a few posts ago. I am running Hardy and just set a root password to enable the install. That seems to do it, but I have monkeyed with my system a bit with earlier attempts - YMMV

I did not do a package/rpm install, just clicked the button.

-WDS

krammer
June 13th, 2008, 03:41 PM
Hello madscientist,

Our Juniper does not have a hostname, it is just an IP address that I browse to. When putting in the IP address with the script, it says it cannot resolve the hostname and to try again.

I am able to connect fine with firefox, although I get the sudo/root issue where it asks me for my password and errors with the rpm, but it still connects.
Edit**fixed this issue by putting your updated files in place, no more su/root and rpm errors

Do you have any suggestions?

Here's my version info:



root@mybox:~/.juniper_networks/network_connect# ./ncsvc --version
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 5.5-0-Build11711
Build Date/time : Apr 10 2007 17:57:49
Copyright 2002-2006 Juniper Networks
root@mybox:~/.juniper_networks/network_connect# ldd ncsvc
linux-gate.so.1 => (0xffffe000)
libdl.so.2 => /lib/tls/i686/cmov/libdl.so.2 (0xb7f4c000)
libz.so.1 => /usr/lib/libz.so.1 (0xb7f38000)
libpthread.so.0 => /lib/tls/i686/cmov/libpthread.so.0 (0xb7f20000)
libstdc++-libc6.2-2.so.3 => /usr/lib/libstdc++-libc6.2-2.so.3 (0xb7ed8000)
libm.so.6 => /lib/tls/i686/cmov/libm.so.6 (0xb7eb1000)
libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7d70000)
/lib/ld-linux.so.2 (0xb7f63000)
root@mybox:~/.juniper_networks/network_connect#

rajkumarc2000
June 15th, 2008, 12:42 AM
hi,

i have the ubuntu version 8.04 on my laptop and i am trying to configure the juniper networks on my machine to enable me to connect to my company's network.

whenever i try to launch the network connect client from the page, i get an error message stating that Applet SecureNCLauncher not found, and my firefox just stops responding.

has anyone faced this problem before and fixed it?

let me know.

my system details
firefox 32 bit version
jre -1.6

thanks
rajkumar

gfa
June 17th, 2008, 06:09 AM
Find the directions here: http://mad-scientist.us/juniper.html

Let me know if you have problems!

Hi mad-scientist... thanks for that great script, unfortunately, I have a problem with my Juniper connection, I think because my company's server hasn't a valid certificate (every time I connect with Fx I get a warning about it).

If I run your script from CLI, get these warnings


$ ./junipernc
Searching for ncsvc in current working directory
Searching for ncsvc in /home/gfa/.juniper_networks/network_connect done.
ncapp> Failed to connect/authenticate with IVE. Error 2
ncapp> Please check the ive hostname/ip and the ive certificate.

In the Juniper GUI, I can see an error about "Failed to connect with IVE", after closing both windows (dialog and main juniper window), got a question about restarting the VPN connection.

From Fx I have no problem connecting to my VPN (just the shell asking for root password every time).

Is there any way to disable the certificate validation?

Any help would be appreciated.

Thanks
gFa

cds03900
June 18th, 2008, 03:04 PM
I have recently bought a Eee PC900 with Linux on it.
Being new to Linux I run into a lot of new things to learn.

One of the problems I had was connecting to my company network through Juniper VPN.

I googled a lot and the best route to follow looked to be the Mad Scientist script.

When I try to run the script I get the following error "Cannot resolve hostname $HOST".
I am 100% sure the host is correct and I can visit it through Firefox without a problem.

I tried in a terminal window to ping to the host and that didn't work.
Ping to update.eeepc.asus.com gives normal reaction.

Maybe this strange ping behavior has something to do with it?

Does anybody have some ideas what can be wrong?

madscientist
June 23rd, 2008, 11:57 PM
Hello madscientist,

Our Juniper does not have a hostname, it is just an IP address that I browse to. When putting in the IP address with the script, it says it cannot resolve the hostname and to try again.

Hi; thanks for the bug report. I uploaded a modified version of the script that won't try to resolve hostnames if you give an IP address. I hope :-). Give it a whirl.

madscientist
June 24th, 2008, 12:08 AM
whenever i try to launch the network connect client from the page, i get an error message stating that Applet SecureNCLauncher not found, and my firefox just stops responding.

Hm, I'm not sure. Have you tried getting the version of NC you have installed? Try running:
~/.juniper_networks/network_connect/ncsvc --version
What do you get?


Hi mad-scientist... thanks for that great script, unfortunately, I have a problem with my Juniper connection, I think because my company's server hasn't a valid certificate (every time I connect with Fx I get a warning about it).

Hrm. Well, my script doesn't use FireFox or even HTTP at all, so I don't think your company not having a valid SSL certificate for HTTPS (which is what I assume you mean by the above) will have any impact there. But, I really am not an expert on Juniper VPN so I suppose I could be wrong about that.


If I run your script from CLI, get these warnings


$ ./junipernc
Searching for ncsvc in current working directory
Searching for ncsvc in /home/gfa/.juniper_networks/network_connect done.
ncapp> Failed to connect/authenticate with IVE. Error 2
ncapp> Please check the ive hostname/ip and the ive certificate.

In the Juniper GUI, I can see an error about "Failed to connect with IVE", after closing both windows (dialog and main juniper window), got a question about restarting the VPN connection.

From Fx I have no problem connecting to my VPN (just the shell asking for root password every time).

Is there any way to disable the certificate validation?

I don't think so: that's a basic part of the VPN setup.

It might be worthwhile to try removing the entire ~/.juniper_networks directory, plus the ~/.vpn* files, and try reinstalling from scratch (or, if you're cautious, you can rename these files or move them somewhere else in case you need to move them back again). I had to do that when my company deployed a new version, because the old certificate didn't work anymore.

madscientist
June 24th, 2008, 12:57 AM
I have recently bought a Eee PC900 with Linux on it.
Being new to Linux I run into a lot of new things to learn.

One of the problems I had was connecting to my company network through Juniper VPN.

When I try to run the script I get the following error "Cannot resolve hostname $HOST".
I am 100% sure the host is correct and I can visit it through Firefox without a problem.

Does it really use the literal string "$HOST" in the message? Or does it use the hostname you entered as the server host?

I'm really not familiar with the distro of linux that comes on this system; it's not Ubuntu is it? If it really prints "$HOST" here, that means that the shell on this system is behaving oddly (unless you typed "$HOST" when it asked you for a hostname). You can remove the .vpn.cfg and .vpn.crt files in your home directory if you want to try starting over.

cds03900
June 24th, 2008, 05:18 AM
Does it really use the literal string "$HOST" in the message? Or does it use the hostname you entered as the server host?

I'm really not familiar with the distro of linux that comes on this system; it's not Ubuntu is it? If it really prints "$HOST" here, that means that the shell on this system is behaving oddly (unless you typed "$HOST" when it asked you for a hostname). You can remove the .vpn.cfg and .vpn.crt files in your home directory if you want to try starting over.

Yes it uses the term $HOST which I didn't enter when it asked me for a hostname.
You are correct, the distro it uses is not Ubuntu but Xandros.
Any suggestions?

elenctic
June 25th, 2008, 07:39 AM
I am using Ubuntu 8.04 and madscientist's script to connect to a vpn. It works for awhile (usually 30s or so) and then the connection dies. My ssh session freezes. Below is the packet sequence that I captured using Wireshark. Everything looks good until the TCP Retransmissions and the TCP CHECKSUM INCORRECT errors start around packet 7914. Could someone please look at this and give me some insight? I am really stumped. Thank you!

The Wireshark logs: (see attached screenshot, too)


No. Time Source Destination Protocol Info
7905 38.299327 192.168.74.16 172.20.49.156 TCP 33472 > ssh [ACK] Seq=5241 Ack=1600384 Win=171264 Len=0 TSV=15622614 TSER=4170538983
7906 38.301442 208.70.66.53 192.168.1.103 TLSv1 Application Data
7907 38.301491 172.20.49.156 192.168.74.16 SSHv2 Encrypted response packet len=208
7908 38.301507 192.168.74.16 172.20.49.156 TCP 33472 > ssh [ACK] Seq=5241 Ack=1600592 Win=171264 Len=0 TSV=15622615 TSER=4170538986
7909 38.305724 208.70.66.53 192.168.1.103 TLSv1 Application Data
7910 38.305772 192.168.1.103 208.70.66.53 TCP 53441 > https [ACK] Seq=64738 Ack=1772123 Win=694144 Len=0
7911 38.305822 172.20.49.156 192.168.74.16 SSHv2 Encrypted response packet len=288
7912 38.305845 192.168.74.16 172.20.49.156 TCP 33472 > ssh [ACK] Seq=5241 Ack=1600880 Win=171264 Len=0 TSV=15622616 TSER=4170538991
7913 38.390166 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7914 38.556029 192.168.1.103 208.70.66.53 TLSv1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data
7915 39.091052 192.168.1.103 208.70.66.53 TLSv1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data
7916 39.311862 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7917 39.579176 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [PSH, ACK] Seq=1080 Ack=10781 Win=49536 [TCP CHECKSUM INCORRECT] Len=20 TSV=15622935 TSER=15622435
7918 39.579292 127.0.0.1 127.0.0.1 TCP 4242 > 33405 [PSH, ACK] Seq=10781 Ack=1100 Win=33920 [TCP CHECKSUM INCORRECT] Len=186 TSV=15622935 TSER=15622935
7919 39.579322 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [ACK] Seq=1100 Ack=10967 Win=49536 Len=0 TSV=15622935 TSER=15622935
7920 40.164047 192.168.1.103 208.70.66.53 TLSv1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data
7921 40.336134 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7922 41.579175 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [PSH, ACK] Seq=1100 Ack=10967 Win=49536 [TCP CHECKSUM INCORRECT] Len=20 TSV=15623435 TSER=15622935
7923 41.579297 127.0.0.1 127.0.0.1 TCP 4242 > 33405 [PSH, ACK] Seq=10967 Ack=1120 Win=33920 [TCP CHECKSUM INCORRECT] Len=186 TSV=15623435 TSER=15623435
7924 41.579323 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [ACK] Seq=1120 Ack=11153 Win=49536 Len=0 TSV=15623435 TSER=15623435
7925 41.651754 192.168.1.103 72.14.223.19 TLSv1 Encrypted Alert
7926 41.651786 192.168.1.103 72.14.223.19 TCP 39213 > https [FIN, ACK] Seq=1375 Ack=13630 Win=37632 Len=0 TSV=15623453 TSER=2375551429
7927 41.652012 192.168.1.103 64.233.167.83 TLSv1 Encrypted Alert
7928 41.652030 192.168.1.103 64.233.167.83 TCP 53046 > https [FIN, ACK] Seq=2301 Ack=14385 Win=40448 Len=0 TSV=15623453 TSER=1775196206
7929 41.652190 192.168.1.103 209.85.133.136 TCP 43192 > http [FIN, ACK] Seq=1 Ack=1 Win=69 Len=0 TSV=15623453 TSER=2446663484
7930 41.769660 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7931 41.891032 192.168.1.103 209.85.133.136 TCP 43192 > http [FIN, ACK] Seq=1 Ack=1 Win=69 Len=0 TSV=15623513 TSER=2446663484
7932 41.915023 192.168.1.103 72.14.223.19 TLSv1 [TCP Retransmission] Encrypted Alert
7933 42.308053 192.168.1.103 208.70.66.53 TLSv1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data
7934 42.375116 192.168.1.103 209.85.133.136 TCP 43192 > http [FIN, ACK] Seq=1 Ack=1 Win=69 Len=0 TSV=15623633 TSER=2446663484
7935 42.443120 192.168.1.103 72.14.223.19 TLSv1 [TCP Retransmission] Encrypted Alert
7936 42.793741 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7937 43.331053 192.168.1.103 209.85.133.136 TCP 43192 > http [FIN, ACK] Seq=1 Ack=1 Win=69 Len=0 TSV=15623873 TSER=2446663484
7938 43.500368 192.168.1.103 72.14.223.19 TLSv1 [TCP Retransmission] Encrypted Alert
7939 43.579107 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [PSH, ACK] Seq=1120 Ack=11153 Win=49536 [TCP CHECKSUM INCORRECT] Len=20 TSV=15623935 TSER=15623435
7940 43.579185 127.0.0.1 127.0.0.1 TCP 4242 > 33405 [PSH, ACK] Seq=11153 Ack=1140 Win=33920 [TCP CHECKSUM INCORRECT] Len=186 TSV=15623935 TSER=15623935
7941 43.579201 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [ACK] Seq=1140 Ack=11339 Win=49536 Len=0 TSV=15623935 TSER=15623935
7942 43.715411 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7943 45.251051 192.168.1.103 209.85.133.136 TCP 43192 > http [FIN, ACK] Seq=1 Ack=1 Win=69 Len=0 TSV=15624353 TSER=2446663484
7944 45.353940 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7945 45.580189 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [PSH, ACK] Seq=1140 Ack=11339 Win=49536 [TCP CHECKSUM INCORRECT] Len=20 TSV=15624435 TSER=15623935
7946 45.580491 127.0.0.1 127.0.0.1 TCP 4242 > 33405 [PSH, ACK] Seq=11339 Ack=1160 Win=33920 [TCP CHECKSUM INCORRECT] Len=186 TSV=15624435 TSER=15624435
7947 45.580527 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [ACK] Seq=1160 Ack=11525 Win=49536 Len=0 TSV=15624435 TSER=15624435
7948 45.611054 192.168.1.103 72.14.223.19 TLSv1 [TCP Retransmission] Encrypted Alert
7949 46.378063 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7950 46.595129 192.168.1.103 208.70.66.53 TLSv1 [TCP Retransmission] Application Data, Application Data, Application Data, Application Data
7951 47.299602 Cisco-Li_19:e0:b6 ARP Who has 192.168.1.103? Tell 192.168.1.1
7952 47.580164 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [PSH, ACK] Seq=1160 Ack=11525 Win=49536 [TCP CHECKSUM INCORRECT] Len=20 TSV=15624935 TSER=15624435
7953 47.580283 127.0.0.1 127.0.0.1 TCP 4242 > 33405 [PSH, ACK] Seq=11525 Ack=1180 Win=33920 [TCP CHECKSUM INCORRECT] Len=640 TSV=15624935 TSER=15624935
7954 47.580318 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [PSH, ACK] Seq=1180 Ack=12165 Win=49536 [TCP CHECKSUM INCORRECT] Len=20 TSV=15624935 TSER=15624935
7955 47.580383 127.0.0.1 127.0.0.1 TCP 4242 > 33405 [PSH, ACK] Seq=12165 Ack=1200 Win=33920 [TCP CHECKSUM INCORRECT] Len=186 TSV=15624935 TSER=15624935
7956 47.619122 127.0.0.1 127.0.0.1 TCP 33405 > 4242 [ACK] Seq=1200 Ack=12351 Win=49536 Len=0 TSV=15624945 TSER=15624935

elenctic
June 26th, 2008, 08:30 PM
I finally found out the problem. Its fix was pretty simple. My home network had an IP address collision with the VPN's remote network, so I set my home network to use a new RFC 1918 private IP range. All packets that were supposed to go to my home router were being routed straight to a machine at the other end of the VPN. It took a while for the routing table to enable the routes that the VPN adds, so that might explain why the VPN worked for a few seconds then died. I'm puzzled why this problem just showed up after I upgraded to 8.04 from 7.10 though.
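
The address collision described in this post, as an added example that is not part of the original thread: a POSIX sh check of the routes a VPN adds against the home LAN. The function names and the three VPN routes are assumptions made for illustration; the LAN and gateway addresses are the ones visible in the capture above.

```shell
#!/bin/sh
# Added example: find VPN routes that collide with the home LAN.
# Every address is passed in by the caller; nothing is read from the live
# routing table, so the check runs offline.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    _old_ifs=$IFS
    IFS=.
    set -- $1            # split the address into its four octets
    IFS=$_old_ifs
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Succeed if address $1 lies inside CIDR block $2.
ip_in_cidr() {
    _net=${2%/*}
    _len=${2#*/}
    _mask=$(( (4294967295 << (32 - $_len)) & 4294967295 ))
    [ $(( $(ip_to_int "$1") & $_mask )) -eq $(( $(ip_to_int "$_net") & $_mask )) ]
}

# Succeed if two CIDR blocks share any address: compare both network
# addresses under the shorter (less specific) of the two prefixes.
cidr_overlap() {
    _len_a=${1#*/}
    _len_b=${2#*/}
    if [ "$_len_a" -le "$_len_b" ]; then _short=$_len_a; else _short=$_len_b; fi
    ip_in_cidr "${1%/*}" "${2%/*}/$_short"
}

# $1 = default gateway, $2 = LAN CIDR, remaining arguments = routes the VPN adds.
# Prints one finding per colliding route and returns 1 if there was any.
#   CAPTURE: the VPN route covers the gateway and is at least as specific as
#            the LAN route, so it can take the traffic meant for the router.
#   OVERLAP: the ranges share addresses; the more specific LAN route still
#            wins locally, so remote hosts in that range are unreachable.
check_vpn_routes() {
    _gw=$1
    _lan=$2
    shift 2
    _llen=${_lan#*/}
    _rc=0
    for _route in "$@"; do
        _rlen=${_route#*/}
        if ip_in_cidr "$_gw" "$_route" && [ "$_rlen" -ge "$_llen" ]; then
            echo "CAPTURE gateway $_gw falls under VPN route $_route"
            _rc=1
        elif cidr_overlap "$_lan" "$_route"; then
            echo "OVERLAP LAN $_lan shares addresses with VPN route $_route"
            _rc=1
        fi
    done
    return $_rc
}

# Constructed sample. LAN and gateway match the capture in the post
# (192.168.1.103 answering ARP requests from 192.168.1.1); the three VPN
# routes are assumptions, since the thread never lists what the VPN installed.
if ! check_vpn_routes 192.168.1.1 192.168.1.0/24 \
        172.20.0.0/16 192.168.1.0/24 192.168.0.0/16; then
    echo "Renumber the home LAN to an RFC 1918 range the VPN does not use."
fi
```

On a live system the route arguments would come from comparing `ip route` output before and after the tunnel comes up.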

madscientist
June 27th, 2008, 06:08 AM
Yes it uses the term $HOST which I didn't enter when it asked me for a hostname.
You are correct, the distro it uses is not Ubuntu but Xandros.
Any suggestions?

I really don't have any. I've looked at the script and it's bog-standard POSIX sh scripting as far as I can see. I can't figure out any way you'd be seeing that text, if your /bin/sh is a valid POSIX shell.

If you type "/bin/sh --version" what do you get?

Please also paste the output of "cat ~/.vpn.cfg" (feel free to anonymize it if necessary but please tell us which fields seemed to have correct data).

bornjcan
July 2nd, 2008, 04:37 AM
I am completely new to linux Ubuntu and am having the same problem as everyone else, it seems with the same error (ncsvc fails to install) and terminal can't connect to ip address.

The script by Mad Scientist seems to be the fix, however I don't seem to see either a link to the file or even a how to as to a fix.

Can someone please post an easily found solution?

I am quite willing to do the work, however sorting through 20+ pages of threads which may or may not relate to my situation only to then pull up a terminal window and ruin my machine will not make my day..

I mean seriously !!!

:lolflag:

madscientist
July 2nd, 2008, 05:19 AM
The script by Mad Scientist seems to be the fix, however I don't seem to see either a link to the file or even a how to as to a fix.

You can find my howto at http://mad-scientist.us/juniper.html

If you still have problems after that, tell us where things went wrong for you: what you typed, what happened, what messages you got, etc.

bornjcan
July 7th, 2008, 01:21 AM
I did all (I think correctly); at the end tho I get an invalid credentials msg after I input my password for vpn..
however the script loads and runs
I think it's my job's network


any help would be appreciated

madscientist
July 7th, 2008, 10:42 PM
bornjcan: unfortunately I'm only a NetworkConnect user and don't have any idea about the kinds of errors you can get; I don't know how the tool is administered and I don't have any documentation that might describe various error messages and what they mean.

Where do you see this message? Can you be sure to quote the message _exactly_ rather than paraphrasing it? Too often paraphrasing changes the meaning enough to make it impossible to determine the problem.

I'm assuming that you're able to log in via the web service and maybe even Windows, so you're sure that your SecurID fob is synced up, your PIN is right (do you use a PIN + SecurID code?), and your username is valid.

Beyond that the only thing I'm aware of that could be an issue is the realm setting. Did the folks managing your remote site tell you what to use for the realm value? If not, how did you determine it?

If that's all correct then I suggest you email your server admins and ask if they have any ideas.

newsrg
July 14th, 2008, 03:19 AM
Thanks madscientist. I followed your recommendations. Your script asks for Pin+SecurID and when I type my password I get this:

"Searching for ncsvc in current working directory
Searching for ncsvc in /home/fidelio/.juniper_networks/network_connect done.
gij: unrecognized option -- `-h'
Try `gij --help' for more information."

It looks like a Java issue. Any idea how to solve this?

NEWSRG

madscientist
July 14th, 2008, 03:30 AM
I don't think NC works well with the "free" gij Java implementation that comes with Ubuntu by default. You should install Sun's Java instead. Use Synaptic to search for sun-java6-jre and install it, or else from the command line use:

sudo aptitude install sun-java6-jre
(enter your password when asked). Hopefully when you do this it will become the default Java install. If you continue to get the same error, post and I'll tell you how to change the default using the "alternatives" feature of the system.

w.kazimierczak
July 15th, 2008, 01:03 AM
I am using Ubuntu 8.04 and madscientist's script to connect to a vpn. It works for awhile (usually 30s or so) and then the connection dies. My ssh session freezes.
[...]
I finally found out the problem. Its fix was pretty simple. My home network had an IP address collision with the VPN's remote network, so I set my home network to use a new RFC 1918 private IP range. All packets that were supposed to go to my home router were being routed straight to a machine at the other end of the VPN. It took a while for the routing table to enable the routes that the VPN adds, so that might explain why the VPN worked for a few seconds then died. I'm puzzled why this problem just showed up after I upgraded to 8.04 from 7.10 though.

I have a similar issue, but with a few differences and I can't find any solution:

VPN connection hangs after 20-40 seconds
same results when using madscientist script and normal (web) network connect access, but it works under Windows on the same machine
the problem appears only if I'm behind my home firewall (Asus wireless router, but I've observed it also once with another type of cheap wireless router)
my LAN is in RFC 1918 private range (I've tried two different ranges), but corporate network isn't (it's 166.30/8)
I couldn't find any interesting logs (neither system nor ncsvc.log) at the moment when the other side stops responding to pings
the problem appeared just after upgrading from 7.10 to 8.04


After 10-20 additional seconds there's only keep-alive restart in ncsvc.log:


ipsec.info Restarting keep-alives (engine.cpp:336)
ipsec.warn keep alive failed for ESP tunnel in:0x...
ipsec.warn Cleaning up sa 0x... (esp.cpp:58)
ipsec.info Switching to NCP mode (tunnel.cpp:552)


Any ideas?

newsrg
July 16th, 2008, 04:47 AM
Thanks madscientist. Unfortunately, I get the exact same message. Any further suggestion? Thanks.

w.kazimierczak
July 16th, 2008, 07:40 PM
I have a similar issue, but with a few differences and I can't find any solution:

VPN connection hangs after 20-40 seconds
...




I found the solution: I've downloaded again network connect components from VPN SSL page by pressing network connect button and typing root password when prompted by 'su'.

Baltazar72
July 17th, 2008, 11:30 AM
First Thank you madscientist for your big effort on this subject.
I had some trouble getting things to work.

After a fresh install of Ubuntu hardy :


sudo aptitude install sun-java6-plugin sun-java6-jdk sun-java6-jre

Installed libstdc++2.10-glibc2.2_2.95.4-22_i386.deb (due to this error from running madscientist's script):

Exception in thread "AWT-EventQueue-0" java.lang.ExceptionInInitializerError
at NC$3.run(NC.java:1282)


http://debian.mirror.inra.fr/debian/pool/main/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-27_i386.deb

So restarting, and running madscientist's script, tunnel closes immediately.

I did :
sudo passwd

And started network connect from my company's website, and HEY PRESTO .. working :) I'm a happy puppy.

What I cannot understand is why the script cannot start the tunnel.

I'm not an expert in linux, but doing "sudo passwd" what do I risk with that ?

The log from ncsvc when using junipernc is attached.

thank you for all effort:)

my version :
Juniper Network Connect Server for Linux.
Version : 1.2
Release Version : 5.5-0-Build11905
Build Date/time : Jun 22 2007 13:26:55
Copyright 2002-2006 Juniper Networks

gmcauley
August 1st, 2008, 04:06 AM
FOA, thanks madscientist for your contribution.

I was looking at the main loop in your script and wondering if this is possible:

I would like to mount a network share from a vpn after the connection is made (but obviously not before).

My scripting knowledge is small, but it seems you need to asynchronously call to connect, wait for a message of 'connected', and finally run the mount command.

Can anyone think of a way to do this with JNC?

(Sorry if this is slightly off topic)

b0red@werk
August 12th, 2008, 07:07 PM
I finally found out the problem. Its fix was pretty simple. My home network had an IP address collision with the VPN's remote network, so I set my home network to use a new RFC 1918 private IP range. All packets that were supposed to go to my home router were being routed straight to a machine at the other end of the VPN. It took a while for the routing table to enable the routes that the VPN adds, so that might explain why the VPN worked for a few seconds then died. I'm puzzled why this problem just showed up after I upgraded to 8.04 from 7.10 though.

I'm having the same problem too. I'm trying to understand your fix and I don't know if it'll work for me. My home ip is 10.100.x.x/28 and the vpn tunnel is 192.168.x.x/24. I don't know if I have to change my IP range at home. I do get the TCP retransmission from wireshark.

kasulstyls
August 19th, 2008, 01:28 AM
Thanks in advance Madscientist.

I am having the same issue as bornjcan on post #198.

When I log in via the website with my username and credentials it will start the Juniper service and connect fine. When I use your script (which is awesome) I receive invalid credentials. In your post #199, you mentioned that bornjcan may have used the wrong realm. Once the script info is entered how can you go back and change the realm settings?

Kas

madscientist
August 19th, 2008, 01:39 AM
once the script info is entered how can you go back and change the realm settings?

Unfortunately there's no handy GUI way to do this. Zenity only gets you so far :-?. To rerun the configuration, you should "rm ~/.vpn.cfg" from any terminal, then restart the script.

K0LO
August 19th, 2008, 01:42 AM
You can also just manually edit the ~/.vpn.cfg file to change the REALM value.

kasulstyls
August 19th, 2008, 03:25 AM
Thanks for the quick reply from you both.

I did the rm of the file and redid the script. I reused the default value of RSA as I do have an RSA fob. I still received invalid credentials, so I guess I will check and see if I am missing something on the REALM part at work tomorrow.

kas

kasulstyls
August 19th, 2008, 02:02 PM
I forgot to ask in previous post but what other realms are there?

K0LO
August 19th, 2008, 03:04 PM
That's a question that you need to ask your network admin. They can define any number of "realms" and give them any name. Here at work we have "Remote Access" and "Full Tunnel" realms defined; one does split tunneling and the other tunnels all traffic through the VPN. You need to know exactly what your admins have named the realm (hate that word; I think "profile" is a better choice of words).

fladnag
August 19th, 2008, 07:01 PM
I've tried everything but still get the invalid credentials error. Here's my environment:
1. Ubuntu Hardy Heron 8.04.1
2. OpenSSL 0.9.8g 19 Oct 2007

3. Juniper Network Connect Server for Linux.

Version : 1.2

Release Version : 6.0-0-Build12507

Build Date/time : Dec 27 2007 17:32:48

Copyright 2002-2007 Juniper Networks

4. java version "1.6.0_06"
Java(TM) SE Runtime Environment (build 1.6.0_06-b02)
Java HotSpot(TM) Client VM (build 10.0-b22, mixed mode, sharing)

ncapp> Failed to connect/authenticate with IVE. Error 104
ncapp> Incorrect credentials. Please check the username/password/realm.

The junipernc script works great but I always get the above error.

Any thoughts?

Problem has been resolved. The system admin had the wrong realm name.

fladnag
August 21st, 2008, 01:42 AM
Is there any way to log in to a server that has an invalid security certificate? We have a test server for a new fiber line that we haven't gotten the cert for yet but would like to access via Juniper using Ubuntu Hardy Heron 8.04.

Thanks in advance!

kasulstyls
August 21st, 2008, 01:49 PM
Thanks madscientist & K0LO! After getting the correct realm name, the script connects like a charm.

lauraannq
August 26th, 2008, 02:42 AM
:confused: to mad scientist and all those here i humbly beg your forgiveness...

i have read all 22 pages of this and honestly am "flummoxed"

here's the bottom line

i have an asus (yes i know is xandros but hope prevails), and need to log into a juniper ssl network...

what script do i run, what info do i need.,

please help, my little brain hurts after installing all this unix software (i'm usually an xp user but i hate microsoft) and on top of the ssl issue i still can't get the asus to connect to my xp machine (but xp filemanager connects to my asus...)

so for us slow... tired... weak... nubies (yes i know we are a pain ) can i get a recap?

do i just read http://mad-scientist.us/juniper.html and follow it.. are there fixes other than that?

again thank you "oh, great and knowledgeable ones" :lolflag:

laura-ann
http://biscuitq.blogspot.com

lauraannq
August 26th, 2008, 03:53 AM
I just installed your script found on that link (the sun failed as i don't have the right repositories set up)

but i have jre 6.

i am getting a tun error...

any ideas on how to fix the tun problem...

:confused::confused::confused::confused::confused:

my head hurts.... :(

thanks

madscientist
August 27th, 2008, 03:24 AM
Sorry lauraannq, but I'm having trouble following what you are trying to do and what the problems are. When describing what doesn't work, please be very explicit, and be sure to quote (verbatim, or just cut and paste if possible) all error messages. And, no need to apologize for being lost; we've all been there!

Asus is a company and they make a lot of different computer parts... do you mean you're using an Asus Eee PC?

What version of the Juniper Network Connect are you using (you can run
~/.juniper_networks/network_connect/ncsvc --version to get this info)?

It's fine to use JRE 6; that's what I use as well.

I don't know what "the sun failed as i don't have the right repositories set up" means... is "the sun" meant to be the Sun JRE package install? Does this mean you're NOT using those packages? The JRE is only used for the graphical connection monitor tool; you don't need it to use the VPN itself. Just run my script with the -nogui flag. You won't be able to tell much about the state of the connection but if that works then at least you know it's just a problem with Java.

What errors did you get regarding tun, and where did you see them? It's always just worked for me but maybe there are some extra packages you'd need to install on the Eee PC to get it working. I'm afraid I don't know much about those.

lauraannq
August 28th, 2008, 06:25 AM
okay this is solved!

my dh asked his juniper se and he got the fix.. it is SO simple

open a terminal window (ctl alt t)
login as root ==> su

type mkdir /dev/net
type mknod /dev/net/tun c 10 200

it will complain about the mod prob, but don't worry it is built into the kernel directory
version is 6.2

we tested and it worked!:KS
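
The device-node fix from this post, as an added example that is not part of the original thread: a POSIX sh check that inspects `/dev/net/tun` first and creates it only when it is absent. The function names are hypothetical, and GNU or BusyBox `stat` (for `-c`) is assumed.

```shell
#!/bin/sh
# Added example: check the TUN device node before creating it.

TUN_MAJOR=10    # character-device numbers used in the post above
TUN_MINOR=200

# Print the state of the node at $1 and return 0 only when it is usable:
#   ok | missing | not-a-char-device | wrong-numbers MAJOR,MINOR
tun_node_status() {
    if [ ! -e "$1" ]; then
        echo "missing"
        return 1
    fi
    if [ ! -c "$1" ]; then
        echo "not-a-char-device"
        return 1
    fi
    # stat prints device numbers in hexadecimal (%t = major, %T = minor).
    _maj=$(( 0x$(stat -c '%t' "$1") ))
    _min=$(( 0x$(stat -c '%T' "$1") ))
    if [ "$_maj" -ne "$TUN_MAJOR" ] || [ "$_min" -ne "$TUN_MINOR" ]; then
        echo "wrong-numbers $_maj,$_min"
        return 1
    fi
    echo "ok"
}

# Create the node only when it is missing (needs root). Anything already at
# the path with the wrong type or numbers is left for the admin to inspect
# rather than being overwritten.
ensure_tun_node() {
    _state=$(tun_node_status "$1") || true
    case $_state in
        ok)
            return 0 ;;
        missing)
            mkdir -p "$(dirname "$1")" &&
                mknod "$1" c "$TUN_MAJOR" "$TUN_MINOR" ;;
        *)
            echo "refusing to replace $1: $_state" >&2
            return 1 ;;
    esac
}

# Report only; call ensure_tun_node /dev/net/tun as root to apply the fix.
tun_node_status /dev/net/tun || true
```

A node that exists with the right numbers but still fails to open points at the kernel side (tun support not built in or not loaded) rather than at `/dev`.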

jasondrane
August 30th, 2008, 04:07 PM
Hello, I first want to thank mad scientist for his tutorial on Juniper. I think I have it installed correctly but I'm kind of a noob to ubuntu. Here is a copy of my error (with my vpn link removed of course). Any thoughts on this error would be appreciated.
Thanks in Advance

Jason

************************************error*********************************

Connecting to XXX.XXXXXXXX.com port 443
Generating Certificate .... done.
Exception in thread "AWT-EventQueue-0" java.lang.ExceptionInInitializerError
at NC$3.run(NC.java:1282)
at java.awt.event.InvocationEvent.dispatch(InvocationEvent.java:209)
at java.awt.EventQueue.dispatchEvent(EventQueue.java:597)
at java.awt.EventDispatchThread.pumpOneEventForFilters(EventDispatchThread.java:273)
at java.awt.EventDispatchThread.pumpEventsForFilter(EventDispatchThread.java:183)
at java.awt.EventDispatchThread.pumpEventsForHierarchy(EventDispatchThread.java:173)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:168)
at java.awt.EventDispatchThread.pumpEvents(EventDispatchThread.java:160)
at java.awt.EventDispatchThread.run(EventDispatchThre ad.java:121)
Caused by: java.lang.ArrayIndexOutOfBoundsException: 3
at JavaNC.<clinit>(NC.java:443)
... 9 more

joshtt
September 4th, 2008, 02:16 PM
Hi mad-scientist... thanks for that great script, unfortunately, I have a problem with my Juniper connection, I think because my company's server hasn't a valid certificate (every time I connect with Fx I get a warning about it).

If I run your script from CLI, get these warnings


$ ./junipernc
Searching for ncsvc in current working directory
Searching for ncsvc in /home/gfa/.juniper_networks/network_connect done.
ncapp> Failed to connect/authenticate with IVE. Error 2
ncapp> Please check the ive hostname/ip and the ive certificate.

In the Juniper GUI, I can see an error about "Failed to connect with IVE", after closing both windows (dialog and main juniper window), got a question about restarting the VPN connection.

From Fx I have no problem connecting to my VPN (just the shell asking for root password every time).

Is there any way to disable the certificate validation?

Any help would be appreciated.

Thanks
gFa

I'm having the exact same issue here in Ubuntu Feisty.
Is there really no solution yet?

mmartin
September 27th, 2008, 04:17 AM
I am trying to get this going on Hardy and have had no luck so far.

I am running into the issue below. Is it not finding the libncui.so file located in the active directory?

$ ./junipernc
Failed to load the ncui library.
Quitting.

I'm on 64bit Hardy

hugoprado
October 2nd, 2008, 04:01 PM
Hi all. Mad Scientist, thank you for your page and tutorials on the matter.
I've followed all the steps and now I am connecting successfully using Juniper 1.2.

The problem I'm facing now is every time I try to download or upload a file using scp, the connection stalls and becomes useless.

Something more or less as described in previous posts, but for network problems. My connection remains correctly for hours, always same problem: once I use scp (I even tried gftp and is the same) the connection is broken.

Have any of you experienced this problem? Can you use scp without problems?

I'm using ubuntu Hardy Heron 8.04 on a 32 bits DELL laptop.


Thanks.

madscientist
October 2nd, 2008, 05:07 PM
I am trying to get this going on Hardy and have had no luck so far.

$ ./junipernc
Failed to load the ncui library.
Quitting.

I'm on 64bit Hardy

I've never tried this on 64bit. Have you installed the 32bit compatibility packages?

madscientist
October 2nd, 2008, 05:40 PM
The problem I'm facing now is every time I try to download or upload a file using scp, the connection stalls and becomes useless.

Very odd. I've never had any problems using scp over the network link. Having it bring the link down is extremely strange: from a network protocol perspective it's just bytes; why those particular bytes should cause a problem I have no idea.

I wonder if there's some way that your server is trying to block scp?

If you do the copy with ssh, does it work then? Try something like:


tar cf - mydir | ssh remotehost tar -xBp -C /tmp -f -

and see if that works.

hugoprado
October 3rd, 2008, 10:42 PM
Hi mad scientist.
I've tried what you recommend, but the same results.
Apparently, my problem is unrelated to juniper.
Instead, it has to do with my wireless device and the drivers i have.

I have a Studio Laptop Dell - S1535. When i installed Hardy, it didn't detect wireless device, but on making an update, it worked fine. The problem is it installed the 'wl' driver, which is a restricted driver.

I'm reading this thread in case someone has the same problem

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/237894

I'm posting here again in case i solve the problem.

kasulstyls
October 31st, 2008, 08:27 PM
Hi,

Has anyone tried Juniper in 8.10? I followed instructions on madscientist's web page and successfully ran it in 8.04. I did a fresh install of 8.10 and the script is working fine and I do see the Network connect java connection start but I get a popup of " Cannot find required libraries." I ran the script in a terminal and see this

" Searching for ncsvc in current working directory
Searching for ncsvc in /home/marn/.juniper_networks/network_connect done.
ncapp> DSSSL_load_so failed "

which looks like same issues on the 64bit version in the previous posts, although I am running the 32bit version. Any help is greatly appreciated.

Kas

madscientist
October 31st, 2008, 09:21 PM
I haven't tried 8.10 and I'm not sure when I will. It turns out that my system at home (an older box) has an nVidia GeForce 5500 FX, which is considered obsolete by nVidia and not supported by their new 3D drivers. So, my choices are (a) get a new video card that has supported drivers, (b) fall back to 2D mode and use the free nv driver, or (c) stay with Hardy until or unless something changes somewhere.

I haven't decided what to choose yet :-(

alf.hogemark
November 1st, 2008, 07:49 AM
Hi

I am running 64 bit Ubuntu 8.10, and I got the same problem "loading ncui library".

I got it working by running
"sudo update-java-alternatives -s ia32-java-6-sun"

So I think the problem is that 64 bit java is not working for the juniper network connect, you need to use 32 bit java.

Anyway, thanks a lot for the script mad-scientist, I finally got vpn working with your script.

Regards
Alf

kasulstyls
November 1st, 2008, 03:11 PM
Ok got it. To resolve the DSSSL_load_so failed I ran the command on the first post by madscientist, sudo ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0, and now I connect fine.

I would also like to point out that when you first install, the java network connect window didn't popup. I looked through the posts and installed http://debian.mirror.inra.fr/debian/pool/main/g/gcc-2.95/libstdc++2.10-glibc2.2_2.95.4-27_i386.deb thanks to post #205 Baltazar72.


Thanks again Madscientist and thanks to all within this forum.

insanity213
November 6th, 2008, 06:42 PM
I was getting the following error when executing the junipernc script on Ubuntu 8.10...

Exception in thread "main" java.lang.UnsatisfiedLinkError: Can't load library: /usr/lib/jvm/java-6-openjdk/jre/lib/i386/xawt/libmawt.so
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1666)
at java.lang.Runtime.load0(Runtime.java:787)
at java.lang.System.load(System.java:1022)
at java.lang.ClassLoader$NativeLibrary.load(Native Method)
at java.lang.ClassLoader.loadLibrary0(ClassLoader.java:1767)
at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1684)
at java.lang.Runtime.loadLibrary0(Runtime.java:840)
at java.lang.System.loadLibrary(System.java:1047)
at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:67)
at sun.security.action.LoadLibraryAction.run(LoadLibraryAction.java:47)
at java.security.AccessController.doPrivileged(Native Method)
at java.awt.Toolkit.loadLibraries(Toolkit.java:1610)
at java.awt.Toolkit.<clinit>(Toolkit.java:1632)
at java.awt.Component.<clinit>(Component.java:568)
Could not find the main class: NC. Program will exit.

It seemed pretty obvious why - I didn't have an xawt directory under that path, but did have that file in another path. Did a quick ln -s as follows...

user@host:/usr/lib/jvm/java-6-openjdk/jre/lib/i386$ sudo mkdir xawt
user@host:/usr/lib/jvm/java-6-openjdk/jre/lib/i386$ cd xawt
user@host:/usr/lib/jvm/java-6-openjdk/jre/lib/i386/xawt$ sudo ln -s /usr/lib/jvm/java-6-openjdk/jre/lib/i386/headless/libmawt.so libmawt.so


Now I get a shiny new error... Have no idea how to fix this one. Perhaps I need to link more parts of JRE into the folder I created?
user@host:/$ junipernc
Xlib: extension "RANDR" missing on display ":0.0".
Exception in thread "main" java.lang.UnsatisfiedLinkError: java.awt.Component.initIDs()V
at java.awt.Component.initIDs(Native Method)
at java.awt.Component.<clinit>(Component.java:571)
Could not find the main class: NC. Program will exit.
Xlib: extension "RANDR" missing on display ":0.0".
Xlib: extension "RANDR" missing on display ":0.0".
user@host:/$

Many thanks for any help that can be offered...

insanity213
November 6th, 2008, 09:30 PM
Update - Fixed my own problem. I hope this can help someone else someday. I removed the symlink I created and ran the following command to get Java straightened out.

sudo update-java-alternatives -s java-6-sun

buellman
November 10th, 2008, 06:12 PM
Is this howto obsolete since network-manager has a "plugin" called network-management-vpnc?
"This package provides a VPN plugin for vpnc, providing easy access Cisco Concentrator based VPN's."
If yes: is there a way to figure out how to access the VPN-Server from my university (https://vpn.serv.uni-osnabrueck.de/dana-na/auth/url_default/welcome.cgi)?

Greets. Buellman

madscientist
November 10th, 2008, 06:22 PM
Is this howto obsolete since network-manager has a "plugin" called network-management-vpnc?
"This package provides a VPN plugin for vpnc, providing easy access Cisco Concentrator based VPN's."

Since this howto is for setting up Juniper Network Connect VPNs and the comment you quote is for setting up Cisco Concentrator VPNs, no, I don't think this howto is obsolete due to network-management-vpnc.

However, I don't know much about Cisco VPNs and I know even less about network-management-vpnc, so I can't say 100%.

buellman
November 10th, 2008, 06:29 PM
Ok :-)
I didn't know there was a difference :-)

Thanks. Buellman

jeremygude
November 11th, 2008, 04:43 PM
All,

For people who have upgraded to 8.10 and have lost a previously working client try epiphany (a browser). I was able to get MadScientist's scripts to work for FireFox, but if you want to just use a browser try that one.




sudo aptitude install epiphany-browser

There is a game called epiphany, so make sure you use epiphany-browser

then just call the browser and go to your VPN website.


epiphany


Jeremy

jnkvbk
November 12th, 2008, 12:24 PM
Who's got this working in 8.10? What client do you use, and what changes did you do it (if any)?

In Firefox I get to the point where it is supposed to install the client, and after that the browser just hangs and I have to kill it.

I am using ncui_1.2-2 and Java 1.6.0_10

jpborges
November 13th, 2008, 04:01 PM
Hi, I have Juniper Network Connect working on Ubuntu 8.10.

I upgraded from 8.04 and after the upgrade it was still working.

realflash
December 8th, 2008, 10:28 AM
I have this working in 8.10. It was working in 8.04 (no manual changes necessary), then I upgraded to 8.10 and it hung like yours.

I fixed it by rolling back from Sun JRE 6u10 to 6u7 (the previous version - there wasn't a u8 or u9 it seems).

I proved it worked by using apt to remove sun-java6-bin etc and then dpkg -i on the same packages from 8.04. However, that meant that every apt-get upgrade took the JRE back to 6u10. I think you can 'pin' certain packages so they don't get upgraded, but in the end I overrode FireFox's plugin. By default the plugins in /usr/lib/mozilla/plugins will get used, but $HOME/.mozilla/plugins also gets read. The /usr one seems to override the /home one, weirdly. So I:


Removed the package sun-java6-plugin
Downloaded 6u7 JRE from sun
Extracted it to a directory in my $HOME
linked jre/plugin/i386/ns7/libjavaplugin_oji.so in my $HOME/.mozilla/plugins


Next time you start FF, it will use the Java linked in your $HOME rather than /usr/lib. You can verify your Java version in use at http://www.javatester.org/version.html

Ian
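The per-user plugin override from the steps above, as an added shell example that is not part of the original post. The function name, the directory arguments and the `libjavaplugin*.so` pattern used to spot a system-wide copy are assumptions; the plugin path inside the JRE is the one given in the post.

```shell
#!/bin/sh
# Added example (not from the thread): link the browser plugin of a JRE
# unpacked under $HOME into the per-user Firefox plugin directory.
# Usage: link_user_java_plugin JRE_DIR [USER_PLUGIN_DIR] [SYSTEM_PLUGIN_DIR]
link_user_java_plugin() {
    jre_dir=$1
    user_dir=${2:-$HOME/.mozilla/plugins}
    sys_dir=${3:-/usr/lib/mozilla/plugins}
    # Plugin location inside the JRE, as given in the post (32-bit layout).
    plugin="$jre_dir/plugin/i386/ns7/libjavaplugin_oji.so"
    link="$user_dir/libjavaplugin_oji.so"

    if [ ! -f "$plugin" ]; then
        echo "no plugin found at $plugin" >&2
        return 1
    fi
    # The post reports that a system-wide plugin takes precedence over the
    # per-user one, so stop while any copy is still installed there.
    # Assumption: system-wide copies match libjavaplugin*.so.
    for f in "$sys_dir"/libjavaplugin*.so; do
        if [ -e "$f" ] || [ -L "$f" ]; then
            echo "system-wide plugin still present: $f" >&2
            return 2
        fi
    done
    mkdir -p "$user_dir" || return 3
    rm -f "$link"                      # drop a stale link to another JRE
    ln -s "$plugin" "$link" || return 3
    [ -f "$link" ] || return 3         # the link must resolve to a file
    echo "$link -> $plugin"
}

# Run directly: sh this-script.sh /path/to/unpacked/jre
if [ "$#" -gt 0 ]; then
    link_user_java_plugin "$@"
fi
```
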

elduderino23
December 18th, 2008, 05:35 AM
Outstanding work, mad scientist!

It seems I have one last hurdle. The login form through my browser has *two* password fields (one for the network pw, and one for an rsa-key), but the command-line client only accepts one (to my knowledge).
Does anyone know of a solution?

Thanks!!!

Darrena
December 22nd, 2008, 08:53 PM
An easier solution for people on 8.10 might be to remove Sun-java6 and install sun-java5 rather than try to find an old package of JRE6.7

If you need to use both you could install both and use update-alternatives to switch which one you want to use.

robhauge
December 29th, 2008, 06:56 PM
madscientist,

I followed the instructions on the first page and am getting partial success. Basically, I am still prompted for the su password. I'm running Feisty btw.

The error:

/home/username/.juniper_network/network_connect/installNC.sh: 9: cannot open such file
/home/username/.juniper_network/network_connect/installNC.sh: 9: 1: not found
Service needs to be reinstalled.

When I enter the root/su password, it connects fine. If I cancel this (CNTRL-D) and 'N' to try again, I still get connected.

I tried:

deleting ~/.juniper_networks
Start netconnect
Cancel password prompt
deleting ~/.juniper_networks/network_connect
cp -R ~/.juniper_networks/tmp to ~/.juniper_networks/network_connect/
extracted your installNC.sh and xlaunchNC.sh to the network_connect directory
chmod +x ~/.juniper_networks/network_connect/*.sh
Login to the juniper box and start netconnect
Still prompted for su password


I noticed that ~/.juniper_networks/network_connect/ncsvc was owned by root:root

I tried chown'ing it to myself and it still prompts for su password.

Do you (or anyone who has had my problem) know what I'm missing?

Regards and thanks for the post!




Hello. Does anyone have a solution for this issue?

Regards Robert.

gtg694t
December 30th, 2008, 03:26 AM
Note: I have had no luck getting Juniper Network Connect to work with Ubuntu 8.10 (AMD64).

However, I just installed Fedora 10 and it works practically out of the box.

- Installed xterm (sudo yum install xterm)
- Downloaded & installed the latest Java JRE from the Sun website
- Copied the Java plugin to the Firefox directory
- Logged into VPN via website
- Enter root password at xterm prompt
- Network Connect applet appeared and connected

Thanks,
Chris

ChuckV
January 1st, 2009, 04:43 AM
I want to give big thanks to mad scientist and every one else who posted on this thread. After a bit of trial and error and looking at what others have done I am successfully connecting to my company's VPN!

I did go back to sun Java 5, though I'm not sure that did anything. My main issues were libstdc++ (I downloaded the package libstdc++2.10-glibc2.2_2.95.4-27_i386.deb) and DSSSL_load_so failed (I did sudo ln -s libssl.so.0.9.8 /usr/lib/i686/cmov/libssl.so.0).

Woot!

MikeSubtle
January 7th, 2009, 08:42 AM
I just wanted to reply here to confirm that JRE 5 is required for Juniper Networks VPN SSL to install.
I'm not using Ubuntu, I happen to be trying to get it to work under virtualbox running Windows XP but I had the same problems. I installed Sun Java JRE 5 and deleted all the browser cache (Delete All in IE), logged into the VPN SSL via the browser and let it install everything. It finally worked.
Before installing Sun Java JRE 5 the error that I continued to get each time was simply 'You are not allowed to login. Please contact your administrator.'

flovo77
January 26th, 2009, 02:35 PM
No, for me this does not depend on Java 5.

I got it up running in Intrepid AMD64. I
- installed ia32-java-6-sun
- set JAVA6_32_HOME=/usr/lib/jvm/ia32-java-6-sun/bin
- in madscientist's junipernc.sh: replaced java="${JDK_HOME:+$JDK_HOME/bin/}java" with java="${JAVA6_32_HOME}/java"

tdelbecque
February 10th, 2009, 06:06 PM
Hello all,

I can get a connection with Connect Network; /etc/resolv.conf is OK, with the new DNS IPs set correctly; but it seems that the DNS is not reachable: in fact none of the IP addresses on the other side of the VPN are pingable (same for the DNS). There is no collision problem in the address domains. Has anyone already met such an issue? Thanks a lot.

mikhmv
February 20th, 2009, 06:51 PM
Hi,
I tried this script on Ubuntu 8.1 with x64.
Without changing Java to ia32-java it didn't run completely (from post #247).
After the changes it ran, but I received the message "Invalid Credentials".
Server, user name and password are correct.

Does anybody know how to fix it?
And does anybody know how to connect to the Pitt.edu VPN?

my .vpn.cfg:
HOST="****.pitt.edu"
USER="****"
CERT="/home/max/.vpn.crt"
REALM="RSA"

and when I connected from firefox was downloaded this file:
/home/max/.juniper_networks/network_connect/META-INF/IMPORTED.RSA
I don't know how to use it.

Thanks in advance

EdocI
February 26th, 2009, 03:48 AM
Hello All,

I saw just about every error that has been mentioned here.

I finally got my system working. I am running Ubuntu 8.04.

I was able to use MadSci. instructions & script in order to get the Network Connect app running, however, like others in this thread, I could not login because of the Host Checker. I found a very easy solve though.. Use Firefox 2! For some reason, FF 3 does not execute the app correctly.

Also, for those that are having issues with the Realm. I found the realm as a hidden html field in the web access VPN page. For my company, it is "Secure ID". After using the IP (since my DNS lookup didn't work), I was able to see the Host Checker block.

Good luck all!

..EdocI
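Finding the realm in a saved copy of the login page, as described in the post above; this is an added shell example, not code from the thread. The embedded page is constructed, and the field name `realm`, the function names and the lowercase `name=`/`value=` attribute spelling are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): list the hidden form fields of a
# saved VPN login page and pick out the realm for the command-line client.

# Constructed sample page; a real one is saved from the browser.
sample_login_page() {
    cat <<'EOF'
<form name="frmLogin" action="login.cgi" method="POST">
<input type="hidden" name="tz_offset" value="">
<input type="text" name="username">
<input type="password" name="password">
<INPUT type='hidden'
       name='realm' value='Secure ID'>
</form>
EOF
}

# hidden_fields FILE: print name=value for every <input type="hidden">.
# Values that themselves contain a quote character are not handled.
hidden_fields() {
    q="[\"']"      # either quote character
    nq="[^\"']*"   # run of non-quote characters
    tr '\n' ' ' < "$1" |                          # rejoin tags split over lines
    grep -o '<[iI][nN][pP][uU][tT][^>]*>' |       # one <input ...> tag per line
    grep -i "type=${q}hidden${q}" |
    while IFS= read -r tag; do
        name=$(printf '%s\n' "$tag" |
            sed -n "s/.*[[:space:]]name=${q}\(${nq}\)${q}.*/\1/p")
        value=$(printf '%s\n' "$tag" |
            sed -n "s/.*[[:space:]]value=${q}\(${nq}\)${q}.*/\1/p")
        if [ -n "$name" ]; then
            printf '%s=%s\n' "$name" "$value"
        fi
    done
}

# realm_from_page FILE [FIELD]: value of the hidden field named FIELD
# (default "realm", an assumption about the page's field name).
realm_from_page() {
    hidden_fields "$1" | sed -n "s/^${2:-realm}=//p" | head -n 1
}

# Run directly: sh this-script.sh saved-login-page.html
if [ "$#" -gt 0 ]; then
    hidden_fields "$1"
fi
```

The value printed for the realm field is what goes into the `REALM=` line of `.vpn.cfg`, spaces included.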