


VPN on Ubuntu Linux with Juniper Network Connect

15 June, 2009 (16:13) | Linux, Networks | By: benjamin

There’s one standard document on HOWTO get Network Connect working on Ubuntu Linux. It’s mad scientist’s doc: http://mad-scientist.us/juniper.html . However, there are a few things not covered. I’ll assume that you’ve followed mad scientist’s excellent guide before going any further.

Issue #1: 64-bit Ubuntu

By default, when you install java on your 64-bit system, you get a 64-bit java. No surprise there, right? Well, Juniper’s tools don’t play nice with 64-bit java. If you attempt to start the junipernc script you’ll promptly see the “VPN has failed!” error message.

VPN has failed!

Also if you look closely in your Terminal you’ll see the text error:

Failed to load the ncui library.

This is the clue that we are dealing with the 64-bit issue.

The workaround for this is to install a 32-bit java on your system. Type the following into your Terminal:

sudo apt-get install ia32-sun-java6-bin

After typing your password, a 32-bit copy of java will be installed at: /usr/lib/jvm/ia32-java-6-sun .

Now, you need to convince Juniper Network Connect to use the 32-bit java. If you don’t use java for much besides your new VPN, you may just want to make the 32-bit java your default. This can be done by typing the following into your Terminal:

sudo update-alternatives --set java /usr/lib/jvm/ia32-java-6-sun/jre/bin/java

If you DO use java for other things and just want to tell the VPN to use the 32-bit java, modify the junipernc script by adding the following line right after the block of lines that start with “#”:

export JDK_HOME=/usr/lib/jvm/ia32-java-6-sun

Now, when you run junipernc, it will use 32-bit java and you should no longer have the failure due to ncui.
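To confirm which java a given path really provides before pointing junipernc at it, the following added example (not part of the original post or of the junipernc script) reads the ELF class byte of the java launcher and picks a 32-bit candidate for JDK_HOME. The function names and the choice of checking jre/bin/java and then bin/java are assumptions made for this example.

```python
import os

ELF_CLASSES = {1: "32-bit", 2: "64-bit"}  # EI_CLASS byte of the ELF header


def elf_class(path):
    """Return "32-bit" or "64-bit" for an ELF binary, else None."""
    try:
        # realpath follows the update-alternatives symlink chain.
        with open(os.path.realpath(path), "rb") as fh:
            ident = fh.read(5)
    except OSError:
        return None  # missing or unreadable
    if len(ident) < 5 or ident[:4] != b"\x7fELF":
        return None  # wrapper script or truncated file
    return ELF_CLASSES.get(ident[4])


def pick_jdk_home(candidates):
    """Return the first directory whose java launcher is a 32-bit ELF."""
    for home in candidates:
        # Assumption: the launcher sits at jre/bin/java or bin/java.
        for rel in ("jre/bin/java", "bin/java"):
            if elf_class(os.path.join(home, rel)) == "32-bit":
                return home
    return None


if __name__ == "__main__":
    # Paths that appear on this page; adjust to your system.
    homes = ["/usr/lib/jvm/java-6-sun-1.6.0.20",
             "/usr/lib/jvm/ia32-java-6-sun"]
    for h in homes:
        print(h, elf_class(os.path.join(h, "jre/bin/java")))
    print("JDK_HOME candidate:", pick_jdk_home(homes))
```

Running `elf_class("/usr/bin/java")` also shows what the system default resolves to after update-alternatives.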

Issue #2: Determining Your Realm

The scripting for Network Connect asks a few questions that may not make sense to a typical user. Even a networking savvy programmer may not be certain what values to use for the “Realm” or “PIN + SecureID Code”.

Finding your realm is fairly straightforward if you don’t mind diving into some HTML. Point your web browser to your company’s VPN website: https://vpn.mycompany.com or https://connect.mycompany.com . View the source of that page and look for a line like:

<input type="hidden" name="realm" value="REALMNAME">

The value of REALMNAME is what you’ll need to enter when prompted.  Your IT department may or may not know what this is if you ask them.
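Instead of reading the page source by eye, the saved login page can be parsed. This added example (not from the original post) goes beyond the hidden-input case above and also handles a drop-down named “realm”, the form readers report in the comments; the class and function names and the sample pages are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample pages; a real login page contains far more markup.
HIDDEN_PAGE = '<form><input type="hidden" name="realm" value="REALMNAME"></form>'
DROPDOWN_PAGE = ('<select size="1" name="realm">'
                 '<option value="realm1">First Realm</option>'
                 '<option value="realm2">Second Realm</option></select>')


class RealmFinder(HTMLParser):
    """Collect (submitted value, visible label) for fields named "realm"."""
    def __init__(self):
        super().__init__()
        self.realms = []          # list of (value, label) pairs
        self._in_select = False   # inside <select name="realm">
        self._current = None      # option being read: [value, label]

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "realm":
            self.realms.append((a.get("value") or "", ""))
        elif tag == "select":
            self._in_select = a.get("name") == "realm"
        elif tag == "option" and self._in_select:
            self._flush()
            self._current = [a.get("value"), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag in ("option", "select"):
            self._flush()
            self._in_select = self._in_select and tag != "select"

    def _flush(self):
        if self._current is not None:
            value, label = self._current[0], self._current[1].strip()
            # An <option> with no value attribute submits its label text.
            self.realms.append((label if value is None else value, label))
            self._current = None


def find_realms(html):
    finder = RealmFinder()
    finder.feed(html)
    finder.close()
    return finder.realms
```

The first element of each pair is what the form submits; the second is only the text shown in the drop-down, and the two can differ.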

If you don’t know your “PIN + SecureID Code”, it’s simply the password you type along with your username on the VPN website to gain access. As mad scientist says, some companies use “SecurID so [they] enter a personal PIN plus the value provided by the SecurID fob,” which explains why he coded that as the prompt for the password input.

If you need help, there’s a long running thread over at the ubuntu forums where this continues to be discussed a lot: http://ubuntuforums.org/showthread.php?t=232607 . I gathered my info from both mad scientist’s page above and the thread itself.

One further note, I’ve tested this on Ubuntu 9.04 64-bit as well as 8.10 32-bit. Hope this is helpful to all you who need Juniper VPN access on 64-bit Ubuntu Linux.

Comments

Pingback from Juniper VPN with 64-bit Ubuntu | Notes & Commentary
Time: June 16, 2009, 8:48 am

[...] Sherman just put up an awesome post about how to get Juniper VPN working on 64-bit Ubuntu. I’m working remotely for the next 3 ish weeks, so this has saved me. I had been using my [...]

Comment from nate
Time: June 17, 2009, 11:17 pm

Thanks, the 64 bit hint really helped. But one thing I can’t figure out – I get asked on the web for both a password and a securID code. All the combinations I’ve tried (PW+id, PWid, PW:id, idPW, …) fail. Any ideas? This has come up in the ubuntu forum too http://ubuntuforums.org/printthread.php?t=232607&pp=75&page=4

Comment from benjamin
Time: June 18, 2009, 8:39 am

Interesting… so, you get 3 prompts when you login on the web: username, password, and secureID code. Do you also get those same prompts if you use the OS X or Windows VPN client?

I’m curious because the underlying Linux program which actually sets up the VPN tunnel ( ncsrv ) only has one password argument, so it seems that some combination would have to work. Sadly I can’t provide more help as I can only test on my work VPN where we don’t have a separate field. Best of luck, and please post again if you figure it out. Also, I’m hoping to improve the “junipernc” shell script so that it has a more complete “nogui” mode if that would be of interest to you, though it wouldn’t help with your immediate problem.

Comment from nate
Time: June 18, 2009, 10:02 pm

Yeah, there are three prompts on the web or on the osx client, just like you said. And the lack of other options for the ncsrv script is really puzzling…

Comment from Josh Hardman
Time: July 11, 2009, 3:54 pm

Thanks for the info! I ended up getting mine to work without installing 32 bit java. Here’s my post on how to:

http://josh.blogdns.com/?p=206

Comment from benjamin
Time: July 11, 2009, 4:02 pm

Glad to be of help. You are correct, the 32-bit java is only required if you wish to use the GUI.

Comment from bhaskar
Time: July 17, 2009, 6:20 pm

A big big thank you!!! After hours of googling…..yours was the one post that solved it…..THANK YOU…..

Comment from benjamin
Time: July 21, 2009, 2:17 pm

Very glad I could be of help to you!

Comment from Sriraman
Time: July 23, 2009, 10:31 am

Thanks for your effort and time!

Comment from Austin
Time: September 6, 2009, 4:10 pm

Thank you so much Benjamin! Thanks to your post I finally have Juniper Network Connect working!

I thought I should add something I determined about Issue #2, the Realm. On my university’s VPN webpage, we have a dropdown list labeled “Home Folder Server.” It turns out that this is, in fact, the realm. Looking around on the internet, it looks like some folks see “Realm” or something different, but no matter the label, the item in the dropdown is probably your realm. Since it’s a dropdown, the html code doesn’t look like you have in your post, rather, it looks like:

First Realm
Second Realm

In this example there are two realms: realm1 and realm2.

Another tip I found is to launch the program with the command nohup:
nohup /home/austin/bin/junipernc
This lets you close the terminal window without killing the actual network connect program. I’ve actually made an entry in my application list that runs this command, so I don’t have any other windows besides the Java one.

Thanks again, and I hope this comment helps someone!

Comment from Austin
Time: September 6, 2009, 4:15 pm

Okay, it erased the HTML code I had for the dropdown example. Here it is again, with replaced by ). Hopefully it will post this time:

(select size=”1″ name=”realm”)
(option value=”realm1″)First Realm(/option)
(option value=”realm2″)Second Realm(/option)
(/select)

In this example there are two realms: realm1 and realm2.

Comment from Matt Park
Time: September 10, 2009, 4:41 pm

Benjamin,
I’m running Ubuntu 9.04 x64 as a Sun VirtualBox Guest under a Windows 7 Host. I can get Network Connect to work under Windows 7, but VirtualBox does not successfully pass the traffic through the VPN. I followed the instructions here and on the mad-scientist.us page and also read a lot on the ubuntu forums and I finally got the app to come up. However, I immediately get “unable to connect to IVE” and the connection never succeeds. Nothing is ever easy. I’ve got no clue what IVE is. Can you shed any light on the subject? I thought I saw the solution somewhere, but couldn’t find it when I actually got the error.

Comment from Yinon
Time: October 12, 2009, 1:15 pm

Matt, did you start it the first time by browsing to your company’s site by opera browser ? (has Java capabilities built-in) ?

Comment from Ashok
Time: December 19, 2009, 11:27 am

great … I got this to work with Karmic Koala 64 bit as well…. cheers
Ashok

Comment from DrDave
Time: March 9, 2010, 7:53 pm

I just had this problem of “unable to connect to IVE” pop up. The certificate changed on me so I had to reload it. There is a script in the juniper directory for getting the x500 certificate from your site. I had the cert file write protected so it wouldn’t update.

Comment from TN
Time: March 10, 2010, 9:46 am

Cannot find the realm value. I also have a dropdown on my login page. We have an entire portal, not just for Network Connect but access to individual apps as well.

(select size=”1″ onchange=”javascript:changeContent();” name=”realm” id=”realmTxt”)

(option value=”RSA SecurID-login (Description1)”)RSA SecurID-login (Network1)(/option)

(option value=”RSA SecurID-login (Description2)”)RSA SecurID-login (Network2)(/option)

(/select)
(/td)

(/tr)

So, I tried REALM=”RSA SecurID-login (Network1)” which is what I normally choose but I cannot connect with that as my realm.

20100310183807.662032 ncsvc[p7967.t7967] dsclient.error state login failed, error 104 (dsclient.cpp:290)
20100310183807.662315 ncsvc[p7967.t7967] ncapp.error Failed to authenticate with IVE. Error 104 (ncsvc.cpp:192)

(erased special characters that I cannot print in this comment box :) )

Comment from gosbeau
Time: July 8, 2010, 12:17 am

Hi all,
I use Ubuntu 10.4 (Lucid Lynx) 64 bits, with Firefox (Latest version).
I’ve followed all the steps above (Which are very clear ! Thanks).
However i still cannot connect.
I did:

1- sudo apt-get install ia32-sun-java6-bin
2- update-alternatives --set java /usr/lib/jvm/ia32-java-6-sun/jre/bin/java
3- export JDK_HOME=/usr/lib/jvm/ia32-java-6-sun (added in junipernc)
….. Now when I run junipernc from a console, I am prompted the server .. then the username …… and nothing else ! In the console, the junipernc command does not ends….. All I can do is CTRL+C.
At this step if I try to connect to my job’s vpn, using the browser…… I can see from the java debug console that it still tries to use the 64bits version of Java.
Here is the command:
/usr/lib/jvm/java-6-sun-1.6.0.20/jre/bin/java “-classpath” “/home/gosbeau/.juniper_networks/network_connect/NC.jar” “NC” “-h” “webportal.lloydstsb.ch” “-L” “0″ “-l” “0″ “-n” “” “-t” “” “-x”

I tried to remove anything, and repeated the procedure again (Even added with JDK_HOME=/usr/lib/jvm/ia32-java-6-sun as environment variable set in my .profile)…. but still the same.

Any idea would be really appreciated.

Regards,

Comment from Torspo
Time: September 1, 2010, 1:52 am

The server I’m connecting to requires me to log in with an empty password first, then I get an SMS to my phone which I enter to the second screen on the login page. I don’t know where this second password should be entered when connecting using ncsvc or junipernc.

Comment from CraigT
Time: December 8, 2010, 9:12 am

Same issue as DrDave above – “unable to connect to IVE”. I finally located the cert file. It is .vpn.default.crt in your home directory. Mine hadn’t been updated in almost a year. Deleted that file and ran the script again and a new cert file was created and no connection problem now.
FYI – the connection settings are stored in your home directory in a file called .vpn.default.cfg If you run the ‘junipernc -uninstall’ this file doesn’t get removed – at least on my system it didn’t. So when I ran the junipernc script again (to install everything), I didn’t get all the prompts I thought I should have (since this file was still there). I removed the file, then ran the script again and got all the prompts I expected.

Comment from psypher
Time: February 15, 2011, 1:15 pm

Try this. http://wireless.siu.edu/install-ubuntu-64.htm

Comment from Eccentric.Ash
Time: April 13, 2011, 4:38 pm

A relative noob to Linux, I have been trying to get Network Connect working on 32 bit Ubuntu 10.04 using Firefox 4.0 for the past week with no success. In the process I have read a lot of forums and tried a lot of things.

Here is what my problem was :
1) Login to my company VPN site successfully using username, password1(active directory) password2(RSA pin)
2) Click on the Network Connect “Start” button, the applet loading page comes up for a short time and then takes me back to the previous page without the NC popup.

I tried Mad Scientist’s script (http://mad-scientist.us/juniper.html), which almost got me connected, but authentication failed since our company uses two passwords (active directory and RSA pin). The script was only asking for RSA pin, and I got failure stating “Invalid Credentials”. But this did get the NC popup going.

I read on one of the posts that this issue may be caused by Firefox, so I installed Google Chrome and Voila! it worked perfectly. I see the NC connect popup and am able to access the company intranet on 32 bit Ubuntu without using any fixes.

Also during my reading, I came across this post(http://makefile.com/.plan/2009/10/27/juniper-vpn-64-bit-linux-an-unsolved-mystery) which details how to connect using 64 bit Linux and two passwords. I tried this on a different machine running 64 bit Ubuntu, and it works as well.

I hope this helps.

Comment from gerrys
Time: May 5, 2011, 9:09 pm

I have been working with this for years and never got the parameters right. I did this time. I had to go to the login screen and look at the FORM ACTION= URL and put that in the ncsvc lines in the juniperrc. This is something that should go in the config but I thought I’d share it since it worked!
mine looks something like this: “https://myvpnhost.us/dana-na/auth/url_5/login.cgi”
(anonymized…)
Thank you for all your work.

Comment from Mayank Rungta
Time: June 7, 2011, 2:56 pm

I ran into another issue being discussed on the ubuntu thread -

http://ubuntuforums.org/showthread.php?p=10913967#post10913967

$ junipernc
Searching for ncsvc in current working directory
Searching for ncsvc in /home/mayankr/.juniper_networks/network_connect done.
Password:
ncapp> Failed to connect/authenticate with IVE. Error 10

Any idea how I can get rid of this error. I am hoping this is the last hurdle to make it work on the 64 bit. I haven’t got it working on 32 bit either but there at least the browser works so no issues. I would love to move to 64 bit if this is fixed.

Thanks in advance,
Mayank

Comment from goliash
Time: August 10, 2011, 12:58 am

Unfortunately I have the same problem: ncapp> Failed to connect/authenticate with IVE. Error 10
I run on Kubuntu 11.04 64bit.

Comment from goliash
Time: August 10, 2011, 6:33 am

I will answer myself :-) Luckily I found a solution. One parameter has to be added to ncsvc. The description is here: http://kb.juniper.net/InfoCenter/index?page=content&id=KB15890 I modified the junipernc script and added this to the command: -U "https://$HOST/launcher"
