Entries Comments



Category: Networks

VPN on Ubuntu Linux with Juniper Network Connect

15 June, 2009 (16:13) | Linux, Networks | By: benjamin

There’s one standard document on HOWTO get Network Connect working on Ubuntu Linux. It’s mad scientist’s doc: http://mad-scientist.us/juniper.html . However, there are a few things not covered. I’ll assume that you’ve followed mad scientist’s excellent guide before going any further.

Issue #1: 64-bit Ubuntu

By default, when you install java on your 64-bit system, you get a 64-bit java. No surprise there, right? Well, Juniper’s tools don’t play nice with 64-bit java. If you attempt to start the junipernc script you’ll promptly see the “VPN has failed!” error message.

VPN has failed!

VPN has failed!

Also if you look closely in your Terminal you’ll see the text error:

Failed to load the ncui library.

This is the clue that we are dealing with the 64-bit issue.

The work around for this is to install a 32-bit java on your system. Type the following into your Terminal:

sudo apt-get install ia32-sun-java6-bin

After typing your password, a 32-bit copy of java will be installed at: /usr/lib/jvm/ia32-java-6-sun .

Now, you need to convince Juniper Network Connect to use the 32-bit java. If you don’t use java for much besides your new VPN, you may just want to make the 32-bit java your default. This can be done by typing the following into your Terminal:

update-alternatives --set java /usr/lib/jvm/ia32-java-6-sun/jre/bin/java

If you DO use java and just want to tell the VPN to use the 32-bit java, you should modify the junipernc by adding the following line right after the block of lines that start with “#”:

export JDK_HOME=/usr/lib/jvm/ia32-java-6-sun

Now, when you run junipernc, it will use 32-bit java and you should no longer have the failure due to ncui.

Issue #2: Determining Your Realm

The scripting for Network Connect asks a few questions that may not make sense to a typical user. Even a networking savvy programmer may not be certain what values to use for the “Realm” or “PIN + SecureID Code”.

Finding your realm is fairly straight forward if you don’t mind diving into some HTML. Point your web browser to your company’s VPN website: https://vpn.mycompany.com or https://connect.mycompany.com .   View the source of that page and look for a line like:

<input type="hidden" name="realm" value="REALMNAME">

The value of REALMNAME is what you’ll need to enter when prompted.  Your IT department may or may not know what this is if you ask them.

If you don’t know your “PIN + SecureID Code”, it’s simply the password you type along with your username on the VPN website to gain access. As mad scientist says, some companies use “SecurID so [they] enter a personal PIN plus the value provided by the SecurID fob,” which explains why he coded that as the prompt for the password input.

If you need help, there’s a long running thread over at the ubuntu forums where this continues to be discussed a lot: http://ubuntuforums.org/showthread.php?t=232607 . I gathered my info from both mad scientist’s page above and the thread itself.

One further note, I’ve tested this on Ubuntu 9.04 64-bit as well as 8.10 32-bit. Hope this is helpful to all you who need Juniper VPN access on 64-bit Ubuntu Linux.

Fight Back! (When VPN Clients Mis-Behave)

23 July, 2008 (12:20) | Mac, Networks | By: benjamin

I have to use VPNs at work. Specifically, to access my production webservers (etc), I have to use a Cisco VPN client. Sadly, the VPN concentrator overrides my choice of allowing local LAN access. So, when I am on the VPN, I have my DNS options changed so I can’t use any local servers. This is a serious, serious pain. So painful in fact, that many times instead of fight with it, I simply would run a Windows session in VMware (on my Mac) and connect the VPN there. This has drawbacks too, but it’s better than not having local network access.

So I set out to find a solution and I found a post by loudhush which described using the scutil to modify DNS network settings after connecting to a Cisco VPN. This was great, but I needed something a bit handier.

So, I cranked out the following which goes in my /Users/username/.profile:

# .profile or .bash_profile
function myvpn {
vpnclient connect VPNPROFILENAME user MYVPNUSERNAME
myworkdns
}
function myworkdns {
printf "get State:/Network/Service/com.cisco.VPN/DNS\nd.add ServerAddresses * 192.168.1.252, 192.168.1.198\nd.add SearchDomains * example.com, other.example.com\nset State:/Network/Service/com.cisco.VPN/DNS" | sudo scutil
}

These are bash functions which i run from the command line. (I also find the Client GUI Cisco to be a pain, and prefer command line)

So, obviously, you’ll need to substitute in your Cisco VPN profile name ( found in /etc/opt/cisco-vpnclient/Profiles), your VPN username, your DNS server IP addresses, and your DNS search domains to your legitimate values.

To use, run Terminal, then type myvpn. The VPN client will prompt you for your username and password. You’ll then have to hit CTRL+Z to suspend the VPN client so the script can run the DNS updates; this part uses sudo to run the command as root, so you will probably need to type your Mac password immediately after hitting CTRL+Z. If you didn’t want to bother with the command line VPN client, you could just use your GUI Cisco VPN client, then run myworkdns from Terminal, which will still probably prompt you for your Mac password.

Hope others find this useful. If I find a cleaner way, I’ll post that too.

Beating the Cisco VPN Client Error 51 On Leopard

22 July, 2008 (10:10) | Mac, Networks | By: benjamin

I had this error popup today on my Mac OS X Lepopard 10.5.4 machine.

Cisco VPN Client Error 51

This is not cool as, well, I NEED MY VPN TO WORK!

Thankfully google came to my rescue. The solution is to execute the following in Terminal:

sudo /System/Library/StartupItems/CiscoVPN/CiscoVPN restart

Thanks for the answer, VirtuallyShocking.com.

Investigating OpenID

27 May, 2008 (09:02) | Coding, Networks, Web | By: benjamin

Aaron (one of my co-workers), recently posted a link about OpenID. I’ve given OpenID only cursory glances over the last year, but the Coding Horror link in Aaron’s post had a comment to this Google Video where Simon Willison gives a Google Tech Talk on The Implications of OpenID. The video is nearly a year old, but to date, it’s done more to convince me to get on the OpenID bandwagon than anything else.

Advertising Linux Services via Avahi/Bonjour

27 January, 2008 (16:20) | Linux, Mac, Networks | By: benjamin

Update: most of this information is still correct but an update for combining service definitions into one file and setting an icon is available here: http://holyarmy.org/2008/11/bonjour-avahi-addendum

In my last post I outlined how I followed others’ directions to enable netatalk on Linux and Time Machine backups to a shared AFP folder. Originally, I also described how to put all your shares on netatalk. I suppose if only have Mac clients or you REALLY want to use AFP, you can do so. As I worked with files over AFP shares, I started noticing that the performance seemed to be quite bad. No, I didn’t benchmark, but copying large video files to a shared folder over my gigabit network was substantially slower over AFP (netatalk) than over CIFS/SMB (samba). I use my network shares pretty heavily, so this was a concern. Also, netatalk tries very hard to replicate an HFS filesystem complete with resource fork support. This means that your shared directories end up with lots of extra folders named “.AppleDouble”(and a few others) containing Mac specific info. (Note: even on CIFS you’ll get the “.AppleDB” folders unless you disable a setting in Finder. I can deal with .AppleDB better than .AppleDouble AND .AppleDB) So, because of these two issues I decided to try using CIFS and samba again.

Read more »

Time Machine backup to Linux via Netatalk

24 January, 2008 (01:26) | Linux, Mac, Networks | By: benjamin

So, when I got the upgrade from Tiger to Leopard on my MacBook Pro, I was looking for a good backup solution. I’ve used rsync in the past, but when I saw that Apple had a new Time Machine backup tool, I was curious to give it a shot. The catch is you basically needed an external USB or Firewire drive, until they recently came out with the Time Capsule. Anyway, tonight I got the itch to really see if I could make Time Machine work without buying extra hardware. I mean, seriously, I’ve got a good hunk of mirrored disk sitting on my home server; that seems like a good place to do backups.
Some googling found me this link to a blogger who’d done it!
I’ll make my own version of this post, since I had a few differences from the original I where I found the info.

Read more »

Network Directory Services

6 October, 2007 (15:00) | Networks | By: benjamin

Network directory services are core to Internet functionality. The Domain Name System (DNS) provides a global (and/or local) directory of hosts and services. Lightweight Directory Access Protocol (LDAP) servers can provide some of the same information as DNS (or be used to back DNS), but are more frequently used to create network user databases, store user group information, providing centralized account information and password storage.

I recently completed an upgrade of these two core services on a network I manage. We had been running outdated (but functional) BIND v8 and OpenLDAP v2.0 instances for of DNS and LDAP servers. Also, throw a Windows Server 2003 into the mix, which, as an Active Directory domain controller has to run its own DNS and LDAP (AD is tweaked LDAP) servers.

Read more »