Why another step-by-step recipe? Well, none of the ones available worked for me on Linux Mint13 64bit, so here’s a quick rundown of what you need to do in order to connect to your juniper networks vpn gateway using Linux Mint / Ubuntu 64bit and your SecureID token (I cannot test any other methods).
Executive Summary / Abstract
For the impatient, here’s a list of the required steps:
- Ensure your browser has a working java plugin (I used firefox)
- download latest jnc software from your vpn gateway
- download the vpn gateway certificate & store it locally
- ensure the first “java” found in your PATH is a 32 bit version (installed from Oracle’s tar.gz-Archive, for instance)
- ensure /etc/resolv.conf exists, otherwise nsvc will segfault after making a connection
Need more info? Proceed at your own risk! 😉
Remove / rename any previous installation from your home directory, changing to your home directory first:
cd mv .juniper_networks backup_juniper_networks
Make sure you are using Firefox for the next step with the java plugin enabled and “xterm” installed on your system (ia32-libs are required so that your system can run 32bit binaries):
sudo apt-get install xterm ia32-libs
The Gritty Details
In firefox, type “about:plugins” in the browser bar and make sure the java plugin stuff comes up.
Fire up your browser and go to your regular VPN login page to log in, using your secureid and token like you would on Windows.
Download & install the juniper networks software as usual, allow the java executable to run. (an xterm will come up asking you for your password). At least this much seemed to work out of the box for me.
If everything goes well, you’ll find a new .juniper_networks directory in your home directory.
Change into that directory and install a 32bit JDK from java.sun.com. I used this one:
cd .juniper_networks wget http://download.oracle.com/otn-pub/java/jdk/7u17-b02/jdk-7u17-linux-i586.tar.gz
If wget doesn’t work, point your browser to java.sun.com and download the file manually, then move the tar archive to the .juniper_networks-Folder once the download is complete.
Extract the tar.gz file in your .juniper_networks directory:
tar xvzf jdk-7u17-linux-i586.tar.gz
Rename it to something like “java32” or thereabouts:
mv jdk-7u17-linux-i586 java32
Prepend the new jdk “bin” directory to your PATH:
Make sure you’re getting the right java:
which java $HOME/.juniper_networks/java32/bin/java
Now comes the really braindead part: Create a file /etc/resolv.conf, otherwise ncsvc will segfault after launch:
sudo emacs /etc/resolv.conf
Enter a std nameserver here, the important thing is that this file exists:
Save the file. On you std. dhcp / network managed Ubuntu, this file won’t exist where jnc expects it, so you have to create it manually. Nice…
Obtain your gateway’s SSL cert using the shell script provided in the “tmp” directory of your jnc installation:
cd ~/.juniper_networks/tmp chmod +x ./getx509certificate.sh ./getx509certificate.sh your.vpn.server.com ../network_connect/vpn.crt
Change to your network_connect directory and run the “ncsvc” Command like so:
./ncsvc -h your.server.com -r "Your Realm Name" -f vpn.crt -L 5 -u username -p xxxxYYYYYY
If you don’t know the realm, check the HTML source of your login page, it’s usually passed along to the cgi script using some form of “hidden” input tag. “xxxx” is your SecureID pin, with “YYYYYY” indicates the current token.
That’s it. Check the file ncsvc.log for any errors that might crop up. To track down the resolv.conf problem, I had to run “strace” on the command line above, dirty work but if it solves the problem…
All of this could be scripted up nicely (the PATH modification, the resolv.conf bits and so on), but wouldn’t it be easier if Juniper fixed their software? It’s quite hard to believe such a pile of crap should be let loose unto the world by such a renowned company, who knows what else lies waiting in this huge binary blob… sorry for the rant. 😉
Hope this helps some of you, feel free to comment if you run into problems.