The Juniper VPN only officially supports Redhat and can be difficult to get working on Ubuntu. There are a number of great articles that cover how to work around it. Unfortunatly, none of them address using the Host Checker. This post will outline a setup that works with the Host checker while also reducing the time spent logging in and creating a VPN connection.
First off, you’ll need Java. You’ll either need to use OpenJDK xor Sun Java, depending on which version of Ubuntu you are running. With either method you can point Firefox to Java Plugin Test to verify Java is working.
12.04 LTS Precise
With Precise and newer Juniper VPN the OpenJDK and icedtea works fine
sudo apt-get install icedtea6-plugin default-jdk
For other older versions Ubuntu or Juniper VPN you will need the sun-java packages, don’t install both OpenJDK and Sun Java. Due to licensing changes Sun Java is longer available in the Ubuntu repositories, so you will need to add them from elsewhere.
sudo add-apt-repository ppa:sun-java-community-team/sun-java6
Then edit /etc/apt/sources.list.d/sun-java-community-team-sun-java6-oneiric.list to point at maverick rather than your actual distribution. This allows you to pickup the older packages that are still available and works for oneric and hopefully natty. Now you can install with
sudo apt-get update
sudo apt-get install sun-java6-jre sun-java6-plugin sun-java6-fonts sun-java6-jdk
You should now be able to go to https://yourvpn.example.com and log in. If you get a you are not authorized error then you need to setup Host Checker. Depending on you IT department they may want root access to your machine in order to create some files that Host Checker will use to verify your system. Unless you can shout them down you’ll have to let them take the machine away and do their black magic. Once they return your machine and you can successfully login you can unravel their secrets by grok the ~/.juniper_network/dsHostChecker_linux.log file to figure out which files they created.
In future you can just copy these files onto a new machine rather than having to contact support again. Be sure to make a backup of them and their locations.
After logging in you should have a start Network Connect button, click it and it will create a xterm asking for either the root or sudo password, just close the window, as it has already downloaded the jar files you need. For the next step you will need some build tools. You can install them with
sudo apt-get install python-dev build-essential gcc-multilib lib32z-dev
Then you will extract files from ncLinuxAll.jar which should be in ~/.juniper_networks/network_connect/. Some versions leave it in ~/.juniper_networks so you may need to create the network_connect directory and copy the jar file into it.
jar xf ~/.juniper_networks/ncLinuxApp.jar
Next up, create an executable you can run from the command line, it also means you don’t have an extra window hanging around your desktop.
gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so
Now fix the ownership and permissions on various files, so they can mess with resolv.conf. If they can’t access /etc/resolv.conf they don’t work, so if it doesn’t exist you will need to create it.
sudo chown root:root ncsvc ncui
sudo chmod 06711 ncsvc
sudo chmod 4775 ncui
sudo touch /etc/resolv.conf
Finally, get your VPN systems’ SSL certificate
echo | openssl s_client -connect router.evertz.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | openssl x509 -outform der > ssl.crt
At this point you have everything you need to connect to the VPN but we’re going to add a little extra gravy to make it easier to use.
Create a new Toolbar bookmark in Firefox and set the location to
~/.juniper_networks/network_connect/ncui -h $HOST -f $CERT -p "" -c DSID=$DSID
With all that in place to create a VPN connection you
- Log in to http://yourvpn.example.com
- Click the DSID bookmark
- Copy the number following DSID=
- Run “vpn DSID”, by pasting the DSID
A huge thanks to Paul D. Smith for providing the initial setup instructions,mad-scientist.net, and support on the Ubuntu Forums. Juniper is finally starting to support Ubuntu but without his work we would have been without hope. If you don’t have Host Checker, you should try using his script. It makes things even easier.
Scott at makefile.com deserves a lot of credit for teasing the ncui command out for the jar files shipped by Juniper.
Finally, Joseph Henrich already pulled together much of this information in a post at ctctlabs. Hopefully, I’ve just filled in a few blanks for Host Checker.
Now you can get back to work.