Connecting to a Juniper VPN via the command-line in Debian

Intro:

You want to connect your Linux box running Debian to a Juniper VPN using the command-line only (you don’t want to run X on your machine, nor necessarily install Java to run the graphical client). It’s possible to do this with the ncsvc command-line client provided by Juniper.

Strangely, the command-line client is shipped inside a .jar file hosted on the VPN server itself. A .jar is just a zip archive, though, so you can download it and extract it.

You will also need to download the server’s certificate from the VPN gateway and convert it to DER format, which is the form ncsvc expects to be pointed at.

Note that there are other ways of doing this. I like the idea of using a SecurID token as a credential, but the process outlined below is only for username/password authentication.

Download the client:

If your Juniper VPN host is e.g. sslvpn.abc.com, from any web browser go to:

https://sslvpn.abc.com/dana-cached/nc/ncLinuxApp.jar

Download ncLinuxApp.jar and upload the file to your home directory on the Debian machine. Fetch it over HTTPS from your own gateway: the archive contains a binary you are about to install setuid root, so you want it to come from the gateway’s authenticated TLS connection rather than from a plain-HTTP copy or a mirror.

Install the client:

On your Debian machine (unzip comes from the unzip package if it isn’t already installed):

mkdir -p ~/.juniper_networks/network_connect/
unzip ncLinuxApp.jar -d ~/.juniper_networks/network_connect/
sudo chown root:root ~/.juniper_networks/network_connect/ncsvc
sudo chmod 6711 ~/.juniper_networks/network_connect/ncsvc
chmod 744 ~/.juniper_networks/network_connect/ncdiag

The chown and chmod 6711 make ncsvc setuid and setgid root. It needs that to bring up the tunnel interface and change the routing table, but it also means any bug in the binary runs as root on your machine, which is why it matters where the .jar came from.

The client is a 32-bit binary. If you’re running 64-bit Debian you also need the 32-bit compatibility libraries:

sudo apt-get install libc6-i386 lib32z1 lib32nss-mdns

Set up the certificate:

I had some problems with the next step:

sh getx509certificate.sh sslvpn.abc.com network_connect/sslvpn.abc.com.der

The exact error was:

Connecting to sslvpn.abc.com port 443
Generating Certificategetx509certificate.sh: 18: let: not found
getx509certificate.sh: 19: let: not found
error

The cause is that the script uses let, a bash builtin that Debian’s /bin/sh (dash) does not provide, so running it with bash instead of sh avoids the error. But it did create the two files out.txt and out1.txt, which are all that’s needed. Here’s what I did:

cp out.txt cert.txt

Edit cert.txt and remove everything except the certificate itself, keeping the “BEGIN CERTIFICATE” and “END CERTIFICATE” lines. In other words, your cert.txt file should look exactly like this:

-----BEGIN CERTIFICATE-----
[the base64-encoded certificate body]
-----END CERTIFICATE-----

Then:

openssl x509 -in cert.txt -outform der -out network_connect/sslvpn.abc.com.der
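As an added example (not part of the original post, and not Juniper’s tooling), here is the out.txt-to-DER step above done with sed and openssl instead of by hand, followed by a fingerprint check. It uses a constructed self-signed certificate for sslvpn.abc.com, wrapped in the sort of connection chatter getx509certificate.sh leaves in out.txt, so it runs offline; on a real box you would point extract_pem at the real out.txt (or at the output of openssl s_client -connect sslvpn.abc.com:443 </dev/null) and skip make_sample_out_txt. The directory and file names follow the post; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post: turn the out.txt left behind by
# getx509certificate.sh into the DER file ncsvc expects, and print a
# fingerprint to verify out of band. A constructed self-signed certificate
# stands in for the real sslvpn.abc.com certificate so this runs offline.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed input: a throwaway certificate plus the kind of s_client chatter
# that surrounds the PEM block in out.txt. Assumption: the real file looks
# similar; the only part relied on is the BEGIN/END CERTIFICATE block.
make_sample_out_txt() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=sslvpn.abc.com' \
        -keyout "$WORK/key.pem" -out "$WORK/server.pem" >/dev/null 2>&1
    {
        echo 'CONNECTED(00000003)'
        echo 'depth=0 CN = sslvpn.abc.com'
        cat "$WORK/server.pem"
        echo '---'
        echo 'Verify return code: 18 (self signed certificate)'
    } >"$WORK/out.txt"
}

# Keep only the first BEGIN/END CERTIFICATE block: the edit the post does by
# hand. $1 = out.txt, $2 = cert.txt
extract_pem() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | sed '/-----END CERTIFICATE-----/q' >"$2"
}

# PEM -> DER, the format ncsvc -f wants. $1 = cert.txt, $2 = host.der
pem_to_der() {
    openssl x509 -in "$1" -inform pem -outform der -out "$2"
}

# SHA-256 fingerprint of a DER certificate, as colon-separated hex.
der_fingerprint() {
    openssl x509 -in "$1" -inform der -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeeds only if the DER file is the same certificate as the PEM we started
# from, i.e. nothing was lost or mangled in the cut-and-paste step.
check_roundtrip() {
    pem_fp=$(openssl x509 -in "$1" -inform pem -noout -fingerprint -sha256 | cut -d= -f2)
    der_fp=$(der_fingerprint "$2")
    [ "$pem_fp" = "$der_fp" ]
}

make_sample_out_txt
extract_pem "$WORK/out.txt" "$WORK/cert.txt"
pem_to_der "$WORK/cert.txt" "$WORK/sslvpn.abc.com.der"
check_roundtrip "$WORK/server.pem" "$WORK/sslvpn.abc.com.der"
echo "DER written; SHA-256 fingerprint: $(der_fingerprint "$WORK/sslvpn.abc.com.der")"
```

The fingerprint is the part worth keeping. ncsvc trusts whatever -f points at, so the whole setup is only as good as that first download: compare the SHA-256 fingerprint printed here with one your VPN administrator gives you over some channel other than that same TLS connection before you start using the .der file.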

Connecting:

From ~/.juniper_networks/network_connect/ (where both ncsvc and the .der file now live), run:

./ncsvc -h sslvpn.abc.com -u username -f sslvpn.abc.com.der

The screen should say:

Connecting to sslvpn.abc.com : 443

If you run route -n (or ip route) you should see the routes pushed down by the Juniper VPN.

To Do:

Copy the ncsvc binary to /usr/local/bin, create a proper /etc directory for juniper_networks and store the .der certificate there, and copy /etc/init.d/skeleton to create your own custom startup script.

I actually did this and ran into one hitch: the ncsvc command does not return to the prompt when it is invoked. To get around this I had to create /usr/local/bin/ncsvc.wrapper, which runs the following:

#!/bin/sh
ncsvc "$@" &

I then call the wrapper from inside the init.d script in place of ncsvc.

Credit:

Pretty much all of this was taken from the first two sites below:

http://www.rz.uni-karlsruhe.de/~iwr91/juniper/
http://www.entropy.ch/blog/Mac+OS+X/2007/07/28/Juniper-Network-Connect-SSL-VPN-and-Virtualization.html

http://kb.juniper.net/InfoCenter/index?page=content&id=KB16188