22

The Windows users have a new client "Juniper Pulse" to connect to the Juniper VPN server.

On Linux, what VPN client do we have to connect to that Juniper VPN, with maximum compatibility?

Please mention the necessary parameters that have to be provided.

Déjà vu

7 Answers

21

And my favorite method (no java applet required):

Presumably:

-

REALM=$(wget -q --no-check-certificate -O - 'https://some.site.com/dana-na/auth/url_default/welcome.cgi' | sed -n 's/.*<input\( [^>]*name="realm" [^>]*\)>.*/\1/p' | sed -n 's/.* value="\([^"]*\)".*/\1/p')

After you log in, download the following jar (should be done one time only):

https://some.site.com/dana-cached/nc/ncLinuxApp.jar

and unzip it to ~/.juniper_networks/network_connect

Get some new libraries for your 64-bit machine:

yum install glibc.i686 zlib.i686 nss-mdns.i686

Go to ~/.juniper_networks/network_connect and

sudo chown root:root ncsvc
sudo chmod 6711 ncsvc
chmod 744 ncdiag
chmod +x getx509certificate.sh

Get your certificate:

./getx509certificate.sh some.site.com company.cert

And connect:

./ncsvc -h some.site.com -u username -p password -r REALM -f ./company.cert

For some sites I noticed that you also need to put the -U switch:

./ncsvc -h some.site.com -u username -p password -r REALM -f ./company.cert -U 'https://some.site.com/dana-na/auth/url_default/welcome.cgi'
cristi
  • Any Idea how to enter 2 factor auth information??? – Tim Ludwinski Nov 07 '14 at 22:28
  • 1
    No, sorry. Check if you can make this work: https://code.google.com/p/juniper-vpn/source/browse/trunk/junipervpn.py – cristi Nov 08 '14 at 07:00
  • Thanks. Didn't get the script working but did manage to get the VPN working through the linked page http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery/. – Tim Ludwinski Nov 10 '14 at 17:06
  • 1
    One hint to anyone trying to get the above script to work. I think the Login URL needs to end with /dana-na/auth/url_default/login.cgi. Got the cookie but the script still is not working for me. – Tim Ludwinski Nov 11 '14 at 15:49
  • A small note on getting the realm. In my case, the realm wasn't present as an `input` tag; it was there as a `select` tag. So if the REALM snippet doesn't work for you, try looking in the page source for a `select` element that looks like this: ` – Chris Laplante Jan 08 '15 at 01:42
  • 1
    Now openconnect supports Juniper, so this is no longer needed. See http://www.infradead.org/openconnect/juniper.html – Thales Ceolin Jul 13 '15 at 20:56
  • @TimLudwinski, you genius! I could kiss you right about now. I was starting to fire up ldconfig and debugging tools only to first try using the trailing 'login.cgi' and for the first time in weeks I got a win over technology! I'm sure Maven will make me pay later today. ;) – Gazzonyx Jan 24 '16 at 11:31
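Added example (not part of the original answer or its comments): a small Python parser that pulls the realm out of a saved copy of the sign-in page, covering both the `input` form that the sed one-liner targets and the `select` form mentioned in the comment above. The sample HTML and the realm names in it are constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed sample pages; real sign-in pages will carry more markup.
INPUT_PAGE = '<form><input type="hidden" value="Users" name="realm"></form>'
SELECT_PAGE = (
    '<form><select size="1" name="realm">'
    '<option value="Staff">Staff</option>'
    '<option value="Contractors">Contractors</option>'
    '</select></form>'
)


class RealmParser(HTMLParser):
    """Collect candidate realm values from a sign-in page."""

    def __init__(self):
        super().__init__()
        self.realms = []
        self._in_realm_select = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "realm":
            # Single realm: works regardless of attribute order or spacing.
            if a.get("value"):
                self.realms.append(a["value"])
        elif tag == "select" and a.get("name") == "realm":
            self._in_realm_select = True
        elif tag == "option" and self._in_realm_select and a.get("value"):
            # Several realms offered: each <option> is one choice.
            self.realms.append(a["value"])

    def handle_endtag(self, tag):
        if tag == "select":
            self._in_realm_select = False


def extract_realms(html):
    """Return every realm value found, in page order."""
    parser = RealmParser()
    parser.feed(html)
    parser.close()
    return parser.realms


if __name__ == "__main__":
    for page in (INPUT_PAGE, SELECT_PAGE):
        print(extract_realms(page))
```

When the page offers several realms, pass the one that applies to your account to `-r`.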
16

The OpenConnect VPN client has (nascent) support for Juniper SSL VPN.

See the announcement at http://lists.infradead.org/pipermail/openconnect-devel/2015-January/002628.html

Edit 2015-02-02:

The Juniper support is coming along nicely now and is definitely ready for more testing. It's reached the point where we're happy to admit to its existence on the OpenConnect web site: http://www.infradead.org/openconnect/juniper.html

dwmw2
  • 4
    You should include a copy of the announcement in your answer -- that link could go dead at some time in the future leaving your answer null & void. It's OK to leave the link as well as a reference. – fukawi2 Jan 27 '15 at 01:26
  • 1
    A good point in theory in the general case — but in this case if the server hosting my mailing list archive is offline, so is my git repository. The details in the announcement won't do you much good if you can't get to the code anyway :) Yes, I could include a *summary* of the announcement, concise and also relatively future-proof so it doesn't include specifics of what has and has not been implemented yet *today*. That summary is best phrased as "OpenConnect has nascent support for Juniper SSL VPN" :) – dwmw2 Jan 28 '15 at 12:10
  • 1
    Now that openconnect supports Juniper (July 2015) - This is the correct and easier answer. Works for me. I had to manually build openconnect though. – Thales Ceolin Jul 13 '15 at 20:54
9

What I usually do is use openconnect. It has to run as root, from the terminal window, and you have to use the --juniper flag like this:

sudo openconnect --juniper http://your.vpn.server.here

It will ask for your user name and password and will connect you to your vpn.

The only caveat is that the terminal window has to be open all the time, and it may drop once or twice in a day; you have to reconnect.

chicks
  • 1
    It actually doesn't have to run as root - See [Running as non-root user](http://www.infradead.org/openconnect/nonroot.html). – Randall Aug 27 '18 at 20:57
4

Network-Connect is the old Juniper VPN. It is no longer used/shipped by Juniper; everything is now Pulse Secure. The information on this site is old. Pulse Secure is not supported on Linux.

DMJC
  • 1
  • 1
    Thx for the information - the question is indeed 4 years old. – Déjà vu Mar 13 '16 at 05:06
  • 6
    This is not correct. Pulse Secure actually *is* supported on Linux. The *Pulse Secure* client `pulsesvc` is essentially a drop in replacement for `ncsvc`. The latest version of the *Pulse Secure Desktop Client* was released just this month and now seems to even have a working GUI. – Adaephon Dec 21 '16 at 07:40
3

I found this page to be the most use for me. mad scientist

lostinip
2

On Ubuntu 15.10:

  • sudo apt-get install icedtea-7-plugin openjdk-7-jre:i386
  • sudo ln -s /usr/bin/update-alternatives /usr/sbin/ (this may already exist)
  • sudo apt-get install libstdc++6:i386 lib32z1 lib32ncurses5 libxext6:i386 libxrender1:i386 libxtst6:i386 libxi6:i386

Then connect to your VPN as you would normally through the web interface. You'll need to allow the IcedTea plugin to run in your browser (I used Firefox) when it prompts you. There are also a number of prompts to trust software from a remote site, and it pops up a terminal for your password.

Nate Lampton
0

I believe this is answered on Juniper's forum here - specifically for Network Connect (I'm assuming that's what you're wanting to do). They have excellent screenshots, etc., to help you through the process (five steps).

Laurence