在Ubuntu桌面系统上连接Juniper SSL VPN

现在国内很多外企都使用Juniper SSL VPN，来让员工可以在家连入到公司的网络。但是我发现，Juniper的SSL VPN在windows和Mac OS X上都可以很好的工作，但是在Ubuntu上貌似就有问题。就算你正确安装了Java Runtime，打开浏览器，Host Checker 和 Network Connect 也无法正常运行。有人说这是因为现在我们大多使用64位的Ubuntu，而 Host Checker 和 Network Connect 需要32位的浏览器和32位的JRE才能工作。
我没有去深究32位的Ubuntu下是否Juniper VPN就真的可以正常工作了，因为我找到了一个更简单的办法。
这个方法来自这位大神，他自己分析了Juniper SSL VPN的工作过程，然后写了一个perl脚本解决了这个问题：
http://smallhacks.wordpress.com/2012/07/15/jvpn-perl-script-to-connect-to-the-juniper-vpn-with-host-checker-enabled/
对原理感兴趣的可以自己去看这篇文章（可能需要翻墙），这里简述一下步骤：

• 从上面的文章提供的地址，下载 jvpn-0.7.0.tar.bz2。
• 解开，将配置文件 jvpn.ini 拷贝一份以便输入自己的配置，比如：cp jvpn.ini mark.ini，然后编辑这些配置项：

1 2 3 4 5 6

host: 你的VPN server的地址 username: 用户名 realm: 区域，一般的外企应该是 `Employee` 或者 `Contractor` verifycert: 是否验证SSL证书，如果你本地没有导入你的VPN server的SSL的证书的，可以写0，否则写1 dnsprotect: 这可以防止Ubuntu的NetworkManager修改 `/etc/resolv.conf` 。我们需要修改这个文件从而修改DNS server的配置。 mode: `ncsvc/ncui` 都可以

• 然后就可以执行：sudo perl ./jvpn.pl --conf mark.ini。成功了就可以看到连到了VPN，按 Ctrl+C 可以中断连接。

Troubleshooting

• sudo apt-get install libterm-readkey-perl，如果jvpn.pl说 Term::ReadKey module 找不到的话
• sudo apt-get install lib32z1，如果出现这样的错误： libz.so.1: cannot open shared object file: No such file or directory
• sudo apt-get install gcc-multilib，如果看到这样的错误： bits/predefs.h: No such file or directory
• sudo apt-get install libhttp-request-ascgi-perl，如果jvpn.pl说 HTTP::Request module 找不到的话

这样在Ubuntu下，就可以使用Juniper SSL VPN了。很多外企的网络，自带翻墙，所以拨上VPN之后，除了工作之外，还可以实现自动翻墙。配合上chnroute，就完美了.

Download

Version 0.7.0 – samm.kiev.ua/jvpn/jvpn-0.7.0.tar.bz2.

--------------

jvpn – Perl script to connect to the Juniper VPN with Host Checker enabled

To access some company resources i need to use Network Connect  VPN from Juniper.  Network Connect is a software package that interfaces with its Secure Access hardware and provides a Virtual Private Network (VPN) solution. There are two software products that connect to Secure Access servers: Windows Secure Application Manager which, as you might guess, runs on Microsoft Windows; and Network Connect which runs on other platforms, in particular GNU/Linux. All  clients are closed source, without open source alternative.
I personally think that all closes source VPN clients should die one day – typically it is a perfect example of security by obscurity – internally they are using known algorithms and typically built with OpenSSL inside so there are no “secret” technologies. But closed source form will not allow to audit the code or to connect from non-supported OS (including non-x86 Linux, e.g. ARM). Also i`m  sure that code security level is very low – often such clients contains statically linked outdated libraries or input parameter validation is bad. In the worst case such clients including kernel modules (some s..t from Cisco) and then you forced to use only supported kernel. In Juniper case native Linux client requires Java + web browser installed. Also its built with JNI (Java Native Interface) so it will run only on 32-bit platforms. To run it on my Linux/x86_64 i installed 32 bit versions of the Firefox and Oracle  Java. It was very annoying to keep all this blobs in the RAM, so i decided to understand how it works and write some alternative.

How Network Connect works

After debugging with strace, java decompiler and tcpdump i got a clear view how Network Connect works:

1. In the web browser client opening VPN page and entering Login/Password (in my case password generated from RSA Secure device)
2. If authorization successful browser checks if VPN software is installed using Java applet. If it is not installed – ncLinux.jar file is downloaded and installation script is running. Client is installed to ~/.juniper_networks/network_connect. Also it will set SUID bit on ncsvc binary using su or sudo (password is prompted)
3. Then optionally host checker (tncc.jar) client is running. This package validating if your system conforms policies configured on VPN host. In my case HC  is running but probably is not strict – i am able to logon to VPN from my home Linux.
4. On next step Java Applet launcing NC.jar and passing some parameters to it. Most important one is DSID – dynamic session key, taken from the browser cookie.
5. NC.jar will start Java (AWT based) GUI and console client (ncsvc) using JNI (code is inside libncui.so). I found that after ncsvc startup it listening on TCP port 4242 (127.0.0.1 address). Then Java GUI starts and connecting to the ncsvc (port 4242).
6. After connecting Java GUI sending configuration to the ncsvc using non-documented protocol and ncsvc establishing remote connection. In configuration packet i found DSID, certificate md5 fingerprint, hostname and some other data.
7. When connection is established Java GUI getting reply and communicating with ncsvc to get connection statistic (number of data transferred, VPN algorithm, etc.).
8. On disconnect GUI sends special command to ncsvc process and it disconnecting from the remote host and doing some cleanup (e.g. reverting /etc/resolv.conf and /etc/hosts).

ncsvc client

Connection is established and maintained with ncsvc client. I found some information in the network (e.g. mad-scientist.us/juniper.html or www.joshhardman.net/juniper-network-connect-vpn-linux-64-bit/) on how to run it from command line, including some scripts. In my case all this scripts failed. If this scripts are working for you than you don`t need jvpn 🙂  Reason of fail was a Host Checker – related Juniper KB contains “Launch Network Connect only through the Internet browser on the supported Linux platforms” text. But i was not satisfied with this  and decided to emulate Java GUI to run client from command line, without web browser. Command line interface of ncsvc (see ncsvc -h) will not help in this case, because there is no possibility to pass DSID , and all other CLI options failing in my case. So i wrote a perl script – jvpn.pl, and hooray – i was able to establish connection.

jvpn.pl script – description

• To use this script you need Perl (with some modules) and openssl binary. Also unzip is required if client is not installed.
• jvpn.pl using configuration file jvpn.ini – before usage you will need to setup host name, login, password and realm. If you don`t know your realm – read HTML source for the login page – it will contain hidden “REALM” input element.
• If ncsvc client is not installed – jvpn will download it to the current directory automatically from your VPN host
• Then it logging in to the web site using your username/password and getting DSID. It handles some advanced scenarios like “active sessions found” and “additional code required” pages from VPN. It also getting md5 fingerprint of the SSL certificate using “openssl” binary.
• If Host Checker support is enabled in configuration it is also download and starts tncc.jar to get host checker authentication from the server
• After getting DSID it starts ncsvs and sending configuration commands to it using TCP protocol (port 4242). On this stage ncsvs establishing VPN connection. Then jvpn.pl entering statistic loop, like Java GUI.
• On Ctrl+C jvpn.pl sending disconnect command to the ncsvs and also logging out from the VPN web site, to make sure that DSID is invalidated.

Screenshot

Download

Version 0.7.0 – samm.kiev.ua/jvpn/jvpn-0.7.0.tar.bz2. If you found some bugs or did some improvements – drop me a note。

from https://smallhacks.wordpress.com/2012/07/15/jvpn-perl-script-to-connect-to-the-juniper-vpn-with-host-checker-enabled/