Linux – How to connect to a Juniper VPN from Linux

juniperlinuxvpn

The Windows users have a new client "Juniper Pulse" to connect to the Juniper VPN server.

On Linux, what VPN client do we have to connect to that Juniper VPN, with maximum compatibility?

Please mention the necessary parameters that have to be provided.

Best Answer

And my favorite method (no java applet required):

Presumably:

your url: 'https://some.site.com/dana-na/auth/url_default/welcome.cgi' (or whatever)
your username=username
your password=password
you know your realm or you can find it from the web page or with:

REALM=$(wget -q --no-check-certificate -O - 'https://some.site.com/dana-na/auth/url_default/welcome.cgi' | sed -n 's/.*<input\( [^>]*name="realm" [^>]*\)>.*/\1/p' | sed -n 's/.* value="\([^"]*\)".*/\1/p')

After you login, download the following jar (should be done one time only):

https://some.site.com/dana-cached/nc/ncLinuxApp.jar

and unzip it to ~/.juniper_networks/network_connect

Get some new libraries for your 64bit machine yum install glibc.i686 zlib.i686 nss-mdns.i686

Go to ~/.juniper_networks/network_connect and

sudo chown root:root ncsvc
sudo chmod 6711 ncsvc
chmod 744 ncdiag
chmod +x getx509certificate.sh

Get your certificate:

./getx509certificate.sh some.site.com company.cert

And connect:

./ncsvc -h some.site.com -u username -p password -r REALM -f ./company.cert

For some sites I noticed that you also need to put the -U switch:

./ncsvc -h some.site.com -u username -p password -r REALM -f ./company.cert -U 'https://some.site.com/dana-na/auth/url_default/welcome.cgi'

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Short answer: you can't. Ports below 1024 can be opened only by root. As per comment - well, you can, using CAP_NET_BIND_SERVICE, but that approach, applied to java bin will make any java program to be run with this setting, which is undesirable, if not a security risk.

The long answer: you can redirect connections on port 80 to some other port you can open as normal user.

Run as root:

# iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 8080

As loopback devices (like localhost) do not use the prerouting rules, if you need to use localhost, etc., add this rule as well (thanks @Francesco):

# iptables -t nat -I OUTPUT -p tcp -d 127.0.0.1 --dport 80 -j REDIRECT --to-ports 8080

NOTE: The above solution is not well suited for multi-user systems, as any user can open port 8080 (or any other high port you decide to use), thus intercepting the traffic. (Credits to CesarB).

EDIT: as per comment question - to delete the above rule:

# iptables -t nat --line-numbers -n -L

This will output something like:

Chain PREROUTING (policy ACCEPT)
num  target     prot opt source               destination         
1    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:8080 redir ports 8088
2    REDIRECT   tcp  --  0.0.0.0/0            0.0.0.0/0           tcp dpt:80 redir ports 8080

The rule you are interested in is nr. 2, so to delete it:

# iptables -t nat -D PREROUTING 2

Netscreen-Remote Equivalent On Linux

IME racoon can be made to work with ScreenOS/JunOS VPNs, but it's not trivial to setup.

I assume OpenSWAN and StrongSWAN should work too.

I think Cisco's VPN Client could work too, but its license requires that it be used with a Cisco device.

Best Answer

Related Solutions

Linux – How to run a server on port 80 as a normal user on Linux

Netscreen-Remote Equivalent On Linux

Related Topic