HOWTO_Juniper_SSL_Network_Connect_VPN

This is about setting up a Juniper SSL Network Connect VPN.

Preliminary Testing

Make sure you have Sun's Java JRE installed. Blackdown and others may not work. Sun-jre-bin also works. Note, this article may be 32-bit specific, however there is a discussion about how to get a 64-bit Java environment working with the Juniper SSL VPN on the Gentoo Forums.

1. First, head on over to your Juniper SSL VPN's portal website.
2. Add this portal website to your browser's whitelist for launching popups. (There will be one small one, which initiates the VPN connection. This will also display information about the connection.)
3. Click on "Network Connect"
4. Enter root password when prompted.
5. A window will likely popup saying there are some issues. Take note of them.

With any luck, you will see that you are "missing" a few requirements.

libXm.so.3
libssl.so.2
libstdc++-libc6.2-2.so.3
libcrypto.so.2

Prerequisites

Emerge the following ebuilds. (Don't worry about version numbers, just use the latest stable.)

• openssl
• lib-compat
• openmotif (lesstif is also reported to work, but will require an additional symlink.)

Recompile the kernel, if necessary, with the following enabled (as a module or monolithicly)

Device Drivers-->
   Network device support-->
      <M> Univesal TUN/TAP device driver support

If you compiled it as a module, remember to mobprobe tun or add it to /etc/modules.autoload.d/kernel-2.6.

Setup

• libXm.so.3 is provided by the openmotif ebuild.
• libstdc++-libc6.2-2.so.3 is provided by the lib-compat ebuild.
• Create the following symlinks for libssl.so.2 and libcrypto.so.2 (Note, libssl.so.0.9.8 may be version libssl.so.0.9.7. Same goes for libcrypto.so.0.9.8!):

ln -s /usr/lib/libssl.so.0.9.8 /usr/lib/libssl.so.2
ln -s /usr/lib/libcrypto.so.0.9.8 /usr/lib/libcrypto.so.2

ln -s /usr/lib/libssl.so /usr/lib/libssl.so.2
ln -s /usr/lib/libcrypto.so /usr/lib/libcrypto.so.2

• Update: If we use the .so libs this wont break when openssl updates.

And the following if you are using lesstif:

ln -s /usr/lib/libXm.so.2 /usr/lib/libXm.so.3

• Update: As of openmotif-2.2 libXm.so.3 is included. This step is no longer needed. Unless this should have been ln -s /usr/lib/libXm.so.3 /usr/lib/libXm.so.2 ?

• Add the following to /etc/ld.so.conf and then run ldconfig

/usr/X11R6/lib

RPM issue

• The rpm dependency issue.

Because this software was originally desinged for Redhat 8 or something archaic like that it requires /usr/bin/rpm to install. It doesn't actually use rpm to install itself but just to check if some of the packages it needs are installed. There are two ways to handle this.

The first way is the correct way, but this method will cause the software to throw a package not found error but still function correctly.

emerge -av app-arch/rpm

The second method is a dirty dirty hack and may/will cause issues in the future, but the program to execute without error. Please use with caution!

ln -s /bin/true /usr/bin/rpm

• Lastly, delete the Juniper "working directory" in your user's data folder:

rm -rf ~/.juniper_networks

Head on over to your portal page again, and launch "Network Connect." It should run without any problems.

Thinking out loud here, I love symlinking the rpm command to true but I could not emerge anything without it. Would it be possible to add a random path to the user to be used but only by the web browser or just you (not root).

Ebuild

Alex has created an ebuild based on the instructions above to help streamline the installation.

This ebuild should work with amd64 provided you can get some of the emul libs and java plugin for amd64. This has not been tested yet so if you would like to play around with it please modify the wiki and post any errors that you find.

This now appears to work with rpm so the symlink hack has been removed.

To install this ebuild follow instructions:

 # echo "PORTDIR_OVERLAY="/usr/local/portage" >> /etc/make.conf
 # mkdir -p /usr/local/portage/net-misc/juniper-vpn
 # cd /usr/local/portage/net-misc/juniper-vpn
 # nano -wc juniper-vpn-5.3.ebuild
    <copy paste the ebuild>
 # ebuild juniper-vpn-5.3.ebuild digest
 # USE="rpm" emerge -av juniper-vpn

For better instructions please see: HOWTO_Installing_3rd_Party_Ebuilds

 
# Copyright 1999-2008 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: $
# Created by Alex Barker (abarker@callutheran.edu)

inherit eutils libtool versionator linux-info

DESCRIPTION="Juniper Networks SSL VPN"
HOMEPAGE="http://www.juniper.net/products_and_services/ssl_vpn_secure_access/"
SRC_URI=""

LICENSE="Juniper"
# The license is unclear.
RESTRICT="nomirror"
SLOT="0"
KEYWORDS="-* ~amd64 x86"
IUSE=""

DEPEND=""
RDEPEND="${DEPEND}
	dev-libs/openssl
	sys-libs/lib-compat
	sys-libs/zlib
	>=virtual/jre-1.4.2
	x11-libs/openmotif
	app-arch/rpm"

pkg_setup() {
	# Setup kernel info for query.
	linux-info_pkg_setup	
	
	ebegin "Checking for Univesal TUN/TAP device driver support"
	linux_chkconfig_present TUN
	eend $?
	
	if [[ $? -ne 0 ]] ; then
		eerror "${DESCRIPTION} requires TUN/TAP support!"
		eerror "Please enable TUN/TAP support in your kernel config, found at:"
		eerror
		eerror "  Device Drivers-->"
		eerror "    Network device support-->"
		eerror "      <M> Univesal TUN/TAP device driver support"
		eerror
		eerror "and recompile your kernel ..."
		die "TUN/TAP support not detected!"
	fi
}

src_install() {
	# Default location and version number for libs.
	LIBCRYPT_LOC="/usr/lib"
	
	# Create Lib Location
	mkdir -p ${D}/${LIBCRYPT_LOC}
	
	# This is a dirty hack becaues they are called different 
	# names on redhat 9.
	ln -s libssl.so ${D}/${LIBCRYPT_LOC}/libssl.so.2
	ln -s libcrypto.so ${D}/${LIBCRYPT_LOC}/libcrypto.so.2
	
	# Add the following to /etc/ld.so.conf and then run ldconfig
	mkdir -p ${D}/etc/env.d/
	echo "LDPATH=\"/usr/X11R6/lib\"" >> ${D}/etc/env.d/99JuniperVPN
}

pkg_postinst() {
	einfo ""
	einfo "please be sure to remove any juniper networking information in your home directory."
	einfo "  rm -rf ~/.juniper_networks."
	einfo ""
}