Wednesday, 11 May 2016

juniper (pulse secure) under gentoo. Finally!

Woah, that was one of the craziest things I needed to do. It took me forever to find how to convince the company's server that I'm connecting with Pulse Secure. But after days of me wanting to rip my head off, I finally made it.
The problem is that the app which Pulse Secure provides is not a native 64x library and it's not a native Gentoo app, which makes it a nightmare to install. In the end you can extract the deb package and put it where it belongs (/usr/local/pulse), and you can connect /bin/ifconfig with /usr/sbin/ifconfig, but that won't help much since the whole thing is totally messed up, and pulsesvc is a compiled file so you can't change the PATHs and, what's worse, you don't know the PATHs inside, so you don't get an error, you don't get anything to work with.

 After days of trying everything, here is what worked for me.
I followed this guide (for a while at least).
0. You need to start the "tun" module. 
$ sudo modprobe tun
$ echo "tun" | sudo tee /etc/modules-load.d/VPN.conf  - this one turned out not to be necessary
If you get an error on modprobe tun try $sudo modprobe --force tun
it worked for me. But this step is key, otherwise, openconnect cannot set up the connection.
1. Get your certificate (from here):
Log into your VPN through Firefox. Go to Tools -> Page Info -> Security -> View Certificate -> Details -> Export
Save the file as .DER (for Juniper's client) or .PEM (for OpenConnect)
2. Download stuff:
sudo equo install vpnc
sudo chmod a+x+r -R /etc/vpnc
sudo equo install libxml2 libxml2-dev gettext make libssl-dev pkg-config libtool autoconf git pip net-tools libgnutls-dev 
Most of those don't exist in Gentoo but still I post them here because maybe something helped :)
3.
sudo equo install openconnect
sudo pip install mechanize
git clone https://github.com/russdill/juniper-vpn-py
cd juniper-vpn-py
/if it doesn't exist,first $mkdir juniper-vpn-py/
# Delete the line that switches off HTTPS certificate verification in both scripts
sed -i '/ssl._create_default_https_context = ssl._create_unverified_context/d' ./juniper-vpn.py
sed -i '/ssl._create_default_https_context = ssl._create_unverified_context/d' ./tncc.py
sudo mkdir -p /run/resolvconf/interface
sudo cp /etc/resolv.conf /run/resolvconf/resolv.conf
sudo mv /etc/resolv.conf /run/resolvconf/interface/mlan0
sudo ln -s /run/resolvconf/resolv.conf /etc/resolv.conf
sudo resolvconf --enable-updates
/that gives me errors so probably wasn't very important/
4. Finally, I created this file:
$nano tun.sh
with the content:
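#!/bin/bash

# Create a fresh tun0 device; if one already exists, remove it and recreate it.
if ip tuntap add dev tun0 mode tun
then
  echo "New tun Created Successfully"
  sleep 4
else
  echo "Old tun Exists, Need to Cleanup"
  ifconfig tun0 down
  ip tuntap del dev tun0 mode tun
  sleep 4
  ip tuntap add dev tun0 mode tun
  sleep 4
fi

# Bring the interface up and stop with a non-zero status if that fails.
if ifconfig tun0 up
then
  echo "Interface tun0 is up"
else
  echo "Something went wrong, exiting..."
  exit 1
fi

# Only affects this script's own process, not the shell that started it.
export LD_LIBRARY_PATH="/usr/local/lib"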

5. $sudo sh tun.sh
This will set up the tun interface and make sure it is fresh and ok. You may add to the script
 $modprobe tun
6. For me the python script didn't work for some unknown reason which I don't have time to research right now. So to connect I did:
$ sudo openconnect --cafile ~/cert_file.pem --juniper VPN_host -u USER_name
 where cert_file is the name you gave to your certificate, VPN_host is the name of your host's VPN, USER_name is your login username for the VPN.
When it connects, it will also ask you for the password.

Then when it says "ESP session established with server"  you're good to go and do whatever you need to do with your vpn, in my case, use perforce.

7. You stop the connection with CTRL+C and $sudo ifconfig tun0 down


I'm soooo happy I managed to do that. It seems simple once it's done, but it took me days to find the howto that works for me and also, I tried to install the Pulse Secure app on Sabayon, Ubuntu x64, Fedora x32 and LUbuntu x32. It didn't work anywhere! So this is really a success.

Btw, if you don't feel like filling in the password each time, you can make a simple script:
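#!/bin/bash
# The password is stored in plain text here, so keep this file readable only by you (chmod 600 script.sh).
username="user_name"
password="vpn_pass"
url="vpn_url"
cert="your_certificate"
echo "$password" | sudo openconnect --cafile "$cert" --juniper "$url" -u "$username" --passwd-on-stdin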

And then run it with sh script.sh
This way, you'll have to fill only your sudo password :)
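
A variant of the wrapper above that keeps the password out of the script, as an added example that is not from the original post: it reads the password from a separate file, refuses to run if anyone else can read that file, and checks that the certificate is the PEM export rather than the DER one. The file paths and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the post's script. Paths and function names are assumptions.
PASS_FILE="${PASS_FILE:-$HOME/.vpn_pass}"      # hypothetical file holding only the password
CERT_FILE="${CERT_FILE:-$HOME/cert_file.pem}"  # certificate exported in step 1

# Succeeds only for a regular file we own with no group/other permission bits.
# ls -ld does not follow symlinks, so a symlink ("l...") is rejected as well.
secret_file_ok() {
  [ -O "$1" ] || return 1
  case "$(ls -ld -- "$1" | cut -c1-10)" in
    -???------) return 0 ;;
    *)          return 1 ;;
  esac
}

# Succeeds if the file is PEM text; a .DER export is binary and has no such header.
cert_is_pem() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null
}

# Runs both checks, then feeds the password to openconnect on stdin.
# usage: connect VPN_host USER_name
connect() {
  secret_file_ok "$PASS_FILE" || {
    echo "refusing: $PASS_FILE must be yours and mode 600" >&2
    return 2
  }
  cert_is_pem "$CERT_FILE" || {
    echo "refusing: $CERT_FILE is not a PEM certificate" >&2
    return 3
  }
  sudo openconnect --cafile "$CERT_FILE" --juniper "$1" -u "$2" \
    --passwd-on-stdin < "$PASS_FILE"
}

# Connect only when called as: sh vpn.sh VPN_host USER_name
if [ "$#" -eq 2 ]; then
  connect "$1" "$2"
fi
```

Create the password file once with chmod 600 before the first run; the script never prints or exports its contents.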

Some links where you can find many howtos, maybe they will work for you, they didn't for me.
ArchLinux, Short VPN guide, AnotherOneDownloadPage, GentooHowto

Explanation how to install in Ubuntu x64. I couldn't make it work. Some more explanations + download links for Mac, Win and Linux.

This should tell you if you have TUN:
$ grep CONFIG_TUN /usr/src/linux/.config
CONFIG_TUN=y

From Sabayon wiki:
$ cd /sbin
$ sudo ln -s /bin/ifconfig ifconfig
$ sudo ln -s /bin/route route
I don't know how much the last step helped. 
