jvpn – Perl script to connect to the Juniper VPN with Host Checker enabled

Overview

To access some company resources I need to use the Network Connect VPN from Juniper. Network Connect is a software package that interfaces with Juniper’s Secure Access hardware and provides a Virtual Private Network (VPN) solution. There are two software products that connect to Secure Access servers: Windows Secure Application Manager which, as you might guess, runs on Microsoft Windows; and Network Connect, which runs on other platforms, in particular GNU/Linux. All clients are closed source, with no open source alternative.

I personally think that all closed source VPN clients should die one day – they are typically a perfect example of security by obscurity. Internally they use known algorithms and are typically built with OpenSSL inside, so there are no “secret” technologies. But the closed source form does not allow anyone to audit the code or to connect from a non-supported OS (including non-x86 Linux, e.g. ARM). Also I’m sure that the code security level is very low – often such clients contain statically linked outdated libraries, or their input parameter validation is bad. In the worst case such clients include kernel modules (some s..t from Cisco) and then you are forced to use only a supported kernel. In the Juniper case the native Linux client requires Java and a web browser to be installed. It is also built with JNI (Java Native Interface), so it will run only on 32-bit platforms. To run it on my Linux/x86_64 I installed 32-bit versions of Firefox and Oracle Java. It was very annoying to keep all these blobs in RAM, so I decided to understand how it works and write an alternative.

How Network Connect works

After debugging with strace, a Java decompiler and tcpdump I got a clear view of how Network Connect works:

  1. The client opens the VPN page in the web browser and enters login/password (in my case the password is generated by an RSA Secure device).
  2. If authorization is successful, the browser uses a Java applet to check whether the VPN software is installed. If it is not installed, the ncLinux.jar file is downloaded and the installation script is run. The client is installed to ~/.juniper_networks/network_connect. The installer also sets the SUID bit on the ncsvc binary using su or sudo (the password is prompted for).
  3. Then, optionally, the host checker client (tncc.jar) is run. This package validates whether your system conforms to the policies configured on the VPN host. In my case HC is running but is probably not strict – I am able to log on to the VPN from my home Linux machine.
  4. In the next step the Java applet launches NC.jar and passes some parameters to it. The most important one is DSID – a dynamic session key, taken from the browser cookie.
  5. NC.jar starts the Java (AWT-based) GUI and the console client (ncsvc) using JNI (the code is inside libncui.so). I found that after startup ncsvc listens on TCP port 4242 (address 127.0.0.1). Then the Java GUI starts and connects to ncsvc (port 4242).
  6. After connecting, the Java GUI sends the configuration to ncsvc using an undocumented protocol, and ncsvc establishes the remote connection. In the configuration packet I found the DSID, the certificate MD5 fingerprint, the hostname and some other data.
  7. When the connection is established, the Java GUI gets a reply and communicates with ncsvc to get connection statistics (amount of data transferred, VPN algorithm, etc.).
  8. On disconnect the GUI sends a special command to the ncsvc process, which disconnects from the remote host and does some cleanup (e.g. reverting /etc/resolv.conf and /etc/hosts).
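
The two local artefacts described in steps 2 and 5, a SUID ncsvc binary and a control socket on 127.0.0.1:4242, are what an administrator would look for on a host where Network Connect is installed. The audit sketch below is an added example, not part of jvpn or of Juniper's software. The function names and the sample /proc/net/tcp text are constructed, and the address decoding assumes a little-endian Linux host.

```python
import os
import stat

NCSVC_PORT = 4242  # control port named in the post
NCSVC_PATH = "~/.juniper_networks/network_connect/ncsvc"  # install dir named in the post

# Constructed sample in /proc/net/tcp layout: a listener on 0.0.0.0:22, a
# listener on 127.0.0.1:4242 (0100007F:1092) and one established connection
# to that port (state 01), which must not be reported as a listener.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 15320 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1092 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 48211 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1092 0100007F:D431 01 00000000:00000000 00:00000000 00000000     0        0 48230 1 0000000000000000 20 4 30 10 -1
"""


def listeners_on(proc_net_tcp, port=NCSVC_PORT):
    """Return the sockets in LISTEN state on `port` from /proc/net/tcp text."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10 or fields[3] != "0A":  # 0A = TCP_LISTEN
            continue
        addr_hex, port_hex = fields[1].split(":")
        if int(port_hex, 16) != port:
            continue
        # The IPv4 address is printed in host byte order; reverse the bytes
        # on a little-endian machine to get dotted-quad notation.
        ip = ".".join(str(b) for b in reversed(bytes.fromhex(addr_hex)))
        found.append({"ip": ip, "uid": int(fields[7]), "inode": int(fields[9])})
    return found


def mode_findings(st_mode, st_uid):
    """Describe the risky permission bits of a binary's stat result."""
    findings = []
    if st_mode & stat.S_ISUID:
        owner = "root" if st_uid == 0 else f"uid {st_uid}"
        findings.append(f"setuid bit set, runs as {owner}")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    return findings


def audit(path=NCSVC_PATH, proc_net_tcp=None):
    """Report on the ncsvc binary and on any listener on its control port."""
    report = []
    path = os.path.expanduser(path)
    try:
        st = os.stat(path)
        report += [f"{path}: {f}" for f in mode_findings(st.st_mode, st.st_uid)]
    except OSError:
        report.append(f"{path}: not present or not readable")
    if proc_net_tcp is None:
        with open("/proc/net/tcp") as fh:
            proc_net_tcp = fh.read()
    for sock in listeners_on(proc_net_tcp):
        loopback = sock["ip"].startswith("127.")
        scope = "local processes only" if loopback else "reachable from the network"
        report.append(
            f"port {NCSVC_PORT} listening on {sock['ip']} (uid {sock['uid']}), {scope}"
        )
    return report


if __name__ == "__main__":
    # Runs against the constructed sample; pass nothing to read the live table.
    for line in audit(proc_net_tcp=SAMPLE_PROC_NET_TCP):
        print(line)
```

A loopback listener has no per-user access control, so on a multi-user machine every local account can reach the port while ncsvc is running.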

ncsvc client

The connection is established and maintained by the ncsvc client. I found some information on the net (e.g. mad-scientist.us/juniper.html or www.joshhardman.net/juniper-network-connect-vpn-linux-64-bit/) on how to run it from the command line, including some scripts. In my case all these scripts failed. If these scripts work for you then you don’t need jvpn 🙂 The reason for the failure was Host Checker – the related Juniper KB contains the text “Launch Network Connect only through the Internet browser on the supported Linux platforms”. But I was not satisfied with this and decided to emulate the Java GUI to run the client from the command line, without a web browser. The command line interface of ncsvc (see ncsvc -h) does not help in this case, because there is no way to pass the DSID, and all other CLI options failed in my case. So I wrote a Perl script – jvpn.pl, and hooray – I was able to establish a connection.

jvpn.pl script – description

  • To use this script you need Perl (with some modules) and the openssl binary. unzip is also required if the client is not installed.
  • jvpn.pl uses the configuration file jvpn.ini – before use you need to set the host name, login, password and realm. If you don’t know your realm, read the HTML source of the login page – it will contain a hidden “REALM” input element.
  • If the ncsvc client is not installed, jvpn downloads it to the current directory automatically from your VPN host.
  • Then it logs in to the web site using your username/password and gets the DSID. It handles some advanced scenarios like the “active sessions found” and “additional code required” pages from the VPN. It also gets the MD5 fingerprint of the SSL certificate using the “openssl” binary.
  • If Host Checker support is enabled in the configuration, it also downloads and starts tncc.jar to get host checker authentication from the server.
  • After getting the DSID it starts ncsvc and sends configuration commands to it over TCP (port 4242). At this stage ncsvc establishes the VPN connection. Then jvpn.pl enters a statistics loop, like the Java GUI.
  • On Ctrl+C jvpn.pl sends a disconnect command to ncsvc and also logs out from the VPN web site, to make sure that the DSID is invalidated.
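
The DSID is a live session credential until logout, so debug output should be scrubbed before it is posted or mailed. The scrubber below is an added example, not part of jvpn: it reassembles hex-dump lines before searching, because a DSID split across two dump lines is missed by a line-by-line pattern. The sample log is constructed, and the dump layout it recognises is assumed from the debug output quoted in the comments on this page.

```python
import re

# DSID as printed by jvpn ("Got DSID=...") and inside the cookie string.
DSID_TEXT = re.compile(r"(DSID=)[0-9a-fA-F]{8,}")
# One debug-dump line: hex offset, decimal offset, one to four hex groups.
DUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{8} \(\d+\) ((?:[0-9a-fA-F]{2,8} ){1,4})")

# Constructed sample; every value below is made up. In the dump, "DSID=" is
# split between the first and second line, so no single line contains it.
SAMPLE = """\
Got DSID=0123456789abcdef0123456789abcdef, dfirst=1700000000, dlast=1700000002
Certificate fingerprint: [00112233445566778899aabbccddeeff]
-c
DSSignInURL=/; DSID=0123456789abcdef0123456789abcdef; DSFirstAccess=1700000000; path=/; secure
0x00000000 (00000) 44535369 676e496e 55524c3d 2f3b2044 DSSignInURL=/; D
0x00000010 (00016) 5349443d 30313233 34353637 38396162 SID=0123456789ab
0x00000020 (00032) 63646566 3b00 cdef;.
Got DSID=, dfirst=, dlast=
"""


def dump_payload(lines):
    """Rebuild the raw bytes of consecutive dump lines; None if malformed."""
    digits = "".join(DUMP_LINE.match(l).group(1).replace(" ", "") for l in lines)
    try:
        return bytes.fromhex(digits)
    except ValueError:
        return None


def redact(text):
    """Return (scrubbed_text, number_of_leaks_removed)."""
    out, block, leaks = [], [], 0

    def flush():
        # Decide the fate of a finished run of dump lines as one unit.
        nonlocal leaks
        if not block:
            return
        payload = dump_payload(block)
        if payload is None or b"DSID=" in payload:
            leaks += 1
            out.append(
                f"[hex dump withheld, {len(block)} lines: "
                "session cookie inside or unparseable]"
            )
        else:
            out.extend(block)
        block.clear()

    for line in text.splitlines():
        if DUMP_LINE.match(line):
            block.append(line)
            continue
        flush()
        # Plain-text occurrences: keep the key, drop the value.
        line, hits = DSID_TEXT.subn(r"\1[REDACTED]", line)
        leaks += hits
        out.append(line)
    flush()
    return "\n".join(out), leaks


if __name__ == "__main__":
    cleaned, count = redact(SAMPLE)
    print(cleaned)
    print(f"-- {count} DSID occurrence(s) removed")
```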

Download

Version 0.7.0 – samm.kiev.ua/jvpn/jvpn-0.7.0.tar.bz2. If you find bugs or make improvements, drop me a note.

141 thoughts on “jvpn – Perl script to connect to the Juniper VPN with Host Checker enabled”

  1. Peter says:

    Hi,

    Love the post, I think I’ve gotten most of the way there with the needed Perl modules for RHEL 6 Client x86_64. The only error that eludes me as to the solution is the following.

    # sudo ./jvpn.pl
    [sudo] password:
    Enter PIN+passsword: *********
    Can’t use an undefined value as filehandle reference at ./jvpn.pl line 74.

    I vi’ed the file and found this line “my $retcode = $curl->perform;” but stopped and figured I would ask before I went any further.

    Any help would be awesome.

    to help, here is a uname of the version I am running.
    Linux 2.6.32-279.1.1.el6.x86_64 #1

  2. Peter says:

    I’ll have a go at it and let you know 🙂

  3. Peter says:

    That got me a bit further, but threw a new message. I think an operator or element isn’t happy 😀

    Can’t use string (“43”) as an ARRAY ref while “strict refs” in use

  4. Peter says:

    Funny you just said that. I tried that and I got past the message. Perhaps I am missing a module for Perl.

    • sammczk says:

      No, you have all the modules. Probably the curl binding in Perl is buggy. Please also try adding the line

      no strict 'refs';

      before the line “my $cookies;”

      P.S. Maybe I’ll rewrite the HTTP code with LWP, it could work better.

      • Peter says:

        Like so?

        no strict 'refs'; # appended line 114
        my $cookies = $curl->getinfo(CURLINFO_COOKIELIST);
        my $cookie = "";
        foreach $cookie (@$cookies) {
            if ( $cookie =~ /DSID\s+([a-f\d]+)/){
                $dsid=$1;
            }
            if ( $cookie =~ /DSFirstAccess\s+(\d+)/){
                $dfirst=$1;
            }
            if ( $cookie =~ /DSLastAccess\s+(\d+)/){
                $dlast=$1;
            }
        }

    • Peter says:

      I think this helped to identify the problem. I appear to be missing the restrict.pm file.

      Can’t locate restrict.pm in @INC (@INC contains: /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at ./jvpn.pl line 113.
      BEGIN failed–compilation aborted at ./jvpn.pl line 113.

      • sammczk says:

        OK, I found the problem. The Perl binding to libcurl is very buggy in RHEL6. I decided to rewrite the script using LWP – now it works much better. Please try version 0.4.0 and report if it works for you. The dependency list is:

        perl
        perl-Crypt-SSLeay
        perl-TermReadKey
        perl-libwww-perl

        I tested it on RHEL6 and it works for me

  5. Peter says:

    I tried that, downloaded the dependencies, downloaded the script and then edited the .ini.

    It seems to be working now 🙂

    Transfer went ok
    Got DSID
    Certificate fingerprint: [11c3b544c4af316de1e5e450459eef64]
    TCP Connection to ncsvc process established.
    Sending handshake #1 packet… [done]
    Sending handshake #2 packet… [done]
    Sending configuration packet…

    Though I need to check the switch as it’s not responding to the config packet being sent.

    • sammczk says:

      OK, now it’s much better – the first stage is done. For some reason the connection is not established.

      I recommend enabling debug in the config and sending me the report at samm [at] os2.kiev.ua. I’ll try to look at it.

      P.S. When you connect from the browser, does the VPN start fine?

    • Vitaliy says:

      Same problem in my configuration. Hanging on “Sending configuration packet…”

      • sammczk says:

        I can try to debug this – please contact me via jabber (samm at kaa.ru), skype (sammkyiv) or email (samm at os2.kiev.ua). I’ll send a debug version.

      • I tried on Debian squeeze and had to do the following. Hope this helps someone.
        cpan -i Term::ReadKey
        cpan -i IO::Socket::SSL
        aptitude install libcrypt-ssleay-perl libnet-ssleay-perl
        After installing everything and running the Perl script, I’m having the same problem of a hang @ “Sending configuration packet…”

      • sammczk says:

        I sent you debug details by email

  6. Figue says:

    Hi

    First of all, thank you for this script. I’m trying to use it to connect to my company VPN. It has a host checker and a simple user/password authentication, without any PIN (FYI I don’t have any control over the Juniper).
    The problem is the script can’t get any information from the cookie. I checked the first POST submit with Tamper Data and it’s not the same as in your script:

    my $res = $ua->post("https://$dhost:$dport/dana-na/auth/url_default/login.cgi",
        [ btnSubmit => 'Sign In',
          password => $password,
          realm => $realm,
          tz => '60',
          username => $username,
        ]);

    In my case, I see something different, I think this is what I need:
    my $res = $ua->post("https://$dhost:$dport/dana-na/auth/url_default/login.cgi",
        [ tz_offset => '60',
          username => $username,
          password => $password,
          realm => $realm,
          btnSubmit => 'Acceder',
        ]);

    (FYI btnSubmit is translated into Spanish…)

    After the first POST the script can’t catch any information.

    [figue@M12658 jvpn-0.4.1]$ ./jvpn.pl
    Enter PIN+passsword: *******
    Transfer went ok
    Got DSID=, dfirst=, dlast=
    Unable to get data, exiting

    Tried many things, but I can’t find anything. Can you help me? I’m on an Archlinux x86_64 box with all Perl modules installed.

    Thank you

  7. Zach says:

    I too am getting to “Sending configuration packet” and then it hangs. Help would be appreciated.

    • sammczk says:

      There could be a number of reasons. I think I will do a blog post about jvpn debugging. If you set the debug level to 1 you should have some logs in the directory with the Juniper binaries, e.g. ~/.juniper_networks/network_connect/. Also, if you can create a temporary VPN account I can try to debug it.

      BTW, does it work in Linux at all? It is also possible that host checker (tncc.jar) is mandatory on your system and this is the reason. In my case it is not.

      • lindenleAlex says:

        Hi, I have the same issue (I had to change a few of the inputs to match the web source) but when I run it just hangs at “Sending configuration packet”.

  8. Ihor says:

    As for section “Perl wrapper”:
    If on Ubuntu you get the message:

    root@localhost:~/Desktop/jvpn-0.4.1$ ./jvpn.pl
    Can’t locate Term/ReadKey.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl .) at ./jvpn.pl line 7.
    BEGIN failed–compilation aborted at ./jvpn.pl line 7.

    then please install the following module

    sudo apt-get install libterm-readkey-perl

  9. jose says:

    Hi all,

    I tried installing on Ubuntu 10.04 (32 bits) and have the same problem, it hangs at “Sending configuration packet”.

  10. […] JVPN is a Perl script to connect to the Juniper VPN with Host Checker enabled. New version adds a lot of fixes + new experimental mode “ncui”. In this mode script trying to use libncui.so library instead of ncsvc directly. If you was able to get SSID but not able to connect in the previous version i am recommending to try ncui mode in version 0.5.0. […]

  11. senthilkumar says:

    When I tried to connect it gave the following error

    sudo ./jvpn.pl
    Enter PIN+password: ****
    An error happened: 500 Can’t connect to XXXXX (certificate verify failed)

  12. lm_ says:

    Hi. Does this script work on SRX devices?

  13. Allan Joergensen says:

    I’m unable to get this to work:

    Enter PIN+password: **********
    Transfer went ok
    Got DSID=, dfirst=, dlast=
    Unable to get data, exiting

    It seems it doesn’t get any cookie data ($cookie is empty)

  14. Stefan Becker says:

    Now that Firefox 19 broke Juniper VPN, someone from our corporate IT sent me a pointer to this post. Works like a charm on Fedora 18, 64-bit.

    Thanks!

  15. Eric says:

    Installed JVPN 0.5.0 on a Pinguyos 12.4 64bits:

    Loaded following:
    perl-Crypt-SSLeay
    perl-TermReadKey
    perl-libwww-perl
    cpan -i Term::ReadKey
    cpan -i IO::Socket::SSL

    Stuck at:

    Enter PIN+password: **************
    Transfer went ok
    Got DSID
    Certificate fingerprint: [dbdc10d4f53ced8dbf1081555c76ab32]
    TCP Connection to ncsvc process established.
    Sending handshake #1 packet… [done]
    Sending handshake #2 packet… [done]
    Sending configuration packet…

  16. oxeen says:

    Hello.

    We use OTP and there is no way I can add that to any of the fine scripts which are out there.

    sudo perl jvpn.pl
    Enter PIN+password: **********
    Transfer went ok
    Got DSID=, dfirst=, dlast=
    Unable to get data, exiting

    Or should I log in via web interface and supply the OPT+password ?

  17. […] scripting support. It allows to run custom script on connect/disconnect events. Script page is https://smallhacks.wordpress.com/2012/07/15/jvpn-perl-script-to-connect-to-the-juniper-vpn-with-host-…. Please test and let me know if it works for […]

    • Yevgeniy says:

      Hi,

      Have tried new version 0.6.0 on Fedora 18, got following:
      sudo ./jvpn.pl
      Enter PIN+password: **********
      Transfer went ok
      Got DSID
      Certificate fingerprint: [b4962c86e35c8524d6c8c0e6b6158a00]
      TCP Connection to ncsvc process established.
      Sending handshake #1 packet… [done]
      Sending handshake #2 packet… [done]
      Sending configuration packet… [done]
      Status=6e
      Authentication failed, exiting

      Previous version 0.5.0 hanged on “Sending configuration packet…”

      Any thoughts?

  18. Damian ONeill says:

    Hi,

    Certificate fingerprint: [XXXX]
    ERROR in Socket Creation : Connection refused

    Any idea why after the certificate fingerprint I’m getting Socket Creating: connection refused?

    Running on

    Linux version 2.6.35.14-106.lacp.fc14.x86_64 (root@acer) (gcc version 4.5.1 20100924 (Red Hat 4.5.1-4) (GCC) ) #1 SMP Fri Jan 18 19:47:40 GMT 2013
    Fedora release 14 (Laughlin)
    x86_64 x86_64 x86_64
    kernel-2.6.35.14-106.lacp.fc14.x86_64

    Thanks.

    • Damian ONeill says:

      A bit of investigation: I’m on 64-bit Fedora, and ncsvc requires zlib, specifically 32-bit zlib.

      [root@cartman jvpn-0.6.0]# ./ncsvc
      ./ncsvc: error while loading shared libraries: libz.so.1: cannot open shared object file: No such file or directory

      yum install zlib-devel.i686 provides the dependency.

  19. Yevgeniy says:

    I have tried ncui mode with debug=1

    sudo ./jvpn.pl
    Enter PIN+password: **********
    Transfer went ok
    Got DSID=6eec2102475ee4b5fba02432f9fd22f0, dfirst=1370248077, dlast=1370248079
    Saved certificate to temporary file: /tmp/4rijQZshkG
    Client not exists, downloading from https://****.****.com:443/dana-cached/nc/ncLinuxApp.jar
    Done, extracting
    Archive: ncLinuxApp.jar
    replace ncsvc? [y]es, [n]o, [A]ll, [N]one, [r]ename: A
    inflating: ncsvc
    inflating: libncui.so
    Trying to compile ‘ncui’. gcc must be installed to make this possible
    ncui binary compiled
    Starting ncui, this should bring VPN up.
    Press CTRL+C anytime to terminate connection
    ./ncui
    -p

    -h
    ****.****.com
    -c
    DSSignInURL=/; DSID=6eec2102475ee4b5fba02432f9fd22f0; DSFirstAccess=1370248077; DSLastAccess=1370248079; path=/; secure
    -f
    /tmp/4rijQZshkG
    -l
    5
    -L
    5
    ncui terminated
    Error: new interface not found, check ncsvc logs
    Logging out…
    Killing ncsvc…
    Exiting

    In ncsvc.log file I have one suspicious line:
    ncsvc[p3880.t3889] worker.error connect to :443 failed. IVE returned error 20001068 (ncp_dsssl.cpp:1062)

    Why does ncsvc try to connect to my computer on port 443? I don’t have an https server running.

  20. Pascal says:

    Hello,

    I have the following problem with the script, it is able to login, but then no cookie information is found.

    When I use firebug in my browser all cookies are set. However, when posting, in the request headers, there also seems to be a DSHCSTARTED cookie set.

    When using the script, after login, I added a print statement to see the contents of the cookie_jar variable. It contains the following:

    Enter PIN+password: **********
    Using realm: AD
    Transfer went ok
    Set-Cookie3: DSHCSTARTED=1; path=”/dana-na/”; domain=ura-eu.it-solutions.atos.net; path_spec; secure; discard; version=0

    Got DSID=, dfirst=, dlast=
    Unable to get data, exiting

    It looks like the server wants to set the cookie firefox already had set during the first GET of the login page.

    Please help.

  21. Mandel Jeff E says:

    This has been the only approach I’ve been able to get to work with my institution’s VPN. Having said this, it doesn’t allow me to do what I need, which is to automatically grab my email with fetchmail. I’d like to be able to have jvpn called from fetchmail preconnect, exit, then have the connection killed by postconnect. It might also be nice to locally cache the cookie and only grab the cookie when the cached version fails.

    Suggestions?

    • sammczk says:

      Hi, thank you for the feedback. Let me comment on all topics:
      1) If you have a static password you can use something like
      cat /etc/vpn/passwd | jvpn
      to substitute it. In the next version I am going to add support for password helpers.
      2) Currently I have implemented hook support in the app but it is broken in the last version; I forgot to merge it.
      3) You can kill the VPN by using the ncsvc -K command; jvpn will shut down as well.
      4) SSID caching is a controversial idea from a security standpoint. Maybe I will make it an optional feature. It will also make the flow more complicated – if the SSID does not work we need to start from the beginning.

      Let me know if you have more questions

      • Mandel Jeff E says:

        1) I love password helpers on my desktop machine, but on my server, I’m not sure there’s an advantage over /etc/vpn/passwd with access restricted to the process.
        2) To do what I want, I simply need jvpn to exit leaving the connection up, perhaps waiting until it has established the route.
        3) I could see ncsvc -K would work. Thanks
        4) I think the incremental security concerns of caching the SSID are small, but I can’t worry about the security concerns of an IT department that forces me to open every port to their entire network when all I need is IMAPS to a single host. I haven’t tracked it extensively, but it seems like the cookie will only change if I change my password, which I’m already caching on the server. I think you can do more damage with my password than with the cookie. Bottom line, don’t let someone root your server.

      • sammczk says:

        OK, it’s probably a good idea to implement some kind of extended syntax, e.g.
        password="text:12345678"
        password="helper:/usr/bin/stoken"

        As for exiting after the connection is established – I don’t like this idea too much. Probably you can do this with minor modifications. A better idea is to split the GUI and the daemon, but I don’t think I have time for this.
        About SSID caching – for me it changes every time after logout. If I just kill the VPN without logging out, the old cookie will work for some time.

  22. […] JVPN is a Perl script to connect to the Juniper VPN with Host Checker enabled. New version adds ability to store password/token in configuration or to use external scripts to provide it. Also it adds ability to define custom URL and addressing issues with scripting support added in 0.6.0. You can download it from JVPN post. […]

  23. […] Download location could be found in JVPN post. […]

  24. Orgad says:

    HostChecker seems to be broken. I tried to enable it. It downloads the jar and tries to execute then I get:

    Error: Main method not found in class net.juniper.tnc.HttpNAR.HttpNAR, please define the main method as:
    public static void main(String[] args)

    Any idea?

    • sammczk says:

      Could you please test if tncc.jar in the jvpn directory is valid? E.g.
      unzip -t tncc.jar
      It seems that java is unable to find main class in it.

      • Orgad says:

        It is. I even decompiled it and it doesn’t have Main…

      • sammczk says:

        Ok, so please do this:
        1) Connect to the vpn using 32-bit browser/jre
        2) do “ps ax|grep tncc”
        3) send me the report )

      • Orgad says:

        Paste with a few trivial substitutions.

        /usr/lib/jvm/java-6-openjdk-i386/jre/bin/java -classpath /home/user/.juniper_networks/tncc.jar net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR log_level 2 postRetries 6 ivehost vpn.host.com Parameter0 interval=10;process_timeout=20;failurl=;cert_md5=;hash_key=;id=;logging=1 locale en home_dir /home/user user_agent Mozilla/5.0 (X11; Linux i686; rv:17.0) Gecko/20130811 Firefox/17.0 Iceweasel/17.0.8

      • Orgad says:

        Ok, I just replaced net.juniper.tnc.HttpNAR.HttpNAR with net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR and now it works.

        Thanks a million! I can’t get it to work from the browser, and your script works like charm 🙂

      • sammczk says:

        Perfect, I was not aware that the start class name could be different. Unfortunately it is set from another applet, so I can’t just grab it from the web page. Could you please send me your version of tncc.jar? Maybe I will add auto-detection.

      • sammczk says:

        Just in case – I added valid class auto-detection in git, so now it should work for you w/o patches.

      • sectorclear says:

        Hi, sammczk and all.

        I rolled back to Ubuntu Linux 14.04 (it was on 15.10). Now, my script can’t get the DSID, like this:

        $ sudo perl jvpn.pl
        Enter PIN+password: **************
        Transfer went ok
        Got DSID
        Unable to get DSID, exiting

        Until that moment I was using jvpn.ini with the configuration hostchecker=0.

        I checked that all the necessary libs are installed.

        When I changed to hostchecker=1, the error was a different one. So, I’m facing the same problem connecting to my company VPN that some guys reported here:

        Error: Main method not found in class net.juniper.tnc.HttpNAR.HttpNAR, please define the main method as:
        public static void main(String[] args)

        Then I decided to make some tests while reading your posts here… so, like I said, I thought my mistake was the same as the one Orgad and others experienced, but after replacing net.juniper.tnc.HttpNAR.HttpNAR with net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR the error changed to this:

        $ sudo perl jvpn.pl
        Enter PIN+password: **************
        Transfer went ok
        Exception in thread “main” java.lang.NoClassDefFoundError: netscape/javascript/JSObject
        at net.juniper.tnc.NARPlatform.linux.LinuxNARlatform.getOSName(LinuxNARlatform.java:93)
        at net.juniper.tnc.HttpNAR.NARUtil.getOSName(NARUtil.java:249)
        at net.juniper.tnc.HttpNAR.HttpNAR.initialize(HttpNAR.java:206)
        at net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR.main(LinuxHttpNAR.java:50)
        Caused by: java.lang.ClassNotFoundException: netscape.javascript.JSObject
        at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
        at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
        at java.security.AccessController.doPrivileged(Native Method)
        at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
        at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
        at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
        … 4 more
        Unable to start tncc.jar process at jvpn.pl line 690.

        For information, line 690 contains the following code:

        die("Unable to start tncc.jar process") if !-e $ENV{"HOME"}."/.juniper_networks/narport.txt";

        So, it’s possible that I made “a wrong movement” when I changed net.juniper.tnc.HttpNAR.HttpNAR to net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR. Then I rolled back the change in jvpn.pl.

        Also, I tested tncc.jar with unzip -t tncc.jar and the file did not show an error, but I don’t know if java is able to find the main class in it.

        Now, I’d be glad of your help, please.

        Best regards.

        Eduardo Alberton

  25. Aleksandr says:

    Hi. I have set up this script and it works perfectly. Is it possible to make it reconnect after a lost connection?

    • sammczk says:

      Not yet. It should not be very hard to add. Do you have a permanent password?
      Actually there are 2 possibilities to do this:
      1) Reconnect using the SSID (it can work if the SSID is still valid)
      2) Reconnect using the login/password combination once more
      It is clear that 2) will work only if the password is provided by a script or defined in the configuration. 1) should work with any type of password, but is probably less reliable.

  26. Aleksandr says:

    I defined my password in config file. I need this feature because VPN client installed on PC which must be available 24/7.

  27. deniszh says:

    Hello, Alex! 🙂
    Thanks a lot for jvpn, works like a charm 🙂

  28. Pablo says:

    Man, you saved my life… Thanks a lot!!!

  29. figue82 says:

    Older versions didn’t work for me, but now 0.7.0 works fine!!! Only a little tweak is needed in my case:

    Line 138:
    btnSubmit => ‘Acceder’

    “Acceder” means “Sign in” in Spanish.

    Thank you for your work! Finally I can connect (and reconnect with a little script) to one of my customers’ VPN without the browser pain.

  30. clean79 says:

    Hi,
    I tried this script but it returns the message “Unable to get DSID, exiting”. $cookie is empty, I checked the URL, it is correct. Any suggestion? Thanks a lot.

  31. Jason says:

    Hi.
    Just wondering if this can be made to work with MacOS X client.
    I suspect it should be doable. At the moment, it tries to download ncLinuxApp.jar, then gives an “error connecting to 127.0.01:4242 : Operation timed out at jvpn.pl line 707”.

  32. Pavel says:

    Unable to start tncc.jar process at ./jvpn.pl line 690.

    Got this error on both Ubuntu 13.04 and RHEL 6.4, I know it’s something silly but can you please point me what am I doing wrong ?

    Java version on RHEL

    java version “1.6.0”
    Java(TM) SE Runtime Environment (build pxa6460sr14-20130705_01(SR14))
    IBM J9 VM (build 2.4, JRE 1.6.0 IBM J9 2.4 Linux amd64-64 jvmxa6460sr14-20130704_155156 (JIT enabled, AOT enabled)
    J9VM – 20130704_155156
    JIT – r9_20130517_38390
    GC – GA24_Java6_SR14_20130704_1138_B155156)
    JCL – 20130618_01

    • Pavel says:

      That’s an error:
      Enter PIN+password: ***********
      Transfer went ok
      Exception in thread “main” java.lang.NoSuchMethodError: net/juniper/tnc/HttpNAR/HttpNAR.main([Ljava/lang/String;)V
      Unable to start tncc.jar process at ./jvpn.pl line 690.

  33. pierre taieb says:

    hi, this might be a tricky one as I use Gentoo. I go all the way to

    \r
    function checkSelected() {\r
    var doCheck = 1;\r…
    (+ 5005 more bytes not shown)
    Got DSID=, dfirst=1385248792, dlast=1385248792
    Unable to get DSID, exiting

    I can connect using Firefox but it times out and restricts me to some URL, this is why I am trying to use your script

  34. DJJ says:

    Hello,
    I nearly managed to establish a connection. I’m stuck here: “Sending configuration packet…”
    After turning on debug I got this:

    0x00000000 (00000) 00000000 00000066 01000000 01000000 …….f……..
    0x00000010 (00016) 000000cb 00cb0000 00c50001 0000001a …………….
    0x00000020 (00032) 76706e73 736c2e75 2d636572 67792e66 vpnssl.xxxxx.xx
    0x00000030 (00048) 72000002 00000078 44535369 676e496e x……xDSSignIn
    0x00000040 (00064) 55524c3d 2f3b2044 5349443d 39306337 URL=/; DSID=90c7
    0x00000050 (00080) 34636265 35663337 64306530 65306639 4cbe5f37d0e0e0f9
    0x00000060 (00096) 64373431 30303261 65613032 3b204453 d741002aea02; DS
    0x00000070 (00112) 46697273 74416363 6573733d 31333835 FirstAccess=1385
    0x00000080 (00128) 39353135 37323b20 44534c61 73744163 951572; DSLastAc
    0x00000090 (00144) 63657373 3d313338 35393531 3537343b cess=1385951574;
    0x000000a0 (00160) 20706174 683d2f3b 20736563 75726500 path=/; secure.
    0x000000b0 (00176) 000a0000 00216236 62366635 36313938 …..!b6b6f56198
    0x000000c0 (00192) 37356336 66333437 32346166 64313337 75c6f34724afd137
    0x000000d0 (00208) 61393234 613200 a924a2.

    any help?

  35. DJJ says:

    Hello.

    I’m really clueless about the above error. Any help please

  36. DJJ says:

    I managed to establish a connection by switching to mode=ncui in the jvpn.ini file. Many thanks for the program.

  37. CD says:

    Hi Alex,

    I can see great effort you’ve put in your script and its voluntary support. Thanks a lot.

    By any chance, do you happen to know how get over not getting DSID

    Transfer went ok
    Got DSID=, dfirst=1389890565, dlast=1389890565
    Unable to get DSID, exiting

    or how to debug it more

    Thanks a lot

    • CD says:

      btw. I always end up with

      20140116172150.615658 ncsvc[p19458.t19458] dsclient.error state post auth cache cleaner failed, error 10 (dsclient.cpp:372)
      20140116172150.615933 ncsvc[p19458.t19458] ncapp.error Failed to authenticate with IVE. Error 10 (ncsvc.cpp:225)

  38. htor says:

    Just have to say that this is the ONLY Juniper VPN solution that worked for me on Debian 64bit. Thanks a lot, buddy!

    Some notes:

    I got a missing Perl library error and after that I got an error about “Connection refused” when trying to run jvpn the first time. To fix those I did:

    sudo dpkg --add-architecture i386

    sudo apt-get update

    sudo apt-get install libterm-readkey-perl zlib-bin:i386

  39. Anthony says:

    I realize this is a fairly old forum and the likelihood of getting feedback is low, but here goes. I am fairly new to Linux and don’t know Perl. Perl is a scripting language after all and looks pretty straightforward, but I am stuck on getting it to run. A web search turned up nearly zero.

    ERROR:
    Can’t locate xfce4.pm in @INC (@INC contains: /etc/perl /usr/local/lib/perl/5.14.2 /usr/local/share/perl/5.14.2 /usr/lib/perl5 /usr/share/perl5 /usr/lib/perl/5.14 /usr/share/perl/5.14 /usr/local/lib/site_perl .) at ./jvpn.pl line 17.
    BEGIN failed--compilation aborted at ./jvpn.pl line 17.

  40. linuxchuck says:

    I know this is several months down the road since the last post, but I thought I’d let you know people are still using your script. 🙂

    I have modified my copy of your script to work with a Juniper+RSA SecurID setup. Our login page has 3 separate fields: Username, Password, and RSA Token Code. The changes I made are minor, but allow this script to work flawlessly with the Juniper setup we have. I basically added one additional password prompt, added the related post variable where needed, and instantiated a new variable inside the read_password function to keep it from overwriting both passwords with the 2nd. If you are interested, let me know, and I’ll send you a diff.

    • sammczk says:

      I’m glad that it works for you. Not sure if I can accept this diff if it breaks the main functionality. But thank you for the feedback anyway.

    • Al says:

      Can you provide the diff that does this? I also have the case of entering: (username, password, RSA Token) prior to starting the client.

      Thanks,

    • John Boyd says:

      Have you posted your diff anywhere? I also have to enter a password + PIN + Digipass key

  41. JTG says:

    I think that I might have the same setup as linuxchuck. However, I found that the 0.7.0 script from above would still contact my VPN concentrator on a URL that worked. When it did so, it would bring up a separate page that asks for a token. (Much like how the script already works.) However, this separate page did not contain any of the strings that the script was looking for in order to ask for a second password. So I was able to modify the 0.7.0 script to look for the new fields. I think that it should still maintain all of the old functionality that it had previously, but it should also work with the new setup as well, if you would like me to send you a diff.

  42. perl1ster says:

    This is a great script and helps to avoid the mess with Web browser, Java and 32/64 bit. I had to add a cookie to skip over an initial confirmation screen (DSSigninNotif=1), and add the 2nd password (like linuxchuck describes). However it looks like there is a problem with new versions of the SSL VPN device. Since an update, I get a failure after host checker (even though the required file for the hostchecker is present and matches):

    Enter password: ********
    Enter PIN+Tokencode: ************
    Transfer went ok
    socket opened
    TCP Connection to the tncc.jar process established.
    Sending data to tncc… [done]
    Got DSID
    Certificate fingerprint: [efee13b620800824d303fef600df421b]
    TCP Connection to ncsvc process established.
    Sending handshake #1 packet… [done]
    Sending handshake #2 packet… [done]
    Sending configuration packet… [done]
    Status=6e
    Authentication failed, exiting

    Anybody also experiencing this problem? Any idea how to solve or troubleshoot?

  43. Frank Mulder says:

    Genius! I could never get the command line scripts to work, so I always had to run a 32 bit Firefox as root, having it point to a 32 bit Java, fill in my credentials and skip the host checker and then hope it will work. When it stopped working again, I searched a bit harder and found your script. It worked right away, and very beautifully, too. Thanks a lot!

  44. Jimb0 says:

    A hint on why Got DSID=, why would that be blank?

    I did try to set url=. When I do change it from the default to what shows up on my web site, I get: An error happened: 404 Invalid Path.

    Any help would be great.

    Thanks.

    • Jimb0 says:

      Ok, tweaked the script to get my web site name right. It is a little odd.

      But still get this…..

      ~/jvpn-0.7.0 $ sudo ./jvpn.pl
      Using user-defined password
      Transfer went ok
      Got DSID
      Unable to get DSID, exiting

  45. Jimb0 says:

    Just would like a pointer. Why would DSID come back blank?

    \r
    \r
    \r
    </div…
    (+ 1401 more bytes not shown)
    Transfer went ok
    Got DSID=, dfirst=1398784876, dlast=1398784876
    Unable to get DSID, exiting

  46. Jimb0 says:

    So I turn on host checker.

    Client-SSL-Cipher: RC4-SHA
    Client-SSL-Socket-Class: IO::Socket::SSL

    (no content)
    Error: Main method not found in class net.juniper.tnc.HttpNAR.HttpNAR, please define the main method as:
    public static void main(String[] args)
    Unable to start tncc.jar process at ./jvpn.pl line 690.

  47. Jimb0 says:

    Still got an error

    \r
    \r
    \r
    </div…
    (+ 1401 more bytes not shown)
    Transfer went ok
    Error: Main method not found in class net.juniper.tnc.HttpNAR.HttpNAR, please define the main method as:
    public static void main(String[] args)
    Unable to start tncc.jar process at ./jvpn.pl line 690.

    made sure the file was in /.juniper_networks/network_connect

  48. Reavy says:

    I’m getting an error that looks like this. The double “\n\n” looks kind of strange to me. The script worked really well under Ubuntu 14.04. This is what I get in Fedora 20.

    Using user-defined password
    POST https://#######.######.com:443/dana-na/auth/url_default/login.cgi
    User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:23.0) Gecko/20100101 Firefox/23.0
    Content-Length: 75
    Content-Type: application/x-www-form-urlencoded
    Cookie: DSCheckBrowser=java
    Cookie2: $Version="1"

    btnSubmit=Sign+In&password=##########&realm=Corporate&tz=60&username=######
    500 Can’t connect to #######.######.com:443
    Content-Type: text/plain
    Client-Date: Tue, 03 Jun 2014 18:18:32 GMT
    Client-Warning: Internal response

    Can’t connect to #######.######.com:443\n\n
    An error happened: 500 Can’t connect to #######.######.com:443

  49. I get this error:

    Transfer went ok
    Exception in thread “main” java.lang.NoClassDefFoundError: netscape/javascript/JSObject
    at net.juniper.tnc.NARPlatform.linux.LinuxNARlatform.getOSName(LinuxNARlatform.java:93)
    at net.juniper.tnc.HttpNAR.NARUtil.getOSName(NARUtil.java:249)
    at net.juniper.tnc.HttpNAR.HttpNAR.initialize(HttpNAR.java:206)
    at net.juniper.tnc.NARPlatform.linux.LinuxHttpNAR.main(LinuxHttpNAR.java:50)
    Caused by: java.lang.ClassNotFoundException: netscape.javascript.JSObject
    at java.net.URLClassLoader$1.run(URLClassLoader.java:366)
    at java.net.URLClassLoader$1.run(URLClassLoader.java:355)
    at java.security.AccessController.doPrivileged(Native Method)
    at java.net.URLClassLoader.findClass(URLClassLoader.java:354)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:425)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:308)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:358)
    … 4 more
    Unable to start tncc.jar process at ./jvpn.pl line 741.

    • Got past this by adding plugin.jar to the classpath but now I get this error:

      TCP Connection to the tncc.jar process established.
      Sending data to tncc… 0x00000000 (00000) 73746172 740a4943 3d736563 7572652e start.IC=secure.
      0x00000010 (00016) 73636c68 732e6e65 740a436f 6f6b6965 sclhs.net.Cookie
      0x00000020 (00032) 3d0a4453 5349474e 494e3d6e 756c6c0a =.DSSIGNIN=null.
      0x00000030 (00048)
      0x00000000 (00000) 3430340a 320a0a30 0a0a 404.2..0..

      Got non 200 (404) return code

  50. DJJ says:

    Hello, I’m having some trouble connecting to the VPN using jvpn.
    The connection through the browser worked fine.
    I posted the error with the debug = 1
    as well as part of the error with strace.

    Any help please.

    Using user-defined password
    POST https://vps.example.com:443/dana-na/auth/url_1/login.cgi
    User-Agent: JVPN/Linux
    Content-Length: 76
    Content-Type: application/x-www-form-urlencoded

    btnSubmit=Sign+In&password=********&realm=*****+*****&tz=60&username=*****
    500 Can’t connect to vpn.example.com:443
    Content-Type: text/plain
    Client-Date: Wed, 02 Jul 2014 10:49:50 GMT
    Client-Warning: Internal response

    Can’t connect to vpn.example.com:443\n\n
    An error happened: 500 Can’t connect to vpn.example.com:443

    Can’t connect to vpn.example.com:443\n\n
    ) = 189
    write(1, “An error happened: 500 Can’t con”…, 62An error happened: 500 Can’t connect to vpn.example:443
    ) = 62
    exit_group(1) = ?

  51. DavidKW says:

    Hi Samm,
    I successfully ran your script v0.7.0 on Ubuntu 14.04, but it seems there was an update to Ubuntu’s Perl recently which causes the certificate check despite verifycert=0 in the ini file:

    Can’t connect to xxxxx-ssl.bvpneu.com:443 (certificate verify failed)\n
    LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 41.\n
    An error happened: 500 Can’t connect to xxxxx-ssl.bvpneu.com:443 (certificate verify failed)

    Also tried running straight from shell:
    PERL_LWP_SSL_VERIFY_HOSTNAME=0 GET https://xxxxxx-ssl.bvpneu.com/
    Can’t connect to xxxxx-ssl.bvpneu.com:443 (certificate verify failed)

    LWP::Protocol::https::Socket: SSL connect attempt failed with unknown error error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at /usr/share/perl5/LWP/Protocol/http.pm line 41.

    Found a bug report at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=748740 which hinted to add 'SSL_verify_mode' => 0 as a parameter to ssl_opts on line 99:

    $ua->ssl_opts('SSL_verify_mode' => 0, 'verify_hostname' => $verifycert);

    This removes the certificate verify fail error, just getting another about invalid user/password, but that’s another story.

    DW
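
An alternative to switching verification off as in the workaround above, added here as an example (it is not code from jvpn or from the commenter): keep peer verification on and either pin the gateway certificate or trust a private CA file. The `cafile` and `fingerprint` settings are hypothetical names, not jvpn.ini options, and all sample values are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use LWP::UserAgent;
use IO::Socket::SSL;    # exports SSL_VERIFY_NONE and SSL_VERIFY_PEER

# Turn three settings into the ssl_opts that LWP::UserAgent hands to
# IO::Socket::SSL. "verifycert" is the jvpn.ini option from the comment above;
# "cafile" and "fingerprint" are hypothetical options made up for this example.
sub build_ssl_opts {
    my (%cfg) = @_;

    # Equivalent of the workaround: the gateway is not authenticated at all,
    # so whoever answers on port 443 receives the password and token code.
    return (verify_hostname => 0, SSL_verify_mode => SSL_VERIFY_NONE)
        unless $cfg{verifycert};

    my %opts = (verify_hostname => 1, SSL_verify_mode => SSL_VERIFY_PEER);

    if (defined $cfg{fingerprint}) {
        # Pin one certificate: IO::Socket::SSL accepts the peer only if its
        # certificate hashes to this value, whoever signed it.
        die "fingerprint must be sha256\$ followed by 64 hex digits\n"
            unless $cfg{fingerprint} =~ /^sha256\$[0-9a-fA-F]{64}$/;
        $opts{SSL_fingerprint} = $cfg{fingerprint};
    }
    elsif (defined $cfg{cafile}) {
        # Trust a private CA bundle (PEM) in place of the system store.
        die "CA file $cfg{cafile} is not readable\n" unless -r $cfg{cafile};
        $opts{SSL_ca_file} = $cfg{cafile};
    }
    return %opts;
}

# Constructed sample settings; nothing below opens a network connection.
my @samples = (
    { verifycert => 0 },
    { verifycert => 1 },
    { verifycert => 1, fingerprint => 'sha256$' . ('ab' x 32) },
    { verifycert => 1, cafile => '/nonexistent/corp-ca.pem' },
);

for my $cfg (@samples) {
    my %opts = eval { build_ssl_opts(%$cfg) };
    if ($@) {
        print "rejected: $@";
        next;
    }
    my $ua = LWP::UserAgent->new(ssl_opts => \%opts);
    print join(', ', map { "$_=" . $ua->ssl_opts($_) } sort keys %opts), "\n";
}
```
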

  52. […] You can download the script and view screenshots on my blog (http://samm.kiev.ua/jvpn/jvpn-0.4.0.tar.bz2). The script was tested on RHEL5/6 and […]

  53. linuxchuck says:

    I’m still using the script and appreciate your efforts on it. However, my office has a new setup coming in that will allow us to choose a role after logging in to the initial page. Any clue if this script will function with that method? On our tests with this new layout, I am getting an error of “unable to get DSID”. Is there anywhere I should try to look to determine a possible fix?

    • Romain says:

      Did you find a fix for the other page to choose a role after logging in to the initial page?
      I’m in the same case…

      Thanks

    • fgal says:

      Hallo, same problem here… did you ever manage to get a solution? Moreover, I have no access to login.cgi script so I don’t know whether there are further parameters which may be passed with POST…
      Thanks!

  54. Trustin Lee says:

    I was getting ‘Status=6e’ error as well. The problem went away after enabling IPv6, though. I disabled IPv6 by passing the ‘ipv6.disable=1’ option to the kernel.

  55. Selva says:

    Thank you for this work. This works like a charm. In my case hostchecker was failing saying that ‘required port 22 is not open’. It worked after

    apt-get install openssh-server

  56. Francesco P. says:

    Hi, I have doubts about this part of the guide -> “before usage you will need to setup host name”.
    Is the host name the login page for the VPN connection (e.g. https://test.****.it/dana-na/auth/url_12/welcome.cgi)?

    Thank you.

    F.

  57. Thomas Bosch says:

    Hi.

    I think this problem, already mentioned here, is a general problem. I mean this one:

    Console out:
    ——————————————
    Enter password: ********
    Enter PIN+Tokencode: ************
    Transfer went ok
    socket opened
    TCP Connection to the tncc.jar process established.
    Sending data to tncc… [done]
    Got DSID
    Certificate fingerprint: [efee13b620800824d303fef600df421b]
    TCP Connection to ncsvc process established.
    Sending handshake #1 packet… [done]
    Sending handshake #2 packet… [done]
    Sending configuration packet… [done]
    Status=6e
    Authentication failed, exiting

    ncsvc.log
    —————————————————
    conn.info cleanup 0 (ncp.cpp:1563)
    ncp.error NCP_ESTABLISH_DONE for IVE ssl-vpn.xyz.com (ncp.cpp:1994)
    dsio.para poll got return value of 1
    dsio.para calling NcpHandler (dsio.cpp:526)
    ncphandler.para got 1 NCP callback, info->error 0 (ncphandler.cpp:255)
    ncphandler.info establish done (ncphandler.cpp:283)
    ncp.info connect to myComputer:443 svc 4 (ncp.cpp:901)
    connect.info creating a new HTTP connection… (ncp_dsssl.cpp:179)
    http_connection.para Entering state_start_connection (http_connection.cpp:344)
    http_connection.para Remote Address: ip=88.xxx.yyy.100, port=443, familiy=2 (http_connection.cpp:788)
    http_connection.para Remote Server=ssl-vpn.xyz.com (http_connection.cpp:790)
    http_connection.para Local Address: ip=0.0.0.0, port=0, familiy=2 (http_connection.cpp:795)
    http_connection.para Proxy Address: ip=(null), port=0, familiy=0 (http_connection.cpp:800)
    dsio.para poll waiting for 3 fds, max-fd: 7, with timeout : 60
    worker.para 1 sockets are ready for read/write. (ncp_dsssl.cpp:666)
    worker.para intra_ncp_server_sock ready to read. (ncp_dsssl.cpp:676)
    worker.para 1 sockets are ready for read/write. (ncp_dsssl.cpp:666)
    http_connection.para Entering state_continue_connection (http_connection.cpp:361)
    http_connection.para Entering state_ssl_connect (http_connection.cpp:531)
    dsssl.para SSL connect ssl=0xf7213b90/sd=9 connection using cipher RC4-SHA (DSSSLSock.cpp:1428)
    http_connection.para Returning DSHTTP_COMPLETE from state_ssl_connect (http_connection.cpp:539)
    worker.para 1 sockets are ready for read/write. (ncp_dsssl.cpp:666)
    connect.info IVE ncp_version = 3 (ncp_dsssl.cpp:438)
    worker.para 2 sockets are ready for read/write. (ncp_dsssl.cpp:666)
    worker.para intra_ncp_server_sock ready to read. (ncp_dsssl.cpp:676)
    worker.para compressed 19 -> 19 bytes: socket 9, host tbosch (ncp_dsssl.cpp:770)
    worker.para [conn 0x8ab31b8] wrote 21 bytes: socket 9, host tbosch, DSSSL_has_data_tosend 0 (ncp_dsssl.cpp:815)
    worker.para 1 sockets are ready for read/write. (ncp_dsssl.cpp:666)
    worker.para read 3 bytes from connection: socket 9, host myComputer (ncp_dsssl.cpp:868)
    worker.error connect to myComputer:443 failed. IVE returned error 20001068 (ncp_dsssl.cpp:1107)
    worker.para Calling NCP_DISCONNECT_DONE for conn myComputer:443 (ncp_dsssl.cpp:1322)
    dsio.para poll got return value of 1

    … where myComputer is the hostname of my pc.

  58. Romain says:

    Hello and thanks for your script.
    However, I have a problem because after the first login page, a second page asks if I really want to log on…
    See the form of this page:

    Espace securise, voulez vous continuer ?

    Therefore your script can’t get the DSID:

    Enter PIN+password: **********
    Transfer went ok
    socket opened
    TCP Connection to the tncc.jar process established.
    Sending data to tncc… [done]
    Got DSID
    Unable to get DSID, exiting

    Can I put the second post in your script? How can I do that?

    Thank you (your script is really great!)

  59. sectorclear says:

    Hi, Sam.

    Great job with jvpn. Thanks for collaborating with all the people who want to connect to their offices from VPN on Linux and other systems.

    I’m using Linux 14.10LTS and with your howto based on x86 systems I had success connecting to my company VPN:

    ~/jvpn-0.7.0$ sudo perl jvpn.pl
    perl: warning: Setting locale failed.
    perl: warning: Please check that your locale settings:
    LANGUAGE = “pt_BR:pt:en”,
    are supported and installed on your system.
    perl: warning: Falling back to the standard locale (“C”).
    Enter PIN+password: *************
    Transfer went ok
    Got DSID
    Certificate fingerprint: [*************************************]
    TCP Connection to ncsvc process established.
    Sending handshake #1 packet… [done]
    Sending handshake #2 packet… [done]
    Sending configuration packet… [done]
    Connected to vpn.*******.*******.com.br, press CTRL+C to exit

    But after the connection was established I couldn’t open the VPN link to access with my login. Before proceeding with the script installation, I had success.

    Do you have any idea about it?

    Thanks a lot.

  60. Orgad says:

    With recent debian sid, the tun module is not loaded by default. This leads to failure.

    Please add a test for the module before executing, and suggest to run modprobe tun.

  61. Jebop says:

    Hello, does this script work even if the company did not deploy the non-Windows VPN solution? On my browser I can only start the “Windows secure application manager”, I don’t have the “Network connect” option.
    The script failed at some point with ncsvc : Status=6e, Authentication failed, exiting.
    I guess there’s no solution for me, am I right?
    Thank you.

  62. Juan A. S. says:

    Thank you so much!!!! You are the god!

  63. John Guthrie says:

    Hello all,

    For quite some time, I have been getting a dreaded status=6e followed by a disconnect. After checking through various things such as SELinux, iptables, and the like, it finally came down to the existence of /dev/net/tun. It turns out that I did not have that device file in place, and once I created it, then everything started working again. My thought is that the jvpn.pl script should probably check for this. What would be the best way to submit a patch if I wanted to do that?

    Thanks.
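
The check asked for in the two comments above (tun module not loaded, /dev/net/tun missing), sketched as an added Perl example; it is not part of jvpn.pl. The function names and the parameterised paths are assumptions of this example, and the mknod numbers are the standard Linux TUN/TAP device numbers.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# True if the tun driver is listed as a loaded module. A driver compiled
# into the kernel does not appear here, which is why the device node is
# checked first and this is only used to pick the right hint.
sub tun_module_loaded {
    my ($modules_file) = @_;
    open(my $fh, '<', $modules_file) or return 0;
    my $found = grep { /^tun\s/ } <$fh>;
    close $fh;
    return $found ? 1 : 0;
}

# Returns undef when the tun device looks usable, otherwise a message that
# says what is wrong and what to run. Paths are parameters so the check can
# be exercised against test files.
sub check_tun {
    my (%arg) = @_;
    my $dev     = $arg{dev}     // '/dev/net/tun';
    my $modules = $arg{modules} // '/proc/modules';

    if (!-e $dev) {
        return tun_module_loaded($modules)
            ? "$dev does not exist although the tun module is loaded; "
              . "create it with: mkdir -p /dev/net && mknod /dev/net/tun c 10 200"
            : "$dev does not exist and tun is not listed in $modules; "
              . "try: modprobe tun";
    }
    return "$dev exists but is not a character device" unless -c $dev;

    # ncsvc needs to open the device read-write; opening and closing it
    # without any ioctl creates no interface.
    open(my $fh, '+<', $dev) or return "cannot open $dev read-write: $!";
    close $fh;
    return;
}

# Run the check before ncsvc would be started.
my $problem = check_tun();
if (defined $problem) {
    print STDERR "tun check failed: $problem\n";
    exit 1;
}
print "tun check passed\n";
```
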

  64. Hector says:

    Hello everyone;

    Looking for some guidance, running Fedora 23 and I have been attempting to establish a VPN connection to my work for the past few weeks; I am able to authenticate but I keep getting the following error:

    Error connecting to 127.0.0.1:4242 : Connection refused

    Has anyone run into this issue?

    Thank you for any information.

  65. Tonsic says:

    It is now 2017 and it still works like a charm
