bamarni / pi64

A 64-bit OS for the Raspberry Pi 3

Juniper VPN setup in RaspberryPi 3 with pi64 OS #13

Open jbustillosdt opened 7 years ago

jbustillosdt commented 7 years ago

Hello friends. I have tried to set up a Juniper VPN on a Raspberry Pi 3 using pi64 as the operating system, because of the need to execute Juniper binaries that are not available for the ARM architecture with the official Raspbian image.

Following some tutorials like this one: http://blog.geeky.name/post/2016/03/29/HOWTO%3A-Ubuntu-Linux-64bit-Client-connect-to-Juniper-SSL-VPN-without-32bit-Java-(en) I first tried to do it with the icedtea-plugin to get the .jar files, and searched for a way with the official Oracle Java Plugin, but icedtea is the only option available for the Raspberry Pi and it always fails during the Java API execution.

After this, I tried this great Arch Wiki page, following the section "Manual installation of msjnc": https://wiki.archlinux.org/index.php/Juniper_VPN but without success.

Finally, I am currently trying these steps from a workmate:

  1. Install the following packages as root:

    aptitude install stoken libc6:i386 zlib1g:i386 libgtk2-perl libwww-perl qemu libstdc++6:i386 libxext6:i386 libxrender1:i386 libxtst6:i386 libxi6:i386 build-essential cmake pcap-dev linux-headers-[latest]

  2. Import the .sdtid file of our VPN with stoken as the pi user:

    $ stoken import --file file_name.sdtid

  3. Create the Juniper network_connect directory as the pi user:

    $ mkdir -p ~/.juniper_networks/network_connect

  4. Open the URL of our customer login resource in Iceweasel to obtain ncLinuxApp.jar, and download it.

  5. Move the ncLinuxApp.jar file to ~/.juniper_networks/network_connect as the pi user:

    $ mv /home/pi/Downloads/ncLinuxApp.jar /home/pi/.juniper_networks/network_connect

  6. Unzip the ncLinuxApp.jar file as the pi user:

    $ unzip ncLinuxApp.jar

  7. Set the necessary privileges as root on the following files inside /home/pi/.juniper_networks/network_connect:

    chown root:root ncsvc

    chmod 6711 ncsvc

    chmod 744 ncdiag

    chmod +x getx509certificate.sh

  8. Obtain the customer VPN certificate as the pi user:

    $ ./getx509certificate.sh customer.url.com file_name.cert

  9. Execute the following command as root:

    echo 0 | tee /proc/sys/net/ipv6/conf/default/router_solicitations

  10. And finally, start the connection to the VPN as the pi user:

    $ stoken --pin pin_number
    84535943(random_generated_token_code_as_result)
    $ ./ncsvc -h customer.url.com -u user_name -p 84535943(token_code) -r BlackBerry -f ./file_name.cert -U 'https://customer.url.com/dana-na/auth/url_9/login.cgi'

When the execution finishes, the following message appears in the shell prompt:

    Connecting to IP_of_customer.url.com : 443
    Unsupported ioctl: cmd=0x400454ca
    pi@raspberrypi:~$

In the /home/pi/.juniper_networks/network_connect/ncsvc.log file I obtain the next output:

    20170620100817.757984 ncsvc[p2503.t2503] ncsvc.info New ncsvc log level set to 3 (nccommon.cpp:75)
    20170620100817.788892 ncsvc[p2503.t2503] sysdeps.info restoring DNS settings... (sysdeps.cpp:759)
    20170620100817.791375 ncsvc[p2503.t2503] sysdeps.error rename /etc/jnpr-nc-resolv.conf => /etc/resolv.conf failed wirh error 2 (sysdeps.cpp:762)
    20170620100817.793437 ncsvc[p2503.t2503] sysdeps.error rename /etc/jnpr-nc-hosts.bak => /etc/hosts failed wirh error 2 (sysdeps.cpp:766)
    20170620100817.818755 ncsvc[p2503.t2503] ncsvc.info Connecting to IP_of_customer.url.com:443 (ncsvc.cpp:494)
    20170620100818.174685 ncsvc[p2503.t2503] dsclient.info state: kStateSignin (dsclient.cpp:256)
    20170620100818.175954 ncsvc[p2503.t2503] dsclient.info --> GET /dana-na/auth/url_9/login.cgi (authenticate.cpp:179)
    20170620100818.204497 ncsvc[p2503.t2503] dsclient.info <-- 302 https://IP_of_customer.url.com/dana-na/auth/url_9/welcome.cgi?p=failed (authenticate.cpp:211)
    20170620100818.205773 ncsvc[p2503.t2503] dsclient.info state: kStateWelcome (dsclient.cpp:264)
    20170620100818.208268 ncsvc[p2503.t2503] dsclient.info --> GET /dana-na/auth/url_9/welcome.cgi?p=failed (authenticate.cpp:179)
    20170620100818.357804 ncsvc[p2503.t2503] dsclient.info <-- 200 (authenticate.cpp:211)
    20170620100818.361547 ncsvc[p2503.t2503] dsclient.info state: kStateLogin (dsclient.cpp:296)
    20170620100818.363715 ncsvc[p2503.t2503] dsclient.info --> POST /dana-na/auth/url_9/login.cgi (authenticate.cpp:179)
    20170620100822.657145 ncsvc[p2503.t2503] dsclient.info <-- 302 https://IP_of_customer.url.com/dana/home/starter0.cgi?check=yes (authenticate.cpp:211)
    20170620100822.659096 ncsvc[p2503.t2503] dsclient.info --> GET /dana/home/starter0.cgi?check=yes (authenticate.cpp:179)
    20170620100822.862424 ncsvc[p2503.t2503] dsclient.info <-- 200 (authenticate.cpp:211)
    20170620100822.866624 ncsvc[p2503.t2503] authStateLogin.info starter0.cgi has asked for tz_offset parameter (authenticate.cpp:372)
    20170620100822.871651 ncsvc[p2503.t2503] authStateLogin.info starter0.cgi has asked for clienttime parameter (authenticate.cpp:379)
    20170620100822.875161 ncsvc[p2503.t2503] dsclient.info --> POST /dana/home/starter0.cgi?check=yes (authenticate.cpp:179)
    20170620100823.50360 ncsvc[p2503.t2503] dsclient.info <-- 302 /dana/home/starter.cgi (authenticate.cpp:211)
    20170620100823.51729 ncsvc[p2503.t2503] dsclient.info --> GET /dana/home/starter.cgi (authenticate.cpp:179)
    20170620100823.233175 ncsvc[p2503.t2503] dsclient.info <-- 200 (authenticate.cpp:211)
    20170620100823.236412 ncsvc[p2503.t2503] dsclient.info state: kStateAuthenticated (dsclient.cpp:376)
    20170620100823.246444 ncsvc[p2503.t2503] IpcConn.info listening for IPC connections on port 4242 (ncipc.cpp:83)
    20170620100823.266499 ncsvc[p2503.t2503] IpcConn.info unregistering the IPC acceptor IO handler (ncipc.cpp:125)
    20170620100823.273019 ncsvc[p2503.t2503] IpcConn.info client opening connection to service (ncipc.cpp:319)
    20170620100823.273788 ncsvc[p2503.t2503] session.info disconnectAll called (session.cpp:1648)
    20170620100823.275666 ncsvc[p2503.t2503] ipsec.info New tunnel being created (tunnel.cpp:52)
    20170620100823.289637 ncsvc[p2503.t2503] ncsvc.info received onOpen (ncsvc.cpp:546)
    20170620100823.295016 ncsvc[p2503.t2503] session.info ive_host = IP_of_customer.url.com (session.cpp:195)
    20170620100823.299163 ncsvc[p2503.t2503] session.info Will not use a proxy to connect to the IVE (session.cpp:237)
    20170620100823.318372 ncsvc[p2503.t2503] rmon.info got system route 0.0.0.0/0.0.0.0 gw 192.168.1.254 metric 202 via 0x081C0F70 (routemon.cpp:714)
    20170620100823.320132 ncsvc[p2503.t2503] rmon.info got system route 192.168.1.0/255.255.255.0 gw 0.0.0.0 metric 202 via 0x457A5556 (routemon.cpp:714)
    20170620100823.321366 ncsvc[p2503.t2503] rmon.info Collecting latest routes from the system (routemon.cpp:1452)
    20170620100823.324434 ncsvc[p2503.t2503] rmon.info best route to IP_of_customer.url.com is 0.0.0.0/0.0.0.0 via 0x081C0F70 metric: 202 (routemon.cpp:1473)
    20170620100823.326063 ncsvc[p2503.t2503] rmon.info best route to gateway: 192.168.1.0/255.255.255.0 gw 0.0.0.0 via 0x457A5556 metric 202 (routemon.cpp:1976)
    20170620100823.326835 ncsvc[p2503.t2503] rmon.info attempting to add route to next hop gateway (routemon.cpp:1980)
    20170620100823.328271 ncsvc[p2503.t2503] rmon.info adding route to 192.168.1.254/255.255.255.255 with gw 0.0.0.0, metric 1, if_id 1165645142 (routemon.cpp:872)
    20170620100823.331367 ncsvc[p2503.t2503] rmon.info adding server route to the IVE: dest = IP_of_customer.url.com, gw = 192.168.1.254, if_id = 136056688, dev = eth0 (routemon.cpp:1547)
    20170620100823.334352 ncsvc[p2503.t2503] session.info connecting to ive IP_of_customer.url.com (session.cpp:362)
    20170620100823.342682 ncsvc[p2503.t2503] ncp.error ncpEstablish for IVE IP_of_customer.url.com with context 0x81c0c60 (ncp.cpp:428)
    20170620100823.376230 ncsvc[p2503.t2505] main.info Setting DSSSL to use Default ciphers (ncp.cpp:1680)
    20170620100823.453247 ncsvc[p2503.t2505] main.info Setting NCP certificate hash for DSSSL certificate verification (ncp.cpp:1689)
    20170620100823.458097 ncsvc[p2503.t2505] main.info Using DSSSL to connect to IVE (ncp.cpp:1750)
    20170620100823.460329 ncsvc[p2503.t2505] connect.info creating a new HTTP connection... (ncp_dsssl.cpp:176)
    20170620100823.907512 ncsvc[p2503.t2505] connect.info compression is enabled (ncp_dsssl.cpp:400)
    20170620100823.909396 ncsvc[p2503.t2505] connect.info IVE ncp_version = 2 (ncp_dsssl.cpp:410)
    20170620100823.923601 ncsvc[p2503.t2505] conn.info cleanup 0 (ncp.cpp:1418)
    20170620100823.925116 ncsvc[p2503.t2505] ncp.error NCP_ESTABLISH_DONE for IVE IP_of_customer.url.com (ncp.cpp:1793)
    20170620100823.928867 ncsvc[p2503.t2503] ncphandler.info establish done (ncphandler.cpp:279)
    20170620100823.931022 ncsvc[p2503.t2503] ncp.info connect to raspberrypi:443 svc 4 (ncp.cpp:779)
    20170620100823.932099 ncsvc[p2503.t2503] connect.info creating a new HTTP connection... (ncp_dsssl.cpp:176)
    20170620100824.37056 ncsvc[p2503.t2505] connect.info compression is enabled (ncp_dsssl.cpp:400)
    20170620100824.38277 ncsvc[p2503.t2505] connect.info IVE ncp_version = 2 (ncp_dsssl.cpp:410)
    20170620100824.41790 ncsvc[p2503.t2505] connect.error deflateInit2 returned 0 (ncp_dsssl.cpp:486)
    20170620100824.83063 ncsvc[p2503.t2503] ncphandler.info connect done (ncphandler.cpp:284)
    20170620100824.84153 ncsvc[p2503.t2503] session.info Connected to ive IP_of_customer.url.com (session.cpp:426)
    20170620100824.85278 ncsvc[p2503.t2503] adapter.error Can not TUNSETIFF 38 (adapter.cpp:309)
    20170620100824.85813 ncsvc[p2503.t2503] session.info onConnected calling disconnect for ive IP_of_customer.url.com (session.cpp:431)
    20170620100824.86336 ncsvc[p2503.t2503] session.info disconnecting from ive IP_of_customer.url.com with reason 6 (session.cpp:506)
    20170620100824.86686 ncsvc[p2503.t2503] adapter.info closing tun adapter FFFFFFFF (adapter.cpp:747)
    20170620100824.88829 ncsvc[p2503.t2503] sysdeps.info restoring DNS settings... (sysdeps.cpp:759)
    20170620100824.89360 ncsvc[p2503.t2503] sysdeps.error rename /etc/jnpr-nc-resolv.conf => /etc/resolv.conf failed wirh error 2 (sysdeps.cpp:762)
    20170620100824.89770 ncsvc[p2503.t2503] sysdeps.error rename /etc/jnpr-nc-hosts.bak => /etc/hosts failed wirh error 2 (sysdeps.cpp:766)
    20170620100824.96534 ncsvc[p2503.t2503] session.info disconnecting from ive IP_of_customer.url.com with reason 6 (session.cpp:506)
    20170620100824.96963 ncsvc[p2503.t2503] adapter.info closing tun adapter FFFFFFFF (adapter.cpp:747)
    20170620100824.97274 ncsvc[p2503.t2503] sysdeps.info restoring DNS settings... (sysdeps.cpp:759)
    20170620100824.97554 ncsvc[p2503.t2503] sysdeps.error rename /etc/jnpr-nc-resolv.conf => /etc/resolv.conf failed wirh error 2 (sysdeps.cpp:762)
    20170620100824.97812 ncsvc[p2503.t2503] sysdeps.error rename /etc/jnpr-nc-hosts.bak => /etc/hosts failed wirh error 2 (sysdeps.cpp:766)
    20170620100824.98358 ncsvc[p2503.t2503] ncphandler.error NCP disconnect failed, error 107 (ncphandler.cpp:131)
    20170620100824.98958 ncsvc[p2503.t2503] ncp.error ncpTearDown for IVE IP_of_customer.url.com (ncp.cpp:497)
    20170620100824.99602 ncsvc[p2503.t2505] worker.error NCP worker has been requested to stop (ncp_dsssl.cpp:649)
    20170620100824.100750 ncsvc[p2503.t2503] ncphandler.info disconnect done - tearing down (ncphandler.cpp:322)
    20170620100824.104126 ncsvc[p2503.t2505] conn.info cleanup 0 (ncp.cpp:1418)
    20170620100824.104877 ncsvc[p2503.t2505] writer.error thread exit (ncp.cpp:1848)
    20170620100824.104945 ncsvc[p2503.t2503] ncphandler.info teardown done (ncphandler.cpp:340)
    20170620100824.110486 ncsvc[p2503.t2503] ncp.error ncpCleanup for IVE IP_of_customer.url.com (ncp.cpp:618)
    20170620100824.130999 ncsvc[p2503.t2503] session.info disconnected from ive IP_of_customer.url.com with reason 6 (session.cpp:569)
    20170620100824.192462 ncsvc[p2503.t2503] ncui.info received onDisconnect with reason = 6 (ncsvc.cpp:628)
    20170620100824.213766 ncsvc[p2503.t2503] IpcConn.error recv failed with errno 16 (ncipc.cpp:273)

Can someone explain to me what is happening, or help me set up this Juniper VPN correctly on the Raspberry Pi, please?

bamarni commented 7 years ago

I'm not familiar with that software unfortunately. Would it be possible for you to narrow down the problem? Is it that line: Unsupported ioctl: cmd=0x400454ca?

I can also see that you're installing kernel headers with apt; however, as it's a custom kernel build, they're probably not compatible. I'll add kernel headers in the next release (cf. #10).

bamarni commented 7 years ago

@jbustillosdt : any news about this? Could you try to run sudo modprobe tun (cf. https://unix.stackexchange.com/questions/302623/opening-a-tun-device-from-qemu-x86-for-armv7-fails)?
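Added example, not part of the original thread or of the pi64 project: a small Python triage script that decodes the ioctl request number from the shell message and correlates it with the TUNSETIFF failure in ncsvc.log. It assumes the Linux asm-generic ioctl bit layout (used on x86 and ARM) and that the trailing number in the "Can not TUNSETIFF" log line is a Linux errno value; the two lookup tables are small hand-written subsets.

```python
import re

# Linux asm-generic ioctl encoding (x86, ARM): bits 0-7 nr, 8-15 type, 16-29 size, 30-31 dir
DIRS = {0: "none", 1: "write", 2: "read", 3: "read/write"}
# Hand-written subset of TUN/TAP requests from <linux/if_tun.h>: (type, nr) -> name
TUN_IOCTLS = {("T", 202): "TUNSETIFF", ("T", 203): "TUNSETPERSIST", ("T", 204): "TUNSETOWNER"}
# Linux errno values that appear in the ncsvc log above (assumed to be errno codes)
ERRNOS = {2: "ENOENT", 16: "EBUSY", 38: "ENOSYS", 107: "ENOTCONN"}

def decode_ioctl(cmd):
    """Split a 32-bit ioctl request number into its direction, size, type and nr fields."""
    typ, nr = chr((cmd >> 8) & 0xFF), cmd & 0xFF
    return {
        "dir": DIRS[(cmd >> 30) & 0x3],
        "size": (cmd >> 16) & 0x3FFF,
        "type": typ,
        "nr": nr,
        "name": TUN_IOCTLS.get((typ, nr), "unknown"),
    }

def triage(lines):
    """Return (decoded unsupported ioctls, [(request name, errno name)]) from mixed output."""
    ioctls, failures = [], []
    for line in lines:
        m = re.search(r"Unsupported ioctl: cmd=(0x[0-9a-fA-F]+)", line)
        if m:
            ioctls.append(decode_ioctl(int(m.group(1), 16)))
        m = re.search(r"Can not (\w+) (\d+)", line)
        if m:
            failures.append((m.group(1), ERRNOS.get(int(m.group(2)), m.group(2))))
    return ioctls, failures

# Two lines taken from the report above (shell output and ncsvc.log)
SAMPLE = [
    "Unsupported ioctl: cmd=0x400454ca",
    "20170620100824.85278 ncsvc[p2503.t2503] adapter.error Can not TUNSETIFF 38 (adapter.cpp:309)",
]

if __name__ == "__main__":
    ioctls, failures = triage(SAMPLE)
    print(ioctls[0])   # fields of 0x400454ca
    print(failures)    # request name and errno from the log line
```

Both messages point at the same request: 0x400454ca decodes to a 4-byte write ioctl of type 'T', number 202, which is TUNSETIFF, and the log records that call failing with errno 38 (ENOSYS).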