There are several problem common problems with Juniper SSL VPN on support of Linux clients:

1.Most 64-bit platforms are not supported.
2.Junos Pulse SSL VPN does not support Linux at all.

Best way to cover problem “1” is:
http://ubuntuforums.org/showthread.php?p=11189826#post11189826
There is also well known mad-scientist way but its more complex.

Problem “2” is a bit more involved.

In my case when I login to Juniper SSL web interface it run host-checker and as Linux is not supported the web form does not have way to launch Junos Pulse SSL VPN client. In fact that client does not exists for Linux.
Good news are: old Juniper “Network Connect” client is compatible with Junos Pulse and can be used on Linux client.

So you can still launch “Network Connect” client, separately from your web session.
If on login you only asked user name and password (either AD password or SecurID), you lucky and you can easy launch “Network Connect” as described in several sources, for example:
http://serverfault.com/questions/363061/how-to-connect-to-a-juniper-vpn-from-linux

But if your VPN server use two phase auth scheme (SecurID + AD password), it can get more involved. Scott has GREAT blog on how to make it work:
http://makefile.com/.plan/2009/10/juniper-vpn-64-bit-linux-an-unsolved-mystery
Only thing – you have to copy DSID cookie manually and paste it as argument in ncui call. There are several projects to automate that, for example: https://code.google.com/p/juniper-vpn/ or http://techblog.constantcontact.com/software-development/juniper-networks-network-connect-securid-and-64-bit-linux/

Both are py scripts to simulate browser behavior. Great stuff, But it did not work for me. I believe its because before I can get to login page I have one more “Legal” page where “Agree” has to be clicked. So I decided to actually use browser for login, and just have an automated way to pass DSID cookie to the script to launch ncui. Below are steps for that. –

Get network connect client + ncui executable (mostly from Scott’s blog):

  • Login to your VPN https://some.company.com/dana-na/auth/url_default/welcome.cgi
  • Get Network Connect client at: https://some.company.com/dana-cached/nc/ncLinuxApp.jar
  • Install Network Connect client, gcc ncui executable, and get cert file:
    sudo apt-get install gcc-multilib  
    mkdir ~/.juniper_networks/network_connect  
    cd ~/.juniper_networks/network_connect  
    mv ~/Downloads/ncLinuxApp.jar .  
    jar -xf ncLinuxApp.jar  
    sudo gcc -m32 -Wl,-rpath,`pwd` -o ncui libncui.so  
    sudo chown root:root ncui  
    sudo chmod 4755 ncui  
    echo | openssl s_client -connect some.company.com:443 2>&1 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' | 
    openssl x509 -outform der > ssl.crt  
    

Problem with DSID cookie – its Session Level, so it does not persist on disk, where you can grep it from. So had to use Greasemonkey plugin for firefox to capture DSID and save to HTML5 storage.
Install Greasemonkey plugin https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/ and make sure its enabled.

  • Create Greasemonkey js script (replace some.company.com) to dump DSID to webappsstore.sqlite file:
    mkdir ~/Greasemonkey/  
    cat >> ~/Greasemonkey/jsessionid.user.js <<EOF  
    // ==UserScript==  
    // @name DSID to localStorage  
    // @namespace name@company.com  
    // @description Saves the DSID cookie in localStorage  
    // @include https://some.company.com/dana-na/*  
    // ==/UserScript==  
    (function() {  
     var sessid = document.cookie.match(/DSID=([^;]+)/);  
     if (sessid) {  
     var oldSID = localStorage.DSID;  
     if (sessid != oldSID) localStorage.DSID = sessid[1];  
     }  
    })();  
    EOF  
    

  • In Firefox: Menu -> File -> Open File -> Choose “jsessionid.user.js”, and enable the script in the pop up window
  • Install sqlite:
    mkdir ~/bin/  
    cd ~/bin/  
    wget http://www.sqlite.org/2014/sqlite-shell-linux-x86-3080500.zip  
    unzip sqlite-shell-linux-x86-*.zip  
    

  • Create script to get DCID value from webappsstore.sqlite and launch ncui (replace some.company.com):
    cat > ~/bin/juniper_vpn.sh <<"EOF1"  
    
    sudo touch /etc/jnpr-nc-resolv.conf  
    sudo touch /etc/jnpr-nc-hosts.bak  
    
    dsid1=`~/bin/sqlite3 ~/.mozilla/firefox/*.default/webappsstore.sqlite <<EOF | grep "https:443|DSID" | awk -F"|" '{print $3}'  
    select * from webappsstore2;  
    EOF`  
    echo dsid1=$dsid1  
    
    cd ~/.juniper_networks/network_connect/  
    ./ncui -h some.company.com -c DSID=$dsid1 -f ssl.crt  
    
    EOF1  
    
    chmod 700 ~/bin/juniper_vpn.sh  
    

  • Run the script, it will prompt for the AD password. (Ctrl+C to end vpn connection)
  • In another window check if VPN interface is active:
    ifconfig | grep tun
    

And if so – You are on VPN!.. Time to get to real work J
p.s. And use sun java.- Open jdk has old known problems with juniper VPN.