Re: [E] Re: openconnect vpn for linux machine
Hi David,

I have attached the flowchart of the lab setup. Windows and Mac users will connect to this lab via Pulse Secure VPN.

LAB SETUP
Internet link ---> Juniper SRX ---> Cisco router ---> core switch ---> blade servers

For Linux users, we would like to continue as you suggested, i.e. setting up a Linux VPN server running ocserv (or OpenVPN) alongside the SRX. We are going to install and set up a Linux machine on a blade server that is under our internal network. The concern is that we have only one internet link, which is connected to the Juniper SRX firewall, but we have separate public IPs. I can assign a public IP to the newly created Linux machine.

In this setup, will I be able to create a VPN connection for Linux users as you suggested? If yes, will there be any security risks for this setup?

Thanks & Regards
Midhunlal N B
+91 8921245637

On Mon, Apr 13, 2020 at 12:29 PM David Woodhouse wrote:
>
> On 13 April 2020 07:49:07 BST, "Nb, Midhunlal" wrote:
> >Hi,
> >If OpenVPN works with the Juniper SRX for Ubuntu, can you please share an
> >OpenVPN configuration guide?
>
> No. Not with the SRX. You could set up a Linux VPN server running ocserv (or
> OpenVPN) alongside your SRX, to serve the Linux users.

___
openconnect-devel mailing list
openconnect-devel@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/openconnect-devel
Re: [E] Re: openconnect vpn for linux machine
On 13 April 2020 07:49:07 BST, "Nb, Midhunlal" wrote:
>Hi,
>If OpenVPN works with the Juniper SRX for Ubuntu, can you please share an
>OpenVPN configuration guide?

No. Not with the SRX. You could set up a Linux VPN server running ocserv (or OpenVPN) alongside your SRX, to serve the Linux users.
Re: [E] Re: openconnect vpn for linux machine
Hi,

If OpenVPN works with the Juniper SRX for Ubuntu, can you please share an OpenVPN configuration guide?

On Thu, Apr 9, 2020 at 4:08 PM David Woodhouse wrote:
>
> OpenVPN would also work.
>
> On 9 April 2020 10:19:26 BST, "Nb, Midhunlal" wrote:
>>
>> Hi,
>> In my organization all users are using Ubuntu machines only. Does ocserv support Ubuntu?
>>
>> On Thu, Apr 9, 2020 at 2:43 PM David Woodhouse wrote:
>>>
>>> On 9 April 2020 09:56:10 BST, "Nb, Midhunlal" wrote:
>>> >Ok, thanks for the clarification.
>>>
>>> You aren't the first person asking about IKE support recently. It would be
>>> a very welcome addition and we can certainly give development pointers —
>>> and there's existing code for a lot of the pieces which will make life
>>> easier.
>>>
>>> But it's definitely a development task, not a quick fix. Maybe 2-3 weeks?
>>>
>>> In the short term I'd suggest using ocserv.
>>>
>>> --
>>> Sent from my Android device with K-9 Mail. Please excuse my brevity.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [E] Re: openconnect vpn for linux machine
Hi,

In my organization all users are using Ubuntu machines only. Does ocserv support Ubuntu?

On Thu, Apr 9, 2020 at 2:43 PM David Woodhouse wrote:
>
> On 9 April 2020 09:56:10 BST, "Nb, Midhunlal" wrote:
> >Ok, thanks for the clarification.
>
> You aren't the first person asking about IKE support recently. It would be a
> very welcome addition and we can certainly give development pointers — and
> there's existing code for a lot of the pieces which will make life easier.
>
> But it's definitely a development task, not a quick fix. Maybe 2-3 weeks?
>
> In the short term I'd suggest using ocserv.
>
> --
> Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [E] Re: openconnect vpn for linux machine
On 9 April 2020 09:56:10 BST, "Nb, Midhunlal" wrote:
>Ok, thanks for the clarification.

You aren't the first person asking about IKE support recently. It would be a very welcome addition and we can certainly give development pointers — and there's existing code for a lot of the pieces which will make life easier.

But it's definitely a development task, not a quick fix. Maybe 2-3 weeks?

In the short term I'd suggest using ocserv.

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
Re: [E] Re: openconnect vpn for linux machine
Ok, thanks for the clarification.

On Thu, Apr 9, 2020 at 1:53 PM David Woodhouse wrote:
>
> On 9 April 2020 07:52:23 BST, "Nb, Midhunlal" wrote:
> >Hi,
> >We are using IPsec VPN using IKE in our Juniper SRX. I want to know
> >whether there is any option to connect the OpenConnect VPN to the SRX.
>
> That isn't supported at the moment although we would like to add it. The
> client that supports IKE is vpnc, but its development has basically stopped
> and I don't believe it supports Juniper.
Re: [E] Re: openconnect vpn for linux machine
On 9 April 2020 07:52:23 BST, "Nb, Midhunlal" wrote:
>Hi,
>We are using IPsec VPN using IKE in our Juniper SRX. I want to know
>whether there is any option to connect the OpenConnect VPN to the SRX.

That isn't supported at the moment although we would like to add it. The client that supports IKE is vpnc, but its development has basically stopped and I don't believe it supports Juniper.
Re: [E] Re: openconnect vpn for linux machine
On Wed, Apr 8, 2020 at 5:10 AM David Woodhouse wrote:
>
> On Wed, 2020-04-08 at 14:07 +0530, Nb, Midhunlal wrote:
> > Hi,
> > can you please provide any solution on this issue?
>
> This probably isn't the best place to ask for support for your Juniper
> SRX product. We don't know what type of VPN it supports; it doesn't
> seem to match the NC and Pulse protocols that OpenConnect supports.

I have no firsthand knowledge, but a quick Google search suggests that Juniper SRX is an IPSec-based VPN… and *not* an SSL/TLS-based VPN like Juniper NC or Pulse.

Dan
Re: [E] Re: openconnect vpn for linux machine
Hi,

Can you please provide any solution on this issue?

On Tue, Apr 7, 2020 at 9:46 PM Nb, Midhunlal wrote:
>
> Hi,
> With your guidance and documents, I tried OpenConnect in Ubuntu.
> Unfortunately, I got an error. Please check the logs below.
>
> cat /etc/lsb-release
> DISTRIB_ID=Ubuntu
> DISTRIB_RELEASE=16.04
> DISTRIB_CODENAME=xenial
> DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
> root@ip-172-21-99-66:~# dpkg -l | grep openconnect
> ii  libopenconnect5:amd64        8.05-1~xenial1          amd64  open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library
> ii  network-manager-openconnect  1.2.0-1ubuntu0.16.04.1  amd64  network management framework (OpenConnect plugin)
> ii  openconnect                  8.05-1~xenial1          amd64  open client for Cisco AnyConnect, Pulse, GlobalProtect VPN
> root@ip-172-21-99-66:~# dpkg -l | grep network-manager-openconnect
> ii  network-manager-openconnect  1.2.0-1ubuntu0.16.04.1  amd64  network management framework (OpenConnect plugin)
>
> --protocol=nc
> -------------
> openconnect --protocol=nc x.x.x.x -vvv
> GET https://x.x.x.x/
> Attempting to connect to server x.x.x.x:443
> Connected to x.x.x.x:443
> SSL negotiation with x.x.x.x
> Server certificate verify failed: signer not found
>
> Certificate from VPN server "x.x.x.x" failed verification.
> Reason: signer not found
> To trust this server in future, perhaps add this to your command line:
>     --servercert pin-sha256:ZovfsMIDceLOSCZxZPx4ceHc26L3Ec+yQpQtJ541Pao=
> Enter 'yes' to accept, 'no' to abort; anything else to view:
> Connected to HTTPS on x.x.x.x
> Got HTTP response: HTTP/1.1 301 Moved Permanently
> Date: Tue, 07 Apr 2020 14:07:09 GMT
> Server: Embedthis-Appweb/3.2.3
> Cache-Control: max-age=5184000
> Expires: Fri, 17 Apr 2020 21:04:22 GMT
> Content-Length: 284
> Content-Type: text/html
> Connection: keep-alive
> Keep-Alive: timeout=120, max=199
> Location: https://x.x.x.x/dynamic-vpn/index.php
> HTTP body length: (284)
> GET https://x.x.x.x/dynamic-vpn/index.php
> Got HTTP response: HTTP/1.1 200 OK
> Date: Tue, 07 Apr 2020 14:07:09 GMT
> Server: Embedthis-Appweb/3.2.3
> Cache-Control: no-cache
> ETag: "1cd1d0-417-57d84162"
> Content-Type: text/html
> Connection: keep-alive
> Keep-Alive: timeout=120, max=198
> Last-Modified: Tue, 07 Apr 2020 14:07:09 GMT
> Transfer-Encoding: chunked
> HTTP body chunked (-2)
> Failed to find or parse web form in login page
> Failed to obtain WebVPN cookie
>
> --protocol=pulse
> ----------------
> openconnect --protocol=pulse x.x.x.x -vvv
> Attempting to connect to server x.x.x.x:443
> Connected to x.x.x.x:443
> SSL negotiation with x.x.x.x
> Server certificate verify failed: signer not found
>
> Certificate from VPN server "x.x.x.x" failed verification.
> Reason: signer not found
> To trust this server in future, perhaps add this to your command line:
>     --servercert pin-sha256:ZovfsMIDceLOSCZxZPx4ceHc26L3Ec+yQpQtJ541Pao=
> Enter 'yes' to accept, 'no' to abort; anything else to view: yes
> Connected to HTTPS on x.x.x.x
> Got HTTP response: HTTP/1.1 301 Moved Permanently
> Date: Tue, 07 Apr 2020 14:08:16 GMT
> Server: Embedthis-Appweb/3.2.3
> Cache-Control: max-age=5184000
> Expires: Fri, 17 Apr 2020 21:05:29 GMT
> Content-Length: 284
> Content-Type: text/html
> Connection: keep-alive
> Keep-Alive: timeout=120, max=199
> Location: https://x.x.x.x/dynamic-vpn/index.php
> HTTP body length: (284)
> Unexpected 301 result from server
> Failed to obtain WebVPN cookie
>
> Please help me to resolve this issue.
>
> Kind regards,
> Midhunlal.N.B.
>
> On Tue, Apr 7, 2020 at 6:11 PM David Woodhouse wrote:
> >
> > On Tue, 2020-04-07 at 17:05 +0530, Nb, Midhunlal wrote:
> > > Hi,
> > > please go through the below details
> > >
> > > > we are using juniper srx 345 firewall
> > > > Junos version:15.1X49-D60.7
> > > > For VPN we are using pulse secure (windows: pulse 5.1.5(61437),
> > > > MacBook:91.2(1181))
> > >
> > > Now we need a VPN for LINUX (we are using UBUNTU OS)
> > > > for Linux which pulse client version we need to use and which
> > > > openconnect version I need to install in my Linux?
> >
> > Use the latest version of OpenConnect. For Ubuntu there is a PPA at
> > https://launchpad.net/~dwmw2/+archive/ubuntu/openconnect
> >
> > > > which version (pulse version and open connect version)is compatible
> > > > with srx and Linux?
> > > > I need a configuration guide
> >
> > As it says in the documentation at
> > http://www.infradead.org/openconnect/pulse.html you just need to try
> > connecting to your existing server using --protocol=pulse.
> >
> > If that doesn't work, then also try --protocol=nc which is the older
> > Juniper Network Connect protocol. Most Pulse servers still support that
> > too.
> >
> > > > Any extra configuration (eg: self-signed certificate, key pair
> > > > generation) needs in juniper firewall for Linux VPN?
> >
> > Are you asking me about the configuration of *your*
Re: [E] Re: openconnect vpn for linux machine
Hi,

With your guidance and documents, I tried OpenConnect in Ubuntu. Unfortunately, I got an error. Please check the logs below.

cat /etc/lsb-release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.5 LTS"
root@ip-172-21-99-66:~# dpkg -l | grep openconnect
ii  libopenconnect5:amd64        8.05-1~xenial1          amd64  open client for Cisco AnyConnect, Pulse, GlobalProtect VPN - shared library
ii  network-manager-openconnect  1.2.0-1ubuntu0.16.04.1  amd64  network management framework (OpenConnect plugin)
ii  openconnect                  8.05-1~xenial1          amd64  open client for Cisco AnyConnect, Pulse, GlobalProtect VPN
root@ip-172-21-99-66:~# dpkg -l | grep network-manager-openconnect
ii  network-manager-openconnect  1.2.0-1ubuntu0.16.04.1  amd64  network management framework (OpenConnect plugin)

--protocol=nc
-------------
openconnect --protocol=nc x.x.x.x -vvv
GET https://x.x.x.x/
Attempting to connect to server x.x.x.x:443
Connected to x.x.x.x:443
SSL negotiation with x.x.x.x
Server certificate verify failed: signer not found

Certificate from VPN server "x.x.x.x" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:ZovfsMIDceLOSCZxZPx4ceHc26L3Ec+yQpQtJ541Pao=
Enter 'yes' to accept, 'no' to abort; anything else to view:
Connected to HTTPS on x.x.x.x
Got HTTP response: HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Apr 2020 14:07:09 GMT
Server: Embedthis-Appweb/3.2.3
Cache-Control: max-age=5184000
Expires: Fri, 17 Apr 2020 21:04:22 GMT
Content-Length: 284
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=120, max=199
Location: https://x.x.x.x/dynamic-vpn/index.php
HTTP body length: (284)
GET https://x.x.x.x/dynamic-vpn/index.php
Got HTTP response: HTTP/1.1 200 OK
Date: Tue, 07 Apr 2020 14:07:09 GMT
Server: Embedthis-Appweb/3.2.3
Cache-Control: no-cache
ETag: "1cd1d0-417-57d84162"
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=120, max=198
Last-Modified: Tue, 07 Apr 2020 14:07:09 GMT
Transfer-Encoding: chunked
HTTP body chunked (-2)
Failed to find or parse web form in login page
Failed to obtain WebVPN cookie

--protocol=pulse
----------------
openconnect --protocol=pulse x.x.x.x -vvv
Attempting to connect to server x.x.x.x:443
Connected to x.x.x.x:443
SSL negotiation with x.x.x.x
Server certificate verify failed: signer not found

Certificate from VPN server "x.x.x.x" failed verification.
Reason: signer not found
To trust this server in future, perhaps add this to your command line:
    --servercert pin-sha256:ZovfsMIDceLOSCZxZPx4ceHc26L3Ec+yQpQtJ541Pao=
Enter 'yes' to accept, 'no' to abort; anything else to view: yes
Connected to HTTPS on x.x.x.x
Got HTTP response: HTTP/1.1 301 Moved Permanently
Date: Tue, 07 Apr 2020 14:08:16 GMT
Server: Embedthis-Appweb/3.2.3
Cache-Control: max-age=5184000
Expires: Fri, 17 Apr 2020 21:05:29 GMT
Content-Length: 284
Content-Type: text/html
Connection: keep-alive
Keep-Alive: timeout=120, max=199
Location: https://x.x.x.x/dynamic-vpn/index.php
HTTP body length: (284)
Unexpected 301 result from server
Failed to obtain WebVPN cookie

Please help me to resolve this issue.

Kind regards,
Midhunlal.N.B.

On Tue, Apr 7, 2020 at 6:11 PM David Woodhouse wrote:
>
> On Tue, 2020-04-07 at 17:05 +0530, Nb, Midhunlal wrote:
> > Hi,
> > please go through the below details
> >
> > > we are using juniper srx 345 firewall
> > > Junos version:15.1X49-D60.7
> > > For VPN we are using pulse secure (windows: pulse 5.1.5(61437),
> > > MacBook:91.2(1181))
> >
> > Now we need a VPN for LINUX (we are using UBUNTU OS)
> > > for Linux which pulse client version we need to use and which
> > > openconnect version I need to install in my Linux?
>
> Use the latest version of OpenConnect. For Ubuntu there is a PPA at
> https://launchpad.net/~dwmw2/+archive/ubuntu/openconnect
>
> > > which version (pulse version and open connect version)is compatible
> > > with srx and Linux?
> > > I need a configuration guide
>
> As it says in the documentation at
> http://www.infradead.org/openconnect/pulse.html you just need to try
> connecting to your existing server using --protocol=pulse.
>
> If that doesn't work, then also try --protocol=nc which is the older
> Juniper Network Connect protocol. Most Pulse servers still support that
> too.
>
> > > Any extra configuration (eg: self-signed certificate, key pair
> > > generation) needs in juniper firewall for Linux VPN?
>
> Are you asking me about the configuration of *your* VPN server?
>
> If you give me the root password for it perhaps I can answer those
> questions... ?
>
> > We are facing a lot of pressure due to this VPN issue in Linux. Due to
> > work from home every user needs VPN connectivity in their Linux
> > machine. Please help on this issue.
>
> Have you actually *tried* pointing OpenConnect at the existing
> server...?
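The log above shows the client reporting "Server certificate verify failed: signer not found" and then being answered "yes", which accepts whatever certificate the endpoint presented at that moment. The safer habit is to obtain the VPN device's certificate through a trusted path (for example exported from its administration interface), compute the public-key pin locally, and compare it with the pin OpenConnect printed before ever passing it to --servercert. The script below is an added example written for this thread, not code from OpenConnect or from the list; it assumes openssl and base64 are installed, assumes that OpenConnect's pin-sha256 value is the base64 of SHA-256 over the certificate's DER-encoded SubjectPublicKeyInfo (the HTTP Public Key Pinning format), and generates a throwaway self-signed certificate so it runs offline, in place of the real SRX certificate.

```shell
#!/bin/sh
# Added example (not from the thread): derive an OpenConnect-style
# "pin-sha256:..." value from a locally held PEM certificate and compare
# it with the value the client printed, instead of answering "yes" to an
# unverified certificate.
# Assumptions: openssl and base64 are installed; the pin format is
# base64(SHA-256(DER SubjectPublicKeyInfo)); the certificate generated by
# make_test_cert is a constructed stand-in for the one exported from the
# VPN device.

# spki_pin CERT.pem -> prints "pin-sha256:<base64 of SPKI hash>"
spki_pin() {
    pin=$(openssl x509 -in "$1" -noout -pubkey \
          | openssl pkey -pubin -outform DER \
          | openssl dgst -sha256 -binary \
          | base64)
    printf 'pin-sha256:%s\n' "$pin"
}

# pin_matches CERT.pem REPORTED_PIN -> exit status 0 when the pin the
# client reported equals the pin of the certificate we trust, 1 otherwise.
pin_matches() {
    expected=$(spki_pin "$1")
    [ "$expected" = "$2" ]
}

# make_test_cert DIR -> writes DIR/cert.pem and DIR/key.pem, a constructed
# self-signed certificate used only so the example runs offline.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# demo -> usage walk-through. reported_pin stands in for the string copied
# from the "--servercert pin-sha256:..." line of the openconnect -vvv output.
demo() {
    dir=$(mktemp -d)
    make_test_cert "$dir"
    reported_pin=$(spki_pin "$dir/cert.pem")
    if pin_matches "$dir/cert.pem" "$reported_pin"; then
        echo "pin matches the trusted certificate: safe to use --servercert $reported_pin"
    else
        echo "pin MISMATCH: do not accept this certificate"
    fi
    rm -rf "$dir"
}
```

In real use, replace make_test_cert with the certificate file exported from the SRX and pass the pin that openconnect printed as the second argument to pin_matches; only a matching pin should ever be written into a wrapper script or a NetworkManager profile as --servercert.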
Re: [E] Re: openconnect vpn for linux machine
On Tue, 2020-04-07 at 17:05 +0530, Nb, Midhunlal wrote:
> Hi,
> please go through the below details
>
> > we are using juniper srx 345 firewall
> > Junos version:15.1X49-D60.7
> > For VPN we are using pulse secure (windows: pulse 5.1.5(61437),
> > MacBook:91.2(1181))
>
> Now we need a VPN for LINUX (we are using UBUNTU OS)
> > for Linux which pulse client version we need to use and which
> > openconnect version I need to install in my Linux?

Use the latest version of OpenConnect. For Ubuntu there is a PPA at
https://launchpad.net/~dwmw2/+archive/ubuntu/openconnect

> > which version (pulse version and open connect version)is compatible
> > with srx and Linux?
> > I need a configuration guide

As it says in the documentation at
http://www.infradead.org/openconnect/pulse.html you just need to try
connecting to your existing server using --protocol=pulse.

If that doesn't work, then also try --protocol=nc which is the older
Juniper Network Connect protocol. Most Pulse servers still support that
too.

> > Any extra configuration (eg: self-signed certificate, key pair
> > generation) needs in juniper firewall for Linux VPN?

Are you asking me about the configuration of *your* VPN server?

If you give me the root password for it perhaps I can answer those
questions... ?

> We are facing a lot of pressure due to this VPN issue in Linux. Due to
> work from home every user needs VPN connectivity in their Linux
> machine. Please help on this issue.

Have you actually *tried* pointing OpenConnect at the existing
server...?
Re: [E] Re: openconnect vpn for linux machine
Hi,

Please go through the details below.

> we are using juniper srx 345 firewall
> Junos version:15.1X49-D60.7
> For VPN we are using pulse secure (windows: pulse 5.1.5(61437),
> MacBook:91.2(1181))

Now we need a VPN for LINUX (we are using UBUNTU OS)

> for Linux which pulse client version we need to use and which openconnect
> version I need to install in my Linux?
> which version (pulse version and open connect version)is compatible with srx
> and Linux?
> I need a configuration guide
> Any extra configuration (eg: self-signed certificate, key pair generation)
> needs in juniper firewall for Linux VPN?

We are facing a lot of pressure due to this VPN issue in Linux. Due to work from home every user needs VPN connectivity in their Linux machine. Please help on this issue.

Kind regards,
Midhunlal
8921245637

On Tue, Apr 7, 2020 at 4:03 PM David Woodhouse wrote:
>
> On Tue, 2020-04-07 at 12:01 +0530, Nb, Midhunlal wrote:
> > Hi team,
> >
> > We are using Juniper SRX 345 in our lab; for VPN we are using
> > Pulse Secure. My problem is that some of our users need VPN connectivity in
> > their Linux machines, but officially Juniper is not supporting Linux for
> > VPN through Pulse Secure. Now we are in big trouble. Can you please
> > suggest a solution for this issue using OpenConnect VPN?
>
> Hi,
>
> OpenConnect supports the Pulse Secure servers, using either the legacy
> Juniper mode with --protocol=nc (which is limited to Legacy IP), or the
> newer Pulse protocol with --protocol=pulse.
>
> The latter doesn't work with the Host Checker yet.
>
> I'd suggest giving it a try and letting us know with some more details
> if it isn't working for you.