The SSH saga episode 2
March 22, 2011 by Garrett Mitchener
So at some point, they got rid of the Aventail VPN and went for something else that I’ve heard called Juniper, though the branding on this new product is unclear to me.
Here’s what happens. I had to do some set up over the web where I typed in security questions and answers (mother’s maiden name, favorite pet, etc.) and that was easy enough. When I want to connect to my workstation, I call up a web browser and go to the connection page, and at first it asks if this is a public or private computer. Okay, fine, it wants to know how much of the authentication it can leave in place once you’re done and how much in the way of cookies and such it should delete. I tell it this is a private computer, and it asks to do a first level authorization of some sort, and if I’m reading this right, it’s going to store some bit of information that this computer is familiar and I’m saying it’s okay to accept connections from it, and I don’t think I’m supposed to have to authorize this computer again. Every time I try to connect, it wants to do this once-and-you’re done authorization. Every time. I’ve fiddled with browser settings and all sorts of things and every so often it’ll allow me to skip this step, but there’s no rhyme or reason to it. What it wants to do is either have me answer some of those security questions, like what’s my dog’s maiden name, or it’s going to send me a four digit random code to type in. It will either call my office and tell me the number (which is useless: I’m never in the office when I use the VPN!) or it can send it over e-mail. So let’s say I ask it to e-mail it. Luckily I can read e-mail without the VPN. So it sends the e-mail, then gives me a screen like the one below where I type in the code:
If you notice, several of the digits (0 and 9) are missing, and the spinning “still working” indicator in the tab title is still spinning. Invariably, some of the button images fail to load, and some of those digits are part of the code I’m supposed to type… So I guess I get to start all over, and answer what kind of car my cat drives, try another code, and hope all the right buttons load this time…
… or I could use the keyboard to enter the four digit code… so what are the image buttons for exactly?
Then, I get to type my C of C password, and finally it starts to actually set up the VPN.
An aside: The irony of this secondary authentication code is that it adds absolutely nothing to the actual security of our network. If an intruder doesn’t know my password, they can’t get past the last page, so the overall authentication process is at least as secure as my password. If an intruder does know my password, they can get into my e-mail through the web interface and get the four digit code, so the overall process is no more secure than my password. Hence, the additional screens of questions before it asks for my password are just annoying security theater.
This is one of those VPN clients where apparently the idea is that you go to any internet café, call up a web browser, sign in, and a java program runs the connection inside the browser, so you don’t have to install anything, don’t need any cooperation from the computer’s administrators, etc. and since java programs are “write once run anywhere” it should all just work. Except of course that it doesn’t. You do have to install a piece of software on the host machine, and it turns out that this is one of a handful of critical java programs that inexplicably won’t run using java as distributed with Fedora Linux. I don’t know where the problem is.
So, I had to download and install the Linux edition of java directly from Sun (or now, Oracle). And of course it doesn’t install the correct web browser plug-in. You have to muck around on the command line following obscure and poorly documented instructions. For example, the page at java.com explains how great this new java plug-in is and how to install it on Windows and Mac, but not a word about Linux, which is supposedly officially supported by java. So much for “run everywhere”. The firefox documentation explains how to install java on Linux, but mentions in a tiny link that you have to do something else for firefox versions 3.6 and above, which has been the official version for a few years now… why haven’t they updated their documentation!? There is a tiny link there to a short page about the new plug-in and stating that you can’t use the old one any more, but with no instructions on how to get it working in Linux. If you keep digging and googling, eventually you find a small cryptic note in the mozilla knowledge base with some helpful discussion, and a link to some manual installation instructions that require a good bit of Linux expertise to interpret. So finally, I got it to load the java program. I don’t know why java’s installation program hasn’t been updated to install the new plug-in instead of the old one.
In case it disappears again, the magic incantation to do all of this is roughly as follows:
1. Install java directly from Sun / Oracle.
2. Go to a terminal command line.
3. Locate the plug-in file, which is usually
   /usr/lib/jvm/java-sun/jre/lib/i386/libnpjp2.so
4. Go to the mozilla plug-in directory, which is something like
   cd /usr/lib/mozilla/plugins/
5. Remove any links in there to javaplugin-oji.so (the old plug-in) with the rm command, or I sometimes do
   mkdir Attic
   and
   mv file-I'm-not-sure-about Attic
6. Create a symbolic link there to the new java plug-in with the ln command, something like
   ln -s /usr/lib/jvm/java-sun/jre/lib/i386/libnpjp2.so
7. Cross your fingers and re-start firefox.
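The steps above as a shell script, added here as an example and not part of the original post. It assumes the post's paths (a Sun/Oracle JRE under /usr/lib/jvm/java-sun with the i386 layout, and /usr/lib/mozilla/plugins) and parks the old plug-in links in an Attic directory so the change can be undone; the readelf line at the end is an addition too, since a shared object whose GNU_STACK header carries the E flag is what makes the loader ask for an executable stack, which is what the SE Linux note further down is about.

```shell
#!/bin/sh
# Added example (not code from the original post): automates the plug-in swap.
# The default paths in the usage comment are the post's; whether they match a
# given JRE build (i386 vs amd64) is an assumption to check on your machine.
set -eu

# install_java_plugin PLUGIN_DIR NEW_PLUGIN
# Parks old OJI plug-in entries in PLUGIN_DIR/Attic (undoable, like the post's
# mkdir Attic / mv trick) and symlinks NEW_PLUGIN into PLUGIN_DIR.
install_java_plugin() {
    plugin_dir=$1
    new_plugin=$2
    if [ ! -f "$new_plugin" ]; then
        echo "new plug-in not found: $new_plugin" >&2
        return 1
    fi
    mkdir -p "$plugin_dir/Attic"
    # Matches the name the post gives (javaplugin-oji.so) and close variants;
    # the -L test catches dangling symlinks that -e alone would miss.
    for old in "$plugin_dir"/*javaplugin*oji*; do
        if [ -e "$old" ] || [ -L "$old" ]; then
            mv "$old" "$plugin_dir/Attic/"
        fi
    done
    # -f replaces a stale link; -n keeps ln from descending into a link to a dir
    ln -sfn "$new_plugin" "$plugin_dir/libnpjp2.so"
}

# check_java_plugin PLUGIN_DIR
# Returns 0 when libnpjp2.so is a link to a real file and no OJI entry remains.
check_java_plugin() {
    plugin_dir=$1
    link="$plugin_dir/libnpjp2.so"
    [ -L "$link" ] && [ -f "$link" ] || return 1
    for old in "$plugin_dir"/*javaplugin*oji*; do
        [ -e "$old" ] || [ -L "$old" ] || continue
        return 1
    done
    # Report the plug-in's stack flags (RWE = wants an executable stack);
    # purely informational, skipped when readelf is not installed.
    if command -v readelf >/dev/null 2>&1; then
        readelf -lW "$link" 2>/dev/null | grep GNU_STACK || true
    fi
    return 0
}

# Usage on the post's paths (run as root):
#   install_java_plugin /usr/lib/mozilla/plugins /usr/lib/jvm/java-sun/jre/lib/i386/libnpjp2.so
#   check_java_plugin /usr/lib/mozilla/plugins
```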
The irony here is that after all the hours I’ve spent googling for solutions and figuring all of this out, the java applet seems to be mostly unnecessary. Once you’ve logged in once through the browser, a credentials file is created somewhere, and until it expires, you can sign in to the VPN directly without going through a web browser at all, and that process can be scripted and run from a command line. The applet mostly seems to be a monitoring service to let you know about error messages and when you’ve timed out. Somebody probably thought they were doing me a favor by making a nice pointy-clicky window in java so I could see how the connection is holding up and click a button to log out. Little did they know….
Now, there’s a long story somewhere about why Fedora doesn’t just ship the Sun/Oracle edition of java directly with their Linux distribution. Ubuntu Linux does, so all of this java stuff is a bit easier. However…
… once you get the java applet running, it still has to have administrator permissions to install something. I don’t know what this is, probably a small executable file that actually performs the network encryption, but a terminal pops up asking for the root password so it can be installed. On Fedora, this actually works, I only have to do it once, and finally I get my VPN connection. On Ubuntu, java is less trouble to install, but at this step you have to reconfigure the root account to enable this program to install whatever this thing is, and you get no help from the VPN web pages on what’s gone wrong or how to fix it. That page of Ubuntu documentation is describing a fairly harmless and easily undone operation, but it’s very technical and involves mucking around with sensitive configuration files, and with all the big yellow signs and alerts, it’s more than scary enough to thwart inexperienced users.
For better and for worse, my Ubuntu laptop developed a problem about the time I was working on this, and I gave up on Ubuntu on it, and replaced it with Fedora. Which meant I had to dig up all my notes and remember how to install java all over again…
Gasp, pant. So now I can call up ssh and finally get to my workstation to fetch files and monitor long calculations, etc.
At least this new VPN client doesn’t time out at random all the time.
I can’t count how many faculty I’ve talked to who use Windows or Macs and just want to access a few files from home, and told me that they couldn’t get this VPN working on their computer either. So they gave up on it, and got in the habit of putting files they need off campus on a portable hard drive or in Dropbox, thereby bypassing and nullifying all the paranoid security that our lawyers and IT people have inflicted on us. I was leaning that way myself, but I’m absent minded enough that I don’t trust myself not to lose a thumb drive, and I like using version control (SVN, Darcs) rather than merely copying to keep my files synchronized across machines. And there were a few thefts where someone got into faculty offices and stole portable hard drives. So after much learning and fixing, here I am, and I can’t tell you how many hours I’ve spent getting this to work.
Other things that you have to do:
Firefox must be set to accept third-party cookies or the applet never appears and you end up sort of half-way signed in. Third-party cookies (I think) are when one web site (the third party) stores a bit of data on your computer (the first party) to be transmitted to other web sites (the second party). Really, this is something that shouldn’t be enabled because there are some security issues with allowing such cookies. Irony irony…
Oh, and the SE Linux policy has to be set to allow execution of stack code at least for Firefox. At some point, I think they repaired Fedora’s security package to fix this automatically, not sure. What I suspect is that the java plugin generates machine-code instructions as it runs applets to speed them up, and someone made the unfortunate choice of storing them in stack memory. But you generally don’t want programs to be able to execute code on “The Stack”, which is an area of memory designated for temporary calculations and used to pass data to and from subroutines. Several kinds of malware get into your system by doing things like creating absurdly long URLs that overwrite part of the stack, hence the security feature. Irony irony…
Additional resources
I’m not the only one driven nuts by all of this:
A page about the Juniper VPN and Ubuntu
Category Computer | Tags: gripe, how-to