[j-nsp] Dynamic VPN Question

Paul Stewart paul at paulstewart.org
Tue Jun 8 11:02:25 EDT 2010


Hi there..

 

We have our first SRX up and running with Dynamic VPN configured.  While
sorting this out with JTAC we found a few things that I wanted to share with
the list (and of course a question at the end):

 

Windows 7 appears to work quite well - JTAC said it doesn't work at all and
then said it "kinda works".  Our experience has been very good so far. YMMV.

Local authentication *does* work - in fact it works very well - again YMMV.
Their documentation and also their front line JTAC folks tell you that you
must have RADIUS.

 

Now that I got that off my chest, the one challenge left is that of
split-tunnelling.  We are getting used to the SA appliances and with them,
once you connect to the VPN you then surf out to the Internet *from* the IP
address of the SA appliance because that's the way we've configured it.
This is ideal behavior for our needs.  On the SRX we cannot get this
behavior to occur and have been told by JTAC that it's not possible.  Not
only is this a problem for us but it raises some security-related concerns
too.

 

Has anyone been able to get this behavior to work on an SRX or found a
workaround?  We want to connect to the SRX and then force people to surf "out to
the Internet" from the IP of the SRX.

 

Thanks for your time,

 

Paul

 

 

 


