[j-nsp] Dynamic VPN Question

Glenn Krutsinger GKrutsinger at us.ci.org
Tue Jun 8 13:28:41 EDT 2010


Hello Paul,

Thanks for sharing your findings. We also require full tunneling for our VPN users. I'm not sure why the brains at Juniper are forcing split-tunneling for client VPN on the SRX.

I am in the midst of configuring SRX firewalls to replace some SSG5's. Reading up on the Dynamic VPN configuration, it looks like I need to make local users that map to RADIUS users to auth for web access and client download, and build a gateway for each user. With 30+ sites and 10-25 users per site, this doesn't seem very "Dynamic" to me.

I have opted to use dynamic VPN (note the lower case "d") and XAUTH for an AD-authenticated VPN login. Since the users need access to both local and enterprise resources, I use RADIUS to assign the client an IP address and internal DNS server. Using the Netscreen Remote client, I route all traffic through the tunnel.

What does the licensed Dynamic VPN feature buy you? From what I can see:
1) A web interface to download the VPN client and config
2) More device management and less client compatibility

Am I missing something here?

Thanks!
Glenn

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, June 08, 2010 9:02 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Dynamic VPN Question

Hi there..

We have our first SRX up and running with Dynamic VPN configured.  While
sorting this out with JTAC we found a few things that I wanted to share with
the list (and of course a question at the end):

Windows 7 appears to work quite well - JTAC said it doesn't work at all and
then said it "kinda works".  Our experience has been very good so far. YMMV.

Local authentication *does* work - in fact it works very well - again YMMV.
Their documentation and also their front line JTAC folks tell you that you
must have Radius.

Now that I got that off my chest, the one challenge left is that of
split-tunnelling.  We are getting used to the SA appliances and with them,
once you connect to the VPN you then surf out to the Internet *from* the IP
address of the SA appliance because that's the way we've configured it.
This is ideal behavior for our needs.  On the SRX we cannot get this
behavior to occur and have been told by JTAC that it's not possible.  Not
only is this a problem for us but it raises some security related concerns
too.

Has anyone been able to get this behavior to work on an SRX or found a
workaround?  We want to connect to the SRX and then force people to surf "out to
the Internet" from the IP of the SRX.

Thanks for your time,

Paul

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp