[j-nsp] Dynamic VPN Question

Paul Stewart paul at paulstewart.org
Tue Jun 8 13:48:08 EDT 2010


That's a great question and one that I'm not sure of yet.... we have
deployed an SA700 appliance and an SRX210 so far - both have similar "web
based VPN" options.  In both cases, though, it installs a piece of software on
the client computer, which wasn't what we expected.  I had
expected literally a pop-up window in a web browser with a small plugin - or
else I would have just installed an IPsec client basically....

The nice thing is pushing down a pre-canned config with shared secret, etc.,
but both of these two deployments are VERY small, so having these users bring
us their notebooks and configuring them for them would have taken less than an
hour for both sites combined....

The split-tunneling thing is really a show stopper, and I'm hoping that JTAC
is wrong and someone has a solution..... it only applies to the SRX - on the
SA700 it works perfectly so far...

;)

Paul


-----Original Message-----
From: Glenn Krutsinger [mailto:GKrutsinger at us.ci.org]
Sent: Tuesday, June 08, 2010 1:29 PM
To: Paul Stewart; juniper-nsp at puck.nether.net
Subject: RE: [j-nsp] Dynamic VPN Question

Hello Paul,

Thanks for sharing your findings. We also require full tunneling for our VPN
users; I'm not sure why the brains at Juniper are forcing split-tunneling
for client VPN on the SRX.

I am in the midst of configuring SRX firewalls to replace some SSG5s.
Reading up on the Dynamic VPN configuration, it looks like I need to make
local users that map to RADIUS users to auth for web access and client
download, and build a gateway for each user. With 30+ sites and 10-25 users
per site, this doesn't seem very "Dynamic" to me.

I have opted to use dynamic VPN (note the lower case "d") and XAUTH for an
AD-authenticated VPN login. Since the users need access to both local and
enterprise resources, I use RADIUS to assign the client an IP address and
internal DNS server. Using the Netscreen Remote client, I route all traffic
through the tunnel.

What does the licensed Dynamic VPN feature buy you? From what I can see:
1) A web interface to download the VPN client and config
2) More device management and less client compatibility

Am I missing something here?

Thanks!
Glenn

-----Original Message-----
From: juniper-nsp-bounces at puck.nether.net
[mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of Paul Stewart
Sent: Tuesday, June 08, 2010 9:02 AM
To: juniper-nsp at puck.nether.net
Subject: [j-nsp] Dynamic VPN Question

Hi there..

We have our first SRX up and running with Dynamic VPN configured.  While
sorting this out with JTAC we found a few things that I wanted to share with
the list (and of course a question at the end):

Windows 7 appears to work quite well - JTAC said it doesn't work at all and
then said it "kinda works".  Our experience has been very good so far. YMMV.

Local authentication *does* work - in fact it works very well - again YMMV.
Their documentation and also their front line JTAC folks tell you that you
must have RADIUS.

Now that I got that off my chest, the one challenge left is that of
split-tunnelling.  We are getting used to the SA appliances and with them,
once you connect to the VPN you then surf out to the Internet *from* the IP
address of the SA appliance, because that's the way we've configured it.
This is ideal behavior for our needs.  On the SRX we cannot get this
behavior to occur and have been told by JTAC that it's not possible.  Not
only is this a problem for us, but it raises some security-related concerns
too.

Has anyone been able to get this behavior to work on an SRX or found a
workaround?  We want to connect to the SRX and then force people to surf "out to
the Internet" from the IP of the SRX.

Thanks for your time,

Paul

_______________________________________________
juniper-nsp mailing list juniper-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp