[j-nsp] Dynamic VPN with Pulse, AD Integration and more

Andrew Jones aj at jonesy.com.au
Mon Mar 24 19:29:30 EDT 2014


I'd be very interested in seeing a dynamic VPN config that works with
OSX's built-in IPSEC client.
When I've looked into this previously, I've only found people using
third-party VPN clients on Mac, such as VPN Tracker:
https://www.cryptomonkeys.com/2013/10/juniper-srx-and-mobile-ipsec/



On 25.03.2014 10:04, Chris Jones wrote:
> Well that's exactly it, Pulse on Windows does SSLVPN and IPSec. On OSX
> and mobile, it's SSL only. Dynamic VPN is an IPSec remote access VPN,
> so that's why it doesn't work.
>
> Yes, built-in IPSec clients for OSX will connect to Dynamic VPN just
> fine AFAIK, you just can't use Pulse. I'm not sure about iOS and
> Android though.
>
> On Mon, Mar 24, 2014 at 3:57 PM, Skeeve Stevens
> <skeeve+junipernsp at eintellegonetworks.com> wrote:
>
>> Any other way to get OSX/mobile devices, etc to connect to an SRX VPN?
>> PPTP? IPSEC?
>>
>> ...Skeeve
>>
>> *Skeeve Stevens - *eintellego Networks Pty Ltd
>> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com [1]
>>
>> Phone: 1300 239 038; Cell +61 (0)414 753 383 [2] ; skype://skeeve
>>
>> facebook.com/eintellegonetworks [3] ; <http://twitter.com/networkceoau [4]>
>> linkedin.com/in/skeeve [5]
>>
>> twitter.com/theispguy [6] ; blog: www.theispguy.com [7]
>>
>> The Experts Who The Experts Call
>> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
>>
>> On Tue, Mar 25, 2014 at 9:54 AM, Andrew Jones <aj at jonesy.com.au> wrote:
>>
>> > I've been told that they have no plans to support OSX on Dynamic VPN. I
>> > got the impression that Juniper weren't investing in the Dynamic VPN
>> > product and were pushing people toward MAG etc.
>> >
>> > From http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436 [8]
>> >
>> > The Dynamic VPN feature (Pulse or Juniper Access Manager) is not supported
>> > on the following Operating Systems:
>> > * Linux
>> > * Macintosh Desktop Systems including Pulse 3.0 (for more information,
>> > refer to KB23960 - [SRX] Junos Pulse 3.0 installed on a Mac OS X system
>> > fails to connect to a SRX device with the dynamic VPN feature).
>> > * Windows Server
>> > * iPad/iPhone
>> > * Android OS
>> >
>> >
>> > On 25.03.2014 09:46, Skeeve Stevens wrote:
>> >
>> >> What THE HELL?!
>> >>
>> >> Documentation on this?
>> >>
>> >> Thanks Chris.
>> >>
>> >>
>> >> ...Skeeve
>> >>
>> >> On Tue, Mar 25, 2014 at 5:36 AM, Chris Jones <ipv6freely at gmail.com>
>> >> wrote:
>> >>
>> >>> I don't know if this matters to you, but Pulse does not work in OSX or
>> >>> iOS/Android when connecting to a SRX with Dynamic VPN. It only works in
>> >>> Windows. Just a caveat if you weren't already aware.
>> >>>
>> >>>
>> >>> On Mon, Mar 24, 2014 at 12:21 AM, Skeeve Stevens <
>> >>> skeeve+junipernsp at eintellegonetworks.com> wrote:
>> >>>
>> >>>> Hey all,
>> >>>>
>> >>>> I am setting up an SRX with Dynamic VPN with Pulse clients..... I know
>> >>>> some don't like it, but it is what we're doing (customer choice).
>> >>>>
>> >>>> One thing I am looking for is if anyone has seen any docs on how to
>> >>>> integrate the Dynamic VPN auth with Active Directory.
>> >>>>
>> >>>> Also, does anyone know what flexibility we have with the VPN on a per
>> >>>> use basis... such as different IP ranges, different VRF's, firewall
>> >>>> filters, etc etc based against those AD groups.
>> >>>>
>> >>>> While this is for a specific rollout, it would be nice to know these
>> >>>> capabilities across the board for other solutions.
>> >>>>
>> >>>> Any pointers to any docs would be fantastic.  I've tried googling, but
>> >>>> came up blah.
>> >>>>
>> >>>> ...Skeeve
>> >>>>
>> >>>> _______________________________________________
>> >>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> >>>> https://puck.nether.net/mailman/listinfo/juniper-nsp [10]
>> >>>>
>> >>>>
>> >>>
>> >>>
>> >>> --
>> >>> Chris Jones
>> >>> JNCIE-ENT #272
>> >>> CCIE# 25655 (R&S)
>> >>>
>
> --
> Chris Jones
> JNCIE-ENT #272
> CCIE# 25655 (R&S)
>
> Links:
> ------
> [1] http://www.eintellegonetworks.com
> [2] tel:%2B61%20%280%29414%20753%20383
> [3] http://facebook.com/eintellegonetworks
> [4] http://twitter.com/networkceoau
> [5] http://linkedin.com/in/skeeve
> [6] http://twitter.com/theispguy
> [7] http://www.theispguy.com
> [8] http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436
> [10] https://puck.nether.net/mailman/listinfo/juniper-nsp


