[j-nsp] Dynamic VPN with Pulse, AD Integration and more

Louis Kowolowski louisk at cryptomonkeys.org
Mon Mar 24 21:19:55 EDT 2014


My understanding (I may be wrong) is that the OSX client requires L2TP, and SRX doesn't support it (SSG does).
It's kind of annoying.

On Mar 24, 2014, at 4:29 PM, Andrew Jones <aj at jonesy.com.au> wrote:

> I'd be very interested in seeing a dynamic vpn config that works with OSX's built-in IPSEC client.
> When I've looked into this previously, I've only found people using third-party VPN clients on Mac, such as VPN Tracker:
> https://www.cryptomonkeys.com/2013/10/juniper-srx-and-mobile-ipsec/
> 
> 
> 
> On 25.03.2014 10:04, Chris Jones wrote:
>> Well that's exactly it, Pulse on Windows does SSLVPN and IPSec. On OSX
>> and mobile, it's SSL only. Dynamic VPN is an IPSec remote access VPN,
>> so that's why it doesn't work.
>> 
>> Yes, built in IPSec clients for OSX will connect to Dynamic VPN just
>> fine AFAIK, you just can't use Pulse. I'm not sure about iOS and
>> Android though. 
>> 
>> On Mon, Mar 24, 2014 at 3:57 PM, Skeeve Stevens
>> <skeeve+junipernsp at eintellegonetworks.com> wrote:
>> 
>>> Any other way to get OSX/mobile devices, etc to connect to an SRX VPN?
>>> PPTP? IPSEC?
>>> 
>>> ...Skeeve
>>> 
>>> *Skeeve Stevens - *eintellego Networks Pty Ltd
>>> skeeve at eintellegonetworks.com ; www.eintellegonetworks.com [1]
>>> 
>>> Phone: 1300 239 038; Cell +61 (0)414 753 383 [2] ; skype://skeeve
>>> 
>>> facebook.com/eintellegonetworks [3] ;  <http://twitter.com/networkceoau [4]>
>>> linkedin.com/in/skeeve [5]
>>> 
>>> twitter.com/theispguy [6] ; blog: www.theispguy.com [7]
>>> 
>>> The Experts Who The Experts Call
>>> Juniper - Cisco - Cloud - Consulting - IPv4 Brokering
>>> 
>>> On Tue, Mar 25, 2014 at 9:54 AM, Andrew Jones <aj at jonesy.com.au> wrote:
>>> 
>>> > I've been told that they have no plans to support OSX on Dynamic VPN. I
>>> > got the impression that Juniper weren't investing in the Dynamic VPN
>>> > product and were pushing people toward MAG etc.
>>> >
>>> > From http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436 [8]
>>> >
>>> > The Dynamic VPN feature (Pulse or Juniper Access Manager) is not supported
>>> > on the following Operating Systems:
>>> > * Linux
>>> > * Macintosh Desktop Systems including Pulse 3.0 (for more information,
>>> > refer to KB23960 - [SRX] Junos Pulse 3.0 installed on a Mac OS X system
>>> > fails to connect to a SRX device with the dynamic VPN feature).
>>> > * Windows Server
>>> > * iPad/iPhone
>>> > * Android OS
>>> >
>>> >
>>> > On 25.03.2014 09:46, Skeeve Stevens wrote:
>>> >
>>> >> What THE HELL?!
>>> >>
>>> >> Documentation on this?
>>> >>
>>> >> Thanks Chris.
>>> >>
>>> >>
>>> >> ...Skeeve
>>> >>
>>> >>
>>> >> On Tue, Mar 25, 2014 at 5:36 AM, Chris Jones <ipv6freely at gmail.com>
>>> >> wrote:
>>> >>
>>> >>> I don't know if this matters to you, but Pulse does not work in OSX or
>>> >>> iOS/Android when connecting to a SRX with Dynamic VPN. It only works in
>>> >>> Windows. Just a caveat if you weren't already aware.
>>> >>>
>>> >>>
>>> >>> On Mon, Mar 24, 2014 at 12:21 AM, Skeeve Stevens <
>>> >>> skeeve+junipernsp at eintellegonetworks.com> wrote:
>>> >>>
>>> >>>> Hey all,
>>> >>>>
>>> >>>> I am setting up an SRX with Dynamic VPN with Pulse clients..... I know
>>> >>>> some don't like it, but it is what we're doing (customer choice).
>>> >>>>
>>> >>>> One thing I am looking for is if anyone has seen any docs on how to
>>> >>>> integrate the Dynamic VPN auth with Active Directory.
>>> >>>>
>>> >>>> Also, does anyone know what flexibility we have with the VPN on a per-user
>>> >>>> basis... such as different IP ranges, different VRFs, firewall filters,
>>> >>>> etc. etc. based against those AD groups.
>>> >>>>
>>> >>>> While this is for a specific rollout, it would be nice to know these
>>> >>>> capabilities across the board for other solutions.
>>> >>>>
>>> >>>> Any pointers to any docs would be fantastic.  I've tried googling, but
>>> >>>> came up blah.
>>> >>>>
>>> >>>> ...Skeeve
>>> >>>>
>>> >>>> _______________________________________________
>>> >>>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> >>>> https://puck.nether.net/mailman/listinfo/juniper-nsp [10]
>>> >>>>
>>> >>>>
>>> >>>
>>> >>>
>>> >>> --
>>> >>> Chris Jones
>>> >>> JNCIE-ENT #272
>>> >>> CCIE# 25655 (R&S)
>>> >>>
>>> >>
>>> >
>>> >
>> 
>> 
>> Links:
>> ------
>> [1] http://www.eintellegonetworks.com
>> [2] tel:%2B61%20%280%29414%20753%20383
>> [3] http://facebook.com/eintellegonetworks
>> [4] http://twitter.com/networkceoau
>> [5] http://linkedin.com/in/skeeve
>> [6] http://twitter.com/theispguy
>> [7] http://www.theispguy.com
>> [8] http://kb.juniper.net/InfoCenter/index?page=content&id=KB17436
>> [10] https://puck.nether.net/mailman/listinfo/juniper-nsp
> 


--
Louis Kowolowski                                louisk at cryptomonkeys.org
Cryptomonkeys:                                   http://www.cryptomonkeys.com/

Making life more interesting for people since 1977
