[j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

Nick Schmalenberger nick at schmalenberger.us
Thu Mar 5 21:29:30 EST 2015


I need to have my vpn clients' default route go over their tunnel
to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
works for Windows clients 5.1r1.1-b52267, but with Mac Pulse
Secure is never able to set up a tunnel and connect.

If I put some more specific routes, such as private addresses I
use internally and certain public addresses, as
remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
is able to connect fine and reach all those networks/hosts with
the vpn assigned address, or NAT out of the same SRX in the case
of the public destinations (what I mostly want to do).

Does anyone else have that problem? Is there a known bug with the
Mac client? I made a support case with JTAC, and they agreed it
was a bug but said I need to call back and make a new case for
the Pulse Secure Client instead of SRX.

Another issue I had was how to route the vpn clients' assigned
private addresses, and give the route to OSPF. I made an
aggregate route for them, but it seemed like they weren't
contributing to bring it up, so I made a reject route for one of
the addresses in the network but not the pool. It worked, but the
clients couldn't connect to the SRX itself. Any other
suggestions? A better action than reject for that? Thanks!
-Nick Schmalenberger

P.S. this post was very helpful in figuring it all out:
http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
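As an added illustration that is not part of Nick's post or the rtoodtoo article, the following Junos set-syntax fragment shows the shape of the two dynamic VPN configurations the post contrasts (full tunnel via 0.0.0.0/0 versus a list of specific prefixes) and the aggregate-plus-reject route workaround the post describes for advertising the client pool into OSPF. The IKE, IPsec, st0 interface, access-profile and security-policy pieces are assumed to already exist; every name (vpn-users, dyn-vpn, vpn-pool, export-vpn-pool, alice) and every prefix (192.0.2.0/24 pool, 203.0.113.0/24 public destination) is a placeholder, not configuration from the original post.

```junos
# Added example, not from the original post. All names and prefixes are placeholders.

# Client address pool: 192.0.2.0/24 is the network, but only .10 to .200 are handed out,
# which leaves addresses such as .254 "in the network but not the pool".
set access address-assignment pool vpn-pool family inet network 192.0.2.0/24
set access address-assignment pool vpn-pool family inet range r1 low 192.0.2.10
set access address-assignment pool vpn-pool family inet range r1 high 192.0.2.200

# Variant A: full tunnel. Every client destination is pushed through the tunnel.
# The post reports this working for the Windows client and failing on the Mac client.
set security dynamic-vpn clients vpn-users ipsec-vpn dyn-vpn
set security dynamic-vpn clients vpn-users user alice
set security dynamic-vpn clients vpn-users remote-protected-resources 0.0.0.0/0

# Variant B: split tunnel with explicit prefixes (the post reports this working on the Mac).
# Replace the 0.0.0.0/0 resource with the internal networks and the public destinations
# that should be reached via the SRX (and NATed out of it).
delete security dynamic-vpn clients vpn-users remote-protected-resources 0.0.0.0/0
set security dynamic-vpn clients vpn-users remote-protected-resources 10.0.0.0/8
set security dynamic-vpn clients vpn-users remote-protected-resources 203.0.113.0/24

# Routing the client pool. An aggregate route is only active while a more specific
# active route inside it exists in the routing table; dynamic VPN client assignments
# do not install such routes, so the aggregate stays inactive on its own. The post's
# workaround is a reject route for an address inside the aggregate but outside the pool,
# which then acts as the contributing route.
set routing-options aggregate route 192.0.2.0/24
set routing-options static route 192.0.2.254/32 reject

# Export only the aggregate (not the /32 reject) into OSPF so the rest of the network
# learns where the client pool lives.
set policy-options policy-statement export-vpn-pool term pool from protocol aggregate
set policy-options policy-statement export-vpn-pool term pool from route-filter 192.0.2.0/24 exact
set policy-options policy-statement export-vpn-pool term pool then accept
set protocols ospf export export-vpn-pool
```

After committing, `show route 192.0.2.0/24 exact detail` lists the aggregate with its contributing route, and `show route protocol ospf` on a neighbouring router confirms the pool is being learned; if the aggregate shows as inactive, the contributing route is what to check first.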

