[j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

Nick Schmalenberger nick at schmalenberger.us
Mon Mar 23 20:33:42 EDT 2015


On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
> I need to have my VPN clients' default route go over their tunnel
> to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
> works for Windows clients 5.1r1.1-b52267, but the Mac Pulse
> Secure client is never able to set up a tunnel and connect.
> 
> If I put some more specific routes, such as the private addresses I
> use internally and certain public addresses, as
> remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
> is able to connect fine and reach all those networks/hosts with
> the VPN-assigned address, or NAT out of the same SRX in the case
> of the public destinations (what I mostly want to do).
> 
> Does anyone else have that problem? Is there a known bug with the
> Mac client? I made a support case with JTAC, and they agreed it
> was a bug but said I need to call back and make a new case for
> the Pulse Secure Client instead of SRX.
> 
> Another issue I had was how to route the VPN clients' assigned
> private addresses and give the route to OSPF. I made an
> aggregate route for them, but it seemed like they weren't
> contributing to bring it up, so I made a reject route for one of
> the addresses in the network but not in the pool. It worked, but the
> clients couldn't connect to the SRX itself. Any other
> suggestions? A better action than reject for that? Thanks!
> -Nick Schmalenberger
> 
> P.S. this post was very helpful in figuring it all out:
> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/

Juniper finally told me they reproduced this problem with the Mac
client, but also that the configuration did NOT work with
Windows! They then told me the configuration is not supported at
all, but that I should try some other VPN client such as VPN Tracker,
which I'm planning to do. It would then not use dynamic-vpn at
all, but could still use the same xauth access-profile.

Meanwhile, I have also set up a site-to-site tunnel for some of
the same usage, and it allows clients to use the remote SRX's DNS
proxy, where dynamic-vpn clients could not (at least the way I
managed to get it to work). So this will have some advantages as
well. Thanks for the helpful suggestions!
-Nick
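The following Junos set-style configuration is an added example, not the poster's configuration, put together to show the two pieces the thread is about: specific remote-protected-resources for dynamic VPN clients (the variant the poster reports working, since Juniper told him 0.0.0.0/0 is unsupported), and an aggregate route for the client pool that is advertised into OSPF with the help of a contributing route outside the assigned range. The profile and gateway names, the pool 10.10.10.0/24 with its assigned range, the internal and public prefixes, the user name and the contributing /32 are all assumptions; the IKE proposals, the dynamic IKE gateway, the IPsec VPN definition and the tunnel security policy are omitted because they are not what the thread discusses.

```junos
## Added example (not the poster's config). All names and prefixes are assumed.

## Address pool handed out to dynamic VPN clients: the /24 is the network,
## but only .10-.100 is ever assigned, which leaves room for a contributing route below.
set access address-assignment pool dyn-vpn-pool family inet network 10.10.10.0/24
set access address-assignment pool dyn-vpn-pool family inet range r1 low 10.10.10.10 high 10.10.10.100
set access profile dyn-vpn-access-profile client vpnuser firewall-user password "<password>"
set access profile dyn-vpn-access-profile address-assignment pool dyn-vpn-pool
set access firewall-authentication web-authentication default-profile dyn-vpn-access-profile

## The IKE gateway authenticates users with XAuth against the same profile; this is the
## part a third-party IPsec client could keep using if dynamic-vpn itself is dropped.
set security ike gateway dyn-vpn-gw xauth access-profile dyn-vpn-access-profile

## Dynamic VPN clients get specific prefixes rather than 0.0.0.0/0: the internal
## networks plus the public destinations that should be NATed out of the SRX.
set security dynamic-vpn access-profile dyn-vpn-access-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user vpnuser
set security dynamic-vpn clients all remote-protected-resources 192.168.0.0/16
set security dynamic-vpn clients all remote-protected-resources 203.0.113.0/24

## Advertise the pool into OSPF. An aggregate route is only active while a more
## specific contributing route exists, and VPN client addresses do not show up as
## routes by themselves, so a static route for one address inside the /24 but
## outside the assigned range brings the aggregate up. The post used "reject";
## "discard" drops silently instead of answering with ICMP unreachable.
set routing-options aggregate route 10.10.10.0/24
set routing-options static route 10.10.10.254/32 discard
set policy-options policy-statement export-vpn-pool term pool from protocol aggregate
set policy-options policy-statement export-vpn-pool term pool from route-filter 10.10.10.0/24 exact
set policy-options policy-statement export-vpn-pool term pool then accept
set protocols ospf export export-vpn-pool
```

After committing, `show route 10.10.10.0/24 exact` on the SRX should list the aggregate as active, and `show route protocol ospf` on an OSPF neighbour should show the /24 learned from it. Whether a discard contributor avoids the client-to-SRX problem the poster saw with reject is not something the thread settles; test that path explicitly before relying on it.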

