[j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

Aaron Dewell aaron.dewell at gmail.com
Mon Mar 23 20:39:14 EDT 2015


Have you tried 0/1 and 128/1 instead of 0/0?

That’s also required for the backup-router destination, so it might solve this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger <nick at schmalenberger.us> wrote:
> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clients default route go over their tunnel
>> to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
>> works for Windows clients 5.1r1.1-b52267, but with Mac Pulse
>> Secure is never able to setup a tunnel and connect. 
>> 
>> If I put some more specific routes, such as private addresses I
>> use internally and certain public addresses, as
>> remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
>> is able to connect fine and reach all those networks/hosts with
>> the vpn assigned address, or NAT out of the same SRX in the case
>> of the public destinations (what I mostly want to do).
>> 
>> Does anyone else have that problem? Is there a known bug with the
>> Mac client? I made a support case with JTAC, and they agreed it
>> was a bug but said I need to call back and make a new case for
>> the Pulse Secure Client instead of SRX.
>> 
>> Another issue I had, was how to route the vpn clients assigned
>> private addresses, and give the route to OSPF. I made an
>> aggregate route for them, but it seemed like they weren't
>> contributing to bring it up, so I made a reject route for one of
>> the addresses in the network but not the pool. It worked, but the
>> clients couldn't connect to the srx itself. Any other
>> suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>> 
>> P.S. this post was very helpful in figuring it all out:
>> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
> 
> Juniper finally told me they reproduced this problem with the Mac
> client, but also that the configuration did NOT work with
> Windows! They then told me the configuration is not supported at
> all, but I should try some other vpn client such as VPN Tracker,
> which I'm planning to do. It would then not use dynamic-vpn at
> all, but could still use the same xauth access-profile.
> 
> Meanwhile, I have also setup a site-to-site tunnel for some of
> the same usage, and it allows clients to use the remote SRX's dns
> proxy where dynamic-vpn clients could not (at least the way I
> managed to get it to work). So this will have some advantages as
> well. Thanks for the helpful suggestions!
> -Nick
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
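The two-halves workaround Aaron suggests, written out as a Junos configuration fragment. This is an added illustration, not configuration posted by either participant: the dynamic-vpn client group name `all` and the backup-router address 192.0.2.1 are placeholders, and nothing in the thread confirms that the Pulse client accepts two /1 prefixes where 0.0.0.0/0 failed (Nick's later reply says Juniper considered the full-tunnel dynamic-vpn setup unsupported altogether).

```junos
# Added example, not from the thread. Names and addresses are placeholders.
# Idea: 0.0.0.0/1 + 128.0.0.0/1 together cover every IPv4 destination with
# no overlap, so the pair behaves like a default route without any single
# statement being 0.0.0.0/0.

# Dynamic VPN: push both halves as protected resources instead of 0.0.0.0/0
set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/1
set security dynamic-vpn clients all remote-protected-resources 128.0.0.0/1

# The same split is what Aaron refers to for backup-router, whose destination
# statement is where the 0.0.0.0/0 restriction is usually first met
set system backup-router 192.0.2.1 destination 0.0.0.0/1
set system backup-router 192.0.2.1 destination 128.0.0.0/1
```

After `commit`, `show configuration security dynamic-vpn` should list both prefixes under the client group; whether a given client build actually installs them as a full-tunnel route is the thing to test against a Windows and a Mac client separately, since the thread reports the two behaving differently on the 0.0.0.0/0 case.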


