[j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

Aaron Gould aaron1 at gvtc.com
Tue Aug 13 14:17:53 EDT 2019


Old thread (2015)...

Is there still a problem with MacOS using Pulse Secure to connect with SRX
Dynamic/Remote Access VPN? Anyone know how to make it work?

I do have Windows 10 working fine... but not MacOS Apple laptop.

Using SRX300 15.1X49-D150.2 and Pulse client from Juniper's website
5.1R5.1....

ps-pulse-win-5.1r5.1-b61437-64bitinstaller.msi - windows 10 working
ps-pulse-mac-5.1r5.1-b61437-installer.dmg - macos not working


-Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces at puck.nether.net] On Behalf Of
Aaron Dewell
Sent: Monday, March 23, 2015 7:39 PM
To: Nick Schmalenberger
Cc: juniper-nsp at puck.nether.net
Subject: Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse
Secure client?


Have you tried 0/1 and 128/1 instead of 0/0?

That's also required for backup-router destination as well, so might solve
this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger <nick at schmalenberger.us>
wrote:
> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clients default route go over their tunnel
>> to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
>> works for Windows clients 5.1r1.1-b52267, but with Mac Pulse
>> Secure is never able to setup a tunnel and connect. 
>> 
>> If I put some more specific routes, such as private addresses I
>> use internally and certain public addresses, as
>> remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
>> is able to connect fine and reach all those networks/hosts with
>> the vpn assigned address, or NAT out of the same SRX in the case
>> of the public destinations (what I mostly want to do).
>> 
>> Does anyone else have that problem? Is there a known bug with the
>> Mac client? I made a support case with JTAC, and they agreed it
>> was a bug but said I need to call back and make a new case for
>> the Pulse Secure Client instead of SRX.
>> 
>> Another issue I had, was how to route the vpn clients assigned
>> private addresses, and give the route to OSPF. I made an
>> aggregate route for them, but it seemed like they weren't
>> contributing to bring it up, so I made a reject route for one of
>> the addresses in the network but not the pool. It worked, but the
>> clients couldn't connect to the SRX itself. Any other
>> suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>> 
>> P.S. this post was very helpful in figuring it all out:
>> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
> 
> Juniper finally told me they reproduced this problem with the Mac
> client, but also that the configuration did NOT work with
> Windows! They then told me, the configuration is not supported at
> all, but I should try some other vpn client such as VPN Tracker,
> which I'm planning to do. It would then not use dynamic-vpn at
> all, but could still use the same xauth access-profile.
> 
> Meanwhile, I have also setup a site-to-site tunnel for some of
> the same usage, and it allows clients to use the remote SRX's dns
> proxy where dynamic-vpn clients could not (at least the way I
> managed to get it to work). So this will have some advantages as
> well. Thanks for the helpful suggestions!
> -Nick
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
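The suggestion in the thread is to express a full tunnel as the two halves of the default route (0/1 and 128/1) rather than 0/0 under remote-protected-resources. The script below is an added example, not code from the thread or from Juniper: it applies the general form of that trick (split any prefix into its two children), checks that a set of remote-protected-resources really covers the whole IPv4 space with no gaps, tells you whether a given destination would be sent through the tunnel, and emits the corresponding `set` lines. The client name `all` and the use of the `security dynamic-vpn clients <name> remote-protected-resources` hierarchy are assumptions taken from the keyword used in the thread; check them against your Junos release before pasting anything.

```python
import ipaddress

# The whole IPv4 space, i.e. what a non-split (full) tunnel must cover.
DEFAULT_ROUTE = ipaddress.ip_network("0.0.0.0/0")


def split_prefix(prefix: str) -> list:
    """Return the two equal halves of a prefix.

    This is the general form of the thread's workaround: 0.0.0.0/0 becomes
    0.0.0.0/1 and 128.0.0.0/1, which together cover exactly the same space.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    return [str(child) for child in net.subnets(prefixlen_diff=1)]


def covers_entire_space(prefixes) -> bool:
    """True when the prefixes, merged, cover every IPv4 address without gaps."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    covered = sum(n.num_addresses for n in ipaddress.collapse_addresses(nets))
    return covered == DEFAULT_ROUTE.num_addresses


def is_protected(destination: str, prefixes) -> bool:
    """Would traffic to this destination be steered into the tunnel?

    Mirrors the behaviour described in the thread: with only specific
    remote-protected-resources (a split tunnel), arbitrary public
    destinations are not protected; with 0/1 + 128/1 everything is.
    """
    addr = ipaddress.ip_address(destination)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def junos_set_lines(client_name: str, prefixes) -> list:
    """Render the prefixes as Junos set commands.

    Assumption (not verified on the page): remote-protected-resources lives
    under 'security dynamic-vpn clients <name>'.
    """
    return [
        f"set security dynamic-vpn clients {client_name} "
        f"remote-protected-resources {p}"
        for p in prefixes
    ]


if __name__ == "__main__":
    # Constructed sample data for a local run; nothing here is from the thread.
    full_tunnel = split_prefix("0.0.0.0/0")
    split_tunnel = ["10.0.0.0/8", "192.168.0.0/16"]
    print("full tunnel halves:", full_tunnel)
    print("full tunnel covers everything:", covers_entire_space(full_tunnel))
    print("split tunnel covers everything:", covers_entire_space(split_tunnel))
    print("8.8.8.8 protected (full):", is_protected("8.8.8.8", full_tunnel))
    print("8.8.8.8 protected (split):", is_protected("8.8.8.8", split_tunnel))
    for line in junos_set_lines("all", full_tunnel):
        print(line)
```

`covers_entire_space` merges the prefixes first, so overlapping entries do not inflate the count; if it returns False for a configuration you expected to be a full tunnel, some range of the address space is falling back to the client's local routing table, which is exactly the split-tunnel leak the original poster was trying to avoid.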
