[j-nsp] SRX3xx VPN Client - NCP alternatives?

Nathan Ward juniper-nsp at daork.net
Thu Nov 7 19:31:48 EST 2019


Hi all,

First, a whinge.

We’re using the NCP Secure Entry client for Mac.

As usual with these VPN clients, it’s diabolically bad. There’s a real feeling of “this was specced by someone who’s never going to use it and has never actually seen it” type of thing going on, that really gives you zero confidence in the quality of the software underneath.

I’m pretty regularly having to kill the app and re-open it to either make it work, or to make any of my other networking work. Always a good sign.

They’ve come out with a version 4.0 recently, which supposedly has better compatibility with OS X 10.15. I’ve installed it.
In “take all the traffic” mode, it installs a couple of /1 routes so they longest prefix match instead of default. Fine.
In “split tunneling” mode, it *still* installs those /1 routes, but with a next hop of 0.0.0.1, so all of your non-VPN traffic is just dumped on the floor. Unlike split tunnelling mode, when you turn off the VPN connection, it leaves the broken routes in the table.

That’s the sort of bug that as someone who does some software dev, you can just picture the code that’s making that happen, and how it stinks of bad design. That’s not the sort of stuff I want running on my laptop with the privileges it requires to control routing and whatever else. That seems like a very poor choice.
Of course, I say “bug”. If it was well designed, this seems like a single bug. In the way this software seems to be designed, it’s more likely two.

The licensing model sucks, the whole thing. Disaster.



Anyway, whinge over.

What are my alternatives for a VPN client to talk to the SRX3XX?
I recall when they moved away from Pulse, there was this talk of “open standards” and other things. Supposedly there was going to be a bunch of 3rd party clients available. I haven’t been able to find any. Are there any?

--
Nathan Ward
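
A check for the route state described in the message above, added here as an example and not part of the original post or of any NCP or Juniper tooling. It parses macOS `netstat -rn -f inet` output, finds the two /1 "half-default" routes, and flags any whose gateway falls in 0.0.0.0/8 (a generalisation of the 0.0.0.1 next hop reported above); the sample table and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -rn -f inet` output in the broken state.
SAMPLE = """\
Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
0/1                0.0.0.1            UGSc           en0
default            192.168.1.1        UGSc           en0
127                127.0.0.1          UCS            lo0
128.0/1            0.0.0.1            UGSc           en0
192.168.1          link#4             UCS            en0
"""

HALF_DEFAULTS = {ipaddress.ip_network("0.0.0.0/1"),
                 ipaddress.ip_network("128.0.0.0/1")}
THIS_NETWORK = ipaddress.ip_network("0.0.0.0/8")  # never a usable next hop

def expand_destination(dest):
    """Expand macOS shorthand such as '128.0/1' to an IPv4Network, else None."""
    addr, sep, plen = dest.partition("/")
    octets = addr.split(".")
    if not sep or not plen.isdigit() or len(octets) > 4:
        return None
    if not all(o.isdigit() for o in octets):
        return None  # IPv6, 'default', header lines
    octets += ["0"] * (4 - len(octets))
    try:
        return ipaddress.ip_network(".".join(octets) + "/" + plen)
    except ValueError:
        return None

def find_half_default_routes(netstat_output):
    """Return (network, gateway, gateway_is_bogus) for each /1 half-default."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or expand_destination(fields[0]) not in HALF_DEFAULTS:
            continue
        try:
            bogus = ipaddress.ip_address(fields[1]) in THIS_NETWORK
        except ValueError:
            bogus = False  # gateway shown as link#N or an interface name
        findings.append((str(expand_destination(fields[0])), fields[1], bogus))
    return findings

if __name__ == "__main__":
    for net, gw, bogus in find_half_default_routes(SAMPLE):
        print(f"{net} via {gw}: {'BLACKHOLE' if bogus else 'ok'}")
```

Running it once after connecting and again after disconnecting shows whether the /1 routes were withdrawn or left behind.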


