Mailing List Archive

non-split tunneling to SRX dynamic vpn with Pulse Secure client?
I need to have my VPN clients' default route go over their tunnel
to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
works for Windows clients 5.1r1.1-b52267, but on the Mac, Pulse
Secure is never able to set up a tunnel and connect.

If I put some more specific routes, such as private addresses I
use internally and certain public addresses, as
remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
is able to connect fine and reach all those networks/hosts with
the VPN-assigned address, or NAT out of the same SRX in the case
of the public destinations (what I mostly want to do).

Does anyone else have that problem? Is there a known bug with the
Mac client? I made a support case with JTAC, and they agreed it
was a bug but said I need to call back and make a new case for
the Pulse Secure Client instead of SRX.

Another issue I had was how to route the VPN clients' assigned
private addresses and give the route to OSPF. I made an
aggregate route for them, but it seemed like they weren't
contributing to bring it up, so I made a reject route for one of
the addresses in the network but not in the pool. It worked, but the
clients couldn't connect to the SRX itself. Any other
suggestions? A better action than reject for that? Thanks!
-Nick Schmalenberger

P.S. this post was very helpful in figuring it all out:
http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: non-split tunneling to SRX dynamic vpn with Pulse Secure client? [ In reply to ]
On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
> I need to have my VPN clients' default route go over their tunnel
> to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
> works for Windows clients 5.1r1.1-b52267, but on the Mac, Pulse
> Secure is never able to set up a tunnel and connect.
>
> If I put some more specific routes, such as private addresses I
> use internally and certain public addresses, as
> remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
> is able to connect fine and reach all those networks/hosts with
> the VPN-assigned address, or NAT out of the same SRX in the case
> of the public destinations (what I mostly want to do).
>
> Does anyone else have that problem? Is there a known bug with the
> Mac client? I made a support case with JTAC, and they agreed it
> was a bug but said I need to call back and make a new case for
> the Pulse Secure Client instead of SRX.
>
> Another issue I had was how to route the VPN clients' assigned
> private addresses and give the route to OSPF. I made an
> aggregate route for them, but it seemed like they weren't
> contributing to bring it up, so I made a reject route for one of
> the addresses in the network but not in the pool. It worked, but the
> clients couldn't connect to the SRX itself. Any other
> suggestions? A better action than reject for that? Thanks!
> -Nick Schmalenberger
>
> P.S. this post was very helpful in figuring it all out:
> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/

Juniper finally told me they reproduced this problem with the Mac
client, but also that the configuration did NOT work with
Windows! They then told me the configuration is not supported at
all, but that I should try some other VPN client such as VPN Tracker,
which I'm planning to do. It would then not use dynamic-vpn at
all, but could still use the same xauth access-profile.

Meanwhile, I have also set up a site-to-site tunnel for some of
the same usage, and it allows clients to use the remote SRX's DNS
proxy where dynamic-vpn clients could not (at least the way I
managed to get it to work). So this will have some advantages as
well. Thanks for the helpful suggestions!
-Nick
Re: non-split tunneling to SRX dynamic vpn with Pulse Secure client? [ In reply to ]
Have you tried 0/1 and 128/1 instead of 0/0?

That's also required for the backup-router destination, so it might solve this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger <nick@schmalenberger.us> wrote:
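Putting Aaron's 0.0.0.0/1 + 128.0.0.0/1 suggestion together with Nick's OSPF question from the first post, here is what the relevant Junos stanzas would look like in set form. This is an added example, not configuration from anyone in the thread, and it has not been verified against the client builds named above; Nick's later reply says JTAC called the full-tunnel setup unsupported even on Windows, so treat the /1 trick as the suggestion it is. Every name, address, zone and interface is made up, and the IKE/IPsec proposals, policies and the tunnel security policy are left as in the rtoodtoo.net post Nick links.

```junos
## Added example, not from the thread. Names, addresses, interface and
## credentials are assumptions; IKE/IPsec proposals and the tunnel
## security policy are as in the linked rtoodtoo.net post.

## --- Dynamic VPN: full tunnel as two halves instead of 0.0.0.0/0 ---
## Aaron's suggestion: 0.0.0.0/1 and 128.0.0.0/1 together cover every IPv4
## destination without handing the client a literal default route.
set security ike gateway dyn-vpn-gw ike-policy dyn-vpn-ike-pol
set security ike gateway dyn-vpn-gw dynamic hostname vpn.example.net
set security ike gateway dyn-vpn-gw dynamic ike-user-type shared-ike-id
set security ike gateway dyn-vpn-gw external-interface ge-0/0/0.0
set security ike gateway dyn-vpn-gw xauth access-profile dyn-vpn-profile
set security ipsec vpn dyn-vpn ike gateway dyn-vpn-gw
set security ipsec vpn dyn-vpn ike ipsec-policy dyn-vpn-ipsec-pol

set security dynamic-vpn access-profile dyn-vpn-profile
set security dynamic-vpn clients all ipsec-vpn dyn-vpn
set security dynamic-vpn clients all user nick
set security dynamic-vpn clients all remote-protected-resources 0.0.0.0/1
set security dynamic-vpn clients all remote-protected-resources 128.0.0.0/1

## Split-tunnel variant (what Nick reports working on the Mac): drop the two
## /1 lines and list only the internal and selected public prefixes, e.g.
##   set security dynamic-vpn clients all remote-protected-resources 10.0.0.0/8
##   set security dynamic-vpn clients all remote-protected-resources 198.51.100.0/24

## --- Address pool handed out via XAuth ---
set access profile dyn-vpn-profile client nick firewall-user password "CHANGEME"
set access profile dyn-vpn-profile address-assignment pool dyn-vpn-pool
set access address-assignment pool dyn-vpn-pool family inet network 10.255.0.0/24
set access address-assignment pool dyn-vpn-pool family inet range r1 low 10.255.0.10
set access address-assignment pool dyn-vpn-pool family inet range r1 high 10.255.0.100
set access address-assignment pool dyn-vpn-pool family inet xauth-attributes primary-dns 10.0.0.53/32
set access firewall-authentication web-authentication default-profile dyn-vpn-profile

## --- Advertise the pool into OSPF ---
## A static discard route for the whole pool is always active, so unlike an
## aggregate it needs no contributing route. discard drops silently; reject
## also returns ICMP unreachable. Either only matters for destinations that
## have no more specific route.
set routing-options static route 10.255.0.0/24 discard
set policy-options policy-statement export-vpn-pool term pool from protocol static
set policy-options policy-statement export-vpn-pool term pool from route-filter 10.255.0.0/24 exact
set policy-options policy-statement export-vpn-pool term pool then accept
set policy-options policy-statement export-vpn-pool then reject
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf export export-vpn-pool

## Aggregate form, if preferred: it needs at least one active more-specific
## contributor, which is why Nick added a reject route inside the block.
##   set routing-options aggregate route 10.255.0.0/24 discard
##   set routing-options static route 10.255.0.255/32 reject
```

Check the result with `show security dynamic-vpn users` and `show security ike security-associations` for the client side, and `show route 10.255.0.0/24` plus `show ospf database` on a neighbour for the pool route. The discard or reject route covers the entire pool, so whether return traffic to a connected client still reaches the tunnel depends on what more specific state the SRX holds; the thread does not settle why Nick's clients could not reach the SRX itself once his reject route was in place.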
Re: non-split tunneling to SRX dynamic vpn with Pulse Secure client? [ In reply to ]
Old thread (2015)...

Is there still a problem with MacOS using Pulse Secure to connect with SRX
Dynamic/Remote Access VPN? Anyone know how to make it work?

I do have Windows 10 working fine... but not a MacOS Apple laptop.

Using SRX300 15.1X49-D150.2 and the Pulse client from Juniper's website,
5.1R5.1....

ps-pulse-win-5.1r5.1-b61437-64bitinstaller.msi - windows 10 working
ps-pulse-mac-5.1r5.1-b61437-installer.dmg - macos not working


-Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of
Aaron Dewell
Sent: Monday, March 23, 2015 7:39 PM
To: Nick Schmalenberger
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse
Secure client?


Have you tried 0/1 and 128/1 instead of 0/0?

That's also required for the backup-router destination, so it might solve
this problem too.