SRX3xx VPN Client - NCP alternatives?
Hi all,

First, a whinge.

We’re using the NCP Secure Entry client for Mac.

As usual with these VPN clients, it’s diabolically bad. There’s a real feeling of “this was specced by someone who’s never going to use it and has never actually seen it” type of thing going on, that really gives you zero confidence in the quality of the software underneath.

I’m pretty regularly having to kill the app and re-open it to either make it work, or to make any of my other networking work. Always a good sign.

They’ve come out with a version 4.0 recently, which supposedly has better compatibility with OS X 10.15. I’ve installed it.
In “take all the traffic” mode, it installs a couple of /1 routes so they longest prefix match instead of default. Fine.
In “split tunneling” mode, it *still* installs those /1 routes, but with a next hop of 0.0.0.1, so all of your non-VPN traffic is just dumped on the floor. Unlike split tunnelling mode, when you turn off the VPN connection, it leaves the broken routes in the table.

That’s the sort of bug that as someone who does some software dev, you can just picture the code that’s making that happen, and how it stinks of bad design. That’s not the sort of stuff I want running on my laptop with the privileges it requires to control routing and whatever else. That seems like a very poor choice.
Of course, I say “bug”. If it was well designed, this seems like a single bug. In the way this software seems to be designed, it’s more likely two.

The licensing model sucks, the whole thing. Disaster.



Anyway, whinge over.

What are my alternatives for a VPN client to talk to the SRX3XX?
I recall when they moved away from Pulse, there was this talk of “open standards” and other things. Supposedly there was going to be a bunch of 3rd party clients available. I haven’t been able to find any. Are there any?

--
Nathan Ward

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
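
A check for the leftover routes described in the message above, as an added example that is not part of the original thread. It assumes the abbreviated destination form (`0/1`, `128.0/1`) that macOS `netstat -rn` prints; the routing table in `sample_routes` is constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `netstat -rn -f inet` output on a Mac after the
# VPN has been disconnected, with the two /1 routes still present and
# pointing at the 0.0.0.1 next hop reported in the thread.
sample_routes() {
cat <<'EOF'
Routing tables

Internet:
Destination        Gateway            Flags        Netif
default            192.168.1.1        UGSc           en0
0/1                0.0.0.1            UGSc           en0
127                127.0.0.1          UCS            lo0
128.0/1            0.0.0.1            UGSc           en0
192.168.1          link#4             UCS            en0
EOF
}

# Read a routing table on stdin and report every /1 route.
# 0.0.0.0/1 and 128.0.0.0/1 together cover all of IPv4 and are more
# specific than the default route (/0), so longest-prefix match sends
# all traffic to their next hop. A next hop inside 0.0.0.0/8 is not a
# reachable gateway, so such a route silently drops traffic.
# Output: "<status> <destination> <gateway>", where status is
#   BLACKHOLE  next hop is in 0.0.0.0/8
#   override   next hop looks like a normal gateway (full-tunnel mode)
find_half_default_routes() {
  awk '
    $1 == "0/1" || $1 == "128.0/1" ||
    $1 == "0.0.0.0/1" || $1 == "128.0.0.0/1" {
      status = ($2 ~ /^0\./) ? "BLACKHOLE" : "override"
      print status, $1, $2
    }'
}

# Offline demonstration on the constructed table. On a real machine:
#   netstat -rn -f inet | find_half_default_routes
sample_routes | find_half_default_routes
```

Any `BLACKHOLE` line seen while the VPN is disconnected means the client left its routes behind; an `override` line while disconnected is also stale state worth removing.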
Re: SRX3xx VPN Client - NCP alternatives?
Using split tunneling (and split DNS) with this here, on several macs (and good^H^Hold SRX2xx).
It usually works properly (the routes to VPNize are configured statically within the profile config).
Never seen such /1 routes.
I know that «here it works» isn't that helpful, but at least this is how our mileage varies...

> On 8 Nov 2019, at 01:31, Nathan Ward <juniper-nsp@daork.net> wrote:
>
> We’re using the NCP Secure Entry client for Mac.
>
> They’ve come out with a version 4.0 recently, which supposedly has better compatibility with OS X 10.15. I’ve installed it.
> In “take all the traffic” mode, it installs a couple of /1 routes so they longest prefix match instead of default. Fine.
> In “split tunneling” mode, it *still* installs those /1 routes, but with a next hop of 0.0.0.1, so all of your non-VPN traffic is just dumped on the floor. Unlike split tunnelling mode, when you turn off the VPN connection, it leaves the broken routes in the table.

Re: SRX3xx VPN Client - NCP alternatives?
> On 8/11/2019, at 2:13 PM, Olivier Benghozi <olivier.benghozi@wifirst.fr> wrote:
>
> Using split tunneling (and split DNS) with this here, on several macs (and good^H^Hold SRX2xx).
> It usually works properly (the routes to VPNize are configured statically within the profile config).
> Never seen such /1 routes.
> I know that «here it works» isn't that helpful, but at least this is how our mileage varies…

You on 4.0? Came out a few days ago.

The NCP support are saying they can’t reproduce, so, time to fire up a VM to test it in I suppose…

--
Nathan Ward

Re: SRX3xx VPN Client - NCP alternatives?
Hi,

On Fri, Nov 08, 2019 at 01:31:48PM +1300, Nathan Ward wrote:
> What are my alternatives for a VPN client to talk to the SRX3XX?

Well... we just do OpenVPN to a VM behind the SRX...

(Yes, this is not exactly an answer to your question, but it might be
an option, depending on how the network is organized. Of course I am
biased - I know how the OpenVPN code looks inside, and I can assure you
that it's maintained by people who actually *use* it and try to make
it well-behaved :-) ).

gert
--
"If was one thing all people took for granted, was conviction that if you
feed honest figures into a computer, honest figures come out. Never doubted
it myself till I met a computer with a sense of humor."
Robert A. Heinlein, The Moon is a Harsh Mistress

Gert Doering - Munich, Germany gert@greenie.muc.de
Re: SRX3xx VPN Client - NCP alternatives?
We were on 3.2 until last week, then updated to 4.0 this week.

> On 8 Nov 2019, at 02:26, Nathan Ward <juniper-nsp@daork.net> wrote:
>
>> On 8/11/2019, at 2:13 PM, Olivier Benghozi <olivier.benghozi@wifirst.fr> wrote:
>>
>> Using split tunneling (and split DNS) with this here, on several macs (and good^H^Hold SRX2xx).
>> It usually works properly (the routes to VPNize are configured statically within the profile config).
>> Never seen such /1 routes.
>> I know that «here it works» isn't that helpful, but at least this is how our mileage varies…
>
> You on 4.0? Came out a few days ago.
>
> The NCP support are saying they can’t reproduce, so, time to fire up a VM to test it in I suppose…
