Old thread (2015)... Is there still a problem with MacOS using Pulse Secure to connect with SRX Dynamic/Remote Access VPN? Anyone know how to make it work?

I do have Windows 10 working fine... but not MacOS Apple laptop. Using SRX300 15.1X49-D150.2 and Pulse client from Juniper's website 5.1R5.1....

ps-pulse-win-5.1r5.1-b61437-64bitinstaller.msi - windows 10 working
ps-pulse-mac-5.1r5.1-b61437-installer.dmg - macos not working

-Aaron

-----Original Message-----
From: juniper-nsp [mailto:[email protected]] On Behalf Of Aaron Dewell
Sent: Monday, March 23, 2015 7:39 PM
To: Nick Schmalenberger
Cc: [email protected]
Subject: Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

Have you tried 0/1 and 128/1 instead of 0/0? That's also required for backup-router destination as well, so might solve this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger <[email protected]> wrote:

> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clients' default route go over their tunnel
>> to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource
>> works for Windows clients 5.1r1.1-b52267, but with Mac Pulse
>> Secure is never able to set up a tunnel and connect.
>>
>> If I put some more specific routes, such as private addresses I
>> use internally and certain public addresses, as
>> remote-protected-resources, the Mac client (5.1r1.1-b52267 again)
>> is able to connect fine and reach all those networks/hosts with
>> the vpn assigned address, or NAT out of the same SRX in the case
>> of the public destinations (what I mostly want to do).
>>
>> Does anyone else have that problem? Is there a known bug with the
>> Mac client? I made a support case with JTAC, and they agreed it
>> was a bug but said I need to call back and make a new case for
>> the Pulse Secure Client instead of SRX.
>>
>> Another issue I had, was how to route the vpn clients' assigned
>> private addresses, and give the route to OSPF. I made an
>> aggregate route for them, but it seemed like they weren't
>> contributing to bring it up, so I made a reject route for one of
>> the addresses in the network but not the pool. It worked, but the
>> clients couldn't connect to the srx itself. Any other
>> suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>>
>> P.S. this post was very helpful in figuring it all out:
>> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
>
> Juniper finally told me they reproduced this problem with the Mac
> client, but also that the configuration did NOT work with
> Windows! They then told me, the configuration is not supported at
> all, but I should try some other vpn client such as VPN Tracker,
> which I'm planning to do. It would then not use dynamic-vpn at
> all, but could still use the same xauth access-profile.
>
> Meanwhile, I have also set up a site-to-site tunnel for some of
> the same usage, and it allows clients to use the remote SRX's dns
> proxy where dynamic-vpn clients could not (at least the way I
> managed to get it to work). So this will have some advantages as
> well. Thanks for the helpful suggestions!
> -Nick
> _______________________________________________
> juniper-nsp mailing list [email protected]
> https://puck.nether.net/mailman/listinfo/juniper-nsp

