Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?
Old thread (2015)... Is there still a problem with MacOS using Pulse Secure to connect with SRX Dynamic/Remote Access VPN? Anyone know how to make it work? I do have Windows 10 working fine... but not MacOS Apple laptop.

Using SRX300 15.1X49-D150.2 and Pulse client from Juniper's website 5.1R5.1:

ps-pulse-win-5.1r5.1-b61437-64bitinstaller.msi - windows 10 working
ps-pulse-mac-5.1r5.1-b61437-installer.dmg - macos not working

-Aaron

-----Original Message-----
From: juniper-nsp [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Aaron Dewell
Sent: Monday, March 23, 2015 7:39 PM
To: Nick Schmalenberger
Cc: juniper-nsp@puck.nether.net
Subject: Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?

Have you tried 0/1 and 128/1 instead of 0/0? That's also required for backup-router destination as well, so might solve this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger wrote:

> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clients default route go over their tunnel to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource works for Windows clients 5.1r1.1-b52267, but with Mac Pulse Secure is never able to set up a tunnel and connect.
>>
>> If I put some more specific routes, such as private addresses I use internally and certain public addresses, as remote-protected-resources, the Mac client (5.1r1.1-b52267 again) is able to connect fine and reach all those networks/hosts with the vpn assigned address, or NAT out of the same SRX in the case of the public destinations (what I mostly want to do).
>>
>> Does anyone else have that problem? Is there a known bug with the Mac client? I made a support case with JTAC, and they agreed it was a bug but said I need to call back and make a new case for the Pulse Secure Client instead of SRX.
>>
>> Another issue I had was how to route the vpn clients' assigned private addresses, and give the route to OSPF. I made an aggregate route for them, but it seemed like they weren't contributing to bring it up, so I made a reject route for one of the addresses in the network but not the pool. It worked, but the clients couldn't connect to the SRX itself. Any other suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>>
>> P.S. this post was very helpful in figuring it all out: http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
>
> Juniper finally told me they reproduced this problem with the Mac client, but also that the configuration did NOT work with Windows! They then told me the configuration is not supported at all, but I should try some other vpn client such as VPN Tracker, which I'm planning to do. It would then not use dynamic-vpn at all, but could still use the same xauth access-profile.
>
> Meanwhile, I have also set up a site-to-site tunnel for some of the same usage, and it allows clients to use the remote SRX's DNS proxy where dynamic-vpn clients could not (at least the way I managed to get it to work). So this will have some advantages as well. Thanks for the helpful suggestions!
> -Nick
> ___
> juniper-nsp mailing list
> juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?
Have you tried 0/1 and 128/1 instead of 0/0? That's also required for backup-router destination as well, so might solve this problem too.

On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger n...@schmalenberger.us wrote:

> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my vpn clients default route go over their tunnel to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource works for Windows clients 5.1r1.1-b52267, but with Mac Pulse Secure is never able to set up a tunnel and connect.
>>
>> If I put some more specific routes, such as private addresses I use internally and certain public addresses, as remote-protected-resources, the Mac client (5.1r1.1-b52267 again) is able to connect fine and reach all those networks/hosts with the vpn assigned address, or NAT out of the same SRX in the case of the public destinations (what I mostly want to do).
>>
>> Does anyone else have that problem? Is there a known bug with the Mac client? I made a support case with JTAC, and they agreed it was a bug but said I need to call back and make a new case for the Pulse Secure Client instead of SRX.
>>
>> Another issue I had was how to route the vpn clients' assigned private addresses, and give the route to OSPF. I made an aggregate route for them, but it seemed like they weren't contributing to bring it up, so I made a reject route for one of the addresses in the network but not the pool. It worked, but the clients couldn't connect to the SRX itself. Any other suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>>
>> P.S. this post was very helpful in figuring it all out: http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
>
> Juniper finally told me they reproduced this problem with the Mac client, but also that the configuration did NOT work with Windows! They then told me the configuration is not supported at all, but I should try some other vpn client such as VPN Tracker, which I'm planning to do. It would then not use dynamic-vpn at all, but could still use the same xauth access-profile.
>
> Meanwhile, I have also set up a site-to-site tunnel for some of the same usage, and it allows clients to use the remote SRX's DNS proxy where dynamic-vpn clients could not (at least the way I managed to get it to work). So this will have some advantages as well. Thanks for the helpful suggestions!
> -Nick
Re: [j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?
On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
> I need to have my vpn clients default route go over their tunnel to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource works for Windows clients 5.1r1.1-b52267, but with Mac Pulse Secure is never able to set up a tunnel and connect.
>
> If I put some more specific routes, such as private addresses I use internally and certain public addresses, as remote-protected-resources, the Mac client (5.1r1.1-b52267 again) is able to connect fine and reach all those networks/hosts with the vpn assigned address, or NAT out of the same SRX in the case of the public destinations (what I mostly want to do).
>
> Does anyone else have that problem? Is there a known bug with the Mac client? I made a support case with JTAC, and they agreed it was a bug but said I need to call back and make a new case for the Pulse Secure Client instead of SRX.
>
> Another issue I had was how to route the vpn clients' assigned private addresses, and give the route to OSPF. I made an aggregate route for them, but it seemed like they weren't contributing to bring it up, so I made a reject route for one of the addresses in the network but not the pool. It worked, but the clients couldn't connect to the SRX itself. Any other suggestions? A better action than reject for that? Thanks!
> -Nick Schmalenberger
>
> P.S. this post was very helpful in figuring it all out: http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/

Juniper finally told me they reproduced this problem with the Mac client, but also that the configuration did NOT work with Windows! They then told me the configuration is not supported at all, but I should try some other vpn client such as VPN Tracker, which I'm planning to do. It would then not use dynamic-vpn at all, but could still use the same xauth access-profile.

Meanwhile, I have also set up a site-to-site tunnel for some of the same usage, and it allows clients to use the remote SRX's DNS proxy where dynamic-vpn clients could not (at least the way I managed to get it to work). So this will have some advantages as well. Thanks for the helpful suggestions!
-Nick
[j-nsp] non-split tunneling to SRX dynamic vpn with Pulse Secure client?
I need to have my vpn clients default route go over their tunnel to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource works for Windows clients 5.1r1.1-b52267, but with Mac Pulse Secure is never able to set up a tunnel and connect.

If I put some more specific routes, such as private addresses I use internally and certain public addresses, as remote-protected-resources, the Mac client (5.1r1.1-b52267 again) is able to connect fine and reach all those networks/hosts with the vpn assigned address, or NAT out of the same SRX in the case of the public destinations (what I mostly want to do).

Does anyone else have that problem? Is there a known bug with the Mac client? I made a support case with JTAC, and they agreed it was a bug but said I need to call back and make a new case for the Pulse Secure Client instead of SRX.

Another issue I had was how to route the vpn clients' assigned private addresses, and give the route to OSPF. I made an aggregate route for them, but it seemed like they weren't contributing to bring it up, so I made a reject route for one of the addresses in the network but not the pool. It worked, but the clients couldn't connect to the SRX itself. Any other suggestions? A better action than reject for that? Thanks!
-Nick Schmalenberger

P.S. this post was very helpful in figuring it all out: http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
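The two configuration points raised in this thread, written out as Junos set-style commands. This is an added illustration, not configuration posted by Nick, Aaron or Juniper: the profile, client, pool and policy names (dyn-vpn-profile, remote-users, dyn-vpn, dyn-vpn-pool, ospf-export-vpn-pool), the user name and the 10.100.0.0/24 pool are all assumed values, and the `#` lines are annotations to drop before loading. The first part is Aaron's suggestion of pushing the whole IPv4 space as the two halves 0.0.0.0/1 and 128.0.0.0/1 rather than a single 0.0.0.0/0 remote-protected-resource (the thread does not confirm this resolves the Mac client problem, and Juniper later told Nick the full-tunnel configuration was unsupported). The second part is the aggregate-plus-contributing-route construction Nick describes: a Junos aggregate route is only active while at least one more-specific active route exists under it, so a static route to an address inside the /24 but outside the handed-out range keeps the aggregate up for export to OSPF.

```junos
# --- Part 1: Aaron's suggestion, two half-default protected resources ---
# (assumed names: dyn-vpn-profile, remote-users, dyn-vpn, user nick)
set security dynamic-vpn access-profile dyn-vpn-profile
set security dynamic-vpn clients remote-users ipsec-vpn dyn-vpn
set security dynamic-vpn clients remote-users user nick
# Instead of a single 0.0.0.0/0 entry, cover all of IPv4 with two /1 prefixes
set security dynamic-vpn clients remote-users remote-protected-resources 0.0.0.0/1
set security dynamic-vpn clients remote-users remote-protected-resources 128.0.0.0/1

# --- Address pool handed to clients through the XAuth access profile ---
# (constructed pool 10.100.0.0/24; clients receive 10.100.0.10 - 10.100.0.200)
set access address-assignment pool dyn-vpn-pool family inet network 10.100.0.0/24
set access address-assignment pool dyn-vpn-pool family inet range r1 low 10.100.0.10
set access address-assignment pool dyn-vpn-pool family inet range r1 high 10.100.0.200
set access profile dyn-vpn-profile address-assignment pool dyn-vpn-pool

# --- Part 2: Nick's aggregate for the pool, exported to OSPF ---
# The aggregate only becomes active when a more-specific route under it is
# active. 10.100.0.254 is inside the /24 but outside the assigned range, so
# a static reject route to it keeps the aggregate up regardless of whether
# any client is connected (this is the reject-route workaround Nick describes).
set routing-options aggregate route 10.100.0.0/24
set routing-options static route 10.100.0.254/32 reject
set policy-options policy-statement ospf-export-vpn-pool term vpn-pool from protocol aggregate
set policy-options policy-statement ospf-export-vpn-pool term vpn-pool from route-filter 10.100.0.0/24 exact
set policy-options policy-statement ospf-export-vpn-pool term vpn-pool then accept
set protocols ospf export ospf-export-vpn-pool
```

To check the result after commit, `show route 10.100.0.0/24 exact` should list the aggregate as active with the /32 static as its contributor, and `show security dynamic-vpn users` lists connected clients with their assigned pool addresses. Nick's follow-up observation that clients could no longer reach the SRX itself with this in place is left as he reported it; the example reproduces his configuration, it does not claim to resolve that.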