SRX Services Gateway
Visitor
Posts: 6
Registered: ‎09-19-2010
0 Kudos

Clientless VPN to SRX not possible?

I am a big supporter of all things Juniper; we run SRXs, EXs, MXs, SAs and MAGs.

I have read a few posts on the forums about creating dial-up VPNs using native clients to establish tunnels to SRX devices serving as VPN servers (dynamic IPsec or otherwise), and it appears that this is just not possible.

It seems that you would need to purchase a Cisco / Fortinet / Checkpoint etc., or just about any other non-Juniper or cheap home router, if you wanted to achieve clientless / semi-clientless (i.e. not installing Pulse or ns-remote etc.) client VPN tunnelling.

This does seem really crazy from Juniper? No clientless SSL, IPsec or L2TP unless you purchase a SA/MAG?

This post is for me to make sure this is true before changing manufacturer. Does anyone know if there is a way to create a working clientless VPN from Windows or Mac clients connecting to the SRX, or is this just not possible?

I believe one issue preventing the SRX clientless tunnels required by Windows is transport mode IPsec, as per https://support.microsoft.com/en-nz/kb/325158 (possible on Cisco ASA, not Juniper SRX).

Secondly, SRXs don't support SSL VPNs, as they would probably step on the former SA/MAG series devices.

Hope this is not true!

Dawid

Distinguished Expert
Posts: 648
Registered: ‎06-22-2011
0 Kudos

Re: Clientless VPN to SRX not possible?

You should be able to do an IKEv2 VPN with the native Windows VPN client.

Visitor
Posts: 6
Registered: ‎09-19-2010
0 Kudos

Re: Clientless VPN to SRX not possible?

That would have been perfect, but unfortunately you cannot create a dynamic VPN using IKEv2. This is not supported on the SRX platform.

Distinguished Expert
Posts: 4,770
Registered: ‎03-30-2009
0 Kudos

Re: Clientless VPN to SRX not possible?

I agree that remote access VPN is a huge hole in the Juniper security portfolio here. There are serious limits, as you outline, on the use, and also further limits on the specific platforms and software versions where this limited set of features runs.

I think the SRX team is aware of this as a problem and hope to see the feature set rounded out as the release chains keep coming. You should express your concerns to your Juniper account team so they get the feedback from users on how important these missing features are.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home
Recognized Expert
Posts: 569
Registered: ‎05-28-2015
0 Kudos

Re: Clientless VPN to SRX not possible?

I also agree with spuluka in this section.
And from my point of view, Juniper is focusing more (at least for the right moment) on the networking \ switching \ data centering sections than on the security section.
I hope to see solutions and more advanced features supported and fixed in the SRX platform in the next years.
Regards,
A'bed AL-R.
[JNCSP-SEC Ingenious Champion]
https://srxtech.wordpress.com
Visitor
Posts: 6
Registered: ‎09-19-2010
0 Kudos

Re: Clientless VPN to SRX not possible?

Thanks for the feedback, I also believe this is a big hole in the product line.

I will have to wait and see if they perhaps address this at some point.

Dawid