10-18-2016 09:38 PM
I am a big supporter of all things Juniper; we run SRXs, EXs, MXs, SAs and MAGs.
I have read a few posts on the forums about creating dial-up VPNs using native clients to establish tunnels to SRX devices serving as VPN servers (dynamic IPsec or otherwise), and it appears that this is just not possible.
It seems that you would need to purchase a Cisco / Fortinet / Checkpoint etc. or just about any other non-Juniper or cheap home router if you wanted to achieve clientless / semi-clientless (i.e. not install pulse or ns-remote etc.) client VPN tunnelling.
This does seem really crazy from Juniper? No clientless SSL, IPsec or L2TP unless you purchase a SA/MAG?
This post is for me to make sure this is true before changing manufacturer. Does anyone know if there is a way to create a working clientless VPN from Windows or Mac clients connecting to the SRX, or is this just not possible?
I believe one issue preventing the SRX clientless tunnels required by Windows is transport mode IPsec as per: https://support.microsoft.com/en-nz/kb/325158 (possible on Cisco ASA, not Juniper SRX).
Secondly, SRXs don't support SSL VPNs, as they would probably step on former SA/MAG series devices.
Hope this is not true!
10-19-2016 01:28 PM - edited 10-19-2016 01:29 PM
That would have been perfect, but unfortunately you cannot create a dynamic VPN using IKEv2. This is not supported on the SRX platform.
10-23-2016 11:20 AM
I agree that remote access VPN is a huge hole in the Juniper security portfolio here. There are serious limits as you outline on the use and also further limits on specific platforms and software versions where this limited set of features run.
I think the SRX team is aware of this as a problem and hope to see the feature set rounded out as the release chains keep coming. You should express your concerns to your Juniper account team so they get the feedback from users on how important these missing features are.
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCDA JNCDS-DC JNCDS-SEC
ACE PanOS 6 ACE PanOS 7
10-24-2016 09:33 AM
And from my point of view, Juniper is focusing more (at least for the right moment) on the networking \ switching \ data centering sections than the security section.
Hope to see solutions and more advanced features supported and fixed in the SRX platform in the next years.
[JNCSP-SEC JNCDA Ingenious Champion]