Mac OS X: Dynamic IPsec VPN to SRX210

  • 1.  Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 08-07-2013 09:18

    Hello everyone.

     

    I am writing about an issue that hopefully a Juniper rep can address, or perhaps someone who has had a similar issue and resolved it.

     

    I would like to create a dynamic VPN tunnel from my Mac OS X 10.7.5 to my Juniper SRX210HE (12.1).  I attempted to use Junos Pulse 4.01 (which supports Mac OS X), but I get network errors.  Upon further looking into these errors, I've come across different opinions.  Juniper itself officially states that there currently is no support, nor is there a timeframe for when support will be available.  However, browsing a few different threads here, some people have mentioned 3rd party clients.  As such, I have been trying a variety of 3rd party software to no avail.  My question is if there is a workaround that someone has found, or if Juniper even integrated support at some point, and I'm just not configuring it properly.  Thank you all for your time.

     

    -David



  • 2.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 08-08-2013 15:53

    This happens to be one of those double-edged swords for Juniper.  I don't think there are any supported clients on the Mac OS X side of things, but incidentally the apps that do work appear not to count against your dynamic-vpn license count.  VPN Tracker is my favorite...but it's not cheap.

     

    As far as the SRX side of things goes, the following config works for me:

     

    //Standard DVPN IKE proposal

    root@SRX> show configuration security ike proposal DYNAMIC-IKE-PROPOSAL-1
    authentication-method pre-shared-keys;
    dh-group group2;
    authentication-algorithm sha1;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 28800;

    //IKE policy that references the IKE proposal for DVPN

    //Note: When setting the PSK, do not include quotes unless you want them to be in the PSK

    root@SRX> show configuration security ike policy DYNAMIC-IKE-POLICY-1
    mode aggressive;
    proposals DYNAMIC-IKE-PROPOSAL-1;
    pre-shared-key ascii-text "xxxxxxxxxxxxxxxxxxxxx"; ## SECRET-DATA

    //IKE gateway that references the IKE policy and access-profile for DVPN

    root@SRX> show configuration security ike gateway DYNAMIC-IKE-GATEWAY-1
    ike-policy DYNAMIC-IKE-POLICY-1;
    dynamic {
        hostname yourdomain.net;
        connections-limit 10;
        ike-user-type shared-ike-id;
    }
    dead-peer-detection interval 10;
    external-interface cm-1/0/0.0;
    xauth access-profile DYNAMIC-ACCESS-PROFILE-1;

    //Standard DVPN IPsec proposal

    root@SRX> show configuration security ipsec proposal DYNAMIC-IPSEC-PROPOSAL-1
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-256-cbc;
    lifetime-seconds 3600;

    //IPsec policy that refers back to the IPsec proposal for DVPN

    root@SRX> show configuration security ipsec policy DYNAMIC-IPSEC-POLICY-1        
    perfect-forward-secrecy {
        keys group2;
    }
    proposals DYNAMIC-IPSEC-PROPOSAL-1;

     

    //IPsec gateway that ties together the IPsec policy with the DVPN IKE gateway

    root@SRX> show configuration security ipsec vpn DYNAMIC-IPSEC-VPN-1
    ike {
        gateway DYNAMIC-IKE-GATEWAY-1;
        ipsec-policy DYNAMIC-IPSEC-POLICY-1;
    }

    //Define DVPN client settings as well as users and protected nets

    root@SRX> show configuration security dynamic-vpn
    force-upgrade;
    access-profile DYNAMIC-ACCESS-PROFILE-1;
    clients {
        USER1 {
            remote-protected-resources {
                0.0.0.0/0;
            }
            ipsec-vpn DYNAMIC-IPSEC-VPN-1;
            user {
                user1;
            }
        }
    }

    //Set passwords for DVPN users as well as address-assignment for the DVPN pool

    //Note: Again, watch out for the quotes when doing the password set

    root@SRX> show configuration access profile DYNAMIC-ACCESS-PROFILE-1
    client user1 {
        firewall-user {
            password "xxxxxxxxxxxxxxxxxx"; ## SECRET-DATA
        }
    }
    address-assignment {
        pool DYNAMIC-VPN-POOL-1;
    }

    //This is where the DVPN address-assignment pool is configured.  Keep in mind that these pools are
    //known only to the SRX and will not show up in the routing table or be announced to OSPF neighbors, etc.

    root@SRX> show configuration access address-assignment pool DYNAMIC-VPN-POOL-1
    family inet {
        network 192.168.123.0/24;
        range DYNAMIC-VPN-POOL-1-RANGE-1 {
            low 192.168.123.100;
            high 192.168.123.200;
        }
        xauth-attributes {
            primary-dns 8.8.8.8/32;
        }
    }

    //This policy allows for DVPN users to access the Internet once they are connected

    root@SRX> show configuration security policies from-zone UNTRUST to-zone UNTRUST
    policy UNTRUST-TO-UNTRUST-POLICY-1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit;
        }
    }

    //This allows the tunnel traffic in from the DVPN clients

    root@SRX> show configuration security policies from-zone UNTRUST to-zone TRUST   
    policy UNTRUST-TO-TRUST-POLICY-1 {
        match {
            source-address any;
            destination-address any;
            application any;
        }
        then {
            permit {
                tunnel {
                    ipsec-vpn DYNAMIC-IPSEC-VPN-1;
                }
            }
        }
    }

    //This will allow the DVPN users to NAT out of your Internet connection

    root@SRX> show configuration security nat source rule-set UNTRUST-TO-UNTRUST
    from zone UNTRUST;
    to zone UNTRUST;
    rule UNTRUST-TO-UNTRUST-RULE-1 {
        match {
            source-address 192.168.123.0/24;
        }
        then {
            source-nat {
                interface;
            }
        }
    }

     

    Additional notes:

    Make sure your interface in the UNTRUST security-zone has "ike" in the system-services section.

     

     

    --------------------------------------------------------------------------------------------------------------------------

     

    On VPN Tracker, I use the following:

     

    Connection based on: Custom Device/Configuration Guide

    VPN Gateway: FQDN or IPv4 address of the SRX

    Network Configuration: Mode Config

    Topology: Host to Everywhere

    Remote Networks: All traffic runs across the VPN

    Authentication: Pre-shared key

    Extended Authentication (XAUTH): Always

    Local Identifier: FQDN: yourdomain.net

    Remote Identifier: Remote Endpoint IP Address

    DNS: Use Remote DNS Server (checked)

    DNS: Receive DNS Settings from VPN Gateway (checked)

    Use DNS Server for: All Domains
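Added example, not from this thread or from Juniper: before committing a config like the one above, it helps to verify that the chain of named objects (IKE proposal, policy, gateway, IPsec proposal, policy, VPN, dynamic-vpn client, access profile, address pool) is closed and that the address pool is actually covered by the source-NAT rule. The sample below is a constructed excerpt of the posted sections; the Junos reader is a minimal one written for this snippet.

```python
"""Cross-reference checks for an SRX dynamic-VPN config like the one posted above (added example, not
Juniper tooling): a minimal Junos brace-syntax reader plus two checks worth running before committing."""
import ipaddress
import re

SAMPLE = """security ike proposal DYNAMIC-IKE-PROPOSAL-1 { authentication-method pre-shared-keys; dh-group group2; }
security ike policy DYNAMIC-IKE-POLICY-1 { mode aggressive; proposals DYNAMIC-IKE-PROPOSAL-1; }
security ike gateway DYNAMIC-IKE-GATEWAY-1 { ike-policy DYNAMIC-IKE-POLICY-1; xauth access-profile DYNAMIC-ACCESS-PROFILE-1; }
security ipsec proposal DYNAMIC-IPSEC-PROPOSAL-1 { protocol esp; }
security ipsec policy DYNAMIC-IPSEC-POLICY-1 { proposals DYNAMIC-IPSEC-PROPOSAL-1; }
security ipsec vpn DYNAMIC-IPSEC-VPN-1 { ike { gateway DYNAMIC-IKE-GATEWAY-1; ipsec-policy DYNAMIC-IPSEC-POLICY-1; } }
security dynamic-vpn { access-profile DYNAMIC-ACCESS-PROFILE-1; clients USER1 { ipsec-vpn DYNAMIC-IPSEC-VPN-1; } }
access profile DYNAMIC-ACCESS-PROFILE-1 { address-assignment { pool DYNAMIC-VPN-POOL-1; } }
access address-assignment pool DYNAMIC-VPN-POOL-1 { family inet { network 192.168.123.0/24;
    range R1 { low 192.168.123.100; high 192.168.123.200; } } }
security nat source rule-set UNTRUST-TO-UNTRUST { rule R1 { match { source-address 192.168.123.0/24; } } }
"""  # constructed excerpt of the posted sections, each placed under its `show configuration` path

def parse(text):
    """Flatten Junos brace syntax into leaf statements: one space-joined path per `;`."""
    stack, words, leaves = [], [], []
    for tok in re.findall(r"[{};]|[^\s{};]+", re.sub(r"##.*", "", text)):  # drop `## SECRET-DATA`
        if tok == "{": stack.append(words); words = []
        elif tok == ";": leaves.append(" ".join(sum(stack, []) + words)); words = []
        elif tok == "}": stack.pop()
        else: words.append(tok.strip('"'))
    return leaves

# (scope, reference keyword(s), defining path): the name that follows the keyword(s) must be defined.
REFS = [("security ike policy", "proposals", "security ike proposal"), ("security ike gateway", "ike-policy", "security ike policy"),
        ("security ike gateway", "xauth access-profile", "access profile"), ("security ipsec policy", "proposals", "security ipsec proposal"),
        ("security ipsec vpn", "ike gateway", "security ike gateway"), ("security ipsec vpn", "ike ipsec-policy", "security ipsec policy"),
        ("security dynamic-vpn", "ipsec-vpn", "security ipsec vpn"), ("access profile", "address-assignment pool", "access address-assignment pool")]

def dangling(leaves):
    """Names referenced in one section but defined nowhere; a typo here leaves the tunnel unusable."""
    out = []
    for scope, key, target in REFS:
        names = {l[len(target) + 1:].split()[0] for l in leaves if l.startswith(target + " ")}
        for m in (re.search(rf"(?:^| ){re.escape(key)} (\S+)", l) for l in leaves if l.startswith(scope + " ")):
            if m and m.group(1) not in names:
                out.append(m.group(1))
    return out

def pools_without_nat(leaves):
    """Pool networks no source-NAT rule matches: clients would connect but get no Internet through the SRX."""
    nat = [ipaddress.ip_network(l.split()[-1]) for l in leaves if l.startswith("security nat source") and " source-address " in l]
    nets = [ipaddress.ip_network(l.split()[-1]) for l in leaves if l.startswith("access address-assignment pool") and " network " in l]
    return [str(n) for n in nets if not any(n.subnet_of(r) for r in nat)]
```

Feed it the output of `show configuration` for the relevant hierarchies (the `## SECRET-DATA` markers are stripped); an empty list from both checks means the chain is closed and the pool is NATted.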



  • 3.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 08-08-2013 18:25

    IPSecuritas should work on the Mac (free too): http://www.lobotomo.com/products/IPSecuritas/



  • 4.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 08-10-2013 00:21

    Your experience so far is expected for that situation. Unless a newer version is available, Dynamic VPN is only supported on Windows XP, Vista and 7.

    Maybe this version will help resolve the other issues: 4.0R4



  • 5.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 08-16-2013 12:44

    Just bumping this for future reference.

     

    I was unable to get the configuration above working.  I was in touch with a Juniper sales rep and asked him about the potential of future SRX support.  He acknowledged that Juniper initially planned to support Mac OS X and dynamic VPNs; however, there was not a huge demand, so they never put any resources into developing it.  He also said there are no plans in the foreseeable future to get development going, nor will Juniper recommend any third-party support.  Needless to say, I'm very disappointed.  Thank you all for your time.



  • 6.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 10-22-2013 14:53

    It's this very issue that is going to make us dump all our Juniper equipment out the door; I can't believe it.  Wish I would have known before I bought the stuff.  At least I can look at another vendor going forward.

     

    Even looked at purchasing a MAG series device and then you have to bend over on licensing after we just got our SRX licensed for VPN.  What a joke.



  • 7.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 11-06-2013 17:04

    Bumping this too and hoping that Juniper will fix this ASAP. How can they sell an "enterprise" level device and not support this?

     

    Outrageous. We are thinking about sending all our gear back!



  • 8.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 11-21-2013 11:37

    This has been a thorn in my side since we first deployed our SRX650 back in 2009.  No Mac support was a HUGE oversight 😕  And though I've hoped for a native Juniper client (dynamic) for the Mac, it looks less and less likely as time goes on.

     

    What I have used very successfully is NCP's client, but it isn't cheap either.  Their licensing really grinds my gears too - the license you buy is only good on the machine you install it on.  They give you a one-time transfer to another machine, but after that you have to buy another one of their expensive licenses.  *HULK SMASH*



  • 9.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 11-21-2013 11:45

    I think with the way everything is going with Apple's ever-increasing popularity (and frankly, Windows 8 being such an abomination), Juniper may start considering Mac support at some point.



  • 10.  RE: Mac OS X: Dynamic IPsec VPN to SRX210
    Best Answer

    Posted 03-27-2014 21:58

    Bumping this as dynamic-vpn to branch SRX is now supported in the Pulse client for Mac, version 5.0r3!

     

    Release notes here.



  • 11.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 03-27-2014 22:13

    I am truly happy to hear this, and I am about to read the release notes as soon as I finish my comment. About time Juniper started to listen to customers and less to the people claiming to stop or delay development in a particular area so as to save money. Penny wise and pound foolish. With Mac having a solid stable following, Juniper can and should devote a specific amount of resources to supporting Mac clients. And I think they should also hire a few Linux/Ubuntu/Sushi developers and let them concentrate on building support for those distros. They do not have a great following now, but it is steadily increasing and could be substantially more viable when they realize that big companies like Juniper support those desktops. I mean the debacle with Win 8 does push more people over the edge. By then Juniper would have been way ahead of the competition, instead of always trying to play catch up. And these distros are preferred by many admins to Windows and may get more widely distributed if they know that VPN clients can support them for home/mobile users. Additionally, they are widely used in countries other than the US. Well, time to go read the notes. Thanks for the article.



  • 12.  RE: Mac OS X: Dynamic IPsec VPN to SRX210

    Posted 03-28-2014 08:32

    That's fantastic news.

     

    I think it's smart on Juniper's behalf to shift towards allocating more resources for Mac.  Mac usage has been steadily increasing over the past few years.  Thanks for the update.