SRX Services Gateway

Clientless VPN to SRX not possible?

‎10-18-2016 09:38 PM

I am a big supporter of all things Juniper; we run SRXs, EXs, MXs, SAs and MAGs.

I have read a few posts on the forums about creating dial-up VPNs using native clients to establish tunnels to SRX devices serving as VPN servers (Dynamic IPsec or otherwise), and it appears that this is just not possible.

It seems that you would need to purchase a Cisco / Fortinet / Checkpoint etc. or just about any other non-Juniper or cheap home router if you wanted to achieve clientless / semi-clientless (i.e. not installing Pulse or NS-Remote etc.) client VPN tunnelling.

This does seem really crazy from Juniper? No clientless SSL, IPsec or L2TP unless you purchase a SA/MAG?

This post is for me to make sure this is true before changing manufacturer. Does anyone know if there is a way to create a working clientless VPN from Windows or Mac clients connecting to the SRX, or is this just not possible?

I believe one issue preventing the SRX clientless tunnels required by Windows is transport mode IPsec, as per https://support.microsoft.com/en-nz/kb/325158: possible on Cisco ASA, not Juniper SRX.

Secondly, SRXs don't support SSL VPNs, as they would probably step on the former SA/MAG series devices.

Hope this is not true!

Dawid

5 REPLIES

Re: Clientless VPN to SRX not possible?

‎10-19-2016 09:17 AM

You should be able to do an IKEv2 VPN with the native Windows VPN client.


Re: Clientless VPN to SRX not possible?

‎10-19-2016 01:28 PM

That would have been perfect, but unfortunately you cannot create a dynamic VPN using IKEv2. This is not supported on the SRX platform.


Re: Clientless VPN to SRX not possible?

‎10-23-2016 11:20 AM

I agree that remote access VPN is a huge hole in the Juniper security portfolio here. There are serious limits, as you outline, on the use and also further limits on specific platforms and software versions where this limited set of features runs.

I think the SRX team is aware of this as a problem and hope to see the feature set rounded out as the release chains keep coming. You should express your concerns to your Juniper account team so they get the feedback from users on how important these missing features are.

Steve Puluka BSEET
Juniper Ambassador
Senior IP Engineer - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
JNCIA-Junos JNCIS-SEC JNCIP-SEC JNCSP-SEC
JNCIS-FWV
JNCDA JNCDS-DC JNCDS-SEC
JNCIS-SP
ACE PanOS 6 ACE PanOS 7
http://puluka.com/home

Re: Clientless VPN to SRX not possible?

‎10-24-2016 09:33 AM
I also agree with spuluka in this section.
And from my point of view, Juniper is focusing more (at least for the moment) on the networking \ switching \ data center sections than on the security section.
Hope to see solutions and more advanced features supported and fixed in the SRX platform in the next years.
Regards,
A'bed AL-R.
[JNCSP-SEC JNCDA JNCIS-ENT Ingenious Champion|Sec]
https://srxtech.wordpress.com

Re: Clientless VPN to SRX not possible?

‎10-24-2016 01:11 PM

Thanks for the feedback; I also believe this is a big hole in the product line.

I will have to wait and see if they perhaps address this at some point.

Dawid