Have you tried 0/1 and 128/1 instead of 0/0? That's also required for the backup-router destination, so it might solve this problem too.
On Mar 23, 2015, at 7:33 PM, Nick Schmalenberger <n...@schmalenberger.us> wrote:

> On Thu, Mar 05, 2015 at 06:29:30PM -0800, Nick Schmalenberger wrote:
>> I need to have my VPN clients' default route go over their tunnel to my SRX. Putting 0.0.0.0/0 as the remote-protected-resource works for Windows clients 5.1r1.1-b52267, but Mac Pulse Secure is never able to set up a tunnel and connect.
>>
>> If I put some more specific routes, such as private addresses I use internally and certain public addresses, as remote-protected-resources, the Mac client (5.1r1.1-b52267 again) is able to connect fine and reach all those networks/hosts with the VPN-assigned address, or NAT out of the same SRX in the case of the public destinations (what I mostly want to do).
>>
>> Does anyone else have that problem? Is there a known bug with the Mac client? I made a support case with JTAC, and they agreed it was a bug but said I need to call back and make a new case for the Pulse Secure Client instead of SRX.
>>
>> Another issue I had was how to route the VPN clients' assigned private addresses, and give the route to OSPF. I made an aggregate route for them, but it seemed like they weren't contributing to bring it up, so I made a reject route for one of the addresses in the network but not the pool. It worked, but the clients couldn't connect to the SRX itself. Any other suggestions? A better action than reject for that? Thanks!
>> -Nick Schmalenberger
>>
>> P.S. this post was very helpful in figuring it all out:
>> http://rtoodtoo.net/2013/10/01/jncie-sec-dynamic-vpn/
>
> Juniper finally told me they reproduced this problem with the Mac client, but also that the configuration did NOT work with Windows! They then told me the configuration is not supported at all, but I should try some other VPN client such as VPN Tracker, which I'm planning to do. It would then not use dynamic-vpn at all, but could still use the same xauth access-profile.
>
> Meanwhile, I have also set up a site-to-site tunnel for some of the same usage, and it allows clients to use the remote SRX's DNS proxy where dynamic-vpn clients could not (at least the way I managed to get it to work). So this will have some advantages as well. Thanks for the helpful suggestions!
> -Nick
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
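The 0/1 + 128/1 trick from the reply above rests on longest-prefix matching: a 0.0.0.0/0 pushed by the VPN ties with the client's own default route, while two /1 routes are strictly more specific and still cover every IPv4 destination. The following is an added example, not code from the thread or from Juniper, that models that lookup with a constructed routing table. The tie-breaking rule (first route wins on equal length) is a simplified assumption for illustration, not a claim about how Pulse Secure or macOS actually resolves it, and the Junos hierarchy named in the comment is assumed, not quoted from the thread.

```python
import ipaddress

# Constructed routing table. The client keeps its own default route toward
# the local gateway; the VPN adds either one 0/0 route or the two /1 routes
# the reply suggests. On Junos these prefixes would be configured as
# "set security dynamic-vpn clients <name> remote-protected-resources <prefix>"
# (assumed hierarchy, shown for orientation only).
LOCAL_DEFAULT = ("0.0.0.0/0", "local-gateway")
FULL_TUNNEL_ROUTE = [("0.0.0.0/0", "tunnel")]
SPLIT_TUNNEL_ROUTES = [("0.0.0.0/1", "tunnel"), ("128.0.0.0/1", "tunnel")]


def build_table(routes):
    """Turn (prefix, next-hop) strings into (IPv4Network, next-hop) pairs."""
    return [(ipaddress.ip_network(prefix), next_hop) for prefix, next_hop in routes]


def lookup(table, dst):
    """Longest-prefix match. On equal prefix length the first route wins,
    a simplifying assumption that models the ambiguity of two 0/0 routes."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


def next_hops(vpn_routes, destinations):
    """Resolve each destination against the local default plus the VPN routes."""
    table = build_table([LOCAL_DEFAULT] + vpn_routes)
    return {dst: lookup(table, dst) for dst in destinations}


def covers_all_ipv4(vpn_routes):
    """True if the tunnel prefixes, merged, equal the whole IPv4 space."""
    nets = [ipaddress.ip_network(p) for p, nh in vpn_routes if nh == "tunnel"]
    return list(ipaddress.collapse_addresses(nets)) == [ipaddress.ip_network("0.0.0.0/0")]


if __name__ == "__main__":
    targets = ["8.8.8.8", "192.0.2.1", "203.0.113.7"]
    print("single 0/0 :", next_hops(FULL_TUNNEL_ROUTE, targets))
    print("0/1 + 128/1:", next_hops(SPLIT_TUNNEL_ROUTES, targets))
    print("split covers all IPv4:", covers_all_ipv4(SPLIT_TUNNEL_ROUTES))
```

With the single 0/0 the tunnel route never beats the pre-existing default under this model, so traffic stays on the local gateway; with 0/1 and 128/1 every destination resolves to the tunnel, and `covers_all_ipv4` confirms no address falls outside the two halves.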