I want to tunnel Cisco IPsec VPN traffic through the ProxySG
By default, the ProxySG ships with a service in the "Bypass Recommended" service group for transparent Cisco IPsec VPN traffic on TCP port 10000.
If you create a TCP tunnel service for this traffic instead, the Cisco client fails to connect to the VPN concentrator. The cause is that the ProxySG splits the client's initial TCP packet into three smaller packets when it forwards it. The problem, in part, is that the VPN concentrator appears to ignore or reject the ISAKMP messages that arrive split across segments in this way, but does not inform the ProxySG of this (it sends neither an error nor a RST). As a result, the ProxySG keeps retransmitting until, eventually, the VPN client times out and sends a RST.
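The mechanism behind this failure is easier to see in a small model. The following script is an added illustration, not code from the article or from Symantec/Blue Coat: it builds a stand-in ISAKMP-style message (real RFC 2408 header layout with the length field at offset 24, but constructed content; Cisco's proprietary TCP encapsulation framing is not modelled), re-segments it the way the article says the ProxySG does, and feeds the result to two hypothetical receivers: one that expects each TCP segment to carry a whole message and silently drops anything else, which is the behaviour the article attributes to the concentrator, and one that reassembles from the byte stream. The receiver names and the 1000-byte sample size are assumptions made for the example.

```python
import struct

# RFC 2408 ISAKMP header: initiator SPI (8) + responder SPI (8) + next payload (1)
# + version (1) + exchange type (1) + flags (1) + message ID (4) + length (4)
ISAKMP_HDR_LEN = 28
LENGTH_OFFSET = 24  # offset of the 32-bit total-length field inside the header


def build_isakmp_like_message(payload_len):
    """Constructed sample: a syntactically valid ISAKMP header followed by
    opaque filler. Not a real IKE exchange and not Cisco's TCP framing."""
    init_spi = b"\x11" * 8
    resp_spi = b"\x00" * 8           # zero responder cookie, as in a first message
    next_payload, version, exch_type, flags = 1, 0x10, 2, 0  # SA payload, v1.0, Identity Protection
    msg_id = 0
    total = ISAKMP_HDR_LEN + payload_len
    header = init_spi + resp_spi + struct.pack(
        "!BBBBII", next_payload, version, exch_type, flags, msg_id, total
    )
    return header + b"\xaa" * payload_len


def resegment(data, parts):
    """Model a proxy that forwards the client's single write as `parts`
    roughly equal TCP segments (the article reports three)."""
    size = -(-len(data) // parts)  # ceiling division
    return [data[i:i + size] for i in range(0, len(data), size)]


def strict_receiver(segments):
    """Hypothetical receiver that requires every segment to be exactly one
    whole ISAKMP message. Mismatches are dropped silently: no RST, no error,
    which is the behaviour the article attributes to the concentrator.
    Returns (accepted, dropped) message counts."""
    accepted, dropped = 0, 0
    for seg in segments:
        if len(seg) >= ISAKMP_HDR_LEN:
            (declared,) = struct.unpack("!I", seg[LENGTH_OFFSET:LENGTH_OFFSET + 4])
            if declared == len(seg):
                accepted += 1
                continue
        dropped += 1
    return accepted, dropped


def reassembling_receiver(segments):
    """Hypothetical receiver that treats TCP as a byte stream: buffer until the
    header's declared length is satisfied, then hand off whole messages.
    Returns the list of complete messages recovered."""
    buf = b""
    messages = []
    for seg in segments:
        buf += seg
        while len(buf) >= ISAKMP_HDR_LEN:
            (declared,) = struct.unpack("!I", buf[LENGTH_OFFSET:LENGTH_OFFSET + 4])
            if declared < ISAKMP_HDR_LEN:
                raise ValueError("corrupt ISAKMP length field")
            if len(buf) < declared:
                break  # wait for more segments
            messages.append(buf[:declared])
            buf = buf[declared:]
    return messages


def simulate(proxy_parts, payload_len=972):
    """Run one client write of 28 + payload_len bytes through a proxy that
    splits it into `proxy_parts` segments and report what each receiver sees."""
    msg = build_isakmp_like_message(payload_len)
    segs = resegment(msg, proxy_parts)
    return {
        "segments": len(segs),
        "strict": strict_receiver(segs),
        "reassembled": len(reassembling_receiver(segs)),
    }


if __name__ == "__main__":
    # Bypassed (no proxy in the path): one segment, one accepted message.
    print("bypass     :", simulate(1))
    # TCP tunnel: the same bytes arrive as three segments; the strict receiver
    # accepts nothing and says nothing, so the sender can only retransmit.
    print("tcp tunnel :", simulate(3))
```

The point of the model is the silent-drop branch in `strict_receiver`: because the message is discarded without any feedback, the proxy's retransmissions cannot help, and only the client's own timeout ends the attempt. Whether the real concentrator is a strict receiver in exactly this sense is not established by the article, which only reports that it appears to ignore or reject the split messages.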
A fix for this issue is not trivial. It would potentially involve manipulating the MSS (maximum segment size), which the ProxySG currently cannot do, as well as modifying the underlying TCP tunnel. As such, the best practice is to bypass Cisco IPsec VPN traffic: leave the port 10000 service in the "Bypass Recommended" group rather than creating a TCP tunnel for it.
Imported Document ID: 000013967