The ProxySG, with Cisco IPsec VPN using TCP transport, fails to connect via TCP tunnel

Article ID: 166995

Products

ProxySG Software - SGOS

Issue/Introduction

I want to tunnel Cisco IPsec VPN traffic through the ProxySG

Resolution

By default the ProxySG has a service in the "Bypass Recommended" group for transparent Cisco IPsec VPN on port 10000.

If you try to create a TCP tunnel for this traffic, you will find that the Cisco client fails to connect to the VPN concentrator. This happens because the ProxySG splits the initial TCP packet from the client into three smaller packets. The problem, in part, is that the VPN concentrator appears to ignore or reject the truncated ISAKMP packets without informing the ProxySG of this fact. As a result, the ProxySG keeps retransmitting until the VPN client eventually times out and sends a RST.

A fix for this issue is not trivial. It would potentially involve manipulating the MSS (Maximum Segment Size), which is currently not possible, and modifying the underlying TCP tunnel. As such, the best practice is to bypass Cisco IPsec VPN traffic.
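To confirm from a packet capture that a failing connection matches the pattern described above (initial client payload split into several segments, no acknowledgement of any payload from the concentrator, repeated retransmissions, then a client RST), the following added Python example walks a simplified list of captured TCP segments and reports each of those findings. It is not part of this article or of SGOS; the `Segment` record, the `analyze_tunnel` function, the source labels (`proxy`, `vpn`, `client`) and the 536-byte segment sizes in the sample capture are all constructed for illustration, and the sample merges the client-side RST into the same list as the proxy-to-concentrator leg for simplicity.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One captured TCP segment (constructed record, not a real pcap format)."""
    t: float       # capture timestamp in seconds
    src: str       # "proxy" (ProxySG towards concentrator), "vpn" (concentrator), "client"
    seq: int       # relative sequence number
    ack: int       # relative acknowledgement number
    length: int    # payload bytes
    flags: str     # TCP flags, e.g. "S", "SA", "A", "PA", "R"


def analyze_tunnel(segments):
    """Return findings for one tunnelled connection, ordered as captured.

    Checks the four symptoms described in the article:
      * the proxy's initial payload arrives as more than one segment,
      * the concentrator never acknowledges any payload bytes,
      * the proxy retransmits (same data sequence number seen again),
      * a RST is seen from the client.
    """
    proxy_data = [s for s in segments if s.src == "proxy" and s.length > 0]
    findings = {
        "initial_segments": 0,
        "split_initial_payload": False,
        "server_acked_payload": False,
        "retransmissions": 0,
        "reset_seen": any("R" in s.flags for s in segments if s.src == "client"),
        "matches_kb": False,
    }
    if not proxy_data:
        return findings

    first_seq = proxy_data[0].seq
    expected = first_seq      # next sequence number continuing the initial burst
    seen = set()
    burst = []
    for s in proxy_data:
        if s.seq in seen:     # data we already sent: a retransmission
            findings["retransmissions"] += 1
            continue
        seen.add(s.seq)
        if s.seq == expected: # contiguous with the initial burst
            burst.append(s)
            expected += s.length

    findings["initial_segments"] = len(burst)
    findings["split_initial_payload"] = len(burst) > 1

    # Highest ACK from the concentrator; anything above first_seq means it accepted payload.
    highest_ack = max((s.ack for s in segments if s.src == "vpn"), default=0)
    findings["server_acked_payload"] = highest_ack > first_seq

    findings["matches_kb"] = (
        findings["split_initial_payload"]
        and not findings["server_acked_payload"]
        and findings["retransmissions"] > 0
        and findings["reset_seen"]
    )
    return findings


# Constructed capture reproducing the failure described in the article.
FAILING = [
    Segment(0.000, "proxy", 0, 0, 0, "S"),
    Segment(0.020, "vpn", 0, 1, 0, "SA"),
    Segment(0.021, "proxy", 1, 1, 0, "A"),
    Segment(0.022, "proxy", 1, 1, 536, "PA"),      # initial ISAKMP payload, part 1 of 3
    Segment(0.022, "proxy", 537, 1, 536, "PA"),    # part 2 of 3
    Segment(0.022, "proxy", 1073, 1, 200, "PA"),   # part 3 of 3
    Segment(0.250, "proxy", 1, 1, 536, "PA"),      # retransmission, no ACK from concentrator
    Segment(0.700, "proxy", 1, 1, 536, "PA"),
    Segment(1.600, "proxy", 1, 1, 536, "PA"),
    Segment(30.000, "client", 0, 0, 0, "R"),       # client gives up
]

# Constructed capture of a healthy exchange for contrast (single segment, acknowledged).
HEALTHY = [
    Segment(0.000, "proxy", 0, 0, 0, "S"),
    Segment(0.020, "vpn", 0, 1, 0, "SA"),
    Segment(0.021, "proxy", 1, 1, 0, "A"),
    Segment(0.022, "proxy", 1, 1, 300, "PA"),
    Segment(0.040, "vpn", 1, 301, 0, "A"),
    Segment(0.041, "vpn", 1, 301, 280, "PA"),
]


if __name__ == "__main__":
    for name, capture in (("failing", FAILING), ("healthy", HEALTHY)):
        print(name, analyze_tunnel(capture))
```

A result with `matches_kb` set to `True` is the signature of the article's case: the right remedy is to keep the traffic in the "Bypass Recommended" service rather than a TCP tunnel.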