Netgate Discussion Forum

Does pfsense support Cisco VPN Client using IPSEC over TCP (port 10000)??

AaronWalker (Sep 22, 2015, 5:20 PM)

Am attempting to connect via an IPsec VPN to a pfSense server (Release 2.2).

The Cisco VPN client works fine with "IPSEC over UDP", but when "IPSEC over TCP" is selected I can see (via packet capture) that the TCP SYN packets are arriving at the pfSense server but are being ignored…?
All firewall rules seem to be correct.

Am puzzled and not sure if it is even supported?

Thanks in advance.

MrMoo (Sep 22, 2015, 6:31 PM)

No, IKE (and ESP) over TCP is not supported by strongSwan. Given the issues IPsec-over-TCP has, and that the IETF defines a mechanism for IKEv2 fragmentation, it is unlikely that this ever gets implemented in strongSwan. We support IKE fragmentation for both IKEv1 and IKEv2 now, which is IMO the better choice.

Regards
Martin

https://wiki.strongswan.org/issues/830

cmb (Sep 22, 2015, 6:47 PM)

That's generally not something you'll find outside of Cisco devices. It's not good to tunnel over TCP anyway; stick with UDP.

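The symptom described in the first post (TCP SYNs to port 10000 reaching the firewall but never being answered, while the UDP path works) and the explanation in the second (strongSwan only speaks IKE over UDP/500 and NAT-T over UDP/4500, never Cisco's IPsec-over-TCP) can both be checked directly from a packet capture. The script below is an added example, not code from the thread or from the pfSense or strongSwan projects: it parses tcpdump-style text lines, groups packets by transport and server port, and reports which client flows the server ever replied to. The capture lines, the addresses 203.0.113.10 and 198.51.100.1, and the helper names `parse_line`, `triage` and `unsupported_tcp_attempts` are constructed for this example.

```python
import re
from collections import defaultdict

# Constructed tcpdump-style sample (not from the original post). It models a Cisco
# VPN Client first trying "IPsec over TCP" (three unanswered SYNs to TCP/10000) and
# then "IPsec over UDP" (IKE on UDP/500, NAT-T IKE and ESP on UDP/4500).
SAMPLE_CAPTURE = """\
10:15:01.000001 IP 203.0.113.10.51234 > 198.51.100.1.10000: Flags [S], seq 1, win 64240, length 0
10:15:02.000002 IP 203.0.113.10.51234 > 198.51.100.1.10000: Flags [S], seq 1, win 64240, length 0
10:15:04.000003 IP 203.0.113.10.51234 > 198.51.100.1.10000: Flags [S], seq 1, win 64240, length 0
10:15:10.000004 IP 203.0.113.10.500 > 198.51.100.1.500: isakmp: phase 1 I agg
10:15:10.010005 IP 198.51.100.1.500 > 203.0.113.10.500: isakmp: phase 1 R agg
10:15:10.020006 IP 203.0.113.10.4500 > 198.51.100.1.4500: NONESP-encap: isakmp: phase 2/others I #6[E]
10:15:10.030007 IP 198.51.100.1.4500 > 203.0.113.10.4500: NONESP-encap: isakmp: phase 2/others R #6[E]
10:15:11.000008 IP 203.0.113.10.4500 > 198.51.100.1.4500: UDP-encap: ESP(spi=0x0000abcd,seq=0x1), length 132
"""

# One tcpdump summary line: timestamp, src.port > dst.port: decoded payload
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<info>.*)$"
)

# Labels by (transport, server port). Only the UDP entries are services that
# strongSwan (the IPsec daemon pfSense uses) actually implements.
SERVICES = {
    ("udp", 500): "IKE (UDP/500)",
    ("udp", 4500): "NAT-T: IKE and UDP-encapsulated ESP (UDP/4500)",
    ("tcp", 10000): "Cisco IPsec over TCP (TCP/10000) - not implemented by strongSwan",
}


def parse_line(line):
    """Parse one tcpdump line into a dict, or return None for unrecognised text."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    # tcpdump prints "Flags [..]" for TCP segments; IKE, NAT-T and ESP show as UDP decodes.
    rec["proto"] = "tcp" if rec["info"].startswith("Flags [") else "udp"
    return rec


def triage(capture_text, server_ip):
    """Group packets by (transport, server port) and note whether the server ever answered."""
    stats = defaultdict(lambda: {"client_packets": 0, "server_replies": 0})
    for line in capture_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["dst"] == server_ip:            # client -> firewall
            stats[(rec["proto"], rec["dport"])]["client_packets"] += 1
        elif rec["src"] == server_ip:          # firewall -> client
            stats[(rec["proto"], rec["sport"])]["server_replies"] += 1
    report = {}
    for (proto, port), counts in stats.items():
        report[(proto, port)] = {
            "service": SERVICES.get((proto, port), f"unknown {proto}/{port}"),
            "client_packets": counts["client_packets"],
            "server_replies": counts["server_replies"],
            "status": "answered" if counts["server_replies"] else "unanswered",
        }
    return report


def unsupported_tcp_attempts(report):
    """TCP server ports the client tried that got no reply at all (the OP's symptom)."""
    return sorted(port for (proto, port), r in report.items()
                  if proto == "tcp" and r["status"] == "unanswered")


if __name__ == "__main__":
    rep = triage(SAMPLE_CAPTURE, "198.51.100.1")
    for (proto, port), r in sorted(rep.items()):
        print(f"{proto}/{port:<5} {r['status']:<10} client={r['client_packets']} "
              f"replies={r['server_replies']}  {r['service']}")
    print("unanswered TCP ports:", unsupported_tcp_attempts(rep))
```

Run against a real capture by feeding `tcpdump -n -i <wan> host <client>` output into `triage` with the firewall's WAN address: a TCP/10000 entry with client packets but zero replies, next to answered UDP/500 and UDP/4500 entries, is exactly the "SYNs arrive but are ignored" picture from the first post, and confirms the client profile should be switched to the UDP transport rather than the firewall rules being wrong.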
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.