During an IT security audit this week, I had the chance to test the Cisco AnyConnect VPN client from a VPN-hostile network. The bank has implemented multiple layers of Internet filtering, including web content filtering, outbound port filtering, and inbound IP address/port filtering. As expected, the old Cisco IPsec VPN client could not connect. The AnyConnect client, however, connected on the first try without my having to ask the bank to modify any of its access controls.
FYI, the AnyConnect client dynamically determines whether it can also use a Datagram Transport Layer Security (DTLS) tunnel over UDP in addition to the SSL tunnel. If the DTLS tunnel connects and is “healthy”, the client will use both the SSL and DTLS tunnels to transmit data. If the DTLS tunnel cannot connect or is unreliable, the client will dynamically switch to using only the SSL tunnel. You can read more about it on Cisco’s AnyConnect FAQ page.
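As an added example (not from the original post or from Cisco), here is the network-side view of that fallback: given firewall connection logs, it infers per client whether both the SSL and DTLS tunnels could be established or whether UDP filtering forced a TLS-only session, which is how an administrator would confirm that an egress filter is quietly degrading AnyConnect to SSL-only. The key=value log format, the sample lines, and the assumption that DTLS uses the same port as the SSL tunnel (443, AnyConnect's default) are all assumptions made for this example.

```python
"""Infer AnyConnect tunnel mode (SSL-only vs SSL+DTLS) from firewall logs."""
import re
from collections import defaultdict

# Constructed sample log lines (assumed key=value format, not from a real device).
SAMPLE_LOG = """\
proto=TCP src=10.1.2.30 dst=203.0.113.10 dport=443 action=ALLOW
proto=UDP src=10.1.2.30 dst=203.0.113.10 dport=443 action=DENY
proto=UDP src=10.1.2.30 dst=203.0.113.10 dport=443 action=DENY
proto=TCP src=10.1.2.31 dst=203.0.113.10 dport=443 action=ALLOW
proto=UDP src=10.1.2.31 dst=203.0.113.10 dport=443 action=ALLOW
proto=TCP src=10.1.2.33 dst=203.0.113.10 dport=443 action=ALLOW
proto=TCP src=10.1.2.32 dst=198.51.100.7 dport=80 action=ALLOW
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            yield rec

def classify_sessions(log_text, vpn_port=443):
    """Map (client, headend) -> tunnel mode seen at the firewall.

    'tls+dtls'               TCP and UDP to vpn_port both allowed: both tunnels usable
    'tls-only (dtls blocked)' TCP allowed, UDP denied: client fell back to the SSL tunnel
    'tls-only'               TCP allowed, no UDP attempt seen at all
    Assumes DTLS shares vpn_port with the SSL tunnel (AnyConnect default 443).
    """
    seen = defaultdict(lambda: {"tcp": False, "udp_ok": False, "udp_denied": 0})
    for rec in parse(log_text):
        if rec["dport"] != vpn_port:
            continue                      # unrelated traffic, e.g. plain web browsing
        s = seen[(rec["src"], rec["dst"])]
        if rec["proto"] == "TCP" and rec["action"] == "ALLOW":
            s["tcp"] = True
        elif rec["proto"] == "UDP":
            if rec["action"] == "ALLOW":
                s["udp_ok"] = True
            else:
                s["udp_denied"] += 1
    result = {}
    for key, s in seen.items():
        if not s["tcp"]:
            continue                      # no SSL tunnel: not an AnyConnect session
        if s["udp_ok"]:
            result[key] = "tls+dtls"
        else:
            result[key] = "tls-only (dtls blocked)" if s["udp_denied"] else "tls-only"
    return result
```

Run against a real export, repeated "tls-only (dtls blocked)" results for many clients point at an outbound UDP filter rather than at the headend.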