Even after your last comment I believe in the captive portal theory. Here's why: the captive portal tries to redirect to the login website. Captive portals also do this for https traffic, which could be the explanation for the certificate mismatch errors you see. With such a captive portal often only port 80 and 443 are allowed - at least prior to login. So ... gp is not able to connect to the portal, which it does by default as a first step. If there is a cached gateway, gp continues to connect there. As you set it to prefer ipsec it tries this. If ipsec is blocked in this wifi network, then gp does a fallback to tls - which the captive portal redirects again to the login website. So far about my theory. Obviously I don't know your situation exactly. Did you or one of your users try to connect - without vpn - to your portal website in the browser, or to another website? A good test website in such a case is http://neverssl.com.
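As an added example (not code from the thread), here is a small Python check that implements the test suggested above: fetch http://neverssl.com over plain HTTP without following redirects and classify whether the answer came from the site itself or from an interposed captive portal. The same-domain redirect rule and the "neverssl" page marker are assumptions about how that site responds; the sample responses are constructed, not captured.

```python
"""Captive-portal probe logic (added example, not from the thread)."""
from urllib.parse import urlparse


def classify_probe(status, location, body, expected_domain="neverssl.com"):
    """Classify a plain-HTTP GET result for a site that must never be rewritten.
    status: HTTP status code; location: Location header (or None); body: text."""
    if 300 <= status < 400:
        host = urlparse(location or "").hostname or ""
        if host == expected_domain or host.endswith("." + expected_domain):
            return "open"  # assumption: neverssl.com redirects within its own domain
        return "captive-redirect"  # sent off-domain: classic captive portal behaviour
    if status == 200:
        if "neverssl" in body.lower():  # assumption: the real page names itself
            return "open"
        return "captive-injected"  # 200 but not the expected page: rewritten in transit
    return "unexpected-%d" % status


def probe(url="http://neverssl.com/", timeout=5):
    """Live probe: one plain-HTTP GET, redirects NOT followed. Needs network access."""
    import http.client
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/", headers={"Host": u.hostname})
        resp = conn.getresponse()
        body = resp.read(4096).decode("utf-8", "replace")
        return classify_probe(resp.status, resp.getheader("Location"), body)
    except OSError:
        return "unreachable"  # e.g. port 80 blocked before login
    finally:
        conn.close()


# Constructed sample responses (not captured from a real network)
SAMPLES = {
    "hotspot": (302, "https://hotspot.example.net/login?orig=http://neverssl.com/", ""),
    "neverssl_self": (302, "http://abcd1234.neverssl.com/online", ""),
    "rewritten": (200, None, "<html><body>Please log in to use this WiFi</body></html>"),
    "clean": (200, None, "<html><head><title>NeverSSL - helping you get online</title></head></html>"),
}

if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "->", classify_probe(*sample))
    print("live ->", probe())
```

Run it from the affected wifi before logging in: "captive-redirect" or "captive-injected" for the plain-HTTP probe is the same interception that makes gp's portal and tls fallback connections fail with certificate errors.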