I've recently deployed some 5508 WLC's for internal use, 1 4402 WLC as a guest anchor controller (on DMZ) and a WCS server. I'm having some difficulty getting a VPN connection to work over a guest SSID. I've setup the guest SSID according to the Cisco config guides (for both internal and external WLCs). For layer 3 security on that SSID it is set to "Web Policy" with "Pass Through" and email input. Normal internet access works just fine, but VPNs don't seem to work over it. Is there something that I'm missing in setup that would prevent them from working?