Wireshark mailing list archives

Re: Sniffing the WAN side of a VPN


From: Hobbe <my1listmail () gmail com>
Date: Mon, 3 May 2010 21:53:32 +0200

Well, actually it's like this.
There are many different types of VPN tunnels.
Different tunnels have different purposes.
Since it is a Cisco router, my best guess would be that it runs an IPsec tunnel.
There are 2 different types of IPsec.
One to make sure that no one messes with the packet, that basically
just adds a checksum to make sure that the packet arrives untampered
with. This is basically for the CPU-weak appliances that do not need
the secrecy and only need to know that it is unaltered. This type can
still be read and the information seen with Wireshark.
The other type of IPsec tunnel hides all the information within an
encrypted envelope that holds all the information on what type of
packet it is and its destination, source, content and so on.
This is what is normally used today, and this type only shows you the
next hop in the VPN tunnel, i.e. the endpoints.
So basically, if it is set up "safe and correctly" then you should only
see the endpoints.
That said, there are things that one can find out even if all the
information is encrypted.

Good luck

HTH
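As an added illustration of the AH-versus-ESP distinction described in the reply above (example code, not part of the thread): a small Python dissector run over two constructed raw IPv4 packets shows that a tunnel-mode AH packet leaves the inner IP header readable on the WAN link, while an ESP packet exposes only the outer peer addresses, the SPI and the sequence number. The addresses, SPI values and the 12-byte ICV length are assumptions chosen for the sample.

```python
import socket
import struct

IPPROTO_IPIP, IPPROTO_ESP, IPPROTO_AH = 4, 50, 51


def ipv4_header(proto, src, dst, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) from a raw IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def dissect_ipsec(pkt):
    """Return what an observer on the WAN link can recover from one IPsec packet."""
    proto, src, dst, body = parse_ipv4(pkt)
    info = {"outer_src": src, "outer_dst": dst}
    if proto == IPPROTO_AH:
        # AH header: next header, payload length (32-bit words minus 2), reserved, SPI, seq, ICV
        next_hdr, plen = body[0], body[1]
        info.update(mode="AH", spi=struct.unpack("!I", body[4:8])[0], inner_readable=True)
        inner = body[(plen + 2) * 4:]
        if next_hdr == IPPROTO_IPIP:  # tunnel mode: the inner IP header is in the clear
            _, isrc, idst, _ = parse_ipv4(inner)
            info.update(inner_src=isrc, inner_dst=idst)
    elif proto == IPPROTO_ESP:
        # ESP: only SPI and sequence number are in the clear; everything after is ciphertext
        spi, seq = struct.unpack("!II", body[:8])
        info.update(mode="ESP", spi=spi, seq=seq, inner_readable=False)
    return info


# Constructed samples: one tunnel-mode AH packet and one ESP packet between two VPN peers.
# Public and private addresses below are placeholders chosen for this example.
INNER = ipv4_header(6, "172.20.28.10", "172.20.29.10", 0)  # inner IP header, TCP next
AH_HDR = struct.pack("!BBHII", IPPROTO_IPIP, 4, 0, 0x1001, 7) + b"\x00" * 12  # 12-byte ICV
AH_PKT = ipv4_header(IPPROTO_AH, "198.51.100.1", "203.0.113.1",
                     len(AH_HDR) + len(INNER)) + AH_HDR + INNER
ESP_BODY = struct.pack("!II", 0x2002, 9) + bytes(range(32))  # SPI, seq, opaque ciphertext
ESP_PKT = ipv4_header(IPPROTO_ESP, "198.51.100.1", "203.0.113.1", len(ESP_BODY)) + ESP_BODY

if __name__ == "__main__":
    for name, pkt in (("AH", AH_PKT), ("ESP", ESP_PKT)):
        print(name, dissect_ipsec(pkt))
```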




On Sat, May 1, 2010 at 1:25 AM, Martin Visser <martinvisser99 () gmail com> wrote:
What your ISP has set up will determine what you see. As
John said, your router may be using ESP. However, with a carrier or
provider VPN the encapsulation might all be hidden from you in
their network core. If you can't get to the router configuration, then
put in a manageable switch between router and modem and use port
mirroring to Wireshark to see the traffic.

On 5/1/10, Sheahan, John <John.Sheahan () priceline com> wrote:
Traffic going over your VPN through the Internet is encrypted and
encapsulated in the ESP protocol on your Cisco router and is routed with all
other Internet traffic.
Since the IP address you are coming from (172.20.29.x) is an RFC 1918
address, it cannot be routed on the Internet by itself without being either
NATed or encapsulated. In your case, the ESP encapsulation will use the
registered IP address of your router as the source address and the peer
address of the other end of the VPN as its destination IP address.

If you sniff the traffic coming and going from your Cisco router out to the
internet, you will see this encrypted traffic in the ESP packets.

john

From: wireshark-users-bounces () wireshark org
[mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeff Bruns
Sent: Friday, April 30, 2010 1:08 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] Sniffing the WAN side of a VPN

We are part of a mid-sized VPN, one of several dozen physical locations
scattered across the Washington, DC metropolitan area. Each site is part of
a VPN provided by Comcast and has an address schema of 172.20.x.x/28. The
incoming internet connection is from a coax cable to a Comcast cable modem.
From the modem, an ethernet cable connects to a Cisco 2800 series router.
Network devices are then connected to the various ports on the Cisco box.

My question is related to the visible traffic between the Comcast modem and
the router. Specifically, I'm wondering whether, since we're part of a VPN,
sniffing the connection between the modem and the router would allow us to
see traffic which may be destined to other sites within our VPN.

For example, let's say the gateway address on our local network is
172.20.28.129. The next site's gateway address would be 172.20.29.129, the
next 172.20.30.129 and so on. If I sniff between the modem and the router,
would I be able to see traffic heading to the other various private gateways
within my VPN?

My knowledge of VPN networking is relatively slim, so the answer may hold no
relevance to Wireshark. I understand that a VPN is provided by your ISP, so
I suppose it may vary depending on ISP. I wonder just how isolated a VPN is
amongst the rest of the Internet. Does only traffic belonging to, or
originating from, the VPN get routed to the cable modem, and from there
filtered by the router according to destination address? Or could traffic be
routed at a higher level somewhere within the ISP, routing only traffic
destined for my local network (172.20.28.129/28) to
the modem and thus the router?

Thanks for the help.



--
Regards, Martin

MartinVisser99 () gmail com
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request () wireshark org?subject=unsubscribe
