Wireshark mailing list archives

Re: Sniffing the WAN side of a VPN


From: "Sheahan, John" <John.Sheahan () priceline com>
Date: Fri, 30 Apr 2010 14:49:37 -0400

Traffic going over your VPN through the Internet is encrypted and encapsulated in the ESP protocol on your Cisco router and is routed with all other Internet traffic.
Since the IP address you are coming from (172.20.29.x) is an RFC 1918 address, it cannot be routed on the Internet by itself without being either NATed or encapsulated. In your case, the ESP encapsulation will use the registered IP address of your router as the source address and the peer address of the other end of the VPN as its destination IP address.

If you sniff the traffic coming and going from your Cisco router out to the Internet, you will see this encrypted traffic in the ESP packets.

john

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Jeff Bruns
Sent: Friday, April 30, 2010 1:08 PM
To: Community support list for Wireshark
Subject: [Wireshark-users] Sniffing the WAN side of a VPN

We are part of a mid-sized VPN, one of several dozen physical locations scattered across the Washington, DC metropolitan area. Each site is part of a VPN provided by Comcast and has an address schema of 172.20.x.x/28. The incoming Internet connection is from a coax cable to a Comcast cable modem. From the modem, an Ethernet cable connects to a Cisco 2800 series router. Network devices are then connected to the various ports on the Cisco box.

My question is related to the visible traffic between the Comcast modem and the router. Specifically, I'm wondering whether, since we're part of a VPN, sniffing the connection between the modem and the router would allow us to see traffic which may be destined to other sites within our VPN.

For example, let's say the gateway address on our local network is 172.20.28.129. The next site's gateway address would be 172.20.29.129, the next 172.20.30.129, and so on. If I sniff between the modem and the router, would I be able to see traffic heading to the other various private gateways within my VPN?

My knowledge of VPN networking is relatively slim, so the answer may hold no relevance to Wireshark. I understand that a VPN is provided by your ISP, so I suppose it may vary depending on the ISP. I wonder just how isolated a VPN is amongst the rest of the Internet. Does only traffic belonging to, or originating from, the VPN get routed to the cable modem, and from there filtered by the router according to destination address? Or could traffic be routed at a higher level somewhere within the ISP, routing only traffic destined for my local network (172.20.28.129/28) to the modem and thus the router?

Thanks for the help.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
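To make John's point concrete, here is an added example (not part of the thread or of Wireshark itself) that builds a constructed IPv4+ESP packet as it would appear on the modem-to-router link and parses the fields a WAN-side capture can actually read. The tunnel endpoint addresses, SPI, and payload bytes are all constructed placeholders; the payload stands in for the encrypted inner 172.20.x.x packet and is not real ciphertext.

```python
import struct
import ipaddress

IPPROTO_ESP = 50

# Constructed stand-in for the ESP payload. In a real capture this is the
# encrypted inner IP packet (172.20.x.x headers included) plus the ESP
# trailer and ICV, so its bytes are opaque to anyone without the SA keys.
CIPHERTEXT = bytes((i * 37 + 11) & 0xFF for i in range(48))

def build_esp_packet(src, dst, spi, seq, payload):
    """Build an IPv4 header (no options, checksum left zero) plus ESP header.
    src/dst are the public tunnel endpoints (constructed TEST-NET addresses)."""
    total_len = 20 + 8 + len(payload)
    ip_hdr = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, total_len, 0x1234, 0x4000, 64, IPPROTO_ESP, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    esp_hdr = struct.pack("!II", spi, seq)  # SPI and sequence number are cleartext
    return ip_hdr + esp_hdr + payload

def parse_outer(pkt):
    """Return everything a sniffer between modem and router can read."""
    fields = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (fields[0] & 0x0F) * 4
    info = {
        "src": str(ipaddress.IPv4Address(fields[8])),
        "dst": str(ipaddress.IPv4Address(fields[9])),
        "proto": fields[6],
    }
    if info["proto"] == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])
        info.update(spi=spi, seq=seq, esp_payload_len=fields[2] - ihl - 8)
    return info

def matches_ip_filter(pkt, cidr):
    """Emulate the Wireshark display filter `ip.addr == <cidr>` on the outer
    header, which is the only IP header the dissector can test for ESP traffic."""
    net = ipaddress.IPv4Network(cidr)
    info = parse_outer(pkt)
    return any(ipaddress.IPv4Address(a) in net for a in (info["src"], info["dst"]))

if __name__ == "__main__":
    pkt = build_esp_packet("203.0.113.10", "198.51.100.20", 0xABCD, 7, CIPHERTEXT)
    print(parse_outer(pkt))
    # The other site's private gateway never appears in the outer header:
    print(matches_ip_filter(pkt, "172.20.29.0/24"))  # False
```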
