Solved

VPNdata_Tunnell

Posted on 2010-11-29
498 Views
Last Modified: 2012-06-27
Can someone briefly explain how a VPN works technically?

If I have a Checkpoint client with a private IP that goes through a Checkpoint firewall in Building A to a VPN gateway in another city, to another database server.

Where are the points the tunnel is created for? Does the IP address change with outgoing and incoming traffic? Can network monitoring tools see the traffic? What protocols are being used?
Question by:sam15
9 Comments
 
LVL 68

Expert Comment

by:Qlemo
ID: 34237018
Tunnels are always built between two endpoints. One of the endpoints is the VPN client or device, the other is a VPN device (or VPN server software). The VPN client addresses the VPN gateway (as visible in its config). Between these endpoints all traffic is encrypted. The VPN gateway on the other site decrypts and encrypts as a kind of proxy, so that all traffic of the LAN behind it is unencrypted.
As a consequence, only the VPN tunnel partners know of the public IPs; anything else knows only of the private IPs.
The payload representing the secured traffic is not changed by the VPN. The VPN just wraps another packet around the (encrypted) payload, so it can pass securely over a public infrastructure.
In public, your traffic can be seen, but not read. The encrypted payload is just something completely strange to any stranger. Only the VPN endpoints know how to encrypt and decrypt, and the keys are changed from time to time automatically.
If you monitor the traffic after the VPN endpoint device, you'll see the decrypted payload - no privacy there.
The protocols used for a CheckPoint VPN are IP, UDP, ISAKMP and IPSec.
 

Author Comment

by:sam15
ID: 34238639
But is the tunnel between my PC with the private IP, or the company firewall machine which I go through?

My understanding is that private IP is not transmitted to the public internet.

If the tunnel is direct between my machine and the remote VPN gateway then traffic should bypass our company firewall, but I doubt it.
 
LVL 68

Expert Comment

by:Qlemo
ID: 34239747
It is something in-between. Your client and the VPN gateway are the only ones who know of all the required stuff for the VPN. Anything else is either forwarding unencrypted traffic (remote: VPN gateway to internal DB server), or forwarding encrypted traffic (your corporate firewall and all routers in front of the remote VPN gateway). For your corporate firewall that VPN traffic is just like Web access - you having a private IP, which is translated to a public IP (of the firewall), and the target having a public IP.

Your VPN traffic is bypassing the corporate firewall in the regard that it cannot see the contents. But of course the firewall is the device routing traffic from and to the Internet.
 

Author Comment

by:sam15
ID: 34243817
Let us say I connect to the VPN gateway.

Now I send a request from my PC to the remote DB server.

Can you explain how the packets really flow, what IPs go with the packet, and how the response comes back?
 
LVL 68

Accepted Solution

by: Qlemo (earned 500 total points)
ID: 34244006
Example flow graph, with
PC = 10.10.10.1
VPN Client virtual IP (assigned by gateway) = 192.168.1.1
Local Internet Router = 1.1.1.1
VPN Gateway = 2.2.2.2
DB Server = 10.20.20.1
Your PC is sending a packet to DB Server. That packet is intercepted by the VPN Client software, and the virtual IP is used instead of the PC's address as source:
    Source = 192.16.1.1:4711 Dest. = 10.20.20.1:1521; plain-text data
Then encryption is applied, and encapsulated in another IP packet
    Source = 10.10.10.1:1111 Dest = 2.2.2.2:500; complete encrypted IP packet from previous step
That packet is sent to the default gateway, your Internet router, which is 2.2.2.2. Since that router applies private-to-public IP NAT, source data is changed:
    Source = 1.1.1.1:2222 Dest = 2.2.2.2:500; payload from previous step
The router sees the target 2.2.2.2, and will forward that according to its best knowledge to the next available router, [...].
VPN gateway 1.1.1.1 receives the IPSec packet, checks for the public IP (1.1.1.1), which is known from VPN initiation, and applies decryption:
    Source = 192.168.1.1:4711 Dest = 10.20.20.1:1521; plain-text data

As you can see, the remote server does not know anything about the real private IP of your PC; packets are originating always from the virtual IP.
The reverse route is the same in exact reverse order.
 

Author Comment

by:sam15
ID: 34248903
Excellent! But I do not see any virtual IP assigned by the VPN gateway in the client connection details.
Is there a way to verify there is a virtual IP getting assigned by the VPN gateway and sent like you explain?
 
LVL 68

Expert Comment

by:Qlemo
ID: 34249252
Ooops, you got me! What I described above is how most VPN clients work, but not CP SecuRemote. Your client IP is not changed to a virtual IP. That again means that your client IP needs to get routed correctly on the other site, which is a configuration issue on the default gateway there. Usually that is the CP itself.
 

Author Comment

by:sam15
ID: 34251158
You mean the client IP as the private IP I see on my PC, or the firewall/router IP for the company I connect from?

I thought private IPs do not get sent to the public internet.
 
LVL 68

Expert Comment

by:Qlemo
ID: 34251229
My figure above still applies. Only the first packet is slightly different:
    Source = 10.10.10.1:4711 Dest. = 10.20.20.1:1521; plain-text data
and the last line is exactly the same as that.

Please follow my example again. While in any public area, only public IPs are visible. All private IPs are hidden in the encrypted and encapsulated IP packet.
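The flow graph from the accepted solution and the SecuRemote variant from the last comment, modelled as an added example (this is editor-written code, not from the thread and not Check Point's implementation). It uses the post's addresses; the ports, the `SELECT 1 FROM dual` payload and the 32-byte key are constructed, and the "cipher" is a toy encrypt-then-MAC built from HMAC-SHA256 standing in for the real ESP transform. What it shows is which headers a sniffer sees on the corporate LAN, on the public Internet and on the remote LAN, and that a packet modified in transit is rejected by the gateway rather than decrypted.

```python
"""Model of the IPsec-style flow described in the thread: which IPs are
visible at each hop, and that only the tunnel endpoints can read the payload."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass, replace
from typing import Optional

# Addresses from the post; ports follow the post's constructed examples.
PC_IP = "10.10.10.1"
VIRTUAL_IP = "192.168.1.1"
ROUTER_PUBLIC_IP = "1.1.1.1"
VPN_GATEWAY_IP = "2.2.2.2"
DB_SERVER = "10.20.20.1:1521"
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    src: str        # "ip:port"
    dst: str        # "ip:port"
    payload: bytes  # plaintext, or a sealed inner packet


def encode(pkt: Packet) -> bytes:
    """Serialise an inner packet so it can travel as an opaque payload."""
    return f"{pkt.src}>{pkt.dst}>".encode() + pkt.payload


def decode(raw: bytes) -> Packet:
    src, dst, payload = raw.split(b">", 2)
    return Packet(src.decode(), dst.decode(), payload)


def _subkey(key: bytes, label: bytes) -> bytes:
    """Derive separate encryption and MAC keys from the shared tunnel key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as the toy cipher's keystream (stand-in for ESP's AEAD)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a packet altered in transit is rejected, never decrypted."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def is_private(endpoint: str) -> bool:
    return ipaddress.ip_address(endpoint.rsplit(":", 1)[0]).is_private


def tunnel_flow(key: bytes, virtual_ip: Optional[str] = VIRTUAL_IP) -> dict:
    """Return the packet a sniffer would see at each point of the post's flow graph.

    virtual_ip=None models the SecuRemote case from the follow-up comment: the
    inner source stays the PC's own address instead of a gateway-assigned one.
    """
    inner_src = virtual_ip if virtual_ip else PC_IP
    # Step 1: the PC's plaintext request (constructed payload)
    inner = Packet(f"{inner_src}:4711", DB_SERVER, b"SELECT 1 FROM dual")
    # Step 2: the VPN client seals it and wraps it in a new header addressed to the gateway
    outer = Packet(f"{PC_IP}:1111", f"{VPN_GATEWAY_IP}:{IKE_PORT}", seal(key, encode(inner)))
    # Step 3: the corporate router NATs the private source to its public address
    natted = replace(outer, src=f"{ROUTER_PUBLIC_IP}:2222")
    # Step 4: the VPN gateway verifies, decrypts and forwards the original packet
    remote = decode(open_(key, natted.payload))
    return {"pc": inner, "corporate_lan": outer, "public_internet": natted, "remote_lan": remote}


def private_ips_visible_in_public(hops: dict) -> bool:
    """True if any private address shows up in the headers crossing the public Internet."""
    pkt = hops["public_internet"]
    return is_private(pkt.src) or is_private(pkt.dst)


if __name__ == "__main__":
    key = os.urandom(32)  # constructed; in IPsec this comes out of the IKE exchange
    for where, pkt in tunnel_flow(key).items():
        readable = pkt.payload if where in ("pc", "remote_lan") else "<opaque>"
        print(f"{where:16} {pkt.src:>18} -> {pkt.dst:<16} {readable}")
```

Running it prints one line per observation point: on the corporate LAN and the public Internet the headers show only the client/NAT address and the gateway on UDP 500 with an opaque payload, while the remote LAN sees the original request in the clear, which is the "no privacy after the endpoint" point made earlier in the thread.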
