
Solved

VPN data Tunnel

Posted on 2010-11-29
Medium Priority
570 Views
Last Modified: 2012-06-27
Can someone briefly explain how VPN works technically?

If I have a Checkpoint client with a private IP that goes through a Checkpoint firewall in Building A to a VPN gateway in another city to another database server.

Where are the points the tunnel is created for? Does the IP address change with outgoing and incoming traffic? Can network monitoring tools see the traffic? What protocols are being used?
Question by:sam15
9 Comments
 
LVL 71

Expert Comment

by:Qlemo
ID: 34237018
Tunnels are always built between two endpoints. One of the endpoints is the VPN client or device, the other is a VPN device (or VPN server software). The VPN client addresses the VPN gateway (as visible in its config). Between these endpoints all traffic is encrypted. The VPN gateway on the other site decrypts and encrypts as kind of proxy, so that all traffic of the LAN behind it is unencrypted.
As a consequence, only the VPN tunnel partners know of the public IPs, anything else only of the private IPs.
The payload representing the secured traffic is not getting changed by VPN. VPN just wraps another packet around the (encrypted) payload, so it can pass securely over a public infrastructure.
In the public, your traffic can be seen, but not read. The encrypted payload is just something completely strange to any stranger. Only the VPN endpoints know how to encrypt and decrypt, and the keys are changed from time to time automatically.
If you monitor the traffic after the VPN endpoint device, you'll see the decrypted payload - no privacy there.
The protocols used for a CheckPoint VPN are IP, UDP, ISAKMP and IPSec.
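To make the "seen but not read" point concrete from the monitoring side, here is an added example (not part of the thread, and not Check Point code) that classifies constructed flow records the way a sniffer sitting between the corporate firewall and the Internet would see them. The protocol and port numbers are the standard IANA assignments for the protocols Qlemo lists (UDP/500 for ISAKMP/IKE, IP protocol 50 for ESP, plus UDP/4500 for IPsec NAT-T); the log lines, their format and the addresses 1.1.1.1, 2.2.2.2 and 203.0.113.10 are constructed sample data.

```python
import re
from collections import Counter

# IANA-assigned values that the thread's protocol list maps onto (real numbers).
UDP, ESP, AH = 17, 50, 51
ISAKMP_PORT, NAT_T_PORT = 500, 4500

# Constructed flow records in a made-up "src[:port] -> dst[:port] proto=N" format.
# 1.1.1.1 / 2.2.2.2 are the thread's example endpoints; 203.0.113.10 is a TEST-NET address.
SAMPLE_LOG = """\
1.1.1.1:2222 -> 2.2.2.2:500 proto=17 bytes=412
2.2.2.2:500 -> 1.1.1.1:2222 proto=17 bytes=388
1.1.1.1 -> 2.2.2.2 proto=50 bytes=1398
1.1.1.1:3001 -> 2.2.2.2:4500 proto=17 bytes=1420
1.1.1.1:51234 -> 203.0.113.10:443 proto=6 bytes=517
"""

LINE = re.compile(
    r"^(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> "
    r"(?P<dst>[\d.]+)(?::(?P<dport>\d+))? proto=(?P<proto>\d+)")


def parse_line(line):
    """Parse one constructed record; ESP/AH lines carry no ports, so ports are optional."""
    m = LINE.match(line)
    if not m:
        return None
    g = m.groupdict()
    return {"src": g["src"], "dst": g["dst"], "proto": int(g["proto"]),
            "sport": int(g["sport"]) if g["sport"] else None,
            "dport": int(g["dport"]) if g["dport"] else None}


def classify(rec):
    """Return (label, payload_readable) for what a monitor on the public side can tell."""
    ports = {rec["sport"], rec["dport"]}
    if rec["proto"] == ESP:
        return "IPsec ESP", False              # encrypted inner packet: outer addresses only
    if rec["proto"] == AH:
        return "IPsec AH", True                # authenticated but NOT encrypted
    if rec["proto"] == UDP and ISAKMP_PORT in ports:
        return "ISAKMP/IKE key exchange", False
    if rec["proto"] == UDP and NAT_T_PORT in ports:
        return "IPsec ESP in UDP (NAT-T)", False
    return "non-VPN", True


def summarize(log_text):
    """Count labels and collect the public endpoint pairs that carry tunnel traffic."""
    counts = Counter()
    vpn_peers = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        label, _readable = classify(rec)
        counts[label] += 1
        if label != "non-VPN":
            vpn_peers.add(tuple(sorted((rec["src"], rec["dst"]))))
    return counts, vpn_peers


if __name__ == "__main__":
    counts, peers = summarize(SAMPLE_LOG)
    print(dict(counts))
    print("tunnel endpoints visible on the wire:", peers)
```

The only things the classifier can recover for the tunnel flows are the two public endpoints and the protocol mix; nothing inside ESP is readable. One general IPsec caveat the thread's example glosses over: when a NAT device (here the corporate router) sits in the path, IKE normally detects it and the ESP traffic is carried in UDP on port 4500 rather than as bare protocol 50, which is why the classifier labels that case too.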
 

Author Comment

by:sam15
ID: 34238639
But is the tunnel between my PC with private IP or the company firewall machine which I go through?

My understanding is that private IP is not transmitted to the public internet.

If the tunnel is direct between my machine and remote VPN gateway then traffic should bypass our company firewall, but I doubt it.
 
LVL 71

Expert Comment

by:Qlemo
ID: 34239747
It is something in-between. Your client and the VPN gateway are the only ones who know of all the required stuff for the VPN. Anything else is either forwarding unencrypted traffic (remote: VPN gateway to internal DB server), or forwarding encrypted traffic (your corporate firewall and all routers in front of the remote VPN gateway). For your corporate firewall that VPN traffic is just like Web access - you having a private IP, which is translated to a public IP (of the firewall), and the target having a public IP.

Your VPN traffic is bypassing the corporate firewall in that regard that it cannot see the contents. But of course the firewall is the device routing traffic from and to Internet.

 

Author Comment

by:sam15
ID: 34243817
Let us say I connect to the VPN gateway.

Now I send a request from my PC to the remote DB server.

Can you explain how the packets really flow, what IPs are going with the packet and how the response comes back?
 
LVL 71

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 34244006
Example flow graph, with
PC = 10.10.10.1
VPN Client virtual IP (assigned by gateway) = 192.168.1.1
Local Internet Router = 1.1.1.1
VPN Gateway = 2.2.2.2
DB Server = 10.20.20.1
Your PC is sending a packet to DB Server. That packet is intercepted by the VPN Client software, and the virtual IP is used instead of the PC's address as source:
    Source = 192.168.1.1:4711 Dest. = 10.20.20.1:1521; plain-text data
Then encryption is applied, and encapsulated in another IP packet
    Source = 10.10.10.1:1111 Dest = 2.2.2.2:500; complete encrypted IP packet from previous step
That packet is sent to the default gateway, your Internet router, which is 1.1.1.1. Since that router applies private-to-public IP NAT, source data is changed:
    Source = 1.1.1.1:2222 Dest = 2.2.2.2:500; payload from previous step
The router sees the target 2.2.2.2, and will forward that according to its best knowledge to the next available router, [...].
VPN gateway 2.2.2.2 receives the IPSec packet, checks for the public IP (1.1.1.1), which is known from VPN initiation, and applies decryption:
    Source = 192.168.1.1:4711 Dest = 10.20.20.1:1521; plain-text data

As you can see, the remote server does not know anything about the real private IP of your PC; packets are originating always from the virtual IP.
The reverse route is the same in exact reverse order.
 

Author Comment

by:sam15
ID: 34248903
Excellent! But I do not see any virtual IP assigned by the VPN gateway in the client connection details.
Is there a way to verify there is a virtual IP getting assigned by the VPN gateway and sent like you explain?
 
LVL 71

Expert Comment

by:Qlemo
ID: 34249252
Ooops, you got me! What I described above is how most VPN Clients work, but not CP SafeRemote. Your client IP is not changed to a virtual IP. That again means that your client IP needs to get routed correctly on the other site, which is a configuration issue on the default gateway there. Usually that is the CP itself.
 

Author Comment

by:sam15
ID: 34251158
You mean the client IP as the private IP I see on my PC or the firewall/router IP for the company I connect from?

I thought private IPs do not get sent to the public internet.
 
LVL 71

Expert Comment

by:Qlemo
ID: 34251229
My figure above still applies. Only the first packet is slightly different:
    Source = 10.10.10.1:4711 Dest. = 10.20.20.1:1521; plain-text data
and the last line is exactly the same as that.

Please follow my example again. While in any public area, only public IPs are visible. All private IPs are hidden in the encrypted and encapsulated IP packet.
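The packet walk in the accepted solution, together with the variant in this last comment where the client keeps its real private address, as an added runnable example (not from the thread and not Check Point code). It uses the thread's example addresses (10.10.10.1, 192.168.1.1, 1.1.1.1, 2.2.2.2, 10.20.20.1), the outer destination port 500 as Qlemo wrote it, and the ports 4711, 1111, 2222 and 1521 from his figure. The encryption is a toy XOR keystream derived from SHA-256 so that it runs with the standard library alone; it stands in for ESP's real cipher and integrity protection and is not usable as one. The key, the "SELECT 1 FROM dual" request and the "1 row" reply are constructed placeholders. The `walk()` function returns the packet as it leaves every hop, for the request and for the reply in reverse order, and `monitor_view()` shows what a sniffer at a given hop can learn.

```python
import hashlib
from dataclasses import dataclass, replace

# Addresses from the thread's example (constructed values, not real hosts).
PC_IP, VIRTUAL_IP, ROUTER_IP, GATEWAY_IP, DB_IP = (
    "10.10.10.1", "192.168.1.1", "1.1.1.1", "2.2.2.2", "10.20.20.1")
ISAKMP_PORT = 500                        # outer port as used in the thread's figure
TUNNEL_KEY = b"placeholder-for-the-IKE-negotiated-key"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes   # application data, or an encrypted inner packet


def serialize(p: Packet) -> bytes:
    return f"{p.src}:{p.sport}>{p.dst}:{p.dport}|".encode() + p.payload


def parse(raw: bytes) -> Packet:
    header, payload = raw.split(b"|", 1)  # the header itself never contains '|'
    s, d = header.decode().split(">")
    src, sport = s.split(":")
    dst, dport = d.split(":")
    return Packet(src, int(sport), dst, int(dport), payload)


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """XOR with a SHA-256 counter keystream: a stand-in for ESP's AES, NOT for real use."""
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def encapsulate(inner, outer_src, outer_sport, outer_dst, outer_dport) -> Packet:
    """Encrypt the complete inner packet and wrap it in a new outer IP header."""
    return Packet(outer_src, outer_sport, outer_dst, outer_dport,
                  toy_cipher(TUNNEL_KEY, serialize(inner)))


def decapsulate(p: Packet, expected_src: str, expected_dst: str) -> Packet:
    """Accept only the peer known from VPN initiation, then decrypt the inner packet."""
    if (p.src, p.dst) != (expected_src, expected_dst):
        raise ValueError(f"unexpected tunnel endpoints {p.src}->{p.dst}")
    return parse(toy_cipher(TUNNEL_KEY, p.payload))


def walk(use_virtual_ip: bool = True) -> list:
    """Return [(hop, packet as it leaves that hop)] for a request and its reply."""
    nat = {}
    hops = []
    req = Packet(PC_IP, 4711, DB_IP, 1521, b"SELECT 1 FROM dual")
    if use_virtual_ip:
        req = replace(req, src=VIRTUAL_IP)          # most clients: gateway-assigned address
    # With use_virtual_ip=False the DB LAN must route 10.10.10.1 back to the gateway.
    hops.append(("PC -> VPN client", req))
    out = encapsulate(req, PC_IP, 1111, GATEWAY_IP, ISAKMP_PORT)
    hops.append(("VPN client -> corporate router", out))
    nat[(ROUTER_IP, 2222)] = (out.src, out.sport)   # outbound NAT entry
    wire = replace(out, src=ROUTER_IP, sport=2222)
    hops.append(("corporate router -> Internet -> VPN gateway", wire))
    inner = decapsulate(wire, ROUTER_IP, GATEWAY_IP)
    hops.append(("VPN gateway -> DB server", inner))
    # Reply: same steps in reverse order.
    resp = Packet(DB_IP, 1521, inner.src, inner.sport, b"1 row")
    hops.append(("DB server -> VPN gateway", resp))
    back = encapsulate(resp, GATEWAY_IP, ISAKMP_PORT, ROUTER_IP, 2222)
    hops.append(("VPN gateway -> Internet -> corporate router", back))
    priv_ip, priv_port = nat[(back.dst, back.dport)]
    unnat = replace(back, dst=priv_ip, dport=priv_port)
    hops.append(("corporate router -> VPN client", unnat))
    hops.append(("VPN client -> PC", decapsulate(unnat, GATEWAY_IP, PC_IP)))
    return hops


def monitor_view(p: Packet) -> dict:
    """What a sniffer at this point learns: outer addresses and whether the payload is readable."""
    return {"src": p.src, "dst": p.dst, "payload_readable": p.payload.isascii()}


if __name__ == "__main__":
    for hop, pkt in walk(use_virtual_ip=True):
        print(f"{hop:45s} {monitor_view(pkt)}")
```

Printing the hops shows Qlemo's point directly: only the "Internet" hops carry the pair 1.1.1.1 and 2.2.2.2, every private address travels inside the encrypted payload, and the DB server addresses its reply to whatever source the gateway handed it, which is the virtual IP in the common case and the PC's own private IP in the SafeRemote-style case.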
