What traffic is pumped through the VPN?
StandardGreen 2007-11-03, 7:12 pm
When I'm VPN'd into my organization's network, is every bit of traffic
that goes down my TCP/IP stack funneled through the tunnel (rhyme
unintended) and into my org's network? Here's why I ask this:
It was my understanding that any traffic that my machine generated was
pumped through the tunnel because, in spite of my home machine being
physically far from our LAN, the VPN by design made my computer
interact with the work LAN as if it was plugged into the
organization's cable plant.
Predictably, while I was on the VPN anything that was blocked by my
org's filtering system was blocked on my home machine because, for all
intents and purposes, I was on my work LAN. Furthermore, showip.net
revealed my home PC as having the external IP of my workplace's ISA
server; whoising my nickname on IRC revealed my organization's address,
etc. For this reason, as well as what little I've learned about the
guts of VPNs, I was under the impression that every '1' and '0' that
came from my network card went through my org's network just as if I
was plugged into the physical network. I didn't think that there was
any discrimination as to which traffic, or protocol, or port numbers
would go on the VPN or stay on my home network (except for traffic
specifically pointed towards my home network IP range of
192.168.1.0/24 rather than my work range of 10.0.0.0/16).
Lately I noticed that sites are no longer blocked while I'm on the
VPN, but they are blocked for every non-VPN user inside my workplace.
I brought it up to one of my fellow IT workers who was surprised to
hear it. However, another IT person disputed my understanding that all
traffic generated on a VPN client went through the tunnel and onto the
corporate LAN. He said that port 80 traffic didn't go through the VPN
(which baffled me because of showIP.com telling that I had my org's
external address instead of my home's external IP). Puzzled, I've been
looking for answers.
Anyone care to help me in my understanding of VPNs? Could someone
share some good resources on VPNs and their behavior? Some 30,000-foot
material would be good to start with (not quite "for Dummies" but not
Cisco Press either).
Thanks,
StandardGreen
Mike Drechsler - SPAM PROTECTED EMAIL 2007-11-05, 1:14 am
StandardGreen wrote:
> When I'm VPN'd into my organization's network, is every bit of traffic
> that goes down my TCP/IP stack funneled through the tunnel (rhyme
> unintended) and into my org's network? Here's why I ask this:
>
> It was my understanding that any traffic that my machine generated was
> pumped through the tunnel because, in spite of my home machine being
> physically far from our LAN, the VPN by design made my computer
> interact with the work LAN as if it was plugged into the
> organization's cable plant.
>
> Predictably, while I was on the VPN anything that was blocked by my
> org's filtering system was blocked on my home machine because, for all
> intents and purposes, I was on my work LAN. Furthermore, showip.net
> revealed my home PC as having the external IP of my workplace's ISA
> server; whoising my nickname on IRC revealed my organization's address,
> etc. For this reason, as well as what little I've learned about the
> guts of VPNs, I was under the impression that every '1' and '0' that
> came from my network card went through my org's network just as if I
> was plugged into the physical network. I didn't think that there was
> any discrimination as to which traffic, or protocol, or port numbers
> would go on the VPN or stay on my home network (except for traffic
> specifically pointed towards my home network IP range of
> 192.168.1.0/24 rather than my work range of 10.0.0.0/16).
>
> Lately I noticed that sites are no longer blocked while I'm on the
> VPN, but they are blocked for every non-VPN user inside my workplace.
> I brought it up to one of my fellow IT workers who was surprised to
> hear it. However, another IT person disputed my understanding that all
> traffic generated on a VPN client went through the tunnel and onto the
> corporate LAN. He said that port 80 traffic didn't go through the VPN
> (which baffled me because of showIP.com telling that I had my org's
> external address instead of my home's external IP). Puzzled, I've been
> looking for answers.
>
> Anyone care to help me in my understanding of VPNs? Could someone
> share some good resources on VPNs and their behavior? Some 30,000-foot
> material would be good to start with (not quite "for Dummies" but not
> Cisco Press either).
>
>
> Thanks,
> StandardGreen
>
A VPN tunnel can be configured to send all or only some of the traffic
over the tunnelled connection. It all depends on how the administrator
has set things up. It is also possible to configure policies that are
different for traffic exiting the corporate LAN depending on if they
came from a desktop physically on site or if the traffic is from a VPN
tunnel into the network. Just because a service or website is blocked
on site it doesn't mean that they couldn't use a different policy for
VPN traffic.
--
WARNING! Email address has been altered for spam resistance.
Please remove the -deletethispart-. section before replying directly.
Mike Drechsler (mike-newsgroup@-deletethispart-.upcraft.com)
Rick Merrill 2007-11-05, 7:12 pm
Mike Drechsler - SPAM PROTECTED EMAIL wrote:
> StandardGreen wrote:
>
> A VPN tunnel can be configured to send all or only some of the traffic
> over the tunnelled connection. It all depends on how the administrator
> has set things up. It is also possible to configure policies that are
> different for traffic exiting the corporate LAN depending on if they
> came from a desktop physically on site or if the traffic is from a VPN
> tunnel into the network. Just because a service or website is blocked
> on site it doesn't mean that they couldn't use a different policy for
> VPN traffic.
>
Do you suppose he has a dual-thread setup so that he uses his own
gateway to the internet, rather than using the VPN - LAN - gateway to
the internet?
StandardGreen 2007-11-08, 7:14 am
On Nov 4, 9:18 pm, Mike Drechsler - SPAM PROTECTED EMAIL <mike-
newsgr...@-DELETETHISPART-.upcraft.com> wrote:
> StandardGreen wrote:
>
> A VPN tunnel can be configured to send all or only some of the traffic
> over the tunnelled connection. It all depends on how the administrator
> has set things up. It is also possible to configure policies that are
> different for traffic exiting the corporate LAN depending on if they
> came from a desktop physically on site or if the traffic is from a VPN
> tunnel into the network. Just because a service or website is blocked
> on site it doesn't mean that they couldn't use a different policy for
> VPN traffic.
>
> --
> WARNING! Email address has been altered for spam resistance.
> Please remove the -deletethispart-. section before replying directly.
> Mike Drechsler (mike-newsgr...@-deletethispart-.upcraft.com)
@Mike Drechsler
Thanks for the info. When you say "It all depends on how the
administrator has set things up" where does one configure such behavior? I'm
assuming it's at the VPN server level (in our case, ISA). I'm somewhat
familiar with setting up VPNs with RRAS and, due to a recently
acquired consulting job, am now having to rapidly become familiarized
with setting up a VPN through a small-business-class firewall/router/
VPN combo device. Knowing the methods used in selectively choosing
which traffic to require going across the VPN would be valuable.
@Rick Merrill
::Deer-in-the-headlights-stare::
Wha..? ;) Let me Google that and get back to you...
@Anyone:
So, what were your most informative sources for VPN info?
Thanks much,
StandardGreen
Rick Merrill 2007-11-09, 7:12 pm
StandardGreen wrote:
....
>
> Wha..? ;) Let me Google that and get back to you...
>
With a VPN what you Don't want is for the user's computer to use
the VPN to access the remote LAN for the gateway because all his
internet traffic would then travel over the VPN (twice!).
StandardGreen 2007-11-12, 7:12 pm
On Nov 9, 4:37 pm, Rick Merrill <rick0.merr...@NOSPAM.gmail.com>
wrote:
> StandardGreen wrote:
>
> ...
>
> With a VPN what you Don't want is for the user's computer to use
> the VPN to access the remote LAN for the gateway because all his
> internet traffic would then travel over the VPN (twice!).
Ah. That makes sense. Yes, I believe that was the way things were
previously set up at work. I'm going to use Wireshark to watch what
goes on over the wire and see what I can find. In the meantime,
"Comparing, Designing, and Deploying VPNs" by Cisco Press might be a
good place to learn from. (I know, I said no Cisco Press stuff. I
changed my mind.)
StandardGreen
Rick Merrill 2007-11-15, 1:51 pm
StandardGreen wrote:
> On Nov 9, 4:37 pm, Rick Merrill <rick0.merr...@NOSPAM.gmail.com>
> wrote:
>
> Ah. That makes sense. Yes, I believe that was the way things were
> previously set up at work. I'm going to use Wireshark to watch what
> goes on over the wire and see what I can find. In the meantime,
> "Comparing, Designing, and Deploying VPNs" by Cisco Press might be a
> good place to learn from. (I know, I said no Cisco Press stuff. I
> changed my mind.)
>
> StandardGreen
>
just double check the IP of your 'gateway' and make sure
it is different from the one that VPN's LAN uses.
> ipconfig /all
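The following is an added example, not code from any poster in the thread. It models the point Mike and Rick make: the client's route table, not "the VPN" as such, decides which destinations leave through the tunnel, and the one entry that distinguishes full tunnelling from split tunnelling is the default route that `ipconfig /all` reports as the gateway. The 10.0.0.0/16 work range and 192.168.1.0/24 home range are the thread's; the VPN server address 198.51.100.1, the interface names and the test destinations are constructed.

```python
import ipaddress

# Constructed route tables: (destination network, outgoing interface).
HOME_GW = "home-gateway"   # physical NIC, next hop is the home router
TUNNEL = "vpn-tunnel"      # virtual adapter, traffic exits via the work LAN

# Assumed public address of the VPN server (TEST-NET-2, constructed).
VPN_SERVER = "198.51.100.1"

COMMON_ROUTES = [
    (ipaddress.ip_network("192.168.1.0/24"), HOME_GW),  # home LAN stays local
    (ipaddress.ip_network("10.0.0.0/16"), TUNNEL),      # work LAN via the tunnel
    # Host route so the encapsulated packets to the VPN server itself are
    # never sent into the tunnel they carry (a loop in full-tunnel mode).
    (ipaddress.ip_network(VPN_SERVER + "/32"), HOME_GW),
]

# Full tunnel: the default route points into the tunnel, so internet traffic
# exits through the work LAN's gateway (what the poster saw on showip.net)
# and each reply crosses the VPN a second time on the way back.
FULL_TUNNEL = COMMON_ROUTES + [(ipaddress.ip_network("0.0.0.0/0"), TUNNEL)]

# Split tunnel: the default route stays on the home gateway; only the
# 10.0.0.0/16 range is sent over the VPN.
SPLIT_TUNNEL = COMMON_ROUTES + [(ipaddress.ip_network("0.0.0.0/0"), HOME_GW)]


def select_route(table, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    matches = [(net, iface) for net, iface in table if addr in net]
    if not matches:
        raise LookupError(f"no route to {addr}")
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def classify(table, destinations):
    """Map each destination to the interface its traffic leaves on."""
    return {d: select_route(table, d) for d in destinations}


if __name__ == "__main__":
    # Constructed destinations: a work host, a home host, the VPN server,
    # and a public web server (TEST-NET-3).
    probes = ["10.0.5.20", "192.168.1.10", VPN_SERVER, "203.0.113.10"]
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name, classify(table, probes))
```

Comparing the two tables against the gateway shown by `ipconfig /all` (or `route print`) tells you which mode a client is in: a default gateway on the tunnel adapter means the web traffic is being hairpinned through the work LAN.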