
Hi

When using PPTP my external IP changes, but when using Cisco IPsec VPN it stays the same; however, I can still connect to machines on the VPN. If I were to traceroute Neowin, the traceroute wouldn't change from what I would normally see.

Does it only forward traffic through the VPN server for some hostnames? PPTP seems to forward everything.

Thanks

https://www.neowin.net/forum/topic/847882-ipsec-vpn/

Depends on whether your VPN connection is set up to be the default gateway or not. Sounds like your Cisco connection is allowing for split tunnel, which normally is a no-no; companies do not allow for that.

On your PPTP VPN connection you can check:

[screenshot of the PPTP connection's gateway setting, not reproduced here]

I would post a picture for the Cisco client, but I don't feel like firing up my laptop, etc.


I am using a Mac; when connecting to the VPN and visiting whatismyip.com, it reports the same IP as when I'm not on the VPN. I have not changed any settings on the Mac, but I am definitely on the VPN as I can ping internal mail servers, etc.

The exact same thing happens with the Cisco client on Windows, but I can't find anything on either PC about split tunnel. Does Cisco IPsec work out which hosts are on the VPN and only redirect their traffic?

Thanks


It does not matter what OS you're on; the settings for a VPN are the same: either use the remote gateway or not, and just route traffic to the connection. The only thing that would change is where in some GUI you would make the change, or maybe the terms are slightly different.

The Cisco client would be set up by the VPN admin on the other end as to whether you can split tunnel or not.

On the Cisco client it would be called "allow local access" or something like that; I would have to fire up the client. And then again, the terms might have changed a bit. Which Cisco client are you using? 5, I would guess. Cisco is going to end support for the IPsec clients; you need to move to AnyConnect, which is all SSL based.

Just take a look at your route table when you connect to your VPN and you will see what happens. A VPN can either route all traffic through the VPN connection, or it can just add a route to the other network(s) on the other end of the VPN.

When you're allowed access to your local network, using your local network's gateway, and also to the networks on the other end of a VPN, it's called a split tunnel.

http://en.wikipedia.org/wiki/Split_tunneling

Normally users don't want to have to route all traffic through a VPN to access the internet, etc., since normally home internet is faster than routing through the work network and then using work's internet connection.

Unless you're wanting to circumvent something by routing the traffic through the VPN connection, so that some site sees the VPN's IP vs your local one, I don't really see what your issue is. You stated you have access to the servers using the VPN.


It doesn't really know which hosts are on there; it knows what networks are there.

If you want to understand how it works, look up routing.

I don't have a Mac, but I'm fairly sure, since OS X is based off Darwin, that the command would be the same as it is in Linux:

netstat -nr

This will show you your routing table, so run it when connected to the VPN and you will see how it knows to send your traffic down the VPN when you want to connect to a machine housed at the other end of the VPN.

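The route-table check suggested in the post above, worked through as an added example that is not code from the thread or from Cisco: a small shell function that reads the IPv4 section of `netstat -nr` and reports whether the tunnel has taken over the default route (full tunnel) or only added routes to the remote network(s) (split tunnel). The four route tables in the script are constructed in macOS format rather than captured from the poster's machines; the interface names en0 and utun0, the 10.0.0.0/16 corporate network and the 203.0.113.10 VPN server address are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread: decide whether a VPN is a full
# tunnel or a split tunnel by reading the IPv4 section of `netstat -nr`.
# The route tables below are constructed in macOS format rather than captured
# from the poster's machines; en0/utun0, the 10.0.0.0/16 corporate network
# and the 203.0.113.10 VPN server address are assumptions for illustration.

# classify_routes TABLE TUNNEL_IFACE_PREFIX -> prints full, split or none
classify_routes() {
    printf '%s\n' "$1" | awk -v t="$2" '
        # Locate the Netif column from the header instead of assuming a position.
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        # Stop at the IPv6 section; run the same check on it separately.
        /^Internet6:/ { exit }
        !col { next }
        $col !~ ("^" t) { next }                 # not a route via the tunnel
        $1 == "default" { full = 1; next }       # default route replaced outright
        $1 == "0/1" || $1 == "0.0.0.0/1" || $1 == "128.0/1" || $1 == "128.0.0.0/1" { half++; next }  # two /1 routes beat the existing default
        { other++ }                              # a specific network: split-tunnel route
        END {
            if (full || half == 2) print "full"
            else if (other)        print "split"
            else                   print "none"
        }'
}

# Constructed sample tables (see the comment at the top).
SPLIT_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
10.0.0/16          10.0.0.1           UGSc         utun0
10.0.0.1           10.0.0.5           UH           utun0
127                127.0.0.1          UCS            lo0
192.168.1          link#4             UCS            en0
203.0.113.10       192.168.1.1        UGHS           en0

Internet6:
default            fe80::1%en0        UGc            en0'

FULL_TABLE='Routing tables

Internet:
Destination        Gateway            Flags        Netif Expire
default            10.0.0.1           UGSc         utun0
10.0.0.1           10.0.0.5           UH           utun0
127                127.0.0.1          UCS            lo0
192.168.1          link#4             UCS            en0
203.0.113.10       192.168.1.1        UGHS           en0

Internet6:
default            fe80::1%en0        UGc            en0'

# Some clients leave the original default in place and add 0/1 and 128.0/1
# via the tunnel instead (OpenVPN calls this "def1"); that is still a full tunnel.
DEF1_TABLE='Internet:
Destination        Gateway            Flags        Netif Expire
0/1                10.0.0.1           UGSc         utun0
default            192.168.1.1        UGSc           en0
128.0/1            10.0.0.1           UGSc         utun0
192.168.1          link#4             UCS            en0'

NOVPN_TABLE='Internet:
Destination        Gateway            Flags        Netif Expire
default            192.168.1.1        UGSc           en0
127                127.0.0.1          UCS            lo0
192.168.1          link#4             UCS            en0'

# On a live machine: classify_routes "$(netstat -nr)" utun
echo "split sample:  $(classify_routes "$SPLIT_TABLE" utun)"
echo "full sample:   $(classify_routes "$FULL_TABLE" utun)"
echo "def1 sample:   $(classify_routes "$DEF1_TABLE" utun)"
echo "no-VPN sample: $(classify_routes "$NOVPN_TABLE" utun)"
```

Two caveats when running this against a real machine. First, the script only reads the `Internet:` section; a client that captures the IPv4 default route but leaves the IPv6 default on en0 still leaks everything reachable over IPv6, so repeat the check on the `Internet6:` section. Second, the check only works for clients that install routes through a virtual interface (utun, ppp, tun, or the Cisco virtual adapter on Windows, where `route print` is the equivalent command). A purely policy-based IPsec client encrypts selected traffic on the physical interface without adding routes, and its traffic selectors show up in the security policy database (`setkey -DP` on BSD-derived systems) rather than in the routing table.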

Normally users don't want to have to route all traffic through a VPN to access the internet, etc., since normally home internet is faster than routing through the work network and then using work's internet connection.

Unless you're wanting to circumvent something by routing the traffic through the VPN connection, so that some site sees the VPN's IP vs your local one, I don't really see what your issue is. You stated you have access to the servers using the VPN.

Some companies would want to block all external network connectivity when on the VPN, and to route all internet traffic via the VPN:

1) so that there's no danger of the local network the remote user is on interacting with the machine while it's on the corporate network;

2) so that they can log/filter any internet access from the machine whilst it's connected to the corporate network.


2) so that they can log/filter any internet access from the machine whilst it's connected to the corporate network.

Why? If the internet isn't going through their VPN server and is using the local connection instead, then it's not their problem; why waste bandwidth by sending it through their server?


Quite often you would want to filter the machine's internet access if it connects to the work network, to protect it, which is why it's rare to see split-tunnel setups.

You would not want a work computer connecting to the public net unless it's going through the company firewall and content filters; it does not matter if the computer is at work or some other location.

Quite often you would block all internet access on roaming work machines other than to connect to the VPN, and then through that connect to the internet through the controlled work connection.


Why? If the internet isn't going through their VPN server and is using the local connection instead, then it's not their problem; why waste bandwidth by sending it through their server?

Because you probably don't want machines that are connected to your corporate network, which probably has internal data on it, and users who have access to commercially sensitive information, just running around on an unfiltered net connection.

Also, by forcing them through the VPN as well as filtering, you can virus-scan traffic at the gateway if you so wish.

Some companies will also mandate that the firewall software is installed and running before allowing access to the VPN, and will then configure the firewall on the machine to drop all local network traffic so that the machine is only accessible via the VPN and not from the network it is connected to.

It usually depends on how strict your IT department is: some will let laptop users connect directly to the internet but only when not VPN'd or on their LAN, some will mandate that all traffic goes via the VPN/corporate network, and some will probably allow split tunneling.
