ipsec vpn

By r0verken
in Smart Home, Network & Security

 Share

Recommended Posts

Neowinian

r0verken

Posted
Posted

Hi

When using pptp my external ip changes, but when using cisco ipsec vpn it stays the same however I can still connect to machines on the vpn. If i were to traceroute neowin, the traceroute wouldnt change from what i would normally see.

Does it only foward traffic through the vpn server for some hostnames? pptp seems to foward everything.

Thanks

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Depends on if your vpn connection is setup to be the default gateway or not. Sounds like your cisco connection is allowing for split tunnel - which normally is a no no and companies do not allow for that

On your pptp/vpn connection you can check

post-14624-1258819886_thumb.png

I would post a picture for the cisco client, but don't feel like firing up my laptop, etc.

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591877194
Share on other sites
Neowinian

r0verken

Posted
  • Author
Posted

I am using a mac, when connecting to the vpn and visiting whatismyip.com it reports the same IP as when im not on the vpn. I have not changed any settings on the mac, however am definitely on the vpn as I can ping internal mail servers etc.

The exact same thing happens with the cisco client on windows but I cant find anything on either pc about split tunnel.. does cisco ipsec work out which hosts are on the vpn and only redirect their traffic?

Thanks

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591877390
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Does not matter what OS your on -- the settings for a vpn are the same, either use the remote gateway or not, and just route traffic to the connection. Only thing that would change is the where in some gui you would make the change, or maybe terms slightly different

The cisco client would be setup by the vpn admin on the other end if you can split tunnel or not.

On the cisco client it would be call allow local access or something like that - would have to fire up client.. And then again it might have changed terms a bit.. Which cisco client are you using? 5 I would guess.. Cisco is going to end support for the ipsec clients -- need to move to the anyclient which is all SSL based.

Just take a look at your route table when you connect to your vpn and you will see what will happen. A VPN can either route all traffic through the vpn connection, or it can just add a route to the other network(s) on the other end of the vpn.

When your allowed access to local network, using your local networks gateway and also the networks on the other end of a vpn its called a split tunnel.

http://en.wikipedia.org/wiki/Split_tunneling

Normally users don't want to have to route all traffic through a vpn to access internet, etc.. since normally home internet is faster than routing through the work network, and then using the works internet connection, etc.

Unless your wanting to circumvent something by routing the traffic through the vpn connection, and then some site seeing the vpns IP vs your local one -- I don't really see what your issue is? You stated you have access to the servers using the vpn.

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591877450
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

It doesn't really know which hosts on there, it knows what networks are there.

If want to understand how it works, look up routing.

I don't have a mac, but fairly sure since os x is based off darwin that the command would be the same as it is in linux

netstat -nr

this will show you your routing table -- so run it when connected to the vpn and you will see how it knows to send your traffic down the vpn when you want to connect to machine housed at the other end of the vpn.

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591877666
Share on other sites
Grand Master

dragon2611

Posted
Posted
Normally users don't want to have to route all traffic through a vpn to access internet, etc.. since normally home internet is faster than routing through the work network, and then using the works internet connection, etc.

Unless your wanting to circumvent something by routing the traffic through the vpn connection, and then some site seeing the vpns IP vs your local one -- I don't really see what your issue is? You stated you have access to the servers using the vpn.

Some companies would want to block all external network connectivity when on the VPN, and to route all internet traffic via the VPN

1) so that there's no danger of the Local network the remote user is on interacting with the machine when it's on the Corporate network.

2) So that they can log/filter any internet access from the machine whilst it connected to the corporate network.

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591877710
Share on other sites
Neowinian

r0verken

Posted
  • Author
Posted
2) So that they can log/filter any internet access from the machine whilst it connected to the corporate network.

Why? If the internet isn't going through their vpn server and using the local connection instead then its not their problem, why waste bandwidth by sending it through their server?

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591877870
Share on other sites
Grand Master

+BudMan MVC

Posted
  • MVC
Posted

Quite often you would want to filter the machines internet access if it connects to the work network - to protect it.. Which is why its rare to see split tunnel setups..

You would not want a work computer connecting to the public net unless its going through the company firewall and content filters, does not matter if the computer is at work or some other location.

Quite often you would block all internet access on roaming work machines other then to connect to the vpn -- and then through that connect to the internet through the controlled work connection.

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591878056
Share on other sites
Grand Master

dragon2611

Posted
Posted
Why? If the internet isn't going through their vpn server and using the local connection instead then its not their problem, why waste bandwidth by sending it through their server?

Because you probably don't want machines that are connected to your corporate network which probably has internal data on it users who have access to commercially sensitive information just running around on an unfiltered net connection.

Also by forcing them though the vpn as well as filter you can virus scan traffic at the gateway if you so wish.

Some Companies will also Mandate that the firewall software is installed and running before allowing access to the VPN and will then configure the firewall on the machine to drop all local network traffic so that the machine is only accessable by the VPN and not the network it is connected to.

It usually depends on how strict your IT department are some will let laptop users connect directly to the internet but only when not VPN'd or on their LAN, some will mandate all traffic goes via the VPN/Corp Network and some will probably allow split tunneling.

Link to comment
https://www.neowin.net/forum/topic/847882-ipsec-vpn/#findComment-591878088
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.

  • Posts

    • Windows Server gets DNS over HTTPS (DoH) support

      By binaryzero · Posted

      Server Summit had a heap of announcements, ADCS changes are baller.
    • Linux 7.1 arrives with an NTFS overhaul and major hardware performance boosts

      By Max Norris · Posted

      Nice, hope they *finally* fixed the issue with the NTFS driver where the system would completely brick during large file copies using the built in driver. It's been broken for years requiring me to use the older, slower, NTFS-3G FUSE driver.
    • Windows 11 KB5094126 BSODing, freezing, forcing BitLocker lockout, breaks OneDrive, and more

      By hellowalkman · Posted

      Windows 11 KB5094126 BSODing, freezing, forcing BitLocker lockout, breaks OneDrive, and more by Sayan Sen Microsoft released Windows 11 KB5094126 and KB5093998 last week as the latest Patch Tuesday updates. Following that the company also published the accompanying dynamic updates under KB5094149, KB5095971, and KB5094156. While Microsoft has so far not acknowledged any major problems with the release, some users online are running into problems. These range from OneDrive and Dropbox access issues, BitLocker recovery lockouts, to blue screens and BSODs. The most common one seems to be happening with HP systems wherein affected users say they hit 0xc0430001 BSOD (blue screen of death) error code after the KB5094126 update. We wonder if this could be related to the recent bug we covered on HP devices wherein the ongoing Secure Boot certificate updates are leading to similar issues. While we are not certain, users affected by this issue likely need to ensure that the boot.stl file is included on the installation media (such as a USB installer or ISO), if the above-mentioned dynamic updates are deployed. If this file is missing, computers may fail to boot from the installation media and could display the error 0xc0430001. This STL file is used by Secure Boot to verify that the boot files are trusted, so it must match the same Windows version and system architecture. To ensure the file is included, Microsoft recommends using the Update WinPE script, which automatically updates the image and handles the required files. Alternatively, you can manually copy the boot.stl file from the Windows\Boot\EFI folder on a Windows device and place it in the matching folder on your installation media before deploying the updated image. Aside from blue screening some users also note their systems have been freezing following the update. This could be happening to Lenovo PCs specifically. In the case of the OneDrive and Dropbox access issues, a user figured out that there could be a conflict with UAC. He explained: "Okay, so I did some digging, and in our environment KB5094126 breaks OneDrive and Dropbox in Explorer. I went through all our GPOs and found out that the combination of disabling UAC and having my user being a local admin breaks OneDrive in Explorer. ... If I enable UAC again, then it works, even with KB5094126 still installed." Hopefully, Microsoft will look into these issues. Source: Microsoft forum (link1, link2, link3, link4), Reddit (link1, link2, link3, link4)
    • Here is how I fixed Windows 11 not booting after clean installation

      By rseiler · Posted

      It is when it's a desktop in my house though for a PC that's lightly used and not really important when it is. If it was a laptop, it would be a different story. The real solution is varied and begins starting at post #22 in that thread.
    • Microsoft hides these secret Windows 11 performance boost settings available on every PC

      By hellowalkman · Posted

      well that's the plan

  • Recent Achievements

    • Week One Done
      Jeroen Wilms earned a badge
      Week One Done
    • Week One Done
      rolfus earned a badge
      Week One Done
    • One Month Later
      Leroy Jethro Gibbs earned a badge
      One Month Later
    • Conversation Starter
      flexorcist earned a badge
      Conversation Starter
    • One Month Later
      AndreaB earned a badge
      One Month Later

  • Popular Contributors

    1. 1
      +primortal
      508
    2. 2
      +Edouard
      198
    3. 3
      PsYcHoKiLLa
      138
    4. 4
      ATLien_0
      90
    5. 5
      Steven P.
      81
    Show More

  • Tell a friend

    Love Neowin? Tell a friend!