Wireshark-users: Re: [Wireshark-users] Sniffing the WAN side of a VPN

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Sat, 1 May 2010 09:25:39 +1000
What your ISP has set up will determine what you see. As
John said, your router may be using ESP. However, with a carrier or
provider VPN, the encapsulation might all be hidden from you in
their network core. If you can't get to the router configuration, then
put in a manageable switch between router and modem and use port
mirroring to Wireshark to see the traffic.

On 5/1/10, Sheahan, John <John.Sheahan@xxxxxxxxxxxxx> wrote:
> Traffic going over your VPN through the Internet is encrypted and
> encapsulated in the ESP protocol on your Cisco router and is routed with all
> other internet traffic.
> Since the IP address you are coming from (172.20.29.x) is an RFC 1918
> address, it cannot be routed on the internet by itself without being either
> NATed or encapsulated; in your case the ESP encapsulation will use the
> registered IP address of your router as the source address and the peer
> address of the other end of the VPN as its destination IP address.
>
> If you sniff the traffic coming and going from your Cisco router out to the
> internet, you will see this encrypted traffic in the ESP packets.
>
> john
>
> From: wireshark-users-bounces@xxxxxxxxxxxxx
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Jeff Bruns
> Sent: Friday, April 30, 2010 1:08 PM
> To: Community support list for Wireshark
> Subject: [Wireshark-users] Sniffing the WAN side of a VPN
>
> We are part of a mid-sized VPN, one of several dozen physical locations
> scattered across the Washington, DC metropolitan area. Each site is part of
> a VPN provided by Comcast and has an address schema of 172.20.x.x/28. The
> incoming internet connection is from a coax cable to a Comcast cable modem.
> From the modem, an ethernet cable connects to a Cisco 2800 series router.
> Network devices are then connected to the various ports on the Cisco box.
>
> My question is related to the visible traffic between the Comcast modem and
> the router. Specifically, I'm wondering if since we're part of a VPN, if
> sniffing the connection between the modem and the router would allow us to
> see traffic which may be destined to other sites within our VPN.
>
> For example, let's say the gateway address on our local network is
> 172.20.28.129. The next site's gateway address would be 172.20.29.129, the
> next 172.20.30.129 and so on. If I sniff between the modem and the router,
> would I be able to see traffic heading to the other various private gateways
> within my VPN?
>
> My knowledge of VPN networking is relatively slim, so the answer may hold no
> relevance to Wireshark. I understand that a VPN is provided by your ISP, so
> I suppose it may vary depending on ISP. I wonder just how isolated a VPN is
> amongst the rest of the internet. Does only traffic belonging to, or
> originating from the VPN get routed to the cable modem, and from there,
> filtered by the router according to destination address? Or could traffic be
> routed at a higher level somewhere within the ISP, routing only traffic
> destined for my local network (172.20.28.129/28) to
> the modem and thus the router?
>
> Thanks for the help.
>


-- 
Regards, Martin

MartinVisser99@xxxxxxxxx
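
An added example, not part of the original thread: a small classifier for frames captured on the mirrored modem/router port, telling apart the two cases discussed above (ESP between public outer addresses versus plain RFC 1918 traffic on the hand-off link). The function names, the sample frames and the UDP 4500 NAT-traversal check are assumptions that go beyond what the thread mentions.

```python
import ipaddress
import struct
from collections import Counter

ESP = 50            # IP protocol number of IPsec ESP
UDP = 17
NAT_T_PORT = 4500   # ESP-in-UDP (NAT traversal); goes beyond what the thread mentions
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(addr):
    return any(addr in net for net in RFC1918)

def classify(frame):
    """Label one Ethernet frame captured on the mirrored modem/router port."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return "non-ipv4"
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    src, dst = (ipaddress.ip_address(ip[i:i + 4]) for i in (12, 16))
    tunnel = ip[9] == ESP
    if ip[9] == UDP and len(ip) >= ihl + 12:
        sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        # On UDP 4500, four zero bytes mark IKE; a non-zero SPI means ESP.
        tunnel = NAT_T_PORT in (sport, dport) and ip[ihl + 8:ihl + 12] != b"\x00" * 4
    private = is_rfc1918(src) or is_rfc1918(dst)
    if tunnel:
        return "esp-private-outer" if private else "esp-public-outer"
    return "cleartext-private" if private else "other"

def make_frame(src, dst, proto, payload=b""):
    """Build a constructed Ethernet+IPv4 frame (zero MACs, checksum not set)."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

# Constructed samples; public addresses are documentation ranges (RFC 5737).
SAMPLES = [
    make_frame("203.0.113.10", "198.51.100.20", ESP, b"\x00\x00\x10\x01" + b"\xaa" * 32),
    make_frame("203.0.113.10", "198.51.100.20", UDP,
               struct.pack("!HHHH", 4500, 4500, 20, 0) + b"\x00\x00\x10\x01" + b"\xbb" * 8),
    make_frame("172.20.28.130", "172.20.29.129", 6, b"\x00" * 20),
]

def summarize(frames):
    return Counter(classify(f) for f in frames)

if __name__ == "__main__":
    print(dict(summarize(SAMPLES)))
```

A capture dominated by `esp-public-outer` matches the router-terminated ESP case John describes; one dominated by `cleartext-private` is consistent with the provider doing the encapsulation in its core, as Martin suggests.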