topic vpn traffic & fields in Network Security

vpn traffic & fields

secureIT — Mon, 11 Mar 2019 23:15:04 GMT

Hi Netpro Team,

Could you please answer the queries...

Query1 :- May i know what are the fields get attached to, while a vpn traffic is passing through a tunnel....

Query2 :- which is the mechanism used to calculate the number of ACLs in asa.

Query3 :- Difference between router and firewall ACL..

regards()

vpn traffic & fields

Jennifer Halim — Mon, 04 Jun 2012 12:50:51 GMT

Query 1: do you mean which protocol and ports is VPN traffic? I assume that you mean IPSec VPN, so they are normally UDP/500, UDP/4500, ESP, and/or AH

Query 2: the number of lines in the output of "show access-list", which includes the expansion of ACL if object-group is created.

Query 3: cisco router uses wild card mask while cisco firewall uses netmask. Router ACL is stateless, while Firewall ACL is stateful, which means you only need to configure ACL in one direction, ie: where the traffic is initiated.

Hope that answers your questions.

vpn traffic & fields

secureIT — Tue, 05 Jun 2012 12:40:51 GMT

Thanks Jennifer,

I was looking for the answer - Router ACL is stateless, while Firewall ACL is stateful !!!

For the first query, please confirm if the below would suit.

[ipheader] + [AH-ESP] + [Payload]

where ipheader = ip.src + ip.srcport + ip.dst + ip.dstport

And the traffic flow of an ipsec traffic would be as given below ??

reciev-pkt -> ingress interface -> received pkt-> check conn table -> check xlate->check acl-> vpn-crypto-match -> check inpsect-csc->check nat-ip-header->check ips->egress interface->check routing->check L2-addr -> transmit packet

Thanks in advance...

vpn traffic & fields

Jennifer Halim — Tue, 05 Jun 2012 13:54:13 GMT

[ipheader] only includes ip.src + ip.dst as IP doesn't have ports

Here is a doc on AH and ESP packet for your reference:

http://www.cisco.com/en/US/partner/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

Here is a packet flow through ASA firewall:

http://www.cisco.com/en/US/products/ps6120/products_tech_note09186a0080ba9d00.shtml

vpn traffic & fields

secureIT — Tue, 05 Jun 2012 13:57:58 GMT

ooops sorry..i knew. ip header will have only ip and tcp header has ports..sorry.

below link is not working..for ah/esp

http://www.cisco.com/en/US/partner/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

vpn traffic & fields

Jennifer Halim — Tue, 05 Jun 2012 14:20:54 GMT

Try this:

http://www.cisco.com/en/US/customer/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

it should work.

vpn traffic & fields

secureIT — Tue, 05 Jun 2012 16:48:42 GMT

sorry, it does not open, it gives Forbidden File or Application..

could you pls download the same and share...

vpn traffic & fields

Jennifer Halim — Wed, 06 Jun 2012 01:36:43 GMT

Pls try to close your browser, or try with another browser as that URL is public and you should be able to access it:

http://www.cisco.com/en/US/customer/tech/tk543/tk757/technologies_tech_note09186a00800b3d15.shtml#t2

vpn traffic & fields

secureIT — Thu, 07 Jun 2012 13:28:29 GMT

Hi,

Can you please tell me, what are the field get attached to the ipheader, when the ipsec traffic is going thru a GRE tunnel.

vpn traffic & fields

Jennifer Halim — Fri, 08 Jun 2012 01:01:28 GMT

For GRE over IPSec, it would be:

[ipheader] + [ESP] + [GRE] + [Payload]

vpn traffic & fields

secureIT — Sun, 17 Jun 2012 03:51:43 GMT

Thanks for the update...

if we talk more specifically, for example, there is a gre tunnel with the peers, 172.16.1.1-2 and the two networks in both ends are 10.10.1.0/24 and 10.10.2.0/24 with ospf running.. Then what are all the fields get added in here if we go in deep...

vpn traffic & fields

Jennifer Halim — Sun, 17 Jun 2012 03:57:14 GMT

With GRE tunnels, it would be:

[GRE: source: 172.16.1.1 destination: 172.16.1.2] + [Payload: source: 10.10.1.0/24 + destination: 10.10.2.0/24]

Traffic will be routed through the GRE tunnel, and at the remote GRE tunnel interface will strip off the GRE header, and will be routed towards the destination subnet.

vpn traffic & fields

secureIT — Sun, 17 Jun 2012 03:59:14 GMT

thanks for the update.