So I always thought traffic in a site to site VPN connection flowed through a tunnel on the same interface as the VPN… but the tunnel is built on 1 interface to agree on the phase 1 & 2 cryptography and to encrypt and decrypt the traffic with the keys. The 2nd interface is where the actual traffic flows back and forth between the private networks. So the traffic still goes through the internet normally on its own interface, it’s just encrypted and decrypted by the VPN interface as it comes and goes?
Some of your question hinges upon the vendor of the VPN endpoint(s) (router? Firewall? Soft client?), and whether the tunnel is a policy-based or a route-based VPN.
IME, a policy-based VPN doesn’t really have an “interface” to speak of, and it doesn’t participate in the system route table. OTOH, route-based tunnels do. This can be important when discussing firewall rules on some systems.
This is all a long way of saying, give us more detail if you want an accurate answer.
Any logical interface is sort of an artificial construct we use for various reasons, but it doesn’t exist beyond the logical. Your last statement is probably correct (although it depends on the environment). The tunnel is just going over the same path but encrypting data to put alongside unencrypted data.
Think of a pseudo diagram like this:
User payload → user payload + headers → router encrypting it → [user payload + headers encrypted] + IPsec header + new IP headers → out to wherever
The packets coming out of the router encrypted can go out any interface as long as it’s towards the tunnel destination; no special paths exist unless you make one.
Phase 1 sets up the connection with a single security association (SA). No data traverses via phase 1. Phase 2 sets up an SA per network pair (location A networks times location B networks) based on traffic flow.
One of the fundamental design features of VPNs is the concept of “on demand”. After some amount of idle time, the tunnels will drop until interesting traffic causes them to build again.
In an encrypted tunnel across the connection you specified. Just like a letter via the post office.
It depends on your topology really. If you have a site to site VPN with local internet breakout, the traffic which goes from 1 site to the other will be encrypted as long as it’s destined to the other site (i.e. over the tunnel); internet facing traffic will not be encrypted. If the internet breakout is central/from the other site, all traffic will be encrypted as all of it is destined for the far side of the tunnel, then decrypted when reaching the far end and sent out to the internet unencrypted. So essentially to answer your question specifically, traffic is only encrypted between the interfaces that are on the VPN tunnel. As long as this traffic isn’t traversing those interfaces it won’t be encrypted.
Let’s say you have gi0/0 set on both sides as the tunnel source and destination respectively, and internet access is allowed locally from both sides. Traffic entering gi0/1 will look at the routing table for its destination, and will only be encrypted if it needs to go to site 2 and vice versa; otherwise it would just flow out to the internet unencrypted. If, let’s say, you mandate that all traffic be filtered through a firewall in site 2, site 1 will have a default route in the routing table to send all traffic through the tunnel. Then on site 1, all traffic will come in to gi0/1 from the LAN, look at the routing table, decide it’s going to take the default route to site 2, hit gi0/0, get encrypted and sent to the VPN peer on site 2. When this traffic arrives at site 2 gi0/0, it will be decrypted and sent over to the firewall in s2 and onwards to the internet when exiting the firewall. Hope this makes sense?
We are building a policy based (not a VTI) site to site tunnel between our firewall and AWS. Let me know if you need any more info.
Edited to clarify
When did the human race start abbreviating EVERYTHING… IME OTOH FYI TIHI
Yep, this is a good differentiator for starters, since some peeps think IPsec is IPsec.
I understand these occur on the VPN interface, but where does the actual data flow?
Out of the VPN peer interface or the internet facing interface? I know I might be overcomplicating.
Referencing your OP, in policy based VPN there are no tunnel interfaces (at least not in a Cisco context). Policy based VPN is exactly as the name suggests. Traffic passing through an interface is matched against policy statements and if it matches it gets encapsulated.
The egress interface as far as NAT and routing etc. is concerned is still the interface it’s leaving from. Usually your public facing interface.
The best advice I can give you is if your device supports VTIs and route based VPNs, do that. It will make your life a lot easier. To add a subnet to a policy based VPN, you have to edit the VPN definition, and on ASAs the tunnel has to be torn down and re-established for that change to take effect (or wait till it re-keys). With route based VPNs the tunnel definition permits all traffic, so you just have to update routing to send traffic over the tunnel.
For VPNs to AWS, I strongly suggest using VTIs and BGP. You might not need it now, but at some point you will need to add a subnet or add redundancy or something, and this setup will save you lots of pain either re-building policy based tunnels or adding static routes to loads of VPC routing tables.
Cloud is all about flexibility and scalability, so design your cloud networking according to those principles.
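As an added illustration (not configuration from any poster in this thread) of the policy-based versus VTI contrast above and of the gi0/0 example earlier in the thread, here are the two Cisco IOS-style configurations side by side. Peer and interface addresses, subnets, the pre-shared key and the tunnel inside addresses are constructed placeholders, and the two halves are shown together for comparison, not meant to be applied to the same peer at once.

```cisco
! Shared phase 1 / phase 2 parameters (constructed values)
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key PLACEHOLDER-PSK address 203.0.113.2
crypto ipsec transform-set TS esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! --- Policy-based: crypto map bound to the outside interface ---
! Packets the routing table sends out gi0/0 that match VPN-TRAFFIC are
! encapsulated in ESP towards the peer; everything else leaves gi0/0 in
! the clear (local internet breakout). Adding a subnet means editing
! this ACL and waiting for (or forcing) the tunnel to re-key.
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
crypto map CMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address VPN-TRAFFIC
interface GigabitEthernet0/0
 description outside / tunnel source
 ip address 198.51.100.1 255.255.255.0
 crypto map CMAP
!
! --- Route-based (VTI) alternative: same peer, no crypto ACL ---
! The tunnel interface carries whatever the routing table points at it,
! so adding a subnet is a routing change (or a BGP advertisement)
! rather than a change to the tunnel definition.
crypto ipsec profile IPSEC-PROF
 set transform-set TS
interface Tunnel0
 ip address 169.254.10.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 203.0.113.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROF
ip route 10.2.0.0 255.255.0.0 Tunnel0
```

In both cases the encrypted packets still egress gi0/0 with a new outer IP header addressed to the peer; the VTI only gives the routing table something to point at.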
“On the other hand” and “in my experience” take too long to type with my thumbs. I didn’t use any of the others in that post…
This is a relative concept. For policy-based VPNs, there is no “peer interface”. Normally the phrase “peer” is related to who you are connecting to and that would be their public IP just as your public IP would be their peer.
The reason I left this a little nebulous is the interface is relative to how you’ve configured your connection. I’ve had VPN connections to internal devices that peered with private IPs.
Thanks for this. It’s all coming together.
We use VTI for our VPN between us and Umbrella, and I agree it is way more low maintenance than the Policy Based VPNs I have configured in the past. My original question was just trying to understand the flow of traffic in a Policy Based configuration.
We have set up our VPN (FTD 1120) devices separate from our internet firewall (FTD 1140). The VPN fw has an internal and external interface that is routed to our internet firewall. I believe this was done for scalability.
I generally prefer to keep VPN firewalls separate from perimeter firewalls as the jobs are different and sometimes you want different devices to do those jobs as well as possible.
In your case for policy VPN the traffic is ingress on the internal side, and egress on the external interface. So your routes point to your external interface for VPN destinations. That is assuming you do that and don’t just rely on the default route to carry it.