VPN Packet Structure – Understanding VPN Packet Structure in Different Implementations

vpn

In order to understand different VPN technologies I tried to write down how a single HTTP packet could look like using each implementation.

SSH VPN

HTTP | TCP | IP | Ethernet ||| SSH | TCP | IP | Ethernet

OpenVPN bridged mode

HTTP | TCP | IP | Ethernet ||| OpenVPN | TLS | TCP | IP | Ethernet

OpenVPN routed mode

HTTP | TCP | IP ||| OpenVPN | TLS | TCP | IP | Ethernet

IPSec tunnel mode

HTTP | TCP | IP ||| IPSec Auth Header | IP | Ethernet

PPTP

HTTP | TCP | IP | PPP ||| GRE | IP | Ethernet

L2TP

HTTP | TCP | IP | PPP ||| L2TP | UDP | IP | Ethernet

It is based on information from different sources and I'd like to ask three questions:
1) Are the diagrams correct?
2) Are PPP and Ethernet interchangeable?
3) Is OpenVPN 'TCP over TCP' as implied by the diagrams above?

Best Answer

1) I would say yes, they are correct for some variants of these VPNs.

2) Ron Maupin already pointed out a difference. PPP is sometimes used to insert authentication like in PPPoE or with some proprietary IPsec extensions using IKEv1.

3) OpenVPN is best used with UDP because TCP over TCP is not a good idea. This article from Olaf Titz explains why. Usually you only use TCP over TCP when UDP isn't possible because some firewall on the way between the VPN gateways won't allow it.

Related Solutions

VPN Tunnel Issues from Remote Location via ISP (PPTP) – Fixes

Why it works from our side when I use 1.1.1.10 and I get error using 1.1.1.9 in NAT table?

You have a problem with the 1.1.1.9 configuration as an external NAT IP on the Mikrotik. The outside interface of the Mikrotik is a /30; you're using 1.1.1.9/30 as the default gateway and an outside NAT IP on the Mikrotik. If you're going to use 1.1.1.9/30 on the Mikrotik, you need 1.1.1.10 as a default-gateway.

As it stands, you're currently using 1.1.1.9 as both default-gateway and external NAT IP.

Current Routing table:

Dst. address   | Gateway      | Distance | Pref. source   |
0.0.0.0/0      | 1.1.1.9      | 2        | -              |

Current NAT table:

Action     | Chain  | Source Addr    | Dst Address   | Proto    | Dst Port | Out Intf   |
masquerade | srcnat | -              | -             | -        | -        | ether1     |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 1723     | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 47 (GRE) | -        | -          |
dstnat     | dstnat | -              | 1.1.1.9       | 6 (TCP)  | 5006     | -          |
masquerade | srcnat | 192.168.1.0/24 | 192.168.1.230 | -        | -        | -          |

What's a little confusing is the diagram, which says the ISP-A's router is in transparent "modem state". Please be sure that the IP addressing scheme you're using on the Mikrotik is consistent with ISP-A's expectations. If the router is transparent, I'm not entirely sure you should have an IP address on it.

VPN Tunnel Issue from Local Network to Local VPN Server

The problem was wrong NAT translation to the VPN server and two rules at the firewall. They should check chain FORWARD instead of INPUT. It is a little hard to belive but it worked.

INPUT chain is for packet which have router public IP in destination address like in my case so they "wants" reach the router not host beyond - like FORWARD chain does. Thats interesting ^^

Best Answer

Related Solutions

VPN Tunnel Issues from Remote Location via ISP (PPTP) – Fixes

VPN Tunnel Issue from Local Network to Local VPN Server

Related Topic