VPN connects but is not encrypting data.

4C4Blessed

Novice at VPN here, but it looks as if nothing is being encrypted when I'm connected over VPN.

Setup:
Client: OSX 10.5.4, connecting to a server: OSX Server 10.5.4 via Apple's built-in VPN system.

Scenario:
• I've set up OSX Server on an XSERVE to allow VPN connections.
• I've set up the shared secret, and an account for logging in with.
• I've set up the client machine with VPN to use that shared secret, along with that username/password account.
• I've made sure to check the box "Send all traffic over VPN connection" on the client. Seems kind of silly that it's even an option, what would be the point of VPN otherwise?
• Connect: Client connects to server through VPN, no problem! It authenticates and the connection timer starts and everything is grand. We are connected via VPN!
• Begin packet sniffer on client machine in the terminal.
• Load a web page.
• Packet sniffer reveals that everything sent and received is good old plain text - NOT encrypted - just like we were not connected via VPN.

What am I missing here? Did I miss a setting somewhere?
Thanks!
 
I don't think a VPN connection would encrypt the text in a web page that does not provide for encryption, would it? (that is, not an https:// coded page already, or whatever). Why would you need to encrypt the text in an open web page?
 
You're probably using your local network connection to surf the web (although that shouldn't be happening since you checked "send all data over VPN connection"). In my case, I want to use my local internet connection to surf the 'net, but want to be able to connect securely to my workplace's email and file server -- so I would leave "Send all data over VPN connection" unchecked, which would allow me to use my local connection for anything that doesn't resolve to my company's servers.

If you're connecting via IPSec, then not to worry -- encryption is standard and cannot be turned off with an IPSec connection. PPTP, on the other hand, can be unencrypted.

Can you connect to a share on the server via VPN and then sniff a few packets? More than likely, those packets will be encrypted.
 
Hi and thanks for taking the time to reply. I'm using what ever is the default mode when the steps I described above are used - I just checked the VPN connection type in the Network preferences, and it is listed as "L2TP". It even has a cool little padlock icon next to it, giving the user the impression that it is secured.

My goal is to send and receive all network data through an encrypted VPN connection from a client OSX machine in building A to a server OSX machine in building B. Buildings A and B are in different cities, so they are surely not on the same local area network.

Watching the data flow in and out of the client OSX machine (in building A) reveals that the data is completely unencrypted and wide open - which is not what I need. As I understand, if I can read plain English text (and also see plain html and plain this and plain that), that means it is not encrypted.

So what am I not doing right in order to encrypt all data over VPN?
 
You need to try network traffic other than web traffic. Mount a shared drive from the server over VPN, then transfer a plain text file (or some easily recognizable file) from the machine over the VPN to the server. Sniff those packets and I'd be willing to bet that they're encrypted.

When you fire up a web browser, more than likely, your computer is using the local network connection (and NOT the VPN connection) to surf the web. Web traffic (http) is always unencrypted.

Also, since your packet sniffer is running on the same machine (it is, right?) that the VPN connection is being made from, then your packet sniffer is sniffing the packets between the VPN connections -- in essence, your packet sniffer is "inside" the VPN connection as well, and therefore sniffing raw packets. If while packet sniffing you don't see headers and wrappers that would lead you to believe that you're sniffing a VPN packet and rather sniffing a regular web (http) packet, then this is the case.

So what am I not doing right in order to encrypt all data over VPN?
I suspect that the traffic you're sniffing isn't going over the VPN connection, and is using the local connection. Sniff packets other than web packets and see what results you get.
 
Ah that's some interesting input, thank you.

I'm going to grab an extra machine and connect it to the LAN in question and run the packet sniffer on that 3rd machine. I suppose what you said is possible, I could be sniffing packets before they "go through VPN" so to speak, because the packet sniffer is in fact on the same machine as the VPN client is running.

I'll also try the shared drive and plaintext file test. Even if that does prove to be encrypted, how do I force my web traffic to also get encrypted between the client and server machine? (By all traffic, I really mean all traffic: web, and everything else.) Note, I don't care if the web traffic is no longer encrypted once it leaves the server and goes to its destination. I only want to tunnel / encrypt the traffic along that single link between the client OSX and OSX server.
 
I would think that the "Send all traffic over the VPN connection" option would send web traffic over the connection, too -- at least, that's what it does on my end. It is possible, though, that even with that option checked, web traffic would still flow over the local network connection.

Perhaps you also need to change the nameserver and/or DNS entries to point to the VPN's nameserver and/or DNS entries. If you type "apple.com" and your VPN server on the other end can't resolve that name, or if your computer first consults the local DNS entries to resolve that name, then it's possible that the local network connection would be used to retrieve that data instead of the VPN server on the other end. In short, perhaps that option should read "Send all traffic that resolves to the VPN server over the VPN connection, otherwise, use the local connection."

...although that's what mine does by default with the "Send all traffic..." option unchecked. Strange.

I'm interested to see what the non-web sniffed packets look like.
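To make the two checks suggested in this thread concrete (is the sniffer looking at packets inside the tunnel rather than on the physical interface, and does the default route actually go through the VPN), here is an added Python example that is not from the original thread or from Apple's VPN software: it classifies constructed tcpdump lines captured on the physical interface en0 as tunnel traffic or cleartext leaks, and reads the default route's interface from constructed netstat -rn output. Interface names, addresses and the capture and routing lines are assumptions.

```python
"""Added example: check that a client's traffic leaves en0 inside the tunnel.
Sniffing on pppN (inside the VPN) shows plaintext by design; on the physical
interface only IKE (UDP 500), NAT-T (UDP 4500), raw ESP and L2TP (UDP 1701)
should appear.  Anything else on en0 went around the tunnel."""
import re
TUNNEL_PORTS = {500, 4500, 1701}          # IKE, NAT-T/ESP-in-UDP, L2TP
PKT_RE = re.compile(r"^\S+ IP (?P<src>\S+) > (?P<dst>[^:]+): (?P<rest>.*)$")
IFACE_RE = re.compile(r"^(en|ppp|utun|lo)\d+$")

# Constructed `tcpdump -n -i en0` lines (addresses from documentation ranges).
SAMPLE_CAPTURE = [
    "12:00:01.000001 IP 192.168.1.10.500 > 203.0.113.5.500: isakmp: phase 1 I ident",
    "12:00:01.100000 IP 192.168.1.10.4500 > 203.0.113.5.4500: UDP-encap: ESP(spi=0x0a1b2c3d,seq=0x1), length 132",
    "12:00:01.200000 IP 192.168.1.10 > 203.0.113.5: ESP(spi=0x0a1b2c3d,seq=0x2), length 100",
    "12:00:02.000000 IP 192.168.1.10.49152 > 198.51.100.7.80: Flags [P.], seq 1:80, ack 1, win 65535, length 79: HTTP: GET / HTTP/1.1",
    "12:00:02.100000 IP 192.168.1.10.52000 > 192.168.1.1.53: 1234+ A? apple.com. (27)",
]
# Constructed `netstat -rn` excerpts: default route via the VPN vs. via the LAN.
ROUTE_VIA_VPN = ["default    10.0.0.1      UGSc    3   0   ppp0"]
ROUTE_VIA_LAN = ["default    192.168.1.1   UGSc   10   0   en0"]

def split_host_port(endpoint):
    """tcpdump prints IPv4 endpoints as a.b.c.d.port; return (host, port or None)."""
    parts = endpoint.split(".")
    if len(parts) == 5 and parts[-1].isdigit():
        return ".".join(parts[:4]), int(parts[-1])
    return endpoint, None

def classify(line):
    """'tunnel', 'cleartext', or None when the line is not a parsable IPv4 packet."""
    m = PKT_RE.match(line)
    if not m:
        return None
    _, sport = split_host_port(m.group("src"))
    _, dport = split_host_port(m.group("dst"))
    if m.group("rest").startswith("ESP(") or {sport, dport} & TUNNEL_PORTS:
        return "tunnel"
    return "cleartext"

def find_leaks(capture_lines):
    """Lines that left the physical interface outside the tunnel."""
    return [l for l in capture_lines if classify(l) == "cleartext"]

def default_route_interface(netstat_lines):
    """Interface of the 'default' route; with 'Send all traffic' it should be pppN."""
    for line in netstat_lines:
        cols = line.split()
        if cols and cols[0] == "default":
            return next((c for c in cols if IFACE_RE.match(c)), None)
    return None
```

Run against a real capture, the HTTP and DNS lines in the sample are exactly the kind of packets that should never show up on en0 while the VPN is carrying all traffic; a default route on en0 rather than ppp0 explains them.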
 