David, it looks to me like you in fact are doing split tunnel so that your internet bound traffic is going out your ISP, not through your company.
I’ve managed head-end remote access VPN in a large enterprise, and although it’s not impossible to replicate your traffic so that it goes down both forks (allowing them to monitor you), it is highly improbable that they would be doing that. It would take administrative rights on your machine to push policies and software in addition to expensive support on the head end side. And what do they stand to gain from that expensive effort?
I do admire your concern. People who are careless with technology become responsible for restrictive rules that end up removing lots of the benefits that technology should provide.
How does the VPN client take over one’s internet connection so that other programs, like one’s browser can’t access it directly? How does this “tunnel” (which is just a bunch of packet data) exert control over its carrier (TCP/IP) connection which it needs in order to exist?
Erpa, why does it look to you like he’s got a “split-tunnel”, except for the fact he’s not complaining about the slowness of his internet connection? How did you come to that conclusion?
It’s been a while since I took my Cisco router classes, but a check with Virtual private network - Wikipedia, specifically the example given, shows that there is no indication that the VPN client on the home computer can or would redirect the internet connection.
[QUOTE=Rusalka]
How does the VPN client take over one’s internet connection so that other programs, like one’s browser can’t access it directly? How does this “tunnel” (which is just a bunch of packet data) exert control over its carrier (TCP/IP) connection which it needs in order to exist?
[/QUOTE]
Might help to start with what a VPN tunnel is. Here:
So, what’s happening in simple terms is that when you run a VPN client, it’s creating a virtual connection between your PC and the gateway device. All its outbound traffic is being encrypted and sent over this virtual tunnel from your PC to the gateway.
Unless of course the client supports a split tunnel…in which case the client (based on rules that reside on the gateway…in this case probably an ASA or PIX since we are talking CISCO) decides whether the traffic you are sending is to the local (private) network you are trying to attach to (say, the email server, or domain server, or some other services server inside the firewall of the target network you are trying to VPN into) or if you are trying to hit alt.sex.farmanimals.com (totally made that up btw :p)…in which case that doesn’t go through the tunnel and instead is simply sent directly to the ISP you are connecting to.
Well, most organizations that use a CISCO firewall set up the rules that allow the client to do a split tunnel. It’s pretty easy to do. I don’t know where Erpa drew this conclusion, but it seems reasonable…and the OP is now actually using the CISCO IPSEC client (which, btw, I believe CISCO is going to be discontinuing sometime in the near future, at least that’s my understanding) and is now reporting fewer problems.
You wouldn’t have this on the router (well, unless you have a router that has the ASA or PIX firewall embedded). There are all sorts of guides, but here is a white paper on setting up split tunneling on an ASA/PIX firewall using ASDM v7.x from which you can get a feel for what is involved. It’s pretty simple, and with the ASDM GUI it’s almost laughably easy to configure.
Because of the traceroute test. Despite being connected to the company VPN, it looks like the route to websites such as Yahoo is via the physical router and ISP.
Another way to check is to compare the operating system’s IP routing table when connected to that when not connected. When not connected, there will be an entry saying something like
192.168.1.0 255.255.255.0 On-link 192.168.1.3
which means “send anything on the same network directly via your network adapter” (the adapter’s address being 192.168.1.3), and another one saying something like
0.0.0.0 0.0.0.0 192.168.1.254 192.168.1.3
which means “send everything else via the router at 192.168.1.254 (which is reached through your adapter at 192.168.1.3)”. This corresponds to the “default gateway” setting.
When he connects to the VPN, it will typically modify the routing table. First, an extra, virtual adapter will be created with an address on the remote network, and an entry similar to the first one above will be added. Secondly, if the policy is for all traffic to go via the VPN, the second entry will be temporarily modified to refer to a router on the remote network.
If the policy is more selective, there may instead be entries for certain networks that are to be reached via the VPN, but the catch-all “0.0.0.0” entry will still point to your domestic router.
I have seen some VPN clients that seem to do network voodoo at a lower level than the routing table, but the above is how they often work.
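The routing-table comparison described in the post above, as an added example that is not from this thread: it parses Windows `route print`-style rows (destination, netmask, gateway, interface), then reports whether the catch-all 0.0.0.0 entry was repointed (full tunnel) or left alone with only specific remote networks added (split tunnel). The sample tables are constructed, and the addresses in them are assumed, not taken from the thread.

```python
import ipaddress

def parse_routes(text):
    """Parse 'destination netmask gateway interface' rows (route print style)."""
    routes = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        dest, mask, gateway, iface = parts[:4]
        try:
            net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        except ValueError:
            continue  # header or other non-route line
        routes.append((net, gateway, iface))  # iface = local adapter address
    return routes

def default_route(routes):
    """Return (gateway, interface) of the catch-all 0.0.0.0/0 entry, if any."""
    for net, gateway, iface in routes:
        if net.prefixlen == 0:
            return gateway, iface
    return None

def classify_tunnel(before, after):
    """Full tunnel if the default gateway changed after connecting; otherwise
    split tunnel, where only specific remote networks were added."""
    b, a = parse_routes(before), parse_routes(after)
    gw_before, gw_after = default_route(b), default_route(a)
    added = [str(net) for net, gw, iface in a
             if (net, gw, iface) not in b and net.prefixlen > 0]
    return {
        "mode": "full" if gw_after != gw_before else "split",
        "vpn_adapters": sorted({r[2] for r in a} - {r[2] for r in b}),
        "added_routes": added,
        "default_gateway": gw_after[0] if gw_after else None,
    }

# Constructed sample tables (not real captures), mirroring the post's rows.
BEFORE = """
0.0.0.0       0.0.0.0        192.168.1.254  192.168.1.3
192.168.1.0   255.255.255.0  On-link        192.168.1.3
"""
AFTER_SPLIT = BEFORE + """
10.0.0.0      255.0.0.0      10.10.0.1      10.10.0.5
10.10.0.0     255.255.0.0    On-link        10.10.0.5
"""
# Full tunnel: the default route now points at a router on the remote network.
AFTER_FULL = AFTER_SPLIT.replace("192.168.1.254  192.168.1.3", "10.10.0.1  10.10.0.5")
```

Paste the real before/after output in place of the constructed tables; a default gateway that still names the home router while the VPN adapter only picks up specific networks is the split-tunnel pattern the post describes.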