You have a remarkable gift for teaching in plain language; I have watched a few of your videos on YT and gained in understanding, even though I am not an IT novice - I sense you enjoy what you do: thanks for taking the time to assist others.
Hello Ashwin- Yes, you've got it. The outside IP header will have the source IP of the VPN gateway sending the packet, with a destination IP header of the remote VPN gateway who will be receiving the packet over the internet. When the receiving router gets the packet, it will de-encapsulate and throw away the old outside header, decrypt the contents (which include the initial IP header addresses the client was using) and continue to route the packet. Keith
The VPN client installed in our home machines will do the ESP encapsulation at machine itself before it sends to our ISP ? Is that right ? In this example you said Router R1(ISP's router) is doing it.
Hi Keith, I have a short question. Why do we not use SSL universally/predominantly for VPNs but use IPSec? One good reason to use SSL as opposed to IPSec is the popularity of port on which it works (443). The positive is that it's open everywhere! Am I missing something?? Maybe one similar question should be - What prevents us from using SSL instead of IPSEC protocol suite in Site-to-site tunnels?
The the crypto ACL says any-any, there are 2 challenges. The two peers will need to agree on that to bring up a tunnel, and then secondly, all traffic leaving the VPN peers would be sent to the peer on the other side. There may be some corner cases where something similar to that would work, but for general site to site VPNs it would be a configuration/design error.
What I never understood is why a VPN is necessary at all - why not send a regular IP packet with encrypted payload? But I am getting the feeling that this is *exactly* what VPN (or rather IPsec) is doing. It always seemed to me that the encapsulation part, which was always presented as one of the two critical components of a VPN (the other being encryption), was a VPN-exclusive thing, but I guess when two PCs in their respective local networks talk to each other, encapsulation is *always* present - is that correct?
Hi Keith, Can u help with something. I have this network that I'm working on packet tracer. I have two sites site A and B. Site A is ASN 10 and B is ASN 20. In the middle is an ISP router on the ASN 50. I use OSPF for the interior routing on my two sites and bgp has been configured successfully on all three routers and I managed to get IP connectivity from hosts on site A to B and vice versa. The thing is when I implemented the IPsec VPN tunnel, the hosts on site A can reach until the router that connects the destination hosts but never reached them. The thing is the pings from a host in A reaches all networks inside site B except the network of the destination host. Like if 192.168.1.0 / 24 is the source network in site A and 192.168.2.0 / 24 is the destination network on B, the hosts on A can reach all networks except the network on which my destination hosts live. Pls help me understand what could have gone wrong
Hi Keith, At around 3:05 you say the packet is going to be encapsulated. Does this mean that the Packet basically has 2 Destination and 2 Source IP adresses, from which only 1 Destination and 1 Source Address are visable when the packet is send over the Internet?
Your channel enlighten some dark spots i had in networking, I'd like to thank you I have my network security exam at the end of this month. Otherwise, would you tell me what software are you using for the facilitation of the course?
So.. the routing table of R1 is supposed to contain the entire range of IPs of PCs under R2, or else how does it understand which of the requests are to be encrypted and sent to R2's IP ???? (and vice versa)
Thanks. But how do you connect two routers with each other? Do you use Public IP addres forwarding to each Router? For Example....How can i RDP from 172.16.0.2 to 192.168.0.20 ?
Great explanantion. Am new to networks and have a (stupid) question. Doesn't HTTPS communication provide this (Encryption/Security) already ? If so then why do we need a tunnel? why don't we just use SSL protocol for communication.
+Alok Gupta If your doing it from your work pc to say VPN to your home pc as you cannot establish a connection from your pc directly that approach would work. If you are however wanting to connection two different offices together the proper way to do it is via a LAN LAN or DMVPN as it gives flexibility that is simply not available if things are being routed via a https connection
Great video on VPN tunnels. I was trying to setup S2S VPN in AWS and what I did not understand is role of Inside IPv4 addresses (typically 169.254.0.0/16 range). It would be great if you could help me understand what these inside IPs are, why they are used, are these actual IPs?
I don't get it with the source ip adresses. The router would change the source private ip address anyway if it is ipsec or not if it goes through the internet. It also encapsulates the whole packet with HDLC or whatever protocol the router is using to connect to the ISP router. No one could ever see the private ip address even if ipsec is not used. Could you please elaborate on that one?I really don't get it
When PC1 pings 192.168.0.20, how does router 1 know that private IP is at site 2 rather than any other company using the same private address for a host? I mean it's on the internet right? it could go anywhere, that has me confused. Can you please explain?
both routers need to have same configuration on both sides in order to transmit traffic first part: IKE negotiation 1 second part : ipsec IKE negotiation 2
SSL is clientless uses a browser and does not require any network information to create a secure tunnel IPsec is client based and requires networking information (ip addresses) to create a tunnel
How did the R2 know that the packet was destined to it? there are millions of routers on the internet which have the same ip (192.168.0.20) on their local network ?
Nice explanation. However, telling how the VPN Client in Site 1 gets a private IP Address of Site 2 after authentication happens at VPN Server would clarify things better.
IP address translation is taking place at the router level and the host doesn't need an IP address from the other private network to communicate. Also, there is no "client / server" concept here.
There may be address conflicts if two different machines use the same IP. So you NAT or change the private network. If you want, you can have different subnets sharing address parts and supernet the two different private networks, like 192.168.0.0/24 and 192.168.1.0/24 being supernetted into one 192.168.0.0/16 net.
You have a remarkable gift for teaching in plain language; I have watched a few of your videos on YT and gained in understanding, even though I am not an IT novice - I sense you enjoy what you do: thanks for taking the time to assist others.
This stuff was pure gibberish before I started studying Cisco; now it's pure gold. Thank you very much CBT Nuggets.
Your enthusiasm made this much easier to understand
Hello Ashwin-
Yes, you've got it. The outside IP header will have the source IP of the VPN gateway sending the packet, with a destination IP header of the remote VPN gateway who will be receiving the packet over the internet. When the receiving router gets the packet, it will de-encapsulate and throw away the old outside header, decrypt the contents (which include the initial IP header addresses the client was using) and continue to route the packet.
Keith
You teach amazingly well. I can see the hard work you put into first explain the theory and then back it up with a practical example.
Thank you for not having a monotone voice!
You are very welcome Samer!
Best wishes,
Keith
great job by keith barker and one of the best trainer on the internet
Simple. Easy to Understand. Straight to the point. Awesome!
Thanks. Been doing site to site VPN for years now. Still is reliable for small and medium sized businesses :)
AH would've been good to mention as well. You do teach very well Keith!
This is one of the coolest explanations I've seen ..You've got talent.. Kudos
This was incredible. Simple, clear, well-paced, sticks to the subject, practical use-case. Just very well done.
The way you explain it makes it seem so easy to the point where it becomes funny!!, thank you
You Deserved 5 star ⭐ believe me
Dude is just too good.
Your style of explaining is second to none. 👍🙏🙏🙏
Excellent, learned something new. thanks for showing packet tracer working in the background
I hadn't realised how old this vid is until I saw the Windows XP Start button! Still good, though, thanks.
Amazing! I'm blown away. Thank you for the intelligent explanation.
Man you're way of teaching is just awesome.. pls keep on doing what you're doing..
My pleasure! Glad you liked the video.
Keth
Awesome video, love your enthusiasm! :)
Best of the best! Super simplified nugget, this is the best explanation of IPsec I have seen, very informative and useful. Thank you so much, Keith!
This is just so fun, thanks man!!
The VPN client installed in our home machines will do the ESP encapsulation at machine itself before it sends to our ISP ? Is that right ? In this example you said Router R1(ISP's router) is doing it.
Thanks for the video, what did you use to draw on the screen? Is that a pad you can hook up to a computer?
Hi Keith, thank you for taking the time and answering my question. Great video!
Hi Keith,
I have a short question. Why do we not use SSL universally/predominantly for VPNs but use IPSec? One good reason to use SSL as opposed to IPSec is the popularity of port on which it works (443). The positive is that it's open everywhere! Am I missing something?? Maybe one similar question should be - What prevents us from using SSL instead of IPSEC protocol suite in Site-to-site tunnels?
Thanks for the vid Mr. Barker...you take complicated topics and explain them so i can understand, keep up the great work!!
شكرا للدكتور هيازع البارقي خبير امن نظم المعلومات
The the crypto ACL says any-any, there are 2 challenges. The two peers will need to agree on that to bring up a tunnel, and then secondly, all traffic leaving the VPN peers would be sent to the peer on the other side. There may be some corner cases where something similar to that would work, but for general site to site VPNs it would be a configuration/design error.
Great description and even I got. :)
Very good voice to match the video tutorial. Thanks Keith!!
What I never understood is why a VPN is necessary at all - why not send a regular IP packet with encrypted payload?
But I am getting the feeling that this is *exactly* what VPN (or rather IPsec) is doing. It always seemed to me that the encapsulation part, which was always presented as one of the two critical components of a VPN (the other being encryption), was a VPN-exclusive thing, but I guess when two PCs in their respective local networks talk to each other, encapsulation is *always* present - is that correct?
You are amazing! I've never heard someone explain something so well! Brilliant!
This series is awesome.
thanks for this detailed explanation with the actual ping request!
How can someone thumb down this video, fantastic explanation.
Nice explanation. What i'm missing is: Who to do this? How do i create R1 and R2?
After all, it's about. How to get this to work.
Brilliant video...simple and practical example ...loved it.
Hi Keith,
Can u help with something. I have this network that I'm working on packet tracer. I have two sites site A and B. Site A is ASN 10 and B is ASN 20. In the middle is an ISP router on the ASN 50. I use OSPF for the interior routing on my two sites and bgp has been configured successfully on all three routers and I managed to get IP connectivity from hosts on site A to B and vice versa. The thing is when I implemented the IPsec VPN tunnel, the hosts on site A can reach until the router that connects the destination hosts but never reached them. The thing is the pings from a host in A reaches all networks inside site B except the network of the destination host. Like if 192.168.1.0 / 24 is the source network in site A and 192.168.2.0 / 24 is the destination network on B, the hosts on A can reach all networks except the network on which my destination hosts live. Pls help me understand what could have gone wrong
To check the data integrity of the packets as they are sent means they undergo tests like CRC (cyclic redundacy checking).
Good Job Keith!
Man! You mad helpful! So glad I found ya!
Dear Sir, you teach very very nice "super nice" than the other
This was so well illustrated and explained. Thanks
Hi Keith,
At around 3:05 you say the packet is going to be encapsulated. Does this mean that the Packet basically has 2 Destination and 2 Source IP adresses, from which only 1 Destination and 1 Source Address are visable when the packet is send over the Internet?
Your channel enlighten some dark spots i had in networking, I'd like to thank you I have my network security exam at the end of this month.
Otherwise, would you tell me what software are you using for the facilitation of the course?
Brilliant.. Thanks a lot for simplifying it.
Hi Keith..What tool are you using in creating your topology? and also the tool you use to capture the packet
Great Explanation in Simple Language
How were you able to capture the packets sent from machine to router? Then router to web?
So.. the routing table of R1 is supposed to contain the entire range of IPs of PCs under R2, or else how does it understand which of the requests are to be encrypted and sent to R2's IP ???? (and vice versa)
Would IP sec need to be configured both ways?
Thanks. But how do you connect two routers with each other? Do you use Public IP addres forwarding to each Router? For Example....How can i RDP from 172.16.0.2 to 192.168.0.20 ?
Thank you sir...You know exactly how to teach things..wonderful video
Subscribed thanks to this video. You sound so happy talking about this lol. Thanks for the vid!
Great tutorial man! Great work, Great examples!
Does Ipsec add latency to voip calls because it has to encrypt the message? When would I turn on or off ipsec? Any help would be appreciated.
CBT Nuggets licenses access to it directly from their web site.
Keith
ipsec uses 2 protocols ESP for encryption and AH for authentication . using sha1 sha2 or md5 and using aes for authentication
Keith that was amazing .. many thanks :)
Ahmed Abduljabar Thanks for the feedback! It is appreciated.
-Keith
Keith Barker
My best instructor
hi , thanks for your nice video but, software did you use??
Great explanantion. Am new to networks and have a (stupid) question.
Doesn't HTTPS communication provide this (Encryption/Security) already ?
If so then why do we need a tunnel? why don't we just use SSL protocol for communication.
+Alok Gupta If your doing it from your work pc to say VPN to your home pc as you cannot establish a connection from your pc directly that approach would work. If you are however wanting to connection two different offices together the proper way to do it is via a LAN LAN or DMVPN as it gives flexibility that is simply not available if things are being routed via a https connection
Great video on VPN tunnels. I was trying to setup S2S VPN in AWS and what I did not understand is role of Inside IPv4 addresses (typically 169.254.0.0/16 range). It would be great if you could help me understand what these inside IPs are, why they are used, are these actual IPs?
This is a year late but that looks to be APIPA range. Just google that and I think you'll be good to go
I don't get it with the source ip adresses. The router would change the source private ip address anyway if it is ipsec or not if it goes through the internet. It also encapsulates the whole packet with HDLC or whatever protocol the router is using to connect to the ISP router. No one could ever see the private ip address even if ipsec is not used. Could you please elaborate on that one?I really don't get it
IPSec or OpenVPN, which would you suggest in terms of security?
Thanks so much, really simple and clear explanation.
Excellent teacher!!! Thanks.
Excellent. You did a great job. Simple to understand. Thanks!
What if both PCs had the same IP address like 192.168.1.123 before setting up the VPN? Do the subnets have to be different at each site?
if I get the videos on your CBT Nuggets, would subtitles in my language?
Can we use black or dark mode in you videos please instead of bright white backgrounds please???
When PC1 pings 192.168.0.20, how does router 1 know that private IP is at site 2 rather than any other company using the same private address for a host? I mean it's on the internet right? it could go anywhere, that has me confused. Can you please explain?
Superb! Got it exact
what ports? and IPsec uses what kind of routing paths? bgp? and how do they open sessions with eachother? sorry
Bro I loved this video. Thank you so much haha you have a gift at teaching simply
Is the data bridge trottled
Does a vpn tunnel have to go through an isp to even be called a vpn tunnel?
Hi, I just wanna ask. What will happen if I use an access-list with permit ip any any in Ipsec VPN? Will the network be able to browse the internet?
Nice one. Cheers.
thanks. good one. well explained. short and to the point.
in order to decrypt the data in the other router,
does the other router need to install ipsec too or it will automatically decrypt it?
both routers need to have same configuration on both sides in order to transmit traffic
first part: IKE negotiation 1
second part : ipsec IKE negotiation 2
CISCO | JUNIPER | GNS3 okay thanks
Made it so clear and easy! Great job!
hi sir keith,
what is the difference between ipsec and ssl vpn?
thanks
SSL is clientless uses a browser and does not require any network information to create a secure tunnel
IPsec is client based and requires networking information (ip addresses) to create a tunnel
Thank you for such a great explanation.
right on one can see your private ip address and what about your data
is your data is secure on the network ipsec does it for vpn
HOW ENCRYPTION DECRYPTION WORKS, WHERE ARE KEYS PRESENT?
very professional video. thanks!
Thank you so much, so well explained
Great explanation! Thank you!!!
What app you used to trace ping packages:
MS Network Monitor 3.4
wireshark
Did Alice change name to Lois?
Thank you. Awesome work
viraj ayachit 🎒😈🍯👨👦👚👨👦👦♥️U.K.
Excelente !!!!!!!!!!! Congrats!!!!!!!!!!!
How did the R2 know that the packet was destined to it? there are millions of routers on the internet which have the same ip (192.168.0.20) on their local network ?
R1 "knows" the destination network is on the other side of the VPN, so it shoots the packet that way.
Nice explanation. However, telling how the VPN Client in Site 1 gets a private IP Address of Site 2 after authentication happens at VPN Server would clarify things better.
IP address translation is taking place at the router level and the host doesn't need an IP address from the other private network to communicate. Also, there is no "client / server" concept here.
What happens if the customer using the same address range as ours at pc1 and pc2?I mean the private address range
You have to NAT the traffic or change one of the subnets. Having identical ranges on both ends is a bad idea.
There may be address conflicts if two different machines use the same IP.
So you NAT or change the private network. If you want, you can have different subnets sharing address parts and supernet the two different private networks, like 192.168.0.0/24 and 192.168.1.0/24 being supernetted into one 192.168.0.0/16 net.
This was great! :D
Thank for this video!
What this tracer called ?