I'm a computer science student and this video helped me understand tunneling so much better thank you. Reading out of a textbook is rarely the best approach to learning something!
Thank you Evan Price!
I logged in to my account just to give this video a like - enough said. Explaining concepts so clearly is something few people can do - thanks!
One of my favorite quotes:
"If you can't explain it simply, you don't understand it well enough." -Albert Einstein
Keith is an amazing teacher
Thank you Michael Taylor!
Keith, I passed my CCNA on Tuesday. Your channel played a big part. Thank you for the great content. I will be signing up with CBT Nuggets for ENCOR.
Great job! So happy for you, congratulations!!!
This is SUCH a great demonstration of tunnelling for a student to understand tunnelling. Thank you.
Thank you @skwidfingaz!
Forgive my unprofessional language for a moment here, but I have to say it... you are just so fucking good, Keith.
I've been reading and watching videos trying to wrap my head around tunneling for about an hour now, then I found your video and 8mins later, I'm crystal clear about what's actually happening when we discuss tunneling.
It's no longer this abstract concept in my mind, but instead is clearly defined now.
Thank you, Keith.
You are truly amazing man.
Inner Tunnel & Outer Tunnel
Phase 1 --> Phase 2
Great teacher as always - Lots of Love 💝
Thank you office 2crazy!
Great explanation with no skipping of details, well done.
Many thanks!
I love the way you explain. Thank you for the video.
Configuring GRE and IPSec is very fun. That was my favorite section when I was studying for the CCNA. That and FHRP's. Thank you Keith for all of your hard work!
You're very welcome!
You are the best Keith. Thanks for this.
Thank you InfoSec Pat! Always great to see your name pop up! Hope you are well.
Keith Barker you’re welcome. Thanks, it’s always great seeing videos. All well and I hope the same with you.
The cups were perfect to help visualize, thanks
That is what needed. Although I am not fluent in English, I've got you straight. Thanks a lot
Thank you @user-yu4og4cp6o!
Thanks a lot Mr. Keith for simplifying it in best possible way, learning a lot from you everyday.
Hopefully I'll be in States by the end of 2021😊.
- Lots of love from Afghanistan ❤
Thank you Omid Ahmadi!
All the best to you and your family.
That's funny, I work with a number of different Optical Carrier Networks, one of them is an OC-12 Transport called Jungle-mux, unrelated to tunneling, but made me chuckle :)
Thank you Keith, you simplified the best way possible. More visualization please whenever you can, as it helps a lot. :)
Thank you Wanaaje's Channel!
@@KeithBarker yw sir.
Awesome video! I really appreciate the analogies, thank you so so much!
Glad it was helpful!
Keith is always outstanding with his content. Thank you for this informative nugget.
Happy to do it, thanks for the feedback Mohammad Julfikar.
Best explanation I have ever seen...
Nice and simple explanation. Hoping to see more of this. :)
Thanks, will do!
Oh dear! I love this man 👍🏻👍🏻👍🏻
Thank you @arungopinath7265!
Thank you Keith, you are genius
Excellent example... Just noticed CCNA is tagged, thank you so much
Glad it was helpful!
What a video, thank you Keith!!
You're welcome!
Thank you so much for your clear explanation. Please, how were you able to see the original (insider) packet? Is it because the GRE protocol is not encrypted by default?
Great explanation…thank you
You are welcome!
6:51
Today I learned how they made the "low battery" sound on my Samsung
Awesome explanation
Happy to help! Thank you!
Tunneling well explained!
Thank you Rajnish P Sinha!
Brilliant as always thanks
Very welcome
So basically, VPN client software creates a virtual router inside my PC and turns it into the default gateway to access the internet, so any packets have to first go through that.
Then this virtual router which uses the same network card but has a different private IP, wraps these IP packets in a TCP segment and sends with its IP address and TCP port, to the VPN server it knows and trusts, then this server removes this padding and forwards the IP packet with its own IP and port to the internet
Thanks for this!! Exactly the added information I was looking for. How does the info get from the trusted server to the destination while keeping the info safe if the destination isn’t using a VPN? The new (VPN) IP requests the info and the destination responds to that IP address through the trusted server again? Is the data not encrypted at that time?
Thank you Keith
Nice explanation carry on for better future
Thank you Sohail Anjum!
How does our router know when to pass packets through tunnel ?
Thank you for the question Surya045. It will be based on the routing table on the router.
Very nice explanation Keith. I just have a question - How does router 1 know what destination address to put? As in, does it contain some mapping of what local subnet is behind what router? Also, as an extension to this question, if router had formed multiple GRE tunnels with many other routers, then would it have to maintain this mapping for all remote routers. If so, where does it keep this mapping? If not, how does it know which local subnet is behind which router? Thanks a lot!
Thank you for the question @utkarshmishra1928.
Depending on the vendor, and the type of VPN (remote access vs site to site) there are many options including:
On the VPN client, using selective routing regarding which destination IP addresses/subnets should be sent through the tunnel.
For site to site, statically configuring the networks reachable between the two sites.
For site to site, dynamically sharing routing via a routing protocol to identify which networks are reachable via the tunnel
(and there are more options as well).
Hope that helps a bit, from a high-level perspective.
I finally understand what a tunnel is.
I had discovered VPN tunneling trying to solve an extremely slow connection to Office 365 servers using our company VPN thanks to the "route add" command for every IP range (using a script), but I have no idea how to do the same for IPv6 on Windows 10
This cleared up things a bit. You just throw the packet out and say "hey, I need it to get to that destination. I don't care how, figure it out" and let the internet infrastructure do it for you, instead of planning it out ahead of time with a routing protocol.
Keith, can you explain what that Wireshark filter means, ip.id==0xc3c9, please :) Also, how does this affect MTU? Will packets be fragmented due to the extra header increasing the size?
IPv4 ID Used Only for Fragmentation
Although RFC 1122 suggests that the IPv4 ID field has other uses,
including datagram de-duplication, such uses are already not
interoperable with known implementations of sources that do not vary
their ID. This document thus defines this field's value only for
fragmentation and reassembly:
>> The IPv4 ID field MUST NOT be used for purposes other than
fragmentation and reassembly.
Thanks Michael. So if you filter on that ID in Wireshark it displays only packets that have been fragmented?
Also from RFC 791:
Procedure:
IF TL =< MTU THEN Submit this datagram to the next step
in datagram processing ELSE IF DF = 1 THEN discard the
datagram ELSE
To produce the first fragment:
(1) Copy the original internet header;
(2) OIHL
@@shezzy97 Yes, going by how the RFC describes it.
I think Keith used it as an easy way to filter out all the noise on the network and follow the TCP stream, still capturing the packets that had (2) IP headers.
In which if you did a follow stream via the GUI, it might only follow the session at the starting point of the addition of the IP header and end when it was decapsulated on the other end. By using the ip.id field he followed the underlying network so it was end to end including the tunnel (e.g. another header being slapped on the packet), if that makes sense.
Thank you for the question shezzy97. And thank you Michael for the great replies.
In the captures, I wanted to look at the same packet before, during, and after the tunnel. Each IP packet has a unique ID, so I used a display filter to show that same packet in each of the 3 captures.
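An added example (not part of the thread or the video): a short Python sketch of why a display filter such as ip.id==0xc3c9 finds the same packet before, inside and after a GRE tunnel, and how many bytes the extra headers add, which is what the MTU question above turns on. The addresses, the outer ID and the helper names are assumptions made for illustration; Wireshark display filters match a field if any occurrence in the frame matches, so the inner header's ID is enough.

```python
import struct

GRE = 47              # IPv4 protocol number for GRE
IPV4_TYPE = 0x0800    # GRE protocol type for an IPv4 payload

def ipv4_header(src, dst, proto, ident, payload_len):
    """20-byte IPv4 header, no options; checksum left 0 (not needed here)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident,
                       0, 64, proto, 0, bytes(src), bytes(dst))

def gre_encapsulate(inner, tun_src, tun_dst, outer_id):
    """Prepend a basic 4-byte GRE header and a new outer IPv4 header."""
    gre = struct.pack("!HH", 0, IPV4_TYPE)   # no optional fields, version 0
    outer = ipv4_header(tun_src, tun_dst, GRE, outer_id, len(gre) + len(inner))
    return outer + gre + inner

def ip_ids(packet):
    """Identification field of every IPv4 header found, outermost first."""
    ids, off = [], 0
    while len(packet) - off >= 20 and packet[off] >> 4 == 4:
        ihl = (packet[off] & 0x0F) * 4
        if ihl < 20:
            break
        ids.append(struct.unpack_from("!H", packet, off + 4)[0])
        if packet[off + 9] != GRE or len(packet) < off + ihl + 4:
            break
        flags, ptype = struct.unpack_from("!HH", packet, off + ihl)
        if flags != 0 or ptype != IPV4_TYPE:
            break                            # optional GRE fields not handled
        off += ihl + 4
    return ids

def matches_ip_id(packet, wanted):
    """True if any IPv4 header in the packet carries this ID."""
    return wanted in ip_ids(packet)

# Constructed sample: a 20-byte payload between two made-up hosts.
PAYLOAD = b"\x00" * 20
ORIGINAL = ipv4_header((10, 1, 0, 10), (10, 2, 0, 10), 6, 0xC3C9,
                       len(PAYLOAD)) + PAYLOAD
TUNNELED = gre_encapsulate(ORIGINAL, (192, 0, 2, 1), (198, 51, 100, 1), 0x0001)
OVERHEAD = len(TUNNELED) - len(ORIGINAL)     # outer IPv4 (20) + GRE (4)

if __name__ == "__main__":
    print([hex(i) for i in ip_ids(ORIGINAL)])
    print([hex(i) for i in ip_ids(TUNNELED)])
    print(matches_ip_id(TUNNELED, 0xC3C9), OVERHEAD)
```

The inner header is found by plain parsing because GRE on its own adds headers without encrypting; the extra bytes are what can push a full-size packet over the path MTU.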
OMG!!!! THIS IS THE MOST SIMPLEST PROFESSOR EXPLANATION I'VE EVER SEEN...USING STACK CUPS WOW!!!...KUDOS! Keith
Thank you nvv21!
Thank You 💕 Keith for Good content
Happy to do it, thanks for the feedback Ranjitkumar.
thanks keith
You're Welcome!
Thanks so much
So this is why unpacking my Amazon deliveries is like Matryoshka dolls.
Is tunneling always used between routers when passing data?
Thank you SuperBoi45!
On a local area network (LAN), the norm is to NOT use any tunnels, just forward the traffic on its way to the destination IP.
Some exceptions exist, such as VXLANs and a few others, but again most of the traffic between routers is NOT through a tunnel.
Hope that helps.
Good imagery on encapsulation, I always thought of it as nesting dolls lol
Thank you! 😊
Hello Keith, thanks for the videos as always,
I have a request: can you make a roadmap on how to master network security in 1 year or less?
Great suggestion! "Mastering" is a strong word for such a broad topic. Let me give that some thought.
By t=30s, I recognized that Keith is a superb teacher.
Can I also say it's like someone walking to their destination where they could be kidnapped, robbed, or murdered. But then you buy that person a vehicle so that they can arrive at their destination safely?
Thank you @kimjames8328!
So. The idea of tunnel is just misleading. There is no dedicated private route that these packages take, as in a paper mail being transported through an underground tunnel and not the highway. The packages go through the same internet with their addresses being concealed. They should not call it a tunnel, the word "wrapper"/"Packaging" would be a better fit. That would avoid a lot of confusion.
Maybe I misunderstood, but do these VPN service providers have their own private routes that transfer the data or is our "concealed and encrypted" data still going through the public internet? If it is going through the public internet, then what is so private about a Virtual private network? Would you please help me understand. Thank you
Thank you @user-wu7xh1fc2q!
Thx, wait for Explanation what is UndertheHood... with role of GRE / IPsec / SHA256 / MD5 / IKEv1 vs IKEv2 ... for me it's like a bunch of Terms, without final conclusion. BTW thx.
Thank you for the question Clxxcv 420. More videos coming.
I love your shirt. Where did you get it?
Thank you for the question Michael. It is a song from this group www.thesingerandthesongwriter.com/home
Had the chance to see them perform a house concert in Vegas last year, and that is where I got the shirt.
Nice quote on t-shirt
Thank you shaikh Adil!
Is it safe?
Safe is subjective.
Please speak slowly for non-English-speaking people :)
Thank you Roberto BUFANO! I appreciate the feedback. Have you considered using the "Playback speed" controls in RUclips? I think setting it to .75 may be helpful for you.
Thank you again for the feedback.
@@KeithBarker Exactly
This is an outstanding video, sir! You're doing the Lord's work 🫡
Thank you Leeroy Jenkins!
Omg you are like a kindergarten teacher🫶 I was struggling and you saved me with perfect analogy! I subscribed!!!
Thank you @user-nm7wj6se6e!
Thank you very much
Happy to do it, thanks for the feedback Spiral Dynamics.