Scans through VPN Layer 2 and VPN Layer 3

Subject: Discrepancies in VPN Layer 2 and Layer 3 Scanning Results

Hi all,
I’d like to pose a question concerning scans conducted over VPNs, especially when targeting computers located in different geographical regions.

To provide context: I initially conducted a scan “on-premises”, on a computer physically present within my LAN. The results from this scan were reliable and served as my baseline for comparison with subsequent scans, which I’ll detail below.
Here’s the output from the initial scan:

For the second scan, I utilized a Layer 3 VPN, connecting through an external host acting as my gateway, structured as follows:

External Host → VPN Layer 3 → Internal Network Host → Target Internal Network

In this scenario, the scan results were skewed. They did not reflect the actual state of the network. Instead of identifying 27 active hosts, it attempted to scan all possible hosts, even those not present on my LAN. My primary query is: Why does this discrepancy occur with a Layer 3 VPN connection? For reference, I used the same IP address range as the initial on-premises scan.

For the third scan, I employed a Layer 2 VPN. I set up two virtual interfaces (tap0), established the route for the external network, and configured iptables rules. From the external host, I can access an internal target network computer, which acts as a “gateway”. Hence, all connections and requests are routed through this internal host:

External Host → VPN Layer 2 → Internal Gateway Host → Other Target Network Hosts

Interestingly, the vulnerabilities identified in this scan matched the on-premises scan. However, the report still listed all 254 hosts. I’m keen to understand the reason for this discrepancy and why the VPN-based scans report 254 hosts, while the on-premises scan only lists the genuinely active hosts.

Regarding the scan settings:

  • Ports: ALL IANA TCP assigned ports
  • Scanner Name: OpenVAS Default
  • Type: OpenVAS Scanner
  • Scan Config: Full and fast
  • Order for target hosts: Sequential
  • Maximum concurrently executed NVTs per host: 4
  • Maximum concurrently scanned hosts: 20

Assets:

  • Add to Assets: Yes
  • Apply Overrides: Yes
  • Min QoD: 70%

Scan:

  • Duration of last Scan: No scans yet
  • Auto delete Reports: Do not automatically delete reports

Note: The scan settings remained consistent across all three scans.

I appreciate any insights or experiences you might share on this matter. Thank you in advance.
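One way to triage a report like the 254-host one described above is to separate hosts that carry real findings (above the configured Min QoD and not merely Log entries) from hosts that appear in the report without any. This is an added example, not code from the thread or from Greenbone; the XML layout is a constructed, simplified fragment in the spirit of a GVM report export, and the tag names, `build_report`, `triage` and the 192.168.1.0/24 range are assumptions, so adjust them to your own export.

```python
import xml.etree.ElementTree as ET
from ipaddress import ip_address, ip_network

def build_report(ips, results):
    """Constructed report fragment; tag layout is an assumption, not the real export.
    results: list of (ip, threat, qod) tuples."""
    hosts = "".join(f"<host><ip>{ip}</ip></host>" for ip in ips)
    res = "".join(
        f"<result><host>{ip}</host><threat>{t}</threat>"
        f"<qod><value>{q}</value></qod></result>" for ip, t, q in results)
    return f"<report>{hosts}<results>{res}</results></report>"

SAMPLE_RESULTS = [("192.168.1.1", "High", 80),     # real finding
                  ("192.168.1.2", "Log", 98),      # informational only
                  ("192.168.1.3", "Medium", 30)]   # below Min QoD of 70%
# "On-premises": only the hosts that really answered are listed.
SAMPLE_SMALL = build_report(["192.168.1.1", "192.168.1.2", "192.168.1.3"], SAMPLE_RESULTS)
# "Via VPN": every usable address in the /24 shows up as a host.
SAMPLE_FULL = build_report([f"192.168.1.{i}" for i in range(1, 255)], SAMPLE_RESULTS)

def triage(report_xml, network="192.168.1.0/24", min_qod=70):
    root = ET.fromstring(report_xml)
    listed = {h.findtext("ip") for h in root.findall("host")}
    findings = set()
    for r in root.iter("result"):
        threat = r.findtext("threat") or ""
        qod = int(r.findtext("qod/value") or 0)
        if threat != "Log" and qod >= min_qod:      # same filter as Min QoD 70%
            findings.add(r.findtext("host"))
    usable = ip_network(network).num_addresses - 2   # 254 for a /24
    return {
        "listed": len(listed),
        "with_findings": sorted(findings, key=ip_address),
        "no_findings": sorted(listed - findings, key=ip_address),
        "usable_addresses": usable,
        # Every usable address reported as a host is the tell-tale sign that
        # something on the path answers for the whole range, not the real hosts.
        "blanket_alive": len(listed) == usable,
    }

if __name__ == "__main__":
    for name, rep in (("on-premises", SAMPLE_SMALL), ("via VPN", SAMPLE_FULL)):
        t = triage(rep)
        print(f"{name}: {t['listed']} hosts listed, {len(t['with_findings'])} with "
              f"findings, blanket alive: {t['blanket_alive']}")
```

Comparing the `with_findings` list across the on-premises and VPN reports tells you whether the extra hosts changed the vulnerability picture or only inflated the host count.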

The better way is to place a sensor and just tunnel the sensor traffic via VPN. You will mess your scans up due to Proxy.ID, ARP, Proxy-ARP, firewall session limits and many other factors; they will mess your scan via VPN up.


@Lukas Thank you for your insights.

Could you kindly explain why, with the Layer 3 VPN, I’m getting incorrect results, while with the Layer 2 VPN, I get the results but the number of hosts is off? Referring to the screenshot I posted above, where the number of hosts should be 27 (or 28), it instead shows (254). Why does this discrepancy occur?

Furthermore, I’m not entirely clear on what you mean by “placing a sensor.” What kind of sensor are you referring to? Are you suggesting routing the traffic of the Layer 3 or Layer 2 VPN through this sensor? Where should I position this sensor? Are there any low-cost or free solutions I can use for testing?

Thank you again for your assistance.

Up, please help, anyone.