Subject: Discrepancies in VPN Layer 2 and Layer 3 Scanning Results
I’d like to pose a question concerning scans conducted over VPNs, especially when targeting computers located in different geographical regions.
To provide context: I initially conducted a scan “on-premises”, on a computer physically present within my LAN. The results from this scan were reliable and served as my baseline for comparison with subsequent scans, which I’ll detail below.
Here’s the output from the initial scan:
For the second scan, I utilized a Layer 3 VPN, connecting through an external host acting as my gateway, structured as follows:
External Host → VPN Layer 3 → Internal Network Host → Target Internal Network
In this scenario, the scan results were skewed. They did not reflect the actual state of the network. Instead of identifying 27 active hosts, it attempted to scan all possible hosts, even those not present on my LAN. My primary query is: Why does this discrepancy occur with a Layer 3 VPN connection? For reference, I used the same IP address range as the initial on-premises scan.
For the third scan, I employed a Layer 2 VPN. I set up two virtual interfaces (tap0), established the route for the external network, and configured iptables rules. From the external host, I can access an internal target network computer, which acts as a “gateway”. Hence, all connections and requests are routed through this internal host:
External Host → VPN Layer 2 → Internal Gateway Host → Other Target Network Hosts
Interestingly, the vulnerabilities identified in this scan matched the on-premises scan. However, the report still listed all 254 hosts. I’m keen to understand the reason for this discrepancy and why the VPN-based scans report 254 hosts, while the on-premises scan only lists the genuinely active hosts.
Regarding the scan settings:
- Ports: ALL IANA TCP assigned ports
- Scanner Name: OpenVAS Default
- Type: OpenVAS Scanner
- Scan Config: Full and fast
- Order for target hosts: Sequential
- Maximum concurrently executed NVTs per host: 4
- Maximum concurrently scanned hosts: 20
- Add to Assets: Yes
- Apply Overrides: Yes
- Min QoD: 70%
- Duration of last Scan: No scans yet
- Auto delete Reports: Do not automatically delete reports
Note: The scan settings remained consistent across all three scans.
I appreciate any insights or experiences you might share on this matter. Thank you in advance.