
In the official Azure documentation describing Azure VPN Gateway, I read this about Site to Site VPN

"Though traffic is encrypted using IPSec, it can be intercepted in transit since it traverses the public Internet."

Is it a grave concern if traffic encrypted using IPSec is intercepted in transit over public internet. What is the probability that a hacker can intercept data in transit between site-to-site VPN & decrypt that info?

mvark
    Granted, the table lists that line under the 'Considerations' column. They have to at least mention it so that you understand the limits of their liability. They are not saying that it's a 'danger' or a 'weakness'. – schroeder Feb 08 '17 at 07:33

2 Answers


Interception of the traffic is 100% possible, since the whole time the transfer is going via the public internet, ISPs, etc., but retrieving sensitive data out of it is highly unlikely, unless the attacker has cracked the Encapsulating Security Payload used to encapsulate the VPN traffic packets.

StackB00m
    Isn't the statement - "Though traffic is encrypted using IPSec, it can be intercepted in transit since it traverses the public Internet.", alarmist? It kind of implies it may be cracked and the onus is on the user – mvark Feb 08 '17 at 06:52
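To make concrete what "intercepted but not readable" means for the ESP packets the answer above refers to, here is an added example (not from the answer or from Azure's documentation) that parses the fields an on-path observer can read from an ESP packet (RFC 4303) and shows the receiver's integrity and replay checks. The "ciphertext" bytes and the authentication key are constructed placeholders, and the anti-replay check is simplified to a strictly increasing sequence number rather than the real sliding window.

```python
"""On-path view of an IPsec ESP packet versus the receiver's checks.

Constructed example: the ciphertext stands in for real AES output and the
ICV is HMAC-SHA-256 truncated to 128 bits, as specified in RFC 4868.
"""
import hashlib
import hmac
import struct

ICV_LEN = 16  # HMAC-SHA-256-128: 32-byte digest truncated to 16 bytes


def build_esp(spi, seq, iv, ciphertext, auth_key):
    """Assemble SPI | seq | IV | ciphertext | ICV (no encryption performed here).

    The ICV covers everything before it, so the header and payload are
    both authenticated; only the SPI and sequence number are ever in the clear.
    """
    body = struct.pack("!II", spi, seq) + iv + ciphertext
    icv = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    return body + icv


def observer_view(packet):
    """Fields readable without any key: SPI, sequence number and sizes.

    Everything after the 8-byte header is opaque to someone capturing the
    packet on the public internet.
    """
    spi, seq = struct.unpack("!II", packet[:8])
    return {"spi": spi, "seq": seq, "opaque_bytes": len(packet) - 8}


def receiver_check(packet, auth_key, last_seq):
    """Return True if the ICV verifies and the packet is not a replay.

    The comparison is constant-time; a single flipped byte anywhere in the
    authenticated region makes the packet fail. Replay handling is simplified
    (constructed) to 'sequence number must exceed the last accepted one'.
    """
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return False
    _, seq = struct.unpack("!II", body[:8])
    return seq > last_seq


if __name__ == "__main__":
    key = b"constructed-auth-key-not-real"          # constructed placeholder
    pkt = build_esp(0x0A0B0C0D, 7, b"\x00" * 16, b"\x11" * 32, key)
    print(observer_view(pkt))                        # only SPI, seq, sizes
    print(receiver_check(pkt, key, last_seq=6))      # True: genuine packet
    tampered = bytearray(pkt)
    tampered[12] ^= 1                                # modify one payload byte
    print(receiver_check(bytes(tampered), key, 6))   # False: ICV mismatch
    print(receiver_check(pkt, key, last_seq=7))      # False: replayed packet
```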

Taken at face value, the statement is implying that it is something to "consider", even though your traffic could be considered "safe" if it uses IPSec (or SSL). Perhaps the statement makes more sense when taken in the context of the entire article:

  1. Connecting over the public internet: traffic can be intercepted over the public internet (and read if not encrypted).
  2. Connecting with a point-to-site connection: traffic can be intercepted over the public internet.
  3. Connecting with a site-to-site connection: traffic can be intercepted over the public internet.
  4. Connecting with a dedicated private connection: traffic cannot be intercepted over the public internet.

In scenario 1, the onus is on you to make sure your data is encrypted. In scenarios 2 and 3, your traffic is encrypted, but possibly crackable (however unlikely) by an outside party. In scenario 4, it's not even possible for an outside party to see the traffic. Just mentioning the fact that it is possible to intercept the traffic in scenarios 2 and 3 helps differentiate it from scenario 4.

TTT