NSEL records or Cisco NetFlow logs are only sent during flow creation, teardown or ACL deny events. Source: https://supportforums.cisco.com/docs/DOC-6113;jsessionid=09C4A6E010BFAC1E940F04533B590ECE.node0#NetFlow_v9_Overview
It seems there is no provision for VPN traffic in Cisco NetFlow. Even if it uses flow creation and teardown, how would it differentiate VPN traffic from LAN traffic?
Does anyone know how to detect VPN traffic from Cisco NetFlow records?