*** Sagar Acharya [2023-10-15 18:00]:
> How many devices can connect to IPSec VPN?

Thousands easily. Depends on bandwidth and CPU speed mainly.

> What is the private key or secret key for these networks?

Various. Mostly either PSK (symmetric pre-shared key) or X.509-certificate-based keypairs are used for authentication. The (symmetric) encryption key of course is derived every time the IKEv2 session is started with the peer.

> Where does it lie?

Where you wish for. Depends on implementation. IPsec itself, its transport part (ESP protocol), generally lives inside the kernel itself. The IKEv2 daemon (like strongSwan, for example) lives in userspace.

> Is it secure?

Depends on configuration parameters and implementation. IKEv2/ESPv3 protocols in general are secure, yes.

> In the former case, client will return an md5 sum of earlier packet data to
> confirm it received.

1) Neither IPsec, nor WireGuard, nor OpenVPN confirm that a packet is received. They just transparently make a secure tunnel for *IP* packets. There is just no need for that kind of confirmation. Why? Internet Protocol is "fire and forget" by design: it just sends the IP packet and forgets about it, job is done. If you want guaranteed delivery, then it is the business of the transport protocols above, like TCP. IPsec/WireGuard/any-VPN secures the IP level.

2) MD5 in 2023? I hope not, it is not used. Well, actually MD5 is not used as a hash function in IPsec (ESP), but as a part of HMAC-MD5, which is actually still considered safe. But why would one need to use that ancient stuff? Modern protocols (WireGuard, Noise, TLS 1.3) use only AEAD algorithms, where the "MAC" is in some way integrated with the encryption algorithm and they are always used together. IPsec has supported AEAD ciphers in modern OSes for a long time.

-- 
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: 12AD 3268 9C66 0D42 6967 FD75 CB82 0563 2107 AD8A
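The two constructions contrasted in point 2), as an added example that is not part of the original mail: the classic ESP shape (AES-CTR plus a separate, keyed HMAC-MD5-96 integrity check value) beside the AEAD shape (AES-GCM from Go's standard library). Function names, the 96-bit ICV truncation from RFC 2403 and the use of AES-CTR rather than a specific OS's ESP transform are this example's own choices.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/md5"
	"errors"
)

const icvLen = 12 // HMAC-MD5-96: the MAC is truncated to 96 bits (RFC 2403)
// ctrXOR is the confidentiality half of classic ESP (AES-CTR); same op both ways.
func ctrXOR(block cipher.Block, iv, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(block, iv).XORKeyStream(out, in)
	return out
}

// icv is the integrity half: keyed HMAC-MD5 over the ciphertext. MD5 collisions
// are irrelevant here; forging a tag needs macKey, which is why it still holds.
func icv(macKey, ct []byte) []byte {
	m := hmac.New(md5.New, macKey)
	m.Write(ct)
	return m.Sum(nil)[:icvLen]
}

// sealHMACMD5 is encrypt-then-MAC: ciphertext followed by the 12-byte ICV.
func sealHMACMD5(block cipher.Block, macKey, iv, pt []byte) []byte {
	ct := ctrXOR(block, iv, pt)
	return append(ct, icv(macKey, ct)...)
}

// Two separate primitives: the receiver must verify the ICV (constant-time)
// before decrypting, and nothing in the API enforces that order.
func openHMACMD5(block cipher.Block, macKey, iv, pkt []byte) ([]byte, error) {
	if len(pkt) < icvLen {
		return nil, errors.New("packet too short")
	}
	ct, tag := pkt[:len(pkt)-icvLen], pkt[len(pkt)-icvLen:]
	if !hmac.Equal(tag, icv(macKey, ct)) {
		return nil, errors.New("ICV mismatch")
	}
	return ctrXOR(block, iv, ct), nil
}

// newAEAD is the AEAD shape (AES-GCM): one key, the cipher emits the tag itself,
// and Open never returns plaintext for a modified packet.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
```

Both shapes reject a packet whose first ciphertext byte was flipped; the difference is that with AEAD the check is inseparable from decryption, while with HMAC-MD5 the caller has to perform and order it.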