Sergey Matveev <stargrave+suckl...@stargrave.org> wrote:
> *** Sagar Acharya [2023-10-15 18:00]:
> >How many devices can connect to IPSec VPN?
>
> Thousands easily. Depends on bandwidth and CPU speed mainly.

You can also find that protocol in almost any 'hardware' router that claims to support a VPN: Mikrotik, StormShield, Fortinet, Cisco...

> >What is the private key or secret key for these networks?
>
> Various. Mostly either PSK (symmetric pre-shared key) or
> X.509-certificate-based keypair are used for authentication.
> (Symmetric) Encryption key of course is derived every time
> the IKEv2 session is started with the peer.

In attachment, a small "x509" script that I place in my ~/bin to manage certificates by wrapping some of OpenSSL's tedious syntax. Not prime quality, but could help to get started.

> >Where does it lie?
>
> Where you wish for. Depends on implementation. IPsec itself, its
> transport part (ESP protocol) generally live inside the kernel itself.
> IKEv2 daemon (like strongSwan for example) lives in userspace.

I forgot about that, good point!

IPsec is a bit particular as it does not have any network interface for the VPN itself; instead the kernel intercepts the packets going out if they match the configured rule (from Priv1 to Priv2), then encrypts/reroutes them and directly sends them (from Pub1 to Pub2).

Because it all happens in the kernel with no network interface, troubleshooting is a bit particular. Not possible to do "tcpdump -i ipsec0" to see the packets going *over* the VPN as there is no network interface for it (OpenBSD added the pflog interface for tcpdump purposes though). So the various tools like tcpdump, firewall config syntax, etc. have special handling and syntax for it. Keyword: "XFRM".

After some time working with it, it becomes more intuitive, but on day 1 I was lost! :)

> >Is it secure?
>
> Depends on configuration parameters, implementation. IKEv2/ESPv3
> protocols in general are secure, yes.

It is used by banks, phone systems, corporate VPNs...

For debugging, you can try "PSK" or "pre-shared key" authentication, which is just a password, to avoid combining the difficulty of X.509 and IPsec.

Josuah.
Attachment: x509 (application/shellscript)
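Since there is no ipsec0 interface to capture on, the usual first troubleshooting question on Linux is "does the kernel have an outbound XFRM policy for this Priv1 -> Priv2 pair, and does an ESP SA exist to satisfy it?". The following is an added example (not part of the thread or of Josuah's x509 script) that parses the text printed by `ip xfrm policy` and `ip xfrm state` and answers that question for a given source and destination. The sample output embedded below is constructed; the field layout follows what iproute2 prints (an unindented `src ... dst ...` line per record, indented `dir`, `tmpl`, `proto ... spi ... reqid ... mode` lines), but minor differences between iproute2 versions are possible, so treat the exact format as an assumption.

```python
"""Explain what the Linux XFRM subsystem does to a packet src -> dst,
given the output of `ip xfrm policy` and `ip xfrm state`.

Possible verdicts:
  clear      no outbound policy matches: the packet leaves unencrypted
  no_sa      a policy matches but no SA fulfils its template (IKE not up)
  protected  policy and SA present: encapsulated in ESP to the outer peer
"""
import ipaddress

# Constructed sample output (assumption: shaped like iproute2's printout).
SAMPLE_POLICY = """\
src 10.1.0.0/24 dst 10.2.0.0/24
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.1 dst 198.51.100.1
\t\tproto esp reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
\tdir in priority 375423 ptype main
\ttmpl src 198.51.100.1 dst 192.0.2.1
\t\tproto esp reqid 1 mode tunnel
src 10.1.0.0/24 dst 10.4.0.0/24
\tdir out priority 375423 ptype main
\ttmpl src 192.0.2.1 dst 203.0.113.7
\t\tproto esp reqid 2 mode tunnel
"""

SAMPLE_STATE = """\
src 192.0.2.1 dst 198.51.100.1
\tproto esp spi 0xc1d2e3f4 reqid 1 mode tunnel
\treplay-window 0 flag af-unspec
\taead rfc4106(gcm(aes)) 0x00112233445566778899aabbccddeeff00112233 128
src 198.51.100.1 dst 192.0.2.1
\tproto esp spi 0x0a0b0c0d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\taead rfc4106(gcm(aes)) 0xffeeddccbbaa99887766554433221100ffeeddcc 128
"""


def _records(text):
    """Split output into records; each starts at an unindented 'src ...' line."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            records.append([line.strip()])
        elif records:
            records[-1].append(line.strip())
    return records


def _kv(line):
    """'proto esp spi 0x1 reqid 1 mode tunnel' -> {'proto': 'esp', 'spi': '0x1', ...}"""
    toks = line.split()
    return {toks[i]: toks[i + 1] for i in range(0, len(toks) - 1, 2)}


def parse_policies(text):
    """Return one dict per policy: selector, direction, priority and ESP template."""
    policies = []
    for rec in _records(text):
        head = _kv(rec[0])
        pol = {"src": ipaddress.ip_network(head["src"]),
               "dst": ipaddress.ip_network(head["dst"]),
               "dir": None, "priority": 2 ** 32, "tmpl_src": None,
               "tmpl_dst": None, "reqid": None, "mode": None}
        for line in rec[1:]:
            kv = _kv(line[5:] if line.startswith("tmpl ") else line)
            if line.startswith("tmpl "):
                pol["tmpl_src"], pol["tmpl_dst"] = kv["src"], kv["dst"]
            pol["dir"] = kv.get("dir", pol["dir"])
            pol["mode"] = kv.get("mode", pol["mode"])
            if "priority" in kv:
                pol["priority"] = int(kv["priority"])
            if "reqid" in kv:
                pol["reqid"] = int(kv["reqid"])
        policies.append(pol)
    return policies


def parse_states(text):
    """Return one dict per SA: outer addresses, SPI, reqid and mode (keys are ignored)."""
    states = []
    for rec in _records(text):
        head = _kv(rec[0])
        sa = {"src": head["src"], "dst": head["dst"], "spi": None, "reqid": None, "mode": None}
        for line in rec[1:]:
            kv = _kv(line)
            sa["mode"] = kv.get("mode", sa["mode"])
            if "spi" in kv:
                sa["spi"] = int(kv["spi"], 16)
            if "reqid" in kv:
                sa["reqid"] = int(kv["reqid"])
        states.append(sa)
    return states


def classify(src_ip, dst_ip, policies, states):
    """Pick the best-matching outbound policy (lowest priority number wins) and
    look for the SA whose outer addresses and reqid satisfy its template."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    outs = sorted((p for p in policies
                   if p["dir"] == "out" and s in p["src"] and d in p["dst"]),
                  key=lambda p: p["priority"])
    if not outs:
        return {"status": "clear"}
    pol = outs[0]
    for sa in states:
        if (sa["src"], sa["dst"], sa["reqid"]) == (pol["tmpl_src"], pol["tmpl_dst"], pol["reqid"]):
            return {"status": "protected", "outer_src": sa["src"], "outer_dst": sa["dst"],
                    "spi": sa["spi"], "mode": sa["mode"]}
    return {"status": "no_sa", "policy": f"{pol['src']} -> {pol['dst']}"}


if __name__ == "__main__":
    pols, sts = parse_policies(SAMPLE_POLICY), parse_states(SAMPLE_STATE)
    for pair in (("10.1.0.5", "10.2.0.9"), ("10.1.0.5", "10.3.0.9"), ("10.1.0.5", "10.4.0.9")):
        print(pair, classify(*pair, pols, sts))
```

On a real host you would feed `ip xfrm policy` and `ip xfrm state` output into `parse_policies` and `parse_states` instead of the constructed samples. Note that `ip xfrm state` prints the live SA keys (the `aead`/`enc`/`auth` lines), so it needs root and its output should never be pasted into tickets or logs; the parser above deliberately ignores those lines.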