*** Sagar Acharya [2023-10-15 18:00]:
>How many devices can connect to IPSec VPN?
Thousands easily. Depends on bandwidth and CPU speed mainly.
>What is the private key or secret key for these networks?
Various. Mostly either a PSK (symmetric pre-shared key) or
X.509-certificate-based keypairs are used for authentication.
The (symmetric) encryption key, of course, is derived every time
the IKEv2 session is established with the peer.
>Where does it lie?
Wherever you wish. Depends on implementation. IPsec itself, its
transport part (the ESP protocol), generally lives inside the kernel.
The IKEv2 daemon (like strongSwan, for example) lives in userspace.
>Is it secure?
Depends on configuration parameters and implementation. The IKEv2/ESPv3
protocols in general are secure, yes.
>In the former case, client will return an md5 sum of earlier packet data to confirm it received.
1) Neither IPsec, nor WireGuard, nor OpenVPN confirms that a packet is
received. They just transparently make a secure tunnel for *IP* packets.
There is just no need for that kind of confirmation. Why? Internet
Protocol is "fire and forget" by design: it just sends an IP packet and
forgets about it, job is done. If you want guaranteed delivery, then it
is the business of the transport protocols above, like TCP.
IPsec/WireGuard/any-VPN secures the IP level.
2) MD5 in 2023? I hope not, it is not used. Well, actually MD5 is not
used as a hash function in IPsec (ESP), but as part of HMAC-MD5, which
is actually still considered safe. But why would one need to use that
ancient stuff? Modern protocols (WireGuard, Noise, TLS 1.3) use only
AEAD algorithms, where the "MAC" is in some way integrated with the
encryption algorithm and they are always used together. IPsec has
supported AEAD ciphers in modern OSes for a long time.
--
Sergey Matveev (http://www.stargrave.org/)
OpenPGP: 12AD 3268 9C66 0D42 6967 FD75 CB82 0563 2107 AD8A
Received on Sun Oct 15 2023 - 14:48:10 CEST
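Following up on the cipher point in the message above, here is an added example that is not from the original thread or from the strongSwan project: a strongSwan swanctl.conf fragment for an IKEv2 site-to-site connection with X.509 authentication and AEAD-only IKE and ESP proposals, with the legacy HMAC-MD5 style shown commented out beside it. Hostnames, addresses, certificate file names, subnets and IDs are placeholders I made up for the example.

```conf
# Added example (not from the thread): strongSwan swanctl.conf showing
# IKEv2 with X.509 authentication and AEAD-only IKE/ESP proposals.
# Hostnames, addresses, cert files, subnets and IDs are placeholders.
connections {
    gw-a-to-gw-b {
        # IKEv2 only, never fall back to IKEv1
        version = 2
        local_addrs  = 203.0.113.10
        remote_addrs = 203.0.113.20

        # Authentication: X.509 keypair on each side. The alternative is
        # auth = psk, with the symmetric pre-shared key kept in a
        # secrets { } section instead of a certificate file.
        local {
            auth  = pubkey
            # certificate file expected under /etc/swanctl/x509/
            certs = gw-a.example.org.pem
            id    = "CN=gw-a.example.org"
        }
        remote {
            auth = pubkey
            id   = "CN=gw-b.example.org"
        }

        # IKE_SA proposal handled by the userspace daemon (charon):
        # AEAD encryption (AES-256-GCM, 16-byte ICV), an explicit PRF
        # (an AEAD has no separate integrity algorithm to derive it from)
        # and an ECDH group for the key exchange.
        proposals = aes256gcm16-prfsha384-x25519
        # Legacy non-AEAD style this replaces: HMAC-MD5-96 integrity plus
        # a 1024-bit MODP group. Still accepted by many stacks, not
        # recommended:
        # proposals = aes128-md5-modp1024

        children {
            net-net {
                local_ts  = 10.1.0.0/16
                remote_ts = 10.2.0.0/16
                mode = tunnel
                # ESP proposal, installed into the kernel as the CHILD_SA.
                # AEAD cipher only; the DH group gives fresh keys on each
                # rekey (PFS).
                esp_proposals = aes256gcm16-x25519
                # Legacy equivalent with separate HMAC-MD5-96 integrity:
                # esp_proposals = aes128-md5
                rekey_time = 1h
                start_action = start
            }
        }
    }
}
```

Load it with `swanctl --load-all` (assuming the standard /etc/swanctl layout) and inspect `swanctl --list-sas`: the CHILD_SA line shows the negotiated AEAD algorithm for the ESP state the kernel holds, while the IKE_SA state stays inside the charon daemon, which is the kernel/userspace split the reply describes.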