Re: [dev] A secure wireless protocol

From: Josuah Demangeon <me_AT_josuah.net>
Date: Sun, 15 Oct 2023 16:43:28 +0200

Sergey Matveev <stargrave+suckless_AT_stargrave.org> wrote:
> *** Sagar Acharya [2023-10-15 18:00]:
> >How many devices can connect to IPSec VPN?
>
> Thousands easily. Depends on bandwidth and CPU speed mainly.

You can also find that protocol in almost any 'hardware' router
that claims to support a VPN: Mikrotik, StormShield, Fortinet,
Cisco...

> >What is the private key or secret key for these networks?
>
> Various. Mostly either PSK (symmetric pre-shared key) or
> X.509-certificate-based keypair are used for authentication.
> (Symmetric) Encryption key of course is derived every time
> the IKEv2 session is started with the peer.

In attachment, a small "x509" script that I place in my ~/bin to manage
certificates by wrapping some of OpenSSL's tedious syntax. Not
prime quality, but could help to get started.

> >Where does it lie?
>
> Where you wish for. Depends on implementation. IPsec itself, its
> transport part (ESP protocol) generally live inside the kernel itself.
> IKEv2 daemon (like strongSwan for example) lives in userspace.

I forgot about that, good point!

IPsec is a bit particular as it does not have any network interface
for the VPN itself, instead the kernel intercepts the packets going
out if they match the configured rule (from Priv1 to Priv2), then
encrypts/reroutes them and directly sends them (from Pub1 to Pub2).

Because it all happens in the kernel with no network interface,
troubleshooting is a bit particular.

Not possible to do "tcpdump -i ipsec0" to see the packets going
*over* the VPN as there is no network interface for it (OpenBSD
added the pflog interface for tcpdump purposes though).

So the various tools like tcpdump, firewall config syntax, etc.
have special handling and syntax for it. Keyword: "XFRM".

After some time working with it, it becomes more intuitive, but
on day 1 I was lost! :)

> >Is it secure?
>
> Depends on configuration parameters, implementation. IKEv2/ESPv3
> protocols in general are secure, yes.

It is used by banks, phone systems, corporate VPNs...

For debugging, you can try "PSK" or "pre-shared key" authentication
which is just a password, to avoid combining the difficulty of
X.509 and IPsec.

Josuah.

Received on Sun Oct 15 2023 - 16:43:28 CEST
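
Added example, not part of the original mail or its attachment: a troubleshooting aid for the policy matching described above, which reads Linux "ip xfrm policy" text and reports whether a Priv1 to Priv2 packet would be tunnelled and between which public endpoints. The sample text, all addresses and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed sample, modelled on the layout `ip xfrm policy` prints on Linux.
# Priv1/Priv2 = 10.1.0.0/24, 10.2.0.0/24; Pub1/Pub2 = 192.0.2.1, 198.51.100.1
# (all assumed values, not taken from the mail).
SAMPLE = """\
src 10.1.0.0/24 dst 10.2.0.0/24
    dir out priority 375423 ptype main
    tmpl src 192.0.2.1 dst 198.51.100.1
        proto esp spi 0xc0ffee01 reqid 1 mode tunnel
src 10.2.0.0/24 dst 10.1.0.0/24
    dir in priority 375423 ptype main
    tmpl src 198.51.100.1 dst 192.0.2.1
        proto esp reqid 1 mode tunnel
"""

def parse_policies(text):
    """Turn `ip xfrm policy` text into dicts: selector, direction, priority, tunnel."""
    policies = []
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "src":                      # selector line starts a new policy
            policies.append({"src": ipaddress.ip_network(tok[1], strict=False),
                             "dst": ipaddress.ip_network(tok[3], strict=False),
                             "dir": None, "prio": 0, "tmpl": None})
        elif tok[0] == "dir" and policies:
            policies[-1]["dir"] = tok[1]
            if "priority" in tok:
                policies[-1]["prio"] = int(tok[tok.index("priority") + 1])
        elif tok[0] == "tmpl" and policies:      # outer (public) tunnel endpoints
            policies[-1]["tmpl"] = (tok[2], tok[4])
    return sorted(policies, key=lambda p: p["prio"])  # lower value is matched first

def outer_endpoints(policies, src, dst, direction="out"):
    """Return (Pub1, Pub2) when src->dst hits a policy, else None (no IPsec applied)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for p in policies:
        if p["dir"] == direction and src in p["src"] and dst in p["dst"]:
            return p["tmpl"]
    return None

def esp_capture_filter(endpoints):
    """pcap filter for the encrypted packets on the public interface (ESP = IP proto 50)."""
    return "ip proto 50 and host %s and host %s" % endpoints

if __name__ == "__main__":
    pols = parse_policies(SAMPLE)
    for s, d in [("10.1.0.7", "10.2.0.9"), ("10.1.0.7", "203.0.113.5")]:
        ep = outer_endpoints(pols, s, d)
        print(s, "->", d, ":", esp_capture_filter(ep) if ep else "no policy, not tunnelled")
```

When NAT traversal is in use, ESP is carried inside UDP port 4500, so the capture filter has to match that instead of IP protocol 50.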