
Research On High Available IPSec VPN

Posted on: 2010-06-09    Degree: Doctor    Type: Dissertation
Country: China    Candidate: Y H Zhang    Full Text: PDF
GTID: 1118360302471156    Subject: Computer system architecture
Abstract/Summary:
A Virtual Private Network (VPN) is a secure transmission tunnel established over an insecure public network by combining cryptographic, authentication, tunneling and key management techniques; it interconnects users spread across different geographic locations into a logically private network. However, the availability of a traditional IPSec VPN is often disturbed by factors such as a single link, a single point of failure at the central gateway, bursts of traffic load, and low communication speed over the WAN. Research on how to improve the availability of IPSec VPN therefore has both theoretical significance and practical value, and techniques in this field have broad application prospects.

We study the availability of IPSec VPN and define it as the ratio of the effective tunnel communication time to the total tunnel communication time requested by the user. We propose improving the availability of IPSec VPN through three levels of high-availability techniques: equipment redundancy, link redundancy and data redundancy.

We propose HA-VPN, a highly available VPN built on dual redundancy backup. HA-VPN uses two identical IPSec VPN gateways that back each other up. State monitoring and data synchronization between the gateways run over an RS232 cable in a combined push-pull communication model. The backup gateway can detect the failure of the working gateway and switch from the standby state to the active state to take over tunnel communication services quickly; system availability increases as the repair rate increases. The monitoring service of HA-VPN can detect software failures quickly and repair them as far as possible; system availability increases as the fault rate decreases.
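As an added illustration of the repair-rate and fault-rate relationship stated above (not the dissertation's own models), the following Python solves the steady-state availability of a homogeneous continuous-time Markov chain for a single gateway and for a dual-redundancy gateway pair; the state models, the one-repair-crew assumption and the rate values are mine.

```python
# Added example of availability analysis: steady-state availability of a
# single IPSec gateway and of a dual-redundancy pair from homogeneous CTMC
# models. The state models, rates and single-repair-crew assumption are mine,
# not the dissertation's; lam = failure rate, mu = repair rate (per hour).
from typing import List


def steady_state(Q: List[List[float]]) -> List[float]:
    """Solve pi*Q = 0 with sum(pi) = 1 by Gauss-Jordan elimination."""
    n = len(Q)
    M = [[Q[j][i] for j in range(n)] + [0.0] for i in range(n)]  # Q^T | 0
    M[-1] = [1.0] * n + [1.0]        # replace one balance eq by normalisation
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [x - f * y for x, y in zip(M[r], M[col])]
    return [M[i][n] / M[i][i] for i in range(n)]


def single_gateway_availability(lam: float, mu: float) -> float:
    """States: 0 = up, 1 = down; service available only in state 0."""
    Q = [[-lam, lam],
         [mu, -mu]]
    return steady_state(Q)[0]


def dual_gateway_availability(lam: float, mu: float) -> float:
    """States = number of failed gateways (0, 1, 2); the tunnel survives while
    at least one gateway is up. One repair crew: rate out of state 2 is mu."""
    Q = [[-2 * lam, 2 * lam, 0.0],
         [mu, -(mu + lam), lam],
         [0.0, mu, -mu]]
    pi = steady_state(Q)
    return pi[0] + pi[1]


if __name__ == "__main__":
    lam, mu = 1 / 1000, 1 / 4   # MTTF 1000 h, MTTR 4 h (assumed values)
    print(f"single gateway : {single_gateway_availability(lam, mu):.6f}")
    print(f"dual HA-VPN    : {dual_gateway_availability(lam, mu):.9f}")
    # Raising mu (faster repair) or lowering lam (fewer faults) raises both,
    # which is the monitoring/black-box argument made in the abstract.
```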
The kernel black box service of HA-VPN records the circumstances of a kernel fault scene and reboots the gateway quickly to continue service. These records, used in fault analysis, are of great help in fixing software errors and thus in improving system availability. We built homogeneous Markov process models for the normal IPSec gateway, the single-mode HA-VPN and the dual-mode HA-VPN, and analyzed their availability. The results show that the availability of the dual-mode HA-VPN improves significantly.

We propose MA-VPN, a multi-link aggregation and load balancing VPN system. MA-VPN presents a new idea, load balancing within the IPSec communication module, to improve on the usual single-link IPSec model; system availability improves through link redundancy and load balancing. MA-VPN consists of the M-IKE daemon in the application layer and the MA-IPSec module in the kernel. M-IKE negotiates several IPSec SAs for the same protected subnet pair concurrently over different physical links. MA-IPSec applies these SAs to IP packets according to a weighted random load balancing strategy, distributing IPSec traffic across the physical links, so that multiple physical links are aggregated into one link providing the IPSec communication service. MA-IPSec improves on the traditional packet-based IPSec scheduling model by introducing a new session-based scheduling model, which not only improves tunnel scheduling efficiency but also ensures consistent SA application. The tunnel detection mechanism of MA-VPN detects tunnel failures quickly and promptly transfers IPSec traffic to the other healthy tunnels, enhancing system availability. Tests show that MA-VPN makes full use of multi-link bandwidth resources and improves overall IPSec communication performance.
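An added sketch of the session-based, weighted-random SA scheduling and tunnel failover described for MA-VPN (a constructed example, not the dissertation's MA-IPSec code); the Tunnel and SessionScheduler classes, the SPI values and the link weights are assumptions.

```python
# Constructed illustration of MA-VPN-style session-based SA scheduling with
# tunnel failover; not the dissertation's MA-IPSec code. Each physical link has
# its own SA (identified here by SPI); a new session is bound to an SA by
# weighted random choice and keeps it; a failed link's sessions are rebound.
import random
from typing import Dict, List, Optional, Tuple

Flow = Tuple[str, str, int, int, int]   # src, dst, sport, dport, proto


class Tunnel:
    def __init__(self, spi: int, weight: int) -> None:
        self.spi = spi            # SA on this physical link (assumed value)
        self.weight = weight      # e.g. proportional to link bandwidth
        self.healthy = True


class SessionScheduler:
    def __init__(self, tunnels: List[Tunnel], seed: int = 0) -> None:
        self.tunnels = tunnels
        self.table: Dict[Flow, Tunnel] = {}   # session -> bound SA
        self.rng = random.Random(seed)        # seeded for reproducibility

    def _pick(self) -> Optional[Tunnel]:
        cands = [t for t in self.tunnels if t.healthy]
        if not cands:
            return None
        return self.rng.choices(cands, weights=[t.weight for t in cands])[0]

    def select_sa(self, flow: Flow) -> Optional[int]:
        """SPI to apply to a packet of `flow`, or None when no link is up."""
        t = self.table.get(flow)
        if t is None or not t.healthy:     # new session, or bound link failed
            t = self._pick()
            if t is None:
                return None
            self.table[flow] = t           # all later packets reuse this SA
        return t.spi

    def mark_down(self, spi: int) -> int:
        """Tunnel detection reports a failed link; rebind its sessions now."""
        for t in self.tunnels:
            if t.spi == spi:
                t.healthy = False
        moved = 0
        for flow, t in list(self.table.items()):
            if not t.healthy:
                new = self._pick()
                if new is not None:
                    self.table[flow] = new
                    moved += 1
        return moved
```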
We use a series-parallel hybrid model to analyze system availability, focusing on the impact of link availability on system availability in the dual-link case compared with the single-link case. The results show that the system availability of MA-VPN improves greatly.

We propose WA-VPN, a WAN accelerating system. IPSec VPN runs over the Internet and other WANs, and its availability is reduced by the low throughput, high latency and high packet loss rate of tunnel communication caused by various adverse factors. The TCP relay mechanism of WA-VPN sends proxy ACKs to reduce the RTT and push the TCP endpoint to send its data stream faster, increasing TCP bandwidth utilization. WA-VPN slices the TCP data stream into data pieces to mine redundancy in the communicated data, and caches and indexes these pieces at the gateway on each end. The IPSec Thumbnail Protocol of WA-VPN transfers data piece indexes in place of redundant data, compressing it and reducing the bandwidth and encryption resources consumed, which means higher communication efficiency. We analyzed how data piece size and cache hit rate affect the speed-up ratio of the IPSec Thumbnail Protocol. Test results show that WA-VPN can improve the throughput of IPSec communication and reduce delay effectively; the communication quality and system availability of WA-VPN also improve significantly.
Keywords/Search Tags: Virtual Private Network, Availability, Dual Redundancy Backup, Multi-link Aggregation, Load Balancing, WAN Accelerating, TCP Relay, IPSec Thumbnail Protocol