
Implementation Of VPN System In Linux Based On IPSec

Posted on: 2004-05-07
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Li
Full Text: PDF
GTID: 2168360095953357
Subject: Computer application technology
Abstract/Summary:
With the arrival of the information age, the connectivity and openness of the Internet have made information exchange and sharing a reality, and the Internet has brought great economic benefits to society. However, security problems have become more and more prominent. Protecting network security and keeping information safe have become core concerns, and many security technologies have been developed in response.

VPN technology offers a secure and reliable tunnel between the two sides of a communication. Technically, a VPN connects networks located in different places across public backbone networks to form a logical network. To protect information from being pried into, modified or copied, and to guarantee the security of data on the Internet, a VPN uses authentication, access control, data confidentiality, data integrity and similar mechanisms.

VPN technologies include secure tunneling, user authority, encryption and decryption, among others. Of these, the core is secure tunneling, and the most widely used tunneling technology today is based on the IPSec protocol.

In this thesis we first introduce the architecture of VPN and compare it with common security technologies. Second, we describe the implementation technologies in detail, in particular the Linux network architecture, the Netfilter firewall architecture, the IKE protocol and the PF_KEY protocol. We then discuss at length the implementation of the WSTMK_VPN system, especially IPSec operation in the kernel, SAD management and the PF_KEY protocol. Finally, we evaluate the performance of the whole system.

The system has some distinguishing characteristics. First, it uses Netfilter firewall technology to implement the IPSec entry functions, which improves the program's efficiency and makes the code modular and easy to extend. Second, it uses the PF_KEY protocol to connect the kernel and IKE, which eases communication between them and simplifies the code. The system still has room for improvement, for example in simplifying the function modules and in the IKE module; these are the goals of future work.
Keywords/Search Tags:Virtual Private Network, Internet Protocol Security, Internet Key Exchange, Authentication Header, Encapsulating Security Payload, Security Association, Security Policy