
The Design And Implementation Of Gateway Based On IPSec VPN

Posted on: 2007-11-02
Degree: Master
Type: Thesis
Country: China
Candidate: M L Chen
GTID: 2178360182998766
Subject: Computer application technology
Abstract/Summary:
A virtual private network (VPN) is a private data network that makes use of the public telecommunication infrastructure, maintaining privacy through the use of a tunneling protocol and security procedures. The public telecommunication infrastructure mostly refers to the Internet. To protect data transmitted over the open Internet, a VPN combines several technologies, such as tunneling, authentication, encryption, access control and integrity protection, to prevent the data from being intercepted, tampered with or illegally copied. A VPN is an extension of the intranet, intended to help an enterprise establish secure communication links with its branches and partners. The main purpose of a VPN is to give the company the same capabilities as private leased lines at much lower cost by using the shared public infrastructure. A VPN makes it possible to share public resources for data with the same protection as a leased line. Companies today are looking at using virtual private networks for both extranets and wide-area intranets.

In this paper, we first briefly introduce the concept, applications and implementation of VPNs. Then VPNs based on different implementation methods are compared by discussing their respective advantages and disadvantages. Subsequently we describe the security protocols and cryptography involved in IPSec VPN. We formally analyse the Internet Key Exchange (IKE) protocol using BAN logic and find a neglected flaw in IKE main mode. A new amendment is proposed to repair it. We describe the design and realization of the IPSec VPN gateway in detail, including the working principles of the IPSec and IKE modules and their interaction. The overall flow and the details of the code are explained. Finally, the test results are presented.

The deployment of IPSec VPN raises some problems, such as NAT traversal and dynamic IP addresses. Some work has been done to solve them.

The innovations and difficulties are outlined as follows:
1. Tightly integrating the IPSec module with the Linux kernel to speed up data processing
2. Implementing dynamic negotiation of security associations to enhance security
3. Fixing the man-in-the-middle attack weakness in IKE main mode negotiation
4. Solving the problems of deploying a VPN gateway with a dynamic IP address...
Keywords/Search Tags: IPSec, VPN, AH, ESP, IKE, tunnel, authentication, encrypt, DDNS, NAT