The Design And Implementation Of Dynamic Key Negotiate Mechanism On IPSec VPN

Posted on: 2006-07-14
Degree: Master
Type: Thesis
Country: China
Candidate: Z D Gao
Full Text: PDF
GTID: 2178360185978815
Subject: Computer application technology
Abstract/Summary:
Compared to other VPN implementation technologies, IPSec has many advantages. As an important part of the IPSec system, the IKE mechanism negotiates and manages IPSec SAs dynamically in order to build secure communication tunnels between IPSec VPNs. IKEv2, the improved version of IKE, greatly enhances the security of IPSec VPN communication tunnels. At present, most domestic VPN gateways have not implemented the IKEv2 dynamic key negotiation mechanism, and in our country mature foreign products cannot be used on a large scale by important departments for security reasons. It is therefore of great practical significance to study and develop IPSec VPN systems that fit our country's situation.

This article first briefly introduces the basic principles of IPSec VPN and elaborates on the relationship between IKE and IPSec VPN. It then analyzes the current state of similar research and explains the origin and significance of the study. Next, the article analyzes IKEv2 and related technologies, puts forward implementation schemes for IPSec VPN and IKEv2, and establishes a new module framework. Based on this work, the article designs and implements the dynamic negotiation module, the kernel communication module, and the encryption and authentication module. The article corrects the defect in IKEv2 negotiation with dynamic IP addresses in order to extend IKEv2, and the reliability of the extension scheme is proved through BAN logic analysis. By adding new message types and items, the article extends PFKEY version 2 so that the IKEv2 process can communicate with the SPD and IDPD in the kernel. To address the insufficient security of the pre-shared key authentication mechanism, the article presents an improved scheme. Finally, it summarizes our work, discusses the development trends of IPSec and IKE, and gives our thoughts on further work.
Keywords/Search Tags: IPSec, IKEv2, SA, PF_KEY, VPN