
The Enhanced Design And Implementation Of Remote Access To IPsec VPN

Posted on: 2008-12-26
Degree: Master
Type: Thesis
Country: China
Candidate: X D Zhou
GTID: 2178360218451059
Subject: Computer application technology
Abstract/Summary:
This paper presents a thorough study and analysis of IPsec VPN remote access, and implements a remote access scheme that is more available, robust and secure. The specific research and implementation work includes:

- Analyzing the limitations of the IPsec VPN system structure and proposing a PAD-enhanced scheme based on the newest IPsecv2 framework, which adds a PAD server to support centralized management and a newly designed PAD server to support centralized authorization management, so as to enhance the system's security and management control.
- Analyzing the shortcomings of remote automatic configuration in IKEv1 and proposing an improved scheme: a DHCP client implemented in the IPsec VPN gateway sends DHCP requests based on the user's identity and the group the user belongs to, while the DHCP server defines user-group match rules and builds address pools, then chooses the proper address pool to assign an internal IP address and other internal configuration to the remote user.
- Implementing access control for remote users based on the firewall integrated in IPsec and on the user-group-based remote automatic configuration scheme, enhancing the system's efficiency and security.
- Researching NAT detection and traversal processing for the case where a NAT device lies between the remote user and the IPsec VPN gateway. NAT detection is embedded into IKE, which in that case informs the IPsec kernel through a NETLINK socket to start NAT traversal processing, enhancing the system's universality.
- Researching the DPD protocol as applied to remote access in IPsec VPN to solve the peer detection problem in IKE, enhancing the system's robustness.
- Supporting both IKEv1 and IKEv2 clients, and fully considering the integration of IKEv1 and IKEv2 in the design, so as to improve the system's compatibility.
- Testing the prototype, with results showing that it works smoothly and that its compatibility, robustness and security meet the initial design goals.

The research in this paper is sponsored by the Natural Science Foundation of Jiangsu Province (project number: BK2004039).
Keywords/Search Tags:remote access, IPsec VPN, PAD, remote automatic configuration, NAT traversal, DPD