Research And Implementation Of VPN Gateway Based On IPSec

Posted on: 2009-03-20
Degree: Master
Type: Thesis
Country: China
Candidate: B Meng
Full Text: PDF
GTID: 2178360272979657
Subject: Computer application technology
Abstract/Summary:
A VPN (Virtual Private Network) is a dedicated network constructed over a public network, here mainly the Internet, by using tunneling protocols and security measures. "Virtual" means that security technologies such as encryption and authentication are used to build a dedicated, secure communication channel that simulates a "private" network. To protect information transmitted over the Internet, a VPN uses authentication, access control, data confidentiality, data integrity, and other measures to ensure that the information is not observed, tampered with, or reproduced in transit. A VPN can help a company's affiliates, partners, and remote users establish a trusted, secure link to the company's Intranet and guarantee the security of data transmission, making it an extension of the enterprise Intranet. The key to a VPN is the security of communication, and IPSec is a core technology for providing this kind of security.
IPSec applies strong security processing to packets at the IP layer and provides data origin authentication, connectionless data integrity, data confidentiality, anti-replay protection, limited traffic flow confidentiality, and other security services. First, the thesis introduces the concept of VPN and the related background on VPN gateways. It then analyses IPSec, the main technology used to implement the VPN gateway, including security associations, security policy, the Authentication Header (AH), the Encapsulating Security Payload (ESP), and the Internet Key Exchange protocol (IKE). After further study of the IKE principle and the whole IKE exchange process, problems in the IKE protocol are identified, and a revised proposal is given to address the fact that the IKE protocol itself cannot resist fake attacks. Finally, the design and implementation of an IPSec-based VPN gateway on the Linux platform is described: a general framework for the VPN gateway is provided, and the modules, divided according to function, are designed and implemented. Because there is no formal RFC describing how PF_KEY communicates with the security policy database in the kernel, the thesis proposes a PF_KEY extension design that gives PF_KEY the ability to interact with the security policy database. The thesis closes with some ideas for improving the design and an outlook on the further development of VPN technology.
Keywords/Search Tags:VPN gateway, IPSec security protocol, AH, ESP, IKE