
Study And Implementation On IPSec VPN Gateway Based On Netfilter Mechanism

Posted on: 2010-11-25
Degree: Master
Type: Thesis
Country: China
Candidate: Q Liu
Full Text: PDF
GTID: 2178360275974433
Subject: Computer system architecture
Abstract/Summary:
The interconnection and openness of the Internet have made information exchange and sharing a reality. This brings enormous benefits to society, but it inevitably also brings many security risks. IPSec is a group of related protocols defined by the IETF to provide security services at the network layer. Building VPN gateways on IPSec has become a mainstream VPN technology; however, IPSec processing greatly increases the load on the gateway, so an IPSec VPN gateway implementation must pay special attention to optimised design in order to improve efficiency. Using the Netfilter mechanism of Linux, a kernel module can be inserted to extend the stack with new network features. In addition, the stable, efficient and open-source Linux kernel not only reduces cost but also lets the implementer control the security of the system. This thesis studies IPSec processing based on the Netfilter mechanism under Linux and covers the following:

First, the thesis studies the architecture of KLIPS in the S/WAN project, an open-source implementation of the IPSec protocol suite for Linux. It analyses in depth the implementation of Openswan's kernel-space and user-space modules, summarises the Openswan framework and its implementation of IPSec, and, in light of the IPSec implementation mechanism, points out the defects of Openswan's IPSec implementation.

Second, the thesis studies the network subsystem of the Linux kernel, its TCP/IP processing and the hook mechanism of Netfilter, in particular the implementation of Netfilter. It then proposes an IPSec processing framework based on Netfilter that brings the IPSec implementation into the IP protocol stack without affecting the operating system's original stack. The framework can reuse functions already provided by the kernel network stack and retains the efficiency of the kernel, which makes the implementation more reasonable and feasible.

Third, the thesis designs and implements the IPSec VPN processing framework based on Netfilter. Using the openness of Linux, the hook mechanism and Openswan, it reconstructs the KLIPS module into a new IPSec processing module, loads that module into the kernel with loadable-kernel-module technology, and registers the IPSec processing module on a Netfilter hook. The method forms a new and efficient IPSec processing module at the IP layer.

Finally, the thesis builds the IPSec VPN system in a virtual-machine environment, carries out preliminary functional and performance testing of the method, and analyses the test results. The experimental results show that the method guarantees the security of communication between the gateways and, compared with Openswan's virtual-interface mechanism, speeds up packet forwarding and improves the throughput and response time of the gateway.
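The hook-based packet path the abstract describes, modelled in user space as an added example (not code from the thesis or from Openswan): a stand-in for the Netfilter hook lists and an IPsec processing step that consults a constructed SPD on PRE_ROUTING and POST_ROUTING. The hook point names mirror the kernel's, but the registration and traversal functions, the SPD entries and all addresses are constructed here.

```c
#include <stddef.h>
#include <stdint.h>

enum hook { NF_PRE_ROUTING, NF_POST_ROUTING, NF_HOOK_MAX }; /* hook points the module registers on */
enum verdict { NF_DROP, NF_ACCEPT };
enum action { BYPASS, DISCARD, PROTECT };                    /* RFC 4301 SPD actions */
#define IPPROTO_ESP 50
#define NET(a, b, c) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8))
struct pkt { uint32_t src, dst; uint8_t proto; uint32_t spi; }; /* spi: ESP SPI, 0 for cleartext */
typedef enum verdict (*hookfn)(struct pkt *);
static hookfn chain[NF_HOOK_MAX][4];                         /* stand-in for the kernel's hook lists */
static int nchain[NF_HOOK_MAX];

/* Stand-ins for nf_register_net_hook() and nf_hook(): append a hook, run hooks until one drops. */
static void register_hook(enum hook h, hookfn fn) { chain[h][nchain[h]++] = fn; }
static enum verdict traverse(enum hook h, struct pkt *p) {
    for (int i = 0; i < nchain[h]; i++) if (chain[h][i](p) == NF_DROP) return NF_DROP;
    return NF_ACCEPT;
}

/* Constructed SPD: /24 selector for the remote network -> action and the SA's SPI. */
struct spd_entry { uint32_t net; enum action act; uint32_t spi; };
static const struct spd_entry spd[] = {
    { NET(10, 1, 0), PROTECT, 0x1001 },                       /* peer gateway's LAN: ESP required */
    { NET(10, 9, 0), DISCARD, 0 },                            /* blocked network */
};
static const struct spd_entry *spd_lookup(uint32_t addr) {
    for (size_t i = 0; i < sizeof spd / sizeof *spd; i++)
        if ((addr & 0xffffff00u) == spd[i].net) return &spd[i];
    return NULL;                                              /* no entry means BYPASS */
}

/* Outbound step on POST_ROUTING: apply policy, then ESP-encapsulate (crypto omitted in this model). */
static enum verdict ipsec_out(struct pkt *p) {
    const struct spd_entry *e = spd_lookup(p->dst);
    if (!e || e->act == BYPASS) return NF_ACCEPT;
    if (e->act == DISCARD) return NF_DROP;
    p->spi = e->spi; p->proto = IPPROTO_ESP; return NF_ACCEPT;
}
/* Inbound step on PRE_ROUTING: accept ESP only on a known SA; drop cleartext from a PROTECT peer. */
static enum verdict ipsec_in(struct pkt *p) {
    const struct spd_entry *e = spd_lookup(p->src);
    if (p->proto != IPPROTO_ESP) return (e && e->act == PROTECT) ? NF_DROP : NF_ACCEPT;
    if (!e || e->act != PROTECT || e->spi != p->spi) return NF_DROP;
    p->proto = 6; p->spi = 0; return NF_ACCEPT;               /* decapsulated inner packet (TCP here) */
}

/* Gateway forwarding path; the first call plays the role of module_init() and registers the hooks. */
static enum verdict gateway_forward(struct pkt *p) {
    if (nchain[NF_PRE_ROUTING] == 0) { register_hook(NF_PRE_ROUTING, ipsec_in); register_hook(NF_POST_ROUTING, ipsec_out); }
    if (traverse(NF_PRE_ROUTING, p) == NF_DROP) return NF_DROP;
    return traverse(NF_POST_ROUTING, p);
}
```

The inbound check that refuses cleartext from a peer whose policy is PROTECT is the part most often forgotten in hook-based designs; without it, the gateway would accept unprotected traffic that claims to come from the tunnel peer.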
Keywords/Search Tags: IPSec, VPN, Linux, Netfilter, Gateway