ARM-VPN Design and Implementation Based on PolarSSL

Posted on: 2014-09-05
Degree: Master
Type: Thesis
Country: China
Candidate: Q Huang
GTID: 2268330425975918
Subject: Software engineering

Abstract/Summary:
This research topic comes from the SmartGateway project, whose hardware platform is an ARM board. By default, SmartGateway integrates an IPSec VPN module that provides network-layer VPN functionality. IPSec provides only its default encapsulation and encryption of user data at the network layer and is tightly coupled to the kernel; a VPN channel can be established only through the set of interfaces the system provides, so users cannot extend it to meet their own VPN needs. In addition, the IPSec peer communication model requires the communicating parties to have fixed IP addresses, so it cannot work transparently with dynamic IP addresses. In summary, IPSec is tightly integrated with the system kernel and difficult to extend, uses a point-to-point communication model, and is complex to configure, all of which limit its application in the SmartGateway project.

The open-source OpenVPN does not fully consider efficient implementation on low-end CPUs. Establishing a secure channel relies on a complete SSL protocol workflow, and every key exchange requires authentication, which consumes a lot of CPU resources on an ARM board.

Based on a full analysis of the needs of the SmartGateway project and a comprehensive comparison of the advantages and disadvantages of IPSec VPN and OpenVPN in this application, this paper proposes AVPN, a framework designed specifically for ARM boards. The AVPN architecture combines two design ideas: the two-stage negotiation of IPSec and the userland IP packet encapsulation of OpenVPN. The implementation is more lightweight and is especially suited to ARM boards, where hardware resources are scarce. To realize AVPN, this paper does the following work:

(1) Defines the AVPN protocol. A dual-channel transmission strategy separates key exchange from data transmission by designing a control protocol and a recording protocol. The dual channel not only removes the coupling that required authentication on every key change, but also solves the blocking problem in which a key change forced all data to wait until the key exchange completed. Key exchange and data transmission can proceed simultaneously, which improves the transmission efficiency of the AVPN network.

(2) Designs channel demultiplexing to achieve tunneling over a single UDP port. UDP tunneling solves the dual-TCP overlay problem. Channel demultiplexing allows AVPN to listen on just one UDP port, reducing the consumption of system resources.

(3) Implements the AVPN workflow, using a TAP/TUN virtual NIC to encapsulate IP packets in user mode.

(4) Implements a CA certificate management subsystem that provides certificate generation, certificate revocation, certificate storage and download, binding of certificates to devices, and other management functions.

Finally, the AVPN code was cross-compiled and an ARM platform test environment was established, and the test results were compared with OpenVPN. The results show that when the key replacement interval is smaller, AVPN network performance is more stable.
Keywords/Search Tags:AVPN, Control protocol, Recording protocol, Channel multiplexing