In recent years, as both IPSec and NAT have come into ever wider use, the conflict between them has become increasingly prominent. IPSec improves the security of network and data communication, while NAT relieves the shortage and rising cost of IPv4 addresses. The two technologies, however, are inherently incompatible in their structure, transmission principle and protocol operation.

This thesis surveys the theoretical and practical literature at home and abroad on IPSec and NAT compatibility, builds an in-depth understanding of IPSec, NAT, their joint operation and the NAT-T mechanism, and proposes an improvement to the NAT-T process. The work consists of three parts.

1. Study of the relevant technologies: VPN, the IPSec security architecture and the working mechanism of NAT. The incompatibility between NAT and IPSec/IKE is analysed from several aspects, together with the complex business processes of combining them, and the advantages and disadvantages of the existing solutions are pointed out.

2. Improving the security of the first phase of the IKE negotiation. The UDP-encapsulation scheme for making IPSec and NAT compatible is studied, with emphasis on the IKE negotiation mechanism (phase 1 and phase 2 of the IKE negotiation) and on the encapsulation and exchange strategy. A double hash computation for the NAT-D payload is presented; it ensures the integrity of the IKE protocol data and has a certain effect in preventing by-pass monitoring and the interception and tampering of network data.

3. An improved NAT-T traversal based on a trusted third party. The existing compatibility scheme, which carries IPSec across NAT by UDP encapsulation of the ESP format, not only depends on that encapsulation but also restricts which host may initiate the IKE negotiation: the host that initiates the IKE negotiation must be located behind a NAT device, in the private network (intranet). The fundamental reason is that the NAT-T mechanism is one-way in practical traversal, i.e. it supports only the "IPSec-NAT-Network-IPSec" mode. This thesis proposes an improved NAT-T traversal based on a trusted third party, which achieves the "network communication node-IPSec-NAT-NAT-IPSec-node" mode, and at the same time uses a PKE mechanism to improve the security of the communicating entities.
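The baseline that the NAT-D improvement in part 2 builds on is the NAT detection of RFC 3947: each IKE peer sends hashes of the addresses it believes are in use, and the other side compares them with the addresses it actually observes on the packet. The following Python is an added example, not code from the thesis; it implements that standard mechanism only (the thesis's own double-hash computation is not specified in the abstract and is not reproduced here). It assumes SHA-1 as the negotiated hash and uses constructed cookies and addresses, and its scenario is the one-way "IPSec-NAT-Network-IPSec" case described above: an initiator in a private network behind a NAT talking to a responder with a public address.

```python
"""
NAT detection with IKEv1 NAT-D payloads (RFC 3947), as an illustration of the
baseline mechanism the thesis builds on. Constructed example, not thesis code.
"""
import hashlib
import ipaddress
import struct


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, algo: str = "sha1") -> bytes:
    """NAT-D payload data: HASH(CKY-I | CKY-R | IP | Port), RFC 3947 section 4.1.
    The real hash is the one negotiated for the IKE SA; SHA-1 is assumed here."""
    addr = ipaddress.ip_address(ip).packed  # 4 bytes for IPv4, 16 for IPv6
    return hashlib.new(algo, cky_i + cky_r + addr + struct.pack("!H", port)).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, remote_ip, remote_port):
    """Payload order per RFC 3947: the peer's (destination) address first,
    then one payload per local (source) address the sender may use."""
    return [
        nat_d_hash(cky_i, cky_r, remote_ip, remote_port),
        nat_d_hash(cky_i, cky_r, local_ip, local_port),
    ]


def detect_nat(cky_i, cky_r, received, observed_src_ip, observed_src_port, own_ip, own_port):
    """Evaluate the NAT-D payloads received from the peer.

    - If the first payload does not match a hash of *our* address, something
      rewrote our address on the way: we are behind a NAT.
    - If none of the remaining payloads matches the source address/port we
      actually observed on the packet, the peer's address was rewritten:
      the peer is behind a NAT.
    Returns (peer_behind_nat, self_behind_nat).
    """
    dst_hash, *src_hashes = received
    self_behind_nat = dst_hash != nat_d_hash(cky_i, cky_r, own_ip, own_port)
    observed = nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
    peer_behind_nat = observed not in src_hashes
    return peer_behind_nat, self_behind_nat


def demo():
    """Constructed scenario: initiator in a private network behind a NAT,
    responder on a public address (the one-way "IPSec-NAT-Network-IPSec" case)."""
    cky_i = bytes.fromhex("0102030405060708")  # constructed ISAKMP cookies
    cky_r = bytes.fromhex("a1a2a3a4a5a6a7a8")
    init_priv = ("10.0.0.5", 500)        # initiator as it sees itself
    init_nat = ("198.51.100.10", 61000)  # initiator as the NAT presents it (constructed)
    resp_pub = ("203.0.113.7", 500)      # responder, not behind a NAT

    # Initiator builds its payloads from the addresses it knows.
    from_init = build_nat_d_payloads(cky_i, cky_r, *init_priv, *resp_pub)
    # Responder observes the NAT-translated source address on the wire.
    resp_view = detect_nat(cky_i, cky_r, from_init, *init_nat, *resp_pub)

    # Responder answers with payloads built from what it observed.
    from_resp = build_nat_d_payloads(cky_i, cky_r, *resp_pub, *init_nat)
    init_view = detect_nat(cky_i, cky_r, from_resp, *resp_pub, *init_priv)

    return {
        "responder_sees_peer_behind_nat": resp_view[0],
        "responder_sees_self_behind_nat": resp_view[1],
        "initiator_sees_peer_behind_nat": init_view[0],
        "initiator_sees_self_behind_nat": init_view[1],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Both sides learn that the initiator is the one behind a NAT, which is what triggers the switch to UDP encapsulation on port 4500. Because the payloads are plain hashes over public data (cookies, address, port), they give detection but no integrity protection of their own; that gap is what the thesis's double hash for the NAT-D payload is aimed at.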