Design And Implementation Of IPSec VPN Server Based On Guomi Standard

Posted on: 2015-12-29 | Degree: Master | Type: Thesis
Country: China | Candidate: Y B Zheng
GTID: 2298330431462632 | Subject: Computer application technology
Abstract/Summary:
It is an indisputable fact that the Internet has become an important part of the national economy and of business, and that it constantly penetrates into every aspect of national life. The Internet uses public networks for communication, and its original design did not consider security issues; after numerous network security events, people gradually came to realize the importance of network security. Because building and maintaining dedicated physical networks is very expensive, it was proposed to use the public network to establish virtual private networks (VPN) based on cryptography. The State Encryption Administration in our country, following the RFC standards, has also formulated the corresponding IPSec VPN technical specification. This paper implements a Guomi standard IPSec VPN server according to the 2010 version of The State Encryption Administration IPSec VPN technical specification.

The main work of this paper covers two aspects: the application layer and the kernel layer. In the application layer, IKE management is based on the open source project OpenSwan and covers four aspects: adding algorithms, IKE processing, updating the message format, and testing against the standard. Following the Guomi standard, SM1 is used as the symmetric block encryption algorithm, together with a physical random number generation mechanism. The differences between the RFC and the Guomi standard IKE processes are modified, especially the key exchange process, which does not use algorithms such as DH. At the same time, the work completes the format encapsulation and the contents of the specified payloads in the communication between the user layer and the kernel layer.

The kernel layer uses NETKEY, the Linux kernel IPSec implementation, with three hardware encryption cards providing the encryption functions. Within the kernel's encryption and decryption framework, it implements the common encryption algorithm and the synchronous block encryption algorithm, and it adds to the kernel IPSec protocol the new algorithms and identifiers stipulated by the Guomi standard. It also addresses the parts where the kernel IPSec protocol differs from the Guomi standard. Based on a general-purpose server architecture, this paper presents a Guomi standard IPSec VPN server that uses the algorithms provided by the hardware encryption cards. Tests with a variety of encryption cards and a variety of encryption algorithm mechanisms show that the server throughput can reach more than half of the encryption card's limit rate.
Keywords/Search Tags:Guomi, IPSec, VPN, OpenSwan, NETKEY