
Research On IPsec VPN Server Software Based On The New National Standard

Posted on: 2018-11-16
Degree: Master
Type: Thesis
Country: China
Candidate: Y T Guo
GTID: 2348330518998578
Subject: Computer application technology

Abstract/Summary:
With the rapid development of Internet technology, people's daily life and office work have become fully networked, and the network has become an important part of China's economic development. However, while the network makes our lives easier, network security issues have become increasingly prominent. The security of network data is the main problem in the development of network technology. IPSec VPN is the most widely used technology for protecting the security of network data. It establishes a virtual data transmission channel in the network through security policy negotiation, and uses data encryption and authentication algorithms to protect the network data. The core of IPSec VPN technology is a set of IPSec protocol components proposed and developed by the Internet Engineering Task Force (IETF). At present there are many VPN products based on the IPSec protocol, each with a different implementation. China's National Bureau of Cryptography has developed an IPSec VPN technical specification that is consistent with the development of network security technology in China. The latest version was released in 2014.

The goal of this thesis is to implement IPSec VPN server software that conforms to the national standard. First, the thesis analyzes the problems in the standard IPSec protocol and designs a new IPSec protocol framework based on the IPSec VPN specification and the national encryption standard. Then it studies the IKE protocol of IPSec VPN as defined by the IPSec VPN specification, and analyzes and discusses the format of the data packets exchanged during negotiation. Based on the IPSec kernel framework, it analyzes the processing flow by which IPSec sends and receives network packets. It studies the mechanism of the Linux kernel encryption library and adds the encryption algorithms to it. Finally, on the basis of the open source IPSec server software OpenSwan, the IPSec VPN software is modified and implemented in accordance with the requirements of the new national VPN standard.

The main work of this thesis:

1. The contents of the IPSec VPN protocol specification and the new national standard are studied. The thesis analyzes the IKE negotiation process and the IPSec kernel encryption framework. It analyzes the national cryptographic algorithms: the symmetric algorithms SM1/SM4, the asymmetric algorithm SM2 and the hash algorithm SM3.

2. The thesis designs an IPSec VPN protocol framework oriented to the new national cryptographic standard. It implements an IKE negotiation process that conforms to the national standard. Authentication is implemented with the national digital certificate, and the data packets conform to the national standard.

3. The thesis implements the national standard encryption framework and uses the national algorithms for encryption and authentication protection of network data. It analyzes how IP packets are processed in the kernel layer. The national cryptographic algorithms are added to and registered with the Linux kernel encryption library by writing an encryption card driver. The software separates the USB key and the hardware encryption card between the application layer and the kernel layer.

4. The IPSec VPN software is tested for function and performance. The software meets the requirements of the national standard and has good communication efficiency.

The IPSec VPN software implemented in this thesis meets the requirements of the new national standard. In the negotiation stage, the software combines the USB key device with authentication based on the national digital certificate, which gives high reliability and security. The transmitted network data is authenticated and protected by the national standard encryption algorithms, which are provided by the hardware encryption card, ensuring that the software has a high communication speed. The software has a high transmission rate and runs stably, and can provide strong support for current network data protection.
Keywords/Search Tags:IPSec VPN, New National Standard, National Standard Encryption Algorithm, OpenSwan