
Design And Implementation Of State Cryptography IPSec VPN Security Scheme Based On Strong Swan

Posted on: 2018-05-06
Degree: Master
Type: Thesis
Country: China
Candidate: K K Li
GTID: 2348330518998666
Subject: Cryptography

Abstract/Summary:
With the rapid development of Internet technology, more and more people enjoy the convenience of resource sharing, which greatly facilitates work and study and improves efficiency and living standards. However, in an open Internet environment, transmitted information is exposed to a variety of attacks and threats, and data security is difficult to guarantee. A traditional private network can guarantee the security and reliability of data transmission, but its implementation and maintenance costs are too high, so virtual private network (VPN) technology came into being. The most commonly used VPN technology today is IPSec VPN.

Mainstream IPSec VPN technology and equipment currently use encryption technology developed by international organizations. The algorithms are international standard algorithms and are generally published openly on the network, so there are concerns about insufficient security. Therefore, based on the open-source IPSec project strongSwan and following the State Cryptography Administration's latest revised standard, the IPSec VPN Technical Specification, this thesis designs a state cryptography IPSec VPN security scheme for embedded Linux, combined with a USB encryption card. The main work of the thesis is as follows:

1. Studied the IPSec-related protocols. After analyzing and comparing the advantages and disadvantages of the open-source IPSec projects strongSwan and Openswan, strongSwan was chosen as the basis for the design.

2. Analyzed the structure of the strongSwan source code. Without changing the overall flow of strongSwan's IKE and ESP protocols, the international algorithms used by IKE and ESP were replaced with the corresponding state cryptography algorithms. Because software encryption offers poor security, the state cryptography algorithms are implemented with the USB encryption card.

3. Streamlined the Mass Storage driver used by the USB encryption card, emphasizing the simplicity and efficiency expected of an embedded system. Data communication between the USB encryption card and the host computer uses the Bulk-only protocol, and the host computer selects among the different state cryptography algorithms by sending a specific command word to the encryption card. Because developing directly in the Linux kernel is more difficult, the libusb library was used for driver-free development. A set of encrypted communication programs between the card and the host computer was developed independently, completing the implementation of the different state cryptography algorithms.

4. During operation, strongSwan requires the identities of both sides of the communication to be verified. By default strongSwan uses RSA or ECDSA X.509 certificates to verify identity. After strongSwan's public key algorithm is replaced with the state cryptography SM2 algorithm, state cryptography SM2 certificates can be made and used to verify the two sides. In addition, a simple CA center was designed and implemented under Linux to generate and manage certificates.

5. The modified strongSwan program was cross-compiled on a Linux system and ported to the embedded development board, and an IPSec VPN environment was set up for testing. The analysis shows that the scheme is very secure, its VPN performance is good, and it runs stably.
Keywords/Search Tags: VPN, IPSec, strongSwan, state cryptography, embedded Linux