Research And Design On Virtual Private Network Of Centralized Management And Distributed Forwarding

Posted on: 2007-08-11
Degree: Master
Type: Thesis
Country: China
Candidate: Z C Zhang
GTID: 2178360242479410
Subject: Software engineering

Abstract/Summary:
A new VPN (Virtual Private Network) architecture named Active VPN, based on IPSec tunneling mode, is put forward, and its differences from the other kinds of VPN in use are analyzed. A complete Active VPN connection includes two steps, the map step and the session step. In the map step, every powered-up VPN client registers its public and private IP address information with the register server, which acts as the center for all VPN clients and distributes this information to other register servers and VPN clients. In the session step, two point-to-point VPN clients exchange map information through the register server over the secure link that was set up in the map step, and with that map information the VPN clients build a point-to-point IPSec tunnel.

With the map step and the session step, IKE, in which defects have been found, is replaced, and the new method avoids those defects. The register server is also used as a KDC (Key Distribution Center), which exchanges the session key and the other security parameters used by IPSec. Some attacks against Active VPN, and some guidelines for protecting the map connection and the session connection, are discussed. Pre-shared key and key agreement techniques are used to build an encrypted connection between the VPN clients and the register server. The pre-shared key method has some disadvantages in identity authentication, but it is fast and has low delay. The key agreement method, on the other hand, has stronger security characteristics such as anti-relaying, anti-reflection and signature, but consumes more CPU resources.

A cryptography card is used to accelerate encryption, but the result is that the capability of the CPU limits the system forwarding speed when the number of simultaneous map connections reaches 400. Finally, the problem of how to develop advanced features such as multi-domain support, trust between domains and support for other tunneling protocols by adding more type format items is analyzed.
Keywords/Search Tags:Virtual Private Network, Authentication, Security Session, Registration