
The Implementation And Test Program Design Of IPsec-IKE

Posted on: 2015-08-24
Degree: Master
Type: Thesis
Country: China
Candidate: B L Wang
GTID: 2308330464464682
Subject: Electronics and Communications Engineering
Abstract/Summary:
With the rapid development and spread of the Internet, network security receives more and more attention, and various solutions have been proposed to meet the demand for it. IPsec, a network security protocol, protects network data and defends private networks (VPNs) against various attacks such as hacking, tampering and replay. It simplifies security handling for the protocols above IP and is versatile. This thesis systematically studies and analyzes the IPsec-IKE protocol suite. It mainly presents an implementation of IPsec-IKE that uses Main Mode in the first phase and Quick Mode in the second phase, together with the design of an IPsec-IKE test scheme.

IPsec is not a single protocol but a set of protocols that together provide a complete and systematic security architecture, which can effectively ensure the security of data on the network. Its components are AH, ESP and IKE (AH and ESP provide the security services, IKE handles key exchange), along with a series of authentication and encryption algorithms. IPsec provides four security services for IP-layer packets: data encryption, data integrity checking, data origin authentication and anti-replay protection. Before a data protection protocol can encapsulate an IP packet, IPsec must establish the protected channel, namely the IPsec SA (IPsec security association). An IPsec SA can be created in two ways: by manual configuration or by negotiation with the IKE protocol. IKE not only generates IPsec SAs automatically but also provides higher security.

During negotiation, IKE encrypts, integrity-checks and authenticates its messages and guards against denial-of-service attacks. More importantly, it uses the DH algorithm, so only key material is exchanged during the message exchange and never the key itself. Even if someone intercepts a message, they cannot obtain the encryption key and therefore cannot break the exchanged messages.

The thesis analyzes and discusses in detail the entire process by which IKE automatically establishes an IPsec tunnel that then protects the data. The process consists of two phases. The first phase negotiates and establishes the IKE SA. Its main tasks are to agree on the SA policy used by both sides and to exchange key information, ID information and authentication information. The first phase has two negotiation modes, Main Mode and Aggressive Mode. The second-phase exchange, also called the Quick Mode exchange, completes the establishment of the IPsec SA. Once the first phase has established the IKE SA, subsequent exchange packets are encrypted and authenticated by the IKE SA. Subsequent exchange packets that are not protected by the IKE SA are discarded directly without further processing.

The thesis describes an implementation of IPsec-IKE in which the first phase uses the Main Mode exchange and the second phase uses the Quick Mode exchange. It analyzes in detail the process by which the communicating parties' identities are negotiated and confirmed, as well as the methods and process for creating the negotiation packets. It then combines the features of IPsec-IKE with the test network topologies that IPsec-IKE supports to design the test program. The test program can effectively help test engineers gain an in-depth understanding of IPsec-IKE.
Keywords/Search Tags: IPsec, IKE, SA, Main mode negotiation, Quick mode negotiation
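
The drop rule described in the abstract (once the IKE SA exists, exchange packets not protected by it are discarded) can be pre-checked at the ISAKMP header before any decryption. The following is an added example, not code from the thesis, using the fixed header layout and exchange-type values from RFC 2408 and RFC 2409. The `established` SA table, the `build` helper and its sample cookies are assumptions constructed for illustration; decrypting the payloads and verifying the HASH payload, which follow a passing header check, are outside its scope.

```python
import struct

# ISAKMP fixed header (RFC 2408): cookies 8+8, next payload, version,
# exchange type, flags, message ID, total length = 28 bytes.
HDR = struct.Struct("!8s8sBBBBII")
MAIN_MODE, AGGRESSIVE_MODE, QUICK_MODE = 2, 4, 32  # exchange type values
FLAG_ENCRYPTED = 0x01                              # flags bit 0
IKEV1 = 0x10                                       # major 1, minor 0


def parse_header(datagram):
    """Return the header fields, or raise ValueError if malformed."""
    if len(datagram) < HDR.size:
        raise ValueError("shorter than an ISAKMP header")
    icookie, rcookie, _next, version, xchg, flags, msg_id, length = HDR.unpack_from(datagram)
    if version != IKEV1 or length != len(datagram):
        raise ValueError("bad version or length field")
    return {"sa": (icookie, rcookie), "xchg": xchg, "flags": flags, "msg_id": msg_id}


def accept(datagram, established):
    """Header-level verdict. `established` is a hypothetical SA table:
    the set of (initiator cookie, responder cookie) pairs with a live IKE SA."""
    try:
        h = parse_header(datagram)
    except ValueError:
        return "drop: malformed"
    if h["xchg"] in (MAIN_MODE, AGGRESSIVE_MODE):
        # Phase 1 always uses message ID 0.
        return "accept: phase 1" if h["msg_id"] == 0 else "drop: malformed"
    if h["xchg"] != QUICK_MODE:
        return "drop: exchange type not handled in this example"
    if h["sa"] not in established:
        return "drop: no IKE SA"
    # Quick Mode runs under the IKE SA: encrypted, non-zero message ID.
    if not h["flags"] & FLAG_ENCRYPTED or h["msg_id"] == 0:
        return "drop: not protected by IKE SA"
    return "accept: phase 2"


def build(xchg, flags, msg_id, body=b"", icookie=b"I" * 8, rcookie=b"R" * 8):
    """Constructed sample datagram (not a captured packet)."""
    return HDR.pack(icookie, rcookie, 0, IKEV1, xchg, flags, msg_id, HDR.size + len(body)) + body


if __name__ == "__main__":
    table = {(b"I" * 8, b"R" * 8)}
    print(accept(build(QUICK_MODE, FLAG_ENCRYPTED, 0x1234, b"\x00" * 16), table))
    print(accept(build(QUICK_MODE, 0, 0x1234), table))
```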