Design And Implementation Of IPSec VPN Server Kernel System Based On State Cryptography

Posted on: 2016-01-25
Degree: Master
Type: Thesis
Country: China
Candidate: X J He
Full Text: PDF
GTID: 2348330488474536
Subject: Engineering
Abstract/Summary:
The rapid development of Internet technology brings convenience to people's lives, but it is accompanied by security issues that cannot be ignored. Establishing a virtual private network (VPN) over the public network using cryptographic technology has become one of the important means of ensuring network security. IPSec is an Internet protocol security project proposed by the Internet Engineering Task Force (IETF) and is primarily responsible for security at the network layer. Because of its ease of deployment and robust security, it has become the first choice for building high-performance VPN solutions. IPSec VPN technology has therefore been promoted rapidly, and its associated products play an important role in network security. However, because of the openness of the IPSec cryptographic algorithms, the fact that the main technology is owned by foreign organizations, and other issues, IPSec VPN technology based on international standards does not suit China's national conditions.

The purpose of this thesis is to design and implement a kernel system for IPSec VPN servers that conforms to the standards of the State Encryption Administration. Based mainly on the "IPSec VPN technical specifications" established by the State Encryption Administration, it studies in depth the kernel-based IPSec implementation architecture, transforms and optimizes the IPSec kernel layer, and ultimately achieves a stable, easy-to-deploy IPSec VPN server kernel architecture that conforms to the State Encryption Administration's standards.

The main results of this study are:

1. Expanded the IPSec cryptographic algorithms: the symmetric encryption algorithm SM4 and the hash algorithm SM3, both conforming to State Encryption Administration standards, are registered with the kernel cryptographic framework for asynchronous block invocation by the IPSec VPN server, providing privacy and integrity protection between communicating entities.
2. Optimized the way the IPSec kernel calls external cryptographic algorithms by designing a framework based on a work queue and the producer-consumer model. In actual testing, the average data transfer rate for one-way TCP can reach 400 Mbps, an efficiency increase of 30% compared with the general calling method.
3. Modified the IPSec negotiation packet format so that IPSec packets can traverse NAT, ultimately allowing the system to be deployed and applied on NAT networks.
4. Optimized and trimmed the IPSec IPv6 network kernel module so that the system supports IPv6 networks.

To sum up, this thesis implements the associated requirements of the "IPSec VPN technical specifications" and adds a new framework, based on the original kernel, for calling the encryption card. System performance is greatly improved.
Keywords/Search Tags: IPSec VPN, Guomi Standards, Kernel Architecture, Adding Algorithm