LI Jian-jun,XU Duan-qing,GUO Wei-qing

DOI: https://doi.org/10.3969/j.issn.1000-7024.2005.09.068

2005-01-01

Abstract:Combining with living examples and based on IPSEC,the realization of the VPN system was approached in many internet circumstances of remote access(such as gateway,broadband,xDSL etc.),and in view of the deficiency and the hidden troubles of the traditional static password,introduces a working mechanism was introduced which took into consideration both the tokencard two factor authentication and Windows AD,and proveds to be flexible and liable for the single-sign on clients.

陆敏锋,平玲娣,李卓

DOI: https://doi.org/10.3969/j.issn.1000-3428.2010.03.051

2010-01-01

Abstract:Aiming at the problem that the IPSec-based VPN product, this paper designs and achieves a IPSec-based VPN test system running on the Linux platform. This paper introduces the IPSec protocol and its architecture, and presents the design and achievement of the test system through analyzing the principle of the IPSec protocol. Experiment result shows that this test system is feasible and effective.

Yan Shen,Qi-fei Zhang,Ling-di Ping,Yan-Fei Wang,Wen-juan Li

DOI: https://doi.org/10.1109/trustcom.2012.41

2012-01-01

Abstract:In the existing large-scale performance test of IPsec tunnel, it often needs special software and hardware. To solve the problem, this article proposed a new method, in which packet was encapsulated in user space, and a multi-tunnel controller was designed and implemented with the method of FSM(finite state machine), which controlled the negotiation and establishment of multiple tunnel, including L2tp, IKEv1, IKEv2, IKEv2+EAP and L2tp Over IPsec. Libpcap was used as the bottom layer driver of package, and the application of zero copy technique had reduced system cost immensely. At last, the result of the experiment verified the performance of the IKEv1 tunnel on Tunnel-mode and Transport-mode.

Song Wang,Hongbing Lv

DOI: https://doi.org/10.1109/iccps.2011.6089933

2011-01-01

Abstract:In the existing IPSec architecture, in which tunnel is built in kernel, the number of concurrent tunnels is restricted by IP address configured on the machine and user can not control the process of establishing tunnel. This brings inconvenience when we use personal computer to measure the performance parameters of VPN Gateway (e.g. the maximum number of concurrent tunnels and the maximum rate of the new tunnels built). In order to solve this problem, this paper presents a novel IPSec multi-tunnels concurrent architecture which uses distributed objects to build tunnels in user space. The architecture privodes one Console which are used to control all AgentNodes and multiple AgentNodes which are used to build tunnels. In AgentNode, the negotiation processing of tunnels, the IPSec processing of packets and the protocol processing of TCP/IP are all completed in user space by objects. Meanwhile, AgentNode uses virtual IP address instead of local IP address to negotiate tunnel and the number of concurrent tunnels will be unlimited (only limited by memory). Moreover, based on distributed architecture, the number of AgentNode can be arbitrarily extended. Therefore, the system has a great deal of flexibility on the number of concurrent tunnels and the rate of tunnel establishment, which helps to accurately measure the performance parameters of VPN Gateway.

Bo Ji,Jinfang Zhou,Junda Zhu,Liping Qian

DOI: https://doi.org/10.1049/cp:20061251

2006-01-01

Abstract:Networks, along with the explosive growth of the Internet, developed quickly and make our lives more convenient and efficient. However, at the same time, people will face much more network security problems such as illegal observation, modification, IP Spoofing, etc. This article proposes a novel type of universal software architecture named Fastpath which is purposely designed and optimized for Network Element (NE) in the Next Generation Networks (NGN), under Linux. Furthermore, it illustrates the experience in developing IPSec-based VPN gateway over IXP425, and offloading IPSec processing to NPEs and coprocessors by using APIs of software AccessLibrary through Open Crypto Framework (OCF). Finally, we investigate the performance issues both internally and externally. Through the benchmarks, we analyze the performance of the system and identify that Fastpath and network processor together can construct a universal and high-functional platform for NE which focuses on network processing.

黄勇,陈小平,潘雪增,陈红洲,蒋晓宁

DOI: https://doi.org/10.16208/j.issn1000-7024.2008.09.057

2008-01-01

Abstract:Under the WAN environment,large-scale VPN networks is effectively and safely managed by long-distance centralized mana-gement system based on SNMP.To solve the flaw of topology discovery,a method in which agent initiates registry to the server is pro-posed.After analysis of the SNMPv3 security features,the public key authentication mechanism is introduced and the procedure of key negotiation is discussed in detail.For poor reliability and real-time data transmission of UDP-based SNMP,a strategy of configuration based on XML is given,which is proved to be feasible and efficient by the result of experiment at last.

周立峰,周昕,金志权

DOI: https://doi.org/10.3969/j.issn.1001-3695.2002.05.021

2002-01-01

Abstract:In this article, we present some rationale and key technology relevant to the im plementation of VPN based on IPSec, then two kinds of typical implementation are described.

Hua Jiang,Qingrui Wang,Gang Zhang,Jinpo Fan

DOI: https://doi.org/10.1088/1742-6596/1176/4/042007

2019-03-01

Journal of Physics: Conference Series

Abstract:IPSec VPN is a virtual private network technology implemented using the IPSec protocol. Aiming at the problem that the national secret algorithm is relatively less applied to network security products, a gateway based on Openwrt system equipment is designed. The OpenWRT system includes the complete strongswan software, making it easy to set up a VPN. The design replaces the aes algorithm, the sha256 algorithm and the ECDSA algorithm used in the IPSec VPN in the StrongSwan source code with the SM4, SM3 and SM2 algorithms respectively, and replaces the ECDSA-SHA256 certificate with the SM2-SM3 certificate according to the X509 certificate standard to achieve the national secret standard. The SM4, SM3 and SM2 algorithms are provided by the SSX0912 encryption chip, and the certificate is placed in the SSX0912 encryption chip for dense storage. It is proved that the scheme is completely feasible, and the IPSec VPN that can be realized can run stably for a long time and has high practical value. By setting up the development environment test, the gateway runs stably, has small delay, and has higher security, and the device has high communication speed, small occupation volume, high flexibility, and strong specificity.

Abu Zafar Md. Imran,A. Gafur,Syed Zahidur Rashid,Chowdhury Mohammad Masum Refat,Md. Humayun Kabir,Rabiul Hasan Tarek,Towhidul Alam

DOI: https://doi.org/10.1109/ICISET.2018.8745601

2018-10-01

Abstract:The Purpose of this work is to improve the availability and remote access for secure enterprise network infrastructure by using dual hub dual DMVPN (Dynamic Multipoint VPN). Using multipoint GRE (mgre) over IPsec data transmission in the enterprise network is highly reliable secured. DMVPN is a technology that can be associated with different protocols concept such as IPsec encryption, next hop resolution protocol (NHRP), generic routing encapsulation (GRE) and it provides dynamic and static IPsec tunnel between spoke to the hub, spoke to spoke communication. In this paper, we implement the DMVPN technique to constructs a secure enterprise network for an organization and employing hot standby routing protocol (HSRP) to overcome the unavailability and failure of a certain network. The simulation was done by GNS3 and packets were captured by Wireshark software. It was revealed by the test that, DMVPN technology with HSRP protocols completely fulfills the demand of availability that is vital for any enterprises. It offers a faster mode, highly efficient and practically valued venture and also provides accessibility by keeping the network always in upstate thereby facilities for building a safer and highly dependable network infrastructure.

Computer Science,Engineering

沈燕然,张青山,王新,薛向阳

2008-01-01

Abstract:Development of IPv6 networks brought the need of secure communication between private networks and different kind of personal devices.Secure and scalable communication protection scheme is required.While IPSec-VPN is a popular solution,it has several drawbacks such as forced requirement of accessor's knowledge about VPN gateways.In this paper,we proposed a new IPSec-VPN packaging mode-hybrid mode,and gave the implementation of it using Linux kernel netfiltering scheme.Applications show that the hybrid-mode IPSec-VPN works well for different VPN topologies and makes VPN gateways transparent to users.

朱昌盛,余冬梅,王庆梅,谢鹏寿,包仲贤

DOI: https://doi.org/10.3969/j.issn.1000-3428.2002.11.041

2002-01-01

Abstract:The advent of VPN makes it possible for enterprises to transform private confidential massage securely and economically through the Internet. Security tunneling technology is the core technology of VPN, while L2TP IPSec are two tunneling technologies most widely used at present. As the two main accesses to IP network, the combination of L2TP IPSec can share the advantage of L2TP's low cost, initiative, mutual-communication and IPSec's high security, reliability，learn from others' strong points to offset one's weakness, to a great extent, to construct a secure, reliable and low-cost VPN.

Haichun Gao

2004-01-01

Abstract:The constant development of VPN service brings a lot of challenge toVPN management,this paper presents one kind of computer techniques-multi-agent technique to manage VPN. The technique possesses features of intelligence,cooperation,flexibility and expansion etc. It can solve problems of different network architectures and different network service providers. Both client and service provider will win together. This multi-agent based computer technique is very important for solving these problems.

朱祥飞,张申生,顾翊

DOI: https://doi.org/10.3321/j.issn:1002-8331.2003.07.067

2003-01-01

Abstract:This paper describes the IPSec standard firstly,especially on IKE and its defects.Then,to satisfy the agility of the dynamic alliance of modern enterprises,the paper proposes a new VPN solution,which manages and exchanges keys by enterprise CA.The main procedures are presented and merits and defects are discussed.

YANG Hao-miao,ZHANG Wen-ke,JIANG Lei

DOI: https://doi.org/10.3969/j.issn.1002-0802.2012.06.002

2012-01-01

Abstract:IPSec is a basic security protocol of the Internet.The communicating peers should implement mutual ID authentication prior to the building up of IPSec channel.Traditional experiment of IPSec ID authentication is based on "Pre-shared keys".Two more general experiments are designed,respectively based on "Kerberos Protocol" and "Certificate".And the experiment based on virtual machine platform is comparatively convenient and economical.In addition,various security apparatuses on Windows platform are also involved in the comprehensive experiment,including active directory,DNS server,DHCP server,firewall,certification authority(CA),and so on.

Zhao Ling

Abstract:This paper is the research of security gateway that can set up a Virtual Private Network(VPN),the gateway adopts IPSec protocol as the security protocol of the network layer.Firstly,introduces the concept of VPN and its critical techniques;Secondly,describes the key technique to implement VPN security gateway—IPSec and its architecture,working mode and implement structure; Finally,analyzes the important role of security gateway in VPN system in detail.

Engineering,Computer Science

Yun-he Zhang,Zhi-tang Li,Mei-zhen Wang,Ling Xiao

DOI: https://doi.org/10.1109/etcs.2009.639

2009-01-01

Abstract:Internet has become the universal information communications infrastructure. VPN is commonly used to implement communications over different branch intranets. IPSec is a suit of protocols that adds security to communications at the IP layer, and it is a popular technology to implement VPN. On the basis of analysis on the insufficiency of traditional IPSec systems, a multi-link aggregate IPSec model is proposed. The new model can negotiate multiple groups of security policies on different physical links for same branch intranet pair, and distribute IPSec traffics over multiple links. A prototype system of the new model which is based on Netfilter mechanism is implemented on Linux platform. Analysis on the test result from the prototype system shows that the new model can work better under the environment of multi-link, and can enhance the capability and reliability of VPN application.

XIANG Zhong-hua,LI Qi,QING Si-han,MU Hai-bing

DOI: https://doi.org/10.3969/j.issn.1673-0291.2007.02.017

2007-01-01

Abstract:A user space VPN scheme based on TLS protocol is presented and its security is analyzed. The scheme overcomes the complexity of IPSEC and increases the usability of VPN. Under the local area network and public network, user space VPN scheme is tested. The result indicates that the user space VPN scheme can meet the requirements of low bandwidth of dial-up network and the use of encryption scheme dose not obviously increase the cost of communication.

郑刚,周源远,张福炎

DOI: https://doi.org/10.3969/j.issn.1001-3695.2003.10.030

2003-01-01

Abstract:This paper explores the advantages and disadvantages of IPSec VPN and MPLS VPN according to VPN requirements, and puts forward a VPN solution integrated with IPSec and MPLS, which is aimed to get the advantages of the two techniques.

David Isaac Wolinsky,Linton Abraham,Kyungyong Lee,Yonggang Liu,Jiangyan Xu,P. Oscar Boykin,Renato Figueiredo

DOI: https://doi.org/10.48550/arXiv.1001.2575

2010-01-15

Abstract:Centralized Virtual Private Networks (VPNs) when used in distributed systems have performance constraints as all traffic must traverse through a central server. In recent years, there has been a paradigm shift towards the use of P2P in VPNs to alleviate pressure placed upon the central server by allowing participants to communicate directly with each other, relegating the server to handling session management and supporting NAT traversal using relays when necessary. Another, less common, approach uses unstructured P2P systems to remove all centralization from the VPN. These approaches currently lack the depth in security options provided by other VPN solutions, and their scalability constraints have not been well studied. In this paper, we propose and implement a novel VPN architecture, which uses a structured P2P system for peer discovery, session management, NAT traversal, and autonomic relay selection and a central server as a partially-automated public key infrastructure (PKI) via a user-friendly web interface. Our model also provides the first design and implementation of a P2P VPN with full tunneling support, whereby all non-P2P based Internet traffic routes through a trusted third party and does so in a way that is more secure than existing full tunnel techniques. To verify our model, we evaluate our reference implementation by comparing it quantitatively to other VPN technologies focusing on latency, bandwidth, and memory usage. We also discuss some of our experiences with developing, maintaining, and deploying a P2P VPN.

Networking and Internet Architecture,Distributed, Parallel, and Cluster Computing

Liu Hao,Yang Shutang,He Dequan,Xia Weiwei

DOI: https://doi.org/10.3969/j.issn.1000-386X.2006.07.002

2006-01-01

Abstract:This paper designed an IPSec VPN education experiment system and implemented it.By using virtual device technique,it can support large-scale education experiment,fulfilled the need which is at least two hundred students can join the experiment.By using ASP,COM,and information analysis & intercept technique,it can support alternating education experiment,and its interface is friendly.This education system is easy to use and completely supports all kinds of experiments based on IPSec VPN.