Research and Implementation of VPN Gateway Supporting NAT
|School||Huazhong University of Science and Technology|
|Course||Computer System Architecture|
|Keywords||User Datagram Protocol encapsulation; Network address translation traversal; Virtual private network; Forwarding gateway; Internet Protocol Security|
IPSec, the IP-layer security protocol, provides authentication, data integrity and confidentiality for IP packets and plays an important role in network security, particularly in virtual private networks (VPNs). Network Address Translation (NAT) maps the private addresses within a subnet onto one or several public Internet addresses, which effectively relieves the shortage of IPv4 addresses. An in-depth analysis of the IPSec and NAT protocols shows that serious incompatibilities exist between them: when an IPSec-protected packet passes through a NAT link, the NAT modifies the packet's IP address or transport identifier, so the packet fails the IPSec security checks and the two ends cannot communicate properly. These incompatibilities severely limit the ability of NAT and IPSec to work together. However, applications in the field of network security frequently require a NAT gateway and an IPSec VPN gateway to operate together.

To this end, we propose modifying an existing VPN system with UDP encapsulation technology so that the VPN can traverse NAT. An address-detection payload is added to the IKE SA negotiation between the VPN gateways to determine whether both gateways support NAT traversal and whether a NAT exists between them. A UDP encapsulation and decapsulation module for ESP and AH packets is added, and the IPSec processing flow is modified accordingly. Finally, the IP fragmentation problem encountered during implementation is solved effectively with ICMP PMTU discovery. When NAT is present on both sides, the VPN device initiating communication cannot, for a variety of reasons, determine the IP address and negotiation port number of the VPN device it connects to, so an encrypted communication tunnel cannot be established. To this end, we propose to use \ The use of UDP encapsulation to traverse the NAT and resolve this is also analyzed.
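As an added illustration (not the thesis's own code), the two mechanisms the abstract describes: UDP encapsulation and decapsulation of ESP on the NAT-traversal port 4500 in the style of RFC 3948, and a NAT-D-style address-detection hash exchanged during IKE negotiation in the style of RFC 3947. The port, cookies, addresses and packet bytes are constructed assumptions.

```python
"""Added example, not the thesis's implementation: UDP encapsulation of ESP
(RFC 3948 style, port 4500) and the NAT-D address check used in IKE negotiation
(RFC 3947 style). Addresses, cookies and packet bytes below are constructed."""
import hashlib
import socket
import struct

NAT_T_PORT = 4500                     # assumed NAT-T port, as in RFC 3948
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # IKE on port 4500 starts with 4 zero bytes
NAT_KEEPALIVE = b"\xff"               # 1-byte keepalive keeps the NAT binding open
UDP_HDR = struct.Struct("!HHHH")      # sport, dport, length, checksum


def udp_encapsulate(inner, sport=NAT_T_PORT, dport=NAT_T_PORT):
    """Prepend a UDP header (checksum 0 = none, allowed for UDP over IPv4).
    ESP is carried as-is because its SPI is never 0; IKE carries the marker."""
    return UDP_HDR.pack(sport, dport, UDP_HDR.size + len(inner), 0) + inner


def udp_decapsulate(datagram):
    """Strip the UDP header and classify what the NAT-T module must hand on:
    ('esp', esp_packet), ('ike', ike_message) or ('keepalive', b'')."""
    sport, dport, length, _ = UDP_HDR.unpack_from(datagram)
    if length != len(datagram) or dport != NAT_T_PORT:
        raise ValueError("not a NAT-T datagram")
    payload = datagram[UDP_HDR.size:]
    if payload == NAT_KEEPALIVE:
        return "keepalive", b""
    if payload.startswith(NON_ESP_MARKER):
        return "ike", payload[4:]
    if len(payload) >= 8:             # at least SPI (4) + sequence number (4)
        return "esp", payload
    raise ValueError("runt ESP packet")


def nat_d_hash(cookie_i, cookie_r, ip, port):
    """NAT-D payload value: SHA-1(CKY-I | CKY-R | IP | port) computed over the
    address and port a peer believes it is sending from."""
    return hashlib.sha1(cookie_i + cookie_r + socket.inet_aton(ip)
                        + struct.pack("!H", port)).digest()


def nat_detected(received, cookie_i, cookie_r, seen_ip, seen_port):
    """The receiver recomputes the hash from the source address it actually
    observed; a mismatch means a NAT rewrote the address or port in transit."""
    return received != nat_d_hash(cookie_i, cookie_r, seen_ip, seen_port)
```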