A case of integrated application of IPSec VPN in enterprise network

Source: Internet
Author: User

IPSec is a fairly complete VPN technology suite defined by a series of protocol standards. Without going into the finer details of IPSec, it can be understood in general terms as follows.

VPN national standard:

Standard-setting units: Huawei Technologies Co., Ltd., ZTE, Sangfor Technologies Co., Ltd., and the Wuxi Jiangnan Information Security Engineering Technology Center

Why the IPSec protocol was introduced

The IPSec protocol was introduced for two reasons. The first is that the original TCP/IP design included no security: anyone able to tap the line could read all of the communication data. IPSec adds a complete set of security mechanisms, including encryption, authentication, and protection against data tampering.

The second reason is the rapid growth of the Internet. Access has become more and more convenient, and many customers want to use Internet bandwidth to interconnect their remote networks.

Through packet encapsulation, the IPSec protocol can wrap internal-network IP addresses inside Internet-routable addresses, making remote networks reachable from one another.

Packet Encapsulation Protocol

Think of real-world postal communication. Suppose an identity card (adults only) is required to send and receive letters, so children, who have no identity card, cannot post letters. There are two children, Xiao Zhang and Xiao Li, whose fathers are Lao Zhang and Lao Li. Xiao Zhang and Xiao Li now want to exchange letters. How can they do it?

A reasonable way is this: Xiao Zhang writes a letter and addresses the envelope "Xiao Zhang --> Xiao Li", then gives it to his father. Lao Zhang writes a second envelope addressed "Lao Zhang --> Lao Li", puts the first letter inside it, and mails it to Lao Li. Lao Li receives the letter, opens it, finds that it is for his son, and passes it on to Xiao Li. Xiao Li replies to Xiao Zhang the same way, in his father's name.

This type of communication implementation depends on the following factors:

* Lao Li and Lao Zhang can both receive letters.

* Xiao Zhang writes a letter and hands it to Lao Zhang.

* Lao Zhang, on receiving his son's letter, handles it correctly (writes a second envelope), and the repackaged envelope can be delivered correctly.

* At the other end, Lao Li opens the letter he receives and hands it correctly to Xiao Li.

* The reverse direction works the same way.

Replace the names on the envelopes with IP addresses on the Internet, and the contents of the letter with IP data, and this is the packet encapsulation model of IPSec. Xiao Zhang and Xiao Li are IP hosts on internal private networks; their fathers are the VPN gateways. Two local area networks that originally could not communicate can reach each other by encapsulating traffic in the IP addresses of their Internet exits.

Introducing this encapsulation protocol is somewhat a last resort. The ideal way of networking is, of course, full routing, where any node can reach any other (just as the ideal real-world postal system would let anyone write to anyone directly).

When the Internet protocol was originally designed, the IP address was 32 bits, which was sufficient at the time; no one anticipated that the Internet would grow to its present scale (the same thing happened with telecom short messages, whose 160-byte limit greatly restricted their development). Calculating 2 to the power of 32, the address space can theoretically hold about 4 billion IP addresses. These addresses are used very inefficiently, and about 70% of them were allocated to the United States (they did invent and manage the Internet, after all), so for China the IP address resources available for allocation are very limited.

Since IP addresses are limited, yet remote LAN-to-LAN communication is still required, packet encapsulation is naturally the best option.

Security protocol (encryption)

Refer again to the communication model described above.

Suppose the letters between Lao Zhang and Lao Li pass through the postal system, and along the way there are many troublemakers who would very much like to peek at what Xiao Zhang and Xiao Li are saying (they run a business, and the information could be sold), or to damage the letters.

To solve this problem, security measures must be introduced. The security work can be done by Xiao Li and Xiao Zhang themselves, by writing in a code; or it can be done by their fathers: the child writes the letter, hands it to Dad, and Dad rewrites it in the code before sending it out.

IPSec encryption works the same way. Since the data can be encapsulated, it can naturally also be transformed, as long as the destination can restore the data to its original form. This encryption work is done at the VPN gateway at the Internet exit.
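To make the two models above concrete, here is an added example in Python (not code from the original article): a gateway wraps a private-network IP packet inside an outer IP header carrying the gateways' public addresses (plain IP-in-IP, protocol 4, standing in for IPSec tunnel mode), and protects the inner packet with an HMAC-SHA256 tag so that tampering in transit is detected at the far gateway. The addresses, key and payload are constructed for the example, and the encryption step that IPSec's ESP would add on top is omitted.

```python
import hashlib
import hmac
import socket
import struct

TAG_LEN = 32  # HMAC-SHA256 tag prepended to the inner packet


def ipv4_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words; 0 for a valid header."""
    total = sum(struct.unpack(f"!{len(hdr) // 2}H", hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, payload); reject a corrupted header."""
    ihl = (pkt[0] & 0x0F) * 4
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    src, dst = socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20])
    return src, dst, pkt[9], pkt[ihl:]


def gateway_encapsulate(inner: bytes, gw_local: str, gw_remote: str, key: bytes) -> bytes:
    """'Lao Zhang' writes the outer envelope: public gateway addresses outside,
    the child's private-address packet inside, plus a tamper-evidence tag."""
    tag = hmac.new(key, inner, hashlib.sha256).digest()
    return build_ipv4(gw_local, gw_remote, 4, tag + inner)  # proto 4 = IP-in-IP


def gateway_decapsulate(outer: bytes, key: bytes) -> bytes:
    """'Lao Li' opens the outer envelope, checks the tag, hands the inner packet on."""
    _, _, proto, payload = parse_ipv4(outer)
    if proto != 4:
        raise ValueError("not an IP-in-IP tunnel packet")
    tag, inner = payload[:TAG_LEN], payload[TAG_LEN:]
    expected = hmac.new(key, inner, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("inner packet was modified in transit")
    return inner
```

The outer header is what Internet routers see; the private 192.168.x / 10.x addresses only appear once the far gateway strips it off.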
