uClinux-based embedded wireless IPSec VPN gateway

Source: http://www.c114.net

Introduction

With the development of network and wireless communication technologies and the improvement of wireless data transmission capabilities, the application fields of wireless data transmission are constantly expanding. As shown in Figure 1, users' mobile devices can access the Internet directly through public CDMA/GPRS wireless networks and from there reach their organization's internal network, saving the cost of building a private network. Since every user wants the security of this data guaranteed, VPN technology becomes the natural choice.

1 IPSec Introduction

The goal of IPSec is to provide a complete set of interoperable, high-quality, cryptography-based security services for IP, including access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality, and limited traffic-flow confidentiality. These services are provided at the IP layer and protect both IP and the upper-layer protocols.

The IPSec architecture is defined in RFC 2401. It uses two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), together with key management procedures and protocols to achieve these goals. AH provides connectionless integrity, data origin authentication and an optional anti-replay service; ESP provides confidentiality, limited traffic-flow confidentiality, connectionless integrity, data origin authentication and anti-replay protection. Both AH and ESP are vehicles for access control, based on the distribution of cryptographic keys and the management of traffic flows. Both have two modes, transport mode and tunnel mode: transport mode protects host-to-host communication, while tunnel mode is mainly used to protect gateway-to-gateway communication.

In IPSec, users supply their own security policies (SPs) to control how IPSec is used: which traffic is protected, which security services are required and which cryptographic algorithms are used. The Security Association (SA) is a basic concept in IPSec; it is a simplex "connection". When AH or ESP is used to secure traffic, two or more SAs are needed; because an SA is one-way, bidirectional protected communication requires at least one SA in each direction. IPSec keeps two security-related databases, the Security Policy Database (SPD) and the Security Association Database (SAD). The former defines the policy applied to all inbound and outbound IP traffic; the latter holds the parameters of every (valid) SA.

Distribution of the keys used by AH/ESP and management of SAs rely on a set of independent mechanisms, both manual and automatic; IPSec defines the IKE protocol for automatic key distribution and SA management. IKE works in two phases. The first phase establishes a mutually authenticated, confidential channel between the two parties, which protects the key negotiation of the second phase; the second phase negotiates the SAs actually used by IPSec.

Figure 2 shows the IPSec data processing model. For each inbound or outbound packet, the security policy is determined first. If security services are required, the corresponding security association is looked up, and AH/ESP processing is applied with the parameters the SA provides before the inbound or outbound processing completes.
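The processing model described above, as an added example rather than code from the article: a small Python model of the SPD and SAD, the anti-replay window of RFC 2401 Appendix C, and AH-style integrity protection, exercised with a constructed two-gateway scenario. The addresses, SPIs, key and the HMAC-SHA256 stand-in for the real AH transform are all assumptions made for the example.

```python
"""Toy model of the IPSec data processing path (added example, not the article's
code). "AH" here is HMAC-SHA256 truncated to 96 bits over SPI, sequence number
and the tunnelled inner packet; real AH also covers immutable outer IP header
fields, and real SAs are selected by (destination, SPI, protocol)."""
import hashlib
import hmac
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ICV_LEN = 12  # 96-bit truncated ICV, as in the HMAC-SHA1-96 transform

@dataclass
class SA:
    spi: int
    key: bytes
    peer: "IPv4Address | None" = None  # remote tunnel endpoint
    seq: int = 0        # outbound: last sequence number sent
    last_seq: int = 0   # inbound: highest sequence number accepted
    bitmap: int = 0     # inbound: bit i set => last_seq - i already accepted
    window: int = 64    # anti-replay window size (RFC 2401, Appendix C)

@dataclass
class Policy:
    src: IPv4Network
    dst: IPv4Network
    direction: str      # "in" or "out", as in setkey's -P
    action: str         # "discard", "bypass" or "ipsec"
    sa: "SA | None" = None

def spd_lookup(spd, src, dst, direction):
    """First match wins, like ordered setkey spdadd lines; no match means discard."""
    for p in spd:
        if p.direction == direction and src in p.src and dst in p.dst:
            return p
    return None

def icv(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]

def replay_ok(sa, seq):
    """Check only; the window is advanced by replay_mark after the ICV verifies."""
    if seq == 0:                 # sequence numbers start at 1
        return False
    if seq > sa.last_seq:
        return True
    diff = sa.last_seq - seq
    return diff < sa.window and not (sa.bitmap >> diff) & 1

def replay_mark(sa, seq):
    if seq > sa.last_seq:
        sa.bitmap = ((sa.bitmap << (seq - sa.last_seq)) | 1) & ((1 << sa.window) - 1)
        sa.last_seq = seq
    else:
        sa.bitmap |= 1 << (sa.last_seq - seq)

def outbound(spd, src, dst, payload):
    """Returns (outer destination, packet); (None, None) means discarded."""
    p = spd_lookup(spd, src, dst, "out")
    if p is None or p.action == "discard":
        return None, None
    if p.action == "bypass":
        return dst, payload
    p.sa.seq += 1                # the SA must be rekeyed before this counter wraps
    header = p.sa.spi.to_bytes(4, "big") + p.sa.seq.to_bytes(4, "big")
    inner = src.packed + dst.packed + payload   # tunnel mode: whole inner packet
    return p.sa.peer, header + icv(p.sa.key, header + inner) + inner

def inbound(spd, sad, outer_dst, packet):
    """sad maps (local gateway, SPI) -> inbound SA; returns (src, dst, payload) or None."""
    spi, seq = int.from_bytes(packet[:4], "big"), int.from_bytes(packet[4:8], "big")
    sa = sad.get((outer_dst, spi))
    if sa is None or not replay_ok(sa, seq):
        return None
    tag, inner = packet[8:8 + ICV_LEN], packet[8 + ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa.key, packet[:8] + inner)):
        return None
    replay_mark(sa, seq)
    src, dst = IPv4Address(inner[:4]), IPv4Address(inner[4:8])
    p = spd_lookup(spd, src, dst, "in")   # inner packet must match this SA's policy
    if p is None or p.action != "ipsec" or p.sa is not sa:
        return None
    return src, dst, inner[8:]

def demo():
    """Constructed two-gateway scenario (RFC 5737 documentation addresses)."""
    gw_a, gw_b = IPv4Address("192.0.2.1"), IPv4Address("198.51.100.1")
    key = hashlib.sha256(b"constructed demo key, never reuse").digest()
    sa_out, sa_in = SA(0x1000, key, gw_b), SA(0x1000, key, gw_a)  # A's outbound SA, B's inbound copy
    net_a, net_b = IPv4Network("10.0.1.0/24"), IPv4Network("10.0.2.0/24")
    spd_a = [Policy(net_a, net_b, "out", "ipsec", sa_out)]
    spd_b, sad_b = [Policy(net_a, net_b, "in", "ipsec", sa_in)], {(gw_b, 0x1000): sa_in}
    host_a, host_b = IPv4Address("10.0.1.7"), IPv4Address("10.0.2.9")
    outer_dst, pkt1 = outbound(spd_a, host_a, host_b, b"hello")
    _, pkt2 = outbound(spd_a, host_a, host_b, b"world")
    first = inbound(spd_b, sad_b, outer_dst, pkt1)                  # accepted
    replayed = inbound(spd_b, sad_b, outer_dst, pkt1)               # duplicate: dropped
    tampered = inbound(spd_b, sad_b, outer_dst, pkt2[:-1] + b"!")   # bad ICV; window untouched
    second = inbound(spd_b, sad_b, outer_dst, pkt2)                 # genuine copy still accepted
    no_policy = outbound(spd_a, host_a, IPv4Address("203.0.113.5"), b"x")
    return first, replayed, tampered, second, no_policy
```

Two details matter for correctness: the replay window is only advanced after the ICV verifies, so a forged packet with a high sequence number cannot push genuine traffic out of the window; and the inbound policy check after decapsulation ensures a peer can only inject packets that the SPD allows over that SA.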

2 System Functions

The main function of the system is to access the Internet through CDMA or GPRS while acting as either a VPN server or a VPN client. IPSec key exchange supports both pre-shared keys and X.509-based public keys.

3 Hardware Implementation of the System

Figure 3 shows the system hardware structure: the wireless interface uses a Wavecom CDMA/GPRS module, and the base board uses a Freescale ColdFire 5272.

4 System Software Implementation

IPSec support is added to the Linux 2.6 kernel, and the system uses the IPsec-tools package built on the kernel's IPSec. Figure 4 shows the IPSec-related software structure. The Linux 2.6 kernel provides AH and ESP support in its network protocol stack, together with the SPD and SAD implementations. IPsec-tools contains two applications, setkey and racoon. setkey manages the SPD and performs manual management of the SAD; it requires the kernel's IPSec user-management interface. racoon is the IKE implementation in IPsec-tools; it requires the kernel's PF_KEYv2 interface, and for public-key authentication based on X.509 certificates it uses the libcrypto library provided by OpenSSL. The encryption algorithms used by AH/ESP must be supported by the kernel's cryptographic subsystem.

4.1 Linux Kernel

Download the Linux 2.6.12 kernel from www.kernel.org and the uClinux patch from www.uclinux.org. After applying the patch, run make menuconfig to enter the kernel configuration interface and enable all of the following options:

4.2 OpenSSL (libcrypto)

After unpacking the OpenSSL 0.9.7e source, enter the source directory and edit its Configure script to use m68k-elf-gcc as the compiler. Run ./Configure linux-m68k to configure, then compile to produce the libcrypto library.

4.3 IPSec-Tools

Add the IPsec-tools 0.5.2 package to the user directory of the uClinux distribution, following the uClinux documentation on adding new user programs. Enter the IPsec-tools directory and add the following makefile (in which the kernel header directory and the OpenSSL source directory are specified):

    all: build
    	$(MAKE) -C build

Compiling produces the setkey and racoon applications.

5 Use of IPSec-Tools

The system's IPSec supports both transport and tunnel mode; as a VPN gateway, only tunnel mode is used. Figure 5 shows the communication model between two IPSec gateways: and are the external IP addresses of the two gateways, protecting the internal subnets and respectively. Taking the gateway with external IP address in Figure 5 as the example, this section describes how security policies and keys are managed with IPsec-tools in tunnel mode.

5.1 Security Policy

Security policy management in IPsec-tools is done by setkey. In the setkey configuration file setkey.conf, inbound (in), outbound (out) and forward (fwd) security policy rules must be added.

5.2 Key and SA Management

(1) Manual mode

Manual management of IPSec keys and SAs is defined by SA rules in setkey.conf.

(2) Automatic mode

Automatic management is done by racoon, which supports several authentication methods, including pre-shared keys and X.509 certificates. The racoon configuration file racoon.conf consists mainly of two parts, remote and sainfo, corresponding to the first and second phases of the IKE exchange respectively. The remote section specifies the authentication method and the encryption and hash algorithms for IKE phase 1; the sainfo section specifies the encryption and authentication algorithms for phase 2.

In pre-shared key mode, each party's pre-shared key is stored in a file. The racoon.conf configuration is as follows (the file holding the pre-shared key is specified):

In X.509 certificate mode, the racoon.conf configuration is basically the same as for pre-shared keys, but it specifies the certificate directory, the gateway's own X.509 certificate, its private key and the CA certificate. For details on generating certificates for racoon, see the racoon and OpenSSL user manuals.
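For sections 5.1 and 5.2, an added example that is not the article's own configuration (the article's files are not reproduced on this page): a Python generator that emits the setkey.conf policy rules for out, in and fwd, manually keyed SA lines, and a pre-shared-key racoon.conf for one gateway, checking the key lengths and SPI range that setkey would otherwise reject. Gateway addresses, subnets, SPIs, the pre-shared-key file path and the algorithm choices are all constructed assumptions.

```python
"""Generate and sanity-check ipsec-tools configuration for a two-gateway tunnel
(added example, not the article's configuration). Addresses and subnets are
constructed placeholders from the RFC 5737 documentation ranges; manual-SA
keys come from secrets.token_bytes so that no example key can reach a real box."""
import secrets

# Key sizes in bytes that setkey accepts for the algorithms used here.
CIPHER_KEY_LEN = {"aes-cbc": (16, 24, 32), "3des-cbc": (24,)}
AUTH_KEY_LEN = {"hmac-sha1": (20,), "hmac-md5": (16,)}

def spd_rules(local_gw, remote_gw, local_net, remote_net, proto="esp"):
    """setkey.conf policy lines for one gateway: out, in and fwd, all tunnel mode."""
    tun_out = f"{proto}/tunnel/{local_gw}-{remote_gw}/require"
    tun_in = f"{proto}/tunnel/{remote_gw}-{local_gw}/require"
    return "\n".join([
        f"spdadd {local_net} {remote_net} any -P out ipsec {tun_out};",
        f"spdadd {remote_net} {local_net} any -P in ipsec {tun_in};",
        # fwd mirrors in: a gateway forwards the decapsulated packets into its subnet.
        f"spdadd {remote_net} {local_net} any -P fwd ipsec {tun_in};",
    ])

def manual_sa(src, dst, spi, enc, enc_key, auth, auth_key, window=4):
    """One setkey 'add' line for a tunnel-mode ESP SA, after checking its parameters.

    window is in 32-bit words, as setkey's -r option expects; leaving -r out
    disables the anti-replay check entirely for a manually keyed SA.
    """
    if not 256 <= spi <= 0xFFFFFFFF:
        raise ValueError("SPI must be 256..0xffffffff; values 0-255 are reserved")
    if len(enc_key) not in CIPHER_KEY_LEN[enc]:
        raise ValueError(f"{enc} key must be one of {CIPHER_KEY_LEN[enc]} bytes")
    if len(auth_key) not in AUTH_KEY_LEN[auth]:
        raise ValueError(f"{auth} key must be one of {AUTH_KEY_LEN[auth]} bytes")
    return (f"add {src} {dst} esp {spi:#x} -m tunnel -r {window} "
            f"-E {enc} 0x{enc_key.hex()} -A {auth} 0x{auth_key.hex()};")

def manual_sa_pair(local_gw, remote_gw, spi_out, spi_in):
    """Both directions of a manually keyed tunnel, each direction with its own fresh keys."""
    out = manual_sa(local_gw, remote_gw, spi_out, "aes-cbc", secrets.token_bytes(16),
                    "hmac-sha1", secrets.token_bytes(20))
    inn = manual_sa(remote_gw, local_gw, spi_in, "aes-cbc", secrets.token_bytes(16),
                    "hmac-sha1", secrets.token_bytes(20))
    return out + "\n" + inn

def racoon_conf(remote_gw, local_net, remote_net, psk_path="/etc/racoon/psk.txt"):
    """racoon.conf: 'remote' holds the IKE phase 1 parameters, 'sainfo' the phase 2 ones.

    psk_path should be readable by root only; its lines are '<peer address> <secret>'.
    """
    return f"""path pre_shared_key "{psk_path}";
remote {remote_gw} {{
    exchange_mode main;
    proposal {{
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 2;
    }}
}}
sainfo address {local_net} any address {remote_net} any {{
    pfs_group 2;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}}"""

def gateway_a_config():
    """Constructed example: gateway A (192.0.2.1, subnet 10.0.1.0/24) peering with B."""
    a, b, net_a, net_b = "192.0.2.1", "198.51.100.1", "10.0.1.0/24", "10.0.2.0/24"
    setkey_conf = "flush;\nspdflush;\n" + spd_rules(a, b, net_a, net_b)
    return setkey_conf, manual_sa_pair(a, b, 0x1000, 0x1001), racoon_conf(b, net_a, net_b)
```

Gateway B needs the mirror image of every rule (its own address as the local endpoint and A's subnet as the remote one), and the manual SA lines must be installed identically on both sides, which is why manual keying is only practical for a small number of fixed peers; with racoon, the `add` lines are replaced by the SAs negotiated in IKE phase 2.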

5.3 Running

Once the wireless gateway is connected to the Internet, run setkey and racoon.


The combination of wireless data transmission with IPSec further expands the application field of wireless data transmission. The system is now in wide use in finance, insurance, electric power, monitoring, transportation, meteorology and other industries: any device with an Ethernet or serial port, such as a PC, industrial computer, ATM, POS terminal or video service, can, given mobile network access, be connected to the Internet easily and securely through the system.

Authors: Liu Yuhong, Xue Tao, Shao Beibei (Tsinghua University). Source: Application of Single Chip Microcomputer and Embedded Systems
