
Research on the Application of UDP Encapsulation for IPSec NAT Traversal

NAT-Traversal with UDP Encapsulation

【Author】 樊子牛

【Supervisors】 向宏; 缪秦

【Author information】 Chongqing University, Software Engineering, 2007, Master's thesis

【Abstract (translated)】 IPSec is a common technique for building VPNs (Virtual Private Networks); it addresses many of the security threats faced on today's Internet and effectively guarantees secure data transmission. In practice, however, IPSec is seriously incompatible with NAT, the technique used to relieve the shortage of IPv4 addresses. Because IPSec in a VPN protects the integrity of the transmitted data, any modification of the IP address or of transport flags during transit is treated as a violation of the protocol and causes the packet to fail its security check and be dropped. Yet using NAT in a VPN unavoidably maps private addresses to public ones, that is, it modifies the IP address. This incompatibility has severely limited the range of applications of NAT and IPSec, and in particular causes great inconvenience for remote users accessing VPN servers. In network security applications, NAT gateways and IPSec gateways often need to work together. To this end, I propose an X.509-certificate-based UDP encapsulation scheme for NAT traversal: payloads are added during the IKE negotiation of the SA to probe whether the VPN between the gateways supports NAT traversal and whether a NAT exists between the gateways; processing for UDP encapsulation and decapsulation of ESP packets is added; the whole process is tested and analysed in detail; and the problems still to be solved in the UDP encapsulation approach to NAT traversal are also analysed. Based on the practical needs of our campus network, and without redeploying the existing NAT devices, this thesis proposes using UDP data encapsulation to traverse NAT and so integrate the VPN and NAT techniques. Starting from the overall architecture of the NAT traversal scheme, improving the data encapsulation format and extending the functions of the related protocols yields a complete NAT traversal solution.

【Abstract】 IPSec is a common technique and an important part of VPNs (Virtual Private Networks). It helps not only to deal with various security threats on the Internet, but also to ensure safe data transmission effectively. In practice, however, IPSec is not compatible with NAT, which is used to solve the problem of IPv4 address shortage. In a VPN the IPSec protocol is used to keep data integrity during transmission, so any change to an IP address or transmission flag in transit is regarded as a violation of the protocol and causes the packets to fail the security checks and be lost. Applying NAT in a VPN inevitably maps private addresses to public addresses, which changes the IP address. This incompatibility has limited the application scope of NAT and IPSec, and is especially inconvenient for remote users accessing VPN servers. Cooperation between the NAT gateway and the IPSec gateway is necessary in the application field of network security. Therefore, I put forward a technique of UDP encapsulation across NAT based on X.509 certificates, adding payloads during the IKE negotiation of the SA to explore whether the VPN between the gateways supports NAT traversal and whether a NAT exists between the gateways. I also bring forward added processing for UDP encapsulation and decapsulation of ESP messages, and test and analyse the whole process. I analyse some unsolved problems of passing NAT by using UDP encapsulation. Considering the demands of our own university's network, I come up with traversing NAT by using UDP encapsulation to achieve compatibility between VPN and NAT without redeploying the existing NAT equipment. I plan out a complete NAT traversal scheme based on the overall structure by improving the data encapsulation formats and expanding the functions of the related protocols.
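The two mechanisms the abstract names, a payload added to the IKE exchange that reveals whether a NAT sits between the gateways, and UDP encapsulation of ESP so that the NAT can rewrite the outer header without breaking the integrity check, can be illustrated in a few dozen lines. The following Python is an added example written for this page, not code from the thesis or from any IPSec implementation. It follows the conventions of the standard NAT-T RFCs (RFC 3947 NAT-D payloads, RFC 3948 UDP encapsulation on port 4500); the thesis's own payload format may differ. The hash algorithm (SHA-1), the cookies, the addresses and the ESP body are all constructed assumptions for the demonstration.

```python
import hashlib
import socket
import struct

IKE_PORT = 500
NAT_T_PORT = 4500                      # IKE and UDP-encapsulated ESP once a NAT is detected
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix marking an IKE message (not ESP) on port 4500


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int, hash_name: str = "sha1") -> bytes:
    """Content of one NAT-D payload: HASH(CKY-I | CKY-R | IP | Port).

    The hash is the one negotiated in IKE phase 1; SHA-1 is assumed here.
    """
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.new(hash_name, data).digest()


def build_nat_d_payloads(cky_i, cky_r, local_ip, local_port, peer_ip, peer_port):
    """Sender side: the first NAT-D covers the peer's address, the next one the sender's own."""
    return [nat_d_hash(cky_i, cky_r, peer_ip, peer_port),
            nat_d_hash(cky_i, cky_r, local_ip, local_port)]


def detect_nat(cky_i, cky_r, received_nat_d, observed_src_ip, observed_src_port, my_ip, my_port):
    """Receiver side: recompute both hashes from the packet as it actually arrived.

    A mismatch on the sender's own hash means the source address was rewritten in
    transit (the sender sits behind a NAT); a mismatch on the receiver's hash means
    the destination address was rewritten before the packet reached us.
    """
    receiver_ok = received_nat_d[0] == nat_d_hash(cky_i, cky_r, my_ip, my_port)
    sender_ok = any(h == nat_d_hash(cky_i, cky_r, observed_src_ip, observed_src_port)
                    for h in received_nat_d[1:])
    return {"sender_behind_nat": not sender_ok,
            "receiver_behind_nat": not receiver_ok,
            "use_udp_encapsulation": not (sender_ok and receiver_ok)}


def udp_encapsulate_esp(spi: int, seq: int, esp_body: bytes) -> bytes:
    """UDP payload for an ESP packet: the ESP header (SPI, sequence) then the opaque body.

    The NAT only rewrites the outer IP/UDP headers; the ESP integrity check covers
    the part returned here, so the translation no longer breaks it.
    """
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return struct.pack("!II", spi, seq) + esp_body


def udp_encapsulate_ike(ike_message: bytes) -> bytes:
    """UDP payload for IKE on port 4500: four zero bytes, then the IKE message."""
    return NON_ESP_MARKER + ike_message


def classify_udp_payload(payload: bytes):
    """Demultiplex a port-4500 UDP payload into ('ike', msg) or ('esp', spi, seq, body)."""
    if len(payload) < 8:
        raise ValueError("payload too short for ESP header or marker plus IKE header")
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    spi, seq = struct.unpack("!II", payload[:8])
    return ("esp", spi, seq, payload[8:])


def demo():
    # Constructed IKE cookies and topology: a client on a private address behind a
    # NAT, talking to a VPN gateway on a public address.
    cky_i = bytes.fromhex("0102030405060708")
    cky_r = bytes.fromhex("1112131415161718")
    client_ip, client_port = "192.168.1.10", IKE_PORT
    nat_ip, nat_port = "198.51.100.7", 40123        # source address/port substituted by the NAT
    gw_ip, gw_port = "203.0.113.5", IKE_PORT

    # Client builds NAT-D payloads from its own view; the gateway sees the NAT's address.
    payloads = build_nat_d_payloads(cky_i, cky_r, client_ip, client_port, gw_ip, gw_port)
    result = detect_nat(cky_i, cky_r, payloads, nat_ip, nat_port, gw_ip, gw_port)

    # After detection both sides move to port 4500 and share it between IKE and ESP.
    esp_dgram = udp_encapsulate_esp(0x1000ABCD, 1, b"\xde\xad\xbe\xef" * 4)
    ike_dgram = udp_encapsulate_ike(b"ike-message")
    return result, classify_udp_payload(esp_dgram), classify_udp_payload(ike_dgram)


if __name__ == "__main__":
    print(demo())
```

The detection result is what decides whether the ESP traffic is sent natively or UDP-encapsulated; a deployment would also need the keepalive the abstract's "problems still to be solved" hints at, since the NAT's UDP mapping expires when the tunnel is idle.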

【Keywords (translated)】 IPSec; NAT; IKE; UDP encapsulation; Security Association (SA); SPD
【Key words】 IPSec; NAT; IKE; UDP Encapsulation; Security Association (SA); SPD
  • 【Online publisher】 Chongqing University
  • 【Online publication issue】 2008, No. 05
  • 【Classification number】 TP393.08
  • 【Cited by】 1
  • 【Downloads】 227