穿越NAT的VPN网关的研究和设计
摘要
VPN(虚拟私有网络)是一种以开放公共网络(Internet)为基础,通过专门的隧道加密技术在公共数据网络上仿真一条点到点的专线技术。利用VPN技术,企业只需要租用本地的数据专线,连接上本地的公共信息网,各地的机构就可以互相传递信息。使用VPN有节约成本、提供远程访问、扩展性强、便于管理和实现全面控制等好处,是目前和今后企业利用Internet网构建企业的广域网络的发展趋势。
NAT技术是用来提高IP地址使用效率的好方法。同时NAT的另一个很有用的特性是能让多台计算机共用一个IP地址,从而增强了系统的安全性。现在人们可以经常在防火墙或者网关、路由器上看到应用了NAT技术。
但是很多的网络管理员在设法配置使用私有IP地址的VPN客户端和NAT的互连上遇到了很多的麻烦。其原因在于NAT破坏了VPN建立的隧道,VPN在建立通信隧道的时候对数据包的地址或求和的值进行了加密和解密的工作,而NAT改变了这个地址或求和值。造成VPN技术和NAT技术的不兼容。
本文在详细介绍了VPN产生和应用背景,VPN的技术基础,NAT技术基础之后,介绍了这两种技术的最新应用现状,并对两家著名公司的VPN和防火墙产品进行了技术分析。用构造模拟环境进行试验的方法分别测试两种技术之间的不兼容性,然后从理论上去解释不兼容的原理。在此基础之上,本文提出了自己的解决问题的方案,构造了一种新型的VPN网关,再加上巧妙和理地分配IP地址,有效解决了VPN和NAT的冲突,同时这种新型的VPN网关具有方便管理、配置灵活的特点。本文给出了VPN网关的总体设计和IPSec的实现。最后,本文分析了即将被使用的IPv6标准的技术影响,以及总结和对未来的展望。
Virtual Private Network (VPN) is a network that uses the Internet or other network service as its backbone, and uses the security tunnel to simulate one exclusive line communication from point to point. In a VPN, so many filiales can connect each other if the enterprise rents the local connections to an Internet service provider (ISP) only. Using a virtual private network (VPN) to connect to enterprise networks has opened up a new world of flexible, cheaper, ease to manage etc.. The VPN will be adopted to build the enterprise WAN more and more in future.
Network Address Translation was developed to make more efficient use of Internet Protocol (IP) addresses. NAT has subsequently gained popularity as a security mechanism and as a means of allowing many computers to share the same IP address. You may encounter NAT in many networking devices such as firewall/security gateways, routers.
But many network administrators have tried to set up a virtual private network (VPN) client from a workstation with a private IP address only to find out much frustration with the network address translation (NAT) on the Internet router keeps the VPN client from making the connection. NAT can break the VPN tunnel. NAT changes the network IP address of a packet (and checksum values), whereas the tunneling, used by an IPSec or L2TP VPN gateway, encapsulates/encrypts the network IP address of a packet with another network IP address. This makes a trouble in compatible VPN with NAT.
In this paper, I introduced the basic concept about the technology of VPN, NAT and the background, and introduced the application up to the minute, analysed the VPN and fireware products maded by the two famous companies. Tested the incompatible in VPN and NAT by building a virtual simulate circumstance, and found out the reason from theory. Based on that, I developed a new VPN gateway which is ease to manage and config to solve the incompatible VPN and NAT. I have discussed the design and IPSec in this paper. In the end, I analysed the infection of IPV6 standard and development in future.
NAT技术是用来提高IP地址使用效率的好方法。同时NAT的另一个很有用的特性是能让多台计算机共用一个IP地址,从而增强了系统的安全性。现在人们可以经常在防火墙或者网关、路由器上看到应用了NAT技术。
但是很多的网络管理员在设法配置使用私有IP地址的VPN客户端和NAT的互连上遇到了很多的麻烦。其原因在于NAT破坏了VPN建立的隧道,VPN在建立通信隧道的时候对数据包的地址或求和的值进行了加密和解密的工作,而NAT改变了这个地址或求和值。造成VPN技术和NAT技术的不兼容。
本文在详细介绍了VPN产生和应用背景,VPN的技术基础,NAT技术基础之后,介绍了这两种技术的最新应用现状,并对两家著名公司的VPN和防火墙产品进行了技术分析。用构造模拟环境进行试验的方法分别测试两种技术之间的不兼容性,然后从理论上去解释不兼容的原理。在此基础之上,本文提出了自己的解决问题的方案,构造了一种新型的VPN网关,再加上巧妙和理地分配IP地址,有效解决了VPN和NAT的冲突,同时这种新型的VPN网关具有方便管理、配置灵活的特点。本文给出了VPN网关的总体设计和IPSec的实现。最后,本文分析了即将被使用的IPv6标准的技术影响,以及总结和对未来的展望。
Virtual Private Network (VPN) is a network that uses the Internet or other network service as its backbone, and uses the security tunnel to simulate one exclusive line communication from point to point. In a VPN, so many filiales can connect each other if the enterprise rents the local connections to an Internet service provider (ISP) only. Using a virtual private network (VPN) to connect to enterprise networks has opened up a new world of flexible, cheaper, ease to manage etc.. The VPN will be adopted to build the enterprise WAN more and more in future.
Network Address Translation was developed to make more efficient use of Internet Protocol (IP) addresses. NAT has subsequently gained popularity as a security mechanism and as a means of allowing many computers to share the same IP address. You may encounter NAT in many networking devices such as firewall/security gateways, routers.
But many network administrators have tried to set up a virtual private network (VPN) client from a workstation with a private IP address only to find out much frustration with the network address translation (NAT) on the Internet router keeps the VPN client from making the connection. NAT can break the VPN tunnel. NAT changes the network IP address of a packet (and checksum values), whereas the tunneling, used by an IPSec or L2TP VPN gateway, encapsulates/encrypts the network IP address of a packet with another network IP address. This makes a trouble in compatible VPN with NAT.
In this paper, I introduced the basic concept about the technology of VPN, NAT and the background, and introduced the application up to the minute, analysed the VPN and fireware products maded by the two famous companies. Tested the incompatible in VPN and NAT by building a virtual simulate circumstance, and found out the reason from theory. Based on that, I developed a new VPN gateway which is ease to manage and config to solve the incompatible VPN and NAT. I have discussed the design and IPSec in this paper. In the end, I analysed the infection of IPV6 standard and development in future.
引文
1.《计算机网络安全》,顾巧论、蔡振山、贾春福,科学出版社,ISBN7-03-010929-5
2.‘VPN核心技术的研究’,张大陆、户现锋,《计算机工程》,2000.3
3.《最高安全机密(第3版)》,[美]Anonymous等著 朱鲁华等译,机械工业出版社,ISBN 7-111-11032-3/TP.2632
4.‘VPN安全技术的研究与分析’,江红、余青松、顾君忠,《计算机工程》,2002.4
5.《VPN与网络安全》,戴宗坤、唐三平,电子工业出版社,ISBN7-5053-7973-9/TP.4633
6.《入侵特征与分析》,Stephen Northcutt Mark Cooper等著 林琪译,中国电力出版社,ISBN 7-5083-1097-7/TP.360
7.《个人防火墙》,[美]Jeery Lee Ford著段云所等译,人民邮电出版社,ISBN 7-115-10408-5/TP.2949
8.《对称密码学》,胡予濮、张玉清、肖国镇,机械工业出版社,ISBN 7-111-10674-1/TP.2533
9.‘VPN的实现及其应用’,冉春玉、赵双红、陈建军,《武汉理工大学学报》,2002.6
10.‘安全VPN服务器中IKE协议的设计与实现’,汪海航、师成江、谭成翔,《计算机应用研究》,2002.3
11.‘基于IP数据包加密的VPN虚拟专用网络安全结构’,周洲仪、谢志坚、谢冬青,《计算机工程》,2001.3
12.《加密解密与网络安全技术》,张曜等著,冶金工业出版社,ISBN 7-5024-3039-3/TP.366
13.《网络信息安全技术基础》,北京启明星辰信息技术有限公司,电子工业出版社,ISBN 7-5053-6890-7/TP.3916
14.《防火墙原理与实用技术》,北京启明星辰信息技术有限公司,电子工业出版社,ISBN 7-5053-6889-3/TP.3915
15.《Cisco网络安全宝典》,[美]Rajesh Kumar Sharma,NIIT等著 赵刚等译,电子工业出版社,ISBN 7-5053-8176-8/TP.4762
16.《网络与系统安全实用指南》,秦超、李素科、满成圆,北京航空航天大学出版社,ISBN 7-8 1077-089-6
17.《网络信息安全与保密(修订版)》,杨义先等著,北京邮电大学出版社,ISBN 7-5635-0386-2/TN.173
18.《网络互连技术教程》,李健等著,人民邮电出版社,ISBN 7-115-10143-4/TP.2775
19.《Linux连网详解》,[美]Bryan Pfaffenberger著 智慧东方工作室译,机械工业出版社,ISBN 7-111-09502-2/TP.2184
20.‘基于IPv6的安全技术及其应用’,王彦芳、刘永军、高占凤,《航空计算技术》,2000.4
21.‘基于PKI的IPSec-VPN网关的设计与实现’,杨宇航、孟桂娥、熊云凤,《计算机工程》,2001.2
22.《Cisco专业技术丛书:Cisco网络远程访问》,[美]Bill Burton著 戴锋译,机械工业出版社,ISBN 7-111-09182-5/TP.2090
23.《MPLS和VPN体系结构》,[美]Ivan Pepelnjak、Jim Guichard著,人民邮电出版社,ISBN 7-115-09509-4/TP.2368
24.《网络连接服务开发人员参考库(第5卷)—路由》,[美]David Iseminger著 詹文军等译,机械工业出版社,ISBN 7-111-08605-8/TP.1726
25.‘基于包过滤的VPN安全网关的设计与实现’,杨立扬、王汝传、吴凡,《中国数据通信》,2002.10
26.《计算机网络(第3版)》,Andrew S.Tanenbaum著 熊桂喜等译,清华大学出版社,ISBN 7-302-03035-9/TP.1618
27.《下一代Internet的网络技术》,李津生、洪佩琳,人民邮电出版社,ISBN 7-115-09101-3/TN.1693
28.‘密钥交换与密钥管理协议-IKE研究’,吴鸿钟、罗慧、张世雄、谭兴烈,《计算机工程与应用》,2002.21
29.《现代通信技术应用丛书——宽带城域网实用手册》,李勇等著,北京邮电大学出版社,ISBN 7-5635-0498-2/TN.226
30.《实现Cisco VPN实践指南》,[美]Adam Quiggle著 云舟工作室译,机械工业出版社,ISBN 7-111-09339-9/TP.2110
31.《网络连接服务开发人员参考库》(第一卷)[美]埃塞明著 前导工作室译,北京机械工业出版社 2000.12。
32.‘通过隧道技术建立安全的虚拟专用网’,曾勇军、杨贞斌、罗兴国,《计算机工程与应用》,2000.8
33.《虚拟私用网络技术》[美]W.Murhammer,译者:孔雷、刘云新,清华大学出版社,ISBN 7302038333
34.‘VPN:看不见的通道’,陈聪,《中国计算机报》Aug 12,2002
35.‘一种基于Windows NT的虚拟私有网络的实现’,余志东、张申生、温钢,《计算机工程》,2001.01
36.‘VPN的各种协议’,薛以辉,《中国计算机报》Aug 12,2002
37.‘基于公共网络的虚拟专用网探析’, 范志荣、陈文元、张卫平,《计算机应用研究》,2000.3
38.‘Quidway S8016 MPLS VPN技术’,钱胜、张志和,《华为技术报》148期
39.‘虚拟专用网的研究与实现’,曾志峰、冯运波、杨义先,《北京邮电大学学报》,2000.2
40.‘SSL进入VPN领域’,张志刚,《中国计算机报》Mar 04,2002
41.‘一种集成的可伸缩的网络安全系统’,刘积仁、蒋韬、秦扬、常桂然,《软件学报》,2002.3
42.《东方龙马VPN技术白皮书》,东方龙马
43.‘IPSec VPN的研究和分析’,田春歧、王立明、蔡勉、周凯,《计算机工程与应用》,2004.4
44.‘IPSec新一代因特网安全标准’,Naganand Doraswamy,机械工业出版社,2000
45.‘VPN安全技术的研究与分析’,江红,《计算机工程》,2002
46.‘面向Internet的IPSec安全体系结构’,杨宏宇,《计算机工程与应用》,2002
47. 《Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network》 [英], Sams Development Staff, ISBN 0672313413
48. 《Building and Managing Virtual Private Networks》 [英] Dave Kosiur,ISBN 0-471-29526-4
49. 《Internet Security Professional Reference, Second Edition》 [英], ISBN 156205760
50. 《Building Internet Firewalls》 [英] D.Brent Chapman, Elizabeth D.Zwicky, ISBN 1-56592-124-0
51. 《Secure Computers and Networks:Analysis, Design, and Implementation》 [英] Eric A. Fisch, Gregory B. White, ISBN: 0849318688
52. RFC 3145, L2TP Disconnect Cause Information. R. Verma, M. Verma, J. Carlson. July 2001
53. RFC 3093, Firewall Enhancement Protocol (FEP). M. Gaynor, S. Bradner. 1 April 2001
54. RFC 2888, Secure Remote Access with L2TP. P. Srisuresh. August 2000
55. RFC 2917, A Core MPLS IPVPN Architecture. K. Muthukrishnan, A. Malis. September 2000
56. RFC 2764, A Framework for IP Based Virtual Private Networks. B. Gleeson, A. Lin, J. Heinanen, G. Armitage, A. Malis. February 2000
57. RFC 2685, Virtual Private Networks Identifier. B. Fox, B. Gleeson. September 1999
58. RFC 2637, Point-to-Point Tunneling Protocol. K. Hamzeh, G. Pall, W. Verthein, Jo Taarud, W. Little, G. Zorn. July 1999
59. RFC 3078, Microsoft Point-To-Point Encryption (MPPE) Protocol. G. Pall, G. Zorn. March 2001
60. RFC 2409, The Internet Key Exchange (IKE). D. Harkins, D. Carrel, cisco Systems, November 1998
61. RFC 2406, IP Encapsulating Security Payload (ESP). S. Kent, R. Atkinson, BBN Corp, November 1998
2.‘VPN核心技术的研究’,张大陆、户现锋,《计算机工程》,2000.3
3.《最高安全机密(第3版)》,[美]Anonymous等著 朱鲁华等译,机械工业出版社,ISBN 7-111-11032-3/TP.2632
4.‘VPN安全技术的研究与分析’,江红、余青松、顾君忠,《计算机工程》,2002.4
5.《VPN与网络安全》,戴宗坤、唐三平,电子工业出版社,ISBN7-5053-7973-9/TP.4633
6.《入侵特征与分析》,Stephen Northcutt Mark Cooper等著 林琪译,中国电力出版社,ISBN 7-5083-1097-7/TP.360
7.《个人防火墙》,[美]Jeery Lee Ford著段云所等译,人民邮电出版社,ISBN 7-115-10408-5/TP.2949
8.《对称密码学》,胡予濮、张玉清、肖国镇,机械工业出版社,ISBN 7-111-10674-1/TP.2533
9.‘VPN的实现及其应用’,冉春玉、赵双红、陈建军,《武汉理工大学学报》,2002.6
10.‘安全VPN服务器中IKE协议的设计与实现’,汪海航、师成江、谭成翔,《计算机应用研究》,2002.3
11.‘基于IP数据包加密的VPN虚拟专用网络安全结构’,周洲仪、谢志坚、谢冬青,《计算机工程》,2001.3
12.《加密解密与网络安全技术》,张曜等著,冶金工业出版社,ISBN 7-5024-3039-3/TP.366
13.《网络信息安全技术基础》,北京启明星辰信息技术有限公司,电子工业出版社,ISBN 7-5053-6890-7/TP.3916
14.《防火墙原理与实用技术》,北京启明星辰信息技术有限公司,电子工业出版社,ISBN 7-5053-6889-3/TP.3915
15.《Cisco网络安全宝典》,[美]Rajesh Kumar Sharma,NIIT等著 赵刚等译,电子工业出版社,ISBN 7-5053-8176-8/TP.4762
16.《网络与系统安全实用指南》,秦超、李素科、满成圆,北京航空航天大学出版社,ISBN 7-8 1077-089-6
17.《网络信息安全与保密(修订版)》,杨义先等著,北京邮电大学出版社,ISBN 7-5635-0386-2/TN.173
18.《网络互连技术教程》,李健等著,人民邮电出版社,ISBN 7-115-10143-4/TP.2775
19.《Linux连网详解》,[美]Bryan Pfaffenberger著 智慧东方工作室译,机械工业出版社,ISBN 7-111-09502-2/TP.2184
20.‘基于IPv6的安全技术及其应用’,王彦芳、刘永军、高占凤,《航空计算技术》,2000.4
21.‘基于PKI的IPSec-VPN网关的设计与实现’,杨宇航、孟桂娥、熊云凤,《计算机工程》,2001.2
22.《Cisco专业技术丛书:Cisco网络远程访问》,[美]Bill Burton著 戴锋译,机械工业出版社,ISBN 7-111-09182-5/TP.2090
23.《MPLS和VPN体系结构》,[美]Ivan Pepelnjak、Jim Guichard著,人民邮电出版社,ISBN 7-115-09509-4/TP.2368
24.《网络连接服务开发人员参考库(第5卷)—路由》,[美]David Iseminger著 詹文军等译,机械工业出版社,ISBN 7-111-08605-8/TP.1726
25.‘基于包过滤的VPN安全网关的设计与实现’,杨立扬、王汝传、吴凡,《中国数据通信》,2002.10
26.《计算机网络(第3版)》,Andrew S.Tanenbaum著 熊桂喜等译,清华大学出版社,ISBN 7-302-03035-9/TP.1618
27.《下一代Internet的网络技术》,李津生、洪佩琳,人民邮电出版社,ISBN 7-115-09101-3/TN.1693
28.‘密钥交换与密钥管理协议-IKE研究’,吴鸿钟、罗慧、张世雄、谭兴烈,《计算机工程与应用》,2002.21
29.《现代通信技术应用丛书——宽带城域网实用手册》,李勇等著,北京邮电大学出版社,ISBN 7-5635-0498-2/TN.226
30.《实现Cisco VPN实践指南》,[美]Adam Quiggle著 云舟工作室译,机械工业出版社,ISBN 7-111-09339-9/TP.2110
31.《网络连接服务开发人员参考库》(第一卷)[美]埃塞明著 前导工作室译,北京机械工业出版社 2000.12。
32.‘通过隧道技术建立安全的虚拟专用网’,曾勇军、杨贞斌、罗兴国,《计算机工程与应用》,2000.8
33.《虚拟私用网络技术》[美]W.Murhammer,译者:孔雷、刘云新,清华大学出版社,ISBN 7302038333
34.‘VPN:看不见的通道’,陈聪,《中国计算机报》Aug 12,2002
35.‘一种基于Windows NT的虚拟私有网络的实现’,余志东、张申生、温钢,《计算机工程》,2001.01
36.‘VPN的各种协议’,薛以辉,《中国计算机报》Aug 12,2002
37.‘基于公共网络的虚拟专用网探析’, 范志荣、陈文元、张卫平,《计算机应用研究》,2000.3
38.‘Quidway S8016 MPLS VPN技术’,钱胜、张志和,《华为技术报》148期
39.‘虚拟专用网的研究与实现’,曾志峰、冯运波、杨义先,《北京邮电大学学报》,2000.2
40.‘SSL进入VPN领域’,张志刚,《中国计算机报》Mar 04,2002
41.‘一种集成的可伸缩的网络安全系统’,刘积仁、蒋韬、秦扬、常桂然,《软件学报》,2002.3
42.《东方龙马VPN技术白皮书》,东方龙马
43.‘IPSec VPN的研究和分析’,田春歧、王立明、蔡勉、周凯,《计算机工程与应用》,2004.4
44.‘IPSec新一代因特网安全标准’,Naganand Doraswamy,机械工业出版社,2000
45.‘VPN安全技术的研究与分析’,江红,《计算机工程》,2002
46.‘面向Internet的IPSec安全体系结构’,杨宏宇,《计算机工程与应用》,2002
47. 《Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network》 [英], Sams Development Staff, ISBN 0672313413
48. 《Building and Managing Virtual Private Networks》 [英] Dave Kosiur,ISBN 0-471-29526-4
49. 《Internet Security Professional Reference, Second Edition》 [英], ISBN 156205760
50. 《Building Internet Firewalls》 [英] D.Brent Chapman, Elizabeth D.Zwicky, ISBN 1-56592-124-0
51. 《Secure Computers and Networks:Analysis, Design, and Implementation》 [英] Eric A. Fisch, Gregory B. White, ISBN: 0849318688
52. RFC 3145, L2TP Disconnect Cause Information. R. Verma, M. Verma, J. Carlson. July 2001
53. RFC 3093, Firewall Enhancement Protocol (FEP). M. Gaynor, S. Bradner. 1 April 2001
54. RFC 2888, Secure Remote Access with L2TP. P. Srisuresh. August 2000
55. RFC 2917, A Core MPLS IPVPN Architecture. K. Muthukrishnan, A. Malis. September 2000
56. RFC 2764, A Framework for IP Based Virtual Private Networks. B. Gleeson, A. Lin, J. Heinanen, G. Armitage, A. Malis. February 2000
57. RFC 2685, Virtual Private Networks Identifier. B. Fox, B. Gleeson. September 1999
58. RFC 2637, Point-to-Point Tunneling Protocol. K. Hamzeh, G. Pall, W. Verthein, Jo Taarud, W. Little, G. Zorn. July 1999
59. RFC 3078, Microsoft Point-To-Point Encryption (MPPE) Protocol. G. Pall, G. Zorn. March 2001
60. RFC 2409, The Internet Key Exchange (IKE). D. Harkins, D. Carrel, cisco Systems, November 1998
61. RFC 2406, IP Encapsulating Security Payload (ESP). S. Kent, R. Atkinson, BBN Corp, November 1998