
Journal of Physics: Conference Series

PAPER • OPEN ACCESS

Research on high security of IP tunnel in virtual private network

To cite this article: Weimin Gan and Xiaogui Yin 2021 J. Phys.: Conf. Ser. 1856 012014

CNSSE 2021 IOP Publishing
Journal of Physics: Conference Series 1856 (2021) 012014 doi:10.1088/1742-6596/1856/1/012014

Research on high security of IP tunnel in virtual private network

Weimin Gan1*, Xiaogui Yin2

1 Department of Network Technology, Software Engineering Institute of Guangzhou, Guangzhou, Guangdong Province, 510990, China
2 Department of Teaching Guarantee, Software Engineering Institute of Guangzhou, Guangzhou, Guangdong Province, 510990, China
* Corresponding author's e-mail: [email protected]

Abstract. IPSec encrypts and authenticates IP packets. Both sides of a network-layer communication use encryption, data-origin authentication and integrity verification to ensure the confidentiality, integrity and anti-replay protection of IP packets in transit. In enterprise network management, IPSec VPN technology is commonly used to establish a secure channel for communication between headquarters and branches. [1]

1. Introduction
The traditional TCP/IP network lacks security authentication and secrecy mechanisms. As enterprise networks grow in scale and network security becomes more important, a security policy becomes a necessity, and introducing an IPSec security policy is increasingly important for protecting data communication over the traditional TCP/IP network: the sender can encrypt the data into ciphertext, and the receiver can verify the data to ensure that packets were not tampered with in transit. A good security policy not only protects the confidentiality of the communication data, but also prevents unknown users from repeatedly resending captured packets as a malicious (replay) attack.

2. Application scenarios
In enterprise network management, network administrators usually use IPSec VPN technology to protect private data transmitted over the public network, ensuring its confidentiality and integrity. Administrators often set up IPSec tunnels between the edge routers of the enterprise headquarters and the branch routers, deploying an IPSec VPN solution so that data traffic from designated departments is transmitted securely. [2]

3. IPSec architecture
IPSec mainly comprises three protocols: AH (Authentication Header), ESP (Encapsulating Security Payload) and IKE (Internet Key Exchange). AH provides data-origin authentication, data integrity verification and anti-replay protection. ESP mainly encrypts the IP packet data so that IP packets can be transmitted securely over an untrusted network. IKE automatically negotiates the cryptographic algorithms used by AH and ESP and establishes and maintains security associations (SAs), among other services.
Content from this work may be used under the terms of the Creative Commons Attribution 3.0 licence. Any further distribution of this work must maintain attribution to the author(s) and the title of the work, journal citation and DOI.
Published under licence by IOP Publishing Ltd

4. IPSec encapsulation mode [3]

The IPSec protocol has two encapsulation modes: transport and tunnel.

4.1. In transport mode, the AH or ESP header is placed between the IP header and the TCP header. The IP header remains unchanged before and after AH and ESP processing. This mode is mainly used in end-to-end scenarios, that is, it is only suitable for PC-to-PC communication.
Figure (not reproduced): transport-mode packet layouts for AH, ESP and AH-ESP.

4.2. In tunnel mode, IPSec generates a new IP header in front of the AH or ESP header: after AH and ESP processing, the packet is encapsulated in an outer IP header. This mode is mainly used in site-to-site scenarios, but it can also be applied to any scenario. Because tunnel mode adds the overhead of an extra IP header, transport mode is recommended for PC-to-PC scenarios.
Figure (not reproduced): tunnel-mode packet layouts for AH, ESP and AH-ESP.

5. Security policy design process

5.1. Configure network reachability

Check network-layer reachability between the sender and the receiver; the two sides can establish the IPSec VPN tunnel and carry out IPSec communication only if they are reachable.


5.2. Configure an ACL to identify the flow of interest

Only part of the traffic has integrity and confidentiality requirements, so the traffic must be filtered to select the flow of interest that IPSec should process. Different data flows can be defined and distinguished by configuring an ACL.

5.3. Create a security proposal

An IPSec proposal specifies how a data stream is protected in transit. Both ends of the secure tunnel must use the same authentication algorithm, security protocol, encryption algorithm and encapsulation mode. When an IPSec tunnel is established between two security gateways, tunnel mode readily hides the actual source and destination IP addresses used in the communication.

5.4. Create a security policy

Each IPSec security policy is identified by a unique name and sequence number. The encapsulation mode, security protocol and authentication and encryption algorithms defined in the IPSec proposal are applied through the IPSec policy. IPSec policies are of two types: manual SA establishment and IKE-negotiated SA establishment. This paper mainly introduces the policy that creates SAs manually.

5.5. Apply the security policy

Apply the IPSec security policy to an interface.

6. Security policy implementation

Figure 1. Experimental topology.


- Define the ACL flow of interest
[R1-acl-adv-3001]rule 5 permit ip source 10.0.1.0 0.0.0.255 destination 10.0.3.0 0.0.0.255
[R3-acl-adv-3001]rule 5 permit ip source 10.0.3.0 0.0.0.255 destination 10.0.1.0 0.0.0.255
- Create the security proposal
[R1-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R1-ipsec-proposal-tran1]esp encryption-algorithm 3des
[R3-ipsec-proposal-tran1]esp authentication-algorithm sha1
[R3-ipsec-proposal-tran1]esp encryption-algorithm 3des
- Create the IPSec security policy
[R1]ipsec policy P1 10 manual
[R1-ipsec-policy-manual-P1-10]security acl 3001
[R1-ipsec-policy-manual-P1-10]proposal tran1
[R1-ipsec-policy-manual-P1-10]tunnel remote 10.0.23.3
[R1-ipsec-policy-manual-P1-10]tunnel local 10.0.12.1
[R1-ipsec-policy-manual-P1-10]sa spi outbound esp 54321
[R1-ipsec-policy-manual-P1-10]sa spi inbound esp 12345
[R1-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[R1-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
[R3]ipsec policy P1 10 manual


[R3-ipsec-policy-manual-P1-10]security acl 3001
[R3-ipsec-policy-manual-P1-10]proposal tran1
[R3-ipsec-policy-manual-P1-10]tunnel remote 10.0.12.1
[R3-ipsec-policy-manual-P1-10]tunnel local 10.0.23.3
[R3-ipsec-policy-manual-P1-10]sa spi outbound esp 12345
[R3-ipsec-policy-manual-P1-10]sa spi inbound esp 54321
[R3-ipsec-policy-manual-P1-10]sa string-key outbound esp simple huawei
[R3-ipsec-policy-manual-P1-10]sa string-key inbound esp simple huawei
- Apply the security policy
[R1-Serial1/0/0]ipsec policy P1
[R3-Serial2/0/0]ipsec policy P1
- Verify network connectivity
(1) Traffic that is not of interest is not IPSec-encrypted.
<R1>ping -a 10.0.11.11 10.0.33.33
Reply from 10.0.33.33: bytes=56 Sequence=1 ttl=254 time=60 ms
…………
<R1>display ipsec statistics esp
Inpacket count 0
Inpacket auth count 0
Inpacket decap count 0
Outpacket count 0
PktDuplicateDrop count 0
PktSeqNoTooSmallDrop count 0
PktInSAMissDrop count 0
(2) Traffic of interest is encrypted by IPSec.
<R1>ping -a 10.0.1.1 10.0.3.3
Reply from 10.0.3.3: bytes=56 Sequence=2 ttl=255 time=77 ms
…………
<R1>display ipsec statistics esp
Inpacket count :5
Inpacket auth count :0
Inpacket decap count :0
Outpacket count : 5
PktDuplicateDrop count 0
PktSeqNoTooSmallDrop count 0
PktInSAMissDrop count 0
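The drop counters above (PktDuplicateDrop, PktSeqNoTooSmallDrop, PktInSAMissDrop) correspond to the receive-side checks an ESP endpoint performs. As an added example that is not the paper's code, the Python below models R1's manually keyed inbound SA (SPI 12345, string key "huawei", HMAC-SHA1-96 ICV as selected by "esp authentication-algorithm sha1") with a 64-packet sliding anti-replay window, and feeds it constructed packets that exercise each counter; the ESP 3DES encryption step is omitted and the IcvFailDrop counter name is constructed.

```python
import hmac, hashlib, struct
ICV_LEN = 12   # HMAC-SHA1-96: the 20-byte SHA-1 MAC truncated to 96 bits
WINDOW = 64    # anti-replay window width, in sequence numbers

class InboundSA:
    """Manually keyed inbound ESP SA; window bit i set => highest_seq - i already seen."""
    def __init__(self, auth_key):
        self.auth_key, self.highest_seq, self.window = auth_key, 0, 0
def esp_packet(spi, seq, payload, auth_key):
    """Sender: ESP header (SPI, seq) + payload + ICV; the 3DES encryption step is omitted."""
    body = struct.pack("!II", spi, seq) + payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
def receive(sas, counters, pkt):
    """Receiver: SA lookup, ICV check, anti-replay test; IcvFailDrop is a constructed name."""
    spi, seq = struct.unpack("!II", pkt[:8])
    sa = sas.get(spi)
    if sa is None:
        counters["PktInSAMissDrop"] += 1
        return False
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expected = hmac.new(sa.auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):  # verify before touching replay state
        counters["IcvFailDrop"] += 1
        return False
    if seq > sa.highest_seq:                     # newest so far: slide the window
        sa.window = ((sa.window << (seq - sa.highest_seq)) | 1) & ((1 << WINDOW) - 1)
        sa.highest_seq = seq
    else:
        diff = sa.highest_seq - seq
        if diff >= WINDOW:                       # older than the window covers
            counters["PktSeqNoTooSmallDrop"] += 1
            return False
        if (sa.window >> diff) & 1:              # already accepted once: replay
            counters["PktDuplicateDrop"] += 1
            return False
        sa.window |= 1 << diff                   # late but new: accept and mark
    counters["Inpacket count"] += 1
    return True

def demo():
    """R1's inbound SA from the paper (SPI 12345, key 'huawei') fed constructed traffic."""
    key, sas = b"huawei", {12345: InboundSA(b"huawei")}
    counters = dict.fromkeys(["Inpacket count", "PktDuplicateDrop",
                              "PktSeqNoTooSmallDrop", "PktInSAMissDrop", "IcvFailDrop"], 0)
    fresh = {s: esp_packet(12345, s, b"icmp echo", key) for s in (1, 2, 3, 200, 190)}
    stream = [fresh[1], fresh[2], fresh[3], fresh[2],   # seq 2 replayed -> duplicate
              fresh[200], fresh[190],                   # 190 late but inside the window -> ok
              fresh[3],                                 # 3 is now 197 behind 200 -> too small
              esp_packet(99999, 1, b"icmp echo", key),  # SPI that has no SA
              fresh[200][:-1] + bytes([fresh[200][-1] ^ 0xFF])]  # ICV byte corrupted
    for p in stream: receive(sas, counters, p)
    return counters
```

Running demo() yields five accepted packets and exactly one drop on each counter, including the out-of-order packet 190 that a plain "seq must increase" check would wrongly reject.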

7. Conclusion
This paper introduces the principle of the IPSec protocol and the application scenarios, architecture and security policy design and implementation of IPSec VPN. It focuses on IPSec proposals, policies and how they are bound together: the traffic of interest is defined through an ACL and selected by the applied policy, the selected data flow is processed and encapsulated with the negotiated parameters, and it is then forwarded through the IPSec tunnel.

References
[1] Tang Xiaomeng, Liu Chang. (2016-08) Principle and configuration of IPSec VPN [J]. China Cable TV.
[2] Xiao Weiqi. (2014-12) Discussion on the application of IPSec VPN technology in private virtual private network [J]. Information Communication.
[3] Wang Da. (2017) Huawei VPN learning guide [M]. People's Posts and Telecommunications Press. pp. 30-90.
[4] Dong Shimeng, Gong Maobin. (2017-01) Research on VPN network design based on IPSec [J]. Communication Management and Technology.
[5] Peng Chunyan, Wang Defang. (2013-06) Design and simulation of experimental teaching based on IPSec VPN [J]. Electronic Design Engineering.
