A distributed object-based IPSec multi-tunnels concurrent architecture

In the existing IPSec architecture, in which tunnel is built in kernel, the number of concurrent tunnels is restricted by IP address configured on the machine and user can not control the process of establishing tunnel. This brings inconvenience when we use personal computer to measure the performance parameters of VPN Gateway (e.g. the maximum number of concurrent tunnels and the maximum rate of the new tunnels built). In order to solve this problem, this paper presents a novel IPSec multi-tunnels concurrent architecture which uses distributed objects to build tunnels in user space. The architecture privodes one Console which are used to control all AgentNodes and multiple AgentNodes which are used to build tunnels. In AgentNode, the negotiation processing of tunnels, the IPSec processing of packets and the protocol processing of TCP/IP are all completed in user space by objects. Meanwhile, AgentNode uses virtual IP address instead of local IP address to negotiate tunnel and the number of concurrent tunnels will be unlimited (only limited by memory). Moreover, based on distributed architecture, the number of AgentNode can be arbitrarily extended. Therefore, the system has a great deal of flexibility on the number of concurrent tunnels and the rate of tunnel establishment, which helps to accurately measure the performance parameters of VPN Gateway.