Abstract: This paper introduces an implementation method for an embedded wireless IPSec VPN gateway based on uClinux. It adopts the IPSec standard on the Linux 2.6 kernel, offering low cost and powerful functionality; it is also highly scalable and adaptable to the needs of next-generation IPv6 networks.

Keywords: Wireless gateway, IPSec VPN, uClinux, Coldfire

Introduction

With the development of network and wireless communication technologies and the improvement of wireless data transmission capabilities, the application areas of wireless data transmission are constantly expanding. As shown in Figure 1, users' mobile devices can access the Internet directly through the public CDMA/GPRS wireless network and then reach their own internal network, saving the cost of building a private network. Since users want to ensure the security of their data, VPN technology has become an inevitable choice.

1 Introduction to IPSec

The goal of IPSec is to provide a complete set of interoperable, high-quality, cryptographically based security services for IP, including access control, connectionless integrity, data origin authentication, anti-replay protection, confidentiality, and limited traffic-flow confidentiality. These services are provided at the IP layer and protect both IP and the upper-layer protocols. The IPSec architecture is defined in RFC 2401. It achieves its goals through two traffic security protocols, the Authentication Header (AH) and the Encapsulating Security Payload (ESP), together with key management procedures and related protocols. AH provides connectionless integrity, data origin authentication, and optional anti-replay protection; ESP provides confidentiality, limited traffic-flow confidentiality, connectionless integrity, data origin authentication, and anti-replay protection. Both AH and ESP are the foundation of access control based on key distribution and traffic management. Both AH and ESP have two modes: transport mode and tunnel mode.
Transport mode is used to protect communication between hosts, while tunnel mode encapsulates an IP packet inside an outer IP packet and is primarily used to protect communication between gateways. In IPSec, users control its use by providing their own security policies (SPs), which specify which traffic to protect, which security services to use, and which cryptographic algorithms to apply.

The Security Association (SA) is a fundamental concept in IPSec: it is a simplex "connection" that uses either AH or ESP to provide security services for the traffic it carries. If both AH and ESP are to be applied, two or more SAs are required, and since SAs are unidirectional, bidirectional secure communication requires at least one SA in each direction. IPSec maintains two security-related databases: the Security Policy Database (SPD) and the Security Association Database (SAD). The former holds the policies that decide how all inbound and outbound IP traffic is handled, while the latter holds the parameters of all (valid) SAs.

Key distribution and SA management for AH/ESP rely on a set of independent mechanisms, both manual and automatic. IPSec defines the IKE protocol for automatic key distribution and SA management. IKE proceeds in two phases: in the first phase the two parties establish a mutually trusted, confidential and secure channel that protects the key negotiation of the second phase; in the second phase the actual IPSec SAs are negotiated.

The IPSec data processing model is shown in Figure 2. For each inbound or outbound packet, the applicable security policy is determined first. If security services are required, the corresponding SA is looked up, and AH/ESP processing is performed with the parameters provided by that SA to complete the inbound or outbound processing.
2 System Functions

The main function of this system is to support both CDMA and GPRS access to the Internet, functioning as both a VPN server and a VPN client. IPSec key exchange supports both the pre-shared key method and the X.509 certificate method.

3 System Hardware Implementation

The system hardware configuration is shown in Figure 3. The wireless interface uses a Wavecom CDMA/GPRS module, and the baseboard uses a Freescale Coldfire 5272.

4 System Software Implementation

The Linux 2.6 kernel includes support for IPSec. This system uses IPSec-tools on the Linux 2.6 kernel. The IPSec-related software structure of the whole system is shown in Figure 4. The Linux 2.6 kernel provides AH and ESP support in its network protocol stack, together with implementations of the SPD and SAD. IPSec-tools contains two applications: setkey and racoon. setkey implements manual management of the SPD and SAD and requires the Linux kernel to support the IPSec user management interface. racoon is the IKE implementation in IPSec-tools and requires the kernel to support the PF_KEYv2 interface; in addition, to support public key authentication based on X.509 certificates, racoon needs the libcrypto library provided by OpenSSL. The encryption algorithms used by AH/ESP require support from the kernel's cryptographic library.

4.1 Linux Kernel

Download and install the Linux 2.6.12 kernel from www.kernel.org, and download the uClinux patch from www.uclinux.org. After applying the patch, enter the kernel configuration interface via `make menuconfig` and select all of the following configuration options:

4.2 OpenSSL (libcrypto.a)

After installing the OpenSSL 0.9.7e source code, go to the installation directory and modify its Configure file to use m68k-elf-gcc as the compiler. Run `Configure linux-m68k` to complete the configuration, then compile to generate libcrypto.a.
4.3 IPSec-tools

Following the uClinux documentation on adding new user programs, add the IPSec-tools 0.5.2 package to the /user directory of uClinux. Navigate to the IPSec-tools installation directory and add the following Makefile (it must specify the installation directories of the kernel header files and the OpenSSL source code):

```make
all: build
	$(MAKE) -C build
```

5 Using IPSec-tools

This system's IPSec supports both transport mode and tunnel mode; when used as a VPN gateway, only tunnel mode is used. Figure 5 shows the communication model between two IPSec gateways: 192.168.1.100 and 192.168.2.100 are the external interface addresses of the two gateways, protecting the internal subnets 172.16.1.0/24 and 172.16.2.0/24 respectively. The following takes the gateway with external IP 192.168.0.1 in Figure 5 as an example to introduce security policy and key management in IPSec-tools under tunnel mode.

5.1 Security Policy

Security policy management in IPSec-tools is done by `setkey`. In the `setkey` configuration file... The conf file needs to include three security policy rules: inbound (in), outbound (out), and forwarding (fwd).

5.2 Key and SA Management

(1) Manual method. The SA rules in setkey.conf define the manual management of keys and SAs in IPSec.

(2) Automatic method. The automatic method is handled by racoon, which supports several authentication methods, including pre-shared keys and X.509 certificates. The racoon configuration file racoon.conf consists mainly of two parts, remote and sainfo, which correspond to the first and second phases of the IKE exchange respectively. The remote part specifies the authentication method and the encryption and authentication algorithm parameters for IKE phase 1; the sainfo part specifies the encryption and authentication algorithms for phase 2. Under the pre-shared key method, the user's pre-shared key is stored in a file.
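The setkey policies and manual SAs of sections 5.1 and 5.2 (1), followed by a racoon.conf for the pre-shared key method of 5.2 (2), written out for the gateway with external address 192.168.1.100 in Figure 5 as an added example that is not from the original paper. File paths, SPI values, key material and the certificate file names are constructed placeholders, and the commented X.509 variant assumes the `certificate_type` and `ca_type` keywords of your ipsec-tools version's racoon.conf(5).

```conf
# /etc/ipsec-tools.conf, loaded with: setkey -f /etc/ipsec-tools.conf
# Gateway A: external 192.168.1.100, inside 172.16.1.0/24;
# peer gateway B: external 192.168.2.100, inside 172.16.2.0/24.
flush;
spdflush;

# SPD: the three policies of section 5.1 (out, in, fwd), ESP tunnel mode,
# level "require" so no cleartext is sent or accepted for these subnets.
spdadd 172.16.1.0/24 172.16.2.0/24 any -P out ipsec
    esp/tunnel/192.168.1.100-192.168.2.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P in ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;
spdadd 172.16.2.0/24 172.16.1.0/24 any -P fwd ipsec
    esp/tunnel/192.168.2.100-192.168.1.100/require;

# Manual SAs (section 5.2 (1)), one per direction. SPIs and keys are
# constructed placeholders: use 16 random bytes for AES-128 and 20 for
# HMAC-SHA1 per SA. Drop these when racoon negotiates the SAs instead.
add 192.168.1.100 192.168.2.100 esp 0x1001 -m tunnel
    -E rijndael-cbc 0x00112233445566778899aabbccddeeff
    -A hmac-sha1 0x00112233445566778899aabbccddeeff00112233;
add 192.168.2.100 192.168.1.100 esp 0x1002 -m tunnel
    -E rijndael-cbc 0xffeeddccbbaa99887766554433221100
    -A hmac-sha1 0xffeeddccbbaa99887766554433221100ffeeddcc;

# /etc/racoon/racoon.conf (section 5.2 (2), automatic method via IKE)
path pre_shared_key "/etc/racoon/psk.txt";  # line "192.168.2.100 <secret>", mode 0600
path certificate "/etc/racoon/certs";       # only used by the X.509 variant

remote 192.168.2.100 {            # IKE phase 1 with gateway B
    exchange_mode main;
    # X.509 variant: uncomment and set authentication_method rsasig below
    # certificate_type x509 "gw-a.crt" "gw-a.key";
    # ca_type x509 "ca.crt";
    # verify_cert on;
    proposal {
        encryption_algorithm aes;
        hash_algorithm sha1;
        authentication_method pre_shared_key;
        dh_group 14;              # modp2048
    }
}

sainfo address 172.16.1.0/24 any address 172.16.2.0/24 any {  # phase 2
    pfs_group 14;
    encryption_algorithm aes;
    authentication_algorithm hmac_sha1;
    compression_algorithm deflate;
}
```

The SPD entries are loaded with setkey in both the manual and the automatic case; only the two `add` lines are replaced by racoon's negotiated SAs.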
In this case racoon.conf is configured as follows, specifying the file in which the pre-shared key is stored:

Under the X.509 certificate method, the configuration of racoon.conf is basically the same as with the pre-shared key method, but it additionally specifies the certificate directory, the gateway's own X.509 certificate, the key for that certificate, and the CA certificate. For certificate generation with racoon, refer to the racoon and OpenSSL user manuals.

5.3 Operation

After the wireless gateway is connected to the Internet, run `setkey` and `racoon` with the configuration above.

6 Conclusion

The combination of wireless data transmission and IPSec further expands the application areas of wireless data transmission. Currently, this system is widely used in industries such as finance, insurance, power, monitoring, transportation, and meteorology. Subject to mobile network licensing conditions, any device with an Ethernet or serial port, such as PCs, industrial control computers, ATMs, POS terminals and video servers, can easily and securely connect to the Internet through this system.