
Computer Engineering, 2006, Vol. 32, Issue 20: 157-159. doi: 10.3969/j.issn.1000-3428.2006.20.057

• Security Technology •

Design and Implementation of Authentic VPN Scheme Using L2TP

HUANG Hao, XIE Dongqing   

(1. College of Computer and Communication, Hunan Univ., Changsha 410082; 2. Key Laboratory of Computer Science, Institute of Software, Chinese Academy of Sciences, Beijing 100081)

Received: 1900-01-01 Revised: 1900-01-01 Online: 2006-10-20 Published: 2006-10-20

Abstract: This paper proposes a model that combines a CA with symmetrical L2TP routers: digital certificates handle identity authentication and key distribution, while the L2TP routers handle encryption and data integrity. Compared with the existing access method based on LAC plus LNS, the scheme clearly separates and simplifies the work involved, and it solves the problem of securing multiple calls within an L2TP tunnel independently of one another. The architecture of the L2TP router is designed around the characteristics of the Linux kernel in order to process VPN data. Experiments show that the scheme balances security and performance and provides a fast, authentic VPN solution.

Key words: L2TP, CA, Digital certificate, IPsec, UDP