ICS35.030

CCSL80

中華人民共和國密碼行業標準

GM/T0023—2023

代替GM/T0023—2014

IPSecVPN網關產品規范

IPSecVPNgatewayproductspecification

2023?12?04發布2024?06?01實施

國家密碼管理局發布

GM/T0023—2023

目次

前言··························································································································Ⅲ

1范圍·······················································································································1

2規范性引用文件········································································································1

3術語和定義··············································································································1

4縮略語····················································································································1

5功能要求·················································································································2

5.1隨機數生成········································································································2

5.2工作模式···········································································································2

5.3密鑰交換···········································································································2

5.4安全報文封裝·····································································································2

5.5NAT穿越··········································································································2

5.6鑒別方式···········································································································2

5.7IP協議版本支持··································································································2

5.8抗重放攻擊········································································································2

5.9密鑰更新···········································································································2

5.10包過濾·············································································································3

5.11熱備份·············································································································3

5.12負載均衡··········································································································3

5.13對端探測··········································································································3

5.14網絡適應性·······································································································3

5.15集群部署··········································································································3

5.16動態地址··········································································································3

6性能要求·················································································································3

6.1加解密吞吐率·····································································································3

6.2加解密時延········································································································3

6.3加解密丟包率·····································································································4

6.4每秒新建隧道數··································································································4

6.5最大并發隧道數··································································································4

7安全性要求··············································································································4

7.1密鑰管理要求·····································································································4

7.2密碼協議要求·····································································································4

7.3算法配用要求·····································································································5

Ⅰ

GM/T0023—2023

7.4密碼部件調用接口要求·························································································5

7.5敏感參數管理要求·······························································································5

7.6硬件安全要求·····································································································5

7.7軟件安全要求·····································································································5

8管理要求·················································································································5

8.1配置管理···········································································································5

8.2設備監控···········································································································6

8.3設備管理···········································································································7

8.4管理員要求········································································································7

8.5管理協議和接口··································································································8

9硬件要求·················································································································8

9.1外部接口···········································································································8

9.2密碼部件···········································································································8

9.3隨機數發生器·····································································································8

9.4環境適應性········································································································8

9.5電磁兼容性········································································································8

9.6可靠性··············································································································8

10檢測方法···············································································································8

10.1檢測說明··········································································································8

10.2外觀和結構的檢查······························································································9

10.3提交文檔的檢查·································································································9

10.4功能檢測··········································································································9

10.5性能檢測········································································································10

10.6安全性檢測·····································································································11

10.7管理檢測········································································································11

10.8硬件檢測········································································································12

11判定規則··············································································································12

Ⅱ

GM/T0023—2023

前言

本文件按照GB/T1.1—2020《標準化工作導則第1部分：標準化文件的結構和起草規則》的規

定起草。

本文件代替GM/T0023—2014《IPSecVPN網關產品規范》。與GM/T0023—2014相比，除結構

調整和編輯性改動外，主要技術變化如下：

a）增加了GCM可鑒別加密機制作為對稱算法的工作機制（見5.4和7.3）；

b）增加了“熱備份”“負載均衡”“對端探測”“網絡適應性”“集群部署”“動態地址”的要求（見

5.11、5.12、5.13、5.14、5.15和5.16）；

c）刪除了“參數可配置能力要求”“過程保護”（見2014年版的5.6和5.7）；

d）增加了“密碼協議要求”“算法配用要求”“密碼部件調用接口要求”“敏感參數管理要求”的要

求（見7.2、7.3、7.4和7.5）；

e）將“管理功能要求”更改為“管理要求”，并對內容進行了更改：刪除了“合規性驗證”，將“參數

配置管理”更改為“配置管理”并增加了“配置數據管理”，將“遠程監控管理”更改為“設備監

控”并刪除了“參數查詢”，將“日志管理”更改為“日志功能”并合并到“設備監控”，刪除了“遠

程管理”，增加了“管理協議和接口”，增加了遠程配置管理、遠程設備監控的協議和接口要求

（見第8章，2014年版的第5章）；

f）將“檢測要求”更改為“檢測方法”，并按照新的章節結構和內容進行了相應更改（見第10章，

2014年版的第6章）；

g）將“合格判定”更改為“判定規則”，并按照新的章節結構和內容進行了相應更改（見第11章，

2014年版的第7章）。

請注意本文件的某些內容可能涉及專利。本文件的發布機構不承擔識別專利的責任。

本文件由密碼行業標準化技術委員會提出并歸口。

本文件起草單位：中電科網絡安全科技股份有限公司、四川大學、深信服科技股份有限公司、阿里

云計算有限公司、鼎鉉商用密碼測評技術有限公司、格爾軟件股份有限公司、無錫江南信息安全工程技

術中心、興唐通信科技有限公司、山東得安信息技術有限公司、華為技術有限公司、天融信科技集團股

份有限公司、西安交大捷普網絡科技有限公司、山東大學。

本文件主要起草人：羅俊、龔勛、葉潤國、張大江、鄒家須、鄭強、譚武征、李元正、徐明翼、徐強、

王妮娜、馬洪富、黃敏、孔凡玉。

本文件及其所代替文件的歷次版本發布情況為：

——2014年首次發布為GM/T0023—2014；

——本次為第一次修訂。

Ⅲ

GM/T0023—2023

IPSecVPN網關產品規范

1范圍

本文件規定了IPSecVPN網關產品的功能要求、性能要求、安全性要求、管理要求、硬件要求、檢

測方法和合格判定條件。

本文件適用于IPSecVPN網關產品的研制、使用和檢測。

2規范性引用文件

下列文件中的內容通過文中的規范性引用而構成本文件必不可少的條款。其中，注日期的引用文

件，僅該日期對應的版本適用于本文件；