The invention provides a method for achieving IPsec-VPN based on a state secret algorithm. The method is characterized by comprising user layer algorithm extension and kernel layer algorithm extension, wherein the user layer algorithm extension comprises the steps of building an encryption library and an encryption engine library, and dynamically loading the encryption engine library; and the kernel layer algorithm extension comprises the steps of building a state secret algorithm driving module, loading the state secret algorithm driving module, applying the state secret algorithm driving module and unloading the state secret algorithm driving module. According to the method provided by the invention, the encryption engine mechanism is used in a user layer, a system kernel code does not need to be changed, and only the encryption library and the encryption engine library need to be defined, a cryptographic algorithm interface needing to be extended is achieved in the encryption engine library, and dynamical loading is performed before use; an algorithm function to be extended is used in the kernel layer to achieve modularization, the module is dynamically loaded in the system when needed, only few codes need to be added into the kernel of the system and the module is not compiled into the kernel, so that the size of the kernel is controlled.