CN103179225A - IPsec-based (internet protocol security-based) keep-alive method and equipment for NAT (network address translation) entries - Google Patents


Info

Publication number: CN103179225A
Authority: CN (China)
Prior art keywords: ipsec, nat, ike, responder, initiator
Legal status: Granted (status as listed by Google Patents; not a legal conclusion)
Application number: CN2013100869243A
Other languages: Chinese (zh)
Other versions: CN103179225B (en)
Inventor: 杨超
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd
Events: application filed by Hangzhou H3C Technologies Co Ltd; priority to CN201310086924.3A; publication of CN103179225A; application granted; publication of CN103179225B; legal status: Active

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an IPsec (Internet Protocol Security) based keep-alive method and device for NAT (Network Address Translation) entries. The method includes: an IPsec initiator establishes an IKE SA (Internet Key Exchange Security Association) with an IPsec responder, uses the IKE SA to establish IPsec SAs with the responder, and starts a NAT message transmission timer corresponding to the IKE SA; when the IKE SA or an IPsec SA is deleted, the initiator determines whether it was the last SA in the SA set; if so, the initiator deletes the NAT message transmission timer, and if not, it keeps the timer. The method and device avoid interruption of traffic.

Description

IPsec-based NAT entry keep-alive method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an IPsec (IP Security) based NAT (Network Address Translation) entry keep-alive method and device.
Background technology
IPsec is a layer-3 tunnelling encryption protocol and the security technology used to implement layer-3 VPNs (Virtual Private Networks). It provides the following security services at the IP layer: (1) data confidentiality: the IPsec initiator encrypts packets before transmitting them over the network; (2) data integrity: the IPsec responder authenticates received packets to ensure they were not tampered with in transit; (3) data origin authentication: the IPsec responder can verify whether the IPsec initiator that sent an IPsec packet is legitimate; (4) anti-replay: the IPsec responder can detect and reject stale or duplicated packets.
To provide these services, IPsec offers two security mechanisms, authentication and encryption. The authentication mechanism lets the responder of an IP communication confirm the true identity of the packet's originator and whether the packet was altered in transit; the encryption mechanism encrypts packets so that their contents stay confidential even if they are eavesdropped in transit. In the IPsec protocol suite, the AH (Authentication Header) protocol defines how authentication is applied, and the ESP (Encapsulating Security Payload) protocol defines how encryption and optional authentication are applied. In actual IP communication, AH and ESP can be used together or individually, according to the security requirements.
IPsec provides secure communication between two endpoints, called the IPsec peers: the IPsec initiator and the IPsec responder. An SA (Security Association) is an agreement between the IPsec peers on a set of parameters, for example which protocol (AH or ESP), which encapsulation mode (transport or tunnel), which encryption algorithm, and so on. The SA parameters can be negotiated between the peers through IKE (Internet Key Exchange); Fig. 1 shows the relationship between IPsec and IKE.
IKE negotiates keys and sets up SAs for IPsec in two phases: (1) the IPsec initiator and the IPsec responder establish an authenticated, protected channel between them, that is, an IKE SA; (2) using the IKE SA established in the first phase, the peers negotiate the security services for IPsec, that is, the concrete IPsec SA used for the final protected IP transmission.
As shown in Fig. 2, NAT translates the IP address in an IP header into another IP address; it lets private networks reach public networks and helps slow the exhaustion of the available IP address space. Further, as shown in Fig. 3, NAPT (Network Address Port Translation) lets multiple private addresses map to the same public address by translating the IP address and the port number together: the source addresses of IP packets from different private addresses are mapped to the same external address, while the port number of each packet is translated to a different port number of that address, so the address can be shared. In other words, NAPT translates between private IP address + port number and public IP address + port number.
Both IPsec and NAT are widely used in today's networks, so IPsec and NAT devices are commonly deployed together. In Fig. 4, RT2 (a router) is the NAT device, PC1 (a host) and RT1 are inside the NAT, and PC2 and RT3 are outside it. For PC1 and PC2 to communicate, an IPsec link must be set up between RT1 and RT3. After RT1 sends an IKE negotiation packet to RT3, the NAT device must maintain a NAT translation entry for that IKE negotiation packet so that the IKE negotiation packet RT3 sends in reply is delivered correctly to RT1. This NAT translation entry has an aging time (configured on the NAT device); if no IKE negotiation packet passes through the NAT device within the aging time, the NAT device deletes the entry.
In the prior art, to keep the NAT translation entry on the NAT device from being deleted, RT1 periodically sends NAT entry keep-alive packets (NAT Keepalive packets; the default sending period is 20 seconds). However, the precondition for RT1 to send them periodically is that the IKE SA exists; if the IKE SA does not exist, RT1 does not send NAT entry keep-alive packets to the NAT device.
Because the IKE SA and the IPsec SA do not necessarily exist at the same time, when the IKE SA no longer exists while the IPsec SA still does, RT1 stops sending NAT entry keep-alive packets and the NAT device deletes the NAT translation entry once the aging time elapses. In an IPsec-through-NAT deployment there is then no NAT translation entry, so traffic sent by RT3 to RT1 fails to match an entry and the flow is interrupted.
Summary of the invention
Embodiments of the present invention provide an IPsec-based NAT entry keep-alive method and device which can still send NAT entry keep-alive packets when no IKE SA exists but an IPsec SA does, so that traffic sent by the IPsec responder to the IPsec initiator does not fail to match the NAT translation entry on the NAT device.
To this end, an embodiment of the present invention provides an IPsec-based NAT entry keep-alive method, applied in a network comprising an IPsec initiator, a NAT device and an IPsec responder, the method comprising the following steps:
the IPsec initiator establishes an IKE SA between itself and the IPsec responder, uses the IKE SA to establish IPsec SAs between itself and the IPsec responder, and starts a NAT message transmission timer corresponding to the IKE SA;
when the IKE SA or an IPsec SA is deleted, the IPsec initiator determines whether that IKE SA or IPsec SA is the last SA in the SA set; in the initial state, the SA set comprises the IKE SA and all IPsec SAs established using the IKE SA;
if so, the IPsec initiator deletes the NAT message transmission timer;
if not, the IPsec initiator keeps the NAT message transmission timer;
before the NAT message transmission timer is deleted, the IPsec initiator periodically sends NAT entry keep-alive packets through the NAT device to the IPsec responder.
After the IPsec initiator establishes the IKE SA with the IPsec responder, it starts a first aging timer for the IKE SA and deletes the IKE SA when the first aging timer expires;
after the IPsec initiator uses the IKE SA to establish an IPsec SA with the IPsec responder, it starts a second aging timer for the IPsec SA and deletes the IPsec SA when the second aging timer expires.
After the IPsec initiator deletes the NAT message transmission timer, the method further comprises:
the IPsec initiator stops sending NAT entry keep-alive packets to the IPsec responder.
Establishing the IKE SA between the IPsec initiator and the IPsec responder specifically comprises: the IPsec initiator sends an IKE negotiation packet through the NAT device to the IPsec responder; on receiving the IKE negotiation packet, the NAT device creates a corresponding NAT translation entry for it and maintains an aging timer for that entry;
when the IPsec initiator receives an IKE negotiation packet from the IPsec responder through the NAT device, it establishes the IKE SA between itself and the IPsec responder.
The NAT entry keep-alive packet causes the NAT device that receives it to refresh the aging timer of the NAT translation entry.
An embodiment of the present invention also provides an IPsec initiator device, applied in a network comprising the IPsec initiator, a NAT device and an IPsec responder, the IPsec initiator specifically comprising:
an establishing module, for establishing an IKE SA between this device and the IPsec responder, and using the IKE SA to establish IPsec SAs between this device and the IPsec responder;
a judging module, for determining, when the IKE SA or an IPsec SA is deleted, whether that IKE SA or IPsec SA is the last SA in the SA set; in the initial state, the SA set comprises the IKE SA and all IPsec SAs established using the IKE SA;
a maintenance module, for starting a NAT message transmission timer corresponding to the IKE SA when the IKE SA is established, deleting the NAT message transmission timer when the judgment result is yes, and keeping it when the judgment result is no;
a sending module, for periodically sending NAT entry keep-alive packets through the NAT device to the IPsec responder before the NAT message transmission timer is deleted.
The device further comprises a processing module, for starting a first aging timer for the IKE SA when the IKE SA is established between this device and the IPsec responder and deleting the IKE SA when the first aging timer expires, and for starting a second aging timer for an IPsec SA when that IPsec SA is established between this device and the IPsec responder and deleting the IPsec SA when the second aging timer expires.
The sending module is further for stopping the sending of NAT entry keep-alive packets to the IPsec responder after the NAT message transmission timer is deleted.
The establishing module is specifically for sending an IKE negotiation packet through the NAT device to the IPsec responder, whereupon the NAT device, on receiving the IKE negotiation packet, creates a corresponding NAT translation entry for it and maintains an aging timer for that entry;
and for establishing the IKE SA between this device and the IPsec responder when an IKE negotiation packet is received from the IPsec responder through the NAT device.
The NAT entry keep-alive packet causes the NAT device that receives it to refresh the aging timer of the NAT translation entry.
Compared with the prior art, the embodiments of the present invention have at least the following advantage: in an IPsec-through-NAT environment, NAT entry keep-alive packets continue to be sent when no IKE SA exists but an IPsec SA does, so traffic sent by the IPsec responder to the IPsec initiator does not fail to match the NAT translation entry on the NAT device, and the flow is not interrupted.
Description of drawings
Fig. 1 is a schematic diagram of the relationship between IPsec and IKE in the prior art;
Fig. 2 is a schematic diagram of NAT processing in the prior art;
Fig. 3 is a schematic diagram of NAPT processing in the prior art;
Fig. 4 is a network diagram of the prior art in which IPsec and a NAT device are deployed together;
Fig. 5 is a flow chart of the IPsec-based NAT entry keep-alive method provided by an embodiment of the present invention;
Fig. 6 is a structural diagram of the IPsec initiator proposed by an embodiment of the present invention.
Embodiment
Embodiments of the present invention are described in detail below with reference to the accompanying drawings.
To address the problems of the prior art, an embodiment of the present invention proposes an IPsec-based NAT entry keep-alive method, applied in a network comprising an IPsec initiator (the device inside the NAT), a NAT device and an IPsec responder (the device outside the NAT). In a network environment where IPsec traverses the NAT device, the IPsec initiator can continue to send NAT entry keep-alive packets when no IKE SA exists but an IPsec SA does, so that traffic sent by the IPsec responder to the IPsec initiator does not fail to match the NAT translation entry on the NAT device and the flow is not interrupted.
As shown in Fig. 5, the IPsec-based NAT entry keep-alive method comprises the following steps:
Step 501: the IPsec initiator establishes an IKE SA between itself and the IPsec responder, and starts a NAT message transmission timer corresponding to the IKE SA.
In this embodiment, establishing the IKE SA specifically comprises: the IPsec initiator sends an IKE negotiation packet (used to negotiate the SA parameters) through the NAT device to the IPsec responder; when the IPsec initiator receives an IKE negotiation packet from the IPsec responder through the NAT device, it establishes the IKE SA between itself and the IPsec responder.
After the IPsec initiator sends the IKE negotiation packet through the NAT device to the IPsec responder, to ensure that the IKE negotiation packet sent back by the IPsec responder is delivered correctly to the IPsec initiator, the NAT device, on receiving the IKE negotiation packet, must create a corresponding NAT translation entry for it and maintain an aging timer for that entry.
Specifically, after receiving the IKE negotiation packet, if the NAT device has no NAT translation entry corresponding to it, the NAT device creates a NAT translation entry for the IKE negotiation packet, configures an aging time for the entry (chosen according to practical experience), and maintains an aging timer for it; if the NAT device already has a NAT translation entry corresponding to the IKE negotiation packet, it refreshes the entry's aging timer (that is, restarts the timer).
Taking Fig. 4 as the application scenario of this embodiment, assume IPsec is deployed on RT1 and RT3, an IPsec policy is configured on the interface of RT1 connected to RT2 and on the interface of RT3 connected to RT2, NAT is enabled on RT2, PC1 and PC2 are hosts, PC1 is inside the NAT and PC2 is outside it. When PC1 needs to send data to PC2, RT1 is the IPsec initiator, RT3 is the IPsec responder and RT2 is the NAT device.
After receiving the data that PC1 needs to send to PC2, RT1 learns from its routing table that the outgoing interface is its interface connected to RT2, whose address is 17.17.17.12. Because an IPsec policy is configured on that interface, RT1 triggers the IPsec SA negotiation process to set up an IPsec tunnel between RT1 and RT3. During tunnel setup, RT1 must send IKE negotiation packets to RT3 through the NAT device, and RT3 must return IKE negotiation packets to RT1 through the NAT device.
In this process, after RT1 sends an IKE negotiation packet to RT3 through RT2, RT2 must maintain the NAT translation entry corresponding to the IKE negotiation packet so that RT3 can return its IKE negotiation packet to RT1 through RT2. That is: when RT2 has no NAT translation entry corresponding to the IKE negotiation packet, it creates one; the entry has an aging time (configured manually on RT2), and from the moment the entry is created RT2 maintains an aging timer for it. If RT2 already has a NAT translation entry corresponding to the IKE negotiation packet, it only needs to clear the aging timer's current count and restart the timer.
In this embodiment, to keep the NAT translation entry on the NAT device from being deleted, the IPsec initiator also starts a NAT message transmission timer corresponding to the IKE SA. After starting the timer, the IPsec initiator periodically (at an interval determined by the NAT message transmission timer) sends NAT entry keep-alive packets (which are in plaintext format) through the NAT device to the IPsec responder.
The NAT entry keep-alive packet causes the NAT device that receives it to refresh the aging timer of the NAT translation entry. Specifically, the source address in the IP header of the NAT entry keep-alive packet is the same as that of the IKE negotiation packet, the destination address in its IP header is the same as that of the IKE negotiation packet, the source port in its UDP header is the same as that of the IKE negotiation packet, and the destination port in its UDP header is the same as that of the IKE negotiation packet. Since the NAT translation entry was created for the IKE negotiation packet and records that packet's information (source and destination address in the IP header, source and destination port in the UDP header), the NAT device, on receiving a NAT entry keep-alive packet, can use the source and destination addresses in its IP header and the source and destination ports in its UDP header to match the NAT translation entry, and then refresh the entry's aging timer, that is, reset the aging timer to its initial value.
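The matching rule just described can be checked against the wire format, as an added example that is not part of the patent or of H3C's code. Per RFC 3948 (UDP encapsulation of IPsec, which the page does not cite), once NAT traversal has been detected UDP port 4500 carries three kinds of payload: IKE prefixed by a four-zero-octet Non-ESP Marker, UDP-encapsulated ESP that starts directly with the SPI, and the NAT keep-alive, a single 0xFF octet sent by the peer behind the NAT and silently discarded by the receiver, which is the "plaintext" packet the embodiment refers to. The addresses, SPI and IKE body below are constructed placeholders. The code builds the three packets with the same source and destination addresses and ports as the IKE negotiation packet, derives the NAT lookup five-tuple from each, classifies the payloads, and shows that the one-byte keep-alive hits the same entry as the IKE packet while a keep-alive from another address does not.

```python
"""Constructed example: NAT keep-alive next to IKE and ESP on UDP/4500
(RFC 3948 framing), and the five-tuple a NAT device derives from each packet.
IP and UDP checksums are left at zero, which is enough for parsing here."""
import ipaddress
import struct

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: precedes IKE on UDP/4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: keep-alive is one 0xFF octet
IKE_HEADER_LEN = 28
IPPROTO_UDP = 17


def ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build an IPv4 + UDP packet around `payload` (20-byte IP header, no options)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_ip).packed, ipaddress.IPv4Address(dst_ip).packed)
    return ip + udp


def five_tuple(pkt: bytes):
    """NAT lookup key: (src ip, dst ip, src port, dst port, protocol)."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    if proto != IPPROTO_UDP:
        raise ValueError("example handles UDP only")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return (src, dst, sport, dport, proto)


def udp_payload(pkt: bytes) -> bytes:
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[ihl + 8:]


def classify_udp4500(payload: bytes) -> str:
    """Distinguish the three things that share UDP/4500 (RFC 3948 section 2)."""
    if payload == NAT_KEEPALIVE:
        return "keepalive"      # refreshes NAT state; the receiving peer discards it
    if len(payload) >= 4 + IKE_HEADER_LEN and payload[:4] == NON_ESP_MARKER:
        return "ike"            # Non-ESP Marker, then the IKE header
    if len(payload) >= 8 and payload[:4] != NON_ESP_MARKER:
        return "esp"            # ESP header: SPI (zero is reserved, never sent) + sequence number
    return "invalid"


# Constructed packets from the initiator (10.0.0.1) to the responder (203.0.113.5).
# The IKE and ESP bodies are zero-filled placeholders; only the framing matters here.
SRC, DST = "10.0.0.1", "203.0.113.5"
IKE_PKT = ipv4_udp(SRC, DST, 4500, 4500, NON_ESP_MARKER + bytes(IKE_HEADER_LEN))
KEEPALIVE_PKT = ipv4_udp(SRC, DST, 4500, 4500, NAT_KEEPALIVE)
ESP_PKT = ipv4_udp(SRC, DST, 4500, 4500, struct.pack("!II", 0x1001, 1) + bytes(16))


def keepalive_matches_ike_entry(ike_pkt: bytes, keepalive_pkt: bytes) -> bool:
    """The check the NAT device makes: does the keep-alive hit the entry created for IKE?"""
    return five_tuple(keepalive_pkt) == five_tuple(ike_pkt)


if __name__ == "__main__":
    for name, pkt in (("IKE", IKE_PKT), ("keep-alive", KEEPALIVE_PKT), ("ESP", ESP_PKT)):
        print(f"{name:10s} {five_tuple(pkt)} -> {classify_udp4500(udp_payload(pkt))}")
    print("keep-alive refreshes IKE entry:", keepalive_matches_ike_entry(IKE_PKT, KEEPALIVE_PKT))
```

The five-tuple is what a NAPT device keys its translation table on, which is why the keep-alive must reuse the IKE negotiation packet's ports exactly; a keep-alive sent from a different source port would create a second entry rather than refresh the first.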
In this embodiment, after the IPsec initiator establishes the IKE SA with the IPsec responder, it also starts a first aging timer for the IKE SA, and when the first aging timer expires the IPsec initiator deletes the IKE SA; the IKE SA can also be deleted manually. Likewise, after the IPsec responder establishes the IKE SA with the IPsec initiator, it also starts a first aging timer for the IKE SA and deletes the IKE SA when that timer expires. The aging time of the first aging timer is the lifetime negotiated between the IPsec initiator and the IPsec responder.
Step 502: the IPsec initiator uses the IKE SA (the IKE SA established in step 501) to establish an IPsec SA between itself and the IPsec responder.
In this embodiment, after the IPsec initiator uses the IKE SA to establish an IPsec SA with the IPsec responder, it also starts a second aging timer for the IPsec SA, and when the second aging timer expires the IPsec initiator deletes the IPsec SA; the IPsec SA can also be deleted manually. Likewise, after the IPsec responder establishes the IPsec SA with the IPsec initiator, it also starts a second aging timer for the IPsec SA and deletes the IPsec SA when that timer expires. The aging time of the second aging timer is the lifetime negotiated between the IPsec initiator and the IPsec responder.
Step 503: when the IKE SA or an IPsec SA is deleted (by aging or manually), the IPsec initiator determines whether that IKE SA or IPsec SA is the last SA in the SA set; in the initial state, the SA set comprises the IKE SA and all IPsec SAs established using that IKE SA. If so, step 504 is executed; if not, step 505 is executed.
Because the NAT translation entry on the NAT device was created for the IKE negotiation packet, the IKE SA and the IPsec SAs in the SA set all correspond to that NAT translation entry. An IKE SA or IPsec SA corresponding to the NAT translation entry means that they share the same five-tuple (source address, destination address, source port, destination port, protocol type). Specifically, when the IPsec initiator sends an IKE negotiation packet through the NAT device to the IPsec responder to establish the IKE SA, the NAT device creates a NAT translation entry for the IKE negotiation packet, and the IPsec initiator may then use this IKE SA to establish multiple IPsec SAs; every IKE SA and IPsec SA established in this process corresponds to the NAT translation entry.
Step 504: the IPsec initiator deletes the NAT message transmission timer.
Step 505: the IPsec initiator keeps the NAT message transmission timer.
In this embodiment, before the NAT message transmission timer is deleted, the IPsec initiator periodically sends NAT entry keep-alive packets through the NAT device to the IPsec responder; after the NAT message transmission timer is deleted, the IPsec initiator stops sending NAT entry keep-alive packets to the IPsec responder. Thereafter, because no NAT entry keep-alive packets are received, the aging timer of the NAT translation entry on the NAT device expires and the NAT device deletes the entry.
In summary, in this embodiment, in an IPsec-through-NAT environment, when no IKE SA exists but an IPsec SA does, NAT entry keep-alive packets continue to be sent as long as some IKE SA or IPsec SA corresponding to the NAT translation entry exists; only when the last SA (IKE SA or IPsec SA) is deleted is the NAT message transmission timer deleted and the sending of NAT entry keep-alive packets stopped. Traffic sent by the IPsec responder to the IPsec initiator therefore does not fail to match the NAT translation entry on the NAT device, and the flow is not interrupted.
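To see the difference between the prior-art behaviour of the background section (keep-alive sending tied to the IKE SA alone) and steps 501 to 505 (NAT message transmission timer tied to the SA set), the following added simulation, which is not the patent's or H3C's code, models an initiator behind a NAT device on an integer tick clock. The lifetimes (IKE SA 100 ticks, IPsec SA 180, NAT entry aging 60, keep-alive interval 20) and the addresses are constructed for the example; the five-tuple is the NAT entry key as the patent describes it. `run(False)` reproduces the prior art and shows the NAT entry aging out while the IPsec SA is still alive; `run(True)` keeps refreshing the entry until the last SA in the set is gone, after which the entry ages out on its own, exactly as the last paragraph above describes.

```python
"""Constructed simulation of the NAT-entry keep-alive logic in steps 501-505.

An IPsec initiator behind a NAT device holds an IKE SA plus IPsec SAs with
their own lifetimes. The NAT device keeps one translation entry for the IKE
five-tuple with an aging timer; only packets matching that five-tuple refresh it.
Time is an integer tick counter; lifetimes and intervals are in ticks.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FiveTuple = Tuple[str, str, int, int, str]


@dataclass
class NatDevice:
    """NAT translation table: five-tuple -> tick at which the entry expires."""
    aging_time: int
    table: Dict[FiveTuple, int] = field(default_factory=dict)

    def on_packet(self, key: FiveTuple, now: int) -> None:
        # The IKE negotiation creates the entry; any later packet with the same
        # five-tuple (including a keep-alive) restarts its aging timer.
        self.table[key] = now + self.aging_time

    def age(self, now: int) -> None:
        self.table = {k: exp for k, exp in self.table.items() if exp > now}

    def has_entry(self, key: FiveTuple) -> bool:
        return key in self.table


@dataclass
class Initiator:
    """tie_timer_to_sa_set=False: prior art (timer lives only with the IKE SA).
    tie_timer_to_sa_set=True: patent logic (timer lives while any SA in the
    set exists and is deleted only together with the last one)."""
    key: FiveTuple
    nat: NatDevice
    keepalive_interval: int
    tie_timer_to_sa_set: bool
    ike_sa_expiry: Optional[int] = None                            # first aging timer
    ipsec_sa_expiry: Dict[int, int] = field(default_factory=dict)  # SPI -> second aging timer
    next_keepalive: Optional[int] = None                           # NAT message transmission timer
    sent_at: List[int] = field(default_factory=list)

    def establish_ike_sa(self, now: int, lifetime: int) -> None:
        self.nat.on_packet(self.key, now)                    # IKE negotiation through the NAT
        self.ike_sa_expiry = now + lifetime
        self.next_keepalive = now + self.keepalive_interval  # step 501: start the timer

    def establish_ipsec_sa(self, spi: int, now: int, lifetime: int) -> None:
        self.ipsec_sa_expiry[spi] = now + lifetime           # step 502

    def sa_set_size(self) -> int:
        return int(self.ike_sa_expiry is not None) + len(self.ipsec_sa_expiry)

    def on_sa_deleted(self, was_ike: bool) -> None:
        if self.tie_timer_to_sa_set:
            if self.sa_set_size() == 0:                      # step 503: was it the last SA?
                self.next_keepalive = None                   # step 504: delete the timer
            # otherwise step 505: keep the timer
        elif was_ike:
            self.next_keepalive = None                       # prior art: no IKE SA, no keep-alive

    def tick(self, now: int) -> None:
        if self.ike_sa_expiry is not None and now >= self.ike_sa_expiry:
            self.ike_sa_expiry = None
            self.on_sa_deleted(was_ike=True)
        for spi in [s for s, exp in self.ipsec_sa_expiry.items() if now >= exp]:
            del self.ipsec_sa_expiry[spi]
            self.on_sa_deleted(was_ike=False)
        if self.next_keepalive is not None and now >= self.next_keepalive:
            self.nat.on_packet(self.key, now)                # keep-alive hits the same entry
            self.sent_at.append(now)
            self.next_keepalive = now + self.keepalive_interval


def run(tie_timer_to_sa_set: bool, horizon: int = 240) -> dict:
    """IKE SA lifetime 100, IPsec SA lifetime 180, NAT aging 60, keep-alive every 20."""
    key: FiveTuple = ("10.0.0.1", "203.0.113.5", 4500, 4500, "udp")  # constructed addresses
    nat = NatDevice(aging_time=60)
    init = Initiator(key, nat, keepalive_interval=20, tie_timer_to_sa_set=tie_timer_to_sa_set)
    init.establish_ike_sa(now=0, lifetime=100)
    init.establish_ipsec_sa(spi=0x1001, now=0, lifetime=180)
    entry_alive = {}
    for now in range(1, horizon + 1):
        init.tick(now)
        nat.age(now)
        entry_alive[now] = nat.has_entry(key)
    return {
        "keepalives_sent": len(init.sent_at),
        "entry_alive_while_only_ipsec_sa": entry_alive[150],   # IKE SA gone at 100, IPsec SA until 180
        "entry_alive_after_last_sa_aged": entry_alive[horizon],
    }


if __name__ == "__main__":
    print("prior art:", run(tie_timer_to_sa_set=False))
    print("patent   :", run(tie_timer_to_sa_set=True))
```

Manual deletion of an SA goes through the same `on_sa_deleted` path as aging, so the last-SA check is the only place the timer is torn down. In the prior-art run the entry disappears at tick 140, forty ticks after the IKE SA expired, which is the window in which responder-to-initiator traffic would miss the NAT entry.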
Based on the same inventive concept as the above method, an embodiment of the present invention also provides an IPsec initiator device, applied in a network comprising the IPsec initiator, a NAT device and an IPsec responder. As shown in Fig. 6, the IPsec initiator specifically comprises:
an establishing module 11, for establishing an IKE SA between this device and the IPsec responder, and using the IKE SA to establish IPsec SAs between this device and the IPsec responder;
a judging module 12, for determining, when the IKE SA or an IPsec SA is deleted, whether that IKE SA or IPsec SA is the last SA in the SA set; in the initial state, the SA set comprises the IKE SA and all IPsec SAs established using the IKE SA;
a maintenance module 13, for starting a NAT message transmission timer corresponding to the IKE SA when the IKE SA is established, deleting the NAT message transmission timer when the judgment result is yes, and keeping it when the judgment result is no;
a sending module 14, for periodically sending NAT entry keep-alive packets through the NAT device to the IPsec responder before the NAT message transmission timer is deleted.
The IPsec initiator further comprises a processing module 15, for starting a first aging timer for the IKE SA when the IKE SA is established between this device and the IPsec responder and deleting the IKE SA when the first aging timer expires, and for starting a second aging timer for an IPsec SA when that IPsec SA is established between this device and the IPsec responder and deleting the IPsec SA when the second aging timer expires.
The sending module 14 is further for stopping the sending of NAT entry keep-alive packets to the IPsec responder after the NAT message transmission timer is deleted.
The establishing module 11 is specifically for sending an IKE negotiation packet through the NAT device to the IPsec responder, whereupon the NAT device, on receiving the IKE negotiation packet, creates a corresponding NAT translation entry for it and maintains an aging timer for that entry;
and for establishing the IKE SA between this device and the IPsec responder when an IKE negotiation packet is received from the IPsec responder through the NAT device.
In this embodiment, the NAT entry keep-alive packet causes the NAT device that receives it to refresh the aging timer of the NAT translation entry.
The modules of the device of the present invention may be integrated into one unit or deployed separately. The above modules may be merged into a single module or further split into multiple sub-modules.
From the above description of the embodiments, those skilled in the art will clearly understand that the present invention can be implemented by software plus the necessary general-purpose hardware platform, or by hardware alone, though in many cases the former is the better implementation. On that basis, the technical solution of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product stored on a storage medium and comprising instructions that cause a computer device (a personal computer, a server, a network device or the like) to execute the method described in each embodiment of the present invention.
Those skilled in the art will understand that the drawings are schematic diagrams of a preferred embodiment, and that the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and located in one or more devices different from those of this embodiment. The modules of the above embodiment may be merged into a single module or further split into multiple sub-modules.
The numbering of the above embodiments of the present invention is for description only and does not indicate the merits of the embodiments.
The above discloses only several specific embodiments of the present invention; the present invention is not limited to them, and any changes that a person skilled in the art can conceive fall within the protection scope of the present invention.

Claims (10)

1. An IPsec-based NAT entry keep-alive method, applied in a network comprising an IPsec initiator, a NAT device and an IPsec responder, characterized in that the method comprises the following steps:
the IPsec initiator establishes an IKE SA between itself and the IPsec responder, uses the IKE SA to establish an IPsec SA between itself and the IPsec responder, and starts a NAT message transmission timer corresponding to the IKE SA;
when the IKE SA or the IPsec SA is deleted, the IPsec initiator judges whether the IKE SA or the IPsec SA is the last SA in an SA set, wherein, in the initial state, the SA set comprises the IKE SA and all IPsec SAs established using the IKE SA;
if so, the IPsec initiator deletes the NAT message transmission timer;
if not, the IPsec initiator keeps the NAT message transmission timer;
wherein, before the NAT message transmission timer is deleted, the IPsec initiator periodically sends NAT entry keep-alive messages to the IPsec responder through the NAT device.
2. The method of claim 1, characterized in that:
after the IPsec initiator establishes the IKE SA between itself and the IPsec responder, the IPsec initiator starts a first ageing timer for the IKE SA, and after the first ageing timer expires, the IPsec initiator deletes the IKE SA;
after the IPsec initiator uses the IKE SA to establish the IPsec SA between itself and the IPsec responder, the IPsec initiator starts a second ageing timer for the IPsec SA, and after the second ageing timer expires, the IPsec initiator deletes the IPsec SA.
3. The method of claim 1, characterized in that, after the IPsec initiator deletes the NAT message transmission timer, the method further comprises:
the IPsec initiator stops sending NAT entry keep-alive messages to the IPsec responder.
4. The method of claim 1, characterized in that the IPsec initiator establishing the IKE SA between itself and the IPsec responder specifically comprises:
the IPsec initiator sends an IKE negotiation message to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation message, creates a corresponding NAT translation entry for the IKE negotiation message and maintains an ageing timer for the NAT translation entry;
when the IPsec initiator receives an IKE negotiation message from the IPsec responder through the NAT device, it establishes the IKE SA between itself and the IPsec responder.
5. The method of claim 4, characterized in that:
the NAT entry keep-alive message is used to make the NAT device that receives the NAT entry keep-alive message refresh the ageing timer of the NAT translation entry.
6. An IPsec initiator device, applied in a network comprising the IPsec initiator, a NAT device and an IPsec responder, characterized in that the IPsec initiator specifically comprises:
an establishing module, for establishing an IKE SA between this device and the IPsec responder, and for using the IKE SA to establish an IPsec SA between this device and the IPsec responder;
a judging module, for judging, when the IKE SA or the IPsec SA is deleted, whether the IKE SA or the IPsec SA is the last SA in an SA set, wherein, in the initial state, the SA set comprises the IKE SA and all IPsec SAs established using the IKE SA;
a maintenance module, for starting a NAT message transmission timer corresponding to the IKE SA when the IKE SA is established, for deleting the NAT message transmission timer when the judgment result is yes, and for keeping the NAT message transmission timer when the judgment result is no;
a sending module, for periodically sending NAT entry keep-alive messages to the IPsec responder through the NAT device before the NAT message transmission timer is deleted.
7. The device of claim 6, characterized in that it further comprises:
a processing module, for starting a first ageing timer for the IKE SA when the IKE SA between this device and the IPsec responder is established, and deleting the IKE SA after the first ageing timer expires; and for starting a second ageing timer for the IPsec SA when the IPsec SA between this device and the IPsec responder is established, and deleting the IPsec SA after the second ageing timer expires.
8. The device of claim 6, characterized in that:
the sending module is further used to stop sending NAT entry keep-alive messages to the IPsec responder after the NAT message transmission timer is deleted.
9. The device of claim 6, characterized in that:
the establishing module is specifically used to send an IKE negotiation message to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation message, creates a corresponding NAT translation entry for the IKE negotiation message and maintains an ageing timer for the NAT translation entry;
and to establish the IKE SA between this device and the IPsec responder when an IKE negotiation message is received from the IPsec responder through the NAT device.
10. The device of claim 9, characterized in that:
the NAT entry keep-alive message is used to make the NAT device that receives the NAT entry keep-alive message refresh the ageing timer of the NAT translation entry.
CN201310086924.3A 2013-03-18 2013-03-18 A kind of NAT table item keepalive method based on IPsec and equipment Active CN103179225B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310086924.3A CN103179225B (en) 2013-03-18 2013-03-18 A kind of NAT table item keepalive method based on IPsec and equipment

Publications (2)

Publication Number Publication Date
CN103179225A true CN103179225A (en) 2013-06-26
CN103179225B CN103179225B (en) 2016-12-28

Country Status (1)

Country Link
CN (1) CN103179225B (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: 310052 Binjiang District Changhe Road, Zhejiang, China, No. 466, No.

Patentee after: Xinhua three Technology Co., Ltd.

Address before: 310053 Hangzhou hi tech Industrial Development Zone, Zhejiang province science and Technology Industrial Park, No. 310 and No. six road, HUAWEI, Hangzhou production base

Patentee before: Huasan Communication Technology Co., Ltd.