CN103188356B - Method for achieving NAT traversal by mapping IPsec packets at the external network - Google Patents

Info

Publication number: CN103188356B
Authority: CN (China)
Prior art keywords: message, address, outer net, ipsec, nat
Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Application number: CN201310117516.XA
Other languages: Chinese (zh)
Other versions: CN103188356A (en)
Inventor: 陈海滨
Current assignee: Opzoon Technology Co Ltd
Original assignee: Opzoon Technology Co Ltd
Priority date: 2013-04-07
Filing date: 2013-04-07
Publication date: 2016-07-13

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention provides a method for achieving NAT traversal by mapping IPsec packets at the external network. The method includes: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it to obtain a translated packet; the external-network device receives the translated packet, restores the IP address in the translated packet according to an address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet. The invention thereby achieves NAT traversal for packets fully authenticated by an IPsec tunnel.

Description

Method for achieving NAT traversal by mapping IPsec packets at the external network
Technical field
The invention relates to the field of Internet technology, and in particular to a method for achieving NAT traversal by mapping IPsec packets at the external network.
Background art
The NAT (network address translation) function mainly translates the original internal-network IP address of a packet into a public-network IP address so that the packet can be forwarded on the public network. An IPsec tunnel can process a data packet in three ways: encrypting the packet, authenticating the packet, and adding a new IP header to the packet and authenticating the result. The formats are as follows:
| mac header | new IP header | IPsec encryption/authentication header | IP header | data |
In the above packet, the "| IP header | data |" part can be encrypted or authenticated.
| mac header | new IP header | IPsec full authentication header | IP header | data |
In the above packet, the whole "| new IP header | IPsec full authentication header | IP header | data |" part is authenticated.
Authenticating and encrypting a packet serve different purposes, and the three kinds of processing above can be combined freely: an IPsec tunnel may only encrypt a packet, only partially authenticate it, or fully authenticate it, and it may also both encrypt and authenticate it. An encrypted packet, or one that is only partially authenticated, can traverse NAT, but a fully authenticated packet cannot. NAT traversal requires replacing the original IP address in the "| new IP header |"; because the IPsec tunnel has authenticated the whole packet, including the "| new IP header |", a NAT translation changes the source or destination address, so the integrity check fails when the packet reaches its destination: the IPsec tunnel endpoint receiving the packet cannot authenticate it, and NAT traversal is impossible.
Summary of the invention
(1) Technical problem to be solved
The invention provides a method for achieving NAT traversal by mapping IPsec packets at the external network, and thereby solves the problem that packets fully authenticated by an IPsec tunnel cannot traverse NAT.
(2) Technical scheme
The invention provides a method for achieving NAT traversal by mapping IPsec packets at the external network, and the method includes:
S1: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it to obtain a translated packet;
S2: the external-network device receives the translated packet, restores the IP address in the translated packet according to the address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet.
During the IPsec tunnel negotiation, the internal-network device sends its original IP address to the external-network device in an IKE message, and the external-network device creates the address mapping table by comparing the original IP address with the IP header of the translated packet.
The NAT device is a firewall with a NAT translation function, and the external-network device is a firewall with an IPsec function.
The address mapping table contains the translated IP address and the original IP address mapped to it.
(3) Beneficial effect
In IPsec tunnel mode, by building an address mapping table at the external network, the invention lets the external-network device restore a packet whose address has been translated by a NAT device, thereby achieving NAT traversal.
Brief description of the drawings
Fig. 1 is a block diagram of the method of the invention.
Detailed description of the invention
The invention is described in further detail below with reference to the drawings and specific embodiments.
The invention provides a method for achieving NAT traversal by mapping IPsec packets at the external network. As shown in Fig. 1, the method includes:
S1: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it to obtain a translated packet.
An internal-network client sends a packet to an external-network terminal over an IPsec tunnel, so an IPsec tunnel must first be negotiated between the internal and external security gateways. The NAT device receives the fully authenticated encapsulated packet, performs NAT address translation on it to obtain the translated packet, and sends the translated packet to the external network.
S2: the external-network device receives the translated packet, restores the IP address in the translated packet according to the address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet.
When the external-network device receives the translated packet and authenticates it, it looks up the address mapping table created during IPsec tunnel establishment, restores the IP address in the packet, and then performs the authentication check.
During the IPsec tunnel negotiation, the internal-network device sends its original IP address to the external-network device in an IKE message; the address is carried to the external-network device as data in the IKE exchange. The external-network device compares the original IP address with the IP header of the translated packet, finds that the original IP address has been changed by the NAT device, and at that point creates the address mapping table.
Specific implementation: the devices shown in Table 1 are used.
Table 1
Device  Role
Pca     internal-network client
Fwa     internal-network firewall with IPsec function
Fwb     firewall with NAT translation function
Fwc     external-network firewall with IPsec function
Pcb     external-network access terminal
Step 1: the internal-network client sends a packet to the external-network access terminal in the format | mac header | IP header (src 1.1.1.1, dst 3.3.3.2) | data |. The packet must pass through Fwa, Fwb and Fwc to reach Pcb and is carried in IPsec tunnel mode: Fwa and Fwc negotiate an IPsec tunnel across the intermediate device Fwb. For Fwa, the IPsec tunnel source address is 2.2.2.1 and the destination address is 202.1.1.2; for Fwc, the IPsec tunnel source address is 202.1.1.2 and the destination address is 202.1.1.1.
After Fwa receives the packet from Pca addressed to Pcb, it fully authenticates the packet and prepends a new IP header, placing the authentication information in the "IPsec full authentication header". The resulting encapsulated packet has the following format:
| mac header | new IP header (src 2.2.2.1, dst 202.1.1.2) | IPsec full authentication header | IP header (src 1.1.1.1, dst 3.3.3.2) | data |
Step 2: the NAT firewall Fwb receives the encapsulated packet, performs NAT address translation on it to obtain the translated packet, and sends the translated packet to Fwc. The translated packet has the following structure:
| mac header | new IP header (src 202.1.1.1, dst 202.1.1.2) | IPsec full authentication header | IP header (src 1.1.1.1, dst 3.3.3.2) | data |
Step 3: Fwc receives the translated packet. When authenticating it, Fwc looks up the address mapping table created during IPsec tunnel negotiation, restores the IP address in the packet, and then performs the authentication check. The restored packet has the following format:
| mac header | new IP header (src 2.2.2.1, dst 202.1.1.2) | IPsec full authentication header | IP header (src 1.1.1.1, dst 3.3.3.2) | data |
The packet now being authenticated is identical to the packet that Fwa authenticated, so the authentication succeeds, the whole IPsec tunnel processes the packet successfully, and NAT traversal is achieved.
Establishment of the address mapping table:
During IPsec tunnel negotiation, Fwa, acting as the internal-network device, sends its original IP addresses (2.2.2.1, 202.1.1.2) to Fwc in an IKE (Internet Key Exchange) message, namely in an oa payload (original address payload); this content is carried to Fwc as data in the IKE exchange. Fwc compares the original IP information in this data with the IP information in the IP header of the translated packet, discovers that the original IP address has been translated by the NAT device, and then builds the address mapping table, recording the translated IP address 202.1.1.1 and the mapped original IP address 2.2.2.1.
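The following Python models the three steps above, and the background problem they solve, with a toy "full authentication" ICV: an HMAC over every field of the encapsulated packet, including the new IP header. It is an added illustration, not code from the patent; the addresses are the patent's example values, while the key, the Packet type and the function names are constructed for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

# Constructed tunnel key for the example (not a value from the patent).
TUNNEL_KEY = b"constructed-demo-key"

@dataclass(frozen=True)
class Packet:
    outer_src: str    # "new IP header" source
    outer_dst: str    # "new IP header" destination
    inner_src: str    # original IP header source
    inner_dst: str    # original IP header destination
    data: bytes
    icv: bytes = b""  # integrity check value in the "full authentication header"

def covered_bytes(p: Packet) -> bytes:
    # Full authentication covers the new IP header as well as the inner packet;
    # this is exactly why a NAT rewrite of outer_src invalidates the ICV.
    fields = [p.outer_src, p.outer_dst, p.inner_src, p.inner_dst]
    return "|".join(fields).encode() + b"|" + p.data

def fwa_encapsulate(inner_src, inner_dst, data, tunnel_src, tunnel_dst) -> Packet:
    # Step 1 (Fwa): prepend the new IP header and compute the ICV over everything.
    p = Packet(tunnel_src, tunnel_dst, inner_src, inner_dst, data)
    return replace(p, icv=hmac.new(TUNNEL_KEY, covered_bytes(p), hashlib.sha256).digest())

def fwb_nat(p: Packet, translated_src: str) -> Packet:
    # Step 2 (Fwb): NAT rewrites only the outer source address; the ICV is untouched.
    return replace(p, outer_src=translated_src)

def build_mapping_table(ike_original_src: str, converted: Packet) -> dict:
    # Fwc compares the original address carried in the IKE "oa payload" with the
    # outer header it actually received; a mismatch means NAT happened, so map it.
    if converted.outer_src != ike_original_src:
        return {converted.outer_src: ike_original_src}
    return {}

def fwc_verify(p: Packet, mapping: dict) -> bool:
    # Step 3 (Fwc): restore the outer source from the mapping table, then verify.
    restored = replace(p, outer_src=mapping.get(p.outer_src, p.outer_src))
    expected = hmac.new(TUNNEL_KEY, covered_bytes(restored), hashlib.sha256).digest()
    return hmac.compare_digest(expected, p.icv)

def run_example():
    # Addresses follow the patent's worked example (Pca 1.1.1.1 -> Pcb 3.3.3.2).
    encapsulated = fwa_encapsulate("1.1.1.1", "3.3.3.2", b"data", "2.2.2.1", "202.1.1.2")
    converted = fwb_nat(encapsulated, "202.1.1.1")
    without_table = fwc_verify(converted, {})           # background case: plain NAT fails
    table = build_mapping_table("2.2.2.1", converted)   # {"202.1.1.1": "2.2.2.1"}
    with_table = fwc_verify(converted, table)           # restored packet verifies
    return without_table, with_table, table

if __name__ == "__main__":
    print(run_example())  # (False, True, {'202.1.1.1': '2.2.2.1'})
```

A real AH implementation zeroes the mutable outer-header fields (TTL, header checksum) before computing the ICV, which this toy ICV omits; the property it keeps is that the outer addresses are covered, so they must be restored before verification.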
The invention solves the NAT traversal problem from the standpoint of the external network: the negotiation process is governed by the existing protocol and obtains the original IP address, so the mapping table is built automatically.
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art can make improvements and substitutions without departing from the technical principle of the invention, and such improvements and substitutions should also be regarded as within the scope of protection of the invention.

Claims (3)

1. A method for achieving NAT traversal by mapping IPsec packets at the external network, characterised in that the method includes:
S1: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it to obtain a translated packet;
S2: the external-network device receives the translated packet, restores the IP address in the translated packet according to the address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet;
wherein, during the IPsec tunnel negotiation, the internal-network device sends its original IP address to the external-network device in an IKE message, the original IP address is carried to the external-network device as data in the IKE exchange, and the external-network device creates the address mapping table by comparing the original IP address with the IP header of the translated packet.
2. The method of claim 1, characterised in that the NAT device is a firewall with a NAT translation function and the external-network device is a firewall with an IPsec function.
3. The method of claim 1, characterised in that the address mapping table contains the translated IP address and the original IP address mapped to it.
Application CN201310117516.XA, priority date 2013-04-07, filing date 2013-04-07; granted as CN103188356B (en), legal status Expired - Fee Related.

Publications (2)

Publication number   Publication date
CN103188356A (en)    2013-07-03
CN103188356B (en)    2016-07-13

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103369065B (en) * 2013-07-05 2017-08-22 新华三技术有限公司 A kind of message forwarding method and equipment
CN104980405A (en) * 2014-04-10 2015-10-14 中兴通讯股份有限公司 Method and device for performing authentication header (AH) authentication on NAT (Network Address Translation)-traversal IPSEC (Internet Protocol Security) message
CN108769292B (en) * 2018-06-29 2021-04-13 北京百悟科技有限公司 Message data processing method and device
CN111147382B (en) * 2019-12-31 2021-09-21 杭州迪普科技股份有限公司 Message forwarding method and device

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1697452A (en) * 2005-06-17 2005-11-16 中兴通讯股份有限公司 Method for protecting access security of IP multimedia subsystem based on IPSec passing through NAT
US7159242B2 (en) * 2002-05-09 2007-01-02 International Business Machines Corporation Secure IPsec tunnels with a background system accessible via a gateway implementing NAT
CN101582856A (en) * 2009-06-29 2009-11-18 杭州华三通信技术有限公司 Session setup method of Portal server and BAS (broadband access server) device and system thereof
CN102202108A (en) * 2011-06-15 2011-09-28 中兴通讯股份有限公司 Method, device and system for realizing NAT (network address translation) traverse of IPSEC (Internet protocol security) in AH (authentication header) mode

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20160713

Termination date: 20180407