CN104283757A - IPsec based VPN quick-connection method - Google Patents
Publication number: CN104283757A (application CN201310283803.8A)
Authority: CN (China)
Legal status: Granted
Abstract
The invention provides an IPsec-based VPN quick-connection method. Excessive negotiation during IPsec VPN connection setup is avoided by establishing a one-to-one correspondence between the parameters that IPsec would otherwise have to negotiate and a set of masks. When the IPsec VPN connection is established, the choice of parameters is conveyed by means of a CRC and a mask, so that the two communicating parties can communicate securely without a negotiation. Because the IPsec negotiation information to be used is fixed in advance and only an indication of which set is in use is transmitted, in a secure manner, the complicated and excessive negotiation of the IPsec VPN connection process is avoided, the whole communication takes place in a secure environment, unnecessary signalling is reduced, efficiency is improved, and a better user experience is obtained.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a VPN connection method.
Background technology
The development of information technology and the wide use of the Internet have brought great convenience to people's lives and work, but they have also made people constantly worry about the security of communication data on the Internet, which is built on the open TCP/IP protocol platform, and about the security of computer system operation. Several secure communication technologies are currently applied to data transmission on the Internet. Among them, the Internet Protocol Security (IPsec) protocol suite, which operates at the network layer, is completely transparent to the application layer. It is therefore well suited to building a general secure network communication environment for all kinds of network applications within existing TCP/IP networks, by adding an IPsec security module without modifying the configuration of application systems or software.
With the development of networks, and of the network economy in particular, enterprises are expanding, their customers are becoming more widely distributed and their partners more numerous. This has increased the benefits enterprises enjoy, but it has also highlighted the functional shortcomings of the traditional enterprise network: a traditional enterprise network based on leased-line access at fixed physical locations has difficulty meeting the higher demands that modern enterprises place on their own networks, chiefly in flexibility, security, economy and scalability. In this context, VPN, with its distinctive advantages, has won the favour of more and more enterprises, allowing them to pay less attention to network operation and maintenance and to devote more effort to their business goals.
A Virtual Private Network (VPN) is a technology that combines networking technology, access control technology and encryption technology, together with a user management mechanism, to set up a secure "private" network within the public network, so that data is transmitted safely through an "encrypted tunnel". The interconnection is realised through tunnels (TUNNEL) or virtual circuits (VIRTUAL CIRCUIT); it supports user security management, network monitoring and fault diagnosis, and offers the advantages of economy, flexible choice, high speed, good security and protection of investment.
In the prior art, the IPsec protocol is supported by extending the IP layer. It comprises the Authentication Header (AH), the Encapsulating Security Payload (ESP) and the Internet Key Exchange (IKE) protocol. When a security policy is created, it is managed and maintained by the security policy process, which activates the IKE process to negotiate a Security Association (SA) with the peer VPN gateway. When data is sent, the output process encapsulates it with the protocol specified by the SA, encrypts it with the specified algorithm and generates authentication data; when data is received, the input process decapsulates it according to the protocol specified by the SA, then decrypts and verifies it.
It can be seen that in the prior art a great deal of information must be negotiated between the communicating parties to set up an IPsec connection. Negotiating this information undoubtedly increases the time needed to connect, and if a network transmission error occurs it can cause an unexplained connection failure, which impairs quality and degrades the user experience.
Summary of the invention
The invention provides an IPsec-based VPN quick-connection method, characterized in that it comprises the following steps:
Step 202: before a VPN connection is initiated, the communicating parties specify n groups of IPsec IKE and SA parameters to be used in the next communication and assign a corresponding mask to each group of IKE and SA parameters; the nodes of both parties store the n groups of IKE and SA parameters together with their corresponding masks;
Step 204: the session initiator selects any one of the groups of IPsec IKE and SA parameters, and records the selected IKE and SA parameters and their corresponding mask;
Step 206: the data to be transmitted is encapsulated with the IPsec protocol using the recorded IKE and SA parameters, yielding an outgoing packet;
Step 208: a CRC is computed over the data of the outgoing packet other than the IP header, yielding a CRC code;
Step 210: the CRC code is scrambled using the recorded mask;
Step 212: the part of the outgoing packet after the IP header, together with the scrambled CRC code, is taken as the user data payload; a corresponding IP header is prepended and the packet is sent, where the corresponding IP header carries the source and destination address information of the outgoing packet;
Step 214: in subsequent data transmission, data is processed with the recorded IPsec IKE and SA parameters and mask before being sent.
The invention also provides an IPsec-based VPN quick-connection method, characterized in that it comprises the following steps:
Step 202: before a VPN connection is initiated, the communicating parties specify n groups of IPsec IKE and SA parameters to be used in the next communication and assign a corresponding mask to each group of IKE and SA parameters; the nodes of both parties store the n groups of IKE and SA parameters together with their corresponding masks;
Step 204: an IP packet is received and the payload in the packet is obtained;
Step 206: a CRC check is performed on the payload, yielding a verification CRC code; each stored mask is used in turn to descramble the CRC code carried in the received payload, yielding a descrambled CRC code; the verification CRC code is compared with the descrambled CRC codes to find which one agrees with it;
Step 208: if a match is found, that mask is recorded, and the corresponding IPsec IKE and SA parameters are looked up from the stored correspondence using the matching mask and recorded;
Step 210: in the subsequent communication, the received packets are CRC-checked, descrambled and IPsec-decapsulated according to the recorded IPsec IKE and SA parameters and mask, and the session is completed.
In the present invention, by determining the IPsec negotiation information to be used in advance and conveying the choice of that information in a secure manner, the complicated and excessive negotiation process of IPsec VPN connection setup is avoided; not only does the whole communication take place in a secure environment, but unnecessary signalling is reduced, efficiency is improved and a better user experience is obtained.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is the flow chart of embodiment one of the present invention.
Fig. 2 is the flow chart of embodiment two of the present invention.
Embodiments
To make the object, technical solution and advantages of the present invention clearer, the present invention is described in further detail below by way of specific embodiments and the accompanying drawings.
Embodiment one
Embodiment one of the present invention provides an IPsec-based VPN quick-connection method, characterized in that it comprises the following steps:
Step 202: before a VPN connection is initiated, the communicating parties specify n groups of IPsec IKE and SA parameters to be used in the next communication and assign a corresponding mask to each group of IKE and SA parameters; the nodes of both parties store the n groups of IKE and SA parameters together with their corresponding masks;
Step 204: the session initiator selects any one of the groups of IPsec IKE and SA parameters, and records the selected IKE and SA parameters and their corresponding mask;
Step 206: the data to be transmitted is encapsulated with the IPsec protocol using the recorded IKE and SA parameters, yielding an outgoing packet;
Step 208: a CRC is computed over the data of the outgoing packet other than the IP header, yielding a CRC code;
Step 210: the CRC code is scrambled using the recorded mask;
Step 212: the part of the outgoing packet after the IP header, together with the scrambled CRC code, is taken as the user data payload; a corresponding IP header is prepended and the packet is sent, where the corresponding IP header carries the source and destination address information of the outgoing packet;
Step 214: in subsequent data transmission, data is processed with the recorded IPsec IKE and SA parameters and mask before being sent.
Embodiment two
Embodiment two of the present invention also provides an IPsec-based VPN quick-connection method, characterized in that it comprises the following steps:
Step 202: before a VPN connection is initiated, the communicating parties specify n groups of IPsec IKE and SA parameters to be used in the next communication and assign a corresponding mask to each group of IKE and SA parameters; the nodes of both parties store the n groups of IKE and SA parameters together with their corresponding masks;
Step 204: an IP packet is received and the payload in the packet is obtained;
Step 206: a CRC check is performed on the payload, yielding a verification CRC code; each stored mask is used in turn to descramble the CRC code carried in the received payload, yielding a descrambled CRC code; the verification CRC code is compared with the descrambled CRC codes to find which one agrees with it;
Step 208: if a match is found, that mask is recorded, and the corresponding IPsec IKE and SA parameters are looked up from the stored correspondence using the matching mask and recorded;
Step 210: in the subsequent communication, the received packets are CRC-checked, descrambled and IPsec-decapsulated according to the recorded IPsec IKE and SA parameters and mask, and the session is completed.
Embodiment three
In embodiment one, before the session ends, n groups of IPsec IKE and SA parameters for the next session and their corresponding masks are generated and stored as the communication parameters for the next IPsec VPN connection session, and these n groups of information are sent to the session recipient.
Embodiment four
In embodiment two, before the session ends, the n groups of IPsec IKE and SA parameters and their corresponding masks sent by the sender are received and stored as the communication parameters for the next IPsec VPN connection session.
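The sender and receiver sides described in the summary and in embodiments one to four, as an added simulation that is not part of the patent: the pre-agreed table of n groups with their masks (step 202), the sender's CRC-and-scramble step (steps 206 to 212) and the receiver's mask search (steps 204 to 208). The patent does not fix a CRC width, a mask width or a scrambling operation; CRC-32, a 32-bit mask and XOR scrambling are assumptions here, and the `SaGroup` record and the ESP stand-in are constructed placeholders.

```python
import struct
import zlib
from dataclasses import dataclass


# Constructed stand-in for one pre-agreed group of IPsec IKE/SA parameters.
@dataclass(frozen=True)
class SaGroup:
    spi: int      # Security Parameter Index of the pre-agreed SA
    cipher: str   # cipher name, illustrative only
    key: bytes    # constructed sample key


MASK_LEN = 4  # assumption: the mask is 32 bits and is XORed with a CRC-32
IP_HEADER_LEN = 20
IP_HEADER = b"\x45" + b"\x00" * 19  # constructed 20-byte IPv4 header stand-in


def build_table(groups, masks):
    """Step 202: both nodes store the n groups with their masks.
    Masks must be distinct; with XOR scrambling, two equal masks would make
    the receiver's search in step 208 unable to tell the groups apart."""
    if len(set(masks)) != len(masks):
        raise ValueError("each group needs a unique mask")
    return dict(zip(masks, groups))


def scramble(crc, mask):
    # Assumption: scrambling is XOR, so descrambling is the same operation.
    return (crc ^ mask) & 0xFFFFFFFF


def encapsulate_esp(group, plaintext):
    # Stand-in for ESP encapsulation: SPI header plus a toy keystream-XOR body.
    body = bytes(b ^ group.key[i % len(group.key)] for i, b in enumerate(plaintext))
    return struct.pack("!I", group.spi) + body


def sender_build_packet(group, mask, plaintext, ip_header=IP_HEADER):
    """Steps 206-212: encapsulate, CRC everything after the IP header,
    scramble the CRC with the chosen mask and append it to the payload."""
    esp = encapsulate_esp(group, plaintext)
    crc = zlib.crc32(esp) & 0xFFFFFFFF
    return ip_header + esp + struct.pack("!I", scramble(crc, mask))


def receiver_identify(packet, table, ip_header_len=IP_HEADER_LEN):
    """Steps 204-208: split the payload, recompute the CRC, descramble the
    carried CRC with every stored mask and return (mask, group) on a match."""
    payload = packet[ip_header_len:]
    if len(payload) <= MASK_LEN:
        return None
    body, tail = payload[:-MASK_LEN], payload[-MASK_LEN:]
    crc = zlib.crc32(body) & 0xFFFFFFFF
    carried = struct.unpack("!I", tail)[0]
    for mask, group in table.items():
        if scramble(carried, mask) == crc:
            return mask, group
    return None  # no mask fits: corrupted packet, or sent with an unknown group


if __name__ == "__main__":
    groups = [SaGroup(0x1001, "aes-cbc", b"k1"), SaGroup(0x1002, "aes-cbc", b"k2")]
    table = build_table(groups, [0xA5A5A5A5, 0x5A5A5A5A])
    pkt = sender_build_packet(groups[1], 0x5A5A5A5A, b"hello")
    print(receiver_identify(pkt, table))
```

The scrambled CRC only tells the receiver which pre-agreed group the sender picked; it is not a message authentication code, so integrity and peer authentication still rest on the AH/ESP processing of the selected SA.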
Those of ordinary skill in the art will appreciate that all or part of the flow of the methods in the above embodiments can be carried out by a host program instructing the relevant hardware. The program can be stored in a host-readable storage medium and, when executed, can include the flows of the embodiments of the methods described above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM), or the like.
The preferred embodiments listed above further describe the object, technical solutions and advantages of the present invention. It should be understood that the foregoing are only preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present invention shall be included within its scope of protection.
Claims (4)
1. An IPsec-based VPN quick-connection method, characterized in that it comprises the following steps:
Step 202: before a VPN connection is initiated, the communicating parties specify n groups of IPsec IKE and SA parameters to be used in the next communication and assign a corresponding mask to each group of IKE and SA parameters; the nodes of both parties store the n groups of IKE and SA parameters together with their corresponding masks;
Step 204: the session initiator selects any one of the groups of IPsec IKE and SA parameters, and records the selected IKE and SA parameters and their corresponding mask;
Step 206: the data to be transmitted is encapsulated with the IPsec protocol using the recorded IKE and SA parameters, yielding a packet;
Step 208: a CRC is computed over the data of the outgoing packet other than the IP header, yielding a CRC code;
Step 210: the CRC code is scrambled using the recorded mask;
Step 212: the part of the outgoing packet after the IP header, together with the scrambled CRC code, is taken as the user data payload; a corresponding IP header is prepended and the packet is sent, where the corresponding IP header carries the source and destination address information of the outgoing packet;
Step 214: in subsequent data transmission, data is processed with the recorded IPsec IKE and SA parameters and mask before being sent.
2. The method according to claim 1, characterized in that before the session ends, n groups of IPsec IKE and SA parameters for the next session and their corresponding masks are generated and stored as the communication parameters for the next IPsec VPN connection session, and these n groups of information are sent to the session recipient.
3. An IPsec-based VPN quick-connection method, characterized in that it comprises the following steps:
Step 202: before a VPN connection is initiated, the communicating parties specify n groups of IPsec IKE and SA parameters to be used in the next communication and assign a corresponding mask to each group of IKE and SA parameters; the nodes of both parties store the n groups of IKE and SA parameters together with their corresponding masks;
Step 204: an IP packet is received and the payload in the packet is obtained;
Step 206: a CRC check is performed on the payload, yielding a verification CRC code; each stored mask is used in turn to descramble the CRC code carried in the received payload, yielding a descrambled CRC code; the verification CRC code is compared with the descrambled CRC codes to find which one agrees with it;
Step 208: if a match is found, that mask is recorded, and the corresponding IPsec IKE and SA parameters are looked up from the stored correspondence using the matching mask and recorded;
Step 210: in the subsequent communication, the received packets are CRC-checked, descrambled and IPsec-decapsulated according to the recorded IPsec IKE and SA parameters and mask, and the session is completed.
4. The method according to claim 3, characterized in that before the session ends, the n groups of IPsec IKE and SA parameters and their corresponding masks sent by the sender are received and stored as the communication parameters for the next IPsec VPN connection session.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310283803.8A CN104283757B (en) | 2013-07-08 | 2013-07-08 | A kind of VPN quick connecting methods based on IPsec |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104283757A true CN104283757A (en) | 2015-01-14 |
CN104283757B CN104283757B (en) | 2017-10-20 |
Family
ID=52258259
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310283803.8A Active CN104283757B (en) | 2013-07-08 | 2013-07-08 | A kind of VPN quick connecting methods based on IPsec |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104283757B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1588844A (en) * | 2004-09-30 | 2005-03-02 | 西安西电捷通无线网络通信有限公司 | Method for realizing movable node and basic field managing entity key consultation |
US20110113236A1 (en) * | 2009-11-02 | 2011-05-12 | Sylvain Chenard | Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism |
CN102868686A (en) * | 2012-08-31 | 2013-01-09 | 广东电网公司电力科学研究院 | Method for enhancing data encryption based on ESP (encapsulating security payload) encapsulation |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2016134664A1 (en) * | 2015-02-27 | 2016-09-01 | Huawei Technologies Co., Ltd. | Packet obfuscation and packet forwarding |
US9923874B2 (en) | 2015-02-27 | 2018-03-20 | Huawei Technologies Co., Ltd. | Packet obfuscation and packet forwarding |
Legal Events
Date | Code | Title | Description
---|---|---|---
| C06 | Publication |
| PB01 | Publication |
| C10 | Entry into substantive examination |
| SE01 | Entry into force of request for substantive examination |
| CB02 | Change of applicant information | Address after: 100094, Zhongguancun Software Park Phase II, Building 15, Zhongxing Building, third floor, Haidian District, Beijing. Applicant after: BEIJING SAPLING TECHNOLOGY CO., LTD. Address before: 100084, B-604, Building 2, No. 1 Nongda South Road, Haidian District, Beijing. Applicant before: BEIJING SAPLING TECHNOLOGY CO., LTD.
| GR01 | Patent grant |