CN100417078C - Method for realizing local virtual private network based on firewall - Google Patents

Method for realizing local virtual private network based on firewall

Info

Publication number
CN100417078C
Authority
CN (China)
Prior art keywords
vpn
id
firewall
virtual private
table
Application number
CN 200410038976
Other languages
Chinese (zh)
Other versions
CN1697396A (en)
Inventor
鹰 熊
Original Assignee
华为技术有限公司
Priority date
2004-05-10
Filing date
2004-05-10
Publication date
2005-11-16 (CN1697396A), 2008-09-03 (CN100417078C)
Events
Application filed by 华为技术有限公司
Priority to CN 200410038976
Publication of CN1697396A
Application granted
Publication of CN100417078C

Abstract

The invention proposes a method for partitioning local virtual private network (VPN) zones on a firewall. It comprises the following steps: step one, configure a VPN attribute value, the VPN-ID, in the firewall's interface attribute table; step two, add a VPN-ID field to the lookup key of the routing table, so that VPN-ID plus destination IP becomes the lookup key; step three, add the VPN-ID to the lookup key of the security policy table as well. The invention partitions local VPN zones on a firewall device or, viewed from another angle, lets several security entities share one firewall's resources; at the same time it provides access control between the VPN security entities and between the security zones inside each entity, giving a convenient and practical solution for local VPN applications.

Description

Technical field

The invention relates to a method for implementing a virtual private network, and in particular to a method, based on firewall technology, for building secure, mutually isolated local virtual private networks.

Background

Virtual private networks (VPNs) are more and more widely used because they are flexible, inexpensive and secure. Briefly, a VPN uses an open public network to set up dedicated data channels that connect remote branches, business partners and so on into a logical closed user group. A VPN generally has some geographic span. Several schemes exist for building such a VPN, for example point-to-point schemes based on the customer's CPE equipment and VPN services offered by an ISP. Among the prior art, MPLS VPN is one operator-provided VPN solution. It suits large-scale operator deployment but needs the cooperation of many operator devices; it is a complex solution that requires a whole set of MPLS label and routing protocols and equipment that supports MPLS labels. For local VPN isolation and security protection inside something like a single building, it is therefore unsuitable for reasons of cost and management, and it cannot provide the security-zone functions of a firewall.

Current firewall devices generally assume that a single company uses them: the zone with the highest security level may freely access any zone of lower level. When several companies share one local firewall, each company needs its own private security zones and access between the zones of different companies must be forbidden, so current firewalls cannot be applied to this case. Situations that need a VPN locally are common, for example the building with several companies mentioned above, or a single company (behind one firewall) whose departments must be kept confidential from one another; and such sites generally already have a firewall. If VPN partitioning can be implemented on the firewall, local VPN isolation and protection are obtained together with the firewall's protection toward the outside, no new equipment is added, and management becomes easier.

Summary of the invention

The technical problem the invention solves is to propose a method for implementing a local virtual private network on a firewall. The method adds a layer of local VPN isolation to the firewall's security and makes the protection mechanism of a local virtual private network more flexible.
The method for partitioning local VPN zones on a firewall according to the invention comprises the following steps: step one, configure the VPN attribute value, the VPN-ID, in the firewall's interface attribute table; step two, add a VPN-ID field to the lookup key of the routing table, so that VPN-ID plus destination IP is the lookup key; step three, add the VPN-ID to the lookup key of the security policy table as well. Between step one and step two the method may further include: if the firewall provides dedicated servers or supports NAT, add the VPN-ID field and the destination IP address to the lookup key of the server table. After step three it may further include: if the firewall supports NAT, add a VPN-ID field to the lookup key of the NAT translation table. The invention partitions local VPN zones on a firewall device or, viewed from another angle, lets several security entities share one firewall's resources; at the same time it provides access control between the VPN security entities and between the security zones inside each entity, giving a convenient and practical solution for local VPN applications.

Brief description of the drawings

Figure 1 is a schematic of a firewall-based local VPN network according to the invention; Figure 2 is a schematic of how the firewall tables are set up in the method; Figure 3 is a schematic of the structure of the firewall tables; Figure 4 is a flowchart of packet processing for a local VPN.

Detailed description

In the invention the concept of a local VPN differs from the usual VPN. It is formed by several company or site entities that are all local and all connected to one common firewall device. These entities are logically isolated from one another and form separate VPN domains: they cannot access each other directly, and they may use overlapping IP addresses. The VPN of the invention has only local significance; whether these VPNs, after crossing the firewall, establish VPN relationships with other remote network entities is a separate matter. A typical local VPN application is shown in Figure 1: the property management of a building provides one firewall; each company in the building connects to one or more firewall interfaces and the companies form separate VPNs; the firewall interfaces belonging to one company can further be configured into different security zones, giving security control inside the company; the building provides a single Internet exit, and dedicated servers offer value-added services such as a Web service for publishing information and video on demand (VOD).

The multi-company building above is one example; the need is not limited to it. For instance, if units inside one company require strict isolation, the same approach can be used; the VPN is then simply one more level of security isolation.

The technical solution of the invention is as follows: step one, configure the VPN attribute value, the VPN-ID, in the firewall's interface attribute table; step two, add a VPN-ID field to the lookup key of the routing table, so that VPN-ID plus destination IP is the lookup key; step three, add the VPN-ID to the lookup key of the security policy table as well. Between step one and step two it further includes: if the firewall provides dedicated servers or supports NAT, add a VPN-ID field and the destination IP address to the lookup key of the server table. After step three it further includes: if the firewall also supports NAT, add a VPN-ID field to the lookup key of the NAT translation table.

Figure 2 illustrates how the firewall is set up for a local VPN. To partition VPN zones by interface or sub-interface, the invention configures the firewall's interface attribute table, routing table, policy table, NAT binding table and internal server address mapping table, and thereby realizes firewall-based local VPN zone partitioning.
With reference to Figure 2, the specific steps are as follows.

Step 201: The user first configures the VPN attribute, the VPN-ID, in the interface attribute table. That is, every firewall interface receives a VPN-ID through the interface attribute table, and the internal networks connected to all interfaces with the same VPN-ID form one local virtual private network. The VPN-ID of an interface connected to the public network is normally set to 0. If security zones are needed inside a VPN they are also partitioned by interface, so the interface attribute table may also hold a security zone number, the ZONE-ID. When a packet enters from an interface, these two parameters are retrieved for the subsequent processing (see table 201 in Figure 2). The interface attribute table may hold many other attributes, such as MTU and encapsulation type; these differ between systems and the invention does not restrict them.

Step 202: A firewall generally implements static or dynamic server mapping to give flexible access to destinations. To isolate VPNs, a VPN-ID field is added to the lookup key of the server table, and the lookup key must also include the destination IP address. "Adding a VPN-ID field" means adding a VPN-ID to the contents of the existing entries to obtain a new table; in the new table, two entries that differ only in their VPN-ID and are otherwise identical are treated as two different entries. In the new table all entries are thus divided into regions by VPN-ID: different VPN-ID regions may contain the same item, while the same item cannot appear twice inside one region. "Adding a VPN-ID field" has the same meaning in the remaining steps. Optionally the server table may contain other items such as the IP protocol number and the TCP/UDP port number. See table 202 in Figure 2; the server table may have many attributes, such as application protocol type, number of connections and destination-address NAT; these differ between systems and the invention does not restrict them.

Step 203: To isolate routing between VPN domains, a VPN-ID field is also added to the lookup key of the routing table, so that VPN-ID plus destination IP is the lookup key. See table 203 in Figure 2; the invention does not restrict the other contents of routing entries.

Step 204: To implement policies between VPN domains and security zones, the VPN-ID is added to the lookup key of the security policy table. If security zones are set up inside a VPN, the ZONE-ID is added as well. For IP-based security policies the lookup key generally includes the source and destination IP addresses; optionally it may also include the IP protocol number and the TCP/UDP port numbers. The attributes of the security policy table generally carry the policy content, such as whether to filter and whether to apply bandwidth management; the invention does not restrict them.

If private addresses are used inside a VPN, generally those recommended by RFC 1918, then network address translation is needed when users access the Internet or, where the security policy permits, users in other VPNs. See table 205 in Figure 2: to let different VPNs share a common NAT address pool, a VPN-ID field is added to the lookup key of the NAT translation table; the lookup key usually also includes the source IP address and optionally the IP protocol number and the TCP/UDP port numbers. The attributes of the NAT translation table generally hold the translated IP address and similar items; the invention does not restrict them. NAPT (Network Address Port Translation) is similar to NAT and applies equally to the invention.

See items 210-212 in Figure 3: all of the above tables are stored as trees. 210 is a hash bucket: the entry's key is hashed and the first N bits of the hash value index the bucket, which gives an initial separation of the entries. 211 is a fork node of the tree.
When two or more entries hash into the same bucket, fork nodes are needed to tell them apart. 212 is a leaf node, which stores the actual content of the entry.

The technical solution is further explained below through the processing of packets by a firewall set up according to the method. Figure 4 is the flowchart of packet processing for a local VPN. A packet enters the firewall from a physical port, generally an Ethernet port, although it may be another port type such as ATM. The packet processing steps are as follows.

Step 301: Depending on the physical link, the packet is matched against the corresponding interface attribute table; for a sub-interface, such as an Ethernet VLAN sub-interface, the corresponding sub-interface attribute table is consulted. Classification and processing based on link-layer information is performed, for example distinguishing unicast, multicast and broadcast packets, and the necessary packet validity checks are made. The VPN-ID and ZONE-ID configured in the interface attribute table are then carried along to the next step.

Step 302: Before IP-layer processing, basic IP packet validity checks are performed, mainly the processing specified in RFC 1812. The server table is then consulted to determine whether a dedicated server is configured or whether a destination-address NAT mapping exists. This server lookup is optional: if no dedicated server is provided and destination-IP NAT is not supported, the step may be omitted.

Step 303: The routing table is looked up by the packet's destination IP address and VPN-ID. On a hit, the corresponding routing information is recorded; on a miss, the routing table is looked up again with VPN-ID = 0 to determine whether a public-network address is being accessed. Optional optimizations are possible here: for example, if every VPN uses private addresses as defined by RFC 1918, then according to the type of the destination IP address only the private routing table for that VPN-ID, or only the public routing table for VPN-ID = 0, needs to be consulted. If no route is found at all, the packet is dropped, redirected or otherwise handled according to the policy the system defines.

Step 304: Once a route is found in step 303, the outgoing interface is known, and the destination VPN-ID and ZONE-ID are obtained from the outgoing interface's attribute table. Together with the source VPN-ID, source ZONE-ID, source IP address and other information, the policy table is then consulted to decide whether the access is allowed, whether address translation is needed, and which other policy actions apply. If the policy passes, the packet is forwarded. Security policies generally fall into two types: deny by exception and allow the rest, or allow by exception and deny the rest; the two may also be combined. Further, for access between VPNs, the corresponding security policy is looked up in the security policy table by the destination VPN-ID and ZONE-ID together with the source VPN-ID and ZONE-ID; for packets from a VPN to the public network, or from the public network to a VPN, the destination VPN-ID and ZONE-ID, or respectively the source VPN-ID and ZONE-ID, are replaced by the public IP when looking up the corresponding security policy. If the policy passes, the packet is forwarded; if not, it is redirected or dropped as configured.

Step 305: If NAT is required, a free address resource is allocated from the NAT address pool, NAT is performed, and a NAT translation entry is created so that subsequent packets can use it directly.

Step 306: The packet is encapsulated at the link layer and forwarded.

Step 307: Subsequent packets can be forwarded directly through the NAT translation table, skipping the processing stages of the first packet.

Each VPN entity may connect to the firewall through a layer 2 or layer 3 switch or a router, with static routes configured or a routing protocol such as RIP or OSPF running. With NAT support, different VPNs can share scarce public network address resources, giving access to the public network (such as the Internet) as well as access between internal VPNs.
The following concrete example shows how a firewall set up according to the invention shares public addresses. In the network of Figure 1, suppose host 1 in VPN A, denoted A1, and host 2 in VPN B, denoted B2, each send a request packet, RA1 and RB2 respectively, to public host 3. After the two requests have passed through steps 301-304, in step 305 the request RA1 is assigned an address and TCP port pair (a.b.c.d, 3000) from the NAT address pool; its source address is replaced by that public address before forwarding, and the NAT translation relation {VPN-A, A1, (a.b.c.d, 3000)} is recorded. The request RB2 can likewise be assigned the address and TCP port pair (a.b.c.d, 3001) from the pool; its source address is replaced by that public address before forwarding, and the NAT translation relation {VPN-B, B2, (a.b.c.d, 3001)} is recorded. When the reply to RA1 comes back from host 3, the destination (IP, TCP port) locates the NAT translation entry {VPN-A, A1, (a.b.c.d, 3000)}, so the destination is restored to host A1 in VPN A. Similarly, when the reply to RB2 comes back from host 3, the destination (IP, TCP port) locates the NAT translation entry {VPN-B, B2, (a.b.c.d, 3001)}, so the destination is restored to host B2 in VPN B. In this way VPN A and VPN B share the address pool resources.

For access between VPNs, the simplest way is to use public addresses inside the VPNs and treat inter-VPN access the same as external access; it may also be realized with a DNS server using twice NAT (two translations), see RFC 2663, "NAT Terminology and Considerations". Either way, access control between VPNs is conveniently implemented through policies.

Finally, it should be noted that the embodiments above only illustrate and do not limit the technical solution of the invention. Although the invention has been described in detail with reference to the embodiments above, those of ordinary skill in the art should understand that modifications or equivalent substitutions may still be made to the invention, and that any modification or partial substitution that does not depart from the spirit and scope of the invention falls within the scope of the claims.
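The table layout of steps 201-205 and the packet path of steps 301-307, including the shared-pool NAT example for hosts A1 and B2 above, as an added Python simulation. This is not the patent's code: the interface names, the overlapping 10.0.0.0/24 prefixes, the pool address 203.0.113.1, the public host 198.51.100.3 and all port numbers are constructed assumptions, and the tables are plain dictionaries rather than the hash-bucket trees of Figure 3. The point it makes concrete is that VPN-ID is part of every lookup key, so two tenants with identical private addresses get distinct routes, distinct policy decisions and distinct NAT entries.

```python
"""Added example: VPN-ID-keyed firewall tables (steps 201-205) and the
first-packet path (steps 301-306) with the NAT fast path (step 307).
Constructed for illustration; not code from the patent."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Dict, Optional, Tuple

PUBLIC_VPN = 0  # the patent sets VPN-ID 0 on interfaces facing the public network


@dataclass
class Result:
    action: str                              # "forward" or "drop"
    reason: str
    out_port: Optional[str] = None
    src: Optional[Tuple[str, int]] = None    # (ip, port) after NAT, if any
    dst: Optional[Tuple[str, int]] = None    # (ip, port) after reverse NAT, if any
    dst_vpn: Optional[int] = None


@dataclass
class LocalVpnFirewall:
    # table 201: interface -> (VPN-ID, ZONE-ID)
    interfaces: Dict[str, Tuple[int, int]]
    # table 203: (VPN-ID, prefix) -> outgoing interface; VPN-ID is part of the key
    routes: Dict[Tuple[int, IPv4Network], str]
    # table 204: (src VPN-ID, src ZONE-ID, dst VPN-ID, dst ZONE-ID) -> allow?
    policies: Dict[Tuple[int, int, int, int], bool]
    nat_pool_ip: str = "203.0.113.1"          # assumed single shared pool address
    next_port: int = 3000
    # table 205: (VPN-ID, private ip, private port) -> (public ip, public port)
    nat_out: Dict[Tuple[int, str, int], Tuple[str, int]] = field(default_factory=dict)
    # reverse direction: (public ip, public port) -> (VPN-ID, private ip, private port)
    nat_in: Dict[Tuple[str, int], Tuple[int, str, int]] = field(default_factory=dict)

    def lookup_route(self, vpn_id: int, dst_ip: str) -> Optional[str]:
        """Step 303: longest-prefix match under the packet's VPN-ID, then a
        second try under VPN-ID 0 to see whether a public address is meant."""
        addr = ip_address(dst_ip)
        for vid in (vpn_id, PUBLIC_VPN):
            best: Optional[Tuple[IPv4Network, str]] = None
            for (v, net), port in self.routes.items():
                if v == vid and addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                    best = (net, port)
            if best is not None:
                return best[1]
        return None

    def process(self, in_port: str, src_ip: str, src_port: int,
                dst_ip: str, dst_port: int) -> Result:
        """Steps 301-306 for one packet arriving on in_port."""
        if in_port not in self.interfaces:
            return Result("drop", "unknown interface")
        src_vpn, src_zone = self.interfaces[in_port]               # step 301
        # step 307 fast path: replies from the public side matched by (ip, port)
        if src_vpn == PUBLIC_VPN and (dst_ip, dst_port) in self.nat_in:
            vpn, priv_ip, priv_port = self.nat_in[(dst_ip, dst_port)]
            out = self.lookup_route(vpn, priv_ip)
            return Result("forward", "reverse NAT", out, (src_ip, src_port), (priv_ip, priv_port), vpn)
        out = self.lookup_route(src_vpn, dst_ip)                    # step 303
        if out is None:
            return Result("drop", "no route")
        dst_vpn, dst_zone = self.interfaces[out]                    # step 304
        if not self.policies.get((src_vpn, src_zone, dst_vpn, dst_zone), False):
            return Result("drop", "policy deny", out, dst_vpn=dst_vpn)
        src = (src_ip, src_port)
        if src_vpn != PUBLIC_VPN and dst_vpn == PUBLIC_VPN:          # step 305
            key = (src_vpn, src_ip, src_port)
            if key not in self.nat_out:
                pub = (self.nat_pool_ip, self.next_port)
                self.next_port += 1
                self.nat_out[key] = pub
                self.nat_in[pub] = key
            src = self.nat_out[key]
        return Result("forward", "policy allow", out, src, (dst_ip, dst_port), dst_vpn)


def build_example() -> LocalVpnFirewall:
    """Two tenants (VPN-ID 1 and 2) behind one firewall with one Internet uplink.
    Both tenants use the overlapping prefix 10.0.0.0/24 (assumed addresses)."""
    return LocalVpnFirewall(
        interfaces={"eth0": (PUBLIC_VPN, 0),   # building uplink
                    "eth1": (1, 1),            # VPN A, zone 1
                    "eth2": (2, 1),            # VPN B, zone 1
                    "eth3": (2, 2)},           # VPN B, zone 2
        routes={(1, ip_network("10.0.0.0/24")): "eth1",
                (2, ip_network("10.0.0.0/24")): "eth2",
                (2, ip_network("172.16.0.0/24")): "eth3",
                (PUBLIC_VPN, ip_network("0.0.0.0/0")): "eth0"},
        policies={(1, 1, 0, 0): True,          # VPN A -> Internet
                  (2, 1, 0, 0): True,          # VPN B zone 1 -> Internet
                  (2, 1, 2, 2): True},         # VPN B zone 1 -> zone 2 only
    )
```

Running `build_example()` and sending the two requests from 10.0.0.5:40000 on eth1 and on eth2 to 198.51.100.3:80 yields NAT entries (203.0.113.1, 3000) and (203.0.113.1, 3001), and a reply to port 3001 is restored to 10.0.0.5 in VPN-ID 2 because VPN-ID sits in the NAT key. A packet from VPN A to 172.16.0.9 never reaches VPN B's eth3: the lookup under VPN-ID 1 misses and the fallback under VPN-ID 0 sends it to the uplink, which is the route isolation the patent describes. Note that the step 307 fast path bypasses the policy table, as the patent states for subsequent packets, so the policy decision is only ever made on the first packet of a flow.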

Claims (9)

1. A method for partitioning local virtual private network zones based on a firewall, characterized by comprising the steps of: configuring a VPN attribute value VPN-ID in the interface attribute table of the firewall; adding a VPN-ID field to the lookup key of the routing table, so that VPN-ID and destination IP form the lookup key; adding the VPN-ID to the lookup key of the security policy table; and partitioning different local virtual private network zones according to the VPN-ID.
2. The method for partitioning local virtual private network zones based on a firewall according to claim 1, characterized in that: if the firewall provides dedicated servers or supports NAT, a VPN-ID field and the destination IP address are added to the lookup key of the server table.
3. The method for partitioning local virtual private network zones based on a firewall according to claim 1 or 2, characterized by comprising: if the firewall supports NAT translation, adding a VPN-ID field to the lookup key of the NAT translation table.
4. The method for partitioning local virtual private network zones based on a firewall according to claim 1, characterized by further comprising: configuring a security zone number ZONE-ID in the interface attribute table of the firewall; and adding the ZONE-ID to the lookup key of the security policy table.
5. The method for partitioning local virtual private network zones based on a firewall according to claim 1, characterized in that the step of configuring the VPN attribute value VPN-ID in the interface attribute table of the firewall comprises: assigning a VPN-ID to every internal interface of the firewall through the interface attribute table, so that the internal networks connected to all interfaces with the same VPN-ID form one local virtual private network.
6. The method for partitioning local virtual private network zones based on a firewall according to claim 1, characterized in that the step of adding the VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key, comprises: looking up the routing table by the packet's destination IP address and VPN-ID; if a route is found, recording the corresponding routing information; if none is found, looking up the routing table to determine whether a public network address is being accessed; and if still no route is found, dropping or redirecting the packet according to the policy the system defines.
7. The method for partitioning local virtual private network zones based on a firewall according to claim 1, characterized in that, in the step of adding the VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key, if every VPN uses private addresses as defined by RFC 1918, then according to the type of the destination IP address only the private routing table or only the public routing table is consulted.
8. The method for partitioning local virtual private network zones based on a firewall according to claim 4, characterized in that: from the VPN-ID and destination IP obtained in the step of adding the VPN-ID field to the lookup key of the routing table, with VPN-ID and destination IP as the lookup key, the destination VPN-ID and ZONE-ID are further obtained from the outgoing interface attribute table, and the security policy table is then looked up by the source VPN-ID, source ZONE-ID and source IP address; if the policy passes, the packet is forwarded; otherwise it is dropped or redirected according to the policy the system defines.
9. The method for partitioning local virtual private network zones based on a firewall according to claim 3, characterized in that: different VPNs share the firewall's public network address resources through the NAT translation table, realizing reuse of public network address resources and/or access between internal VPNs.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 200410038976 CN100417078C (en) 2004-05-10 2004-05-10 Method for realizing local virtual private network based on firewall


Publications (2)

Publication Number Publication Date
CN1697396A (en) 2005-11-16
CN100417078C (en) 2008-09-03

Family

ID=35349932


Country Status (1)

Country Link
CN (1) CN100417078C (en)

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101222456A (en) * 2008-01-28 2008-07-16 勇 陈 Network safety gateway product sharing method
CN101582830B (en) 2009-06-22 2011-12-21 杭州华三通信技术有限公司 Cross-device and method for implementing virtual private network visits
CN103004145B (en) * 2011-07-21 2015-04-08 华为技术有限公司 Flow distribution method, flow distribution device and flow distribution system for virtual private network
CN103516822A (en) * 2012-06-29 2014-01-15 同方股份有限公司 Virtualization data exchange safety system for virtualization network
CN102710669B (en) 2012-06-29 2016-03-02 杭州华三通信技术有限公司 A method and device for controlling the firewall policy
CN103036801B (en) * 2012-12-18 2019-06-14 网神信息技术(北京)股份有限公司 The processing method and processing device of data packet
CN105991442A (en) * 2015-04-30 2016-10-05 杭州迪普科技有限公司 Message forwarding method and device
CN107395645B (en) * 2017-09-05 2018-06-26 瑞科网信(北京)科技有限公司 Firewall systems for medium and method and a corresponding program is stored

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1471275A (en) 2002-07-23 2004-01-28 华为技术有限公司 Enterprise external virtual special network system and method using virtual router structure
US6693878B1 (en) 1999-10-15 2004-02-17 Cisco Technology, Inc. Technique and apparatus for using node ID as virtual private network (VPN) identifiers


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
MPLS-VPN工作特性 (Working characteristics of MPLS-VPN). 陈启美, 张国强, 薛健. 电力自动化设备 (Electric Power Automation Equipment), Vol. 22, No. 10, 2002.



Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
CF01