CN101521602A - Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN - Google Patents

Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN

Info

Publication number
CN101521602A
Authority
CN
China
Prior art keywords
message
dpd
node
ike
state
Prior art date
Legal status
Granted
Application number
CN200810034129A
Other languages
Chinese (zh)
Other versions
CN101521602B (en)
Inventor
汪革
秦志雷
Current Assignee
SHANGHAI BAUD DATA COMMUNICATION CO Ltd
Original Assignee
SHANGHAI BAUD DATA COMMUNICATION CO Ltd
Priority date
Filing date
Publication date
Application filed by SHANGHAI BAUD DATA COMMUNICATION CO Ltd
Priority to CN200810034129A
Publication of CN101521602A
Application granted
Publication of CN101521602B
Status: Expired - Fee Related


Abstract

The invention discloses a method for monitoring the state of communication nodes in an IPSec VPN by using IKE. The scheme does not send keepalive messages at regular intervals. It relies mainly on the IKE Notify message mechanism and uses the normal IPSec traffic exchanged between the peers, together with detection messages carried in IKE, to probe the state of the peer VPN node and so decide whether the probed IKE node is reachable. This DPD (Dead Peer Detection) scheme sends IKE messages to probe the state of an IKE node only when needed, so the current state of the node is learned in time with the fewest possible messages, and the liveness of IKE nodes in the network is detected with a minimal number of IKE messages. In addition, like other node-detection mechanisms, the DPD mechanism of the invention can decide when the state of an IKE node should be probed, and can reclaim the resources associated with a node once that node is gone.

Description

Implementation method for monitoring the state of communication nodes in an IPSec VPN using IKE
Technical field:
The present invention relates to the fields of information security and data communication, and in particular to a method for monitoring the state of communication nodes in an IPSec VPN using IKE (Internet Key Exchange).
Background technology:
IPsec (Security Architecture for IP networks) protects the paths between hosts, between security gateways, and between a security gateway and a host. The algorithms and keys used for IPsec encryption usually have to be negotiated and managed by IKE (Internet Key Exchange).
However, when two network nodes communicate over IKE or IPSec, unpredictable events such as routing errors or the restart of a network device often break the connection between the two nodes. The SAs (Security Associations, which store the authentication and encryption algorithms and the associated key material) used for data encryption then remain in the network device until their lifetime expires, and meanwhile packets keep being addressed to a network node that can never be reached. It is therefore necessary to discover such unreachable nodes promptly and to delete the information about them held in the local network device.
In current networks, a dead IKE peer is detected by sending keepalive messages at regular intervals. Because a dead peer must be discovered quickly, these messages have to be sent at a fairly high rate, which in turn increases the message-processing load. For gateway devices that maintain a large number of IKE sessions, such periodic keepalive schemes are therefore undesirable.
Summary of the invention:
Based on the above considerations, and to overcome the limitations of network node communication and of the prior-art schemes described above, the object of the invention is to provide a method for monitoring the state of communication nodes in an IPSec VPN using IKE. The scheme does not send keepalive messages periodically; it relies mainly on the IKE Notify message mechanism to detect whether an IKE node is reachable. This DPD (Dead Peer Detection) probe sends IKE messages to detect the state of an IKE node only when needed, so that the current state of the node is obtained in time with the fewest messages.
To monitor dead nodes in the IPSec VPN in time, the invention uses the normal IPSec traffic together with detection messages carried in IKE to detect the state of the peer VPN node. The main process is as follows. First, every IPSec message received is used to update the network state of the peer node. Then, whenever an IPSec message is sent, the current link state is checked; if no IPSec message has been received on the link recently, a DPD event timer is started in the IKE module when the IPSec message is sent. When the DPD event fires, if any IPSec message from the node under test has been received recently, the DPD query for that node is cancelled; if no IPSec message from the node under test has been received recently, a DPD message is sent and the reply of the peer node is awaited. If several (a user-specified number of) DPD messages have been sent and none of them is answered, the peer node is declared unreachable, and the locally stored phase-1 and phase-2 SA (Security Association, holding the authentication and encryption algorithms and the key material) information associated with that node is deleted.
Specifically, the scheme can be divided into the following two modes:
1. DPD Periodic mode:
While normal IPSec traffic is being exchanged, no IKE message is sent to probe the state of the IKE node, because the IPSec traffic being exchanged already proves that the corresponding IKE node is reachable.
During periods with no IPSec traffic, R_U_THERE messages are sent to the IKE node at regular intervals. If the R_U_THERE_ACK returned by the peer IKE node is received, the node is reachable; if no R_U_THERE_ACK from the peer node is received after three R_U_THERE messages have been sent, the peer node is unreachable, and the locally stored information about the dead node must then be deleted.
2. DPD On-demand mode:
Sending an R_U_THERE message is triggered only when no reply can be obtained after an IPSec message is sent. If an R_U_THERE_ACK reply is received, the IKE endpoint is proven reachable; if no R_U_THERE_ACK from the peer node is received after three R_U_THERE messages have been sent, the peer node is unreachable, and the locally stored information about the dead node must then be deleted.
The beneficial effects of the invention are:
Compared with the original periodic keepalive function in IPsec, DPD generates little traffic, detects failures promptly, and restores tunnels quickly.
Taking DPD On-demand mode as an example, the details are as follows:
(1) Choice of when to send R_U_THERE messages
Sending normal traffic does not trigger an R_U_THERE message unless the send fails; only then is an R_U_THERE message sent to probe the state of the peer node.
(2) Real-time update of the peer node state
Any message received from the peer updates the state of that node, so no extra message has to be sent to learn the peer's state.
(3) Timely release of local storage
When R_U_THERE messages are used to monitor the state of the peer node, a peer found to be unreachable has its locally stored tunnel information deleted at once, so redundant local information is cleaned up promptly.
(4) Reduction of invalid traffic in the network
If the destination node is found to be unreachable when normal data is about to be sent, the send is abandoned, so no invalid data is put on the network.
DPD Periodic mode has the same advantages.
Description of drawings:
The invention is further described below with reference to the drawings and specific embodiments.
Fig. 1 is a flow chart of the initialization procedure of the invention in one embodiment.
Fig. 2 is a flow chart of the processing performed when a DPD event arrives in the method of the invention.
Fig. 3 is a flow chart of the processing performed when a DPD reply message is received in the method of the invention.
Fig. 4 is a flow chart of the steps of the DPD on-demand mode in the method of the invention.
Embodiment:
To make the technical means, inventive features, objects and effects of the invention easy to understand, the invention is further explained below with reference to the drawings and the technical scheme described above.
(1) DPD periodic mode
In this mode, DPD messages are sent at regular intervals while the link is idle, so that the state of the peer IKE node is obtained continuously.
When an IKE node starts to communicate with a peer IKE node, DPD node detection is initialized. The initialization procedure is shown in Fig. 1 and comprises the following steps:
1. Send a message to the peer IKE node declaring that this node supports the DPD function and asking whether the peer supports it too;
2. If the peer supports the DPD function and DPD detection is configured locally, start the DPD event timer;
3. When the DPD event arrives, start the DPD event processing mechanism.
Fig. 2 shows the internal processing of a DPD event. The steps are as follows:
1. If messages have been exchanged with the peer node recently, return directly and wait for the next DPD event;
2. If a DPD message from the peer has been received recently, return and wait for the next DPD event;
3. Send a DPD message and start a timer waiting for the peer's DPD reply. If, after three DPD messages have been sent, still no DPD reply and no other message exchange has been received, delete the information about this node and stop sending DPD messages.
Fig. 3 shows the processing after a DPD reply from the peer node is received. It is only necessary to check whether the message is legitimate; if it is, the node's state is set to reachable and no DPD messages are sent for a period of time.
The steps above describe the case in which this node initiates DPD. If the DPD message is initiated by the peer node, the local node only needs to reply with the corresponding DPD message to prove that it is reachable.
(2) DPD on-demand mode
In this mode, a DPD message is sent to obtain the state of the peer IKE node only when no reply from the peer node is received after an IPSec message is sent.
This mode is started only when needed, which keeps the system overhead to a minimum. The specific steps are as follows:
1. Send the IPSec message and decide from the current link state whether to start the DPD event timer; if the link is currently idle, start the DPD event timer (Fig. 4).
2. When the DPD event fires, check the current link state; if the link is currently idle, send a DPD message to check the state of the peer node, otherwise return directly (Fig. 2).
3. When a DPD reply is received, set the peer node state to reachable and continue sending IPSec messages (Fig. 3).
4. If no DPD reply is received after several (a user-specified number of) DPD messages have been sent, delete the resources associated with the peer node and stop sending IPSec messages.
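The DPD event processing and the two modes described above, as an added simulation that is not code from the patent or its assignee. It assumes a 10 s DPD interval, three unanswered R_U_THERE probes before the peer is declared dead, and a sequence number that an R_U_THERE_ACK must echo to count as a legitimate reply (the text only says the reply is checked for legitimacy); the SA names are constructed placeholders.

```python
"""DPD peer-state simulation for the periodic and on-demand modes.

Added example; not code from the patent or from its assignee. The interval,
probe limit, sequence-number check and SA names are assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

R_U_THERE = "R_U_THERE"          # DPD probe carried as an IKE Notify
R_U_THERE_ACK = "R_U_THERE_ACK"  # DPD reply carried as an IKE Notify


@dataclass
class DpdPeer:
    mode: str                              # "periodic" or "on-demand"
    interval: float = 10.0                 # seconds of silence after which the link is idle
    max_probes: int = 3                    # unanswered probes before the peer is declared dead
    sas: List[str] = field(default_factory=lambda: ["IKE-SA", "IPsec-SA-in", "IPsec-SA-out"])
    alive: bool = True
    last_rx: float = float("-inf")         # time of the last message received from the peer
    probes_unanswered: int = 0
    seq: int = 0                           # sequence number carried by the next R_U_THERE
    armed: bool = False                    # on-demand only: timer started by an IPsec send
    sent: List[Tuple[str, int]] = field(default_factory=list)  # DPD messages we sent

    def idle(self, now: float) -> bool:
        return now - self.last_rx >= self.interval

    def receive(self, kind: str, now: float, seq: Optional[int] = None) -> Optional[Tuple[str, int]]:
        """Handle an inbound message from the peer. Any legitimate message proves the
        peer reachable; an R_U_THERE is answered, and an R_U_THERE_ACK is accepted
        only when it echoes our most recent probe (stale or replayed ACKs are ignored)."""
        if kind == R_U_THERE_ACK:
            if self.probes_unanswered == 0 or seq != self.seq - 1:
                return None                # not a legitimate reply: do not count as liveness
            self.probes_unanswered = 0
            self.armed = False             # on-demand: wait for the next idle IPsec send
        self.last_rx = now                 # recent traffic suppresses probes for one interval
        self.alive = True
        if kind == R_U_THERE:              # the peer is probing us: echo its sequence number
            reply = (R_U_THERE_ACK, seq)
            self.sent.append(reply)
            return reply
        return None

    def send_ipsec(self, now: float) -> bool:
        """Called before an IPsec datagram goes out. Returns False when the peer is
        known dead, so the caller drops the datagram instead of sending invalid data."""
        if not self.alive:
            return False
        if self.mode == "on-demand" and self.idle(now):
            self.armed = True              # nothing heard recently: start the DPD timer
        return True

    def dpd_event(self, now: float) -> str:
        """Run when the DPD event timer fires. Returns the action taken."""
        if not self.alive:
            return "dead"
        if self.mode == "on-demand" and not self.armed:
            return "not-armed"
        if not self.idle(now):
            return "skip"                  # recent traffic already proves reachability
        if self.probes_unanswered >= self.max_probes:
            self.alive = False
            self.sas.clear()               # release the phase-1 and phase-2 SAs of this node
            self.armed = False
            return "dead"
        self.sent.append((R_U_THERE, self.seq))
        self.seq += 1
        self.probes_unanswered += 1
        return "probe"
```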
In summary, the specific configuration and operation of IKE node detection in the invention are as follows:
(1) Configure DPD node detection in periodic mode:
Router_config# crypto isakmp keepalive 10 periodic 2
(2) Configure DPD node detection in on-demand mode:
Router_config# crypto isakmp keepalive 10 on-demand 2
The parameters above are given as one possible implementation; their form and values are illustrative and not the only ones possible.
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the embodiments described; the embodiments and the specification merely illustrate the principles of the invention, and the invention may be changed and modified in various ways without departing from its spirit and scope, all of which fall within the claimed scope of the invention. The claimed scope of the invention is defined by the appended claims and their equivalents.

Claims (8)

1. A method for monitoring the state of communication nodes in an IPSec VPN using IKE, the method using normal IPSec traffic together with detection messages carried in IKE to detect the state of the peer VPN node and being divisible into a DPD Periodic mode and a DPD On-demand mode, characterized in that: first, the received IPSec messages are used to update the network state of the peer node; then, when an IPSec message is sent, the current link state is detected, and if no IPSec message has been received on the link recently, a DPD event timer is started in the IKE module when the IPSec message is sent; when the DPD event fires, if any IPSec message from the node under test has been received recently, the DPD query for that node is cancelled; if no IPSec message from the node under test has been received recently, a DPD message is sent and the reply of the peer node is awaited; and if several DPD messages have been sent and none of them is answered, the state of the peer node is set to unreachable, and the locally stored phase-1 and phase-2 SA information associated with that node is deleted.
2. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1, characterized in that the DPD Periodic mode process is: while normal IPSec traffic is being exchanged, no IKE message is sent to probe the state of the IKE node, because the IPSec traffic being exchanged proves that the corresponding IKE node is reachable; during periods with no IPSec traffic, R_U_THERE messages are sent to the IKE node at regular intervals, and if the R_U_THERE_ACK returned by the peer IKE node is received, the node is reachable; if no R_U_THERE_ACK from the peer node is received after three R_U_THERE messages have been sent, the peer node is unreachable, and the locally stored information about the dead node must then be deleted.
3. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1, characterized in that the DPD On-demand mode process is: sending an R_U_THERE message is triggered only when no reply can be obtained after an IPSec message is sent; if an R_U_THERE_ACK reply is received, the IKE endpoint is proven reachable; if no R_U_THERE_ACK from the peer node is received after three R_U_THERE messages have been sent, the peer node is unreachable, and the locally stored information about the dead node must then be deleted.
4. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1 or 2, characterized in that in the DPD periodic mode DPD messages are sent at regular intervals while the link is idle so that the state of the peer IKE node is obtained continuously, and that when an IKE node starts to communicate with a peer IKE node, DPD node detection is initialized by a procedure comprising the following steps:
1. Send a message to the peer IKE node declaring that this node supports the DPD function and asking whether the peer supports it too;
2. If the peer supports the DPD function and DPD detection is configured locally, start the DPD event timer;
3. When the DPD event arrives, start the DPD event processing mechanism.
5. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1 or 2, characterized in that the DPD periodic mode involves an internal processing mechanism for DPD events, the process comprising:
1. If messages have been exchanged with the peer node recently, return directly and wait for the next DPD event;
2. If a DPD message from the peer has been received recently, return and wait for the next DPD event;
3. Send a DPD message and start a timer waiting for the peer's DPD reply; if, after three DPD messages have been sent, still no DPD reply and no other message exchange has been received, delete the information about this node and stop sending DPD messages.
6. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1 or 2, characterized in that in the DPD periodic mode, after a DPD reply message from the peer node is received, it is only necessary to check whether the message is legitimate; if it is, the node's state is set to reachable and no DPD messages are sent for a period of time.
7. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1 or 2, characterized in that in the DPD periodic mode, if the DPD message is initiated by the peer node, the local node only needs to reply with the corresponding DPD message to prove that it is reachable.
8. The method for monitoring the state of communication nodes in an IPSec VPN using IKE according to claim 1 or 3, characterized in that in the DPD on-demand mode a DPD message is sent to obtain the state of the peer IKE node only when no reply from the peer node is received after an IPSec message is sent, the steps comprising:
1. Send the IPSec message and decide from the current link state whether to start the DPD event timer; if the link is currently idle, start the DPD event timer;
2. When the DPD event fires, check the current link state; if the link is currently idle, send a DPD message to check the state of the peer node, otherwise return directly;
3. When a DPD reply is received, set the peer node state to reachable and continue sending IPSec messages;
4. If no DPD reply is received after several DPD messages have been sent, delete the resources associated with the peer node and stop sending IPSec messages.
CN200810034129A 2008-02-29 2008-02-29 Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN Expired - Fee Related CN101521602B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810034129A CN101521602B (en) 2008-02-29 2008-02-29 Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN


Publications (2)

Publication Number Publication Date
CN101521602A true CN101521602A (en) 2009-09-02
CN101521602B CN101521602B (en) 2012-09-05

Family

ID=41081986


Country Status (1)

Country Link
CN (1) CN101521602B (en)




Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120905

Termination date: 20210228