CN101521602B - Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN - Google Patents
- Publication number: CN101521602B (application CN200810034129A)
- Authority
- CN
- China
- Prior art keywords
- message
- dpd
- node
- ike
- opposite end
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses a method for monitoring the state of communication nodes in an IPsec VPN by using IKE. The scheme does not need to send keepalive messages periodically. It relies mainly on the IKE Notify message mechanism: it uses the normal IPsec traffic exchanged between the peers and, only when needed, sends a payload inside IKE messages to detect the state of the peer VPN node, so as to judge whether the detected IKE node is reachable. This DPD (Dead Peer Detection) scheme sends IKE messages to detect the state of an IKE node only when necessary and obtains the current state of the IKE node in time with the fewest messages, so that the liveness of IKE nodes in the network is detected with the minimum number of IKE messages. In addition, like other node detection mechanisms, the DPD mechanism of the invention can decide when the detection of the IKE node state is carried out, and can reclaim the resources related to a node once that node is gone.
Description
Technical field:
The present invention relates to the fields of information security and data communication, and in particular to a method for monitoring the state of communication nodes in an IPsec VPN by using IKE (Internet Key Exchange).
Background technology:
IPsec (Security Architecture for the Internet Protocol) is used to protect paths between one or more hosts, between security gateways, and between a security gateway and a host; the algorithms and keys used for IPsec encryption usually need to be negotiated and managed by means of IKE (Internet Key Exchange).
However, when two network nodes communicate through IKE or IPsec, unpredictable factors such as routing errors or a restart of a network device often cause the connection between the two nodes to be broken. At that point the SAs (Security Associations, which store the negotiated authentication and encryption algorithms and the related key information) used for data encryption will remain in the network device until their lifetime expires, and packets will keep being addressed to a network node that is no longer reachable. It is therefore necessary to discover such unreachable nodes in time and to delete the information related to them from the local network device.
In current networks, the way to detect a dead IKE peer is to send keepalive messages periodically. Because dead-peer discovery has real-time requirements, these messages must be sent at a fairly high frequency, which in turn increases the message-processing burden. For gateway devices that need to maintain a large number of IKE sessions, periodically sending keepalive messages is therefore undesirable.
Summary of the invention:
Based on the above considerations, and in order to overcome the limitations of existing node-communication schemes and prior art, the purpose of this invention is to provide a method for monitoring the state of communication nodes in an IPsec VPN by using IKE. The scheme does not require periodic keepalive messages; it relies mainly on the IKE Notify message mechanism to detect whether an IKE node is reachable. This DPD (Dead Peer Detection) scheme sends IKE messages to detect the state of an IKE node only when needed, so that the current state of the IKE node is obtained in time with the minimum number of messages.
In order to monitor dead nodes in an IPsec VPN in time, the invention uses the normal IPsec traffic exchanged between the peers and sends a payload inside IKE messages to detect the state of the peer VPN node. The main process is as follows. First, the IPsec messages received are used to update the network state of the peer node. Then, when an IPsec message is sent, the current link state is checked; if no IPsec message has been received on the link recently, a DPD event timer is started for the IKE module when the IPsec message is sent. When the DPD event next arrives, if any IPsec message has been received from the peer recently, the DPD query for the peer's state is cancelled; if no IPsec message has been received from the peer recently, a DPD message is sent and the peer's reply is awaited. If no reply at all is received after the DPD message has been sent several times (the number is specified by the user), the peer node is declared unreachable, and the locally stored phase-1 and phase-2 SA (Security Association, which stores the authentication and encryption algorithms and related key information) information associated with that node is deleted.
Specifically, the scheme can be divided into the following two modes:
1. DPD Periodic mode:
While normal IPsec traffic is being exchanged, no IKE message is sent to detect the state of the IKE node, because the IPsec traffic exchanged at that time already proves that the corresponding IKE node is reachable.
During periods with no IPsec traffic, R_U_THERE messages are sent periodically to the IKE node. If an R_U_THERE_ACK message is returned by the peer IKE node, the IKE node is reachable; if no R_U_THERE_ACK is received after three R_U_THERE messages have been sent, the peer node is unreachable, and the locally stored information related to the dead node must be deleted.
2. DPD On-demand mode:
The transmission of an R_U_THERE message is triggered only when an IPsec message has been sent and no reply is received. If an R_U_THERE_ACK reply is received, the IKE endpoint is reachable; if no R_U_THERE_ACK is received after three R_U_THERE messages have been sent, the peer node is unreachable, and the locally stored information related to the dead node must be deleted.
The beneficial effects of the invention are:
Compared with the original periodic keepalive function in IPsec, DPD generates little data traffic, detects failures in time, and restores tunnels quickly.
Taking DPD On-demand mode as an example, the details are as follows:
(1) Choice of when to send R_U_THERE messages
Sending a normal message does not trigger an R_U_THERE message; only if that message fails to be sent is an R_U_THERE message triggered to probe the state of the peer node.
(2) Real-time update of the peer node state
If any message sent by the peer is received, the state of that node is updated; this avoids sending extra messages just to learn the peer's state.
(3) Timely release of local storage
When an R_U_THERE message is sent to monitor the peer's state and the peer is found to be unreachable, the locally stored tunnel information for that peer is deleted, so redundant local information is cleaned up in time.
(4) Less invalid data transmitted in the network
If the destination node is found to be unreachable when normal data is about to be sent, the transmission is abandoned, which avoids sending invalid data into the network.
The above advantages also hold for DPD Periodic mode.
Description of drawings:
The invention is further described below with reference to the drawings and an embodiment.
Fig. 1 is a flow chart of the initialization procedure of the invention in one embodiment.
Fig. 2 is a flow chart of the processing performed when a DPD event arrives in the method of the invention.
Fig. 3 is a flow chart of the processing performed when a DPD reply message is received in the method of the invention.
Fig. 4 is a flow chart of the steps of the DPD on-demand mode in the method of the invention.
Embodiment:
To make the technical means, creative features, objectives and effects of the invention easy to understand, the invention is further explained below with reference to the specific drawings and the technical scheme described above.
(1) DPD periodic mode
In this mode, DPD messages are sent periodically while the link is idle, so that the state of the peer IKE node is obtained continuously.
When an IKE node begins to communicate with a peer IKE node, DPD node detection is initialized. The initialization procedure is shown in Fig. 1 and comprises the following steps:
1. Send a message to the peer IKE node declaring that this node supports DPD, and query whether the peer also supports it;
2. If the peer supports DPD and DPD detection is configured locally, start the DPD event timer;
3. When the DPD event arrives, start the DPD event processing mechanism.
Fig. 2 shows the internal processing mechanism of a DPD event. The implementation steps are as follows:
1. If there has been message exchange with the peer node recently, return directly and wait for the next DPD event;
2. If a DPD message from the peer has been received recently, return and wait for the next DPD event;
3. Send a DPD message and start a timer to wait for the peer's DPD reply. If after three DPD messages no DPD reply and no other message exchange has been received, delete the information related to this node and stop sending DPD messages.
Fig. 3 shows the processing after a DPD reply message from the peer is received. At this point it is only necessary to check whether the message is valid; if it is, the state of the node is set to reachable and no DPD messages are sent for a period of time.
The above steps describe the case where the local node actively initiates DPD. If the DPD message is initiated by the peer node, the local node only needs to reply with the corresponding DPD message to prove that it is reachable.
(2) DPD on-demand mode
In this mode a DPD message is sent to obtain the state of the peer IKE node only when no reply message is received from the peer after an IPsec message has been sent.
This mode is started only when needed, which minimizes overhead. The specific implementation steps are as follows:
1. Send the IPsec message and decide, according to the state of the current link, whether to start the DPD event timer: if the link is currently idle, start the DPD event timer (Fig. 4).
2. When the DPD event fires, check the current link state: if the link is idle, send a DPD message to check the state of the peer node; otherwise return directly (Fig. 2).
3. After a DPD reply message is received, set the peer node state to reachable and continue sending IPsec messages (Fig. 3).
4. If no DPD reply is received after the DPD message has been sent several times (the number is specified by the user), delete the resources related to this peer node and stop sending IPsec messages.
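The procedure in the Summary and the on-demand steps just listed describe one per-peer state machine: update liveness from received traffic, arm a DPD timer only when the link is idle, probe with R_U_THERE, and tear down the SAs after a fixed number of unanswered probes. The Python below is an added illustration of that machine, not code from the patent; the class and method names, the 10-second interval and the three-probe limit are assumptions chosen to match the text, and `simulate_silent_peer` is a constructed scenario.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Mode(Enum):
    PERIODIC = "periodic"      # probe whenever the link has gone idle
    ON_DEMAND = "on-demand"    # probe only after an IPsec send on an idle link


@dataclass
class DpdPeer:
    """Per-peer DPD bookkeeping for one IKE SA (assumed model, not the patent's own code)."""
    mode: Mode
    interval: float = 10.0          # idle time before a probe; the '10' in 'keepalive 10 ...'
    max_probes: int = 3             # unanswered R_U_THERE messages tolerated before declaring death
    last_rx: float = 0.0            # last time anything (IPsec or IKE) arrived from the peer
    probes: int = 0                 # R_U_THERE messages sent without an ACK so far
    alive: bool = True
    timer_due: Optional[float] = None   # when the DPD event timer fires; None = timer stopped
    sent: List[str] = field(default_factory=list)   # IKE Notify messages emitted, for inspection
    sas_deleted: bool = False       # phase-1/phase-2 SAs for this peer torn down

    def start(self, now: float) -> None:
        # Fig. 1: once both sides have announced DPD support, periodic mode arms the timer
        if self.mode is Mode.PERIODIC:
            self.timer_due = now + self.interval

    def on_ipsec_rx(self, now: float) -> None:
        # any packet from the peer proves it is alive, so no probe is needed (step 1)
        self.last_rx, self.probes, self.alive = now, 0, True

    def on_ipsec_tx(self, now: float) -> bool:
        # send an IPsec packet; False means the peer is already known dead (advantage 4)
        if not self.alive:
            return False
        idle = (now - self.last_rx) >= self.interval
        if self.mode is Mode.ON_DEMAND and self.timer_due is None and idle:
            self.timer_due = now + self.interval    # arm the DPD event timer (Fig. 4)
        return True

    def on_dpd_event(self, now: float) -> None:
        # Fig. 2: the DPD event timer fired; decide whether a probe is really needed
        if not self.alive or self.timer_due is None or now < self.timer_due:
            return
        if (now - self.last_rx) < self.interval:
            self.probes = 0                     # recent traffic: cancel the query
            self._rearm(now)
        elif self.probes >= self.max_probes:
            self._declare_dead()                # three probes unanswered: peer is dead
        else:
            self.sent.append("R_U_THERE")
            self.probes += 1
            self.timer_due = now + self.interval    # wait this long for R_U_THERE_ACK

    def on_r_u_there_ack(self, now: float) -> None:
        # Fig. 3: a valid ACK marks the peer reachable and quiets probing for a while
        self.on_ipsec_rx(now)
        self._rearm(now)

    def on_r_u_there(self, now: float) -> str:
        # peer-initiated probe: answering is all that is needed to prove we are alive
        self.last_rx = now
        return "R_U_THERE_ACK"

    def _rearm(self, now: float) -> None:
        self.timer_due = now + self.interval if self.mode is Mode.PERIODIC else None

    def _declare_dead(self) -> None:
        self.alive, self.timer_due, self.sas_deleted = False, None, True  # free SAs, stop sending


def simulate_silent_peer(mode: Mode) -> DpdPeer:
    """Constructed scenario: the peer was heard at t=0 and then falls silent."""
    peer = DpdPeer(mode=mode)
    peer.start(0.0)
    peer.on_ipsec_rx(0.0)
    peer.on_ipsec_tx(15.0)                      # link idle for 15 s when we send
    for t in (25.0, 35.0, 45.0, 55.0):          # four expiries: three probes, then death
        peer.on_dpd_event(t)
    return peer
```

In both modes the silent peer costs exactly three R_U_THERE notifies before its SAs are freed, while a peer that keeps sending IPsec traffic never triggers a probe at all.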
In summary, the specific configuration and operation of IKE node detection in the invention is as follows:
(1) Configure DPD node detection in periodic mode:
Router_config#crypto isakmp keepalive 10 periodic 2
(2) Configure DPD node detection in on-demand mode:
Router_config#crypto isakmp keepalive 10 on-demand 2
The above parameter settings are one way of realizing the method; their form and values are given for reference and are not the only possible ones.
The basic principles, main features and advantages of the invention have been shown and described above. Those skilled in the art should understand that the invention is not limited to the embodiments described above; the embodiments and the specification only illustrate the principles of the invention, and various changes and modifications are possible without departing from the spirit and scope of the invention, all of which fall within the claimed scope. The scope of protection of the invention is defined by the appended claims and their equivalents.
Claims (6)
1. A method for monitoring the state of communication nodes in an IPsec VPN by using IKE, wherein the method uses the normal IPsec traffic exchanged between the peers and sends a payload inside IKE messages to detect the state of the peer VPN node, and can be divided into two modes, DPD Periodic and DPD On-demand, characterized in that: first, the IPsec messages received are used to update the network state of the peer VPN node; then, when an IPsec message is sent, the current link state is checked, and if no IPsec message has been received on the link recently, a DPD event timer is started for the IKE module when the IPsec message is sent; when the DPD event next arrives, if any IPsec message has been received from the peer VPN node recently, the transmission of the DPD query for the peer VPN node's state is cancelled; if no IPsec message has been received from the peer VPN node recently, a DPD message is sent and the reply of the peer VPN node is awaited; if no reply at all is received after the DPD message has been sent several times, the peer VPN node is declared unreachable, and the locally stored phase-1 and phase-2 SA information associated with that node is deleted;
The process of said DPD Periodic mode is: while normal IPsec traffic is being exchanged, no IKE message is sent to detect the state of the IKE node, because the IPsec traffic exchanged at that time proves that the corresponding IKE node is reachable; during periods with no IPsec traffic, R_U_THERE messages are sent periodically to the IKE node, and if an R_U_THERE_ACK message is returned by the peer IKE node, the IKE node is reachable; if no R_U_THERE_ACK message is returned by the peer VPN node after three R_U_THERE messages have been sent, the peer VPN node is unreachable, and the locally stored information related to the dead node must be deleted;
The process of said DPD On-demand mode is: the transmission of an R_U_THERE message is triggered only when an IPsec message has been sent and no reply message is received; if an R_U_THERE_ACK reply is received, the IKE endpoint is proven reachable; if no R_U_THERE_ACK message is returned by the peer VPN node after three R_U_THERE messages have been sent, the peer VPN node is unreachable, and the locally stored information related to the dead node must be deleted;
Said IKE is the abbreviation of Internet Key Exchange.
2. The method for monitoring the state of communication nodes in an IPsec VPN by using IKE according to claim 1, characterized in that said DPD periodic mode sends DPD messages periodically while the link is idle so as to obtain the state of the peer IKE node continuously, and that when an IKE node begins to communicate with a peer IKE node, DPD node detection is initialized by the following steps:
1. Send a message to the peer IKE node declaring that this node supports DPD, and query whether the peer also supports it;
2. If the peer supports DPD and DPD detection is configured locally, start the DPD event timer;
3. When the DPD event arrives, start the DPD event processing mechanism.
3. The method for monitoring the state of communication nodes in an IPsec VPN by using IKE according to claim 1, characterized in that said DPD periodic mode involves an internal processing mechanism for DPD events, the process comprising:
1. If there has been message exchange with the peer VPN node recently, return directly and wait for the next DPD event;
2. If a DPD message from the peer has been received recently, return and wait for the next DPD event;
3. Send a DPD message and start a timer to wait for the peer's DPD reply; if after three DPD messages no DPD reply and no other message exchange has been received, delete the information related to this node and stop sending DPD messages.
4. The method for monitoring the state of communication nodes in an IPsec VPN by using IKE according to claim 1, characterized in that, in said DPD periodic mode, after a DPD message replied by the peer VPN node is received, it is only necessary to check whether the message is valid; if it is valid, the state of the node is set to reachable and no DPD messages are sent for a period of time.
5. The method for monitoring the state of communication nodes in an IPsec VPN by using IKE according to claim 1, characterized in that, in said DPD periodic mode, if the DPD message is initiated by the peer VPN node, the local node only needs to reply with the corresponding DPD message to prove that it is reachable.
6. The method for monitoring the state of communication nodes in an IPsec VPN by using IKE according to claim 1, characterized in that said DPD on-demand mode sends a DPD message to obtain the state of the peer IKE node only when no reply message is received from the peer VPN node after an IPsec message has been sent, the steps comprising:
1. Send the IPsec message and decide, according to the state of the current link, whether to start the DPD event timer; if the link is currently idle, start the DPD event timer;
2. When the DPD event fires, check the current link state; if the link is idle, send a DPD message to check the state of the peer VPN node, otherwise return directly;
3. After a DPD reply message is received, set the state of the peer VPN node to reachable and continue sending IPsec messages;
4. If no DPD reply is received after the DPD message has been sent several times, delete the resources related to this peer VPN node and stop sending IPsec messages.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200810034129A CN101521602B (en) | 2008-02-29 | 2008-02-29 | Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101521602A CN101521602A (en) | 2009-09-02 |
CN101521602B true CN101521602B (en) | 2012-09-05 |
Family
ID=41081986
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN200810034129A Expired - Fee Related CN101521602B (en) | 2008-02-29 | 2008-02-29 | Realizing method for utilizing IKE to monitor the state of communication nodes in IPSec VPN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101521602B (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102148810B (en) * | 2010-02-04 | 2014-03-12 | 华为数字技术(成都)有限公司 | Security association lifetime detection method, device and system |
CN103716196B (en) * | 2012-09-28 | 2018-10-09 | 新华三技术有限公司 | A kind of network equipment and detection method |
CN102946333B (en) * | 2012-10-31 | 2015-12-02 | 杭州华三通信技术有限公司 | A kind of DPD method based on IPsec and equipment |
CN103118017B (en) * | 2013-01-21 | 2016-02-03 | 杭州华三通信技术有限公司 | Safeguard that the local terminal of IKE SA sends method and the device of the MessageID of message |
CN103475655B (en) * | 2013-09-06 | 2016-09-07 | 瑞斯康达科技发展股份有限公司 | A kind of method realizing IPSecVPN main/slave link switching at runtime |
WO2016106589A1 (en) * | 2014-12-30 | 2016-07-07 | 华为技术有限公司 | Dead peer detection method, ipsec peer and network device |
CN109962821A (en) * | 2017-12-22 | 2019-07-02 | 迈普通信技术股份有限公司 | Connection relationship detection method and device |
CN108322464B (en) * | 2018-01-31 | 2020-11-17 | 中国联合网络通信集团有限公司 | Key verification method and device |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1642109A (en) * | 2004-09-30 | 2005-07-20 | 迈普(四川)通信技术有限公司 | Method for realizing communication load equilibrium and gateway, central gateway thereof |
CN1845549A (en) * | 2006-05-17 | 2006-10-11 | 杭州华为三康技术有限公司 | Method for enquiring IPSec tunnel state |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
C14 | Grant of patent or utility model | ||
GR01 | Patent grant | ||
CF01 | Termination of patent right due to non-payment of annual fee |
Granted publication date: 20120905 Termination date: 20210228 |