CN101645898A - Method for reestablishing IPSec link circuit and network equipment thereof - Google Patents

Publication number: CN101645898A
Authority: CN (China)
Application number: CN200910092950A
Other languages: Chinese (zh)
Inventors: 陈向效, 杜勇, 郭金辉
Current assignee: ZTE Corp (assignee list may be inaccurate; Google has not performed a legal analysis)
Original assignee: ZTE Corp
Priority date and filing date: 2009-09-11 (the priority date is an assumption, not a legal conclusion)
Publication date: 2010-02-10
Legal status: Pending (the legal status is an assumption, not a legal conclusion)
Prior art keywords: network equipment, ipsec, link, network, address

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a method for re-establishing an IPSec link and a network device for it. The method is applied in a network comprising a first network device and a second network device, where the first network device has a fixed public network IP address and the second network device obtains its public network IP address dynamically. The method comprises the steps: A. the second network device detects whether the IPSec link between the first network device and the second network device is available; if so, step A continues to be performed; if not, step B is executed; B. interesting traffic is sent to the first network device to trigger IPSec negotiation, so that the IPSec link is re-established. According to the invention, the IPSec link can be rebuilt in time after the IPSec link between the network device with the fixed public network IP address and the network device that obtains its public network IP address dynamically has been disconnected.

Description

Method for re-establishing an IPSec link, and network device
Technical field
The invention belongs to the field of network communications technology, and in particular relates to a method and a network device for re-establishing an IP Security (IPSec) link.
Background technology
At present the Internet has become the mainstream information infrastructure of society. Traditional private networks are built on existing physical networks such as digital circuits, Asynchronous Transfer Mode/Frame Relay (ATM/FR) and Digital Data Network (DDN). This approach offers high security and reliability, but for the customer the construction and usage costs are expensive, only limited private-network access can be achieved, and the networking lacks flexibility. With the development of the Internet, building corporate virtual private networks (VPNs) over the Internet has attracted more and more customer interest. Among VPN technologies, the IP-layer VPN protocol IPSec has become the preferred solution for building wide area networks: it greatly reduces the construction, operation and maintenance costs of the wide area network and strengthens the reliability and security of the network.
The IPSec protocol suite comprises the Internet Key Exchange (IKE) protocol, the Authentication Header (AH), the Encapsulating Security Payload (ESP) and so on; it is a set of IP security protocols, defined by the Internet Engineering Task Force (IETF), that provide security at the network layer.
Fig. 1 is a schematic diagram of one network deployment using IPSec technology. As shown in Fig. 1, workstations in the private network access the Internet through a security gateway; the security gateway on the headquarters side has a fixed public network IP address, while the security gateway on the branch side obtains its public network IP address dynamically. In this deployment, if an IPSec link is to be established between the headquarters and branch security gateways, a workstation behind the branch-side security gateway sends interesting traffic to trigger IPSec negotiation, and the IPSec link is established through that negotiation.
After the IPSec link has been successfully established, the branch-side security gateway may go offline because of network instability or similar causes and frequently obtain a new IP address, which breaks the IPSec link. If IPSec negotiation cannot be initiated again in time to establish a new IPSec link, headquarters can no longer reach the branch. Because the IP address the branch obtains dynamically is unpredictable, the headquarters side cannot re-establish the IPSec link using the peer address from the previous negotiation; a workstation behind the branch-side security gateway has to send interesting traffic again to trigger IPSec negotiation. But the workstation behind the branch-side security gateway knows neither whether the security gateway has obtained a new IP address nor whether the IPSec link has been disconnected, so it cannot actively trigger IPSec negotiation, the IPSec link cannot be rebuilt, and data transfer is interrupted.
Summary of the invention
The technical problem to be solved by the invention is to provide a method and a network device for re-establishing an IPSec link, so that after the IPSec link between a network device with a fixed public network IP address and a network device that obtains its public network IP address dynamically has been disconnected, the IPSec link can be rebuilt in time.
To solve the above technical problem, the invention provides the following technical solution:
A method for re-establishing an IPSec link, applied in a network comprising a first network device and a second network device, where the first network device has a fixed public network IP address and the second network device obtains its public network IP address dynamically, the method comprising the steps:
A. the second network device detects whether the IPSec link between itself and the first network device is available; if so, it continues to perform this step; otherwise it proceeds to step B;
B. interesting traffic is sent to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link.
The above method further comprises, after step B:
C. a timer is started; when the timer expires, it is detected whether the IPSec link has been established successfully; if the IPSec link has not been established successfully, return to step B.
In the above method, the first and second network devices are security gateways.
A network device that obtains its public network IP address dynamically, the network device comprising:
a first detection module, used to detect whether the IPSec link between this network device and a first network device with a fixed public network IP address is available and, if not, to trigger the link re-establishment module;
a link re-establishment module, used to send interesting traffic to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link.
The above network device further comprises:
a timer start module, used to start a timer after the link re-establishment module has sent interesting traffic to the first network device;
a second detection module, used to detect, when the timer expires, whether the IPSec link has been established successfully and, if the IPSec link has not been established successfully, to trigger the link re-establishment module.
In the embodiments of the invention, the network device that obtains its IP address dynamically detects whether the IPSec link is available and, when the IPSec link is unavailable, that network device actively triggers IPSec negotiation, so the IPSec link can be rebuilt in time.
Description of drawings
Fig. 1 is a schematic diagram of one network deployment using IPSec technology;
Fig. 2 is a flow diagram of the method for re-establishing an IPSec link of embodiment one of the invention;
Fig. 3 is a flow diagram of the method for re-establishing an IPSec link of embodiment two of the invention;
Fig. 4 is a structural diagram of the network device of embodiment one of the invention;
Fig. 5 is a structural diagram of the network device of embodiment two of the invention.
Embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described below with reference to the accompanying drawings and specific embodiments.
The key point of the embodiments of the invention is that after the IPSec link is disconnected, the network device that obtains its public network IP address dynamically actively triggers IPSec negotiation in order to re-establish the IPSec link.
Referring to Fig. 2, the method for re-establishing an IPSec link of embodiment one of the invention is applied in a network comprising a first network device and a second network device, where the first network device has a fixed public network IP address and the second network device obtains its public network IP address dynamically. The method comprises the steps:
Step 201: the second network device detects whether the IPSec link between itself and the first network device is available; if so, it continues to perform this step; otherwise it proceeds to step 202.
An unavailable IPSec link (disconnection of the IPSec link) may be caused by the following: network instability causing the network device to obtain a new IP address, the interface going down and up again, the lifetime of the IPSec link expiring, and so on. When the second network device, which obtains its IP address dynamically, re-attaches to the network, the IPSec link between it and the first network device with the fixed public network IP address has to be re-established.
Step 202: the second network device sends interesting traffic to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link.
The IPSec negotiation process is prior art and is not described in detail here. The first network device enables the IPSec service without configuring the peer's IP address, but it must configure the peer's host name (FQDN), which is used to identify the peer during the IKE key exchange. The second network device enables the IPSec service and must configure its IKE identity and the peer IP address, so that it can perform IPSec negotiation with the first network device.
The first and second network devices are security gateways; for example, the first network device is the headquarters-side security gateway and the second network device is the branch-side security gateway. After the IPSec link has been successfully re-established, a Security Association (SA) exists between the first and second network devices, so that even though the headquarters-side security gateway does not know the peer's IP address, the corresponding Security Association is in place and the devices behind the security gateway that obtains its IP address dynamically can be reached securely over the established IPSec link.
Referring to Fig. 3, the method for re-establishing an IPSec link of embodiment two of the invention is applied in a network comprising a first network device and a second network device, where the first network device has a fixed public network IP address and the second network device obtains its public network IP address dynamically. The method comprises the steps:
Step 301: the second network device detects whether the IPSec link between itself and the first network device is available; if so, it continues to perform this step; otherwise it proceeds to step 302;
Step 302: the second network device sends interesting traffic to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link;
Step 303: the second network device starts a timer; when the timer expires, it detects whether the IPSec link has been established successfully; if the IPSec link has not been established successfully, it returns to step 302.
Because an IPSec negotiation does not necessarily succeed at the first attempt, this embodiment sets a timer and periodically checks whether the IPSec link has been established successfully; when it has not, IPSec negotiation is triggered again, until the IPSec link is successfully re-established. The period of the timer can be set according to actual needs.
Fig. 4 is a structural diagram of the network device of embodiment one of the invention. The network device obtains its public network IP address dynamically and, referring to Fig. 4, comprises a first detection module and a link re-establishment module, where:
the first detection module is used to detect whether the IPSec link between this network device and a first network device with a fixed public network IP address is available and, if not, to trigger the link re-establishment module. An unavailable IPSec link (disconnection of the IPSec link) may be caused by the following: network instability causing the network device to obtain a new IP address, the interface going down and up again, the lifetime of the IPSec link expiring, and so on. When the network device, which obtains its IP address dynamically, re-attaches to the network, the IPSec link between it and the first network device with the fixed public network IP address has to be re-established;
the link re-establishment module is used to send interesting traffic to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link.
The network device and the first network device are security gateways; for example, the first network device is the headquarters-side security gateway and the network device is the branch-side security gateway. After the IPSec link has been successfully re-established, a Security Association (SA) exists between the network device and the first network device, so that even though the headquarters-side security gateway does not know the peer's IP address, the corresponding Security Association is in place and the devices behind the security gateway that obtains its IP address dynamically can be reached securely over the established IPSec link.
Fig. 5 is a structural diagram of the network device of embodiment two of the invention. The network device obtains its public network IP address dynamically and, referring to Fig. 5, comprises a first detection module, a link re-establishment module, a timer start module and a second detection module, where:
the first detection module is used to detect whether the IPSec link between this network device and a first network device with a fixed public network IP address is available and, if not, to trigger the link re-establishment module;
the link re-establishment module is used to send interesting traffic to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link;
the timer start module is used to start a timer after the link re-establishment module has sent interesting traffic to the first network device;
the second detection module is used to detect, when the timer expires, whether the IPSec link has been established successfully and, if the IPSec link has not been established successfully, to trigger the link re-establishment module.
Because an IPSec negotiation does not necessarily succeed at the first attempt, this embodiment sets a timer and periodically checks whether the IPSec link has been established successfully; when it has not, IPSec negotiation is triggered again, until the IPSec link is successfully re-established. The period of the timer can be set according to actual needs.
In summary, in the embodiments of the invention the network device that obtains its IP address dynamically detects whether the IPSec link is available and, when the IPSec link is unavailable, that network device actively triggers IPSec negotiation, so the IPSec link can be rebuilt in time.
Finally, it should be noted that the above embodiments are only intended to illustrate the technical solution of the invention and not to limit it. Those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solution of the invention without departing from the spirit and scope of the technical solution of the invention, and all such modifications fall within the scope of the claims of the invention.
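The detection-trigger-timer loop of steps 301 to 303, which is also what the first detection, link re-establishment, timer start and second detection modules of Fig. 5 implement, as an added Python simulation written for this page (it is not ZTE's code and not any IKE stack). The interesting traffic and the IKE exchange are replaced by a direct call to a peer object; the class and function names, the simulated clock, the `fail_first` knob that makes negotiations fail, the RFC 5737 documentation addresses and the `.invalid` host names are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class LinkState:
    """What the dynamic-IP gateway (the 'second device') knows about its tunnel."""
    interface_up: bool = True
    local_ip: Optional[str] = None         # public IP currently assigned (dynamic)
    sa_local_ip: Optional[str] = None      # local IP the current SA was negotiated from
    sa_expires_at: Optional[float] = None  # end of the SA lifetime on a simulated clock


def link_available(state: LinkState, now: float) -> bool:
    """First detection module (step 301): is the IPSec link usable right now?
    The causes listed in the description (new IP after re-attaching, interface
    down/up, lifetime expired) all make it unavailable; so does having no SA."""
    if state.sa_expires_at is None or not state.interface_up:
        return False
    if state.local_ip != state.sa_local_ip:   # SA is bound to an address we no longer hold
        return False
    return now < state.sa_expires_at


class FixedIpGateway:
    """The 'first device': fixed public IP, peer identified by FQDN in IKE and no
    peer IP configured, so it negotiates with whatever address the branch holds.
    `fail_first` is a constructed knob: the first N negotiations fail."""

    def __init__(self, peer_fqdn: str, sa_lifetime: float = 3600.0, fail_first: int = 0):
        self.peer_fqdn = peer_fqdn
        self.sa_lifetime = sa_lifetime
        self.fail_first = fail_first

    def negotiate(self, peer_fqdn: str, now: float) -> Optional[float]:
        """Stand-in for the IKE exchange: new SA expiry time, or None on failure."""
        if peer_fqdn != self.peer_fqdn:
            return None                       # unknown identity: refused
        if self.fail_first > 0:
            self.fail_first -= 1              # simulated transient failure
            return None
        return now + self.sa_lifetime


class DynamicIpGateway:
    """The 'second device': detection, re-establishment and timer logic of steps 301-303."""

    def __init__(self, fqdn: str, peer: FixedIpGateway, timer_period: float = 10.0):
        self.fqdn = fqdn
        self.peer = peer
        self.timer_period = timer_period
        self.state = LinkState()
        self.attempts: List[float] = []       # simulated times at which IKE was triggered

    def trigger_negotiation(self, now: float) -> None:
        """Link re-establishment module (step 302): in a real gateway this is the
        interesting traffic that triggers IKE towards the peer's fixed address."""
        self.attempts.append(now)
        expiry = self.peer.negotiate(self.fqdn, now)
        if expiry is not None:
            self.state.sa_local_ip = self.state.local_ip
            self.state.sa_expires_at = expiry

    def maintain(self, now: float, max_attempts: int = 5) -> float:
        """Step 301 check; if unavailable, step 302 trigger, step 303 timer, then
        re-check (second detection module) and repeat until the SA is up or the
        attempt budget is spent. Returns the simulated time the loop stopped at."""
        clock = now
        for _ in range(max_attempts):
            if link_available(self.state, clock):
                break
            self.trigger_negotiation(clock)   # step 302
            clock += self.timer_period        # step 303: timer expires
        return clock


def scenario_reattach(fail_first: int = 2, max_attempts: int = 5) -> dict:
    """Constructed scenario: the branch SA was up, the branch re-attached with a new
    dynamic address, and the first `fail_first` negotiations fail."""
    hq = FixedIpGateway(peer_fqdn="branch.example.invalid", fail_first=fail_first)
    branch = DynamicIpGateway(fqdn="branch.example.invalid", peer=hq, timer_period=10.0)
    branch.state = LinkState(local_ip="198.51.100.7", sa_local_ip="198.51.100.7",
                             sa_expires_at=3600.0)
    available_before = link_available(branch.state, 100.0)  # True: nothing to do
    branch.state.local_ip = "198.51.100.42"                  # re-attached, new address
    lost = link_available(branch.state, 100.0)               # False: SA bound to old IP
    stopped_at = branch.maintain(100.0, max_attempts=max_attempts)
    return {"available_before": available_before, "lost": lost,
            "attempts": list(branch.attempts), "stopped_at": stopped_at,
            "available_after": link_available(branch.state, stopped_at)}


if __name__ == "__main__":
    print(scenario_reattach())
```

With two failing negotiations the branch triggers at simulated times 100, 110 and 120, the third attempt succeeds, and the check after the next timer period finds the link available; with the attempt budget exhausted the loop returns with the link still down, which is where a real gateway would keep the timer running rather than give up.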

Claims (6)

1. A method for re-establishing an IPSec link, applied in a network comprising a first network device and a second network device, wherein the first network device has a fixed public network IP address and the second network device obtains its public network IP address dynamically, characterized in that the method comprises the steps:
A. the second network device detects whether the IPSec link between itself and the first network device is available; if so, it continues to perform this step; otherwise it proceeds to step B;
B. interesting traffic is sent to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link.
2. The method of claim 1, characterized in that it further comprises, after step B:
C. a timer is started; when the timer expires, it is detected whether the IPSec link has been established successfully; if the IPSec link has not been established successfully, return to step B.
3. The method of claim 1 or 2, characterized in that:
the first and second network devices are security gateways.
4. A network device that obtains its public network IP address dynamically, characterized in that the network device comprises:
a first detection module, used to detect whether the IPSec link between this network device and a first network device with a fixed public network IP address is available and, if not, to trigger the link re-establishment module;
a link re-establishment module, used to send interesting traffic to the first network device to trigger IPSec negotiation, so as to re-establish the IPSec link.
5. The network device of claim 4, characterized in that it further comprises:
a timer start module, used to start a timer after the link re-establishment module has sent interesting traffic to the first network device;
a second detection module, used to detect, when the timer expires, whether the IPSec link has been established successfully and, if the IPSec link has not been established successfully, to trigger the link re-establishment module.
6. The network device of claim 4 or 5, characterized in that:
the network device and the first network device are security gateways.

Priority Applications (1)

Application number: CN200910092950A (published as CN101645898A)
Priority date: 2009-09-11
Filing date: 2009-09-11
Title: Method for reestablishing IPSec link circuit and network equipment thereof

Publications (1)

Publication number: CN101645898A
Publication date: 2010-02-10

Family

ID=41657618
Family applications (1): CN200910092950A, pending, published as CN101645898A (en), priority date 2009-09-11, filing date 2009-09-11

Country Status (1)

CN (1): CN101645898A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103401751A (en) * 2013-07-17 2013-11-20 北京星网锐捷网络技术有限公司 Method and device for establishing IPSEC (Internet Protocol Security) tunnels
CN111147273A (en) * 2018-11-06 2020-05-12 中兴通讯股份有限公司 Data security realization method and related equipment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 2010-02-10