CN101753401A - A method for realizing backup and load of IPSec virtual private network tunnel - Google Patents


Info

Publication number: CN101753401A
Authority: CN (China)
Prior art keywords: tunnel, equipment, circuit, centralized manager, private network
Legal status: Pending (current)
Application number: CN200810227972A
Other languages: Chinese (zh)
Inventor: 孙国辉
Current Assignee: Beijing Topsec Technology Co Ltd
Original Assignee: Beijing Topsec Technology Co Ltd
Priority date: 2008-12-03
Filing date: 2008-12-03
Publication date: 2010-06-23
Application filed by Beijing Topsec Technology Co Ltd
Priority to CN200810227972A
Publication of CN101753401A

Abstract

The invention provides a method for realizing backup and load of an IPSec virtual private network tunnel, comprising the following steps. Step A: multiple devices D1-Dk on different operator lines in the data centre are virtualized into one logical device D; a branch device and the virtual device D establish a virtual private network (VPN) policy; the branch device and the virtual device D register at a centralized manager and the policy is added to the centralized manager, wherein k is greater than 1. Step B: when the failure of a high priority line of a device Dm blocks the tunnel on that line, or the failure of the device Dm on which the high priority line is located blocks all tunnels between the branch device and the virtual device D, the branch device automatically establishes a new tunnel, replacing the original tunnel, with the device in the virtual device D on which the low priority line is located, wherein m is greater than 1 and less than k. The invention increases the stability of the tunnel and the intelligence of the device.

Description

A method for realizing backup and load of an IPSec virtual private network tunnel
Technical field
The present invention relates to Internet Protocol Security Virtual Private Network (IPSec VPN) technology, and in particular to a method for realizing backup and load of an IPSec VPN tunnel.
Background technology
A Virtual Private Network (VPN) is defined as a temporary, secure connection established over a public network (normally the Internet): a secure, stable tunnel through the chaotic public network. A VPN is an extension of the intranet; it helps remote users, corporate branch offices, business partners and suppliers establish trusted, secure connections with a company's internal network and guarantees the secure transmission of data.
Internet Protocol Security (IPSec) is a security standard perfected by the Internet Engineering Task Force (IETF). It combines several security techniques into a comparatively complete system and has received the attention and support of numerous manufacturers. Through data encryption, authentication and integrity checking it guarantees the reliability, privacy and confidentiality of data transmission. IPSec consists of the IP Authentication Header (AH), the IP Encapsulating Security Payload (ESP) and a key management protocol.
IPSec is an open VPN security protocol with a wide range of application. It provides all data protection at the network layer and provides transparent secure communication. IPSec uses cryptographic techniques to guarantee data security in three respects: authentication, used to verify the identity of hosts and endpoints; integrity checking, used to guarantee that data is not modified during network transmission; and encryption, which encrypts IP addresses and data to guarantee privacy.
IPSec can operate in two modes: tunnel mode and transport mode. In tunnel mode, IPSec encapsulates the IPv4 datagram in a secure IP frame, thereby protecting security from one firewall to another. In transport mode, the information is encapsulated to protect end-to-end security, and routing information cannot be hidden in this mode. Tunnel mode is the most secure, but it brings greater overhead. IPSec is not yet fully mature, but it has obtained the strong support of some router manufacturers and hardware vendors and is expected to become the main VPN standard in the future. IPSec has the extensibility to adapt to future commercial needs. At the end of 1997 the IETF security working group completed an extension of IPSec, adding the ISAKMP (Internet Security Association and Key Management Protocol) protocol to IPSec, which also includes a key distribution protocol, Oakley. ISAKMP/Oakley supports automatic establishment of encrypted channels and automatic secure distribution and renewal of keys.
As more and more enterprises begin to set up data centers and manage data centrally, communication is generally encrypted with VPN technology to guarantee the security of communication between branches and the data center. Large enterprises have the following characteristics: 1. branch organisations may be spread across the whole country or even the whole world; 2. each branch uses a different operator's line to access the data center; 3. to guarantee the speed and stability of communication, the data center generally rents lines from several operators to suit different branches and uses several VPN devices at the same time to handle branch access; some branches even rent lines from several operators to access the data center.
These characteristics give rise to the following problems: 1. how to deploy the same VPN policy safely and efficiently when there are many, widely dispersed branches; 2. how a branch uses the optimal line to access the data center; 3. how the tunnel switches automatically to the sub-optimal line when the optimal line fails; 4. how to make full use of multiple lines when a branch accesses the data center over lines from several operators; 5. in the data center, if a certain device has a problem, how to quickly switch the tunnels that device has established with all branches onto other devices.
Summary of the invention
The object of the invention is to provide a method for realizing backup and load of an IPSec virtual private network tunnel.
The method of the present invention for realizing backup and load of an Internet Protocol Security virtual private network tunnel comprises the following steps:
Step A: the devices D1~Dk on several different operators' lines in the data center are virtualized into one logical device D; the branch device and the virtual device D establish a virtual private network policy; the branch device and the virtual device D register with a centralized manager, and the policy is added on the centralized manager, the policy designating the devices and lines with which tunnels are established and the priority of the lines, where k>1;
Step B: when a high priority line of a certain device Dm fails so that the tunnel on that line is blocked, the branch device automatically establishes a new tunnel, replacing the original tunnel, with the device in the virtual device D on which the next-priority line is located; when the former high priority line recovers, the branch device re-establishes the former tunnel with device Dm over the former high priority line, where 1<m<k. Alternatively, when the device Dm on which the high priority line is located fails so that all tunnels between the branch and the virtual device D are blocked, the branch device automatically establishes a new tunnel, replacing the original tunnel, with the device in the virtual device D on which the next-priority line is located; when device Dm returns to normal, the branch device re-establishes all tunnels with device Dm, where 1<m<k. The next-priority line may be on Dm or on another device Dn; which one is determined according to the line priorities.
The devices D1~Dk register with the centralized manager using the same digital certificate, and the centralized manager logically regards the multiple devices D1~Dk as one virtual device.
Step A comprises the following steps: when a device is added on the centralized manager, the centralized manager issues a digital certificate to the device and the VPN policy is then established; the digital certificate issued by the centralized manager is imported on the device, and the device uses this certificate to register with the centralized manager; after successful registration the VPN policy is downloaded from the centralized manager, the device parses the downloaded policy, and it then automatically establishes tunnels with the designated devices and lines.
The tunnel management protocol TopVPN is used for registration and download between the virtual device and the centralized manager.
In addition, in step B tunnels are replaced according to the priority of the lines. If the former line and the new line have the same priority, the tunnels corresponding to the two lines are active at the same time and both carry encrypted traffic, realizing the tunnel load function; if the former line and the new line have different priorities, under normal conditions only the tunnel of the higher priority line is active, realizing the tunnel backup function.
The beneficial effects of the invention are as follows. According to the method of the present invention for realizing backup and load of an IPSec virtual private network tunnel, the configuration process of each device is greatly simplified and the consistency and security of configuration are improved by adopting a centralized manager; by combining multi-device multi-line technology with dynamic switching of the tunnel between the optimal line and the sub-optimal line, the dynamic switching of tunnels between different lines and different physical devices is solved, tunnel backup and load functions are realized, and the stability of the tunnel and the intelligence of the device are greatly improved; and by virtualizing the devices on several different operators' lines in the data center into one logical device, the branch can establish a VPN policy with this virtual device, so that if one device fails and a tunnel is interrupted, the branch device can automatically establish the corresponding tunnel via another physical device associated with this virtual device, guaranteeing that the tunnel stays open.
Description of drawings
Fig. 1 is a schematic diagram of the multi-device multi-line technology with centralized policy management realizing backup and load of IPSec VPN tunnels.
Embodiment
Below, the method of the present invention for realizing backup and load of an IPSec virtual private network tunnel is described in detail with reference to Fig. 1.
The present invention is described using as an example a data center with only 2 devices on different operators' lines, but the invention is not limited to this; there may be devices D1~Dk on several different operators' lines, where k>1.
First, a centralized manager TopPolicy is installed, and a tunnel management module, a tunnel synchronization module and an event processing module are provided on each of the devices D1~Dk on the several different operators' lines in the data center. The tunnel management module maintains the kernel data structures (for example the downloaded tunnel list and the downloaded device list) and provides functions such as adding/deleting devices, lines and tunnels. The tunnel synchronization module periodically detects the state of each line and tunnel, for example whether a line is normal and whether a tunnel is normal, and handles them according to the actual detected situation; switching between lines of different priorities is the responsibility of this module. The event processing module is responsible for handling periodic and non-periodic events. Periodic events include VPN policy download, keep-alive between the device and the centralized manager, and tunnel synchronization; when such an event comes due, the interface function provided by the corresponding module is called to handle it. Non-periodic events include control information between the centralized manager and the device, for example the deletion or update of a VPN policy on the centralized manager, or a device keep-alive timeout; in that case the centralized manager sends control information to the device, and the event processing module on the device calls the interface function of the corresponding module to complete the corresponding processing according to this control information.
The relationships among the above modules are as follows:
After the device starts, the event processing module first registers with the centralized manager, downloads the policy after successful registration, and then calls the tunnel management module to add the parsed policy to the kernel data structures; the tunnel management module performs the concrete operations on the kernel data structures; the event processing module can call the interface of the tunnel synchronization module; the tunnel synchronization module first detects the state of each line and synchronizes the data in the kernel data structures, then expands that data one by one into actual tunnels; during synchronization, all high priority tunnels are activated and all low priority tunnels are cut off.
If a line of the tunnel peer device fails or the device goes offline, the event processing module receives a message sent by the centralized manager and calls the tunnel management module to update the kernel data structures.
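The keep-alive timeout and the resulting control message to the branch, as described for the event processing module above, can be sketched as follows. This is an added illustration, not Topsec's TopPolicy code: the 30-second timeout, the line identifiers ("a1", "b1") and the message shape are all assumptions, and the manager's real protocol (TopVPN) is not modelled.

```python
"""Constructed example of the centralized manager's keep-alive bookkeeping.
Each data-center device sends a keep-alive per line; if a line stays silent
for longer than the timeout, the manager declares it down and emits a control
message to every branch device whose policy tunnels to that device, so the
branch's event processing module can update its kernel data structures."""
from collections import defaultdict

KEEPALIVE_TIMEOUT = 30.0   # assumed: seconds of silence before a line is declared down


class CentralizedManager:
    def __init__(self, timeout=KEEPALIVE_TIMEOUT):
        self.timeout = timeout
        self.last_seen = {}                   # (device, line) -> time of last keep-alive
        self.line_up = {}                     # (device, line) -> True/False
        self.subscribers = defaultdict(set)   # device -> branch devices tunnelling to it

    def register_policy(self, branch, device):
        """A policy on the manager says `branch` establishes tunnels with `device`."""
        self.subscribers[device].add(branch)

    def keepalive(self, device, line, now):
        """Periodic keep-alive from a data-center device for one of its lines.
        Returns control messages: a recovery notice if the line had been down."""
        key = (device, line)
        self.last_seen[key] = now
        was_up = self.line_up.get(key, True)
        self.line_up[key] = True
        return self._notify(device, line, "line_up") if not was_up else []

    def check(self, now):
        """Run from the manager's timer: declare silent lines down, once."""
        msgs = []
        for (device, line), seen in self.last_seen.items():
            key = (device, line)
            if self.line_up.get(key, True) and now - seen > self.timeout:
                self.line_up[key] = False
                msgs.extend(self._notify(device, line, "line_down"))
        return msgs

    def _notify(self, device, line, event):
        # one control message per branch device that has a tunnel on this device
        return [{"to": b, "device": device, "line": line, "event": event}
                for b in sorted(self.subscribers[device])]


def scenario():
    """Constructed timeline: branch C tunnels to A and B; A goes silent after
    t=10, is declared down at t=45 and recovers at t=60."""
    m = CentralizedManager()
    m.register_policy("C", "A")
    m.register_policy("C", "B")
    for t in (0, 10):
        m.keepalive("A", "a1", t)
        m.keepalive("B", "b1", t)
    m.keepalive("B", "b1", 40)
    down = m.check(45)                  # A silent for 35 s > 30 s; B is fine
    up = m.keepalive("A", "a1", 60)     # A's line comes back
    return down, up
```

`check()` flips a line to down only once, so a branch is not flooded with repeated notices while the line stays silent; the recovery notice is produced by the next keep-alive itself rather than by the timer.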
With reference to the example of Fig. 1, the tunnel switching flow using multi-device multi-line technology is as follows:
1. Overall configuration:
Data center devices A and B register with the centralized manager using the same digital certificate, so that A and B are treated logically as one device AB; a policy is then added on the centralized manager designating that branch device C establishes tunnels with device AB, the priority of tunnel-C-A being p1 and the priority of tunnel-C-B being p2, with p1>p2. If the line of operator a is normal, then on device C tunnel-C-A is in the active state and tunnel-C-B is in the halted state.
2. If a line of device A or the whole device fails:
When a line of device A fails (a device failure can be regarded as the failure of all of its lines), the centralized manager stops receiving the keep-alive notification packets of that line of device A; once a certain time has elapsed, the centralized manager considers that the line of device A has a problem and notifies device C. After receiving this notification, device C calls the tunnel management module and sets the line of the physical device A associated with logical device AB to the offline state; the tunnel synchronization module then synchronizes every tunnel on device C, and because the line corresponding to device A is offline, tunnel tunnel-C-A is deleted. At this point tunnel-C-B becomes the highest-priority tunnel, device C negotiates with device B to establish the tunnel, and after successful negotiation tunnel-C-B is in the active state.
3. If the line of device A recovers:
When the line of device A recovers, the centralized manager again receives the keep-alive notification packets of each line of device A and notifies device C. After receiving this notification, device C calls the tunnel management module and sets the line of the physical device A associated with logical device AB to the online state; the tunnel synchronization module synchronizes every tunnel on device C, and because the line of device A is back online, tunnel tunnel-C-A is rebuilt. Since tunnel-C-A has the highest priority, device C negotiates with device A to establish the tunnel, and after successful negotiation tunnel-C-A is in the active state. Because the synchronization process does not wait for the result of the negotiation, tunnel-C-B remains in the active state at this time so as to keep VPN traffic flowing. By the next synchronization cycle, if tunnel-C-A is also active, the tunnel synchronization module finds that tunnel-C-A and tunnel-C-B are both active but tunnel-C-B has the lower priority; it then cuts off tunnel-C-B and places it in the halted state.
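The decision logic of the tunnel synchronization module, as it follows from the backup/load rule in the summary (equal-priority lines share traffic, otherwise only the highest-priority line is active), the start-up behaviour of the module (activate high-priority tunnels, cut low-priority ones) and the three-step flow just described, can be replayed in a small simulation. This is an added example, not Topsec's implementation: the numeric priorities (2 for p1, 1 for p2), the three tunnel states, the `set_line`/`sync`/`negotiation_done` method names and the asynchronous negotiation callback are all assumptions made here; real IKE negotiation and the kernel data structures are not modelled.

```python
"""Constructed simulation of the branch device's tunnel synchronization cycle."""
from dataclasses import dataclass

HALTED, NEGOTIATING, ACTIVE = "halted", "negotiating", "active"


@dataclass
class Tunnel:
    name: str       # e.g. "tunnel-C-A"
    device: str     # physical device behind the logical device AB, e.g. "A"
    priority: int   # higher value = preferred line (p1 > p2 on the page)
    state: str = HALTED


class BranchDevice:
    """Branch device C: tunnel table plus the line state of each physical device."""

    def __init__(self, tunnels):
        self.tunnels = {t.name: t for t in tunnels}
        self.line_online = {t.device: True for t in tunnels}   # all lines start online

    # event processing module: notification from the centralized manager
    def set_line(self, device, online):
        """A line (or whole device) goes down or comes back. A downed line's
        tunnel is deleted immediately, as tunnel-C-A is in step 2."""
        self.line_online[device] = online
        if not online:
            for t in self.tunnels.values():
                if t.device == device:
                    t.state = HALTED

    # tunnel synchronization module: one periodic cycle
    def sync(self):
        """Bring up the highest-priority usable tunnels; return the names whose
        negotiation was started (the result arrives later via negotiation_done)."""
        usable = [t for t in self.tunnels.values() if self.line_online[t.device]]
        if not usable:
            return []
        top = max(t.priority for t in usable)
        wanted = [t for t in usable if t.priority == top]   # equal priority -> all active (load)
        started = []
        for t in wanted:
            if t.state == HALTED:
                t.state = NEGOTIATING
                started.append(t.name)
        # lower-priority tunnels are cut only once a top-priority tunnel is
        # confirmed active, so traffic keeps flowing while negotiation runs
        if any(t.state == ACTIVE for t in wanted):
            for t in usable:
                if t.priority < top and t.state == ACTIVE:
                    t.state = HALTED
        return started

    def negotiation_done(self, name, success):
        """Asynchronous negotiation outcome for a tunnel started by sync()."""
        t = self.tunnels[name]
        if t.state == NEGOTIATING:
            t.state = ACTIVE if success else HALTED

    def active(self):
        return sorted(n for n, t in self.tunnels.items() if t.state == ACTIVE)


def walkthrough():
    """Replay steps 1-3 of the example; returns the active tunnels after each stage."""
    c = BranchDevice([Tunnel("tunnel-C-A", "A", 2), Tunnel("tunnel-C-B", "B", 1)])
    trace = []
    for n in c.sync():                 # 1. configuration: only the p1 tunnel comes up
        c.negotiation_done(n, True)
    trace.append(c.active())
    c.set_line("A", False)             # 2. A's line fails: C-A deleted, C-B negotiated
    for n in c.sync():
        c.negotiation_done(n, True)
    trace.append(c.active())
    c.set_line("A", True)              # 3. A recovers: C-A renegotiated, C-B kept for now
    started = c.sync()
    trace.append(c.active())
    for n in started:
        c.negotiation_done(n, True)
    c.sync()                           # next cycle cuts the lower-priority tunnel
    trace.append(c.active())
    return trace


def load_sharing():
    """Equal-priority lines: both tunnels active at once (tunnel load function)."""
    c = BranchDevice([Tunnel("tunnel-C-A", "A", 1), Tunnel("tunnel-C-B", "B", 1)])
    for n in c.sync():
        c.negotiation_done(n, True)
    return c.active()
```

Running `walkthrough()` yields `[['tunnel-C-A'], ['tunnel-C-B'], ['tunnel-C-B'], ['tunnel-C-A']]`: the third entry is the window in which tunnel-C-A is still negotiating and tunnel-C-B is deliberately left active. A failed negotiation simply returns the tunnel to the halted state, and the next cycle retries it, so a flapping high-priority line never leaves the branch without a tunnel while the lower-priority one is up.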
In summary, according to the method of the present invention for realizing backup and load of an IPSec virtual private network tunnel, the configuration process of each device is greatly simplified and the consistency and security of configuration are improved by adopting a centralized manager; by combining multi-device multi-line technology with dynamic switching of the tunnel between the optimal line and the sub-optimal line, the dynamic switching of tunnels between different lines and different physical devices is solved, tunnel backup and load functions are realized, and the stability of the tunnel and the intelligence of the device are greatly improved; and by virtualizing the devices on several different operators' lines in the data center into one logical device, the branch can establish a VPN policy with this virtual device, so that if one device fails and a tunnel is interrupted, the branch device can automatically establish the corresponding tunnel via another physical device associated with this virtual device, guaranteeing that the tunnel stays open.
The above is a detailed description of the invention so that those of ordinary skill in the art can understand it; it will be appreciated that other variations and modifications can be made without departing from the scope covered by the claims of the invention, and all such variations and modifications fall within the scope of protection of the invention.

Claims (5)

1. A method for realizing backup and load of an Internet Protocol Security virtual private network tunnel, characterized in that it comprises the following steps:
Step A: the devices D1~Dk on several different operators' lines in the data center are virtualized into one logical device D; the branch device and the virtual device D establish a virtual private network policy; the branch device and the virtual device D register with a centralized manager, and the policy is added on the centralized manager, the policy designating the devices and lines with which tunnels are established and the priority of the lines, where k>1;
Step B: when a high priority line of a certain device Dm fails so that the tunnel on that line is blocked, the branch device automatically establishes a new tunnel, replacing the original tunnel, with the device in the virtual device D on which the next-priority line is located; when the former high priority line recovers, the branch device re-establishes the former tunnel with device Dm over the former high priority line, where 1<m<k. Alternatively, when the device Dm on which the high priority line is located fails so that all tunnels between the branch and the virtual device D are blocked, the branch device automatically establishes a new tunnel, replacing the original tunnel, with the device in the virtual device D on which the next-priority line is located; when device Dm returns to normal, the branch device re-establishes all tunnels with device Dm, where 1<m<k.
2. The method for realizing backup and load of an Internet Protocol Security virtual private network tunnel as claimed in claim 1, characterized in that the devices D1~Dk register with the centralized manager using the same digital certificate, and the centralized manager logically regards the multiple devices D1~Dk as one virtual device.
3. The method for realizing backup and load of an Internet Protocol Security virtual private network tunnel as claimed in claim 2, characterized in that step A comprises the following steps:
when a device is added on the centralized manager, the centralized manager issues a digital certificate to the device and the VPN policy is then established; the digital certificate issued by the centralized manager is imported on the device, and the device uses this certificate to register with the centralized manager;
after successful registration the VPN policy is downloaded from the centralized manager, the device parses the downloaded policy, and it then automatically establishes tunnels with the designated devices and lines.
4. The method for realizing backup and load of an Internet Protocol Security virtual private network tunnel as claimed in any one of claims 1 to 3, characterized in that the tunnel management protocol TopVPN is used for registration and download between the virtual device and the centralized manager.
5. The method for realizing backup and load of an Internet Protocol Security virtual private network tunnel as claimed in claim 4, characterized in that in step B tunnels are replaced according to the priority of the lines: if the former line and the new line have the same priority, the tunnels corresponding to the two lines are active at the same time and both carry encrypted traffic, realizing the tunnel load function; if the former line and the new line have different priorities, under normal conditions only the tunnel of the higher priority line is active, realizing the tunnel backup function.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200810227972A CN101753401A (en) 2008-12-03 2008-12-03 A method for realizing backup and load of IPSec virtual private network tunnel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN200810227972A CN101753401A (en) 2008-12-03 2008-12-03 A method for realizing backup and load of IPSec virtual private network tunnel

Publications (1)

Publication Number Publication Date
CN101753401A true CN101753401A (en) 2010-06-23

Family

ID=42479835

Family Applications (1)

Application Number Title Priority Date Filing Date
CN200810227972A Pending CN101753401A (en) 2008-12-03 2008-12-03 A method for realizing backup and load of IPSec virtual private network tunnel

Country Status (1)

Country Link
CN (1) CN101753401A (en)

Cited By (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102281161A (en) * 2011-09-15 2011-12-14 浙江大学 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method
CN102281161B (en) * 2011-09-15 2014-04-16 浙江大学 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method
CN102769514A (en) * 2012-07-27 2012-11-07 汉柏科技有限公司 Method and system for preventing data loss
CN102769514B (en) * 2012-07-27 2015-04-22 汉柏科技有限公司 Method and system for preventing data loss
CN106936683B (en) * 2015-12-31 2019-09-17 北京网御星云信息技术有限公司 A kind of method and device for realizing tunnel configuration
CN106936683A (en) * 2015-12-31 2017-07-07 北京网御星云信息技术有限公司 A kind of method and device for realizing tunnel configuration
CN107528778A (en) * 2016-06-10 2017-12-29 Arad网络有限公司 The vpn system of dynamic tunnel end mode, virtual router and manager devices for it
CN110247836A (en) * 2018-12-29 2019-09-17 锐捷网络股份有限公司 Communication means and device based on multi-operator network
CN110519253A (en) * 2019-08-21 2019-11-29 浙江大学 Virtual Private Network mimicry method in mimicry defence
CN110519253B (en) * 2019-08-21 2020-08-28 浙江大学 Virtual private network mimicry method in mimicry defense
CN111740893A (en) * 2020-06-30 2020-10-02 成都卫士通信息产业股份有限公司 Method, device, system, medium and equipment for realizing software-defined VPN
CN111740893B (en) * 2020-06-30 2022-02-11 成都卫士通信息产业股份有限公司 Method, device, system, medium and equipment for realizing software-defined VPN
CN113691394A (en) * 2021-07-29 2021-11-23 广州鲁邦通物联网科技有限公司 Method and system for establishing and switching VPN communication

Similar Documents

Publication Publication Date Title
CN101753401A (en) A method for realizing backup and load of IPSec virtual private network tunnel
CN101442471B (en) Method for implementing backup and switch of IPSec tunnel, system and node equipment, networking architecture
US11190491B1 (en) Method and apparatus for maintaining a resilient VPN connection
WO2016082412A1 (en) Method and apparatus for realizing reliable transmission of data, and computer storage medium
CN102025646B (en) Link switching method and device thereof
US7636364B2 (en) Redundant router network
CN102148677B (en) Method for updating address resolution protocol table entries and core switch
CN103067290B (en) The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card
CN100531136C (en) Method and system for transmitting message in virtual special network link fault
EP2845398B1 (en) Methods and apparatus
CN101917294B (en) Method and equipment for updating anti-replay parameter during master and slave switching
US9948621B2 (en) Policy based cryptographic key distribution for network group encryption
JP6056089B2 (en) Method, apparatus and system for hot standby by two computers
CN111787025B (en) Encryption and decryption processing method, device and system and data protection gateway
CN104038376A (en) Method and device for managing real servers and LVS clustering system
CN109450707B (en) Data transmission method and device, gateway equipment and readable storage medium
US20200120134A1 (en) Synchronizing link and event detection mechanisms with a secure session associated with the link
EP2775675B1 (en) Synchronization method among network devices, network device and system
CN101605060B (en) Method and device for switching single-plate grade IPSec active and standby plates
WO2022059102A1 (en) Communication control system, communications system, communication control method and program
CN110024432B (en) X2 service transmission method and network equipment
CN105391565A (en) Method for achieving synchronization of backup business configuration
CN114500177B (en) Method and system for determining transmission communication mode
WO2022001937A1 (en) Service transmission method and apparatus, network device, and storage medium
CN114465848B (en) Data transmission method and system based on ciphertext

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Open date: 20100623