CN102271061B - Method and device for determining number of IP security virtual private network tunnels - Google Patents

Method and device for determining number of IP security virtual private network tunnels

Info

Publication number: CN102271061B
Authority: CN (China)
Application number: CN 201010199198
Other versions: CN102271061A
Original language: Chinese (zh)
Inventors: 吕华明, 遇惠君, 孙帅
Original assignee: Hangzhou H3C Technologies Co Ltd
Current assignee: New H3C Technologies Co Ltd
Legal status: Expired - Fee Related
Prior art keywords: information, ipsec, vpn tunneling, ipsec vpn, read

Abstract

The invention provides a method and device for determining the number of IP security (IPsec) virtual private network (VPN) tunnels. The method comprises the steps of: reading the information of each IPsec VPN tunnel of each IPsec device into a data structure table; and comparing the information of all the IPsec VPN tunnels in the data structure table to determine the number of IPsec VPN tunnels, where, when the tunnel local IP address, tunnel peer IP address, inbound Security Association (SA) index and outbound SA index of one piece of IPsec VPN tunnel information are respectively equal to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another piece of IPsec VPN tunnel information, the two pieces of IPsec VPN tunnel information are determined to belong to the same IPsec VPN tunnel.

Description

Method and apparatus for determining the number of IP security virtual private network tunnels
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and apparatus for determining the number of IP security virtual private network tunnels.
Background
IP Security (IPsec) is a layer-3 tunnel encryption protocol defined by the IETF. It provides high-quality security assurance for data transferred over the Internet and can be used in various kinds of VPN. A Security Association (SA) is the agreement between the IPsec devices at the two ends of a secure tunnel on the security parameters: the security protocol, encapsulation mode, cryptographic algorithm, shared key, key lifetime and so on. The security protocol is either the Authentication Header (AH) or the Encapsulating Security Payload (ESP).
An SA is unidirectional, so bidirectional communication between IPsec devices needs at least two SAs, one protecting the data flow in each direction. An SA is also bound to a single security protocol: an IPsec device builds a separate SA for each security protocol it uses. For example, if the IPsec devices at the two ends of a secure tunnel agree to protect traffic with both AH and ESP at the same time, each device builds an independent SA for each of the two protocols. An SA is uniquely identified by a triple consisting of the Security Parameter Index (SPI), the destination IP address and the security protocol number. The SPI is a 32-bit value that uniquely identifies the SA and is carried in the AH or ESP header. When an SA is configured manually, the SPI is specified by hand; when an SA is negotiated with the Internet Key Exchange (IKE), the SPI is generated randomly.
As IPsec VPN services become more and more widespread, network management software has to support IPsec devices, and counting the IPsec VPN tunnels is an important part of managing the IPsec VPN service. At present the network management system (NMS) counts IPsec VPN tunnels by obtaining the local and peer IP addresses of each IPsec VPN tunnel from the IPsec devices. As shown in Fig. 1, there is one IPsec VPN tunnel between router A and router B. The NMS learns from router A that it has an IPsec VPN tunnel whose peer IP address is 2.2.2.2, and learns from router B that it has an IPsec VPN tunnel whose peer IP address is 1.1.1.1, so the NMS concludes that it is managing two IPsec VPN tunnels, which is clearly wrong. Simply dividing the counted number by 2 is equally inaccurate, because there may be several IPsec VPN tunnels between router A and router B that share the same local and peer IP addresses but use different SAs. The prior-art approach therefore cannot obtain an accurate count of IPsec VPN tunnels.
Summary of the invention
In view of this, the invention provides a method and apparatus for determining the number of IPsec VPN tunnels, so that the number of IPsec VPN tunnels can be obtained accurately and the NMS can manage IPsec devices more conveniently.
A method for determining the number of IPsec VPN tunnels comprises:
A. reading each piece of IPsec VPN tunnel information from each IPsec device into a data structure table, where each piece of IPsec VPN tunnel information comprises the tunnel local IP address, the tunnel peer IP address, the inbound Security Association (SA) index and the outbound SA index;
B. comparing the pieces of IPsec VPN tunnel information in the data structure table with one another to determine the number of IPsec VPN tunnels; where, when the tunnel local IP address, tunnel peer IP address, inbound SA index and outbound SA index of one piece of IPsec VPN tunnel information are respectively equal to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another piece of IPsec VPN tunnel information, the two pieces of IPsec VPN tunnel information are determined to belong to the same IPsec VPN tunnel.
An apparatus for determining the number of IPsec VPN tunnels comprises an information reading unit, a data storage unit and a tunnel statistics unit;
the information reading unit reads each piece of IPsec VPN tunnel information from the IPsec devices into a data structure table, each piece of IPsec VPN tunnel information comprising the tunnel local IP address, the tunnel peer IP address, the inbound SA index and the outbound SA index;
the data storage unit stores the data structure table;
the tunnel statistics unit compares the pieces of IPsec VPN tunnel information in the data structure table with one another to determine the number of IPsec VPN tunnels; where, when the tunnel local IP address, tunnel peer IP address, inbound SA index and outbound SA index of one piece of IPsec VPN tunnel information are respectively equal to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another piece of IPsec VPN tunnel information, the two pieces of IPsec VPN tunnel information are determined to belong to the same IPsec VPN tunnel.
As can be seen from the above technical solution, after reading the IPsec VPN tunnel information of the IPsec devices into a data structure table, the invention compares the pieces of tunnel information in the table with one another to determine the number of IPsec VPN tunnels. In doing so it takes full account of how the IPsec devices at the two ends of a tunnel store that tunnel's information: not only must the tunnel local and peer IP addresses of one piece equal the tunnel peer and local IP addresses of the other, but the inbound and outbound SA indexes of one piece must also equal the outbound and inbound SA indexes of the other. The number of IPsec VPN tunnels can thus be obtained accurately, which makes it easier for the NMS to manage IPsec devices.
Brief description of the drawings
Fig. 1 is a network diagram of IPsec devices under management;
Fig. 2 is a flow chart of the main method provided by the invention;
Fig. 3 is a flow chart of the method for reading tunnel information provided by the invention;
Fig. 4 is a flow chart of a first method for counting tunnels provided by the invention;
Fig. 5 is a flow chart of a second method for counting tunnels provided by the invention;
Fig. 6 is a schematic diagram of the relationship between two pieces of IPsec VPN tunnel information belonging to the same tunnel;
Fig. 7 is a schematic structural diagram of an apparatus provided by the invention;
Fig. 8 is a schematic structural diagram of another apparatus provided by the invention.
Embodiments
To make the purpose, technical solution and advantages of the invention clearer, the invention is described below with reference to the drawings and specific embodiments.
The main method provided by the invention, shown in Fig. 2, mainly comprises the following steps:
Step 201: read the IPsec VPN tunnel information of each IPsec device into a data structure table, where each piece of IPsec VPN tunnel information comprises the tunnel local IP address, the tunnel peer IP address, the inbound SA index and the outbound SA index.
Step 202: compare the pieces of IPsec VPN tunnel information in the data structure table with one another to determine the number of IPsec VPN tunnels; where, when the tunnel local IP address, tunnel peer IP address, inbound SA index and outbound SA index of one piece of IPsec VPN tunnel information are respectively equal to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another piece, the two pieces are determined to belong to the same IPsec VPN tunnel.
In the above method, the network management device may read the IPsec VPN tunnel information of all IPsec devices into one and the same data structure table; when comparing, each piece of tunnel information in that table that has not yet been assigned to a tunnel is compared with the other pieces not yet assigned to a tunnel. Alternatively, the network management device may set up a separate data structure table for each IPsec device and place each device's tunnel information in its own table; when comparing, each not-yet-assigned piece of tunnel information in one table is compared with the not-yet-assigned pieces in the other tables.
The case in which the IPsec VPN tunnel information is read into a single data structure table is described first. Each entry of this table stores one piece of IPsec VPN tunnel information and may comprise the following fields:
Device ID field (Device_ID): stores the identifier of the IPsec device. This field is optional and may be omitted.
Local IP address field (Local_IP): stores the tunnel local IP address on this IPsec device.
Peer IP address field (Remote_IP): stores the tunnel peer IP address on this IPsec device.
Inbound AH SA index field (In_AH_SPI): stores the inbound AH SA index on this IPsec device.
Outbound AH SA index field (Out_AH_SPI): stores the outbound AH SA index on this IPsec device.
Inbound ESP SA index field (In_ESP_SPI): stores the inbound ESP SA index on this IPsec device.
Outbound ESP SA index field (Out_ESP_SPI): stores the outbound ESP SA index on this IPsec device.
The process of reading the IPsec VPN tunnel information of each IPsec device into the data structure table in step 201, shown in Fig. 3, comprises the following steps:
Step 301: if the IPsec device has IPsec VPN tunnel information, start by reading the first piece of IPsec VPN tunnel information.
Step 302: store the piece of IPsec VPN tunnel information just read in the data structure table.
The tunnel local IP address, tunnel peer IP address, inbound AH SA index, outbound AH SA index, inbound ESP SA index and outbound ESP SA index of the piece just read are stored in the corresponding fields of one entry; the fields of any information that was not read are left empty. For example, if the piece just read has only an AH SA, the In_ESP_SPI and Out_ESP_SPI fields are both left empty.
Step 303: judge whether the current IPsec device has a next piece of IPsec VPN tunnel information; if so, go to step 304; otherwise go to step 305.
Step 304: read the next piece of IPsec VPN tunnel information and go to step 302.
Step 305: judge whether there is a next IPsec device whose IPsec VPN tunnel information has not yet been read; if so, go to step 301 for that device; otherwise the tunnel information reading process ends and step 201 is complete.
If a separate data structure table is set up for each IPsec device, the reading process of Fig. 3 is unchanged except that the IPsec VPN tunnel information read from each IPsec device is stored in that device's own data structure table.
If a single data structure table is used, the process of comparing the pieces of IPsec VPN tunnel information in the table in step 202 to determine the number of IPsec VPN tunnels, shown in Fig. 4, comprises the following steps:
Step 401: start by reading the first piece of IPsec VPN tunnel information from the data structure table.
Step 402: take the piece of IPsec VPN tunnel information just read as the first comparison information.
Step 403: judge whether there is a next piece of IPsec VPN tunnel information; if so, go to step 404; otherwise the tunnel counting process ends.
Step 404: read the next piece of IPsec VPN tunnel information as the second comparison information.
Step 405: compare the current first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel; if so, go to step 406; otherwise go to step 407.
Step 406: increment the recorded IPsec VPN tunnel count by 1 and go to step 408.
Step 407: judge whether there is a next piece of IPsec VPN tunnel information after the one currently serving as the second comparison information; if so, go to step 404; otherwise go to step 408.
Step 408: judge whether there is a next piece of IPsec VPN tunnel information after the one currently serving as the first comparison information; if so, go to step 409; otherwise the tunnel counting process ends.
Step 409: read the next piece of IPsec VPN tunnel information after the one currently serving as the first comparison information and go to step 402.
It can be seen that the process of Fig. 4 is a double loop. The outer loop takes each piece of IPsec VPN tunnel information in turn as the first comparison information; the inner loop starts from the piece after the current first comparison information and takes each following piece in turn as the second comparison information, comparing it with the first comparison information to determine whether any piece belongs to the same IPsec VPN tunnel as the first comparison information. If such a piece is found, the current inner loop ends and the recorded IPsec VPN tunnel count is incremented by 1. When all iterations of the outer loop have finished, all tunnels have been counted.
It should also be noted that at most two pieces of IPsec VPN tunnel information belong to the same IPsec VPN tunnel. Therefore, when step 405 determines that the first and second comparison information belong to the same IPsec VPN tunnel, step 406 may also delete the pieces currently serving as the first and second comparison information from the data structure table, so that they take no further part in comparisons; this avoids redundant operations and speeds up the process.
If a separate data structure table is used for each IPsec device, the process of comparing the pieces of IPsec VPN tunnel information in the tables in step 202 to determine the number of IPsec VPN tunnels, shown in Fig. 5, performs the following steps for each data structure table in turn:
Step 501: start by reading the first piece of IPsec VPN tunnel information from the current data structure table.
Step 502: take the piece of IPsec VPN tunnel information just read as the first comparison information.
Step 503: start by reading the first piece of IPsec VPN tunnel information from the next data structure table.
Step 504: take the piece of IPsec VPN tunnel information just read as the second comparison information.
Step 505: compare the current first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel; if so, go to step 506; otherwise go to step 507.
Step 506: increment the recorded IPsec VPN tunnel count by 1 and go to step 509.
Step 507: judge whether there is a next piece of IPsec VPN tunnel information after the one currently serving as the second comparison information; if so, go to step 508; otherwise go to step 511.
Step 508: read the next piece of IPsec VPN tunnel information after the one currently serving as the second comparison information and go to step 504.
Step 509: judge whether there is a next piece of IPsec VPN tunnel information after the one currently serving as the first comparison information; if so, go to step 510; otherwise end the tunnel counting process for the current data structure table and start step 501 for the data structure table after the one containing the first comparison information.
Step 510: read the next piece of IPsec VPN tunnel information after the one currently serving as the first comparison information and go to step 502.
Step 511: judge whether there is a next data structure table after the one containing the current second comparison information; if so, go to step 512; otherwise end the tunnel counting process for the current data structure table and start step 501 for the data structure table after the one containing the first comparison information.
Step 512: start by reading the first piece of IPsec VPN tunnel information from the data structure table after the one containing the current second comparison information, and go to step 504.
Once the tunnel counting process of Fig. 5 has been run for every data structure table, the recorded IPsec VPN tunnel count is the final count. In this scheme the IPsec VPN tunnel information in each data structure table only has to be compared with the IPsec VPN tunnel information in the other data structure tables, not with the tunnel information in the same table.
Likewise, in the process of Fig. 5, when the first and second comparison information are determined to belong to the same IPsec VPN tunnel, step 506 may also delete the pieces currently serving as the first and second comparison information from their data structure tables, so that they take no further part in comparisons; this avoids redundant operations and speeds up the process.
In the processes of Fig. 4 and Fig. 5, the step of comparing the first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel specifically comprises: comparing the values of the Local_IP field (denoted 1_Local_IP), Remote_IP field (denoted 1_Remote_IP), In_AH_SPI field (denoted 1_In_AH_SPI), Out_AH_SPI field (denoted 1_Out_AH_SPI), In_ESP_SPI field (denoted 1_In_ESP_SPI) and Out_ESP_SPI field (denoted 1_Out_ESP_SPI) of the first comparison information respectively with the values of the Remote_IP field (denoted 2_Remote_IP), Local_IP field (denoted 2_Local_IP), Out_AH_SPI field (denoted 2_Out_AH_SPI), In_AH_SPI field (denoted 2_In_AH_SPI), Out_ESP_SPI field (denoted 2_Out_ESP_SPI) and In_ESP_SPI field (denoted 2_In_ESP_SPI) of the second comparison information. If all of them are equal, as shown in Fig. 6, the first and second comparison information are determined to belong to the same IPsec VPN tunnel; otherwise they are determined not to belong to the same IPsec VPN tunnel. That is, first and second comparison information belonging to the same IPsec VPN tunnel must satisfy all of the following conditions at the same time:
1_Local_IP=2_Remote_IP;
1_Remote_IP=2_Local_IP;
1_In_AH_SPI=2_Out_AH_SPI;
1_Out_AH_SPI=2_In_AH_SPI;
1_In_ESP_SPI=2_Out_ESP_SPI;
1_Out_ESP_SPI=2_In_ESP_SPI.
In other words, two pieces of IPsec VPN tunnel information belonging to the same IPsec VPN tunnel must either both have only an AH SA, both have only an ESP SA, or both have an AH SA and an ESP SA at the same time. When both have only an AH SA, the inbound AH SA index and outbound AH SA index of one piece must equal the outbound AH SA index and inbound AH SA index of the other. When both have only an ESP SA, the inbound ESP SA index and outbound ESP SA index of one piece must equal the outbound ESP SA index and inbound ESP SA index of the other. When both have an AH SA and an ESP SA, as in the embodiment above, the inbound AH, outbound AH, inbound ESP and outbound ESP SA indexes of one piece must equal the outbound AH, inbound AH, outbound ESP and inbound ESP SA indexes of the other. In all of these cases the tunnel local IP address and tunnel peer IP address of one piece must of course also equal the tunnel peer IP address and tunnel local IP address of the other.
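The following is an added worked example, not code from the patent or from H3C, that runs the whole procedure described above end to end: the reading step of Fig. 3 (step 201, with empty fields for a protocol the tunnel does not use), the matching condition of Fig. 6, the single-table double loop of Fig. 4 with the deletion optimisation, and the per-device-table variant of Fig. 5. It also computes the prior-art count from the background section (distinct local/peer address pairs) so the two can be compared. The device records, addresses and SPI values are constructed sample input; the function and field names are this example's own choices, modelled on the field names Local_IP, Remote_IP, In_AH_SPI and so on used in the description.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TunnelRecord:
    """One entry of the data structure table; comments give the patent's field names."""
    device_id: str              # Device_ID (optional in the patent, kept here)
    local_ip: str               # Local_IP
    remote_ip: str              # Remote_IP
    in_ah_spi: Optional[int]    # In_AH_SPI, None when the tunnel has no AH SA
    out_ah_spi: Optional[int]   # Out_AH_SPI
    in_esp_spi: Optional[int]   # In_ESP_SPI, None when the tunnel has no ESP SA
    out_esp_spi: Optional[int]  # Out_ESP_SPI


# Constructed sample input (not from the patent): what each managed device reports.
# Routers A and B share two tunnels with identical endpoint addresses but different
# SAs (one ESP-only, one AH+ESP); router C has an AH-only tunnel to A and a tunnel
# to 4.4.4.4, whose peer is not managed and so never reports its half.
DEVICES = {
    "routerA": [
        {"local": "1.1.1.1", "remote": "2.2.2.2", "in_esp": 0x1001, "out_esp": 0x2001},
        {"local": "1.1.1.1", "remote": "2.2.2.2", "in_ah": 0x1002, "out_ah": 0x2002,
         "in_esp": 0x1003, "out_esp": 0x2003},
        {"local": "1.1.1.1", "remote": "3.3.3.3", "in_ah": 0x1004, "out_ah": 0x3004},
    ],
    "routerB": [
        {"local": "2.2.2.2", "remote": "1.1.1.1", "in_esp": 0x2001, "out_esp": 0x1001},
        {"local": "2.2.2.2", "remote": "1.1.1.1", "in_ah": 0x2002, "out_ah": 0x1002,
         "in_esp": 0x2003, "out_esp": 0x1003},
    ],
    "routerC": [
        {"local": "3.3.3.3", "remote": "1.1.1.1", "in_ah": 0x3004, "out_ah": 0x1004},
        {"local": "3.3.3.3", "remote": "4.4.4.4", "in_esp": 0x3005, "out_esp": 0x4005},
    ],
}


def read_tunnel_tables(devices: Dict[str, List[dict]]) -> Dict[str, List[TunnelRecord]]:
    """Step 201 / Fig. 3 with one table per device; absent protocol fields stay empty."""
    tables: Dict[str, List[TunnelRecord]] = {}
    for dev, tunnels in devices.items():
        tables[dev] = [TunnelRecord(dev, t["local"], t["remote"],
                                    t.get("in_ah"), t.get("out_ah"),
                                    t.get("in_esp"), t.get("out_esp")) for t in tunnels]
    return tables


def read_single_table(devices: Dict[str, List[dict]]) -> List[TunnelRecord]:
    """Step 201 with a single shared table: all devices' records in one list."""
    return [rec for rows in read_tunnel_tables(devices).values() for rec in rows]


def same_tunnel(a: TunnelRecord, b: TunnelRecord) -> bool:
    """Fig. 6: a's local/inbound fields must mirror b's peer/outbound fields and vice versa."""
    return (a.local_ip == b.remote_ip and a.remote_ip == b.local_ip
            and a.in_ah_spi == b.out_ah_spi and a.out_ah_spi == b.in_ah_spi
            and a.in_esp_spi == b.out_esp_spi and a.out_esp_spi == b.in_esp_spi)


def naive_pair_count(table: List[TunnelRecord]) -> int:
    """Prior-art count from the background: distinct (local, peer) address pairs."""
    return len({(r.local_ip, r.remote_ip) for r in table})


def count_single_table(table: List[TunnelRecord]) -> int:
    """Fig. 4 double loop over one table, with the deletion optimisation:
    a matched pair is removed so neither record is compared again."""
    remaining = list(table)
    count, i = 0, 0
    while i < len(remaining):
        first = remaining[i]
        hit = next((j for j in range(i + 1, len(remaining))
                    if same_tunnel(first, remaining[j])), None)
        if hit is None:
            i += 1                      # no partner found: advance the outer loop
        else:
            count += 1
            del remaining[hit]          # delete the higher index first
            del remaining[i]
    return count


def count_per_device_tables(tables: Dict[str, List[TunnelRecord]]) -> int:
    """Fig. 5: a record is compared only with records in the tables that come after
    its own, never with its own device's records; matched pairs are deleted."""
    remaining = {dev: list(rows) for dev, rows in tables.items()}
    order = list(remaining)
    count = 0
    for k, dev in enumerate(order):
        i = 0
        while i < len(remaining[dev]):
            first, hit = remaining[dev][i], None
            for other in order[k + 1:]:
                j = next((j for j, rec in enumerate(remaining[other])
                          if same_tunnel(first, rec)), None)
                if j is not None:
                    hit = (other, j)
                    break
            if hit is None:
                i += 1
            else:
                count += 1
                del remaining[hit[0]][hit[1]]
                del remaining[dev][i]
    return count


if __name__ == "__main__":
    table = read_single_table(DEVICES)
    print("records read:", len(table))                                             # 7
    print("prior-art address-pair count:", naive_pair_count(table))                # 5
    print("Fig. 4, single table:", count_single_table(table))                      # 3
    print("Fig. 5, per-device tables:", count_per_device_tables(read_tunnel_tables(DEVICES)))  # 3
```

On this input the prior-art method yields 5 address pairs (and 2.5 after halving), whereas both counting variants return 3, because the two A-B tunnels are told apart by their SPIs. Two behaviours worth knowing when deploying this: a tunnel whose far end is not a managed device (here routerC to 4.4.4.4) is never counted, since the method only counts pairs whose two halves are both in the table; and the deletion optimisation is what keeps an already-matched record from being matched a second time, so leaving it out is only safe if every SPI pair is unique across the whole table.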
The above is a detailed description of the method provided by the invention; the apparatus provided by the invention is described in detail below. Fig. 7 is a schematic structural diagram of the apparatus, which may be located in a network management device. As shown in Fig. 7, the apparatus may comprise an information reading unit 700, a data storage unit 710 and a tunnel statistics unit 720.
The information reading unit 700 reads each piece of IPsec VPN tunnel information from the IPsec devices into a data structure table; each piece of IPsec VPN tunnel information comprises the tunnel local IP address, the tunnel peer IP address, the inbound SA index and the outbound SA index.
The data storage unit 710 stores the data structure table.
The tunnel statistics unit 720 compares the pieces of IPsec VPN tunnel information in the data structure table with one another to determine the number of IPsec VPN tunnels; where, when the tunnel local IP address, tunnel peer IP address, inbound SA index and outbound SA index of one piece of IPsec VPN tunnel information are respectively equal to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another piece, the two pieces are determined to belong to the same IPsec VPN tunnel.
The information reading unit 700 specifically comprises a first reading subunit 701, a storage subunit 702, a first judgment subunit 703 and a second judgment subunit 704.
The first reading subunit 701, if the current IPsec device has IPsec VPN tunnel information, starts by reading the first piece of IPsec VPN tunnel information; when the result of the first judgment subunit 703 is yes, it reads the next piece of IPsec VPN tunnel information.
The storage subunit 702 stores the IPsec VPN tunnel information read by the first reading subunit 701 in the data structure table.
The first judgment subunit 703 judges whether the current IPsec device has a next piece of IPsec VPN tunnel information.
The second judgment subunit 704, when the result of the first judgment subunit 703 is no, judges whether there is a next IPsec device whose IPsec VPN tunnel information has not yet been read; if so, it triggers the first reading subunit 701 to start reading the IPsec VPN tunnel information of that next device; otherwise it triggers the first reading subunit 701 to end the read operation.
Depending on how the data structure table is set up, the tunnel statistics unit 720 may adopt different structures.
First structure: the information reading unit 700 reads the IPsec VPN tunnel information of all IPsec devices into one and the same data structure table.
In this case the tunnel statistics unit 720 specifically comprises a second reading subunit 721, a third judgment subunit 722, a third reading subunit 723, a comparison subunit 724, a first statistics subunit 725, a fourth judgment subunit 726 and a fifth judgment subunit 727.
The second reading subunit 721 starts by reading the first piece of IPsec VPN tunnel information from the data structure table and takes it as the first comparison information; after receiving a read notification from the fifth judgment subunit 727, it reads the piece after the current first comparison information as the new first comparison information.
The third judgment subunit 722 judges whether there is a piece of IPsec VPN tunnel information after the one read by the second reading subunit.
The third reading subunit 723, when the result of the third judgment subunit 722 is yes, reads the piece after the first comparison information as the second comparison information; on receiving a read notification, it reads the next piece as the second comparison information.
The comparison subunit 724 compares the first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel.
The first statistics subunit 725, when the result of the comparison subunit is yes, increments the recorded IPsec VPN tunnel count by 1 and sends a judgment notification to the fifth judgment subunit.
The fourth judgment subunit 726, when the result of the comparison subunit 724 is no, judges whether there is a piece of IPsec VPN tunnel information after the one currently serving as the second comparison information; if so, it sends a read notification to the third reading subunit 723; otherwise it sends a judgment notification to the fifth judgment subunit 727.
The fifth judgment subunit 727, on receiving a judgment notification, judges whether there is a piece of IPsec VPN tunnel information after the one currently serving as the first comparison information; if so, it sends a read notification to the second reading subunit 721; otherwise it notifies the second reading subunit 721 and the third reading subunit 723 to end their read operations.
Second structure: the data storage unit 710 stores a separate data structure table for each IPsec device.
The information reading unit 700 reads the IPsec VPN tunnel information of each IPsec device into the data structure table corresponding to that device.
In this case the tunnel statistics unit 720, shown in Fig. 8, may specifically comprise a fourth reading subunit 821, a fifth reading subunit 822, a comparison subunit 823, a second statistics subunit 824, a sixth judgment subunit 825, a seventh judgment subunit 826 and an eighth judgment subunit 827.
The fourth reading subunit 821 starts by reading the first piece of IPsec VPN tunnel information from the current data structure table and takes it as the first comparison information; after receiving a read notification from the seventh judgment subunit 826, it reads the piece after the current first comparison information as the new first comparison information.
The fifth reading subunit 822 starts by reading the first piece of IPsec VPN tunnel information from the data structure table after the one containing the first comparison information and takes it as the second comparison information; after receiving a read notification from the sixth judgment subunit 825, it reads the piece after the current second comparison information as the new second comparison information; after receiving a read notification from the eighth judgment subunit 827, it starts by reading the first piece from the data structure table after the one containing the current second comparison information and takes it as the second comparison information.
The comparison subunit 823 compares the first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel.
The second statistics subunit 824, when the result of the comparison subunit 823 is yes, increments the recorded IPsec VPN tunnel count by 1 and sends a judgment notification to the seventh judgment subunit 826.
The sixth judgment subunit 825, when the result of the comparison subunit 823 is no, judges whether there is a piece of IPsec VPN tunnel information after the one currently serving as the second comparison information; if so, it sends a read notification to the fifth reading subunit 822; otherwise it sends a judgment notification to the eighth judgment subunit 827.
The seventh judgment subunit 826, on receiving a judgment notification, judges whether there is a piece of IPsec VPN tunnel information after the one currently serving as the first comparison information; if so, it sends a read notification to the fourth reading subunit 821; otherwise it notifies the fourth reading subunit 821 to start the read operation for the data structure table after the one containing the first comparison information.
The eighth judgment subunit 827, on receiving a judgment notification, judges whether there is a data structure table after the one containing the current second comparison information; if so, it sends a read notification to the fifth reading subunit 822; otherwise it notifies the fourth reading subunit 821 and the fifth reading subunit 822 to end their read operations.
With either of the above structures, the tunnel statistics unit 720 may further comprise an information deletion subunit 728 which, when the result of the comparison subunit 724 or the comparison subunit 823 is yes, deletes the pieces of IPsec VPN tunnel information currently serving as the first and second comparison information from the data structure table.
In the above data structure table, each entry comprises: a local IP address field storing the tunnel local IP address, a peer IP address field storing the tunnel peer IP address, an inbound AH SA index field storing the inbound AH SA index, an outbound AH SA index field storing the outbound AH SA index, an inbound ESP SA index field storing the inbound ESP SA index, and an outbound ESP SA index field storing the outbound ESP SA index.
Information reading unit 700 is stored to field corresponding in list item of data structure table by each information in IPsec vpn tunneling information, does not have the field of corresponding informance storage to put sky.
Relatively subelement 724 or relatively subelement 823 local terminal IP address field in the first comparison information place list item, the peer IP address field, Inbound AH agreement SA index field, outgoing direction AH agreement SA index field, the value of Inbound ESP agreement SA index field and outgoing direction ESP agreement SA index field respectively with the second comparison information place list item in the peer IP address field, the local terminal IP address field, outgoing direction AH agreement SA index field, Inbound AH agreement SA index field, when the value of outgoing direction ESP agreement SA index field and Inbound ESP agreement SA index field is identical, determine that the first comparison information and the second comparison information belong to same IPsec vpn tunneling.
By above description, can be found out, after the present invention adopts and reads in data structure table by the IPsec vpn tunneling information in IPsec equipment, each IPsec vpn tunneling information in the data structural table is compared to determine to the quantity of IPsec vpn tunneling, when definite IPsec vpn tunneling quantity, taken into full account the characteristic of the IPsec equipment institute storage tunneling information at IPsec vpn tunneling two ends, not only need to meet local terminal IP address, tunnel consistent respectively with the tunnel peer IP address, the Inbound SA index that also needs simultaneously to meet an IPsec vpn tunneling information is consistent with outgoing direction SA index and the Inbound SA index of another IPsec vpn tunneling information respectively with outgoing direction SA index.Thereby can obtain exactly the data of IPsec vpn tunneling, facilitate the management of webmaster to IPsec equipment.
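The table walk described above (Figure 8: the fourth and fifth reading subunits advance through the per-device tables, the comparison subunit applies the cross-match rule, the deletion subunit removes a matched pair), which claims 3 to 6 below restate as method steps, is implemented in the following Python. This is an added example written for this page, not code from the patent or from H3C. It implements the six-field comparison with empty fields stored as None, the per-device-table walk with deletion of matched pairs, the single-table walk of claim 3 and, going beyond the text, an equivalent single-pass version keyed on the mirrored record. The gateway names, addresses and SA indices are constructed sample data; the unanswered entry on gw-b and the entry on gw-c that shares its address pair but not its SA indices are included to show that address agreement alone does not pair two entries and that entries without a partner are left over rather than counted.

```python
"""Added example (not from the patent): count IPsec VPN tunnels by pairing
the two ends of each tunnel with the cross-match rule described in the text.

A table entry holds local IP, peer IP, inbound/outbound AH SA index and
inbound/outbound ESP SA index; a field the device did not report is None
("set empty"). All gateway names and values below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TunnelRecord:
    local_ip: str
    peer_ip: str
    ah_in: Optional[int] = None
    ah_out: Optional[int] = None
    esp_in: Optional[int] = None
    esp_out: Optional[int] = None

    def mirrored(self) -> "TunnelRecord":
        """What the far end of this tunnel reports: addresses swapped and each
        inbound SA index swapped with the corresponding outbound one."""
        return TunnelRecord(self.peer_ip, self.local_ip,
                            self.ah_out, self.ah_in, self.esp_out, self.esp_in)


def same_tunnel(first: TunnelRecord, second: TunnelRecord) -> bool:
    """Comparison rule: local/peer/inbound/outbound of one entry equal
    peer/local/outbound/inbound of the other, over all six fields (None
    included, so an ESP-only entry pairs only with an ESP-only entry)."""
    return first == second.mirrored()


def count_tunnels(tables: Dict[str, List[TunnelRecord]]) -> Tuple[int, List[Tuple[str, TunnelRecord]]]:
    """Per-device-table walk: each entry of the current table is compared with
    the entries of the *following* tables only; a match adds 1 and both
    entries are deleted, so a tunnel is never counted twice. Returns the
    count and the entries that found no partner."""
    work = {dev: list(recs) for dev, recs in tables.items()}   # copy: the input is not mutated
    names = list(work)
    count = 0
    for i, dev in enumerate(names):
        for first in list(work[dev]):
            for other in names[i + 1:]:
                match = next((r for r in work[other] if same_tunnel(first, r)), None)
                if match is not None:
                    count += 1
                    work[dev].remove(first)
                    work[other].remove(match)
                    break                                  # next first-comparison entry
    leftovers = [(dev, r) for dev, recs in work.items() for r in recs]
    return count, leftovers


def count_tunnels_single_table(records: List[TunnelRecord]) -> Tuple[int, List[TunnelRecord]]:
    """Single-table walk: all devices' entries in one table, each compared with
    the entries after it; a matched pair is deleted and counted once."""
    work = list(records)
    count = 0
    i = 0
    while i < len(work):
        j = next((k for k in range(i + 1, len(work)) if same_tunnel(work[i], work[k])), None)
        if j is None:
            i += 1                                         # no partner: keep it, move on
        else:
            count += 1
            del work[j]                                    # j > i, so delete j first
            del work[i]
    return count, work


def count_tunnels_hashed(records: List[TunnelRecord]) -> int:
    """Beyond the text: the same pairing in one pass. Each entry is looked up
    by its mirrored form; a hit pairs it with an already-seen far end."""
    waiting: Dict[TunnelRecord, int] = {}
    count = 0
    for rec in records:
        twin = rec.mirrored()
        if waiting.get(twin, 0) > 0:
            waiting[twin] -= 1
            count += 1
        else:
            waiting[rec] = waiting.get(rec, 0) + 1
    return count


# Constructed sample data: three gateways, one table per polled device.
SAMPLE_TABLES: Dict[str, List[TunnelRecord]] = {
    "gw-a": [
        TunnelRecord("203.0.113.1", "198.51.100.7", esp_in=0x1A01, esp_out=0x2B02),   # ESP-only tunnel to gw-b
        TunnelRecord("203.0.113.1", "192.0.2.9", 0x3001, 0x3002, 0x4001, 0x4002),     # AH+ESP tunnel to gw-c
    ],
    "gw-b": [
        TunnelRecord("198.51.100.7", "203.0.113.1", esp_in=0x2B02, esp_out=0x1A01),   # far end of the first tunnel
        TunnelRecord("198.51.100.7", "192.0.2.9", esp_in=0x5005, esp_out=0x5006),     # gw-c holds no matching entry
    ],
    "gw-c": [
        TunnelRecord("192.0.2.9", "203.0.113.1", 0x3002, 0x3001, 0x4002, 0x4001),     # far end of the second tunnel
        TunnelRecord("192.0.2.9", "198.51.100.7", esp_in=0x5009, esp_out=0x5008),     # same address pair as gw-b's entry, other SAs
    ],
}
ALL_RECORDS: List[TunnelRecord] = [r for recs in SAMPLE_TABLES.values() for r in recs]

if __name__ == "__main__":
    n, left = count_tunnels(SAMPLE_TABLES)
    print(f"tunnels: {n}")                                 # 2
    for dev, rec in left:
        print(f"unpaired on {dev}: {rec}")                 # the gw-b and gw-c entries to each other
    print(count_tunnels_single_table(ALL_RECORDS)[0], count_tunnels_hashed(ALL_RECORDS))   # 2 2
```

The leftover list is the check a practitioner wants next to the count: the procedure counts only entries that pair up, so a tunnel whose far end was not polled, or whose SA indices on the two devices no longer cross-match, drops out of the total without any indication; returning the unpaired entries makes that visible.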
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (12)

1. A method for determining the number of IP security (IPsec) virtual private network (VPN) tunnels, characterized in that the method comprises:
A. reading each item of IPsec VPN tunnel information in each IPsec device into a data structure table, each item of IPsec VPN tunnel information comprising: a tunnel local IP address, a tunnel peer IP address, an inbound security association (SA) index and an outbound SA index;
B. comparing the items of IPsec VPN tunnel information in the data structure table with one another to determine the number of IPsec VPN tunnels; wherein, when the tunnel local IP address, tunnel peer IP address, inbound SA index and outbound SA index of one item of IPsec VPN tunnel information are respectively identical to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another item, the two items are determined to belong to the same IPsec VPN tunnel.
2. The method according to claim 1, characterized in that step A specifically comprises:
A1. if the IPsec device holds IPsec VPN information, starting by reading its first item of IPsec VPN tunnel information;
A2. storing the item of IPsec VPN tunnel information that was read into the data structure table;
A3. judging whether the current IPsec device holds a next item of IPsec VPN tunnel information; if so, executing step A4, otherwise executing step A5;
A4. reading the next item of IPsec VPN tunnel information and going to step A2;
A5. judging whether there is a next IPsec device whose IPsec VPN tunnel information has not yet been read; if so, going to step A2 for the next IPsec device; otherwise ending step A.
3. The method according to claim 1, characterized in that the IPsec VPN tunnel information of all IPsec devices is read into the same data structure table;
and step B specifically comprises:
B1. reading the first item of IPsec VPN tunnel information from the data structure table;
B2. taking the item that was read as the first comparison information;
B3. judging whether a next item of IPsec VPN tunnel information exists; if so, executing step B4; otherwise ending step B;
B4. reading the next item of IPsec VPN tunnel information as the second comparison information;
B5. comparing the current first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel; if so, executing step B6; otherwise executing step B7;
B6. adding 1 to the recorded number of IPsec VPN tunnels and going to step B8;
B7. judging whether an item follows the IPsec VPN tunnel information currently used as the second comparison information; if so, going to step B4; otherwise going to step B8;
B8. judging whether an item follows the IPsec VPN tunnel information currently used as the first comparison information; if so, executing step B9; otherwise ending step B;
B9. reading the item following the IPsec VPN tunnel information currently used as the first comparison information and going to step B2.
4. The method according to claim 1, characterized in that a separate data structure table is provided for each IPsec device, and the IPsec VPN tunnel information of each IPsec device is read into the data structure table corresponding to that device;
and step B consists of performing the following steps for each data structure table in turn:
B1. reading the first item of IPsec VPN tunnel information from the current data structure table;
B2. taking the item that was read as the first comparison information;
B3. reading the first item of IPsec VPN tunnel information from the next data structure table;
B4. taking the item that was read as the second comparison information;
B5. comparing the current first comparison information with the second comparison information to determine whether they belong to the same IPsec VPN tunnel; if so, executing step B6; otherwise executing step B7;
B6. adding 1 to the recorded number of IPsec VPN tunnels and going to step B9;
B7. judging whether an item follows the IPsec VPN tunnel information currently used as the second comparison information; if so, executing step B8; otherwise executing step B11;
B8. reading the item following the IPsec VPN tunnel information currently used as the second comparison information and going to step B4;
B9. judging whether an item follows the IPsec VPN tunnel information currently used as the first comparison information; if so, executing step B10; otherwise starting step B1 for the data structure table following the one holding the first comparison information;
B10. reading the item following the IPsec VPN tunnel information currently used as the first comparison information and going to step B2;
B11. judging whether a data structure table follows the one holding the current second comparison information; if so, executing step B12; otherwise ending step B;
B12. reading the first item of IPsec VPN tunnel information from the data structure table following the one holding the current second comparison information and going to step B4.
5. The method according to claim 3 or 4, characterized in that the method further comprises: when the first comparison information and the second comparison information are determined to belong to the same IPsec VPN tunnel, deleting the IPsec VPN tunnel information currently used as the first comparison information and as the second comparison information from the data structure table.
6. The method according to claim 3 or 4, characterized in that each entry of the data structure table comprises: a local IP address field storing the tunnel local IP address, a peer IP address field storing the tunnel peer IP address, an inbound AH SA index field storing the inbound AH protocol SA index, an outbound AH SA index field storing the outbound AH protocol SA index, an inbound ESP SA index field storing the inbound ESP protocol SA index, and an outbound ESP SA index field storing the outbound ESP protocol SA index;
in step A, each item of the IPsec VPN tunnel information is stored into the corresponding field of the table entry, and a field for which there is no corresponding information is set empty;
in step B, if the values of the local IP address field, peer IP address field, inbound AH SA index field, outbound AH SA index field, inbound ESP SA index field and outbound ESP SA index field of the entry holding the first comparison information are respectively identical to the values of the peer IP address field, local IP address field, outbound AH SA index field, inbound AH SA index field, outbound ESP SA index field and inbound ESP SA index field of the entry holding the second comparison information, the first comparison information and the second comparison information are determined to belong to the same IPsec VPN tunnel.
7. A device for determining the number of IP security (IPsec) virtual private network (VPN) tunnels, characterized in that the device comprises: an information reading unit, a data storage unit and a tunnel statistics unit;
the information reading unit reads each item of IPsec VPN tunnel information in the IPsec devices into a data structure table, each item of IPsec VPN tunnel information comprising: a tunnel local IP address, a tunnel peer IP address, an inbound security association (SA) index and an outbound SA index;
the data storage unit stores the data structure table;
the tunnel statistics unit compares the items of IPsec VPN tunnel information in the data structure table with one another to determine the number of IPsec VPN tunnels; wherein, when the tunnel local IP address, tunnel peer IP address, inbound SA index and outbound SA index of one item of IPsec VPN tunnel information are respectively identical to the tunnel peer IP address, tunnel local IP address, outbound SA index and inbound SA index of another item, the two items are determined to belong to the same IPsec VPN tunnel.
8. The device according to claim 7, characterized in that the information reading unit specifically comprises: a first reading subunit, a storage subunit, a first judgment subunit and a second judgment subunit;
the first reading subunit, if the current IPsec device holds IPsec VPN information, starts by reading its first item of IPsec VPN tunnel information, and reads the next item of IPsec VPN tunnel information when the determination of the first judgment subunit is yes;
the storage subunit stores the IPsec VPN tunnel information read by the first reading subunit into the data structure table;
the first judgment subunit judges whether the current IPsec device holds a next item of IPsec VPN tunnel information;
the second judgment subunit, when the determination of the first judgment subunit is no, judges whether there is a next IPsec device whose IPsec VPN tunnel information has not yet been read; if so, it triggers the first reading subunit to start reading IPsec VPN tunnel information for the next IPsec device; otherwise it triggers the first reading subunit to end the read operation.
9. The device according to claim 7, characterized in that the information reading unit reads the IPsec VPN tunnel information of all IPsec devices into the same data structure table;
the tunnel statistics unit specifically comprises: a second reading subunit, a third judgment subunit, a third reading subunit, a comparison subunit, a first statistics subunit, a fourth judgment subunit and a fifth judgment subunit;
the second reading subunit reads the first item of IPsec VPN tunnel information from the data structure table and takes it as the first comparison information; after receiving a read notification from the fifth judgment subunit, it reads the item following the current first comparison information and takes that as the first comparison information;
the third judgment subunit judges whether an item follows the one read by the second reading subunit;
the third reading subunit, when the determination of the third judgment subunit is yes, reads the item following the first comparison information as the second comparison information; on receiving a read notification, it reads the next item of IPsec VPN tunnel information as the second comparison information;
the comparison subunit compares the first comparison information with the second comparison information and determines whether they belong to the same IPsec VPN tunnel;
the first statistics subunit, when the determination of the comparison subunit is yes, adds 1 to the recorded number of IPsec VPN tunnels and sends a judgment notification to the fifth judgment subunit;
the fourth judgment subunit, when the determination of the comparison subunit is no, judges whether an item follows the IPsec VPN tunnel information currently used as the second comparison information; if so, it sends a read notification to the third reading subunit; otherwise it sends a judgment notification to the fifth judgment subunit;
the fifth judgment subunit, after receiving the judgment notification, judges whether an item follows the IPsec VPN tunnel information currently used as the first comparison information; if so, it sends a read notification to the second reading subunit; otherwise it notifies the second reading subunit and the third reading subunit to end the read operation.
10. The device according to claim 7, characterized in that the data storage unit stores a data structure table provided for each IPsec device;
the information reading unit reads the IPsec VPN tunnel information of each IPsec device into the data structure table corresponding to that device;
the tunnel statistics unit specifically comprises: a fourth reading subunit, a fifth reading subunit, a comparison subunit, a second statistics subunit, a sixth judgment subunit, a seventh judgment subunit and an eighth judgment subunit;
the fourth reading subunit reads the first item of IPsec VPN tunnel information from the current data structure table and takes it as the first comparison information; after receiving a read notification from the seventh judgment subunit, it reads the item following the current first comparison information and takes that as the first comparison information;
the fifth reading subunit reads the first item of IPsec VPN tunnel information from the data structure table following the one holding the first comparison information and takes it as the second comparison information; after receiving a read notification from the sixth judgment subunit, it reads the item following the current second comparison information and takes that as the second comparison information; after receiving a read notification from the eighth judgment subunit, it reads the first item of IPsec VPN tunnel information from the data structure table following the one holding the current second comparison information and takes that as the second comparison information;
the comparison subunit compares the first comparison information with the second comparison information and determines whether they belong to the same IPsec VPN tunnel;
the second statistics subunit, when the determination of the comparison subunit is yes, adds 1 to the recorded number of IPsec VPN tunnels and sends a judgment notification to the seventh judgment subunit;
the sixth judgment subunit, when the determination of the comparison subunit is no, judges whether an item follows the IPsec VPN tunnel information currently used as the second comparison information; if so, it sends a read notification to the fifth reading subunit; otherwise it sends a judgment notification to the eighth judgment subunit;
the seventh judgment subunit, after receiving the judgment notification, judges whether an item follows the IPsec VPN tunnel information currently used as the first comparison information; if so, it sends a read notification to the fourth reading subunit; otherwise it notifies the fourth reading subunit to start reading from the data structure table following the one holding the first comparison information;
the eighth judgment subunit, after receiving the judgment notification, judges whether a data structure table follows the one holding the current second comparison information; if so, it sends a read notification to the fifth reading subunit; otherwise it notifies the fourth reading subunit and the fifth reading subunit to end the read operation.
11. The device according to claim 9 or 10, characterized in that the tunnel statistics unit further comprises an information deletion subunit which, when the determination of the comparison subunit is yes, deletes the IPsec VPN tunnel information currently used as the first comparison information and as the second comparison information from the data structure table.
12. The device according to claim 9 or 10, characterized in that each entry of the data structure table comprises: a local IP address field storing the tunnel local IP address, a peer IP address field storing the tunnel peer IP address, an inbound AH SA index field storing the inbound AH protocol SA index, an outbound AH SA index field storing the outbound AH protocol SA index, an inbound ESP SA index field storing the inbound ESP protocol SA index, and an outbound ESP SA index field storing the outbound ESP protocol SA index;
the information reading unit stores each item of the IPsec VPN tunnel information into the corresponding field of the table entry, and a field for which there is no corresponding information is set empty;
the comparison subunit determines that the first comparison information and the second comparison information belong to the same IPsec VPN tunnel when the values of the local IP address field, peer IP address field, inbound AH SA index field, outbound AH SA index field, inbound ESP SA index field and outbound ESP SA index field of the entry holding the first comparison information are respectively identical to the values of the peer IP address field, local IP address field, outbound AH SA index field, inbound AH SA index field, outbound ESP SA index field and inbound ESP SA index field of the entry holding the second comparison information.
CN 201010199198 2010-06-07 2010-06-07 Method and device for determining number of IP security virtual private network tunnels Expired - Fee Related CN102271061B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010199198 CN102271061B (en) 2010-06-07 2010-06-07 Method and device for determining number of IP security virtual private network tunnels

Publications (2)

Publication Number Publication Date
CN102271061A CN102271061A (en) 2011-12-07
CN102271061B true CN102271061B (en) 2013-12-25

Family

ID=45053230

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 201010199198 Expired - Fee Related CN102271061B (en) 2010-06-07 2010-06-07 Method and device for determining number of IP security virtual private network tunnels

Country Status (1)

Country Link
CN (1) CN102271061B (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109150688B (en) * 2018-10-22 2021-07-09 网宿科技股份有限公司 IPSec VPN data transmission method and device
CN109905310B (en) * 2019-03-26 2020-12-29 杭州迪普科技股份有限公司 Data transmission method and device and electronic equipment
CN112217769B (en) * 2019-07-11 2023-01-24 奇安信科技集团股份有限公司 Data decryption method, data encryption method, data decryption device, data encryption device, data decryption equipment and data decryption medium based on tunnel
WO2022112646A1 (en) * 2020-11-25 2022-06-02 Nokia Solutions And Networks Oy Method and apparatus for reducing redundancy of internet security
CN112714069A (en) * 2021-01-06 2021-04-27 上海交通大学 Method for lowering shunting module to network card hardware in IPSec security gateway environment

Citations (2)

Publication number Priority date Publication date Assignee Title
CN1863071A (en) * 2005-08-06 2006-11-15 华为技术有限公司 Method for statistics of service flow based on IPv6
CN1874343A (en) * 2005-06-03 2006-12-06 华为技术有限公司 Method for creating IPSec safety alliance

Family Cites Families (2)

Publication number Priority date Publication date Assignee Title
US7209479B2 (en) * 2001-01-18 2007-04-24 Science Application International Corp. Third party VPN certification
KR100506182B1 (en) * 2003-05-13 2005-08-05 (주)디엔피그룹 A vpn system supporting a multitunnel ipsec and operation method thereof

Non-Patent Citations (2)

Title
Li Tingyi et al., "Multipath transmission method between single-interface hosts based on SCTP" (基于SCTP的单接口主机间多路径传输方法), Computer Engineering and Applications (计算机工程与应用), Vol. 45, No. 1, 2009-04-01, full text *

Legal Events

Code Title
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address
Address after: No. 466 Changhe Road, Binjiang District, Hangzhou, Zhejiang, China, 310052
Patentee after: New H3C Technologies Co., Ltd.
Address before: Huawei Hangzhou production base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou High-tech Industrial Development Zone, Zhejiang Province, 310053
Patentee before: Hangzhou H3C Technologies Co., Ltd.
CF01 Termination of patent right due to non-payment of annual fee
Granted publication date: 20131225
Termination date: 20200607