CN102694808A - Processing system and method for internet key exchange (IKE) remote access - Google Patents

Info

Publication number: CN102694808A
Authority: CN (China)
Prior art keywords: firewall, backup, master, current, negotiation
Legal status: Pending
Application number: CN2012101784765A
Other languages: Chinese (zh)
Inventor: 陈海滨
Current Assignee: Opzoon Technology Co Ltd
Original Assignee: Opzoon Technology Co Ltd
Application filed by Opzoon Technology Co Ltd
Priority to CN2012101784765A
Publication of CN102694808A


Abstract

The invention discloses a processing system and a processing method for internet key exchange (IKE) remote access and relates to the technical field of network communication. The system comprises a main firewall and at least one standby firewall, wherein a server of an inner network is connected with users of an outer network through the main firewall; and when receiving a current IKE negotiation message, the main firewall judges whether the negotiation total amount of the main firewall reaches a maximum value, sends the current IKE negotiation message to at least one standby firewall for negotiation if the negotiation total amount of the main firewall reaches the maximum value, and negotiates for the current IKE negotiation message if the negotiation total amount of the main firewall does not reach the maximum value. The invention has the advantages that by sending the negotiation message which exceeds the maximum value of the negotiation total amount of the main firewall to the standby firewall for negotiation, the maximum value of the quantity of the users which can be connected with the server of the inner network is increased, and the performance of the server is improved.

Description

Processing system and method for IKE remote access
Technical field
The present invention relates to the field of network communication technology, and in particular to a processing system and method for IKE remote access.
Background technology
Internet Key Exchange (IKE) solves the problem of securely establishing or updating a shared key in an insecure network environment such as the Internet. IKE is a very widely used protocol: it negotiates security associations not only for Internet Protocol Security (IPsec), but can also negotiate security parameters for any protocol that requires secrecy, such as SNMPv3, RIPv2 and OSPFv2.
In prior-art IKE remote access services, the maximum number of users that can be served is usually limited by device capability. For example, when users on the external network access an intranet server through a firewall, the number of users that firewall can connect is limited; once the number of connected users reaches the maximum, other users can no longer access the server, which seriously affects the performance of the server.
Summary of the invention
(1) Technical problem to be solved
The technical problem the present invention solves is how to increase the maximum number of users that an intranet server can connect, so as to improve the performance of the server.
(2) Technical solution
To solve the above technical problem, the invention provides a processing system for IKE remote access. The system comprises a master firewall and at least one backup firewall; the server of the intranet and the users of the external network are connected through the master firewall. When the master firewall receives a current IKE negotiation packet, it judges whether its total number of negotiations has reached the maximum; if so, it sends the current IKE negotiation packet to the at least one backup firewall for negotiation, otherwise the master firewall negotiates the current negotiation packet itself.
Preferably, the at least one backup firewall is connected in a chain, and the backup firewall at the first end is connected to the master firewall.
The invention also discloses a processing method for IKE remote access based on the described system, comprising the following steps:
S1: when a user of the external network sends a current IKE negotiation packet to the intranet server, the master firewall receives the current IKE negotiation packet and judges whether its total number of negotiations has reached the maximum; if so, step S2 is executed, otherwise step S3 is executed;
S2: the current IKE negotiation packet is sent to the at least one backup firewall for negotiation, and step S4 is executed;
S3: the master firewall negotiates the current IKE negotiation packet, and step S4 is executed;
S4: the method ends.
Preferably, step S2 further comprises the following steps:
The current IKE negotiation packet is checked successively from the backup firewall at the first end to the backup firewall at the second end until a backup firewall whose total number of negotiations has not reached the maximum is found, and that backup firewall negotiates the current IKE negotiation packet; if the total number of negotiations of every backup firewall has reached the maximum, the current IKE negotiation packet is dropped directly.
Preferably, after the master firewall or a backup firewall negotiates the current IKE negotiation packet, it generates the corresponding SA triple and decryption key, and the correspondence between the generated SA triple and decryption key and the master firewall or backup firewall is stored as a record in the corresponding decryption library;
and the following steps are further included before step S4:
S301: the user of the external network sends a current data packet to the intranet server; the master firewall receives the current data packet and parses it;
S302: the decryption library on the master firewall is searched according to the SA triple in the current data packet; if a matching record exists, step S303 is executed, otherwise step S304 is executed;
S303: the master firewall decrypts the current data packet with the decryption key in the record found, and sends the decrypted current data packet to the intranet server according to the IP 5-tuple in the current data packet; step S4 is then executed;
S304: the SA triple of the current data packet is matched successively from the backup firewall at the first end to the backup firewall at the second end until the backup firewall whose decryption library holds a matching record is found; that backup firewall decrypts the current data packet with the decryption key in the record found, and sends the decrypted current data packet to the intranet server according to the IP 5-tuple in the data packet; if no matching record is found in the fast-forwarding table of any backup firewall, the current data packet is dropped directly.
Preferably, after the master firewall or a backup firewall negotiates the current IKE negotiation packet, it also generates the corresponding ACL, encryption key and encryption rule, and the encryption rule and encryption key are saved in the corresponding encryption library; the ACL contains the correspondence between the IP 5-tuple and the encryption rule and encryption key;
and the following steps are further included between steps S303 and S304 and step S4:
S305: the intranet server sends a reply packet to the user of the external network; the master firewall receives the reply packet and parses it;
S306: the ACL on the master firewall is searched according to the IP 5-tuple in the reply packet; if a matching correspondence exists, step S307 is executed, otherwise step S308 is executed;
S307: the master firewall encrypts the reply packet according to the encryption rule and encryption key in the matching correspondence, sends the encrypted reply packet to the user of the external network, and step S4 is executed;
S308: the IP 5-tuple of the reply packet is matched successively from the backup firewall at the first end to the backup firewall at the second end until the backup firewall whose ACL holds a matching record is found; that backup firewall encrypts the reply packet according to the encryption rule and encryption key in the matching correspondence and sends the encrypted reply packet to the user of the external network; if no matching record is found in the fast-forwarding table of any backup firewall, the reply packet is dropped directly.
Preferably, the SA triple comprises: the Security Parameter Index (SPI), the destination IP address and the security protocol.
(3) Beneficial effect
By sending the negotiation packets that exceed the maximum total number of negotiations of the master firewall to a backup firewall for negotiation, the present invention increases the maximum number of users that the intranet server can connect and improves the performance of the server.
Description of drawings
Fig. 1 is a schematic structural diagram of a processing system for IKE remote access according to one embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a processing system for IKE remote access according to another embodiment of the present invention.
Embodiment
Specific embodiments of the invention are described in further detail below with reference to the drawings and examples. The following examples serve to illustrate the present invention and are not intended to limit its scope.
Embodiment 1
Fig. 1 is a schematic structural diagram of a processing system for IKE remote access according to one embodiment of the present invention. The present embodiment uses a single backup firewall as an example to explain the invention, without limiting its protection scope. With reference to Fig. 1, the system comprises a master firewall and one backup firewall; the intranet server and the users of the external network are connected through the master firewall. When the master firewall receives a current IKE negotiation packet, it judges whether its total number of negotiations has reached the maximum; if so, the current IKE negotiation packet is sent to the backup firewall for negotiation, otherwise the master firewall negotiates the current negotiation packet itself. Preferably, the backup firewall is connected to the master firewall.
In the present embodiment, four physical interfaces on the master firewall are configured as transparent interfaces (transparent interfaces "0/0", "0/1", "0/6" and "0/7" on the master firewall in the figure), and the transparent interfaces on the master firewall are divided equally into two groups (in the figure, transparent interfaces "0/0" and "0/1" on the master firewall form the first group, and "0/6" and "0/7" the second group); each group of transparent interfaces is configured with one virtual interface;
The backup firewall is provided with two physical interfaces (physical interfaces "0/1" and "0/6" on the backup firewall in the figure);
Transparent interface 0/0 on the master firewall is connected to the users of the external network, and transparent interface 0/7 on the master firewall is connected to the intranet server;
Transparent interface 0/1 on the master firewall is connected to physical interface 0/1 on the backup firewall, and transparent interface 0/6 on the master firewall is connected to physical interface 0/6 on the backup firewall. The first-group virtual interface on the master firewall and physical interface 0/1 on the backup firewall are configured with the same MAC address and IP address and use the same IKE configuration (an IKE configuration must be bound to an interface, so the IKE configuration of the master firewall is bound to the virtual interface and the IKE configuration of the backup firewall is bound to physical interface 0/1); the second-group virtual interface on the master firewall and physical interface 0/6 are likewise configured with the same MAC address and IP address.
The method corresponding to the present embodiment comprises the following steps:
S1: when a user of the external network sends a current IKE negotiation packet to the intranet server, the master firewall receives the current IKE negotiation packet and judges whether its total number of negotiations has reached the maximum; if so, step S2 is executed, otherwise step S3 is executed;
S2: the current IKE negotiation packet is sent to the at least one backup firewall for negotiation, and step S4 is executed;
S3: the master firewall negotiates the current IKE negotiation packet, and step S4 is executed;
S4: the method ends.
Preferably, step S2 further comprises the following steps:
The current IKE negotiation packet is checked successively from the backup firewall at the first end to the backup firewall at the second end until a backup firewall whose total number of negotiations has not reached the maximum is found, and that backup firewall negotiates the current IKE negotiation packet; if the total number of negotiations of every backup firewall has reached the maximum, the current IKE negotiation packet is dropped directly.
Preferably, after the master firewall or the backup firewall negotiates the current IKE negotiation packet, it generates the corresponding SA triple and decryption key, and the correspondence between the generated SA triple and decryption key and the master firewall or backup firewall is stored as a record in the corresponding decryption library; the SA triple comprises the Security Parameter Index (SPI), the destination IP address and the security protocol;
and the following steps are further included before step S4:
S301: the user of the external network sends a current data packet to the intranet server; the master firewall receives the current data packet through transparent interface 0/0 and parses it; the current data packet is generally an encrypted packet, namely an Encapsulating Security Payload (ESP) packet or an Authentication Header (AH) packet;
S302: the decryption library on the master firewall is searched according to the SA triple in the current data packet; if a matching record exists, step S303 is executed, otherwise step S304 is executed;
S303: the master firewall decrypts the current data packet with the decryption key in the record found, and sends the decrypted current data packet to the intranet server through transparent interface 0/7 according to the IP 5-tuple in the current data packet; step S4 is then executed;
S304: the master firewall sends the current data packet to the backup firewall through transparent interface 0/1; the backup firewall matches the SA triple of the current data packet against its own decryption library; if the decryption library of the backup firewall holds a matching record, the backup firewall decrypts the current data packet with the decryption key in the record found and sends the decrypted current data packet to the intranet server according to the IP 5-tuple in the data packet (the backup firewall first sends the current data packet to the master firewall through transparent interface 0/6, and the master firewall then sends it to the intranet server through transparent interface 0/7); if no matching record is found in the fast-forwarding table of the backup firewall, the current data packet is dropped directly.
After the master firewall or the backup firewall negotiates the current IKE negotiation packet, it also generates the corresponding ACL, encryption key and encryption rule, and the encryption rule and encryption key are saved in the corresponding encryption library; the ACL contains the correspondence between the IP 5-tuple and the encryption rule and encryption key;
Preferably, the following steps are further included between steps S303 and S304 and step S4:
S305: the intranet server sends a reply packet to the user of the external network; the master firewall receives the reply packet through transparent interface 0/7 and parses it;
S306: the ACL on the master firewall is searched according to the IP 5-tuple in the reply packet; if a matching correspondence exists, step S307 is executed, otherwise step S308 is executed;
S307: the master firewall encrypts the reply packet according to the encryption rule and encryption key in the matching correspondence, sends the encrypted reply packet to the user of the external network through transparent interface 0/0, and step S4 is executed;
S308: the master firewall matches the IP 5-tuple of the reply packet against the backup firewall; if the ACL of the backup firewall holds a matching record, the backup firewall encrypts the reply packet according to the encryption rule and encryption key in the matching correspondence and sends the encrypted reply packet to the user of the external network (the backup firewall first sends the current data packet to the master firewall through transparent interface 0/1, and the master firewall then sends it to the intranet server through transparent interface 0/0); if no matching record is found in the fast-forwarding table of the backup firewall, the reply packet is dropped directly.
Embodiment 2
With reference to Fig. 2, the structure of the system in the present embodiment is basically the same as that of Embodiment 1; the difference is that the present embodiment is provided with two backup firewalls, which are connected in a chain, with the backup firewall at the first end connected to the master firewall.
In the present embodiment, four physical interfaces on the master firewall are configured as transparent interfaces (transparent interfaces "0/0", "0/1", "0/6" and "0/7" on the master firewall in the figure), and the transparent interfaces on the master firewall are divided equally into two groups (in the figure, transparent interfaces "0/0" and "0/1" on the master firewall form the first group, and "0/6" and "0/7" the second group); each group of transparent interfaces is configured with one virtual interface;
Four physical interfaces on the first-end backup firewall are configured as transparent interfaces (transparent interfaces "0/1", "0/2", "0/5" and "0/6" on the first-end backup firewall in the figure), and the transparent interfaces on the first-end backup firewall are divided equally into two groups (in the figure, transparent interfaces "0/1" and "0/2" on the first-end backup firewall form the first group, and "0/5" and "0/6" the second group); each group of transparent interfaces is configured with one virtual interface;
The second-end backup firewall is provided with two physical interfaces (physical interfaces "0/2" and "0/5" on the second-end backup firewall in the figure);
Transparent interface 0/0 on the master firewall is connected to the users of the external network, and transparent interface 0/7 on the master firewall is connected to the intranet server;
Transparent interface 0/1 on the master firewall is connected to transparent interface 0/1 on the first-end backup firewall; transparent interface 0/6 on the master firewall is connected to transparent interface 0/6 on the first-end backup firewall; transparent interface 0/2 on the first-end backup firewall is connected to physical interface 0/2 on the second-end backup firewall; transparent interface 0/5 on the first-end backup firewall is connected to physical interface 0/5 on the second-end backup firewall. The first-group virtual interface on the master firewall, the first-group virtual interface on the first-end backup firewall and physical interface 0/2 on the second-end backup firewall are configured with the same MAC address and IP address; the second-group virtual interface on the master firewall, the second-group virtual interface on the first-end backup firewall and physical interface 0/5 on the second-end backup firewall are all configured with the same MAC address and IP address.
The method corresponding to the present embodiment comprises the following steps:
S1: when a user of the external network sends a current IKE negotiation packet to the intranet server, the master firewall receives the current IKE negotiation packet and judges whether its total number of negotiations has reached the maximum; if so, step S2 is executed, otherwise step S3 is executed;
S2: the current IKE negotiation packet is sent to the at least one backup firewall for negotiation, and step S4 is executed;
S3: the master firewall negotiates the current IKE negotiation packet, and step S4 is executed;
S4: the method ends.
Preferably, step S2 further comprises the following steps:
The current IKE negotiation packet is checked successively from the backup firewall at the first end to the backup firewall at the second end until a backup firewall whose total number of negotiations has not reached the maximum is found, and that backup firewall negotiates the current IKE negotiation packet; if the total number of negotiations of every backup firewall has reached the maximum, the current IKE negotiation packet is dropped directly.
Preferably, after the master firewall or a backup firewall negotiates the current IKE negotiation packet, it generates the corresponding SA triple and decryption key, and the correspondence between the generated SA triple and decryption key and the master firewall or backup firewall is stored as a record in the corresponding decryption library; the SA triple comprises the Security Parameter Index (SPI), the destination IP address and the security protocol;
and the following steps are further included before step S4:
S301: the user of the external network sends a current data packet to the intranet server; the master firewall receives the current data packet through transparent interface 0/0 and parses it;
S302: the decryption library on the master firewall is searched according to the SA triple in the current data packet; if a matching record exists, step S303 is executed, otherwise step S304 is executed;
S303: the master firewall decrypts the current data packet with the decryption key in the record found, and sends the decrypted current data packet to the intranet server through transparent interface 0/7 according to the IP 5-tuple in the current data packet; step S4 is then executed;
S304: the SA triple of the current data packet is matched successively from the backup firewall at the first end to the backup firewall at the second end until the backup firewall whose decryption library holds a matching record is found; that backup firewall decrypts the current data packet with the decryption key in the record found and sends the decrypted current data packet to the intranet server according to the IP 5-tuple in the data packet (if the backup firewall found is the first-end backup firewall, it first sends the current data packet to the master firewall through its transparent interface 0/6, and the master firewall then sends it to the intranet server through transparent interface 0/7; if the backup firewall found is the second-end backup firewall, it first sends the current data packet to the first-end backup firewall through its transparent interface 0/5, the first-end backup firewall then sends it to the master firewall through transparent interface 0/6, and the master firewall sends it to the intranet server through transparent interface 0/7); if no matching record is found in the fast-forwarding table of any backup firewall, the current data packet is dropped directly.
After the master firewall or a backup firewall negotiates the current IKE negotiation packet, it also generates the corresponding ACL, encryption key and encryption rule, and the encryption rule and encryption key are saved in the corresponding encryption library; the ACL contains the correspondence between the IP 5-tuple and the encryption rule and encryption key;
Preferably, the following steps are further included between steps S303 and S304 and step S4:
S305: the intranet server sends a reply packet to the user of the external network; the master firewall receives the reply packet through transparent interface 0/7 and parses it;
S306: the ACL on the master firewall is searched according to the IP 5-tuple in the reply packet; if a matching correspondence exists, step S307 is executed, otherwise step S308 is executed;
S307: the master firewall encrypts the reply packet according to the encryption rule and encryption key in the matching correspondence, sends the encrypted reply packet to the user of the external network through transparent interface 0/0, and step S4 is executed;
S308: the master firewall matches the IP 5-tuple of the reply packet successively from the backup firewall at the first end to the backup firewall at the second end until the backup firewall whose ACL holds a matching record is found; that backup firewall encrypts the reply packet according to the encryption rule and encryption key in the matching correspondence and sends the encrypted reply packet to the user of the external network (if the backup firewall found is the first-end backup firewall, it first sends the current data packet to the master firewall through its transparent interface 0/1, and the master firewall then sends it to the intranet server through transparent interface 0/0; if the backup firewall found is the second-end backup firewall, it first sends the current data packet to the first-end backup firewall through its transparent interface 0/2, the first-end backup firewall then sends it to the master firewall through transparent interface 0/1, and the master firewall sends it to the intranet server through transparent interface 0/0); if no matching record is found in the fast-forwarding table of any backup firewall, the reply packet is dropped directly.
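The dispatch and lookup logic described in the Summary and in both embodiments, as an added Python simulation that is not code from the patent or from Opzoon: a master firewall and chained backups, each with a negotiation counter, a decryption library keyed by SA triple (steps S301 to S304) and an ACL keyed by IP 5-tuple (steps S305 to S308), with the drop-when-all-full behaviour. The XOR stand-in for ESP processing, the hash-based key derivation, the device names and the addresses are all constructed for the demo and are not what the patent specifies.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# SA triple as the patent defines it: (SPI, destination IP, security protocol).
SATriple = Tuple[int, str, str]
# IP 5-tuple used for the outbound ACL lookup: (src IP, dst IP, proto, sport, dport).
FiveTuple = Tuple[str, str, str, int, int]


def _xor(data: bytes, key: bytes) -> bytes:
    """Toy stand-in for ESP/AH processing so the example runs offline; NOT a cipher."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


@dataclass
class Firewall:
    name: str
    max_negotiations: int                 # device capacity limit
    negotiations: int = 0                 # the "negotiation total" counter
    # decryption library: SA triple -> decryption key (inbound lookup)
    decrypt_lib: Dict[SATriple, bytes] = field(default_factory=dict)
    # ACL: IP 5-tuple of the reply direction -> (encryption rule, encryption key)
    acl: Dict[FiveTuple, Tuple[str, bytes]] = field(default_factory=dict)

    def is_full(self) -> bool:
        return self.negotiations >= self.max_negotiations

    def negotiate(self, sa: SATriple, reply_flow: FiveTuple) -> None:
        """Complete one IKE negotiation and populate this device's tables.

        Key derivation here is constructed for the demo; a real IKE run derives
        keys from the Diffie-Hellman exchange, never from a hash of identifiers.
        """
        self.negotiations += 1
        key = hashlib.sha256(f"{self.name}:{sa}".encode()).digest()[:16]
        self.decrypt_lib[sa] = key
        self.acl[reply_flow] = ("esp-toy", key)


@dataclass
class Chain:
    master: Firewall
    backups: List[Firewall]   # ordered from the first-end backup to the second-end backup

    def devices(self) -> List[Firewall]:
        return [self.master, *self.backups]

    def dispatch_ike(self, sa: SATriple, reply_flow: FiveTuple) -> Optional[str]:
        """Steps S1-S3: the master negotiates if it has capacity; otherwise the
        first non-full backup in chain order does. Returns the negotiating
        device's name, or None when every device is saturated (packet dropped)."""
        for fw in self.devices():
            if not fw.is_full():
                fw.negotiate(sa, reply_flow)
                return fw.name
        return None

    def inbound(self, sa: SATriple, ciphertext: bytes) -> Optional[Tuple[str, bytes]]:
        """Steps S301-S304: look the SA triple up in the master's decryption
        library, then in each backup's, in chain order; drop if none matches."""
        for fw in self.devices():
            key = fw.decrypt_lib.get(sa)
            if key is not None:
                return fw.name, _xor(ciphertext, key)
        return None

    def outbound(self, flow: FiveTuple, plaintext: bytes) -> Optional[Tuple[str, bytes]]:
        """Steps S305-S308: look the IP 5-tuple up in the master's ACL, then in
        each backup's, in chain order; drop if none matches."""
        for fw in self.devices():
            entry = fw.acl.get(flow)
            if entry is not None:
                _rule, key = entry
                return fw.name, _xor(plaintext, key)
        return None


def build_demo_chain() -> Chain:
    """Constructed topology: master plus two chained backups, one negotiation each,
    so the overflow path is exercised by the second and third client."""
    return Chain(Firewall("master", 1), [Firewall("backup1", 1), Firewall("backup2", 1)])


if __name__ == "__main__":
    chain = build_demo_chain()
    # Four constructed clients; the fourth finds every device full and is dropped.
    for i, client in enumerate(["203.0.113.5", "203.0.113.6", "203.0.113.7", "203.0.113.8"]):
        sa = (0x1000 + i, "10.0.0.1", "ESP")
        reply_flow = ("10.0.0.1", client, "tcp", 443, 40000 + i)
        print(client, "->", chain.dispatch_ike(sa, reply_flow) or "dropped")
```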
The above embodiments are only used to explain the present invention and do not limit it. Persons of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the present invention; therefore all equivalent technical solutions also fall within the scope of the present invention, and the scope of patent protection of the present invention should be defined by the claims.

Claims (7)

1. A processing system for IKE remote access, characterized in that the system comprises a master firewall and at least one backup firewall; the server of the intranet and the users of the external network are connected through the master firewall; when the master firewall receives a current IKE negotiation packet, it judges whether its total number of negotiations has reached the maximum; if so, the current IKE negotiation packet is sent to the at least one backup firewall for negotiation, otherwise the master firewall negotiates the current negotiation packet itself.
2. The system of claim 1, characterized in that the at least one backup firewall is connected in a chain, and the backup firewall at the first end is connected to the master firewall.
3. A processing method for IKE remote access based on the system of any one of claims 1 to 2, characterized in that the method comprises the following steps:
S1: when a user of the external network sends a current IKE negotiation packet to the intranet server, the master firewall receives the current IKE negotiation packet and judges whether its total number of negotiations has reached the maximum; if so, step S2 is executed, otherwise step S3 is executed;
S2: the current IKE negotiation packet is sent to the at least one backup firewall for negotiation, and step S4 is executed;
S3: the master firewall negotiates the current IKE negotiation packet, and step S4 is executed;
S4: the method ends.
4. The method of claim 3, characterized in that step S2 further comprises the following steps:
The current IKE negotiation packet is checked successively from the backup firewall at the first end to the backup firewall at the second end until a backup firewall whose total number of negotiations has not reached the maximum is found, and that backup firewall negotiates the current IKE negotiation packet; if the total number of negotiations of every backup firewall has reached the maximum, the current IKE negotiation packet is dropped directly.
5. The method of claim 3, characterized in that after the master firewall or a backup firewall negotiates the current IKE negotiation packet, it generates the corresponding SA triple and decryption key, and the correspondence between the generated SA triple and decryption key and the master firewall or backup firewall is stored as a record in the corresponding decryption library;
and the following steps are further included before step S4:
S301: the user of the external network sends a current data packet to the intranet server; the master firewall receives the current data packet and parses it;
S302: the decryption library on the master firewall is searched according to the SA triple in the current data packet; if a matching record exists, step S303 is executed, otherwise step S304 is executed;
S303: the master firewall decrypts the current data packet with the decryption key in the record found, and sends the decrypted current data packet to the intranet server according to the IP 5-tuple in the current data packet; step S4 is then executed;
S304: the SA triple of the current data packet is matched successively from the backup firewall at the first end to the backup firewall at the second end until the backup firewall whose decryption library holds a matching record is found; that backup firewall decrypts the current data packet with the decryption key in the record found, and sends the decrypted current data packet to the intranet server according to the IP 5-tuple in the data packet; if no matching record is found in the fast-forwarding table of any backup firewall, the current data packet is dropped directly.
6. The method of claim 5, characterized in that after the master firewall or a backup firewall negotiates the current IKE negotiation packet, it also generates the corresponding ACL, encryption key and encryption rule, and the encryption rule and encryption key are saved in the corresponding encryption library; the ACL contains the correspondence between the IP 5-tuple and the encryption rule and encryption key;
and the following steps are further included between steps S303 and S304 and step S4:
S305: the intranet server sends a reply packet to the user of the external network; the master firewall receives the reply packet and parses it;
S306: the IP five-tuple according in the said back message using is searched the ACL on the said master firewall, if the corresponding relation that is complementary arranged, and execution in step S307 then, otherwise execution in step S308;
S307: said master firewall is encrypted said back message using according to encryption rule in the said corresponding relation that is complementary and encryption key, and the back message using after will encrypting is sent to the user of said outer net, execution in step S4;
S308: the IP five-tuple of the said back message using backup firewall from first end is mated to the backup firewall of second end successively; Until the backup firewall that searches out ACL place with record; Said back message using is encrypted according to encryption rule in the said corresponding relation that is complementary and encryption key by the backup firewall that searches out; And the back message using after will encrypting is sent to the user of said outer net; If all transmitting fast of backup firewall all do not find the record that is complementary, then directly abandon said back message using.
7. like claim 5 or 6 described methods, it is characterized in that said sa tlv triple comprises: Security Parameter Index SPI, purpose IP address and security protocol.
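The dispatch logic of claims 1 to 7, as an added Python simulation that is not part of the patent or any product of the applicant: the master firewall handles an IKE negotiation until its negotiation total reaches the maximum, then the chained backup firewalls are tried in order, and inbound data messages and replies are routed to whichever firewall holds the matching SA triple or ACL entry. Firewall names, capacities, keys and sample packets are constructed for illustration; the negotiation itself is a stand-in, not a real IKE exchange.

```python
from dataclasses import dataclass, field

# An SA triple is (SPI, destination IP, security protocol), per claim 7.
# An IP five-tuple is (src IP, dst IP, protocol, src port, dst port).


@dataclass
class Firewall:
    name: str
    max_negotiations: int                              # maximum negotiation total (claim 1)
    negotiations: int = 0
    decrypt_db: dict = field(default_factory=dict)     # SA triple -> decryption key (claim 5)
    acl: dict = field(default_factory=dict)            # five-tuple -> (rule, key) (claim 6)

    def full(self) -> bool:
        return self.negotiations >= self.max_negotiations

    def negotiate(self, sa: tuple, five_tuple: tuple) -> str:
        # Stand-in for IKE: record the SA triple, decryption key and ACL entry
        # that the claims say are generated once negotiation succeeds.
        self.negotiations += 1
        key = f"{self.name}-key-{sa[0]}"               # constructed placeholder key
        self.decrypt_db[sa] = key
        self.acl[five_tuple] = ("esp-tunnel", key)
        return self.name


def build_chain() -> list:
    """Constructed topology: master plus two chained backups, one negotiation each."""
    return [Firewall("master", 1), Firewall("backup1", 1), Firewall("backup2", 1)]


def handle_ike(chain: list, sa: tuple, five_tuple: tuple):
    """Claims 1, 3, 4: master first, then backups from first to second end; drop if all full."""
    for fw in chain:
        if not fw.full():
            return fw.negotiate(sa, five_tuple)
    return None                                        # negotiation packet discarded


def handle_inbound(chain: list, sa: tuple):
    """Claim 5 (S302-S304): find the firewall whose decryption library holds the SA triple."""
    for fw in chain:
        if sa in fw.decrypt_db:
            return fw.name, fw.decrypt_db[sa]
    return None                                        # data message discarded


def handle_reply(chain: list, five_tuple: tuple):
    """Claim 6 (S306-S308): find the firewall whose ACL matches the reply's five-tuple."""
    for fw in chain:
        if five_tuple in fw.acl:
            return fw.name, fw.acl[five_tuple]
    return None                                        # reply message discarded
```

With three firewalls of capacity one, the fourth remote user's negotiation is dropped, which is the limit the chain is meant to raise.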

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2012101784765A CN102694808A (en) 2012-05-31 2012-05-31 Processing system and method for internet key exchange (IKE) remote access

Publications (1)

Publication Number Publication Date
CN102694808A true CN102694808A (en) 2012-09-26

Family

ID=46860095

Country Status (1)

Country Link
CN (1) CN102694808A (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103220273A (en) * 2013-03-19 2013-07-24 汉柏科技有限公司 Method and system for central processing unit (CPU) to forward message rapidly
CN103227742A (en) * 2013-03-26 2013-07-31 汉柏科技有限公司 Method for IPSec (Internet protocol security) tunnel to rapidly process messages
CN104065620A (en) * 2013-03-21 2014-09-24 苏州方位通讯科技有限公司 Network service access connection method for access-limited devices
CN105516062A (en) * 2014-09-25 2016-04-20 中兴通讯股份有限公司 L2TP over IPsec access realizing method
CN114124493A (en) * 2021-11-12 2022-03-01 北京天融信网络安全技术有限公司 Industrial control data processing method and firewall equipment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101018233A (en) * 2007-03-20 2007-08-15 杭州华为三康技术有限公司 Session control method and control device
CN101299665A (en) * 2008-05-19 2008-11-05 华为技术有限公司 Message processing method, system and apparatus
CN101442471A (en) * 2008-12-31 2009-05-27 杭州华三通信技术有限公司 Method for implementing backup and switch of IPSec tunnel, system and node equipment, networking architecture
CN201657327U (en) * 2009-12-04 2010-11-24 同济大学 Key exchange and agreement system between mobile device and secure access gateway
CN102090020A (en) * 2008-08-26 2011-06-08 思科技术公司 Method and apparatus for dynamically instantiating services using a service insertion architecture
CN102231737A (en) * 2011-06-23 2011-11-02 成都市华为赛门铁克科技有限公司 IKE (Internet Key Exchange) consultation control method and equipment
CN102420770A (en) * 2011-12-27 2012-04-18 汉柏科技有限公司 Method and equipment for negotiating internet key exchange (IKE) message

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20120926