CN103023741A - Method for processing faults of virtual private network (VPN) device - Google Patents

Method for processing faults of virtual private network (VPN) device

Info

Publication number: CN103023741A
Authority: CN (China)
Prior art keywords: vpn, equipment, host apparatus, stand, message
Legal status: Granted (the legal status is an assumption and not a legal conclusion; Google has not performed a legal analysis)
Application number: CN2012105139581A (also written CN201210513958.1A)
Other languages: Chinese (zh)
Other versions: CN103023741B (en)
Inventor: 陈海滨
Current assignee: Opzoon Technology Co Ltd (the listed assignees may be inaccurate)
Original assignee: Opzoon Technology Co Ltd
Priority date: 2012-12-04 (the priority date is an assumption and not a legal conclusion)
Filing date: 2012-12-04
Publication date: 2013-04-03
Application filed by Opzoon Technology Co Ltd
Priority to CN201210513958.1A
Publication of CN103023741A
Application granted; publication of CN103023741B
Current legal status: Expired - Fee Related

Abstract

The invention discloses a method for processing faults of a VPN device. In the method, a network device in the VPN serves as the VPN primary device and is provided with a VPN standby device; a VPN server negotiates with the VPN peer device, builds the tunnel, and sends the negotiation data to the VPN primary device, so that encrypted messages are exchanged between the VPN primary device and the VPN peer device; and when the VPN primary device fails, the VPN standby device sends a device switch-over request message to the VPN server, the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, and encrypted messages are then exchanged between the VPN standby device and the VPN peer device. With this technical scheme, the tunnel can be switched over quickly when the VPN primary device fails, so that the time loss and traffic loss caused by a network device failure are reduced.

Description

VPN device fault handling method
Technical field
The present invention relates to virtual private network (VPN) technology, and in particular to a method for handling faults of a VPN device.
Background
A VPN (Virtual Private Network) is a technology for building a private network over a public network. A VPN uses encryption to encapsulate a data communication tunnel within the public network.
IPsec is a tunnelling protocol that operates at the network layer of the OSI model and is the most commonly used tunnelling protocol in VPNs. AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two basic IPsec security protocols. The AH protocol provides access control, connectionless integrity, data origin authentication and an anti-replay service; the ESP protocol adds two further security services, confidentiality and limited traffic-flow confidentiality, on top of those of AH.
IKE (Internet Key Exchange) is the standard IPsec component that performs authentication and key negotiation. After IKE negotiation completes, each IPsec peer establishes and maintains security associations (SAs), which provide an optional set of security services for the traffic in a given direction. An IPsec system contains two databases: the SADB (Security Association Database) and the SPDB (Security Policy Database). The SADB organises and manages SAs, each SA corresponding to one entry in the SADB; the SPDB is in effect an ordered list of global policy entries that classifies inbound/outbound traffic and determines how each class is processed.
When a network device in a VPN fails, the link failure normally has to be discovered by keepalive, DPD (Dead Peer Detection) or similar means, after which the IPsec tunnel is re-negotiated. This process takes a certain amount of time, during which the network is interrupted.
Summary of the invention
(1) Technical problem to be solved
The object of the present invention is to provide a method for handling a VPN device fault quickly, in order to solve the prior-art problem that, when a VPN device fails, re-negotiating the tunnel takes a certain amount of time, during which the network is interrupted.
(2) Technical scheme
To solve the above technical problem, the present invention proposes a VPN device fault handling method comprising the following steps:
S1. A network device in the VPN is configured as the VPN primary device, and a VPN standby device is configured for the VPN primary device;
S2. The VPN server negotiates with the VPN peer device to set up the tunnel and at the same time sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device exchange encrypted messages;
S3. When a failure of the VPN primary device is detected, the VPN standby device sends a device switch-over request message to the VPN server; the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, so that the VPN standby device and the VPN peer device exchange encrypted messages.
Optionally, in step S2, the negotiation is IKE negotiation, the tunnel is an IPsec tunnel, and the negotiation data are the SADB and SPDB data.
Optionally, in step S3, the current message is an AH message or an ESP message.
Optionally, step S1 further comprises:
the VPN primary device and the VPN standby device are connected to the VPN server through a switch and/or a router.
(3) Beneficial effect
With the VPN device fault handling method proposed by the present invention, the tunnel can be switched over quickly when the VPN primary device fails, reducing the time loss and traffic loss caused by a network device failure.
Description of drawings
Fig. 1 is a flow chart of the VPN device fault handling method proposed by the present invention.
Fig. 2 is a schematic diagram of an application scenario of the VPN device fault handling method proposed by the present invention.
Embodiments
Specific embodiments of the present invention are described in further detail below with reference to the drawings and examples.
The present invention proposes a VPN device fault handling method which, as shown in Fig. 1, comprises the following steps:
S1. A network device in the VPN is configured as the VPN primary device, and a VPN standby device is configured for the VPN primary device;
S2. The VPN server negotiates with the VPN peer device to set up the tunnel and at the same time sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device exchange encrypted messages;
S3. When a failure of the VPN primary device is detected, the VPN standby device sends a device switch-over request message to the VPN server; the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, so that the VPN standby device and the VPN peer device exchange encrypted messages.
Preferably, in step S2, the negotiation is IKE negotiation, the tunnel is an IPsec tunnel, and the negotiation data are the SADB and SPDB data.
Preferably, in step S3, the current message is an AH message or an ESP message.
As shown in Fig. 2, in a preferred implementation of the present invention, the VPN primary device and the VPN standby device are connected to the VPN server through a switch and/or a router. The VPN server here has a network address translation (NAT) function.
The VPN server acts as a listener: when it receives a message sent by the VPN peer device and finds that the destination address is the VPN primary firewall device (that is, the VPN primary device), it takes over the whole negotiation process and negotiates with the other end on the primary device's behalf. The VPN server negotiates with the VPN peer device, sets up the IPsec tunnel, and sends the negotiated SADB (IPsec security association) and SPDB (protected traffic) data to the VPN primary device, so that the VPN primary device and the VPN peer device exchange encrypted messages.
A security association (SA) records the policy and policy parameters of each IP security path. The SA is the basis of IPsec: it determines the protocol, transform mode, keys and key lifetime used to protect a packet. Both AH and ESP use SAs, and the main function of IKE is precisely to establish and maintain SAs.
In the above process, control messages (such as IKE control messages) are processed by the VPN server, while data messages (encryption and decryption of ESP/AH messages) are processed by the VPN primary device.
The VPN standby device keeps communicating with the VPN primary device. When it finds that the VPN primary device has failed, an abnormal primary-to-standby switch-over is triggered and the VPN standby device sends a device switch-over request message to the VPN server. On receiving the request message, the VPN server sends the previously negotiated SADB and SPDB data together with the sequence number of the current ESP/AH message to the VPN standby device, which completes the quick switch-over of the tunnel.
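The switch-over of step S3, as an added worked example that is not part of the patent or of Opzoon's own implementation: a Python model in which the VPN server holds the negotiated SA data, the primary and standby devices do the ESP data-plane work, and the VPN peer verifies integrity and enforces a sliding anti-replay window in the style of RFC 4303. Beyond what the patent states it assumes that the active device reports its sequence counter to the server, uses an HMAC-SHA256 integrity check value as a stand-in for the AH/ESP ICV, and leaves payload encryption out; the class and function names (VpnServer, VpnDevice, PeerDevice, run_failover) are this example's own. Running run_failover(transfer_seq=False) shows why the sequence number has to travel with the SADB/SPDB data: a standby that restarts at sequence number 1 has every packet dropped by the peer as a replay (or as below the window, once more than 64 packets have been sent).

```python
import hmac
import hashlib
from dataclasses import dataclass, replace

WINDOW = 64  # anti-replay window size in packets (RFC 4303 requires at least 32)


@dataclass
class SecurityAssociation:
    """Subset of an SADB entry: SPI, integrity key and the sender's sequence counter."""
    spi: int
    auth_key: bytes
    seq: int = 0  # last ESP sequence number used on this SA


@dataclass
class EspPacket:
    spi: int
    seq: int
    payload: bytes  # would be ciphertext in real ESP; encryption is out of scope here
    icv: bytes      # integrity check value over SPI || seq || payload


def compute_icv(sa: SecurityAssociation, seq: int, payload: bytes) -> bytes:
    # Stand-in for the AH/ESP ICV: HMAC-SHA256 keyed with the SA's integrity key.
    msg = sa.spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + payload
    return hmac.new(sa.auth_key, msg, hashlib.sha256).digest()


class VpnServer:
    """Owns the IKE negotiation result (SADB data) and the device switch-over (S2, S3)."""

    def __init__(self):
        self.sa = None
        self.current_seq = 0  # assumption: the active device reports its counter here

    def negotiate(self, spi: int, auth_key: bytes) -> SecurityAssociation:
        # S2: IKE negotiation with the peer, modelled as the agreed SPI and key.
        self.sa = SecurityAssociation(spi, auth_key)
        return self.sa

    def install_on(self, device: "VpnDevice") -> None:
        device.sa = replace(self.sa, seq=self.current_seq)

    def report_seq(self, seq: int) -> None:
        self.current_seq = seq

    def handle_switch_request(self, standby: "VpnDevice", transfer_seq: bool = True) -> None:
        # S3: hand the negotiated data plus the current sequence number to the standby.
        # transfer_seq=False shows what happens when only the SADB data is transferred.
        standby.sa = replace(self.sa, seq=self.current_seq if transfer_seq else 0)


class VpnDevice:
    """Primary or standby device: sends ESP packets with the SA installed on it."""

    def __init__(self, name: str, server: VpnServer):
        self.name, self.server, self.sa, self.alive = name, server, None, True

    def send(self, payload: bytes) -> EspPacket:
        if not self.alive:
            raise RuntimeError(f"{self.name} has failed")
        self.sa.seq += 1
        self.server.report_seq(self.sa.seq)
        return EspPacket(self.sa.spi, self.sa.seq, payload, compute_icv(self.sa, self.sa.seq, payload))


class PeerDevice:
    """VPN peer: verifies the ICV and enforces a sliding anti-replay window."""

    def __init__(self, sa: SecurityAssociation):
        self.sa, self.top, self.bitmap = sa, 0, 0  # bit i of bitmap: seq (top - i) was seen

    def receive(self, pkt: EspPacket) -> str:
        if pkt.spi != self.sa.spi:
            return "drop: unknown SPI"
        if pkt.seq == 0:
            return "drop: zero sequence number"
        if pkt.seq <= self.top:
            diff = self.top - pkt.seq
            if diff >= WINDOW:
                return "drop: below anti-replay window"
            if (self.bitmap >> diff) & 1:
                return "drop: replayed sequence number"
        # Verify integrity before advancing the window, so a forged packet cannot move it.
        if not hmac.compare_digest(compute_icv(self.sa, pkt.seq, pkt.payload), pkt.icv):
            return "drop: bad ICV"
        if pkt.seq > self.top:
            shift = pkt.seq - self.top
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.top = pkt.seq
        else:
            self.bitmap |= 1 << (self.top - pkt.seq)
        return "accept"


def run_failover(packets_before: int = 5, packets_after: int = 3, transfer_seq: bool = True) -> list:
    """Runs S1-S3 and returns the peer's verdict for every packet, primary first, then standby."""
    server = VpnServer()
    primary, standby = VpnDevice("primary", server), VpnDevice("standby", server)  # S1
    sa = server.negotiate(spi=0x1000, auth_key=b"constructed-demo-key")  # S2 (constructed key)
    peer = PeerDevice(SecurityAssociation(sa.spi, sa.auth_key))
    server.install_on(primary)
    verdicts = [peer.receive(primary.send(b"data-%d" % i)) for i in range(packets_before)]
    primary.alive = False  # primary fails; the standby detects it and requests a switch-over
    server.handle_switch_request(standby, transfer_seq)  # S3
    verdicts += [peer.receive(standby.send(b"data-%d" % i)) for i in range(packets_after)]
    return verdicts


if __name__ == "__main__":
    print("with sequence number:   ", run_failover())
    print("without sequence number:", run_failover(transfer_seq=False))
```

The peer advances its window only after the ICV verifies, so a packet with a forged high sequence number cannot push genuine traffic out of the window; the same ordering is what makes the transferred counter in S3 necessary, since the peer has no way to tell a standby restarting at 1 from a replay of the primary's earlier packets.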
The above are only preferred embodiments of the present invention. It should be pointed out that a person of ordinary skill in the art can make further improvements and substitutions without departing from the technical principle of the present invention, and these improvements and substitutions should also be regarded as falling within the scope of protection of the present invention.

Claims (4)

1. A VPN device fault handling method, characterised in that the method comprises the following steps:
S1. A network device in the VPN is configured as the VPN primary device, and a VPN standby device is configured for the VPN primary device;
S2. The VPN server negotiates with the VPN peer device to set up the tunnel and at the same time sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device exchange encrypted messages;
S3. When a failure of the VPN primary device is detected, the VPN standby device sends a device switch-over request message to the VPN server; the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, so that the VPN standby device and the VPN peer device exchange encrypted messages.
2. The VPN device fault handling method according to claim 1, characterised in that, in step S2, the negotiation is IKE negotiation, the tunnel is an IPsec tunnel, and the negotiation data are the SADB and SPDB data.
3. The VPN device fault handling method according to claim 1 or 2, characterised in that, in step S3, the current message is an AH message or an ESP message.
4. The VPN device fault handling method according to claim 1, characterised in that step S1 further comprises:
the VPN primary device and the VPN standby device are connected to the VPN server through a switch and/or a router.

Priority Applications (1)

Application number: CN201210513958.1A
Priority date: 2012-12-04
Filing date: 2012-12-04
Title: VPN equipment obstacle management method
Granted as: CN103023741B (en)
Status: Expired - Fee Related

Publications (2)

CN103023741A (en), published 2013-04-03
CN103023741B (en), published 2016-05-18

Family

ID=47971891
Family application: CN201210513958.1A, granted as CN103023741B (en), Expired - Fee Related

Country Status (1)

CN (1): CN103023741B (en)

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN101364927A * | 2008-09-24 | 2009-02-11 | 华为技术有限公司 | Method, apparatus and system realizing fault recovery of virtual private network
CN102480423A * | 2010-11-30 | 2012-05-30 | 中兴通讯股份有限公司 | Method and system for protecting layer 2 tunneling protocol (L2TP) network

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN110011892A * | 2019-03-15 | 2019-07-12 | 平安科技(深圳)有限公司 | A kind of communication means and relevant apparatus of Virtual Private Network
WO2020186694A1 * | 2019-03-15 | 2020-09-24 | 平安科技(深圳)有限公司 | Communication method for virtual private network, and related device
CN113221937A * | 2021-02-24 | 2021-08-06 | 山东万博科技股份有限公司 | Emergency processing system and method based on artificial intelligence judgment
CN112804268A * | 2021-04-13 | 2021-05-14 | 北京太一星晨信息技术有限公司 | Synchronization method, first device, second device and synchronization system
CN113691394A * | 2021-07-29 | 2021-11-23 | 广州鲁邦通物联网科技有限公司 | Method and system for establishing and switching VPN communication
CN113839946A * | 2021-09-24 | 2021-12-24 | 深圳供电局有限公司 | IPSec transmission abnormity detection method, IPSec transmission abnormity detection device and readable storage medium
CN113839946B * | 2021-09-24 | 2024-01-05 | 深圳供电局有限公司 | Abnormality detection method and device for IPSec transmission and readable storage medium

Also Published As

Publication number Publication date
CN103023741B (en) 2016-05-18


Legal Events

Date | Code | Title | Description
C06 | Publication
PB01 | Publication
C10 | Entry into substantive examination
SE01 | Entry into force of request for substantive examination
C14 | Grant of patent or utility model
GR01 | Patent grant
PP01 | Preservation of patent right | Effective date of registration: 20180823; granted publication date: 20160518
PD01 | Discharge of preservation of patent | Date of cancellation: 20210823; granted publication date: 20160518
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160518; termination date: 20181204