CN103023741B - VPN equipment obstacle management method - Google Patents

Info

Publication number: CN103023741B
Application number: CN201210513958.1A
Authority: CN (China)
Prior art keywords: vpn, equipment, host apparatus, stand, message
Legal status: Expired - Fee Related (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN103023741A (en)
Inventor: 陈海滨
Current assignee: Opzoon Technology Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Opzoon Technology Co Ltd
Priority date: an assumption, not a legal conclusion (Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed)
Timeline: application filed by Opzoon Technology Co Ltd; priority to CN201210513958.1A; publication of CN103023741A; application granted; publication of CN103023741B; current status Expired - Fee Related; anticipated expiration.

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for handling a VPN device fault. The method comprises: setting a network device as the VPN primary device and configuring a VPN standby device for it; the VPN server negotiates with the VPN peer device to establish a tunnel and at the same time sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device carry out encrypted message transmission; when the VPN primary device fails, the VPN standby device sends a device switching request message to the VPN server, the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, and the VPN standby device and the VPN peer device then carry out encrypted message transmission. The technical scheme proposed by the invention can perform a fast tunnel switch when the VPN primary device fails, thereby reducing the time and traffic lost because of a network device failure.

Description

VPN equipment obstacle management method
Technical field
The present invention relates to virtual private network (VPN) technology, and in particular to a VPN device fault handling method.
Background technology
A VPN (Virtual Private Network) is a technology for setting up a dedicated network on top of a public network. A VPN uses encryption to encapsulate a data communication tunnel within the public network.
IPSec is a tunnel protocol that operates at the network layer of the OSI model and is also the most commonly used tunnel protocol in VPNs. AH (Authentication Header) and ESP (Encapsulating Security Payload) are the two most basic IPSec security protocols. The AH protocol provides access control, connectionless integrity, data origin authentication and anti-replay services; the ESP protocol adds two further security services on top of those of the AH protocol, namely confidentiality and limited traffic-flow confidentiality.
IKE (Internet Key Exchange protocol) is the standard IPSec component that performs authentication and key negotiation. After IKE negotiation completes, the IPSec peers each establish and maintain security associations (SAs), which provide a selectable set of security services for traffic in a particular direction. An IPSec system contains two databases, the SADB (Security Association Database) and the SPDB (Security Policy Database). The SADB is responsible for organising and managing SAs, and every SA has a corresponding entry in the SADB; the SPDB is in fact an ordered list of global policy entries, used to classify inbound/outbound traffic and process it accordingly.
When a network device in the VPN fails, it is usually necessary to detect the link failure by means such as keepalive or DPD (Dead Peer Detection) and then renegotiate to establish the IPSec tunnel. This process takes a period of time, during which the network is cut off.
Summary of the invention
(1) technical problem to be solved
The object of the present invention is to provide a method that can quickly handle a VPN device fault, in order to solve the prior-art problem that, when a VPN device fails, renegotiating to establish the tunnel takes a certain amount of time and therefore causes a network outage during that period.
(2) technical scheme
To solve the above technical problem, the present invention proposes a VPN device fault handling method comprising the following steps:
S1. A network device in the VPN is set as the VPN primary device, and a VPN standby device is configured for the VPN primary device;
S2. The VPN server negotiates with the VPN peer device to establish a tunnel and at the same time sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device carry out encrypted message transmission;
S3. When it is detected that the VPN primary device has failed, the VPN standby device sends a device switching request message to the VPN server; the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, so that the VPN standby device and the VPN peer device carry out encrypted message transmission.
Optionally, in step S2, the negotiation is IKE negotiation, the tunnel is an IPSec tunnel, and the negotiation data are the SADB and SPDB data.
Optionally, in step S3, the current message is an AH message or an ESP message.
Optionally, step S1 further comprises:
The VPN primary device and the VPN standby device are connected to the VPN server through a switch and/or a router.
(3) beneficial effect
The VPN device fault handling method proposed by the present invention can perform a fast tunnel switch when the VPN primary device fails, thereby reducing the time and traffic lost because of a network device failure.
Brief description of the drawings
Fig. 1 is a flow chart of the VPN device fault handling method proposed by the present invention.
Fig. 2 is a schematic diagram of an application scenario of the VPN device fault handling method proposed by the present invention.
Detailed description of the invention
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples.
The present invention proposes a VPN device fault handling method which, as shown in Fig. 1, comprises the following steps:
S1. A network device in the VPN is set as the VPN primary device, and a VPN standby device is configured for the VPN primary device;
S2. The VPN server negotiates with the VPN peer device to establish a tunnel and at the same time sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device carry out encrypted message transmission;
S3. When it is detected that the VPN primary device has failed, the VPN standby device sends a device switching request message to the VPN server; the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, so that the VPN standby device and the VPN peer device carry out encrypted message transmission.
Preferably, in step S2, the negotiation is IKE negotiation, the tunnel is an IPSec tunnel, and the negotiation data are the SADB and SPDB data.
Preferably, in step S3, the current message is an AH message or an ESP message.
As shown in Fig. 2, in a preferred embodiment of the present invention, the VPN primary device and the VPN standby device are connected to the VPN server through a switch and/or a router. The VPN server here has a network address translation (NAT) function.
The VPN server acts as a listener: when it receives a message from the VPN peer device and finds that the destination address is the VPN master firewall (that is, the VPN primary device), it proxies the whole negotiation process with the other end. The VPN server negotiates with the VPN peer device, establishes the IPSec tunnel, and sends the negotiated SADB (IPSec security associations) and SPDB (protected flows) data to the VPN primary device, so that the VPN primary device and the VPN peer device carry out encrypted message transmission.
A security association (SA) records the policy and policy parameters of each IP security path. SAs are the basis of IPSec: an SA determines the protocol, transform mode, key and key lifetime used to protect packets. Both AH and ESP use SAs, and a major function of IKE is precisely to establish and maintain SAs.
In the above process, the VPN server completes the processing of control messages (such as IKE control messages), while the VPN primary device completes the processing of data messages (encryption and decryption of ESP/AH messages).
The VPN standby device keeps communicating with the VPN primary device. When it finds that the VPN primary device has failed, the primary and standby devices switch over: the VPN standby device sends a device switching request message to the VPN server; after receiving the request message, the VPN server transfers the previously negotiated SADB and SPDB data, together with the sequence number of the current ESP/AH message, to the VPN standby device, at which point the fast tunnel switch is complete.
The above is only a preferred embodiment of the present invention. It should be pointed out that those of ordinary skill in the art can make further improvements and substitutions without departing from the technical principles of the present invention, and such improvements and substitutions should also be considered to fall within the protection scope of the present invention.
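As an added example (not part of the patent or any Opzoon product), the following Python model walks through steps S1 to S3 above: the VPN server owns the negotiated SA (standing in for the SADB/SPDB data), the primary device encrypts ESP traffic with it, and on failure the standby obtains the SA together with the current sequence number. The peer's anti-replay window shows why the sequence number must be carried over: a standby that restarted from sequence 1 would have every packet dropped as a replay. Class and function names, the window size, the primary reporting its counter to the server, and the keys are all assumptions.

```python
import hashlib
import hmac
WINDOW = 64  # peer's anti-replay window size, RFC 4303 style (assumption)

class SA:
    """One negotiated IPSec SA: SPI, integrity key and outbound sequence counter."""
    def __init__(self, spi, key, seq=0):
        self.spi, self.key, self.seq = spi, key, seq

def esp_send(sa, payload):
    """Data plane on the primary/standby device: build the next ESP packet on sa."""
    sa.seq += 1
    body = sa.spi.to_bytes(4, "big") + sa.seq.to_bytes(4, "big") + payload
    return (sa.spi, sa.seq, body, hmac.new(sa.key, body, hashlib.sha256).digest())

class Peer:
    """VPN peer device: verifies the ICV and enforces an anti-replay window."""
    def __init__(self, sa):
        self.sa, self.highest, self.seen = sa, 0, set()
    def receive(self, pkt):
        spi, seq, body, tag = pkt
        expect = hmac.new(self.sa.key, body, hashlib.sha256).digest()
        if spi != self.sa.spi or not hmac.compare_digest(tag, expect):
            return False
        if seq <= self.highest - WINDOW or seq in self.seen:
            return False  # below the window or already seen: dropped as a replay
        self.seen.add(seq)
        self.highest = max(self.highest, seq)
        return True

class VPNServer:
    """Control plane: owns the SADB/SPDB (step S2) and answers switch requests (S3)."""
    def __init__(self):
        self.sadb, self.last_seq = {}, {}
    def negotiate(self, tid):  # stands in for the IKE exchange proxied with the peer
        key = hashlib.sha256(b"constructed-demo-key-%d" % tid).digest()
        self.sadb[tid] = SA(0x1000 + tid, key)
        return SA(self.sadb[tid].spi, key)  # copy pushed to the primary device
    def report_seq(self, tid, seq):  # assumption: the primary reports its counter
        self.last_seq[tid] = seq
    def switch_request(self, tid, carry_sequence=True):
        sa = self.sadb[tid]  # carry_sequence=False models a naive hand-over
        return SA(sa.spi, sa.key, self.last_seq[tid] if carry_sequence else 0)

def run_failover(carry_sequence, n_before=100, n_after=5):
    """Returns how many of the standby's packets the peer accepts after the switch."""
    server = VPNServer()
    primary = server.negotiate(1)                 # S1/S2: primary holds the SA
    peer = Peer(server.sadb[1])
    for i in range(n_before):                     # primary carries traffic, then fails
        assert peer.receive(esp_send(primary, b"data-%d" % i))
        server.report_seq(1, primary.seq)
    standby = server.switch_request(1, carry_sequence)  # S3: standby takes over
    return sum(peer.receive(esp_send(standby, b"after-%d" % i)) for i in range(n_after))
```

`run_failover(True)` has the peer accept all of the standby's packets, while `run_failover(False)` has it reject every one of them, which is the gap the sequence-number transfer in step S3 closes.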

Claims (3)

1. A VPN device fault handling method, characterized in that the method comprises the following steps:
S1. A network device in the VPN is set as the VPN primary device, and a VPN standby device is configured for the VPN primary device;
S2. The VPN server carries out IKE negotiation with the VPN peer device and establishes an IPSec tunnel for the VPN primary device and the VPN peer device, and the VPN server sends the negotiation data to the VPN primary device, so that the VPN primary device and the VPN peer device carry out encrypted message transmission;
S3. When it is detected that the VPN primary device has failed, the VPN standby device sends a device switching request message to the VPN server; the VPN server transfers the negotiation data and the sequence number of the current message to the VPN standby device, so that the VPN standby device and the VPN peer device establish an IPSec tunnel relying on the already existing negotiation data and carry out encrypted message transmission;
In step S2, the negotiation data are the SADB and SPDB data.
2. The VPN device fault handling method according to claim 1, characterized in that, in step S3, the current message is an AH message or an ESP message.
3. The VPN device fault handling method according to claim 1, characterized in that step S1 further comprises:
The VPN primary device and the VPN standby device are connected to the VPN server through a switch and/or a router.

Priority and publication data

Application CN201210513958.1A, filed 2012-12-04 (priority date 2012-12-04), title: VPN equipment obstacle management method; status Expired - Fee Related.
Publications: CN103023741A (en), published 2013-04-03; CN103023741B (en, granted), published 2016-05-18.
Family ID: 47971891. Country status: CN (1) CN103023741B (en).

Families Citing this family (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110011892B (en) * 2019-03-15 2022-04-05 平安科技(深圳)有限公司 Communication method of virtual private network and related device
CN113221937A (en) * 2021-02-24 2021-08-06 山东万博科技股份有限公司 Emergency processing system and method based on artificial intelligence judgment
CN112804268A (en) * 2021-04-13 2021-05-14 北京太一星晨信息技术有限公司 Synchronization method, first device, second device and synchronization system
CN113691394B (en) * 2021-07-29 2023-07-21 广州鲁邦通物联网科技股份有限公司 VPN communication establishing and switching method and system
CN113839946B (en) * 2021-09-24 2024-01-05 深圳供电局有限公司 Abnormality detection method and device for IPSec transmission and readable storage medium

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101364927A (en) * 2008-09-24 2009-02-11 华为技术有限公司 Method, apparatus and system realizing fault recovery of virtual private network
CN102480423A (en) * 2010-11-30 2012-05-30 中兴通讯股份有限公司 Method and system for protecting layer 2 tunneling protocol (L2TP) network

Legal Events

  • C06 / PB01: Publication
  • C10 / SE01: Entry into substantive examination (entry into force of request for substantive examination)
  • C14 / GR01: Grant of patent or utility model (granted publication date: 20160518)
  • PP01: Preservation of patent right (effective date of registration: 20180823)
  • PD01: Discharge of preservation of patent (date of cancellation: 20210823)
  • CF01: Termination of patent right due to non-payment of annual fee (termination date: 20181204)