CN103188266A - Address allocation recovery dynamic control method and system based on ezvpn - Google Patents
Publication number: CN103188266A (application CN201310100191.4)
Authority: CN (China)
Prior art keywords: private network address, client host, firewall
Legal status: Granted
Abstract
The invention discloses an ezvpn-based method and system for dynamically controlling the allocation and recovery of private network addresses. The method comprises the following steps: a first client host establishes an IPsec tunnel connection with a firewall through ezvpn software, and the firewall allocates a first private network address to the first client host; if the IPsec tunnel between the first client host and the firewall is disconnected, then when another client host establishes an IPsec tunnel connection with the firewall, the firewall queries whether the first private network address has been recovered; if it has, the first private network address is reallocated to the other client host, otherwise the first private network address is retained and another private network address is allocated to the other client host. The method and system record the servers an ezvpn user accesses and, when the IPsec tunnel is disconnected, decide according to the type of server accessed whether the private network address is recovered immediately or with a delay; only a recovered private network address is reallocated to another user, so that private network addresses are allocated and recovered dynamically.
Description
Technical field
The present invention relates to the field of virtual network management, and in particular to an ezvpn-based method and system for dynamically controlling private network address allocation and recovery.
Background technology
Ezvpn (short for Easy VPN, a Cisco-proprietary VPN technology) uses a PC with IPsec access capability as the client and a network device with IPsec capability as the IPsec server (the network device server can be a firewall with the ezvpn access function). During IPsec tunnel establishment between the network device and the PC, a private network address may optionally be allocated; once the PC has obtained this private network address, it can use it to communicate with the private network devices behind the network device, so that data packets are transmitted encrypted through the IPsec tunnel over the public network and, after decryption, the private network devices are accessed through the private network IP address. The allocation and recovery of private network IP addresses is handled entirely by the IPsec network device server. Normally, when the PC actively disconnects, or when the IPsec network device server detects that the tunnel is abnormal (the tunnel's built-in DPD, dead peer detection, mechanism can detect conditions such as an unreachable network) and actively tears down the IPsec tunnel connection, the private network IP address allocated to the PC is recovered and is reallocated to other PCs when they establish IPsec tunnels. The above allocation and recovery control procedure, however, has the following defect:
Financial staff member a of a company uses the ezvpn function of a PC with the public IP address 202.1.1.1 to initiate an IPsec tunnel connection to the IPsec network device server (public address 202.1.1.2). The network device server allocates the private network IP address 1.1.1.1 to a in the order of the private network address pool, and a uses 1.1.1.1 to access the finance server in the private network. Staff member a performs user authentication through the AAA functions of the finance server (authentication, authorization and accounting, the three security functions), and the finance server records the private network IP address 1.1.1.1 and authorizes it for the user. When a does not log out of the finance server through the normal flow, or the tunnel is disconnected for network reasons, the IPsec network device server recovers the private network IP address 1.1.1.1. Because 1.1.1.1 has been recovered, if ordinary employee b next connects to the IPsec network device server through ezvpn, b will very probably also be allocated the private network IP address 1.1.1.1, and b can then access the finance server to which b originally had no access rights, with very serious consequences.
In summary, because of the above flaw in the allocation and recovery of private network addresses, important data on the server, especially private data, can be accessed by client sides that originally had no access rights, causing immeasurable harm to information security.
Summary of the invention
(1) Technical problem to be solved
In view of the above defect, the technical problem to be solved by the present invention is how to control access rights during private network address recovery and thereby ensure information security.
(2) Technical solution
To solve the above problem, the invention provides an ezvpn-based method for dynamically controlling private network address allocation and recovery, the method specifically comprising:
S1: on the firewall, configure the first private network address as an access-delayed recovery address;
S2: a first client host establishes an IPsec tunnel connection with the firewall through ezvpn software, and the firewall allocates the first private network address to the first client host;
S3: the first client host accesses a first server through the firewall using the first private network address;
S4: if the IPsec tunnel established between the first client host and the firewall is disconnected, then when another client host re-establishes an IPsec tunnel connection with the firewall, query whether the first private network address has been recovered; if so, reallocate the first private network address to the other client host; otherwise retain the first private network address and allocate another private network address to the other client host.
Further, the first private network address is located at the first position of the private network address pool, and the other private network addresses are arranged in order in the pool.
Further, step S3 specifically comprises: the firewall receives and decrypts the ESP packet, strips its header, and obtains the address accessed by the first client host, the ESP packet containing the first private network address.
Further, step S3 also comprises: if the first client host accesses another server, the private network address recovery time is not updated; if the first client host accesses the first server again, the private network address recovery time is updated to the current time.
Further, the disconnection of the IPsec tunnel in step S4 comprises: active disconnection by the first client host, or the firewall detecting a link abnormality through its keepalive mechanism and disconnecting automatically.
To solve the above problem, the invention also provides an ezvpn-based system for dynamically controlling private network address allocation and recovery, the system comprising:
a client unit, a firewall and a server unit;
the server unit comprises a first server, which the first client host accesses using the first private network address;
a first client host in the client unit establishes an IPsec tunnel connection with the firewall through ezvpn software, and accesses the first server through the firewall using the first private network address;
the firewall is used to configure the first private network address as an access-delayed recovery address and to allocate the first private network address to the first client host, the IPsec tunnel established with the first client host being disconnected after the delay time has elapsed; if the IPsec tunnel established between the first client host and the firewall is disconnected, then when another client host in the client unit re-establishes an IPsec tunnel connection with the firewall, the firewall queries whether the first private network address has been recovered; if so, it reallocates the first private network address to the other client host; otherwise it retains the first private network address and allocates another private network address to the other client host.
Further, the first private network address is located at the first position of the private network address pool, and the other private network addresses are arranged in order in the pool.
Further, the firewall receives and decrypts the ESP packet, strips its header, and obtains the address accessed by the first client host, the ESP packet containing the first private network address.
Further, if the first client host accesses another server, the private network address recovery time is not updated; if the first client host accesses the first server again, the private network address recovery time is updated to the current time.
(3) Beneficial effects
The invention provides an ezvpn-based method and system for dynamically controlling private network address allocation and recovery. The accesses of ezvpn users are recorded, and when a PC user's tunnel is disconnected, the type of server accessed determines whether the private network address is recovered with a delay. Only a recovered private network address can be reallocated to another user; a private network address that has not been recovered is retained and recovered with a delay, that is, it is recovered only when the delay time is reached. Private network addresses are thus reasonably allocated and recovered with a delay, achieving dynamic allocation and recovery.
Description of drawings
Fig. 1 is a flow chart of the steps of an ezvpn-based method for dynamically controlling private network address allocation and recovery in embodiment one of the invention;
Fig. 2 is a schematic diagram of the interface connections between the firewall, the client and the servers in embodiment one of the invention;
Fig. 3 is a schematic diagram of the composition of an ezvpn-based system for dynamically controlling private network address allocation and recovery in embodiment two of the invention.
Embodiment
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples are intended to illustrate the invention, not to limit its scope.
Embodiment one
Embodiment one of the invention provides an ezvpn-based method for dynamically controlling private network address allocation and recovery; as shown in Fig. 1, the method specifically comprises the following steps:
Step S1: on the firewall, configure the first private network address as an access-delayed recovery address.
The first private network address is located at the first position of the private network address pool, and the other private network addresses are arranged in order in the pool.
The interface connections between the firewall, the client and the servers in this embodiment are shown in Fig. 2: the local IP address of the first client host PC1 is 202.1.1.1, the local IP address of the second client host PC2 is 202.1.1.2, the IP address of the external interface of the firewall fw_server is 202.1.1.3 and that of its internal interface is 172.0.0.1, the private network address pool is 172.0.0.2 to 172.0.0.100, the IP address of the first server is 172.0.0.101, and the IP address of the second server is 172.0.0.102.
Let 172.0.0.2 be the first private network address, at the first position of the private network address pool, with the other private network addresses 172.0.0.3 to 172.0.0.100 arranged in order after it. In this embodiment the configured access-delayed recovery address is 172.0.0.2, and the configured delay time is 1 hour.
Step S2: the first client host establishes an IPsec tunnel connection with the firewall through ezvpn software, and the firewall allocates the first private network address to the first client host.
In this embodiment the firewall fw_server allocates the private network address 172.0.0.2 to the first client host PC1. The firewall receives and decrypts the ESP packet, strips its header and obtains the address accessed by PC1; the ESP packet contains the first private network address. At the same time, the initial recovery timer of the private network address allocated to PC1 is set to 9:45. PC1 accesses the first server (IP address 172.0.0.101) using the first private network address 172.0.0.2.
From the initial time of 9:45 until the delay time ends (the delay time is 1 hour, so the timer ends at 10:45), if PC1 accesses another server (such as the second server Httpserver2) the private network address recovery time is not updated; if PC1 accesses the first server Httpserver1 again (for example at 10:15), the private network address recovery time is updated to the current time, 10:15.
Step S3: the first client host accesses the first server through the firewall using the first private network address.
PC1 accesses the first server (IP address 172.0.0.101) using the first private network address 172.0.0.2, and the recorded private network address recovery time is 9:45.
Step S4: if the IPsec tunnel established between the first client host and the firewall is disconnected, then when another client host re-establishes an IPsec tunnel connection with the firewall, query whether the first private network address has been recovered; if so, reallocate the first private network address to the other client host; otherwise retain the first private network address and allocate another private network address to the other client host.
If the second client host PC2 establishes an IPsec tunnel connection with the firewall fw_server, the usage state of the first private network address 172.0.0.2 (that is, whether it has been recovered) is queried first. If 172.0.0.2 has been recovered, it is placed back at the first position of the private network address pool and can be reallocated, so it is allocated to PC2, and PC2 accesses the corresponding server through fw_server. If on the contrary 172.0.0.2 has not been recovered, it is still marked as in use and is therefore retained and cannot be allocated to another client host. This prevents a second client host that should not be able to access the finance server from accessing it, and so protects the data on the finance server.
With the above method, the accesses of ezvpn users are recorded, and when a PC user's tunnel is disconnected, the type of server accessed determines whether the private network address is recovered with a delay. Only a recovered private network address can be reallocated to another user; a private network address that has not been recovered is retained until the delay time is reached and only then recovered. Private network addresses are thus reasonably allocated and recovered with a delay, achieving dynamic allocation and recovery.
Embodiment two
Embodiment two of the invention provides an ezvpn-based system for dynamically controlling private network address allocation and recovery, whose composition is shown in Fig. 3; the system comprises:
The IPsec tunnel established between the firewall 32 and the first client host 311 is disconnected. Disconnection of the IPsec tunnel comprises: active disconnection by the first client host 311, or the firewall 32 detecting a link abnormality through its keepalive mechanism and disconnecting automatically; that is, the specific cause is either that the user operates the device to disconnect, or that the keepalive mechanism of the IPsec tunnel detects a link abnormality and disconnects automatically.
When another client host in the client unit 31 (such as the second client host 312) re-establishes an IPsec tunnel connection with the firewall 32, the firewall queries whether the first private network address 172.0.0.2 has been recovered; if so, 172.0.0.2 is reallocated; otherwise 172.0.0.2 is retained and another private network address is allocated to the other client host. If the first client host 311 accesses another server, the private network address recovery time is not updated; if the first client host 311 accesses the first server 331 again, the private network address recovery time is updated to the current time.
The firewall 32 checks whether the first client host 311 accessed the first server (Httpserver1) 331. If not, it recovers the first private network address 172.0.0.2 directly; otherwise it checks the last access time: if the time elapsed from the initial time to the current time has not reached the delay time, 172.0.0.2 is recovered after the remaining time (for example, if the last access time is 30 minutes before the final delayed recovery time, 172.0.0.2 is recovered after the remaining 30 minutes); otherwise 172.0.0.2 is recovered directly.
If the second client host 332 establishes an IPsec tunnel connection with the firewall (fw_server) 32, the usage state of the first private network address 172.0.0.2 (that is, whether it has been recovered) is queried first. If 172.0.0.2 has been recovered, it is placed back at the first position of the private network address pool and can be reallocated, so it is allocated to the second client host 332, which accesses the corresponding server through the firewall (fw_server) 32. If on the contrary 172.0.0.2 has not been recovered, it is still marked as in use and is therefore retained and cannot be allocated to another client host.
With the above system, the accesses of ezvpn users are recorded, and when a PC user's tunnel is disconnected, the type of server accessed determines whether the private network address is recovered with a delay. Only a recovered private network address can be reallocated to another user; a private network address that has not been recovered is retained until the delay time is reached and only then recovered. Private network addresses are thus reasonably allocated and recovered with a delay, achieving dynamic allocation and recovery.
The above embodiments are only intended to illustrate the invention and not to limit it. Those of ordinary skill in the relevant technical field may make various changes and modifications without departing from the spirit and scope of the invention; all equivalent technical solutions therefore also fall within the scope of the invention, and the scope of patent protection of the invention should be defined by the claims.
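The allocation and delayed-recovery rule of embodiments one and two, as an added example that is not code from the patent or from any vendor's ezvpn implementation. It models the firewall's address pool with the values of embodiment one (pool 172.0.0.2 to 172.0.0.100, access-delayed recovery address 172.0.0.2, first server 172.0.0.101, delay 1 hour); the class, function and flag names and all timestamps are assumptions constructed for the walk-through, and turning the `delayed_recovery` flag off reproduces the immediate reallocation described as the defect in the background section.

```python
"""Added example (not the patent's or any vendor's code): a model of the
firewall's ezvpn private-address pool with access-delayed recovery.

Values from embodiment one: pool 172.0.0.2-172.0.0.100, access-delayed
recovery address 172.0.0.2, first (finance) server 172.0.0.101, delay 1 hour.
Class, function and flag names and all timestamps are constructed here.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional


def at(hh: int, mm: int) -> datetime:
    """Constructed timestamp on the filing date, used by the walk-through."""
    return datetime(2013, 3, 26, hh, mm)


@dataclass
class Lease:
    client: str                                       # e.g. "PC1"
    last_sensitive_access: Optional[datetime] = None  # recovery timer (step S3)


@dataclass
class AddressPool:
    first: str = "172.0.0.2"
    last: str = "172.0.0.100"
    delayed_addr: str = "172.0.0.2"        # S1: access-delayed recovery address
    sensitive_server: str = "172.0.0.101"  # the "first server"
    delay: timedelta = timedelta(hours=1)
    delayed_recovery: bool = True          # False = original immediate recovery
    leases: dict[str, Lease] = field(default_factory=dict)
    held_until: dict[str, datetime] = field(default_factory=dict)

    def _addresses(self):
        # Pool order: the delayed address sits first, the rest follow in order.
        lo = int(ipaddress.IPv4Address(self.first))
        hi = int(ipaddress.IPv4Address(self.last))
        for n in range(lo, hi + 1):
            yield str(ipaddress.IPv4Address(n))

    def _expire_holds(self, now: datetime) -> None:
        # A held address returns to the first position once its delay is reached.
        for addr, until in list(self.held_until.items()):
            if now >= until:
                del self.held_until[addr]

    def assign(self, client: str, now: datetime) -> str:
        """S2/S4: allocate the first address that is neither leased nor held."""
        self._expire_holds(now)
        for addr in self._addresses():
            if addr not in self.leases and addr not in self.held_until:
                self.leases[addr] = Lease(client)
                return addr
        raise RuntimeError("private network address pool exhausted")

    def record_access(self, addr: str, dst: str, now: datetime) -> None:
        """S3: after ESP decryption the firewall sees the destination; only an
        access to the first server moves the recovery timer to the current time."""
        if dst == self.sensitive_server:
            self.leases[addr].last_sensitive_access = now

    def disconnect(self, addr: str, now: datetime) -> Optional[datetime]:
        """S4: on tunnel teardown, recover at once, or hold the delayed address
        until (last access to the first server + delay). Returns the release
        time when the address is held, None when it is recovered immediately."""
        lease = self.leases.pop(addr)
        if (self.delayed_recovery and addr == self.delayed_addr
                and lease.last_sensitive_access is not None):
            release_at = lease.last_sensitive_access + self.delay
            if release_at > now:            # delay not yet reached: keep it
                self.held_until[addr] = release_at
                return release_at
        return None

    def is_recovered(self, addr: str, now: datetime) -> bool:
        self._expire_holds(now)
        return addr not in self.leases and addr not in self.held_until


def walkthrough(delayed_recovery: bool = True):
    """Replays the timeline of embodiment one; returns the three allocations
    and the release time ("HH:MM") the disconnect produced, or None."""
    pool = AddressPool(delayed_recovery=delayed_recovery)
    a1 = pool.assign("PC1", at(9, 45))                  # PC1 gets 172.0.0.2
    pool.record_access(a1, "172.0.0.101", at(9, 45))    # timer = 9:45
    pool.record_access(a1, "172.0.0.102", at(10, 0))    # Httpserver2: no update
    pool.record_access(a1, "172.0.0.101", at(10, 15))   # timer = 10:15
    release = pool.disconnect(a1, at(10, 30))           # held until 11:15 if delayed
    a2 = pool.assign("PC2", at(10, 40))                 # .3 if delayed, .2 if not
    a3 = pool.assign("PC3", at(11, 20))                 # .2 once the hold expired
    return a1, a2, a3, release.strftime("%H:%M") if release else None


if __name__ == "__main__":
    print("delayed recovery:  ", walkthrough(True))
    print("immediate recovery:", walkthrough(False))
```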
Claims (9)
1. An ezvpn-based method for dynamically controlling private network address allocation and recovery, characterized in that the method specifically comprises:
S1: on the firewall, configure the first private network address as an access-delayed recovery address;
S2: a first client host establishes an IPsec tunnel connection with the firewall through ezvpn software, and the firewall allocates the first private network address to the first client host;
S3: the first client host accesses a first server through the firewall using the first private network address;
S4: if the IPsec tunnel established between the first client host and the firewall is disconnected, then when another client host re-establishes an IPsec tunnel connection with the firewall, query whether the first private network address has been recovered; if so, reallocate the first private network address to the other client host; otherwise retain the first private network address and allocate another private network address to the other client host.
2. The method of claim 1, characterized in that the first private network address is located at the first position of the private network address pool, and the other private network addresses are arranged in order in the pool.
3. The method of claim 1, characterized in that step S3 specifically comprises: the firewall receives and decrypts the ESP packet, strips its header, and obtains the address accessed by the first client host, the ESP packet containing the first private network address.
4. The method of claim 1, characterized in that step S3 also comprises: if the first client host accesses another server, the private network address recovery time is not updated; if the first client host accesses the first server again, the private network address recovery time is updated to the current time.
5. The method of claim 1, characterized in that the disconnection of the IPsec tunnel in step S4 comprises: active disconnection by the first client host, or the firewall detecting a link abnormality through its keepalive mechanism and disconnecting automatically.
6. An ezvpn-based system for dynamically controlling private network address allocation and recovery, characterized in that the system comprises:
a client unit, a firewall and a server unit;
the server unit comprises a first server;
a first client host in the client unit establishes an IPsec tunnel connection with the firewall through ezvpn software, and accesses the first server through the firewall using the first private network address;
the firewall is used to configure the first private network address as an access-delayed recovery address and to allocate the first private network address to the first client host, the IPsec tunnel established with the first client host being disconnected after the delay time has elapsed; if the IPsec tunnel established between the first client host and the firewall is disconnected, then when another client host in the client unit re-establishes an IPsec tunnel connection with the firewall, the firewall queries whether the first private network address has been recovered; if so, it reallocates the first private network address to the other client host; otherwise it retains the first private network address and allocates another private network address to the other client host.
7. The system of claim 6, characterized in that the first private network address is located at the first position of the private network address pool, and the other private network addresses are arranged in order in the pool.
8. The system of claim 6, characterized in that the firewall receives and decrypts the ESP packet, strips its header, and obtains the address accessed by the first client host, the ESP packet containing the first private network address.
9. The system of claim 6, characterized in that if the first client host accesses another server, the private network address recovery time is not updated; if the first client host accesses the first server again, the private network address recovery time is updated to the current time.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310100191.4A CN103188266B (en) | 2013-03-26 | 2013-03-26 | A kind of address assignment based on ezvpn reclaims dynamic control method and system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103188266A true CN103188266A (en) | 2013-07-03 |
CN103188266B CN103188266B (en) | 2015-12-02 |
Family
ID=48679231
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104125242A (en) * | 2014-08-18 | 2014-10-29 | 北京阅联信息技术有限公司 | Protection method and protection device capable of recognizing DDOS (distributed denial of service) attacks camouflaged as LDNS (local domain name server) requests |
WO2016202014A1 (en) * | 2015-06-17 | 2016-12-22 | 中兴通讯股份有限公司 | Method and device for recycling ip address |
CN106682821A (en) * | 2016-12-16 | 2017-05-17 | 南京轨道交通系统工程有限公司 | Unified management control method for rail transit system users |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1701573A (en) * | 2003-07-04 | 2005-11-23 | 日本电信电话株式会社 | Remote access vpn mediation method and mediation device |
CN101742491A (en) * | 2009-12-04 | 2010-06-16 | 同济大学 | Method for exchanging and consulting secret keys between mobile device and safe access gateway |
CN102611700A (en) * | 2012-02-24 | 2012-07-25 | 汉柏科技有限公司 | Method for realizing VPN (Virtual Private Network) access under transparent mode |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20151202; Termination date: 20180326 |