CN103188266B - Dynamic control method and system for EzVPN-based address allocation and reclamation - Google Patents


Info

Publication number: CN103188266B
Application number: CN201310100191.4A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN103188266A (en)
Inventor: 陈海滨
Current assignee: Opzoon Technology Co Ltd
Original assignee: Opzoon Technology Co Ltd
Application filed by Opzoon Technology Co Ltd
Legal status: Expired - Fee Related

Abstract

The invention discloses an EzVPN-based dynamic control method and system for allocating and reclaiming private-network addresses. A first client host establishes an IPsec tunnel to a firewall through EzVPN software, and the firewall allocates it a first private-network address. If the IPsec tunnel between the first client host and the firewall is torn down and another client host later establishes an IPsec tunnel to the firewall, the firewall first checks whether the first private-network address has been reclaimed: if so, it reassigns the first private-network address to the other client host; otherwise it keeps the first private-network address reserved and allocates the other client host a different private-network address. The invention records each user's accesses and, according to the type of server that was accessed, decides whether to reclaim the private-network address immediately when the IPsec tunnel drops or to delay its reclamation. Only a reclaimed private-network address can be reassigned to another user, so private-network addresses are allocated and reclaimed dynamically.

Description

Dynamic control method and system for EzVPN-based address allocation and reclamation
Technical field
The present invention relates to the field of virtual network management, and in particular to an EzVPN-based dynamic control method and system for allocating and reclaiming private-network addresses.
Background
EzVPN (short for Easy VPN, a proprietary Cisco VPN technology) uses a PC with IPsec access capability as the client and a network device with IPsec capability as the IPsec server (the server device can be a firewall with EzVPN access capability). While the network device and the PC set up the IPsec tunnel, a private-network address can optionally be allocated to the PC. Once the PC holds this private-network address it can use it to communicate with the private-network devices behind the network device: data packets travel encrypted through the public-network IPsec tunnel and, after decryption, reach the private-network devices via the private-network IP address. Allocation and reclamation of private-network IP addresses is therefore entirely the responsibility of the IPsec server device. Normally, when the PC disconnects on its own, or when the IPsec server device detects a tunnel anomaly (the IPsec tunnel's built-in DPD, dead peer detection, function can detect conditions such as an unreachable network) and tears the tunnel down itself, the private-network IP address the IPsec device allocated to the PC is reclaimed, and it is reallocated to another PC when that PC sets up an IPsec tunnel. This allocation and reclamation process has the following defect:
Financial staff member a of a company uses the EzVPN function of a PC whose external IP address is 202.1.1.1 to initiate an IPsec tunnel to the IPsec server device (external address 202.1.1.2). The server device allocates private-network IP address 1.1.1.1 to a in the order of the private-network address pool, and a uses 1.1.1.1 to access the finance server on the private network. At this point a is authenticated through the finance server's AAA function (the three security functions of authentication, authorization and accounting), and the finance server records private-network IP address 1.1.1.1 as an authorized user. If a does not log out of the finance server through the normal procedure, or the tunnel drops for network reasons, the IPsec server device reclaims private-network IP address 1.1.1.1. Once 1.1.1.1 has been reclaimed, if an ordinary employee b next connects to the IPsec server device through EzVPN, there is a high probability that b is also allocated 1.1.1.1, and b can then access the finance server to which b originally had no access rights, with very serious consequences.
In summary, because of this vulnerability in the allocation and reclamation of private-network addresses, important data on servers, and confidential data in particular, can be accessed by client hosts that originally had no access rights, causing immeasurable harm to information security.
Summary of the invention
(1) Technical problem to be solved
In view of the above defect, the technical problem to be solved by the present invention is how to solve the problem in private-network address reclamation, so that access rights are controlled and information security is ensured.
(2) Technical solution
To solve the above problem, the invention provides an EzVPN-based dynamic control method for allocating and reclaiming addresses, which specifically comprises:
S1: setting a first private-network address on the firewall as an access delayed-reclamation address;
S2: a first client host establishing an IPsec tunnel connection to the firewall through EzVPN software, and the firewall allocating the first private-network address to the first client host;
S3: the first client host accessing a first server through the firewall using the first private-network address;
S4: if the IPsec tunnel between the first client host and the firewall is torn down, then when another client host establishes an IPsec tunnel connection to the firewall, checking whether the first private-network address has been reclaimed; if so, reassigning the first private-network address to the other client host, otherwise keeping the first private-network address reserved and allocating the other client host a different private-network address.
Further, the first private-network address is at the head of the private-network address pool, and the other private-network addresses are arranged in order in the pool.
Further, step S3 specifically comprises: the firewall receives the ESP packet and decrypts it, strips its headers, and obtains the address the first client host is accessing; the ESP packet carries the first private-network address.
Further, step S3 also comprises: when the first client host accesses another server, the current time of the private-network address reclamation timer is not refreshed; if the first client host accesses the first server again, the current time of the reclamation timer is refreshed.
Further, in step S4 the IPsec tunnel being torn down comprises: the first client host disconnecting on its own, or the firewall automatically detecting an abnormal link drop through the keepalive mechanism.
To solve the above problem, the invention also provides an EzVPN-based dynamic control system for allocating and reclaiming addresses, which comprises:
a client unit, a firewall and a server unit;
the server unit comprises a first server, and the first client host accesses the first server using the first private-network address;
the first client host in the client unit establishes an IPsec tunnel connection to the firewall through EzVPN software and accesses the first server through the firewall using the first private-network address;
the firewall is used to set the first private-network address as an access delayed-reclamation address and to allocate the first private-network address to the first client host, and, after the delay time, the IPsec tunnel established with the first client host is torn down; if the IPsec tunnel between the first client host and the firewall is torn down, then when another client host in the client unit establishes an IPsec tunnel connection to the firewall, the firewall checks whether the first private-network address has been reclaimed; if so, it reassigns the first private-network address to the other client host, otherwise it keeps the first private-network address reserved and allocates the other client host a different private-network address.
Further, the first private-network address is at the head of the private-network address pool, and the other private-network addresses are arranged in order in the pool.
Further, the firewall receives the ESP packet and decrypts it, strips its headers, and obtains the address the first client host is accessing; the ESP packet carries the first private-network address.
Further, when the first client host accesses another server, the current time of the private-network address reclamation timer is not refreshed; if the first client host accesses the first server again, the current time of the reclamation timer is refreshed.
(3) Beneficial effects
The invention provides an EzVPN-based dynamic control method and system for allocating and reclaiming addresses. By recording the accesses of EzVPN users and deciding, according to the type of server accessed, whether the private-network address is subject to delayed reclamation when the PC user's tunnel drops, only reclaimed private-network addresses can be reassigned to other users, while private-network addresses not yet reclaimed remain reserved and are reclaimed with a delay, that is, only once the delay time has elapsed. This achieves reasonable allocation and delayed reclamation of private-network addresses, so that private-network addresses are allocated and reclaimed dynamically.
Brief description of the drawings
Fig. 1 is a flow chart of the steps of the EzVPN-based dynamic control method for address allocation and reclamation in embodiment one of the present invention;
Fig. 2 is a diagram of the interface connections between the firewall, the clients and the servers in embodiment one;
Fig. 3 is a schematic diagram of the composition of the EzVPN-based dynamic control system for address allocation and reclamation in embodiment two.
Detailed description of the embodiments
The specific embodiments of the present invention are described in further detail below with reference to the drawings and examples. The following examples illustrate the invention but do not limit its scope.
Embodiment one
Embodiment one provides an EzVPN-based dynamic control method for allocating and reclaiming addresses; its steps, shown in Fig. 1, are as follows:
Step S1: set a first private-network address on the firewall as the access delayed-reclamation address.
The first private-network address is at the head of the private-network address pool, and the other private-network addresses are arranged in order in the pool.
Fig. 2 shows the interface connections between the firewall, the clients and the servers in this embodiment: the local IP address of the first client host PC1 is 202.1.1.1, the local IP address of the second client host PC2 is 202.1.1.2, the IP address of the external interface of the firewall fw_server is 202.1.1.3 and that of its internal interface is 172.0.0.1, the private-network address pool is 172.0.0.2 to 172.0.0.100, the IP address of the first server is 172.0.0.101, and the IP address of the second server is 172.0.0.102.
Let 172.0.0.2, at the head of the pool, be the first private-network address, with the other private-network addresses 172.0.0.3 to 172.0.0.100 arranged in order after it. In this embodiment the access delayed-reclamation address is configured as 172.0.0.2, and the delay time is configured as 1 hour.
Step S2: the first client host establishes an IPsec tunnel connection to the firewall through EzVPN software, and the firewall allocates the first private-network address to the first client host.
In this embodiment the firewall fw_server allocates private-network address 172.0.0.2 to the first client host PC1. The firewall receives the ESP packet and decrypts it, strips its headers and obtains the address PC1 is accessing; the ESP packet carries the first private-network address. The start time of the reclamation timer for the private-network address allocated to PC1 is set to 9:45. PC1 accesses the first server (IP address 172.0.0.101) using the first private-network address 172.0.0.2.
Between the start time of 9:45 and the end of the delay time (the delay is 1 hour, so the timer would expire at 10:45), if PC1 accesses another server (for example the second server Httpserver2) the current time of the reclamation timer is not refreshed; if PC1 accesses the first server Httpserver1 again, the current time of the reclamation timer is refreshed, to 10:15 for example.
Step S3: the first client host accesses the first server through the firewall using the first private-network address.
PC1 accesses the first server (IP address 172.0.0.101) using the first private-network address 172.0.0.2, and the current time of the reclamation timer is recorded as 9:45.
Step S4: if the IPsec tunnel between the first client host and the firewall is torn down, then when another client host establishes an IPsec tunnel connection to the firewall, check whether the first private-network address has been reclaimed; if so, reassign the first private-network address to the other client host, otherwise keep the first private-network address reserved and allocate the other client host a different private-network address.
If the second client host PC2 establishes an IPsec tunnel connection to the firewall fw_server, the usage state of the first private-network address 172.0.0.2 (that is, whether it has been reclaimed) is checked first. If 172.0.0.2 has been reclaimed, it is put back at the head of the pool and can be reallocated, so it can be allocated to PC2, which then accesses the corresponding server through fw_server. If instead 172.0.0.2 has not been reclaimed, it is still marked as in use, so it is kept reserved and cannot be allocated to any other client host. This prevents a second client host that should not be able to reach the finance server from accessing it, and removes the threat to the data on the finance server.
Through this method, by recording the accesses of EzVPN users and deciding, according to the type of server accessed, whether the private-network address is subject to delayed reclamation when the PC user's tunnel drops, only reclaimed private-network addresses can be reassigned to other users, while private-network addresses not yet reclaimed remain reserved and are reclaimed only once the delay time has elapsed. This achieves reasonable allocation and delayed reclamation of private-network addresses, so that private-network addresses are allocated and reclaimed dynamically.
Embodiment two
Embodiment two provides an EzVPN-based dynamic control system for allocating and reclaiming addresses; its composition, shown in Fig. 3, comprises:
a client unit 31, a firewall 32 and a server unit 33.
The server unit 33 comprises a first server 331. The first client host 311 in the client unit 31 establishes an IPsec tunnel connection to the firewall 32 through EzVPN software and accesses the first server 331 through the firewall 32 using the first private-network address 172.0.0.2. The first private-network address 172.0.0.2 is at the head of the private-network address pool (172.0.0.2 to 172.0.0.100), and the other private-network addresses (172.0.0.3 to 172.0.0.100) are arranged in order in the pool.
The firewall 32 is used to set the first private-network address as the access delayed-reclamation address, with the delay time configured as 1 hour, and to allocate the first private-network address 172.0.0.2 to the first client host 311, setting the start time to 9:45.
The IPsec tunnel between the firewall 32 and the first client host 311 is torn down. The tunnel being torn down comprises: the first client host 311 disconnecting on its own, or the firewall 32 automatically detecting an abnormal link drop through the keepalive mechanism; that is, the specific cause is either the user disconnecting the device, or the keepalive mechanism of the IPsec tunnel automatically detecting an abnormal link drop.
The firewall 32 receives the ESP packet and decrypts it, strips its headers and obtains the address the first client host 311 is accessing; the ESP packet carries the first private-network address 172.0.0.2.
When another client host in the client unit 31 (for example the second client host 312) establishes an IPsec tunnel connection to the firewall 32, the firewall checks whether the first private-network address 172.0.0.2 has been reclaimed; if so, 172.0.0.2 is reallocated, otherwise 172.0.0.2 is kept reserved and the other client host is allocated a different private-network address. When the first client host 311 accesses another server, the current time of the reclamation timer is not refreshed; if the first client host 311 accesses the first server 331 again, the current time of the reclamation timer is refreshed.
The server unit 33 comprises the first server 331, and the first client host 311 accesses the first server (Httpserver1) 331 using the first private-network address 172.0.0.2.
The firewall 32 checks whether the first client host 311 has accessed the first server (Httpserver1) 331. If it has not, the first private-network address 172.0.0.2 is reclaimed immediately. Otherwise the firewall checks the last access time: if the difference between the start time and the current time has not yet reached the delay time, 172.0.0.2 is reclaimed once the remaining time has elapsed (for example, if 30 minutes remain between the last access time and the final delayed-reclamation time, 172.0.0.2 is reclaimed after those remaining 30 minutes); otherwise 172.0.0.2 is reclaimed immediately.
If the second client host 332 establishes an IPsec tunnel connection to the firewall (fw_server) 32, the usage state of the first private-network address 172.0.0.2 (that is, whether it has been reclaimed) is checked first. If 172.0.0.2 has been reclaimed, it is put back at the head of the pool and can be reallocated, so it can be allocated to the second client host 332, which then accesses the corresponding server through the firewall (fw_server) 32. If instead 172.0.0.2 has not been reclaimed, it is still marked as in use, so it is kept reserved and cannot be allocated to any other client host.
By using this system, by recording the accesses of EzVPN users and deciding, according to the type of server accessed, whether the private-network address is subject to delayed reclamation when the PC user's tunnel drops, only reclaimed private-network addresses can be reassigned to other users, while private-network addresses not yet reclaimed remain reserved and are reclaimed only once the delay time has elapsed. This achieves reasonable allocation and delayed reclamation of private-network addresses, so that private-network addresses are allocated and reclaimed dynamically.
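The reclamation rule of embodiments one and two as a runnable Python model, added here as an example and not code from the patent or its assignee: the pool with the delayed-reclamation address at its head, the timer that only accesses to the protected server refresh, the immediate-versus-reserved decision at tunnel teardown, and the check run when the next client connects. The class and function names, the lazy expiry check at connect time and the PC1/PC2/PC3 replay are my assumptions; the addresses, delay and clock times are the embodiment's.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address, ip_address
from typing import Dict, List, Optional


@dataclass
class Lease:
    """Per-address state the firewall keeps for an EzVPN client (assumed layout)."""
    client: str
    timer: datetime                          # start time; refreshed only by protected-server access
    touched_protected: bool = False          # has this client ever reached the protected server?
    released_at: Optional[datetime] = None   # set when the IPsec tunnel went down


class DelayedReclaimPool:
    """Private-network address pool with the patent's delayed-reclamation rule.

    The head of the pool is the 'access delayed-reclamation address'. If its
    holder has used the protected server, the address stays reserved until
    `delay` has elapsed since the last such access; every other address (and
    the head address if the protected server was never touched) is reclaimed
    as soon as the tunnel drops.
    """

    def __init__(self, first: str, last: str, protected_server: str, delay: timedelta):
        lo, hi = int(ip_address(first)), int(ip_address(last))
        self.order: List[str] = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.delayed_addr = self.order[0]
        self.protected_server = protected_server
        self.delay = delay
        self.leases: Dict[str, Lease] = {}   # address -> lease (in use or reserved)

    def connect(self, client: str, now: datetime) -> str:
        """S2/S4: tunnel up; hand out the first address that is neither in use nor reserved."""
        self._expire_reserved(now)
        for addr in self.order:
            if addr not in self.leases:
                self.leases[addr] = Lease(client=client, timer=now)
                return addr
        raise RuntimeError("private-network address pool exhausted")

    def record_access(self, addr: str, server: str, now: datetime) -> None:
        """S3: the firewall has decrypted an ESP packet and sees inner source and destination."""
        lease = self.leases[addr]
        if lease.released_at is not None:
            raise ValueError(f"{addr} is reserved, not in use")
        if addr == self.delayed_addr and server == self.protected_server:
            lease.touched_protected = True
            lease.timer = now                # accesses to other servers do not refresh the timer

    def disconnect(self, addr: str, now: datetime) -> str:
        """Tunnel down (client action or keepalive/DPD); returns 'reclaimed' or 'reserved'."""
        lease = self.leases[addr]
        if addr != self.delayed_addr or not lease.touched_protected:
            del self.leases[addr]
            return "reclaimed"
        lease.released_at = now
        return "reserved"

    def _expire_reserved(self, now: datetime) -> None:
        """Reserved addresses return to the pool once timer + delay has passed (checked lazily)."""
        for addr, lease in list(self.leases.items()):
            if lease.released_at is not None and now >= lease.timer + self.delay:
                del self.leases[addr]


def run_scenario(delay_hours: float) -> Dict[str, str]:
    """Constructed replay of embodiment one: PC1 uses the finance server, drops, then PC2 and PC3 connect.

    Addresses and clock times are the embodiment's; the calendar date is arbitrary.
    """
    def t(hh: int, mm: int) -> datetime:
        return datetime(2013, 3, 26, hh, mm)

    pool = DelayedReclaimPool("172.0.0.2", "172.0.0.100", "172.0.0.101", timedelta(hours=delay_hours))
    a = pool.connect("PC1", t(9, 45))                 # first address in pool order: 172.0.0.2
    pool.record_access(a, "172.0.0.101", t(9, 45))   # finance server: timer = 9:45
    pool.record_access(a, "172.0.0.102", t(10, 0))   # Httpserver2: no refresh
    pool.record_access(a, "172.0.0.101", t(10, 15))  # finance server again: timer = 10:15
    status = pool.disconnect(a, t(10, 30))
    b = pool.connect("PC2", t(10, 40))               # with a 1 h delay, .2 is held until 11:15
    c = pool.connect("PC3", t(11, 20))               # delay elapsed: .2 is back at the head of the pool
    return {"PC1": a, "PC1_disconnect": status, "PC2": b, "PC3": c}


def ordinary_address_example() -> str:
    """Constructed: only the head address gets delayed reclamation; a client on 172.0.0.3 does not."""
    pool = DelayedReclaimPool("172.0.0.2", "172.0.0.100", "172.0.0.101", timedelta(hours=1))
    now = datetime(2013, 3, 26, 9, 45)
    pool.connect("PC1", now)
    addr = pool.connect("PC2", now)                   # 172.0.0.3
    pool.record_access(addr, "172.0.0.101", now)      # even after reaching the finance server ...
    return pool.disconnect(addr, now)                 # ... it is reclaimed at once


if __name__ == "__main__":
    print("delayed reclamation:  ", run_scenario(1))
    print("immediate reclamation:", run_scenario(0))
    print("non-head address:     ", ordinary_address_example())
```

Running the replay with a delay of 0 reproduces the background defect, where PC2 immediately inherits 172.0.0.2 at 10:40; with the embodiment's 1 hour delay PC2 receives 172.0.0.3 and 172.0.0.2 is only handed out again after 11:15. The last function shows the rule's limit: the protection applies to the single configured head address, not to any address whose holder happens to reach the protected server.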
The above embodiments serve only to illustrate the present invention and do not limit it. Those of ordinary skill in the relevant technical field can make various changes and modifications without departing from the spirit and scope of the invention, so all equivalent technical solutions also fall within the scope of the invention, and the scope of patent protection is defined by the claims.

Claims (8)

1. An EzVPN-based dynamic control method for allocating and reclaiming addresses, characterized in that the method specifically comprises:
S1: setting a first private-network address on the firewall as an access delayed-reclamation address;
S2: a first client host establishing an IPsec tunnel connection to the firewall through EzVPN software, and the firewall allocating the first private-network address to the first client host;
S3: the first client host accessing a first server through the firewall using the first private-network address;
step S3 further comprising: when the first client host accesses another server, the current time of the private-network address reclamation timer is not refreshed; if the first client host accesses the first server again, the current time of the reclamation timer is refreshed;
S4: if the IPsec tunnel between the first client host and the firewall is torn down, then when another client host establishes an IPsec tunnel connection to the firewall, checking whether the first private-network address has been reclaimed; if so, reassigning the first private-network address to the other client host, otherwise keeping the first private-network address reserved and allocating the other client host a different private-network address.
2. The method of claim 1, characterized in that the first private-network address is at the head of the private-network address pool, and the other private-network addresses are arranged in order in the pool.
3. The method of claim 1, characterized in that step S3 specifically comprises: the firewall receiving the ESP packet and decrypting it, stripping its headers, and obtaining the address the first client host is accessing, the ESP packet carrying the first private-network address.
4. The method of claim 1, characterized in that in step S4 the IPsec tunnel being torn down comprises: the first client host disconnecting on its own, or the firewall automatically detecting an abnormal link drop through the keepalive mechanism.
5. An EzVPN-based dynamic control system for allocating and reclaiming addresses, characterized in that the system comprises:
a client unit, a firewall and a server unit;
the server unit comprising a first server;
the first client host in the client unit establishing an IPsec tunnel connection to the firewall through EzVPN software and accessing the first server through the firewall using a first private-network address;
the firewall being used to set the first private-network address as an access delayed-reclamation address and to allocate the first private-network address to the first client host, and, after the delay time, the IPsec tunnel established with the first client host being torn down; if the IPsec tunnel between the first client host and the firewall is torn down, then when another client host in the client unit establishes an IPsec tunnel connection to the firewall, the firewall checks whether the first private-network address has been reclaimed; if so, it reassigns the first private-network address to the other client host, otherwise it keeps the first private-network address reserved and allocates the other client host a different private-network address.
6. The system of claim 5, characterized in that the first private-network address is at the head of the private-network address pool, and the other private-network addresses are arranged in order in the pool.
7. The system of claim 5, characterized in that the firewall receives the ESP packet and decrypts it, strips its headers, and obtains the address the first client host is accessing, the ESP packet carrying the first private-network address.
8. The system of claim 5, characterized in that when the first client host accesses another server, the current time of the private-network address reclamation timer is not refreshed; if the first client host accesses the first server again, the current time of the reclamation timer is refreshed.
Priority application

Application number: CN201310100191.4A
Priority date: 2013-03-26
Filing date: 2013-03-26
Title: Dynamic control method and system for EzVPN-based address allocation and reclamation
Status: Expired - Fee Related

Publications

CN103188266A (en), published 2013-07-03
CN103188266B (en), granted patent, published 2015-12-02

Family

ID: 48679231
Country status: CN, CN103188266B (en)


Legal Events

Code  Title
C06   Publication
PB01  Publication
C10   Entry into substantive examination
SE01  Entry into force of request for substantive examination
C14   Grant of patent or utility model
GR01  Patent grant
CF01  Termination of patent right due to non-payment of annual fee

Granted publication date: 20151202

Termination date: 20180326