CN103188356B - NAT traversal method in which the external-network device maps IPsec packets - Google Patents
- Publication number: CN103188356B (application CN201310117516.XA)
- Authority: CN (China)
- Prior art keywords: message, address, outer net, ipsec, nat
- Legal status: Expired - Fee Related (the status listed by Google is an assumption, not a legal conclusion)
- Landscapes: Data Exchanges In Wide-Area Networks; Small-Scale Networks
Abstract
The present invention provides a NAT traversal method in which the external-network device maps IPsec packets. The method comprises: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it, obtaining a translated packet; the external-network device receives the translated packet, restores the IP address in it according to an address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet. The invention thereby achieves NAT traversal for packets that have been fully authenticated by the IPsec tunnel.
Description
Technical field
The present invention relates to the field of Internet technology, and in particular to a NAT traversal method in which the external-network device maps IPsec packets.
Background technology
The NAT (network address translation) function mainly translates the original private-network IP address of a packet into a public-network IP address so that the packet can be forwarded on the public network. An IPsec tunnel can process a data packet in three ways: encrypt the data packet, authenticate the data packet, or add a new IP header and authenticate the whole packet. The packet layouts are as follows:
| mac header | new IP header | IPsec encryption/authentication header | IP header | data |
In the packet above, the "| IP header | data |" part can be encrypted or authenticated.
| mac header | new IP header | IPsec full authentication header | IP header | data |
In the packet above, the "| new IP header | IPsec full authentication header | IP header | data |" part is authenticated.
Authenticating and encrypting a packet serve different functions, and the three processing modes above can be combined arbitrarily: an IPsec tunnel can only encrypt a packet, only partially authenticate it, or fully authenticate it, or it can encrypt and authenticate it. Packets that are encrypted, or only partially authenticated, can traverse NAT, but packets that are fully authenticated cannot. NAT traversal requires replacing the original IP address in the "| new IP header |", but because the IPsec tunnel has authenticated the whole packet, including the "| new IP header |", a NAT translation changes the source/destination address and the integrity check fails when the packet arrives at its destination: the IPsec tunnel endpoint that receives the packet cannot authenticate it, so NAT traversal cannot be achieved.
Summary of the invention
(1) Technical problem to be solved
The present invention provides a NAT traversal method in which the external-network device maps IPsec packets, solving the problem that packets fully authenticated by an IPsec tunnel cannot traverse NAT.
(2) Technical scheme
The present invention provides a NAT traversal method in which the external-network device maps IPsec packets, the method comprising:
S1: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it, obtaining a translated packet;
S2: the external-network device receives the translated packet, restores the IP address in it according to the address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet.
During the IPsec tunnel negotiation, the internal-network device sends the original IP address to the external-network device in an IKE message, and the external-network device creates the address mapping table from that original IP address and the IP header of the translated packet.
The NAT device is a firewall with a NAT translation function, and the external-network device is a firewall with an IPsec function.
The address mapping table contains the translated IP address and the original IP address it maps to.
(3) Beneficial effects
Under IPsec tunnel mode, by establishing an address mapping table on the external network, the present invention lets the external-network device restore packets that have undergone network address translation at the NAT device, thereby achieving NAT traversal.
Description of the drawings
Fig. 1 is a block diagram of the method of the invention.
Detailed description of the invention
The present invention is described in further detail below with reference to the drawings and specific embodiments.
The present invention provides a NAT traversal method in which the external-network device maps IPsec packets. As shown in Fig. 1, the method comprises:
S1: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it, obtaining a translated packet;
An internal-network client sends a packet to an external-network terminal, and the packet is transmitted through an IPsec tunnel, so an IPsec tunnel must first be negotiated between the internal and external security gateways. The NAT device receives the fully authenticated encapsulated packet, performs NAT address translation on it to obtain the translated packet, and sends the translated packet to the external network.
S2: the external-network device receives the translated packet, restores the IP address in it according to the address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet.
When the external-network device receives the translated packet and is about to authenticate it, it looks up the address mapping table created during IPsec tunnel establishment, restores the IP address in the packet, and then performs the authentication check.
During the IPsec tunnel negotiation, the internal-network device sends the original IP address to the external-network device in an IKE message; the IP address is carried to the external-network device as data in the IKE exchange. The external-network device compares this original IP address with the IP header of the translated packet, finds that the original IP address has been changed by the NAT device, and at that point creates the address mapping table.
Specific implementation: the devices shown in Table 1 are used.
Table 1

Device | Role |
---|---|
Pca | internal-network client |
Fwa | internal-network firewall with IPsec function |
Fwb | firewall with NAT translation function |
Fwc | external-network firewall with IPsec function |
Pcb | external-network access terminal |
Step 1: the internal-network client sends a packet to the external-network access terminal with the format | mac header | IP header src 1.1.1.1 dst 3.3.3.2 | data |. The packet must pass through Fwa, Fwb and Fwc to reach Pcb, and it is transmitted in IPsec tunnel mode: Fwa and Fwc negotiate an IPsec tunnel through the intermediate device Fwb. For Fwa, the IPsec tunnel's source address is 2.2.2.1 and its destination address is 202.1.1.2; for Fwc, the tunnel's source address is 202.1.1.2 and its destination address is 202.1.1.1.
After Fwa receives the packet from Pca destined for Pcb, it performs full authentication processing on the packet and encapsulates it with a new IP header, placing the authentication information in the "IPsec full authentication header". The resulting encapsulated packet has the following format:
| mac header | new IP header src 2.2.2.1 dst 202.1.1.2 | IPsec full authentication header | IP header src 1.1.1.1 dst 3.3.3.2 | data |
Step 2: the NAT firewall Fwb receives the encapsulated packet, performs NAT address translation on it to obtain the translated packet, and sends the translated packet to Fwc. The translated packet has the following structure: | mac header | new IP header src 202.1.1.1 dst 202.1.1.2 | IPsec full authentication header | IP header src 1.1.1.1 dst 3.3.3.2 | data |.
Step 3: Fwc receives the translated packet. When it is about to authenticate the packet, it looks up the address mapping table created during IPsec tunnel negotiation, restores the IP address in the packet, and then performs the authentication check. The restored packet has the following format:
| mac header | new IP header src 2.2.2.1 dst 202.1.1.2 | IPsec full authentication header | IP header src 1.1.1.1 dst 3.3.3.2 | data |
The packet now being authenticated is identical to the packet that Fwa authenticated, so the authentication succeeds, the whole IPsec tunnel processes the packet successfully, and NAT traversal is achieved.
Establishment of the address mapping table:
During the IPsec tunnel negotiation, Fwa, acting as the internal-network device, sends the original IP addresses (2.2.2.1, 202.1.1.2) to Fwc in an IKE (Internet Key Exchange) message, as an OA payload (original address payload). This content is carried to Fwc as data in the IKE exchange. Fwc compares the original IP information in this data with the IP information in the header of the translated packet and finds that the original IP address has been translated by the NAT device. Fwc then establishes the address mapping table, recording the translated IP address 202.1.1.1 and the mapped original IP address 2.2.2.1.
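The three steps and the mapping-table construction described above, modelled end to end as an added example (not the patent's own code): the "full authentication" header is simplified to an HMAC over the new IP header's addresses plus the inner packet, and the key, the inner payload and all function names are constructed assumptions.

```python
"""Added model of the patent's NAT traversal: Fwa fully authenticates the
encapsulated packet, Fwb rewrites the outer source address, and Fwc restores
it from the address mapping table built during IKE before verifying."""
import hashlib
import hmac
import ipaddress

KEY = b"constructed-demo-key"  # shared Fwa/Fwc authentication key (constructed)


def ah_icv(key: bytes, outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Integrity check value covering the new IP header's addresses and the whole
    inner packet, so any change to the outer source address breaks it."""
    covered = (ipaddress.ip_address(outer_src).packed
               + ipaddress.ip_address(outer_dst).packed + inner)
    return hmac.new(key, covered, hashlib.sha256).digest()[:12]


def fwa_encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> dict:
    """Step 1 (Fwa): add the new IP header and authenticate the full packet."""
    return {"outer_src": tunnel_src, "outer_dst": tunnel_dst, "inner": inner,
            "icv": ah_icv(KEY, tunnel_src, tunnel_dst, inner)}


def fwb_nat(pkt: dict, public_src: str) -> dict:
    """Step 2 (Fwb): source NAT rewrites only the outer source address; the ICV
    computed by Fwa is left untouched and no longer matches the header."""
    return {**pkt, "outer_src": public_src}


def fwc_build_mapping(oa_payload_src: str, pkt: dict) -> dict:
    """During IKE, Fwc compares the original address carried as data (the OA
    payload) with the outer header it actually received; a mismatch means the
    address was translated, and the table maps translated -> original."""
    if oa_payload_src != pkt["outer_src"]:
        return {pkt["outer_src"]: oa_payload_src}
    return {}


def fwc_verify(pkt: dict, mapping: dict) -> bool:
    """Step 3 (Fwc): restore the original outer source address from the mapping
    table, recompute the ICV over the restored packet and compare in constant time."""
    restored_src = mapping.get(pkt["outer_src"], pkt["outer_src"])
    expected = ah_icv(KEY, restored_src, pkt["outer_dst"], pkt["inner"])
    return hmac.compare_digest(expected, pkt["icv"])


def demo() -> tuple:
    """Run the page's scenario: tunnel 2.2.2.1 -> 202.1.1.2, NAT to 202.1.1.1."""
    inner = b"IP src 1.1.1.1 dst 3.3.3.2 | data"      # constructed inner packet
    pkt = fwa_encapsulate(inner, "2.2.2.1", "202.1.1.2")
    translated = fwb_nat(pkt, "202.1.1.1")
    mapping = fwc_build_mapping("2.2.2.1", translated)
    without_table = fwc_verify(translated, {})          # fails: header changed
    with_table = fwc_verify(translated, mapping)        # succeeds after restore
    return without_table, with_table, mapping
```

Note that the table only undoes the address rewrite: a packet whose inner content was altered in transit still fails verification after restoration, which is the property the full authentication is meant to keep.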
The present invention solves the NAT traversal problem from the standpoint of the external network: the negotiation process is controlled by the existing protocol to obtain the original IP address, so the translation table is established automatically.
The above is only a preferred embodiment of the present invention; it should be pointed out that those skilled in the art can make improvements and substitutions without departing from the technical principles of the present invention, and such improvements and substitutions should also be regarded as falling within the protection scope of the present invention.
Claims (3)
1. A NAT traversal method in which the external-network device maps IPsec packets, characterised in that the method comprises:
S1: a NAT device receives an encapsulated packet that has been fully authenticated by IPsec and performs network address translation on it, obtaining a translated packet;
S2: the external-network device receives the translated packet, restores the IP address in it according to the address mapping table that the external-network device created during IPsec tunnel negotiation, and authenticates the restored packet;
wherein, during the IPsec tunnel negotiation, the internal-network device sends the original IP address to the external-network device in an IKE message, the original IP address is carried to the external-network device as data in the IKE exchange, and the external-network device creates the address mapping table from that original IP address and the IP header of the translated packet.
2. The method of claim 1, characterised in that the NAT device is a firewall with a NAT translation function, and the external-network device is a firewall with an IPsec function.
3. The method of claim 1, characterised in that the address mapping table contains the translated IP address and the original IP address it maps to.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310117516.XA CN103188356B (en) | 2013-04-07 | 2013-04-07 | NAT traversal method in which the external-network device maps IPsec packets |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103188356A CN103188356A (en) | 2013-07-03 |
CN103188356B true CN103188356B (en) | 2016-07-13 |
Family ID: 48679318
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20160713; Termination date: 20180407 |