CN103220203B - Method for establishing multiple IPsec tunnels between local area networks - Google Patents
Method for establishing multiple IPsec tunnels between local area networks
- Publication number
- CN103220203B (application CN201310124040.2A)
- Authority
- CN
- China
- Prior art keywords
- tunnel
- server end
- protection subnet
- dimension
- initiator
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method for establishing multiple IPsec tunnels between local area networks. It comprises: static configuration at the server end, which includes the local IP address on which the server end establishes IPsec tunnels and a two-dimensional mapping table listing the IP address of every client and its corresponding protected subnet; on receiving a tunnel establishment request from a client acting as communication initiator, the server end scans the two-dimensional mapping table and checks whether the source protected subnet and the destination protected subnet match entries in it, and if so establishes an IPsec tunnel between the initiator and the server end; the server end then performs a reverse negotiation with the client acting as responder; the responder checks, against the request information forwarded by the server end, whether its local protected subnet matches, and if so the tunnel is established, otherwise the tunnel between the initiator and the server end is torn down. The invention thereby achieves dynamic linking and dynamic maintenance of multiple IPsec tunnels between local area networks.
Description
Technical field
The present invention relates to the field of Internet communication technology, and in particular to a method for establishing multiple IPsec tunnels between local area networks.
Background technology
Consider n IPsec (Internet Protocol Security) client network devices connected to the same IPsec server network device, where each client device establishes an IPsec tunnel with the server device and any two client devices must be able to communicate with each other. The existing method configures n-1 protected subnets on each client device, one for the subnet of each of the other n-1 client devices. When the number of client devices is large, say 100 clients, each client device must be configured with 99 protected subnets, and the server end must be configured with the corresponding subnets for each client device, i.e. 100 tunnels times 99 subnets per tunnel. This consumes CPU resources continuously and makes maintenance very laborious, and it becomes especially hard to maintain when the number of connections has to grow dynamically.
Summary of the invention
(1) technical problem to be solved
The object of the invention is to provide a method for establishing multiple IPsec tunnels between local area networks, solving the problems of high resource consumption and difficult maintenance when multiple IPsec tunnel connections are established between local area networks.
(2) technical scheme
The invention provides a method for establishing multiple IPsec tunnels between local area networks, comprising:
S1. The server end performs static configuration. The configuration comprises the local IP address on which the server end establishes IPsec tunnels, and a two-dimensional mapping table listing the IP address of every client and its corresponding protected subnet.
S2. A communication initiator sends an IPsec tunnel establishment request to the server end. The server end scans the two-dimensional mapping table and, from the received request information, checks whether the source protected subnet is the protected subnet corresponding to the originating IP address, and whether the responder's destination protected subnet is configured in the two-dimensional mapping table. If both hold, a tunnel is established between the initiator and the server end and the method continues with step S3.
S3. The server end sends a tunnel establishment request to the responder. From the received request information, the responder checks whether its local protected subnet matches the request. If so, the tunnel is established; otherwise the tunnel between the initiator and the server end is torn down.
The method further comprises step S4: if a third party initiates communication with the initiator or the responder, steps S2-S3 are repeated.
(3) beneficial effect
The invention uses static configuration at the server end: a simple configuration at the client and server ends that contains the information needed for tunnel establishment. This minimal configuration achieves interconnection of multiple IPsec peers. When a tunnel is not in use it can be torn down, and the tunnel paired with it is torn down as well. This linkage between tunnels reduces CPU resource consumption and achieves dynamic linking and dynamic maintenance of multiple IPsec tunnels.
Accompanying drawing explanation
Fig. 1 is a flow chart of the method of the invention.
Embodiment
The invention is described in further detail below with reference to the drawing and specific embodiments.
The invention provides a method for connecting multiple IPsec tunnels between local area networks. As shown in Fig. 1, the method comprises:
S1. The server end performs static configuration. The configuration comprises the local IP address on which the server end establishes IPsec tunnels, and a two-dimensional mapping table listing the IP address of every client and its corresponding protected subnet.
The static configuration at the server end is mandatory and contains the information needed for tunnel establishment. The clients are also configured, each with its IP address and corresponding protected subnet, and the two-dimensional mapping table is built from this information.
S2. A client acting as communication initiator sends an IPsec tunnel establishment request to the server end. The server end scans the two-dimensional mapping table and, from the received request information, checks whether the source protected subnet is the protected subnet corresponding to the originating IP address, and whether the destination protected subnet of the responding client is configured in the two-dimensional mapping table. If both hold, a tunnel is established between the initiator and the server end and the method continues with step S3.
The establishment request sent by the initiator carries the protected data flows of the request, comprising a source protected flow and a destination protected flow, i.e. the initiator's source protected subnet and the responder's destination protected subnet. The two-dimensional mapping table can be queried and matched in real time from this information, which is what defines the dynamic linking.
S3. The server end sends a tunnel establishment request to the responder. From the received request information, the responder checks whether its local protected subnet matches the request. If so, the tunnel is established; otherwise the tunnel between the initiator and the server end is torn down.
After the responder receives the establishment request, it checks whether its local protected subnet is identical to the destination protected subnet carried in the request; if so, it accepts the connection. The server end locates the responder by looking up, in the two-dimensional mapping table, the IP address corresponding to the destination protected subnet, and establishes a tunnel connection with it.
S4. If a third endpoint initiates communication with the initiator or the responder, steps S2-S3 are repeated to establish the IPsec tunnel and set up the protected subnet rules.
The invention provides a method for multi-tunnel connection between local area networks, embodied as follows:
Take 3 IPsec client network devices and 1 IPsec server network device, where Fw_server is the server network device and Fw_client denotes a client network device, with the following addresses:
Fw_client1: local IP 1.1.1.1, server IP 1.1.1.4, local protected subnet 11.0.0.0;
Fw_client2: local IP 1.1.1.2, server IP 1.1.1.4, local protected subnet 12.0.0.0;
Fw_client3: local IP 1.1.1.3, server IP 1.1.1.4, local protected subnet 13.0.0.0;
Fw_server: local IP 1.1.1.4.
First, the necessary static configuration is performed on the server Fw_server: 1.1.1.4 is configured as the local IP address on which the local end establishes IPsec tunnels, and the two-dimensional mapping table is configured. The mapping table contains all client IP addresses and their corresponding protected subnets, i.e. the device with IP address 1.1.1.1 corresponds to subnet 11.0.0.0, and so on. IPsec tunnels are then established for mutual access:
1: Fw_client1 is the communication initiator and needs to communicate with the responder Fw_client2. Fw_client1 sends an IPsec tunnel establishment request to Fw_server. The tunnel path to be established is IP 1.1.1.1 to IP 1.1.1.4, and the protected subnets are source protected subnet 11.0.0.0 to destination protected subnet 12.0.0.0. After the server end receives the IPsec establishment request, it scans the two-dimensional mapping table and checks whether the source protected subnet 11.0.0.0 in the request is the protected subnet corresponding to IP 1.1.1.1. If not, the connection fails; if so, it goes on to check whether the destination protected subnet 12.0.0.0 is present in the configured two-dimensional mapping table. If so, Fw_server and Fw_client1 establish an IPsec tunnel from IP 1.1.1.1 to IP 1.1.1.4 with the protected subnet rule 11.0.0.0 to 12.0.0.0; otherwise the connection fails.
2: After the tunnel between Fw_client1 and Fw_server is successfully established, Fw_server performs a reverse negotiation: it actively initiates tunnel establishment towards Fw_client2 with the protected subnet rule 11.0.0.0 to 12.0.0.0. Fw_client2 checks, from the establishment request it receives, whether its local protected subnet is 12.0.0.0, and if so accepts the tunnel establishment request. The server end scans the two-dimensional mapping table, finds the IP of Fw_client2 from the destination protected subnet 12.0.0.0, and establishes an IPsec tunnel along the path IP 1.1.1.4 to IP 1.1.1.2. If establishment between Fw_server and Fw_client2 fails, the tunnel connection between Fw_client1 and Fw_server is torn down.
3: If a third party, Fw_client3, now wants to communicate with Fw_client1, the two steps above are repeated.
When, among the three IPsec tunnels that Fw_client1, Fw_client2 and Fw_client3 establish with Fw_server in the invention, any IPsec tunnel is disconnected or its subnet is disconnected, the IPsec protected-subnet tunnel paired with it on the other side is disconnected as well. This achieves tunnel linkage and saves resources.
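The hub-side logic of steps S1-S4 and the Fw_server/Fw_client walk-through above, as an added Python model that is not part of the patent or of any product implementing it. It assumes /8 prefixes for the subnets (the page gives no prefix length), models each client as an in-process object whose `accepts` method stands in for the responder's check in step S3, and deliberately mis-configures Fw_client3 (a constructed fault, 14.0.0.0/8 instead of the 13.0.0.0/8 the hub's table expects) so that both rejection paths are exercised. One caveat a practitioner should carry over: the page keys the source-subnet check on the initiator's IP address; in a real IKE deployment the table entry must be bound to the authenticated IKE identity of the peer, because the source address of a request is not itself authenticated.

```python
import ipaddress
from dataclasses import dataclass, field

Net = ipaddress.IPv4Network


def net(s: str) -> Net:
    """Normalise a subnet string; strict=True rejects a network with host bits set."""
    return ipaddress.ip_network(s, strict=True)


@dataclass
class Client:
    """Static client-side configuration: local IP and local protected subnet."""
    ip: str
    protected: Net

    def accepts(self, dst_subnet: Net) -> bool:
        """Step S3: the responder accepts the reverse negotiation only if the
        destination protected subnet in the request is its own local subnet."""
        return dst_subnet == self.protected


@dataclass
class Hub:
    """The IPsec server end. `table` is the patent's two-dimensional mapping table
    (client IP -> protected subnet) from step S1."""
    local_ip: str
    table: dict
    # Live tunnels keyed (peer_ip, src_subnet, dst_subnet); the value is the key of the
    # paired tunnel on the other side, or None while the pair is still being negotiated.
    tunnels: dict = field(default_factory=dict)

    def peer_for_subnet(self, subnet: Net):
        """Reverse lookup in the table: which client owns this protected subnet?"""
        for ip, protected in self.table.items():
            if protected == subnet:
                return ip
        return None

    def request(self, initiator: Client, dst_subnet: Net, peers: dict) -> bool:
        """Steps S2-S3 for one initiator request. `peers` maps IP -> reachable Client
        and stands in for the hub's ability to negotiate with that client (assumption)."""
        src_subnet = initiator.protected
        # S2a: the source protected subnet must be the one the table binds to the
        # initiator's address. The page keys this on the client IP; a real IKE
        # deployment should bind it to the authenticated IKE identity instead.
        if self.table.get(initiator.ip) != src_subnet:
            return False
        # S2b: the destination protected subnet must be configured in the table.
        responder_ip = self.peer_for_subnet(dst_subnet)
        if responder_ip is None:
            return False
        forward = (initiator.ip, src_subnet, dst_subnet)
        self.tunnels[forward] = None  # initiator <-> hub tunnel is up
        # S3: reverse negotiation with the responder found through the table.
        responder = peers.get(responder_ip)
        if responder is None or not responder.accepts(dst_subnet):
            self.teardown(forward)  # hub <-> responder failed: drop the initiator side too
            return False
        reverse = (responder_ip, src_subnet, dst_subnet)
        self.tunnels[forward] = reverse
        self.tunnels[reverse] = forward
        return True

    def teardown(self, key: tuple) -> None:
        """Tunnel linkage: dropping either tunnel of a pair drops the other."""
        pair = self.tunnels.pop(key, None)
        if pair is not None:
            self.tunnels.pop(pair, None)

    def active(self) -> set:
        return set(self.tunnels)


def demo() -> dict:
    """Replays the page's Fw_server/Fw_client example (prefix length /8 assumed).
    Fw_client3's local subnet is a constructed misconfiguration (14.0.0.0/8 while the
    hub's table says 13.0.0.0/8) so that both rejection paths are shown."""
    c1 = Client("1.1.1.1", net("11.0.0.0/8"))
    c2 = Client("1.1.1.2", net("12.0.0.0/8"))
    c3 = Client("1.1.1.3", net("14.0.0.0/8"))
    peers = {c.ip: c for c in (c1, c2, c3)}
    hub = Hub("1.1.1.4", {"1.1.1.1": net("11.0.0.0/8"),
                          "1.1.1.2": net("12.0.0.0/8"),
                          "1.1.1.3": net("13.0.0.0/8")})
    out = {}
    out["c1_to_c2"] = hub.request(c1, net("12.0.0.0/8"), peers)       # S2 and S3 pass
    out["c1_to_unknown"] = hub.request(c1, net("99.0.0.0/8"), peers)  # S2b fails: not in table
    out["c1_to_c3"] = hub.request(c1, net("13.0.0.0/8"), peers)       # S3 fails: responder disagrees
    out["c3_to_c1"] = hub.request(c3, net("11.0.0.0/8"), peers)       # S2a fails: claimed subnet != table
    out["tunnels_after_requests"] = len(hub.active())
    # Fw_client2 drops its side of the pair; linkage removes Fw_client1's tunnel as well.
    hub.teardown(("1.1.1.2", net("11.0.0.0/8"), net("12.0.0.0/8")))
    out["tunnels_after_teardown"] = len(hub.active())
    return out


if __name__ == "__main__":
    print(demo())
```

The tunnel store keeps both directions of a pair under separate keys that point at each other, which is what makes the teardown in the last section of the walk-through (one side drops, the paired tunnel drops too) a single dictionary operation rather than a search. A failed reverse negotiation in step S3 removes the half-built initiator tunnel before returning, matching the page's "otherwise the tunnel between the initiator and the server end is torn down".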
The above is only a preferred embodiment of the invention. It should be pointed out that those skilled in the art can make further improvements and substitutions without departing from the technical principles of the invention, and such improvements and substitutions should also be regarded as falling within the scope of protection of the invention.
Claims (2)
1. A method for establishing multiple IPsec tunnels between local area networks, characterised in that it comprises:
S1. The server end performs static configuration. The configuration comprises the local IP address on which the server end establishes IPsec tunnels, and a two-dimensional mapping table listing the IP address of every client and its corresponding protected subnet.
S2. A communication initiator sends an IPsec tunnel establishment request to the server end. The server end scans the two-dimensional mapping table and, from the received request information, checks whether the source protected subnet is the protected subnet corresponding to the originating IP address, and whether the responder's destination protected subnet is configured in the two-dimensional mapping table. If both hold, a tunnel is established between the initiator and the server end and the method continues with step S3.
S3. The server end sends a tunnel establishment request to the responder. From the received request information, the responder checks whether its local protected subnet matches the request. If so, the tunnel is established; otherwise the tunnel between the initiator and the server end is torn down.
2. The method of claim 1, characterised in that it further comprises step S4: if a third party initiates communication with the initiator or the responder, steps S2-S3 are repeated.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310124040.2A CN103220203B (en) | 2013-04-11 | 2013-04-11 | A kind of method realizing LA Management Room many IPsec tunnel and set up |
Publications (2)
Publication Number | Publication Date |
---|---|
CN103220203A CN103220203A (en) | 2013-07-24 |
CN103220203B true CN103220203B (en) | 2015-12-02 |
Family
ID=48817685
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN114301704B (en) * | 2021-12-30 | 2023-11-10 | 北京天融信网络安全技术有限公司 | Ipsec tunnel negotiation method, home terminal equipment, opposite terminal equipment and storage medium |
CN114866371B (en) * | 2022-04-21 | 2023-11-28 | 北京天融信网络安全技术有限公司 | Method and device for establishing IPSec tunnel, storage medium and electronic equipment |
Citations (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101447909A (en) * | 2008-12-29 | 2009-06-03 | 深圳市深信服电子科技有限公司 | VPN network construction method |
CN102984045A (en) * | 2012-12-05 | 2013-03-20 | 网神信息技术(北京)股份有限公司 | Access method of Virtual Private Network and Virtual Private Network client |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2006072891A1 (en) * | 2005-01-07 | 2006-07-13 | Alcatel Lucent | Method and apparatus for providing route-optimized secure session continuity between mobile nodes |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20151202; termination date: 20180411 |