CN104104573A - Method and system for controlling IPsec tunnel of network devices - Google Patents
Method and system for controlling IPsec tunnel of network devices
- Publication number: CN104104573A
- Application number: CN201410382421.5A
- Authority: CN (China)
- Prior art keywords: ipsec tunnel, tunnel, ipsec, message, time
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a method and a system for controlling an IPsec (Internet Protocol Security) tunnel of network devices. The method comprises the following steps: establishing the IPsec tunnel between the network devices and negotiating to generate the primary tunnel IKE SA (Internet Key Exchange Security Association) and the secondary tunnel IPsec SA of the IPsec tunnel; transmitting a negotiation message upon detecting that the expiration time of the primary tunnel IKE SA or that of the secondary tunnel IPsec SA reaches a preset time; if no response message is received, determining whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than a preset upper limit; if the message processing speed is equal to or greater than the preset upper limit, further determining whether the IPsec tunnel is capable of normally encrypting and decrypting messages; and if so, determining that the IPsec tunnel is available and re-transmitting the negotiation message after waiting for a preset time interval. The method is capable of solving the oscillation problem of the IPsec tunnel.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a control method and system for an IPsec tunnel of a network device.
Background technology
When a multi-core network device processes messages, it processes forwarded messages first and host messages second, which guarantees the throughput of the device and improves performance. For other functions, a host message that fails to be received can simply be retransmitted without serious impact. For an IPsec (Internet Protocol Security) tunnel, however, the negotiation message is a host message, and if the negotiation message fails to be received, the IPsec tunnel is disconnected. A negotiation message may fail for many reasons, and the cause may disappear as the network state changes. If the IPsec tunnel is disconnected merely because a negotiation message failed to be received, the user sees the tunnel oscillate; and disconnecting the IPsec tunnel carelessly, without restoring it in due time as the current network state changes, affects the normal function of the IPsec tunnel.
Summary of the invention
The present invention has been made in view of the above circumstances, and its object is to provide a control method for an IPsec tunnel of a network device that can solve the oscillation problem of the IPsec tunnel.
To achieve the above object, the invention provides a control method for an IPsec tunnel of a network device, comprising the following steps:
Establishing an IPsec tunnel between network devices, and negotiating to generate the primary tunnel IKE SA and the secondary tunnel IPsec SA of the IPsec tunnel;
After detecting that the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches a preset time, sending a negotiation message;
If no response message is received, judging whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than a preset upper limit;
If the message processing speed is equal to or greater than the preset upper limit, further judging whether the IPsec tunnel can normally encrypt and decrypt messages;
If so, judging that the IPsec tunnel is available and, after waiting for a preset time interval, resending the negotiation message.
According to one aspect of the invention, if the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, the IPsec tunnel is disconnected.
According to another aspect of the invention, when it is detected that the IPsec tunnel has incoming encrypted messages, it is judged that the IPsec tunnel can normally encrypt messages.
According to another aspect of the invention, if it is judged that the IPsec tunnel cannot normally encrypt or decrypt messages, the IPsec tunnel is disconnected.
According to a further aspect of the invention, the preset time interval is configured by the user according to the network state.
With the control method for an IPsec tunnel of a network device provided by the invention, the IPsec tunnel is not deleted immediately after a negotiation failure is found. Instead, the speed of the outgoing physical interface of the negotiation message and whether the IPsec tunnel can normally encrypt and decrypt messages are considered together, and the method chooses either to disconnect the IPsec tunnel or to delay for a certain time so that renegotiation takes place after the traffic peak has passed, thereby solving the oscillation problem of the IPsec tunnel.
Another object of the invention is to provide a control system for an IPsec tunnel of a network device that can solve the oscillation problem of the IPsec tunnel.
To achieve the above object, the invention provides a control system for an IPsec tunnel of a network device, comprising: an IPsec tunnel setting module, for establishing an IPsec tunnel between network devices and negotiating to generate the primary tunnel IKE SA and the secondary tunnel IPsec SA of the IPsec tunnel; an expiration time detection module, for detecting whether the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches a preset time; a communication module, connected to the expiration time detection module, for sending a negotiation message after the expiration time detection module detects that the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches the preset time; and a judging module, connected to the communication module and the IPsec tunnel setting module, for judging, after the communication module receives no response message, whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than a preset upper limit, if so further judging whether the IPsec tunnel can normally encrypt and decrypt messages, and if so judging that the IPsec tunnel is available and, after waiting for a preset time interval, resending the negotiation message through the communication module.
According to one aspect of the invention, if the judging module judges that the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, the IPsec tunnel setting module disconnects the IPsec tunnel.
According to another aspect of the invention, if the judging module judges that the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, the IPsec tunnel setting module disconnects the IPsec tunnel.
According to a further aspect of the invention, if the judging module judges that the IPsec tunnel cannot normally encrypt or decrypt messages, the IPsec tunnel setting module disconnects the IPsec tunnel.
According to another aspect of the invention, the preset time interval is configured by the user according to the network state.
With the control system for an IPsec tunnel of a network device provided by the invention, the IPsec tunnel is not deleted immediately after a negotiation failure is found. Instead, the speed of the outgoing physical interface of the negotiation message and whether the IPsec tunnel can normally encrypt and decrypt messages are considered together, and the system chooses either to disconnect the IPsec tunnel or to delay for a certain time so that renegotiation takes place after the traffic peak has passed, thereby solving the oscillation problem of the IPsec tunnel.
Brief description of the drawings
Fig. 1 is a flow chart of the control method for an IPsec tunnel of a network device according to the first embodiment of the invention;
Fig. 2 is a flow chart of the control method for an IPsec tunnel of a network device according to the second embodiment of the invention;
Fig. 3 schematically shows an IPsec tunnel between network devices;
Fig. 4 is a structure diagram of the control system for an IPsec tunnel of a network device according to an embodiment of the invention.
Embodiment
To make the object, technical solutions and advantages of the invention clearer, the invention is described in more detail below in conjunction with embodiments and with reference to the accompanying drawings. It should be understood that these descriptions are exemplary and are not intended to limit the scope of the invention. In addition, descriptions of well-known structures and technologies are omitted below to avoid unnecessarily obscuring the concept of the invention.
A multi-core network device prioritizes message processing so that forwarded messages are processed first and host messages second, which guarantees the throughput of the device and improves performance. For an IPsec tunnel, however, the negotiation message is a host message, and if the negotiation message is dropped the IPsec tunnel is disconnected, so the user sees the tunnel oscillate. For multi-core network devices, the invention therefore provides a control method and system for an IPsec tunnel of a network device. It prevents the situation in which priority processing of forwarded messages keeps the network card busy, so that host messages, i.e. negotiation messages, cannot be processed in time, some negotiation messages are lost, renegotiation of the IPsec tunnel fails, the IPsec tunnel is deleted, and the normal function of the IPsec tunnel cannot be guaranteed.
Fig. 1 is a flow chart of the control method for an IPsec tunnel of a network device according to the first embodiment of the invention.
As shown in Fig. 1, the control method for an IPsec tunnel of a network device according to the first embodiment of the invention comprises the following steps:
Step S1: establish an IPsec tunnel between network devices, and negotiate to generate the primary tunnel IKE SA and the secondary tunnel IPsec SA of the IPsec tunnel.
Specifically, an IPsec tunnel is established between the network devices. Referring to Fig. 3 and taking firewall device Fw a and firewall device Fw b as an example, Fw a and Fw b establish an IPsec tunnel. While the IPsec tunnel is being established, the primary tunnel IKE SA and the secondary tunnel IPsec SA are negotiated and generated. The primary tunnel IKE SA protects IKE protocol messages. The secondary tunnel IPsec SA is used to encrypt data messages.
Step S2: after detecting that the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches the preset time, send a negotiation message.
It is detected whether the primary tunnel IKE SA or the secondary tunnel IPsec SA is expiring and whether the expiration time has reached the preset time. If so, the negotiation message is sent, starting the update negotiation of the IKE SA and IPsec SA to generate a new IKE SA and IPsec SA.
Step S3: if no response message is received, judge whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than the preset upper limit.
After the negotiation message is sent in step S2, if a response message is received, the negotiation is judged successful and a new IKE SA and IPsec SA are generated. If no response message is received, the negotiation is judged to have failed. The IPsec tunnel is not deleted immediately at this point; instead, the message processing speed of the outgoing physical interface of the negotiation message is checked. Specifically, it is judged whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than the preset upper limit. Because the traffic of the outgoing physical interface over a period of time can be calculated from the message processing speed and the unit duration, judging whether the message processing speed of the outgoing physical interface is equal to or greater than the preset upper limit achieves the purpose of judging whether the traffic of the outgoing physical interface within the unit duration exceeds the upper limit.
Step S4: if the message processing speed is equal to or greater than the preset upper limit, further judge whether the IPsec tunnel can normally encrypt and decrypt messages.
If the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than the preset upper limit, it is checked whether the IPsec tunnel can normally encrypt messages.
In embodiments of the invention, whether messages can be encrypted normally is judged by whether the IPsec tunnel has incoming encrypted messages. If the IPsec tunnel has incoming encrypted messages, it is judged that the IPsec tunnel can normally encrypt messages; otherwise it is judged that the IPsec tunnel cannot normally encrypt messages.
Further, on the basis that the IPsec tunnel can normally encrypt messages, it is judged whether messages can be normally decrypted. Specifically, in this step the triple of the message to be decrypted can be looked up, where the triple comprises the SPI (Security Parameter Index), the encryption/decryption type and the destination address. If the corresponding decryption SA (Security Association) can be found by these three elements, the SPI, the encryption/decryption type and the destination address, the message is considered able to be decrypted normally.
Step S5: if so, judge that the IPsec tunnel is available and, after waiting for the preset time interval, resend the negotiation message.
If the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than the preset upper limit, and the IPsec tunnel can normally encrypt and decrypt messages, the tunnel is considered still usable; the negotiation message was lost during forwarding only because of the multi-core device itself. The current IPsec tunnel continues to be used, and after waiting for the preset time interval (for example, waiting for the traffic peak period to pass, or waiting 10 minutes) the negotiation message is sent again and negotiation is carried out. Once the IKE SA and IPsec SA can be negotiated normally, the new IPsec tunnel is used. In this way the update of the IKE SA and IPsec SA is postponed by the preset time interval, which solves the oscillation problem of the IPsec tunnel.
In embodiments of the invention, the preset time interval is configured by the user according to the network state. Preferably, the preset time interval is one period, for example 10 minutes.
Fig. 2 is a flow chart of the control method for an IPsec tunnel of a network device according to the second embodiment of the invention.
In an embodiment of the invention, the following step is also included after step S3: if the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, step S6 is performed and the IPsec tunnel is disconnected. Note that the disconnection in this step is an active disconnection carried out under a specific condition, not the passive disconnection caused by negotiation failure in the prior art. Specifically, because the message processing speed of the outgoing physical interface is now less than the preset upper limit, this shows that the network is congested. At this point the IPsec tunnel is disconnected, messages in the IPsec tunnel are no longer encrypted or decrypted, and the messages in the IPsec tunnel are temporarily stopped. This fundamentally solves the IPsec tunnel oscillation problem: since no IPsec tunnel is established, the source of the oscillation is cut off. Seen another way, oscillation is avoided by temporarily shielding the IPsec tunnel, while the limited passage of background flows is guaranteed.
Moreover, the IPsec tunnel is disconnected only temporarily under a specific condition. When the message processing speed of the outgoing physical interface is equal to or greater than the preset upper limit, that is, when the network congestion has cleared and the port has enough bandwidth, the IPsec tunnel is re-established and encryption and decryption of messages in the IPsec tunnel resume, so that the normal function of the IPsec tunnel is affected as little as possible.
After step S4 the following step is also included: if it is judged that the IPsec tunnel has no incoming encrypted messages or that decryption fails, step S6 is performed and the IPsec tunnel is disconnected.
According to the control method for an IPsec tunnel of a network device of the embodiments of the invention, the IPsec tunnel is not deleted immediately after a negotiation failure is found. Instead, the message processing speed of the outgoing physical interface of the negotiation message and whether the IPsec tunnel can normally encrypt and decrypt messages are considered together, and the method chooses either to disconnect the IPsec tunnel or to delay for the preset time interval so that renegotiation takes place after the traffic peak has passed, thereby solving the oscillation problem of the IPsec tunnel.
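The decision flow of steps S3 to S6, written out as an added Python example; it is not code from the patent. The class, function and field names, the sample rates and SA values, and the optional `max_deferrals` bound are assumptions of this example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Action(Enum):
    REKEYED = "rekeyed"          # response received: new IKE SA / IPsec SA generated
    DEFER_RETRY = "defer_retry"  # S5: tunnel judged available, resend after the interval
    DISCONNECT = "disconnect"    # S6: tunnel is actively disconnected


@dataclass(frozen=True)
class SaTriple:
    """Lookup key for a decryption SA (S4): SPI, encryption/decryption type, destination."""
    spi: int
    sa_type: str
    dst: str


@dataclass
class TunnelView:
    """What the judging step inspects; field names are assumptions of this example."""
    incoming_encrypted_msgs: int         # incoming encrypted messages seen on the tunnel
    pending_decrypt: Optional[SaTriple]  # triple of the message waiting to be decrypted
    decrypt_sas: frozenset               # triples of the decryption SAs currently installed


def decide(response_received: bool, egress_rate: int, upper_limit: int,
           tunnel: TunnelView) -> Action:
    """One pass through S3-S6 for a single negotiation message."""
    if response_received:
        return Action.REKEYED
    # S3: no response. The tunnel is kept only if the outgoing interface is at
    # or above the preset upper limit; otherwise S6.
    if egress_rate < upper_limit:
        return Action.DISCONNECT
    # S4, encryption: the tunnel must have incoming encrypted messages.
    if tunnel.incoming_encrypted_msgs == 0:
        return Action.DISCONNECT
    # S4, decryption: the triple must resolve to an installed decryption SA.
    if tunnel.pending_decrypt is None or tunnel.pending_decrypt not in tunnel.decrypt_sas:
        return Action.DISCONNECT
    return Action.DEFER_RETRY


def replay(attempts, upper_limit, tunnel, interval_s=600, max_deferrals=None):
    """Replay (response_received, egress_rate) attempts, one per interval.

    interval_s=600 is the 10-minute example from the text. max_deferrals is an
    assumption of this example: None reproduces the described method, which
    sets no bound; an integer disconnects once that many retries were deferred.
    """
    log, t, deferred = [], 0, 0
    for response_received, egress_rate in attempts:
        action = decide(response_received, egress_rate, upper_limit, tunnel)
        if (action is Action.DEFER_RETRY and max_deferrals is not None
                and deferred >= max_deferrals):
            action = Action.DISCONNECT
        log.append((t, action))
        if action is not Action.DEFER_RETRY:
            break
        deferred += 1
        t += interval_s
    return log


# Constructed sample data (not from the page): rates in messages per second.
UPPER_LIMIT = 1_000_000
SA = SaTriple(spi=0x1001, sa_type="ESP", dst="198.51.100.2")
HEALTHY = TunnelView(incoming_encrypted_msgs=4200, pending_decrypt=SA,
                     decrypt_sas=frozenset({SA}))
PEAK_THEN_QUIET = [(False, 1_200_000), (False, 1_050_000), (True, 300_000)]

if __name__ == "__main__":
    for t, action in replay(PEAK_THEN_QUIET, UPPER_LIMIT, HEALTHY):
        print(f"t={t:>5}s  {action.value}")
    print(replay(PEAK_THEN_QUIET, UPPER_LIMIT, HEALTHY, max_deferrals=1))
```

With `max_deferrals=None` the current SAs stay in use for every interval in which the interface remains at or above the limit, which is why the example exposes a bound.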
Fig. 4 is a structure diagram of the control system for an IPsec tunnel of a network device according to an embodiment of the invention.
As shown in Fig. 4, the control system for an IPsec tunnel of a network device according to an embodiment of the invention comprises: an IPsec tunnel setting module 1, an expiration time detection module 2, a communication module 3 and a judging module 4.
Specifically, the IPsec tunnel setting module 1 establishes the IPsec tunnel between network devices and negotiates to generate the primary tunnel IKE SA and the secondary tunnel IPsec SA of the IPsec tunnel.
The IPsec tunnel setting module 1 establishes an IPsec tunnel between the network devices. While the IPsec tunnel is being established, the primary tunnel IKE SA and the secondary tunnel IPsec SA are negotiated and generated. The primary tunnel IKE SA protects IKE protocol messages. The secondary tunnel IPsec SA is used to encrypt data messages.
The expiration time detection module 2 detects whether the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches the preset time.
The communication module 3 is connected to the expiration time detection module 2. After the expiration time detection module 2 detects that the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches the preset time, the communication module 3 sends a negotiation message, starting the update negotiation of the IKE SA and IPsec SA to generate a new IKE SA and IPsec SA.
The judging module 4 is connected to the communication module 3. When the communication module 3 receives no response message, the judging module 4 judges that the negotiation has failed, and the IPsec tunnel is not deleted immediately. The judging module 4 further judges whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than the preset upper limit. Because the traffic of the outgoing physical interface over a period of time can be calculated from the message processing speed and the unit duration, judging whether the message processing speed of the outgoing physical interface is equal to or greater than the preset upper limit achieves the purpose of judging whether the traffic of the outgoing physical interface within the unit duration exceeds the upper limit. If so, the judging module 4 further judges whether the IPsec tunnel can normally encrypt and decrypt messages; if so, it judges that the IPsec tunnel is available and, after waiting for the preset time interval, resends the negotiation message through the communication module 3.
Note that if the communication module 3 receives a response message, the negotiation can be considered successful, and a new IKE SA and IPsec SA are generated.
In embodiments of the invention, the judging module 4 judges whether messages can be encrypted normally by whether the IPsec tunnel has incoming encrypted messages. If the IPsec tunnel has incoming encrypted messages, it is judged that the IPsec tunnel can normally encrypt messages; otherwise it is judged that the IPsec tunnel cannot normally encrypt messages.
Further, on the basis that the IPsec tunnel can normally encrypt messages, the judging module 4 further judges whether messages can be normally decrypted.
If the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than the preset upper limit, and the IPsec tunnel can normally encrypt and decrypt messages, the judging module 4 considers the tunnel still usable; the protocol message was lost only because of the multi-core device itself. The current IPsec tunnel continues to be used, and after waiting for the preset time interval (for example, waiting for the traffic peak period to pass, or waiting 10 minutes) the negotiation message is sent again and negotiation is carried out. Once the IKE SA and IPsec SA can be negotiated normally, the new IPsec tunnel is used. In this way the update of the IKE SA and IPsec SA is postponed by the preset time interval, which solves the oscillation problem of the IPsec tunnel.
In embodiments of the invention, the preset time interval is configured by the user according to the network state. Preferably, the preset time interval is one period, for example 10 minutes.
In an embodiment of the invention, if the judging module 4 judges that the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, the IPsec tunnel setting module 1 disconnects the IPsec tunnel. Note that this disconnection by the IPsec tunnel setting module 1 is an active disconnection carried out under a specific condition, not the passive disconnection caused by negotiation failure in the prior art. Specifically, because the message processing speed of the outgoing physical interface is now less than the preset upper limit, this shows that the network is congested. At this point the IPsec tunnel is disconnected, messages in the IPsec tunnel are no longer encrypted or decrypted, and the messages in the IPsec tunnel are temporarily stopped. This temporary shielding of the IPsec tunnel avoids tunnel oscillation while guaranteeing the limited passage of background flows.
Moreover, the IPsec tunnel is disconnected only temporarily under a specific condition. When the message processing speed of the outgoing physical interface is equal to or greater than the preset upper limit, that is, when the network congestion has cleared and the port has enough bandwidth, the IPsec tunnel is re-established and encryption and decryption of messages in the IPsec tunnel resume, so that the normal function of the IPsec tunnel is affected as little as possible.
When the judging module 4 detects that the IPsec tunnel has incoming encrypted messages, it judges that the IPsec tunnel can normally encrypt messages. If the judging module 4 judges that the IPsec tunnel has no incoming encrypted messages or that decryption fails, the IPsec tunnel setting module 1 disconnects the IPsec tunnel.
According to the control system for an IPsec tunnel of a network device of the embodiments of the invention, the IPsec tunnel is not deleted immediately after a negotiation failure is found. Instead, the message processing speed of the outgoing physical interface of the negotiation message and whether the IPsec tunnel can normally encrypt and decrypt messages are considered together, and the system chooses either to disconnect the IPsec tunnel or to delay for the preset time interval so that renegotiation takes place after the traffic peak has passed, thereby solving the oscillation problem of the IPsec tunnel.
It should be understood that the above embodiments of the invention are only used to illustrate or explain the principles of the invention and do not limit the invention. Therefore, any modification, equivalent replacement, improvement and the like made without departing from the spirit and scope of the invention shall fall within the protection scope of the invention. In addition, the appended claims are intended to cover all variations and modifications that fall within the scope and boundaries of the claims, or the equivalents of such scope and boundaries.
Claims (10)
1. A control method for an IPsec tunnel of a network device, comprising the following steps:
Establishing an IPsec tunnel between network devices, and negotiating to generate the primary tunnel IKE SA and the secondary tunnel IPsec SA of the IPsec tunnel;
After detecting that the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches a preset time, sending a negotiation message;
If no response message is received, judging whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than a preset upper limit;
If the message processing speed is equal to or greater than the preset upper limit, further judging whether the IPsec tunnel can normally encrypt and decrypt messages;
If so, judging that the IPsec tunnel is available and, after waiting for a preset time interval, resending the negotiation message.
2. The control method for an IPsec tunnel of a network device according to claim 1, wherein, if the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, the IPsec tunnel is disconnected.
3. The control method for an IPsec tunnel of a network device according to claim 1, wherein, when it is detected that the IPsec tunnel has incoming encrypted messages, it is judged that the IPsec tunnel can normally encrypt messages.
4. The control method for an IPsec tunnel of a network device according to claim 1, wherein, if it is judged that the IPsec tunnel cannot normally encrypt or decrypt messages, the IPsec tunnel is disconnected.
5. The control method for an IPsec tunnel of a network device according to claim 1, wherein the preset time interval is configured by the user according to the network state.
6. A control system for an IPsec tunnel of a network device, comprising:
An IPsec tunnel setting module, for establishing an IPsec tunnel between network devices and negotiating to generate the primary tunnel IKE SA and the secondary tunnel IPsec SA of the IPsec tunnel;
An expiration time detection module, for detecting whether the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches a preset time;
A communication module, connected to the expiration time detection module, for sending a negotiation message after the expiration time detection module detects that the expiration time of the primary tunnel IKE SA or the expiration time of the secondary tunnel IPsec SA reaches the preset time; and
A judging module, connected to the communication module and the IPsec tunnel setting module, for judging, after the communication module receives no response message, whether the message processing speed of the outgoing physical interface of the negotiation message is equal to or greater than a preset upper limit, if so further judging whether the IPsec tunnel can normally encrypt and decrypt messages, and if so judging that the IPsec tunnel is available and, after waiting for a preset time interval, resending the negotiation message through the communication module.
7. The control system for an IPsec tunnel of a network device according to claim 6, wherein, if the judging module judges that the message processing speed of the outgoing physical interface of the negotiation message is less than the preset upper limit, the IPsec tunnel setting module disconnects the IPsec tunnel.
8. The control system for an IPsec tunnel of a network device according to claim 6, wherein the judging module, when it detects that the IPsec tunnel has incoming encrypted messages, judges that the IPsec tunnel can normally encrypt messages.
9. The control system for an IPsec tunnel of a network device according to claim 6, wherein, if the judging module judges that the IPsec tunnel cannot normally encrypt or decrypt messages, the IPsec tunnel setting module disconnects the IPsec tunnel.
10. The control system for an IPsec tunnel of a network device according to claim 6, wherein the preset time interval is configured by the user according to the network state.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201410382421.5A CN104104573A (en) | 2014-08-06 | 2014-08-06 | Method and system for controlling IPsec tunnel of network devices |
Publications (1)
Publication Number | Publication Date |
---|---|
CN104104573A true CN104104573A (en) | 2014-10-15 |
Family
ID=51672389
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201410382421.5A Pending CN104104573A (en) | 2014-08-06 | 2014-08-06 | Method and system for controlling IPsec tunnel of network devices |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN104104573A (en) |
Cited By (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105610577A (en) * | 2016-01-07 | 2016-05-25 | 成都卫士通信息产业股份有限公司 | System and method for preventing IPSec (Internet Protocol Security) VPN (Virtual Private Network) device from multi-tunnel IKE (Internet Key Exchange) negotiation failure |
CN106302248A (en) * | 2016-08-31 | 2017-01-04 | 杭州华三通信技术有限公司 | A kind of neighbours' method for building up and device |
CN113438178A (en) * | 2021-06-22 | 2021-09-24 | 北京天融信网络安全技术有限公司 | Message forwarding method and device, computer equipment and storage medium |
CN114553633A (en) * | 2020-11-10 | 2022-05-27 | 华为技术有限公司 | Tunnel negotiation method and device |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20100313023A1 (en) * | 2008-01-03 | 2010-12-09 | Hangzhou H3C Technologies Co., Ltd. | Method, apparatus and system for internet key exchange negotiation |
CN102025742A (en) * | 2010-12-16 | 2011-04-20 | 成都市华为赛门铁克科技有限公司 | Negotiation method and device of internet key exchange (IKE) message |
CN103475647A (en) * | 2013-08-23 | 2013-12-25 | 天津汉柏汉安信息技术有限公司 | Method for preventing IPSEC (internet protocol security) tunnel re-negotiation from failing |
Cited By (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105610577A (en) * | 2016-01-07 | 2016-05-25 | 成都卫士通信息产业股份有限公司 | System and method for preventing IPSec (Internet Protocol Security) VPN (Virtual Private Network) device from multi-tunnel IKE (Internet Key Exchange) negotiation failure |
CN105610577B (en) * | 2016-01-07 | 2018-09-14 | 成都卫士通信息产业股份有限公司 | A kind of system and method preventing IPSec VPN device Multiple tunnel ike negotiations failure |
CN106302248A (en) * | 2016-08-31 | 2017-01-04 | 杭州华三通信技术有限公司 | A kind of neighbours' method for building up and device |
CN106302248B (en) * | 2016-08-31 | 2021-10-12 | 新华三技术有限公司 | Neighbor establishing method and device |
CN114553633A (en) * | 2020-11-10 | 2022-05-27 | 华为技术有限公司 | Tunnel negotiation method and device |
CN114553633B (en) * | 2020-11-10 | 2023-06-02 | 华为技术有限公司 | Tunnel negotiation method and device |
CN113438178A (en) * | 2021-06-22 | 2021-09-24 | 北京天融信网络安全技术有限公司 | Message forwarding method and device, computer equipment and storage medium |
CN113438178B (en) * | 2021-06-22 | 2023-04-18 | 北京天融信网络安全技术有限公司 | Message forwarding method and device, computer equipment and storage medium |
Similar Documents
Publication | Title |
---|---|
CN110996318B (en) | Safety communication access system of intelligent inspection robot of transformer substation |
US11757623B2 (en) | Encryption method, decryption method, and related apparatus |
CN102946333B (en) | A kind of DPD method based on IPsec and equipment |
US20200228977A1 (en) | Parameter Protection Method And Device, And System |
CN102420770B (en) | Method and equipment for negotiating internet key exchange (IKE) message |
CN106571907A (en) | Method and system for securely transmitting data between upper computer and USB flash disk |
CN104104573A (en) | Method and system for controlling IPsec tunnel of network devices |
CN106254231A (en) | A kind of industrial safety encryption gateway based on state and its implementation |
CN102891848A (en) | Method for carrying out encryption and decryption by using IPSec security association |
CN102571488B (en) | Failure processing method, device and system for encryption card |
KR20090012248A (en) | Method and system for the manipulation-protected generation of a cryptographic key |
US11006346B2 (en) | X2 service transmission method and network device |
KR101847636B1 (en) | Method and apprapatus for watching encrypted traffic |
CN110166410B (en) | Method and terminal for safely transmitting data and multimode communication terminal |
CN102868523A (en) | IKE (Internet Key Exchange) negotiation method |
KR20190045575A (en) | Method and apparatus for autonomous mutual authentication between devices in wireless communication system |
CN113973000A (en) | Method and device for processing pre-shared key PSK |
CN111526018A (en) | Communication encryption system and communication encryption method based on power distribution |
CN113765900B (en) | Protocol interaction information output transmission method, adapter device and storage medium |
CN107547478B (en) | Message transmission method, device and system |
CN102891766B (en) | Internet protocol security (IPSec) state recovery method |
CN113965462A (en) | Service transmission method, device, network equipment and storage medium |
CN113709069B (en) | Lossless switching method and device for data transmission |
CN103118017B (en) | Safeguard that the local terminal of IKE SA sends method and the device of the MessageID of message |
WO2017118269A1 (en) | Method and apparatus for protecting air interface identity |
Legal Events
Code | Title | Description |
---|---|---|
C06 | Publication | |
PB01 | Publication | |
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
WD01 | Invention patent application deemed withdrawn after publication | |
WD01 | Invention patent application deemed withdrawn after publication | Application publication date: 20141015 |