CN107332885A - Method and apparatus for implementing dual-machine hot standby in an IPSec VPN - Google Patents

Info

Publication number: CN107332885A
Authority: CN (China)
Prior art keywords: status informations, standby, ipsec server, ipsec, server
Legal status: Pending
Application number: CN201710464935.9A
Other languages: Chinese (zh)
Inventor: 黄春平
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd
Priority to CN201710464935.9A
Publication of CN107332885A

Classifications (all under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)

    • H04L 67/00 Network arrangements or protocols for supporting network services or applications > H04L 67/01 Protocols > H04L 67/10 Protocols in which an application is distributed across nodes in the network > H04L 67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • H04L 1/00 Arrangements for detecting or preventing errors in the information received > H04L 1/12 Arrangements for detecting or preventing errors in the information received by using return channel > H04L 1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals > H04L 1/1607 Details of the supervisory signal
    • H04L 1/00 Arrangements for detecting or preventing errors in the information received > H04L 1/12 Arrangements for detecting or preventing errors in the information received by using return channel > H04L 1/16 Arrangements for detecting or preventing errors in the information received by using return channel in which the return channel carries supervisory signals, e.g. repetition request signals > H04L 1/18 Automatic repetition systems, e.g. Van Duuren systems > H04L 1/1867 Arrangements specially adapted for the transmitter end > H04L 1/188 Time-out mechanisms
    • H04L 12/00 Data switching networks > H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L 12/46 Interconnection of networks > H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks > H04L 41/06 Management of faults, events, alarms or notifications > H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery > H04L 41/0668 Management of faults, events, alarms or notifications using network fault recovery by dynamic selection of recovery network elements, e.g. replacement by the most appropriate element after failure

Abstract

The application provides a method and apparatus for implementing dual-machine hot standby in an IPSec VPN, applied to a primary IPSec server and a standby IPSec server. The method includes: the primary IPSec server sends backup data carrying SA state information to the standby IPSec server; after the standby IPSec server receives the backup data, it parses the backup data and sends a feedback message to the primary IPSec server. When the primary IPSec server does not receive the feedback message within a preset time range, it periodically resends the backup data to the standby IPSec server. If the feedback message is received within the preset time range and carries a failure flag, the backup data is resent to the standby IPSec server. With the technical method of the application, the stability of IPSec VPN dual-machine hot standby is improved.

Description

Method and apparatus for implementing dual-machine hot standby in an IPSec VPN
Technical field
The application relates to the field of network communication technology, and in particular to a method and apparatus for implementing dual-machine hot standby in an IPSec VPN.
Background
With the demand for secure information exchange over networks, VPN technology emerged. Among VPN technologies, those based on the IPSec protocol are widely used.
As an important protocol for protecting the secure transmission of IP packets, IPSec must guarantee the stability and reliability of the IPSec network, and must be able to restore the network and resume service in the shortest possible time when a network failure occurs. To achieve this stability and reliability, and to restore network operation quickly after a failure, dual-machine hot standby for IPSec VPN emerged.
In the prior art, IPSec VPN dual-machine hot standby works as follows: the primary IPSec server sends the SA state information it generates to the standby IPSec server over a backup path, and the standby IPSec server saves the received SA state information. When the primary IPSec server fails, service switches to the standby IPSec server, which continues processing traffic.
Summary of the invention
In view of this, the application provides a method and apparatus for implementing dual-machine hot standby in an IPSec VPN, applied to a primary IPSec server and a standby IPSec server, in order to improve the reliability of IPSec VPN dual-machine hot standby.
Specifically, the application is realized by the following technical solution:
A method for implementing dual-machine hot standby in an IPSec VPN, applied to a primary IPSec server, includes:
sending backup data carrying security association (SA) state information to the standby IPSec server;
judging whether, within a preset time range, a feedback message sent by the standby IPSec server after receiving the backup data has been received;
if so, determining from the feedback message whether the standby IPSec server parsed the backup data successfully.
A method for implementing dual-machine hot standby in an IPSec VPN, applied to a standby IPSec server, includes:
receiving the backup data carrying SA state information sent by the primary IPSec server;
parsing the backup data and carrying the parsing result in a feedback message to be sent to the primary IPSec server;
sending the feedback message to the primary IPSec server; wherein, after the standby IPSec server parses the backup data successfully, the feedback message carries a success flag, and after the standby IPSec server fails to parse the backup data, the feedback message carries a failure flag.
An apparatus for implementing dual-machine hot standby in an IPSec VPN, applied to a primary IPSec server, includes:
a sending unit, configured to send backup data carrying security association (SA) state information to the standby IPSec server;
a judging unit, configured to judge whether, within a preset time range, a feedback message sent by the standby IPSec server after receiving the backup data has been received;
a determining unit, configured to, if so, determine from the feedback message whether the standby IPSec server parsed the backup data successfully.
An apparatus for implementing dual-machine hot standby in an IPSec VPN, applied to a standby IPSec server, includes:
a receiving unit, configured to receive the backup data carrying SA state information sent by the primary IPSec server;
a parsing unit, configured to parse the backup data and carry the parsing result in a feedback message to be sent to the primary IPSec server;
a sending unit, configured to send the feedback message to the primary IPSec server; wherein, after the standby IPSec server parses the backup data successfully, the feedback message carries a success flag, and after the standby IPSec server fails to parse the backup data, the feedback message carries a failure flag.
After sending backup data to the standby IPSec server, the primary IPSec server waits for a feedback message from the standby IPSec server; if no feedback message arrives within the preset time range, the primary IPSec server periodically resends the backup data until the standby IPSec server has received it. In addition, the primary IPSec server determines from the feedback message whether the standby IPSec server parsed the backup data successfully, and if it did not, sends the backup data to the standby IPSec server again. Therefore, in this application, after the primary IPSec server sends backup data to the standby IPSec server, an acknowledgement mechanism confirms that the standby IPSec server both received and successfully parsed the backup data, which improves the reliability of IPSec VPN dual-machine hot standby.
Brief description of the drawings
Fig. 1 is a network architecture diagram of IPSec VPN dual-machine hot standby shown in the application;
Fig. 2 is a flow chart of a method for implementing dual-machine hot standby in an IPSec VPN illustrated in an embodiment of the application;
Fig. 3 is a hardware structure diagram of the primary IPSec server hosting an apparatus for implementing dual-machine hot standby in an IPSec VPN according to the application;
Fig. 4 is an apparatus for implementing dual-machine hot standby in an IPSec VPN illustrated in an embodiment of the application;
Fig. 5 is a hardware structure diagram of the standby IPSec server hosting another apparatus for implementing dual-machine hot standby in an IPSec VPN according to the application;
Fig. 6 is another apparatus for implementing dual-machine hot standby in an IPSec VPN illustrated in an embodiment of the application.
Detailed description
Exemplary embodiments are described in detail here, with examples shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the application; rather, they are merely examples of apparatus and methods consistent with some aspects of the application, as detailed in the appended claims.
The terminology used in the application is for the purpose of describing particular embodiments only and is not intended to limit the application. The singular forms "a", "said" and "the" used in the application and the appended claims are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the application to describe various information, such information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the application, first information may also be called second information, and similarly second information may also be called first information. Depending on context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Refer to Fig. 1, which is the network architecture diagram of IPSec VPN dual-machine hot standby shown in the application.
Dual-machine hot standby refers specifically to hot standby between two servers in a high-availability system. According to the switching mode, dual-machine hot standby is divided into active-standby mode (Active-Standby) and dual-active mode (Active-Active). In active-standby mode, one server is in the active state for a given service and the other server is in the standby state for that service. In dual-active mode, two different services are each in active-standby state on the two servers in opposite directions (that is, Active-Standby and Standby-Active).
IPSec VPN dual-machine hot standby refers to dual-machine hot standby applied in an IPSec VPN scenario. In an IPSec VPN scenario, the data backed up between the two IPSec servers is mainly SA (Security Association) state information. For the specific role of the SA, refer to the related art; it is not described further in this application.
In the prior art, when the primary IPSec server generates SA state information, it sends backup data carrying that SA state information to the standby IPSec server over the backup path. After the standby IPSec server receives the backup data, it parses the backup data to obtain the SA state information, and then processes the SA state information according to the operation required (create SA state information or delete SA state information).
However, in the prior art, the backup path between the primary IPSec server and the standby IPSec server may fail, and when it does the standby IPSec server cannot receive the backup data sent by the primary IPSec server. When the primary IPSec server in the network fails, service switches to the standby IPSec server, which negotiates and establishes an IPSec VPN tunnel with the peer server and then continues processing traffic. Because the backup path failed, the backup data received by the standby IPSec server is incomplete, so the standby IPSec server cannot process traffic normally after it becomes the primary IPSec server.
To solve the problems in the prior art, the application proposes a method and apparatus for implementing dual-machine hot standby in an IPSec VPN, applied to a primary IPSec server and a standby IPSec server. The method includes: the primary IPSec server sends backup data carrying SA state information to the standby IPSec server; after the standby IPSec server receives the backup data, it parses the backup data and sends a feedback message to the primary IPSec server. When the primary IPSec server does not receive the feedback message within a preset time range, it periodically resends the backup data to the standby IPSec server. If the feedback message is received within the preset time range and carries a failure flag, the backup data is resent to the standby IPSec server.
The technical method proposed by the application is described below through specific embodiments and schematic diagrams.
Refer to Fig. 2, a flow chart of a method for implementing dual-machine hot standby in an IPSec VPN illustrated in an embodiment of the application; the method performs the following steps:
Step 201: the primary IPSec server sends backup data carrying SA state information to the standby IPSec server;
In the application, the primary IPSec server sends backup data carrying SA state information to the standby IPSec server. The primary IPSec server then judges whether the standby IPSec server received the backup data by whether a feedback message from the standby IPSec server arrives within a preset time range; if the standby IPSec server did not receive the backup data, the primary IPSec server periodically resends it. If the standby IPSec server did receive the backup data, the primary IPSec server further judges whether the standby IPSec server parsed the backup data successfully by whether the feedback message carries a success flag; if it did not, the primary IPSec server sends the backup data to the standby IPSec server again.
In this embodiment, after the primary IPSec server and the peer server have negotiated and established the IPSec VPN tunnel, the primary IPSec server generates new SA state information when its address changes or when an SA times out and is refreshed.
When the primary IPSec server generates new SA state information, it also allocates a cookie value and an SPI (Serial Peripheral Interface) value for the new SA state information.
In one illustrated embodiment, when the primary IPSec server generates new SA state information, it sends the standby IPSec server, over the backup path, backup data carrying the SA state information together with the cookie value and SPI value allocated for it; the operation for the SA state information is "create SA state information".
When the negotiated IPSec configuration changes, or when negotiation parameters are restored from configuration after the standby IPSec server restarts, the standby IPSec server sends a backup request to the primary IPSec server. In this case, the primary IPSec server obtains, according to the backup request, the SA state information corresponding to the request and the cookie value and SPI value allocated for that SA state information.
Because a relatively large amount of SA state information needs to be backed up after the standby IPSec server restarts, in the embodiment shown in the application the standby IPSec server can request batch backup from the primary IPSec server; in practice, the standby IPSec server indicates in the backup request sent to the primary IPSec server which SA state information needs batch backup.
After the primary IPSec server has obtained the corresponding SA state information based on the backup request, together with the cookie value and SPI value allocated for it, it sends backup data carrying that SA state information and the allocated cookie value and SPI value to the standby IPSec server; the operation for the SA state information is "create SA state information".
Step 202: the primary IPSec server judges whether a feedback message sent by the standby IPSec server is received within the preset time range;
After the primary IPSec server sends the backup data carrying the SA state information and the cookie value and SPI value allocated for it, it starts a timer preset at the local end; the timer length can be adjusted by the user as required. The primary IPSec server judges whether the standby IPSec server received the backup data by whether a feedback message from the standby IPSec server arrives within the timer length.
In an embodiment of the application, if the timer expires without the primary IPSec server receiving a feedback message from the standby IPSec server, it determines that the standby IPSec server did not receive the backup data. In that case, the primary IPSec server periodically resends the backup data to the standby IPSec server at a preset period, and stops the periodic resending only when it receives the feedback message sent by the standby IPSec server after successfully receiving the backup data.
If the primary IPSec server receives the feedback message sent by the standby IPSec server before the timer expires, it determines that the standby IPSec server received the backup data.
Step 203: when the standby IPSec server has received the backup data, it parses the backup data;
In an embodiment of the application, when the standby IPSec server receives the backup data sent by the primary IPSec server, it parses the backup data. If parsing succeeds, the standby IPSec server reads from the backup data the SA state information, the cookie value and SPI value the primary IPSec server allocated for it, and the operation for the SA state information.
The operation for the SA state information is either "create SA state information" or "delete SA state information". If the operation is create, the standby IPSec server saves the SA state information together with the cookie value and SPI value allocated for it. At the same time, the standby IPSec server marks the SA state information, for example with a "backup" field, to indicate that it was received as backup data and to distinguish it from SA state information the standby IPSec server generates itself after it becomes the primary IPSec server.
If the operation is delete, the standby IPSec server deletes, from the SA state information saved locally, the SA state information carried in the backup data together with the cookie value and SPI value allocated for it.
In an embodiment of the application, when the standby IPSec server parses the backup data successfully, it sends a feedback message carrying a success flag to the primary IPSec server. When the standby IPSec server fails to parse the backup data, it likewise sends a feedback message to the primary IPSec server, carrying a failure flag.
Step 204: if the primary IPSec server receives the feedback message sent by the standby IPSec server within the preset time range, it further judges from the feedback message whether the standby IPSec server parsed the backup data successfully.
Once the primary IPSec server determines that the standby IPSec server received the backup data, it parses the feedback message sent by the standby IPSec server. If the feedback message carries a success flag, the primary IPSec server determines that the standby IPSec server parsed the backup data successfully; if it carries a failure flag, the primary IPSec server determines that the standby IPSec server did not parse the backup data successfully.
In an embodiment of the application, when the primary IPSec server determines that the standby IPSec server did not parse the backup data successfully, it resends the backup data to the standby IPSec server. When it determines that the standby IPSec server parsed the backup data successfully, the primary IPSec server sends a confirmation message to the standby IPSec server so that the standby IPSec server knows the primary IPSec server received the feedback message.
When the primary IPSec server fails, the standby IPSec server becomes the primary IPSec server. The standby IPSec server renegotiates and establishes an IPSec VPN tunnel with the peer server, generates new SA state information after the tunnel is established, and allocates a cookie value and SPI value for that SA state information.
However, because the primary IPSec server and the standby IPSec server allocate cookie values and SPI values for SA state information independently of each other, the cookie value and SPI value that the standby IPSec server allocates for newly generated SA state information after becoming primary may be identical to the cookie value and SPI value of SA state information backed up from the primary IPSec server. "Identical" here means that, between the cookie value and SPI value generated by the standby IPSec server and those generated by the primary IPSec server, at least one value matches. For example, if the cookie value generated by the standby IPSec server equals the cookie value generated by the primary IPSec server while the SPI values differ, the cookie value and SPI value generated by the standby IPSec server are still judged identical to those generated by the primary IPSec server. In this case, after the standby IPSec server becomes primary, it cannot successfully install the newly generated SA state information.
To address this problem, in the application, when the standby IPSec server allocates a target cookie value and target SPI value for newly generated SA state information, it checks whether, among the cookie values and SPI values of the SA state information saved locally, there is a cookie value or SPI value identical to the target cookie value or target SPI value. If there is, the standby IPSec server replaces the SA state information corresponding to the matching cookie value and SPI value with the newly generated SA state information.
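As an added example (not code from the patent or from Hangzhou DPTech), the following Python simulation walks through Steps 201 to 204 and the failover check just described: a primary that resends on timer expiry or on a failure flag, a standby that applies create and delete operations, marks received entries with a "backup" field and answers with a pass or fail flag, and the replacement of a backed-up SA whose cookie or SPI collides with one the new primary allocates. The JSON message encoding, the lossy path, the attempt cap and the sample cookie, SPI and peer values are all constructed assumptions.

```python
import json
from dataclasses import dataclass


@dataclass
class SAState:
    cookie: int          # cookie allocated for the SA, as the page describes
    spi: int             # SPI allocated for the SA (in IPSec terms the Security Parameter Index)
    peer: str            # constructed sample content; the page says only "SA state information"
    backup: bool = False  # the "backup" field the standby sets on entries received from the primary


class StandbyServer:
    """Standby IPSec server: parses backup data, applies the operation, answers pass or fail."""

    def __init__(self):
        self.sa_table = {}  # (cookie, spi) -> SAState

    def handle_backup(self, wire):
        try:
            msg = json.loads(wire.decode())
            op, cookie, spi = msg["op"], int(msg["cookie"]), int(msg["spi"])
            if op == "create":
                self.sa_table[(cookie, spi)] = SAState(cookie, spi, msg["peer"], backup=True)
            elif op == "delete":
                self.sa_table.pop((cookie, spi), None)
            else:
                raise ValueError("unknown operation %r" % op)
            return json.dumps({"flag": "pass", "cookie": cookie, "spi": spi}).encode()
        except (ValueError, KeyError, UnicodeDecodeError) as exc:
            # Parse failure: the feedback carries the fail flag so the primary resends.
            return json.dumps({"flag": "fail", "reason": str(exc)}).encode()

    def allocate_after_failover(self, new_sa):
        """After becoming primary: a backed-up entry sharing the cookie OR the SPI with the
        newly negotiated SA counts as identical and is replaced by the new SA."""
        collided = [key for key, sa in self.sa_table.items()
                    if sa.backup and (sa.cookie == new_sa.cookie or sa.spi == new_sa.spi)]
        for key in collided:
            del self.sa_table[key]
        self.sa_table[(new_sa.cookie, new_sa.spi)] = new_sa
        return collided


class LossyPath:
    """Constructed backup path: loses the first `lose` messages and truncates the next
    `corrupt` ones, so the primary sees both timer expiry and fail flags."""

    def __init__(self, standby, lose=0, corrupt=0):
        self.standby, self.lose, self.corrupt = standby, lose, corrupt

    def send(self, wire):
        if self.lose > 0:
            self.lose -= 1
            return None  # nothing arrives, so no feedback before the primary's timer expires
        if self.corrupt > 0:
            self.corrupt -= 1
            wire = wire[: len(wire) // 2]  # truncated message fails to parse on the standby
        return self.standby.handle_backup(wire)


class PrimaryServer:
    """Primary IPSec server: sends backup data and resends until a pass flag comes back."""

    def __init__(self, path, max_attempts=10):  # the attempt cap is an assumption for the simulation
        self.path, self.max_attempts = path, max_attempts
        self.confirms_sent = []  # confirm messages sent to the standby after each pass flag

    def backup(self, op, sa):
        wire = json.dumps({"op": op, "cookie": sa.cookie, "spi": sa.spi, "peer": sa.peer}).encode()
        for attempt in range(1, self.max_attempts + 1):
            feedback = self.path.send(wire)
            if feedback is None:
                continue  # timer expired without feedback: periodic resend
            if json.loads(feedback.decode())["flag"] == "pass":
                self.confirms_sent.append((sa.cookie, sa.spi))
                return attempt  # number of transmissions the backup needed
            # fail flag received: the standby could not parse it, resend at once
        raise RuntimeError("standby never acknowledged the backup data")


def demo():
    """Two lost deliveries, one corrupted one, then success; afterwards a failover collision."""
    standby = StandbyServer()
    primary = PrimaryServer(LossyPath(standby, lose=2, corrupt=1))
    sa1 = SAState(cookie=0x1111, spi=0x0100, peer="203.0.113.10")  # constructed values
    sa2 = SAState(cookie=0x2222, spi=0x0200, peer="203.0.113.20")
    tries = primary.backup("create", sa1)  # 2 timeouts + 1 fail flag + 1 pass = 4 transmissions
    primary.backup("create", sa2)
    primary.backup("delete", sa2)
    # Failover: the new primary allocates an SA whose SPI matches the backed-up sa1.
    replaced = standby.allocate_after_failover(SAState(cookie=0x3333, spi=0x0100, peer="203.0.113.10"))
    return tries, sorted(standby.sa_table), replaced


if __name__ == "__main__":
    print(demo())
```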
As can be seen from the technical method provided by the application, after the primary IPSec server sends backup data to the standby IPSec server, it waits for a feedback message from the standby IPSec server; if no feedback message arrives within the preset time range, the primary IPSec server periodically resends the backup data until the standby IPSec server has received it. In addition, the primary IPSec server determines from the feedback message sent by the standby IPSec server whether the standby IPSec server parsed the backup data successfully, and if it did not, sends the backup data to the standby IPSec server again. Therefore, in this application, after the primary IPSec server sends backup data to the standby IPSec server, an acknowledgement mechanism confirms that the standby IPSec server both received and successfully parsed the backup data, which improves the reliability of IPSec VPN dual-machine hot standby.
Realize that the embodiment of the method for two-node cluster hot backup is corresponding with a kind of foregoing IPSec VPN, present invention also provides one Plant the embodiment that IPSec VPN realize the device of two-node cluster hot backup.
A kind of IPSec VPN of the application realize that the embodiment of the device of two-node cluster hot backup can be applied in primary IPSec services On device.Device embodiment can be realized by software, can also be realized by way of hardware or software and hardware combining.With software Exemplified by realization, as the device on a logical meaning, being will be non-volatile by the processor of primary ipsec server where it Property memory in corresponding computer program instructions read in internal memory what operation was formed.For hardware view, such as Fig. 3 institutes Show, be a kind of hardware configuration that a kind of IPSec VPN of the application realize primary ipsec server where the device of two-node cluster hot backup Figure, in addition to the processor shown in Fig. 3, internal memory, network interface and nonvolatile memory, in embodiment where device Primary ipsec server the actual functional capability of two-node cluster hot backup is realized generally according to the IPSec VPN, other can also be included hard Part, is repeated no more to this.
Fig. 4 is referred to, Fig. 4 is the dress that a kind of IPSec VPN that the embodiment of the present application is illustrated realize two-node cluster hot backup Put, applied to primary ipsec server, described device includes:Transmitting element 410, judging unit 420, determining unit 430.
Wherein, the transmitting element 410, for the Backup Data of alliance SA status informations safe to carry to be sent to standby Ipsec server;
The judging unit 420, for judging in default time range, if receive standby ipsec server Receive the feedback message sent after the Backup Data;
The determining unit 430, for if it is, based on the feedback message determine standby ipsec server whether into Work(parses the Backup Data.
In this embodiment, the operations on the SA state information include creating SA state information and deleting SA state information; the transmitting unit 410 is specifically configured to:
when the primary IPSec server generates new SA state information, receive the backup data carrying the new SA state information sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
send a backup request to the primary IPSec server, and after the primary IPSec server receives the backup request, receive the backup data carrying the SA state information corresponding to the backup request sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
when the primary IPSec server deletes any target SA state information, receive the target SA state information to be deleted, carried in the message sent by the primary IPSec server; wherein the operation on the SA state information is deleting SA state information.
In addition, the transmitting unit 410 is further configured to:
if the feedback message sent by the standby IPSec server is not received within the preset time range, periodically retransmit the backup data to the standby IPSec server according to a preset time period, and stop sending the backup data to the standby IPSec server once the feedback message sent by the standby IPSec server is received.
In this embodiment, the determining unit 430 is specifically configured to:
if a feedback message carrying a pass flag is received, determine that the standby IPSec server has successfully parsed the backup data;
if a feedback message carrying a fail flag is received, determine that the standby IPSec server has not successfully parsed the backup data, and send the backup data to the standby IPSec server again.
Corresponding to the foregoing embodiment of the method for implementing dual-machine hot backup of an IPSec VPN, the present application also provides an embodiment of another device for implementing dual-machine hot backup of an IPSec VPN.
The embodiment of the other device for implementing dual-machine hot backup of an IPSec VPN according to the present application may be applied to a standby IPSec server. The device embodiment may be implemented by software, or by hardware or a combination of hardware and software. Taking software implementation as an example, the device in a logical sense is formed by the processor of the standby IPSec server on which it resides reading the corresponding computer program instructions from the non-volatile memory into the internal memory and running them. From a hardware perspective, Fig. 5 is a hardware structure diagram of the standby IPSec server on which the other device for implementing dual-machine hot backup of an IPSec VPN according to the present application resides; in addition to the processor, internal memory, network interface and non-volatile memory shown in Fig. 5, the standby IPSec server on which the device resides in the embodiment may also include other hardware according to the actual function of implementing dual-machine hot backup of the IPSec VPN, which will not be described again here.
Referring to Fig. 6, Fig. 6 shows another device for implementing dual-machine hot backup of an IPSec VPN according to an embodiment of the present application, applied to a standby IPSec server. The device includes: a receiving unit 610, a parsing unit 620 and a transmitting unit 630.
The receiving unit 610 is configured to receive backup data carrying SA state information sent by the primary IPSec server;
The parsing unit 620 is configured to parse the backup data and carry the parsing result in a feedback message to be sent to the primary IPSec server;
The transmitting unit 630 is configured to send the feedback message to the primary IPSec server; wherein, when the standby IPSec server has successfully parsed the backup data, a pass flag is carried in the feedback message, and when the standby IPSec server has failed to parse the backup data, a fail flag is carried in the feedback message.
In this embodiment, the operations on the SA state information include creating SA state information and deleting SA state information;
The receiving unit 610 is specifically configured to:
when the primary IPSec server generates new SA state information, receive the backup data carrying the new SA state information sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
send a backup request to the primary IPSec server, and after the primary IPSec server receives the backup request, receive the backup data carrying the SA state information corresponding to the backup request sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
when the primary IPSec server deletes any target SA state information, receive the target SA state information to be deleted, carried in the message sent by the primary IPSec server; wherein the operation on the SA state information is deleting SA state information.
For the implementation process of the functions and effects of the units in the above device, reference may be made to the implementation process of the corresponding steps in the above method, which will not be repeated here.
Since the device embodiment basically corresponds to the method embodiment, for related parts reference may be made to the partial description of the method embodiment. The device embodiment described above is merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, i.e. they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement it without creative effort.
The foregoing is merely a preferred embodiment of the present application and is not intended to limit the present application. Any modification, equivalent substitution, improvement, etc. made within the spirit and principle of the present application shall be included within the scope of protection of the present application.

Claims (12)

1. A method for implementing dual-machine hot backup of an IPSec VPN, applied to a primary IPSec server, characterized in that it comprises:
sending backup data carrying security association (SA) state information to a standby IPSec server;
judging whether a feedback message, sent by the standby IPSec server after receiving the backup data, is received within a preset time range;
if so, determining based on the feedback message whether the standby IPSec server has successfully parsed the backup data.
2. The method according to claim 1, characterized in that the operations on the SA state information include creating SA state information and deleting SA state information;
the sending of the backup data carrying the SA state information to the standby IPSec server comprises:
when new SA state information is generated, sending the backup data carrying the new SA state information to the standby IPSec server; wherein the operation on the SA state information is creating SA state information;
when a backup request for SA state information sent by the standby IPSec server is received, sending the backup data carrying the SA state information corresponding to the backup request to the standby IPSec server; wherein the operation on the SA state information is creating SA state information;
when any target SA state information is deleted, sending the backup data carrying the target SA state information to the standby IPSec server; wherein the operation on the SA state information is deleting SA state information.
3. The method according to claim 1, characterized in that the method further comprises:
if the feedback message sent by the standby IPSec server is not received within the preset time range, periodically retransmitting the backup data to the standby IPSec server according to a preset time period, and no longer sending the backup data to the standby IPSec server once the feedback message sent by the standby IPSec server is received.
4. The method according to claim 1, characterized in that the determining based on the feedback message whether the standby IPSec server has successfully parsed the backup data comprises:
if a feedback message carrying a pass flag is received, determining that the standby IPSec server has successfully parsed the backup data;
if a feedback message carrying a fail flag is received, determining that the standby IPSec server has not successfully parsed the backup data, and sending the backup data to the standby IPSec server again.
5. A method for implementing dual-machine hot backup of an IPSec VPN, applied to a standby IPSec server, characterized in that it comprises:
receiving backup data carrying SA state information sent by a primary IPSec server;
parsing the backup data, and carrying the parsing result in a feedback message to be sent to the primary IPSec server;
sending the feedback message to the primary IPSec server; wherein, when the standby IPSec server has successfully parsed the backup data, a pass flag is carried in the feedback message, and when the standby IPSec server has failed to parse the backup data, a fail flag is carried in the feedback message.
6. The method according to claim 5, characterized in that the operations on the SA state information include creating SA state information and deleting SA state information;
the receiving of the backup data carrying the SA state information sent by the primary IPSec server comprises:
when the primary IPSec server generates new SA state information, receiving the backup data carrying the new SA state information sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
sending a backup request to the primary IPSec server, and after the primary IPSec server receives the backup request, receiving the backup data carrying the SA state information corresponding to the backup request sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
when the primary IPSec server deletes any target SA state information, receiving the target SA state information to be deleted, carried in the message sent by the primary IPSec server; wherein the operation on the SA state information is deleting SA state information.
7. A device for implementing dual-machine hot backup of an IPSec VPN, applied to a primary IPSec server, characterized in that it comprises:
a transmitting unit, configured to send backup data carrying security association (SA) state information to a standby IPSec server;
a judging unit, configured to judge whether a feedback message, sent by the standby IPSec server after receiving the backup data, is received within a preset time range;
a determining unit, configured to, if so, determine based on the feedback message whether the standby IPSec server has successfully parsed the backup data.
8. The method according to claim 7, characterized in that the operations on the SA state information include creating SA state information and deleting SA state information;
the transmitting unit is specifically configured to:
when new SA state information is generated, send the backup data carrying the new SA state information to the standby IPSec server; wherein the operation on the SA state information is creating SA state information;
when a backup request for SA state information sent by the standby IPSec server is received, send the backup data carrying the SA state information corresponding to the backup request to the standby IPSec server; wherein the operation on the SA state information is creating SA state information;
when any target SA state information is deleted, send the backup data carrying the target SA state information to the standby IPSec server; wherein the operation on the SA state information is deleting SA state information.
9. The device according to claim 7, characterized in that the transmitting unit is further configured to:
if the feedback message sent by the standby IPSec server is not received within the preset time range, periodically retransmit the backup data to the standby IPSec server according to a preset time period, and no longer send the backup data to the standby IPSec server once the feedback message sent by the standby IPSec server is received.
10. The device according to claim 7, characterized in that the determining unit is specifically configured to:
if a feedback message carrying a pass flag is received, determine that the standby IPSec server has successfully parsed the backup data;
if a feedback message carrying a fail flag is received, determine that the standby IPSec server has not successfully parsed the backup data, and send the backup data to the standby IPSec server again.
11. A device for implementing dual-machine hot backup of an IPSec VPN, applied to a standby IPSec server, characterized in that it comprises:
a receiving unit, configured to receive backup data carrying SA state information sent by a primary IPSec server;
a parsing unit, configured to parse the backup data and carry the parsing result in a feedback message to be sent to the primary IPSec server;
a transmitting unit, configured to send the feedback message to the primary IPSec server; wherein, when the standby IPSec server has successfully parsed the backup data, a pass flag is carried in the feedback message, and when the standby IPSec server has failed to parse the backup data, a fail flag is carried in the feedback message.
12. The device according to claim 1, characterized in that the operations on the SA state information include creating SA state information and deleting SA state information;
the receiving unit is specifically configured to:
when the primary IPSec server generates new SA state information, receive the backup data carrying the new SA state information sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
send a backup request to the primary IPSec server, and after the primary IPSec server receives the backup request, receive the backup data carrying the SA state information corresponding to the backup request sent by the primary IPSec server; wherein the operation on the SA state information is creating SA state information;
when the primary IPSec server deletes any target SA state information, receive the target SA state information to be deleted, carried in the message sent by the primary IPSec server; wherein the operation on the SA state information is deleting SA state information.
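As an added illustration that is not part of the patent, the following Python simulation plays out the exchange the description and claims above specify: the primary sends backup data carrying SA state for create and delete operations (and on a standby-initiated backup request), the standby parses it and answers with a feedback message carrying a pass or fail flag, and the primary retransmits when no feedback arrives within the preset time or a fail flag comes back. The wire format (4-byte sequence number plus JSON body), the scripted link faults, the SPI and address values and the bounded retry count are assumptions of this example, not the patent's.

```python
import json

PASS, FAIL = "pass", "fail"   # flags carried in the standby's feedback message

class Standby:
    """Standby IPSec server: mirrors the primary's SA table from received backup data."""
    def __init__(self):
        self.sa_table = {}

    def handle_backup(self, wire: bytes) -> dict:
        # Wire format is an assumption of this example: 4-byte sequence number + JSON body.
        seq = int.from_bytes(wire[:4], "big")
        try:
            msg = json.loads(wire[4:])
            if msg["op"] == "create":          # operation: create SA state information
                self.sa_table[msg["spi"]] = msg["state"]
            elif msg["op"] == "delete":        # operation: delete SA state information
                self.sa_table.pop(msg["spi"], None)
            else:
                raise ValueError(f"unknown op {msg['op']!r}")
            return {"seq": seq, "flag": PASS}
        except (ValueError, KeyError, TypeError) as exc:
            return {"seq": seq, "flag": FAIL, "reason": str(exc)}  # tell the primary to resend

class Primary:
    """Primary IPSec server. `faults` scripts the constructed link per delivery attempt
    ('drop' = no feedback in time, 'corrupt' = body mangled); max_rounds bounds retries."""
    def __init__(self, standby: Standby, faults=(), max_rounds: int = 5):
        self.standby, self.faults, self.max_rounds = standby, list(faults), max_rounds
        self.sa_table, self.seq, self.log = {}, 0, []

    def _deliver(self, wire: bytes):
        fault = self.faults.pop(0) if self.faults else None
        if fault == "drop":
            return None                           # feedback never arrives
        if fault == "corrupt":
            wire = wire[:4] + b"X" + wire[5:]    # breaks the JSON body, leaves the header
        return self.standby.handle_backup(wire)

    def _send_until_acked(self, payload: dict) -> bool:
        self.seq += 1
        wire = self.seq.to_bytes(4, "big") + json.dumps(payload).encode()
        for attempt in range(1, self.max_rounds + 1):
            fb = self._deliver(wire)
            if fb is None:                        # no feedback within the preset time range
                self.log.append((self.seq, attempt, "timeout"))
                continue                          # retransmit on the preset period
            self.log.append((self.seq, attempt, fb["flag"]))
            if fb["flag"] == PASS:
                return True                       # standby parsed it: tables are in sync
            # fail flag: resend the same backup data straight away
        return False

    def create_sa(self, spi: int, state: dict) -> bool:
        self.sa_table[spi] = state
        return self._send_until_acked({"op": "create", "spi": spi, "state": state})

    def delete_sa(self, spi: int) -> bool:
        self.sa_table.pop(spi, None)
        return self._send_until_acked({"op": "delete", "spi": spi})

    def handle_backup_request(self, spi: int) -> bool:
        """Standby-initiated backup request for one SA (second branch of claim 2)."""
        if spi not in self.sa_table:
            return False
        return self._send_until_acked({"op": "create", "spi": spi, "state": self.sa_table[spi]})

def run_demo():
    """Constructed run: two timeouts then pass (0x1001), fail flag then pass (0x1002), clean delete."""
    standby = Standby()
    primary = Primary(standby, faults=["drop", "drop", None, "corrupt", None])
    results = [primary.create_sa(0x1001, {"dst": "198.51.100.2"}),
               primary.create_sa(0x1002, {"dst": "198.51.100.3"}), primary.delete_sa(0x1001)]
    return primary, standby, results
```

After `run_demo()`, `primary.log` records each attempt's outcome and both SA tables hold only SPI 0x1002; a primary whose faults are all drops exhausts `max_rounds` and reports the backup as unconfirmed.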
CN201710464935.9A 2017-06-19 2017-06-19 The method and apparatus that a kind of IPSec VPN realize two-node cluster hot backup Pending CN107332885A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710464935.9A CN107332885A (en) 2017-06-19 2017-06-19 The method and apparatus that a kind of IPSec VPN realize two-node cluster hot backup

Publications (1)

Publication Number Publication Date
CN107332885A true CN107332885A (en) 2017-11-07

Family

ID=60195408

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710464935.9A Pending CN107332885A (en) 2017-06-19 2017-06-19 The method and apparatus that a kind of IPSec VPN realize two-node cluster hot backup

Country Status (1)

Country Link
CN (1) CN107332885A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112804268A (en) * 2021-04-13 2021-05-14 北京太一星晨信息技术有限公司 Synchronization method, first device, second device and synchronization system

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1859204A (en) * 2006-03-21 2006-11-08 华为技术有限公司 Method and device for realizing synchronous data in double machine heat backup
CN101163036A (en) * 2006-10-10 2008-04-16 中兴通讯股份有限公司 Method of implementing two-computer hot backup of network equipment management software
US20080155677A1 (en) * 2006-12-22 2008-06-26 Mahmood Hossain Apparatus and method for resilient ip security/internet key exchange security gateway
CN101917294A (en) * 2010-08-24 2010-12-15 杭州华三通信技术有限公司 Method and equipment for updating anti-replay parameter during master and slave switching
CN103107973A (en) * 2011-11-09 2013-05-15 中兴通讯股份有限公司 High availability method and high availability device for achieving security protocol
CN103441987A (en) * 2013-07-30 2013-12-11 曙光信息产业(北京)有限公司 Method and device for managing dual-computer firewall system
CN103731407A (en) * 2012-10-12 2014-04-16 华为技术有限公司 IKE message negotiation method and system
CN105635295A (en) * 2016-01-08 2016-06-01 成都卫士通信息产业股份有限公司 IPSec VPN high-performance data synchronization method
CN105871592A (en) * 2016-03-18 2016-08-17 广州海格通信集团股份有限公司 Duplicated hot-redundancy method of telephone dispatching device in distributed system architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20171107