CN108322379B - Virtual private network VPN system and implementation method - Google Patents


Info

Publication number
CN108322379B
Authority
CN
China
Prior art keywords
firewall
gateway
vpn
data center
ipsec
Prior art date
Legal status
Active
Application number
CN201810094297.0A
Other languages
Chinese (zh)
Other versions
CN108322379A (en)
Inventor
陈光辉
于成波
王苌
吴红宁
Current Assignee
Shenzhen Huawei Cloud Computing Technology Co ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN201810094297.0A
Publication of CN108322379A
Application granted
Publication of CN108322379B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The embodiment of the invention provides a Virtual Private Network (VPN) system and an implementation method thereof, wherein the VPN system comprises a first gateway, a first firewall, a second gateway and a second firewall, wherein if the first firewall has no fault and IPSec between the first firewall and a far-end firewall has no fault, the following characteristics exist: the second gateway is used for forwarding the received first service from the VPN to the first gateway; the first gateway is used for forwarding the received second service from the VPN and the first service from the second gateway to the first firewall; the first firewall is used for sending the traffic from the first gateway to the remote firewall through the IPSec between the first firewall and the remote firewall. By adopting the embodiment of the invention, the stability of flow transmission between the customer data center and the VPN can be improved.

Description

Virtual private network VPN system and implementation method
Technical Field
The invention relates to the technical field of communication, in particular to a Virtual Private Network (VPN) system and an implementation method.
Background
A Virtual Private Network (VPN) is a technology that establishes a private transmission path over open public network resources to connect remote branches, business partners, mobile office workers and the like, and provides secure end-to-end data communication. Internet Protocol Security (IPSec) VPN is a VPN technology based on IPSec, where the IPSec protocol provides tunnel security. The VPN service requires firewalls to be deployed on both the VPN side and the customer data center side, with the firewall functionality used to encrypt and decrypt IPSec VPN data. The reliability of the VPN service is an important indicator of its competitiveness. Considering the direction of traffic flow in the VPN, reliability depends mainly on the reliability of the firewall in the VPN and on the reliability of the link between the firewall in the VPN and the firewall on the customer data center side.
To improve the reliability of the firewall in the VPN, a main firewall and a standby firewall are usually deployed; the two firewalls are connected through the Virtual Router Redundancy Protocol (VRRP) and present a single public network IP address to the outside. In a dual Availability Zone (AZ) scenario, the main firewall and the standby firewall are each deployed in one AZ. If the main firewall is deployed in AZ1 and the standby firewall in AZ2, the core switches between AZ1 and AZ2 are connected at Layer 2 using Virtual Extensible LAN (VXLAN), and the main and standby firewalls are connected through a heartbeat line so that configuration information and state information can be synchronized. When the main firewall fails or is powered off, the standby firewall can no longer detect the main firewall through the heartbeat, so it sets its own state to main and configures the VRRP virtual IP address on its interface, thereby becoming the new main firewall. This method implements the disaster recovery function of the VPN. However, it can only ensure that traffic in the VPN is still transmitted to the customer data center when the main firewall fails or is powered off; it cannot ensure that traffic in the VPN is transmitted when the IPSec link between the VPN and the customer data center fails.
Disclosure of Invention
The embodiment of the invention discloses a Virtual Private Network (VPN) system and an implementation method thereof, which can improve the stability of flow transmission between a customer data center and a VPN.
The first aspect of the embodiment of the invention discloses a Virtual Private Network (VPN) system, which comprises a first gateway, a first firewall, a second gateway and a second firewall, wherein the first gateway and the second gateway belong to gateways in a VPN, the first firewall and the second firewall belong to firewalls in the VPN, the first gateway is connected with the second gateway, the first gateway is also connected with the first firewall, and the second gateway is also connected with the second firewall; an Internet Protocol Security (IPSec) connection is established between each of the first firewall and the second firewall and a remote firewall; the remote firewall belongs to a firewall in the user data center; if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail, the following features exist:
the second gateway is used for forwarding the received first service from the VPN to the first gateway;
the first gateway is used for forwarding the received second traffic from the VPN and the first traffic from the second gateway to the first firewall;
the first firewall is used for sending the traffic from the first gateway to the far-end firewall through IPSec between the first firewall and the far-end firewall;
the IPSec between the second firewall and the far-end firewall is used for starting when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails.
In the system, an IPSec between a first firewall and a far-end firewall and an IPSec between a second firewall and the far-end firewall are established, when the first firewall is not in fault and the IPSec between the first firewall and the far-end firewall is not in fault, the flow received by the second gateway flows to the first gateway, the flow received by the first gateway flows to the first firewall, and finally the flow is forwarded to the far-end firewall by the first firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the flow received by the first gateway flows to the second gateway, the flow received by the second gateway flows to the second firewall, and finally the second firewall forwards the flow to the far-end firewall; the backup of IPSec between the customer data center and the VPN is realized, and the stability of flow transmission between the customer data center and the VPN is improved.
With reference to the first aspect, in a first possible implementation manner of the first aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the following features exist:
the first gateway is used for forwarding the received second service from the VPN to the second gateway;
the second gateway is used for forwarding the received first traffic from the VPN and the second traffic from the first gateway to the second firewall;
and the second firewall is used for sending the service from the second gateway to the far-end firewall through the IPSec between the second firewall and the far-end firewall.
With reference to the first aspect, or any one of the foregoing possible implementation manners of the first aspect, in a second possible implementation manner of the first aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, there are the following further features:
before the first gateway forwards the received second service from the VPN to the second gateway, the second firewall is used for receiving second negotiation information sent by the far-end firewall;
the second firewall is configured to send the route of the user data center to the second gateway according to the second negotiation information, so that the second gateway sends the received service that needs to be sent to the user data center to the second firewall;
the second gateway is used for sending the route of the user data center to the first gateway so that the first gateway sends the received service which needs to be sent to the user data center to the second gateway;
the first gateway is used for deleting the route of the user data center learned from the first firewall.
With reference to the first aspect, or any one of the foregoing possible implementation manners of the first aspect, in a third possible implementation manner of the first aspect, if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail, there are the following further features:
the first firewall is used for receiving first negotiation information sent by the far-end firewall before the second gateway forwards the received first service from the VPN to the first gateway;
the first firewall is configured to send the route of the user data center to the first gateway according to the first negotiation information, so that the first gateway sends the received service, which needs to be sent to the user data center, to the first firewall;
the first gateway is configured to send the route of the user data center to the second gateway, so that the second gateway sends the received service that needs to be sent to the user data center to the first gateway.
With reference to the first aspect or any one of the foregoing possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, a border gateway protocol BGP is configured on each of the first gateway, the first firewall, the second gateway, and the second firewall, a peer of the first firewall is the first gateway, a peer of the first gateway is the first firewall and the second gateway, a peer of the second firewall is the second gateway, a peer of the second gateway is the second firewall and the first gateway, and the BGP is used to notify a route of the user data center.
In a second aspect, an embodiment of the present application provides a method for implementing a virtual private network VPN, where the method is applied to a VPN system, and the VPN system includes a first gateway, a first firewall, a second gateway, and a second firewall, where the first gateway and the second gateway belong to gateways in a VPN, the first firewall and the second firewall belong to firewalls in the VPN, the first gateway is connected to the second gateway, the first gateway is further connected to the first firewall, and the second gateway is further connected to the second firewall; an Internet Protocol Security (IPSec) connection is established between each of the first firewall and the second firewall and a remote firewall; the remote firewall belongs to a firewall in the user data center; if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail, the method includes:
the second gateway forwards the received first service from the VPN to the first gateway;
the first gateway forwards the received second traffic from the VPN and the first traffic from the second gateway to the first firewall;
the first firewall sends the traffic from the first gateway to the far-end firewall through IPSec between the first firewall and the far-end firewall;
the IPSec between the second firewall and the far-end firewall is used for starting when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails.
In the method, an IPSec between a first firewall and a far-end firewall and an IPSec between a second firewall and the far-end firewall are established, when the first firewall is not in fault and the IPSec between the first firewall and the far-end firewall is not in fault, the flow received by the second gateway flows to the first gateway, the flow received by the first gateway flows to the first firewall, and finally the flow is forwarded to the far-end firewall by the first firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the flow received by the first gateway flows to the second gateway, the flow received by the second gateway flows to the second firewall, and finally the second firewall forwards the flow to the far-end firewall; the backup of IPSec between the customer data center and the VPN is realized, and the stability of flow transmission between the customer data center and the VPN is improved.
With reference to the second aspect, in a first possible implementation manner of the second aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the method further includes:
the first gateway forwards the received second service from the VPN to the second gateway;
the second gateway forwards the received first traffic from the VPN and the second traffic from the first gateway to the second firewall;
and the second firewall sends the service from the second gateway to the far-end firewall through IPSec between the second firewall and the far-end firewall.
With reference to the second aspect, or any one of the foregoing possible implementation manners of the second aspect, in a second possible implementation manner of the second aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, before the first gateway forwards the received second traffic from the VPN to the second gateway, the method further includes:
the second firewall receives second negotiation information sent by the far-end firewall;
the second firewall sends the route of the user data center to the second gateway according to the second negotiation information, so that the second gateway sends the received service which needs to be sent to the user data center to the second firewall;
the second gateway sends the route of the user data center to the first gateway so that the first gateway sends the received service which needs to be sent to the user data center to the second gateway;
the first gateway deletes the route of the user data center learned from the first firewall.
With reference to the second aspect, or any one of the foregoing possible implementation manners of the second aspect, in a third possible implementation manner of the second aspect, if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail; before the second gateway forwards the received first traffic from the VPN to the first gateway, the method further includes:
the first firewall receives first negotiation information sent by the far-end firewall;
the first firewall sends the route of the user data center to the first gateway according to the first negotiation information, so that the first gateway sends the received service which needs to be sent to the user data center to the first firewall;
and the first gateway sends the route of the user data center to the second gateway so that the second gateway sends the received service which needs to be sent to the user data center to the first gateway.
With reference to the second aspect, or any one of the foregoing possible implementation manners of the second aspect, in a fourth possible implementation manner of the second aspect, a border gateway protocol BGP is configured on each of the first gateway, the first firewall, the second gateway, and the second firewall, a peer of the first firewall is the first gateway, a peer of the first gateway is the first firewall and the second gateway, a peer of the second firewall is the second gateway, a peer of the second gateway is the second firewall and the first gateway, and the BGP is configured to notify a route of the user data center.
By implementing the embodiment of the invention, the IPSec between the first firewall and the far-end firewall and the IPSec between the second firewall and the far-end firewall are established, when the first firewall is not in fault and the IPSec between the first firewall and the far-end firewall is not in fault, the flow received by the second gateway flows to the first gateway, the flow received by the first gateway flows to the first firewall, and finally the flow is forwarded to the far-end firewall by the first firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the flow received by the first gateway flows to the second gateway, the flow received by the second gateway flows to the second firewall, and finally the second firewall forwards the flow to the far-end firewall; the backup of IPSec between the customer data center and the VPN is realized, and the stability of flow transmission between the customer data center and the VPN is improved.
Drawings
The drawings used in the embodiments of the present invention are described below.
Fig. 1 is a schematic structural diagram of a VPN system according to an embodiment of the present invention;
fig. 2 is a flowchart illustrating a VPN implementation method according to an embodiment of the present invention;
fig. 3 is a schematic view of a traffic transmission scenario provided in an embodiment of the present invention;
fig. 4 is a schematic view of a scenario of another traffic transmission according to an embodiment of the present invention.
Detailed Description
The embodiments of the present invention will be described below with reference to the drawings.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a VPN system according to an embodiment of the present invention, where the VPN system includes a first firewall 101, a first gateway 102, a second gateway 103, and a second firewall 104, where the first gateway 102 and the second gateway 103 belong to gateways in a VPN, and the first firewall 101 and the second firewall 104 belong to firewalls in the VPN. In addition, the first firewall 101 establishes one IPSec link with the remote firewall 105 in the customer data center, and the second firewall 104 establishes another IPSec link with the remote firewall 105 in the customer data center. The first gateway 102 establishes a communication connection with the first virtual router 106, and the second gateway 103 establishes a communication connection with the second virtual router 107. Both the first virtual router 106 and the second virtual router 107 establish a communication connection with a device 108 in the cloud network; the device 108 is configured to send traffic to the first virtual router 106 and the second virtual router 107, and is further configured to receive traffic from the customer data center sent by the first virtual router 106 and the second virtual router 107. One or more Virtual Machines (VMs) may be deployed on the device 108.
Further, the first firewall 101 establishes a communication connection with the first gateway 102, the first gateway 102 establishes a communication connection with the second gateway 103, and the second gateway 103 establishes a communication connection with the second firewall 104. In addition, both the first firewall 101 and the second firewall 104 can import a route (also called a "User Network Route") of the customer data center. Optionally, Border Gateway Protocol (BGP) is configured on each of the first firewall 101, the first gateway 102, the second gateway 103, and the second firewall 104, so that the first firewall 101 and the first gateway 102 may communicate based on BGP (e.g., route advertisement), the first gateway 102 and the second gateway 103 may communicate based on BGP (e.g., route advertisement), and the second gateway 103 and the second firewall 104 may communicate based on BGP (e.g., route advertisement). For ease of understanding, the BGP configuration parameters of each node are given below.
For the first firewall 101, the identifier (number) of the autonomous system (AS) to which the first firewall 101 belongs is configured as 100, and the peer of the first firewall 101 is configured as the first gateway 102.
For the first gateway 102, the identifier (number) of the AS to which the first gateway 102 belongs is configured as 200, and the peers of the first gateway 102 are configured as the second gateway 103 and the first firewall 101.
For the second gateway 103, the identifier (number) of the AS to which the second gateway 103 belongs is configured as 300, and the peers of the second gateway 103 are configured as the first gateway 102 and the second firewall 104.
For the second firewall 104, the identifier (number) of the AS to which the second firewall 104 belongs is configured as 400, and the peer of the second firewall 104 is configured as the second gateway 103.
The flow of execution of each node in the VPN system is described below in conjunction with fig. 2 to better understand the VPN system.
Referring to fig. 2, fig. 2 is a method for implementing a VPN, which may be implemented based on the architecture shown in fig. 1 and includes the following two stages.
In the first stage: in the process of the first firewall without failure and the IPSec between the first firewall and the remote firewall without failure, the first firewall 101 notifies the route of the customer data center to the first gateway 102 through BGP, and the first gateway 102 notifies the second gateway 103 through BGP; for example, if the interface Internet Protocol (IP) of the client data center connected to the first firewall 101 is 30.1.1.0/24, the interface IP of the first firewall connected to the first gateway is 169.254.194.251, and the interface IP of the first gateway connected to the second gateway is 169.254.192.1, the routing configuration of the first firewall, the first gateway, and the second gateway may be as follows:
TABLE 1
Destination/Mask Proto Pre Cost Flags NextHop Interface
30.1.1.0/24 Unr 60 0 D 129.1.1.1 GigabitEthernet1/0/0
TABLE 2
Destination/Mask Proto Pre Cost Flags NextHop Interface
30.1.1.0/24 EBGP 60 0 D 169.254.194.251 GigabitEthernet3/0/0
TABLE 3
Destination/Mask Proto Pre Cost Flags NextHop Interface
30.1.1.0/24 EBGP 60 0 D 169.254.192.1 GigabitEthernet5/0/0
Table 1 shows the routes on the first firewall, table 2 the routes on the first gateway, and table 3 the routes on the second gateway. Thus, when the second gateway 103 subsequently identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the first gateway; when the first gateway 102 subsequently identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the first firewall. In the tables, "Destination/Mask" denotes the destination network and its mask, "Proto" the protocol type, "Pre" the priority, "Cost" the overhead, "Flags" the route flags, "NextHop" the next hop, and "Interface" the outgoing interface; "Unr" and "EBGP" are different protocol types, and "GigabitEthernet1/0/0", "GigabitEthernet3/0/0" and "GigabitEthernet5/0/0" are different interfaces. Similar cases elsewhere are not described one by one.
Specifically, the flow at this stage may include, but is not limited to, steps S201-S206.
Step S201: the first firewall receives first negotiation information sent by the remote firewall.
Specifically, the first firewall negotiates with the remote firewall, and the information generated by negotiation is the first negotiation information. The first firewall can determine that the IPSec between the first firewall and the remote firewall is not faulty according to the first negotiation information, and thus determine that subsequent traffic from the VPN can be sent to the customer data center through the IPSec.
Step S202: the first firewall sends the route of the customer data center to the first gateway.
Specifically, after determining that the subsequent traffic flow from the VPN can be sent to the customer data center through the IPSec according to the first negotiation information, the first firewall sends the route of the customer data center to the first gateway. After learning the route to the client data center, the first gateway can determine that the next hop of the traffic required to be sent to the client data center is the first firewall, so that the received traffic required to be sent to the client data center is sent to the first firewall subsequently.
Step S203: the first gateway sends the route of the customer data center to the second gateway.
Step S204: the second gateway forwards the received first traffic from the VPN to the first gateway.
Specifically, after learning the route to the customer data center, the second gateway can determine that the next hop of the service which needs to be sent to the customer data center is the first gateway. The first traffic from the VPN received by the second gateway is traffic that needs to be sent to the customer data center, so the second gateway forwards the first traffic from the VPN to the first gateway. In addition, the first service from the VPN is specifically a traffic that the device sends to the second gateway through the second virtual router.
Step S205: the first gateway is configured to forward the received second traffic from the VPN and the first traffic from the second gateway to the first firewall.
Specifically, the second service from the VPN is a traffic that the device sends to the first gateway through the first virtual router, and since the first service and the second service are both services that need to be sent to the customer data center, and a next hop of the service that needs to be sent to the customer data center on the first gateway is the first firewall, the first gateway forwards the first service and the second service to the first firewall.
Step S206: the first firewall is used for sending the traffic from the first gateway to the far-end firewall through IPSec between the first firewall and the far-end firewall.
Specifically, the service from the first gateway includes the first service and the second service. For ease of understanding, the following description is made for traffic flows of the first service and the second service, respectively, as follows:
Second service: the second traffic leaves the virtual machine and first arrives at the first virtual router (vrouter1), which sends it to the first gateway. At the first gateway the traffic is processed at Layer 3 and forwarded according to the routing table; it matches the routing entry 30.1.1.0/24 (namely the route of the customer data center), so the second service is sent to the first gateway's next hop 169.254.194.251, i.e., the first firewall. The first firewall performs IPSec encryption and encapsulation on the second service and sends it to the remote firewall through the public network gateway.
First service: the first traffic leaves the virtual machine and first arrives at the second virtual router (vrouter2), which sends it to the second gateway. At the second gateway the traffic is processed at Layer 3 and forwarded according to the routing table; it matches the routing entry 30.1.1.0/24 (i.e., the route of the customer data center), so the first service is sent to the second gateway's next hop 169.254.192.1, i.e., the first gateway. At the first gateway the routing entry 30.1.1.0/24 (i.e., the customer data center route) is matched again, and the first traffic is sent to the first gateway's next hop 169.254.194.251, i.e., the first firewall, which performs IPSec encryption and encapsulation on the first traffic and sends it to the remote firewall through the public network gateway.
For the first stage, the direction indicated by the solid arrow in fig. 3 illustrates the transmission process of the traffic from the VPN to the customer data center, and the direction indicated by the dotted arrow in fig. 3 illustrates the transmission process of the traffic from the customer data center to the VPN.
The second stage is as follows: when the first firewall fails, or the IPSec between the first firewall and the remote firewall fails, the second firewall 104 advertises the route of the customer data center to the second gateway 103 through BGP, and the second gateway 103 advertises it to the first gateway 102 through BGP. For example, if the customer data center network reachable through the second firewall 104 is also 30.1.1.0/24, the IP address of the second firewall's interface connected to the second gateway is 169.254.194.231, and the IP address of the second gateway's interface connected to the first gateway is 169.254.193.1, the routing configuration of the second firewall, the second gateway and the first gateway may be as follows:
TABLE 4
Destination/Mask Proto Pre Cost Flags NextHop Interface
30.1.1.0/24 Unr 60 0 D 130.1.1.1 GigabitEthernet1/0/0
TABLE 5
Destination/Mask Proto Pre Cost Flags NextHop Interface
30.1.1.0/24 EBGP 60 0 D 169.254.193.1 GigabitEthernet2/0/0
TABLE 6
Destination/Mask Proto Pre Cost Flags NextHop Interface
30.1.1.0/24 EBGP 60 0 D 169.254.195.231 GigabitEthernet6/0/0
Table 4 shows the routes on the second firewall, table 5 the routes on the second gateway, and table 6 the routes on the first gateway. Thereafter, when the first gateway 102 identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the second gateway; when the second gateway 103 identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the second firewall.
The flow at this stage may include, but is not limited to, steps S207-S213.
Step S207: the second firewall receives second negotiation information sent by the remote firewall.
Specifically, when the remote firewall's attempt to communicate with the first firewall fails, it may determine that the first firewall has failed or that the IPSec between the first firewall and the remote firewall has failed, and therefore negotiates with the second firewall instead; the information generated in this negotiation is the second negotiation information.
Step S208: the second firewall sends the route of the customer data center to the second gateway.
Specifically, from the second negotiation information the second firewall may determine that subsequent traffic from the VPN can be sent to the customer data center through the IPSec between the second firewall and the remote firewall. The second firewall therefore sends the route of the customer data center to the second gateway; once the second gateway has learned that route, it can determine that the next hop for traffic that needs to be sent to the customer data center is the second firewall, and subsequently sends such traffic to the second firewall.
Step S209: the second gateway sends the route of the customer data center to the first gateway.
Specifically, after the first gateway learns the route to the customer data center, it may determine that the next hop of the traffic that needs to be sent to the customer data center is the second gateway.
Step S210: the first gateway deletes the route of the customer data center learned from the first firewall.
In particular, the first gateway may also delete previously learned routes of the customer data center from the first firewall because the next hop for traffic that the first gateway needs to send to the customer data center is the first gateway according to the previously learned routes.
Step S211: the first gateway forwards the received second traffic from the VPN to the second gateway.
Specifically, the second traffic from the VPN received by the first gateway is traffic that needs to be sent to the customer data center, so the first gateway forwards it to the second gateway. The second traffic from the VPN is the traffic that the device sends to the first gateway through the first virtual router.
Step S212: the second gateway forwards the received first traffic from the VPN and the second traffic from the first gateway to the second firewall.
Specifically, the first traffic from the VPN is the traffic that the device sends to the second gateway through the second virtual router. Both the first traffic and the second traffic need to be sent to the customer data center, and on the second gateway the next hop for such traffic is the second firewall, so the second gateway forwards both the first traffic and the second traffic to the second firewall.
Step S213: the second firewall sends traffic from the second gateway to the remote firewall through the IPSec between the second firewall and the remote firewall.
Specifically, the traffic from the second gateway includes the first traffic and the second traffic. For ease of understanding, the flow of each is described separately below:
First traffic: the first traffic leaves the virtual machine and first reaches the second virtual router (vrouter2), which sends it to the second gateway. At the second gateway the traffic is processed at layer 3 and forwarded according to the routing table: it matches the routing entry 30.1.1.0/24 (the route of the customer data center) and is sent to the second gateway's next hop 169.254.194.231, i.e. the second firewall. The second firewall performs IPSec encryption and encapsulation on the first traffic and sends it to the remote firewall through the public network gateway.
Second traffic: the second traffic leaves the virtual machine and first reaches the first virtual router (vrouter1), which sends it to the first gateway. At the first gateway the traffic is processed at layer 3 and forwarded according to the routing table: it matches the routing entry 30.1.1.0/24 (the route of the customer data center) and is sent to the first gateway's next hop 169.254.193.1, i.e. the second gateway. At the second gateway the routing entry 30.1.1.0/24 (the route of the customer data center) is matched again, and the second traffic is sent to the next hop 169.254.194.231, i.e. the second firewall, which performs IPSec encryption and encapsulation on the second traffic and sends it to the remote firewall through the public network gateway.
For the second stage, the direction indicated by the solid arrow in fig. 4 illustrates the transmission process of the traffic from the VPN to the customer data center, and the direction indicated by the dotted arrow in fig. 4 illustrates the transmission process of the traffic from the customer data center to the VPN.
It can be understood from the description of the first and second stages above that the first firewall has a higher priority than the second firewall: when the first firewall has not failed and the IPSec between the first firewall and the remote firewall has not failed, the remote firewall triggers the flow described for the first stage; when the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the remote firewall triggers the flow described for the second stage. Whether the first firewall has failed, and whether the IPSec between the first firewall and the remote firewall has failed, can be detected by the remote firewall 105.
The first and second stages describe a processing flow when traffic in the VPN is sent to the customer data center, and the following briefly describes the processing flow when traffic in the customer data center is sent to the VPN.
1. Two routes to the VPN need to be configured on the remote firewall with different priorities, so that route backup is achieved. The route with the higher priority is the primary route and the route with the lower priority is the standby route; the tunnel egress interface of the primary route is on the first firewall, and the tunnel egress interface of the standby route is on the second firewall.
2. The primary route is bound to a link reachability detection tool (e.g. PING or IP-Link) that monitors the link status of the primary route. By default, traffic from the customer data center to the VPN is transmitted over the primary route; when a link on the primary route fails, the remote firewall enables the standby route to carry the traffic from the customer data center to the VPN, thereby ensuring stable transmission of traffic from the customer data center to the VPN.
In the method described in fig. 2, IPSec is established both between the first firewall and the remote firewall and between the second firewall and the remote firewall. When the first firewall has not failed and the IPSec between the first firewall and the remote firewall has not failed, traffic received by the second gateway flows to the first gateway, traffic received by the first gateway flows to the first firewall, and the first firewall finally forwards it to the remote firewall. When the first firewall fails or the IPSec between the first firewall and the remote firewall fails, traffic received by the first gateway flows to the second gateway, traffic received by the second gateway flows to the second firewall, and the second firewall finally forwards it to the remote firewall. In this way the IPSec between the customer data center and the VPN is backed up, and the stability of traffic transmission between the customer data center and the VPN is improved.
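The two stages above, and the BGP route learning and withdrawal that switch between them (steps S207 to S210), as an added simulation that is not the patent's own code. It assumes the node names, the vrouter-to-gateway wiring and a hop-count cost; the next-hop addresses are the ones quoted in the description.

```python
"""Simulation of the two-stage IPSec failover described above (added example,
not the patent's own code): firewalls originate the customer data-center route
and advertise it over BGP to their peer gateway, gateways re-advertise it to
each other, and on failure the first gateway withdraws the route learned from
the first firewall (S210). Names, wiring and hop-count cost are assumptions."""
import ipaddress

CUSTOMER_DC = ipaddress.ip_network("30.1.1.0/24")
# Interface addresses quoted in the description (the next hops of the tables).
FW1_IP, GW1_IP = "169.254.194.251", "169.254.192.1"
FW2_IP, GW2_IP = "169.254.194.231", "169.254.193.1"


class Node:
    """Gateway or firewall whose routing table is filled by BGP advertisements."""
    def __init__(self, name, ip, kind):
        self.name, self.ip, self.kind = name, ip, kind
        self.peers = []    # BGP peers (Node objects)
        self.routes = {}   # prefix -> {advertiser name: (cost, next-hop Node)}

    def best(self, prefix):
        cands = self.routes.get(prefix)
        return min(cands.values(), key=lambda r: r[0]) if cands else None

    def lookup(self, dst_ip):
        """Longest-prefix match: the next-hop Node for dst_ip, or None."""
        dst = ipaddress.ip_address(dst_ip)
        hits = [p for p in self.routes if dst in p and self.best(p)]
        return self.best(max(hits, key=lambda p: p.prefixlen))[1] if hits else None

    def originate(self, prefix):
        """A firewall installs the data-center route towards its IPSec tunnel."""
        self.routes[prefix] = {"tunnel": (0, self)}
        self.advertise(prefix, via=None)

    def advertise(self, prefix, via):
        """Send the best route to gateway peers other than the one it came from."""
        for peer in self.peers:
            if peer.kind == "gateway" and peer is not via:
                peer.learn(prefix, self, self.best(prefix)[0] + 1)

    def learn(self, prefix, advertiser, cost):
        """Install a peer's route; re-advertise only if the best route changed."""
        old = self.best(prefix)
        self.routes.setdefault(prefix, {})[advertiser.name] = (cost, advertiser)
        if self.best(prefix) != old:
            self.advertise(prefix, via=advertiser)

    def withdraw(self, prefix, advertiser):
        """Delete the route learned from advertiser and propagate the withdrawal."""
        if self.routes.get(prefix, {}).pop(advertiser.name, None) is None:
            return
        for peer in self.peers:
            if peer.kind == "gateway" and peer is not advertiser:
                peer.withdraw(prefix, self)


def build_vpn():
    """Wire the VPN side: each gateway peers with its firewall and the other gateway."""
    gw1, gw2 = Node("first_gateway", GW1_IP, "gateway"), Node("second_gateway", GW2_IP, "gateway")
    fw1, fw2 = Node("first_firewall", FW1_IP, "firewall"), Node("second_firewall", FW2_IP, "firewall")
    fw1.peers, gw1.peers = [gw1], [fw1, gw2]
    fw2.peers, gw2.peers = [gw2], [fw2, gw1]
    return gw1, gw2, fw1, fw2


def trace(entry_gateway, dst_ip):
    """Follow next hops from the gateway a vrouter hands the packet to, until a firewall sends it over IPSec."""
    path, node = [], entry_gateway
    while node is not None and node.name not in path:   # guard against loops
        path.append(node.name)
        if node.kind == "firewall":
            return path + ["remote_firewall"]
        node = node.lookup(dst_ip)
    return path + ["dropped"]


def run_stages(dst_ip="30.1.1.10"):
    """Stage 1 (first firewall healthy), then stage 2 after the first firewall fails."""
    gw1, gw2, fw1, fw2 = build_vpn()
    fw1.originate(CUSTOMER_DC)       # first firewall negotiated with the remote firewall
    stage1 = {"first": trace(gw2, dst_ip), "second": trace(gw1, dst_ip)}  # vrouter2->gw2, vrouter1->gw1
    fw2.originate(CUSTOMER_DC)       # S207-S209: second firewall negotiates and advertises
    gw1.withdraw(CUSTOMER_DC, fw1)   # S210: first gateway drops the route learned from FW1
    stage2 = {"first": trace(gw2, dst_ip), "second": trace(gw1, dst_ip)}
    return stage1, stage2
```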
Those of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by hardware under the control of a computer program, which may be stored in a computer-readable storage medium and, when executed, may carry out the processes of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.

Claims (10)

1. A VPN system, characterized in that the VPN system comprises a first gateway, a first firewall, a second gateway and a second firewall, wherein the first gateway and the second gateway belong to gateways in a VPN, the first firewall and the second firewall belong to firewalls in the VPN, the first gateway is connected with the second gateway, the first gateway is further connected with the first firewall, and the second gateway is further connected with the second firewall; an Internet Protocol Security (IPSec) connection is established between the first firewall and a far-end firewall and between the second firewall and the far-end firewall; the far-end firewall belongs to firewalls in the user data center; if the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, the following features exist:
the second gateway is used for forwarding the received first service from the VPN to the first gateway;
the first gateway is used for forwarding the received second traffic from the VPN and the first traffic from the second gateway to the first firewall;
the first firewall is used for sending the traffic from the first gateway to the far-end firewall through IPSec between the first firewall and the far-end firewall;
the IPSec between the second firewall and the remote firewall is configured to be enabled when the first firewall fails or the IPSec between the first firewall and the remote firewall fails; when the IPSec between the second firewall and the remote firewall is enabled, the traffic received by the first gateway flows to the second gateway, and the traffic received by the second gateway flows to the second firewall to be forwarded to the remote firewall by the second firewall.
2. The system of claim 1, wherein if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the following features exist:
the first gateway is used for forwarding the received second service from the VPN to the second gateway;
the second gateway is used for forwarding the received first traffic from the VPN and the second traffic from the first gateway to the second firewall;
and the second firewall is used for sending the service from the second gateway to the far-end firewall through the IPSec between the second firewall and the far-end firewall.
3. The system of claim 2, wherein if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the following further features exist:
before the first gateway forwards the received second service from the VPN to the second gateway, the second firewall is used for receiving second negotiation information sent by the far-end firewall;
the second firewall is configured to send the route of the user data center to the second gateway according to the second negotiation information, so that the second gateway sends the received service that needs to be sent to the user data center to the second firewall;
the second gateway is used for sending the route of the user data center to the first gateway so that the first gateway sends the received service which needs to be sent to the user data center to the second gateway;
the first gateway is used for deleting the route of the user data center learned from the first firewall.
4. A system according to any of claims 1 to 3, wherein if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail, the following further features exist:
the first firewall is used for receiving first negotiation information sent by the far-end firewall before the second gateway forwards the received first service from the VPN to the first gateway;
the first firewall is configured to send the route of the user data center to the first gateway according to the first negotiation information, so that the first gateway sends the received service, which needs to be sent to the user data center, to the first firewall;
the first gateway is configured to send the route of the user data center to the second gateway, so that the second gateway sends the received service that needs to be sent to the user data center to the first gateway.
5. The system according to any of claims 1-3, wherein a Border Gateway Protocol (BGP) is configured on each of the first gateway, the first firewall, the second gateway, and the second firewall, wherein a peer of the first firewall is the first gateway, a peer of the first gateway is the first firewall and the second gateway, a peer of the second firewall is the second gateway, a peer of the second gateway is the second firewall and the first gateway, and the BGP is configured to advertise a route of the user data center.
6. A VPN implementation method, characterized in that the method is applied to a VPN system, the VPN system comprises a first gateway, a first firewall, a second gateway and a second firewall, wherein the first gateway and the second gateway belong to gateways in the VPN, the first firewall and the second firewall belong to firewalls in the VPN, the first gateway is connected with the second gateway, the first gateway is also connected with the first firewall, and the second gateway is also connected with the second firewall; an Internet Protocol Security (IPSec) connection is established between the first firewall and a far-end firewall and between the second firewall and the far-end firewall; the far-end firewall belongs to firewalls in the user data center; if the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, the method includes:
the second gateway forwards the received first service from the VPN to the first gateway;
the first gateway forwards the received second traffic from the VPN and the first traffic from the second gateway to the first firewall;
the first firewall sends the traffic from the first gateway to the far-end firewall through IPSec between the first firewall and the far-end firewall;
the IPSec between the second firewall and the remote firewall is configured to be enabled when the first firewall fails or the IPSec between the first firewall and the remote firewall fails; when the IPSec between the second firewall and the remote firewall is enabled, the traffic received by the first gateway flows to the second gateway, and the traffic received by the second gateway flows to the second firewall to be forwarded to the remote firewall by the second firewall.
7. The method of claim 6, wherein if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the method further comprises:
the first gateway forwards the received second service from the VPN to the second gateway;
the second gateway forwards the received first traffic from the VPN and the second traffic from the first gateway to the second firewall;
and the second firewall sends the service from the second gateway to the far-end firewall through IPSec between the second firewall and the far-end firewall.
8. The method of claim 7, wherein if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, before the first gateway forwards the received second traffic from the VPN to the second gateway, the method further includes:
the second firewall receives second negotiation information sent by the far-end firewall;
the second firewall sends the route of the user data center to the second gateway according to the second negotiation information, so that the second gateway sends the received service which needs to be sent to the user data center to the second firewall;
the second gateway sends the route of the user data center to the first gateway so that the first gateway sends the received service which needs to be sent to the user data center to the second gateway;
the first gateway deletes the route of the user data center learned from the first firewall.
9. The method of any of claims 6-8, wherein if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail, before the second gateway forwards the received first traffic from the VPN to the first gateway, the method further includes:
the first firewall receives first negotiation information sent by the far-end firewall;
the first firewall sends the route of the user data center to the first gateway according to the first negotiation information, so that the first gateway sends the received service which needs to be sent to the user data center to the first firewall;
and the first gateway sends the route of the user data center to the second gateway so that the second gateway sends the received service which needs to be sent to the user data center to the first gateway.
10. The method according to any one of claims 6 to 8, wherein a Border Gateway Protocol (BGP) is configured on each of the first gateway, the first firewall, the second gateway, and the second firewall, wherein a peer of the first firewall is the first gateway, a peer of the first gateway is the first firewall and the second gateway, a peer of the second firewall is the second gateway, a peer of the second gateway is the second firewall and the first gateway, and the BGP is used for advertising the route of the user data center.
CN201810094297.0A 2018-01-30 2018-01-30 Virtual private network VPN system and implementation method Active CN108322379B (en)

Publications (2)

Publication Number Publication Date
CN108322379A (en) 2018-07-24
CN108322379B (en) 2021-04-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20220207
Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province
Patentee after: Huawei Cloud Computing Technology Co.,Ltd.
Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen
Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd.
TR01 Transfer of patent right
Effective date of registration: 20221207
Address after: 518129 Huawei Headquarters Office Building 101, Wankecheng Community, Bantian Street, Longgang District, Shenzhen, Guangdong
Patentee after: Shenzhen Huawei Cloud Computing Technology Co.,Ltd.
Address before: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province
Patentee before: Huawei Cloud Computing Technology Co.,Ltd.