Disclosure of Invention
The embodiment of the invention discloses a Virtual Private Network (VPN) system and an implementation method thereof, which can improve the stability of traffic transmission between a customer data center and a VPN.
The first aspect of the embodiment of the invention discloses a Virtual Private Network (VPN) system, which comprises a first gateway, a first firewall, a second gateway and a second firewall, wherein the first gateway and the second gateway are gateways in the VPN, the first firewall and the second firewall are firewalls in the VPN, the first gateway is connected with the second gateway, the first gateway is also connected with the first firewall, and the second gateway is also connected with the second firewall; an Internet Protocol Security (IPSec) connection is established between the first firewall and a far-end firewall, and another IPSec connection is established between the second firewall and the far-end firewall; the far-end firewall is a firewall in the customer data center; if the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, the following features exist:
the second gateway is used for forwarding the received first traffic from the VPN to the first gateway;
the first gateway is used for forwarding the received second traffic from the VPN and the first traffic from the second gateway to the first firewall;
the first firewall is used for sending the traffic from the first gateway to the far-end firewall through the IPSec between the first firewall and the far-end firewall;
the IPSec between the second firewall and the far-end firewall is enabled when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails.
In the system, an IPSec between the first firewall and the far-end firewall and an IPSec between the second firewall and the far-end firewall are established. When the first firewall has not failed and the IPSec between the first firewall and the far-end firewall has not failed, the traffic received by the second gateway flows to the first gateway, the traffic received by the first gateway flows to the first firewall, and the first firewall finally forwards the traffic to the far-end firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the traffic received by the first gateway flows to the second gateway, the traffic received by the second gateway flows to the second firewall, and the second firewall finally forwards the traffic to the far-end firewall. Backup of the IPSec between the customer data center and the VPN is thereby realized, and the stability of traffic transmission between the customer data center and the VPN is improved.
With reference to the first aspect, in a first possible implementation manner of the first aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the following features exist:
the first gateway is used for forwarding the received second traffic from the VPN to the second gateway;
the second gateway is used for forwarding the received first traffic from the VPN and the second traffic from the first gateway to the second firewall;
and the second firewall is used for sending the traffic from the second gateway to the far-end firewall through the IPSec between the second firewall and the far-end firewall.
With reference to the first aspect, or any one of the foregoing possible implementation manners of the first aspect, in a second possible implementation manner of the first aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, there are the following further features:
before the first gateway forwards the received second traffic from the VPN to the second gateway, the second firewall is used for receiving second negotiation information sent by the far-end firewall;
the second firewall is configured to send the route of the customer data center to the second gateway according to the second negotiation information, so that the second gateway sends received traffic that needs to be sent to the customer data center to the second firewall;
the second gateway is used for sending the route of the customer data center to the first gateway, so that the first gateway sends received traffic that needs to be sent to the customer data center to the second gateway;
the first gateway is used for deleting the route of the customer data center learned from the first firewall.
With reference to the first aspect, or any one of the foregoing possible implementation manners of the first aspect, in a third possible implementation manner of the first aspect, if the first firewall does not fail and the IPSec between the first firewall and the remote firewall does not fail, there are the following further features:
the first firewall is used for receiving first negotiation information sent by the far-end firewall before the second gateway forwards the received first traffic from the VPN to the first gateway;
the first firewall is configured to send the route of the customer data center to the first gateway according to the first negotiation information, so that the first gateway sends received traffic that needs to be sent to the customer data center to the first firewall;
the first gateway is configured to send the route of the customer data center to the second gateway, so that the second gateway sends received traffic that needs to be sent to the customer data center to the first gateway.
With reference to the first aspect or any one of the foregoing possible implementation manners of the first aspect, in a fourth possible implementation manner of the first aspect, the Border Gateway Protocol (BGP) is configured on each of the first gateway, the first firewall, the second gateway, and the second firewall; the peer of the first firewall is the first gateway, the peers of the first gateway are the first firewall and the second gateway, the peer of the second firewall is the second gateway, the peers of the second gateway are the second firewall and the first gateway, and BGP is used to advertise the route of the customer data center.
In a second aspect, an embodiment of the present application provides a method for implementing a virtual private network (VPN), where the method is applied to a VPN system, and the VPN system includes a first gateway, a first firewall, a second gateway, and a second firewall, where the first gateway and the second gateway are gateways in the VPN, the first firewall and the second firewall are firewalls in the VPN, the first gateway is connected to the second gateway, the first gateway is further connected to the first firewall, and the second gateway is further connected to the second firewall; an Internet Protocol Security (IPSec) connection is established between the first firewall and a far-end firewall, and another IPSec connection is established between the second firewall and the far-end firewall; the far-end firewall is a firewall in the customer data center; if the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, the method includes:
the second gateway forwards the received first traffic from the VPN to the first gateway;
the first gateway forwards the received second traffic from the VPN and the first traffic from the second gateway to the first firewall;
the first firewall sends the traffic from the first gateway to the far-end firewall through the IPSec between the first firewall and the far-end firewall;
the IPSec between the second firewall and the far-end firewall is enabled when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails.
In the method, an IPSec between the first firewall and the far-end firewall and an IPSec between the second firewall and the far-end firewall are established. When the first firewall has not failed and the IPSec between the first firewall and the far-end firewall has not failed, the traffic received by the second gateway flows to the first gateway, the traffic received by the first gateway flows to the first firewall, and the first firewall finally forwards the traffic to the far-end firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the traffic received by the first gateway flows to the second gateway, the traffic received by the second gateway flows to the second firewall, and the second firewall finally forwards the traffic to the far-end firewall. Backup of the IPSec between the customer data center and the VPN is thereby realized, and the stability of traffic transmission between the customer data center and the VPN is improved.
With reference to the second aspect, in a first possible implementation manner of the second aspect, if the first firewall fails or the IPSec between the first firewall and the remote firewall fails, the method further includes:
the first gateway forwards the received second traffic from the VPN to the second gateway;
the second gateway forwards the received first traffic from the VPN and the second traffic from the first gateway to the second firewall;
and the second firewall sends the traffic from the second gateway to the far-end firewall through the IPSec between the second firewall and the far-end firewall.
With reference to the second aspect, or any one of the foregoing possible implementation manners of the second aspect, in a second possible implementation manner of the second aspect, if the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, then before the first gateway forwards the received second traffic from the VPN to the second gateway, the method further includes:
the second firewall receives second negotiation information sent by the far-end firewall;
the second firewall sends the route of the customer data center to the second gateway according to the second negotiation information, so that the second gateway sends received traffic that needs to be sent to the customer data center to the second firewall;
the second gateway sends the route of the customer data center to the first gateway, so that the first gateway sends received traffic that needs to be sent to the customer data center to the second gateway;
the first gateway deletes the route of the customer data center learned from the first firewall.
With reference to the second aspect, or any one of the foregoing possible implementation manners of the second aspect, in a third possible implementation manner of the second aspect, if the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, then before the second gateway forwards the received first traffic from the VPN to the first gateway, the method further includes:
the first firewall receives first negotiation information sent by the far-end firewall;
the first firewall sends the route of the customer data center to the first gateway according to the first negotiation information, so that the first gateway sends received traffic that needs to be sent to the customer data center to the first firewall;
and the first gateway sends the route of the customer data center to the second gateway, so that the second gateway sends received traffic that needs to be sent to the customer data center to the first gateway.
With reference to the second aspect, or any one of the foregoing possible implementation manners of the second aspect, in a fourth possible implementation manner of the second aspect, the Border Gateway Protocol (BGP) is configured on each of the first gateway, the first firewall, the second gateway, and the second firewall; the peer of the first firewall is the first gateway, the peers of the first gateway are the first firewall and the second gateway, the peer of the second firewall is the second gateway, the peers of the second gateway are the second firewall and the first gateway, and BGP is configured to advertise the route of the customer data center.
By implementing the embodiment of the invention, an IPSec between the first firewall and the far-end firewall and an IPSec between the second firewall and the far-end firewall are established. When the first firewall has not failed and the IPSec between the first firewall and the far-end firewall has not failed, the traffic received by the second gateway flows to the first gateway, the traffic received by the first gateway flows to the first firewall, and the first firewall finally forwards the traffic to the far-end firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the traffic received by the first gateway flows to the second gateway, the traffic received by the second gateway flows to the second firewall, and the second firewall finally forwards the traffic to the far-end firewall. Backup of the IPSec between the customer data center and the VPN is thereby realized, and the stability of traffic transmission between the customer data center and the VPN is improved.
Detailed Description
The embodiments of the present invention will be described below with reference to the drawings.
Referring to fig. 1, fig. 1 is a schematic structural diagram of a VPN system according to an embodiment of the present invention, where the VPN system includes a first firewall 101, a first gateway 102, a second gateway 103, and a second firewall 104, where the first gateway 102 and the second gateway 103 belong to gateways in a VPN, and the first firewall 101 and the second firewall 104 belong to firewalls in the VPN. In addition, the first firewall 101 establishes one IPSec link with the remote firewall 105 in the customer data center and the second firewall 104 establishes another IPSec link with the remote firewall 105 in the customer data center. The first gateway 102 establishes a communication connection with the first Virtual router 106, the second gateway 103 establishes a communication connection with the second Virtual router 107, both the first Virtual router 106 and the second Virtual router 107 establish a communication connection with a device 108 in the cloud network, the device 108 is configured to send traffic to the first Virtual router 106 and the second Virtual router 107, the device 108 is further configured to receive traffic from the customer data center sent by the first Virtual router 106 and the second Virtual router 107, and one or more Virtual Machines (VMs) may be deployed on the device 108.
Further, the first firewall 101 is connected with the first gateway 102, the first gateway 102 is connected with the second gateway 103, and the second gateway 103 is connected with the second firewall 104. In addition, both the first firewall 101 and the second firewall 104 can import the route of the customer data center (also called a "User Network Route"). Optionally, the Border Gateway Protocol (BGP) is configured on each of the first firewall 101, the first gateway 102, the second gateway 103, and the second firewall 104, so that the first firewall 101 and the first gateway 102, the first gateway 102 and the second gateway 103, and the second gateway 103 and the second firewall 104 can each communicate based on BGP (e.g., route advertisement). For ease of understanding, the BGP parameters configured on each node are as follows.
For the first firewall 101, the number of the autonomous system (AS) in which the first firewall 101 resides is configured as 100, and the peer of the first firewall 101 is configured as the first gateway 102.
For the first gateway 102, the AS number is configured as 200, and the peers of the first gateway 102 are configured as the second gateway 103 and the first firewall 101.
For the second gateway 103, the AS number is configured as 300, and the peers of the second gateway 103 are configured as the first gateway 102 and the second firewall 104.
For the second firewall 104, the AS number is configured as 400, and the peer of the second firewall 104 is configured as the second gateway 103.
The flow of execution of each node in the VPN system is described below in conjunction with fig. 2 to better understand the VPN system.
Referring to fig. 2, fig. 2 illustrates a method for implementing a VPN, which may be implemented based on the architecture shown in fig. 1 and includes the following two stages.
In the first stage: while the first firewall has not failed and the IPSec between the first firewall and the far-end firewall has not failed, the first firewall 101 advertises the route of the customer data center to the first gateway 102 through BGP, and the first gateway 102 advertises it to the second gateway 103 through BGP. For example, if the network segment of the customer data center reachable through the first firewall 101 is 30.1.1.0/24, the Internet Protocol (IP) address of the interface of the first firewall connected to the first gateway is 169.254.194.251, and the IP address of the interface of the first gateway connected to the second gateway is 169.254.192.1, the routing tables of the first firewall, the first gateway, and the second gateway may be as follows:
TABLE 1
Destination/Mask | Proto | Pre | Cost | Flags | NextHop         | Interface
30.1.1.0/24      | Unr   | 60  | 0    | D     | 129.1.1.1       | GigabitEthernet1/0/0
TABLE 2
Destination/Mask | Proto | Pre | Cost | Flags | NextHop         | Interface
30.1.1.0/24      | EBGP  | 60  | 0    | D     | 169.254.194.251 | GigabitEthernet3/0/0
TABLE 3
Destination/Mask | Proto | Pre | Cost | Flags | NextHop         | Interface
30.1.1.0/24      | EBGP  | 60  | 0    | D     | 169.254.192.1   | GigabitEthernet5/0/0
Table 1 illustrates the route on the first firewall, table 2 the route on the first gateway, and table 3 the route on the second gateway. Thus, when the second gateway 103 subsequently identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the first gateway; when the first gateway 102 subsequently identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the first firewall. In the tables, "Destination/Mask" is the destination network and its mask, "Proto" is the protocol type through which the route was learned, "Pre" is the route preference, "Cost" is the route cost, "Flags" is the route flag, "NextHop" is the next hop, and "Interface" is the outbound interface; "Unr" (user network route) and "EBGP" are different protocol types, and "GigabitEthernet1/0/0", "GigabitEthernet3/0/0" and "GigabitEthernet5/0/0" are different interfaces. Similar cases below are not explained one by one.
Specifically, the flow at this stage may include, but is not limited to, steps S201-S206.
Step S201: the first firewall receives first negotiation information sent by the remote firewall.
Specifically, the first firewall negotiates with the remote firewall, and the information generated by negotiation is the first negotiation information. The first firewall can determine that the IPSec between the first firewall and the remote firewall is not faulty according to the first negotiation information, and thus determine that subsequent traffic from the VPN can be sent to the customer data center through the IPSec.
Step S202: the first firewall sends the route of the customer data center to the first gateway.
Specifically, after determining that the subsequent traffic flow from the VPN can be sent to the customer data center through the IPSec according to the first negotiation information, the first firewall sends the route of the customer data center to the first gateway. After learning the route to the client data center, the first gateway can determine that the next hop of the traffic required to be sent to the client data center is the first firewall, so that the received traffic required to be sent to the client data center is sent to the first firewall subsequently.
Step S203: the first gateway sends the route of the customer data center to the second gateway.
Step S204: the second gateway forwards the received first traffic from the VPN to the first gateway.
Specifically, after learning the route of the customer data center, the second gateway can determine that the next hop for traffic that needs to be sent to the customer data center is the first gateway. The first traffic from the VPN received by the second gateway is traffic that needs to be sent to the customer data center, so the second gateway forwards it to the first gateway. The first traffic from the VPN is specifically traffic that the device sends to the second gateway through the second virtual router.
Step S205: the first gateway forwards the received second traffic from the VPN and the first traffic from the second gateway to the first firewall.
Specifically, the second traffic from the VPN is traffic that the device sends to the first gateway through the first virtual router. Since the first traffic and the second traffic both need to be sent to the customer data center, and the next hop on the first gateway for traffic to the customer data center is the first firewall, the first gateway forwards the first traffic and the second traffic to the first firewall.
Step S206: the first firewall sends the traffic from the first gateway to the far-end firewall through the IPSec between the first firewall and the far-end firewall.
Specifically, the traffic from the first gateway includes the first traffic and the second traffic. For ease of understanding, the paths of the second traffic and the first traffic are described separately as follows:
Second traffic: the second traffic leaves the virtual machine and first arrives at the first virtual router (vrouter1). vrouter1 sends the second traffic to the first gateway. At the first gateway the traffic is processed at Layer 3 and forwarded according to the routing table: it matches the routing table entry 30.1.1.0/24 (namely the route of the customer data center) and is therefore sent to the next hop of the first gateway, 169.254.194.251, namely the first firewall. The first firewall performs IPSec encryption and encapsulation on the second traffic and sends it to the far-end firewall through the public network gateway.
First traffic: the first traffic leaves the virtual machine and first arrives at the second virtual router (vrouter2). vrouter2 sends the first traffic to the second gateway. At the second gateway the traffic is processed at Layer 3 and forwarded according to the routing table: it matches the routing table entry 30.1.1.0/24 (namely the route of the customer data center) and is therefore sent to the next hop of the second gateway, 169.254.192.1, namely the first gateway. At the first gateway the entry 30.1.1.0/24 is matched again, and the first traffic is sent to the next hop of the first gateway, 169.254.194.251, namely the first firewall, which performs IPSec encryption and encapsulation on the first traffic and sends it to the far-end firewall through the public network gateway.
For the first stage, the direction indicated by the solid arrow in fig. 3 illustrates the transmission process of the traffic from the VPN to the customer data center, and the direction indicated by the dotted arrow in fig. 3 illustrates the transmission process of the traffic from the customer data center to the VPN.
In the second stage: when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the second firewall 104 advertises the route of the customer data center to the second gateway 103 through BGP, and the second gateway 103 advertises it to the first gateway 102 through BGP. For example, if the network segment of the customer data center reachable through the second firewall 104 is also 30.1.1.0/24, the IP address of the interface of the second firewall connected to the second gateway is 169.254.194.231, and the IP address of the interface of the second gateway connected to the first gateway is 169.254.193.1, the routing tables of the second firewall, the first gateway, and the second gateway may be as follows:
TABLE 4
Destination/Mask | Proto | Pre | Cost | Flags | NextHop         | Interface
30.1.1.0/24      | Unr   | 60  | 0    | D     | 130.1.1.1       | GigabitEthernet1/0/0
TABLE 5
Destination/Mask | Proto | Pre | Cost | Flags | NextHop         | Interface
30.1.1.0/24      | EBGP  | 60  | 0    | D     | 169.254.193.1   | GigabitEthernet2/0/0
TABLE 6
Destination/Mask | Proto | Pre | Cost | Flags | NextHop         | Interface
30.1.1.0/24      | EBGP  | 60  | 0    | D     | 169.254.194.231 | GigabitEthernet6/0/0
Table 4 illustrates the route on the second firewall, table 5 the route on the first gateway (whose next hop, 169.254.193.1, is the second gateway), and table 6 the route on the second gateway (whose next hop is the second firewall). Thus, when the first gateway 102 subsequently identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the second gateway; when the second gateway 103 subsequently identifies that traffic from the VPN needs to be sent to the customer data center, it forwards the traffic to the second firewall.
The flow at this stage may include, but is not limited to, steps S207-S213.
Step S207: and the second firewall receives second negotiation information sent by the remote firewall.
Specifically, when the far-end firewall fails to communicate with the first firewall, it can determine that the first firewall has failed or that the IPSec between the first firewall and the far-end firewall has failed, so the far-end firewall negotiates with the second firewall; the information generated in this negotiation is the second negotiation information.
Step S208: the second firewall sends the route of the customer data center to the second gateway.
Specifically, the second firewall can determine, according to the second negotiation information, that subsequent traffic from the VPN can be sent to the customer data center through the IPSec between the second firewall and the far-end firewall. Therefore the second firewall sends the route of the customer data center to the second gateway; after learning the route, the second gateway can determine that the next hop for traffic that needs to be sent to the customer data center is the second firewall, and subsequently sends such traffic to the second firewall.
Step S209: the second gateway sends the route of the customer data center to the first gateway.
Specifically, after the first gateway learns the route to the customer data center, it may determine that the next hop of the traffic that needs to be sent to the customer data center is the second gateway.
Step S210: the first gateway deletes the route of the customer data center learned from the first firewall.
Specifically, according to the route previously learned from the first firewall, the next hop of the first gateway for traffic to the customer data center is the first firewall, which is no longer usable; the first gateway therefore deletes that route, so that only the route learned from the second gateway remains.
Step S211: the first gateway forwards the received second traffic from the VPN to the second gateway.
Specifically, the second traffic from the VPN received by the first gateway is traffic that needs to be sent to the customer data center, so the first gateway forwards it to the second gateway. The second traffic from the VPN is specifically traffic that the device sends to the first gateway through the first virtual router.
Step S212: the second gateway forwards the received first traffic from the VPN and the second traffic from the first gateway to the second firewall.
Specifically, the first traffic from the VPN is traffic that the device sends to the second gateway through the second virtual router. Since the first traffic and the second traffic both need to be sent to the customer data center, and the next hop on the second gateway for traffic to the customer data center is the second firewall, the second gateway forwards the first traffic and the second traffic to the second firewall.
Step S213: the second firewall sends the traffic from the second gateway to the far-end firewall through the IPSec between the second firewall and the far-end firewall.
Specifically, the traffic from the second gateway includes the first traffic and the second traffic. For ease of understanding, the paths of the first traffic and the second traffic are described separately as follows:
First traffic: the first traffic leaves the virtual machine and first arrives at the second virtual router (vrouter2). vrouter2 sends the first traffic to the second gateway. At the second gateway the traffic is processed at Layer 3 and forwarded according to the routing table: it matches the routing table entry 30.1.1.0/24 (namely the route of the customer data center) and is therefore sent to the next hop of the second gateway, 169.254.194.231, namely the second firewall. The second firewall performs IPSec encryption and encapsulation on the first traffic and sends it to the far-end firewall through the public network gateway.
Second traffic: the second traffic leaves the virtual machine and first arrives at the first virtual router (vrouter1). vrouter1 sends the second traffic to the first gateway. At the first gateway the traffic is processed at Layer 3 and forwarded according to the routing table: it matches the routing table entry 30.1.1.0/24 (namely the route of the customer data center) and is therefore sent to the next hop of the first gateway, 169.254.193.1, namely the second gateway. At the second gateway the entry 30.1.1.0/24 is matched again, and the second traffic is sent to the next hop of the second gateway, 169.254.194.231, namely the second firewall, which performs IPSec encryption and encapsulation on the second traffic and sends it to the far-end firewall through the public network gateway.
For the second stage, the direction indicated by the solid arrow in fig. 4 illustrates the transmission process of the traffic from the VPN to the customer data center, and the direction indicated by the dotted arrow in fig. 4 illustrates the transmission process of the traffic from the customer data center to the VPN.
It can be understood from the above description of the first and second stages that the first firewall has a higher priority than the second firewall: when the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, the far-end firewall triggers the flow described in the first stage; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the far-end firewall triggers the flow described in the second stage. Whether the first firewall has failed and whether the IPSec between the first firewall and the far-end firewall has failed can be detected by the far-end firewall 105.
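The route propagation and failover of steps S201 to S213, together with the BGP peering of fig. 1, as an added example in Python. This is not code from the patent or from any product: the node names, the AS numbers 100/200/300/400, the customer data center route 30.1.1.0/24, the tunnel next hops 129.1.1.1/130.1.1.1 and the link addresses 169.254.194.251, 169.254.192.1, 169.254.193.1 and 169.254.194.231 are taken from the description above, while the two gateway-side link addresses, the message handling, the AS-path loop check and the best-route choice are assumptions of this model.

```python
import ipaddress
from dataclasses import dataclass

# Customer data center prefix from tables 1 to 6 of the description.
DC_PREFIX = ipaddress.ip_network("30.1.1.0/24")


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str        # advertising peer's address on the shared link, or the tunnel next hop
    as_path: tuple       # AS numbers traversed so far; used for eBGP loop detection
    learned_from: str    # advertising node, so that its routes can be withdrawn later


class Node:
    """A gateway or firewall speaking eBGP with its directly connected peers (assumed model)."""

    def __init__(self, name, asn):
        self.name, self.asn = name, asn
        self.links = {}   # peer Node -> (my address on the link, peer's address on the link)
        self.rib = []     # installed routes

    def link(self, peer, my_addr, peer_addr):
        self.links[peer] = (my_addr, peer_addr)
        peer.links[self] = (peer_addr, my_addr)

    def best(self, prefix):
        cands = [r for r in self.rib if r.prefix == prefix]
        return min(cands, key=lambda r: len(r.as_path)) if cands else None

    def _announce(self, prefix):
        """Send our best route for prefix (or a withdrawal) to every peer, prepending our AS."""
        best = self.best(prefix)
        for peer, (my_addr, _) in list(self.links.items()):
            if best is None:
                peer.withdraw(prefix, self.name)
            else:
                peer.receive(Route(prefix, my_addr, (self.asn,) + best.as_path, self.name))

    def receive(self, route):
        if self.asn in route.as_path:          # eBGP loop detection: our AS is already in the path
            return
        old = self.best(route.prefix)
        self.rib = [r for r in self.rib
                    if not (r.prefix == route.prefix and r.learned_from == route.learned_from)]
        self.rib.append(route)
        if self.best(route.prefix) != old:     # best route changed: tell the peers
            self._announce(route.prefix)

    def withdraw(self, prefix, from_node):
        old = self.best(prefix)
        self.rib = [r for r in self.rib if not (r.prefix == prefix and r.learned_from == from_node)]
        if self.best(prefix) != old:
            self._announce(prefix)

    def session_down(self, peer):
        """BGP session to peer lost (e.g. the peer device failed): drop the link and delete
        every route learned from it, as the first gateway does in step S210."""
        del self.links[peer]
        del peer.links[self]
        for prefix in {r.prefix for r in self.rib if r.learned_from == peer.name}:
            self.withdraw(prefix, peer.name)


class Firewall(Node):
    """Originates the customer data center route only while its IPSec tunnel is negotiated."""

    def __init__(self, name, asn, tunnel_next_hop):
        super().__init__(name, asn)
        self.tunnel_next_hop, self.tunnel_up = tunnel_next_hop, False

    def ipsec_negotiated(self):   # steps S201 / S207: negotiation with the far-end firewall succeeded
        self.tunnel_up = True
        self.receive(Route(DC_PREFIX, self.tunnel_next_hop, (), "local"))

    def ipsec_failed(self):       # tunnel down while the firewall itself is still alive
        self.tunnel_up = False
        self.withdraw(DC_PREFIX, "local")


def trace(node, dst):
    """Hop-by-hop path of a packet to dst, doing a longest-prefix-match lookup at every node."""
    path = [node.name]
    while True:
        cands = [r for r in node.rib if ipaddress.ip_address(dst) in r.prefix]
        if not cands:
            return path + ["DROP: no route"]
        r = min(cands, key=lambda r: (-r.prefix.prefixlen, len(r.as_path)))
        if r.learned_from == "local":    # reached a firewall with its tunnel up: encrypt and send
            return path + ["IPsec->far-end firewall"]
        node = next(p for p, (_, peer_addr) in node.links.items() if peer_addr == r.next_hop)
        path.append(node.name)


def build():
    """Topology of fig. 1 with the AS numbers and link addresses from the description."""
    fw1 = Firewall("first firewall", 100, "129.1.1.1")     # tunnel next hop from table 1
    gw1 = Node("first gateway", 200)
    gw2 = Node("second gateway", 300)
    fw2 = Firewall("second firewall", 400, "130.1.1.1")    # tunnel next hop from table 4
    fw1.link(gw1, "169.254.194.251", "169.254.194.252")    # gateway-side address is an assumption
    gw1.link(gw2, "169.254.192.1", "169.254.193.1")
    gw2.link(fw2, "169.254.194.232", "169.254.194.231")    # gateway-side address is an assumption
    return fw1, gw1, gw2, fw2


if __name__ == "__main__":
    fw1, gw1, gw2, fw2 = build()
    fw1.ipsec_negotiated()                 # first stage
    print("stage 1:", " -> ".join(trace(gw2, "30.1.1.10")))
    gw1.session_down(fw1)                  # first firewall fails ...
    fw2.ipsec_negotiated()                 # ... and the far-end firewall negotiates with the second firewall
    print("stage 2:", " -> ".join(trace(gw1, "30.1.1.10")))
```

The model reproduces the point the description relies on: the second firewall originates the route only once the far-end firewall has negotiated with it. If both firewalls advertised the route at the same time, each gateway would hold two routes and would have to rank them (this model ranks by AS-path length, which would make each gateway prefer its directly connected firewall rather than the first firewall), so keeping the second IPSec idle until failover is what gives the first firewall its priority.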
The first and second stages describe a processing flow when traffic in the VPN is sent to the customer data center, and the following briefly describes the processing flow when traffic in the customer data center is sent to the VPN.
1. Two routes to the VPN need to be configured on the far-end firewall with different priorities, so that route backup is realized. The route with the higher priority is the main route and the route with the lower priority is the standby route; the tunnel egress interface of the main route leads to the first firewall, and the tunnel egress interface of the standby route leads to the second firewall.
2. The main route is bound to a link-reachability detection tool (e.g., PING or IP-Link) that monitors the link status of the main route. Traffic from the customer data center to the VPN is transmitted over the main route by default; when the link of the main route fails, the far-end firewall enables the standby route to transmit the traffic from the customer data center to the VPN, thereby ensuring the stability of traffic transmission from the customer data center to the VPN.
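The far-end firewall side described in points 1 and 2 above, as an added Python example (not code from the patent or from any firewall product): two static routes to the VPN with different preferences, the main route bound to a link-reachability check. The preference values, the tunnel names, the VPN-side prefix and the probe thresholds are assumptions, and the probe itself is replaced by a constructed sequence of results.

```python
from dataclasses import dataclass
from typing import Optional


class LinkTrack:
    """Debounced reachability state for a tracked route: the link is declared down only after
    `down_after` consecutive probe failures and up again only after `up_after` consecutive
    successes, so that a single lost probe does not flip traffic between the two tunnels."""

    def __init__(self, down_after=3, up_after=2):      # thresholds are assumptions
        self.down_after, self.up_after = down_after, up_after
        self.up, self.fails, self.oks = True, 0, 0

    def observe(self, reachable):
        if reachable:
            self.oks, self.fails = self.oks + 1, 0
            if not self.up and self.oks >= self.up_after:
                self.up = True
        else:
            self.fails, self.oks = self.fails + 1, 0
            if self.up and self.fails >= self.down_after:
                self.up = False
        return self.up


@dataclass
class StaticRoute:
    name: str
    preference: int               # lower value = higher priority, i.e. the main route
    tunnel: str                   # tunnel interface whose far end is the first or second firewall
    track: Optional[LinkTrack]    # None for the standby route, which is not probed


class FarEndFirewall:
    """Two static routes to the VPN with different preferences; the main route is tracked."""

    def __init__(self, vpn_prefix="192.168.0.0/16"):    # VPN-side prefix is an assumption
        self.vpn_prefix = vpn_prefix
        self.routes = [
            StaticRoute("main", 60, "Tunnel0 (to first firewall)", LinkTrack()),
            StaticRoute("standby", 70, "Tunnel1 (to second firewall)", None),
        ]

    def active_route(self):
        usable = [r for r in self.routes if r.track is None or r.track.up]
        return min(usable, key=lambda r: r.preference)   # standby is always usable, so never None

    def probe_result(self, reachable):
        """Feed one probe result (one PING / IP-Link style check) for the main route's link
        and return the name of the route traffic to the VPN now uses."""
        for r in self.routes:
            if r.track is not None:
                r.track.observe(reachable)
        return self.active_route().name


def simulate(probe_results):
    """Route in use after each probe result, for a constructed sequence of results."""
    fw = FarEndFirewall()
    return [fw.probe_result(ok) for ok in probe_results]


if __name__ == "__main__":
    # constructed sequence: link healthy, three lost probes, then recovery
    results = [True, False, False, False, True, True]
    for ok, route in zip(results, simulate(results)):
        print(f"probe {'ok  ' if ok else 'lost'} -> {route}")
```

The thresholds are the practical caveat: a tracker that switched on the first lost probe would move traffic to the second firewall on any transient loss, and with IPSec that also means the second tunnel must already be negotiated when the switch happens. The model switches back to the main route once its link is reachable again; whether to preempt in that way is a deployment choice the description leaves open.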
In the method described in fig. 2, an IPSec between the first firewall and the far-end firewall and an IPSec between the second firewall and the far-end firewall are established. When the first firewall does not fail and the IPSec between the first firewall and the far-end firewall does not fail, the traffic received by the second gateway flows to the first gateway, the traffic received by the first gateway flows to the first firewall, and the first firewall finally forwards the traffic to the far-end firewall; when the first firewall fails or the IPSec between the first firewall and the far-end firewall fails, the traffic received by the first gateway flows to the second gateway, the traffic received by the second gateway flows to the second firewall, and the second firewall finally forwards the traffic to the far-end firewall. Backup of the IPSec between the customer data center and the VPN is thereby realized, and the stability of traffic transmission between the customer data center and the VPN is improved.
One of ordinary skill in the art will appreciate that all or part of the processes in the methods of the above embodiments may be implemented by a computer program instructing related hardware; the program may be stored in a computer-readable storage medium and, when executed, may include the processes of the above method embodiments. The storage medium includes various media capable of storing program code, such as ROM, RAM, magnetic disks or optical disks.