CN108494744B - IPsec VPN client message processing method and device

Publication number: CN108494744B
Application number: CN201810185764.0A
Authority: CN (China)
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN108494744A
Inventor: 孔伟政
Current Assignee: Hangzhou DPTech Technologies Co Ltd
Original Assignee: Hangzhou DPTech Technologies Co Ltd
Prior art keywords: message, server, data, internal port, negotiation

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272: Virtual private networks
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16: Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/161: Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
    • H04L69/162: Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields involving adaptations of sockets based mechanisms

Abstract

The application provides an IPsec VPN client message processing method in which a first process and a second process are configured. The first process specifies a proxy parameter, then starts the second process and informs it that its control messages will be proxied and forwarded using the specified proxy parameter. After the first process successfully starts the second process, the first process periodically sends a control channel proxy message to the second process through a first internal port. The second process receives the control channel proxy message, establishes a mapping between a locally created Socket related to the local IP and the first internal port, starts negotiation with the server, and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through a second internal port. The first process acquires the security association data synchronized by the second process and, on receiving a data message sent by the server, processes the received data message according to the security association data.

Description

IPsec VPN client message processing method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for processing IPsec VPN client packets.
Background
An IPsec VPN is a VPN technology that uses the IPsec protocol to implement remote access; user identity authentication and establishment of the IPsec VPN tunnel are generally implemented by the IKE protocol. The IKE protocol is usually run by an independent process, and user services are handled by other processes. For convenience, the process running the IKE protocol is called the IKE Server process, and the process responsible for handling user services is called the VPN Client process. The existing flow by which an IPsec VPN client receives and sends messages is roughly as follows: the IKE Server process receives a data message sent by the VPN Server, decrypts it, and forwards it to the VPN Client process through an internal port (such as 4502); the VPN Client process forwards the decrypted data message received through the internal port to the virtual network card, receives the response message returned by the virtual network card, and forwards the response message to the IKE Server process through an internal port (such as 4501); the IKE Server process encapsulates the response message and sends it to the VPN Server. In the prior art, the control messages of the control channel and the data messages of the data channel share the same UDP channel: each data message must be received by the IKE Server process and then forwarded to the VPN Client process, and each response message of the VPN Client process must be forwarded to the server by the IKE Server process. Data messages therefore travel back and forth between the IKE Server process and the VPN Client process, which slows the processing of user data messages.
Disclosure of Invention
In view of this, the present application provides an IPsec VPN client message processing method and apparatus.
Specifically, the application is implemented through the following technical solution:
An IPsec VPN client message processing method, in which a first process and a second process are configured:
the first process specifies a proxy parameter, then starts the second process and informs it that its control messages will be proxied and forwarded using the specified proxy parameter;
after the first process successfully starts the second process, the first process periodically sends a control channel proxy message to the second process through the first internal port;
the second process receives the control channel proxy message, establishes a mapping between a locally created Socket related to the local IP and the first internal port, starts negotiation with the server, and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through the second internal port, the mapping being used to send the control messages generated by the negotiation with the server to the first process;
and the first process acquires the security association data synchronized by the second process and, on receiving a data message sent by the server, processes the received data message according to the security association data.
An IPsec VPN client message processing apparatus, the apparatus comprising:
a configuration unit, configured to configure a first process and a second process, where the first process is used to receive and send user data messages and control messages, and the second process is used to run the IKE protocol;
an informing unit, used for the first process to specify the proxy parameter, then start the second process and inform it that its control messages will be proxied and forwarded using the specified proxy parameter;
a message sending unit, used for the first process to periodically send the control channel proxy message to the second process through the first internal port after the first process successfully starts the second process;
a data synchronization unit, used for the second process to receive the control channel proxy message, establish a mapping between a locally created Socket related to the local IP and the first internal port, start negotiation with the server, and, after the negotiation with the server succeeds, synchronize the security association data generated by the negotiation to the first process through the second internal port, the mapping being used to send the control messages generated by the negotiation with the server to the first process;
and a message processing unit, used for the first process to acquire the security association data synchronized by the second process and, on receiving a data message sent by the server, to process the received data message according to the security association data.
According to the method and the apparatus, the control messages of the second process are proxied and forwarded through the proxy channel, and after the second process successfully negotiates with the server, the first process processes data messages according to the security association data generated by the successful negotiation, so that the data message processing performance of the IPsec VPN client is greatly improved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required in the description of the embodiments will be briefly introduced below, and it is apparent that the drawings in the following description are only some embodiments described in the present application, and other drawings can be obtained by those skilled in the art according to the drawings.
FIG. 1 is a schematic diagram of an application scenario illustrated in an exemplary embodiment of the present application;
FIG. 2 is a flowchart illustrating an implementation of an IPsec VPN client message processing method according to an exemplary embodiment of the present application;
FIG. 3 is a schematic diagram illustrating an IPsec VPN client according to an exemplary embodiment of the present application;
FIG. 4 is a flowchart of a preferred implementation of an IPsec VPN client message processing method according to an exemplary embodiment of the present application;
FIG. 5 is a schematic structural diagram of an IPsec VPN client message processing apparatus according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
First, the IPsec VPN client message processing method provided in an embodiment of the present application is described. The method includes the following steps:
the first process specifies a proxy parameter, then starts the second process and informs it that its control messages will be proxied and forwarded using the specified proxy parameter;
after the first process successfully starts the second process, the first process periodically sends a control channel proxy message to the second process through the first internal port;
the second process receives the control channel proxy message, establishes a mapping between a locally created Socket related to the local IP and the first internal port, starts negotiation with the server, and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through the second internal port, the mapping being used to send the control messages generated by the negotiation with the server to the first process;
and the first process acquires the security association data synchronized by the second process and, on receiving a data message sent by the server, processes the received data message according to the security association data.
FIG. 1 is a schematic diagram of the application scenario. The first process is responsible for receiving and sending all service data (data messages and control messages) and forwards control messages to the second process through an internal port; after processing them, the second process sends the control messages to the first process through the internal port, and the control messages are proxied and forwarded by the first process and sent to a virtual network card for processing.
Specifically, when the IPsec VPN client processes messages, a Socket related to the local IP is created when the first process is started, and this Socket is used to send control messages and data messages to the server. The first process specifies the proxy parameter, then starts the second process and informs it that its control messages will be proxied and forwarded using the specified proxy parameter; that is, the first process reads the source IP used for accessing the destination IP according to the destination IP configured by the user, then starts the second process and informs it that its control messages will be proxied and forwarded using the source IP that was read. After the first process successfully starts the second process, the first process periodically sends the control channel proxy message through the first internal port until it receives the response message returned by the second process. The second process receives the control channel proxy message, establishes a mapping between a locally created Socket related to the local IP and the first internal port, starts negotiation with the server, and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through the second internal port; the mapping is used to send the control messages generated by the negotiation with the server to the first process. The first process acquires the security association data synchronized by the second process and, on receiving a data message sent by the server, processes the received data message according to the security association data. To further explain the present application, the following examples are provided:
FIG. 2 is an implementation flowchart of the IPsec VPN client message processing method of the present application, which may specifically include the following steps:
S101, the first process specifies a proxy parameter, then starts the second process and informs it that its control messages will be proxied and forwarded using the specified proxy parameter;
In an embodiment, the first process reads the source IP to be used for accessing the destination IP according to the destination IP configured by the user, then starts the second process and informs it that its control messages will be proxied and forwarded using the source IP that was read. For example, the local IP address is 1.1.1.1, the VPN server address is 1.1.1.254, and the destination IP configured by the user is the address of the VPN server. The first process reads the source IP 1.1.1.1 to be used for accessing the destination IP 1.1.1.254 according to the destination IP 1.1.1.254 configured by the user, then starts the second process and informs it that its control messages will be proxied and forwarded using the source IP 1.1.1.1 that was read.
The second process starts normally, does not initialize the control channel for the time being, and waits for the control channel proxy message to arrive.
S102, after the first process successfully starts the second process, the first process periodically sends a control channel proxy message to the second process through the first internal port;
In an embodiment, after the first process successfully starts the second process, the first process periodically sends the control channel proxy message to the second process through the first internal port until it receives the response message returned by the second process. FIG. 3 shows an exemplary IPsec VPN client in which a UDP channel is connected to the first process and two internal ports exist between the first process and the second process: the first internal port is 4501 and the second internal port is 4502. After the first process successfully starts the second process, the first process periodically sends the control channel proxy message to the second process through port 4501 (that is, the control messages of the second process are proxied and forwarded through the UDP channel), and stops sending the control channel proxy message to the second process once it receives the response message returned by the second process. The response message returned by the second process is sent to the first process through port 4501.
S103, the second process receives the control channel proxy message, establishes a mapping between a locally created Socket related to the local IP and the first internal port, starts negotiation with the server, and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through the second internal port, the mapping being used to send the control messages generated by the negotiation with the server to the first process;
In an embodiment, the second process receives the control channel proxy message and maps the locally created Socket related to the local IP to the first internal port. For example, with the first internal port 4501 described above, a mapping is established between the locally created Socket 1.1.1.1:502 related to the local IP (1.1.1.1) and the first internal port 4501. The purpose of the mapping is that control messages sent to the Socket are delivered through the mapping to the first process, which proxies and forwards them. The mapping is established as follows:
1.1.1.1:502 <--> 127.0.0.1:4501
The second process then initiates a negotiation (security association negotiation) with the server, such as the VPN server (1.1.1.254). A security association is an agreement established by both parties that determines information such as the protocol, transcoding method, key, and key validity period used to protect the packets. After the negotiation with the server succeeds, the security association data generated by the negotiation is synchronized to the first process through the second internal port. The security association data includes, but is not limited to, an encryption key, a decryption key, an encryption algorithm and an authentication algorithm, that is, the data required for outer header encapsulation.
S104, the first process acquires the security association data synchronized by the second process and, on receiving a data message sent by the server, processes the received data message according to the security association data.
In an embodiment, the first process acquires the security association data synchronized by the second process, obtaining the above-mentioned encryption key, decryption key, encryption algorithm and authentication algorithm, that is, the data required for outer header encapsulation. On receiving a data message sent by the server, the first process decrypts and authenticates it according to the decryption key and the authentication algorithm in the security association data and sends the decrypted and authenticated data message to the virtual network card. On receiving a response message returned by the virtual network card, the first process adds an ESP label to the response message, encapsulates it, and sends it to the server. ESP is an encapsulation protocol that provides encryption and authentication for intranet data packets in the VPN tunnel and specifies the encapsulation format of the data packets.
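Steps S102 to S104 as an added example (not code from the patent or from any product of the assignee): the first process repeats the control channel proxy message until it is answered, installs the security association data synced by the second process, and only then lets authenticated data messages through to the virtual network card. Assumptions: POSIX socketpairs stand in for internal ports 4501 and 4502, the message literals, the JSON layout of the SA data and the SA values are constructed, the IKE negotiation itself is not simulated, and the SA uses NULL encryption with HMAC-SHA-256-128 and a simplified replay check.

```python
import hashlib
import hmac
import json
import os
import socket
import struct
import threading

ICV_LEN = 16  # HMAC-SHA-256-128 keeps the first 128 bits of the tag (RFC 4868)


def esp_seal(sa, seq, inner):
    """SPI | seq | payload | pad-len=0 | next-header=4 | ICV, NULL encryption."""
    body = struct.pack("!II", sa["spi"], seq) + inner + bytes([0, 4])
    tag = hmac.new(bytes.fromhex(sa["auth_key"]), body, hashlib.sha256).digest()
    return body + tag[:ICV_LEN]


class FirstProcess:
    """Owns the data path; holds whatever SA data the second process synced."""

    def __init__(self, ctrl, sa_chan):
        self.ctrl, self.sa_chan = ctrl, sa_chan
        self.sa, self.last_seq = None, 0

    def start_control_proxy(self, interval=0.05, max_tries=100):
        """S102: resend the control channel proxy message until answered."""
        self.ctrl.settimeout(interval)
        for attempt in range(1, max_tries + 1):
            self.ctrl.send(b"CTRL_PROXY")
            try:
                if self.ctrl.recv(64) == b"CTRL_PROXY_ACK":
                    return attempt
            except socket.timeout:
                continue
        raise TimeoutError("second process never answered")

    def receive_sa(self, timeout=5.0):
        """S104: install the synced SA data, replacing any earlier SA."""
        self.sa_chan.settimeout(timeout)
        self.sa, self.last_seq = json.loads(self.sa_chan.recv(4096)), 0

    def handle_data(self, pkt):
        """Authenticate a data message before it may reach the virtual NIC."""
        if self.sa is None or len(pkt) < 8 + 2 + ICV_LEN:
            return ("drop", "no SA or short packet")
        spi, seq = struct.unpack("!II", pkt[:8])
        if spi != self.sa["spi"]:
            return ("drop", "unknown SPI")
        body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
        key = bytes.fromhex(self.sa["auth_key"])
        want = hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]
        if not hmac.compare_digest(icv, want):
            return ("drop", "bad ICV")
        if seq <= self.last_seq:  # simplified; RFC 4303 uses a sliding window
            return ("drop", "replayed sequence number")
        self.last_seq = seq
        return ("to_virtual_nic", body[8:-2])  # strip header and 2-byte trailer


def second_process(ctrl, sa_chan, sa, ignore_first=2):
    """S103: answer the proxy message, then sync the negotiated SA data."""
    seen = 0
    while seen <= ignore_first:  # constructed loss: early messages go unanswered
        if ctrl.recv(64) == b"CTRL_PROXY":
            seen += 1
    ctrl.send(b"CTRL_PROXY_ACK")
    # IKE negotiation with the server would run here, proxied by the first process.
    sa_chan.send(json.dumps(sa).encode())


def run_exchange():
    ctrl_a, ctrl_b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    sa_a, sa_b = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    # Constructed SA data standing in for the result of a real negotiation.
    sa = {"spi": 0x1001, "enc_alg": "NULL", "auth_alg": "HMAC-SHA-256-128",
          "auth_key": os.urandom(32).hex()}
    worker = threading.Thread(target=second_process, args=(ctrl_b, sa_b, sa),
                              daemon=True)
    worker.start()
    first = FirstProcess(ctrl_a, sa_a)
    early = first.handle_data(esp_seal(sa, 1, b"too-early"))  # no SA synced yet
    attempts = first.start_control_proxy()
    first.receive_sa()
    worker.join()
    good = esp_seal(sa, 1, b"inner-ip-packet")
    forged = good[:-1] + bytes([good[-1] ^ 0x01])
    result = {"attempts": attempts, "early": early[1],
              "good": first.handle_data(good),
              "forged": first.handle_data(forged)[1],
              "replay": first.handle_data(good)[1]}
    for s in (ctrl_a, ctrl_b, sa_a, sa_b):
        s.close()
    return result


if __name__ == "__main__":
    print(run_exchange())
```

In a real client the second internal channel carries key material between two local processes, so it belongs on loopback or a private IPC endpoint and should accept SA data only from the second process.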
FIG. 4 shows another preferred embodiment of the present application, which adds the following steps:
S105, when the first process is started, the Socket related to the local IP is created and is used for sending control messages and data messages to the server;
In an embodiment, a UDP Socket associated with the local IP is created when the first process is started and is used to send control messages and data messages to the server. For example, the Socket created is 1.1.1.1:500; through this Socket, the data messages returned by the virtual network card can be sent to the server, and the control messages processed by the second process can also be sent to the server.
S106, after the second process successfully negotiates with the server, a message for updating the security association is sent.
In an embodiment, successful negotiation between the second process and the server, that is, successful negotiation of the Security Association (SA) between the second process and the server, means that the IPsec SA has been established and that the currently established IPsec SA must be used; a message for updating the security association therefore needs to be sent, and the previously established IPsec SA is discarded.
In this method, the control messages of the second process are proxied and forwarded through the proxy channel. After the second process successfully negotiates with the server, the second process synchronizes the security association data generated by the negotiation to the first process, and the first process processes data messages according to that security association data. The first process can therefore process data messages directly, which greatly improves the data message processing performance of the IPsec VPN client and increases the processing speed of user data messages.
Those of ordinary skill in the art will understand that: all or part of the steps for realizing the method embodiments can be completed by hardware related to program instructions, the program can be stored in a computer readable storage medium, and the program executes the steps comprising the method embodiments when executed; and the aforementioned storage medium includes: various media that can store program codes, such as ROM, RAM, magnetic or optical disks.
Corresponding to the foregoing embodiments of the IPsec VPN client message processing method, the present application also provides an embodiment of an IPsec VPN client message processing apparatus which, as shown in FIG. 5, includes a configuration unit 200, an informing unit 210, a message sending unit 220, a data synchronization unit 230, and a message processing unit 240.
The configuration unit 200 is configured to configure a first process and a second process, where the first process is used to receive and send user data messages and control messages, and the second process is used to run the IKE protocol;
the informing unit 210 is used for the first process to specify the proxy parameter, then start the second process and inform it that its control messages will be proxied and forwarded using the specified proxy parameter;
the message sending unit 220 is used for the first process to periodically send a control channel proxy message to the second process through the first internal port after the first process successfully starts the second process;
the data synchronization unit 230 is used for the second process to receive the control channel proxy message, establish a mapping between a locally created Socket related to the local IP and the first internal port, start negotiation with the server, and, after the negotiation with the server succeeds, synchronize the security association data generated by the negotiation to the first process through the second internal port, the mapping being used to send the control messages generated by the negotiation with the server to the first process;
the message processing unit 240 is used for the first process to acquire the security association data synchronized by the second process and, on receiving a data message sent by the server, to process the received data message according to the security association data.
In a specific embodiment of the present application, the informing unit 210 is specifically configured so that:
the first process reads the source IP used for accessing the destination IP according to the destination IP configured by the user, starts the second process, and informs it that its control messages will be proxied and forwarded using the source IP that was read.
In a specific embodiment of the present application, the message sending unit 220 is specifically configured so that:
after the first process successfully starts the second process, the first process periodically sends the control channel proxy message through the first internal port until it receives the response message returned by the second process.
In one embodiment of the present application, the apparatus further comprises a Socket creating unit 250 and an update message sending unit 260.
The Socket creating unit 250 is configured to create the Socket related to the local IP when the first process is started, the Socket being used for sending control messages and data messages to the server.
The update message sending unit 260 is configured to send a message for updating the security association after the second process successfully negotiates with the server.
The implementation process of the functions of each unit in the system is specifically described in the implementation process of the corresponding step in the method, and is not described herein again.
For the system embodiment, since it basically corresponds to the method embodiment, reference may be made to the partial description of the method embodiment for relevant points. The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The invention may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The invention may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The foregoing is directed to embodiments of the present invention, and it is understood that various modifications and improvements can be made by those skilled in the art without departing from the spirit of the invention.

Claims (10)

1. An IPsec VPN client message processing method, characterized in that a first process and a second process are configured, the first process being used for receiving and sending user data messages and control messages, and the second process being used for running the IKE protocol:
the first process specifies a proxy parameter and then starts the second process, informing the second process that its control messages are forwarded by proxy using the specified proxy parameter;
after the first process successfully starts the second process, the first process periodically sends a control channel proxy message to the second process through the first internal port;
the second process receives the control channel proxy message and establishes a mapping between a locally created Socket associated with the local IP and the first internal port, wherein the mapping is used for sending control messages generated by negotiation with the server to the first process, so that the first process sends the control messages to the server on behalf of the second process;
the second process negotiates with the server through the first process and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through a second internal port;
and the first process obtains the security association data synchronized by the second process and, upon receiving a data message sent by the server, processes the received data message according to the security association data.
2. The method of claim 1, further comprising:
when the first process is started, creating the Socket associated with the local IP, and sending control messages and data messages to the server.
3. The method according to claim 1, wherein the first process specifying the proxy parameter and then starting the second process, informing the second process that its control messages are forwarded by proxy using the specified proxy parameter, comprises:
the first process reads, according to the target IP configured by the user, the source IP used for accessing the target IP, starts the second process, and informs the second process that its control messages are forwarded by proxy using the read source IP.
4. The method of claim 1, wherein the first process periodically sending the control channel proxy message to the second process through the first internal port after successfully starting the second process comprises:
after the first process successfully starts the second process, the first process periodically sends the control channel proxy message through the first internal port until it receives the response message returned by the second process.
5. The method according to any one of claims 1 to 4, further comprising:
after the second process successfully negotiates with the server, sending a message for updating the security association.
6. An IPsec VPN client message processing apparatus, the apparatus comprising:
a configuration unit, used for configuring a first process and a second process, wherein the first process is used for receiving and sending user data messages and control messages, and the second process is used for running the IKE protocol;
a notification unit, used for the first process to specify a proxy parameter and then start the second process, informing the second process that its control messages are forwarded by proxy using the specified proxy parameter;
a message sending unit, used for the first process to periodically send a control channel proxy message to the second process through the first internal port after the first process successfully starts the second process;
a data synchronization unit, used for the second process to receive the control channel proxy message and establish a mapping between a locally created Socket associated with the local IP and the first internal port, wherein the mapping is used for sending control messages generated by negotiation with the server to the first process, so that the first process sends the control messages to the server on behalf of the second process; the second process negotiates with the server through the first process and, after the negotiation with the server succeeds, synchronizes the security association data generated by the negotiation to the first process through a second internal port;
and a message processing unit, used for the first process to obtain the security association data synchronized by the second process and, upon receiving a data message sent by the server, to process the received data message according to the security association data.
7. The apparatus of claim 6, further comprising:
a Socket creating unit, used for creating the Socket associated with the local IP when the first process is started, and sending control messages and data messages to the server.
8. The apparatus according to claim 6, wherein the notification unit is specifically configured such that:
the first process reads, according to the target IP configured by the user, the source IP used for accessing the target IP, starts the second process, and informs the second process that its control messages are forwarded by proxy using the read source IP.
9. The apparatus according to claim 6, wherein the message sending unit is specifically configured such that:
after the first process successfully starts the second process, the first process periodically sends the control channel proxy message through the first internal port until it receives the response message returned by the second process.
10. The apparatus of any one of claims 6 to 9, further comprising:
an update message sending unit, used for sending a message for updating the security association after the second process successfully negotiates with the server.
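The message flow of claims 1 and 4, as an added sketch that is not part of the patent text: two loopback UDP endpoints stand in for the two processes, and a thread stands in for the second process. The message names, the JSON encoding of the security association data, the retry interval and the peer-address check are all assumptions made for illustration.

```python
import json
import socket
import threading

LOOPBACK = "127.0.0.1"

def udp():
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((LOOPBACK, 0))          # ephemeral, loopback-only internal port
    s.settimeout(2.0)
    return s

def second_process(sock, sa_addr, drop_first):
    """IKE side: miss early registrations, then map, ack, negotiate, sync."""
    for _ in range(drop_first):                 # simulates "not ready yet"
        sock.recvfrom(2048)
    _, proxy_addr = sock.recvfrom(2048)         # mapping: socket -> first internal port
    sock.sendto(b"PROXY_ACK", proxy_addr)       # response that stops the resend timer
    sock.sendto(b"IKE:constructed-negotiation-message", proxy_addr)
    sa = {"spi": 4097, "protocol": "esp"}       # constructed SA data, no key material
    sock.sendto(json.dumps(sa).encode(), sa_addr)   # sync via second internal port

def first_process(drop_first=2, interval=0.05, max_tries=20):
    """Data/control side: register periodically until acked, relay, install SA."""
    port1, port2, ike = udp(), udp(), udp()
    port1.settimeout(interval)
    peer = ike.getsockname()
    t = threading.Thread(target=second_process,
                         args=(ike, port2.getsockname(), drop_first))
    t.start()
    tries = 0
    while tries < max_tries:                    # claim 4: resend until a response
        port1.sendto(b"CTRL_PROXY", peer)
        tries += 1
        try:
            msg, src = port1.recvfrom(2048)
        except socket.timeout:
            continue
        if src == peer and msg == b"PROXY_ACK":
            break
    port1.settimeout(2.0)
    relayed, _ = port1.recvfrom(2048)           # would be forwarded to the VPN server
    raw, src = port2.recvfrom(2048)
    sa = json.loads(raw) if src == peer else None   # assumed check: known peer only
    t.join()
    for s in (port1, port2, ike):
        s.close()
    return tries, relayed, sa
```

`first_process()` returns the number of registration attempts, the control message it would relay to the server, and the security association data it accepted on the second internal port.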

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810185764.0A CN108494744B (en) 2018-03-07 2018-03-07 IPsec VPN client message processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201810185764.0A CN108494744B (en) 2018-03-07 2018-03-07 IPsec VPN client message processing method and device

Publications (2)

Publication Number Publication Date
CN108494744A CN108494744A (en) 2018-09-04
CN108494744B true CN108494744B (en) 2021-08-24

Family

ID=63341766

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810185764.0A Active CN108494744B (en) 2018-03-07 2018-03-07 IPsec VPN client message processing method and device

Country Status (1)

Country Link
CN (1) CN108494744B (en)

Also Published As

Publication number Publication date
CN108494744A (en) 2018-09-04

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant