CN109743316B - Data transmission method, exit router, firewall and double firewall systems - Google Patents

Data transmission method, exit router, firewall and double firewall systems

Publication number: CN109743316B
Authority: CN (China)
Prior art keywords: router, firewall, firewalls, ipsec virtual, ipsec
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201811643288.9A
Other languages: Chinese (zh)
Other versions: CN109743316A (en)
Inventors: 王东, 张晖, 陈静, 林晨, 王延军, 伍军
Current Assignee: China United Network Communications Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: China United Network Communications Group Co Ltd
Priority date, filing date and publication date: as recorded by the patent office (the priority date is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed).

Events:
Application filed by China United Network Communications Group Co Ltd
Priority to CN201811643288.9A
Publication of CN109743316A
Application granted
Publication of CN109743316B
Legal status: Active (current)
Anticipated expiration

Abstract

The invention provides a data transmission method, an exit router, a firewall and a double firewall system, wherein the exit router in the double firewall system is used for acquiring the link state of IPSEC virtual tunnels corresponding to the two firewalls; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. The method of the invention enables two firewalls to process IPSEC VPN service flow in a load way through the load sharing of the double active modes of the double firewall systems, improves the data transmission speed, avoids the waste of resources, has higher reliability and stability, does not need to arrange two firewalls on opposite-end equipment, and avoids the increase of cost and the waste of address resources.

Description

Data transmission method, exit router, firewall and double firewall systems
Technical Field
The invention relates to the technical field of communication, in particular to a data transmission method, an outlet router, a firewall and a double firewall system.
Background
A firewall, also known as a protective wall, was invented in 1993 by Check Point founder Gil Shwed and introduced to the Internet (US5606668(A), 1993-12-15). It is a network security system located between an internal network and an external network: an information security system that allows or restricts the passage of transmitted data according to specific rules. Government, transport, public security, telecommunications, finance, energy and other departments all operate intranet information systems, and with the growth of Internet services these enterprise-level intranet systems and networks usually need to establish session connections with public networks. To protect the intranet from network intrusion and network attack, firewalls are widely deployed to isolate the intranet from the public network.
Because public network traffic volume is large, the traditional firewall architecture currently deployed at the public network egress of an enterprise network generally uses two devices in a master/backup arrangement: when the master device fails, the backup device immediately takes over the service, ensuring that traffic that must be forwarded through the device is not interrupted. In the prior art, the two firewalls operate at Layer 3 on their service interfaces, in a load-sharing topology connected to uplink and downlink switches, with dual-device hot standby configured. One firewall is the main firewall, and the IPSEC tunnel is established between the opposite terminal equipment and that firewall. Once the IPSEC tunnel is established, the opposite terminal equipment can only communicate with the main firewall, and the standby firewall cannot establish an IPSEC tunnel. If the active firewall fails, the opposite end device must establish a new IPSEC tunnel with the standby firewall.
In the prior art, the local end therefore has two firewalls but, in normal operation, only the main firewall is used for data transmission, which wastes system resources and limits the data transmission speed.
Disclosure of Invention
The invention provides a data transmission method, an exit router, a firewall and a double firewall system, which are used for improving the data transmission speed and avoiding the waste of resources by sharing the load of the two firewalls in a double active mode.
One aspect of the present invention is to provide a data transmission method applied to a dual firewall system, where the dual firewall system includes two firewalls that are mutually hot standby, an exit router and an intranet router; the two firewalls are respectively configured to be in an Active activation state, the two firewalls respectively establish IPSEC virtual tunnels with opposite end equipment through the exit router, and the two firewalls are respectively connected with the intranet equipment through the intranet router. The method comprises the following steps:
the exit router acquires the link state of the IPSEC virtual tunnel corresponding to the two firewalls;
and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with the opposite terminal equipment through the two IPSEC virtual tunnels in a load sharing mode.
Further, the method further comprises:
and if the link state of one IPSEC virtual tunnel is in an abnormal working state, the exit router transmits all data with the opposite terminal equipment through the other IPSEC virtual tunnel.
Further, the method further comprises:
the egress router identifying a type of the data;
and if the data type is a preset data type, the exit router transmits data with the opposite terminal device through the IPSEC virtual tunnel corresponding to the preset data type.
Further, before the two firewalls respectively perform data transmission with the peer device through the corresponding IPSEC virtual tunnels, the method further includes:
and the exit router configures an IP address as the exit gateway address of the two IPSEC virtual tunnels.
Another aspect of the present invention is to provide an egress router applied to a dual firewall system, where the dual firewall system includes two firewalls that are mutually hot standby, an exit router and an intranet router; the two firewalls are respectively configured to be in an Active activation state, the two firewalls respectively establish IPSEC virtual tunnels with the opposite terminal equipment through the exit router, and the two firewalls are respectively connected with intranet equipment through the intranet router. The exit router includes:
the monitoring module is used for acquiring the link states of the IPSEC virtual tunnels corresponding to the two firewalls;
and the processing module is used for performing data transmission with the opposite terminal equipment through the two IPSEC virtual tunnels by adopting a load sharing mode if the link states of the two IPSEC virtual tunnels are both in a normal working state.
Further, the processing module is further configured to:
and if the link state of one IPSEC virtual tunnel is in an abnormal working state, transmitting all data by the other IPSEC virtual tunnel and the opposite-end equipment.
Further, the processing module is further configured to:
and identifying the type of the data, and if the type of the data is a preset data type, performing data transmission with the opposite terminal equipment through the IPSEC virtual tunnel corresponding to the preset data type.
Further, the processing module is further configured to:
and configuring an IP address as the exit gateway address of the two IPSEC virtual tunnels.
Another aspect of the present invention is to provide a firewall for a dual firewall system, the dual firewall system comprising: the two firewalls, the exit router and the intranet router are mutually hot standby;
the firewall is configured to be in an Active activation state;
the firewall synchronizes its configuration with the other firewall through a heartbeat link;
the firewall establishes an IPSEC virtual tunnel with opposite terminal equipment through the exit router, and the two firewalls are respectively connected with the intranet equipment through the intranet router.
Another aspect of the present invention provides a dual firewall system, comprising: an egress router as described above, two firewalls as described above, and an intranet router;
the two firewalls are respectively configured to be in an Active activation state, the two firewalls respectively establish IPSEC virtual tunnels with opposite-end equipment through the exit router, and the two firewalls are respectively connected with intranet equipment through the intranet router.
According to the data transmission method, the exit router, the firewall and the double firewall systems, the exit router in the double firewall systems acquires the link states of IPSEC virtual tunnels corresponding to the two firewalls; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. The method of the invention enables two firewalls to process IPSEC VPN service flow in a load way through the load sharing of the double active modes of the double firewall systems, improves the data transmission speed, avoids the waste of resources, has higher reliability and stability, does not need to arrange two firewalls on opposite-end equipment, and avoids the increase of cost and the waste of address resources.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to these drawings without creative efforts.
FIG. 1 is a diagram of a network architecture for a dual firewall system according to an embodiment of the present invention;
FIG. 2 is a flowchart of a data transmission method according to an embodiment of the present invention;
FIG. 3 is a flowchart of a data transmission method according to another embodiment of the present invention;
FIG. 4 is a block diagram of an egress router according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
FIG. 1 is a diagram of a network architecture for a dual firewall system according to an embodiment of the present invention; fig. 2 is a flowchart of a data transmission method according to an embodiment of the present invention. The embodiment of the invention provides a data transmission method, which is applied to a double firewall system shown in figure 1, wherein the double firewall system comprises: the firewall system comprises two firewalls 111 and 112, an exit router 120 and an intranet router 130 which are mutually hot-standby, wherein the two firewalls 111 and 112 are respectively configured to be in an Active activation state, and the two firewalls 111 and 112 respectively establish an IPSEC (Internet Protocol Security) virtual tunnel with an opposite terminal device 200 through the exit router 120 and are connected with the intranet device 300 through the intranet router 130.
As shown in fig. 2, VRRP (Virtual Router Redundancy Protocol) is configured between the two firewalls and the intranet router, VRRP is likewise configured towards the egress router, and routes are made reachable through static routing or a dynamic routing protocol. Both firewalls are configured with the dual-device hot-standby function and both are placed in the Active activation state, so that they cooperate in dual active mode and the standby firewall is not left idle, which would waste resources. In the dual firewall system of this embodiment, the two firewalls respectively establish an IPSEC virtual tunnel with the peer device through the egress router, so that IPSEC VPN traffic is distributed across the two IPSEC virtual tunnels to carry out data transmission with the peer device. Here IPSEC VPN refers to VPN (Virtual Private Network) technology that implements remote access using the IPSEC protocol and provides end-to-end encryption and authentication services for public and private networks. It should be noted that, because the two firewalls each establish their IPSEC virtual tunnel with the opposite-end device through the egress router, the two IPSEC virtual tunnels share one link between the egress router and the opposite-end device; if the opposite-end device can only support one VPN tunnel, it is not necessary to set up two firewalls at the opposite end to accommodate the two IPSEC virtual tunnels, thereby avoiding increased cost and wasted address resources.
As shown in fig. 2, the method comprises the following specific steps:
s101, the exit router acquires the link state of the IPSEC virtual tunnels corresponding to the two firewalls.
In this embodiment, the egress router determines whether the two firewalls work normally by detecting the link status of the IPSEC virtual tunnels corresponding to the two firewalls. Specifically, the egress router monitors the link status between the two firewalls and the egress router. Optionally, the egress router may monitor in real time, or monitor when there is a data transmission task.
And S102, if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with the opposite terminal equipment through the two IPSEC virtual tunnels in a load sharing mode.
In this embodiment, when the egress router detects that the link states of both IPSEC virtual tunnels are normal, that is, both firewalls are operating normally, the egress router performs data transmission (both sending and receiving data) with the opposite device through the two IPSEC virtual tunnels in a load sharing manner, so that IPSEC VPN traffic is distributed between the two IPSEC virtual tunnels. Optionally, flow-based, packet-based or bandwidth-based load sharing may be adopted in this embodiment.
It should be noted that, when data is sent from the intranet device to the opposite end through the intranet router, the intranet router may also use the process executed by the egress router in the present invention.
In the data transmission method provided by this embodiment, the exit router in the dual firewall system obtains the link states of the IPSEC virtual tunnels corresponding to the two firewalls; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. According to the method, through the load sharing of the double active modes of the double firewall systems, the two firewalls can process the IPSEC VPN service flow in a load mode, the data transmission speed is improved, the waste of resources is avoided, meanwhile, the method has higher reliability and stability, the opposite-end equipment does not need to be provided with the two firewalls, and the increase of cost and the waste of address resources are avoided.
Fig. 3 is a flowchart of a data transmission method according to another embodiment of the present invention. On the basis of the foregoing embodiment, after the egress router acquires the link states of the IPSEC virtual tunnels corresponding to the two firewalls in S101, the method further includes:
s201, if the link state of one IPSEC virtual tunnel is in an abnormal working state, the exit router transmits all data with the opposite terminal equipment through the other IPSEC virtual tunnel.
In this embodiment, when the egress router detects that the link state of either of the two IPSEC virtual tunnels is abnormal, this indicates that the corresponding firewall has failed; the other firewall then takes over all of the failed firewall's work, that is, all data exchanged with the peer device is carried by the IPSEC virtual tunnel that is still working normally, which improves the reliability and stability of the dual firewall system.
And when the exit router detects that the failed link is recovered to be normal again, the load sharing in the dual active mode is recovered.
Further, the method provided by the above embodiment may further include:
the egress router identifying a type of the data;
and if the data type is a preset data type, the exit router transmits data with the opposite terminal device through the IPSEC virtual tunnel corresponding to the preset data type.
In this embodiment, it may be autonomously specified that specific service data is transmitted through a specific IPSEC virtual tunnel, that is, the type of the data is set in advance, the egress router identifies the type of the data to be transmitted, and if the type of the data is a predetermined data type, a matched IPSEC virtual tunnel is selected. Of course, if the link state of the IPSEC virtual tunnel is an abnormal working state, another IPSEC virtual tunnel is used for data transmission.
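The selection rules of S101, S102 and S201 together with the preset-data-type branch above can be modelled in a few dozen lines. The following Python is an added illustration written for this page, not code from the patent or from China United Network Communications Group: the names LinkState, Tunnel, Packet, EgressRouter and the pinned_types mapping (a preset data type mapped to a tunnel name) are assumptions, and the flow-based hashing is one of the three sharing modes the description leaves open. It shows a flow staying on one tunnel while both are up, all traffic (including a pinned type) moving to the surviving tunnel when one link goes abnormal, and sharing resuming once the link recovers.

```python
"""Model of the egress router's IPSEC tunnel selection (added example, not the patent's code).

Assumed names: LinkState, Tunnel, Packet, EgressRouter, pinned_types.
"""
import hashlib
from dataclasses import dataclass
from enum import Enum


class LinkState(Enum):
    NORMAL = "normal"      # tunnel and its firewall working normally (S102)
    ABNORMAL = "abnormal"  # tunnel down, corresponding firewall failed (S201)


@dataclass
class Tunnel:
    name: str                          # constructed label, e.g. "fw111"
    state: LinkState = LinkState.NORMAL
    bytes_sent: int = 0                # simple per-tunnel counter


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    data_type: str = "generic"  # the "preset data type" of the third embodiment
    size: int = 1000


class EgressRouter:
    """Holds the two tunnels (one per firewall) and applies the selection rules."""

    def __init__(self, tunnels, pinned_types=None):
        self.tunnels = list(tunnels)
        # assumed preset-type -> tunnel-name mapping (the patent leaves the format open)
        self.pinned_types = dict(pinned_types or {})

    def set_link_state(self, name, state):
        """S101: the monitored link state of one tunnel changes."""
        for t in self.tunnels:
            if t.name == name:
                t.state = state
                return
        raise KeyError(name)

    def healthy(self):
        return [t for t in self.tunnels if t.state is LinkState.NORMAL]

    def select_tunnel(self, pkt):
        """Return the Tunnel to use for pkt, or None if neither tunnel is usable."""
        up = self.healthy()
        if not up:
            return None                       # both firewalls down: nothing can be sent
        # Preset-type steering: use the pinned tunnel while it is healthy,
        # otherwise fall through to whichever tunnel still works.
        pinned = self.pinned_types.get(pkt.data_type)
        for t in up:
            if t.name == pinned:
                return t
        if len(up) == 1:
            return up[0]                      # S201: the surviving tunnel carries everything
        # S102, flow-based load sharing: hash (src, dst, proto) so every packet of a
        # flow stays on one tunnel, i.e. in one firewall's session table.
        key = f"{pkt.src}|{pkt.dst}|{pkt.proto}".encode()
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big") % len(up)
        return up[idx]

    def send(self, pkt):
        t = self.select_tunnel(pkt)
        if t is None:
            raise RuntimeError("both IPSEC virtual tunnels are in an abnormal state")
        t.bytes_sent += pkt.size
        return t.name


def build_demo_router():
    """Constructed topology: tunnels through firewalls 111 and 112 of figure 1,
    with an assumed preset data type 'voice' pinned to the tunnel of firewall 112."""
    return EgressRouter([Tunnel("fw111"), Tunnel("fw112")],
                        pinned_types={"voice": "fw112"})


def run_scenario():
    """Normal sharing, failover and recovery; returns the set of tunnels used per phase."""
    r = build_demo_router()
    flows = [Packet(f"10.1.2.{i}", "10.1.3.9", "tcp") for i in range(1, 101)]  # constructed
    voice = Packet("10.1.2.200", "10.1.3.9", "udp", data_type="voice")
    both_up = {r.send(p) for p in flows}
    voice_up = r.send(voice)
    r.set_link_state("fw112", LinkState.ABNORMAL)   # firewall 112's tunnel goes abnormal
    one_down = {r.send(p) for p in flows}
    voice_down = r.send(voice)
    r.set_link_state("fw112", LinkState.NORMAL)     # link recovers, sharing resumes
    recovered = {r.send(p) for p in flows}
    return {"both_up": both_up, "voice_up": voice_up,
            "one_down": one_down, "voice_down": voice_down, "recovered": recovered}


if __name__ == "__main__":
    for phase, used in run_scenario().items():
        print(f"{phase}: {used}")
```

Hashing on the flow tuple rather than per packet is the choice a practitioner would usually make here: the two firewalls mirror sessions to each other, but keeping a flow on one firewall avoids the asymmetric-path case where one firewall sees only half of a connection. The state change on recovery also shows the caveat that flows rehash when the healthy set changes, so session mirroring between the firewalls is what keeps that transition transparent.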
Further, before the two firewalls respectively perform data transmission with the peer device through the corresponding IPSEC virtual tunnels, the method further includes:
and the exit router configures an IP address as the exit gateway address of the two IPSEC virtual tunnels.
In this embodiment, external access for the two firewalls is implemented by performing multiple NAT (Network Address Translation) operations on the IP address, so that IPSEC and NAT are combined in the dual active mode.
In the data transmission method provided by this embodiment, the exit router in the dual firewall system obtains the link states of the IPSEC virtual tunnels corresponding to the two firewalls; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. According to the method, through the load sharing of the double active modes of the double firewall systems, the two firewalls can process the IPSEC VPN service flow in a load mode, the data transmission speed is improved, the waste of resources is avoided, meanwhile, the method has higher reliability and stability, the opposite-end equipment does not need to be provided with the two firewalls, and the increase of cost and the waste of address resources are avoided.
Fig. 4 is a block diagram of an egress router according to an embodiment of the present invention. An embodiment of the present invention provides an egress router, which may perform the processing procedure provided in an embodiment of the data transmission method. As shown in fig. 4, the egress router is applied to a dual firewall system, where the dual firewall system includes two firewalls that are mutually hot standby, an exit router and an intranet router; the two firewalls are respectively configured to be in an Active activation state, the two firewalls respectively establish IPSEC virtual tunnels with the opposite terminal equipment through the exit router, and the two firewalls are respectively connected with intranet equipment through the intranet router. The exit router includes a monitoring module 121 and a processing module 122.
The monitoring module 121 is configured to obtain link states of IPSEC virtual tunnels corresponding to the two firewalls;
and the processing module 122 is configured to perform data transmission with the opposite end device through the two IPSEC virtual tunnels in a load sharing manner if the link states of the two IPSEC virtual tunnels are both normal working states.
Further, the processing module 122 is further configured to:
and if the link state of one IPSEC virtual tunnel is in an abnormal working state, transmitting all data by the other IPSEC virtual tunnel and the opposite-end equipment.
Further, the processing module 122 is further configured to:
and identifying the type of the data, and if the type of the data is a preset data type, performing data transmission with the opposite terminal equipment through the IPSEC virtual tunnel corresponding to the preset data type.
Further, the processing module 122 is further configured to:
and configuring an IP address as the exit gateway address of the two IPSEC virtual tunnels.
The egress router provided in the embodiment of the present invention may be specifically configured to execute the method embodiments provided in fig. 2 and 3, and specific functions are not described herein again.
In the egress router provided in this embodiment, the link states of the IPSEC virtual tunnels corresponding to the two firewalls are obtained through the egress router in the dual firewall system; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. The exit router of the embodiment enables the two firewalls to process the IPSEC VPN service flow in a load mode by configuring the load sharing of the double active modes of the double firewall systems, improves the data transmission speed, avoids the waste of resources, has higher reliability and stability, and does not require two firewalls on the opposite-end equipment, thereby avoiding the increase of cost and the waste of address resources.
Another embodiment of the present invention provides a firewall, which is used in a dual firewall system, where the dual firewall system includes: the two firewalls, the exit router and the intranet router are mutually hot standby;
the firewall is configured to be in an Active activation state;
the firewall synchronizes its configuration with the other firewall through a heartbeat link;
the firewall establishes an IPSEC virtual tunnel with opposite terminal equipment through the exit router, and the two firewalls are respectively connected with the intranet equipment through the intranet router.
In this embodiment, two firewalls may be configured through the following steps:
1) configuring the uplink and downlink service interfaces (configuring an interface IP address and adding the interface into the corresponding security zone);
2) configuring the inter-zone security policy of the firewall (configuring forwarding policies between the Trust zone and the Untrust zone, allowing packets before encapsulation and after decapsulation to pass through the firewall; and configuring local policies between the Local zone and the Untrust zone, allowing IKE negotiation packets to pass through the firewall normally);
3) configuring routes from the firewall to the client's private network router;
4) configuring and running the OSPF dynamic routing protocol on the firewall;
5) configuring an access control list that defines the data flows to be protected;
6) configuring an IPSec security proposal named tran1;
7) configuring an IKE security proposal with sequence number 10;
8) configuring an IKE peer;
9) configuring an IPSec security policy template named map_temp with sequence number 1;
10) referencing the security policy template map_temp in IPSec security policy map1;
11) applying the security policy map1 on the uplink service interface;
12) enabling the dual-device configuration of the firewall.
Specifically, taking one of the firewalls as an example, step 1) configures the uplink and downlink service interfaces (configuration commands as follows): the uplink service interface (GigabitEthernet1/0/1) of the firewall (USG6600-1), that is, the interface connected to the egress router, is placed in both the active group and the standby group at the same time, thereby configuring the Active state of the firewall.
[USG6600-1-GigabitEthernet1/0/1]hrp track active
[USG6600-1-GigabitEthernet1/0/1]hrp track standby
Further, in step 3) static routes from the firewall to the client's private network router are configured, avoiding dynamic learning; the configuration commands are as follows:
[USG6600-1]ip route-static 10.1.2.0 255.255.255.0 132.168.7.2
[USG6600-1]ip route-static 10.1.3.0 255.255.255.0 60.29.112.122
Further, step 12) enables the dual-device configuration of the firewall, which implements load sharing, fast session backup, automatic real-time backup of configuration commands and periodic backup of status information between the two firewalls; the specific configuration commands are as follows:
[USG6600-1]hrp interface GigabitEthernet 1/0/2
[USG6600-1]hrp enable
HRP_A[USG6600-1]hrp loadbalance-device
HRP_A[USG6600-1]hrp mirror session enable
HRP_A[USG6600-1]hrp auto-sync config
In the firewall provided by this embodiment, the exit router in the dual firewall system obtains the link states of the IPSEC virtual tunnels corresponding to the two firewalls; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. In this embodiment, by configuring load sharing of the dual active modes of the dual firewall systems, the two firewalls can share and process IPSEC VPN traffic, so that data transmission speed is increased, waste of resources is avoided, and at the same time higher reliability and stability are achieved.
Another embodiment of the present invention provides a double firewall system, as specifically shown in fig. 1, including: an egress router as described in the above embodiments, two firewalls as described in the above embodiments, and an intranet router;
the two firewalls are respectively configured to be in an Active activation state, the two firewalls respectively establish IPSEC virtual tunnels with opposite-end equipment through the exit router, and the two firewalls are respectively connected with intranet equipment through the intranet router.
According to the double firewall system, the link states of IPSEC virtual tunnels corresponding to the two firewalls are obtained through the exit router in the double firewall system; and if the link states of the two IPSEC virtual tunnels are both in a normal working state, the exit router performs data transmission with opposite-end equipment through the two IPSEC virtual tunnels by adopting a load sharing mode. In this embodiment, by configuring load sharing of the dual active modes of the dual firewall systems, the two firewalls can load and process IPSEC VPN traffic, so that data transmission speed is increased, waste of resources is avoided, and meanwhile, higher reliability and stability are achieved.
In the embodiments provided in the present invention, it should be understood that the disclosed apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, or in a form of hardware plus a software functional unit.
The integrated unit implemented in the form of a software functional unit may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium and includes several instructions to enable a computer device (which may be a personal computer, a server, or a network device) or a processor (processor) to execute some steps of the methods according to the embodiments of the present invention. And the aforementioned storage medium includes: various media capable of storing program codes, such as a usb disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, or an optical disk.
It is obvious to those skilled in the art that, for convenience and simplicity of description, the foregoing division of the functional modules is merely used as an example, and in practical applications, the above function distribution may be performed by different functional modules according to needs, that is, the internal structure of the device is divided into different functional modules to perform all or part of the above described functions. For the specific working process of the device described above, reference may be made to the corresponding process in the foregoing method embodiment, which is not described herein again.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solution of the present invention, and not to limit the same; while the invention has been described in detail and with reference to the foregoing embodiments, it will be understood by those skilled in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and the modifications or the substitutions do not make the essence of the corresponding technical solutions depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A data transmission method, applied to a dual firewall system, wherein the dual firewall system comprises two firewalls that are hot standby for each other, an egress router and an intranet router; the two firewalls are each configured in an Active state, each of the two firewalls establishes an IPSEC virtual tunnel with a peer device through the egress router, and each of the two firewalls is connected to intranet devices through the intranet router; the method comprises:
the egress router acquiring the link states of the IPSEC virtual tunnels corresponding to the two firewalls; and
if the link states of both IPSEC virtual tunnels are in a normal working state, the egress router performing data transmission with the peer device through the two IPSEC virtual tunnels in a load sharing mode, wherein the peer device is provided with one firewall.
2. The method of claim 1, further comprising:
if the link state of one IPSEC virtual tunnel is in an abnormal working state, the egress router transmitting all data with the peer device through the other IPSEC virtual tunnel.
3. The method of claim 1, further comprising:
the egress router identifying the type of the data; and
if the data type is a preset data type, the egress router performing data transmission with the peer device through the IPSEC virtual tunnel corresponding to the preset data type.
4. The method according to any one of claims 1 to 3, wherein before the two firewalls perform data transmission with the peer device through their respective IPSEC virtual tunnels, the method further comprises:
the egress router configuring one IP address as the egress gateway address of both IPSEC virtual tunnels.
5. An egress router, applied to a dual firewall system, wherein the dual firewall system comprises two firewalls that are hot standby for each other, the egress router and an intranet router; the two firewalls are each configured in an Active state, each of the two firewalls establishes an IPSEC virtual tunnel with a peer device through the egress router, and each of the two firewalls is connected to intranet devices through the intranet router; the egress router comprises:
a monitoring module, configured to acquire the link states of the IPSEC virtual tunnels corresponding to the two firewalls; and
a processing module, configured to perform data transmission with the peer device through the two IPSEC virtual tunnels in a load sharing mode if the link states of both IPSEC virtual tunnels are in a normal working state, wherein the peer device is provided with one firewall.
6. The egress router of claim 5, wherein the processing module is further configured to:
if the link state of one IPSEC virtual tunnel is in an abnormal working state, transmit all data with the peer device through the other IPSEC virtual tunnel.
7. The egress router of claim 5, wherein the processing module is further configured to:
identify the type of the data and, if the type of the data is a preset data type, perform data transmission with the peer device through the IPSEC virtual tunnel corresponding to the preset data type.
8. The egress router of any one of claims 5 to 7, wherein the processing module is further configured to:
configure one IP address as the egress gateway address of both IPSEC virtual tunnels.
9. A firewall, for use in a dual firewall system, wherein the dual firewall system comprises two firewalls that are hot standby for each other, an egress router and an intranet router;
the firewall is configured in an Active state;
the firewall synchronizes its configuration with the other firewall through a heartbeat line;
the firewall establishes an IPSEC virtual tunnel with a peer device through the egress router, each of the two firewalls is connected to intranet devices through the intranet router, and the peer device is provided with one firewall.
10. A dual firewall system, comprising: the egress router of any one of claims 5 to 8, two firewalls according to claim 9, and an intranet router;
the two firewalls are each configured in an Active state, each of the two firewalls establishes an IPSEC virtual tunnel with a peer device through the egress router, each of the two firewalls is connected to intranet devices through the intranet router, and the peer device is provided with one firewall.
CN201811643288.9A 2018-12-29 2018-12-29 Data transmission method, exit router, firewall and double firewall systems Active CN109743316B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811643288.9A CN109743316B (en) 2018-12-29 2018-12-29 Data transmission method, exit router, firewall and double firewall systems

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811643288.9A CN109743316B (en) 2018-12-29 2018-12-29 Data transmission method, exit router, firewall and double firewall systems

Publications (2)

Publication Number Publication Date
CN109743316A CN109743316A (en) 2019-05-10
CN109743316B true CN109743316B (en) 2021-06-29

Family

ID=66362627

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811643288.9A Active CN109743316B (en) 2018-12-29 2018-12-29 Data transmission method, exit router, firewall and double firewall systems

Country Status (1)

Country Link
CN (1) CN109743316B (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113872880B (en) * 2020-06-30 2024-04-16 华为技术有限公司 Network, data transmission method and device
CN112702439B (en) * 2020-12-31 2022-11-15 北京天融信网络安全技术有限公司 Method for synchronizing status of gatekeeper and isolated gatekeeper
CN113645117B (en) * 2021-07-08 2023-04-07 郑州信大捷安信息技术股份有限公司 IPSec protocol-based multi-channel intelligent routing method and system

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1725702A (en) * 2004-07-20 2006-01-25 联想网御科技(北京)有限公司 Network safety equipment and assemblied system and method for implementing high availability
US7480737B2 (en) * 2002-10-25 2009-01-20 International Business Machines Corporation Technique for addressing a cluster of network servers
CN102006310A (en) * 2010-12-24 2011-04-06 山石网科通信技术(北京)有限公司 Data stream processing method and firewall
CN103501299A (en) * 2013-09-24 2014-01-08 曙光信息产业(北京)有限公司 Firewall cluster management method and system
CN105450550A (en) * 2015-11-10 2016-03-30 北京奇虎科技有限公司 Channel priority adjustment method and device for router

Also Published As

Publication number Publication date
CN109743316A (en) 2019-05-10

Similar Documents

Publication Publication Date Title
US11082304B2 (en) Methods, systems, and computer readable media for providing a multi-tenant software-defined wide area network (SD-WAN) node
EP3761592B1 (en) System and method for virtual interfaces and advanced smart routing in a global virtual network
EP2579634B1 (en) Methods and apparatus for a self-organized layer-2 enterprise network architecture
US9065802B2 (en) Policy-based configuration of internet protocol security for a virtual private network
US8713305B2 (en) Packet transmission method, apparatus, and network system
EP2579514B1 (en) Method and apparatus for a converged wired/wireless enterprise network architecture
US9231918B2 (en) Use of virtual network interfaces and a websocket based transport mechanism to realize secure node-to-site and site-to-site virtual private network solutions
CN109743316B (en) Data transmission method, exit router, firewall and double firewall systems
CN101262409A (en) Virtual private network VPN access method and device
CN108011759B (en) VPN management method, device and system
US20220210130A1 (en) Method and apparatus for maintaining a resilient vpn connection
CN109450905B (en) Method, device and system for transmitting data
CN110661858A (en) Websocket-based intranet penetration method and system
US8365253B2 (en) Method and system for secure management of co-located customer premises equipment
WO2022001937A1 (en) Service transmission method and apparatus, network device, and storage medium
JP5345651B2 (en) Secure tunneling platform system and method
US20200287868A1 (en) Systems and methods for in-band remote management
Wolinsky et al. On the design and implementation of structured P2P VPNs
CN112039854A (en) Data transmission method, device and storage medium
US7729289B2 (en) Method, system and computer program product for routing information across firewalls
KR102376484B1 (en) Apparatus and method for automatic switching of duplication lines
KR101308089B1 (en) Ipsec vpn system and method for supporing high availability
CN102946359B (en) Method and device for forwarding flow
CN115883256B (en) Data transmission method, device and storage medium based on encryption tunnel
WO2023070572A1 (en) Communication device and method therein for facilitating ipsec communications

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant