CN111614796B - Method and device for configuring IPsec tunnel to pass through NAT by using manual secret key - Google Patents


Info

Publication number: CN111614796B
Authority: CN (China)
Prior art keywords: ipsec, tunnel, header, control, nat
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202010365418.8A
Other languages: Chinese (zh)
Other versions: CN111614796A (en)
Inventors: 黄韬, 张晨, 邢业平, 汪硕
Current Assignee: Network Communication and Security Zijinshan Laboratory (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Network Communication and Security Zijinshan Laboratory
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.): 2020-04-30
Filing date: 2020-04-30
Publication date: 2023-03-24

Classifications

    • H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming / H04L61/09 Mapping addresses / H04L61/25 Mapping addresses of the same type / H04L61/2503 Translation of Internet protocol [IP] addresses / H04L61/256 NAT traversal
    • H04L12/00 Data switching networks / H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] / H04L12/46 Interconnection of networks / H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L61/00 Network arrangements, protocols or services for addressing or naming / H04L61/09 Mapping addresses / H04L61/25 Mapping addresses of the same type / H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass / H04L69/22 Parsing or analysis of headers
    • H04L2101/00 Indexing scheme associated with group H04L61/00 / H04L2101/60 Types of network addresses / H04L2101/618 Details of network addresses / H04L2101/663 Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports

Abstract

The invention provides a method and a device for configuring an IPsec tunnel to traverse NAT using a manually configured key. The method is based on a new IPsec encapsulation protocol: a control protocol is added in the next-header position of the encapsulation header of the existing IPsec encapsulation protocol, a corresponding TLV control header is encapsulated, and the TLV is defined by an extension protocol based on IPsec encapsulation. Combined with the designed flow, this ensures interworking between manually configured IPsec endpoints in a NAT scenario.

Description

Method and device for configuring IPsec tunnel to pass through NAT by using manual secret key
Technical Field
The invention belongs to the technical field of IP networks, and in particular relates to a method for configuring an IPsec tunnel to traverse NAT using a manually configured key.
Background
The IETF defines two IPsec encapsulation protocols, AH and ESP. Each can be used in one of two encapsulation modes, transport mode and tunnel mode. Transport mode applies the IPsec encapsulation directly behind the original IP header, whereas tunnel mode encapsulates the original packet behind a new outer IP header; in practice, tunnel mode is used more often.
In IPsec, to keep the encapsulation secure, the keys must be replaced periodically. There are currently two ways to do this: manual configuration (which may be issued by an SDN controller or applied automatically) and IKE renegotiation. IKE negotiation can achieve NAT traversal through payloads such as NAT-T and NAT-D, but manual configuration has no corresponding mechanism.
In current SD-WAN networking, the key can be issued by an SDN controller, which is equivalent to manual configuration, and no NAT traversal scheme is provided: the Server on the public network cannot be configured with the IP address of the Client on the private-network side, so the encapsulation performed by the forwarding plane cannot be directed to it.
Disclosure of Invention
To address these problems in the prior art, the invention provides a method for configuring an IPsec tunnel to traverse NAT using an extension protocol based on IPsec encapsulation, so that IPsec endpoints with manually configured keys can interwork in a network containing NAT.
To achieve this, the technical scheme of the invention is as follows. A method for configuring an IPsec tunnel to traverse NAT using a manually configured key comprises the following steps:
step one: the Client and the Server configure the manual key of the IPsec tunnel and configure the same tunnel identity information;
step two: the Client starts a timer and sends an IPsec control message at regular intervals; following the NAT traversal scheme of IKE (Internet Key Exchange), the IPsec control message is encapsulated in a UDP (User Datagram Protocol) header with port number 4500;
step three: the IPsec control message is translated by the NAT (Network Address Translation) device and reaches the Server. The Server confirms from the control field of the IPsec message that it is a NAT-detection control message, looks up the local tunnel by the Value, obtains the tunnel information on a match, obtains the translated IP address and UDP port of the NAT device from the outer IP header and UDP port of the message, associates that IP address and UDP port with the tunnel, and uses this information to direct subsequent forwarding and encapsulation.
The IPsec control message adds a control protocol in the next-header position of the encapsulation header of the existing IPsec encapsulation protocol and encapsulates the corresponding TLV control header.
The control protocol comprises:
Next Header: the next message header;
Type = 2: indicates a control message for detecting NAT traversal;
Len = 4: indicates that Value is 4 bytes long;
Value: the identity information of the tunnel, which the Server matches against its tunnel configuration.
In the ESP encapsulation protocol of IPsec, the next header of the ESP header indicates that the header following it is the IPsec control header, and the next header of the IPsec control header indicates the original packet.
In tunnel mode of the ESP encapsulation protocol, the control protocol header is added after the ESP header and before the original IP header, and a UDP header is encapsulated before the ESP header.
The invention also provides an apparatus for configuring an IPsec tunnel to traverse NAT using a manually configured key, comprising:
nodes, which are the devices at the two ends of the IPsec tunnel, namely a Client and a Server;
the Server confirms from the control field of the IPsec message that it is a NAT-detection control message, looks up the local tunnel by the Value, obtains the tunnel information on a match, obtains the translated IP address and UDP port of the NAT device from the outer IP header and UDP port of the message, associates that IP address and UDP port with the tunnel, and uses this information to direct subsequent forwarding and encapsulation;
an SDN controller, which issues the IPsec key information, manually configures the IPsec tunnel keys on the Client and the Server, and configures the same tunnel identity information on both;
a timer module, deployed in the Client, which sends the IPsec control message at regular intervals;
and a NAT device, which translates the message.
Further, the control message adds a control protocol in the next-header position of the encapsulation header of the existing IPsec encapsulation protocol and encapsulates the corresponding TLV control header.
Further, the control protocol comprises:
Next Header: the next message header;
Type = 2: indicates a control message for detecting NAT traversal;
Len = 4: indicates that Value is 4 bytes long;
Value: the identity information of the tunnel, which the Server matches against its tunnel configuration.
Further, in tunnel mode of the ESP encapsulation protocol, the control protocol header is added after the ESP header and before the original IP header, and a UDP header is encapsulated before the ESP header.
Advantageous effects
The invention provides an extensible IPsec control protocol whose header can be extended flexibly, so that control information can conveniently be supplied to IPsec and to upper-layer applications.
By using an extension protocol based on IPsec encapsulation, defining a new TLV and designing a corresponding flow, the invention solves the problem that IPsec endpoints with manually configured keys cannot communicate in a network containing NAT.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings used in the embodiments are briefly described below. The drawings described here show only some embodiments of the invention; those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the data structure of a control packet;
Fig. 2 is a schematic diagram of the ESP encapsulation format after the IPsec control protocol is added;
Fig. 3 is a schematic diagram of an IPsec endpoint connection;
Fig. 4 is a schematic diagram of a network environment scenario in an embodiment of the invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Example 1
First, the new IPsec encapsulation protocol with a control packet is introduced. The original IPsec encapsulation protocol has two forms, the AH encapsulation protocol and the ESP encapsulation protocol; in the original encapsulation, the next header indicates either the original IP packet (tunnel mode) or the original upper-layer protocol data (transport mode).
Next-header values commonly used in IPsec encapsulation, as defined by IANA:
4: IPv4 packet
6: TCP packet
17: UDP packet
41: IPv6 packet
In this embodiment, a new protocol header is added; its format is shown in Fig. 1, and its fields are as follows:
Next Header: the next header, 8 bits, usually the protocol number of IPv4;
Type: type field, 8 bits, defining the control type carried, in the range 0 to 255;
Len: length field, 16 bits, giving the data length corresponding to the control type, i.e. the length of Value, in the range 0 to 65535; a value of 0 indicates that there is no Value field;
Value: control data field, whose length is given by Len.
The control protocol TLV provided in this embodiment is defined as follows:
Type = 2: control message for detecting NAT traversal;
Len = 4: Value is 4 bytes long and carries an ID number, which may be assigned by the SDN controller to distinguish tunnels;
Value: the identity information of the tunnel, used to match the tunnel configuration on the Server side.
Further, as shown in Fig. 2, in tunnel mode of ESP encapsulation the control protocol header is added after the ESP header and before the original IP header, and a UDP header is encapsulated before the ESP header.
As shown in Fig. 4, the invention provides a method for configuring an IPsec tunnel to traverse NAT using a manually configured key, comprising the following steps:
step one: the Client and the Server configure the manual key of the IPsec tunnel and configure the same tunnel identity information;
step two: the Client starts a timer and sends an IPsec control message at regular intervals; following the NAT traversal scheme of IKE (Internet Key Exchange), the IPsec control message is encapsulated in a UDP (User Datagram Protocol) header with port number 4500;
step three: the IPsec control message is translated by the NAT (Network Address Translation) device and reaches the Server. The Server confirms from the control field of the IPsec message that it is a NAT-detection control message, looks up the local tunnel by the Value, obtains the tunnel information on a match, obtains the translated IP address and UDP port of the NAT device from the outer IP header and UDP port of the message, associates that IP address and UDP port with the tunnel, and uses this information to direct subsequent forwarding and encapsulation.
The Client sends the control message periodically so that the session entry on the NAT device does not age out.
As shown in Figs. 3 and 4, by using an extension protocol based on IPsec encapsulation, defining a new TLV and designing a corresponding flow, the problem that IPsec endpoints with manually configured keys cannot communicate with each other in a network containing NAT is solved.
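The TLV control header (Next Header / Type / Len / Value) and the Server-side handling of step three, as an added Python example that is not part of the patent: it encodes the Type = 2, Len = 4 NAT-detection message, parses it with a Len-versus-buffer check, and records the NAT-translated outer address against the matching tunnel. It assumes the bytes following the ESP header are already available in the clear (ESP processing with the manual key is out of scope), that addresses and tunnel IDs are constructed sample values, and it uses IANA's experimental protocol number 253 as a stand-in for the control header's own next-header value, which the patent does not fix.

```python
import struct
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Next-header values from the page's IANA list.
NH_IPV4, NH_TCP, NH_UDP, NH_IPV6 = 4, 6, 17, 41
# ASSUMPTION: the patent fixes no protocol number for the control header itself;
# IANA's experimental value 253 (RFC 3692) is used here as a placeholder.
NH_CONTROL = 253
TYPE_NAT_DETECT = 2     # Type = 2: control message for detecting NAT traversal
NAT_T_UDP_PORT = 4500   # UDP port borrowed from the IKE NAT-T scheme


@dataclass
class ControlHeader:
    """TLV control header: Next Header (8 bit), Type (8 bit), Len (16 bit), Value."""
    next_header: int
    type: int
    value: bytes = b""

    def encode(self) -> bytes:
        if not (0 <= self.next_header <= 255 and 0 <= self.type <= 255):
            raise ValueError("Next Header and Type are 8-bit fields")
        if len(self.value) > 0xFFFF:
            raise ValueError("Len is a 16-bit field")
        return struct.pack("!BBH", self.next_header, self.type, len(self.value)) + self.value

    @classmethod
    def decode(cls, buf: bytes) -> Tuple["ControlHeader", bytes]:
        """Parse one header; return it and the bytes after it (the original packet)."""
        if len(buf) < 4:
            raise ValueError("truncated control header")
        nh, typ, length = struct.unpack("!BBH", buf[:4])
        if len(buf) < 4 + length:
            # Len must never be trusted beyond what actually arrived.
            raise ValueError("Len field exceeds available bytes")
        return cls(nh, typ, buf[4:4 + length]), buf[4 + length:]


def build_nat_detect(tunnel_id: int, inner_next_header: int = NH_IPV4) -> bytes:
    """Client side: Type = 2, Len = 4, Value = tunnel identity assigned by the SDN controller."""
    return ControlHeader(inner_next_header, TYPE_NAT_DETECT, struct.pack("!I", tunnel_id)).encode()


@dataclass
class Tunnel:
    tunnel_id: int
    manual_key: bytes                          # configured on both ends; not used in this example
    peer: Optional[Tuple[str, int]] = None     # NAT public IP / UDP port learned from control messages


class Server:
    """Server-side handling of step three: match the Value, learn the NAT address."""

    def __init__(self, tunnels: Iterable[Tunnel]):
        self.by_id: Dict[int, Tunnel] = {t.tunnel_id: t for t in tunnels}

    def handle(self, outer_src: Tuple[str, int], esp_next_header: int, body: bytes) -> Optional[Tunnel]:
        """outer_src: source IP/UDP port as rewritten by the NAT; body: bytes after the ESP header."""
        if esp_next_header != NH_CONTROL:
            return None                        # ordinary data packet, no control header present
        hdr, _original_packet = ControlHeader.decode(body)
        if hdr.type != TYPE_NAT_DETECT or len(hdr.value) != 4:
            return None                        # not a NAT-detection message, or Len is not 4
        (tunnel_id,) = struct.unpack("!I", hdr.value)
        tunnel = self.by_id.get(tunnel_id)
        if tunnel is None:
            return None                        # Value matches no locally configured tunnel
        tunnel.peer = outer_src                # associate the NAT IP/port with the tunnel
        return tunnel

    def encap_target(self, tunnel_id: int) -> Optional[Tuple[str, int]]:
        """Outer destination for subsequent Server-to-Client packets of this tunnel."""
        tunnel = self.by_id.get(tunnel_id)
        return tunnel.peer if tunnel else None


if __name__ == "__main__":
    # Constructed scenario: Client behind NAT sends for tunnel 7; NAT rewrites the
    # outer source from 10.0.0.5:4500 to 203.0.113.9:40001 before it reaches the Server.
    srv = Server([Tunnel(7, b"k" * 16), Tunnel(9, b"j" * 16)])
    nat_public_src = ("203.0.113.9", 40001)
    learned = srv.handle(nat_public_src, NH_CONTROL, build_nat_detect(7))
    print("tunnel", learned.tunnel_id, "now encapsulates to", srv.encap_target(7))
```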
Example 2
To carry out the NAT traversal process, the invention also provides an apparatus comprising nodes, which are the devices at the two ends of the IPsec tunnel, namely a Client on the user side and a Server on the server side;
the Server confirms from the control field of the IPsec message that it is a NAT-detection control message, looks up the local tunnel by the Value, obtains the tunnel information on a match, obtains the translated IP address and UDP port of the NAT device from the outer IP header and UDP port of the message, associates that IP address and UDP port with the tunnel, and uses this information to direct subsequent forwarding and encapsulation;
an SDN controller, which issues the IPsec key information, manually configures the IPsec tunnel keys on the Client and the Server, and configures the same tunnel identity information on both;
a timer module, deployed in the Client, which sends the IPsec control message at regular intervals;
and a NAT device, which translates the message.
Further, the control message adds a control protocol in the next-header position of the encapsulation header of the existing IPsec encapsulation protocol and encapsulates the corresponding TLV control header.
By defining a new control TLV on top of the IPsec encapsulation extension protocol of this embodiment and combining it with the designed flow, the problem that IPsec endpoints with manually configured keys cannot communicate in a NAT network is solved.
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of instructions, which comprises one or more executable instructions for implementing the specified logical function(s). In some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Having described embodiments of the present invention, the foregoing description is intended to be exemplary, not exhaustive, and not limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the described embodiments. The terminology used herein is chosen in order to best explain the principles of the embodiments, the practical application, or improvements made to the technology in the marketplace, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.

Claims (9)

1. A method for configuring an IPsec tunnel to traverse NAT using a manually configured key, comprising the following steps:
step one: the Client and the Server configure the manual key of the IPsec tunnel and configure the same tunnel identity information;
step two: the Client starts a timer and sends an IPsec control message at regular intervals; following the NAT traversal scheme of IKE (Internet Key Exchange), the IPsec control message is encapsulated in a UDP (User Datagram Protocol) header with port number 4500;
step three: the IPsec control message is translated by the NAT (Network Address Translation) device and reaches the Server; the Server confirms from the control field of the IPsec control message that it is a NAT-detection control message, looks up the IP address of the local tunnel by the Value, obtains the tunnel information on a match, obtains the translated IP address and UDP port of the NAT device from the outer IP header and UDP port of the message, associates that IP address and UDP port with the tunnel, and uses this information to direct subsequent forwarding and encapsulation.
2. The method of claim 1, wherein the IPsec control message adds a control protocol in the next-header position of the encapsulation header of the existing IPsec encapsulation protocol and encapsulates a corresponding TLV control header.
3. The method of claim 2, wherein the control protocol comprises:
Next Header;
Type = 2: indicates a control message for detecting NAT traversal;
Len = 4: indicates that Value is 4 bytes long;
Value: the identity information of the tunnel, which the Server matches against its tunnel configuration.
4. The method of claim 2, wherein in the ESP encapsulation protocol of IPsec, the next header in the ESP header indicates the IPsec control header, and the next header in the IPsec control header indicates the original packet.
5. The method of claim 4, wherein in tunnel mode of the ESP encapsulation protocol, the control protocol header is added after the ESP header and before the original IP header, and a UDP header is encapsulated before the ESP header.
6. An apparatus for configuring an IPsec tunnel to traverse NAT using a manually configured key, comprising:
nodes, which are the devices at the two ends of the IPsec tunnel, namely a Client and a Server;
the Server confirms from a control field of the IPsec control message that it is a NAT-detection control message, looks up the local tunnel by a Value, obtains the tunnel information on a match, obtains the translated IP address and UDP port of the NAT device from the outer IP header and UDP port of the message, associates that IP address and UDP port with the tunnel, and uses this information to direct subsequent forwarding and encapsulation;
an SDN controller, which issues the IPsec key information, manually configures the IPsec tunnel keys on the Client and the Server, and configures the same tunnel identity information on both;
a timer module, deployed in the Client, which sends the IPsec control message at regular intervals;
and a NAT device, which translates the message.
7. The apparatus of claim 6, wherein the control message adds a control protocol in the next-header position of the encapsulation header of the existing IPsec encapsulation protocol and encapsulates the corresponding TLV control header.
8. The apparatus of claim 7, wherein the control protocol comprises:
Next Header;
Type = 2: indicates a control message for detecting NAT traversal;
Len = 4: indicates that Value is 4 bytes long;
Value: the identity information of the tunnel, which the Server matches against its tunnel configuration.
9. The apparatus of claim 8, wherein in tunnel mode of the ESP encapsulation protocol, the control protocol header is added after the ESP header and before the original IP header, and a UDP header with port number 4500 is encapsulated before the ESP header.
Application CN202010365418.8A, priority date 2020-04-30, filing date 2020-04-30: Method and device for configuring IPsec tunnel to pass through NAT by using manual secret key (Active, CN111614796B).

Publications (2)

Publication Number Publication Date
CN111614796A (en) 2020-09-01
CN111614796B (en) 2023-03-24

Family ID: 72205607
Country status: CN (1) CN111614796B (en)




Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant