CN113411245B - IPSec tunnel network configuration method, IPSec tunnel network configuration device, electronic equipment and storage medium - Google Patents

Info

Publication number: CN113411245B
Application number: CN202110734540.2A
Authority: CN (China)
Prior art keywords: ipsec tunnel, network, ipsec, configuration information, terminal equipment
Prior art date:
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN113411245A (en)
Inventor: 李瑞一
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd
Priority date:
Filing date:
Publication date:
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd, Beijing Topsec Software Co Ltd
Priority to CN202110734540.2A
Publication of CN113411245A
Application granted
Publication of CN113411245B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/08 Configuration management of networks or network elements
    • H04L41/0803 Configuration setting
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
Abstract

The present disclosure relates to a method and an apparatus for configuring an IPSec tunnel network, an electronic device, and a storage medium. The method is applied to an IPSec peer in an IPSec VPN networking; while the networking is in operation, an IPSec peer may be configured as either the local device or the peer device. The method includes: establishing a communication channel between the local device and the security control device and between the peer device and the security control device; submitting first configuration information of the local device in the IPSec tunnel link to the security control device; and, when the local device is allowed to access the target network, controlling the security control device to translate the first configuration information into second configuration information and send the second configuration information to the peer device, so that the local device and the peer device can establish an IPSec tunnel. This reduces the complexity of networking configuration and ensures the security of the IPSec tunnel network configuration.

Description

IPSec tunnel network configuration method, IPSec tunnel network configuration device, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of communications technologies, and in particular, to a method and an apparatus for configuring an IPSec tunnel network, an electronic device, and a storage medium.
Background
As computer and network technologies have developed, the demand of enterprises and individuals for encrypted transmission has grown daily, and many encrypted transmission technologies and products are in use. Deploying, operating and maintaining these encryption technologies is difficult, however, and places high demands on users and on network operation and maintenance (O&M) staff.
In particular, with the launch of software-defined wide area network (SDWAN) products, IPSec (Internet Protocol Security) tunnelling is used on a large scale on the Internet, but deploying network devices that support the IPSec protocol remains difficult. SDWAN products include network products such as a "security management device" (or security manager) that handle the IPSec tunnel configuration of the whole SDWAN network. However, most vendors' products push the configuration top-down when the IPSec tunnels of the SDWAN network are first deployed. This places high demands on the O&M staff of the security control device: they must understand not only how the IPSec protocol itself is configured but also the network deployment structure of the whole topology, and only then can the configuration be performed and delivered to the two peers.
The prior-art methods of configuring an IPSec tunnel are:
(1) configuring each of the two IPSec peer devices separately;
(2) configuring both IPSec peer devices through a security control device, which issues the configuration to them;
(3) configuring an item similar to an "automatic tunnel" on one IPSec peer, and performing access negotiation once the other peer has been configured.
These prior-art configuration modes have the following defects:
(1) the configuration operation is complex: the two IPSec devices are usually not in the same geographical location, so O&M staff must configure them in two separate places;
(2) configuring through a security control device cannot handle dynamic growth of the network: after a new network element is added, manual debugging and issuing on the security control device are still needed;
(3) when one end of a dynamic IPSec setup acts as the server end, the trustworthiness of the other end cannot be evaluated, which is a security risk.
Disclosure of Invention
To solve, or at least partially solve, this technical problem, the present disclosure provides an IPSec tunnel network configuration method, apparatus, electronic device and storage medium that reduce the complexity of networking configuration.
In a first aspect, an embodiment of the present disclosure provides a method for configuring an IPSec tunnel network. The method is applied to an IPSec peer in an IPSec VPN networking; while the networking is in operation, the IPSec peer may be configured as either the local device or the peer device. The method includes:
establishing a communication channel between the local device and the security control device and between the peer device and the security control device;
submitting first configuration information of the local device in the IPSec tunnel link to the security control device;
when the local device is allowed to access a target network, controlling the security control device to translate the first configuration information into second configuration information and send the second configuration information to the peer device;
and establishing an IPSec tunnel between the local device and the peer device.
Optionally, the method further includes:
when the local device is prohibited from accessing the target network, controlling the security control device to send rejection information to the local device.
Optionally, after the communication channels are established, the method further includes:
acquiring the application scenario of the local device, where the application scenario is either a network address translation (NAT) scenario or a non-NAT scenario.
Optionally, when the application scenario is a non-NAT scenario, submitting the first configuration information of the local device in the IPSec tunnel link to the security control device includes:
submitting the local identifier, the local address, the phase-1 and phase-2 negotiation hash algorithms and the encryption algorithm of the local device in the IPSec tunnel link to the security control device.
Optionally, when the application scenario is a NAT scenario, submitting the first configuration information of the local device in the IPSec tunnel link to the security control device includes:
translating the local address of the local device in the IPSec tunnel link into a target address and submitting the target address to the security control device.
Optionally, before the communication channels between the local device, the peer device and the security control device are established, the method includes:
acquiring a matching policy in the IPSec VPN networking, where the matching policy is either bidirectional matching or non-bidirectional matching.
Optionally, before controlling the security control device to translate the first configuration information into the second configuration information and send it to the peer device when the local device is allowed to access the target network, the method further includes:
judging, according to matching conditions, whether the local device is allowed to access the target network, where the matching conditions include the network information accessed by the local device and the network information accessed by the peer device.
In a second aspect, an embodiment of the present disclosure further provides an IPSec tunnel network configuration apparatus, including:
a communication channel establishing module, configured to establish communication channels between the local device, the peer device and the security control device;
a first information submitting module, configured to submit first configuration information of the local device in an IPSec tunnel link to the security control device;
a second information sending module, configured to control the security control device to translate the first configuration information into second configuration information and send the second configuration information to the peer device when the local device is allowed to access the target network;
and an IPSec tunnel establishing module, configured to establish an IPSec tunnel between the local device and the peer device.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the IPSec tunnel network configuration method of any of the first aspects.
In a fourth aspect, an embodiment of the present disclosure further provides a computer-readable storage medium on which a computer program is stored, which, when executed by a processor, implements the IPSec tunnel network configuration method according to any one of the first aspects.
Compared with the prior art, the technical solution provided by the embodiments of the present disclosure has the following advantages:
According to the IPSec tunnel network configuration method, apparatus, electronic device and storage medium, when it is determined that the peer device is allowed to access the target network, the security control device is controlled to translate the first configuration information into second configuration information and send it to the peer device, so that the target tunnel message of the local device reaches the peer device and the IPSec tunnel network configuration between the local device and the peer device is achieved. Because the security control device translates the local device's first configuration information into the peer device's second configuration information and sends the translated information to the peer device, the IPSec configuration of the peer device in the IPSec tunnel link is completed without O&M staff configuring the peer device, which reduces the complexity of networking configuration. In addition, the security control device sends the second configuration information to the peer device only when both the local device and the peer device are determined to have access to the target network, so the IPSec tunnel subsequently established between them is securely configured.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure.
In order to more clearly illustrate the embodiments or technical solutions in the prior art of the present disclosure, the drawings used in the description of the embodiments or prior art will be briefly described below, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without inventive exercise.
Fig. 1 is a schematic flowchart of a method for configuring an IPSec tunnel network according to an embodiment of the present disclosure;
fig. 2 is an exemplary diagram of a method for configuring an IPSec tunnel network according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another IPSec tunnel network configuration method according to an embodiment of the present disclosure;
fig. 4 is an exemplary diagram of another IPSec tunnel network configuration method provided in an embodiment of the present disclosure;
fig. 5 is a flowchart illustrating a further IPSec tunnel network configuration method according to an embodiment of the present disclosure;
fig. 6 is a flowchart illustrating a further IPSec tunnel network configuration method according to an embodiment of the present disclosure;
fig. 7 is a schematic diagram of an IPSec tunnel network configuration apparatus according to an embodiment of the present disclosure;
fig. 8 is a schematic structural diagram of an electronic device provided in an embodiment of the present disclosure.
Detailed Description
In order that the above objects, features and advantages of the present disclosure may be more clearly understood, aspects of the present disclosure will be further described below. It should be noted that the embodiments and features of the embodiments of the present disclosure may be combined with each other without conflict.
In the following description, numerous specific details are set forth in order to provide a thorough understanding of the present disclosure, but the present disclosure may be practiced otherwise than as described herein; it is to be understood that the embodiments disclosed in the specification are only a few embodiments of the present disclosure, and not all embodiments.
Fig. 1 is a schematic flowchart of a method for configuring an IPSec tunnel network according to an embodiment of the present disclosure. The embodiment applies where IPSec tunnel network configuration is performed between IPSec peers in an IPSec VPN networking. The method of this embodiment may be performed by an IPSec tunnel network configuration apparatus, which may be implemented in hardware and/or as an application program and may be deployed in an electronic device; it can implement the IPSec tunnel network configuration method described in any embodiment of the present application.
In the prior art, when two IPSec devices are not in the same geographic location, O&M staff must configure the IPSec devices in two places, so the configuration operation is complex; and when one end of a dynamic IPSec setup acts as the server end, the trustworthiness of the other end cannot be evaluated, which is a security risk.
As shown in fig. 1, the method specifically includes the following steps:
S110, establishing a communication channel between the local device and the security control device and between the peer device and the security control device.
For example, referring to fig. 2, a communication channel between the local device and the security control device and a communication channel between the peer device and the security control device are established, where the local device and the peer device are IPSec peers in an IPSec VPN networking. Specifically, normal communication between the two IPSec peer network elements and the security control device can be achieved by registering the serial number of the local device and the serial number of the peer device on the security control device.
S120, submitting the first configuration information of the local device in the IPSec tunnel link to the security control device.
When the IPSec peers in the IPSec VPN networking, that is, the local device and the peer device, are not in the same geographic location, O&M staff are generally required to configure each device at its own location in order to enable communication between them, and the configuration operation is complex. To reduce the complexity of networking configuration, after O&M staff have performed the IPSec configuration on the local device at the local device's location, the first configuration information of the local device in the IPSec tunnel link is submitted to the security control device.
S130, when the local device is allowed to access the target network, controlling the security control device to translate the first configuration information into second configuration information and send the second configuration information to the peer device.
After receiving the first configuration information of the local device in the IPSec tunnel link, the security control device judges, according to its matching conditions, whether the local device is allowed to access the target network; the matching conditions include the network information accessed by the local device and the network information accessed by the peer device. For example, when the local device is connected to an intranet and the peer device to an extranet, the security control device decides from these two pieces of network information whether the peer device is allowed to access the target network. Beyond this decision, the security control device performs operations including, but not limited to, release (i.e. releasing the translated second configuration information), rejection, triggering an alarm, triggering an approval, and limiting access concurrency.
S140, establishing an IPSec tunnel between the local device and the peer device.
After the security control device has translated the first configuration information into second configuration information and sent it to the peer device, an IPSec tunnel is established between the local device and the interface corresponding to the default link of the peer device, so that the IPSec tunnel network configuration between the local device and the peer device is achieved.
According to the IPSec tunnel network configuration method of this embodiment, the first configuration information of the local device in the IPSec tunnel link is submitted to the security control device, and when the local device is determined to be allowed to access the target network, the security control device is controlled to translate the first configuration information into second configuration information and send it to the peer device, so that the target tunnel message of the local device reaches the peer device and the IPSec tunnel network configuration between the two devices is achieved. Because the security control device translates the local device's first configuration information into the peer device's second configuration information and sends the translated information to the peer device, the IPSec configuration of the peer device in the IPSec tunnel link is completed without O&M staff configuring the peer device, which reduces the complexity of networking configuration. In addition, the security control device sends the second configuration information to the peer device only when both the local device and the peer device are determined to have access to the target network, so the IPSec tunnel subsequently established between them is securely configured.
Fig. 2 is a schematic flowchart of another IPSec tunnel network configuration method provided in an embodiment of the present disclosure. This embodiment builds on the previous one and further includes:
S131, when the local device is prohibited from accessing the target network, controlling the security control device to send rejection information to the local device.
Specifically, when the local device matches an entry in the security control device's matching policy that prohibits access, the security control device is controlled to send rejection information to the local device, and the IPSec tunnel between the local device and the peer device cannot be established.
According to the IPSec tunnel network configuration method of this embodiment, when the local device is determined to be prohibited from accessing the target network, the security control device is controlled to send rejection information to the local device, so the local device is informed that no matching peer device was found with which to establish an IPSec tunnel. This avoids the local device sending a target tunnel message to a peer device that never receives it, and improves the security of the IPSec tunnel network configuration.
Fig. 3 is a schematic flowchart of another IPSec tunnel network configuration method provided in an embodiment of the present disclosure. This embodiment builds on the previous one; after S110, the method further includes:
S111, acquiring the application scenario of the local device, where the application scenario is either a network address translation (NAT) scenario or a non-NAT scenario.
Optionally, when the application scenario of the local device is a non-NAT scenario, submitting the first configuration information of the local device in the IPSec tunnel link to the security control device includes:
submitting the local identifier, the local address, the phase-1 and phase-2 negotiation hash algorithms and the encryption algorithm of the local device in the IPSec tunnel link to the security control device.
For example, in a non-NAT scenario, when the local device of an IPSec peer pair in the IPSec VPN networking configures an IPSec tunnel, the IPSec tunnel configuration has a certain symmetry. As in step S120 in fig. 2, after the local device has configured the first configuration information in the IPSec tunnel link, and given that the local device and the security control device already have a communication channel from step S110, the local device submits the first configuration information to the security control device. Based on its configured control policy, the security control device can judge whether the local device is allowed to access the target network and whether the subnets protected by the two IPSec peers are allowed to access each other's network; if the information is released, the security control device is controlled to translate the first configuration information into second configuration information, forming the peer configuration according to the symmetry principle, and send it to the peer device.
Optionally, when the application scenario of the local device is a NAT scenario, submitting the first configuration information of the local device in the IPSec tunnel link to the security control device includes:
translating the local address of the local device in the IPSec tunnel link into a target address and submitting the target address to the security control device.
For example, in a NAT scenario, after the local device of an IPSec peer pair in the IPSec VPN networking configures an IPSec tunnel, the target address obtained by translating the local address of the local device must be submitted. In addition, after the security control device receives the IPSec tunnel configuration submitted by the local device, it evaluates the trustworthiness of the configuration and translates it into the corresponding configuration of the peer device for issuing.
The IPSec tunnel network configuration method of this embodiment thus submits different first configuration information to the security control device for the NAT and non-NAT scenarios: in a non-NAT scenario the first configuration information includes the local identifier, the local address and related information, while in a NAT scenario it is the target address obtained by translating the local address. This improves the scenario applicability of the IPSec tunnel network configuration method.
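The flow of S110 to S140, the rejection path of S131 and the NAT and non-NAT submission scenarios of S111 can be modelled as a small controller. The following Python is an added illustration, not code from the patent or from Topsec: the class and field names, the serial numbers and addresses, and the intranet/extranet matching condition are all assumptions made for this example. It shows the symmetry principle (the peer's second configuration is the mirror image of the local first configuration), the substitution of the post-NAT target address for the private local address, and a rejection when the matching conditions are not met.

```python
"""Added illustration of the security control device side of S110-S140.
Not the patent's code; every name, field and sample value is an assumption."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class FirstConfig:
    """First configuration information submitted by the local device (S120).
    In the NAT scenario (S111) nat_target_address carries the post-NAT address,
    which is submitted in place of the private local_address."""
    local_id: str
    local_address: str
    local_subnet: str            # subnet protected behind the local device
    peer_id: str
    peer_subnet: str             # subnet the local device wants to reach
    phase1_hash: str
    phase2_hash: str
    encryption: str
    nat_target_address: Optional[str] = None

    def submitted_address(self) -> str:
        return self.nat_target_address or self.local_address


@dataclass(frozen=True)
class SecondConfig:
    """Second configuration information: the symmetric mirror of FirstConfig,
    written from the peer device's point of view (S130)."""
    local_id: str
    remote_id: str
    remote_address: str
    local_subnet: str
    remote_subnet: str
    phase1_hash: str
    phase2_hash: str
    encryption: str


@dataclass
class Decision:
    action: str                          # "release" or "reject"
    message: str
    second_config: Optional[SecondConfig] = None


class SecurityControlDevice:
    """Toy security management and control device (assumed model)."""

    def __init__(self, matching_conditions: Set[Tuple[str, str]]):
        # (network kind of local device, network kind of peer device) pairs
        # that may be connected, e.g. {("intranet", "extranet")}
        self.matching_conditions = set(matching_conditions)
        self.registered: Dict[str, Tuple[str, str]] = {}  # id -> (serial, kind)

    def register(self, serial: str, device_id: str, network_kind: str) -> None:
        """S110: registering a device's serial number opens its channel."""
        self.registered[device_id] = (serial, network_kind)

    def submit(self, cfg: FirstConfig) -> Decision:
        """S120-S131: release the translated configuration to the peer,
        or send rejection information back to the local device."""
        if cfg.local_id not in self.registered or cfg.peer_id not in self.registered:
            return Decision("reject", "no communication channel for one of the peers")
        local_kind = self.registered[cfg.local_id][1]
        peer_kind = self.registered[cfg.peer_id][1]
        if (local_kind, peer_kind) not in self.matching_conditions:
            return Decision("reject", f"{cfg.local_id} may not access the target network")
        # Translation by symmetry: local and peer swap roles, algorithms are kept.
        second = SecondConfig(
            local_id=cfg.peer_id,
            remote_id=cfg.local_id,
            remote_address=cfg.submitted_address(),
            local_subnet=cfg.peer_subnet,
            remote_subnet=cfg.local_subnet,
            phase1_hash=cfg.phase1_hash,
            phase2_hash=cfg.phase2_hash,
            encryption=cfg.encryption,
        )
        return Decision("release", "second configuration sent to peer", second)


def tunnel_established(decision: Decision) -> bool:
    """S140: the tunnel can only be set up after a release decision."""
    return decision.action == "release" and decision.second_config is not None


def demo() -> Tuple[Decision, Decision, Decision]:
    """Constructed sample run: non-NAT release, NAT release, and a rejection."""
    ctrl = SecurityControlDevice({("intranet", "extranet")})
    ctrl.register("SN-0001", "hq-gw", "intranet")
    ctrl.register("SN-0002", "branch-gw", "extranet")
    base = FirstConfig("hq-gw", "203.0.113.10", "10.1.0.0/24", "branch-gw",
                       "10.2.0.0/24", "sha256", "sha256", "aes256")
    non_nat = ctrl.submit(base)
    nat = ctrl.submit(replace(base, local_address="192.168.1.2",
                              nat_target_address="203.0.113.10"))
    # Reverse direction: (extranet, intranet) is not an allowed pair here.
    reverse = ctrl.submit(FirstConfig("branch-gw", "198.51.100.7", "10.2.0.0/24",
                                      "hq-gw", "10.1.0.0/24", "sha256", "sha256", "aes256"))
    return non_nat, nat, reverse


if __name__ == "__main__":
    for d in demo():
        print(d.action, d.message, d.second_config)
```

The NAT case keeps the private `local_address` in the local device's own record but submits only the translated target address, so the peer's `remote_address` is the address it can actually reach; the rejected submission yields no second configuration, which is what keeps S140 from running.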
Fig. 4 is a schematic flowchart of another IPSec tunnel network configuration method provided in an embodiment of the present disclosure, where the present embodiment is based on the foregoing embodiment, before S110, further includes:
s101, obtaining a matching strategy in IPSec VPN networking, wherein the matching strategy comprises bidirectional matching and non-bidirectional matching.
Specifically, a matching policy in the IPSec VPN networking is obtained, for example, when the obtained matching policy in the IPSec VPN networking is two-way matching, then the first configuration information in the IPSec tunnel link submitted by the network element in the IPSec VPN networking can match with the entire networking, so that the local device can apply for establishing the IPSec tunnel in the direction of the opposite device or the opposite device applies for establishing the IPSec tunnel in the local device, and at this time, the network element may be the local device or the opposite device.
And when the obtained matching rule in the IPSec VPN networking is non-bidirectional matching, defaulting the matching rule in the IPSec VPN networking to apply for establishing an IPSec tunnel from the local terminal equipment to the opposite terminal equipment, and applying for establishing the IPSec tunnel from the opposite terminal equipment to the local terminal equipment, wherein the IPSec tunnel cannot be matched.
According to the IPSec tunnel network configuration method provided by the embodiment of the disclosure, before a communication channel between the local terminal device and the security control device and a communication channel between the opposite terminal device and the security control device are established, a matching strategy in an IPSec VPN networking is obtained, and according to the obtained matching strategy in the IPSec VPN networking, the state of establishing an IPSec tunnel between the local terminal device and the opposite terminal device is achieved, namely, one-way establishment or two-way establishment is achieved.
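The difference between bidirectional and non-bidirectional matching in S101 comes down to which direction of tunnel application the networking's matching policy will match. The following Python is an added illustration, not code from the patent or from Topsec; the policy representation (a set of configured local-to-peer pairs plus a strategy flag), the class names and the sample device identifiers are assumptions. It evaluates the same two applications, one in each direction, under both strategies.

```python
"""Added illustration of the S101 matching strategy. Not the patent's code;
the policy model, class names and sample identifiers are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, Set, Tuple


class MatchingStrategy(Enum):
    BIDIRECTIONAL = "bidirectional"
    NON_BIDIRECTIONAL = "non-bidirectional"


@dataclass(frozen=True)
class TunnelApplication:
    """A network element applying to establish an IPSec tunnel towards a target."""
    applicant: str
    target: str


class MatchingPolicy:
    """Matching policy of the IPSec VPN networking: the configured
    (local device, peer device) pairs plus the strategy acquired in S101."""

    def __init__(self, strategy: MatchingStrategy, pairs: Iterable[Tuple[str, str]]):
        self.strategy = strategy
        # Pairs are stored in the default direction: local device -> peer device.
        self.pairs: Set[Tuple[str, str]] = set(pairs)

    def matches(self, app: TunnelApplication) -> bool:
        forward = (app.applicant, app.target) in self.pairs
        if self.strategy is MatchingStrategy.BIDIRECTIONAL:
            # Either side may apply, so the applicant may be the local or the peer device.
            return forward or (app.target, app.applicant) in self.pairs
        # Non-bidirectional: only the default local -> peer direction matches;
        # an application from the peer device towards the local device is unmatched.
        return forward

    def evaluate(self, apps: Iterable[TunnelApplication]) -> Dict[TunnelApplication, bool]:
        """Match a batch of applications against the policy."""
        return {app: self.matches(app) for app in apps}


def demo_matching() -> Tuple[Dict[TunnelApplication, bool], Dict[TunnelApplication, bool]]:
    """Constructed sample: the same two applications under both strategies."""
    pairs = [("hq-gw", "branch-gw")]                # assumed configured pair
    apps = [TunnelApplication("hq-gw", "branch-gw"),   # local -> peer
            TunnelApplication("branch-gw", "hq-gw")]   # peer -> local
    two_way = MatchingPolicy(MatchingStrategy.BIDIRECTIONAL, pairs).evaluate(apps)
    one_way = MatchingPolicy(MatchingStrategy.NON_BIDIRECTIONAL, pairs).evaluate(apps)
    return two_way, one_way


if __name__ == "__main__":
    for label, result in zip(("bidirectional", "non-bidirectional"), demo_matching()):
        print(label, {f"{a.applicant}->{a.target}": ok for a, ok in result.items()})
```

Under the bidirectional strategy both applications match; under the non-bidirectional strategy only the local-to-peer application matches, and the unmatched reverse application is exactly the case in which the security control device would return rejection information rather than a translated configuration.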
Optionally, before the security control device is controlled to translate the first configuration information into the second configuration information and send it to the peer device (when the local device is allowed to access the target network), the method further includes:
determining, according to matching conditions, whether the local device is allowed to access the target network, where the matching conditions include the network information accessed by the local device and the network information accessed by the peer device.
Specifically, the security control device uses the matching conditions to decide whether access to the target network is allowed; the matching conditions include the network information accessed by the local device and the network information accessed by the peer device. Depending on the result, the security control device performs operations including but not limited to release (i.e. forwarding the second configuration information produced by translation), rejection, triggering an alarm, triggering an approval workflow, and enforcing an access concurrency limit.
Fig. 5 is a schematic structural diagram of an IPSec tunnel network configuration apparatus according to an embodiment of the present disclosure, and as shown in fig. 5, the IPSec tunnel network configuration apparatus includes:
a communication channel establishing module 510, configured to establish communication channels between the local device and the security control device and between the peer device and the security control device;
a first information submitting module 520, configured to submit first configuration information of the local device in the IPSec tunnel link to the security control device;
a second information sending module 530, configured to control the security control device to translate the first configuration information into second configuration information and send the second configuration information to the peer device when the local device is allowed to access the target network;
an IPSec tunnel establishing module 540, configured to establish an IPSec tunnel between the local device and the peer device.
In the IPSec tunnel network configuration apparatus of this embodiment, the first information submitting module submits the first configuration information of the local device in the IPSec tunnel link to the security control device; when the local device is determined to be allowed to access the target network, the second information sending module controls the security control device to translate the first configuration information into the second configuration information and send it to the peer device; and the IPSec tunnel establishing module establishes the IPSec tunnel between the local device and the peer device. Because the security control device translates the local device's first configuration information into the peer device's second configuration information and sends the translated information to the peer device, the IPSec configuration of the peer device in the IPSec tunnel link is produced automatically: operations and maintenance personnel no longer configure IPSec on the peer device by hand, and the configuration complexity of the networking is reduced. In addition, the security control device is controlled to send the second configuration information to the peer device only when both the local device and the peer device are determined to access the target network, which keeps the IPSec tunnel network configuration secure.
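The decision and translation step described above for Fig. 4 and Fig. 5 (matching policy, matching conditions, and the release/reject/alarm/concurrency-limit actions of the security control device), together with the NAT and non-NAT submission of the first configuration information in claim 1, can be made concrete in code. The following Python model is an added example and is not code from the patent or its assignee; the field names, the algorithm allow-list, the reading of the non-bidirectional default, the concurrency limit and all addresses used are assumptions chosen to illustrate the flow.

```python
"""Model of the security control device's decision and translation step.

Added example; not code from the patent or its assignee. Field names, the
algorithm allow-list, the non-bidirectional default, the concurrency limit
and every address below are assumptions made to illustrate the flow.
"""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional, Tuple

BIDIRECTIONAL = "bidirectional"
NON_BIDIRECTIONAL = "non-bidirectional"

# Assumed allow-lists for the phase-1/phase-2 proposals; the patent names none.
ALLOWED_HASH = {"sha256", "sha384", "sha512"}
ALLOWED_ENC = {"aes128", "aes192", "aes256"}


@dataclass(frozen=True)
class FirstConfig:
    """First configuration information submitted by the local device (assumed layout)."""
    local_id: str                   # local identity
    local_addr: str                 # local address in the IPSec tunnel link
    p1_hash: str                    # phase-1 (IKE) negotiation hash algorithm
    p1_enc: str                     # phase-1 encryption algorithm
    p2_hash: str                    # phase-2 (IPSec SA) hash algorithm
    p2_enc: str                     # phase-2 encryption algorithm
    local_net: str                  # network the local device accesses (matching-condition input)
    nat_scene: bool = False         # application scene: NAT (True) or non-NAT (False)
    nat_addr: Optional[str] = None  # target address after translation in the NAT scene


@dataclass(frozen=True)
class SecondConfig:
    """Configuration sent to the peer device: the same tunnel seen from the peer's side."""
    local_id: str
    local_addr: str
    remote_id: str
    remote_addr: str
    p1_hash: str
    p1_enc: str
    p2_hash: str
    p2_enc: str


def submitted_address(cfg: FirstConfig) -> str:
    """Claim 1: in the NAT scene the local address is converted to the target
    (post-NAT) address before it is submitted to the security control device."""
    if cfg.nat_scene:
        if not cfg.nat_addr:
            raise ValueError("NAT scene requires the translated target address")
        return cfg.nat_addr
    return cfg.local_addr


def direction_allowed(policy: str, initiator: str) -> bool:
    """Matching policy: bidirectional lets either end apply to establish the tunnel;
    non-bidirectional lets only the local device apply towards the peer (the default)."""
    if policy == BIDIRECTIONAL:
        return initiator in ("local", "peer")
    return initiator == "local"


def networks_match(local_net: str, peer_net: str, target_net: str) -> bool:
    """Matching condition: the networks accessed by both endpoints must lie inside the target network."""
    target = ip_network(target_net)
    return all(ip_network(n).subnet_of(target) for n in (local_net, peer_net))


def proposals_acceptable(cfg: FirstConfig) -> bool:
    """Assumed policy: do not push weak phase-1/phase-2 proposals to the peer."""
    return (cfg.p1_hash in ALLOWED_HASH and cfg.p2_hash in ALLOWED_HASH
            and cfg.p1_enc in ALLOWED_ENC and cfg.p2_enc in ALLOWED_ENC)


def translate(cfg: FirstConfig, peer_id: str, peer_addr: str) -> SecondConfig:
    """Translate first into second configuration by swapping the local/remote roles;
    the peer must reach the local device at the address that was submitted (post-NAT if any)."""
    return SecondConfig(
        local_id=peer_id, local_addr=peer_addr,
        remote_id=cfg.local_id, remote_addr=submitted_address(cfg),
        p1_hash=cfg.p1_hash, p1_enc=cfg.p1_enc,
        p2_hash=cfg.p2_hash, p2_enc=cfg.p2_enc,
    )


def control(cfg: FirstConfig, peer_id: str, peer_addr: str, peer_net: str,
            target_net: str, policy: str, initiator: str,
            active_tunnels: int, max_tunnels: int = 8) -> Tuple[str, Optional[SecondConfig]]:
    """Security control device decision: returns (action, second configuration or None).
    Actions follow the page's list: release, reject, alarm, concurrency limit."""
    if not direction_allowed(policy, initiator):
        return "reject", None
    if not networks_match(cfg.local_net, peer_net, target_net):
        return "reject", None
    if not proposals_acceptable(cfg):
        return "alarm", None
    if active_tunnels >= max_tunnels:
        return "limit", None
    return "release", translate(cfg, peer_id, peer_addr)
```

With a constructed site-a behind NAT (`nat_addr="203.0.113.5"`, accessing 10.1.0.0/24) and a peer site-b accessing 10.2.0.0/24 under a target network of 10.0.0.0/8, `control(...)` returns `"release"` and a second configuration whose `remote_addr` is the post-NAT address, so the peer is told the address it can actually reach. The same request with the peer as initiator under the non-bidirectional policy is rejected, and a proposal using md5 or 3des raises an alarm instead of being pushed: the peer only ever receives configuration that has already passed the control device's checks.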
Fig. 6 is a schematic structural diagram of an electronic device provided in an embodiment of the present disclosure. As shown in fig. 6, the electronic device includes a processor 610, a memory 620, an input device 630, and an output device 640; the number of the processors 610 in the electronic device may be one or more, and one processor 610 is taken as an example in fig. 6; the processor 610, the memory 620, the input device 630, and the output device 640 in the electronic apparatus may be connected by a bus or other means, and fig. 6 illustrates an example of connection by a bus.
The memory 620 serves as a computer-readable storage medium for storing application programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the IPSec tunnel network configuration method in the embodiment of the present invention. The processor 610 executes various functional applications and data processing of the electronic device by running the application program, instructions and modules stored in the memory 620, that is, implements the IPSec tunnel network configuration method provided by the embodiment of the present invention.
The memory 620 may mainly include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the terminal, and the like. Further, the memory 620 may include high speed random access memory, and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the memory 620 may further include memory located remotely from the processor 610, which may be connected to a computer device through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The input device 630 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the electronic device, and may include a keyboard, a mouse, and the like. The output device 640 may include a display device such as a display screen.
The embodiment of the disclosure also provides a storage medium containing computer executable instructions, and the computer executable instructions are used for realizing the IPSec tunnel network configuration method provided by the embodiment of the invention when being executed by a computer processor.
Of course, the storage medium provided by the embodiment of the present invention contains computer-executable instructions, and the computer-executable instructions are not limited to the operations of the method described above, and may also perform related operations in the IPSec tunnel network configuration method provided by any embodiment of the present invention.
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by the application programs and the necessary general hardware, and certainly, the present invention can also be implemented by hardware, but the former is a better embodiment in many cases. With this understanding, the technical solutions of the present invention may be embodied in the form of a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk, an optical disk, or the like of a computer, which includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It should be noted that, in the embodiment of the IPSec tunnel network configuration apparatus, each included unit and module are only divided according to functional logic, but are not limited to the above division as long as the corresponding function can be implemented; in addition, specific names of the functional units are only for convenience of distinguishing from each other, and are not used for limiting the protection scope of the present invention.
It is noted that, in this document, relational terms such as "first" and "second," and the like, may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.
The foregoing are merely exemplary embodiments of the present disclosure, which enable those skilled in the art to understand or practice the present disclosure. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (7)

1. An IPSec tunnel network configuration method, applied to an IPSec peer in an IPSec VPN networking, wherein, when the IPSec VPN networking is in operation, the IPSec peer can be configured as a local device or as a peer device, the method comprising:
establishing communication channels between the local device and the security control device and between the peer device and the security control device;
submitting first configuration information of the local device in an IPSec tunnel link to the security control device;
when the local device is allowed to access a target network, controlling the security control device to translate the first configuration information into second configuration information and to send the second configuration information to the peer device;
establishing an IPSec tunnel between the local device and the peer device;
wherein, before submitting the first configuration information of the local device in the IPSec tunnel link to the security control device, the method further comprises:
acquiring an application scene of the local device, the application scene being either a network address translation (NAT) scene or a non-NAT scene;
and wherein submitting the first configuration information of the local device in the IPSec tunnel link to the security control device comprises:
when the application scene is a non-NAT scene, submitting the local identity, the local address, and the phase-1 and phase-2 negotiation hash algorithms and encryption algorithms of the local device in the IPSec tunnel link to the security control device;
and when the application scene is a NAT scene, converting the local address of the local device in the IPSec tunnel link into a target address and submitting the target address to the security control device.
2. The method of claim 1, further comprising:
when the local device is forbidden from accessing the target network, controlling the security control device to send rejection information to the local device.
3. The method of claim 1, wherein, before establishing the communication channels between the local device and the security control device and between the peer device and the security control device, the method comprises:
acquiring a matching policy in the IPSec VPN networking, the matching policy being either bidirectional matching or non-bidirectional matching.
4. The method of claim 1, wherein, before controlling the security control device to translate the first configuration information into the second configuration information and send the second configuration information to the peer device when the local device is allowed to access the target network, the method further comprises:
determining, according to matching conditions, whether the local device is allowed to access the target network, the matching conditions including network information accessed by the local device and network information accessed by the peer device.
5. An IPSec tunnel network configuration apparatus, comprising:
a communication channel establishing module, configured to establish communication channels between the local device and the security control device and between the peer device and the security control device;
a first information submitting module, configured to submit first configuration information of the local device in an IPSec tunnel link to the security control device;
a second information sending module, configured to control the security control device to translate the first configuration information into second configuration information and send the second configuration information to the peer device when the local device is allowed to access the target network;
an IPSec tunnel establishing module, configured to establish an IPSec tunnel between the local device and the peer device;
and further comprising:
an application scene acquiring module, configured to acquire an application scene of the local device, the application scene being either a network address translation (NAT) scene or a non-NAT scene;
wherein the first information submitting module is configured to:
when the application scene is a non-NAT scene, submit the local identity, the local address, and the phase-1 and phase-2 negotiation hash algorithms and encryption algorithms of the local device in the IPSec tunnel link to the security control device;
and when the application scene is a NAT scene, convert the local address of the local device in the IPSec tunnel link into a target address and submit the target address to the security control device.
6. An electronic device, comprising:
one or more processors;
a storage device storing one or more programs which,
when executed by the one or more processors, cause the one or more processors to implement the IPSec tunnel network configuration method of any one of claims 1 to 4.
7. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, implementing the IPSec tunnel network configuration method of any one of claims 1 to 4.
CN202110734540.2A 2021-06-30 2021-06-30 IPSec tunnel network configuration method, IPSec tunnel network configuration device, electronic equipment and storage medium Active CN113411245B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110734540.2A CN113411245B (en) 2021-06-30 2021-06-30 IPSec tunnel network configuration method, IPSec tunnel network configuration device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113411245A CN113411245A (en) 2021-09-17
CN113411245B true CN113411245B (en) 2022-08-12

Family

ID=77680406

Country Status (1)

Country Link
CN (1) CN113411245B (en)

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109905310A (en) * 2019-03-26 2019-06-18 杭州迪普科技股份有限公司 Data transmission method, device, electronic equipment
CN112217655A (en) * 2019-07-11 2021-01-12 奇安信科技集团股份有限公司 Network equipment configuration method and device in SD-WAN system and computer equipment

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9065802B2 (en) * 2012-05-01 2015-06-23 Fortinet, Inc. Policy-based configuration of internet protocol security for a virtual private network
US10506082B2 (en) * 2017-03-09 2019-12-10 Fortinet, Inc. High availability (HA) internet protocol security (IPSEC) virtual private network (VPN) client
CN110290093A (en) * 2018-03-19 2019-09-27 杭州达乎科技有限公司 The SD-WAN network architecture and network-building method, message forwarding method
CN112019418B (en) * 2019-05-31 2022-04-19 中国电信股份有限公司 Method and device for establishing IPSec tunnel based on brutal mode
CN112583690B (en) * 2019-09-27 2022-08-19 华为技术有限公司 Tunnel configuration method, device, system, equipment and storage medium
US11546302B2 (en) * 2019-12-17 2023-01-03 Fortinet, Inc. Automatic establishment of network tunnels by an SDWAN controller based on group and role assignments of network devices
CN111988323B (en) * 2020-08-24 2022-09-23 北京天融信网络安全技术有限公司 IPSec tunnel establishment method, IPSec tunnel establishment device, network system and electronic equipment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research and Design of an IPSec-based VPN in a Campus Network (基于IPSec的VPN在校园网中的研究与设计); Liang Zehai (梁泽海); Information & Computer (Theoretical Edition) (《信息与电脑(理论版)》); 2018-02-25 (No. 04); see full text *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant