CN1150718C - Method for ensuring IP security on virtual tunnel interface of VPN - Google Patents
- Publication number
- CN1150718C
- Authority
- CN
- China
- Prior art keywords
- ipsec
- virtual
- vpn
- tunnel
- private network
- Prior art date
- Legal status
- Expired - Fee Related
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The present invention relates to a method for ensuring Internet Protocol security on the virtual tunnel interface of a virtual private network. The IPSec security method that is conventionally applied on a real physical interface is transplanted to the virtual tunnel interface of the virtual private network (VPN), so that every packet accessing the private network obtains IPSec protection regardless of which protocol it belongs to, and communication security is ensured. The method comprises the following steps: 1. setting at least one access control list (ACL); 2. defining how the IPSec security method uses the ACL set in step 1; 3. setting up the virtual tunnel interface; 4. applying the IPSec security method generated in step 2 to the virtual tunnel interface.
Description
Technical field
The present invention relates to a method for ensuring the secure transmission of Internet Protocol (IP) packets, and more precisely to a method for ensuring Internet Protocol security on the tunnel virtual interface of a virtual private network. It belongs to the technical field of securing communications in the transmission of digital information.
Background technology
Internet Protocol Security (IPSec) is the IETF standard for the secure transmission of packets at the IP layer. Among its IP packet encapsulation modes, IPSec offers tunnel-mode encapsulation, and this property can be used to realise a virtual private network (VPN). When the IPSec security measures are configured in combination with an access control list (ACL), different data flows can be given different security treatment. At present, the conventional technique applies the configured security measures to a real physical interface, where they perform data encryption (decryption), authentication, anti-replay and the other communication-security functions on the IP packets entering and leaving that physical interface. If the IPSec security methods can only be applied on a real physical interface, they can only protect the IP packets passing through that physical interface; on the tunnel virtual interface of a VPN, the IPSec security methods described above still cannot be used. If the IPSec security measures could also be used on the tunnel virtual interface of a VPN, they would provide protection for the IP packets entering and leaving that VPN tunnel virtual interface as well, which would undoubtedly be welcomed by the many users of VPNs.
For example, referring to Fig. 1, a user A in a private network B with a private IP address accesses a server D in another private network C, and the two private networks B and C are connected through the Internet (this is a typical VPN application). Private network B is connected to the Internet through a router R1. The physical interface of router R1 that connects directly to the Internet is usually configured with an IPSec security method. This security method specifies that every IP packet entering or leaving the physical interface whose transport protocol is the Transmission Control Protocol (TCP) shall use the IPSec tunnel encryption function, but it is not intended to let IP packets of other protocols (for example the User Datagram Protocol UDP and Generic Routing Encapsulation GRE) use IPSec encryption as well. However, so that IP packets of all the different application-layer protocols can be carried over the VPN, a VPN tunnel virtual interface is created on router R1; this virtual interface encapsulates the Generic Routing Encapsulation (GRE) protocol, its specified tunnel far-end address is the public Internet address of the router R2 that connects private network C to the Internet, and the routing module determines that all IP packets destined for private network C first pass through this VPN tunnel virtual interface. The "router configuration examples" part of the "Quidway series router user's manual, configuration guide volume V1.3" (data version T1-080139-20010615-C-1.3) published by the applicant, page 11-37, describes in detail how to combine the access control list (ACL) with tunnel-mode encapsulation so that different data flows receive different security treatment, namely by the following two steps: first, set at least one ACL; then define how the IPSec security method uses the ACL set in the preceding step. The first and second steps correspond respectively to commands 1-2 and commands 3-17 of the configuration example in the above document (the complete command listing of the router A configuration example is a very concrete program, so it is not repeated here; see the reference). In this way user A will usually believe that all TCP packets traversing the Internet are protected by IPSec encryption, but in fact, in the present situation, the TCP packets accessing private network C are not protected by IPSec when they are transmitted over the Internet.
Summary of the invention
The purpose of the invention is to provide a method for ensuring Internet Protocol security on the tunnel virtual interface of a virtual private network, that is, to make the IPSec security method that has generally been used on real physical interfaces available on the tunnel virtual interface of a VPN, so that all packets accessing the private network, regardless of which protocol they belong to, obtain IPSec protection and communication is secured.
The object of the invention is achieved as follows: a method for ensuring Internet Protocol security on the tunnel virtual interface of a virtual private network, in which the IPSec security method used on a real physical interface is transplanted to the tunnel virtual interface of the virtual private network (VPN), comprising the following steps:
(1) setting at least one access control list (ACL);
(2) defining how the IPSec security method uses the ACL set in step (1);
characterised in that the method further comprises the following steps:
(3) setting up the tunnel virtual interface;
(4) applying the IPSec security method generated in step (2) on the tunnel virtual interface.
The feature of the invention is that the IPSec security method used on a physical interface is transplanted to the tunnel virtual interface of the VPN, so that all the benefits obtained by applying the IPSec security method on a physical interface, for example data encryption, packet authentication and anti-replay, are obtained equally when it is used on the VPN tunnel virtual interface. Thus, with the invention, the TCP packets that user A in Fig. 1 sends across the Internet also obtain IPSec protection.
Description of drawings
Fig. 1 is a schematic diagram of the system of the first embodiment of the method of the invention, in which user A accesses server D through a VPN.
Fig. 2 is a schematic diagram of the system of the second embodiment of the method of the invention, in which mobile subscribers in a GPRS/WCDMA network access enterprise networks through the Internet in non-transparent mode.
Embodiment
The steps, features and effects of the method of the invention are described in detail below with reference to the drawings:
Refer to the typical VPN application example shown in Fig. 1: a user A in a private network B with a private IP address accesses a server D in another private network C, and the two private networks B and C are connected through the Internet. Private network B is connected to the Internet through a router R1, and the physical interface of R1 that connects directly to the Internet is usually configured with an IPSec security method. The invention takes the IPSec security method used on the real physical interface and transplants it to the tunnel virtual interface of the VPN. Specifically it comprises the following steps: 1. set at least one access control list (ACL); 2. define how the IPSec security method uses the ACL set in step 1; 3. set up the tunnel virtual interface; 4. apply the IPSec security method generated in step 2 on the tunnel virtual interface.
The IPSec security method originally used on the physical interface of router R1 connected to the Internet is not intended to let packets whose protocol is GRE use IPSec encryption as well, and realising a VPN with GRE+IPSec is clearly less efficient than realising it directly with IPSec tunnel mode. With the method of the invention, however, the IPSec security method can be used directly on the VPN tunnel virtual interface of router R1 that encapsulates the GRE protocol: whenever the condition is met (that is, the packet matches the ACL referenced by the IPSec security method), the IPSec security method is applied directly.
The method of the invention has been tested in a General Packet Radio Service (GPRS)/Wideband Code Division Multiple Access (WCDMA) system, namely in an environment where different access point names (APN) assign identical private IP addresses to different mobile subscribers. By the method of the invention, that is, by using the IPSec security method on the tunnel virtual interface of the VPN, each mobile subscriber can access a different APN through an IPSec tunnel. The test was successful and produced the desired effect.
In order to allow different mobile subscribers that have the same private IP address to access different APNs, packets carrying the same IP address must be sent, on the GGSN, into different VPN tunnel virtual interfaces according to the APN they belong to, so that they are encapsulated into different VPN tunnels. Fig. 2 shows the situation where two mobile subscribers belonging to APN1 and APN2 have mobile terminals MT with identical private IP addresses. If the IPSec security method could only be used on real physical interfaces, then in order to transmit the IP packets securely with IPSec one could only adopt the inefficient combination of some VPN protocol (for example GRE) plus IPSec (even though the IPSec protocol itself directly supports the VPN function), and different security methods could not be applied to the different actual data streams, because after VPN encapsulation the IP packets have identical source and destination IP addresses and an identical application-layer protocol (the VPN protocol); at the IP layer there is no longer any difference between them and they cannot be distinguished. With the method of the invention, however, the IPSec security method is used directly on the VPN tunnel virtual interface, and all the shortcomings described above are overcome. The two mobile subscribers in Fig. 2 that belong to the different access point names APN1 and APN2 and have the same private IP address can then, via the mobile terminal MT or via a portable computer TE (in which case the mobile terminal MT acts like a modem), be sent into different VPN tunnel virtual interfaces according to their APN (Access Point Name), where the IPSec security method is applied directly, i.e. they access different APNs through different IPSec tunnels (for example the two enterprise networks APN1 and APN2 shown in Fig. 2).
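As an added illustration, not part of the patent text, the following Python model contrasts the background-art placement of the IPSec policy on the physical interface with the claimed placement on the tunnel virtual interface, and also models the per-APN case of the second embodiment. The addresses, policy names and the assumption that a policy bound to the tunnel interface matches its ACL against the packet entering the tunnel are constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, GRE, ESP = 6, 47, 50          # IP protocol numbers (IANA values), used as labels

@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    inner: Optional["Packet"] = None   # encapsulated packet, if any

@dataclass
class AclRule:
    proto: Optional[int]   # None matches any protocol
    dst_prefix: str        # constructed prefix match, e.g. "10.2."

@dataclass
class IpsecPolicy:
    """Step 2 of the patent: an ACL plus the peer that matching traffic is protected to."""
    name: str
    acl: List[AclRule]
    peer: str

    def protect(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        for r in self.acl:
            if (r.proto is None or r.proto == pkt.proto) and pkt.dst.startswith(r.dst_prefix):
                return Packet("R1_PUBLIC", self.peer, ESP, inner=pkt), self.name
        return pkt, None               # no rule matched: forwarded in the clear

@dataclass
class TunnelInterface:
    """Step 3: a GRE tunnel virtual interface; step 4 optionally binds a policy to it."""
    peer: str
    ipsec: Optional[IpsecPolicy] = None

    def encapsulate(self, pkt: Packet) -> Tuple[Packet, Optional[str]]:
        sa = None
        if self.ipsec:   # modelled assumption: the bound policy checks its ACL against the
            pkt, sa = self.ipsec.protect(pkt)   # packet entering the tunnel, before GRE is added
        return Packet("R1_PUBLIC", self.peer, GRE, inner=pkt), sa

def egress(pkt: Packet, tunnel: TunnelInterface,
           physical: Optional[IpsecPolicy]) -> Tuple[Packet, List[str]]:
    """Route pkt into the tunnel, then out the physical interface with its own policy (if any)."""
    outer, sa_tun = tunnel.encapsulate(pkt)
    outer, sa_phy = physical.protect(outer) if physical else (outer, None)  # sees GRE only
    return outer, [s for s in (sa_tun, sa_phy) if s]

# Constructed addressing: private net C is 10.2.0.0/16, R2's public address is "R2_PUBLIC".
TCP_TO_C = IpsecPolicy("map_tcp", [AclRule(TCP, "10.2.")], peer="R2_PUBLIC")
A_TO_D = Packet("10.1.0.5", "10.2.0.10", TCP)

def conventional() -> List[str]:
    """Background art: policy on the physical interface only. The outer packet is GRE to
    R2_PUBLIC, not TCP to 10.2.x, so the ACL never matches and nothing is protected."""
    return egress(A_TO_D, TunnelInterface("R2_PUBLIC"), physical=TCP_TO_C)[1]

def invention() -> List[str]:
    """Patent method: the same policy bound to the tunnel interface sees the TCP packet."""
    return egress(A_TO_D, TunnelInterface("R2_PUBLIC", ipsec=TCP_TO_C), physical=None)[1]

def per_apn() -> Tuple[List[str], List[str]]:
    """Second embodiment: identical inner packets from two subscribers with the same private
    IP are steered into different tunnel interfaces by APN, each with its own policy."""
    to_enterprise = [AclRule(None, "10.")]
    apn1 = TunnelInterface("ENT1_PUBLIC", IpsecPolicy("map_apn1", to_enterprise, "ENT1_PUBLIC"))
    apn2 = TunnelInterface("ENT2_PUBLIC", IpsecPolicy("map_apn2", to_enterprise, "ENT2_PUBLIC"))
    mt = Packet("10.0.0.7", "10.9.0.1", TCP)   # same source address for both subscribers
    return egress(mt, apn1, None)[1], egress(mt, apn2, None)[1]
```

The empty list from `conventional()` is exactly the situation the background section describes: user A expects TCP to be encrypted, but the TCP-matching ACL on the physical interface only ever sees GRE.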
Claims (1)
1. A method for ensuring Internet Protocol security on the tunnel virtual interface of a virtual private network, in which the IPSec security method used on a real physical interface is transplanted to the tunnel virtual interface of the virtual private network (VPN), comprising the following steps:
(1) setting at least one access control list (ACL);
(2) defining how the IPSec security method uses the ACL set in step (1);
characterised in that the method further comprises the following steps:
(3) setting up the tunnel virtual interface;
(4) applying the IPSec security method generated in step (2) on the tunnel virtual interface.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB011198303A CN1150718C (en) | 2001-06-29 | 2001-06-29 | Method for ensuring IP security on virtual tunnel interface of VPN |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CNB011198303A CN1150718C (en) | 2001-06-29 | 2001-06-29 | Method for ensuring IP security on virtual tunnel interface of VPN |
Publications (2)
Publication Number | Publication Date |
---|---|
CN1394042A CN1394042A (en) | 2003-01-29 |
CN1150718C true CN1150718C (en) | 2004-05-19 |
Family
ID=4663745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CNB011198303A Expired - Fee Related CN1150718C (en) | 2001-06-29 | 2001-06-29 | Method for ensuring IP security on virtual tunnel interface of VPN |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN1150718C (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN100576720C (en) * | 2004-05-19 | 2009-12-30 | Nihon Dempa Kogyo Co., Ltd. | Constant-temperature type crystal oscillator |
Families Citing this family (21)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
EP1643691B1 (en) * | 2003-07-04 | 2007-12-05 | Nippon Telegraph and Telephone Corporation | Remote access vpn mediation method and mediation device |
US7978716B2 (en) | 2003-11-24 | 2011-07-12 | Citrix Systems, Inc. | Systems and methods for providing a VPN solution |
US8146148B2 (en) * | 2003-11-19 | 2012-03-27 | Cisco Technology, Inc. | Tunneled security groups |
US8495305B2 (en) | 2004-06-30 | 2013-07-23 | Citrix Systems, Inc. | Method and device for performing caching of dynamically generated objects in a data communication network |
US7757074B2 (en) | 2004-06-30 | 2010-07-13 | Citrix Application Networking, Llc | System and method for establishing a virtual private network |
US8739274B2 (en) | 2004-06-30 | 2014-05-27 | Citrix Systems, Inc. | Method and device for performing integrated caching in a data communication network |
CN100385885C (en) * | 2004-07-09 | 2008-04-30 | IEI Integration Corp. | Safety gateway with SSL protection function and method |
ATE535078T1 (en) | 2004-07-23 | 2011-12-15 | Citrix Systems Inc | METHOD AND SYSTEM FOR SECURING REMOTE ACCESS TO PRIVATE NETWORKS |
EP1771998B1 (en) | 2004-07-23 | 2015-04-15 | Citrix Systems, Inc. | Systems and methods for optimizing communications between network nodes |
WO2006020823A1 (en) | 2004-08-13 | 2006-02-23 | Citrix Systems, Inc. | A method for maintaining transaction integrity across multiple remote access servers |
US8954595B2 (en) | 2004-12-30 | 2015-02-10 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP buffering |
US8549149B2 (en) | 2004-12-30 | 2013-10-01 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP multiplexing |
US8706877B2 (en) | 2004-12-30 | 2014-04-22 | Citrix Systems, Inc. | Systems and methods for providing client-side dynamic redirection to bypass an intermediary |
US7810089B2 (en) | 2004-12-30 | 2010-10-05 | Citrix Systems, Inc. | Systems and methods for automatic installation and execution of a client-side acceleration program |
US8700695B2 (en) | 2004-12-30 | 2014-04-15 | Citrix Systems, Inc. | Systems and methods for providing client-side accelerated access to remote applications via TCP pooling |
US7849269B2 (en) | 2005-01-24 | 2010-12-07 | Citrix Systems, Inc. | System and method for performing entity tag and cache control of a dynamically generated object not identified as cacheable in a network |
US8255456B2 (en) | 2005-12-30 | 2012-08-28 | Citrix Systems, Inc. | System and method for performing flash caching of dynamically generated objects in a data communication network |
US8301839B2 (en) | 2005-12-30 | 2012-10-30 | Citrix Systems, Inc. | System and method for performing granular invalidation of cached dynamically generated objects in a data communication network |
US7921184B2 (en) | 2005-12-30 | 2011-04-05 | Citrix Systems, Inc. | System and method for performing flash crowd caching of dynamically generated objects in a data communication network |
CN100440846C (en) * | 2007-01-26 | 2008-12-03 | Chengdu Maipu Industry Group Co., Ltd. | Dynamic connection method for virtual private network |
CN101499972B (en) * | 2009-03-16 | 2012-01-11 | Hangzhou H3C Technologies Co., Ltd. | IP security packet forwarding method and apparatus |
Also Published As
Publication number | Publication date |
---|---|
CN1394042A (en) | 2003-01-29 |
Legal Events
Code | Title | Description |
---|---|---|
C10 | Entry into substantive examination | |
SE01 | Entry into force of request for substantive examination | |
C06 | Publication | |
PB01 | Publication | |
C14 | Grant of patent or utility model | |
GR01 | Patent grant | |
CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20040519; Termination date: 20170629 |