CN115134216A - Method, system and medium for protection and scheduling of different machine IPSEC tunnel depending on SDWAN - Google Patents


Info

Publication number: CN115134216A
Authority: CN (China)
Prior art keywords: service, communication device, ipsec, communication equipment, communication
Legal status: Granted (Active)
Application number: CN202210605209.5A
Other languages: Chinese (zh)
Other versions: CN115134216B (en)
Inventors: 郭永立, 梁海峰, 任利波
Current Assignee: Hangzhou Cncr Information Technology Co ltd
Original Assignee: Hangzhou Cncr Information Technology Co ltd
Application filed by Hangzhou Cncr Information Technology Co ltd
Priority to CN202210605209.5A
Publication of CN115134216A
Application granted
Publication of CN115134216B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The application relates to a method, a system and a medium for protecting and scheduling different machine IPSEC tunnels depending on an SDWAN. The method is applied to unilateral path protection and comprises the following steps: respectively creating an IPSEC service on a first communication device and a second communication device through an upper management and control platform; allocating the IPSEC service on the first communication device as a main service role and the IPSEC service on the second communication device as a standby service role; and monitoring the first communication device and the second communication device through the upper management and control platform, and if it is monitored that the main service on the first communication device cannot run, starting the standby service on the second communication device and stopping the main service.

Description

Method, system and medium for protection and scheduling of different machine IPSEC tunnel depending on SDWAN
Technical Field
The application relates to the technical field of computer communication, in particular to a method, a system and a medium for protection and scheduling of a heterogeneous IPSEC tunnel depending on an SDWAN.
Background
Currently, protection schemes for IPSEC tunnels mainly switch a service automatically to a backup tunnel after the primary tunnel is disconnected, i.e. they provide protection between different IPSEC tunnels within a single device, where the single device itself monitors the connectivity of the tunnels configured on it.
At present, no effective solution has been proposed for the problem that IPSEC tunnel protection schemes spanning multiple devices lack efficient management.
Disclosure of Invention
The embodiment of the application provides a method, a system and a medium for protecting and scheduling a different machine IPSEC tunnel depending on an SDWAN (software defined wide area network), so as to at least solve the problem that IPSEC tunnel protection schemes spanning multiple devices in the related art lack efficient management.
In a first aspect, an embodiment of the present application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel depending on an SDWAN, where the method is applied to unilateral path protection, and includes:
respectively creating an IPSEC service on the first communication device and the second communication device through an upper management and control platform;
allocating the IPSEC service on the first communication equipment as a main service role, and allocating the IPSEC service on the second communication equipment as a standby service role;
monitoring a first communication device and a second communication device through the upper management and control platform, and if it is monitored that the main service on the first communication device cannot run, starting a standby service on the second communication device and simultaneously stopping the main service.
In some embodiments, creating an IPSEC service on the first communication device and the second communication device through the upper management platform includes:
creating the IPSEC service through the upper management and control platform, judging whether each communication device is on-line, and after the first communication device and the second communication device are on-line, issuing an IPSEC service to each of them and configuring the protection parameters of the IPSEC service.
In some embodiments, allocating the IPSEC service on the first communication device as an active service role, and allocating the IPSEC service on the second communication device as a standby service role includes:
allocating the IPSEC service on the first communication equipment as the main service role, the state of the main service being an enabled state;
and allocating the IPSEC service on the second communication equipment as the standby service role, the state of the standby service being an inactive state.
In some embodiments, monitoring the first communication device and the second communication device by the upper management platform includes:
monitoring the first communication equipment and the second communication equipment through the upper management and control platform, and judging the running state of each communication device according to the return value of the protection parameter of the IPSEC service on that device.
In some embodiments, after enabling the standby service on the second communication device and simultaneously disabling the active service, the method further comprises:
continuously monitoring the first communication equipment through the upper management and control platform, and if it is monitored that the main service on the first communication equipment has recovered, starting the main service and simultaneously stopping the standby service on the second communication equipment.
In some embodiments, the role assignment data, the service delivery data and the parameter configuration data are persistently stored in a local database.
In some of these embodiments, the communication devices are communication devices that rely on a software defined wide area network.
In a second aspect, an embodiment of the present application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel depending on an SDWAN, where the method is applied to full link path protection, and includes:
establishing corresponding IPSEC global service between a first link and a second link through an upper management and control platform, wherein the first link consists of a plurality of communication devices, and the second link also consists of a plurality of communication devices;
distributing a main global service role and a standby global service role for the IPSEC global service;
and monitoring the first link and the second link through the upper management and control platform, and if the main global service between the links cannot run, starting the standby global service between the links and simultaneously stopping the main global service.
In a third aspect, an embodiment of the present application provides a system for protecting and scheduling a heterogeneous IPSEC tunnel depending on an SDWAN, where the system is applied to unilateral path protection, and the system includes a service creation module and a service scheduling module;
the service creation module is used for creating an IPSEC service on the first communication device and the second communication device respectively through the upper management and control platform; allocating the IPSEC service on the first communication equipment as a main service role, and allocating the IPSEC service on the second communication equipment as a standby service role;
the service scheduling module is configured to monitor a first communication device and a second communication device through the upper management and control platform, and if it is monitored that a primary service on the first communication device cannot be operated, start a standby service on the second communication device, and simultaneously deactivate the primary service.
In a fourth aspect, an embodiment of the present application provides a computer-readable storage medium on which a computer program is stored, where the computer program, when executed by a processor, implements the method for protecting and scheduling a heterogeneous IPSEC tunnel depending on an SDWAN according to the first aspect and the second aspect.
Compared with the related art, the method, system and medium for protection and scheduling of a different machine IPSEC tunnel depending on an SDWAN provided by the embodiments of the application apply the method to single-side path protection: an IPSEC service is created on each of the first and second communication devices through the upper management and control platform; the IPSEC service on the first communication device is allocated as the main service role and the one on the second communication device as the standby service role; and the upper management and control platform monitors both devices and, if it detects that the main service on the first communication device cannot run, starts the standby service on the second communication device and stops the main service. This solves the problem that IPSEC tunnel protection schemes spanning multiple devices lack efficient management: the IPSEC tunnel states of different devices are monitored through the upper management and control platform, and the management efficiency of IPSEC tunnel protection in a multi-device scenario is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
fig. 1 is a first flowchart of steps of a method for protecting and scheduling a heterogeneous IPSEC tunnel over an SDWAN according to an embodiment of the present application;
fig. 2 is a flowchart of a second step of a method for scheduling heterogeneous IPSEC tunnel protection depending on SDWAN according to an embodiment of the present application;
fig. 3 is a block diagram of a system for protecting and scheduling a heterogeneous IPSEC tunnel over an SDWAN according to an embodiment of the present application;
fig. 4 is an internal structural diagram of an electronic device according to an embodiment of the present application.
Reference numerals in the drawings: 31, service creation module; 32, service scheduling module.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be described and illustrated below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments provided in the present application without any inventive step are within the scope of protection of the present application.
It is obvious that the drawings in the following description are only examples or embodiments of the present application, and that it is also possible for a person skilled in the art to apply the present application to other similar contexts on the basis of these drawings without inventive effort. Moreover, it should be appreciated that in the development of any such actual implementation, as in any engineering or design project, numerous implementation-specific decisions must be made to achieve the developers' specific goals, such as compliance with system-related and business-related constraints, which may vary from one implementation to another.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment can be included in at least one embodiment of the specification. The appearances of the phrase in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. Those of ordinary skill in the art will explicitly and implicitly appreciate that the embodiments described herein may be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms referred to herein shall have the ordinary meaning as understood by those of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar words throughout this application are not to be construed as limiting in number, and may refer to the singular or the plural. The present application is directed to the use of the terms "including," "comprising," "having," and any variations thereof, which are intended to cover non-exclusive inclusions; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to the listed steps or elements, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. Reference to "connected," "coupled," and the like in this application is not intended to be limited to physical or mechanical connections, but rather can include electrical connections, whether direct or indirect. The term "plurality" as referred to herein means two or more. "and/or" describes an association relationship of associated objects, meaning that three relationships may exist, for example, "A and/or B" may mean: a exists alone, A and B exist simultaneously, and B exists alone. The character "/" generally indicates that the former and latter associated objects are in an "or" relationship. Reference herein to the terms "first," "second," "third," and the like, are merely to distinguish similar objects and do not denote a particular ordering for the objects.
An embodiment of the present application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel based on an SDWAN, and fig. 1 is a first flowchart of steps of the method for protecting and scheduling a heterogeneous IPSEC tunnel based on an SDWAN according to an embodiment of the present application, and as shown in fig. 1, the method is applied to single-side path protection, and includes the following steps:
step S102, establishing IPSEC services on the first communication equipment and the second communication equipment respectively through an upper management and control platform;
Specifically, an IPSEC service is created through the upper management and control platform; whether each communication device is on-line is judged, and once the first communication device and the second communication device are on-line, an IPSEC service is issued to each of them and the protection parameters of the IPSEC service are configured. The protection parameter defines two return modes: either a return value is returned, or no return value is returned. This is how the upper management and control platform judges the running condition of the IPSEC service in each communication device.
It should be noted that the first communication device and the second communication device are communication devices supported by a Software Defined Wide Area Network (SDWAN). SDWAN is a service formed by applying SDN technology to the wide area network scenario; it is used to connect enterprise networks, data centers, internet applications and cloud services across a wide geographic area. IPSEC (Internet Protocol Security) is a suite of network-layer secure communication protocols built on cryptography. IPSEC does not refer to one specific protocol but to an open family of protocols. The design goal of the IPSEC protocols is to provide flexible security services for network-layer traffic in IPv4 and IPv6 environments. An IPSEC VPN is a secure virtual private network implemented at the IP layer and constructed from the IPSEC protocol family: by inserting a predefined header into each data packet it secures the protocol data of the upper OSI layers, and it is mainly used to protect IP packets carrying TCP, UDP, ICMP and tunnel traffic.
Step S104, allocating IPSEC service on the first communication equipment as a main service role, and allocating IPSEC service on the second communication equipment as a standby service role;
Specifically, the IPSEC service on the first communication device is allocated as the main service role, and the state of the main service is an enabled state; the IPSEC service on the second communication device is allocated as the standby service role, and the state of the standby service is an inactive state.
Step S106, monitoring the first communication device and the second communication device through the upper management and control platform, if the situation that the main service on the first communication device cannot run is monitored, starting the standby service on the second communication device, and simultaneously stopping the main service.
Specifically, the upper management and control platform monitors the first communication device and the second communication device, and judges the running state of each communication device according to the return value of the protection parameter of the IPSEC service on that device. If the monitored return value of the protection parameter reports disconnection or degradation of the main service, the running state of the communication device is abnormal, that is, the main service on that device cannot run. In this case, the standby service on the second communication device is enabled while the main service is disabled.
Preferably, after step S106, the upper management and control platform continues to monitor the first communication device, and if it is monitored that the active service on the first communication device resumes running, the active service is enabled, and the standby service on the second communication device is disabled.
Through the steps S102 to S106 in the embodiment of the application, the problem that an IPSEC tunnel protection scheme between multiple devices is lack of efficient management is solved, the states of IPSEC tunnels of different devices are monitored through an upper management and control platform, and the management efficiency of IPSEC tunnel protection under a multi-device scene is improved.
An embodiment of the present application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel based on an SDWAN, fig. 2 is a flowchart of a second step of the method for protecting and scheduling a heterogeneous IPSEC tunnel based on an SDWAN according to an embodiment of the present application, and as shown in fig. 2, the method is applied to full link path protection, and includes the following steps:
step S202, a corresponding IPSEC global service is established between a first link and a second link through an upper management and control platform, wherein the first link is composed of a plurality of communication devices, and the second link is also composed of a plurality of communication devices;
Specifically, a corresponding IPSEC global service is created between the first link and the second link through the upper management and control platform, and the protection parameters of the IPSEC global service are configured. The protection parameter defines two return modes: either a return value is returned, or no return value is returned. This is how the upper management and control platform judges the running condition of the IPSEC global service.
It should be noted that an IPSEC global service is an end-to-end service, i.e. two single-point services in a pair. For example: the company headquarters has a communication device A and a communication device B, and the company office has a communication device C and a communication device D; A is connected with C and B with D, and an IPSEC service is established on each of A, B, C and D. Then the two IPSEC services on communication devices A and C form one IPSEC global service, and the two IPSEC services on communication devices B and D form another IPSEC global service.
Step S204, allocating a main global service role and a standby global service role for the IPSEC global service;
specifically, the state of the primary global service is an enabled state; the state of the standby global service is an inactive state.
Step S206, the first link and the second link are monitored through the upper management and control platform, if the master global service between the links cannot be operated, the standby global service between the links is started, and the master global service is stopped.
Specifically, the upper management and control platform monitors the communication devices in the first link and the second link, and judges the running state of the communication devices according to the return value of the protection parameter of the IPSEC global service. If the monitored return value of the protection parameter reports disconnection or degradation of the main global service, the running state of the communication devices is abnormal, that is, the main global service on them cannot run. In this case, the standby global service between the links is enabled while the main global service is disabled.
Preferably, after step S206, the upper management and control platform continues to monitor the communication devices in the first link and the second link, and if it is monitored that the main global service has recovered, the main global service is enabled and the standby global service between the links is disabled.
Through the steps S202 to S206 in the embodiment of the application, the problem that an IPSEC tunnel protection scheme among multiple devices is lack of efficient management is solved, the IPSEC tunnel states of different devices are monitored through an upper management and control platform, and the management efficiency of IPSEC tunnel protection in a multi-device scene is improved.
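As an added example (not code from the patent or from Hangzhou Cncr), the following Python models the controller-side scheduling described in steps S102 to S106 and S202 to S206: a protection group pairs a main and a standby IPSEC service, an IPSEC global service is simply a service spanning both end devices of a link, and one monitoring pass fails over when the main service's protection parameter no longer returns "up" and fails back once it recovers. The device names, the return-value strings and the probe/online callbacks are assumptions.

```python
"""Controller-side protection scheduler for paired IPSEC services, modelled on
steps S102-S106 (single-side) and S202-S206 (full-link). Added example, not the
patent's code; device names, "up"/"degraded" strings and callbacks are assumed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Sequence, Tuple

# The protection parameter has two return modes: a return value, or none at all
# (modelled as None). Anything other than "up" is read as the "disconnection or
# degradation" report, so a silent device and a degraded one are treated alike.
Probe = Callable[[str], Optional[str]]
ENABLED, INACTIVE = "enabled", "inactive"


@dataclass
class IpsecService:
    """One IPSEC service: a single device for single-side protection, or the
    paired end devices (e.g. A and C) for an IPSEC global service."""
    devices: Tuple[str, ...]
    role: str                      # "main" or "standby"
    state: str = INACTIVE

    def can_run(self, probe: Probe) -> bool:
        # A global service is end-to-end, so every device it spans must be "up".
        return all(probe(dev) == "up" for dev in self.devices)


@dataclass
class ProtectionGroup:
    name: str
    main: IpsecService
    standby: IpsecService
    events: List[str] = field(default_factory=list)   # switch history for audit

    @classmethod
    def create(cls, name: str, main_devices: Sequence[str],
               standby_devices: Sequence[str],
               online: Callable[[str], bool]) -> "ProtectionGroup":
        """S102/S202: services are issued only after every device is on-line;
        S104/S204: the main role starts enabled, the standby role inactive."""
        missing = [d for d in (*main_devices, *standby_devices) if not online(d)]
        if missing:
            raise RuntimeError(f"{name}: devices not on-line: {missing}")
        return cls(name,
                   IpsecService(tuple(main_devices), "main", ENABLED),
                   IpsecService(tuple(standby_devices), "standby", INACTIVE))

    def active(self) -> IpsecService:
        return self.main if self.main.state == ENABLED else self.standby

    def evaluate(self, probe: Probe) -> Optional[str]:
        """S106/S206 plus the preferred fail-back. Returns the event name, or
        None when nothing changes (including main and standby both down, which
        the description leaves open: the current roles are kept)."""
        main_ok = self.main.can_run(probe)
        if not main_ok and self.main.state == ENABLED:
            # main cannot run: start the standby and stop the main together
            self.standby.state, self.main.state = ENABLED, INACTIVE
            event = "failover"
        elif main_ok and self.standby.state == ENABLED:
            # main has recovered: re-enable it and stop the standby
            self.main.state, self.standby.state = ENABLED, INACTIVE
            event = "failback"
        else:
            return None
        self.events.append(f"{self.name}: {event}, active={self.active().devices}")
        return event


def run_monitor_cycle(groups: List[ProtectionGroup],
                      probe: Probe) -> Dict[str, Optional[str]]:
    """One monitoring pass of the upper management and control platform."""
    return {g.name: g.evaluate(probe) for g in groups}


def demo() -> List[Dict[str, Optional[str]]]:
    """Constructed scenario from the description: HQ has devices A and B, the
    office has C and D; A pairs with C and B with D."""
    health: Dict[str, Optional[str]] = {"A": "up", "B": "up", "C": "up", "D": "up"}

    def probe(dev: str) -> Optional[str]:
        return health.get(dev)          # None models "no return value"

    def online(dev: str) -> bool:
        return dev in health

    groups = [ProtectionGroup.create("single-side", ["A"], ["B"], online),
              ProtectionGroup.create("full-link", ["A", "C"], ["B", "D"], online)]
    results = [run_monitor_cycle(groups, probe)]      # all healthy: no events
    health["C"] = "degraded"                          # far end of the A-C pair degrades
    results.append(run_monitor_cycle(groups, probe))  # only the global service fails over
    health["A"] = None                                # A stops returning anything
    results.append(run_monitor_cycle(groups, probe))  # single-side group fails over too
    health["A"], health["C"] = "up", "up"             # both recover
    results.append(run_monitor_cycle(groups, probe))  # both groups fail back
    return results
```

Note that the single-side group does not react when only C degrades, while the global A-C service does; that difference is exactly what full-link protection adds over single-device monitoring.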
It should be noted that the steps illustrated in the above-described flow diagrams or in the flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order different than here.
The embodiment of the application provides a system for protection scheduling of a different machine IPSEC tunnel depending on an SDWAN; fig. 3 is a structural block diagram of this system according to the embodiment of the application, and as shown in fig. 3, the system is applied to single-side path protection and comprises a service creation module 31 and a service scheduling module 32;
a service creation module 31, configured to create an IPSEC service on the first communication device and the second communication device through an upper management and control platform, respectively; the IPSEC service on the first communication equipment is allocated as a main service role, and the IPSEC service on the second communication equipment is allocated as a standby service role;
the service scheduling module 32 is configured to monitor the first communication device and the second communication device through the upper management and control platform, and if it is monitored that the main service on the first communication device cannot operate, start the standby service on the second communication device, and simultaneously deactivate the main service.
Through the service creation module 31 and the service scheduling module 32 in the embodiment of the application, the problem that an IPSEC tunnel protection scheme among multiple devices lacks efficient management is solved, the IPSEC tunnel states of different devices are monitored through an upper management and control platform, and the management efficiency of IPSEC tunnel protection in a multi-device scene is improved.
The above modules may be functional modules or program modules, and may be implemented by software or hardware. For a module implemented by hardware, the modules may be located in the same processor; or the modules can be respectively positioned in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having a computer program stored therein and a processor configured to execute the computer program to perform the steps of any of the above method embodiments.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, wherein the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, for specific examples in this embodiment, reference may be made to the examples described in the foregoing embodiment and optional implementation manners, and details of this embodiment are not described herein again.
In addition, in combination with the method for protecting and scheduling a different machine IPSEC tunnel depending on an SDWAN in the above embodiments, an embodiment of the present application may provide a storage medium for its implementation. The storage medium has a computer program stored thereon; when executed by a processor, the computer program realizes any of the above-mentioned embodiments of the method for heterogeneous IPSEC tunnel protection scheduling relying on an SDWAN.
In one embodiment, a computer device is provided, which may be a terminal. The computer device includes a processor, a memory, a network interface, a display screen, and an input device connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device comprises a nonvolatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of an operating system and computer programs in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program when executed by a processor implements a method of heterogeneous IPSEC tunnel protection scheduling relying on SDWAN. The display screen of the computer equipment can be a liquid crystal display screen or an electronic ink display screen, and the input device of the computer equipment can be a touch layer covered on the display screen, a key, a track ball or a touch pad arranged on a shell of the computer equipment, an external keyboard, a touch pad or a mouse and the like.
In one embodiment, fig. 4 is a schematic diagram of the internal structure of an electronic device according to an embodiment of the present application. As shown in fig. 4, an electronic device is provided, which may be a server and whose internal structure may be as shown in fig. 4. The electronic device comprises a processor, a network interface, an internal memory and a non-volatile memory connected by an internal bus, wherein the non-volatile memory stores an operating system, a computer program and a database. The processor provides calculation and control capability; the network interface communicates with external terminals over a network connection; the internal memory provides the environment in which the operating system and the computer program run; the computer program, when executed by the processor, implements the different machine IPSEC tunnel protection scheduling method depending on SDWAN; and the database stores data.
Those skilled in the art will appreciate that the structure shown in fig. 4 is a block diagram of only the part of the structure relevant to the present application and does not limit the electronic device to which the present application applies; a particular electronic device may include more or fewer components than shown in the drawing, combine certain components, or arrange the components differently.
Those skilled in the art will understand that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program instructing the relevant hardware. The computer program can be stored in a non-volatile computer-readable storage medium and, when executed, can include the processes of the method embodiments described above. Any reference to memory, storage, a database or another medium in the embodiments provided herein may include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM) or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in many forms, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM) and Rambus dynamic RAM (RDRAM).
Those skilled in the art will understand that the features of the above-described embodiments can be combined in any combination; for the sake of brevity, not all possible combinations of features of the above-described embodiments are described, but every combination of features that is not inconsistent should be construed as being within the scope of the present disclosure.
The above-mentioned embodiments express only several embodiments of the present application, and although their description is specific and detailed, they are not to be construed as limiting the scope of the invention. It should be noted that a person skilled in the art can make several variations and modifications without departing from the concept of the present application, and these fall within the scope of protection of the present application. Therefore, the protection scope of the present patent shall be subject to the appended claims.

Claims (10)

1. A method for protecting and scheduling a different machine IPSEC tunnel depending on SDWAN, characterized in that the method is applied to single-side path protection and comprises the following steps:
respectively creating an IPSEC service on a first communication device and a second communication device through an upper management and control platform;
allocating the IPSEC service on the first communication device as a main service role, and allocating the IPSEC service on the second communication device as a standby service role;
monitoring the first communication device and the second communication device through the upper management and control platform, and if it is monitored that the main service on the first communication device cannot run, starting the standby service on the second communication device and simultaneously stopping the main service.
2. The method of claim 1, wherein respectively creating an IPSEC service on the first communication device and the second communication device through the upper management and control platform comprises:
creating the IPSEC service through the upper management and control platform, judging whether the communication devices are online, and after the first communication device and the second communication device are online, respectively issuing the IPSEC service to the first communication device and the second communication device and configuring protection parameters of the IPSEC service.
3. The method of claim 1, wherein allocating the IPSEC service on the first communication device as a main service role and allocating the IPSEC service on the second communication device as a standby service role comprises:
allocating the IPSEC service on the first communication device as the main service role, wherein the state of the main service is an enabled state;
and allocating the IPSEC service on the second communication device as the standby service role, wherein the state of the standby service is a disabled state.
4. The method of claim 2, wherein monitoring the first communication device and the second communication device through the upper management and control platform comprises:
monitoring the first communication device and the second communication device through the upper management and control platform, and judging the running state of each communication device according to the return value of the protection parameter of the IPSEC service on that communication device.
5. The method of claim 1, wherein after starting the standby service on the second communication device and simultaneously stopping the main service, the method further comprises:
continuing to monitor the first communication device through the upper management and control platform, and if it is monitored that the main service on the first communication device has recovered and can run again, starting the main service and simultaneously stopping the standby service on the second communication device.
6. The method according to any one of claims 1 to 5, characterized in that the role assignment data, the service delivery data and the parameter configuration data are persistently stored in a local database.
7. The method according to any one of claims 1 to 5, wherein the communication devices are communication devices that depend on a software-defined wide area network.
8. A method for protecting and scheduling a different machine IPSEC tunnel depending on SDWAN, characterized in that the method is applied to full-link path protection and comprises the following steps:
establishing a corresponding IPSEC global service between a first link and a second link through an upper management and control platform, wherein the first link consists of a plurality of communication devices and the second link also consists of a plurality of communication devices;
allocating a main global service role and a standby global service role to the IPSEC global service;
and monitoring the first link and the second link through the upper management and control platform, and if the main global service between the links cannot run, starting the standby global service between the links and simultaneously stopping the main global service.
9. A system for protecting and scheduling a different machine IPSEC tunnel depending on SDWAN, characterized in that the system is applied to single-side path protection and comprises a service creation module and a service scheduling module;
the service creation module is configured to respectively create an IPSEC service on a first communication device and a second communication device through an upper management and control platform, allocate the IPSEC service on the first communication device as a main service role, and allocate the IPSEC service on the second communication device as a standby service role;
the service scheduling module is configured to monitor the first communication device and the second communication device through the upper management and control platform, and if it is monitored that the main service on the first communication device cannot run, start the standby service on the second communication device and simultaneously stop the main service.
10. A computer-readable storage medium having stored thereon a computer program, wherein the program, when executed by a processor, implements the method for protecting and scheduling a different machine IPSEC tunnel depending on SDWAN of any one of claims 1 to 8.
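The single-side protection procedure of claims 1 to 6 (create the service on both devices once they are online, assign main and standby roles, probe the protection parameter, fail over, fail back, persist the role and delivery data) is shown below as an added worked example. This is not the patent's or the applicant's code: the device names, the representation of the "protection parameter return value" as a boolean health flag, the in-memory SQLite store, the parameter string and the failover/failback dampening thresholds are all assumptions made for this illustration. The dampening and the refusal to fail over to a standby that is itself failing go beyond the claims; they are what a practitioner adds so that a flapping link does not bounce the tunnel between the two devices.

```python
"""Added example (not the patent's own code): an upper management and control
platform scheduling one IPsec service across two devices as main/standby, in
the shape of claims 1 to 6. Names, thresholds and the probe are assumptions."""
import sqlite3
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    ACTIVE = "active"    # claim 3: main service role, enabled after delivery
    STANDBY = "standby"  # claim 3: standby service role, disabled after delivery


@dataclass
class Device:
    name: str
    online: bool = True
    healthy: bool = True  # constructed stand-in for the protection-parameter return value
    service_id: Optional[str] = None
    role: Role = Role.STANDBY
    enabled: bool = False


class Platform:
    """Upper management and control platform for single-side path protection."""

    def __init__(self, first: Device, second: Device,
                 fail_threshold: int = 2, recover_threshold: int = 2):
        self.first, self.second = first, second
        # Dampening (assumed, not in the claims): N consecutive failed probes
        # before failover, N consecutive healthy probes before failback.
        self.fail_threshold, self.recover_threshold = fail_threshold, recover_threshold
        self.failures = {first.name: 0, second.name: 0}
        self.ok_streak = {first.name: 0, second.name: 0}
        # Claim 6: role, delivery and parameter data persisted in a local
        # database (in-memory SQLite here so the example runs offline).
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE svc(device TEXT PRIMARY KEY, service_id TEXT, "
                        "role TEXT, enabled INTEGER, params TEXT)")

    def _persist(self, d: Device, params: str = "dpd=10s,rekey=3600s") -> None:
        self.db.execute("INSERT OR REPLACE INTO svc VALUES (?,?,?,?,?)",
                        (d.name, d.service_id, d.role.value, int(d.enabled), params))
        self.db.commit()

    def create_service(self, service_id: str) -> bool:
        """Claims 1 to 3: deliver only once both devices are online, then the
        first device is main (enabled) and the second standby (disabled)."""
        if not (self.first.online and self.second.online):
            return False
        for d, role, enabled in ((self.first, Role.ACTIVE, True),
                                 (self.second, Role.STANDBY, False)):
            d.service_id, d.role, d.enabled = service_id, role, enabled
            self._persist(d)
        return True

    def active(self) -> Optional[Device]:
        return next((d for d in (self.first, self.second) if d.enabled), None)

    def _probe(self, d: Device) -> bool:
        """Claim 4: judge the running state from the protection-parameter
        return value; an offline device or unhealthy service is a failed probe."""
        ok = d.online and d.healthy
        if ok:
            self.failures[d.name], self.ok_streak[d.name] = 0, self.ok_streak[d.name] + 1
        else:
            self.failures[d.name], self.ok_streak[d.name] = self.failures[d.name] + 1, 0
        return ok

    def _switch(self, stop: Device, start: Device) -> None:
        # The claims say "simultaneously"; stop the old side first so that the
        # two devices never negotiate the same tunnel at the same time.
        stop.enabled = False
        start.enabled = True
        self._persist(stop)
        self._persist(start)

    def tick(self) -> str:
        """One monitoring round; returns the device now carrying the service."""
        for d in (self.first, self.second):
            self._probe(d)
        a, b = self.first, self.second
        if a.enabled and self.failures[a.name] >= self.fail_threshold \
                and self.failures[b.name] == 0:
            self._switch(stop=a, start=b)      # claim 1: fail over to a healthy standby
        elif b.enabled and self.ok_streak[a.name] >= self.recover_threshold:
            self._switch(stop=b, start=a)      # claim 5: fail back once main recovers
        cur = self.active()
        return cur.name if cur else ""

    def persisted(self) -> dict:
        """Roles and enabled flags as stored in the local database (claim 6)."""
        return {name: (role, bool(en)) for name, role, en in
                self.db.execute("SELECT device, role, enabled FROM svc")}


if __name__ == "__main__":
    p = Platform(Device("cpe-a"), Device("cpe-b"))
    p.create_service("ipsec-svc-1")
    p.first.healthy = False              # main service stops running
    print([p.tick() for _ in range(3)])  # failover after the second failed probe
    p.first.healthy = True               # main service recovers
    print([p.tick() for _ in range(3)])  # failback after two healthy probes
```

Two checks in `tick` are worth keeping in a real controller: failover is refused while the standby's own last probe failed (switching to a dead standby only loses the tunnel faster), and failback waits for a run of healthy probes rather than the first one, since a device that comes back and immediately drops again would otherwise tear down a working standby tunnel.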
CN202210605209.5A 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN Active CN115134216B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210605209.5A CN115134216B (en) 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210605209.5A CN115134216B (en) 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN

Publications (2)

Publication Number Publication Date
CN115134216A true CN115134216A (en) 2022-09-30
CN115134216B CN115134216B (en) 2024-04-12

Family

ID=83377946

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210605209.5A Active CN115134216B (en) 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN

Country Status (1)

Country Link
CN (1) CN115134216B (en)

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931610A (en) * 2009-06-22 2010-12-29 华为技术有限公司 Internet protocol security link protection method and device
US20130103836A1 (en) * 2011-10-21 2013-04-25 Joseph Garcia Baniqued Centralized Configuration with Dynamic Distributed Address Management
CN105704747A (en) * 2014-11-25 2016-06-22 中兴通讯股份有限公司 Method and device for base station to transmit control/service data reliably
US20160210209A1 (en) * 2015-01-15 2016-07-21 Cisco Technology, Inc. High availability and failover
CN106533884A (en) * 2016-11-28 2017-03-22 迈普通信技术股份有限公司 Message transmission method, convergence device, switch and VRRP system
CN110024432A (en) * 2016-11-29 2019-07-16 华为技术有限公司 X2 service transmission method and network device
CN111385180A (en) * 2018-12-28 2020-07-07 中国移动通信集团重庆有限公司 Communication tunnel construction method, device, equipment and medium
CN111835639A (en) * 2020-07-06 2020-10-27 杭州网银互联科技股份有限公司 SD-WAN network intelligent link selection method based on cloud computing
CN113542098A (en) * 2021-07-13 2021-10-22 中国电信股份有限公司 Method, system, device and storage medium for establishing and switching SD-WAN tunnel
CN113676493A (en) * 2021-09-29 2021-11-19 网宿科技股份有限公司 Communication method based on MOBIKE protocol and electronic equipment
CN114036576A (en) * 2021-10-29 2022-02-11 北京天融信网络安全技术有限公司 Method and device for recovering ipsec tunnel and readable storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GOKUL GEETHA NARAYANAN; RA.K SARAVANAGURU: "Securing VM Migration Through IPSec Tunneling and Onion Routing Algorithm", IEEE, 10 March 2019 (2019-03-10) *
Li Jie; Chen Zhen; Sun Wei; Zhou Qihua: "基于MPLS的VPN技术应用于企业网络出局线路备份的构想" (A concept for applying MPLS-based VPN technology to enterprise network outgoing-line backup), 通信技术 (Communications Technology), no. 05, 10 May 2019 (2019-05-10) *

Also Published As

Publication number Publication date
CN115134216B (en) 2024-04-12

Similar Documents

Publication Publication Date Title
US11777790B2 (en) Communications methods and apparatus for migrating a network interface and/or IP address from one Pod to another Pod in a Kubernetes system
CN107231221B (en) Method, device and system for controlling service flow among data centers
WO2015058626A1 (en) Virtual network function network elements management method, device and system
EP3677009A1 (en) Unified security policies across virtual private clouds with overlapping ip address blocks
CN102447583B (en) The method and device of the two-node cluster hot backup of network address translation apparatus
JP6389956B2 (en) Method and system for managing network traffic
US11588679B2 (en) System and method of establishing seamless remote access virtual private network connections
CN108011759B (en) VPN management method, device and system
CN111641582B (en) Safety protection method and device
CN110771097A (en) Connectivity monitoring for data tunneling between network device and application server
US20190199679A1 (en) Dynamically defining encryption spaces across multiple data centers
CN109743316B (en) Data transmission method, exit router, firewall and double firewall systems
CN115843429A (en) Method and apparatus for isolation support in network slicing
CN113676493B (en) Communication method based on MOBIKE protocol and electronic equipment
CN102983988B (en) Device proxy apparatus and network management apparatus
WO2021209189A1 (en) Server computer, method for providing an application, mobile communication network and method for providing access to a server computer
CN115134216A (en) Method, system and medium for protection and scheduling of different machine IPSEC tunnel depending on SDWAN
CN112189360A (en) Method and apparatus for operating and managing constrained devices within a network
CN106169982B (en) Method, device and system for processing expansion port
CN110995829A (en) Instance calling method and device and computer storage medium
CN116208483A (en) Method for realizing high-availability bare metal service, related device and storage medium
Raza et al. Highly available service access through proactive events execution in LTE NFV
CN112217913B (en) Method and device for negotiating IP address
CN116094868A (en) Selective formation and maintenance of tunnels within a mesh topology
CN112039854A (en) Data transmission method, device and storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant