CN115134216B - Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN - Google Patents


Info

Publication number: CN115134216B
Authority: CN (China)
Prior art keywords: service, ipsec, communication device, communication equipment, communication
Legal status: Active
Application number: CN202210605209.5A
Other languages: Chinese (zh)
Other versions: CN115134216A
Inventors: 郭永立, 梁海峰, 任利波
Current assignee: Hangzhou Cncr Information Technology Co ltd
Original assignee: Hangzhou Cncr Information Technology Co ltd
Events: application filed by Hangzhou Cncr Information Technology Co ltd; priority to CN202210605209.5A; publication of CN115134216A; application granted; publication of CN115134216B; legal status active


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/06 Management of faults, events, alarms or notifications
    • H04L 41/0654 Management of faults, events, alarms or notifications using network fault recovery
    • H04L 41/0663 Performing the actions predefined by failover planning, e.g. switching to standby network elements
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Mobile Radio Communication Systems (AREA)

Abstract

The application relates to a method, a system and a medium for protecting and scheduling a heterogeneous IPSEC tunnel by an SDWAN, wherein the method is applied to single-side path protection and comprises the following steps: respectively creating an IPSEC service on the first communication device and the second communication device through the upper management and control platform; assigning the IPSEC service on the first communication device the main service role, and assigning the IPSEC service on the second communication device the standby service role; monitoring the first communication device and the second communication device through the upper management and control platform, and if the main service on the first communication device cannot run, enabling the standby service on the second communication device and simultaneously disabling the main service.

Description

Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN
Technical Field
The application relates to the technical field of computer communication, in particular to a method, a system and a medium for protecting and scheduling a heterogeneous IPSEC tunnel by means of an SDWAN.
Background
At present, the protection scheme of the IPSEC tunnel is mainly aimed at the protection among different IPSEC tunnels in a single device, namely the single device monitors the configured tunnel connectivity and automatically switches the service to a standby tunnel after the connection of a main tunnel is disconnected.
No effective solution has yet been proposed in the related art for the problem that IPSEC tunnel protection schemes spanning multiple devices lack efficient management.
Disclosure of Invention
The embodiment of the application provides a method, a system and a medium for protecting and scheduling a heterogeneous (cross-device) IPSEC tunnel by an SDWAN (software defined WAN), so as to at least solve the problem that IPSEC tunnel protection schemes among multiple devices in the related art lack efficient management.
In a first aspect, an embodiment of the present application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel by using an SDWAN, where the method is applied to single-side path protection, and includes:
respectively creating an IPSEC service on the first communication device and the second communication device through the upper management and control platform;
the IPSEC service on the first communication equipment is distributed to be a main service role, and the IPSEC service on the second communication equipment is distributed to be a standby service role;
monitoring the first communication device and the second communication device through the upper management and control platform, and if it is detected that the main service on the first communication device cannot run, starting the standby service on the second communication device and simultaneously stopping the main service.
In some of these embodiments, creating, by the upper management platform, an IPSEC service on the first communication device and the second communication device respectively includes:
creating an IPSEC service through the upper management and control platform, judging whether the communication devices are online, issuing an IPSEC service to each of the first communication device and the second communication device once both are online, and configuring the protection parameters of the IPSEC service.
In some embodiments, assigning the IPSEC service on the first communication device the main service role and assigning the IPSEC service on the second communication device the standby service role includes:
assigning the IPSEC service on the first communication device the main service role, wherein the state of the main service is the enabled state;
and assigning the IPSEC service on the second communication device the standby service role, wherein the state of the standby service is the not-started state.
In some of these embodiments, monitoring, by the upper management platform, the first communication device and the second communication device comprises:
monitoring the first communication device and the second communication device through the upper management and control platform, and judging the running state of each communication device according to the return value of the protection parameters of the IPSEC service on that device.
In some of these embodiments, after enabling the standby service on the second communication device while disabling the active service, the method further comprises:
continuing to monitor the first communication device through the upper management and control platform, and if it is detected that the primary service on the first communication device has resumed operation, starting the primary service and simultaneously stopping the standby service on the second communication device.
In some of these embodiments, the role assignment data, the service delivery data, and the parameter configuration data are persisted to a local database.
In some of these embodiments, the communication device is a software defined wide area network based communication device.
In a second aspect, an embodiment of the present application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel based on an SDWAN, where the method is applied to full link path protection, and includes:
creating a corresponding IPSEC global service between a first link and a second link through an upper management and control platform, wherein the first link is composed of a plurality of communication devices, and the second link is also composed of a plurality of communication devices;
distributing an active global service role and a standby global service role for the IPSEC global service;
monitoring the first link and the second link through the upper management and control platform, and if the active global service between the links cannot run, enabling the standby global service between the links and simultaneously disabling the active global service.
In a third aspect, an embodiment of the present application provides a heterogeneous IPSEC tunnel protection scheduling system based on an SDWAN, where the system is applied to single-side path protection, and the system includes a service creation module and a service scheduling module;
the business creation module is used for creating an IPSEC business on the first communication equipment and the second communication equipment through the upper management and control platform respectively; the IPSEC service on the first communication equipment is distributed to be a main service role, and the IPSEC service on the second communication equipment is distributed to be a standby service role;
the service scheduling module is configured to monitor, through the upper management and control platform, the first communication device and the second communication device, and if it is monitored that the primary service on the first communication device cannot operate, enable the standby service on the second communication device, and simultaneously disable the primary service.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium, where a computer program is stored, where the program when executed by a processor implements the method for heterogeneous IPSEC tunnel protection scheduling based on an SDWAN according to the first and second aspects above.
Compared with the related art, the method, the system and the medium for protecting and scheduling the heterogeneous IPSEC tunnel by the SDWAN are provided, wherein the method is applied to single-side path protection, and an IPSEC service is respectively created on the first communication equipment and the second communication equipment through an upper management and control platform; the IPSEC service on the first communication equipment is distributed to be a main service role, and the IPSEC service on the second communication equipment is distributed to be a standby service role; monitoring the first communication equipment and the second communication equipment through the upper management control platform, if the main service on the first communication equipment cannot be operated, enabling the standby service on the second communication equipment, and simultaneously disabling the main service, thereby solving the problem that an IPSEC tunnel protection scheme among multiple equipment lacks efficient management, realizing monitoring the IPSEC tunnel states of different equipment through the upper management control platform, and improving the management efficiency of IPSEC tunnel protection in a multi-equipment scene.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
fig. 1 is a flowchart of steps of a method for protecting and scheduling a heterogeneous IPSEC tunnel by an SDWAN according to an embodiment of the present application;
fig. 2 is a second step flowchart of a heterogeneous IPSEC tunnel protection scheduling method based on an SDWAN according to an embodiment of the present application;
fig. 3 is a block diagram of a heterogeneous IPSEC tunnel protection scheduling system based on an SDWAN according to an embodiment of the present application;
fig. 4 is a schematic diagram of an internal structure of an electronic device according to an embodiment of the present application.
Reference numerals in the drawings: 31, service creation module; 32, service scheduling module.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described and illustrated below with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden on the person of ordinary skill in the art based on the embodiments provided herein, are intended to be within the scope of the present application.
It is apparent that the drawings in the following description are only some examples or embodiments of the present application, and it is possible for those of ordinary skill in the art to apply the present application to other similar situations according to these drawings without inventive effort. Moreover, it should be appreciated that while such a development effort might be complex and lengthy, it would nevertheless be a routine undertaking of design, fabrication, or manufacture for those of ordinary skill having the benefit of this disclosure, and thus should not be construed as having the benefit of this disclosure.
Reference in the specification to "an embodiment" means that a particular feature, structure, or characteristic described in connection with the embodiment may be included in at least one embodiment of the application. The appearances of such phrases in various places in the specification are not necessarily all referring to the same embodiment, nor are separate or alternative embodiments mutually exclusive of other embodiments. It is to be expressly and implicitly understood by those of ordinary skill in the art that the embodiments described herein can be combined with other embodiments without conflict.
Unless defined otherwise, technical or scientific terms used herein should be given the ordinary meaning as understood by one of ordinary skill in the art to which this application belongs. Reference to "a," "an," "the," and similar terms herein do not denote a limitation of quantity, but rather denote the singular or plural. The terms "comprising," "including," "having," and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, article, or apparatus that comprises a list of steps or modules (elements) is not limited to only those steps or elements but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus. The terms "connected," "coupled," and the like in this application are not limited to physical or mechanical connections, but may include electrical connections, whether direct or indirect. The term "plurality" as used herein refers to two or more. "and/or" describes an association relationship of an association object, meaning that there may be three relationships, e.g., "a and/or B" may mean: a exists alone, A and B exist together, and B exists alone. The character "/" generally indicates that the context-dependent object is an "or" relationship. The terms "first," "second," "third," and the like, as used herein, are merely distinguishing between similar objects and not representing a particular ordering of objects.
The embodiment of the application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel by an SDWAN, and fig. 1 is a step flow chart I of the method for protecting and scheduling the heterogeneous IPSEC tunnel by the SDWAN according to the embodiment of the application, as shown in fig. 1, the method is applied to single-side path protection and comprises the following steps:
step S102, respectively creating an IPSEC service on a first communication device and a second communication device through an upper management platform;
specifically, an IPSEC service is created through the upper management and control platform, it is judged whether the communication devices are online, and once the first communication device and the second communication device are online an IPSEC service is issued to each of them and the protection parameters of the IPSEC service are configured. The protection parameter defines two return modes, namely returning a return value and returning no value. The return value of the protection parameter is what the upper management and control platform uses to judge the running condition of the IPSEC service on the communication device.
It should be noted that the first communication device and the second communication device are communication devices under a software defined wide area network (Software Defined Wide Area Network, SDWAN). SDWAN is a service formed by applying SDN technology to wide area network scenarios, and is used to connect enterprise networks, data centers, internet applications and cloud services over a wide geographic range. Furthermore, IPSEC (Internet Protocol Security) is a family of network-layer secure communication protocols built on cryptography. IPSEC does not denote one specific protocol but an open family of protocols. The design objective of the IPSEC protocol family is to provide flexible security services for network flows in IPv4 and IPv6 environments. An IPSEC VPN is a secure virtual private network built on the IPSEC protocol family and realized at the IP layer: the security of upper-layer OSI protocol data is ensured by inserting a predefined header into the data packet, and it is mainly used to protect TCP, UDP, ICMP and tunnelled IP packets.
Step S104, the IPSEC service on the first communication equipment is distributed to be a main service role, and the IPSEC service on the second communication equipment is distributed to be a standby service role;
specifically, the IPSEC service on the first communication equipment is distributed to be a main service role, and the state of the main service is an enabled state; and distributing the IPSEC service on the second communication equipment into a standby service role, wherein the state of the standby service is an inactive state.
And step S106, monitoring the first communication equipment and the second communication equipment through the upper layer control platform, and if the monitoring shows that the main service on the first communication equipment cannot be operated, starting the standby service on the second communication equipment and simultaneously stopping the main service.
Specifically, the upper layer control platform monitors the first communication device and the second communication device, and judges the running state of the communication device according to the return value of the protection parameter of the IPSEC service in the communication device. If the return value of the protection parameter is monitored to be the information of disconnection or degradation of the active service, the running state of the communication equipment is abnormal, namely the active service on the communication equipment cannot run. In this case, the standby service on the second communication device is enabled while the active service is disabled.
Preferably, after step S106, the upper management platform continues to monitor the first communication device, and if it is monitored that the active service on the first communication device resumes operation, the active service is started, and the standby service on the second communication device is stopped.
Through step S102 to step S106 in the embodiment of the application, the problem that an IPSEC tunnel protection scheme among multiple devices lacks efficient management is solved, the IPSEC tunnel states of different devices are monitored through an upper management control platform, and the management efficiency of IPSEC tunnel protection in a multi-device scene is improved.
The embodiment of the application provides a method for protecting and scheduling a heterogeneous IPSEC tunnel by an SDWAN, and fig. 2 is a step flow chart II of the method for protecting and scheduling a heterogeneous IPSEC tunnel by an SDWAN according to the embodiment of the application, as shown in fig. 2, the method is applied to full link path protection, and comprises the following steps:
step S202, creating a corresponding IPSEC global service between a first link and a second link through an upper management platform, wherein the first link is composed of a plurality of communication devices, and the second link is also composed of a plurality of communication devices;
specifically, a corresponding IPSEC global service is created between the first link and the second link through the upper management and control platform, and the protection parameters of the IPSEC global service are configured. The protection parameter defines two return modes, namely returning a return value and returning no value. The return value is what the upper management and control platform uses to judge the running condition of the IPSEC global service.
It should be noted that an IPSEC global service refers to an end-to-end service (i.e. a pair of single-point services). For example: the corporate headquarters has a communication device A and a communication device B, and the branch office has a communication device C and a communication device D; communication device A is connected to communication device C, communication device B is connected to communication device D, and IPSEC services are established on A, B, C and D; then the two IPSEC services on communication device A and communication device C constitute one IPSEC global service, and the two IPSEC services on communication device B and communication device D constitute another IPSEC global service.
Step S204, distributing a main global service role and a standby global service role for IPSEC global service;
specifically, the state of the active global service is an enabled state; the state of the standby global service is the inactive state.
In step S206, the upper management platform monitors the first link and the second link, and if it is monitored that the active global service between the links cannot be operated, the standby global service between the links is activated, and the active global service is deactivated.
Specifically, the upper management and control platform monitors the communication devices in the first link and the second link, and judges the running state of the communication devices according to the return value of the protection parameter of the IPSEC global service. If the return value of the protection parameter is found to carry information that the active global service is disconnected or degraded, the running state of the communication devices is abnormal, namely the active global service on those devices cannot run. In this case, the standby global service between the links is enabled while the active global service is disabled.
Preferably, after step S206, the upper management platform continues to monitor the communication devices in the first link and the second link, and if it is detected that the active global service has resumed operation, the active global service is started and the standby global service between the links is stopped.
Through step S202 to step S206 in the embodiment of the application, the problem that an IPSEC tunnel protection scheme among multiple devices lacks efficient management is solved, the IPSEC tunnel states of different devices are monitored through an upper management control platform, and the management efficiency of IPSEC tunnel protection in a multi-device scene is improved.
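As an added illustration (not code from the patent or from the assignee), the following Python models the platform-side scheduling of steps S102 to S106 (single-side path protection) and S202 to S206 (full-link protection) in one small controller: a service is issued to one endpoint device, or to the two paired endpoints of a global service; the protection-parameter return values reported by the devices decide whether the active service can run; the standby is enabled and the active disabled on failure, and the reverse happens on recovery, as the description prefers; role and state data are persisted to a local database. The device names (D1, D2, A to D), the return-value strings "up", "degraded" and "disconnected", the use of an in-memory SQLite database as the local database, and the choice to treat a missing return as a failure are all assumptions of this example, not details given by the patent.

```python
import sqlite3
from dataclasses import dataclass, field

# Return values a device may report for the protection parameter. The patent
# only says the value carries disconnection or degradation information; the
# strings themselves are constructed for this example.
BAD_RETURNS = {"disconnected", "degraded"}


@dataclass
class Service:
    """An IPSEC service issued by the management platform.
    A single-side service (S102) has one endpoint device; an IPSEC global
    service (S202) has two, the paired endpoints of one end-to-end tunnel."""
    name: str
    endpoints: tuple
    enabled: bool


@dataclass
class ProtectionGroup:
    """An active service and its standby, scheduled as a pair."""
    name: str
    active: Service
    standby: Service
    log: list = field(default_factory=list)

    def serving(self):
        """Name of the service currently carrying traffic."""
        return self.active.name if self.active.enabled else self.standby.name


def can_run(service, returns):
    """Judge the running state from the protection-parameter return values.
    The service can run only if every endpoint returned a value and none of
    them reported disconnection or degradation. Treating a missing return as
    a failure is an assumption of this example, not something the patent states."""
    return all(
        returns.get(dev) is not None and returns[dev] not in BAD_RETURNS
        for dev in service.endpoints
    )


def schedule(group, returns):
    """One monitoring cycle of S106/S206: fail over when the active service
    cannot run, and (as the description prefers) fail back once it recovers."""
    active_ok = can_run(group.active, returns)
    if group.active.enabled and not active_ok:
        group.standby.enabled = True   # enable the standby service
        group.active.enabled = False   # and disable the active one
        group.log.append(f"{group.name}: failover to {group.standby.name}")
    elif not group.active.enabled and active_ok:
        group.active.enabled = True    # active service resumed: fail back
        group.standby.enabled = False
        group.log.append(f"{group.name}: fail-back to {group.active.name}")
    return group.serving()


def persist(conn, group):
    """Persist role assignment and service state to the local database
    (an in-memory SQLite database stands in for the platform's local DB)."""
    conn.execute(
        "CREATE TABLE IF NOT EXISTS roles (grp TEXT, service TEXT, role TEXT,"
        " endpoints TEXT, enabled INTEGER, PRIMARY KEY (grp, service))"
    )
    rows = [
        (group.name, s.name, role, ",".join(s.endpoints), int(s.enabled))
        for s, role in ((group.active, "active"), (group.standby, "standby"))
    ]
    conn.executemany("INSERT OR REPLACE INTO roles VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()


def run_demo():
    """Constructed scenario: a single-side pair on devices D1/D2 and a
    full-link pair (A-C active, B-D standby), polled four times.
    Returns the serving service after each poll, the event log, and the
    enabled flags persisted after the last poll."""
    single = ProtectionGroup("single-side",
                             Service("svc-D1", ("D1",), True),
                             Service("svc-D2", ("D2",), False))
    full = ProtectionGroup("full-link",
                           Service("global-AC", ("A", "C"), True),
                           Service("global-BD", ("B", "D"), False))
    healthy = {"D1": "up", "D2": "up", "A": "up", "B": "up", "C": "up", "D": "up"}
    polls = [  # constructed protection-parameter returns, one dict per poll
        dict(healthy),
        {**healthy, "D1": "disconnected", "C": "degraded"},
        {**healthy, "D1": "disconnected"},
        dict(healthy),
    ]
    conn = sqlite3.connect(":memory:")
    history = {single.name: [], full.name: []}
    for returns in polls:
        for group in (single, full):
            history[group.name].append(schedule(group, returns))
            persist(conn, group)
    enabled = dict(conn.execute("SELECT service, enabled FROM roles"))
    conn.close()
    return history, single.log + full.log, enabled


if __name__ == "__main__":
    for line in run_demo()[1]:
        print(line)
```

In the scenario, D1 losing its tunnel moves the single-side group to svc-D2 for two polls, while a single degraded endpoint (C) is enough to move the full-link group to the B-D global service for one poll, since a global service can run only when both of its paired endpoints report healthy.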
It should be noted that the steps illustrated in the above-described flow or flow diagrams of the figures may be performed in a computer system, such as a set of computer-executable instructions, and that, although a logical order is illustrated in the flow diagrams, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the application provides a heterogeneous IPSEC tunnel protection and scheduling system based on an SDWAN, and fig. 3 is a structural block diagram of the heterogeneous IPSEC tunnel protection and scheduling system based on the SDWAN according to the embodiment of the application, as shown in fig. 3, the system is applied to single-side path protection and comprises a service creation module 31 and a service scheduling module 32;
a service creation module 31, configured to create an IPSEC service on the first communication apparatus and the second communication apparatus respectively through the upper management platform; the IPSEC service on the first communication equipment is distributed to be a main service role, and the IPSEC service on the second communication equipment is distributed to be a standby service role;
the service scheduling module 32 is configured to monitor, through the upper management platform, the first communication device and the second communication device, and if it is monitored that the active service on the first communication device cannot be operated, enable the standby service on the second communication device, and simultaneously disable the active service.
By the service creation module 31 and the service scheduling module 32 in the embodiment of the application, the problem that an IPSEC tunnel protection scheme among multiple devices lacks efficient management is solved, the IPSEC tunnel states of different devices are monitored through an upper management control platform, and the management efficiency of IPSEC tunnel protection in a multi-device scene is improved.
The above-described respective modules may be functional modules or program modules, and may be implemented by software or hardware. For modules implemented in hardware, the various modules described above may be located in the same processor; or the above modules may be located in different processors in any combination.
The present embodiment also provides an electronic device comprising a memory having stored therein a computer program and a processor arranged to run the computer program to perform the steps of any of the method embodiments described above.
Optionally, the electronic apparatus may further include a transmission device and an input/output device, where the transmission device is connected to the processor, and the input/output device is connected to the processor.
It should be noted that, specific examples in this embodiment may refer to examples described in the foregoing embodiments and alternative implementations, and this embodiment is not repeated herein.
In addition, in combination with the method for protecting and scheduling the heterogeneous IPSEC tunnel by the SDWAN in the above embodiments, the embodiment of the present application may provide a storage medium for its implementation. The storage medium has a computer program stored thereon; the computer program, when executed by the processor, implements any of the above embodiments of the SDWAN-based heterogeneous IPSEC tunnel protection scheduling method.
In one embodiment, a computer device is provided, which may be a terminal. The computer device includes a processor, a memory, a network interface, a display screen and an input device connected by a system bus. The processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system and a computer program. The internal memory provides an environment for the operation of the operating system and the computer program in the non-volatile storage medium. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by the processor, realizes a heterogeneous IPSEC tunnel protection scheduling method based on the SDWAN. The display screen of the computer device may be a liquid crystal display or an electronic ink display, and the input device of the computer device may be a touch layer covering the display screen, keys, a track ball or a touch pad arranged on the housing of the computer device, or an external keyboard, touch pad, mouse or the like.
In one embodiment, fig. 4 is a schematic diagram of an internal structure of an electronic device according to an embodiment of the present application, as shown in fig. 4, and an electronic device, which may be a server, may be provided, and an internal structure diagram thereof may be shown in fig. 4. The electronic device includes a processor, a network interface, an internal memory, and a non-volatile memory connected by an internal bus, where the non-volatile memory stores an operating system, computer programs, and a database. The processor is used for providing computing and control capability, the network interface is used for communicating with an external terminal through network connection, the internal memory is used for providing environment for the operation system and the running of the computer program, the computer program is executed by the processor to realize a heterogeneous IPSEC tunnel protection scheduling method based on an SDWAN, and the database is used for storing data.
It will be appreciated by those skilled in the art that the structure shown in fig. 4 is merely a block diagram of a portion of the structure associated with the present application and is not limiting of the electronic device to which the present application is applied, and that a particular electronic device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, storage, database, or other medium used in the various embodiments provided herein may include non-volatile and/or volatile memory. The nonvolatile memory can include Read Only Memory (ROM), programmable ROM (PROM), electrically Programmable ROM (EPROM), electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double Data Rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous Link DRAM (SLDRAM), memory bus direct RAM (RDRAM), direct memory bus dynamic RAM (DRDRAM), and memory bus dynamic RAM (RDRAM), among others.
It should be understood by those skilled in the art that the technical features of the above-described embodiments may be combined in any manner; for brevity, not all possible combinations of these technical features are described, but any combination that contains no contradiction should be considered within the scope of this description.
The above examples represent only a few embodiments of the present application; they are described in some detail but are not to be construed as limiting the scope of the invention. It should be noted that those skilled in the art could make various modifications and improvements without departing from the spirit of the present application, and such modifications and improvements fall within the scope of the present application. Accordingly, the scope of protection of the present application is determined by the appended claims.

Claims (9)

1. A heterogeneous IPSEC tunnel protection scheduling method based on SDWAN, characterized in that it is applied to single-side path protection and comprises the following steps:
creating one IPSEC service on each of the first communication device and the second communication device through the upper management and control platform;
assigning the IPSEC service on the first communication device the main service role, the state of the main service being enabled; assigning the IPSEC service on the second communication device the standby service role, the state of the standby service being disabled; wherein the first communication device communicates with a third communication device through the IPSEC service in the main service role, and the second communication device communicates with a fourth communication device through the IPSEC service in the standby service role;
monitoring the first communication device and the second communication device through the upper management and control platform, and, if it is detected that the main service on the first communication device cannot run, enabling the standby service on the second communication device while simultaneously disabling the main service.
2. The method of claim 1, wherein creating one IPSEC service on each of the first communication device and the second communication device through the upper management and control platform comprises:
establishing the IPSEC service through the upper management and control platform, judging whether the communication devices are online, issuing one IPSEC service to each of the first communication device and the second communication device after both are online, and configuring the protection parameters of the IPSEC service.
3. The method of claim 2, wherein monitoring the first communication device and the second communication device through the upper management and control platform comprises:
monitoring the first communication device and the second communication device through the upper management and control platform, and judging the running state of each communication device according to the return value of the protection parameters of the IPSEC service on that communication device.
4. The method of claim 1, wherein after enabling the standby service on the second communication device while disabling the main service, the method further comprises:
continuing to monitor the first communication device through the upper management and control platform, and, if it is detected that the main service on the first communication device has resumed operation, enabling the main service while simultaneously disabling the standby service on the second communication device.
5. The method according to any of claims 1-4, characterized in that the role assignment data, the service issuing data, and the parameter configuration data are persisted in a local database.
6. The method according to any of claims 1-4, wherein the communication device is a software-defined wide area network (SDWAN) based communication device.
7. A heterogeneous IPSEC tunnel protection scheduling method based on SDWAN, characterized in that it is applied to full-link path protection and comprises the following steps:
a first link comprises a communication device A and a communication device B, and a second link comprises a communication device C and a communication device D, wherein communication device A and communication device C are connected and communicate by means of a software-defined wide area network (SDWAN), and communication device B and communication device D are connected and communicate by means of the software-defined wide area network (SDWAN);
creating an IPSEC service on each of communication device A and communication device C through the upper management and control platform to form a first IPSEC global service, and creating an IPSEC service on each of communication device B and communication device D through the upper management and control platform to form a second IPSEC global service;
assigning the first IPSEC global service the main global service role and assigning the second IPSEC global service the standby global service role, wherein the state of the main global service is enabled and the state of the standby global service is disabled;
monitoring the first link and the second link through the upper management and control platform, and, if the main global service between the links cannot run, enabling the standby global service between the links while simultaneously disabling the main global service.
8. A heterogeneous IPSEC tunnel protection scheduling system based on SDWAN, characterized in that it is applied to single-side path protection and comprises a service creation module and a service scheduling module;
the service creation module is used for creating one IPSEC service on each of the first communication device and the second communication device through the upper management and control platform; assigning the IPSEC service on the first communication device the main service role, the state of the main service being enabled; assigning the IPSEC service on the second communication device the standby service role, the state of the standby service being disabled; wherein the first communication device communicates with a third communication device through the IPSEC service in the main service role, and the second communication device communicates with a fourth communication device through the IPSEC service in the standby service role;
the service scheduling module is used for monitoring the first communication device and the second communication device through the upper management and control platform, and, if it is detected that the main service on the first communication device cannot run, enabling the standby service on the second communication device while simultaneously disabling the main service.
9. A computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements the SDWAN-based heterogeneous IPSEC tunnel protection scheduling method according to any of claims 1 to 7.
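The scheduling behaviour that claims 1 to 7 describe (issue an IPSEC service to each device only once it is online, assign one side the main role and the other the standby role, poll the protection parameters, fail over when the main service stops running, and fail back when it recovers) can be exercised as a small simulation. The following is an added example and not code from the patent or its applicant; the device names, the `probe` callable standing in for the protection-parameter return value, and every class and method name are assumptions. It generalises the two claimed cases by modelling a single-side IPSEC service as a global service with one device per side and a full-link global service as one with two devices per side, so the same scheduler serves claims 1-4 and claim 7.

```python
"""Simulation of the active/standby IPSEC service scheduler in claims 1-7.

Constructed example, not the patent's code: the device names, the probe
callable and every class/method name are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Role(Enum):
    ACTIVE = "active"    # main service role (claim 1) / main global service (claim 7)
    STANDBY = "standby"  # standby service role


@dataclass
class IpsecGlobalService:
    """One IPSEC service (single-side: one device) or one global service
    (full-link: both devices of a link) plus its protection parameters."""
    devices: Tuple[str, ...]
    role: Role
    enabled: bool
    params: Dict[str, str] = field(default_factory=dict)


@dataclass
class ProtectionGroup:
    active: IpsecGlobalService
    standby: IpsecGlobalService
    log: List[str] = field(default_factory=list)  # scheduling decisions taken


# Stand-in for "the return value of the protection parameters" (claim 3):
# True when the device reports its IPSEC service running.  Assumed interface.
Probe = Callable[[str], bool]


class ControlPlatform:
    """Upper management-and-control platform (constructed simulation)."""

    def __init__(self, online: Dict[str, bool], probe: Probe):
        self.online = online  # device name -> currently online?
        self.probe = probe
        self.groups: Dict[str, ProtectionGroup] = {}

    def create_protection(self, name: str, active_devs, standby_devs, params):
        """Claims 1-2 / 7: issue the service only once every device is online,
        then assign roles; the main side starts enabled, the standby disabled."""
        for dev in (*active_devs, *standby_devs):
            if not self.online.get(dev, False):
                raise RuntimeError(f"{dev} is offline; cannot issue IPSEC service")
        active = IpsecGlobalService(tuple(active_devs), Role.ACTIVE, True, dict(params))
        standby = IpsecGlobalService(tuple(standby_devs), Role.STANDBY, False, dict(params))
        self.groups[name] = ProtectionGroup(active, standby)
        return self.groups[name]

    def _running(self, svc: IpsecGlobalService) -> bool:
        # A global service runs only if every device on its link is running.
        return all(self.probe(dev) for dev in svc.devices)

    def monitor(self, name: str) -> Tuple[str, ...]:
        """One monitoring pass.  Claim 1: main down -> enable standby, disable
        main.  Claim 4: main recovered -> enable main, disable standby.
        Otherwise leave roles untouched, so a still-failed main never flaps."""
        g = self.groups[name]
        active_ok = self._running(g.active)
        if g.active.enabled and not active_ok:
            g.standby.enabled, g.active.enabled = True, False
            g.log.append(f"failover {g.active.devices} -> {g.standby.devices}")
        elif g.standby.enabled and active_ok:
            g.active.enabled, g.standby.enabled = True, False
            g.log.append(f"failback {g.standby.devices} -> {g.active.devices}")
        return self.serving(name)

    def serving(self, name: str) -> Tuple[str, ...]:
        """Devices whose service is enabled; exactly one side at any time."""
        g = self.groups[name]
        enabled = [s for s in (g.active, g.standby) if s.enabled]
        assert len(enabled) == 1, "exactly one side must carry the traffic"
        return enabled[0].devices


if __name__ == "__main__":
    # Constructed full-link scenario (claim 7): link 1 = A,C and link 2 = B,D.
    health = {"A": True, "B": True, "C": True, "D": True}
    platform = ControlPlatform({d: True for d in health}, lambda d: health[d])
    platform.create_protection("full-link", ["A", "C"], ["B", "D"], {"dpd_interval": "10"})
    print(platform.monitor("full-link"))  # ('A', 'C')
    health["C"] = False                   # far end of link 1 stops running
    print(platform.monitor("full-link"))  # ('B', 'D')
    health["C"] = True                    # link 1 recovers: fail back
    print(platform.monitor("full-link"))  # ('A', 'C')
    print(platform.groups["full-link"].log)
```

The invariant checked in `serving` is the security-relevant one: at every point exactly one side is enabled, so traffic is never carried over both tunnels at once and never over neither. The claim 4 fail-back is deliberately gated on the main side being both recovered and currently disabled, which avoids toggling on every poll while the main service is still down.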
CN202210605209.5A 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN Active CN115134216B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210605209.5A CN115134216B (en) 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210605209.5A CN115134216B (en) 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN

Publications (2)

Publication Number Publication Date
CN115134216A CN115134216A (en) 2022-09-30
CN115134216B true CN115134216B (en) 2024-04-12

Family

ID=83377946

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210605209.5A Active CN115134216B (en) 2022-05-30 2022-05-30 Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN

Country Status (1)

Country Link
CN (1) CN115134216B (en)

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101931610A (en) * 2009-06-22 2010-12-29 华为技术有限公司 Internet protocol security link protection method and device
CN105704747A (en) * 2014-11-25 2016-06-22 中兴通讯股份有限公司 Method and device for base station to transmit control/service data reliably
CN106533884A (en) * 2016-11-28 2017-03-22 迈普通信技术股份有限公司 Message transmission method, convergence device, switch and VRRP system
CN110024432A (en) * 2016-11-29 2019-07-16 华为技术有限公司 A kind of X2 business transmitting method and the network equipment
CN111385180A (en) * 2018-12-28 2020-07-07 中国移动通信集团重庆有限公司 Communication tunnel construction method, device, equipment and medium
CN111835639A (en) * 2020-07-06 2020-10-27 杭州网银互联科技股份有限公司 SD-WAN network intelligent link selection method based on cloud computing
CN113542098A (en) * 2021-07-13 2021-10-22 中国电信股份有限公司 Method, system, device and storage medium for establishing and switching SD-WAN tunnel
CN113676493A (en) * 2021-09-29 2021-11-19 网宿科技股份有限公司 Communication method based on MOBIKE protocol and electronic equipment
CN114036576A (en) * 2021-10-29 2022-02-11 北京天融信网络安全技术有限公司 Method and device for recovering ipsec tunnel and readable storage medium

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9137198B2 (en) * 2011-10-21 2015-09-15 Hewlett-Packard Development Company, L.P. Centralized configuration with dynamic distributed address management
US10061664B2 (en) * 2015-01-15 2018-08-28 Cisco Technology, Inc. High availability and failover

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
Gokul Geetha Narayanan; RA.K Saravanaguru. Securing VM Migration Through IPSec Tunneling and Onion Routing Algorithm. IEEE. 2019, full text. *
Conception of applying MPLS-based VPN technology to backup of enterprise network outgoing lines; 李洁; 陈震; 孙蔚; 周岐华; Communications Technology; 2019-05-10 (No. 05); full text *

Also Published As

Publication number Publication date
CN115134216A (en) 2022-09-30

Similar Documents

Publication Publication Date Title
CN112470436B (en) Systems, methods, and computer-readable media for providing multi-cloud connectivity
CN105610632B (en) Virtual network equipment and related method
CN113596191B (en) Data processing method, network element equipment and readable storage medium
CA3143848A1 (en) Network validation
US11588679B2 (en) System and method of establishing seamless remote access virtual private network connections
CN109450905B (en) Method, device and system for transmitting data
CN109104364B (en) Designated forwarder election method and device
KR20160122992A (en) Integrative Network Management Method and Apparatus for Supplying Connection between Networks Based on Policy
CN102447583B (en) The method and device of the two-node cluster hot backup of network address translation apparatus
CN111935017B (en) Cross-network application calling method and device and routing equipment
CN112367252B (en) Method and device for realizing disaster recovery backup
US20220408345A1 (en) Applying rules for routing outgoing traffic at a user device
US10708223B2 (en) Dynamically defining encryption spaces across multiple data centers
US20180262387A1 (en) Restoring control-plane connectivity with a network management entity
CN115225493B (en) Configuration generation method and device of networking node based on wireless
US10511544B2 (en) Path computation element protocol response and simple network management protocol confirmation for tunnel configuration
CN109743316B (en) Data transmission method, exit router, firewall and double firewall systems
CN113676493A (en) Communication method based on MOBIKE protocol and electronic equipment
CN114365454B (en) Distribution of stateless security functions
CN111130978B (en) Network traffic forwarding method and device, electronic equipment and machine-readable storage medium
CN115134216B (en) Method, system and medium for protecting and scheduling different IPSEC tunnel based on SDWAN
CN113472622A (en) Method and equipment for transmitting service in network
CN113824789B (en) Configuration method, device, equipment and storage medium of access descriptor
EP4181431A1 (en) Service transmission method and apparatus, network device, and storage medium
CN110086702B (en) Message forwarding method and device, electronic equipment and machine-readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant