CN115314308A - Tunnel detection system, method and device, electronic equipment and storage medium - Google Patents

Tunnel detection system, method and device, electronic equipment and storage medium

Info

Publication number
CN115314308A
CN115314308A (application CN202210961955.8A)
Authority
CN
China
Prior art keywords
tunnel
source
information
target
ipsec
Prior art date
Legal status
Pending
Application number
CN202210961955.8A
Other languages
Chinese (zh)
Inventor
王微
石亚磊
王耀杰
Current Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Original Assignee
Beijing Topsec Technology Co Ltd
Beijing Topsec Network Security Technology Co Ltd
Beijing Topsec Software Co Ltd
Priority date
Filing date
Publication date
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202210961955.8A
Publication of CN115314308A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 43/00 Arrangements for monitoring or testing data switching networks
    • H04L 43/08 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters
    • H04L 43/0805 Monitoring or testing based on specific metrics, e.g. QoS, energy consumption or environmental parameters by checking availability

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Environmental & Geological Engineering (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application belongs to the technical field of communication and discloses a system, a method, a device, electronic equipment and a storage medium for tunnel detection. The method comprises: receiving a tunnel detection request message sent by a source device; acquiring the source tunnel information in the tunnel detection request message; comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result; comparing a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result; and sending a tunnel detection response message to the source device based on the first comparison result and the second comparison result. Detection is thus based on both the tunnel information and the tunnel state, which improves the accuracy of the tunnel detection.

Description

Tunnel detection system, method and device, electronic equipment and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a system, a method, an apparatus, an electronic device, and a storage medium for tunnel detection.
Background
Internet Protocol Security (IPsec) provides security services at the Internet Protocol (IP) layer to protect one or more paths (IPsec tunnels) between two devices, for example between two security gateways. A Security Association (SA) is a logical connection that provides security services to a particular data flow; IPsec data traffic is protected by its SAs.
For example, several IPsec tunnels may be established between a source device and a target device. In the terminology used here, each IPsec tunnel corresponds to a pair of IPsec SAs: one in the source device (the source IPsec SA) and one in the target device (the target IPsec SA). During communication it is usually necessary to probe the IPsec tunnels between the devices to determine whether they can still carry traffic.
In the prior art, a probe request message is sent from each source IPsec SA to the corresponding target IPsec SA, and each IPsec tunnel is judged normal or abnormal according to whether the source IPsec SA receives a probe response message from the target IPsec SA. However, a probe of this kind only tests whether a response arrives, and the detection result obtained this way is often inaccurate.
Disclosure of Invention
Embodiments of the present application provide a system, a method, an apparatus, an electronic device, and a storage medium for detecting a tunnel, so as to improve accuracy of a detection result when the tunnel is detected.
On one hand, a system for detecting tunnels is provided, which comprises a source device and a target device, wherein the target device comprises a target IKE negotiation process, a target IPSecSA and a target security database, the source device comprises a source IPSecSA, at least one IPSec tunnel is established between the source device and the target device, and each IPSec tunnel corresponds to a pair of the source IPSecSA and the target IPSecSA;
the source device is to: acquiring source tunnel information of an IPSec tunnel, sending a tunnel detection request message containing the source tunnel information to target equipment, and receiving a tunnel detection response message returned by the target equipment;
the target device is to: obtain the source tunnel information in the tunnel detection request message, compare the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result, compare a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result, and send a tunnel detection response message to the source device based on the first comparison result and the second comparison result, wherein the first tunnel state and the second tunnel state are both tunnel states of the IPSec tunnel under detection.
In one embodiment, the source device is specifically configured to:
if there are multiple IPSec tunnels, sending a tunnel detection request message containing the source tunnel information of the multiple IPSec tunnels to the target device;
and receiving a tunnel detection response message which is returned by the target equipment and contains the status detection result of each IPSec tunnel.
In one embodiment, the source device further includes a source security database, a source IKE negotiation process, and a first local database; the source device is specifically configured to:
comparing the source tunnel information in the source IKE negotiation process with first tunnel information in the first local database and with second tunnel information in the source security database, respectively;
if at least one of the first tunnel information and the second tunnel information is determined to be inconsistent with the source tunnel information, generating tunnel abnormal information, and sending a tunnel detection request message containing the source tunnel information and the tunnel abnormal information to the target device;
otherwise, sending the tunnel detection request message containing the source tunnel information to the target equipment.
In one embodiment, the target device is further provided with a second local database, the target tunnel information includes third tunnel information in the second local database and fourth tunnel information in the target security database, and the target device is specifically configured to:
decrypting the tunnel detection request message;
acquiring source tunnel information contained in the decrypted tunnel detection request message;
if the tunnel detection request message is determined not to contain tunnel abnormality information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and with the fourth tunnel information respectively to obtain a first comparison result;
and if the source tunnel information is consistent with the target tunnel information according to the first comparison result, comparing the first tunnel state with the second tunnel state to obtain a second comparison result.
In one embodiment, the target device is further configured to:
if the tunnel detection request message is determined to contain the tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
In one aspect, a method for detecting a tunnel is provided, which is applied to a target device, where the target device includes a target IKE negotiation process, a target IPSec SA and a target security database, and the method includes:
receiving a tunnel detection request message sent by a source device; the tunnel detection request message comprises source tunnel information of the IPSec tunnels established between the source device and the target device, each IPSec tunnel corresponds to a pair of source IPSecSA and target IPSecSA, and the source IPSecSA is located in the source device;
acquiring the source tunnel information in the tunnel detection request message;
comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result;
comparing a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result; the first tunnel state and the second tunnel state are both tunnel states of the IPSec tunnel under detection;
and sending a tunnel detection response message to the source device based on the first comparison result and the second comparison result.
In the implementation process, the tunnel detection is carried out through the tunnel information and the tunnel state, so that the accuracy of the tunnel detection is improved.
In one embodiment, comparing the target tunnel information of the locally stored IPSec tunnel with the source tunnel information to obtain a first comparison result, includes:
if there are multiple IPSec tunnels, comparing the source tunnel information and the target tunnel information of each IPSec tunnel respectively to obtain a first comparison result for each IPSec tunnel;
and comparing a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result includes:
if there are multiple IPSec tunnels, comparing the first tunnel state and the second tunnel state corresponding to each IPSec tunnel respectively to obtain a second comparison result for each IPSec tunnel.
In this implementation, one message carrying the source tunnel information of all the IPSec tunnels is used for detection, which reduces the system and transmission resources consumed.
In one embodiment, the target device further includes a second local database, the target tunnel information includes third tunnel information in the second local database and fourth tunnel information in the target security database, and comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result includes:
decrypting the tunnel detection request message;
acquiring source tunnel information contained in the decrypted tunnel detection request message;
if the tunnel detection request message does not contain the tunnel abnormal information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain a first comparison result.
In this implementation, the tunnel detection uses tunnel information held in different stores (the local database and the security database), which ensures the accuracy and effectiveness of the detection.
In one embodiment, the method further comprises:
if the tunnel detection request message is determined to contain tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information, wherein the tunnel abnormal information represents that the IPSec tunnel is abnormal;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
In this implementation, when the comparison results show that the tunnel is abnormal, tunnel negotiation is performed again, so that the tunnel is repaired promptly.
In one aspect, a device for tunnel detection is provided, which is applied to a target device, where the target device includes a target Internet Key Exchange (IKE) negotiation process, a target Internet Protocol Security (IPSec) Security Association (SA) and a target security database, and the device includes:
a receiving unit, configured to receive a tunnel detection request message sent by a source device; the tunnel detection request message comprises source tunnel information of the IPSec tunnels established between the source device and the target device, each IPSec tunnel corresponds to a pair of source IPSecSA and target IPSecSA, and the source IPSecSA is located in the source device;
an obtaining unit, configured to obtain the source tunnel information in the tunnel detection request message;
a first comparison unit, configured to compare the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result;
a second comparison unit, configured to compare a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result; the first tunnel state and the second tunnel state are both tunnel states of the IPSec tunnel under detection;
and the sending unit is used for sending the tunnel detection response message to the source equipment based on the first comparison result and the second comparison result.
In one embodiment, the first comparison unit is configured to:
if there are multiple IPSec tunnels, compare the source tunnel information and the target tunnel information of each IPSec tunnel respectively to obtain a first comparison result for each IPSec tunnel;
and the second comparison unit is configured to:
if there are multiple IPSec tunnels, compare the first tunnel state and the second tunnel state corresponding to each IPSec tunnel respectively to obtain a second comparison result for each IPSec tunnel.
In one embodiment, a second local database is further provided in the target device, and the target tunnel information includes third tunnel information in the second local database and fourth tunnel information in the target security database: the first comparison unit is used for:
decrypting the tunnel detection request message;
acquiring source tunnel information contained in the decrypted tunnel detection request message;
if the tunnel detection request message does not contain the tunnel abnormal information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain a first comparison result.
In one embodiment, the sending unit is further configured to:
if the tunnel detection request message is determined to contain tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information, wherein the tunnel abnormal information represents that the IPSec tunnel is abnormal;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
In one aspect, an electronic device is provided, comprising a processor and a memory, the memory storing computer readable instructions which, when executed by the processor, perform the steps of the method provided in any of the various alternative implementations of tunnel detection described above.
In one aspect, a computer-readable storage medium is provided, on which a computer program is stored, which, when being executed by a processor, performs the steps of the method as provided in any of the various alternative implementations of tunnel detection described above.
In one aspect, a computer program product is provided which, when run on a computer, causes the computer to perform the steps of the method as provided in the various alternative implementations of tunnel detection as described in any of the above.
Additional features and advantages of the application will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the application. The objectives and other advantages of the application may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
To more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below, it should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on the drawings without inventive efforts.
Fig. 1 is a schematic architecture diagram of a system for detecting a tunnel according to an embodiment of the present disclosure;
fig. 2 is a flowchart of a method for detecting a tunnel according to an embodiment of the present application;
fig. 3 is an interaction diagram of a method for detecting a tunnel according to an embodiment of the present application;
fig. 4 is a schematic view of an application scenario of gateway tunnel detection according to an embodiment of the present application;
fig. 5 is a block diagram illustrating a structure of a device for tunnel detection according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are only some embodiments of the present application, and not all embodiments. The components of the embodiments of the present application, generally described and illustrated in the figures herein, can be arranged and designed in a wide variety of different configurations. Thus, the following detailed description of the embodiments of the present application, presented in the accompanying drawings, is not intended to limit the scope of the claimed application, but is merely representative of selected embodiments of the application. All other embodiments, which can be derived by a person skilled in the art from the embodiments of the present application without making any creative effort, shall fall within the protection scope of the present application.
First, some terms referred to in the embodiments of the present application will be described to facilitate understanding by those skilled in the art.
The terminal equipment: may be a mobile terminal, a fixed terminal, or a portable terminal such as a mobile handset, station, unit, device, multimedia computer, multimedia tablet, internet node, communicator, desktop computer, laptop computer, notebook computer, netbook computer, tablet computer, personal communication system device, personal navigation device, personal digital assistant, audio/video player, digital camera/camcorder, positioning device, television receiver, radio broadcast receiver, electronic book device, gaming device, or any combination thereof, including the accessories and peripherals of these devices, or any combination thereof. It is also contemplated that the terminal device can support any type of interface to the user (e.g., wearable device), and the like.
A server: may be an independent physical server, a server cluster or distributed system formed by several physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, big data and artificial intelligence platforms.
IPSec: provides security services at the IP layer, allowing a system to select the required security protocols, determine the algorithms used by those services and put in place the cryptographic keys the services require. IPSec protects one or more paths between a pair of hosts, between a pair of security gateways, or between a security gateway and a host. The set of security services IPSec can provide includes access control, connectionless integrity, data origin authentication, rejection of replayed packets (a form of partial sequence integrity), confidentiality (encryption) and limited traffic-flow confidentiality.
Internet Key Exchange (IKE): a key management protocol standard used together with IPSec. IKE provides a secure key exchange and key management mechanism carried over the User Datagram Protocol (UDP). Although IPSec can be used without it (with manually keyed SAs), IKE makes IPSec more flexible, easier to configure and more secure.
SA: a logical connection that provides security services for a particular data flow. Its parameters include the security protocol, the algorithms, the keys and a description of the data flow. There are IKE SAs and IPSec SAs. The IKE SA, also called the phase-1 SA, protects the IKE negotiation itself. The IPSec SA, also called the phase-2 SA, protects IPSec data traffic; it can be configured manually by the user or established by IKE negotiation.
Dead Peer Detection (DPD): used to detect whether the IPSec peer device still exists and whether it can still be communicated with. For example, the source device and the target device are each other's IPSec peers. DPD probe messages are sent periodically to the IPSec peer, and the peer is judged present or absent according to whether it replies to them. DPD is bound to the IKE SA: when DPD finds that the peer no longer exists, the SA is deleted and a new IKE SA and IPSec SA are negotiated, so that the tunnel does not remain blocked.
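The DPD mechanism just described, as an added example that is not part of the application and not Topsec's code: a minimal liveness detector for one IKE SA that sends a probe after an idle period, retransmits while the probe is unanswered, and after a fixed number of misses deletes the SAs and renegotiates. The intervals, the retry count, the action names and the replayed timeline are assumptions chosen for illustration, not values from the application or from the DPD specification.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class DpdMonitor:
    """Liveness monitor for one IKE SA, following the DPD description above.
    Timer values, retry count and action names are assumptions for illustration."""
    idle_interval: float = 30.0   # seconds without peer traffic before a probe is sent
    retry_interval: float = 5.0   # seconds between retransmitted probes
    max_retries: int = 3          # unanswered probes before the peer is declared dead
    last_seen: float = 0.0        # last time protected traffic or a DPD reply arrived
    unanswered: int = 0           # probes sent since the last evidence of liveness
    next_probe: float = 30.0      # earliest time the next probe may be sent
    peer_dead: bool = False

    def on_peer_traffic(self, now: float) -> None:
        """Protected traffic or a DPD reply is proof of life: reset the detector."""
        self.last_seen, self.unanswered = now, 0
        self.next_probe = now + self.idle_interval

    def tick(self, now: float) -> str:
        """Run from a timer; returns the action the IKE daemon takes at this instant."""
        if self.peer_dead:
            return "dead"
        if now < self.next_probe:
            return "idle"
        if self.unanswered >= self.max_retries:
            # No reply to max_retries probes: delete the IKE SA and its IPsec SAs and
            # start a fresh negotiation so that the tunnel does not stay blocked.
            self.peer_dead = True
            return "delete_sas_and_renegotiate"
        self.unanswered += 1
        self.next_probe = now + self.retry_interval
        return "send_dpd_probe"


def run_timeline(events: List[Tuple[float, str]]) -> List[Tuple[float, str]]:
    """Replay a constructed timeline of (time, "tick" | "traffic") events and collect
    every non-idle action together with the time at which it was taken."""
    mon, actions = DpdMonitor(), []
    for t, ev in events:
        if ev == "traffic":
            mon.on_peer_traffic(t)
        else:
            act = mon.tick(t)
            if act != "idle":
                actions.append((t, act))
    return actions


def dpd_demo() -> List[Tuple[float, str]]:
    # Constructed scenario: the peer answers the probe sent at t=40 (traffic at t=41),
    # then falls silent; three unanswered probes later it is declared dead.
    events = [(10.0, "traffic"), (30.0, "tick"), (40.0, "tick"), (41.0, "traffic"),
              (70.0, "tick"), (71.0, "tick"), (75.0, "tick"), (80.0, "tick"),
              (85.0, "tick"), (90.0, "tick")]
    return run_timeline(events)


if __name__ == "__main__":
    for t, act in dpd_demo():
        print(f"t={t:5.1f}s  {act}")
```

Note what DPD does and does not decide: its only input is whether the peer answers, so a peer that answers probes while holding stale or inconsistent SA state is still reported alive. The comparison of tunnel information and tunnel state described in this application targets exactly that gap.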
In order to improve the accuracy of a detection result when performing tunnel detection, embodiments of the present application provide a system, a method, an apparatus, an electronic device, and a storage medium for tunnel detection.
Fig. 1 is a schematic structural diagram of a system for detecting a tunnel according to an embodiment of the present disclosure. The system for detecting the tunnel comprises a source device and a target device. The source device and the target device can be servers or terminal devices.
The source device includes a first local database, a source Internet Key Exchange (IKE) negotiation process, a source ipsec sa, and a source security database. The target device contains a second local database, a target IKE negotiation process, a target IPSec SA, and a target security database.
It should be noted that the local databases (the first local database and the second local database) and the security databases (the source security database and the target security database) are two different databases within the same electronic device. As one example, the security database may be the Security Policy Database (SPD) and the Security Association Database (SAD), and the local database may be an application-layer database.
The local database stores first tunnel information of an IPSec tunnel and the security database stores second tunnel information of the same IPSec tunnel. Both describe the same tunnel, but because the two databases are updated at different times (among other reasons), the tunnel information held in the local database and in the security database may differ. There may be one or more IPSec tunnels, and each IPSec tunnel corresponds to a pair of source IPSec SA and target IPSec SA.
The source device is to: the method comprises the steps of obtaining source tunnel information of an IPSec tunnel, sending a tunnel detection request message containing the source tunnel information to target equipment, and receiving a tunnel detection response message returned by the target equipment.
The target device is to: obtain the source tunnel information in the tunnel detection request message, compare the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result, compare a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result, and send a tunnel detection response message to the source device based on the first comparison result and the second comparison result, wherein the first tunnel state and the second tunnel state are both tunnel states of the IPSec tunnel under detection.
In one embodiment, if there are multiple IPSec tunnels, a tunnel detection request message including the source tunnel information of all of them is sent to the target device, and a tunnel detection response message containing the state detection result of each IPSec tunnel is received from the target device.
In one embodiment, the source device is specifically configured to: comparing source tunnel information in a source IKE negotiation process with first tunnel information in a first local database and second tunnel information in a source security database respectively; if at least one of the first tunnel information and the second tunnel information is determined to be inconsistent with the source tunnel information, sending a tunnel detection request message containing the source tunnel information and the corresponding tunnel abnormal information to the target equipment; otherwise, sending the tunnel detection request message containing the source tunnel information to the target equipment.
In one embodiment, the target device is specifically configured to: decrypting the tunnel detection request message; acquiring source tunnel information contained in the decrypted tunnel detection request message; if the tunnel detection request message does not contain the tunnel abnormal information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain a first comparison result; and if the source tunnel information is consistent with the target tunnel information according to the first comparison result, comparing the first tunnel state with the second tunnel state to obtain a second comparison result.
In one embodiment, the target device is further configured to: if the tunnel detection request message is determined to contain the tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information; if the source tunnel information is determined to be inconsistent with the target tunnel information (namely the source tunnel information is inconsistent with the third tunnel information or inconsistent with the fourth tunnel information) according to the first comparison result, performing tunnel negotiation again based on the source tunnel information; and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
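As an added example that is not part of the application and not Topsec's code, the following Python models the detection flow described for the system of Fig. 1 and for the method embodiments above: the source device checks the tunnel information held by its IKE negotiation process against its local database and its security database and flags tunnels where they disagree, packs all tunnels into one request, and the target device performs the first comparison (source information against its local database and security database) and, only if that passes, the second comparison (IKE-process state against security-database state), answering per tunnel and deciding whether to delete the SA and renegotiate. The tunnel fields, the state strings, the JSON message format, the action names and the four sample tunnels are assumptions; the encryption of the request inside the tunnel is not modelled.

```python
import json
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class TunnelInfo:
    """Parameters identifying one IPsec tunnel (assumed field set, not the application's)."""
    local_net: str
    remote_net: str
    spi_out: int
    spi_in: int
    esp_alg: str


# One store's view of the tunnels: tunnel_id -> (tunnel information, tunnel state).
# The three stores are those named in the application: the IKE negotiation process,
# the application-layer local database and the security database (SPD/SAD).
StoreView = Dict[str, Tuple[TunnelInfo, str]]


@dataclass
class Endpoint:
    name: str
    ike: StoreView
    local_db: StoreView
    sad: StoreView

    @staticmethod
    def info(store: StoreView, tid: str) -> Optional[TunnelInfo]:
        return store[tid][0] if tid in store else None

    @staticmethod
    def state(store: StoreView, tid: str) -> Optional[str]:
        return store[tid][1] if tid in store else None


def build_request(src: Endpoint) -> bytes:
    """Source side. For every tunnel known to the IKE process, compare its tunnel
    information with the local database and the security database and mark the tunnel
    abnormal if either disagrees; all tunnels go into a single request message."""
    entries = []
    for tid, (ike_info, _) in src.ike.items():
        abnormal = (Endpoint.info(src.local_db, tid) != ike_info
                    or Endpoint.info(src.sad, tid) != ike_info)
        entries.append({"tunnel_id": tid, "info": asdict(ike_info), "abnormal": abnormal})
    # Assumed wire format. In the application the request travels inside the IPsec
    # tunnel and the target decrypts it first; that step is not modelled here.
    return json.dumps({"type": "tunnel_probe_request", "tunnels": entries}).encode()


def handle_request(dst: Endpoint, raw: bytes) -> Dict[str, Dict[str, str]]:
    """Target side. Per tunnel: first comparison = source information against the local
    database (third information) and the security database (fourth information);
    second comparison, only if the first passed = IKE-process state against
    security-database state. Returns the per-tunnel content of the response."""
    req = json.loads(raw.decode())
    results: Dict[str, Dict[str, str]] = {}
    for entry in req["tunnels"]:
        tid, src_info = entry["tunnel_id"], TunnelInfo(**entry["info"])
        if entry["abnormal"]:
            # The source already found its own stores inconsistent: delete the target
            # IPsec SA for this tunnel and renegotiate from the source information.
            dst.sad.pop(tid, None)
            results[tid] = {"verdict": "source_abnormal", "action": "delete_sa_and_renegotiate"}
        elif (Endpoint.info(dst.local_db, tid) != src_info
              or Endpoint.info(dst.sad, tid) != src_info):
            results[tid] = {"verdict": "info_mismatch", "action": "renegotiate"}
        elif Endpoint.state(dst.ike, tid) != Endpoint.state(dst.sad, tid):
            results[tid] = {"verdict": "state_mismatch", "action": "renegotiate"}
        else:
            results[tid] = {"verdict": "ok", "action": "none"}
    return results


def make_peers() -> Tuple[Endpoint, Endpoint]:
    """Constructed sample data: four tunnels, one healthy and three inconsistent."""
    t1 = TunnelInfo("10.1.0.0/24", "10.2.0.0/24", 0x1001, 0x2001, "aes-gcm-256")
    t2 = TunnelInfo("10.1.1.0/24", "10.2.1.0/24", 0x1002, 0x2002, "aes-gcm-256")
    t2_old = TunnelInfo("10.1.1.0/24", "10.2.1.0/24", 0x1002, 0x2fff, "aes-gcm-256")
    t3 = TunnelInfo("10.1.2.0/24", "10.2.2.0/24", 0x1003, 0x2003, "aes-gcm-256")
    t4 = TunnelInfo("10.1.3.0/24", "10.2.3.0/24", 0x1004, 0x2004, "aes-gcm-256")
    up = "established"
    all_up = {"t1": (t1, up), "t2": (t2, up), "t3": (t3, up), "t4": (t4, up)}
    src = Endpoint("src", ike=dict(all_up), local_db=dict(all_up), sad=dict(all_up))
    del src.local_db["t4"]              # t4: the source's local database lost its entry
    dst = Endpoint("dst", ike=dict(all_up), local_db=dict(all_up), sad=dict(all_up))
    dst.sad["t2"] = (t2_old, up)        # t2: target SAD still holds the pre-rekey SPI
    dst.sad["t3"] = (t3, "expired")     # t3: SA expired in the SAD, IKE process says up
    return src, dst


def probe_demo() -> Dict[str, Dict[str, str]]:
    src, dst = make_peers()
    return handle_request(dst, build_request(src))


if __name__ == "__main__":
    for tid, r in probe_demo().items():
        print(tid, r["verdict"], "->", r["action"])
```

Running the block prints one verdict per tunnel: t1 passes both comparisons; t2 fails the first because the target's security database still holds a pre-rekey SPI; t3 passes the first but fails the second because the IKE process and the security database disagree on its state; t4 is flagged abnormal by the source itself, which makes the target drop its SA before renegotiating. A per-SA reachability probe, which judges only by whether a response arrives, would not distinguish these cases; the two comparisons do.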
Fig. 2 is a flowchart of a tunnel detection method according to an embodiment of the present application, applied to the target device in fig. 1. The tunnel detection method of the tunnel detection system in fig. 1 is described with reference to fig. 2; the specific implementation flow of the method is as follows:
Step 200: receiving a tunnel detection request message sent by a source device; the tunnel detection request message comprises source tunnel information of the IPSec tunnels established between the source device and the target device, and each IPSec tunnel corresponds to a pair of a source IPSec SA and a target IPSec SA;
Step 201: acquiring the source tunnel information in the tunnel detection request message;
Step 202: comparing locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result;
Step 203: comparing a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to obtain a second comparison result; the first tunnel state and the second tunnel state are both tunnel states of the detected IPSec tunnel;
Step 204: sending a tunnel detection response message to the source device based on the first comparison result and the second comparison result.
In one embodiment, if there are multiple IPSec tunnels, then in order to determine whether each detected IPSec tunnel is abnormal, step 202 is implemented as follows: the source tunnel information and the target tunnel information of each IPSec tunnel are compared respectively, so as to obtain a first comparison result for each IPSec tunnel.
In one embodiment, the source tunnel information is compared with third tunnel information in the second local database and fourth tunnel information in the target security database, respectively, to obtain a first comparison result.
In one embodiment, if there are multiple IPSec tunnels, then in order to determine whether each detected IPSec tunnel is abnormal, step 203 is implemented as follows: the first tunnel state and the second tunnel state corresponding to each IPSec tunnel are compared respectively, so as to obtain a second comparison result for each IPSec tunnel.
In an embodiment, if the tunnel information comparison is inconsistent or the tunnel state comparison is inconsistent, it is determined that the IPSec tunnel is abnormal, and the abnormal IPSec tunnel may be repaired. The abnormality judgment and tunnel repair of the IPSec tunnel may be implemented in at least one of the following manners:
mode 1: if the tunnel detection request message is determined to contain tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information, wherein the tunnel abnormal information represents that the IPSec tunnel is abnormal;
mode 2: if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
mode 3: and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
Fig. 3 is an interaction diagram of a tunnel detection method according to an embodiment of the present application; the tunnel detection method of fig. 2 is described in detail with reference to fig. 3. The specific implementation flow of the method is as follows:
S301: the source IKE negotiation process sends a first acknowledgement request message containing the source tunnel information to the first local database.
The first acknowledgement request message includes source tunnel information of one or more IPSec tunnels.
Optionally, the source tunnel information may include tunnel identification information, a tunnel algorithm, a subnet, and the like, and is used to describe the IPSec tunnel.
S302: the first local database returns a third comparison result between the first tunnel information and the source tunnel information to the source IKE negotiation process.
The first local database stores first tunnel information of one or more IPSec tunnels.
S303: the source IKE negotiation process sends a second acknowledgement request message containing the source tunnel information to the source security database.
S304: the source security database returns a fourth comparison result between the second tunnel information and the source tunnel information to the source IKE negotiation process.
S305: the source IKE negotiation process sends a tunnel detection request message to the target IKE negotiation process.
The tunnel detection request message includes the source tunnel information and may also include tunnel abnormal information. If the third comparison result or the fourth comparison result is inconsistent, it is judged that the IPSec tunnel is abnormal, tunnel abnormal information is generated, and a tunnel detection request message containing the source tunnel information and the tunnel abnormal information is constructed.
In an embodiment, when it is determined that the third comparison result or the fourth comparison result is inconsistent in comparison, tunnel anomaly information may be added to a message Data structure (e.g., a Notification Data structure), and a tunnel probe request message may be constructed based on the message Data structure and source tunnel information.
Optionally, the tunnel exception information is used to indicate that the IPSec tunnel is abnormal, and may further include a specific reason of the IPSec tunnel exception, and the like.
In one embodiment, the source IKE negotiation process may construct a DPD packet and send a DPD message (i.e., the tunnel detection request message) to the target IKE negotiation process based on the DPD packet.
In this way, the source tunnel information can first be checked in the source device (i.e., whether the tunnel is abnormal is detected locally), and the tunnel detection request message is then sent to the target device, which performs the further tunnel state detection.
Further, the target IKE negotiation process decrypts the tunnel detection request message to obtain a decrypted tunnel detection request message.
Specifically, the target IKE negotiation process decrypts the tunnel detection request message, and if decryption is successful, the decrypted tunnel detection request message is obtained, otherwise, it is determined that the tunnel detection request message is abnormal, and verification fails.
Further, if it is determined that there is an exception in the IPSec tunnel, the IPSec tunnel with the exception may be deleted and reconstructed, and if it is determined that there is an exception in each IPSec tunnel, tunnel negotiation may be re-initiated, and S312 is performed.
In one embodiment, if there is one IPSec tunnel, that is, the tunnel detection request message only includes the source tunnel information of one IPSec tunnel and the tunnel abnormal information corresponding to that source tunnel information, the target IPSec SA corresponding to the IPSec tunnel is deleted based on the tunnel abnormal information, and tunnel negotiation is performed again; that is, negotiation is actively initiated to recreate the failed target IPSec SA.
In one embodiment, if there are multiple IPSec tunnels, there may be some IPSec tunnels that are abnormal, and some IPSec tunnels are normal, then for any target IPSec tunnel that has an abnormality in each IPSec tunnel, the following steps may be performed: and deleting the target IPSec SA corresponding to the target IPSec tunnel based on the tunnel exception information of the target IPSec tunnel, and performing tunnel negotiation again.
If the tunnel detection request message is determined to contain tunnel abnormal information, the abnormal IPSec tunnel is determined according to the tunnel abnormal information.
S306: the target IKE negotiation process sends a third acknowledgement request message containing the source tunnel information to the second local database.
S307: the second local database returns a first comparison confirmation result between the third tunnel information and the source tunnel information to the target IKE negotiation process.
The second local database stores the third tunnel information of the IPSec tunnel. If there are multiple IPSec tunnels, the second local database compares the target tunnel information of each IPSec tunnel with the corresponding source tunnel information.
S308: the target IKE negotiation process sends a fourth acknowledgement message containing the source tunnel information to the target security database.
S309: the target security database returns a second comparison confirmation result between the fourth tunnel information and the source tunnel information to the target IKE negotiation process.
It should be noted that the target tunnel information (i.e., the third tunnel information and the fourth tunnel information) and the source tunnel information are both tunnel information for describing the IPSec tunnel, and may be tunnel identification information, a tunnel algorithm, a subnet, and the like.
Specifically, the target IKE negotiation process obtains a first tunnel state stored locally and sends it to the target security database.
Further, if it is determined that the source tunnel information is inconsistent with the target tunnel information according to the first comparison result, the target IKE negotiation process performs tunnel negotiation again based on the source tunnel information, and performs S312.
S310: the target IKE negotiation process sends a status confirmation message containing the first tunnel status to the target security database.
S311: the target security database returns a second comparison result between the first tunnel state and the second tunnel state to the target IKE negotiation process.
In one embodiment, if there are multiple IPSec tunnels, the target security database compares the first tunnel status and the second tunnel status corresponding to each IPSec tunnel, respectively, to obtain a second comparison result of each IPSec tunnel.
S312: the target IKE negotiation process returns a tunnel detection response message to the source IKE negotiation process according to the received comparison results.
Specifically, the target IKE negotiation process sends a tunnel probe response message to the source device based on the first comparison result (i.e., the first comparison confirmation result and the second comparison confirmation result) and the second comparison result.
Further, if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information; and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
Fig. 4 is a schematic diagram of an application scenario of gateway tunnel detection, and the tunnel detection method of fig. 3 is illustrated below with reference to fig. 4. Fig. 4 includes gateway A (i.e., the source device) and gateway B (i.e., the target device). The source device includes IPSec SA11, IPSec SA12, and IPSec SA12; the target device includes IPSec SA21, IPSec SA22, and IPSec SA23.
Gateway A compares the source tunnel information of IPSec SA11, IPSec SA12, and IPSec SA12 with the first tunnel information in the first local database and the second tunnel information in the source security database, respectively; if there is source tunnel information whose comparison result is inconsistent, it generates the corresponding tunnel abnormal information (for example, the IPSec SA information) and adds it to the Notification Data structure of the packet.
Gateway A sends to gateway B a single DPD message that includes the source tunnel information of each of IPSec SA11 and IPSec SA12, together with the tunnel abnormal information corresponding to any source tunnel information for which an abnormality exists.
Gateway B decrypts the DPD message with the IKE SA key. If the DPD message contains tunnel abnormal information, gateway B deletes the IPSec SA corresponding to the abnormal source tunnel information (i.e., the invalid IPSec SA) from IPSec SA21, IPSec SA22, and IPSec SA23, actively initiates negotiation, and re-establishes the invalid IPSec SA. For the source tunnel information without an abnormality, gateway B compares that source tunnel information with the third tunnel information in the second local database and the fourth tunnel information in the target security database; if there is source tunnel information whose comparison result is inconsistent, the corresponding tunnel is considered failed, negotiation is actively initiated, and the failed IPSec SA is re-established. Further, state comparison detection is performed for each source tunnel information; if there is source tunnel information whose state comparison result is inconsistent, the corresponding tunnel is considered failed, negotiation is actively initiated, and the failed IPSec SA is re-created. Where both the tunnel information comparison and the tunnel state comparison for a source tunnel information are consistent, it is determined that the corresponding IPSec tunnel has no abnormality and communication can proceed normally.
Finally, gateway B generates a tunnel detection result based on each comparison result and returns a tunnel detection response message containing the tunnel detection result to gateway A. If gateway A does not receive the tunnel detection response message within the response time, it determines that IPSec SA11, IPSec SA12, and IPSec SA12 are all invalid or do not exist, and restarts the tunnel negotiation process.
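The exchange in the method steps 200 to 204, the interaction flow S301 to S312 and the gateway scenario of fig. 4 above, written out as an added example in Python. This is not code from the patent or from the applicant; it is a model that reduces tunnel information to an id, an algorithm and a subnet, and stands in for the IKE SA encryption of the DPD message with an HMAC-SHA256 tag (an assumption: the text says the message is decrypted, and here a failed tag plays the role of a failed decryption). All database contents, tunnel names and the key are constructed sample values.

```python
# Added example, not the patent's code: a compact model of the tunnel probe the
# text describes, with gateway A (source device) and gateway B (target device).
# Assumption: the IKE SA key protection of the DPD message is modelled with an
# HMAC-SHA256 tag; a tag that fails to verify plays the role of a failed decrypt.
import hashlib
import hmac
import json

IKE_SA_KEY = b"constructed-ike-sa-key"  # constructed sample key, not a real one

def protect(payload, key):
    """Stand-in for IKE SA encryption: serialise the payload and attach a tag."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def unprotect(message, key):
    """Stand-in for decryption: return the payload, or None if verification fails."""
    expected = hmac.new(key, message["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, message["tag"]):
        return None
    return json.loads(message["body"])

def source_check(ike_info, first_local_db, source_security_db):
    """S301-S304: compare each tunnel's info held by the source IKE negotiation
    process with the first local database and the source security database; a
    mismatch with either one becomes an entry of tunnel abnormal information."""
    abnormal = []
    for tid, info in ike_info.items():
        if first_local_db.get(tid) != info or source_security_db.get(tid) != info:
            abnormal.append({"tunnel": tid, "reason": "source tunnel information inconsistent"})
    return abnormal

def build_probe_request(ike_info, first_local_db, source_security_db, key):
    """S305: one request carries the source tunnel information of every tunnel;
    the abnormal entries travel in the Notification Data of the same message."""
    payload = {"tunnels": ike_info,
               "notification_data": source_check(ike_info, first_local_db, source_security_db)}
    return protect(payload, key)

def handle_probe_request(message, key, second_local_db, target_security_db,
                         ike_state, db_state):
    """Steps 200-204 / S306-S312 on the target device. Returns None when the
    message does not verify; otherwise a response that marks each tunnel 'ok'
    or 'renegotiate' and lists the target SAs deleted under mode 1."""
    payload = unprotect(message, key)
    if payload is None:
        return None
    flagged = {n["tunnel"] for n in payload["notification_data"]}
    results, deleted = {}, []
    for tid, src in payload["tunnels"].items():
        if tid in flagged:
            # mode 1: the peer already found the tunnel abnormal -> delete the
            # target IPSec SA and negotiate the tunnel again
            deleted.append(tid)
            results[tid] = "renegotiate"
        elif second_local_db.get(tid) != src or target_security_db.get(tid) != src:
            # mode 2: first comparison result (third/fourth tunnel info) inconsistent
            results[tid] = "renegotiate"
        elif ike_state.get(tid) != db_state.get(tid):
            # mode 3: second comparison result (first/second tunnel state) inconsistent
            results[tid] = "renegotiate"
        else:
            results[tid] = "ok"
    return {"results": results, "deleted_target_sas": deleted}

def source_handle_response(response, tunnels):
    """Gateway A: no response within the response time means every probed SA is
    treated as invalid and negotiation is restarted for all of them."""
    if response is None:
        return {tid: "renegotiate" for tid in tunnels}
    return response["results"]

# Constructed scenario in the spirit of fig. 4: four tunnels, one per outcome.
T1 = {"id": "t1", "algorithm": "aes-256-gcm", "subnet": "10.1.0.0/24"}
T2 = {"id": "t2", "algorithm": "aes-256-gcm", "subnet": "10.2.0.0/24"}
T3 = {"id": "t3", "algorithm": "aes-256-gcm", "subnet": "10.3.0.0/24"}
T4 = {"id": "t4", "algorithm": "aes-256-gcm", "subnet": "10.4.0.0/24"}

def demo():
    """Run the exchange end to end; returns the per-tunnel results gateway A gets."""
    a_ike = {"t1": T1, "t2": T2, "t3": T3, "t4": T4}
    a_local = dict(a_ike)
    a_secdb = dict(a_ike, t2=dict(T2, subnet="10.2.9.0/24"))    # stale backup: t2 abnormal at A
    b_local = dict(a_ike)
    b_secdb = dict(a_ike, t3=dict(T3, algorithm="aes-128-gcm"))  # t3 info mismatches at B
    b_ike_state = {"t1": "up", "t2": "up", "t3": "up", "t4": "up"}
    b_db_state = {"t1": "up", "t2": "up", "t3": "up", "t4": "down"}  # t4 state mismatch at B
    request = build_probe_request(a_ike, a_local, a_secdb, IKE_SA_KEY)
    response = handle_probe_request(request, IKE_SA_KEY, b_local, b_secdb,
                                    b_ike_state, b_db_state)
    return source_handle_response(response, a_ike)
```

Calling `demo()` returns `t1` as `ok` and `t2`, `t3` and `t4` as `renegotiate`, each for a different one of the three modes; passing `None` to `source_handle_response` reproduces the timeout branch in which gateway A restarts negotiation for every tunnel. The single message carrying all tunnels plus the Notification Data is what the text means by detecting every IPSec SA with one tunnel detection request message.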
In the embodiment of the present application, a separate tunnel detection request message does not need to be sent for each IPSec SA; the same tunnel detection request message is used to detect every IPSec SA, which reduces the number of messages transmitted, reduces the system resources and network transmission resources consumed, and thereby improves network robustness. Abnormality detection can be performed against the backup tunnel information and the tunnel state stored in the local database and the local security database respectively, so that tunnel detection draws on multiple data sources, which improves the validity, accuracy, reliability and efficiency of tunnel detection. The tunnel abnormal information is added to the extension information of the message and notified to the target device, so that the target device can perform tunnel negotiation again for the abnormal tunnel, which ensures timely maintenance of the tunnel and improves the validity and security of data communication.
Based on the same inventive concept, an embodiment of the present application further provides a device for tunnel detection. Since the principle by which the device solves the problem is similar to that of the tunnel detection method, the implementation of the device can refer to the implementation of the method, and repeated parts are not described again.
Fig. 5 is a schematic structural diagram of a device for tunnel detection provided in an embodiment of the present application. The device includes:
a receiving unit 501, configured to receive a tunnel detection request message sent by a source device; the tunnel detection request message comprises source tunnel information of the IPSec tunnels established between the source device and the target device, each IPSec tunnel corresponds to a pair of a source IPSec SA and a target IPSec SA, and the source IPSec SA is located in the source device;
an obtaining unit 502, configured to obtain source tunnel information in a tunnel detection request message;
a first comparing unit 503, configured to compare target tunnel information of a locally stored IPSec tunnel with source tunnel information, to obtain a first comparison result;
a second comparing unit 504, configured to compare a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database, so as to obtain a second comparison result; the first tunnel status and the second tunnel status are both the tunnel status of the detected IPSec tunnel;
a sending unit 505, configured to send a tunnel probe response message to the source device based on the first comparison result and the second comparison result.
In one embodiment, the first comparing unit 503 is configured to:
if it is determined that there are multiple IPSec tunnels, compare the source tunnel information and the target tunnel information of each IPSec tunnel respectively, so as to obtain a first comparison result for each IPSec tunnel;
and comparing the first tunnel state in the target IKE negotiation process with the second tunnel state in the target security database to obtain the second comparison result comprises:
if it is determined that there are multiple IPSec tunnels, comparing the first tunnel state and the second tunnel state corresponding to each IPSec tunnel respectively, so as to obtain a second comparison result for each IPSec tunnel.
In one embodiment, a second local database is further provided in the target device, and the target tunnel information includes third tunnel information in the second local database and fourth tunnel information in the target security database; the first comparing unit 503 is configured to:
decrypting the tunnel detection request message;
acquiring source tunnel information contained in the decrypted tunnel detection request message;
if the tunnel detection request message does not contain the tunnel abnormal information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain a first comparison result.
In one embodiment, the sending unit 505 is further configured to:
if the tunnel detection request message is determined to contain tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information, wherein the tunnel abnormal information represents that the IPSec tunnel is abnormal;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
In the system, method, apparatus, electronic device and storage medium for tunnel detection provided in the embodiments of the present application, a tunnel detection request message sent by a source device is received; the tunnel detection request message comprises source tunnel information of the IPSec tunnels established between the source device and the target device, each IPSec tunnel corresponds to a pair of a source IPSec SA and a target IPSec SA, and the source IPSec SA is located in the source device; the source tunnel information in the tunnel detection request message is acquired; the locally stored target tunnel information of the IPSec tunnel is compared with the source tunnel information to obtain a first comparison result; a first tunnel state in the target IKE negotiation process is compared with a second tunnel state in the target security database to obtain a second comparison result, the first tunnel state and the second tunnel state both being tunnel states of the detected IPSec tunnel; and a tunnel detection response message is sent to the source device based on the first comparison result and the second comparison result. Because tunnel detection is carried out on both the tunnel information and the tunnel state, the accuracy of tunnel detection is improved.
Fig. 6 shows a schematic structural diagram of an electronic device 6000. Referring to fig. 6, the electronic device 6000 includes a processor 6010 and a memory 6020, and may optionally further include a power supply 6030, a display unit 6040, and an input unit 6050.
The processor 6010 is a control center of the electronic apparatus 6000, and connects the respective components using various interfaces and wires, and performs various functions of the electronic apparatus 6000 by operating or executing software programs and/or data stored in the memory 6020, thereby integrally monitoring the electronic apparatus 6000.
In the embodiment of the present application, the processor 6010 executes the steps in the above embodiments when calling the computer program stored in the memory 6020.
Alternatively, the processor 6010 may include one or more processing units; preferably, the processor 6010 may integrate an application processor, which mainly handles the operating system, user interfaces, applications, etc., and a modem processor, which mainly handles wireless communication. It is to be appreciated that the modem processor described above may not be integrated into the processor 6010. In some embodiments, the processor and the memory may be implemented on a single chip, or in some embodiments they may be implemented separately on separate chips.
The memory 6020 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, various applications, and the like; the storage data area may store data created according to the use of the electronic device 6000, and the like. In addition, the memory 6020 may include high-speed random access memory and may also include non-volatile memory, such as at least one magnetic disk storage device, flash memory device, or other volatile solid-state storage device.
The electronic device 6000 further includes a power supply 6030 (e.g., a battery) for supplying power to various components, and the power supply may be logically connected to the processor 6010 through a power management system, so as to manage charging, discharging, and power consumption functions through the power management system.
The display unit 6040 may be used to display information input by the user or information provided to the user, various menus of the electronic device 6000, and the like, and in the embodiment of the present invention, the display unit is mainly used to display a display interface of each application in the electronic device 6000 and objects such as texts and pictures displayed in the display interface. The display unit 6040 may include a display panel 6041. The Display panel 6041 may be configured in the form of a Liquid Crystal Display (LCD), an Organic Light-Emitting Diode (OLED), or the like.
The input unit 6050 may be used to receive information such as numbers or characters input by a user. The input unit 6050 may include a touch panel 6051 and other input devices 6052. Touch panel 6051, also referred to as a touch screen, may collect touch operations by a user on or near the touch panel 6051 (e.g., operations by a user on or near touch panel 6051 using a finger, a stylus, or any other suitable object or attachment).
Specifically, the touch panel 6051 may detect a touch operation by the user, detect signals resulting from the touch operation, convert the signals into touch point coordinates, send the touch point coordinates to the processor 6010, receive a command sent from the processor 6010, and execute the command. In addition, the touch panel 6051 can be implemented by various types such as a resistive type, a capacitive type, an infrared ray, and a surface acoustic wave. Other input devices 6052 may include, but are not limited to, one or more of a physical keyboard, function keys (such as volume control keys, power on/off keys, etc.), a trackball, a mouse, a joystick, and the like.
Of course, the touch panel 6051 may cover the display panel 6041, and when the touch panel 6051 detects a touch operation thereon or nearby, the touch operation is transmitted to the processor 6010 to determine the type of the touch event, and then the processor 6010 provides a corresponding visual output on the display panel 6041 according to the type of the touch event. Although in fig. 6, the touch panel 6051 and the display panel 6041 are two separate components to implement the input and output functions of the electronic device 6000, in some embodiments, the touch panel 6051 and the display panel 6041 may be integrated to implement the input and output functions of the electronic device 6000.
The electronic device 6000 may also include one or more sensors, such as pressure sensors, gravitational acceleration sensors, proximity light sensors, and the like. Of course, the electronic device 6000 may also include other components such as a camera, which are not shown in fig. 6 and will not be described in detail since they are not the components used in this embodiment of the present application.
Those skilled in the art will appreciate that fig. 6 is merely an example of an electronic device and is not limiting of electronic devices and may include more or fewer components than those shown, or some components may be combined, or different components.
In an embodiment of the present application, a computer-readable storage medium has a computer program stored thereon, and when the computer program is executed by a processor, the communication device may perform the steps in the above embodiments.
For convenience of description, the above parts are described separately as modules (or units) according to functions. Of course, the functionality of the various modules (or units) may be implemented in the same one or more pieces of software or hardware when implementing the present application.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. A system for tunnel detection, characterized by comprising a source device and a target device, wherein the target device comprises a target Internet key exchange (IKE) negotiation process, a target Internet protocol security (IPSec) security association (SA) and a target security database, the source device comprises a source IPSec SA, at least one IPSec tunnel is established between the source device and the target device, and each IPSec tunnel corresponds to a pair of the source IPSec SA and the target IPSec SA;
the source device is to: acquiring source tunnel information of the IPSec tunnel, sending a tunnel detection request message containing the source tunnel information to the target equipment, and receiving a tunnel detection response message returned by the target equipment;
the target device is to: acquiring source tunnel information in the tunnel detection request message, comparing locally stored target tunnel information of the IPSec tunnel with the source tunnel information to acquire a first comparison result, comparing a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database to acquire a second comparison result, and sending the tunnel detection response message to the source equipment based on the first comparison result and the second comparison result, wherein the first tunnel state and the second tunnel state are detected tunnel states of the IPSec tunnel.
2. The system of claim 1, wherein the source device is specifically configured to:
if the IPSec tunnels are determined to be multiple, sending a tunnel detection request message containing source tunnel information of the multiple IPSec tunnels to the target equipment;
and receiving a tunnel detection response message which is returned by the target equipment and contains the state detection result of each IPSec tunnel.
3. The system of claim 1, wherein the source device further comprises a source security database, a source IKE negotiation process, and a first local database; the source device is specifically configured to:
comparing the source tunnel information in the source IKE negotiation process with first tunnel information in the first local database and second tunnel information in the source security database respectively;
if at least one of the first tunnel information and the second tunnel information is determined to be inconsistent with the source tunnel information, generating tunnel abnormal information, and sending a tunnel detection request message containing the source tunnel information and the tunnel abnormal information to the target device;
otherwise, sending the tunnel detection request message containing the source tunnel information to the target device.
4. The system according to any one of claims 1 to 3, wherein a second local database is further provided in the target device, the target tunnel information includes third tunnel information in the second local database and fourth tunnel information in a target security database, and the target device is specifically configured to:
decrypting the tunnel detection request message;
acquiring the source tunnel information contained in the decrypted tunnel detection request message;
if it is determined that the tunnel detection request message does not include the tunnel abnormal information of the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain the first comparison result;
and if the source tunnel information is consistent with the target tunnel information according to the first comparison result, comparing the first tunnel state with the second tunnel state to obtain a second comparison result.
5. The system of claim 4, wherein the target device is further to:
if the tunnel detection request message is determined to contain the tunnel abnormal information corresponding to the source tunnel information, deleting the target IPSecSA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
6. A method for detecting tunnel is applied to target equipment, the target equipment comprises a target key exchange IKE negotiation process, a target Internet protocol security (IPSec) Security Association (SA) and a target security database, and the method comprises the following steps:
receiving a tunnel detection request message sent by a source device; the tunnel detection request message comprises source tunnel information of IPSec tunnels established between the source equipment and the target equipment, each IPSec tunnel corresponds to a pair of source IPSecSA and target IPSecSA, and the source IPSecSA is located in the source equipment;
acquiring source tunnel information in the tunnel detection request message;
comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result;
comparing a first tunnel state in the target IKE negotiation process with a second tunnel state in the target safety database to obtain a second comparison result; the first tunnel state and the second tunnel state are both detected tunnel states of the IPSec tunnel;
and sending the tunnel detection response message to the source equipment based on the first comparison result and the second comparison result.
7. The method of claim 6, wherein the comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result comprises:
if the IPSec tunnels are determined to be multiple, comparing the source tunnel information and the target tunnel information of each IPSec tunnel respectively to obtain a first comparison result of each IPSec tunnel;
the comparing the first tunnel state in the target IKE negotiation process with the second tunnel state in the target security database to obtain a second comparison result includes:
and if the plurality of IPSec tunnels are determined, comparing the first tunnel state and the second tunnel state corresponding to each IPSec tunnel respectively to obtain a second comparison result of each IPSec tunnel.
8. The method of claim 6, wherein a second local database is further disposed in the target device, the target tunnel information includes third tunnel information in the second local database and fourth tunnel information in the target security database, and the comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result includes:
decrypting the tunnel detection request message;
acquiring source tunnel information contained in the decrypted tunnel detection request message;
if it is determined that the tunnel detection request message does not include the tunnel abnormal information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain the first comparison result.
9. The method of any one of claims 6-8, further comprising:
if the tunnel detection request message is determined to contain tunnel abnormal information corresponding to the source tunnel information, deleting target IPSec SA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information, wherein the tunnel abnormal information represents that the IPSec tunnel is abnormal;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
10. A device for tunnel detection is applied to a target device, where the target device includes a target key exchange IKE negotiation process, a target Internet protocol security (IPSec) Security Association (SA), and a target security database, and the device includes:
a receiving unit, configured to receive a tunnel probe request message sent by a source device; the tunnel detection request message comprises source tunnel information of IPSec tunnels established between the source equipment and the target equipment, each IPSec tunnel corresponds to a pair of source IPSecSA and target IPSecSA, and the source IPSecSA is located in the source equipment;
an obtaining unit, configured to obtain source tunnel information in the tunnel detection request message;
the first comparison unit is used for comparing the locally stored target tunnel information of the IPSec tunnel with the source tunnel information to obtain a first comparison result;
a second comparison unit, configured to compare a first tunnel state in the target IKE negotiation process with a second tunnel state in the target security database, to obtain a second comparison result; the first tunnel status and the second tunnel status are both detected tunnel statuses of the IPSec tunnel;
a sending unit, configured to send the tunnel probe response message to the source device based on the first comparison result and the second comparison result.
11. The apparatus of claim 10, wherein the first comparison unit is to:
if the plurality of IPSec tunnels are determined, comparing the source tunnel information and the target tunnel information of each IPSec tunnel respectively to obtain a first comparison result of each IPSec tunnel;
the comparing the first tunnel state in the target IKE negotiation process with the second tunnel state in the target security database to obtain a second comparison result includes:
and if the plurality of IPSec tunnels are determined, comparing the first tunnel state and the second tunnel state corresponding to each IPSec tunnel respectively to obtain a second comparison result of each IPSec tunnel.
12. The apparatus of claim 10, wherein a second local database is further disposed in the target device, and wherein the target tunnel information comprises third tunnel information in the second local database and fourth tunnel information in the target security database: the first comparison unit is used for:
decrypting the tunnel detection request message;
acquiring source tunnel information contained in the decrypted tunnel detection request message;
if it is determined that the tunnel detection request message does not include the tunnel abnormal information corresponding to the source tunnel information, comparing the source tunnel information with the third tunnel information and the fourth tunnel information respectively to obtain the first comparison result.
13. The apparatus of any of claims 10-12, wherein the sending unit is further to:
if the tunnel detection request message is determined to contain tunnel abnormal information corresponding to the source tunnel information, deleting target IPSec SA corresponding to the source tunnel information, and performing tunnel negotiation again based on the source tunnel information, wherein the tunnel abnormal information represents that the IPSec tunnel is abnormal;
if the source tunnel information is determined to be inconsistent with the target tunnel information according to the first comparison result, performing tunnel negotiation again based on the source tunnel information;
and if the first tunnel state is determined to be inconsistent with the second tunnel state according to the second comparison result, performing tunnel negotiation again based on the source tunnel information.
14. An electronic device comprising a processor and a memory, the memory storing computer readable instructions that, when executed by the processor, perform the method of any of claims 6-9.
15. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the method according to any one of claims 6-9.
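The claims describe a two-sided consistency check: the source peer compares what its IKE daemon, its persisted local database and its security database (SAD) each record about a tunnel and flags a mismatch; the target peer then compares the received source view against its own two stores (first comparison) and checks that its IKE process and SAD agree on the tunnel's state (second comparison), renegotiating on any disagreement. The following is an added illustrative example written for this page, not code from the patent or its assignee. The field set (tunnel id, SPIs, traffic selectors, state strings), the request layout and the action strings are assumptions; the probe is assumed to travel over an already-authenticated channel, so the decrypt step of claims 4, 8 and 12 is omitted. Note that the target must mirror the source's view (inbound/outbound SPIs and local/remote selectors swap) before comparing, otherwise every healthy tunnel reports a mismatch.

```python
"""Two-peer IPsec tunnel consistency probe, modelled on the claims above.

Added illustrative example; not code from the patent or its assignee.  The
field set (tunnel id, SPIs, traffic selectors, state strings), the request
layout and the action strings are assumptions.  The probe is assumed to ride
an already-authenticated channel, so the decrypt step of claims 4/8/12 is
omitted.
"""
from dataclasses import dataclass, replace
from typing import Dict, List


@dataclass(frozen=True)
class TunnelInfo:
    """What one peer records about an IPsec SA pair (field set assumed)."""
    spi_in: int      # SPI of this peer's inbound SA
    spi_out: int     # SPI of this peer's outbound SA
    local_ts: str    # local traffic selector, e.g. "10.0.1.0/24"
    remote_ts: str   # remote traffic selector

    def mirrored(self) -> "TunnelInfo":
        """The same tunnel as the other peer records it: SPIs and selectors
        swap, so the target must mirror the source's view before comparing."""
        return TunnelInfo(self.spi_out, self.spi_in, self.remote_ts, self.local_ts)


@dataclass
class Peer:
    """Three stores that can drift apart on one peer (claims 3 and 4)."""
    ike_info: Dict[int, TunnelInfo]   # IKE negotiation process (daemon memory)
    ike_state: Dict[int, str]         # tunnel state as the IKE process sees it
    sad_info: Dict[int, TunnelInfo]   # security database (kernel SAD)
    sad_state: Dict[int, str]         # tunnel state recorded in the SAD
    local_db: Dict[int, TunnelInfo]   # persisted local database


def build_request(src: Peer) -> List[dict]:
    """Source side (claims 1-3): one entry per tunnel, flagged abnormal when
    the IKE view disagrees with the local database or with the SAD."""
    entries = []
    for tid, info in src.ike_info.items():
        abnormal = src.local_db.get(tid) != info or src.sad_info.get(tid) != info
        entries.append({"tunnel_id": tid, "info": info, "abnormal": abnormal})
    return entries


def handle_request(dst: Peer, request: List[dict]) -> Dict[int, str]:
    """Target side (claims 4-5): per-tunnel result for the response message."""
    result: Dict[int, str] = {}
    for entry in request:
        tid = entry["tunnel_id"]
        if entry["abnormal"]:
            # Source already knows the tunnel is broken: drop our SA, renegotiate.
            dst.sad_info.pop(tid, None)
            dst.sad_state.pop(tid, None)
            result[tid] = "renegotiate:source-abnormal"
            continue
        expected = entry["info"].mirrored()
        # First comparison: source info vs our local database and our SAD.
        if dst.local_db.get(tid) != expected or dst.sad_info.get(tid) != expected:
            result[tid] = "renegotiate:info-mismatch"
            continue
        # Second comparison: IKE process state vs security database state.
        if dst.ike_state.get(tid) != dst.sad_state.get(tid):
            result[tid] = "renegotiate:state-mismatch"
            continue
        result[tid] = "ok"
    return result


def demo() -> Dict[int, str]:
    """Constructed sample: four tunnels, one healthy and three kinds of drift."""
    t1 = TunnelInfo(0x1001, 0x2001, "10.0.1.0/24", "10.0.2.0/24")
    t2 = TunnelInfo(0x1002, 0x2002, "10.0.1.0/24", "10.0.3.0/24")
    t3 = TunnelInfo(0x1003, 0x2003, "10.0.1.0/24", "10.0.4.0/24")
    t4 = TunnelInfo(0x1004, 0x2004, "10.0.1.0/24", "10.0.5.0/24")
    tunnels = {1: t1, 2: t2, 3: t3, 4: t4}
    up = {i: "established" for i in tunnels}
    src = Peer(ike_info=dict(tunnels), ike_state=dict(up), local_db=dict(tunnels),
               sad_info={**tunnels, 2: replace(t2, spi_out=0x2FFF)},  # stale SPI
               sad_state=dict(up))
    mirrored = {i: t.mirrored() for i, t in tunnels.items()}
    dst = Peer(ike_info=dict(mirrored), ike_state=dict(up), sad_info=dict(mirrored),
               sad_state={**up, 3: "down"},  # kernel lost tunnel 3's SA
               local_db={**mirrored, 4: replace(mirrored[4], local_ts="10.0.9.0/24")})
    return handle_request(dst, build_request(src))


if __name__ == "__main__":
    for tid, verdict in demo().items():
        print(tid, verdict)
```

In the constructed sample, tunnel 1 is consistent everywhere and returns "ok"; tunnel 2 carries a stale outbound SPI in the source SAD, so the source flags it abnormal and the target deletes its SA before renegotiating; tunnel 3 is healthy on paper but the target kernel has lost the SA, which only the second (state) comparison catches; tunnel 4 has a stale traffic selector in the target's local database and fails the first comparison. Running the two comparisons in the order the claims give them means the cheaper information check short-circuits before the state check is consulted.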
CN202210961955.8A 2022-08-11 2022-08-11 Tunnel detection system, method and device, electronic equipment and storage medium Pending CN115314308A (en)

Publications (1)

Publication Number Publication Date
CN115314308A (en) 2022-11-08

Family

ID=83860215

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination