CN110120907B - Proposed group-based IPSec VPN tunnel communication method and device - Google Patents

Publication number: CN110120907B
Application number: CN201910337633.4A
Authority: CN (China)
Legal status: Active
Other versions: CN110120907A
Original language: Chinese (zh)
Inventor: 李小佳
Original assignee: Beijing Qianxin Technology Co Ltd
Current assignee: Qax Technology Group Inc

Classifications (CPC)

    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L67/141 Setup of application sessions

Abstract

Embodiments of the invention disclose a communication method and device for an IPSec VPN tunnel based on a proposal group: a proposal group for negotiating and establishing an IPSec SA is configured on each device that is to create an IPSec VPN tunnel. During tunnel creation, in the phase-two negotiation of the IPSec SA, as long as some proposal in the proposal group configured on the initiator is identical to some proposal in the proposal group configured on the responder, the initiator and the responder can negotiate and establish the IPSec SA. Compared with configuring only a single proposal on a device, configuring a proposal group greatly raises the success rate of negotiating and establishing the IPSec SA. Within the range of proposals agreed on by both ends, the proposal group offers more options, simplifies configuration, makes the phase-two negotiation more flexible and greatly improves networking flexibility.

Description

Proposal group-based IPSec VPN tunnel communication method and device
Technical Field
The invention relates to the technical field of VPN communication, and in particular to a communication method and device for an IPSec VPN tunnel based on a proposal group.
Background
The IPSec (IP Security) protocol, developed during the formulation of IPv6, is an open-standard framework for secure communication over Internet Protocol (IP) networks using cryptographic security services. IPSec includes a key management protocol, the Internet Key Exchange (IKE) protocol, which dynamically authenticates IPSec peers, negotiates security services and automatically generates shared keys. A security association (SA) records the policy and policy parameters of each IP security path; the SA is the basis of IPSec and is an agreement established between the two communicating parties that determines the protocol, the transform mode, the key lifetime and so on used to protect data packets.
IPSec VPN is a VPN (Virtual Private Network) technology that uses the IPSec protocol to provide remote access. Establishing an IPSec VPN tunnel requires two phases of negotiation: phase one establishes the IKE SA and phase two establishes the IPSec SA. Once the phase-one IKE SA negotiation is complete, the phase-two IPSec SA can be negotiated only if the IPSec SA proposal configured on the initiator and the IPSec SA proposal configured on the responder are the same proposal and the protected data flows also match (for example, the initiator's protected flow is 1.1.1.0-2.2.2.0/24 and the responder's is 2.2.2.0-1.1.1.0/24); only then is the IPSec VPN tunnel established between initiator and responder. In networking configuration especially, the same communication tunnel must be agreed through this negotiation, so the overall networking configuration is rigid, complicated to configure and inflexible. For example, in a centralised network (one responder corresponding to three initiators), if the ESP protocol is configured, the IPSec proposals of all three initiators must also be ESP, otherwise establishment fails. This makes networking inflexible.
In practical application, the inventor found that during IPSec VPN tunnel creation the IPSec SA can be established in the phase-two negotiation only when the proposals configured at both ends match completely and the protected data flows also match, so the phase-two negotiation is inflexible and the networking configuration is inflexible as well.
Disclosure of Invention
Embodiments of the invention provide a communication method and device for an IPSec VPN tunnel based on a proposal group, to solve the problem in the prior art that, during IPSec VPN tunnel establishment, the IPSec SA can be established in the phase-two negotiation only when the proposals configured at both ends match completely and the protected data flows also match, so that the phase-two negotiation and the networking configuration are inflexible.
In view of the above technical problem, an embodiment of the present invention provides a communication method for an IPSec VPN tunnel based on a proposal group, including:
in the process of establishing an IPSec VPN tunnel for communicating with a responder, determining whether an IKE SA has been negotiated with the responder;
if the IKE SA has been negotiated with the responder, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder;
sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder.
An embodiment of the present invention provides a communication apparatus for an IPSec VPN tunnel based on a proposal group, including:
a determining module, configured to determine, in the process of establishing an IPSec VPN tunnel for communicating with a responder, whether an IKE SA has been negotiated with the responder;
a selecting module, configured to select from a configured proposal group a first proposal for negotiating an IPSec SA with the responder if the IKE SA has been negotiated with the responder;
a sending module, configured to send the first proposal to the responder so as to establish the IPSec VPN tunnel with the responder.
An embodiment of the present invention provides an electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, the processor implementing the steps of the proposal group-based IPSec VPN tunnel communication method described above when executing the program.
An embodiment of the present invention provides a non-transitory computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the proposal group-based IPSec VPN tunnel communication method described above.
Embodiments of the invention provide a communication method and device for an IPSec VPN tunnel based on a proposal group. In the process of establishing the IPSec VPN tunnel, in the phase-two negotiation of the IPSec SA, as long as some proposal in the proposal group configured on the initiator is the same as some proposal in the proposal group configured on the responder, the initiator and the responder can negotiate and establish the IPSec SA. Compared with configuring only one proposal on a device, configuring a proposal group greatly improves the success rate of negotiating and establishing the IPSec SA. Within the range of proposals agreed by both ends, the proposal group offers more options, simplifies configuration, gives the phase-two negotiation greater flexibility and greatly improves networking flexibility.
Drawings
To illustrate the embodiments of the present invention or the prior art more clearly, the drawings used in describing them are briefly introduced below. The drawings described below show some embodiments of the present invention, and those skilled in the art can derive other drawings from them without creative effort.
Fig. 1 is a flowchart of a communication method for an IPSec VPN tunnel based on a proposal group according to an embodiment of the present invention;
Fig. 2 is a block diagram of a communication apparatus for an IPSec VPN tunnel based on a proposal group according to another embodiment of the present invention;
Fig. 3 is a block diagram of an electronic device according to another embodiment of the present invention.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present invention clearer, the technical solutions in the embodiments are described clearly and completely below with reference to the drawings. The embodiments described are some, but not all, of the embodiments of the present invention. All other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present invention.
In the existing process of creating an IPSec VPN tunnel, whether a device acts as initiator or as responder, only one proposal for negotiating the phase-two IPSec SA is configured on it. An IPSec VPN tunnel can therefore be created between two devices only if the IPSec SA proposals configured on the initiator and on the responder are the same. In this scenario, with a single proposal configured on each end, the IPSec SA can be established during phase-two negotiation only if the proposals and protected data flows configured at both ends match completely, which makes the configuration at both ends inflexible. Creating the IPSec VPN tunnel requires two phases of negotiation. Phase one establishes the IKE SA; its main purpose is to protect the data transmitted while the tunnel is being established (for example, the phase-two messages that negotiate the IPSec SA) and to authenticate the devices at both ends. Phase two establishes the IPSec SA; its main purpose is to protect the data transmitted in the tunnel once it is established (for example, the packets carried in the established tunnel). The proposal configured on a device contains the data used to negotiate the IPSec SA in phase two; for example, it specifies the encryption algorithm, authentication algorithm, compression algorithm and lifetime to be negotiated for the IPSec SA, so as to secure the data transmitted in the IPSec VPN tunnel.
To solve this technical problem, the present invention configures a proposal group on the device that creates the IPSec VPN tunnel. The proposal group contains at least one (usually two or more) proposals for negotiating the IPSec SA, and the data contained in each proposal differs. During IPSec SA negotiation, the IPSec VPN tunnel can be established as long as the proposal groups at the two ends contain proposals that match. Configuring the proposal group on the device raises the probability that IPSec SA negotiation succeeds and improves the flexibility of phase-two matching.
The method provided by this embodiment is performed by an apparatus that communicates by creating an IPSec VPN tunnel; the apparatus may be a server, a terminal, a router or a gateway, and this embodiment places no specific limit on it.
When the device acts as initiator, Fig. 1 is a schematic flowchart of the communication method for an IPSec VPN tunnel based on a proposal group provided by this embodiment. Referring to Fig. 1, the method includes:
101: in the process of establishing an IPSec VPN tunnel for communicating with a responder, determining whether an IKE SA has been negotiated with the responder;
102: if the IKE SA has been negotiated with the responder, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder;
103: sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder.
While establishing an IPSec VPN tunnel with a responder, the device acting as initiator must determine whether the IKE SA has been negotiated successfully before starting phase-two IPSec SA negotiation. If it has, phase-two IPSec SA negotiation proceeds; otherwise it cannot. Once the IPSec SA has been negotiated, the IPSec VPN tunnel with the responder is established and communication with the responder can proceed through it.
A proposal group containing several proposals for negotiating the IPSec SA is configured in advance on the device acting as initiator. When negotiating the IPSec SA, the device selects one proposal from the group as the first proposal and sends it to the responder. If the responder matches the first proposal successfully, the device establishes the IPSec VPN tunnel with the responder. If the responder fails to match the first proposal, the tunnel cannot be established with that proposal; the device acting as initiator can then select another proposal from the group as the first proposal and attempt to establish the IPSec VPN tunnel with the responder using the reselected first proposal. By configuring a proposal group, the device acting as initiator can flexibly choose the proposal used for phase-two negotiation: after a failed attempt to establish the tunnel, it can reselect a proposal and try again, which raises the probability of establishing the tunnel with the responder successfully. In addition, when a network is built, several communication tunnels can be established according to the configured proposal groups, which raises the success rate of networking and greatly improves its flexibility.
This embodiment provides a communication method for an IPSec VPN tunnel based on a proposal group, in which a proposal group for negotiating and establishing the IPSec SA is configured on the device that creates the IPSec VPN tunnel. In the process of establishing the IPSec VPN tunnel, in the phase-two negotiation of the IPSec SA, as long as some proposal in the proposal group configured on the initiator is the same as some proposal in the proposal group configured on the responder, the initiator and the responder can negotiate and establish the IPSec SA. Compared with configuring only one proposal on a device, configuring a proposal group greatly improves the success rate of negotiating and establishing the IPSec SA. Within the range of proposals agreed by both ends, the proposal group offers more options, simplifies configuration, gives the phase-two negotiation greater flexibility and greatly improves networking flexibility.
When the device acts as initiator, further, on the basis of the above embodiment, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder if the IKE SA has been negotiated with the responder includes:
if the IKE SA has been negotiated with the responder, obtaining a preset first selection rule used each time a proposal is selected from the proposal group, and selecting from the proposal group, according to the first selection rule, a proposal for negotiating the IPSec SA with the responder as the first proposal;
the first selection rule being polling selection, random selection or selection according to a set priority order.
On the device acting as initiator, in addition to the proposal group, a first selection rule is set that governs how the first proposal for phase-two IPSec SA negotiation is selected from the proposal group each time. For example, if the first selection rule is polling selection, an order is set for the proposals in the group and they are polled and selected in that order as the first proposal for negotiating the IPSec SA; if the first selection rule is random selection, a random algorithm is set and the first proposal is selected from the group according to that algorithm each time; if the first selection rule is selection by a set priority order, a priority is set for each proposal in the group and, each time, the proposal meeting the current priority requirement is selected as the first proposal, the priority requirement being reset after each selection. The device acting as initiator thus selects proposals under the control of the first selection rule, which increases the controllability of proposal selection and at the same time further increases the flexibility of IPSec SA negotiation.
When the device acts as initiator, further, on the basis of the foregoing embodiments, sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder includes:
sending the first proposal to the responder, and receiving first feedback information from the responder indicating whether the first proposal was matched successfully;
if the first feedback information indicates that the first proposal was matched successfully, the IPSec VPN tunnel with the responder is established;
if the first feedback information indicates that matching of the first proposal failed, reselecting a proposal from the proposal group as the first proposal until the IPSec VPN tunnel with the responder is established, or until the responder has failed to match every proposal in the proposal group.
Further, reselecting a proposal from the proposal group as the first proposal includes: reselecting a proposal from the proposal group as the first proposal according to the first selection rule.
Further, the method also includes: if every proposal in the proposal group fails to match, issuing a prompt that the IPSec VPN tunnel cannot be established with the responder.
After the device acting as initiator sends the first proposal to the responder, the responder attempts to match it and returns first feedback information indicating whether the match succeeded. If the first feedback information received by the device indicates success, the IPSec VPN tunnel with the responder is established and communication can proceed through it. If it indicates failure, the device acting as initiator can reselect from the proposal group a first proposal for negotiating the IPSec SA and attempt to establish the tunnel with the responder again using the reselected proposal. Through the responder's first feedback information, the device acting as initiator can promptly reselect a first proposal and retry tunnel creation when a match fails, which improves the efficiency of the negotiation process.
It should be noted that the above device may act not only as initiator but also as responder. When the device acts as responder, further, on the basis of the above embodiments, the method also includes:
if a second proposal for negotiating the IPSec SA, sent by an initiator in the process of establishing an IPSec VPN tunnel, is received, determining whether the configured proposal group contains a proposal that matches the second proposal; if so, sending second feedback information to the initiator indicating that the second proposal was matched successfully, otherwise sending third feedback information to the initiator indicating that matching of the second proposal failed.
In the method provided by this embodiment, the device acting as responder is also configured with a proposal group for negotiating the IPSec SA. When a second proposal for negotiating the IPSec SA is received from an initiator, the device determines whether its configured proposal group contains a proposal identical to the second proposal. If so, the second proposal is matched successfully and the IPSec VPN tunnel can be established; otherwise it cannot. When the second proposal is matched successfully, second feedback information is sent to the initiator; otherwise third feedback information is sent. The second and third feedback information tell the initiator promptly whether the IPSec VPN tunnel was established, so that the initiator can switch to a new first proposal in time and re-initiate tunnel establishment, keeping the negotiation process timely and orderly.
When the device acts as responder, further, on the basis of the foregoing embodiments, determining whether the configured proposal group contains a proposal that matches the second proposal and, if so, sending second feedback information to the initiator indicating that the match succeeded, otherwise sending third feedback information indicating that it failed, includes:
obtaining a preset second selection rule used each time a proposal is selected from the proposal group for matching against a received proposal, and selecting from the proposal group, according to the second selection rule, a proposal to match against the second proposal as the target proposal;
if the target proposal and the second proposal match successfully, sending the second feedback information to the initiator;
if the target proposal and the second proposal fail to match, reselecting from the proposal group, according to the second selection rule, a proposal to match against the second proposal as the target proposal, until the second proposal is matched successfully and the second feedback information is sent to the initiator, or until every proposal in the proposal group has failed to match the second proposal and the third feedback information is sent to the initiator.
On the device acting as responder, in addition to the proposal group configured for matching against the second proposal sent by the initiator, a second selection rule is set for selecting, each time, the target proposal to be matched against the second proposal. Each time the match fails, the target proposal is reselected from the proposal group according to the second selection rule and the reselected target proposal is compared with the second proposal. For example, if the second selection rule is polling selection, an order is set for the proposals in the group and they are polled in that order and matched against the second proposal; if it is random selection, a random algorithm is set and a proposal is selected from the group according to that algorithm each time and matched against the second proposal; if it is selection by a set priority order, the proposals in the group are prioritised according to the set order and, each time, the proposal meeting the current priority requirement is selected and matched against the second proposal, the priority requirement being reset after each selection. The device acting as responder thus selects the proposal to match against the second proposal under the control of the second selection rule, which increases the controllability of proposal selection and further increases the flexibility of IPSec SA negotiation.
Specifically, in the proposal group-based IPSec VPN tunnel communication method of this embodiment, given that the phase-one IKE SA has been negotiated, the initiator and the responder carry out phase-two IPSec SA negotiation through their proposal groups. Each proposal in a proposal group is an instance. When the device acts as initiator, a proposal for negotiating the IPSec SA can be selected from the configured proposal group, so that each time an IPSec VPN tunnel is negotiated there is a selectable proposal to offer the responder. When the device acts as responder, for example when several initiators establish IPSec VPN tunnels with it, the device acts as a central node negotiating IPSec VPN tunnels with several branches. Each instance in the proposal group configured on the device corresponds to a proposal for negotiating the IPSec SA that may be matched. Since an initiator may be configured with any single proposal or with a proposal group to negotiate with the responder, the proposal selected by the initiator negotiates successfully as long as it is identical to some proposal in the responder's proposal group, and IPSec tunnels of different types can be created.
It can be seen that, with the proposal group-based IPSec VPN tunnel communication method provided by this embodiment, the device acting as initiator has more flexibility in configuring proposals, and the device acting as responder can establish IPSec tunnels of several types when it serves as the central node. The method provided by this embodiment only optimises proposal matching; it does not affect the matching principle or the encryption, decryption and forwarding of traffic.
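The initiator-side retry loop (first selection rule, first feedback, reselect until the group is exhausted) and the responder-side matching (second selection rule, second/third feedback) described above, as an added Python model that is not part of the patent and is not any vendor's IKE implementation; the `Proposal` fields, the `Rule` names and the sample proposals and hub-and-spoke groups are constructed for illustration.

```python
"""Model of proposal-group matching in IKE phase 2 (IPsec SA) negotiation.
Constructed illustration: the initiator picks a first proposal from its group
under a selection rule, the responder compares it with its own group and answers
matched / not matched, and on failure the initiator re-selects until a proposal
is accepted or the group is exhausted. Only the matching step is modelled, not
IKE messages, authentication or keying."""
from dataclasses import dataclass
from enum import Enum
import random
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One phase-2 proposal: protocol, encryption, integrity and SA lifetime."""
    protocol: str     # "esp" or "ah"
    encryption: str   # e.g. "aes-256-cbc"; AH carries no encryption
    integrity: str    # e.g. "hmac-sha256"
    lifetime_s: int   # SA lifetime in seconds


class Rule(Enum):
    POLLING = "polling"    # round-robin: each negotiation starts one slot later
    RANDOM = "random"      # shuffled order, every proposal still tried once
    PRIORITY = "priority"  # configured order, highest priority first


def select_order(group: List[Proposal], rule: Rule, start: int = 0,
                 seed: Optional[int] = None) -> List[Proposal]:
    """Order in which a group is walked; each proposal is visited at most once."""
    n = len(group)
    if rule is Rule.RANDOM:
        order = list(group)
        random.Random(seed).shuffle(order)
        return order
    if rule is Rule.POLLING:
        return [group[(start + i) % n] for i in range(n)]
    return list(group)  # PRIORITY: the configured order is the priority order


class Responder:
    """Responder (hub) side: a proposal group plus the second selection rule."""
    def __init__(self, group: List[Proposal], rule: Rule = Rule.PRIORITY,
                 seed: Optional[int] = None) -> None:
        self.group, self.rule, self.seed = group, rule, seed
        self.accepted: List[Proposal] = []  # one entry per tunnel established

    def handle(self, second_proposal: Proposal) -> bool:
        """True = second feedback (a target proposal equals the received one);
        False = third feedback (every target in the group failed to match)."""
        for target in select_order(self.group, self.rule, seed=self.seed):
            if target == second_proposal:
                self.accepted.append(target)
                return True
        return False


class Initiator:
    """Initiator (spoke) side: a proposal group plus the first selection rule."""
    def __init__(self, group: List[Proposal], rule: Rule = Rule.PRIORITY,
                 seed: Optional[int] = None) -> None:
        self.group, self.rule, self.seed = group, rule, seed
        self._cursor = 0  # polling position, carried across negotiations

    def negotiate(self, responder: Responder,
                  ike_sa_up: bool = True) -> Tuple[Optional[Proposal], int]:
        """Steps 101-103 with the retry loop: returns (agreed proposal or None,
        proposals sent). None with sent > 0 means the whole group was refused."""
        if not ike_sa_up:  # step 101: without a phase-1 IKE SA, phase 2 cannot start
            return None, 0
        order = select_order(self.group, self.rule, self._cursor, self.seed)
        if self.rule is Rule.POLLING:
            self._cursor = (self._cursor + 1) % len(self.group)
        sent = 0
        for first_proposal in order:              # step 102: select first proposal
            sent += 1
            if responder.handle(first_proposal):  # step 103: send, await feedback
                return first_proposal, sent
        return None, sent


# Constructed sample proposals; 3600 s is a common default SA lifetime.
ESP_AES256 = Proposal("esp", "aes-256-cbc", "hmac-sha256", 3600)
ESP_AES128 = Proposal("esp", "aes-128-cbc", "hmac-sha1", 3600)
ESP_3DES = Proposal("esp", "3des-cbc", "hmac-md5", 3600)
AH_SHA256 = Proposal("ah", "none", "hmac-sha256", 3600)
HUB_GROUP = [ESP_AES256, ESP_AES128, AH_SHA256]  # priority order, strongest first


def hub_and_spoke_demo() -> List[Tuple[Optional[Proposal], int]]:
    """The text's central-node case: one responder, four initiators, one tunnel each."""
    hub = Responder(HUB_GROUP)
    spokes = [
        Initiator([ESP_AES128]),            # single ESP proposal, accepted
        Initiator([AH_SHA256]),             # AH-only device, also accepted
        Initiator([ESP_3DES, ESP_AES256]),  # first pick refused, second accepted
        Initiator([ESP_3DES]),              # nothing in common: no tunnel
    ]
    return [spoke.negotiate(hub) for spoke in spokes]
```

Listing the hub group strongest-first under the priority rule means a priority-ordered initiator settles on the best proposal the two groups share, and a spoke whose group is exhausted gets `(None, n)` rather than a tunnel.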
Fig. 2 shows a block diagram of a communication apparatus based on an proposed group of IPSec VPN tunnels according to an embodiment of the present invention, and referring to fig. 2, the communication apparatus based on an proposed group of IPSec VPN tunnels according to the embodiment includes a determining module 201, a selecting module 202 and a sending module 203, wherein,
a determining module 201, configured to determine, in a process of creating an IPSec VPN tunnel that communicates with a response end, whether an IKE SA is negotiated with the response end;
a selecting module 202, configured to select, if an IKE SA is negotiated with the responder, a first offer for negotiating IPSec SA with the responder from a set of configured offers;
a sending module 203, configured to send the first offer to the responding end, so as to establish the IPSec VPN tunnel with the responding end.
The communication apparatus based on the proposed group IPSec VPN tunnel according to this embodiment is suitable for the communication method based on the proposed group IPSec VPN tunnel according to the foregoing embodiment, and will not be described herein again.
The embodiment of the invention provides a communication device of IPSec VPN tunnel based on an proposal group, which configures the proposal group used for negotiating the establishment of IPSec SA in a device for creating the IPSec VPN tunnel. In the process of establishing the IPSec VPN tunnel, in the process of negotiating and establishing the IPSec SA in the second stage, as long as a certain offer exists in the offer group configured by the initiating end and a certain offer in the offer group configured by the responding end, the IPSec SA can be negotiated and established at the initiating end and the responding end. Compared with the method of only configuring one proposal on the equipment, the method for configuring the proposal group on the equipment greatly improves the success rate of negotiating and establishing IPSec SA. In the proposal range of which the configuration is agreed at both ends, the content options of the proposal group are more, the configuration is simplified, the two-stage negotiation process has higher flexibility, and the networking flexibility is greatly improved.
Further, on the basis of the foregoing embodiments, the selecting module is further configured to, if an IKE SA has been negotiated with the responder, obtain a preset first selection rule used each time a proposal is selected from the proposal group, and select from the proposal group, according to the first selection rule, a proposal for negotiating an IPSec SA with the responder as the first proposal;
the first selection rule is polling (round-robin) selection, random selection, or selection according to a set priority order.
Further, on the basis of the foregoing embodiments, the sending module is further configured to send the first proposal to the responder and receive first feedback information from the responder indicating whether the first proposal was matched successfully; if the first feedback information indicates that the first proposal was matched successfully, the IPSec VPN tunnel is established with the responder; and if the first feedback information indicates that matching of the first proposal failed, a proposal is reselected from the proposal group as the first proposal, until the IPSec VPN tunnel is established with the responder or until the responder has failed to match every proposal in the proposal group.
Further, on the basis of the above embodiments, the apparatus further comprises a response module;
the response module is configured to, if a second proposal for negotiating establishment of an IPSec SA, sent by an initiator in the process of creating an IPSec VPN tunnel, is received, determine whether a proposal that successfully matches the second proposal exists in the configured proposal group; if so, send second feedback information indicating that the second proposal was matched successfully to the initiator, and otherwise send third feedback information indicating that matching of the second proposal failed to the initiator.
Further, on the basis of the foregoing embodiments, determining whether a proposal that successfully matches the second proposal exists in the configured proposal group and, if so, sending the second feedback information indicating a successful match to the initiator, otherwise sending the third feedback information indicating a failed match to the initiator, includes:
obtaining a preset second selection rule used each time a proposal is selected from the proposal group for matching a received proposal, and selecting from the proposal group, according to the second selection rule, a proposal for matching the second proposal as a target proposal;
if the target proposal and the second proposal match successfully, sending the second feedback information to the initiator;
if the target proposal and the second proposal fail to match, reselecting from the proposal group, according to the second selection rule, a proposal for matching the second proposal as the target proposal, until the second proposal is matched successfully and the second feedback information is sent to the initiator, or until every proposal in the proposal group has failed to match the second proposal and the third feedback information is sent to the initiator;
the second selection rule is polling selection, random selection or selection according to a set priority order.
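The initiator and responder flow described above (first and second selection rules, retry until a match or until the proposal group is exhausted), as an added Python simulation that is not part of the patent or any product; the Proposal fields, the Peer class and the sample proposal groups are constructed for illustration, and the "polling" rule is modelled as round-robin over the configured order.

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IPsec SA proposal (constructed sample fields, not the patent's own)."""
    protocol: str              # "ESP" or "AH"
    encryption: str            # e.g. "aes256-cbc"
    integrity: str             # e.g. "hmac-sha256"
    pfs_group: Optional[int]   # DH group for PFS, None when PFS is not used
    mode: str = "tunnel"


def order_proposals(group: List[Proposal], rule: str, start: int = 0,
                    rng: Optional[random.Random] = None) -> List[Proposal]:
    """Order in which a proposal group is tried under a selection rule.

    "priority": configured order; "polling": round-robin starting at `start`;
    "random": a shuffled copy. Each proposal appears exactly once, so a retry
    loop over this list terminates after at most len(group) attempts.
    """
    if rule == "priority":
        return list(group)
    if rule == "polling":
        return group[start:] + group[:start]
    if rule == "random":
        shuffled = list(group)
        (rng or random).shuffle(shuffled)
        return shuffled
    raise ValueError(f"unknown selection rule: {rule}")


class Peer:
    """A VPN device with a configured proposal group and a selection rule."""

    def __init__(self, group: List[Proposal], rule: str = "priority",
                 rng: Optional[random.Random] = None) -> None:
        self.group, self.rule, self.rng = list(group), rule, rng
        self.cursor = 0   # round-robin position used by the "polling" rule

    def _ordered(self) -> List[Proposal]:
        ordered = order_proposals(self.group, self.rule, self.cursor, self.rng)
        self.cursor = (self.cursor + 1) % len(self.group)
        return ordered

    # Responder side (second selection rule): match one received proposal.
    def match(self, received: Proposal) -> bool:
        """True = second feedback (matched); False = third feedback (every
        proposal in the group failed to match the received one)."""
        return any(target == received for target in self._ordered())

    # Initiator side (first selection rule): phase 2, after the IKE SA exists.
    def negotiate(self, responder: "Peer",
                  ike_sa_up: bool) -> Tuple[bool, Optional[Proposal], int]:
        """Return (success, agreed proposal, number of proposals sent)."""
        if not ike_sa_up:
            return False, None, 0   # no IKE SA yet: no proposal is sent
        for attempt, first in enumerate(self._ordered(), start=1):
            if responder.match(first):          # first feedback: success
                return True, first, attempt
        return False, None, len(self.group)     # whole group exhausted


# Constructed sample proposals and groups for a stand-alone run.
A = Proposal("ESP", "aes128-cbc", "hmac-sha1", None)
B = Proposal("ESP", "aes256-cbc", "hmac-sha256", 14)
C = Proposal("ESP", "aes128-gcm", "none", 19)

if __name__ == "__main__":
    ok, agreed, sent = Peer([A, B, C]).negotiate(Peer([C, B]), ike_sa_up=True)
    print(ok, agreed, sent)   # True, proposal B, 2 proposals sent
```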
Fig. 3 is a block diagram showing the structure of the electronic device provided in the present embodiment.
Referring to fig. 3, the electronic device includes a processor 310, a communication interface 320, a memory 330 and a communication bus 340, wherein the processor 310, the communication interface 320 and the memory 330 communicate with each other via the communication bus 340. The processor 310 may call logic instructions in the memory 330 to perform the following method: in the process of establishing an IPSec VPN tunnel that communicates with a responder, determining whether an IKE SA has been negotiated with the responder; if the IKE SA has been negotiated with the responder, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder; and sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder.
In addition, the logic instructions in the memory 330 may be implemented in the form of software functional units and stored in a computer readable storage medium when sold or used as independent products. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The present embodiments provide a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, performs the following method: in the process of establishing an IPSec VPN tunnel that communicates with a responder, determining whether an IKE SA has been negotiated with the responder; if the IKE SA has been negotiated with the responder, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder; and sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder.
The present embodiments disclose a computer program product comprising a computer program stored on a non-transitory computer readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above method embodiments, for example: in the process of establishing an IPSec VPN tunnel that communicates with a responder, determining whether an IKE SA has been negotiated with the responder; if the IKE SA has been negotiated with the responder, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder; and sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder.
The above-described embodiments of the electronic device and the like are merely illustrative, where the units described as separate parts may or may not be physically separate, and the parts displayed as units may or may not be physical units, may be located in one place, or may also be distributed on multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of the embodiments of the present invention and are not intended to limit them; although the embodiments of the present invention have been described in detail with reference to the foregoing embodiments, those skilled in the art will understand that the technical solutions described in the foregoing embodiments may still be modified, or some or all of their technical features may be equivalently replaced, and such modifications or substitutions do not cause the essence of the corresponding technical solutions to depart from the scope of the technical solutions of the embodiments of the present invention.

Claims (10)

1. A communication method for a proposal-group-based IPSec VPN tunnel, comprising:
in the process of establishing an IPSec VPN tunnel that communicates with a responder, determining whether an IKE SA has been negotiated with the responder;
if the IKE SA has been negotiated with the responder, selecting from a configured proposal group a first proposal for negotiating an IPSec SA with the responder;
sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder;
wherein, if the IKE SA has been negotiated with the responder, selecting from the configured proposal group a first proposal for negotiating an IPSec SA with the responder comprises:
if the IKE SA has been negotiated with the responder, obtaining a preset first selection rule used each time a proposal is selected from the proposal group, and selecting from the proposal group, according to the first selection rule, a proposal for negotiating an IPSec SA with the responder as the first proposal;
the first selection rule is polling selection, random selection or selection according to a set priority order.
2. The method of claim 1, wherein sending the first proposal to the responder to establish the IPSec VPN tunnel with the responder comprises:
sending the first proposal to the responder, and receiving first feedback information from the responder indicating whether the first proposal was matched successfully;
if the first feedback information indicates that the first proposal was matched successfully, the IPSec VPN tunnel is established with the responder;
and if the first feedback information indicates that matching of the first proposal failed, reselecting a proposal from the proposal group as the first proposal, until the IPSec VPN tunnel is established with the responder or until the responder has failed to match every proposal in the proposal group.
3. The proposal-group-based IPSec VPN tunnel communication method according to claim 1, further comprising:
if a second proposal for negotiating establishment of an IPSec SA, sent by an initiator in the process of establishing an IPSec VPN tunnel, is received, determining whether a proposal that successfully matches the second proposal exists in the configured proposal group; if so, sending second feedback information indicating that the second proposal was matched successfully to the initiator, and otherwise sending third feedback information indicating that matching of the second proposal failed to the initiator.
4. The method of claim 3, wherein determining whether a proposal that successfully matches the second proposal exists in the configured proposal group and, if so, sending the second feedback information indicating a successful match to the initiator, otherwise sending the third feedback information indicating a failed match to the initiator, comprises:
obtaining a preset second selection rule used each time a proposal is selected from the proposal group for matching a received proposal, and selecting from the proposal group, according to the second selection rule, a proposal for matching the second proposal as a target proposal;
if the target proposal and the second proposal match successfully, sending the second feedback information to the initiator;
if the target proposal and the second proposal fail to match, reselecting from the proposal group, according to the second selection rule, a proposal for matching the second proposal as the target proposal, until the second proposal is matched successfully and the second feedback information is sent to the initiator, or until every proposal in the proposal group has failed to match the second proposal and the third feedback information is sent to the initiator;
the second selection rule is polling selection, random selection or selection according to a set priority order.
5. A communication apparatus for a proposal-group-based IPSec VPN tunnel, comprising:
a determining module, configured to determine, in the process of establishing an IPSec VPN tunnel that communicates with a responder, whether an IKE SA has been negotiated with the responder;
a selecting module, configured to select, if the IKE SA has been negotiated with the responder, a first proposal for negotiating an IPSec SA with the responder from a configured proposal group;
a sending module, configured to send the first proposal to the responder so as to establish the IPSec VPN tunnel with the responder;
wherein the selecting module is further configured to, if the IKE SA has been negotiated with the responder, obtain a preset first selection rule used each time a proposal is selected from the proposal group, and select from the proposal group, according to the first selection rule, a proposal for negotiating an IPSec SA with the responder as the first proposal;
the first selection rule is polling selection, random selection or selection according to a set priority order.
6. The apparatus according to claim 5, wherein the sending module is further configured to send the first proposal to the responder and receive first feedback information from the responder indicating whether the first proposal was matched successfully; if the first feedback information indicates that the first proposal was matched successfully, the IPSec VPN tunnel is established with the responder; and if the first feedback information indicates that matching of the first proposal failed, a proposal is reselected from the proposal group as the first proposal, until the IPSec VPN tunnel is established with the responder or until the responder has failed to match every proposal in the proposal group.
7. The proposal-group-based IPSec VPN tunnel communication apparatus of claim 5, further comprising a response module;
the response module is configured to, if a second proposal for negotiating establishment of an IPSec SA, sent by an initiator in the process of creating an IPSec VPN tunnel, is received, determine whether a proposal that successfully matches the second proposal exists in the configured proposal group; if so, send second feedback information indicating that the second proposal was matched successfully to the initiator, and otherwise send third feedback information indicating that matching of the second proposal failed to the initiator.
8. The apparatus according to claim 7, wherein determining whether a proposal that successfully matches the second proposal exists in the configured proposal group and, if so, sending the second feedback information indicating a successful match to the initiator, otherwise sending the third feedback information indicating a failed match to the initiator, comprises:
obtaining a preset second selection rule used each time a proposal is selected from the proposal group for matching a received proposal, and selecting from the proposal group, according to the second selection rule, a proposal for matching the second proposal as a target proposal;
if the target proposal and the second proposal match successfully, sending the second feedback information to the initiator;
if the target proposal and the second proposal fail to match, reselecting from the proposal group, according to the second selection rule, a proposal for matching the second proposal as the target proposal, until the second proposal is matched successfully and the second feedback information is sent to the initiator, or until every proposal in the proposal group has failed to match the second proposal and the third feedback information is sent to the initiator;
the second selection rule is polling selection, random selection or selection according to a set priority order.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the proposal-group-based IPSec VPN tunnel communication method according to any one of claims 1 to 4.
10. A non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the proposal-group-based IPSec VPN tunnel communication method according to any one of claims 1 to 4.
CN201910337633.4A 2019-04-25 2019-04-25 Proposed group-based IPSec VPN tunnel communication method and device Active CN110120907B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910337633.4A CN110120907B (en) 2019-04-25 2019-04-25 Proposed group-based IPSec VPN tunnel communication method and device

Publications (2)

Publication Number Publication Date
CN110120907A CN110120907A (en) 2019-08-13
CN110120907B true CN110120907B (en) 2021-05-25

Family

ID=67521500

Country Status (1)

Country Link
CN (1) CN110120907B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114553507B (en) * 2022-02-10 2024-02-09 新华三信息安全技术有限公司 Security authentication method, device, equipment and machine-readable storage medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101262405A (en) * 2008-04-11 2008-09-10 华南理工大学 Network Processor-Based High-Speed Security Virtual Private Network Channel and Its Realization Method
CN103053143A (en) * 2010-08-25 2013-04-17 瑞典爱立信有限公司 Methods and arrangements for secure communication over an IP network
US8543139B2 (en) * 2007-08-03 2013-09-24 Airvana Llc Distributed network
US8650618B2 (en) * 2009-07-22 2014-02-11 Cisco Technology, Inc. Integrating service insertion architecture and virtual private network
CN105827661A (en) * 2016-05-31 2016-08-03 宇龙计算机通信科技(深圳)有限公司 Method and device for secure communication

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3854954B2 (en) * 2003-09-05 2006-12-06 キヤノン株式会社 Data sharing device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP03 Change of name, title or address

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: QAX Technology Group Inc.

Address before: 100015 15, 17 floor 1701-26, 3 building, 10 Jiuxianqiao Road, Chaoyang District, Beijing.

Patentee before: BEIJING QIANXIN TECHNOLOGY Co.,Ltd.