CN109617922A - VPN protects the processing method of network segment conflict, device, electronic equipment - Google Patents
- Publication number
- CN109617922A (application CN201910069981.8A)
- Authority
- CN (China)
- Prior art keywords
- branch end, center, network segment, branch, mark
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0485—Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The application provides a processing method, device, electronic equipment and machine-readable storage medium for a VPN protection network segment conflict. In this application, the connection negotiation message sent by the branch end is obtained, where the connection negotiation message includes at least the branch end protection network segment and the branch end identifier. If the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is not identical to the branch end identifier the center-side has saved, the connection of the branch end is refused and a termination negotiation packet is sent to the branch end. Distinguishing branches by branch end protection network segment and branch end identifier solves the problem of blocked traffic caused by overlapping (conflicting) protection network segments when two or more IPSec VPN branch ends each establish an IPSec VPN with the center-side, and greatly facilitates user management and maintenance.
Description
Technical field
This application relates to the field of communication technology, and in particular to a processing method, device, electronic equipment and machine-readable storage medium for a VPN protection network segment conflict.
Background
With the rapid development of the economy and society and the rising level of enterprise informatization, a common demand is for branch companies or offices in various regions to exchange and transmit information with the enterprise headquarters across the Internet; VPN (Virtual Private Network) is a remote access technology that addresses this demand. VPNs are divided into several types by tunnel protocol. IPSec (Internet Protocol Security) is one such tunnel protocol; an IPSec-based VPN encrypts data per packet rather than per data flow, which is both flexible and helps further improve the security of IP packets, effectively guarding against network attacks.
A VPN that uses IPSec as its tunnel protocol provides high-quality, interoperable, cryptography-based security assurance for data transferred over interconnected networks. Between multiple communicating parties, an IPSec-based VPN provides security services such as data confidentiality, data integrity and data origin authentication at the IP layer by means of encryption and data source authentication.
Summary of the invention
The application provides a processing method for a VPN protection network segment conflict. The method is applied to a member device of a VPN system. When the VPN system runs, the member device can be configured as a center-side or a branch end, where the center-side is the network device at one end of an IPSec tunnel connection in the VPN system, the branch end is the network device at the other end of the IPSec tunnel connection corresponding to the center-side, and one center-side can correspond to multiple branch ends. When the member device is a center-side, the method includes:
obtaining the connection negotiation message sent by the branch end, where the connection negotiation message includes at least a branch end protection network segment and a branch end identifier; the branch end identifier uniquely identifies the branch end, and the branch end protection network segment indicates the private network segment of the network data to be encrypted in the IPSec tunnel between the branch end and the center-side;
if the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is not identical to the branch end identifier the center-side has saved, refusing the connection of the branch end;
sending a termination negotiation packet to the branch end.
Optionally, the method further includes:
if the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is identical to the branch end identifier the center-side has saved, allowing the connection of the branch end;
sending a success response message for the connection negotiation message to the branch end.
Optionally, the method further includes:
if the branch end protection network segment does not conflict with any protection network segment the center-side has saved, allowing the connection of the branch end;
saving the branch end protection network segment and the branch end identifier at the center-side;
sending a success response message for the connection negotiation message to the branch end.
Optionally, the branch end identifier is generated from the public network address of the branch end's corresponding outlet.
Optionally, the method further includes:
if the branch end's corresponding outlet has multiple public network addresses, configuring a common identification code for those public network addresses, where the identification code identifies the branch end identifier shared by the multiple public network addresses of the same branch end;
generating the branch end identifier for the branch end from the identification code.
Optionally, when the member device is a branch end, the method includes:
sending the connection negotiation message to the center-side based on the branch end identifier.
The application also provides a processing device for a VPN protection network segment conflict. The device is applied to a member device of a VPN system. When the VPN system runs, the member device can be configured as a center-side or a branch end, where the center-side is the network device at one end of an IPSec tunnel connection in the VPN system, the branch end is the network device at the other end of the IPSec tunnel connection corresponding to the center-side, and one center-side can correspond to multiple branch ends. When the member device is a center-side, the device includes:
a transceiver module for obtaining the connection negotiation message sent by the branch end, where the connection negotiation message includes at least a branch end protection network segment and a branch end identifier; the branch end identifier uniquely identifies the branch end, and the branch end protection network segment indicates the private network segment of the network data to be encrypted in the IPSec tunnel between the branch end and the center-side;
a processing module for refusing the connection of the branch end if the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is not identical to the branch end identifier the center-side has saved;
the transceiver module is further used to send a termination negotiation packet to the branch end.
Optionally, the processing module is further used to:
if the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is identical to the branch end identifier the center-side has saved, allow the connection of the branch end;
send a success response message for the connection negotiation message to the branch end.
Optionally, the processing module is further used to:
if the branch end protection network segment does not conflict with any protection network segment the center-side has saved, allow the connection of the branch end;
save the branch end protection network segment and the branch end identifier at the center-side;
send a success response message for the connection negotiation message to the branch end.
Optionally, the branch end identifier is generated from the public network address of the branch end's corresponding outlet.
Optionally, the processing module is further used to:
if the branch end's corresponding outlet has multiple public network addresses, configure a common identification code for those public network addresses, where the identification code identifies the branch end identifier shared by the multiple public network addresses of the same branch end;
generate the branch end identifier for the branch end from the identification code.
Optionally, when the member device is a branch end, the transceiver module is further used to:
send the connection negotiation message to the center-side based on the branch end identifier.
The application also provides an electronic device including a communication interface, a processor, a memory and a bus, where the communication interface, the processor and the memory are interconnected through the bus; machine-readable instructions are stored in the memory, and the processor executes the above method by invoking the machine-readable instructions.
The application also provides a machine-readable storage medium storing machine-readable instructions which, when invoked and executed by a processor, implement the above method.
By the above embodiments, the connection negotiation message sent by the branch end is obtained, where the connection negotiation message includes at least a branch end protection network segment and a branch end identifier; the branch end identifier uniquely identifies the branch end, and the branch end protection network segment indicates the private network segment of the network data to be encrypted in the IPSec tunnel between the branch end and the center-side. If the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is not identical to the branch end identifier the center-side has saved, the connection of the branch end is refused and a termination negotiation packet is sent to the branch end. Distinguishing branches by branch end protection network segment and branch end identifier solves the problem of blocked traffic caused by overlapping (conflicting) protection network segments when two or more IPSec VPN branch ends each establish an IPSec VPN with the center-side, and greatly facilitates user management and maintenance.
Brief description of the drawings
Fig. 1 is a flowchart of a processing method for a VPN protection network segment conflict provided by an exemplary embodiment.
Fig. 2 is a flowchart of a processing procedure for a VPN protection network segment conflict provided by an exemplary embodiment.
Fig. 3 is a block diagram of a processing device for a VPN protection network segment conflict provided by an exemplary embodiment.
Fig. 4 is a hardware structure diagram of an electronic device provided by an exemplary embodiment.
Detailed description
Exemplary embodiments are described in detail here, and examples are illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the application; on the contrary, they are only examples of devices and methods consistent with some aspects of the application as detailed in the appended claims.
The terms used in this application are merely for the purpose of describing particular embodiments and are not intended to limit the application. The singular forms "a", "said" and "the" used in this application and the appended claims are also intended to include the plural forms, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It will be appreciated that although the terms first, second, third, etc. may be used in this application to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from each other. For example, without departing from the scope of the application, first information could also be referred to as second information, and similarly second information could be referred to as first information. Depending on the context, the word "if" as used herein may be construed as "when", "upon" or "in response to determining".
To help those skilled in the art better understand the technical solution in the embodiments of the application, the related technology of VPN protection network segment conflict handling involved in the embodiments of the application is briefly described first.
In some scenarios, a VPN system generally includes multiple member devices whose device role is configurable: a member device can be a center-side or a branch end, i.e. the center-side and the branch ends above are all member devices of the VPN system. Specifically, for example: an IPSec link to network device B at headquarters is configured on network device A of branch 1, so network device A is a branch end of the VPN system, abbreviated branch end A, and network device B is the center-side of the VPN system, abbreviated center-side B; based on this configuration the VPN system establishes an IPSec tunnel, abbreviated tunnel AB. An IPSec link to network device B at headquarters is configured on network device C of branch 2, so network device C is another branch end of the VPN system, abbreviated branch end C, and network device B is center-side B; based on this configuration the VPN system establishes another IPSec tunnel, abbreviated tunnel CB. Network device A of branch 1 and network device C of branch 2 are thus branch ends of the VPN system, and network device B at headquarters is its center-side. The above is only one exemplary possibility; in practice there are many, for example a VPN system may include three or more branch ends.
Continuing with the above example, after the two IPSec tunnels are established, the two branch ends A and C can each transmit network data to be encrypted to center-side B over their IPSec tunnel, where the network data to be encrypted corresponds to the respective private network segment of branch ends A and C; these private network segments are also called VPN protection network segments. Specifically, for example: the private network segment of the network data to be encrypted of branch end A is 2.2.2.2/24, and the private network segment of the network data to be encrypted of branch end C is also 2.2.2.2/24. In this situation the private network segments corresponding to the data to be encrypted of both branch ends A and C are 2.2.2.2/24, i.e. the VPN branch end protection network segments conflict. Implemented with the existing IPSec protocol, after center-side B receives a message from branch end A over tunnel AB, its reply message may be forwarded to branch end C over tunnel CB, so the reply enters the wrong IPSec tunnel and traffic is blocked. Identical private network segments are only one exemplary form of conflict; in practice there are many, for example one of the two private network segments contains the other, i.e. the two private network segments intersect, which is not repeated in detail here.
On this basis, the application proposes a processing scheme for a VPN protection network segment conflict. The scheme is applied to a member device of a VPN system. When the VPN system runs, the member device can be configured as a center-side or a branch end, where the center-side is the network device at one end of an IPSec tunnel connection in the VPN system, the branch end is the network device at the other end of the IPSec tunnel connection corresponding to the center-side, and one center-side can correspond to multiple branch ends. When the member device is a center-side, it obtains the connection negotiation message sent by the branch end, where the connection negotiation message includes at least a branch end protection network segment and a branch end identifier; the branch end identifier uniquely identifies the branch end, and the branch end protection network segment indicates the private network segment of the network data to be encrypted in the IPSec tunnel between the branch end and the center-side. If the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is not identical to the branch end identifier the center-side has saved, the connection of the branch end is refused and a termination negotiation packet is sent to the branch end.
The application is described below through specific embodiments in combination with specific application scenarios.
Referring to Fig. 1, Fig. 1 shows a processing method for a VPN protection network segment conflict provided by an embodiment of the application. The method is applied to a member device of a VPN system. When the VPN system runs, the member device can be configured as a center-side or a branch end, where the center-side is the network device at one end of an IPSec tunnel connection in the VPN system and the branch end is the network device at the other end of the IPSec tunnel connection corresponding to the center-side. When the member device is a center-side, the method executes the following steps:
Step 102: obtain the connection negotiation message sent by the branch end, where the connection negotiation message includes at least a branch end protection network segment and a branch end identifier; the branch end identifier uniquely identifies the branch end, and the branch end protection network segment indicates the private network segment of the network data to be encrypted in the IPSec tunnel between the branch end and the center-side.
Here the branch end refers to branch end A or branch end C of the above example, or the branch ends corresponding to other branches. The connection negotiation message here includes at least the branch end protection network segment and the branch end identifier, and the branch end identifier is generated from the public network address of the branch end's corresponding outlet. Continuing with the above example, specifically: the public IP of branch end A is 10.30.30.1 and the public IP of branch end C is 10.20.20.1. The connection negotiation message sent by branch end A to center-side B then includes at least the protection network segment of branch end A, 2.2.2.2/24, and the identifier of branch end A, where the branch end identifier of branch end A, abbreviated branch identifier A, is generated from the public IP 10.30.30.1 of branch end A. The specific generation algorithm can be based on the MD5 (Message-Digest Algorithm 5, a cryptographic hash function) value of that public IP, or the public IP 10.30.30.1 of branch end A can itself serve as the unique identifier. Similarly, branch end C generates its branch end identifier, abbreviated branch identifier C, from its public IP 10.20.20.1.
Optionally, in another possible VPN networking, continuing with the above example, the private network devices in the protection network segment (private network segment) of branch 2 can access the public network not only through the public network gateway of branch end C whose IP is 10.20.20.1, but also through another public network gateway whose IP is 10.20.20.2; that is, branch 2 has two public network gateways, 10.20.20.1 and 10.20.20.2. Branch end C then generates its branch end identifier by another process, shown by way of example in Fig. 2, which executes the following steps:
Step 202: configure an identification code for a branch end that has multiple public network gateways.
If the branch end's corresponding outlet has multiple public network addresses, a common identification code is configured for those public network addresses, where the identification code identifies the branch end identifier shared by the multiple public network addresses of the same branch end. Specifically, the identification code can be an identical identification string configured by the user on each of the public network gateways 10.20.20.1 and 10.20.20.2 of branch end C, for example "branchc-c2".
Step 204: generate the branch end identifier for the branch end from the identification code.
Specifically, for example: branch end C processes the above string with a preset algorithm, for example by computing the MD5 of the string to obtain a 16-byte digest and taking the first 8 bytes of that digest, as the string ss, as the branch identifier of branch end C. This process solves the following problem: if the same branch end has multiple public network gateway outlets and the branch identifiers in its connection negotiation messages differ, the reply messages to its connection negotiation messages cannot return through the corresponding IPSec tunnel, and traffic is blocked.
At this point the process shown in Fig. 2, in which branch end C generates its branch end identifier by the alternative process, is complete. Based on the above process, branch ends A and C each send a connection negotiation message to center-side B based on their respective branch end identifiers. The connection negotiation message is constructed based on ISAKMP (Internet Security Association and Key Management Protocol); specifically, for example, branch end A fills its branch identifier into the last Vendor ID field of the initial negotiation message of the IKE (Internet Key Exchange) phase of the ISAKMP protocol.
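As an added illustration (not code from the patent), the following Python builds a chain of ISAKMP payloads whose last Vendor ID payload carries the branch identifier, and shows how a center-side would walk the chain to recover it while rejecting a truncated message. The generic payload header layout is that of RFC 2408; the payload contents, the 8-byte identifier and the helper names are constructed for this example.

```python
"""Carrying the branch end identifier in the last ISAKMP Vendor ID payload (added example)."""
import struct

VENDOR_ID = 13   # ISAKMP payload type for Vendor ID (RFC 2408)
NO_NEXT = 0      # Next Payload value meaning "this is the last payload"
# Generic payload header: Next Payload (1 byte), RESERVED (1 byte), Payload Length (2 bytes,
# network order, including the 4-byte header itself).
HDR = struct.Struct("!BBH")


def build_payload_chain(payloads):
    """Encode [(payload_type, data), ...] as an ISAKMP payload chain.

    Each generic header names the type of the *following* payload; the last header uses 0.
    The type of the first payload is carried in the ISAKMP message header, not returned here.
    """
    out = bytearray()
    for i, (_ptype, data) in enumerate(payloads):
        next_type = payloads[i + 1][0] if i + 1 < len(payloads) else NO_NEXT
        out += HDR.pack(next_type, 0, HDR.size + len(data)) + data
    return bytes(out)


def last_vendor_id(first_type, chain):
    """Walk the payload chain and return the data of the last Vendor ID payload (or None).

    `first_type` is the Next Payload value from the ISAKMP header. A header or payload
    length that runs past the message raises ValueError, so a truncated negotiation
    message is rejected instead of being misread as a valid branch identifier.
    """
    ptype, off, found = first_type, 0, None
    while True:
        if off + HDR.size > len(chain):
            raise ValueError("payload header runs past end of message")
        next_type, _reserved, length = HDR.unpack_from(chain, off)
        if length < HDR.size or off + length > len(chain):
            raise ValueError("invalid payload length")
        if ptype == VENDOR_ID:
            found = chain[off + HDR.size:off + length]   # keep overwriting: last one wins
        if next_type == NO_NEXT:
            return found
        ptype, off = next_type, off + length


def example_message():
    """Constructed IKE initial-message payload chain: an SA payload stub, an ordinary
    Vendor ID, and finally the Vendor ID carrying the branch identifier ('ss' in the text)."""
    branch_id = bytes.fromhex("3f7a9c0d11e2b3c4")   # constructed 8-byte MD5 prefix
    chain = build_payload_chain([
        (1, b"\x00\x00\x00\x01"),          # SA payload (type 1); contents irrelevant here
        (VENDOR_ID, b"example-vendor"),    # a vendor's usual Vendor ID payload
        (VENDOR_ID, branch_id),            # last Vendor ID: the branch end identifier
    ])
    return 1, chain, branch_id               # 1 = type of the first payload (from ISAKMP header)
```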
Step 104: if the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is not identical to the branch end identifier the center-side has saved, refuse the connection of the branch end.
The protection network segments and branch end identifiers the center-side has saved arise in the following usual situation: if the branch end protection network segment does not conflict with any protection network segment the center-side has saved, the center-side allows the connection of the branch end and saves the branch end protection network segment and branch end identifier.
Specifically, continuing with the above exemplary process, in one possible embodiment center-side B initially has not saved the protection network segment or branch identifier of any branch end, so the protection network segment of branch end A does not conflict with any protection network segment saved by the center-side. After branch end A sends a connection negotiation message to center-side B by the process described in step 102, the branch end A protection network segment and branch end identifier saved by center-side B are as shown in Table 1:
| Serial number | Protection network segment | Branch identifier |
| --- | --- | --- |
| 1 | 2.2.2.2/24 | 10.30.30.1 (branch end A) |
Table 1
After performing the above save operation, center-side B sends a success response message for the above connection negotiation message to branch end A.
In another possible embodiment, if branch end C has only one public network gateway, 10.20.20.1, then after branch end C sends a connection negotiation message through 10.20.20.1 to center-side B by the process described in step 102, the protection network segment and branch end identifier saved by center-side B are as shown in Table 2:
Table 2
After performing the above save operation, center-side B sends a success response message for the above connection negotiation message to branch end C.
In another possible embodiment, if the branch end protection network segment conflicts with a protection network segment the center-side has saved and the branch end identifier is identical to the branch end identifier the center-side has saved, the connection of the branch end is allowed. Specifically, for example: if branch end C can send connection negotiation messages to center-side B by the process described in step 102 not only through public network gateway 10.20.20.1 but also through another public network gateway 10.20.20.2, then after branch end C sends a connection negotiation message to center-side B from public network gateway 10.20.20.1 for the first time, the protection network segment and branch end identifier saved by center-side B are as shown in Table 3:
| Serial number | Protection network segment | Branch identifier |
| --- | --- | --- |
| 1 | 2.2.2.2/24 | ss (branch end C) |
Table 3
When branch end C sends a connection negotiation message to center-side B from public network gateway 10.20.20.2 for the second time (called the second connection negotiation message), referring to the process described in step 202, the connection negotiation message carries the branch identifier ss and the protection network segment 2.2.2.2/24. Center-side B looks up protection network segment 2.2.2.2/24 in Table 3 and finds that it conflicts with an existing protection network segment, 2.2.2.2/24. It obtains from Table 3 the branch identifier corresponding to the conflicting protection network segment 2.2.2.2/24, which is ss, identical to the branch identifier ss carried in the second connection negotiation message, so center-side B lets the second connection negotiation message of branch end C pass and sends branch end C a success response message for the second connection negotiation message.
In one possible embodiment, continuing with the above exemplary process, for example: the table of protection network segments and branch end identifiers currently saved by center-side B is as shown in Table 3 above. When branch end A sends a connection negotiation message to center-side B by the process described in step 102, the connection negotiation message carries the branch identifier 10.30.30.1 and the protection network segment 2.2.2.2/24. Center-side B looks up protection network segment 2.2.2.2/24 in Table 3 and finds that it conflicts with an existing protection network segment, 2.2.2.2/24. It obtains from Table 3 the branch identifier corresponding to the conflicting protection network segment 2.2.2.2/24, which is ss, while the branch identifier carried in the connection negotiation message of branch end A is 10.30.30.1; since the two are not identical, center-side B refuses the connection of branch end A.
Step 106: send a termination negotiation packet to the branch end.
Specifically, for example: as described in step 104, after center-side B refuses the connection of branch end A, center-side B sends a termination negotiation packet to branch end A. In a preferred embodiment, center-side B also records an alarm for the refused connection, where the alarm records at least the branch identifiers of the conflicting branch ends C and A and the protection network segment 2.2.2.2/24. Based on the alarm, the user can quickly find and analyze the conflicting VPN protection network segments and adjust the configuration in time.
This completes the process shown in Fig. 1. As can be seen from Fig. 1, the above method is applied to a member device of a VPN system. When the VPN system runs, the member device can be configured as a center side or a branch end, where the center side is the network device on one side of an IPsec tunnel connection in the VPN system and the branch end is the network device on the other side of the IPsec tunnel connection corresponding to the center side; one center side can correspond to multiple branch ends. When the member device is a center side, it obtains the connection negotiation message sent by the branch end, where the connection negotiation message includes at least a branch-end protected network segment and a branch-end identifier; the branch-end identifier uniquely identifies the branch end, and the branch-end protected network segment indicates the private-network segment corresponding to the network data to be encrypted in the IPsec tunnel between the branch end and the center side. If the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is not identical to the branch-end identifier saved by the center side, the connection of the branch end is refused and a termination negotiation message is sent to the branch end.
With the embodiments of the present application, branch ends are distinguished on the basis of their protected network segments and branch-end identifiers. This solves the problem of service interruption caused by overlapping (conflicting) protected network segments when two or more IPsec VPN branch ends each establish an IPsec VPN with the center side, and greatly facilitates management and maintenance for the user.
Fig. 3 is a block diagram of an apparatus for processing VPN protected-network-segment conflicts provided by an exemplary embodiment of the present application. Corresponding to the above method embodiments, the present application also provides an embodiment of an apparatus for processing VPN protected-network-segment conflicts. The apparatus is applied to a member device of a VPN system; when the VPN system runs, the member device can be configured as a center side or a branch end, where the center side is the network device on one side of an IPsec tunnel connection in the VPN system and the branch end is the network device on the other side of the IPsec tunnel connection corresponding to the center side, and one center side can correspond to multiple branch ends. When the member device is a center side, referring to the apparatus 30 for processing VPN protected-network-segment conflicts illustrated in Fig. 3, the apparatus includes:
a transceiver module 301, configured to obtain the connection negotiation message sent by the branch end, where the connection negotiation message includes at least a branch-end protected network segment and a branch-end identifier, the branch-end identifier uniquely identifies the branch end, and the branch-end protected network segment indicates the private-network segment corresponding to the network data to be encrypted in the IPsec tunnel between the branch end and the center side;
a processing module 302, configured to refuse the connection of the branch end if the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is not identical to the branch-end identifier saved by the center side;
the transceiver module 301 being further configured to send a termination negotiation message to the branch end.
In this embodiment, the processing module 302 is further configured to:
if the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is identical to the branch-end identifier saved by the center side, allow the connection of the branch end;
send a success response message for the connection negotiation message to the branch end.
In this embodiment, the processing module 302 is further configured to:
if the branch-end protected network segment does not conflict with any protected network segment saved by the center side, allow the connection of the branch end;
save the branch-end protected network segment and the branch-end identifier at the center side;
send a success response message for the connection negotiation message to the branch end.
In this embodiment, the branch-end identifier is generated on the basis of the public-network address of the egress corresponding to the branch end.
In this embodiment, the processing module 302 is further configured to:
if the egress corresponding to the branch end has multiple public-network addresses, configure a common identification code for the multiple public-network addresses, where the identification code identifies the branch-end identifier shared by the multiple public-network addresses under the same branch end;
generate the branch-end identifier for the branch end on the basis of the identification code.
In this embodiment, when the member device is a branch end, the transceiver module 301 is further configured to:
send the connection negotiation message to the center side on the basis of the branch-end identifier.
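The center-side decision of steps 102 to 106 (Fig. 1) and of modules 301 and 302 (Fig. 3), as an added Python simulation that is not part of the patent. The message layout, the use of address-range overlap as the conflict test, the dict-based table and the reply strings are my assumptions; the segment and identifier values replay the description's example with center-side B, branch end C (ss) and branch end A (10.30.30.1).

```python
"""Constructed simulation of the center-side logic of CN109617922A.

Assumptions not stated by the patent: a negotiation message carries one
branch-end identifier and one protected segment; a "conflict" is any address
overlap between the incoming protected segment and a saved one; the replies
are modelled as the strings SUCCESS and TERMINATE.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_network
from typing import Dict, List, Optional

SUCCESS = "SUCCESS"      # success response to the connection negotiation message
TERMINATE = "TERMINATE"  # termination negotiation message (step 106)


def make_branch_id(public_addrs: List[str],
                   identification_code: Optional[str] = None) -> str:
    """Branch-end identifier as in claims 4 and 5: the egress public address
    when there is exactly one, otherwise the shared identification code."""
    if identification_code is not None:
        return identification_code
    if len(public_addrs) != 1:
        raise ValueError("multiple public addresses need a shared identification code")
    return public_addrs[0]


@dataclass
class NegotiationMessage:
    branch_id: str
    protected_segment: str   # written as in the patent's examples, e.g. "2.2.2.2/24"


@dataclass
class CenterSide:
    # Table 3 of the description: saved protected segment -> branch-end identifier.
    table: Dict[IPv4Network, str] = field(default_factory=dict)
    alarms: List[dict] = field(default_factory=list)

    def handle(self, msg: NegotiationMessage) -> str:
        # strict=False normalises a host-style prefix such as 2.2.2.2/24 to 2.2.2.0/24.
        seg = ip_network(msg.protected_segment, strict=False)
        # Step 104: identifiers of saved segments whose address range overlaps.
        conflicting = {bid for s, bid in self.table.items() if s.overlaps(seg)}
        if not conflicting:
            # No conflict: allow, and save segment + identifier for later checks.
            self.table[seg] = msg.branch_id
            return SUCCESS
        if conflicting == {msg.branch_id}:
            # Same branch re-negotiating its own segment: allow, no alarm.
            return SUCCESS
        # A different branch claims an overlapping segment: refuse (step 104),
        # answer with the termination message (step 106) and record the alarm.
        self.alarms.append({
            "refused_branch": msg.branch_id,
            "conflicting_branches": sorted(conflicting),
            "protected_segment": str(seg),
        })
        return TERMINATE


def run_patent_scenario() -> dict:
    """Replays the description's example: branch end C ("ss") registers
    2.2.2.2/24 and re-negotiates, then branch end A (10.30.30.1) claims it."""
    center_b = CenterSide()
    c_first = center_b.handle(NegotiationMessage("ss", "2.2.2.2/24"))
    c_second = center_b.handle(NegotiationMessage("ss", "2.2.2.2/24"))
    a_id = make_branch_id(["10.30.30.1"])
    a_reply = center_b.handle(NegotiationMessage(a_id, "2.2.2.2/24"))
    return {
        "c_first": c_first,
        "c_second": c_second,
        "a_reply": a_reply,
        "alarms": center_b.alarms,
        "saved": {str(k): v for k, v in center_b.table.items()},
    }


if __name__ == "__main__":
    print(run_patent_scenario())
```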
Since the apparatus embodiments substantially correspond to the method embodiments, refer to the relevant parts of the method embodiments for details. The apparatus embodiments described above are merely illustrative: the modules described as separate units may or may not be physically separate, and the components shown as modules may or may not be physical modules; they may be located in one place or distributed over multiple network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present application. Those of ordinary skill in the art can understand and implement this without creative effort.
The systems, apparatuses, modules or units illustrated in the above embodiments may be implemented by a computer chip or entity, or by a product having a certain function. A typical implementing device is a computer, which may take the form of a personal computer, laptop computer, cellular phone, camera phone, smart phone, personal digital assistant, media player, navigation device, e-mail transceiver, game console, tablet computer, wearable device, or a combination of any of these devices.
The embodiment of the apparatus for processing VPN protected-network-segment conflicts of the present application may be applied to the electronic device shown in Fig. 4. The apparatus embodiment may be implemented in software, in hardware, or in a combination of hardware and software. Taking software implementation as an example, the apparatus in the logical sense is formed by the processor of the electronic device in which it resides reading the corresponding computer program instructions from a machine-readable storage medium and executing them. From the hardware perspective, Fig. 4 is a hardware structure diagram of the electronic device in which the apparatus for processing VPN protected-network-segment conflicts of the present application resides. Besides the processor, communication interface, bus and machine-readable storage medium shown in Fig. 4, the electronic device in which the apparatus resides may also include other hardware according to its actual functions; this is not described further.
Correspondingly, the embodiments of the present application also provide the hardware structure of an electronic device containing the apparatus shown in Fig. 3; refer to Fig. 4, a hardware structure diagram of an electronic device provided by the embodiments of the present application. The device includes a communication interface 401, a processor 402, a machine-readable storage medium 403 and a bus 404; the communication interface 401, the processor 402 and the machine-readable storage medium 403 communicate with one another via the bus 404. The communication interface 401 is used for network communication. The processor 402 may be a central processing unit (CPU) and can execute the machine-readable instructions stored in the machine-readable storage medium 403 so as to implement the process described above.
The machine-readable storage medium 403 referred to herein can be any electronic, magnetic, optical or other physical storage device that can contain or store information such as executable instructions and data. For example, the machine-readable storage medium may be volatile memory, non-volatile memory or a similar storage medium. Specifically, the machine-readable storage medium 403 may be RAM (Random Access Memory), flash memory, a storage drive (such as a hard disk drive), a solid-state disk, any type of storage disc (such as a CD or DVD), a similar storage medium, or a combination of these.
This completes the description of the hardware structure shown in Fig. 4.
In addition, the embodiments of the present application also provide a machine-readable storage medium containing machine-executable instructions, for example the machine-readable storage medium 403 in Fig. 4; the machine-executable instructions can be executed by the processor 402 of a data processing device to implement the data processing method described above.
For the functions of each unit of the above apparatus and the implementation of their effects, see the implementation of the corresponding steps in the above method; details are not repeated here.
Those skilled in the art, after considering the specification and practising the invention disclosed herein, will readily conceive of other embodiments of the present application. The present application is intended to cover any variations, uses or adaptations that follow its general principles and include common knowledge or conventional techniques in the art not disclosed herein. The description and examples are to be considered illustrative only; the true scope and spirit of the present application are indicated by the following claims.
It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.
The foregoing describes merely the preferred embodiments of the present application and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the present application shall fall within its scope of protection.
Claims (14)
1. A method for processing VPN protected-network-segment conflicts, the method being applied to a member device of a VPN system, wherein, when the VPN system runs, the member device can be configured as a center side or a branch end, the center side being the network device on one side of an IPsec tunnel connection in the VPN system, the branch end being the network device on the other side of the IPsec tunnel connection corresponding to the center side, and one center side being able to correspond to multiple branch ends, characterized in that, when the member device is a center side, the method comprises:
obtaining a connection negotiation message sent by the branch end, wherein the connection negotiation message includes at least a branch-end protected network segment and a branch-end identifier, the branch-end identifier uniquely identifies the branch end, and the branch-end protected network segment indicates the private-network segment corresponding to the network data to be encrypted in the IPsec tunnel between the branch end and the center side;
if the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is not identical to the branch-end identifier saved by the center side, refusing the connection of the branch end;
sending a termination negotiation message to the branch end.
2. The method according to claim 1, characterized by further comprising:
if the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is identical to the branch-end identifier saved by the center side, allowing the connection of the branch end;
sending a success response message for the connection negotiation message to the branch end.
3. The method according to claim 1, characterized by further comprising:
if the branch-end protected network segment does not conflict with any protected network segment saved by the center side, allowing the connection of the branch end;
saving the branch-end protected network segment and the branch-end identifier at the center side;
sending a success response message for the connection negotiation message to the branch end.
4. The method according to claim 1, characterized in that the branch-end identifier is generated on the basis of the public-network address of the egress corresponding to the branch end.
5. The method according to claim 4, characterized by further comprising:
if the egress corresponding to the branch end has multiple public-network addresses, configuring a common identification code for the multiple public-network addresses, wherein the identification code identifies the branch-end identifier shared by the multiple public-network addresses under the same branch end;
generating the branch-end identifier for the branch end on the basis of the identification code.
6. The method according to claim 4 or 5, characterized in that, when the member device is a branch end, the method comprises:
sending the connection negotiation message to the center side on the basis of the branch-end identifier.
7. An apparatus for processing VPN protected-network-segment conflicts, the apparatus being applied to a member device of a VPN system, wherein, when the VPN system runs, the member device can be configured as a center side or a branch end, the center side being the network device on one side of an IPsec tunnel connection in the VPN system, the branch end being the network device on the other side of the IPsec tunnel connection corresponding to the center side, and one center side being able to correspond to multiple branch ends, characterized in that, when the member device is a center side, the apparatus comprises:
a transceiver module, configured to obtain a connection negotiation message sent by the branch end, wherein the connection negotiation message includes at least a branch-end protected network segment and a branch-end identifier, the branch-end identifier uniquely identifies the branch end, and the branch-end protected network segment indicates the private-network segment corresponding to the network data to be encrypted in the IPsec tunnel between the branch end and the center side;
a processing module, configured to refuse the connection of the branch end if the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is not identical to the branch-end identifier saved by the center side;
the transceiver module being further configured to send a termination negotiation message to the branch end.
8. The apparatus according to claim 7, characterized in that the processing module is further configured to:
if the branch-end protected network segment conflicts with a protected network segment already saved by the center side and the branch-end identifier is identical to the branch-end identifier saved by the center side, allow the connection of the branch end;
send a success response message for the connection negotiation message to the branch end.
9. The apparatus according to claim 7, characterized in that the processing module is further configured to:
if the branch-end protected network segment does not conflict with any protected network segment saved by the center side, allow the connection of the branch end;
save the branch-end protected network segment and the branch-end identifier at the center side;
send a success response message for the connection negotiation message to the branch end.
10. The apparatus according to claim 7, characterized in that the branch-end identifier is generated on the basis of the public-network address of the egress corresponding to the branch end.
11. The apparatus according to claim 10, characterized in that the processing module is further configured to:
if the egress corresponding to the branch end has multiple public-network addresses, configure a common identification code for the multiple public-network addresses, wherein the identification code identifies the branch-end identifier shared by the multiple public-network addresses under the same branch end;
generate the branch-end identifier for the branch end on the basis of the identification code.
12. The apparatus according to claim 10 or 11, characterized in that, when the member device is a branch end, the transceiver module is further configured to:
send the connection negotiation message to the center side on the basis of the branch-end identifier.
13. An electronic device, characterized by comprising a communication interface, a processor, a memory and a bus, wherein the communication interface, the processor and the memory are connected to one another via the bus;
the memory stores machine-readable instructions, and the processor executes the method according to any one of claims 1 to 6 by calling the machine-readable instructions.
14. A machine-readable storage medium, characterized in that the machine-readable storage medium stores machine-readable instructions which, when called and executed by a processor, implement the method according to any one of claims 1 to 6.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201910069981.8A CN109617922B (en) | 2019-01-24 | 2019-01-24 | Processing method and device for VPN protection network segment conflict, and electronic equipment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN109617922A true CN109617922A (en) | 2019-04-12 |
CN109617922B CN109617922B (en) | 2021-04-27 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||