
CN103179225B - A kind of NAT table item keepalive method based on IPsec and equipment - Google Patents


Info

Publication number: CN103179225B
Authority: CN (China)
Prior art keywords: ipsec, nat, ike, responder, initiator
Legal status: Active
Application number: CN201310086924.3A
Other languages: Chinese (zh)
Other versions: CN103179225A (en)
Inventor: 杨超
Current Assignee: New H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Events:
Application filed by Hangzhou H3C Technologies Co Ltd
Priority to CN201310086924.3A
Publication of CN103179225A
Application granted
Publication of CN103179225B
Legal status: Active


Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses an IPsec-based NAT entry keepalive method and device. The method includes: an IPsec initiator establishes an IKE SA between itself and an IPsec responder, uses the IKE SA to establish an IPsec SA between itself and the IPsec responder, and starts the NAT packet transmission timer corresponding to the IKE SA; when the IKE SA or an IPsec SA is deleted, the IPsec initiator judges whether that IKE SA or IPsec SA is the last SA in the SA set; if so, the IPsec initiator deletes the NAT packet transmission timer; if not, the IPsec initiator retains the NAT packet transmission timer. In the embodiment of the invention, traffic interruption can be avoided.

Description

An IPsec-based NAT table entry keepalive method and device
Technical field
The present invention relates to the field of communication technology, and in particular to an IPsec (IP Security)-based NAT (Network Address Translation) entry keepalive method and device.
Background art
IPsec is a layer-3 tunnel encryption protocol and a security technology for implementing layer-3 VPNs (Virtual Private Networks). It provides the following security services at the IP layer: (1) confidentiality: the IPsec initiator encrypts a packet before transmitting it over the network; (2) data integrity: the IPsec responder authenticates each received packet to ensure it was not tampered with in transit; (3) data origin authentication: the IPsec responder can verify that the IPsec initiator that sent an IPsec packet is legitimate; (4) anti-replay: the IPsec responder can detect and reject stale or repeated packets.
To provide these security services, IPsec offers two security mechanisms, authentication and encryption. The authentication mechanism lets the responder of an IP communication confirm the true identity of the packet's sender and whether the packet was altered in transit; the encryption mechanism protects the confidentiality of a packet by encrypting it, preventing eavesdropping in transit. Within the IPsec protocol suite, the AH (Authentication Header) protocol defines how authentication is applied, and the ESP (Encapsulating Security Payload) protocol defines how encryption and optional authentication are applied. In actual IP communication, AH and ESP can be used together or one of them can be selected, according to the actual security requirements.
IPsec provides secure communication between two endpoints, called IPsec peers: the IPsec initiator and the IPsec responder. An SA (Security Association) is an agreement between IPsec peers on certain elements, for example which protocol to use (AH or ESP), which protocol encapsulation mode to use (transport mode or tunnel mode), which encryption algorithm to use, and so on. Further, IPsec peers can negotiate and establish SA information through IKE (Internet Key Exchange); Figure 1 is a schematic diagram of the relationship between IPsec and IKE.
IKE performs key negotiation and establishes SAs for IPsec in two phases: (1) the IPsec initiator and the IPsec responder establish between themselves a channel that is authenticated and protected, that is, an IKE SA; (2) through the IKE SA established in the first phase, security services are negotiated for IPsec, that is, concrete SAs are negotiated for IPsec, establishing the IPsec SAs used for the final secure transmission of IP data.
As shown in Figure 2, NAT is the process of translating the IP address in an IP packet header into another IP address. It is used to let a private network access the public network and helps slow the exhaustion of the available IP address space. Further, as shown in Figure 3, NAPT (Network Address Port Translation) allows multiple private addresses to be mapped onto the same public address, because NAPT maps IP address and port number together: the source addresses of IP packets from different private addresses may be mapped to the same external address, while the port number of each IP packet is translated to a different port number of that address, so the same address can be shared; that is, translation between private IP address + port number and public IP address + port number.
In current networking applications, IPsec and NAT are both very common, and IPsec and NAT devices may be deployed at the same time. As shown in Figure 4, RT2 (a router) is the NAT device, PC1 (a host) and RT1 are inside the NAT, and PC2 and RT3 are outside the NAT. When PC1 and PC2 need to communicate, an IPsec link must be established between RT1 and RT3. After RT1 sends an IKE negotiation packet to RT3, the NAT device must maintain a NAT translation entry for this IKE negotiation packet so that the IKE negotiation packet RT3 sends back can be correctly delivered to RT1. This NAT translation entry has a certain aging time (configured on the NAT device); if no IKE negotiation packet passes through the NAT device within the aging time, the NAT device deletes the NAT translation entry.
In the prior art, to keep the NAT translation entry on the NAT device from being deleted, RT1 must periodically send NAT entry keepalive packets (NAT Keepalive packets; the transmission period defaults to 20 seconds). However, the precondition for RT1 to periodically send NAT entry keepalive packets is that the IKE SA exists; if the IKE SA does not exist, RT1 does not send NAT entry keepalive packets to the NAT device.
Because the IKE SA and the IPsec SA do not necessarily exist at the same time, when the IKE SA does not exist but the IPsec SA does, RT1 does not send NAT entry keepalive packets, and the NAT device deletes the NAT translation entry after the aging time. Therefore, when IPsec traverses NAT, because there is no NAT translation entry, traffic sent from RT3 to RT1 cannot match a NAT translation entry, and a traffic interruption occurs.
Summary of the invention
An embodiment of the present invention provides an IPsec-based NAT entry keepalive method and device that can send NAT entry keepalive packets when the IKE SA does not exist but an IPsec SA does, so that traffic sent from the IPsec responder to the IPsec initiator does not fail to match a NAT translation entry on the NAT device.
To achieve the above object, an embodiment of the present invention provides an IPsec-based NAT entry keepalive method, applied in a network including an IPsec initiator, a NAT device and an IPsec responder. The method comprises the following steps:
The IPsec initiator establishes an IKE SA between itself and the IPsec responder, uses the IKE SA to establish an IPsec SA between itself and the IPsec responder, and starts the NAT packet transmission timer corresponding to the IKE SA;
When the IKE SA or an IPsec SA is deleted, the IPsec initiator judges whether that IKE SA or IPsec SA is the last SA in the SA set; where, in the initial state, the SA set includes the IKE SA and all IPsec SAs established using the IKE SA;
If so, the IPsec initiator deletes the NAT packet transmission timer;
If not, the IPsec initiator retains the NAT packet transmission timer;
Where, before the NAT packet transmission timer is deleted, the IPsec initiator periodically sends NAT entry keepalive packets to the IPsec responder through the NAT device.
After the IPsec initiator establishes the IKE SA between itself and the IPsec responder, the IPsec initiator starts a first aging timer for the IKE SA, and after the first aging timer expires, the IPsec initiator deletes the IKE SA;
After the IPsec initiator uses the IKE SA to establish the IPsec SA between itself and the IPsec responder, the IPsec initiator starts a second aging timer for the IPsec SA, and after the second aging timer expires, the IPsec initiator deletes the IPsec SA.
After the IPsec initiator deletes the NAT packet transmission timer, the method further includes:
The IPsec initiator stops sending NAT entry keepalive packets to the IPsec responder.
The IPsec initiator establishing the IKE SA between itself and the IPsec responder specifically includes: the IPsec initiator sends an IKE negotiation packet to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation packet, establishes a corresponding NAT translation entry for the IKE negotiation packet and maintains an aging timer for the NAT translation entry;
When the IPsec initiator receives an IKE negotiation packet from the IPsec responder through the NAT device, it establishes the IKE SA between itself and the IPsec responder.
The NAT entry keepalive packet is used to make the NAT device that receives it update the aging timer of the NAT translation entry.
An embodiment of the present invention provides an IPsec initiator device, applied in a network including the IPsec initiator, a NAT device and an IPsec responder, the IPsec initiator specifically comprising:
An establishment module, for establishing the IKE SA between this device and the IPsec responder, and using the IKE SA to establish the IPsec SA between this device and the IPsec responder;
A judgment module, for judging, when the IKE SA or an IPsec SA is deleted, whether that IKE SA or IPsec SA is the last SA in the SA set; where, in the initial state, the SA set includes the IKE SA and all IPsec SAs established using the IKE SA;
A maintenance module, for starting the NAT packet transmission timer corresponding to the IKE SA when the IKE SA is established; deleting the NAT packet transmission timer when the judgment result is yes; and retaining the NAT packet transmission timer when the judgment result is no;
A sending module, for periodically sending NAT entry keepalive packets to the IPsec responder through the NAT device before the NAT packet transmission timer is deleted.
The device further includes a processing module, for starting a first aging timer for the IKE SA when the IKE SA between this device and the IPsec responder is established, and deleting the IKE SA after the first aging timer expires; and for starting a second aging timer for the IPsec SA when the IPsec SA between this device and the IPsec responder is established, and deleting the IPsec SA after the second aging timer expires.
The sending module is further for stopping the sending of NAT entry keepalive packets to the IPsec responder after the NAT packet transmission timer is deleted.
The establishment module is specifically for sending an IKE negotiation packet to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation packet, establishes a corresponding NAT translation entry for the IKE negotiation packet and maintains an aging timer for the NAT translation entry;
and, when receiving an IKE negotiation packet from the IPsec responder through the NAT device, establishing the IKE SA between this device and the IPsec responder.
The NAT entry keepalive packet is used to make the NAT device that receives it update the aging timer of the NAT translation entry.
Compared with the prior art, the embodiment of the present invention has at least the following advantage: in an environment where IPsec traverses NAT, when the IKE SA does not exist but an IPsec SA does, NAT entry keepalive packets can continue to be sent, so traffic sent from the IPsec responder to the IPsec initiator does not fail to match a NAT translation entry on the NAT device, and traffic interruption is avoided.
Brief description of the drawings
Figure 1 is a schematic diagram of the relationship between IPsec and IKE in the prior art;
Figure 2 is a schematic diagram of the NAT processing procedure in the prior art;
Figure 3 is a schematic diagram of the NAPT processing procedure in the prior art;
Figure 4 is a network diagram in which IPsec and NAT devices are deployed at the same time in the prior art;
Figure 5 is a flow chart of the IPsec-based NAT entry keepalive method provided by an embodiment of the present invention;
Figure 6 is a structural diagram of the IPsec initiator proposed by an embodiment of the present invention.
Detailed description of the invention
The embodiments of the present invention are described in detail below with reference to the accompanying drawings.
To address the problems in the prior art, an embodiment of the present invention proposes an IPsec-based NAT entry keepalive method, applied in a network including an IPsec initiator (the device inside the NAT), a NAT device and an IPsec responder (the device outside the NAT). In a network environment where IPsec traverses the NAT device, when the IKE SA does not exist but an IPsec SA does, the IPsec initiator can continue to send NAT entry keepalive packets, so that traffic sent from the IPsec responder to the IPsec initiator does not fail to match a NAT translation entry on the NAT device, and traffic interruption is avoided.
As shown in Figure 5, the IPsec-based NAT entry keepalive method comprises the following steps:
Step 501: the IPsec initiator establishes an IKE SA between itself and the IPsec responder and starts the NAT packet transmission timer corresponding to the IKE SA.
In the embodiment, the IPsec initiator establishing the IKE SA between itself and the IPsec responder specifically includes: the IPsec initiator sends an IKE negotiation packet (used to negotiate SA-related information) to the IPsec responder through the NAT device; when the IPsec initiator receives an IKE negotiation packet from the IPsec responder through the NAT device, it establishes the IKE SA between itself and the IPsec responder.
In the embodiment, after the IPsec initiator sends the IKE negotiation packet to the IPsec responder through the NAT device, in order to ensure that the IKE negotiation packet sent by the IPsec responder can be correctly delivered to the IPsec initiator, the NAT device, on receiving the IKE negotiation packet, must establish a corresponding NAT translation entry for it and maintain an aging timer for the NAT translation entry.
Specifically, after receiving the IKE negotiation packet, if the NAT device has no NAT translation entry corresponding to the IKE negotiation packet, it establishes a NAT translation entry for the packet, sets an aging time for the entry (set according to practical experience) and maintains an aging timer for it; if the NAT device already has a NAT translation entry corresponding to the IKE negotiation packet, it updates the aging timer of that entry (i.e. restarts the aging timer's count).
Taking Figure 4 as the application scenario of the embodiment, assume that IPsec is deployed on RT1 and RT3, an IPsec policy is configured on the interface connecting RT1 to RT2, an IPsec policy is configured on the interface connecting RT3 to RT2, the NAT function is enabled on RT2, PC1 and PC2 are hosts, PC1 is inside the NAT and PC2 is outside the NAT. Then, when PC1 needs to send data to PC2, RT1 is the IPsec initiator, RT3 is the IPsec responder and RT2 is the NAT device.
After RT1 receives the data that PC1 needs to send to PC2, it learns from routing that the outgoing interface is its own interface connected to RT2, whose address is 17.17.17.12. Because an IPsec policy is configured on this interface, RT1 triggers the IPsec SA negotiation process to establish an IPsec tunnel between RT1 and RT3. Further, during the establishment of the IPsec tunnel, RT1 must send IKE negotiation packets to RT3 through the NAT device, and RT3 must return IKE negotiation packets to RT1 through the NAT device.
In this process, after RT1 sends an IKE negotiation packet to RT3 through RT2, in order to ensure that RT3 can return an IKE negotiation packet to RT1 through RT2, a NAT translation entry corresponding to the IKE negotiation packet must be maintained on RT2. That is: when RT2 has no NAT translation entry corresponding to the IKE negotiation packet, it establishes a NAT translation entry for the packet; the entry has a certain aging time (configured manually on RT2), and from the moment the NAT translation entry is established, an aging timer is maintained for it. If RT2 already has a NAT translation entry corresponding to the IKE negotiation packet, it only needs to clear the aging timer's current count and restart the aging timer.
In the embodiment, to keep the NAT translation entry on the NAT device from being deleted, the IPsec initiator must also start the NAT packet transmission timer corresponding to the IKE SA. After starting the NAT packet transmission timer, the IPsec initiator periodically (at a period determined by the NAT packet transmission timer) sends NAT entry keepalive packets (in plaintext format) to the IPsec responder through the NAT device.
The NAT entry keepalive packet is used to make the NAT device that receives it update the aging timer of the NAT translation entry. Specifically, the source address in the IP header of the NAT entry keepalive packet is the same as the source address in the IP header of the IKE negotiation packet, the destination address in the IP header of the keepalive packet is the same as the destination address in the IP header of the IKE negotiation packet, the source port in the UDP header of the keepalive packet is the same as the source port in the UDP header of the IKE negotiation packet, and the destination port in the UDP header of the keepalive packet is the same as the destination port in the UDP header of the IKE negotiation packet. The NAT translation entry was established from the IKE negotiation packet and records that packet's relevant information (source and destination address in the IP header, source and destination port in the UDP header). Therefore, after receiving a NAT entry keepalive packet, the NAT device can use the source and destination address in the packet's IP header and the source and destination port in its UDP header to match the NAT translation entry and update the entry's aging timer, i.e. reset the aging timer to its initial value.
In the embodiment, after the IPsec initiator establishes the IKE SA between itself and the IPsec responder, it must also start a first aging timer for the IKE SA, and after the first aging timer expires the IPsec initiator must delete the IKE SA; further, the IKE SA may also be deleted manually. In addition, after the IPsec responder establishes the IKE SA between itself and the IPsec initiator, the IPsec responder must likewise start a first aging timer for the IKE SA and delete the IKE SA after the first aging timer expires. The aging time of the first aging timer is the lifetime negotiated between the IPsec initiator and the IPsec responder.
Step 502: the IPsec initiator uses the IKE SA (i.e. the IKE SA established in step 501) to establish an IPsec SA between itself and the IPsec responder.
In the embodiment, after the IPsec initiator uses the IKE SA to establish the IPsec SA between itself and the IPsec responder, it must also start a second aging timer for the IPsec SA, and after the second aging timer expires the IPsec initiator must delete the IPsec SA; the IPsec SA may also be deleted manually. In addition, after the IPsec responder establishes the IPsec SA between itself and the IPsec initiator, the IPsec responder must likewise start a second aging timer for the IPsec SA and delete the IPsec SA after the second aging timer expires. The aging time of the second aging timer is the lifetime negotiated between the IPsec initiator and the IPsec responder.
Step 503: when the IKE SA or an IPsec SA is deleted (by aging or manually), the IPsec initiator judges whether that IKE SA or IPsec SA is the last SA in the SA set; where, in the initial state, the SA set includes the IKE SA and all IPsec SAs established using this IKE SA. If so, step 504 is performed; if not, step 505 is performed.
Based on the NAT translation entry established on the NAT device for the IKE negotiation packet, the IKE SA and the IPsec SAs in the SA set all correspond to the NAT translation entry; an IKE SA or IPsec SA corresponding to the NAT translation entry means that it has the same five-tuple information (source address, destination address, source port, destination port, protocol type). Specifically, when the IPsec initiator sends an IKE negotiation packet to the IPsec responder through the NAT device to establish the IKE SA, the NAT device establishes a NAT translation entry for the IKE negotiation packet, and the IPsec initiator then uses this IKE SA to establish multiple IPsec SAs; in this process, all the IKE SAs and IPsec SAs established correspond to the NAT translation entry.
Step 504: the IPsec initiator deletes the NAT packet transmission timer.
Step 505: the IPsec initiator retains the NAT packet transmission timer.
In the embodiment, before the NAT packet transmission timer is deleted, the IPsec initiator must periodically send NAT entry keepalive packets to the IPsec responder through the NAT device; after the NAT packet transmission timer is deleted, the IPsec initiator must stop sending NAT entry keepalive packets to the IPsec responder. Thereafter, because the NAT device no longer receives NAT entry keepalive packets, the aging timer of the NAT translation entry expires and the NAT device deletes the NAT translation entry.
In summary, in the embodiment, in an environment where IPsec traverses NAT, when the IKE SA does not exist but an IPsec SA does, NAT entry keepalive packets continue to be sent as long as there is still an IKE SA or IPsec SA corresponding to the NAT translation entry; only when the last SA (IKE SA or IPsec SA) is deleted is the NAT packet transmission timer deleted and the sending of NAT entry keepalive packets stopped. Thus traffic sent from the IPsec responder to the IPsec initiator does not fail to match a NAT translation entry on the NAT device, and traffic interruption is avoided.
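As an added illustration (not code from the patent or from H3C), the following Python model runs steps 501 to 505 beside the prior-art rule from the background section, using abstract ticks and constructed timer values; the address 17.17.17.12 is the RT1 interface from the text, while the peer address 203.0.113.9 and the class names are assumptions of this example.

```python
"""Discrete-time model of the NAT entry keepalive rule (steps 501-505) versus
the prior-art rule that ties keepalives to the IKE SA alone. Constructed example;
NatDevice, Initiator and all timer values are assumptions, time is in ticks."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Five-tuple of the IKE negotiation packet as the NAT device sees it. 17.17.17.12
# is the RT1 interface address from the text; 203.0.113.9 is a constructed peer
# address and 500/udp the conventional IKE port.
IKE_TUPLE = ("17.17.17.12", "203.0.113.9", 500, 500, "udp")


@dataclass
class NatDevice:
    """RT2: one translation entry per five-tuple, each with an aging timer."""
    aging_time: int
    table: Dict[tuple, int] = field(default_factory=dict)  # tuple -> ticks left

    def receive(self, tuple5: tuple) -> None:
        # An IKE negotiation packet creates the entry; a keepalive carrying the
        # same addresses and ports matches it. Either way the aging timer restarts.
        self.table[tuple5] = self.aging_time

    def inbound_hits(self, src: str, dst: str, sport: int, dport: int, proto: str) -> bool:
        # Return traffic from the responder matches the entry created by the
        # outbound negotiation packet (addresses and ports mirrored). Address
        # translation itself is omitted for brevity.
        return (dst, src, dport, sport, proto) in self.table

    def tick(self) -> None:
        for key in list(self.table):
            self.table[key] -= 1
            if self.table[key] <= 0:
                del self.table[key]          # entry aged out


@dataclass
class Initiator:
    """RT1: owns the SA set and the NAT packet transmission timer."""
    nat: NatDevice
    keepalive_interval: int                  # period of the NAT packet timer
    tie_timer_to_ike_only: bool              # True = prior art, False = steps 503-505
    sa_set: Set[str] = field(default_factory=set)
    sa_ttl: Dict[str, int] = field(default_factory=dict)  # first/second aging timers
    keepalive_timer: Optional[int] = None

    def establish_ike_sa(self, lifetime: int) -> None:
        self.nat.receive(IKE_TUPLE)          # negotiation packet crosses RT2
        self.sa_set.add("IKE")
        self.sa_ttl["IKE"] = lifetime
        self.keepalive_timer = self.keepalive_interval   # step 501

    def establish_ipsec_sa(self, name: str, lifetime: int) -> None:
        if "IKE" not in self.sa_set:
            raise RuntimeError("an IPsec SA is negotiated through the IKE SA")
        self.sa_set.add(name)                # step 502
        self.sa_ttl[name] = lifetime

    def delete_sa(self, name: str) -> None:
        """Aging or manual deletion of one SA (step 503 decision)."""
        self.sa_set.discard(name)
        self.sa_ttl.pop(name, None)
        if self.tie_timer_to_ike_only:
            if name == "IKE":
                self.keepalive_timer = None  # prior art: no IKE SA, no keepalives
        elif not self.sa_set:
            self.keepalive_timer = None      # step 504: last SA in the set is gone
        # otherwise step 505: the timer is retained

    def tick(self) -> None:
        for name in list(self.sa_set):
            self.sa_ttl[name] -= 1
            if self.sa_ttl[name] <= 0:
                self.delete_sa(name)
        if self.keepalive_timer is not None:
            self.keepalive_timer -= 1
            if self.keepalive_timer == 0:
                self.nat.receive(IKE_TUPLE)  # NAT entry keepalive, same tuple
                self.keepalive_timer = self.keepalive_interval


def first_outage(tie_timer_to_ike_only: bool, ticks: int = 120) -> Optional[int]:
    """First tick at which RT3->RT1 traffic misses the NAT entry while an IPsec
    SA still exists, or None if that never happens."""
    nat = NatDevice(aging_time=30)
    rt1 = Initiator(nat, keepalive_interval=20,
                    tie_timer_to_ike_only=tie_timer_to_ike_only)
    rt1.establish_ike_sa(lifetime=50)        # IKE SA outlived by the IPsec SA
    rt1.establish_ipsec_sa("IPsec-1", lifetime=100)
    for t in range(1, ticks + 1):
        rt1.tick()
        nat.tick()
        ipsec_up = "IPsec-1" in rt1.sa_set
        if ipsec_up and not nat.inbound_hits("203.0.113.9", "17.17.17.12", 500, 500, "udp"):
            return t
    return None


if __name__ == "__main__":
    print("prior art: outage at tick", first_outage(True))     # 69
    print("patent rule: outage at tick", first_outage(False))  # None
```

With these values the prior-art rule loses the entry 19 ticks after the IKE SA ages out, while the step 503-505 rule keeps refreshing it until the last IPsec SA is deleted.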
Based on the same inventive concept as the above method, an embodiment of the present invention further provides an IPsec initiator device, applied in a network including the IPsec initiator, a NAT device and an IPsec responder. As shown in Figure 6, the IPsec initiator specifically comprises:
An establishment module 11, for establishing the IKE SA between this device and the IPsec responder, and using the IKE SA to establish the IPsec SA between this device and the IPsec responder;
A judgment module 12, for judging, when the IKE SA or an IPsec SA is deleted, whether that IKE SA or IPsec SA is the last SA in the SA set; where, in the initial state, the SA set includes the IKE SA and all IPsec SAs established using the IKE SA;
A maintenance module 13, for starting the NAT packet transmission timer corresponding to the IKE SA when the IKE SA is established; deleting the NAT packet transmission timer when the judgment result is yes; and retaining the NAT packet transmission timer when the judgment result is no;
A sending module 14, for periodically sending NAT entry keepalive packets to the IPsec responder through the NAT device before the NAT packet transmission timer is deleted.
The IPsec initiator further includes a processing module 15, for starting a first aging timer for the IKE SA when the IKE SA between this device and the IPsec responder is established, and deleting the IKE SA after the first aging timer expires; and for starting a second aging timer for the IPsec SA when the IPsec SA between this device and the IPsec responder is established, and deleting the IPsec SA after the second aging timer expires.
The sending module 14 is further for stopping the sending of NAT entry keepalive packets to the IPsec responder after the NAT packet transmission timer is deleted.
The establishment module 11 is specifically for sending an IKE negotiation packet to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation packet, establishes a corresponding NAT translation entry for the IKE negotiation packet and maintains an aging timer for the NAT translation entry;
and, when receiving an IKE negotiation packet from the IPsec responder through the NAT device, establishing the IKE SA between this device and the IPsec responder.
In the embodiment, the NAT entry keepalive packet is used to make the NAT device that receives it update the aging timer of the NAT translation entry.
The modules of the device of the present invention may be integrated into one or deployed separately. The above modules may be merged into one module or further split into multiple sub-modules.
Through the above description of the embodiments, those skilled in the art can clearly understand that the present invention may be implemented by software plus the necessary general-purpose hardware platform, or of course by hardware, although in many cases the former is the better embodiment. Based on this understanding, the technical solution of the present invention, or the part of it that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the method described in each embodiment of the present invention.
Those skilled in the art will understand that the drawings are schematic diagrams of a preferred embodiment, and the modules or flows in the drawings are not necessarily required to implement the present invention.
Those skilled in the art will understand that the modules of the device in an embodiment may be distributed in the device of the embodiment as described, or may be changed accordingly and placed in one or more devices other than the present embodiment. The modules of the above embodiment may be merged into one module or further split into multiple sub-modules.
The sequence numbers of the above embodiments are for description only and do not indicate the merits of the embodiments.
Only several specific embodiments of the present invention are disclosed above, but the present invention is not limited thereto; any changes that those skilled in the art can think of shall fall within the protection scope of the present invention.

Claims (10)

1. A network address translation (NAT) table entry keepalive method based on IP security (IPsec), applied to a network including an IPsec initiator, a NAT device and an IPsec responder, characterized in that the method comprises the following steps:
the IPsec initiator establishes an Internet Key Exchange security association (IKE SA) between itself and the IPsec responder, uses the IKE SA to establish an IPsec security association (IPsec SA) between itself and the IPsec responder, and starts a NAT message transmission timer corresponding to the IKE SA;
when the IKE SA or an IPsec SA is deleted, the IPsec initiator judges whether the IKE SA or IPsec SA is the last SA in a security association (SA) set; wherein, in the initial state, the SA set includes the IKE SA and all IPsec SAs established using the IKE SA;
if so, the IPsec initiator deletes the NAT message transmission timer;
if not, the IPsec initiator retains the NAT message transmission timer;
wherein, before the NAT message transmission timer is deleted, the IPsec initiator periodically sends NAT table entry keepalive messages to the IPsec responder through the NAT device.
2. The method of claim 1, characterized in that:
after the IPsec initiator establishes the IKE SA between itself and the IPsec responder, the IPsec initiator starts a first ageing timer for the IKE SA, and after the first ageing timer expires, the IPsec initiator deletes the IKE SA;
after the IPsec initiator uses the IKE SA to establish an IPsec SA between itself and the IPsec responder, the IPsec initiator starts a second ageing timer for the IPsec SA, and after the second ageing timer expires, the IPsec initiator deletes the IPsec SA.
3. The method of claim 1, characterized in that after the IPsec initiator deletes the NAT message transmission timer, the method further comprises:
the IPsec initiator stops sending NAT table entry keepalive messages to the IPsec responder.
4. The method of claim 1, characterized in that the IPsec initiator establishing the IKE SA between itself and the IPsec responder specifically comprises:
the IPsec initiator sends an Internet Key Exchange (IKE) negotiation message to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation message, establishes a corresponding NAT translation table entry for the IKE negotiation message and maintains an ageing timer for the NAT translation table entry;
when the IPsec initiator receives an IKE negotiation message from the IPsec responder through the NAT device, it establishes the IKE SA between itself and the IPsec responder.
5. The method of claim 4, characterized in that:
the NAT table entry keepalive message is used to cause the NAT device that receives the NAT table entry keepalive message to update the ageing timer of the NAT translation table entry.
6. An IP security (IPsec) initiator device, applied to a network including the IPsec initiator, a network address translation (NAT) device and an IPsec responder, characterized in that the IPsec initiator specifically comprises:
an establishing module, for establishing an Internet Key Exchange security association (IKE SA) between this device and the IPsec responder, and using the IKE SA to establish an IPsec security association (IPsec SA) between this device and the IPsec responder;
a judging module, for judging, when the IKE SA or an IPsec SA is deleted, whether the IKE SA or IPsec SA is the last SA in a security association (SA) set; wherein, in the initial state, the SA set includes the IKE SA and all IPsec SAs established using the IKE SA;
a maintenance module, for starting the NAT message transmission timer corresponding to the IKE SA when the IKE SA is established; deleting the NAT message transmission timer when the judgment result is yes; and retaining the NAT message transmission timer when the judgment result is no;
a sending module, for periodically sending NAT table entry keepalive messages to the IPsec responder through the NAT device before the NAT message transmission timer is deleted.
7. The device of claim 6, characterized in that it further comprises:
a processing module, for starting a first ageing timer for the IKE SA when the IKE SA between this device and the IPsec responder is established, and deleting the IKE SA after the first ageing timer expires; and for starting a second ageing timer for the IPsec SA when an IPsec SA between this device and the IPsec responder is established, and deleting the IPsec SA after the second ageing timer expires.
8. The device of claim 6, characterized in that:
the sending module is further configured to stop sending NAT table entry keepalive messages to the IPsec responder after the NAT message transmission timer is deleted.
9. The device of claim 6, characterized in that:
the establishing module is specifically configured to send an Internet Key Exchange (IKE) negotiation message to the IPsec responder through the NAT device, so that the NAT device, on receiving the IKE negotiation message, establishes a corresponding NAT translation table entry for the IKE negotiation message and maintains an ageing timer for the NAT translation table entry; and, when an IKE negotiation message from the IPsec responder is received through the NAT device, to establish the IKE SA between this device and the IPsec responder.
10. The device of claim 9, characterized in that:
the NAT table entry keepalive message is used to cause the NAT device that receives the NAT table entry keepalive message to update the ageing timer of the NAT translation table entry.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201310086924.3A CN103179225B (en) 2013-03-18 2013-03-18 A kind of NAT table item keepalive method based on IPsec and equipment

Publications (2)

Publication Number Publication Date
CN103179225A CN103179225A (en) 2013-06-26
CN103179225B true CN103179225B (en) 2016-12-28

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CP03 Change of name, title or address

Address after: No. 466 Changhe Road, Binjiang District, Zhejiang, China, 310052

Patentee after: New H3C Technologies Co., Ltd.

Address before: Huawei Hangzhou production base, No. 310 Liuhe Road, Science and Technology Industrial Park, Hangzhou Hi-Tech Industrial Development Zone, Zhejiang Province, China, 310053

Patentee before: Hangzhou H3C Technologies Co., Ltd.