CN109361590B - Method and device for solving business access obstruction - Google Patents


Info

Publication number: CN109361590B
Application number: CN201811594076.6A
Authority: CN (China)
Prior art keywords: port information, gateway device, response message, gateway, message
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN109361590A (en)
Inventor: 黄春平
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd
Application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201811594076.6A; publication of CN109361590A; application granted; publication of CN109361590B

Classifications

    • H: Electricity › H04: Electric communication technique › H04L: Transmission of digital information, e.g. telegraphic communication › H04L12/00: Data switching networks › H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] › H04L12/46: Interconnection of networks › H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H: Electricity › H04: Electric communication technique › H04L: Transmission of digital information, e.g. telegraphic communication › H04L47/00: Traffic control in data switching networks › H04L47/10: Flow control; Congestion control
    • H: Electricity › H04: Electric communication technique › H04L: Transmission of digital information, e.g. telegraphic communication › H04L61/00: Network arrangements, protocols or services for addressing or naming › H04L61/09: Mapping addresses › H04L61/25: Mapping addresses of the same type › H04L61/2503: Translation of Internet protocol [IP] addresses › H04L61/256: NAT traversal

Abstract

The application provides a method and a device for solving the problem of unavailable service access. The method comprises the following steps: receiving a service request message, where the request message is sent by a second gateway device and forwarded to a first gateway device through a transfer device; acquiring first port information, where the first port information is the port information contained in the request message; and updating second port information with the first port information, where the second port information is the port information that the local encapsulation and decapsulation policy of the first gateway device adds to a response message and, before the update, is the port information determined during communication negotiation between the first gateway device and the second gateway device. Through this port-information updating mechanism, the packet loss caused by an incorrect port in the response message is avoided, the stability of IPSec service access is ensured, the practicability and usability of IPSec VPN are enhanced, no keep-alive messages are needed, and the problem of blocked VPN service access in a NAT environment is well solved.

Description

Method and device for solving business access obstruction
Technical Field
The present application relates to the field of network communication technologies, and in particular to a method and an apparatus for solving a service access failure.
Background
A VPN (Virtual Private Network) is a private network established over a public network for encrypted communication. With the rapid development of the economy and society, the degree of enterprise informatization keeps rising, demand for information exchange between branch offices and headquarters and for information transfer between enterprises and their clients is gradually being released, and VPN technology based on IPSec (Internet Protocol Security) is widely applied. At the same time, VPN application scenarios are becoming more diverse and VPNs are often deployed in more complex networks; in particular, VPNs are increasingly deployed in network environments that pass through NAT (Network Address Translation).
After a VPN connection in a NAT environment has been established successfully, if no further traffic follows, the information about the previous service packet is deleted on the VPN device when it ages out. When the next IPSec forward packet (also called the request packet) passes through the NAT environment, its source port may change: for example, the packet encrypted by the VPN device that initiates the forward packet has source port 4500, which may become 53560 after translation by the NAT device along the path. The port information of the forward packet is then inconsistent with the port information in the decapsulation policy stored on the peer VPN device. Because the reverse packet (also called the response packet) is encrypted and encapsulated according to the policy stored on that VPN device, the destination port of the encapsulated response packet may not match the source port of the forward packet, so the ports of the forward request and the reverse response are inconsistent; the response packet is then dropped in the NAT environment and the VPN service becomes inaccessible.
For this situation, one solution in the prior art is to enable the IPSec keep-alive mechanism, which keeps the ports unchanged and so avoids packet loss due to port inconsistency. However, in the course of implementing the present invention, the inventor found that if keep-alive is enabled on a gateway egress with a large number of VPN tunnels, the keep-alive messages sent by every tunnel are also numerous, and when service traffic is heavy as well the network bandwidth may become congested, which affects the bandwidth load. The prior art therefore does not solve well the problem of blocked IPSec service access in a NAT environment.
Disclosure of Invention
In view of this, the present application provides a method and an apparatus for solving the problem of blocked service access in some environments.
Specifically, the method is realized through the following technical scheme:
a method for resolving a service access failure, for a first gateway device, the method comprising:
receiving a service request message, where the request message is sent by a second gateway device and forwarded to the first gateway device through a transfer device;
acquiring first port information, where the first port information is the port information contained in the request message;
and updating second port information with the first port information, where the second port information is the port information that the local encapsulation and decapsulation policy of the first gateway device adds to a response message and, before the update, is the port information determined during communication negotiation between the first gateway device and the second gateway device.
An apparatus for resolving a service access failure, for a first gateway device, the apparatus comprising:
a message receiving unit, configured to receive a service request message, where the request message is sent by a second gateway device and forwarded to the first gateway device through a transfer device;
a port information obtaining unit, configured to obtain first port information, where the first port information is the port information contained in the request message;
and a port information updating unit, configured to update second port information with the first port information, where the second port information is the port information that the local encapsulation and decapsulation policy of the first gateway device adds to a response message and, before the update, is the port information determined during communication negotiation between the first gateway device and the second gateway device.
As can be seen from the technical solution above, after the second gateway device sends the service request message to the first gateway device, the first gateway device extracts the first port information from the received request message and then updates the port information in its local encapsulation policy with that first port information. Through this port-information updating mechanism, even if the port information changes while the transit device forwards the packet, the first gateway device still encapsulates the correct port information when sending the response message. This overcomes the packet loss caused by an incorrect port in the response message, effectively ensures the stability of IPSec service access, and enhances the practicability and usability of IPSec VPN; no keep-alive messages are needed, so when service traffic is heavy the network bandwidth is not congested and the bandwidth load is unaffected, and the problem of inaccessible VPN service in a NAT environment is well solved.
Drawings
FIG. 1 is a flowchart illustrating a method for resolving a service access failure according to the present application;
FIG. 2 is a schematic diagram of a networking environment shown in the present application;
FIG. 3 is a schematic diagram of a forward packet sending process shown in the present application;
FIG. 4 is a schematic diagram of packet loss of a reverse packet shown in the present application;
FIG. 5 is a flowchart illustrating a method for resolving a service access failure according to the present application;
FIG. 6 is a flowchart illustrating the processing of a packet to be decapsulated passing through a first gateway device according to the present application;
FIG. 7 is a flowchart illustrating the processing of a packet to be encapsulated passing through a first gateway device according to the present application;
FIG. 8 is a signaling diagram illustrating a method for solving the problem of unavailable service access according to the present application;
FIG. 9 is a schematic diagram of an apparatus for solving the problem of service access failure according to the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to FIG. 1, FIG. 1 is a flowchart illustrating a method for solving a problem of service access unavailability, where the method is applicable to a first gateway device and includes the following steps:
step S101, receiving a service request message, where the request message is sent by a second gateway device and forwarded to the first gateway device through a transit device.
This embodiment does not limit the specific forms of the first gateway device, the second gateway device and the relay device, or the specific content of the service; those skilled in the art may select and design these according to different needs and scenarios, and such selections and designs may be used herein without departing from the spirit and scope of the present invention.
The following description takes IPSec service access in a NAT environment as an example, where the relay device may be a NAT device, the service may be a service based on the IPSec protocol, and the first and second gateway devices may be VPN gateway devices:
IPSec (Internet Protocol Security) refers to a VPN technology that uses the IPSec protocol to implement remote access and provides end-to-end encryption and authentication for public and private networks. An IPSec tunnel is a virtual communication channel established between two IPSec entities in the network. NAT traversal: Network Address Translation allows an internal network that uses private addresses to connect to the Internet or another IP network. When a NAT router sends a packet from the internal network to the public network, the private address in the IP header is converted into a legal IP address and, at the same time, the source port is converted into another port. In a NAT environment, IPSec control messages and data messages are encapsulated in UDP with destination port 4500. By default, the IPSec decapsulation information stored on the VPN device is the result of the control-channel negotiation.
For example, refer to FIG. 2, a schematic diagram of the networking environment shown in the present application. A, B and C in FIG. 2 are the three devices of a simplified example network: A (the second gateway device) and B (the first gateway device) are VPN gateway devices, and C (the relay device) is an intermediate NAT device. A and C are in the public network, and B is an intranet device behind C. An IPSec tunnel is established between A and B.
Step S102, obtaining first port information, where the first port information is the port information contained in the request message.
As an example, refer to FIG. 3, a schematic diagram of the forward packet sending process shown in this application. When IPSec service data is sent from device A to device B, the source port of the forward packet (request packet P1) is 4500, but when it passes through device C the source port in request packet P1 is changed, for example to 53560. After receiving the request packet, device B performs IPSec decapsulation, and in this step device B records the port information (both the source port and the destination port) of request packet P1. The source port obtained by device B at this point is not 4500 but 53560, because device C has rewritten 4500 to 53560.
Step S103, updating second port information with the first port information, where the second port information is the port information that the local encapsulation and decapsulation policy of the first gateway device adds to a response packet and, before the update, is the port information determined during communication negotiation between the first gateway device and the second gateway device.
Updating the second port information with the first port information means replacing the original second port information with the first port information.
The first and second gateway devices negotiate when establishing the point-to-point connection, determine an encapsulation and decapsulation policy and store it locally; the policy includes port information. For example, both the source port and the destination port in the encapsulation/decapsulation policy are 4500, so in the prior art, when the first gateway device sends a reverse packet (response packet P2) to the second gateway device, both the source port and the destination port in response packet P2 are 4500, as shown in FIG. 4, a schematic diagram of reverse-packet loss shown in this application. Since the source port of request packet P1 is 53560 and its destination port is 4500, when response packet P2 reaches NAT device C, device C has no forwarding entry for source port 4500 and destination port 4500; the ports of the forward request and the reverse response are inconsistent, so device C discards response packet P2, which never reaches requester A, and the service requested by device A is unavailable.
In this step, before device B sends response packet P2, the port information added by the stored IPSec encapsulation/decapsulation policy is replaced with the port information of the received request packet P1; for example, the destination port in the encapsulation policy is changed to 53560, the source port of request packet P1. After response packet P2 reaches device C, device C detects that the port information of response packet P2 matches that of request packet P1, successfully performs the NAT restoration, and sends the restored packet to device A, so the service packet reaches device A and the service runs smoothly.
Referring to FIG. 5, in this embodiment or some other embodiments of the present invention, after updating the second port information with the first port information, the method may further include:
step S501, obtaining the response message. For example, the first gateway device obtains a response message for the request message from the inner layer.
Step S502, adding the second port information to the response packet.
The second port information at this time has already been updated, that is, the original second port information has been replaced by the first port information.
Step S503, sending the response packet to the transit device, so that the transit device forwards the response packet to the second gateway device.
Furthermore, this embodiment does not limit how the second port information is added to the response packet; for example, adding the second port information to the response packet may include:
filling the second port information into the UDP header when the response message is encapsulated.
In addition, in this embodiment or some other embodiments of the present invention, before acquiring the first port information, the method may further include:
determining whether the request message matches the local encapsulation/decapsulation policy;
if it matches the local decapsulation policy, allowing the request message to be decapsulated;
if it does not match the local encapsulation/decapsulation policy, not continuing, for example discarding the message directly, or, if it matches another encapsulation/decapsulation policy, processing it according to that other policy.
After obtaining the response message, the method further includes:
determining whether the response message matches the local encapsulation/decapsulation policy;
if it matches the local encapsulation policy, allowing the response message to be encapsulated;
if it does not match the local encapsulation/decapsulation policy, not continuing, for example discarding the message directly, or, if it matches another encapsulation/decapsulation policy, processing it according to that other policy.
In the embodiment of the invention, after the second gateway device sends the service request message to the first gateway device, the first gateway device extracts the first port information from the received request message and then updates the port information in its local encapsulation policy with that first port information. Through this port-information updating mechanism, even if the port information changes while the transit device forwards the packet, the first gateway device still encapsulates the correct port information when sending the response message. This overcomes the packet loss caused by an incorrect port in the response message, effectively ensures the stability of IPSec service access, and enhances the practicability and usability of IPSec VPN; no keep-alive messages are needed, so when service traffic is heavy the network bandwidth is not congested and the bandwidth load is unaffected, and the problem of inaccessible VPN service in a NAT environment is well solved.
The following describes the processing flow of the packet to be decapsulated through the first gateway device, and the processing flow of the packet to be encapsulated through the first gateway device, respectively.
Referring to FIG. 6, FIG. 6 is a flowchart illustrating the processing of a packet to be decapsulated passing through a first gateway device according to the present application.
Step S601, receive IPSec service request packet P1.
Step S602, determine whether the packet matches the local IPSec decapsulation policy.
If the local IPSec decapsulation policy is matched, continue; if it is not matched, jump to step S606.
Step S603, update the source and destination port information in the local policy with the source and destination port information in packet P1.
Step S604, decapsulate IPSec service request packet P1.
Step S605, forward the decapsulated packet to the inner layer. The flow ends.
Step S606, discard the packet. The flow ends.
Referring to FIG. 7, FIG. 7 is a flowchart illustrating the processing of a packet to be encapsulated passing through a first gateway device according to the present application.
Step S701, receive an inner-layer response packet.
Step S702, determine whether the packet matches the local IPSec encapsulation policy.
If the local IPSec encapsulation policy is matched, continue; if it is not matched, jump to step S705.
Step S703, encapsulate the inner-layer response packet, using the port information in the updated local policy.
Step S704, send response packet P2 after successful encapsulation. The flow ends.
Step S705, discard the packet. The flow ends.
Referring to FIG. 8, FIG. 8 is a signaling diagram illustrating a method for solving the problem of unavailable service access according to the present application:
Step S801, VPN gateway device A sends an IPSec service request packet to VPN gateway device B through NAT device C.
Step S802, after receiving the request packet, NAT device C modifies its source port from 4500 to 53560.
Step S803, NAT device C forwards the modified request packet to VPN gateway device B.
Step S804, after receiving the request packet, VPN gateway device B decapsulates it, records its port information, and replaces the original port information in the local encapsulation/decapsulation policy with the recorded port information.
Step S805, VPN gateway device B sends the decapsulated packet to the inner-layer device.
Step S806, the inner-layer device performs its processing.
Step S807, the inner-layer device sends the response packet to VPN gateway device B.
Step S808, VPN gateway device B encapsulates the packet, using the port information in the replaced local encapsulation/decapsulation policy.
Step S809, VPN gateway device B sends the encapsulated response packet to NAT device C.
Step S810, NAT device C detects that the port information of the response packet matches the port information of the request packet and performs the NAT restoration operation.
Step S811, the packet restored by the NAT is sent to VPN gateway device A.
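The round trip of FIG. 8, with the prior-art drop of FIG. 4 and the aging case from the Background, as an added simulation that is not part of the patent or its implementation. The NAT device model, the policy match rule, the port numbers beyond 53560 and the toy "ESP[...]" wrapper are constructed assumptions.

```python
"""Constructed simulation: gateway A sends an IPSec NAT-T request (UDP 4500 -> 4500)
through NAT device C to gateway B behind C. C rewrites the source port; B replies
with the ports in its local policy; C forwards the reply only if they match."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

NAT_T_PORT = 4500  # UDP port carrying IPSec control and data messages under NAT


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


def decapsulate(payload: str) -> str:
    """Toy stand-in for ESP-in-UDP decapsulation (not real IPSec)."""
    assert payload.startswith("ESP[") and payload.endswith("]")
    return payload[4:-1]


@dataclass
class NatDevice:
    """Device C, modelled after the page: a request entering the intranet gets a
    fresh source port and a mapping is recorded; a reply leaving the intranet is
    forwarded only if its ports match a mapping, otherwise it is dropped."""
    next_port: int = 53560                          # first allocated port, as in the page
    mappings: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def inbound(self, pkt: UdpPacket) -> UdpPacket:
        mapped, self.next_port = self.next_port, self.next_port + 1
        # (intranet host, mapped port) -> (public peer, its original port)
        self.mappings[(pkt.dst_ip, mapped)] = (pkt.src_ip, pkt.src_port)
        return UdpPacket(pkt.src_ip, mapped, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def outbound(self, pkt: UdpPacket) -> Optional[UdpPacket]:
        peer = self.mappings.get((pkt.src_ip, pkt.dst_port))
        if peer is None or peer[0] != pkt.dst_ip:
            return None                             # FIG. 4: no matching entry, dropped
        return UdpPacket(pkt.src_ip, pkt.src_port, peer[0], peer[1], pkt.payload)

    def age_out(self) -> None:
        """Idle mappings expire, so the next request receives a new port."""
        self.mappings.clear()


@dataclass
class VpnGateway:
    """Device B (first gateway device). The policy ports are the pair negotiated
    with peer A; update_ports=False reproduces the prior-art behaviour."""
    ip: str
    peer_ip: str
    update_ports: bool = True
    policy_src_port: int = NAT_T_PORT               # second port information (negotiated)
    policy_dst_port: int = NAT_T_PORT

    def matches_policy(self, pkt: UdpPacket) -> bool:
        # Assumed match rule: from the negotiated peer, addressed to us, NAT-T encapsulated.
        return pkt.src_ip == self.peer_ip and pkt.dst_ip == self.ip and pkt.dst_port == NAT_T_PORT

    def handle_request(self, pkt: UdpPacket) -> Optional[str]:
        """Steps S601-S606: policy check, port update, decapsulation."""
        if not self.matches_policy(pkt):
            return None                             # S606: discard
        if self.update_ports:
            # S603: first port information replaces the negotiated pair, so the reply
            # is addressed to the request's (possibly rewritten) source port.
            self.policy_src_port = pkt.dst_port
            self.policy_dst_port = pkt.src_port
        return decapsulate(pkt.payload)             # S604

    def build_response(self, inner_reply: str) -> UdpPacket:
        """Steps S701-S704: fill the policy ports into the UDP header of the reply."""
        return UdpPacket(self.ip, self.policy_src_port, self.peer_ip,
                         self.policy_dst_port, f"ESP[{inner_reply}]")


def exchange(nat: NatDevice, gw: VpnGateway, request: str) -> Optional[Tuple[int, UdpPacket]]:
    """One round trip A -> C -> B -> C -> A (FIG. 8). Returns the source port B saw
    and the packet delivered to A, or None if the NAT device dropped the reply."""
    p1 = UdpPacket("A", NAT_T_PORT, "B", NAT_T_PORT, f"ESP[{request}]")  # S801
    p1_nat = nat.inbound(p1)                                              # S802-S803
    inner = gw.handle_request(p1_nat)                                     # S804-S805
    if inner is None:
        return None
    p2 = gw.build_response(f"reply to {inner}")                           # S806-S809
    delivered = nat.outbound(p2)                                          # S810-S811
    return None if delivered is None else (p1_nat.src_port, delivered)


if __name__ == "__main__":
    print("prior art:", exchange(NatDevice(), VpnGateway("B", "A", update_ports=False), "hi"))
    nat, gw = NatDevice(), VpnGateway("B", "A")
    print("updated  :", exchange(nat, gw, "hello"))
    nat.age_out()                                   # Background: idle mapping ages out
    print("after age:", exchange(nat, gw, "again"))
```

The third run shows why the policy is refreshed from every request: after the mapping ages out, C allocates a new port, and a gateway still holding 53560 would be dropped again.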
Referring to FIG. 9, FIG. 9 is a schematic diagram of an apparatus for solving the problem of service access failure, where the apparatus may be used in a first gateway device and may include:
a message receiving unit 901, configured to receive a service request message, where the request message is sent by a second gateway device and forwarded to the first gateway device through a transfer device.
As an example, the relay device is a NAT device, the service is a service based on the IPSec protocol, and the first gateway device and the second gateway device are VPN gateway devices.
A port information obtaining unit 902, configured to obtain first port information, where the first port information is the port information contained in the request message.
A port information updating unit 903, configured to update second port information with the first port information, where the second port information is the port information that the local encapsulation and decapsulation policy of the first gateway device adds to a response packet and, before the update, is the port information determined when the first gateway device and the second gateway device negotiate communication.
In this embodiment or some other embodiments of the present invention, the apparatus may further include:
a message sending unit, configured to obtain the response message, add the second port information to the response message, and send the response message to the transfer device so that the transfer device forwards it to the second gateway device.
In this embodiment or some other embodiments of the present invention, when adding the second port information to the response message, the message sending unit is specifically configured to:
fill the second port information into the UDP header when the response message is encapsulated.
In this embodiment or some other embodiments of the present invention, the apparatus may further include:
a policy matching unit, configured to determine whether the request message matches the local decapsulation policy and, if so, allow the request message to be decapsulated; and to determine whether the response message matches the local encapsulation/decapsulation policy and, if so, allow the response message to be encapsulated.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
For the device embodiments, since they substantially correspond to the method embodiments, reference may be made to the partial description of the method embodiments for relevant points. The above-described embodiments of the apparatus are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the scheme of the application. One of ordinary skill in the art can understand and implement it without inventive effort.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (8)

1. A method for resolving a service access failure, the method being for a first gateway device, the method comprising:
receiving a service request message, wherein the request message is sent by a second gateway device and forwarded to the first gateway device through a transfer device;
acquiring first port information, wherein the first port information is the port information contained in the request message;
updating second port information with the first port information, wherein the second port information is the port information that the local encapsulation and decapsulation policy of the first gateway device adds to a response message and, before the update, is the port information determined during communication negotiation between the first gateway device and the second gateway device;
wherein the transfer device is a NAT device, the service is based on the IPSec protocol, the first gateway device and the second gateway device are VPN gateway devices, the second gateway device and the transfer device are in a public network environment, and the first gateway device is an intranet device behind the transfer device.
2. The method of claim 1, wherein after updating second port information using the first port information, the method further comprises:
acquiring the response message;
adding the second port information to the response message;
and sending the response message to the transfer equipment so that the transfer equipment forwards the response message to the second gateway equipment.
3. The method of claim 2, wherein adding the second port information to the response packet comprises:
and filling the second port information in a UDP header when the response message is encapsulated.
4. The method of claim 2, wherein:
prior to obtaining the first port information, the method further comprises:
judging whether the request message is matched with the local adding and de-encapsulating strategy or not;
if the local de-encapsulation strategy is matched, the request message is allowed to be de-encapsulated;
after obtaining the response message, the method further includes:
judging whether the response message is matched with the local adding and de-encapsulating strategy or not;
and if the local encapsulation strategy is matched, allowing the response message to be encapsulated.
5. An apparatus for resolving a service access denial, the apparatus being for a first gateway device, the apparatus comprising:
a message receiving unit, configured to receive a service request message, where the request message is sent by a second gateway device and forwarded to the first gateway device through a forwarding device;
a port information obtaining unit, configured to obtain first port information, where the first port information is port information included in the request packet;
a port information updating unit, configured to update second port information using the first port information, where the second port information is port information used for adding to a response packet in a local decapsulation policy of the first gateway device, and the second port information is, before updating, port information determined during communication negotiation between the first gateway device and the second gateway device;
the transfer device is NAT equipment, the service is based on IPSec protocol, the first gateway device and the second gateway device are VPN gateway devices, the second gateway device and the transfer device are in a public network environment, and the first gateway device is an intranet device under the transfer device.
6. The apparatus of claim 5, further comprising:
a message sending unit, configured to obtain the response message; adding the second port information to the response message; and sending the response message to the transfer equipment so that the transfer equipment forwards the response message to the second gateway equipment.
7. The apparatus according to claim 6, wherein the packet sending unit, when adding the second port information to the response packet, is specifically configured to:
and filling the second port information in a UDP header when the response message is encapsulated.
8. The apparatus of claim 6, further comprising:
a policy matching unit, configured to determine whether the request packet matches the local decapsulation policy; if the local de-encapsulation strategy is matched, the request message is allowed to be de-encapsulated; judging whether the response message is matched with the local adding and de-encapsulating strategy or not; and if the local encapsulation strategy is matched, allowing the response message to be encapsulated.
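The port-update mechanism summarised in the description above and set out in claims 1 to 4 can be made concrete with a small simulation. The following Python model is an added example written for this page; it is not code from the patent or from the applicant. It assumes a simplified transit NAT that rewrites the source port of packets coming from the public peer and drops replies to ports it has no live mapping for (a constructed model, not any specific product), and it compares a first gateway that keeps the negotiated "second port information" against one that overwrites it with the "first port information" taken from each request. All addresses, port numbers and payload strings are constructed sample values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class UdpPacket:
    """A UDP datagram; payload stands in for the UDP-encapsulated ESP data."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class TransitNat:
    """Constructed model of the transit (NAT) device.

    A packet from the public peer is forwarded to the intranet with its source
    port rewritten to a port chosen by the NAT, and the mapping is remembered so
    that a reply sent to that port can be translated back.  A reply to a port
    with no live mapping is dropped; that is the packet loss the patent targets.
    """

    def __init__(self, public_ip: str, inside_ip: str) -> None:
        self.public_ip = public_ip
        self.inside_ip = inside_ip
        self._next_port = 61000                      # constructed port range
        self.table: Dict[int, Tuple[str, int]] = {}  # translated port -> (peer ip, peer port)

    def forward_inbound(self, pkt: UdpPacket, inside_dst_ip: str) -> UdpPacket:
        """Public side -> intranet: reuse a live mapping or create a new one."""
        peer = (pkt.src_ip, pkt.src_port)
        for tport, mapped_peer in self.table.items():
            if mapped_peer == peer:
                break
        else:
            tport = self._next_port
            self._next_port += 1
            self.table[tport] = peer
        return UdpPacket(self.inside_ip, tport, inside_dst_ip, pkt.dst_port, pkt.payload)

    def forward_outbound(self, pkt: Optional[UdpPacket]) -> Optional[UdpPacket]:
        """Intranet -> public side: translate back, or drop when no mapping exists."""
        if pkt is None:
            return None
        peer = self.table.get(pkt.dst_port)
        if peer is None:
            return None  # stale port: the NAT has no mapping for it
        peer_ip, peer_port = peer
        return UdpPacket(self.public_ip, pkt.src_port, peer_ip, peer_port, pkt.payload)

    def expire_mappings(self) -> None:
        """Simulate a mapping timeout; the next inbound packet gets a fresh port."""
        self.table.clear()


class FirstGateway:
    """Intranet VPN gateway whose encapsulation policy stores the peer port."""

    def __init__(self, ip: str, update_port_from_request: bool) -> None:
        self.ip = ip
        self.update_port_from_request = update_port_from_request
        self.policy: Dict[str, int] = {}  # peer ip (as seen on the intranet) -> port for the UDP header

    def negotiate(self, ike_msg: UdpPacket) -> None:
        """Record the peer port seen during negotiation ("second port information")."""
        self.policy[ike_msg.src_ip] = ike_msg.src_port

    def handle_request(self, request: UdpPacket) -> Optional[UdpPacket]:
        """Decapsulate a request and build the encapsulated response."""
        if request.src_ip not in self.policy:
            return None  # no matching policy: refuse to decapsulate (claim 4)
        if self.update_port_from_request:
            # The claimed step: "first port information" taken from the request
            # overwrites the negotiated "second port information" in the policy.
            self.policy[request.src_ip] = request.src_port
        peer_port = self.policy[request.src_ip]  # filled into the UDP header (claim 3)
        return UdpPacket(self.ip, request.dst_port, request.src_ip, peer_port,
                         "ESP reply to " + request.payload)


def run_scenario(update_port_from_request: bool) -> Tuple[Optional[UdpPacket], Optional[UdpPacket]]:
    """Return the responses delivered to the second gateway before and after
    the NAT mapping changes (None means the NAT dropped the response)."""
    gw2_ip, nat_public, nat_inside, gw1_ip = "203.0.113.10", "198.51.100.1", "10.0.0.1", "10.0.0.20"
    nat = TransitNat(nat_public, nat_inside)
    gw1 = FirstGateway(gw1_ip, update_port_from_request)

    # 1. Negotiation through the NAT: gw1 learns the peer port as seen then (61000).
    gw1.negotiate(nat.forward_inbound(UdpPacket(gw2_ip, 4500, nat_public, 4500, "IKE"), gw1_ip))

    # 2. First service request: the mapping is still alive, so the reply gets through either way.
    req1 = nat.forward_inbound(UdpPacket(gw2_ip, 4500, nat_public, 4500, "ESP#1"), gw1_ip)
    resp1 = nat.forward_outbound(gw1.handle_request(req1))

    # 3. The NAT mapping expires and is rebuilt with a different port (61001).
    nat.expire_mappings()
    req2 = nat.forward_inbound(UdpPacket(gw2_ip, 4500, nat_public, 4500, "ESP#2"), gw1_ip)
    resp2 = nat.forward_outbound(gw1.handle_request(req2))
    return resp1, resp2


if __name__ == "__main__":
    for flag in (False, True):
        before, after = run_scenario(flag)
        print(f"update_port_from_request={flag}: delivered before change={before is not None}, "
              f"after change={after is not None}")
```

With `update_port_from_request=False` the second response is dropped because the gateway still addresses the port learned at negotiation time; with it set to `True` the response follows the port actually seen in the request and the NAT can translate it back. One caveat for a real implementation: the port in the policy should only be overwritten after the request has passed the ESP integrity check, otherwise an unauthenticated datagram arriving at the gateway could redirect the response flow to a port of its choosing; the model above keys the update on the policy match alone for brevity.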
CN201811594076.6A 2018-12-25 2018-12-25 Method and device for solving business access obstruction Active CN109361590B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811594076.6A CN109361590B (en) 2018-12-25 2018-12-25 Method and device for solving business access obstruction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201811594076.6A CN109361590B (en) 2018-12-25 2018-12-25 Method and device for solving business access obstruction

Publications (2)

Publication Number Publication Date
CN109361590A CN109361590A (en) 2019-02-19
CN109361590B true CN109361590B (en) 2021-04-27

Family

ID=65329472

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811594076.6A Active CN109361590B (en) 2018-12-25 2018-12-25 Method and device for solving business access obstruction

Country Status (1)

Country Link
CN (1) CN109361590B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110086702B (en) * 2019-04-04 2021-09-21 杭州迪普科技股份有限公司 Message forwarding method and device, electronic equipment and machine-readable storage medium
CN114465755B (en) * 2021-12-15 2024-02-23 广西电网有限责任公司电力科学研究院 IPSec transmission abnormality-based detection method, device and storage medium

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104980405A (en) * 2014-04-10 2015-10-14 中兴通讯股份有限公司 Method and device for performing authentication header (AH) authentication on NAT (Network Address Translation)-traversal IPSEC (Internet Protocol Security) message
US20150304427A1 (en) * 2014-04-22 2015-10-22 Alcatel-Lucent Canada, Inc. Efficient internet protocol security and network address translation
CN107135118B (en) * 2016-02-29 2020-06-26 华为技术有限公司 Unicast communication method, gateway and VXLAN access equipment
CN106027508A (en) * 2016-05-11 2016-10-12 北京网御星云信息技术有限公司 Authentication encrypted data transmission method and device
CN108200071A (en) * 2018-01-11 2018-06-22 江苏农林职业技术学院 Support message information extraction and the IPSecNAT traversing methods and system that carry
CN108881519A (en) * 2018-08-08 2018-11-23 成都俊云科技有限公司 A kind of NAT penetrating method and device

Also Published As

Publication number Publication date
CN109361590A (en) 2019-02-19

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant