CN104184675B - Load-balanced IPSec VPN device cluster system and its working method - Google Patents
- Publication number
- CN104184675B (application number CN201410460656.1A)
- Authority
- CN
- China
- Prior art keywords
- address
- ipsec vpn
- security
- security strategy
- computing capability
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention provides a load-balanced IPSec VPN device cluster system and its working method. The system comprises several IPSec VPN devices, each running a computing capability evaluation module, an intra-group synchronization module, a load management module, an address transponder and a data sorter. The invention gives an IPSec VPN cluster composed of different IPSec VPN devices a unique working IP address together with effective load balancing and redundant backup: outbound IP datagrams processed by different IPSec VPN devices have the same source IP address, and inbound IP datagrams are distributed across the load automatically. Sequence numbers and anti-replay windows are synchronized instantly between the devices, achieving zero-interval seamless switchover of the load.
Description
Technical field
The invention belongs to the field of data communication and relates to a load-balanced IPSec VPN device cluster system and its working method.
Background
IPSec: abbreviation of Internet Protocol Security. It is an open-standard framework that uses cryptographic security services to ensure confidential and secure communication over Internet Protocol (IP) networks.
VPN: a virtual private network (VPN) is a technology for building a private network over a public network. It is called virtual mainly because the connection between any two nodes of the VPN does not use the end-to-end physical link that a traditional private network requires. Instead it is a logical network built on a network platform provided by a public network service provider, such as the Internet, ATM (Asynchronous Transfer Mode) or Frame Relay, and user data is carried over logical links. It is an extension of a private network that spans shared or public networks using encapsulated, encrypted and authenticated links. A VPN mainly relies on tunneling, encryption and decryption, key management, and user and device identity authentication.
Security policy (SP): a security policy is generally uniquely identified by a selector in five-tuple form, consisting of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number. It specifies how a plaintext data packet is handled: discard, bypass IPSec, or process using an IPSec security association.
Security association (SA): a security association is uniquely identified by a triple consisting of the Security Parameter Index (SPI), the destination IP address (a unicast address) and the security protocol identifier (AH or ESP). It specifies the concrete parameters with which IPSec processes packets, such as algorithms, keys, the anti-replay window and the encapsulation mode.
Because an IPSec VPN applies several security techniques to the data and is deployed at the gateway of the user network, the demands on device processing performance and reliability are very high. Clustering multiple IPSec VPN devices can be used to address the performance and reliability problems.
The technical characteristics of IPSec VPN itself present two major obstacles to clustering multiple IPSec VPN devices. First, tunnel encapsulation causes outbound IP datagrams processed by different IPSec VPN devices to have different source IP addresses, and inbound IP datagrams cannot be distributed automatically because their destination addresses differ. Second, the sequence number and the anti-replay window are updated with every data packet and cannot be synchronized instantly between multiple devices, so hot switchover on failure is problematic.
Summary of the invention
To solve the above problems, the invention provides a load-balanced IPSec VPN device cluster system comprising several IPSec VPN devices, each of which runs a computing capability evaluation module, an intra-group synchronization module, a load management module, an address transponder and a data sorter;
The computing capability evaluation module performs signature operations when an IPSec VPN device in the same cluster starts, to obtain the computing capability evaluation result of the IPSec VPN device on which it runs;
The intra-group synchronization module is responsible for exchanging and synchronizing security policies, security associations, online status and computing capability information among all member devices in the same cluster, forming globally consistent security policies, security associations and online status;
The load management module obtains the globally consistent security policies, security associations and online status from the intra-group synchronization information, distributes the data load according to the differences in computing capability among the IPSec VPN devices in the group, and sets the security policies and security associations that actually take effect according to the load allocated to the IPSec VPN device on which it runs;
The address transponder, according to the pseudo-address information configured uniformly on all IPSec VPN devices in the system, gives a consistent reply to link-layer address requests for IP datagrams outbound from the intranet and IP datagrams inbound from the external network;
The data sorter provides different processing paths for inbound and outbound IP datagrams according to whether a data packet falls within the security policies or security associations in effect on the IPSec VPN device on which it runs.
Further, every IPSec VPN device in the cluster is configured with a configurable IP multicast address as the intra-group communication address. The intra-group synchronization module periodically sends this device's security policies, security associations, online status and computing capability evaluation result to the other member devices of the cluster by multicast, and also receives the security policies, security associations, online status and computing capability evaluation results sent by the other member devices by multicast, forming the cluster's globally consistent security policies and security associations.
Further, the IPSec VPN devices of the cluster have a shared virtual IP address, which serves as the IPSec VPN tunnel source IP address shared by the cluster. All outbound IP datagrams processed by the cluster use the virtual IP address shared by the member devices as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is the virtual IP address are received by every online member device in the cluster.
Further, the computing capability evaluation module runs 10,000 RSA signature operations with a 2048-bit modulus in a multithreaded manner and calculates the signing speed in operations per second as the computing capability evaluation result of the IPSec VPN device on which it runs.
The working method of the above load-balanced IPSec VPN device cluster system comprises the following steps:
Step 1: For the same IPSec VPN device cluster, set a virtual IP address shared by the member devices as the IPSec VPN tunnel source IP address shared by the cluster;
Step 2: When the IPSec VPN devices in the same cluster start, run the computing capability evaluation module to obtain the computing capability evaluation result of each IPSec VPN device;
Step 3: Every IPSec VPN device in the same cluster is configured with a configurable IP multicast address as the intra-group communication address;
Step 4: The load management module distributes the data load according to the differences in computing capability among the IPSec VPN devices in the group and sets the security policies and security associations that actually take effect according to the load allocated to this device;
Step 5: In an Ethernet environment, for each inbound or outbound data packet, link-layer address resolution is performed for the virtual IP address or gateway IP address of the IPSec VPN cluster, that is, the 48-bit MAC address corresponding to the virtual IP address or gateway IP address is requested;
Step 6: The data sorter provides different processing paths for inbound and outbound IP datagrams according to whether a received data packet falls within the scope of the security policies or security associations in effect on this device.
Further, Step 4 is specifically:
First, all devices in the cluster are uniformly sorted and numbered in descending order of each member device's real IP address; the global security policies are sorted in descending order by the five-tuple of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, in that order; the global security associations are sorted in descending order by the triple of destination IP address, Security Parameter Index and security protocol, in that order;
Then, the computing capabilities of all member devices are summed to give the total computing capability, and the ratio of each member device's computing capability to the total is the load proportion assigned to that device. According to device number and load proportion, each device in turn obtains from the global security policies and the global security associations the security policies and security associations that actually take effect on it. For each device, the global policies and global associations that remain after removing those that actually take effect on that device are the device's update-only security policies and security associations;
The load management module periodically updates this device's actually effective security policies and security associations, and its update-only security policies and security associations, according to the periodically received intra-group synchronization information. If a device fails, the load assigned to it, that is, the security policies and security associations that actually took effect on it, is reassigned to the other devices according to their computing capability.
Further, in Step 5, the MAC address corresponding to the virtual IP address or gateway IP address is set to a configurable multicast MAC address. For all link-layer address resolution requests for the virtual IP address or gateway IP address of the IPSec VPN cluster, the address transponder uniformly replies with the configured multicast MAC address, so that all inbound and outbound IP datagrams requiring IPSec processing and all IKE negotiation messages reach every device in the cluster through the multicast channel.
Further, in Step 6, the data sorter provides different processing paths for outbound IP datagrams, specifically:
For data packets within the scope of the security policies or security associations in effect on this device, normal IPSec processing is performed;
For data packets outside the scope of the security policies or security associations in effect on this device but within the scope of its update-only security policies and security associations, only the sequence number is updated, or the sequence number is verified and the anti-replay window updated, together with the lifetimes of the security policy and security association, and the packet is then discarded;
When a device in the cluster fails and cannot work, its load is shared among the other devices by the intra-group synchronization module and the load management module, achieving zero-interval seamless switchover of the load.
The beneficial effects of the invention are:
The invention gives an IPSEC VPN cluster composed of different IPSEC VPN devices a unique working IP address together with effective load balancing and redundant backup, without adding a dedicated load-balancing device to distribute the load, which reduces cost. When the master node fails, a new master node can be re-elected, which avoids a single point of failure bringing down the whole multi-device assembly, so reliability is relatively high.
Brief description of the drawings
Fig. 1 is a schematic diagram of the functional module structure of the IPSec VPN cluster load balancing of the present invention.
Detailed description of the embodiments
The system of the present invention comprises several IPSec VPN devices, each of which runs a computing capability evaluation module, an intra-group synchronization module, a load management module, an address transponder and a data sorter.
The computing capability evaluation module runs 10,000 RSA signature operations with a 2048-bit modulus in a multithreaded manner and calculates the signing speed in operations per second as the computing capability evaluation result of the IPSec VPN device on which it runs.
The intra-group synchronization module is responsible for exchanging and synchronizing security policies (SP), security associations (SA), online status and computing capability information among all member devices in the same cluster, forming globally consistent security policies, security associations and online status.
The load management module obtains the globally consistent security policies, security associations and online status from the intra-group synchronization information, distributes the data load according to the differences in computing capability among the IPSec VPN devices in the group, and sets the security policies and security associations that actually take effect according to the load allocated to this device.
The address transponder, according to the globally configured pseudo-address information, gives a consistent reply to link-layer address requests (the 48-bit MAC address in an Ethernet environment) for IP datagrams outbound from the intranet and IP datagrams inbound from the external network.
The data sorter provides different processing paths for inbound and outbound IP datagrams according to whether a data packet falls within the security policies or security associations in effect on this device.
Every IPSec VPN device in the cluster is configured with a configurable IP multicast address as the intra-group communication address. The intra-group synchronization module periodically sends this device's security policies, security associations, online status and computing capability evaluation result to the other member devices of the cluster by multicast, and also receives the security policies, security associations, online status and computing capability evaluation results sent by the other member devices by multicast, forming the cluster's globally consistent security policies and security associations.
The IPSec VPN devices of the cluster have a shared virtual IP address, which serves as the IPSec VPN tunnel source IP address shared by the cluster. All outbound IP datagrams processed by the cluster use the virtual IP address shared by the member devices as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is the virtual IP address are received by every online member device in the cluster.
The specific working steps of the above system are described below with reference to Fig. 1.
Step 1: For the same IPSec VPN device cluster, set a virtual IP address shared by the member devices as the IPSec VPN tunnel source IP address shared by the cluster. All outbound IP datagrams processed by the cluster use this virtual IP address as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is the virtual IP address are received by every online member device in the cluster.
Step 2: When the IPSec VPN devices in the same cluster start, run the computing capability evaluation module. The module runs 10,000 RSA signature operations with a 2048-bit modulus in a multithreaded manner and calculates the signing speed in operations per second as the computing capability evaluation result of the IPSec VPN device.
Step 3: Every IPSec VPN device in the same cluster is configured with a configurable IP multicast address as the intra-group communication address. The intra-group synchronization module periodically sends this device's security policies, security associations, online status and computing capability evaluation result to the other member devices of the cluster by multicast, and also receives the security policies, security associations, online status and computing capability evaluation results sent by the other member devices by multicast, forming the cluster's globally consistent security policies and security associations.
Step 4: The load management module distributes the data load according to the differences in computing capability among the IPSec VPN devices in the group and sets the security policies and security associations that actually take effect according to the load allocated to this device. First, all devices in the cluster are uniformly sorted and numbered in descending order of each member device's real IP address; the global security policies are sorted in descending order by the five-tuple of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, in that order; the global security associations are sorted in descending order by the triple of destination IP address, Security Parameter Index and security protocol, in that order. Then, the computing capabilities of all member devices are summed to give the total computing capability, and the ratio of each member device's computing capability to the total is the load proportion assigned to that device. According to device number and load proportion, each device in turn obtains from the global security policies and the global security associations the security policies and security associations that actually take effect on it. For each device, the global policies and global associations that remain after removing those that actually take effect on that device are the device's update-only security policies and security associations. The load management module periodically updates this device's actually effective security policies and security associations, and its update-only security policies and security associations, according to the periodically received intra-group synchronization information. If a device fails, the load assigned to it, that is, the security policies and security associations that actually took effect on it, is reassigned to the other devices according to their computing capability.
Step 5: In an Ethernet environment, for each inbound or outbound data packet, link-layer address resolution is performed for the virtual IP address or gateway IP address of the IPSec VPN cluster, that is, the 48-bit MAC address corresponding to the virtual IP address or gateway IP address is requested. The invention sets the 48-bit MAC address corresponding to the virtual IP address or gateway IP address to a configurable multicast MAC address, that is, a MAC address with the prefix 01:00:5e. For all link-layer address resolution requests for the virtual IP address or gateway IP address of the IPSec VPN cluster, the address transponder uniformly replies with the configured multicast MAC address. In this way all inbound and outbound IP datagrams requiring IPSec processing and all IKE negotiation messages reach every device in the cluster through the multicast channel.
Step 6: The data sorter provides different processing paths for inbound and outbound IP datagrams according to whether a received data packet falls within the scope of the security policies or security associations in effect on this device. For data packets within the scope of the security policies or security associations in effect on this device, normal IPSec processing is performed (triggering IKE negotiation, encryption and decryption, integrity check/verification, tunnel encapsulation/decapsulation, updating the sequence number and anti-replay window, updating lifetimes, and so on). For data packets outside the scope of the security policies or security associations in effect on this device but within the scope of its update-only security policies and security associations, only the sequence number is updated (outbound), or the sequence number is verified and the anti-replay window updated (inbound), together with the lifetimes of the security policy and security association, and the packet is then discarded. If a device in the cluster fails and cannot work, its load is shared among the other devices by the intra-group synchronization module and the load management module, which appears as a change in each device's actually effective and update-only security policies and security associations. Because every device receives all data packets, real-time state such as sequence numbers, anti-replay windows and lifetimes is always updated as packets arrive, so only the processing path of the data packets needs to be adjusted. This has no effect on the operation of the whole system, and zero-interval seamless switchover of the load is achieved.
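The Step 4 allocation and the Step 6 data sorter described above, as an added Python sketch that is not part of the patent text: each device computes the same SA allocation from the synchronized view, tracks anti-replay state for every SA, and a failover shows the new owner already holding current state. Assumptions not in the patent: slice boundaries are floored, the window is 64 packets with an RFC 4303-style bitmap, only SAs and only the inbound direction are modelled, and all addresses and SPIs are constructed.

```python
import ipaddress
from dataclasses import dataclass

WINDOW = 64  # anti-replay window size in packets (assumption; the text gives none)

def ip_int(addr):
    return int(ipaddress.ip_address(addr))

def allocate(capabilities, sas):
    """Step 4: every online device runs this on the same synchronized view.

    capabilities: real IP -> signatures per second, online devices only.
    sas: list of (destination IP, SPI, protocol number) triples.
    Returns real IP -> list of SAs that actually take effect on that device.
    """
    devices = sorted(capabilities, key=ip_int, reverse=True)  # real IP, descending
    ordered = sorted(sas, key=lambda s: (ip_int(s[0]), s[1], s[2]), reverse=True)
    total = sum(capabilities.values())
    shares, start, cumulative = {}, 0, 0
    for dev in devices:
        cumulative += capabilities[dev]
        # Assumption: boundaries are floored; the last device ends at len(ordered).
        end = len(ordered) * cumulative // total
        shares[dev] = ordered[start:end]
        start = end
    return shares

@dataclass
class ReplayState:
    """Inbound anti-replay state for one SA (sliding bitmap, as in RFC 4303)."""
    top: int = 0     # highest sequence number accepted so far
    bitmap: int = 0  # bit i set => sequence number (top - i) was seen

    def check_and_update(self, seq):
        if seq == 0:
            return False
        if seq > self.top:  # packet advances the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << WINDOW) - 1)
            self.top = seq
            return True
        offset = self.top - seq
        if offset >= WINDOW or (self.bitmap >> offset) & 1:
            return False  # too old, or a replay
        self.bitmap |= 1 << offset
        return True

class Device:
    def __init__(self, real_ip):
        self.real_ip = real_ip
        self.effective = set()  # SAs this device fully processes
        self.replay = {}        # SA -> ReplayState, kept for every SA in the cluster

    def apply_allocation(self, shares):
        self.effective = set(shares.get(self.real_ip, []))

    def receive_inbound(self, sa, seq):
        """Step 6 data sorter, inbound direction. Cryptography is omitted; a real
        device must verify packet integrity before advancing the window (RFC 4303)."""
        state = self.replay.setdefault(sa, ReplayState())
        if not state.check_and_update(seq):
            return "replay-rejected"
        if sa in self.effective:
            return "processed"        # normal IPSec processing path
        return "updated-and-dropped"  # update-only path: state advanced, packet discarded

def simulate_failover():
    # Constructed sample data: three devices and six ESP (protocol 50) SAs.
    caps = {"10.0.0.1": 1000, "10.0.0.2": 2000, "10.0.0.3": 3000}
    sas = [("203.0.113.10", 0x1000 + i, 50) for i in range(6)]
    devices = {ip: Device(ip) for ip in caps}

    def rebalance(online):
        shares = allocate({ip: caps[ip] for ip in online}, sas)
        for ip in online:
            devices[ip].apply_allocation(shares)
        return shares

    before = rebalance(list(caps))
    flow = ("203.0.113.10", 0x1002, 50)
    owner = next(ip for ip, share in before.items() if flow in share)

    # The multicast MAC of Step 5 delivers every packet to every online device.
    verdicts = {ip: [d.receive_inbound(flow, seq) for seq in range(1, 6)]
                for ip, d in devices.items()}

    online = [ip for ip in caps if ip != owner]  # the owner fails
    after = rebalance(online)
    new_owner = next(ip for ip, share in after.items() if flow in share)
    return {
        "before": before, "after": after, "owner": owner, "new_owner": new_owner,
        "verdicts": verdicts,
        "replayed_seq5": devices[new_owner].receive_inbound(flow, 5),
        "fresh_seq6": devices[new_owner].receive_inbound(flow, 6),
    }

if __name__ == "__main__":
    for key, value in simulate_failover().items():
        print(key, value)
```

Because the takeover device advanced its window on the update-only path, it rejects the replayed sequence number 5 and accepts 6 immediately after reallocation, with no state transfer at failover time.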
The beneficial effects of the invention are:
The invention gives an IPSec VPN cluster composed of different IPSec VPN devices a unique working IP address together with effective load balancing and redundant backup: outbound IP datagrams processed by different IPSec VPN devices have the same source IP address, and inbound IP datagrams are distributed across the load automatically. Sequence numbers and anti-replay windows are synchronized instantly between the devices, achieving zero-interval seamless switchover of the load.
Claims (7)
1. A load-balanced IPSec VPN device cluster system, characterized in that it comprises several IPSec VPN devices, each of which runs a computing capability evaluation module, an intra-group synchronization module, a load management module, an address transponder and a data sorter;
The computing capability evaluation module performs signature operations when an IPSec VPN device in the same cluster starts, to obtain the computing capability evaluation result of the IPSec VPN device on which it runs;
The intra-group synchronization module is responsible for exchanging and synchronizing security policies, security associations, online status and computing capability information among all member devices in the same cluster, forming globally consistent security policies, security associations and online status;
The load management module obtains the globally consistent security policies, security associations and online status from the intra-group synchronization information, distributes the data load according to the differences in computing capability among the IPSec VPN devices in the group, and sets the security policies and security associations that actually take effect according to the load allocated to the IPSec VPN device on which it runs;
The address transponder, according to the pseudo-address information configured uniformly on all IPSec VPN devices in the system, gives a consistent reply to link-layer address requests for IP datagrams outbound from the intranet and IP datagrams inbound from the external network;
The data sorter provides different processing paths for inbound and outbound IP datagrams according to whether a data packet falls within the security policies or security associations in effect on the IPSec VPN device on which it runs; the data sorter provides different processing paths for outbound IP datagrams, specifically:
For data packets within the scope of the security policies or security associations in effect on this device, normal IPSec processing is performed; or,
For data packets outside the scope of the security policies or security associations in effect on this device but within the scope of its update-only security policies and security associations, only the sequence number is updated, or the sequence number is verified and the anti-replay window updated, together with the lifetimes of the security policy and security association, and the packet is then discarded.
2. The load-balanced IPSec VPN device cluster system according to claim 1, characterized in that every IPSec VPN device in the cluster is configured with a configurable IP multicast address as the intra-group communication address, and the intra-group synchronization module periodically sends this device's security policies, security associations, online status and computing capability evaluation result to the other member devices of the cluster by multicast, and also receives the security policies, security associations, online status and computing capability evaluation results sent by the other member devices by multicast, forming the cluster's globally consistent security policies and security associations.
3. The load-balanced IPSec VPN device cluster system according to claim 1, characterized in that the IPSec VPN devices of the cluster have a shared virtual IP address, which serves as the IPSec VPN tunnel source IP address shared by the cluster; all outbound IP datagrams processed by the cluster use the virtual IP address shared by the member devices as the source IP address after tunnel encapsulation, and all inbound IPSec packets whose destination IP address is the virtual IP address are received by every online member device in the cluster.
4. The load-balanced IPSec VPN device cluster system according to claim 1, characterized in that the computing capability evaluation module runs 10,000 RSA signature operations with a 2048-bit modulus in a multithreaded manner and calculates the signing speed in operations per second as the computing capability evaluation result of the IPSec VPN device on which it runs.
5. A working method of the load-balanced IPSec VPN device cluster system according to any one of claims 1 to 4, characterized in that it comprises the following steps:
Step 1: For the same IPSec VPN device cluster, set a virtual IP address shared by the member devices as the IPSec VPN tunnel source IP address shared by the cluster;
Step 2: When the IPSec VPN devices in the same cluster start, run the computing capability evaluation module to obtain the computing capability evaluation result of each IPSec VPN device;
Step 3: Every IPSec VPN device in the same cluster is configured with a configurable IP multicast address as the intra-group communication address;
Step 4: The load management module distributes the data load according to the differences in computing capability among the IPSec VPN devices in the group and sets the security policies and security associations that actually take effect according to the load allocated to this device;
Step 5: In an Ethernet environment, for each inbound or outbound data packet, link-layer address resolution is performed for the virtual IP address or gateway IP address of the IPSec VPN cluster, that is, the 48-bit MAC address corresponding to the virtual IP address or gateway IP address is requested;
Step 6: The data sorter provides different processing paths for inbound and outbound IP datagrams according to whether a received data packet falls within the scope of the security policies or security associations in effect on this device; the data sorter provides different processing paths for outbound IP datagrams, specifically:
For data packets within the scope of the security policies or security associations in effect on this device, normal IPSec processing is performed;
For data packets outside the scope of the security policies or security associations in effect on this device but within the scope of its update-only security policies and security associations, only the sequence number is updated, or the sequence number is verified and the anti-replay window updated, together with the lifetimes of the security policy and security association, and the packet is then discarded.
6. The working method of the load-balanced IPSec VPN device cluster system according to claim 5, characterized in that Step 4 is specifically:
First, all devices in the cluster are uniformly sorted and numbered in descending order of each member device's real IP address; the global security policies are sorted in descending order by the five-tuple of source IP address, destination IP address, source transport-layer port, destination transport-layer port and transport-layer protocol number, in that order; the global security associations are sorted in descending order by the triple of destination IP address, Security Parameter Index and security protocol, in that order;
Then, the computing capabilities of all member devices are summed to give the total computing capability, and the ratio of each member device's computing capability to the total is the load proportion assigned to that device; according to device number and load proportion, each device in turn obtains from the global security policies and the global security associations the security policies and security associations that actually take effect on it; for each device, the global policies and global associations that remain after removing those that actually take effect on that device are the device's update-only security policies and security associations;
The load management module periodically updates this device's actually effective security policies and security associations, and its update-only security policies and security associations, according to the periodically received intra-group synchronization information; if a device fails, the load assigned to it, that is, the security policies and security associations that actually took effect on it, is reassigned to the other devices according to their computing capability.
7. the method for work of the IPSec VPN device group systems of load balancing as claimed in claim 5, it is characterised in that
In step 5, virtual ip address or the corresponding MAC Address of gateway ip address are set to configurable Multicast MAC Address, address
Transponder please for all link layer address parsing that the virtual ip address or gateway ip address to IPSec VPN clusters are carried out
Ask, the unified Multicast MAC Address responded to set, the IP numbers out of the station for carrying out IPSec treatment in need so out of the station
Every equipment of cluster can be reached by multicast channel according to message and ike negotiation message.
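The capability-weighted split of claim 6 and the two processing paths of claim 5, sketched in Python as an added example that is not code from the patent. Because every member sorts the same synchronized inputs the same way, each one derives the same split without a coordinator. The exact-match tuples, the floor rounding of slice boundaries, the function names and the sample addresses are assumptions; the patent does not fix them.

```python
from ipaddress import ip_address

def sort_key(entry):
    # Address fields (strings) compare numerically; ports, SPI and protocol are ints.
    return tuple(int(ip_address(f)) if isinstance(f, str) else f for f in entry)

def assign(devices, entries):
    """Split entries into contiguous slices, one per device, sized by capability."""
    # Number the devices by real IP address, largest first.
    order = sorted(devices, key=lambda d: int(ip_address(d)), reverse=True)
    # Sort the global strategy (or SA) set by its tuple, largest first.
    ranked = sorted(entries, key=sort_key, reverse=True)
    total = sum(devices.values())
    shares, start, acc = {}, 0, 0
    for dev in order:
        acc += devices[dev]
        end = len(ranked) * acc // total  # assumption: floor of the cumulative share
        shares[dev] = ranked[start:end]
        start = end
    return shares

def update_only(shares, dev):
    # Everything in the global set that some other member enforces.
    return [e for d, own in shares.items() if d != dev for e in own]

def classify(shares, dev, entry):
    # Claim 5 paths: normal IPSec processing, or state update followed by discard.
    if entry in shares[dev]:
        return "ipsec"
    if entry in update_only(shares, dev):
        return "update-and-discard"
    return "no-match"

def fail_over(shares, devices, failed):
    # Re-split only the failed member's entries among the survivors by capability.
    survivors = {d: c for d, c in devices.items() if d != failed}
    extra = assign(survivors, shares[failed])
    return {d: shares[d] + extra[d] for d in survivors}

# Constructed sample: three members (real IP -> computing capability), eight strategies.
DEVICES = {"192.0.2.1": 1, "192.0.2.2": 1, "192.0.2.3": 2}
POLICIES = [(f"198.51.100.{n}", "203.0.113.10", 40000 + n, 443, 6) for n in range(1, 9)]

if __name__ == "__main__":
    shares = assign(DEVICES, POLICIES)
    for dev, own in shares.items():
        print(dev, [p[0] for p in own])
    print(fail_over(shares, DEVICES, "192.0.2.3"))
```

The same `assign` call works for the Security Association triple (destination IP address, SPI, security protocol), since `sort_key` compares whatever fields the tuple carries.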
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410460656.1A CN104184675B (en) | 2014-09-12 | 2014-09-12 | The IPSec VPN devices group system and its method of work of a kind of load balancing |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201410460656.1A CN104184675B (en) | 2014-09-12 | 2014-09-12 | The IPSec VPN devices group system and its method of work of a kind of load balancing |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104184675A (en) | 2014-12-03 |
| CN104184675B (en) | 2017-05-31 |
Family
ID=51965433
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201410460656.1A Active CN104184675B (en) | 2014-09-12 | 2014-09-12 | The IPSec VPN devices group system and its method of work of a kind of load balancing |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104184675B (en) |
Families Citing this family (9)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104954222A (en) * | 2015-05-22 | 2015-09-30 | 东南大学 | Tunnel-mode ESP (Encapsulating Security Payload) hardware encapsulating device based on IPSEC (Internet Protocol Security) protocols |
| WO2017070973A1 (en) * | 2015-10-31 | 2017-05-04 | 华为技术有限公司 | Internet protocol security tunnel establishing method, user equipment and base station |
| CN108322330B (en) * | 2017-12-26 | 2021-03-02 | 成都卫士通信息产业股份有限公司 | IPSEC VPN serial number and anti-replay window synchronization method and device |
| CN112714069A (en) * | 2021-01-06 | 2021-04-27 | 上海交通大学 | Method for lowering shunting module to network card hardware in IPSec security gateway environment |
| CN113312151B (en) * | 2021-06-23 | 2024-07-05 | 哈尔滨工程大学 | Load balancing method of IPSecVPN cluster |
| CN116016529A (en) * | 2022-12-27 | 2023-04-25 | 南方电网数字电网研究院有限公司 | IPSec VPN equipment load balancing management method and device |
| CN115987670A (en) * | 2022-12-29 | 2023-04-18 | 湖北天融信网络安全技术有限公司 | Method and device for updating security association of IPSec VPN, electronic equipment and storage medium |
| CN116155477B (en) * | 2023-04-18 | 2023-07-18 | 湖北省楚天云有限公司 | An IPsec anti-replay method and system based on dynamic sliding window |
| CN117240455A (en) * | 2023-10-16 | 2023-12-15 | 北京环宇博亚科技有限公司 | An encryption system based on IPsec link encryption method |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8104081B2 (en) * | 2005-11-15 | 2012-01-24 | Avaya Inc. | IP security with seamless roaming and load balancing |
| US8364948B2 (en) * | 2004-07-02 | 2013-01-29 | Hewlett-Packard Development Company, L.P. | System and method for supporting secured communication by an aliased cluster |
| CN103107973A (en) * | 2011-11-09 | 2013-05-15 | 中兴通讯股份有限公司 | High availability method and high availability device for achieving security protocol |
| CN103200094A (en) * | 2013-03-14 | 2013-07-10 | 成都卫士通信息产业股份有限公司 | Method for achieving gateway dynamic load distribution |
Non-Patent Citations (2)
| Title |
|---|
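| "Research on the Application of IPSec-Based Distributed Cluster VPN"; Yin Jianping; China Excellent Doctoral and Master's Theses Full-text Database (Master's), Information Science and Technology; 20070515; full text * |
| "High-Throughput IPsec VPN System Based on Load Balancing"; Zhou Zhenbin, Tang Jianqi; Computer Engineering and Applications; 20121221; full text * |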
Also Published As
| Publication number | Publication date |
|---|---|
| CN104184675A (en) | 2014-12-03 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN104184675B (en) | The IPSec VPN devices group system and its method of work of a kind of load balancing | |
| CN104270298B (en) | Message forwarding method and device in a kind of VXLAN networks | |
| CN103475655B (en) | A kind of method realizing IPSecVPN main/slave link switching at runtime | |
| CN104009926B (en) | Multicast method in EVI network and edge device ED | |
| US9515845B2 (en) | Utility communication method and system | |
| CN103067290B (en) | The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card | |
| CN100566294C (en) | Unicast Reverse Path Forwarding Method | |
| US10284471B2 (en) | AIA enhancements to support lag networks | |
| CN112822103B (en) | Information reporting method, information processing method and equipment | |
| CN103220287B (en) | Utilize the method that ACL carries out business coupling to message | |
| CN104104570A (en) | Aggregation processing method in IRF (Intelligent Resilient Framework) system and device | |
| US20110182184A1 (en) | Method and apparatus for increasing the scalability of the ethernet oam | |
| CN104468310A (en) | Power communication system and method | |
| EP2911355A1 (en) | Method and device for flow path negotiation in link aggregation group | |
| CN107948086A (en) | A kind of data packet sending method, device and mixed cloud network system | |
| CN103973673B (en) | The method and apparatus for dividing virtual firewall | |
| CN101272310A (en) | Method and device for automatic protection switching of Ethernet ring network | |
| WO2009069874A8 (en) | System and method for reassembling packets in relay node | |
| CN103414631A (en) | Openflow controller channel encryption optimization method suitable for electric power applications | |
| CN102255765A (en) | Bidirectional forwarding detection method and device | |
| CN100481805C (en) | Ring shape Ethernet and service loading implementation method thereof | |
| CN103812752B (en) | In a kind of power telecom network between VLAN resource-sharing method | |
| CN102918807B (en) | Method and routing equipment for BFD session establishment | |
| CN104883337B (en) | The implementation method and device of looped network user security | |
| CN104604186B (en) | Network system and communication device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CP01 | Change in the name or title of a patent holder | Address after: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041. Patentee after: China Electronics Technology Network Security Technology Co.,Ltd. Address before: No. 333, Yunhua Road, high tech Zone, Chengdu, Sichuan 610041. Patentee before: CHENGDU WESTONE INFORMATION INDUSTRY Inc. |