CN102025742A - Negotiation method and device of internet key exchange (IKE) message - Google Patents


Info

Publication number
CN102025742A
Authority
CN
China
Legal status
Pending
Application number
CN201010592414XA
Other languages
Chinese (zh)
Inventor
谭龙远
Current Assignee
Huawei Digital Technologies Chengdu Co Ltd
Original Assignee
Huawei Symantec Technologies Co Ltd
Application filed by Huawei Symantec Technologies Co Ltd
Priority to CN201010592414XA
Publication of CN102025742A
Priority to PCT/CN2011/083230 (WO2012079462A1)

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/061: Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
    • H04L63/16: Implementing security features at a particular protocol layer
    • H04L63/164: Implementing security features at a particular protocol layer at the network layer

Abstract

The embodiments of the invention disclose a negotiation method and device for internet key exchange (IKE) messages. The method comprises the following steps: sending the last negotiation message that the device itself needs to send; judging whether a response message from the peer is received; and establishing a security association (SA) if the peer response message is received, otherwise sending the last negotiation message again. According to the embodiments of the invention, the quality of phase 1 and phase 2 IKE negotiation can be improved.

Description

Negotiation method and device for IKE messages
Technical field
The present invention relates to the field of communication technology, and in particular to a negotiation method and device for IKE messages.
Background technology
Before IPsec (IP Security) sends a data packet, a SA (Security Association) must first be established. IKE (Internet Key Exchange) is a hybrid protocol used to establish SAs dynamically. IKE is a key exchange and key management protocol that provides key services for IPsec; it is built on the framework defined by SA and ISAKMP (Internet Security Association and Key Management Protocol). At the same time, IKE also implements part of the functionality of two key management techniques, Oakley and SKEME. IKE retains the ISAKMP foundation, the Oakley modes and the sharing and key-update techniques of SKEME, thereby defining how authenticated keying material is generated and how shared policy is negotiated. Oakley defines the modes; ISAKMP defines the phases of the negotiation.
IKE negotiation has two phases. In phase 1, the IKE negotiation creates an IKE SA and authenticates it; this IKE SA provides confidentiality, data integrity and data-origin authentication for further IKE communication between the two parties. In phase 2, the established IKE SA is used to negotiate and create an IPsec SA. The negotiation process of each phase can be carried out in different modes: phase 1 can be negotiated in main mode or aggressive mode, and phase 2 is negotiated in quick mode.
Refer to Fig. 1, a schematic diagram of the phase 1 negotiation process in main mode. As shown in Fig. 1, the negotiation initiator and the negotiation responder complete the phase 1 negotiation by exchanging 6 negotiation messages. The first four negotiation messages are exchanged in plaintext, and the last two are exchanged encrypted. Besides main mode, phase 1 can also be negotiated in aggressive mode. Refer to Fig. 2, a schematic diagram of the phase 1 negotiation process in aggressive mode. As shown in Fig. 2, the initiator and the responder can complete the phase 1 negotiation by exchanging 3 negotiation messages. After the phase 1 negotiation completes, the phase 2 negotiation begins. Refer to Fig. 3, a schematic diagram of the phase 2 negotiation process in quick mode. As shown in Fig. 3, the initiator and the responder complete the phase 2 negotiation by exchanging 3 negotiation messages.
However, the inventor found during research that in each negotiation process, because of network instability such as network faults or congestion, the last negotiation message of the process is easily lost in transit, so that one of the two negotiating parties completes the negotiation while the other does not. In phase 1, after one of the two parties fails the negotiation, the VPN (Virtual Private Network) is unavailable until the IKE SA times out and ages out. In phase 2, after the responder fails the negotiation, it cannot decrypt the messages it receives from the initiator and therefore discards all of them. At the same time, because the initiator continues to send data packets to the responder's invalid SA (Security Association), bandwidth is wasted and these packets fall into a black hole.
Summary of the invention
To solve the above technical problem, the embodiments of the invention provide a negotiation method and device for IKE messages, which can ensure that the phase 1 and phase 2 negotiations succeed and improve the quality of IKE negotiation.
The embodiments of the invention disclose the following technical solutions:
A negotiation method for IKE messages comprises: sending the last negotiation message that the party itself needs to send; judging whether a peer response message is received; when the peer response message is received, establishing a security association (SA); otherwise, resending the last negotiation message.
A device for implementing IKE message negotiation comprises: a sending unit, used to send the last negotiation message the device itself needs to send; a judging unit, used to judge whether a peer response message is received; a negotiation unit, used to establish a security association (SA) when the peer response message is received; and a retransmission unit, used to resend the last negotiation message when the peer response message is not received.
As can be seen from the above embodiments, after sending the last negotiation message that it needs to send, the party judges whether a peer response message is received. If the peer response message is received, the negotiation has succeeded and the security association is established; if it is not received, the negotiation has not succeeded and the last negotiation message is resent. The quality of IKE negotiation is thereby improved. At the same time, when one party's negotiation succeeds while the other's fails, the successful party is prevented from wasting bandwidth by sending encrypted messages to the failed party, where they would fall into a black hole.
Description of drawings
In order to explain the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; those of ordinary skill in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the phase 1 negotiation process in main mode;
Fig. 2 is a schematic diagram of the phase 1 negotiation process in aggressive mode;
Fig. 3 is a schematic diagram of the phase 2 negotiation process in quick mode;
Fig. 4 is a flow chart of one embodiment of the negotiation method for IKE messages;
Fig. 5 is a flow chart of another embodiment of the negotiation method for IKE messages;
Fig. 6 is a flow chart of another embodiment of the negotiation method for IKE messages;
Fig. 7 is a schematic diagram of the phase 1 IKE message negotiation process in aggressive mode under a network failure;
Fig. 8 is a flow chart of another embodiment of the negotiation method for IKE messages;
Fig. 9 is a flow chart of a method for sending the last negotiation message of a negotiation process;
Figure 10 is a structural diagram of an embodiment of a device for implementing IKE message negotiation.
Embodiment
To make the above objects, features and advantages of the present invention clearer, the embodiments of the invention are described in detail below with reference to the accompanying drawings.
Embodiment one
Refer to Fig. 4, the flow chart of one embodiment of the negotiation method for IKE messages of the present application. It comprises the following steps:
Step 401: send the last negotiation message that the party itself needs to send;
Step 402: judge whether a peer response message is received; if so, go to step 403, otherwise go to step 404;
Judging whether the peer response message is received is specifically: judge whether the peer response message is received within a preset time; if so, it is judged that the peer response message has been received, otherwise it is judged that it has not been received. Alternatively, in aggressive mode, judge whether the first negotiation message of the next phase arrived before the peer response message; if so, it is judged that the peer response message has not been received, otherwise it is judged that it has been received.
Alternatively,
in aggressive mode, judge whether the preset time expired or the first negotiation message of the next phase arrived before the peer response message; if so, it is judged that the peer response message has not been received, otherwise it is judged that it has been received.
The preset time may be times × 2 + 5 s, where times is the number of times the last negotiation message has been retransmitted.
It should be noted that the embodiments of the present application do not limit the preset time; besides the above value, it can be set arbitrarily according to the user's application requirements.
Step 403: when the peer response message is received, establish the security association (SA);
Step 404: when the peer response message is not received, resend the last negotiation message.
Resending the last negotiation message is specifically: retrieve the saved last negotiation message and send the retrieved message;
Alternatively,
in main mode, initiate the negotiation process again and send the last negotiation message in the re-initiated negotiation process.
In the embodiments of the present application, a lifetime can also be set for a message. When the lifetime of the message expires, the executing entity no longer sends that message. For example, in main mode, once the lifetime of main mode message (6) has expired, the responder will not send main mode message (6) to the initiator again even if it receives main mode message (5) again.
The lifetime of a message may be 60 s in phase 1 and 50 s in phase 2. It should be noted that the embodiments of the present application do not limit the lifetime; besides the above values, it can be set arbitrarily according to the user's application requirements.
As can be seen from the above embodiment, after sending the last negotiation message that it needs to send, the party judges whether a peer response message is received. If the peer response message is received, the negotiation has succeeded and the security association is established; if it is not received, the negotiation has not succeeded and the last negotiation message is resent. The quality of IKE negotiation is thereby improved. At the same time, when one party's negotiation succeeds while the other's fails, the successful party is prevented from wasting bandwidth by sending encrypted messages to the failed party, where they would fall into a black hole.
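As an added illustration (not code from the patent), the following C program simulates the retransmission decision of steps 401 to 404 for one party after it has sent its final message, using the preset time of times × 2 + 5 s and the lifetimes of 60 s (phase 1) and 50 s (phase 2) given above; it also covers the aggressive-mode shortcut of embodiments three and four, where the next phase's first message arriving before the peer's response triggers an immediate resend. The `struct event` representation, the event timings and the `aggressive` flag are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>

/* Negotiation phase: phase 1 (IKE SA) or phase 2 (IPsec SA). */
enum phase { PHASE1 = 1, PHASE2 = 2 };

/* What can reach this party while it waits for the peer's response. */
enum event_kind { EV_PEER_RESPONSE, EV_NEXT_PHASE_FIRST_MSG };

/* Constructed input: an inbound message with its arrival time in seconds
   after the first transmission of our final message (t = 0). */
struct event { double at; enum event_kind kind; };

enum outcome { SA_ESTABLISHED, GAVE_UP };

struct result {
    enum outcome outcome;
    int retransmissions;   /* how often the final message was resent */
    double finished_at;    /* when the SA came up, or when sending stopped */
};

/* Preset wait time from the patent: times * 2 + 5 seconds, where times is
   the number of retransmissions already made. */
static double preset_time(int times) { return times * 2.0 + 5.0; }

/* Example lifetimes from the patent: 60 s in phase 1, 50 s in phase 2.
   Once the lifetime has elapsed the final message is never sent again. */
static double lifetime(enum phase p) { return p == PHASE1 ? 60.0 : 50.0; }

/* Steps 401-404 for one party. events must be sorted by arrival time.
   In aggressive mode the first message of the next phase arriving before
   the peer's response also proves the response was lost and triggers an
   immediate retransmission (embodiments three and four). */
struct result negotiate_last_message(enum phase p, bool aggressive,
                                     const struct event *events, int n)
{
    struct result r = { GAVE_UP, 0, 0.0 };
    double sent_at = 0.0;   /* time of the latest (re)transmission */
    int times = 0;          /* retransmissions so far */
    int i = 0;              /* next unconsumed inbound event */

    for (;;) {
        double deadline = sent_at + preset_time(times);
        double retransmit_at = -1.0;

        /* Step 402: look at what arrives before the preset time expires. */
        while (i < n && events[i].at <= deadline) {
            const struct event *ev = &events[i++];
            if (ev->kind == EV_PEER_RESPONSE) {
                /* Step 403: the peer confirmed our final message. */
                r.outcome = SA_ESTABLISHED;
                r.retransmissions = times;
                r.finished_at = ev->at;
                return r;
            }
            if (ev->kind == EV_NEXT_PHASE_FIRST_MSG && aggressive) {
                /* Peer already moved on to the next phase: resend at once. */
                retransmit_at = ev->at;
                break;
            }
            /* In main or quick mode a stray next-phase message is ignored. */
        }
        if (retransmit_at < 0.0)
            retransmit_at = deadline;   /* preset time expired, no response */

        /* Lifetime check: stop once the message's lifetime is over. */
        if (retransmit_at >= lifetime(p)) {
            r.retransmissions = times;
            r.finished_at = retransmit_at;
            return r;
        }

        /* Step 404: resend the saved final message. */
        times++;
        sent_at = retransmit_at;
    }
}

int main(void)
{
    /* Constructed scenario: main mode, the final message is lost once and
       the retransmission is answered 8 s after the first attempt. */
    const struct event lost_once[] = { { 8.0, EV_PEER_RESPONSE } };
    struct result r = negotiate_last_message(PHASE1, false, lost_once, 1);
    printf("outcome=%d retransmissions=%d finished_at=%.1f\n",
           r.outcome, r.retransmissions, r.finished_at);
    return 0;
}
```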
Embodiment two
In this embodiment, the negotiation method is illustrated by taking as an example the judgement of whether the peer response message is received within the preset time. Refer to Fig. 5, the flow chart of another embodiment of the negotiation method for IKE messages of the present application. It comprises the following steps:
Step 501: if, within the preset time after one negotiating party has sent the last negotiation message it needs to send, it does not receive the negotiation response message sent by the peer, it sends the last negotiation message it needs to send to the peer again;
For example, in phase 1, when phase 1 is negotiated in main mode, the initiator sends the last negotiation message it should send to the responder, namely main mode message (5), and the responder then sends the reply negotiation message to the initiator, namely main mode message (6).
When phase 1 is negotiated in aggressive mode, the responder sends the last negotiation message it should send to the initiator, namely aggressive mode message (2), and the initiator then sends the reply negotiation message to the responder, namely aggressive mode message (3).
In phase 2, when phase 2 is negotiated in quick mode, the responder sends the last negotiation message it should send to the initiator, namely quick mode message (2), and the initiator then sends the reply negotiation message to the responder, namely quick mode message (3).
When phase 1 is negotiated in main mode, if the initiator does not receive main mode message (6) within the preset time after sending main mode message (5), it sends main mode message (5) to the responder again.
When phase 1 is negotiated in aggressive mode, if the responder does not receive aggressive mode message (3) within the preset time after sending aggressive mode message (2), it sends aggressive mode message (2) to the initiator again.
When phase 2 is negotiated in quick mode, if the responder does not receive quick mode message (3) within the preset time after sending quick mode message (2), it sends quick mode message (2) to the initiator again.
The preset time may be times × 2 + 5 s, where times is the number of times the last negotiation message has been retransmitted.
It should be noted that the embodiments of the present application do not limit the preset time; besides the above value, it can be set arbitrarily according to the user's application requirements.
In addition, in the embodiments of the present application, when the lifetime of a message expires, the executing entity no longer sends that message. For example, in main mode, once the lifetime of main mode message (6) has expired, the responder will not send main mode message (6) to the initiator again even if it receives main mode message (5) again. The lifetime of a message may be 60 s in phase 1 and 50 s in phase 2. It should be noted that the embodiments of the present application do not limit the lifetime; besides the above values, it can be set arbitrarily according to the user's application requirements.
It should also be noted that in main mode, when the initiator does not receive the negotiation response message from the responder within the preset time, besides resending the last negotiation message it needs to send, it can also initiate the negotiation again and, in the re-initiated negotiation process, send the last negotiation message it needs to send to the responder once more.
Step 502: if, within the preset time after one negotiating party has sent the last negotiation message it needs to send, it receives the negotiation response message sent by the peer, the security association is established.
As can be seen from the above embodiment, after sending the last negotiation message that it needs to send, the party judges whether the peer response message is received within the preset time. If the peer response message is received within the preset time, the negotiation has succeeded and the security association is established; if it is not received within the preset time, the negotiation has not succeeded and the last negotiation message is resent. The quality of IKE negotiation is thereby improved. At the same time, when one party's negotiation succeeds while the other's fails, the successful party is prevented from wasting bandwidth by sending encrypted messages to the failed party, where they would fall into a black hole.
Embodiment three
This embodiment provides another negotiation method for IKE messages. The IKE message negotiation method of this embodiment applies only to aggressive mode. Refer to Fig. 6, a flow chart of another embodiment of the negotiation method for IKE messages. The method comprises the following steps:
Step 601: in aggressive mode, after the responder has sent the last negotiation message it needs to send, if it receives the first negotiation message of phase 2 before receiving the negotiation response message sent by the initiator, it resends the last negotiation message it needs to send;
For example, refer to Fig. 7, a schematic diagram of the phase 1 IKE message negotiation process in aggressive mode under a network failure. As shown in Fig. 7, the initiator has completed the phase 1 negotiation process and entered the phase 2 negotiation process, so it continues by sending the first negotiation message of phase 2 to the responder. At this moment the responder has still not received the last negotiation message, so from the responder's point of view phase 1 has not been established, and the responder therefore sends the last negotiation message it needs to send to the initiator again.
Step 602: after the responder has sent the last negotiation message it needs to send, if it receives the negotiation response message sent by the initiator before receiving the first negotiation message of phase 2, the security association is established.
Meanwhile, it should be noted that in the embodiments of the present application, when the lifetime of a message expires, the executing entity no longer sends that message. For example, in aggressive mode, once the lifetime of aggressive mode message (3) has expired, the initiator will not send aggressive mode message (3) to the responder again even if it receives aggressive mode message (2) again. The lifetime of a message may be 60 s in phase 1 and 50 s in phase 2. It should be noted that the embodiments of the present application do not limit the lifetime; besides the above values, it can be set arbitrarily according to the user's application requirements.
As can be seen from the above embodiment, after sending the last negotiation message that it needs to send, the responder judges whether the first negotiation message of phase 2 was received before the negotiation response message sent by the initiator. If not, the negotiation has succeeded and the security association is established; if so, the negotiation has not succeeded and the last negotiation message is resent. The quality of IKE negotiation is thereby improved. At the same time, when one party's negotiation succeeds while the other's fails, the successful party is prevented from wasting bandwidth by sending encrypted messages to the failed party, where they would fall into a black hole.
Embodiment four
This embodiment provides another negotiation method for IKE messages. The IKE message negotiation method of this embodiment applies only to aggressive mode. For the responder, if the preset time expires before the peer response message is received, the responder resends the last negotiation message it needs to send to the initiator after the preset time has expired; if the first negotiation message of phase 2 arrives before the peer response message is received, the responder resends the last negotiation message it needs to send to the initiator after receiving the first negotiation message of phase 2. Refer to Fig. 8, the flow chart of another embodiment of the negotiation method for IKE messages of the present application. The method comprises the following steps:
Step 801: in aggressive mode, after the responder has sent the last negotiation message it needs to send, if the preset time expires before the peer response message is received, or the first negotiation message of the next phase arrives before the peer response message is received, it resends the last negotiation message it needs to send;
Step 802: after the responder has sent the last negotiation message it needs to send, if it receives the negotiation response message sent by the initiator before the preset time expires and before it receives the first negotiation message of the next phase, the security association is established.
Meanwhile, it should be noted that in the embodiments of the present application, when the lifetime of a message expires, the executing entity no longer sends that message. For example, in aggressive mode, once the lifetime of aggressive mode message (3) has expired, the initiator will not send aggressive mode message (3) to the responder again even if it receives aggressive mode message (2) again.
The lifetime of a message may be 60 s in phase 1 and 50 s in phase 2. It should be noted that the embodiments of the present application do not limit the lifetime; besides the above values, it can be set arbitrarily according to the user's application requirements.
As can be seen from the above embodiment, after sending the last negotiation message that it needs to send, the responder judges whether the negotiation response message sent by the initiator is received before the preset time expires and before the first negotiation message of the next phase arrives. If so, the negotiation has succeeded and the security association is established; if instead the first negotiation message of the next phase arrives before the preset time expires, or the preset time expires before the first negotiation message of the next phase arrives, without the response having been received, the negotiation has not succeeded and the last negotiation message is resent. The quality of IKE negotiation is thereby improved. At the same time, when one party's negotiation succeeds while the other's fails, the successful party is prevented from wasting bandwidth by sending encrypted messages to the failed party, where they would fall into a black hole.
Embodiment five
The following describes in detail, for the different modes of the two phases of IKE negotiation, the specific implementation by which one negotiating party (the responder in main mode, or the initiator in aggressive mode) sends the last negotiation message of the negotiation process. Refer to Fig. 9, a flow chart of a method for sending the last negotiation message of a negotiation process. The implementation steps are as follows:
Step 901: according to the logical condition (initiator ^ (step % 2)) && (status == ready), judge whether the negotiation message about to be sent is the last negotiation message of the negotiation process; if the condition is true, go to step 902; if it is false, end the process;
Here, initiator denotes the identity of the sender of the message about to be sent: if the sender is the initiator, initiator is 1; if it is the responder, initiator is 0. step denotes the negotiation step, counted from 0, so step = 0 means negotiation step 1, and so on. status denotes the sequence number of the message about to be sent, counted from 1, so status = 1 means the message about to be sent is message (1); if it is the last negotiation message of the negotiation process, status is ready.
It is not hard to see that, by this logical condition, if the message about to be sent is the last negotiation message of the negotiation process, the condition is true.
Step 902: according to the logical condition (last_sent && (flags & MSG_LAST)), judge whether the last negotiation message about to be sent has already been saved; if the condition is false, go to step 903; if it is true, go to step 904;
Step 903: set the type flags of the last negotiation message to MSG_LAST, record the last negotiation message in the variable last_sent, send the last negotiation message, and end the process;
Step 904: send the last negotiation message and end the process.
Specifically: (1) In main mode, initiator is 0, and the responder uses the logical condition (last_sent && (flags & MSG_LAST)) to judge whether this message has been saved. If the condition (last_sent && (flags & MSG_LAST)) is false, this is the first time the last negotiation message is being sent, so flags must be set to MSG_LAST, the last negotiation message (6) being sent for the first time is recorded in the saved variable last_sent, and the message is sent. If the condition is true, this is a repeated send of the last negotiation message; because the last negotiation message was saved at the first send, it does not need to be saved again and is simply retransmitted.
(2) In aggressive mode, initiator is 1, and the initiator uses the logical condition (last_sent && (flags & MSG_LAST)) to judge whether this message has been saved. If the condition is false, this is the first time the last negotiation message is being sent, so flags must be set to MSG_LAST, the last negotiation message (3) being sent for the first time is recorded in the saved variable last_sent, and the message is sent. If the condition is true, this is a repeated send of the last negotiation message; because it was saved at the first send, it does not need to be saved again and is simply retransmitted.
(3) In quick mode, initiator is likewise 1, and the initiator uses the logical condition (last_sent && (flags & MSG_LAST)) to judge whether this message has been saved. If the condition is false, this is the first time the last message is being sent, so flags must be set to MSG_LAST, the last negotiation message (3) being sent for the first time is recorded in the saved variable last_sent, and the message is sent. If the condition is true, this is a repeated send of the last negotiation message; because it was saved at the first send, it does not need to be saved again and is simply retransmitted.
As can be seen from the above embodiment, after sending the last negotiation message that it needs to send, the party judges whether a peer response message is received. If the peer response message is received, the negotiation has succeeded and the security association is established; if it is not received, the negotiation has not succeeded and the last negotiation message is resent. The quality of IKE negotiation is thereby improved. At the same time, when one party's negotiation succeeds while the other's fails, the successful party is prevented from wasting bandwidth by sending encrypted messages to the failed party, where they would fall into a black hole.
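The following C program, added here as an example rather than code taken from the patent, implements the two logical conditions of steps 901 to 904: it identifies the final message of an exchange with (initiator ^ (step % 2)) && (status == ready), caches it in last_sent on the first send, and on later calls replays the cached copy instead of saving again. The struct layout, the READY sentinel for status, the wire_send stub and the return codes are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MSG_LAST 0x01u   /* flag bit marking the saved final message */
#define READY    (-1)    /* assumed sentinel value for status == ready */

/* Constructed message representation; the patent names only the fields. */
struct msg {
    int initiator;       /* 1 if sent by the initiator, 0 if by the responder */
    int step;            /* negotiation step, counted from 0 */
    int status;          /* message number counted from 1, or READY for the last */
    unsigned flags;
    char payload[32];
};

enum send_action { SENT_NORMAL, SENT_AND_SAVED, RETRANSMITTED };

/* Step 901: the final message of the exchange satisfies this condition. */
bool is_last_message(const struct msg *m)
{
    return (m->initiator ^ (m->step % 2)) && (m->status == READY);
}

static struct msg saved_copy;
static struct msg *last_sent;      /* NULL until the final message is first sent */
static int wire_sends;             /* stub counter for transmitted messages */

/* Assumed transport stub: a real daemon would encrypt and write the UDP datagram. */
static void wire_send(const struct msg *m) { wire_sends++; (void)m; }

void reset_negotiation_state(void)
{
    last_sent = NULL;
    wire_sends = 0;
    memset(&saved_copy, 0, sizeof saved_copy);
}

int wire_send_count(void) { return wire_sends; }

/* Steps 901-904: send a negotiation message, caching the final one. */
enum send_action send_negotiation_msg(struct msg *m)
{
    if (!is_last_message(m)) {
        wire_send(m);                 /* not the last message: nothing to keep */
        return SENT_NORMAL;
    }
    /* Step 902: has the final message already been saved? */
    if (last_sent && (m->flags & MSG_LAST)) {
        wire_send(last_sent);         /* step 904: resend the saved copy */
        return RETRANSMITTED;
    }
    /* Step 903: first send, mark it, keep a copy and send it. */
    m->flags |= MSG_LAST;
    saved_copy = *m;
    last_sent = &saved_copy;
    wire_send(last_sent);
    return SENT_AND_SAVED;
}

/* Step 404 / step 501: resend the cached final message when the peer's
   response did not arrive. Returns false if nothing has been saved yet. */
bool retransmit_last(void)
{
    if (!last_sent) return false;
    wire_send(last_sent);
    return true;
}

int main(void)
{
    /* Constructed input: main mode message (6), sent by the responder. */
    struct msg main6 = { 0, 5, READY, 0, "main mode message (6)" };
    reset_negotiation_state();
    printf("first send -> %d\n", send_negotiation_msg(&main6));  /* SENT_AND_SAVED */
    printf("again      -> %d\n", send_negotiation_msg(&main6));  /* RETRANSMITTED */
    printf("retransmit -> %d, sends=%d\n", retransmit_last(), wire_send_count());
    return 0;
}
```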
Embodiment six
Corresponding to the negotiation message retransmission method described above, an embodiment of the invention also provides a negotiation message retransmission system. Referring to Figure 10, a structural diagram of an embodiment of a device for IKE message negotiation according to the application, the device comprises a transmitting unit 1001, a judging unit 1002, a negotiation unit 1003 and a retransmission unit 1004, wherein:
The transmitting unit 1001 is used to send the last negotiation message that the local end itself needs to send;
The judging unit 1002 is used to judge whether a peer response message is received;
The negotiation unit 1003 is used to establish a security association (SA) when the peer response message is received;
The retransmission unit 1004 is used to resend the last negotiation message when the peer response message is not received.
The judging unit 1002 comprises a first judgment sub-unit, used to judge whether the peer response message is received within a preset time; if so, it judges that the peer response message is received, otherwise it judges that the peer response message is not received.
Or,
a second judgment sub-unit, used under aggressive mode to judge whether the first negotiation message of the next phase arrived before the peer response message; if so, it judges that the peer response message is not received, otherwise it judges that the peer response message is received.
Or,
a third judgment sub-unit, used under aggressive mode to judge whether the preset time expired, or the first negotiation message of the next phase arrived, before the peer response message; if so, it judges that the peer response message is not received, otherwise it judges that the peer response message is received.
The retransmission unit 1004 comprises a first retransmission sub-unit, used to retrieve the last negotiation message and send the retrieved last negotiation message;
Or,
a second retransmission sub-unit, used under main mode to initiate the negotiation process again and send the last negotiation message in the re-initiated negotiation process.
As can be seen from the above embodiment, after sending the last negotiation message that it itself needs to send, the local end judges whether the peer response message has been received. If the peer response message is received, the negotiation has succeeded and the security association is established; if it is not received, the negotiation has not succeeded and the last negotiation message is resent. This improves the reliability of IKE negotiation. At the same time, when one side's negotiation succeeds while the other side's fails, this prevents the side whose negotiation succeeded from wasting bandwidth by sending encrypted traffic into a black hole towards the side whose negotiation failed.
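The following is an added example, not code from the patent or from any vendor's IKE implementation. It simulates, in Python, the quick-mode save-and-resend condition from the embodiment above and the four units of embodiment six: the last message of an exchange is sent and cached, the local end waits for the peer response, and it retransmits (or, in main mode, re-initiates) when the response does not arrive within the preset time of claim 6 or, in aggressive mode, when the next phase's first message comes first. MSG_LAST and last_sent follow the description; Mode, Message, LastMessageSender, run_exchange and the lossy channel that drops the first few copies are constructed for illustration and are assumptions.

```python
"""Added example: simulation of last-message retransmission in IKE negotiation.
Not the patent's code. Mode, Message, LastMessageSender, run_exchange and the
lossy channel are constructed; MSG_LAST/last_sent and the times*2+5 s timeout
follow the description and claim 6 respectively."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

MSG_LAST = 0x01  # flag bit: the exchange's last message has been sent once (name from description)


class Mode(Enum):
    MAIN = "main mode"          # 6 messages; the last one is sent by the responder
    AGGRESSIVE = "aggressive"   # 3 messages; the last one is sent by the initiator
    QUICK = "quick mode"        # 3 messages; the last one is sent by the initiator


@dataclass
class Message:
    phase: int      # 1 = IKE SA negotiation, 2 = IPsec SA negotiation (quick mode)
    seq: int        # position of the message within its exchange
    payload: bytes


def preset_timeout(times: int) -> int:
    """Seconds to wait for the peer response (claim 6): times*2+5, where `times`
    is how many times the last message has already been retransmitted."""
    return times * 2 + 5


@dataclass
class LastMessageSender:
    """The local end: sends the final message of an exchange, then decides from
    what happens next whether the peer actually received it."""
    mode: Mode
    max_retries: int = 3
    flags: int = 0
    last_sent: Optional[Message] = None
    times: int = 0              # retransmissions performed so far
    sa_established: bool = False
    restarted: int = 0          # main mode: how often the negotiation was re-initiated
    wire: list = field(default_factory=list)   # every copy handed to the channel

    def send_last(self, msg: Message) -> Message:
        """Condition from the quick-mode branch: last_sent && (flags & MSG_LAST).
        False -> first send: set MSG_LAST, keep a copy in last_sent, send it.
        True  -> retransmission: the copy already exists, just send it again."""
        if not (self.last_sent and (self.flags & MSG_LAST)):
            self.flags |= MSG_LAST
            self.last_sent = msg
        self.wire.append(self.last_sent)
        return self.last_sent

    def response_received(self, response: Optional[Message],
                          next_phase_first: bool, elapsed: float) -> bool:
        """Judging unit (claims 2-4): the response counts only if it arrived within
        the preset time and, in aggressive mode, before the next phase's first message."""
        if self.mode is Mode.AGGRESSIVE and next_phase_first:
            return False
        return response is not None and elapsed <= preset_timeout(self.times)

    def after_wait(self, response: Optional[Message],
                   next_phase_first: bool = False, elapsed: float = 0.0) -> str:
        """Negotiation unit / retransmission unit: establish the SA or resend."""
        if self.response_received(response, next_phase_first, elapsed):
            self.sa_established = True
            return "established"
        if self.times >= self.max_retries:
            return "failed"                 # bounded: do not retransmit forever
        self.times += 1
        if self.mode is Mode.MAIN:
            # claim 5, second form: re-initiate the negotiation; the new process
            # sends the last message again through send_last()
            self.restarted += 1
            self.flags, self.last_sent = 0, None
            return "reinitiated"
        self.send_last(self.last_sent)      # claim 5, first form: resend the stored copy
        return "retransmitted"


def run_exchange(mode: Mode, drop_first_n: int, max_retries: int = 3):
    """Constructed scenario: the channel swallows the first `drop_first_n` copies of
    the last message. Without retransmission the local end would mark the SA as up
    after the first copy and push encrypted traffic into a black hole.
    Returns (outcome, copies sent, retransmissions)."""
    local = LastMessageSender(mode, max_retries=max_retries)
    last = Message(phase=2 if mode is Mode.QUICK else 1,
                   seq=6 if mode is Mode.MAIN else 3,
                   payload=b"final message of the exchange (constructed)")
    local.send_last(last)
    attempts = 1
    while True:
        peer_got_it = attempts > drop_first_n
        response = Message(last.phase, last.seq + 1, b"peer response") if peer_got_it else None
        result = local.after_wait(response, elapsed=1.0)
        if result in ("established", "failed"):
            return result, attempts, local.times
        if result == "reinitiated":
            local.send_last(last)       # the re-initiated process sends the last message again
        attempts += 1


if __name__ == "__main__":
    for mode, drops in ((Mode.QUICK, 0), (Mode.QUICK, 2), (Mode.AGGRESSIVE, 10), (Mode.MAIN, 1)):
        print(mode.value, "drops", drops, "->", run_exchange(mode, drops))
```

Two points a practitioner should note. First, the patent's timer grows only linearly (5 s, 7 s, 9 s, ...), so the example caps retransmissions with max_retries; an implementation without such a cap would let a peer that never answers keep the local end retransmitting indefinitely. Second, the "next phase's first message arrived first" test only makes sense in aggressive and quick mode, where the local end sent the last message; in main mode the last message belongs to the responder, which is why the patent falls back to re-initiating the whole negotiation there.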
The negotiation message retransmission method and retransmission system of the application are applicable to establishing IPsec between host and host, between host and gateway, and between gateway and gateway. An IPsec tunnel is established across the public network and the traffic is encrypted. Firewalls A and B can act as the negotiation initiator and the negotiation responder of the negotiation process. In addition, the retransmission method and retransmission system of the application also apply to staff travelling outside the company, in which case the firewall configuration can serve as a template: client software is installed on a PC connected to the public network, and when data at the headquarters needs to be accessed, each PC establishes its own tunnel to protect the data transmitted over the public network.
It should be noted that a person of ordinary skill in the art will understand that all or part of the flow of the methods in the above embodiments can be implemented by a computer program instructing the relevant hardware. The program may be stored in a computer-readable storage medium and, when executed, may include the flow of the embodiments of the above methods. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), or the like.
The IKE message negotiation method and device provided by the present invention have been described in detail above. Specific embodiments have been used herein to set forth the principle and implementation of the invention; the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, a person of ordinary skill in the art may, according to the idea of the invention, make changes in the specific embodiments and the scope of application. In summary, this description should not be construed as limiting the invention.

Claims (10)

1. A method for negotiating an internet key exchange (IKE) message, characterized in that it comprises:
sending the last negotiation message that the local end itself needs to send;
judging whether a peer response message is received;
when the peer response message is received, establishing a security association (SA); otherwise, resending the last negotiation message.
2. The method according to claim 1, characterized in that judging whether the peer response message is received specifically comprises:
judging whether the peer response message is received within a preset time; if so, judging that the peer response message is received; otherwise, judging that the peer response message is not received.
3. The method according to claim 1, characterized in that judging whether the peer response message is received specifically comprises:
under aggressive mode, judging whether the first negotiation message of the next phase arrived before the peer response message; if so, judging that the peer response message is not received; otherwise, judging that the peer response message is received.
4. The method according to claim 1, characterized in that judging whether the peer response message is received specifically comprises:
under aggressive mode, judging whether the preset time expired, or the first negotiation message of the next phase arrived, before the peer response message; if so, judging that the peer response message is not received; otherwise, judging that the peer response message is received.
5. The method according to any one of claims 1 to 4, characterized in that resending the last negotiation message specifically comprises:
retrieving the last negotiation message and sending the retrieved last negotiation message;
or,
under main mode, initiating the negotiation process again and sending the last negotiation message in the re-initiated negotiation process.
6. The method according to claim 2, characterized in that the preset time is times*2+5 s, where times is the number of times the last negotiation message has been retransmitted.
7. A device for IKE message negotiation, characterized in that it comprises:
a transmitting unit, used to send the last negotiation message that the local end itself needs to send;
a judging unit, used to judge whether a peer response message is received;
a negotiation unit, used to establish a security association (SA) when the peer response message is received;
a retransmission unit, used to resend the last negotiation message when the peer response message is not received.
8. The device according to claim 7, characterized in that the judging unit comprises:
a first judgment sub-unit, used to judge whether the peer response message is received within a preset time; if so, judging that the peer response message is received; otherwise, judging that the peer response message is not received.
9. The device according to claim 7, characterized in that the judging unit comprises:
a second judgment sub-unit, used under aggressive mode to judge whether the first negotiation message of the next phase arrived before the peer response message; if so, judging that the peer response message is not received; otherwise, judging that the peer response message is received.
10. The device according to any one of claims 7 to 9, characterized in that the retransmission unit comprises:
a first retransmission sub-unit, used to retrieve the last negotiation message and send the retrieved last negotiation message;
or,
a second retransmission sub-unit, used under main mode to initiate the negotiation process again and send the last negotiation message in the re-initiated negotiation process.
CN201010592414XA 2010-12-16 2010-12-16 Negotiation method and device of internet key exchange (IKE) message Pending CN102025742A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201010592414XA CN102025742A (en) 2010-12-16 2010-12-16 Negotiation method and device of internet key exchange (IKE) message
PCT/CN2011/083230 WO2012079462A1 (en) 2010-12-16 2011-11-30 Method and device for internet key exchange (ike) message negotiation

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201010592414XA CN102025742A (en) 2010-12-16 2010-12-16 Negotiation method and device of internet key exchange (IKE) message

Publications (1)

Publication Number Publication Date
CN102025742A true CN102025742A (en) 2011-04-20

Family

ID=43866596

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201010592414XA Pending CN102025742A (en) 2010-12-16 2010-12-16 Negotiation method and device of internet key exchange (IKE) message

Country Status (2)

Country Link
CN (1) CN102025742A (en)
WO (1) WO2012079462A1 (en)

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102420770A (en) * 2011-12-27 2012-04-18 汉柏科技有限公司 Method and equipment for negotiating internet key exchange (IKE) message
WO2012079462A1 (en) * 2010-12-16 2012-06-21 成都市华为赛门铁克科技有限公司 Method and device for internet key exchange (ike) message negotiation
CN102868522A (en) * 2012-09-12 2013-01-09 汉柏科技有限公司 Processing method for abnormality of IKE (internet key exchange) negotiation
CN103392323A (en) * 2012-12-25 2013-11-13 华为技术有限公司 IPSEC negotiation method, apparatus, equipment and system
CN104104573A (en) * 2014-08-06 2014-10-15 汉柏科技有限公司 Method and system for controlling IPsec tunnel of network devices
CN115378764A (en) * 2022-08-19 2022-11-22 山石网科通信技术股份有限公司 Communication method, communication apparatus, storage medium, and electronic apparatus

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030142823A1 (en) * 2002-01-25 2003-07-31 Brian Swander Method and apparatus for fragmenting and reassembling internet key exchange data packets
CN101527729A (en) * 2009-05-05 2009-09-09 杭州华三通信技术有限公司 Reliable IKE message negotiation method, device and system thereof

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102025742A (en) * 2010-12-16 2011-04-20 成都市华为赛门铁克科技有限公司 Negotiation method and device of internet key exchange (IKE) message

Also Published As

Publication number Publication date
WO2012079462A1 (en) 2012-06-21

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C53 Correction of patent of invention or patent application
CB02 Change of applicant information

Address after: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Applicant after: Huawei Symantec Technologies Co., Ltd.

Address before: 611731 Chengdu high tech Zone, Sichuan, West Park, Qingshui River

Applicant before: Chengdu Huawei Symantec Technologies Co., Ltd.

COR Change of bibliographic data

Free format text: CORRECT: APPLICANT; FROM: CHENGDU HUAWEI SYMANTEC TECHNOLOGY CO., LTD. TO: HUAWEI DIGITAL TECHNOLOGY (CHENGDU) CO., LTD.

C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110420