Embodiments
The technical solution in the embodiments of the invention is described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains on the basis of these embodiments without creative effort fall within the scope of protection of the invention.
Embodiment one:
Referring to Fig. 1, a flow chart of a method for establishing a network tunnel provided by an embodiment of the invention. As shown in Fig. 1, the method may comprise:
101: the first node queries the VPN server for the registration information of the second node, in order to determine whether the second node accepts external connections; the registration information of the second node comprises at least information on whether the second node accepts external connections;
The nodes described in this embodiment and the following embodiments include, but are not limited to, computers and other user terminals in the VPN network.
In this embodiment, when the first node requests to communicate with the second node, it can query the VPN server for the registration information of the second node. That registration information comprises at least information on whether the second node accepts external connections, and this information indicates whether a direct network tunnel can be established to the second node.
For instance, referring also to Fig. 2, a flow chart of querying node registration information during the establishment of a network tunnel, provided by this embodiment. As shown in Fig. 2, the first node querying the VPN server for the registration information of the second node may specifically comprise:
201: the first node sends a query message to the VPN server, the query message being used to query the registration information of the second node;
202: the first node receives the registration information of the second node sent by the VPN server.
Further, the query message that the first node sends to the VPN server may also comprise the name of the second node and/or the current real IP address of the second node.
For instance, the current real IP address of the second node refers to the legal address of the second node in the Internet. Specifically, it may be the Internet Protocol (IP) address of the second node in the Internet; or the combination of that IP address with a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port; or another service address of the second node in the Internet expressed as a Uniform Resource Locator (URL).
For instance, receiving the registration information of the second node sent by the VPN server in 202 may specifically comprise:
receiving the current real IP address, the virtual IP address and the information on whether external connections are accepted of the second node, sent by the VPN server.
If the second node accepts external connections, the first node can establish a direct network tunnel in direct-channel mode with the second node according to the current real IP address of the second node; otherwise, if the second node does not accept external connections, the first node can establish an indirect network tunnel in virtual-switch mode with the second node according to the virtual IP address of the second node.
If the first node already knows the current real IP address and the virtual IP address of the second node, the registration information of the second node received from the VPN server in 202 may consist only of the information on whether the second node accepts external connections.
Besides the current real IP address, the virtual IP address and the information on whether external connections are accepted, the registration information of the second node in this embodiment may also comprise other relevant information about the second node.
102: the first node establishes a corresponding network tunnel with the second node according to the registration information obtained by the query.
For instance, if, after receiving the registration information of the second node, the first node finds that the second node accepts external connections, it establishes the corresponding network tunnel with the second node as follows. Referring also to Fig. 3, a flow chart of a method for establishing a network tunnel provided by this embodiment. As shown in Fig. 3, establishing the corresponding network tunnel between the first node and the second node may comprise:
301: the first node sends a request to establish a network tunnel to the second node;
302: the first node receives the response sent by the second node, thereby establishing the network tunnel to the second node.
In addition, the first node may also query the VPN server for the registration information of the first node itself;
the registration information of the first node comprises at least information on whether the first node accepts external connections;
For instance, if, after receiving the registration information of the second node, the first node finds that the second node does not accept external connections while the first node does, it establishes the corresponding network tunnel with the second node as follows. Referring also to Fig. 4, a flow chart of a method for establishing a network tunnel provided by this embodiment. As shown in Fig. 4, establishing the corresponding network tunnel between the first node and the second node may comprise:
401: the first node sends the second node a message prompting the second node to establish a network tunnel to the first node;
402: the first node receives the request to establish a network tunnel sent by the second node;
403: the first node sends a response to the second node, thereby establishing the network tunnel to the second node.
For instance, if, after receiving the registration information of the second node, the first node finds that the second node does not accept external connections and the first node does not accept external connections either, it establishes the corresponding network tunnel with the second node as follows. Referring also to Fig. 5, a flow chart of a method for establishing a network tunnel provided by this embodiment. As shown in Fig. 5, establishing the corresponding network tunnel between the first node and the second node may comprise:
501: the first node sends a request to establish a network tunnel to the VPN server;
502: the first node receives the response sent by the VPN server, thereby establishing a network tunnel between the first node and the VPN server;
503: the first node sends a message to the second node to establish a network tunnel, so that the second node establishes a network tunnel with the VPN server.
In this case the VPN server acts as a relay device between the first node and the second node: it receives the communication data sent by the first node and forwards it to the second node, and receives the communication data sent by the second node and forwards it to the first node. In this way a network tunnel between the first node and the second node is established indirectly.
It should be noted that, once the first node knows the registration information of the second node and of the first node, the concrete process of establishing the network tunnel with the second node is familiar to those skilled in the art and is not described further in this embodiment.
The method for establishing a network tunnel provided by embodiment one of the invention has been described in detail above. In the embodiment of the invention, before a first node in a VPN network establishes a network tunnel with a second node, it can query the VPN server for the registration information of the second node and of the first node, and thus learn whether the second node and the first node accept external connections, and then establish the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces wasted network resources and improves the efficiency of establishing network tunnels.
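As an added example, not code from the patent, the following Python carries out the node-side decision of steps 101 and 102 and produces the message sequences of Figs. 3, 4 and 5 from the first node's point of view. The `Registration` structure, the message type names, the labels `direct`, `prompted` and `relayed`, and the sample addresses are our assumptions; the page itself names only the direct-channel and virtual-switch modes and the numbered steps.

```python
"""Node side of embodiment one: steps 101/102 and the message sequences of Figs. 3-5."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Registration:
    """Registration information of a node as returned by the VPN server (step 202)."""
    name: str               # node name
    real_addr: str          # current real IP address, here as "ip:port"
    virtual_ip: str         # virtual IP address allocated by the VPN server
    accepts_external: bool  # the "accepts external connections" attribute


# Our labels for the three set-up procedures; the page names only the resulting
# direct-channel and virtual-switch modes.
DIRECT = "direct"      # Fig. 3: the second node accepts external connections
PROMPTED = "prompted"  # Fig. 4: only the first node accepts; the second is prompted to initiate
RELAYED = "relayed"    # Fig. 5: neither accepts; the VPN server relays

SERVER = "vpn-server"
Message = Tuple[str, str, str]  # (sender, receiver, message type)


def select_procedure(first: Registration, second: Registration) -> str:
    """Step 102: choose the procedure from both nodes' registration information."""
    if second.accepts_external:
        return DIRECT
    if first.accepts_external:
        return PROMPTED
    return RELAYED


def peer_address(procedure: str, second: Registration) -> str:
    """The first node addresses the second node by its real address for a direct
    tunnel and by its virtual IP address otherwise (note after step 202)."""
    return second.real_addr if procedure == DIRECT else second.virtual_ip


def establish_tunnel(first: Registration, second: Registration) -> Tuple[str, List[Message]]:
    """Return the chosen procedure and the messages it exchanges, in order, as
    drawn in Figs. 3, 4 and 5 (message type names are ours)."""
    procedure = select_procedure(first, second)
    f, s = first.name, second.name
    if procedure == DIRECT:
        messages = [(f, s, "ESTABLISH_TUNNEL_REQUEST"),      # 301
                    (s, f, "RESPONSE")]                      # 302
    elif procedure == PROMPTED:
        messages = [(f, s, "PROMPT_ESTABLISH_TO_FIRST"),     # 401
                    (s, f, "ESTABLISH_TUNNEL_REQUEST"),      # 402
                    (f, s, "RESPONSE")]                      # 403
    else:
        messages = [(f, SERVER, "ESTABLISH_TUNNEL_REQUEST"), # 501
                    (SERVER, f, "RESPONSE"),                 # 502
                    (f, s, "ESTABLISH_TUNNEL_MESSAGE"),      # 503
                    (s, SERVER, "ESTABLISH_TUNNEL_REQUEST"), # second node repeats 501/502
                    (SERVER, s, "RESPONSE")]
    return procedure, messages


# Constructed sample registrations (documentation addresses, not the page's data).
ID1 = Registration("NID-1", "203.0.113.10:4000", "10.8.0.1", True)
ID2 = Registration("NID-2", "203.0.113.20:4000", "10.8.0.2", True)
ID3 = Registration("NID-3", "198.51.100.7:52000", "10.8.0.3", False)  # behind NAT
ID4 = Registration("NID-4", "198.51.100.7:53000", "10.8.0.4", False)  # behind NAT

if __name__ == "__main__":
    for first, second in [(ID1, ID2), (ID1, ID3), (ID3, ID4)]:
        procedure, messages = establish_tunnel(first, second)
        print(f"{first.name} -> {second.name}: {procedure}, peer address {peer_address(procedure, second)}")
        for sender, receiver, kind in messages:
            print(f"    {sender} -> {receiver}: {kind}")
```

The three sample pairs reproduce the three cases of the summary above: a pair that can connect directly, a pair where only the second node must initiate, and a pair that can only be relayed, which without the registration query would have wasted a direct attempt.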
Embodiment two:
Referring to Fig. 6, a flow chart of a data processing method provided by an embodiment of the invention. As shown in Fig. 6, the method may comprise:
601: the VPN server receives a message sent by the first node, the message being used to query the registration information of the second node;
In this embodiment, the message sent by the first node may further be used to query the registration information of the first node.
602: the VPN server sends the registration information of the second node, stored in advance, to the first node, so that the first node and the second node establish a corresponding network tunnel.
For instance, the first node may receive the current real IP address, the virtual IP address and the information on whether external connections are accepted of the second node, sent by the VPN server;
and receive the current real IP address, the virtual IP address and the information on whether external connections are accepted of the first node, sent by the VPN server.
The registration information of the second node in this embodiment includes, but is not limited to, the current real IP address, the virtual IP address and the information on whether external connections are accepted of the second node;
likewise, the registration information of the first node in this embodiment includes, but is not limited to, the current real IP address, the virtual IP address and the information on whether external connections are accepted of the first node.
Further, the current real IP address of the second node refers to the legal address of the second node in the Internet. Specifically, it may be the IP address of the second node in the Internet; or the combination of that IP address with a TCP/UDP port; or another service address of the second node in the Internet expressed as a URL.
Similarly, the current real IP address of the first node refers to the legal address of the first node in the Internet: its IP address in the Internet, the combination of that IP address with a TCP/UDP port, or another service address of the first node in the Internet expressed as a URL.
Before the first node's query is received (step 601 above), the method provided by the embodiment of the invention may further comprise:
the VPN server receives an access request message sent by the first node and an access request message sent by the second node, where the access request message sent by the first node comprises the node name and the current real IP address of the first node;
the access request message sent by the second node comprises the node name and the current real IP address of the second node;
the VPN server allocates a virtual IP address to the first node and determines whether the first node accepts external connections, and allocates a virtual IP address to the second node and determines whether the second node accepts external connections;
the VPN server stores the correspondence between the name of the first node, its current real IP address, the allocated virtual IP address and the information on whether it accepts external connections, and stores the correspondence between the name of the second node, its current real IP address, the allocated virtual IP address and the information on whether it accepts external connections. The node name, current real IP address, virtual IP address and the information indicating whether the node accepts external connections serve as the registration information of the first node and of the second node respectively.
Determining whether the first node accepts external connections may specifically be done as follows:
after allocating the virtual IP address to the first node, the VPN server sends the first node a request to establish a network tunnel once, in order to judge whether the first node accepts external connections. If a response returned by the first node is received, the first node is confirmed to accept external connections, i.e. the "accepts external connections" attribute of the first node is "OK"; otherwise, if no response from the first node is received within the specified time, the first node is confirmed not to accept external connections, i.e. the attribute is "NO".
Whether the second node accepts external connections can be determined in the same way.
In this embodiment, the concrete way in which the first node and the second node establish the corresponding network tunnel is the same as in the method described in embodiment one and is not repeated here.
The data processing method provided by embodiment two of the invention has been described in detail above. In the embodiment of the invention, the VPN server can, at the request of the first node, send the registration information of the second node and of the first node to the first node, so that the first node can learn whether the second node and the first node accept external connections before establishing a network tunnel with the second node, and then establish the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces wasted network resources and improves the efficiency of establishing network tunnels.
Embodiment three:
Referring to Fig. 7, a structural diagram of a VPN node provided by an embodiment of the invention. As shown in Fig. 7, the VPN node may comprise:
a query unit 701, configured to query the VPN server for the registration information of the second node in order to determine whether the second node accepts external connections, the registration information of the second node comprising at least information on whether the second node accepts external connections;
a tunnel establishing unit 702, configured to establish a corresponding network tunnel with the second node according to the registration information obtained by the query.
For instance, the corresponding network tunnel described in this embodiment comprises a direct network tunnel in direct-channel mode and an indirect network tunnel in virtual-switch mode.
Referring also to Fig. 8, a schematic structural diagram of a query unit provided by embodiment three of the invention. As shown in Fig. 8, the query unit 701 may comprise:
a sending subunit 7011, configured to send a query message to the VPN server, the query message being used to query the registration information of the second node;
a receiving subunit 7012, configured to receive the registration information of the second node sent by the VPN server.
Preferably, the registration information of the second node may include, but is not limited to, the current real IP address, the virtual IP address and the information on whether external connections are accepted of the second node.
Referring also to Fig. 9, a schematic structural diagram of a tunnel establishing unit provided by an embodiment of the invention. As shown in Fig. 9, the tunnel establishing unit 702 may comprise:
a first establishing subunit 7021, configured, when the second node accepts external connections, to send a request to establish a network tunnel to the second node and to receive the response sent by the second node, thereby establishing the network tunnel to the second node.
For instance, the query unit 701 may also be configured to query the VPN server for the registration information of the first node, where the registration information of the first node comprises at least information on whether the first node accepts external connections.
In that case the tunnel establishing unit 702 may comprise:
a second establishing subunit 7022, configured, when the second node does not accept external connections and the first node does, to send the second node a message prompting the second node to establish a network tunnel to the first node, to receive the request to establish a network tunnel sent by the second node, and to send a response to the second node, thereby establishing the network tunnel to the second node;
a third establishing subunit 7023, configured, when neither the second node nor the first node accepts external connections, to send a request to establish a network tunnel to the VPN server, to receive the response sent by the VPN server, thereby establishing the network tunnel to the VPN server, and to send a message to the second node to establish a network tunnel, so that the second node establishes a network tunnel to the VPN server, thereby establishing the network tunnel between the first node and the second node.
In this case the VPN server acts as a relay device between the first node and the second node: it receives the communication data sent by the first node and forwards it to the second node, and receives the communication data sent by the second node and forwards it to the first node. In this way a network tunnel between the first node and the second node is established indirectly.
It should be noted that the method and process by which the second node establishes a network tunnel to the VPN server are the same as those by which the first node establishes a network tunnel to the VPN server, and are not elaborated here.
The VPN node provided by embodiment three of the invention has been described in detail above. The receiving subunit 7012 in the query unit 701 of the first node provided by the embodiment of the invention can, before the first node establishes a network tunnel with the second node, obtain from the VPN server the registration information of the second node and of the first node, so that the tunnel establishing unit 702 can learn whether the second node and the first node accept external connections and then establish the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces wasted network resources and improves the efficiency of establishing network tunnels.
Embodiment four:
Referring to Fig. 10, a structural diagram of a VPN server provided by an embodiment of the invention. As shown in Fig. 10, the VPN server may comprise:
a receiving unit 1001, configured to receive a message sent by the first node, the message being used to query the registration information of the second node;
a sending unit 1002, configured to send the registration information of the second node, stored in advance, to the first node, so that the first node and the second node establish a corresponding network tunnel, the registration information of the second node comprising at least information on whether the second node accepts external connections.
In this embodiment, the message sent by the first node and received by the receiving unit 1001 may further be used to query the registration information of the first node; the sending unit 1002 may then further send the registration information of the first node to the first node, the registration information of the first node comprising at least information on whether the first node accepts external connections.
For instance, the corresponding network tunnel described in this embodiment comprises a direct network tunnel in direct-channel mode and an indirect network tunnel in virtual-switch mode.
Preferably, the registration information of the second node may include, but is not limited to, the current real IP address, the virtual IP address and the information on whether external connections are accepted of the second node;
likewise, the registration information of the first node may include, but is not limited to, the current real IP address, the virtual IP address and the information on whether external connections are accepted of the first node.
Preferably, the receiving unit 1001 may also be configured to receive an access request message sent by the first node and an access request message sent by the second node;
where the access request message sent by the first node comprises the node name and the current real IP address of the first node, and the access request message sent by the second node comprises the node name and the current real IP address of the second node;
the VPN server provided by the embodiment of the invention may then further comprise:
an allocation unit 1003, configured to allocate a virtual IP address to the first node according to the access request message of the first node received by the receiving unit 1001 and to determine whether the first node accepts external connections; and to allocate a virtual IP address to the second node according to the access request message of the second node received by the receiving unit 1001 and to determine whether the second node accepts external connections;
a storage unit 1004, configured to store the correspondence between the node name, current real IP address, allocated virtual IP address and the information on whether external connections are accepted of the first node, and the correspondence between the node name, current real IP address, allocated virtual IP address and the information on whether external connections are accepted of the second node; the node name, current real IP address, virtual IP address and the information indicating whether the node accepts external connections serve as the registration information of the first node and of the second node respectively.
Preferably, after allocating virtual IP addresses to the first node and the second node, the allocation unit 1003 sends the first node a request to establish a network tunnel once, in order to judge whether the first node accepts external connections: if a response returned by the first node is received within the specified time, the first node is confirmed to accept external connections; otherwise, if no response from the first node is received within the specified time, the first node is confirmed not to accept external connections;
and it sends the second node a request to establish a network tunnel once, in order to judge whether the second node accepts external connections: if a response returned by the second node is received within the specified time, the second node is confirmed to accept external connections; otherwise, if no response from the second node is received within the specified time, the second node is confirmed not to accept external connections.
Further, the current real IP address of the second node refers to the legal address of the second node in the Internet: its IP address in the Internet, the combination of that IP address with a TCP/UDP port, or another service address of the second node in the Internet expressed as a URL;
similarly, the current real IP address of the first node refers to the legal address of the first node in the Internet: its IP address in the Internet, the combination of that IP address with a TCP/UDP port, or another service address of the first node in the Internet expressed as a URL.
The VPN server provided by embodiment four of the invention has been described in detail above. The receiving unit 1001 of the VPN server provided by the embodiment of the invention can receive the request of the first node, and the sending unit 1002 can, according to that request, send the registration information of the second node and of the first node to the first node, so that the first node can learn whether the second node and the first node accept external connections before establishing a network tunnel with the second node, and then establish the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces wasted network resources and improves the efficiency of establishing network tunnels.
Embodiment five:
Referring to Fig. 11, a structural diagram of a virtual private network system provided by an embodiment of the invention. As shown in Fig. 11, the virtual private network system may comprise:
a VPN node 1101 and a VPN server 1102, where
the VPN node 1101 is configured to query the VPN server 1102 for the registration information of the second node in order to determine whether the second node accepts external connections, the registration information of the second node comprising at least information on whether the second node accepts external connections, and to establish a corresponding network tunnel with the second node according to the registration information obtained by the query;
the VPN server 1102 is configured to receive the message sent by the VPN node 1101, the message being used to query the registration information of the second node, and to send the registration information of the second node, stored in advance, to the VPN node 1101, so that the VPN node 1101 establishes the corresponding network tunnel with the second node, the registration information of the second node comprising at least information on whether the second node accepts external connections.
It should be noted that the structure and functions of the VPN node 1101 introduced in this embodiment are the same as those of the VPN node introduced in embodiment three above and are not repeated here; likewise, the structure and functions of the VPN server 1102 introduced in this embodiment are the same as those of the VPN server introduced in embodiment four above and are not repeated here either.
Referring to Fig. 12, a diagram of a VPN network provided by an embodiment of the invention. As shown in Fig. 12, the VPN network provided by this embodiment may comprise a VPN server and VPN nodes.
The VPN nodes include, but are not limited to, computers and other user terminals. The VPN server must have a legal address in the Internet (the address format may be an IP address, an IP address combined with a TCP/UDP port, or another service address expressed as a URL) and must be able to receive data messages from the Internet at that legal Internet address.
The VPN server needs to provide a node registration function and an information query function. That is, when a node accesses the VPN network, the VPN server needs to allocate to it a virtual IP address to be used within the VPN network, and to register the node's name, current real IP address, allocated virtual IP address, whether it accepts external connections, and possibly further information such as encryption parameters;
the VPN server allows a node in the VPN network to query the registration information of another VPN node by information such as that node's name and/or virtual IP address.
A node in this embodiment should be able to communicate with the VPN server and to initiate a request to establish a network tunnel to another node in the VPN network; it should also be able to receive requests from other nodes in the VPN network to establish a network tunnel with it; and it should also be able to query the VPN server, that is, to learn the registration information of other nodes and its own registration information, and to establish the corresponding network tunnel with other nodes.
The corresponding network tunnel comprises a direct network tunnel in direct-channel mode and an indirect network tunnel in virtual-switch mode.
As shown in Fig. 12, there are four networked computers in the VPN network, named ID-1, ID-2, ID-3 and ID-4. ID-1 and ID-2 have legal IP addresses in the Internet and are allowed to accept connections from the Internet; ID-3 and ID-4 are inside NAT networks, have no legal Internet address and do not accept network connections from the Internet.
In the VPN network shown in Fig. 12, network communication between nodes falls into the following three cases:
1) a bidirectional network connection can be established directly between the nodes: between ID-1 and ID-2, either node can actively establish a network tunnel to the other;
2) only a unidirectional connection can be established directly between the nodes: between ID-1 and ID-3, since ID-3 is inside a NAT network and has no legal IP address, only ID-3 is allowed to actively establish a network tunnel to ID-1; ID-1 cannot establish a network tunnel to ID-3;
3) no direct connection can be established between the nodes: between ID-3 and ID-4, since both are inside NAT networks without legal IP addresses, no direct tunnel can be established between them; ID-3 and ID-4 can each only establish a network tunnel to the VPN server, and the communication data between ID-3 and ID-4 must be relayed by the VPN server.
Suppose ID-1 needs to communicate with ID-2 and ID-3 in the VPN network shown in Fig. 12. Then:
1) ID-1 queries the VPN server for the registration information of ID-2 and ID-3.
2) ID-1 queries the VPN server for the registration information of ID-1.
For 1), ID-1 sends a query message to the VPN server for the registration information of ID-2; this query message may comprise the name and/or current real IP address of ID-2;
ID-1 sends a query message to the VPN server for the registration information of ID-3; this query message may comprise the name and/or current real IP address of ID-3;
for 2), ID-1 sends a query message to the VPN server for the registration information of ID-1; this query message may comprise the name and/or current real IP address of ID-1.
After receiving the query messages sent by ID-1, the VPN server looks up the registration information of ID-2 and ID-3 and sends it to ID-1. Table 1 shows the registration information of the nodes ID-1, ID-2, ID-3 and ID-4 of the VPN network shown in Fig. 12, as stored in advance by the VPN server.
Table 1

| Node | Node name | Current real IP address | Virtual IP address | Accepts outside connections |
|------|-----------|-------------------------|--------------------|-----------------------------|
| ID-1 | NID-1 | IP1:P1 | VIP1 | OK |
| ID-2 | NID-2 | IP2:P2 | VIP2 | OK |
| ID-3 | NID-3 | IP3:P3 | VIP3 | NO |
| ID-4 | NID-4 | IP4:P4 | VIP4 | NO |
Because ID-3 and ID-4 are behind NAT devices, the current real IP address of ID-3 and ID-4 is actually the real IP address of the NAT device that ID-3 and ID-4 use.
3) After the VPN server receives the query messages sent by ID-1, it looks up the registration information of ID-2: the node name is NID-2, the real address is IP2:P2, the virtual IP address is VIP2, and outside connections are accepted;
the registration information of ID-3: the node name is NID-3, the real address is IP3:P3, the virtual IP address is VIP3, and outside connections are not accepted;
the registration information of ID-1: the node name is NID-1, the real address is IP1:P1, the virtual IP address is VIP1, and outside connections are accepted.
4) Based on the registration information of ID-2, ID-3 and ID-1 that it looked up, the VPN server sends the registration information of ID-2, ID-3 and ID-1 to ID-1.
Of course, the VPN server may also select only part of the registration information of ID-2, ID-3 and ID-1 to send to ID-1, for example: for ID-2, the real address IP2:P2 and the fact that outside connections are accepted; for ID-3, the fact that outside connections are not accepted; and for ID-1, the real address IP1:P1 and the fact that outside connections are accepted.
5) After ID-1 receives the registration information of ID-2, ID-3 and ID-1 sent by the VPN server, it finds that ID-2 accepts outside connections, so ID-1 sends an establish-network-tunnel request to ID-2; if it receives the response sent by ID-2, the directly-connected network tunnel in direct channel mode between ID-1 and ID-2 is completed;
it finds that ID-3 does not accept outside connections while ID-1 does, so ID-1 sends ID-3 a message prompting ID-3 to actively establish a network tunnel to ID-1; ID-1 receives the establish-network-tunnel request sent by ID-3, and after ID-1 responds to ID-3, the indirect network tunnel in virtual switch mode between ID-1 and ID-3 is completed.
Suppose again that ID-3 needs to communicate with ID-4 in the VPN network shown in Figure 12. Then:
1) ID-3 queries the VPN server for the registration information of ID-4.
2) ID-3 queries the VPN server for the registration information of ID-3.
For 1), ID-3 sends a query message to the VPN server, and this query message is used to query the VPN server for the registration information of ID-4; the query message may contain the node name of ID-4 and/or the current real IP address of ID-4;
For 2), ID-3 sends a query message to the VPN server, and this query message is used to query the VPN server for the registration information of ID-3; the query message may contain the node name of ID-3 and/or the current real IP address of ID-3.
3) After the VPN server receives the query messages sent by ID-3, it looks up the registration information of ID-4: the node name is NID-4, the real address is IP4:P4, the virtual IP address is VIP4, and outside connections are not accepted;
the registration information of ID-3: the node name is NID-3, the real address is IP3:P3, the virtual IP address is VIP3, and outside connections are not accepted.
4) Based on the registration information of ID-4 and ID-3 that it looked up, the VPN server sends the registration information of ID-4 and ID-3 to ID-3.
Of course, the VPN server may also select only part of the registration information of ID-4 and ID-3 to send to ID-3, for example the fact that ID-4 does not accept outside connections and the fact that ID-3 does not accept outside connections.
5) After ID-3 receives the registration information of ID-4 and ID-3 sent by the VPN server, it finds that ID-4 does not accept outside connections and that ID-3 does not accept outside connections either, which means that no direct network tunnel can be established between ID-3 and ID-4. ID-3 therefore sends an establish-network-tunnel request to the VPN server and, after receiving the response sent by the VPN server, completes the network tunnel to the VPN server;
in addition, ID-3 sends ID-4 an establish-network-tunnel message so that ID-4 establishes a network tunnel to the VPN server, thereby establishing the network tunnel between ID-4 and the VPN server. At this point the VPN server acts as the relay device between ID-3 and ID-4: it receives the communication data sent by ID-3 and forwards it to ID-4, and at the same time receives the communication data sent by ID-4 and forwards it to ID-3. In this way the network tunnel between ID-3 and ID-4 is established indirectly.
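As an added illustration (not code from the patent), the following Python models the VPN server's registration table from Table 1 and the three-way decision a requesting node makes from its own and the peer's "accepts outside connections" flags, producing the message sequence of each scenario above; the function names, the message wording and the rule that a lookup of an unregistered node fails are assumptions of this example, and the actual probe and transport are left out.

```python
from dataclasses import dataclass
from enum import Enum

class TunnelMode(Enum):
    DIRECT = "direct channel mode: requester opens the tunnel to the peer"
    REVERSE = "peer is prompted to open the tunnel to the requester"
    RELAY = "both nodes tunnel to the VPN server, which relays the data"

@dataclass(frozen=True)
class Registration:
    node: str
    name: str
    real_addr: str          # current real IP:port; for NAT nodes, the NAT device's
    virtual_ip: str
    accepts_external: bool  # the "accepts outside connections" attribute

# Registration table held by the VPN server, filled with the page's Table 1.
REGISTRY = {r.node: r for r in [
    Registration("ID-1", "NID-1", "IP1:P1", "VIP1", True),
    Registration("ID-2", "NID-2", "IP2:P2", "VIP2", True),
    Registration("ID-3", "NID-3", "IP3:P3", "VIP3", False),
    Registration("ID-4", "NID-4", "IP4:P4", "VIP4", False),
]}

def query(node: str) -> Registration:
    """Server-side lookup answering a node's query message (assumed to fail if unregistered)."""
    if node not in REGISTRY:
        raise LookupError(f"{node} is not registered with the VPN server")
    return REGISTRY[node]

def choose_tunnel(requester: str, peer: str) -> TunnelMode:
    """Pick the tunnel mode from the two 'accepts outside connections' flags."""
    me, them = query(requester), query(peer)
    if them.accepts_external:       # peer reachable: request it directly
        return TunnelMode.DIRECT
    if me.accepts_external:         # only we are reachable: ask peer to call us
        return TunnelMode.REVERSE
    return TunnelMode.RELAY         # neither reachable: go through the server

def plan(requester: str, peer: str) -> list[str]:
    """Message sequence for the chosen mode, following the page's scenarios."""
    mode = choose_tunnel(requester, peer)
    if mode is TunnelMode.DIRECT:
        return [f"{requester}->{peer}: tunnel request", f"{peer}->{requester}: response"]
    if mode is TunnelMode.REVERSE:
        return [f"{requester}->{peer}: please tunnel to {requester}",
                f"{peer}->{requester}: tunnel request", f"{requester}->{peer}: response"]
    return [f"{requester}->server: tunnel request", f"server->{requester}: response",
            f"{requester}->{peer}: tunnel to server",
            f"{peer}->server: tunnel request", f"server->{peer}: response"]
```

Note that the decision is asymmetric: ID-3 reaching ID-1 is a direct request, while ID-1 reaching ID-3 requires prompting ID-3 to call back.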
It should be noted that, in this embodiment, the VPN server stores the registration information of ID-1, ID-2, ID-3 and ID-4 in advance. Specifically:
the VPN server receives the access request messages sent by ID-1, ID-2, ID-3 and ID-4 respectively, where each access request message contains the node name and the current real IP address of the sending node;
it assigns a virtual IP address to each of ID-1, ID-2, ID-3 and ID-4, and determines for each of ID-1, ID-2, ID-3 and ID-4 whether it accepts outside connections;
it stores the correspondence between each node's name, current real IP address, assigned virtual IP address and whether it accepts outside connections.
Determining whether ID-1, ID-2, ID-3 and ID-4 accept outside connections is specifically done as follows:
after assigning each of ID-1, ID-2, ID-3 and ID-4 its virtual IP address, the VPN server sends each of ID-1, ID-2, ID-3 and ID-4 an establish-network-tunnel connection request in order to judge whether it accepts outside connections;
if the responses returned by ID-1 and ID-2 are received within the specified time, ID-1 and ID-2 are considered to accept outside connections, that is, the "accepts outside connections" attribute of ID-1 and ID-2 is "OK"; if no response from ID-3 or ID-4 is received within the specified time, ID-3 and ID-4 are considered not to accept outside connections, that is, the "accepts outside connections" attribute of ID-3 and ID-4 is "NO".
In addition, if the first node has already stored its own registration information, it only needs to query the VPN server for the registration information of the second node, and does not need to query the VPN server again for the registration information of the first node.
The above introduces the VPN network provided by embodiment five of the invention. In the VPN network provided by the embodiment of the invention, before establishing a network tunnel with another node, a node can query the VPN server for the registration information of the other node and for its own registration information, and thereby learn whether the other node and itself accept outside connections, and then establish the corresponding network tunnel with the other node. This avoids two nodes that can only connect in virtual switch mode also attempting to establish a directly-connected network tunnel, which reduces the waste of network resources and improves the efficiency of establishing network tunnels.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiment can be accomplished by program instructions controlling the relevant hardware; the program can be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiment; the storage medium includes various media that can store program code, such as read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
The method of establishing a network tunnel, the data processing method and the related devices provided by the embodiments of the invention have been described in detail above. Specific examples have been used herein to explain the principles and implementation of the invention, and the description of the above embodiments is only intended to help understand the method of the invention and its core idea. At the same time, those of ordinary skill in the art may, following the idea of the invention, make changes in the specific implementation and in the scope of application. In summary, this description should not be construed as limiting the invention.