CN111277481B - Method, device, equipment and storage medium for establishing VPN tunnel


Info

Publication number: CN111277481B
Authority: CN (China)
Application number: CN202010022644.6A
Other languages: Chinese (zh)
Other versions: CN111277481A
Legal status: Active
Prior art keywords: cpe, address information, external network, vcpe, nat
Inventors: 张力园, 樊俊诚
Current assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Original assignee: Qianxin Technology Group Co Ltd; Secworld Information Technology Beijing Co Ltd
Events: application filed by Qianxin Technology Group Co Ltd and Secworld Information Technology Beijing Co Ltd; priority to CN202010022644.6A; publication of CN111277481A; application granted; publication of CN111277481B; legal status active.

Classifications

All three classifications fall under H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L12/00 Data switching networks; H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; H04L12/46 Interconnection of networks; H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/00; H04L12/28; H04L12/46 Interconnection of networks; H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L61/00 Network arrangements, protocols or services for addressing or naming; H04L61/09 Mapping addresses; H04L61/25 Mapping addresses of the same type; H04L61/2503 Translation of Internet protocol [IP] addresses; H04L61/2521 Translation architectures other than single NAT servers

Abstract

The invention discloses a method, a device, equipment and a storage medium for establishing a VPN tunnel. The method comprises the following steps: receiving a connection establishment request message sent by a CPE, wherein the CPE is located in a branch node of the SD-WAN and the connection establishment request message comprises identity identification information of the CPE; performing networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE, wherein the connection object is a vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises a first NAT device, and the vCPE is connected with the control platform through the first NAT device; and sending first external network IP address information corresponding to the identity identification information of the connection object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel between the CPE and the vCPE through the first NAT device.

Description

Method, device, equipment and storage medium for establishing VPN tunnel
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a method, an apparatus, a device, and a storage medium for establishing a VPN tunnel.
Background
SD-WAN (Software-Defined WAN) is a service formed by applying SDN (Software Defined Network) technology to the wide area network scenario. SD-WAN can replace traditional wide area networks (MPLS-VPN, IPSec-VPN and the like) to connect enterprise networks, data centers, Internet applications and cloud services across a wide geographic range, helping users reduce wide area network expenditure and improve the flexibility of network connections. SD-WAN can currently be divided into four technical architectures: the overlay architecture, the cloud architecture, the integration architecture and the native architecture, of which the cloud architecture is the architecture favored by cloud vendors and service providers and is also the recommended architecture for large-scale SD-WAN branch deployment. In the cloud architecture, a vCPE (virtual Customer Premise Equipment) is deployed in a cloud service node of the SD-WAN, and the vCPE accesses the Internet through NAT (Network Address Translation). Because the vCPE is located behind the NAT device of the cloud service node, a CPE (Customer Premise Equipment) in a branch node of the SD-WAN cannot directly communicate with the vCPE: a message sent by the CPE to the vCPE is discarded by the NAT device. Therefore, how to directly establish a VPN (Virtual Private Network) tunnel between the CPE and the vCPE has become a technical problem urgently needing a solution from those skilled in the art.
Disclosure of Invention
The invention aims to provide a method, a device, equipment and a storage medium for establishing a VPN tunnel, which can realize the direct establishment of the VPN tunnel between CPE and vCPE.
According to an aspect of the present invention, there is provided a method for establishing a VPN tunnel, which is applied to a control platform of an SD-WAN, the method including:
receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
performing networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; wherein the connection object is a virtual customer premises equipment (vCPE) located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
and sending first external network IP address information corresponding to the identity identification information of the connection object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel between the CPE and the vCPE through the first NAT device.
Optionally, before the step of receiving the connection establishment request message sent by the customer premises equipment CPE, the method further includes:
receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is sent by the vCPE to the first NAT device;
parsing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
and establishing a corresponding relation between the identity identification information and the external network IP address information.
Optionally, when a VPN tunnel is established between the CPE and the vCPE, the method further includes:
receiving a probe message forwarded by the first NAT device; wherein the probe message is a message sent by the vCPE to the first NAT device;
parsing second external network IP address information from the probe message;
judging whether the first external network IP address information is consistent with the second external network IP address information;
and if the two pieces of external network IP address information are not consistent, sending the second external network IP address information to the CPE, so that the CPE can re-establish the VPN tunnel with the vCPE at the second external network IP address through the first NAT device.
Optionally, the method further includes:
parsing third external network IP address information of the CPE from the connection establishment request message;
and sending the third external network IP address information to the vCPE through the first NAT device, so that the vCPE uses the third external network IP address information to establish the VPN tunnel with the CPE through the first NAT device.
Optionally, the step of receiving a connection establishment request message sent by the customer premises equipment CPE specifically includes:
receiving a connection establishment request message forwarded by the second NAT equipment; wherein the connection establishment request message is a message sent by the CPE to the second NAT device, and the second NAT device is located in the branch node.
Optionally, the step of sending the first external network IP address information to the CPE specifically includes:
and sending the first external network IP address information to the CPE through the second NAT equipment.
In order to achieve the above object, the present invention further provides an apparatus for establishing a VPN tunnel, which is applied to a control platform of an SD-WAN, the apparatus including:
the receiving module is used for receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
the configuration module is used for performing networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; wherein the connection object is a virtual customer premises equipment (vCPE) located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
and the sending module is used for sending the first external network IP address information corresponding to the identity identification information of the connection object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel between the CPE and the vCPE through the first NAT device.
Optionally, the receiving module is further configured to:
receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;
the configuration module is further configured to:
parsing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
the sending module is further configured to establish a corresponding relationship between the identification information and the external network IP address information.
In order to achieve the above object, the present invention further provides a computer device, which specifically includes: a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above-introduced steps of the method of establishing a VPN tunnel when executing the computer program.
In order to achieve the above object, the present invention further provides a computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, realizes the above-introduced steps of the method for establishing a VPN tunnel.
The method, device, equipment and storage medium for establishing a VPN tunnel provided by the invention use the control platform as a relay server: the CPE and the vCPE both initiate connections to the control platform, so that the control platform can acquire the external network IP address information of the CPE and the vCPE, perform networking configuration on the control platform, and send a tunnel configuration file containing the external network IP address information of the opposite end to the CPE and the vCPE. The CPE and the vCPE then each hold the external network IP address information of the opposite end and can send tunnel negotiation messages, thereby establishing the VPN tunnel between the CPE and the vCPE.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the invention. Also, like reference numerals are used to refer to like parts throughout the drawings. In the drawings:
FIG. 1 is a schematic diagram of a component structure of an SD-WAN framework provided in the first embodiment;
fig. 2 is an alternative flowchart of a method for establishing a VPN tunnel according to an embodiment;
fig. 3 is an alternative flowchart of the method for establishing a VPN tunnel according to the second embodiment;
fig. 4 is an alternative schematic structural diagram of an apparatus for establishing a VPN tunnel according to a third embodiment;
fig. 5 is a schematic diagram of an alternative hardware architecture of the computer device according to the fourth embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
The following describes a method, an apparatus, a device, and a storage medium for establishing a VPN tunnel according to the present invention with reference to the accompanying drawings.
Example one
The embodiment of the invention provides a method for establishing a VPN tunnel, which is applied in particular to the control platform in the SD-WAN framework shown in figure 1; the SD-WAN framework comprises a control platform, a plurality of cloud service nodes and a plurality of branch nodes, wherein each cloud service node is provided with a NAT device and a vCPE, and each branch node is provided with a CPE. Fig. 2 is an optional flowchart of a method for establishing a VPN tunnel according to an embodiment of the present invention; as shown in fig. 2, the method specifically includes the following steps:
step S201: receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE.
Specifically, if a second NAT device is not set in the branch node, that is, the CPE is in an extranet environment, the CPE directly sends a connection establishment request message to the control platform;
if a second NAT device is disposed in the branch node, that is, the CPE is in an intranet environment, and the CPE needs to connect to the internet through the second NAT device, step S201 specifically includes:
receiving a connection establishment request message forwarded by the second NAT equipment; the connection establishment request message is a message sent by the CPE to the second NAT device, the second NAT device is located in the branch node, and the CPE is connected to the control platform through the second NAT device.
The connection establishment request message is used to request the establishment of a VPN tunnel between the CPE and the vCPE.
In this embodiment, no matter the CPE is in the intranet environment or the extranet environment, the VPN tunnel may be established with the vCPE located behind the NAT device in the cloud service node through the management and control platform.
Step S202: performing networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; wherein the connection object is a virtual customer premises equipment (vCPE) located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device.
Specifically, before step S202, the method further includes:
step A1: receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vcCPE to the first NAT device;
in this embodiment, since the cloud service node is provided with the first NAT device, the vCPE is in an intranet environment, and when the vCPE needs to connect to the internet, the intranet IP address information and the intranet port information of the vCPE need to be converted into the extranet IP address information and the extranet port information by the first NAT device according to the session table entry set in the first NAT device.
Step A2: parsing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
Further, step A2 includes:
and acquiring the identity identification information of the vCPE contained in the configuration parameter message, and acquiring the external network IP address information of the vCPE by acquiring the source IP address information of the configuration parameter message.
Step A3: and establishing a corresponding relation between the identity identification information and the external network IP address information.
In this embodiment, the identity identification information and the external network IP address information of the vCPE in each cloud service node in the SD-WAN framework may be obtained in advance through the control platform, and the identity identification information and the external network IP address information of each vCPE are stored separately, so that when a CPE later needs to connect to any vCPE, the control platform can feed back the corresponding external network IP address information of that vCPE to the CPE. It should be further noted that, when the step of performing networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE is implemented, the identity identification information of the connection object may be determined through a preset configuration table, or the identity identification information of the connection object may be carried in the connection establishment request message, or the networking configuration may be performed manually on the control platform by an administrator.
It should be further noted that the present embodiment is applied to a non-symmetric NAT (also called cone NAT) scenario; cone NAT is further subdivided into three classes: Full Cone, Restricted Cone and Port Restricted Cone. Preferably, the NAT in this embodiment is specifically a Full Cone NAT.
Step S203: sending first external network IP address information corresponding to the identity identification information of the connection object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel between the CPE and the vCPE through the first NAT device.
Because a plurality of cloud service nodes exist in the SD-WAN framework, and the vCPE in each cloud service node sends a configuration parameter message to the control platform, the control platform stores the corresponding relationship between the identity identification information of the plurality of vCPE and the corresponding extranet IP address information; therefore, in step S203, it is necessary to determine the first external network IP address information corresponding to the identification information of the connection object, and send the first external network IP address information to the CPE.
Specifically, if no second NAT device is set in the branch node, that is, the CPE is in an extranet environment, the control platform directly sends the first extranet IP address information to the CPE;
if a second NAT device is disposed in the branch node, that is, the CPE is in an intranet environment, and the CPE needs to connect to the internet through the second NAT device, step S203 specifically includes:
and sending the first external network IP address information to the CPE through the second NAT equipment.
It should be further noted that, the control platform sends the first extranet IP address information to the CPE and also sends other tunnel configuration information for establishing a VPN tunnel to the CPE at the same time.
In this embodiment, since the NAT device is disposed in the cloud service node and the vCPE needs to connect to the Internet through the NAT device, the vCPE is in an intranet environment, and the external network IP address and external network port information of the vCPE are dynamically assigned by the NAT device; therefore, the CPE in the branch node cannot learn the real-time external network IP address of the vCPE, that is, the CPE cannot communicate with the vCPE directly. To solve this problem, in this embodiment the control platform is used as a relay server, and the CPE and the vCPE both initiate connections to the control platform, so that the control platform obtains the external network IP address information and external network port information of the CPE and the vCPE, performs networking configuration on the control platform, and sends a tunnel configuration file containing the external network IP address information of the vCPE to the CPE. The CPE then holds the external network IP address information of the vCPE and can send a tunnel negotiation message, thereby establishing a VPN tunnel between the CPE and the vCPE.
Further, when a VPN tunnel is established between the CPE and the vCPE, the method further includes:
step B1: receiving a probe message forwarded by the first NAT device; wherein the probe message is a message sent by the vcCPE to the first NAT device;
in this embodiment, when a VPN tunnel is established between the CPE and the vCPE, the vCPE periodically sends a probe message to the control platform according to a set time interval; wherein the probe message includes identification information of the vcCPE.
Step B2: analyzing second external network IP address information from the detection message;
specifically, step B2 includes:
acquiring the identity identification information contained in the probe message, and looking up the corresponding first external network IP address information according to the identity identification information in the probe message;
determining the second external network IP address information according to the source external network IP address information of the probe message; the second external network IP address information is the external network IP address currently allocated to the vCPE by the first NAT device.
In practical application, because the address pool of the first NAT device changes, the external network address and external network port allocated by the first NAT device to the vCPE change, which causes the VPN tunnel to be interrupted; therefore, in this embodiment the vCPE periodically sends a probe message to the control platform through the first NAT device, so as to report the real-time external network IP address information of the vCPE to the control platform.
Step B3: judging whether the first external network IP address information is consistent with the second external network IP address information;
step B4: and if the two pieces of external network IP address information are not consistent, the second external network IP address information is sent to the CPE so that the CPE can reestablish a VPN tunnel between the CPE and the second external network IP address information through the first NAT equipment.
In this embodiment, after the VPN tunnel is established between the CPE and the vCPE, the real-time extranet IP address information of the vCPE is also periodically obtained through the probe message, and when the extranet IP address information of the vCPE is found to be changed, the changed extranet IP address information of the vCPE is sent to the CPE, so that the CPE can establish the VPN tunnel with the vCPE again according to the changed extranet IP address information of the vCPE. In the prior art, after the VPN tunnel is established between the CPE and the vCPE, the first NAT device may re-allocate the external network IP address information to the vCPE, thereby causing disconnection of the VPN tunnel, in this embodiment, the current external network IP address information of the vCPE may be reported to the management and control platform in real time by using the detection message, and when the management and control platform finds that the external network IP address information of the vCPE changes, the changed external network IP address information of the vCPE is sent to the CPE, so that the CPE can establish tunnel connection with the vCPE again, thereby preventing disconnection of the VPN tunnel.
Still further, the method further comprises:
step C1: analyzing third external network IP address information of the CPE from the connection establishing request message;
step C2: and sending the third external network IP address information to the vCPE through the first NAT equipment so that the vCPE utilizes the third external network IP address information and establishes a VPN tunnel between the vCPE and the first NAT equipment.
In this embodiment, the control platform serves as a transfer server, and the CPE and the vCPE both initiate connection to the control platform, so that the control platform obtains the extranet IP address information of the CPE and the vCPE, performs networking configuration on the control platform, and sends a tunnel configuration file containing the extranet IP address information of the opposite end to the CPE and the vCPE, so that the CPE and the vCPE have the extranet IP address information of the opposite end and can send a tunnel negotiation message, and a VPN tunnel can be established between the CPE and the vCPE.
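The relay logic of steps A1-A3, S201-S203, B1-B4 and C1-C2 above, as an added Python example that is not part of the patent and not code of the assignees: the control platform records a vCPE's external network IP from the source address of its forwarded configuration message, answers a CPE's connection request with that address (and hands the vCPE the CPE's address), and compares each probe's source address with the stored one, pushing a new tunnel configuration to the affected CPEs when it differs. Message fields, identities and addresses are constructed for illustration; the patent specifies no wire format.

```python
# Added example (not the patent's own code): a minimal model of the SD-WAN
# control platform's role in steps A1-A3, S201-S203, B1-B4 and C1-C2.
# Message fields, identities and addresses are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Message:
    """A message as the control platform sees it after NAT traversal:
    src_ip is the outer source address (the NAT-allocated extranet IP),
    sender_id is the identity carried in the payload."""
    kind: str               # "config" (A1), "connect" (S201) or "probe" (B1)
    src_ip: str
    sender_id: str
    target_id: str = ""     # optional: connection object named in a "connect"


@dataclass
class ControlPlatform:
    # A3: vCPE identity -> extranet IP learned from its configuration message
    vcpe_extranet: Dict[str, str] = field(default_factory=dict)
    # S202: CPE identity -> vCPE identity (the preset networking configuration)
    peer_table: Dict[str, str] = field(default_factory=dict)
    # established tunnels: CPE identity -> (vCPE identity, extranet IP given)
    tunnels: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    # tunnel configuration files handed out: (recipient identity, file)
    sent: List[Tuple[str, dict]] = field(default_factory=list)

    def on_config_message(self, msg: Message) -> None:
        """A1-A3: the extranet IP is the source IP of the forwarded message."""
        assert msg.kind == "config"
        self.vcpe_extranet[msg.sender_id] = msg.src_ip

    def on_connect_request(self, msg: Message) -> dict:
        """S201-S203 plus C1-C2: resolve the peer and exchange extranet IPs."""
        assert msg.kind == "connect"
        vcpe_id = self.peer_table.get(msg.sender_id) or msg.target_id
        if not vcpe_id or vcpe_id not in self.vcpe_extranet:
            raise LookupError(f"no registered vCPE for CPE {msg.sender_id}")
        first_ip = self.vcpe_extranet[vcpe_id]   # first extranet IP (vCPE)
        third_ip = msg.src_ip                    # third extranet IP (CPE, C1)
        cpe_file = {"local": msg.sender_id, "peer": vcpe_id, "peer_ip": first_ip}
        vcpe_file = {"local": vcpe_id, "peer": msg.sender_id, "peer_ip": third_ip}
        self.sent.append((msg.sender_id, cpe_file))    # S203
        self.sent.append((vcpe_id, vcpe_file))         # C2, via the first NAT
        self.tunnels[msg.sender_id] = (vcpe_id, first_ip)
        return cpe_file

    def on_probe(self, msg: Message) -> List[str]:
        """B1-B4: compare the stored (first) IP with the probe source (second).
        Returns the CPEs told to re-establish their tunnel."""
        assert msg.kind == "probe"
        first_ip = self.vcpe_extranet.get(msg.sender_id)
        second_ip = msg.src_ip
        if first_ip == second_ip:
            return []                              # B3: unchanged, nothing to do
        self.vcpe_extranet[msg.sender_id] = second_ip
        notified = []
        for cpe_id, (vcpe_id, _) in list(self.tunnels.items()):
            if vcpe_id == msg.sender_id:           # B4: push the new address
                self.sent.append((cpe_id, {"local": cpe_id, "peer": vcpe_id,
                                           "peer_ip": second_ip}))
                self.tunnels[cpe_id] = (vcpe_id, second_ip)
                notified.append(cpe_id)
        return notified


def demo_control_platform() -> dict:
    """Walk one CPE/vCPE pair through registration, connection and a probe
    that reports a changed extranet address (all values constructed)."""
    cp = ControlPlatform(peer_table={"cpe-branch-1": "vcpe-cloud-1"})
    cp.on_config_message(Message("config", "203.0.113.10", "vcpe-cloud-1"))
    cpe_file = cp.on_connect_request(Message("connect", "198.51.100.7", "cpe-branch-1"))
    unchanged = cp.on_probe(Message("probe", "203.0.113.10", "vcpe-cloud-1"))
    changed = cp.on_probe(Message("probe", "203.0.113.22", "vcpe-cloud-1"))
    return {
        "cpe_given": cpe_file["peer_ip"],         # first extranet IP
        "vcpe_given": cp.sent[1][1]["peer_ip"],   # third extranet IP
        "unchanged": unchanged,
        "changed": changed,
        "current_ip": cp.vcpe_extranet["vcpe-cloud-1"],
    }


if __name__ == "__main__":
    print(demo_control_platform())
```

Like the patent text, the model takes the identity carried in a message at face value; in a deployment the configuration, connection and probe channels need to be authenticated, because the platform acts on them to change where a CPE points its tunnel. Storing the external network address per vCPE identity, as step B2 describes, is what lets one probe update every tunnel to that vCPE at once.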
Example two
The embodiment of the present invention provides a method for establishing a VPN tunnel, which is applied in particular to the SD-WAN framework shown in fig. 1; the SD-WAN framework comprises a control platform, a plurality of cloud service nodes and a plurality of branch nodes, wherein each cloud service node is provided with a NAT device and a vCPE, and each branch node is provided with a CPE. Fig. 3 is an optional flowchart of a method for establishing a VPN tunnel according to an embodiment of the present invention; as shown in fig. 3, the method specifically includes the following steps:
Step S301: the vCPE sends a configuration parameter message to the control platform through the NAT device; wherein the configuration parameter message comprises the identity identification information of the vCPE, the vCPE and the NAT device are located in the same cloud service node of the SD-WAN, and the vCPE is connected to the Internet through the NAT device.
Specifically, step S301 includes:
the vCPE acquires its intranet IP address information and intranet port information, which are converted into first external network IP address information and first external network port information through a session table entry in the NAT device, and the configuration parameter message is sent to the control platform based on the first external network IP address information and the first external network port information.
Step S302: the control platform parses the identity identification information and the first external network IP address information of the vCPE from the configuration parameter message, and locally establishes the corresponding relation between the identity identification information of the vCPE and the first external network IP address information.
Specifically, the control platform parsing the identity identification information and the first external network IP address information of the vCPE from the configuration parameter message includes:
acquiring identity identification information contained in the configuration parameter message;
and determining the first external network IP address information according to the source address information of the configuration parameter message.
Step S303: CPE sends a connection establishment request message to the control platform; wherein the connection request message includes: identification information of the CPE.
Step S304: the control platform parses the second external network IP address information of the CPE from the connection establishment request message.
Specifically, step S304 includes:
and determining the second external network IP address information according to the source address information of the connection establishing request message.
Step S305: and the control platform performs networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE.
And the connection object is vCPE located in a cloud service node of the SD-WAN.
Step S306: the control platform looks up the corresponding first external network IP address information locally according to the identity identification information of the connection object.
Step S307: and the control platform sends the first external network IP address information to the CPE and sends the second external network IP address information to the vCPE through the NAT equipment.
Specifically, step S307 includes:
after acquiring the external network IP address information of the CPE and the vCPE, the control platform performs networking configuration to obtain a tunnel configuration file; wherein the tunnel configuration file comprises the external network IP address information of the CPE, the external network IP address information of the vCPE and the tunnel configuration information;
and the control platform respectively sends the tunnel configuration file to the CPE and the vCPE.
Step S308: the CPE establishes a VPN tunnel between the CPE and the vCPE through the NAT device according to the first external network IP address information.
Specifically, step S308 includes:
after the CPE acquires the tunnel configuration file, acquiring first external network IP address information in the tunnel configuration file, and sending a tunnel negotiation message containing the first external network IP address information to the NAT equipment;
and the NAT equipment receives the tunnel negotiation message, converts the first external network IP address information into corresponding internal network IP address information through a session table entry, and forwards the tunnel negotiation message to the vCPE based on the internal network IP address information.
Further, the method further comprises:
step S309: after the VPN tunnel is established between the CPE and the vCPE, the vCPE regularly sends a detection message to the control platform through the NAT equipment according to a set time interval; wherein, the detection message includes: identity identification information of the vCPE;
step S310: the control platform analyzes the third external network IP address information of the vCPE according to the detection message;
and the third external network IP address information is distributed to the vCPE currently by the NAT equipment.
Step S311: the control platform searches a corresponding first external network IP address from local according to the identity identification information in the detection message, and compares the first external network IP address information with the third external network IP address information;
step S312: if the third external network IP address information is inconsistent with the second external network IP address information, the control platform sends the third external network IP address information to the CPE;
specifically, step S312 includes:
if the two are inconsistent, the control platform locally updates the external network IP address information corresponding to the identity identification information of the vCPE, updates the corresponding tunnel negotiation messages, and sends the updated tunnel negotiation messages to the CPE and the vCPE respectively.
Step S313: and the CPE reestablishes a VPN tunnel between the CPE and the vCPE through the NAT equipment according to the third external network IP address information.
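To make the control-plane logic of steps S301 to S313 concrete, the following is an added example in Python; it is not code from the patent or its assignees. It models three parties in memory: a NAT device with a session table (the cloud-side NAT in front of the vCPE), the control platform that learns each device's external address from the source address of the messages it receives, and the periodic probe that detects when the NAT has handed the vCPE a new external address. The device identifiers, the addresses, and the use of (IP, port) pairs rather than bare IP addresses are assumptions made for the model; the patent speaks only of external network IP address information.

```python
"""Added example (not the patent's code): an in-memory model of steps S301-S313,
showing how the control platform binds a device identity to the external address
observed on its messages, and how a NAT session table makes that address reachable."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]  # (ip, port) as seen by whoever receives the packet (assumption: port included)


@dataclass
class Message:
    kind: str                      # "config" | "connect" | "probe"
    device_id: str                 # identity identification information carried in the body
    src: Addr                      # source address as observed on the wire
    payload: dict = field(default_factory=dict)


class NatDevice:
    """NAT with a session table: first outbound packet from an internal (ip, port)
    allocates a public (ip, port); inbound packets to that public address are
    translated back to the internal host (the session table entry of step S308)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self._next_port = 40000
        self._out: Dict[Addr, Addr] = {}   # internal -> public
        self._in: Dict[Addr, Addr] = {}    # public -> internal

    def outbound(self, msg: Message) -> Message:
        if msg.src not in self._out:
            public = (self.public_ip, self._next_port)
            self._next_port += 1
            self._out[msg.src] = public
            self._in[public] = msg.src
        return Message(msg.kind, msg.device_id, self._out[msg.src], msg.payload)

    def inbound(self, dst: Addr) -> Optional[Addr]:
        """Return the internal host for a public destination, or None if no session exists."""
        return self._in.get(dst)

    def rebind(self) -> None:
        """Simulate the NAT dropping its table, so the vCPE's next packet gets a new address."""
        self._out.clear()
        self._in.clear()


class ControlPlatform:
    def __init__(self, peers: Dict[str, str]) -> None:
        self.peers = peers                    # networking configuration: CPE id -> vCPE id
        self.extern: Dict[str, Addr] = {}     # device id -> last observed external address

    def on_config(self, msg: Message) -> None:
        """S301-S302: bind the vCPE identity to the source address of its config message."""
        self.extern[msg.device_id] = msg.src

    def on_connect(self, msg: Message) -> Optional[dict]:
        """S303-S307: record the CPE's address, look up its peer, build the tunnel config."""
        self.extern[msg.device_id] = msg.src
        vcpe_id = self.peers.get(msg.device_id)
        if vcpe_id is None or vcpe_id not in self.extern:
            return None                       # peer unknown or not yet registered
        return {"cpe_id": msg.device_id, "cpe_addr": msg.src,
                "vcpe_id": vcpe_id, "vcpe_addr": self.extern[vcpe_id],
                "tunnel_params": "placeholder"}   # stands in for the tunnel configuration information

    def on_probe(self, msg: Message) -> Optional[Addr]:
        """S309-S312: compare the probe's source address with the stored one; return the
        new address if it changed (to be pushed to the CPE), otherwise None."""
        if self.extern.get(msg.device_id) == msg.src:
            return None
        self.extern[msg.device_id] = msg.src
        return msg.src


def run_scenario() -> dict:
    """Constructed scenario: one branch CPE, one cloud vCPE behind a NAT."""
    vcpe_internal: Addr = ("10.0.0.5", 500)     # constructed sample addresses
    cpe_addr: Addr = ("198.51.100.7", 500)
    nat = NatDevice("203.0.113.10")
    platform = ControlPlatform(peers={"cpe-branch-1": "vcpe-cloud-1"})
    out: dict = {}
    platform.on_config(nat.outbound(Message("config", "vcpe-cloud-1", vcpe_internal)))
    cfg = platform.on_connect(Message("connect", "cpe-branch-1", cpe_addr))
    out["first_vcpe_addr"] = cfg["vcpe_addr"]
    out["first_target"] = nat.inbound(cfg["vcpe_addr"])           # S308: reaches the vCPE
    nat.rebind()
    out["stale_target"] = nat.inbound(cfg["vcpe_addr"])           # old address no longer mapped
    new_addr = platform.on_probe(nat.outbound(Message("probe", "vcpe-cloud-1", vcpe_internal)))
    out["third_vcpe_addr"] = new_addr                             # S312: pushed to the CPE
    out["reestablished_target"] = nat.inbound(new_addr)           # S313: tunnel rebuilt
    out["unchanged_probe"] = platform.on_probe(
        nat.outbound(Message("probe", "vcpe-cloud-1", vcpe_internal)))
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The model makes the security-relevant step visible: the platform binds a device identity to nothing more than the source address it observes, and it later overwrites that binding on the strength of a probe. The patent does not describe how the configuration and probe messages are authenticated, so in a deployment that binding step is where message authentication and rate limiting of address updates belong; in the model, `device_id` is simply trusted.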
Example three
The embodiment of the invention provides a device for establishing a VPN tunnel, which is particularly applied to the control platform in the SD-WAN framework shown in fig. 1; fig. 4 is an optional schematic structural diagram of a device for establishing a VPN tunnel according to the third embodiment of the present invention, and as shown in fig. 4, the device specifically includes the following components:
a receiving module 401, configured to receive a connection establishment request message sent by a Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
a configuration module 402, configured to perform networking configuration to determine identity identification information of a connection object corresponding to the identity identification information of the CPE; the connection object is a virtual customer premises equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
a sending module 403, configured to send first external network IP address information corresponding to the identification information of the connection object to the CPE, so that the CPE establishes a virtual private network VPN tunnel with the vCPE through the first NAT device by using the first external network IP address information.
Specifically, the receiving module 401 is further configured to:
before the step of receiving a connection establishment request message sent by a Customer Premises Equipment (CPE), receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;
a configuration module 402, further configured to:
analyzing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
the sending module 403 is further configured to establish a corresponding relationship between the identity information and the external network IP address information.
Further, the receiving module 401 is further configured to:
receiving a detection message forwarded by the first NAT device when a VPN tunnel is established between the CPE and the vCPE; wherein the probe message is a message sent by the vCPE to the first NAT device.
The configuration module 402 is further configured to:
and analyzing the second external network IP address information from the detection message.
The device further comprises:
a judging module, configured to judge whether the first external network IP address information is consistent with the second external network IP address information; and if the two pieces of external network IP address information are not consistent, send the second external network IP address information to the CPE so that the CPE reestablishes the VPN tunnel with the vCPE through the first NAT device by using the second external network IP address information.
Further, the configuration module 402 is further configured to:
and analyzing the third external network IP address information of the CPE from the connection establishing request message.
The sending module 403 is further configured to:
and sending the third external network IP address information to the vCPE through the first NAT device so that the vCPE establishes the VPN tunnel with the CPE through the first NAT device by using the third external network IP address information.
Further, when implementing the step of receiving the connection establishment request message sent by the customer premises equipment CPE, the receiving module 401 is specifically configured to:
receiving a connection establishment request message forwarded by the second NAT equipment; wherein the connection establishment request message is a message sent by the CPE to the second NAT device, and the second NAT device is located in the branch node.
When the step of sending the first external network IP address information and the first external network port information to the CPE is implemented, the sending module 403 is specifically configured to:
and sending the first external network IP address information to the CPE through the second NAT equipment.
Example four
The embodiment also provides a computer device, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a rack server, a blade server, a tower server or a rack server (including an independent server or a server cluster composed of a plurality of servers) capable of executing programs, and the like. As shown in fig. 5, the computer device 50 of the present embodiment includes at least, but is not limited to, a memory 501 and a processor 502 communicatively coupled to each other via a system bus. It is noted that fig. 5 only shows the computer device 50 having the components 501 and 502, but it is understood that not all of the shown components are required and that more or fewer components may be implemented instead.
In this embodiment, the memory 501 (i.e., a readable storage medium) includes a flash memory, a hard disk, a multimedia card, a card-type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a read-only memory (ROM), an electrically erasable programmable read-only memory (EEPROM), a programmable read-only memory (PROM), a magnetic memory, a magnetic disk, an optical disk, and the like. In some embodiments, the storage 501 may be an internal storage unit of the computer device 50, such as a hard disk or a memory of the computer device 50. In other embodiments, the memory 501 may also be an external storage device of the computer device 50, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) Card, a Flash memory Card (Flash Card), or the like, provided on the computer device 50. Of course, the memory 501 may also include both internal and external storage devices for the computer device 50. In the present embodiment, the memory 501 is generally used for storing an operating system and various types of application software installed in the computer device 50. Further, the memory 501 may also be used to temporarily store various types of data that have been output or are to be output.
Processor 502 may be a Central Processing Unit (CPU), controller, microcontroller, microprocessor, or other data Processing chip in some embodiments. The processor 502 generally serves to control the overall operation of the computer device 50.
Specifically, in this embodiment, the processor 502 is configured to execute a program of a method for establishing a VPN tunnel stored in the memory 501, and when the program of the method for establishing a VPN tunnel is executed, the following steps may be implemented:
receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
carrying out networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; the connection object is a virtual customer premises equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
and sending first external network IP address information corresponding to the identification information of the connection object to the CPE so that the CPE establishes a virtual private network VPN tunnel with the vCPE through the first NAT device by using the first external network IP address information.
The specific embodiment process of the above method steps can be referred to in the first embodiment, and the detailed description of this embodiment is not repeated here.
Example five
The present embodiments also provide a computer readable storage medium, such as a flash memory, a hard disk, a multimedia card, a card type memory (e.g., SD or DX memory, etc.), a Random Access Memory (RAM), a Static Random Access Memory (SRAM), a Read Only Memory (ROM), an Electrically Erasable Programmable Read Only Memory (EEPROM), a Programmable Read Only Memory (PROM), a magnetic memory, a magnetic disk, an optical disk, a server, an App application mall, etc., having stored thereon a computer program that when executed by a processor, performs the method steps of:
receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
carrying out networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; the connection object is a virtual customer premises equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
and sending first external network IP address information corresponding to the identification information of the connection object to the CPE so that the CPE establishes a virtual private network VPN tunnel with the vCPE through the first NAT device by using the first external network IP address information.
The specific embodiment process of the above method steps can be referred to in the first embodiment, and the detailed description of this embodiment is not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.

Claims (8)

1. A method for establishing a VPN tunnel, which is applied to a control platform of an SD-WAN, and comprises the following steps:
receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
carrying out networking configuration to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; the connection object is a virtual customer premises equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
sending first external network IP address information corresponding to the identity identification information of the connection object to the CPE so that the CPE establishes a virtual private network VPN tunnel with the vCPE through the first NAT device by using the first external network IP address information;
before the step of receiving a connection establishment request message sent by a customer premises equipment, CPE, the method further comprises:
receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;
analyzing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
and establishing a corresponding relation between the identity identification information and the external network IP address information.
2. Method for establishing a VPN tunnel according to claim 1, characterised in that when a VPN tunnel is established between the CPE and the vCPE, the method further comprises:
receiving a probe message forwarded by the first NAT device; wherein the probe message is a message sent by the vCPE to the first NAT device;
analyzing second external network IP address information from the detection message;
judging whether the first external network IP address information is consistent with the second external network IP address information;
and if the two pieces of external network IP address information are not consistent, sending the second external network IP address information to the CPE so that the CPE reestablishes the VPN tunnel with the vCPE through the first NAT device by using the second external network IP address information.
3. The method of establishing a VPN tunnel according to claim 1, further comprising:
analyzing third external network IP address information of the CPE from the connection establishing request message;
and sending the third external network IP address information to the vCPE through the first NAT device so that the vCPE establishes the VPN tunnel with the CPE through the first NAT device by using the third external network IP address information.
4. The method according to claim 1, wherein the step of receiving the connection establishment request message sent by the customer premises equipment CPE specifically comprises:
receiving a connection establishment request message forwarded by the second NAT equipment; wherein the connection establishment request message is a message sent by the CPE to the second NAT device, and the second NAT device is located in the branch node.
5. The method according to claim 4, wherein the step of sending the first extranet IP address information to the CPE specifically includes:
and sending the first external network IP address information to the CPE through the second NAT equipment.
6. An apparatus for establishing a VPN tunnel, applied to a control platform of an SD-WAN, the apparatus comprising:
the receiving module is used for receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
the configuration module is used for carrying out networking configuration so as to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; the connection object is a virtual customer premises equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises a first network address translation (NAT) device, and the vCPE is connected with the control platform through the first NAT device;
a sending module, configured to send first external network IP address information corresponding to the identification information of the connection object to the CPE, so that the CPE establishes a virtual private network VPN tunnel with the vCPE through the first NAT device by using the first external network IP address information;
in addition, the receiving module is further configured to:
receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;
the configuration module is further configured to:
analyzing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
the sending module is further configured to establish a corresponding relationship between the identification information and the external network IP address information.
7. A computer device, the computer device comprising: memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1 to 5 when executing the computer program.
8. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 5.
CN202010022644.6A 2020-01-09 2020-01-09 Method, device, equipment and storage medium for establishing VPN tunnel Active CN111277481B (en)

Priority Application (1), Application Claiming Priority (1) and Family Application (1)

Application Number: CN202010022644.6A (CN111277481B, en)
Priority Date: 2020-01-09
Filing Date: 2020-01-09
Title: Method, device, equipment and storage medium for establishing VPN tunnel
Status: Active

Publications (2)

Publication Number Publication Date
CN111277481A (en) 2020-06-12
CN111277481B (en) 2021-09-24

Family

ID=71001571

Country Status (1)

Country Link
CN (1) CN111277481B (en)

Legal Events

Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder
Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Patentee after: Qianxin Technology Group Co.,Ltd.
Patentee after: Qianxin Wangshen information technology (Beijing) Co., Ltd
Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088
Patentee before: Qianxin Technology Group Co.,Ltd.
Patentee before: Wangshen information technology (Beijing) Co., Ltd