Embodiment
The technical scheme in the embodiments of the invention is described clearly and completely below in conjunction with the accompanying drawings. The described embodiments are only some of the embodiments of the invention, not all of them; all other embodiments obtained by those of ordinary skill in the art from these embodiments without creative work fall within the scope of protection of the invention.
Embodiment one:
See Fig. 1, a flow diagram of a method for establishing a network tunnel provided by an embodiment of the invention. As shown in Fig. 1, the method may comprise:
101: a first node queries a virtual private network (VPN) server for the registration information of a second node, to determine whether the second node accepts external connections; the registration information of the second node includes at least the information on whether the second node accepts external connections;
The nodes described in this embodiment and the following embodiments include, but are not limited to, computers and other user terminals in the VPN network.
In this embodiment, when the first node wants to communicate with the second node, it can query the VPN server for the registration information of the second node. That information includes at least whether the second node accepts external connections, and this attribute indicates whether a direct network tunnel can be established to the second node.
For instance, see Fig. 2, a flow diagram of querying node registration information during tunnel establishment, provided by this embodiment. As shown in Fig. 2, the first node queries the VPN server for the registration information of the second node as follows:
201: the first node sends a query message to the VPN server; the query message is used to query the registration information of the second node;
202: the first node receives the registration information of the second node sent by the VPN server.
Further, the query message sent by the first node to the VPN server may also include the name of the second node and/or the current real IP address of the second node.
Here, the current real IP address of the second node is its legal address on the Internet: specifically, the Internet Protocol (IP) address of the second node on the Internet, or the combination of that IP address with a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) port, or another service address of the second node on the Internet expressed as a web address (URL, Uniform Resource Locator).
For instance, the registration information of the second node received from the VPN server in 202 may specifically be:
the current real IP address and the virtual IP address of the second node sent by the VPN server, and the information on whether the second node accepts external connections.
If the second node accepts external connections, the first node can establish a direct network tunnel in direct-channel mode with the second node according to the second node's current real IP address; otherwise, if the second node does not accept external connections, the first node can establish an indirect network tunnel in virtual-switch mode with the second node according to the second node's virtual IP address.
If the first node already knows the current real IP address and the virtual IP address of the second node, the registration information received from the VPN server in 202 may consist only of the information on whether the second node accepts external connections.
Besides the current real IP address, the virtual IP address and the information on whether external connections are accepted, the registration information of the second node in this embodiment may also include other relevant information about the second node.
102: according to the queried registration information, establish the corresponding network tunnel with the second node.
For instance, after the first node receives the registration information of the second node and finds that the second node accepts external connections, it establishes the corresponding network tunnel with the second node. See Fig. 3, a flow diagram of establishing a network tunnel provided by this embodiment. As shown in Fig. 3, establishing the corresponding network tunnel between the first node and the second node may comprise:
301: the first node sends a request to establish a network tunnel to the second node;
302: the first node receives the response sent by the second node, thereby establishing the network tunnel with the second node.
In addition, the first node may also query the VPN server for the registration information of the first node itself; the registration information of the first node includes at least whether the first node accepts external connections.
For instance, if after receiving the registration information of the second node the first node finds that the second node does not accept external connections while the first node does, it establishes the corresponding network tunnel with the second node as follows. See Fig. 4, a flow diagram of establishing a network tunnel provided by this embodiment. As shown in Fig. 4, establishing the corresponding network tunnel between the first node and the second node may comprise:
401: the first node sends the second node a message prompting the second node to establish a network tunnel to the first node;
402: the first node receives the request to establish a network tunnel sent by the second node;
403: the first node sends a response to the second node, thereby establishing the network tunnel with the second node.
For instance, if after receiving the registration information of the second node the first node finds that the second node does not accept external connections and the first node does not accept external connections either, it establishes the corresponding network tunnel with the second node as follows. See Fig. 5, a flow diagram of establishing a network tunnel provided by this embodiment. As shown in Fig. 5, establishing the corresponding network tunnel between the first node and the second node may comprise:
501: the first node sends a request to establish a network tunnel to the VPN server;
502: the first node receives the response sent by the VPN server, thereby establishing a network tunnel between the first node and the VPN server;
503: the first node sends a tunnel establishment message to the second node, so that the second node establishes a network tunnel with the VPN server.
At this point the VPN server acts as a relay device between the first node and the second node: it receives the communication data sent by the first node and forwards it to the second node, and receives the communication data sent by the second node and forwards it to the first node. In this way a network tunnel between the first node and the second node is established indirectly.
It should be noted that, once the first node knows the registration information of the second node and of the first node itself, the concrete process of establishing the network tunnel with the second node is familiar to those skilled in the art and is not further described in this embodiment.
The method for establishing a network tunnel provided by embodiment one of the invention has been described in detail above. In this embodiment, before a first node in the VPN network establishes a network tunnel with a second node, it can query the VPN server for the registration information of the second node and of the first node, learn whether the second node and the first node accept external connections, and then establish the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces the waste of network resources and improves the efficiency of establishing network tunnels.
Embodiment two:
See Fig. 6, a flow chart of a data processing method provided by an embodiment of the invention. As shown in Fig. 6, the method may comprise:
601: the VPN server receives a message sent by a first node; the message is used to query the registration information of a second node;
In this embodiment, the message sent by the first node may further be used to query the registration information of the first node itself.
602: the VPN server sends the registration information of the second node, which it has stored in advance, to the first node, so that the first node establishes the corresponding network tunnel with the second node.
For instance, the first node may receive the current real IP address and the virtual IP address of the second node, and the information on whether the second node accepts external connections, sent by the VPN server;
and may also receive the current real IP address and the virtual IP address of the first node, and the information on whether the first node accepts external connections, sent by the VPN server.
The registration information of the second node in this embodiment includes, but is not limited to, the current real IP address and the virtual IP address of the second node and the information on whether it accepts external connections;
likewise, the registration information of the first node in this embodiment includes, but is not limited to, the current real IP address and the virtual IP address of the first node and the information on whether it accepts external connections.
Further, the current real IP address of the second node is its legal address on the Internet: specifically, the IP address of the second node on the Internet, or the combination of that IP address with a TCP/UDP port, or another service address of the second node on the Internet expressed as a URL;
in the same way, the current real IP address of the first node is its legal address on the Internet: specifically, the IP address of the first node on the Internet, or the combination of that IP address with a TCP/UDP port, or another service address of the first node on the Internet expressed as a URL.
Before 601 above, the method provided by this embodiment may further comprise:
the VPN server receives an access request message sent by the first node and an access request message sent by the second node, where the access request message sent by the first node includes the node name and the current real IP address of the first node;
the access request message sent by the second node includes the node name and the current real IP address of the second node;
the VPN server allocates a virtual IP address to the first node and determines whether the first node accepts external connections, and allocates a virtual IP address to the second node and determines whether the second node accepts external connections;
the VPN server stores the correspondence between the name, the current real IP address, the allocated virtual IP address and the information on whether external connections are accepted for the first node, and stores the same correspondence for the second node. The node name, current real IP address, virtual IP address and the information indicating whether external connections are accepted are used as the registration information of the first node and of the second node respectively.
Determining whether the first node accepts external connections may specifically be carried out as follows:
after allocating a virtual IP address to the first node, the VPN server sends the first node a connection request for establishing a network tunnel, in order to judge whether the first node accepts external connections. If the VPN server receives the response returned by the first node, it confirms that the first node accepts external connections, i.e. the "accepts external connections" attribute of the first node is "OK"; otherwise, if no response from the first node is received within the specified time, it confirms that the first node does not accept external connections, i.e. the "accepts external connections" attribute of the first node is "NO".
Whether the second node accepts external connections can be confirmed in the same manner.
In this embodiment, the concrete way in which the first node and the second node establish the corresponding network tunnel is the same as that introduced in embodiment one and is not repeated here.
The data processing method provided by embodiment two of the invention has been described in detail above. In this embodiment, the VPN server can send the registration information of the second node and of the first node to the first node at the first node's request, so that before establishing a network tunnel with the second node the first node knows whether the second node and the first node accept external connections and then establishes the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces the waste of network resources and improves the efficiency of establishing network tunnels.
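The registration side of embodiment two (access request, virtual IP allocation, the connect-back probe that sets the "accepts external connections" attribute, and the query from 601/602) can be modelled with real sockets. The block below is an added example written for this page, not the patent's own implementation: the message strings, the `10.8.0.x` virtual address range, the one-second probe timeout and the two loopback stand-in nodes (one that listens and answers, one address with nothing behind it, playing the node behind NAT) are all assumptions of the example. The probe only checks that a TCP connection request reaches the node and is answered; it says nothing about who answered, so a real server would still authenticate the node before trusting the record.

```python
import socket
import threading
from dataclasses import dataclass

PROBE_TIMEOUT = 1.0  # seconds the server waits for the node's response (assumed value)


@dataclass(frozen=True)
class Registration:
    """One row of the server's registration table: node name, current real address,
    allocated virtual IP address, and whether the node accepts external connections."""
    node_name: str
    real_addr: tuple          # (ip, tcp_port), the node's current real address
    virtual_ip: str
    accepts_external: bool


class VpnServer:
    """Node registration and information query functions of the VPN server (example model)."""

    def __init__(self, virtual_prefix="10.8.0."):
        self._registry = {}            # node name -> Registration
        self._next_host = 1
        self._prefix = virtual_prefix  # virtual address range is an assumption of the example

    def probe_accepts_external(self, real_addr):
        """Send one tunnel-establishment connection request to the node's real address.
        The node accepts external connections only if the request gets through and is
        answered within PROBE_TIMEOUT; refusal, a NAT drop or silence all yield False."""
        try:
            with socket.create_connection(real_addr, timeout=PROBE_TIMEOUT) as s:
                s.sendall(b"TUNNEL_REQUEST\n")
                return s.recv(64).startswith(b"TUNNEL_RESPONSE")
        except OSError:                # connection refused, unreachable, or timed out
            return False

    def handle_access_request(self, node_name, real_addr):
        """Access request: allocate a virtual IP, probe reachability, store the record."""
        virtual_ip = f"{self._prefix}{self._next_host}"
        self._next_host += 1
        reg = Registration(node_name, real_addr, virtual_ip,
                           self.probe_accepts_external(real_addr))
        self._registry[node_name] = reg
        return reg

    def handle_query(self, node_names):
        """Query message (601/602): return the stored records for the named nodes."""
        return {n: self._registry[n] for n in node_names if n in self._registry}


def start_listening_node(host="127.0.0.1"):
    """Constructed stand-in for a node with a legal Internet address: answers one probe."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(1)

    def serve_one():
        conn, _ = srv.accept()
        with conn:
            conn.recv(64)
            conn.sendall(b"TUNNEL_RESPONSE\n")
        srv.close()

    threading.Thread(target=serve_one, daemon=True).start()
    return srv.getsockname()


def unreachable_address(host="127.0.0.1"):
    """Constructed stand-in for a node behind NAT: a loopback port nobody listens on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind((host, 0))
    addr = tmp.getsockname()
    tmp.close()
    return addr


def register_two_nodes():
    """Register one reachable node and one unreachable node; return server and records."""
    server = VpnServer()
    reachable = server.handle_access_request("NID-1", start_listening_node())
    behind_nat = server.handle_access_request("NID-3", unreachable_address())
    return server, reachable, behind_nat


if __name__ == "__main__":
    _, r1, r3 = register_two_nodes()
    for r in (r1, r3):
        print(r.node_name, r.real_addr, r.virtual_ip, "OK" if r.accepts_external else "NO")
```

Running the block registers both stand-in nodes and prints their table rows; the listening node ends up with attribute "OK" and the silent address with "NO", which is exactly the distinction the first node relies on when choosing a tunnel mode.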
Embodiment three:
See Fig. 7, a structural diagram of a VPN node provided by an embodiment of the invention. As shown in Fig. 7, the VPN node may comprise:
a query unit 701, used to query the VPN server for the registration information of a second node in order to determine whether the second node accepts external connections; the registration information of the second node includes at least whether the second node accepts external connections;
a tunnel establishment unit 702, used to establish the corresponding network tunnel with the second node according to the queried registration information.
For instance, the corresponding network tunnel described in this embodiment includes a direct network tunnel in direct-channel mode and an indirect network tunnel in virtual-switch mode.
See Fig. 8, a structural diagram of a query unit provided by embodiment three of the invention. As shown in Fig. 8, the query unit 701 may comprise:
a sending subunit 7011, used to send a query message to the VPN server; the query message requests the registration information of the second node;
a receiving subunit 7012, used to receive the registration information of the second node sent by the VPN server.
Preferably, the registration information of the second node includes, but is not limited to, the current real IP address and the virtual IP address of the second node and the information on whether it accepts external connections.
See Fig. 9, a structural diagram of a tunnel establishment unit provided by an embodiment of the invention. As shown in Fig. 9, the tunnel establishment unit 702 may comprise:
a first establishment subunit 7021, used, when the second node accepts external connections, to send a request to establish a network tunnel to the second node and to receive the response sent by the second node, thereby establishing the network tunnel with the second node.
For instance, the query unit 701 may also be used to query the VPN server for the registration information of the first node; the registration information of the first node includes at least whether the first node accepts external connections.
In that case, the tunnel establishment unit 702 may further comprise:
a second establishment subunit 7022, used, when the second node does not accept external connections and the first node does, to send the second node a message prompting it to establish a network tunnel to the first node, to receive the request to establish a network tunnel sent by the second node, and to send a response to the second node, thereby establishing the network tunnel with the second node;
a third establishment subunit 7023, used, when neither the second node nor the first node accepts external connections, to send a request to establish a network tunnel to the VPN server and receive the response sent by the VPN server, thereby establishing a network tunnel with the VPN server, and to send a tunnel establishment message to the second node so that the second node establishes a network tunnel with the VPN server, thereby establishing a network tunnel between the first node and the second node.
At this point the VPN server acts as a relay device between the first node and the second node: it receives the communication data sent by the first node and forwards it to the second node, and receives the communication data sent by the second node and forwards it to the first node. In this way a network tunnel between the first node and the second node is established indirectly.
It should be noted that the method and process by which the second node establishes a network tunnel with the VPN server are the same as those by which the first node does, and are not repeated in this embodiment.
The VPN node provided by embodiment three of the invention has been described in detail above. The receiving subunit 7012 in the query unit 701 of the first node can obtain the registration information of the second node and of the first node from the VPN server before the first node establishes a network tunnel with the second node, so that the tunnel establishment unit 702 knows whether the second node and the first node accept external connections and establishes the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces the waste of network resources and improves the efficiency of establishing network tunnels.
Embodiment four:
See Fig. 10, a structural diagram of a VPN server provided by an embodiment of the invention. As shown in Fig. 10, the VPN server may comprise:
a receiving unit 1001, used to receive a message sent by a first node; the message is used to query the registration information of a second node;
a sending unit 1002, used to send the registration information of the second node, stored in advance, to the first node, so that the first node establishes the corresponding network tunnel with the second node; the registration information of the second node includes at least whether the second node accepts external connections.
In this embodiment, the message from the first node received by the receiving unit 1001 may further be used to query the registration information of the first node; the sending unit 1002 then also sends the registration information of the first node to the first node, which includes at least whether the first node accepts external connections.
For instance, the corresponding network tunnel described in this embodiment includes a direct network tunnel in direct-channel mode and an indirect network tunnel in virtual-switch mode.
Preferably, the registration information of the second node includes, but is not limited to, the current real IP address and the virtual IP address of the second node and the information on whether it accepts external connections;
likewise, the registration information of the first node includes, but is not limited to, the current real IP address and the virtual IP address of the first node and the information on whether it accepts external connections.
Preferably, the receiving unit 1001 may also be used to receive an access request message sent by the first node and an access request message sent by the second node;
the access request message sent by the first node includes the node name and the current real IP address of the first node, and the access request message sent by the second node includes the node name and the current real IP address of the second node.
The VPN server provided by this embodiment may then further comprise:
an allocation unit 1003, used to allocate a virtual IP address to the first node according to the access request message of the first node received by the receiving unit 1001 and to determine whether the first node accepts external connections;
and used to allocate a virtual IP address to the second node according to the access request message of the second node received by the receiving unit 1001 and to determine whether the second node accepts external connections;
a storage unit 1004, used to store the correspondence between the node name, the current real IP address, the allocated virtual IP address and the information on whether external connections are accepted for the first node;
and to store the same correspondence for the second node. The node name, current real IP address, virtual IP address and the information indicating whether external connections are accepted are used as the registration information of the first node and of the second node respectively.
Preferably, after allocating virtual IP addresses to the first node and the second node, the allocation unit 1003 sends the first node a connection request for establishing a network tunnel in order to judge whether the first node accepts external connections: if the response returned by the first node is received within the specified time, it confirms that the first node accepts external connections; otherwise, if no response from the first node is received within the specified time, it confirms that the first node does not accept external connections;
and it sends the second node a connection request for establishing a network tunnel in order to judge whether the second node accepts external connections: if the response returned by the second node is received within the specified time, it confirms that the second node accepts external connections; otherwise, if no response from the second node is received within the specified time, it confirms that the second node does not accept external connections.
Further, the current real IP address of the second node is its legal address on the Internet: specifically, the IP address of the second node on the Internet, or the combination of that IP address with a TCP/UDP port, or another service address of the second node on the Internet expressed as a URL;
in the same way, the current real IP address of the first node is its legal address on the Internet: specifically, the IP address of the first node on the Internet, or the combination of that IP address with a TCP/UDP port, or another service address of the first node on the Internet expressed as a URL.
The VPN server provided by embodiment four of the invention has been described in detail above. The receiving unit 1001 of the VPN server receives the request of the first node, and the sending unit 1002 sends the registration information of the second node and of the first node to the first node according to that request, so that before establishing a network tunnel with the second node the first node knows whether the second node and the first node accept external connections and then establishes the corresponding network tunnel with the second node. This avoids two nodes that can only connect in virtual-switch mode still attempting to establish a direct network tunnel, which reduces the waste of network resources and improves the efficiency of establishing network tunnels.
Embodiment five:
See Fig. 11, a structural diagram of a VPN system provided by an embodiment of the invention. As shown in Fig. 11, the VPN system may comprise:
a VPN node 1101 and a VPN server 1102, where
the VPN node 1101 is used to query the VPN server 1102 for the registration information of a second node in order to determine whether the second node accepts external connections, the registration information of the second node including at least whether the second node accepts external connections, and to establish the corresponding network tunnel with the second node according to the queried registration information;
the VPN server 1102 is used to receive the message sent by the VPN node 1101, which queries the registration information of the second node, and to send the registration information of the second node, stored in advance, to the VPN node 1101 so that the VPN node 1101 establishes the corresponding network tunnel with the second node; the registration information of the second node includes at least whether the second node accepts external connections.
It should be noted that the structure and functions of the VPN node 1101 introduced in this embodiment are the same as those of the VPN node introduced in embodiment three, and the structure and functions of the VPN server 1102 are the same as those of the VPN server introduced in embodiment four; neither is repeated here.
See Fig. 12, a VPN network diagram provided by an embodiment of the invention. As shown in Fig. 12, the VPN network provided by this embodiment may comprise a VPN server and VPN nodes. The VPN nodes include, but are not limited to, computers and other user terminals. The VPN server must have a legal address on the Internet (the address format may be an IP address, an IP address combined with a TCP/UDP port, or another service address expressed as a URL) and must be able to receive data messages from the Internet at that legal address.
The VPN server needs a node registration function and an information query function. That is, when a node accesses the VPN network, the VPN server allocates the virtual IP address that the node will use in the VPN network, and registers the node's name, its current real IP address, the allocated virtual IP address, whether it accepts external connections, and possibly further information such as encryption parameters;
the VPN server allows a node in the VPN network to query the registration information of other VPN nodes by the name and/or the virtual IP address of those nodes.
A node in this embodiment should be able to communicate with the VPN server; to initiate a request to establish a network tunnel with another node in the VPN network; to receive a request from another node in the VPN network to establish a network tunnel with it; and to learn the registration information of other nodes and of itself and establish the corresponding network tunnel with the other node.
The corresponding network tunnel includes a direct network tunnel in direct-channel mode and an indirect network tunnel in virtual-switch mode.
As shown in Fig. 12, there are four networked computers in the VPN network, named ID-1, ID-2, ID-3 and ID-4. ID-1 and ID-2 are computers with legal IP addresses on the Internet and accept connections from the Internet; ID-3 and ID-4 are inside NAT networks, have no legal Internet address, and do not accept connections from the Internet.
In the VPN network shown in Fig. 12, network communication between nodes falls into the following three situations:
1) a bidirectional network connection can be established directly between the nodes, as between ID-1 and ID-2: either node can actively establish a network tunnel to the other;
2) only a unidirectional connection can be established directly between the nodes, as between ID-1 and ID-3: because ID-3 is inside a NAT network and has no legal IP address, only ID-3 may actively establish a network tunnel to ID-1, and ID-1 may not establish a network tunnel to ID-3;
3) no direct connection is possible between the nodes, as between ID-3 and ID-4: because both ID-3 and ID-4 are inside NAT networks without legal IP addresses, no direct tunnel can be established between them; ID-3 and ID-4 can each only establish a network tunnel with the VPN server, and the communication data between ID-3 and ID-4 must be relayed through the VPN server.
Suppose ID-1 needs to communicate with ID-2 and ID-3 in the VPN network shown in Fig. 12. Then:
1) ID-1 queries the VPN server for the registration information of ID-2 and ID-3.
2) ID-1 queries the VPN server for the registration information of ID-1 itself.
For 1), ID-1 sends a query message to the VPN server requesting the registration information of ID-2; this query message may include the name of ID-2 and/or the current real IP address of ID-2;
and ID-1 sends a query message to the VPN server requesting the registration information of ID-3; this query message may include the name of ID-3 and/or the current real IP address of ID-3.
For 2), ID-1 sends a query message to the VPN server requesting the registration information of ID-1; this query message may include the name of ID-1 and/or the current real IP address of ID-1.
After receiving the query messages sent by ID-1, the VPN server looks up the registration information of ID-2 and ID-3 and sends it to ID-1. Table 1 shows the registration information of the nodes ID-1, ID-2, ID-3 and ID-4 of the VPN network of Fig. 12 as stored in advance by the VPN server.
Table 1

Node | Node name | Current real IP address | Virtual IP address | Whether outside connections are accepted
ID-1 | NID-1 | IP1:P1 | VIP1 | OK
ID-2 | NID-2 | IP2:P2 | VIP2 | OK
ID-3 | NID-3 | IP3:P3 | VIP3 | NO
ID-4 | NID-4 | IP4:P4 | VIP4 | NO
Since ID-3 and ID-4 are behind NAT devices, the current real IP addresses of ID-3 and ID-4 are actually the real IP addresses of the NAT devices that ID-3 and ID-4 use.
3) After receiving each query message sent by ID-1, the VPN server looks up the registration information. For ID-2 it is: name NID-2, real address IP2:P2, virtual IP address VIP2, outside connections accepted;
For ID-3 it is: name NID-3, real address IP3:P3, virtual IP address VIP3, outside connections not accepted;
For ID-1 it is: name NID-1, real address IP1:P1, virtual IP address VIP1, outside connections accepted.
4) According to the registration information of ID-2, ID-3 and ID-1 that it looked up, the VPN server sends the registration information of ID-2, ID-3 and ID-1 to ID-1 respectively.
Of course, the VPN server may also send only a selected part of the registration information of ID-2, ID-3 and ID-1 to ID-1, for example: from the registration information of ID-2, that the real address is IP2:P2 and outside connections are accepted; from that of ID-3, that outside connections are not accepted; and from that of ID-1, that the real address is IP1:P1 and outside connections are accepted.
5) After ID-1 receives the registration information of ID-2, ID-3 and ID-1 sent by the VPN server, it finds that ID-2 accepts outside connections, so ID-1 sends ID-2 a request to establish a network tunnel; if a response sent by ID-2 is received, the direct-connected network tunnel in direct-channel mode between ID-1 and ID-2 is completed;
It finds that ID-3 does not accept outside connections while ID-1 does, so ID-1 sends ID-3 a message prompting ID-3 to actively establish a network tunnel to ID-1; ID-1 receives the network tunnel establishment request sent by ID-3, and after the response has been sent, the indirect network tunnel in virtual-switch mode between ID-1 and ID-3 is completed.
Suppose further that ID-3 needs to communicate with ID-4 in the VPN network shown in Figure 12; then:
1) ID-3 queries the VPN server for the registration information of ID-4.
2) ID-3 queries the VPN server for the registration information of ID-3 (its own).
For 1), ID-3 sends a query message to the VPN server, which is used to query the VPN server for the registration information of ID-4; this query message can comprise the name of ID-4 and/or the current real IP address of ID-4.
ID-3 sends a query message to the VPN server, which is used to query the VPN server for the registration information of ID-3; this query message can comprise the name of ID-3 and/or the current real IP address of ID-3.
3) After receiving the query messages sent by ID-3, the VPN server looks up the registration information. For ID-4 it is: name NID-4, real address IP4:P4, virtual IP address VIP4, outside connections not accepted;
For ID-3 it is: name NID-3, real address IP3:P3, virtual IP address VIP3, outside connections not accepted.
4) According to the registration information of ID-4 and ID-3 that it looked up, the VPN server sends the registration information of ID-4 and ID-3 to ID-3 respectively.
Of course, the VPN server may also send only a selected part of the registration information of ID-4 and ID-3 to ID-3, for example only that outside connections are not accepted in the registration information of ID-4 and not accepted in the registration information of ID-3.
5) After ID-3 receives the registration information of ID-4 and ID-3 sent by the VPN server, it finds that ID-4 does not accept outside connections and that ID-3 does not accept outside connections either, which shows that a direct-connected network tunnel cannot be established between ID-3 and ID-4; ID-3 therefore sends a network tunnel establishment request to the VPN server and, after receiving the response sent by the VPN server, completes the network tunnel between itself and the VPN server;
In addition, ID-3 sends ID-4 a message to establish a network tunnel, so that ID-4 establishes a network tunnel to the VPN server, thereby establishing the network tunnel between ID-4 and the VPN server. At this point the VPN server acts as the relay device between ID-3 and ID-4: it receives the communication data sent by ID-3 and forwards it to ID-4, and at the same time receives the communication data sent by ID-4 and forwards it to ID-3. In this way the network tunnel between ID-3 and ID-4 is established indirectly.
It should be noted that in the present embodiment the VPN server needs to store the registration information of ID-1, ID-2, ID-3 and ID-4 in advance; specifically:
The VPN server receives the access request messages sent by ID-1, ID-2, ID-3 and ID-4 respectively, where the access request message sent by each of ID-1, ID-2, ID-3 and ID-4 comprises that node's name and current real IP address;
It assigns a virtual IP address to each of ID-1, ID-2, ID-3 and ID-4, and determines for each of ID-1, ID-2, ID-3 and ID-4 whether it accepts outside connections;
It stores, for ID-1, ID-2, ID-3 and ID-4, the correspondence between each node's name, current real IP address, assigned virtual IP address and whether it accepts outside connections.
The above determination of whether each of ID-1, ID-2, ID-3 and ID-4 accepts outside connections is specifically:
After a virtual IP address has been assigned to each of ID-1, ID-2, ID-3 and ID-4, the VPN server sends each of ID-1, ID-2, ID-3 and ID-4 one connection request for establishing a network tunnel, in order to judge whether ID-1, ID-2, ID-3 and ID-4 accept outside connections;
If the responses returned by ID-1 and ID-2 are received within the specified time, ID-1 and ID-2 are considered to accept outside connections, that is, the "whether outside connections are accepted" attribute of ID-1 and ID-2 is "OK"; if no responses returned by ID-3 and ID-4 are received within the specified time, ID-3 and ID-4 are considered not to accept outside connections, that is, the "whether outside connections are accepted" attribute of ID-3 and ID-4 is "NO".
In addition, if the first node has itself already stored its own registration information, it only needs to query the VPN server for the registration information of the second node, and need not query the VPN server again for its own registration information.
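The registration procedure just described and the tunnel-mode decision of the two scenarios above (ID-1 with ID-2/ID-3, ID-3 with ID-4), written as an added Python example rather than code from the patent; the class and function names, the probe callback and the sample addresses are constructed here, and a real server would replace the probe with an actual tunnel request and timeout.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Tuple


@dataclass
class Registration:
    name: str
    real_addr: str       # current real IP:port as seen by the server
    virtual_ip: str      # address the server assigns inside the VPN
    accepts_outside: bool


class VpnServer:
    """Constructed registry: stores node registrations and probes each node once."""
    def __init__(self, probe: Callable[[str], bool]):
        self._probe = probe  # True if the node answered the probe within the deadline
        self._registry: Dict[str, Registration] = {}
        self._next_vip = 1

    def register(self, node_id: str, name: str, real_addr: str) -> Registration:
        # The access request carries the node name and current real address;
        # the server assigns a virtual IP, then sends one tunnel request as a probe.
        vip = f"10.0.0.{self._next_vip}"
        self._next_vip += 1
        reg = Registration(name, real_addr, vip, self._probe(real_addr))
        self._registry[node_id] = reg
        return reg

    def lookup(self, node_id: str) -> Registration:
        return self._registry[node_id]


def tunnel_mode(server: VpnServer, src: str, dst: str) -> str:
    """How src reaches dst, decided only from the 'accepts outside' flags."""
    s, d = server.lookup(src), server.lookup(dst)
    if d.accepts_outside:
        return "direct"          # src opens the tunnel to dst itself
    if s.accepts_outside:
        return "reverse-direct"  # src asks dst to open the tunnel towards src
    return "relay"               # both behind NAT: each tunnels to the server


def demo() -> Dict[Tuple[str, str], str]:
    # Constructed reachability: ID-1 and ID-2 answer probes, ID-3 and ID-4 (NAT) do not.
    reachable = {"198.51.100.1:4000": True, "198.51.100.2:4000": True}
    server = VpnServer(lambda addr: reachable.get(addr, False))
    server.register("ID-1", "NID-1", "198.51.100.1:4000")
    server.register("ID-2", "NID-2", "198.51.100.2:4000")
    server.register("ID-3", "NID-3", "203.0.113.9:5000")  # NAT device address
    server.register("ID-4", "NID-4", "203.0.113.9:5001")  # same NAT device
    pairs = [("ID-1", "ID-2"), ("ID-1", "ID-3"), ("ID-3", "ID-1"), ("ID-3", "ID-4")]
    return {p: tunnel_mode(server, p[0], p[1]) for p in pairs}
```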
The above describes a VPN network provided by embodiment five of the invention. In the VPN network provided by the embodiment of the invention, before establishing a network tunnel with another node, a node can query the VPN server for the registration information of the other node and of itself (the first node), and thereby learn whether the other node and the first node accept outside connections, and then establish the corresponding network tunnel with the other node. This avoids two nodes that can only connect in virtual-switch mode nevertheless attempting to establish a direct-connected network tunnel, which reduces the waste of network resources and improves the efficiency of establishing network tunnels.
One of ordinary skill in the art will appreciate that all or part of the steps for implementing the above method embodiments can be completed by program instructions controlling the relevant hardware; the aforementioned program can be stored in a computer-readable storage medium and, when executed, carries out the steps of the above method embodiments; and the aforementioned storage medium comprises various media that can store program code, such as read-only memory (ROM), random access memory (RAM), magnetic disk or optical disc.
The method of establishing a network tunnel, the data processing method and the related devices provided by the embodiments of the invention have been described in detail above. Specific cases have been used herein to set forth the principles and implementation of the invention, and the explanation of the above embodiments is only intended to help understand the method of the invention and its core idea; at the same time, one of ordinary skill in the art may, according to the idea of the invention, make changes in the specific implementation and scope of application. In summary, the contents of this description should not be construed as a limitation of the invention.