CN102137100A - Method for constructing IP (Internet Protocol) layer SSL VPN (Secure Socket Layer Virtual Private Network) tunnel - Google Patents


Info

Publication number
CN102137100A
Authority
CN
China
Prior art keywords
tunnel
ssl vpn
vpn tunneling
layer
encryption
Legal status
Granted
Application number
CN2011100485206A
Other languages
Chinese (zh)
Other versions
CN102137100B (en)
Inventor
接伟
殷建儒
张永培
Current Assignee
Opzoon Technology Co Ltd
Original Assignee
Opzoon Technology Co Ltd
Priority date: 2011-03-01
Filing date: 2011-03-01
Publication date: 2011-07-27
2011-03-01: Application CN2011100485206A filed by Opzoon Technology Co Ltd (priority date 2011-03-01)
2011-07-27: Publication of CN102137100A
2013-12-11: Application granted; publication of CN102137100B
Status: Expired - Fee Related

Abstract

The invention discloses a method for constructing an IP (Internet Protocol) layer SSL VPN (Secure Socket Layer Virtual Private Network) tunnel, comprising the following steps: negotiating a control connection with the SSL protocol to obtain a cipher suite and encryption parameters, and establishing the control connection with the SSL protocol using that cipher suite and those parameters; and establishing a data connection with the DTLS (Datagram Transport Layer Security) protocol using the same cipher suite and encryption parameters. The IP layer SSL VPN tunnel is thus built in the SSL+DTLS manner, and the cipher suite and encryption parameters obtained from the SSL negotiation are used directly when the data connection is built with DTLS, which reduces the cost to system performance.

Description

Method for constructing an IP layer SSL VPN tunnel
Technical field
The present invention relates to the field of network security, and in particular to a method for constructing an IP layer SSL VPN tunnel.
Background
Important or sensitive data sometimes has to be carried over a network. Netscape proposed the SSL (Secure Socket Layer) protocol to protect the confidentiality and integrity of network communication, and the IETF (Internet Engineering Task Force) standardized it under the name TLS (Transport Layer Security).
TLS protects applications that run over TCP (Transmission Control Protocol), but it cannot be used to protect UDP (User Datagram Protocol) traffic. Datagram TLS, abbreviated DTLS, extends the TLS framework to support UDP; it is the variant of TLS for datagram transport.
SSL VPN (Virtual Private Network) is the simplest and most secure solution for remote users accessing sensitive company data. Existing SSL VPN technologies are mainly of three kinds: proxy, web reverse proxy and IP layer tunnel. An IP layer SSL VPN tunnel is currently built in one of two ways: SSL-only, or SSL+DTLS. In the SSL-only mode all traffic in the SSL VPN tunnel is carried over TCP, so the reliable delivery of the TCP connection is imposed on traffic that does not need it, which wastes a certain amount of bandwidth. In the SSL+DTLS mode the SSL protocol negotiates and establishes a control connection, and the DTLS protocol establishes a data connection that carries the traffic in the SSL VPN tunnel. This solves the bandwidth waste but introduces another problem: SSL negotiates once when the control connection is established, and under this mode DTLS negotiates again when the data connection is established. Each negotiation of a cipher suite and encryption parameters consumes system performance, and the second negotiation brings no security advantage.
Summary of the invention
(1) Technical problem to be solved
The technical problem solved by the present invention is how to provide a method for constructing an IP layer SSL VPN tunnel that reduces the consumption of system performance.
(2) Technical solution
To solve the above problem, the invention provides a method for constructing an IP layer SSL VPN tunnel, comprising the following steps:
S1: negotiate a control connection with the SSL protocol, obtaining a cipher suite and encryption parameters, and establish the control connection with the SSL protocol using the cipher suite and encryption parameters;
S2: establish a data connection with the DTLS protocol using the cipher suite and encryption parameters.
Preferably, the SSL VPN tunnel is implemented between two gateways, or between a gateway and a client.
Preferably, when the SSL VPN tunnel is implemented between a gateway and a client, the following step is performed before step S2: transmit the endpoint security check policy and the check result over the control connection.
Preferably, step S0 is performed before step S1: trigger tunnel negotiation.
Preferably, when the SSL VPN tunnel is implemented between two gateways, step S0 (trigger tunnel negotiation) is performed automatically after system start-up;
when the SSL VPN tunnel is implemented between a gateway and a client, step S0 (trigger tunnel negotiation) is performed automatically when the user logs in.
Preferably, in step S2 the data connection uses the Record layer of the DTLS protocol to encapsulate data into tunnel datagrams.
Preferably, the tunnel datagram comprises a tunnel shell and a tunnel kernel; the tunnel shell comprises a tunnel IP header, a UDP header and a DTLS Record header; the tunnel kernel comprises an inner IP header and an inner IP payload.
Preferably, the tunnel IP header comprises the tunnel source IP and the tunnel destination IP, the UDP header comprises the source port and the destination port, and the inner IP header comprises the host source IP and the host destination IP.
Preferably, the negotiation of the control connection in step S1 is completed by the handshake procedure of the SSL protocol.
Preferably, the cipher suite and encryption parameters of step S1 are stored in memory for direct use in step S2.
(3) Beneficial effects
In the method of the invention for constructing an IP layer SSL VPN tunnel, when the data connection is established with the DTLS protocol the cipher suite and encryption parameters obtained from the SSL negotiation are used directly, which reduces the consumption of system performance.
Description of the drawings
Fig. 1 is the flow chart of the method for constructing an IP layer SSL VPN tunnel according to an embodiment of the invention;
Fig. 2 is the structure diagram of the tunnel datagram according to an embodiment of the invention.
Embodiments
The specific embodiments of the invention are described in further detail below with reference to the drawings and examples. The following embodiments illustrate the invention but do not limit its scope.
Fig. 1 is the flow chart of the method for constructing an IP layer SSL VPN tunnel according to an embodiment of the invention. Referring to Fig. 1, the method comprises the following steps:
S1: negotiate a control connection with the SSL protocol, obtaining a cipher suite and encryption parameters, and establish the control connection with the SSL protocol using the cipher suite and encryption parameters;
negotiating the control connection also includes the step of completing certificate verification.
S2: establish a data connection with the DTLS protocol using the cipher suite and encryption parameters.
The SSL VPN tunnel consists of two parts, the control connection and the data connection. In step S1 the cipher suite and encryption parameters are obtained by SSL negotiation and the control connection is established; when the data connection is established with DTLS in step S2, the cipher suite and encryption parameters negotiated by SSL in step S1 are used directly, which reduces the consumption of system performance.
Preferably, the SSL VPN tunnel is implemented between two gateways, or between a gateway and a client. SSL VPN tunnels of the proxy and web reverse proxy kinds do not solve gateway-to-gateway data protection well and are generally applied only to gateway-to-client data protection. The IP layer SSL VPN tunnel of the invention can be applied both between two gateways and between a gateway and a client, and so has a wider range of application.
Preferably, when the SSL VPN tunnel is implemented between a gateway and a client, the following step is performed before step S2: transmit the endpoint security check policy and the check result over the control connection.
Preferably, step S0 is performed before step S1: trigger tunnel negotiation.
Preferably, when the SSL VPN tunnel is implemented between two gateways, step S0 (trigger tunnel negotiation) is performed automatically after system start-up;
when the SSL VPN tunnel is implemented between a gateway and a client, step S0 (trigger tunnel negotiation) is performed automatically when the user logs in.
Preferably, in step S2 the data connection uses the Record layer of the DTLS protocol to encapsulate data into tunnel datagrams. The Record layer is the most basic layer of DTLS; encrypted content must be carried over the Record layer.
Fig. 2 is the structure diagram of the tunnel datagram according to an embodiment of the invention. Referring to Fig. 2, preferably the tunnel datagram comprises a tunnel shell 1 and a tunnel kernel 2; the tunnel shell comprises a tunnel IP header 1.1, a UDP header 1.2 and a DTLS Record header 1.3; the tunnel kernel comprises an inner IP header 2.1 and an inner IP payload 2.2. Suppose the SSL VPN tunnel is implemented between two gateways. When a client protected by the first gateway produces data that needs protection, the data becomes the inner IP payload 2.2; the inner IP header 2.1 is prepended first, forming the tunnel kernel 2; the tunnel shell 1 is then prepended; finally the datagram is sent to the second gateway over the data connection. After the second gateway receives the datagram it first removes the tunnel shell 1 and then forwards the result to the corresponding client, which parses it and obtains the protected data.
Preferably, the tunnel IP header 1.1 comprises the tunnel source IP and the tunnel destination IP, the UDP header 1.2 comprises the source port and the destination port, and the inner IP header 2.1 comprises the host source IP and the host destination IP.
For a gateway-to-gateway SSL VPN tunnel, the tunnel source IP and tunnel destination IP are the IPs of the two gateways; the source port and destination port in the UDP header 1.2 are the SSL VPN data tunnel ports on the gateways; the host source IP and host destination IP may be host IPs in the private networks protected by the two gateways, or a virtual IP which the gateway translates to obtain the real host IP.
For a client-to-gateway SSL VPN tunnel, the tunnel source IP and tunnel destination IP are the client IP and the gateway IP respectively; the source port and destination port in the UDP header 1.2 are the SSL VPN data tunnel ports on the client and on the gateway; the host source IP and host destination IP are, respectively, an IP that the SSL VPN gateway and the private network it protects can recognise, and the IP of a host in the private network protected by the SSL VPN gateway.
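The encapsulation described above, as an added example that is not code from the patent or its assignee: a builder and a parser for the Fig. 2 tunnel datagram (tunnel IP header, UDP header and DTLS Record header as the shell; inner IP header and inner IP payload as the kernel). Header layouts are the standard IPv4, UDP and DTLS 1.2 record formats; the DTLS record cipher is replaced by a labelled toy construction, and the key, addresses, ports and payload are constructed for the demo (the patent names no port number).

```python
import hashlib, hmac, ipaddress, struct

# Added example, not code from the patent or its assignee: builds and parses
# the tunnel datagram of Fig. 2 (tunnel IP header + UDP header + DTLS Record
# header around an inner IP header + inner IP payload). Header layouts follow
# RFC 791 (IPv4), RFC 768 (UDP) and RFC 6347 (DTLS 1.2 record header); the
# key, addresses, ports and payload below are constructed for illustration.

IPPROTO_UDP = 17
DTLS12_VERSION = 0xFEFD   # DTLS 1.2 wire version (RFC 6347)
APPLICATION_DATA = 23     # DTLS ContentType carried on the data connection

def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum (RFC 1071); 0 means the header verifies."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with its checksum filled in."""
    f = [0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
         int(ipaddress.IPv4Address(src)), int(ipaddress.IPv4Address(dst))]
    f[7] = ipv4_checksum(struct.pack("!BBHHHBBHII", *f))
    return struct.pack("!BBHHHBBHII", *f)

def udp_header(sport: int, dport: int, payload_len: int) -> bytes:
    # UDP checksum left zero (optional over IPv4); integrity comes from the DTLS tag.
    return struct.pack("!HHHH", sport, dport, 8 + payload_len, 0)

def dtls_record_header(epoch: int, seq: int, length: int) -> bytes:
    """ContentType(1) ProtocolVersion(2) epoch(2) sequence_number(6) length(2)."""
    return (struct.pack("!BHH", APPLICATION_DATA, DTLS12_VERSION, epoch)
            + seq.to_bytes(6, "big") + struct.pack("!H", length))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def protect(key: bytes, epoch: int, seq: int, plain: bytes) -> bytes:
    """Toy stand-in for the DTLS record cipher (not a real cipher suite):
    SHA-256 keystream under (key, epoch, seq) plus an HMAC-SHA256 tag. As in
    DTLS the nonce is epoch||sequence_number, so one key must never protect
    two records under the same (epoch, seq)."""
    nonce = struct.pack("!H", epoch) + seq.to_bytes(6, "big")
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unprotect(key: bytes, epoch: int, seq: int, fragment: bytes) -> bytes:
    body, tag = fragment[:-32], fragment[-32:]
    nonce = struct.pack("!H", epoch) + seq.to_bytes(6, "big")
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("DTLS record authentication failed")
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))

def build_tunnel_datagram(key, tunnel_src, tunnel_dst, sport, dport,
                          host_src, host_dst, inner_proto, payload, epoch, seq):
    """Sender: kernel = inner IP header + payload; shell = DTLS Record + UDP + IP."""
    kernel = ipv4_header(host_src, host_dst, inner_proto, len(payload)) + payload
    fragment = protect(key, epoch, seq, kernel)
    record = dtls_record_header(epoch, seq, len(fragment)) + fragment
    udp = udp_header(sport, dport, len(record)) + record
    return ipv4_header(tunnel_src, tunnel_dst, IPPROTO_UDP, len(udp)) + udp

def strip_tunnel_shell(key: bytes, dgram: bytes) -> dict:
    """Receiver: validate each shell header, authenticate and decrypt the record,
    and return the kernel fields ready for forwarding."""
    ihl = (dgram[0] & 0x0F) * 4
    if dgram[0] >> 4 != 4 or ipv4_checksum(dgram[:ihl]) != 0:
        raise ValueError("bad tunnel IP header")
    if dgram[9] != IPPROTO_UDP or struct.unpack("!H", dgram[2:4])[0] != len(dgram):
        raise ValueError("tunnel shell is not UDP or length mismatch")
    sport, dport, ulen, _ = struct.unpack("!HHHH", dgram[ihl:ihl + 8])
    rec = dgram[ihl + 8:ihl + ulen]
    ctype, version, epoch = struct.unpack("!BHH", rec[:5])
    seq, length = int.from_bytes(rec[5:11], "big"), struct.unpack("!H", rec[11:13])[0]
    if (ctype, version) != (APPLICATION_DATA, DTLS12_VERSION) or length != len(rec) - 13:
        raise ValueError("bad DTLS record header")
    kernel = unprotect(key, epoch, seq, rec[13:])
    kihl = (kernel[0] & 0x0F) * 4
    if ipv4_checksum(kernel[:kihl]) != 0:
        raise ValueError("bad inner IP header")
    return {"tunnel_src": str(ipaddress.IPv4Address(dgram[12:16])),
            "tunnel_dst": str(ipaddress.IPv4Address(dgram[16:20])),
            "sport": sport, "dport": dport, "epoch": epoch, "seq": seq,
            "host_src": str(ipaddress.IPv4Address(kernel[12:16])),
            "host_dst": str(ipaddress.IPv4Address(kernel[16:20])),
            "inner_proto": kernel[9], "payload": kernel[kihl:]}

# Constructed demo values: documentation-range gateway addresses, private host
# addresses and an assumed tunnel port (the patent names no port number).
DEMO_KEY = hashlib.sha256(b"stand-in for the SSL-negotiated key material").digest()

def demo() -> dict:
    payload = b"\x08\x00demo ping"   # constructed inner IP payload
    dgram = build_tunnel_datagram(DEMO_KEY, "198.51.100.1", "198.51.100.2", 4433, 4433,
                                  "10.0.0.5", "10.1.0.7", 1, payload, epoch=1, seq=7)
    return strip_tunnel_shell(DEMO_KEY, dgram)
```

`strip_tunnel_shell` performs the receiver-side checks that the text leaves implicit: outer header version, checksum and protocol, the UDP length, the DTLS content type, version and length, and the record tag, all before the inner IP header is trusted and forwarded. It does not keep a DTLS anti-replay window, so a real gateway must additionally reject repeated (epoch, sequence_number) pairs. The toy cipher also makes the cost of reusing the negotiated parameters visible: the record nonce is epoch||sequence_number, so if the SSL control connection and the DTLS data connection are driven from the same write keys and each counts sequence numbers from zero, the same nonce is used under the same key on both connections, and two records protected under one nonce XOR to the XOR of their plaintexts. An implementation that skips the second negotiation must therefore keep the two record layers' key and nonce spaces disjoint.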
Preferably, the negotiation of the control connection in step S1 is completed by the handshake procedure of the SSL protocol. Using the handshake that SSL itself already includes makes the method easy to deploy.
Preferably, the cipher suite and encryption parameters of step S1 are stored in memory for direct use in step S2.
The cipher suite and encryption parameters obtained by negotiation in step S1 are not discarded after being used to establish the control connection but are kept in memory. Thus when the data connection is established in step S2 they can be used directly, the second negotiation is omitted, and system performance is saved.
The above embodiments only illustrate the invention and do not limit it. Those of ordinary skill in the relevant art can make various changes and modifications without departing from the spirit and scope of the invention, so all equivalent technical solutions also fall within the scope of the invention, which is defined by the claims.

Claims (10)

1. A method for constructing an IP layer SSL VPN tunnel, characterized in that the method comprises the following steps:
S1: negotiating a control connection with the SSL protocol to obtain a cipher suite and encryption parameters, and establishing the control connection with the SSL protocol using the cipher suite and encryption parameters;
S2: establishing a data connection with the DTLS protocol using the cipher suite and encryption parameters.
2. The method for constructing an IP layer SSL VPN tunnel according to claim 1, characterized in that the SSL VPN tunnel is implemented between two gateways or between a gateway and a client.
3. The method for constructing an IP layer SSL VPN tunnel according to claim 2, characterized in that, when the SSL VPN tunnel is implemented between a gateway and a client, the following step is performed before step S2: transmitting an endpoint security check policy and a check result over the control connection.
4. The method for constructing an IP layer SSL VPN tunnel according to claim 1, characterized in that step S0 is performed before step S1: triggering tunnel negotiation.
5. The method for constructing an IP layer SSL VPN tunnel according to claim 4, characterized in that:
when the SSL VPN tunnel is implemented between two gateways, step S0 (triggering tunnel negotiation) is performed automatically after system start-up;
when the SSL VPN tunnel is implemented between a gateway and a client, step S0 (triggering tunnel negotiation) is performed automatically when the user logs in.
6. The method for constructing an IP layer SSL VPN tunnel according to claim 1, characterized in that in step S2 the data connection uses the Record layer of the DTLS protocol to encapsulate data into tunnel datagrams.
7. The method for constructing an IP layer SSL VPN tunnel according to claim 6, characterized in that the tunnel datagram comprises a tunnel shell and a tunnel kernel; the tunnel shell comprises a tunnel IP header, a UDP header and a DTLS Record header; the tunnel kernel comprises an inner IP header and an inner IP payload.
8. The method for constructing an IP layer SSL VPN tunnel according to claim 7, characterized in that the tunnel IP header comprises a tunnel source IP and a tunnel destination IP, the UDP header comprises a source port and a destination port, and the inner IP header comprises a host source IP and a host destination IP.
9. The method for constructing an IP layer SSL VPN tunnel according to claim 1, characterized in that the negotiation of the control connection in step S1 is completed by the handshake procedure of the SSL protocol.
10. The method for constructing an IP layer SSL VPN tunnel according to claim 1, characterized in that the cipher suite and encryption parameters of step S1 are stored in memory for direct use in step S2.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2011100485206A CN102137100B (en) 2011-03-01 2011-03-01 Method for constructing IP (Internet Protocol) layer SSL VPN (Secure Socket Layer Virtual Private Network) tunnel

Publications (2)

Publication Number Publication Date
CN102137100A true CN102137100A (en) 2011-07-27
CN102137100B CN102137100B (en) 2013-12-11

Family

ID=44296755

Country Status (1)

Country Link
CN (1) CN102137100B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080052769A1 (en) * 2004-05-31 2008-02-28 Manuel Leone Method And System For A Secure Connection In Communication Networks
CN101286896A (en) * 2008-06-05 2008-10-15 上海交通大学 IPSec VPN protocol drastic detecting method based on flows
CN101299667A (en) * 2008-06-05 2008-11-05 华为技术有限公司 Authentication method, system, client equipment and server

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2016119747A1 (en) * 2015-01-30 2016-08-04 Huawei Technologies Co., Ltd. System and method for communicating in an ssl vpn
US10572932B2 (en) 2017-01-27 2020-02-25 Walmart Apollo, Llc System for providing optimal shopping routes in retail store and method of using same
US10657580B2 (en) 2017-01-27 2020-05-19 Walmart Apollo, Llc System for improving in-store picking performance and experience by optimizing tote-fill and order batching of items in retail store and method of using same
US11270372B2 (en) 2017-01-27 2022-03-08 Walmart Apollo, Llc System for improving in-store picking performance and experience by optimizing tote-fill and order batching of items in retail store and method of using same
US11461831B2 (en) 2017-04-17 2022-10-04 Walmart Apollo, Llc Systems to fulfill a picked sales order and related methods therefor
US11508000B2 (en) 2017-04-17 2022-11-22 Walmart Apollo, Llc Systems to fulfill a picked sales order and related methods therefor
US10699328B2 (en) 2017-04-17 2020-06-30 Walmart Apollo, Llc Systems to fulfill a picked sales order and related methods therefor
US10796357B2 (en) 2017-04-17 2020-10-06 Walmart Apollo, Llc Systems to fulfill a picked sales order and related methods therefor
US10825076B2 (en) 2017-04-17 2020-11-03 Walmart Apollo Llc Systems to fulfill a picked sales order and related methods therefor
US11494829B2 (en) 2017-04-17 2022-11-08 Walmart Apollo, Llc Systems to fulfill a picked sales order and related methods therefor
US10846645B2 (en) 2017-04-28 2020-11-24 Walmart Apollo, Llc Systems and methods for real-time order delay management
US10810542B2 (en) 2017-05-11 2020-10-20 Walmart Apollo, Llc Systems and methods for fulfilment design and optimization
US11126953B2 (en) 2017-06-14 2021-09-21 Walmart Apollo, Llc Systems and methods for automatically invoking a delivery request for an in-progress order
US11734642B2 (en) 2017-06-14 2023-08-22 Walmart Apollo, Llc Systems and methods for automatically invoking a delivery request for an in-progress order
US11941577B2 (en) 2017-06-28 2024-03-26 Walmart Apollo, Llc Systems and methods for automatically requesting delivery drivers for online orders
US11669886B2 (en) 2017-07-13 2023-06-06 Walmart Apollo, Llc Systems and methods for determining an order collection start time
CN110601950A (en) * 2019-10-08 2019-12-20 河南省云安大数据安全防护产业技术研究院有限公司 VPN gateway system based on DTLS protocol and implementation method
CN112887976A (en) * 2019-11-29 2021-06-01 北京华耀科技有限公司 VPN network automatic recovery system and method of intelligent terminal
CN112887976B (en) * 2019-11-29 2023-06-30 北京华耀科技有限公司 VPN network automatic recovery system and method of intelligent terminal
US11657347B2 (en) 2020-01-31 2023-05-23 Walmart Apollo, Llc Systems and methods for optimization of pick walks
US11868958B2 (en) 2020-01-31 2024-01-09 Walmart Apollo, Llc Systems and methods for optimization of pick walks

Also Published As

Publication number Publication date
CN102137100B (en) 2013-12-11

Similar Documents

Publication Publication Date Title
CN102137100B (en) Method for constructing IP (Internet Protocol) layer SSL VPN (Secure Socket Layer Virtual Private Network) tunnel
US10581803B1 (en) Application-aware connection rules for network access client
AU2021201714B2 (en) Client(s) to cloud or remote server secure data or file object encryption gateway
US11792169B2 (en) Cloud storage using encryption gateway with certificate authority identification
US10250571B2 (en) Systems and methods for offloading IPSEC processing to an embedded networking device
US8443435B1 (en) VPN resource connectivity in large-scale enterprise networks
US20110113236A1 (en) Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism
US20170034213A1 (en) Efficient Use of IPSEC Tunnels in Multi-Path Environment
US20200044893A1 (en) Providing on-demand vpn connectivity on a per-application basis
US20150058946A1 (en) Connectivity services application programming interface
CA3066728A1 (en) Cloud storage using encryption gateway with certificate authority identification
JP2010020777A (en) Zero-install ip security
US20220217126A1 (en) Apparatus and method for secure router device
CN103179225A (en) IPsec-based (internet protocol security-based) keep-alive method and equipment for NAT (network address translation) entries
KR101971995B1 (en) Method for decryping secure sockets layer for security
US20120216033A1 (en) Communication system, printing device, and sa establishment method
WO2023024540A1 (en) Methods and apparatus for processing message and obtaining sa information, system, and medium
WO2023070572A1 (en) Communication device and method therein for facilitating ipsec communications
JP2012160941A (en) Information processing device, information processing method and program
Wu Implementation of virtual private network based on IPSec protocol
CN102843281B (en) Method for accessing local network
CN117544396A (en) IPSec virtual private network client and method
JP4724636B2 (en) Protocol processing system and protocol processing method
Kuang Application Research of Computer Network Load Certification Constructing VPN Tunnel Technology
Wang et al. Research on secure information transmission based on internet of things numerical control system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
PP01 Preservation of patent right

Effective date of registration: 20180823

Granted publication date: 20131211

PD01 Discharge of preservation of patent

Date of cancellation: 20210823

Granted publication date: 20131211

CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20131211

Termination date: 20190301