CN102281161A - Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method - Google Patents

Publication number
CN102281161A
Authority
CN
China
Prior art keywords
vpnagent
vpn
tunnel
vpnctroler
module
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN2011102734148A
Other languages
Chinese (zh)
Other versions
CN102281161B (en
Inventor
张启飞
陈小平
杨文青
吕红兵
平玲娣
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Zhejiang University ZJU
Original Assignee
Zhejiang University ZJU
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Zhejiang University ZJU filed Critical Zhejiang University ZJU
Priority to CN201110273414.8A priority Critical patent/CN102281161B/en
Publication of CN102281161A publication Critical patent/CN102281161A/en
Application granted granted Critical
Publication of CN102281161B publication Critical patent/CN102281161B/en
Expired - Fee Related legal-status Critical Current
Anticipated expiration legal-status Critical

Abstract

The invention discloses a multi-agent virtual private network (VPN) tunnel concurrent testing system and a multi-agent load balancing method. The VPN control end requests each VPN agent's capability vector with a request command, then distributes the number of tunnels among the VPN agents according to the returned capability vectors, which achieves dynamic load balancing. Each VPN agent establishes and tears down tunnels on command from the control end. While doing so, the VPN agent periodically reports state information, so the VPN control end can monitor the current load of the system in real time. The multi-agent design simulates concurrent testing in a real environment as closely as possible, because tunnels can be established concurrently on every agent. The centralized control method is convenient to operate and easy to implement.

Description

Multi-agent VPN tunnel concurrent testing system and multi-agent load balancing method
Technical field
The invention belongs to the field of network security architecture, and in particular relates to a multi-agent VPN tunnel concurrent testing system and a multi-agent load balancing method.
Background
As world economic integration accelerates, multinational companies play an increasingly visible role in the world economy, and the cost of interconnecting intranets across regions grows accordingly; traditional leased lines are expensive. The Virtual Private Network (VPN) gives remote users and remote branches secure access to a company's internal network resources and guarantees secure transmission over an encrypted channel. A virtual tunnel is established between the client and the corporate gateway; after authentication, the tunnel is protected by strong cryptographic algorithms, which guarantees security properties such as data security and integrity on the tunnel. Because the tunnel is built over the Internet, it provides a dedicated channel across the public network. To measure the load performance of a VPN gateway (line rate, total number of tunnels, throughput and so on), multiple clients must be simulated to drive the gateway to its maximum performance. Gateways are usually very powerful, so a single agent (VPNAgent) cannot bring the gateway to its maximum performance and several agents are needed. The capability of the gateway is not known before the measurement, however, so the number of agents required cannot be determined in advance and the configuration has to be repeated according to how the test goes. This easily causes two problems: (1) the target performance is not reached and the configuration must be repeated; (2) some agents may be overloaded while others carry very little load, which wastes resources and causes failures.
Summary of the invention
The object of the invention is to address the deficiencies of the prior art by providing a multi-agent VPN tunnel concurrent testing system and a multi-agent load balancing method.
The object of the invention is achieved through the following technical solution: a multi-agent VPN tunnel concurrent testing system comprising a VPN control end, a VPN agent cluster, a VPN gateway and an application server. The VPN control end is connected to the VPN agent cluster over an IPv4 network. The VPN agent cluster has two connections to the VPN gateway: at the lower layer a tunnel connection is established over an IPv6 network, and at the upper layer an application data connection is established over the IPv6 network. The VPN gateway forwards application data packets to the application server.
Further, the VPN agent cluster comprises several VPN agents, each connected to the VPN control end over the IPv4 network.
Further, the VPN control end comprises: a basic configuration module, an application data layer configuration module, an advanced configuration module, an L2tp configuration module, an IKEv1 configuration module, an IKEv2 configuration module, an IKEv2+EAP configuration module, a communication module, an XML encapsulation module, a real-time status display module and a control end main module. The control end main module calls the XML encapsulation module to encapsulate the user's commands and parameters in XML format and, once the data is encapsulated, calls the communication module to send it. When the communication module receives a packet, it calls the XML encapsulation module to decapsulate the XML data and then calls the real-time status display module.
A multi-agent load balancing method using the above multi-agent VPN tunnel concurrent testing system comprises the following steps:
(1) VPNCtroler runs on a Windows system and VPNAgent runs on a Windows or Linux system; multiple VPNAgents form a VPNCluster. VPNServer generally runs on a high-performance blade server and, in a real environment, acts as the gateway between the internal and external networks;
(2) tunnels are established between VPNAgent and VPNServer, and load balancing among the VPNAgents is achieved through the centralized control of VPNCtroler;
(3) the application server (APPServer) runs behind VPNServer and provides a service carried over the tunnel: an FTP service, an HTTP service, a UDP data service or a TCP data service;
(4) VPNCtroler communicates with the VPNAgents over the widely deployed IPv4 network; the tunnels between VPNAgent and VPNServer are based on IPv4 or IPv6;
(5) VPNCtroler requests the current capability vector and load value from each VPNAgent as needed. On receiving the request, the VPNAgent immediately returns its capability vector and load value. On receiving the response, VPNCtroler selects the weight vector W according to the tunnel type currently under test, then calculates the actual capability value
Figure 2011102734148100002DEST_PATH_IMAGE001
, and finally normalizes the actual capability value to obtain the normalized value
Figure 229122DEST_PATH_IMAGE002
(6) after step (5), VPNCtroler obtains a normalized vector
Figure 2011102734148100002DEST_PATH_IMAGE003
, and according to
Figure 610818DEST_PATH_IMAGE002
VPNCtroler allocates the number of tunnels and the throughput proportionally;
(7) a load balancing step for the line-rate test is performed to better meet the requirements of line-rate testing; the line-rate metric measures the number of tunnels that VPNServer can establish per unit time;
(8) after the tunnel between VPNAgent and APPServer is set up, data is carried over the tunnel; one end of the data is the application request program (APPClient) on the VPNAgent and the other end is the application server (APPServer);
(9) VPNAgent periodically sends the tunnel state and the current system statistics to VPNCtroler, which displays them in its interface;
(10) communication data between VPNAgent and VPNCtroler is encapsulated in XML format and then sent over a Socket.
Further, step (7) is implemented by the following substeps:
(a) VPNCtroler assigns a fixed number of new tunnels and sends it to each VPNAgent; each VPNAgent establishes the number of tunnels assigned by VPNCtroler;
(b) while establishing the tunnels, each VPNAgent collects its own capability vector
Figure 986436DEST_PATH_IMAGE001
, and then sends the collected
Figure 344736DEST_PATH_IMAGE001
to VPNCtroler;
(c) if a VPNAgent does not send back
Figure 817306DEST_PATH_IMAGE001
within the preset time, VPNCtroler sends a request message to that VPNAgent asking for its capability vector;
(d) after collecting the capability vectors of all VPNAgents, VPNCtroler sends a request message requiring the VPNAgents to tear down all tunnels;
(e) after waiting a fixed time following step (d), VPNCtroler allocates new tunnel numbers according to steps (5) and (6).
The beneficial effects of the invention are as follows. The invention implements a distributed multi-agent VPN tunnel test system in which the agents are distributed across the local network and each agent can initiate tunnel tests in parallel; because the agents initiate tunnel tests concurrently, the test comes close to simulating a real usage environment. The agents are distributed, so the system is easy to scale out; for current large blade-based VPN gateway servers, metrics such as the tunnel establishment rate per unit time and the maximum number of tunnels can be measured by adding agents. The invention also provides a multi-agent load balancing method that achieves dynamic load balancing among multiple VPN agents, thereby saving resources and reducing failures.
Description of drawings
Fig. 1 is the system structure of the invention;
Fig. 2 is the module structure diagram of the control end of the invention;
Fig. 3 is the module structure diagram of the agent end of the invention.
Embodiment
The invention is further described below with reference to the drawings and specific embodiments.
The invention proposes a distributed multi-agent VPN tunnel test system and a method for load balancing among its VPN agents (VPNAgent). The agents are distributed at various locations in the network and are unaware of one another; together, all VPN agents form a VPN cluster (VPNCluster). The control end (VPNCtroler) runs on an ordinary machine, and VPNCtroler and the VPNAgents communicate over the ubiquitous IPv4 protocol. The VPN gateway (VPNServer) is the system's IUT (Implementation Under Test); it generally runs on a high-performance blade server, and the tunnels exist between VPNAgent and VPNServer. The application server (APPServer) sits behind VPNServer; data from a VPNAgent passes through the tunnel between VPNAgent and VPNServer and is then forwarded to APPServer.
Load balancing among the agents is implemented on top of this distributed multi-agent VPN tunnel test system. In the earlier test environment, the number of tunnels each VPNAgent establishes, the line rate (the number of tunnels established per unit time) and the throughput were configured statically in advance; the VPNAgents were independent of one another, and the administrator could only configure them statically through VPNCtroler based on experience. The invention provides a centralized multi-agent load balancing algorithm: VPNCtroler allocates tunnel numbers to the VPNAgents according to the capability vectors they return, and if a VPNAgent's load is too high it is given no new tunnels or only a small number. After running for some time, each VPNAgent carries a load that matches its capability. Capability is represented by the current machine's CPU usage percentage, network usage percentage, memory usage percentage, disk usage percentage and I/O byte count, and is expressed by the vector
Figure 868438DEST_PATH_IMAGE004
. The tunnels covered by the invention are of five types: L2tp, L2tp Over IpSec, Ikev1, Ikev2 and Ikev2+EAP. Each tunnel type places different demands on CPU, memory and so on, so a weight vector
Figure 2011102734148100002DEST_PATH_IMAGE005
is provided; for each tunnel type, the capability vector C is multiplied by the corresponding weight vector to obtain the actual capability value
Figure 229887DEST_PATH_IMAGE006
. VPNCtroler calculates the actual capability value from the capability vector returned by each VPNAgent, and finally uses normalization to calculate each VPNAgent's normalized capability value
Figure 2011102734148100002DEST_PATH_IMAGE007
. VPNCtroler allocates the number of tunnels, the throughput and similar quantities in proportion to the VPNAgents' normalized values, so that load balancing among the VPNAgents is achieved dynamically.
The overall system structure of the invention is shown in Fig. 1 and comprises the following parts:
The agents are distributed at various locations in the network and are unaware of one another; all VPNAgents (102 in Fig. 1) together form a VPNCluster (103 in Fig. 1). VPNCtroler (101 in Fig. 1) runs on an ordinary machine; VPNCtroler and the VPNAgents communicate over the ubiquitous IPv4 protocol, and a connection exists between VPNCtroler and every VPNAgent. The VPN gateway (VPNServer, 104 in Fig. 1) is the system's IUT (Implementation Under Test); it generally runs on a high-performance blade server, the tunnels exist between VPNAgent and VPNServer, and the tunnels are based on the IPv6 protocol. The application server (APPServer, 105 in Fig. 1) sits behind VPNServer; data from a VPNAgent passes through the tunnel between VPNAgent and VPNServer and is then forwarded to APPServer. The connection between VPNServer and APPServer is IPv4 or IPv6.
106 in Fig. 1 is the control connection between VPNCtroler and VPNAgent; it carries VPNCtroler's control of the VPNAgent and the data the VPNAgent returns to VPNCtroler. 107 in Fig. 1 is the tunnel connection between VPNAgent and VPNServer. 108 in Fig. 1 is the data connection, which has two parts. One part runs over tunnel connection 107 and corresponds to a client in a real environment reaching the company's border gateway across the insecure Internet; to keep this data secure it is carried in the secure tunnel. The other part lies between VPNServer and APPServer and corresponds to the internal network in a real environment; it is considered secure and therefore needs no tunnel protection.
The overall system structure of the invention, shown in Fig. 1, comprises VPN control end 101, VPN agent cluster 103, VPN gateway 104 and application server 105. VPN control end 101 is connected to VPN agent cluster 103 over an IPv4 network. VPN agent cluster 103 has two connections to VPN gateway 104: at the lower layer a tunnel connection is established over an IPv6 network, and at the upper layer an application data connection is established over the IPv6 network. VPN gateway 104 forwards application data packets to application server 105.
VPN agent cluster 103 comprises several VPN agents 102. Each VPN agent 102 is connected to VPN control end 101 over the IPv4 network.
VPN control end 101 is a graphical user interface. It accepts the user's configuration and then initiates tunnel establishment and teardown; after issuing the tunnel establishment command it requests the capability vector from each VPNAgent, calculates the number of tunnels for each VPNAgent from the returned capability vectors and assigns it; and it dynamically updates the state information that the VPNAgents periodically send back.
VPN agent cluster 103 is a set of VPN agents 102; the members do not need to be aware of one another. Each agent is the core of the system and is responsible for: communicating with VPN control end 101; collecting the VPNAgent's capability vector; collecting the VPNAgent's current state information; establishing tunnels; sending and receiving application data; and tearing down tunnels.
VPN gateway 104 is the IUT, that is, the device under test; it is responsible for establishing tunnels with the VPNAgents, maintaining tunnel state and forwarding packets.
Application server 105 is the application server; in this system it is one of a UDP data server, a TCP data server, an FTP server or an HTTP server.
The structure of VPN control end 101 is shown in Fig. 2. It comprises: basic configuration module 201, application data layer configuration module 202, advanced configuration module 203, L2tp configuration module 204, IKEv1 configuration module 205, IKEv2 configuration module 206, IKEv2+EAP configuration module 207, communication module 208, XML encapsulation module 209, real-time status display module 210 and control end main module 211. The control end main module calls XML encapsulation module 209 to encapsulate the user's commands and parameters in XML format and, once the data is encapsulated, calls communication module 208 to send it. When communication module 208 receives a packet, it calls the XML encapsulation module to decapsulate the XML data and then calls real-time status display module 210.
The characteristics and functions of the modules are as follows:
Basic configuration module 201 holds the basic configuration: the agent's IPv4 address and port, the IPv6 address of VPNServer, the IPv6 address and negotiation address of VPNAgent, the number of tunnels per unit time and the total number of tunnels.
Application data layer configuration module 202 holds the application data configuration: the application-layer protocol (the system offers four: UDP, TCP, FTP and HTTP), the server IP address and port, the payload length and the traffic volume.
Advanced configuration module 203 holds the advanced configuration: the tunnel offline policy, the number of retries and the retry interval after a failed negotiation, and the log settings.
Communication module 208 is responsible for sending data and for listening for incoming data.
XML encapsulation module 209 is responsible for encapsulating data as XML and for parsing XML files.
Real-time status display module 210 updates the interface in real time with the state information received.
L2tp configuration module 204 holds the L2tp configuration: the LNS server address; the authentication mode (the system supports CHAP and PAP); and the AAA authentication user name and password.
IKEv1 configuration module 205 holds the IKEv1 configuration: the phase 1 mode (the system supports main mode and aggressive mode); the phase 1 encryption algorithm, authentication algorithm, authentication mode and D-H group; the phase 2 IPSEC protocol, AH authentication algorithm, and ESP encryption and authentication algorithms; the advanced setting for the interval at which keep-alive packets are sent; the IKE SA time and the IPSEC SA time.
IKEv2 configuration module 206 holds the IKEv2 configuration: the phase 1 authentication mode (the system supports two: by name and by IP address); the phase 1 encryption algorithm, authentication algorithm, authentication mode and D-H group; the phase 2 IPSEC protocol, AH authentication algorithm, and ESP encryption and authentication algorithms; the advanced setting for the interval at which keep-alive packets are sent; the IKE SA time and the IPSEC SA time.
IKEv2+EAP configuration module 207 holds the IKEv2+EAP configuration: the phase 1 authentication mode (the system supports two: by name and by IP address); the phase 1 encryption algorithm, authentication algorithm, authentication mode and D-H group; the phase 2 IPSEC protocol, AH authentication algorithm, and ESP encryption and authentication algorithms; the user name and password for EAP authentication; the advanced setting for the interval at which keep-alive packets are sent; the IKE SA time and the IPSEC SA time.
VPN agent cluster 103 is a set of agents that have no contact with one another. The structure of a single agent is shown in Fig. 3. It comprises VPN agent capability computing module 301, VPN agent main control module 302, VPN agent XML encapsulation module 303, VPN agent XML decapsulation module 304, VPN agent communication module 305, VPN agent tunnel traffic generation module 306, VPN agent tunnel generation module 307, VPN agent tunnel teardown module 308 and VPN agent state generation module 309:
VPNAgent main control module 302 is the core of the whole system and drives the other modules according to the type of tunnel test. VPN agent communication module 305 is the lowest-level module; it uses Socket programming to receive packets from VPNCtroler. VPN agent XML encapsulation module 303 and VPN agent XML decapsulation module 304 are also relatively low-level modules. Data messages processed by communication module 305 are handed to XML decapsulation module 304, which parses the XML file and extracts the commands and parameters sent by VPNCtroler. Likewise, XML encapsulation module 303 packs data and parameters into an XML file and hands it to communication module 305, which sends the packet to VPNCtroler over a Socket.
VPN agent tunnel generation module 307 and VPN agent tunnel teardown module 308 create and remove tunnels. During the line-rate test and the total-tunnel-count test, the VPNAgent main control module calls module 307, which initiates the corresponding tunnels according to the configuration. Each tunnel type has its own configuration parameters, including the encryption algorithm, integrity check algorithm, authentication method and Diffie-Hellman group. The module negotiates with VPNServer using the selected parameters to establish the tunnel. Different parameters have different costs; for example, the CPU computation required by DES-CBC and by AES-256 encryption differs several-fold.
The tunnel types that can be negotiated are: L2tp, L2tp Over IpSec, Ikev1, Ikev2 and Ikev2+EAP.
Encryption algorithms: DES-CBC, 3DES-CBC, AES-128, AES-192, AES-256.
Integrity check algorithms: SHA1-128, SHA1-256, MD5.
Authentication methods: pre-shared key (PSK), certificate authentication.
VPN agent capability computing module 301 computes capability: every interval T it calculates the current CPU usage percentage, network usage percentage, memory usage percentage, disk usage percentage and I/O byte count, expressed as the vector
Figure 391878DEST_PATH_IMAGE004
. When module 302 requests the capability vector, module 301 computes the mean of the capability vectors
Figure 391058DEST_PATH_IMAGE008
The interval T is defined as 100 ms, and N is the number of intervals T.
VPN agent tunnel traffic generation module 306 generates traffic according to the parameters sent by VPNCtroler, including TCP data traffic, UDP data traffic, FTP traffic and HTTP traffic.
VPN agent state generation module 309 periodically returns the current system state to VPNCtroler, including the number of tunnels negotiated successfully, the number of failed tunnels, the number of tunnels under negotiation, throughput, draw throughput. The reporting interval is T = 1 second.
VPN gateway 104 is the IUT, that is, the system's device under test.
Application server 105 provides the application-layer servers. The application-layer services in this system are UDP data, TCP data, FTP data and HTTP data, and the services listen on ports 5001, 5002, 5003 and 5004 respectively. Every service is multithreaded and accepts concurrent connections. For UDP, the application server simply returns the data sent by VPNAgent; for TCP, once the connection is established, the application server likewise returns the data sent by VPNAgent; for FTP, the traffic consists of a large amount of downlink data and a small amount of uplink data; for HTTP, VPNAgent chooses the data and the HTTP server responds according to the action sent, which may be GET or POST.
The invention implements load balancing among multiple agents on the system structure described above, through the following steps:
1. VPNCtroler runs on a Windows system and VPNAgent runs on a Windows or Linux system; multiple VPNAgents form a VPNCluster. VPNServer generally runs on a high-performance blade server and, in a real environment, acts as the gateway between the internal and external networks.
2. Tunnels are established between VPNAgent and VPNServer, and load balancing among the VPNAgents is achieved through the centralized control of VPNCtroler.
3. The application server (APPServer) runs behind VPNServer and provides a service carried over the tunnel. The invention uses four services: an FTP service, an HTTP service, a UDP data service and a TCP data service.
4. VPNCtroler communicates with the VPNAgents over the widely deployed IPv4 network; the tunnels between VPNAgent and VPNServer are based on IPv4 or IPv6.
5. VPNCtroler requests the current capability vector and load value from each VPNAgent as needed. On receiving the request, the VPNAgent immediately returns its capability vector and load value. On receiving the response, VPNCtroler selects the weight vector W according to the tunnel type currently under test, then calculates the actual capability value
Figure 675409DEST_PATH_IMAGE001
, and finally normalizes the actual capability value to obtain the normalized value
Figure 25619DEST_PATH_IMAGE002
The specific calculation formulas are:
1)
Figure 53618DEST_PATH_IMAGE005
2)
Figure 2011102734148100002DEST_PATH_IMAGE009
3)
Figure 549715DEST_PATH_IMAGE006
4)
Figure 677070DEST_PATH_IMAGE007
The specific tunnel types are:
L2tp, L2tp Over IpSec, Ikev1, Ikev2, Ikev2+EAP.
6. After step (5), VPNCtroler obtains a normalized vector
Figure 576893DEST_PATH_IMAGE003
, and according to
Figure 579222DEST_PATH_IMAGE002
VPNCtroler allocates the number of tunnels and the throughput proportionally.
7. The load balancing step for the line-rate test. The line-rate metric measures the number of tunnels that VPNServer can establish per unit time; to better meet the requirements of line-rate testing, we designed the following method, which comprises these steps:
1) VPNCtroler assigns a fixed number of new tunnels and sends it to each VPNAgent; each VPNAgent establishes the number of tunnels assigned by VPNCtroler.
2) While establishing the tunnels, each VPNAgent collects its own capability vector, and then sends the collected
Figure 179148DEST_PATH_IMAGE001
to VPNCtroler.
3) If a VPNAgent does not send back
Figure 503950DEST_PATH_IMAGE001
within the preset time, VPNCtroler sends a request message to that VPNAgent asking for its capability vector.
4) After collecting the capability vectors of all VPNAgents, VPNCtroler sends a request message requiring the VPNAgents to tear down all tunnels.
5) After waiting a fixed time following step 4), VPNCtroler allocates new tunnel numbers according to steps (5) and (6).
8. After the tunnel between VPNAgent and APPServer is set up, data is carried over the tunnel; one end of the data is the application request program (APPClient) on the VPNAgent and the other end is the application server (APPServer).
9. VPNAgent periodically sends the tunnel state and the current system statistics to VPNCtroler, which displays them in its interface.
10. Communication data between VPNAgent and VPNCtroler is encapsulated in XML format and then sent over a Socket.
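The allocation in steps 5 and 6, together with the sample averaging described for capability computing module 301, as an added example that is not the patent's code. The formulas survive on this page only as figure references, so the score used here (weighted free headroom), the weight values, `IO_BUDGET`, the agent names and the largest-remainder rounding are all assumptions.

```python
"""Controller-side tunnel allocation (added example; the scoring formula is an assumption)."""
from math import floor
from statistics import fmean

# Component order from the description: CPU %, network %, memory %, disk %, I/O bytes.
FIELDS = ("cpu", "net", "mem", "disk", "io_bytes")

# Constructed weight vectors W, one per tunnel type named in the description.
WEIGHTS = {
    "L2tp":            (0.30, 0.30, 0.20, 0.10, 0.10),
    "L2tp Over IpSec": (0.45, 0.25, 0.15, 0.05, 0.10),
    "Ikev1":           (0.50, 0.20, 0.15, 0.05, 0.10),
    "Ikev2":           (0.50, 0.20, 0.15, 0.05, 0.10),
    "Ikev2+EAP":       (0.55, 0.20, 0.15, 0.05, 0.05),
}

IO_BUDGET = 50_000_000  # assumed: I/O bytes per interval that count as 100 % load


def mean_vector(samples):
    """Average the N capability samples an agent took (one per interval T)."""
    if not samples:
        raise ValueError("agent returned no capability samples")
    return tuple(fmean(s[i] for s in samples) for i in range(len(FIELDS)))


def capability_value(vector, tunnel_type):
    """Weighted free headroom in [0, 1]; 0.0 means the agent is fully loaded."""
    usage = list(vector[:4]) + [100.0 * vector[4] / IO_BUDGET]
    headroom = [(100.0 - min(100.0, max(0.0, u))) / 100.0 for u in usage]
    return sum(w * h for w, h in zip(WEIGHTS[tunnel_type], headroom))


def normalize(values):
    """Scale the per-agent values so they sum to 1 (all zeros if nobody has headroom)."""
    total = sum(values.values())
    if total == 0:
        return {agent: 0.0 for agent in values}
    return {agent: v / total for agent, v in values.items()}


def allocate(total_tunnels, shares):
    """Split an integer tunnel count in proportion to shares (largest remainder)."""
    quotas = {agent: total_tunnels * s for agent, s in shares.items()}
    counts = {agent: floor(q) for agent, q in quotas.items()}
    # Agents with a zero share are overloaded and never receive leftover tunnels.
    eligible = sorted(
        (a for a, s in shares.items() if s > 0),
        key=lambda a: (-(quotas[a] - counts[a]), a),
    )
    leftover = max(0, total_tunnels - sum(counts.values())) if eligible else 0
    for i in range(leftover):
        counts[eligible[i % len(eligible)]] += 1
    return counts


def plan(total_tunnels, reports, tunnel_type):
    """reports maps agent name -> list of capability samples; returns tunnels per agent."""
    values = {
        agent: capability_value(mean_vector(samples), tunnel_type)
        for agent, samples in reports.items()
    }
    return allocate(total_tunnels, normalize(values))


# Constructed sample reports: a lightly loaded, a busy and a saturated agent.
REPORTS = {
    "agent-a": [(10, 10, 30, 10, 4_000_000), (30, 10, 30, 10, 6_000_000)],
    "agent-b": [(80, 60, 70, 40, 25_000_000)],
    "agent-c": [(100, 100, 100, 100, 50_000_000)],
}

if __name__ == "__main__":
    for tunnel_type in ("L2tp", "Ikev2"):
        print(tunnel_type, plan(1000, REPORTS, tunnel_type))
```

The same reports produce a different split for each tunnel type because the weight vector changes, and the saturated agent receives no tunnels, matching the description's rule for agents whose load is too high.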

Claims (5)

1. A multi-agent VPN tunnel concurrent testing system, characterized in that it comprises a VPN control end, a VPN agent list, a VPN gateway and an application server; wherein the VPN control end is connected to the VPN agent list through an IPv4 network; the VPN agent list has two connections to the VPN gateway: the lower layer establishes the tunnel connection over the IPv6 network, and the upper layer establishes the application data connection over the IPv6 network; and the VPN gateway forwards application data packets to the application server.
2. The multi-agent VPN tunnel concurrent testing system according to claim 1, characterized in that the VPN agent list comprises several VPN agents, and each VPN agent is connected to the VPN control end through the IPv4 network.
3. The multi-agent VPN tunnel concurrent testing system according to claim 1, characterized in that the VPN control end comprises: a basic configuration module, an application data layer configuration module, an advanced configuration module, an L2tp configuration module, an IKEv1 configuration module, an IKEv2 configuration module, an IKEv2+EAP configuration module, a communication module, an XML encapsulation module, a real-time status display module and a control-end main module; the control-end main module calls the XML encapsulation module to encapsulate the user's commands and parameters in XML format, and once the XML encapsulation module has encapsulated the data, calls the communication module to send it; when the communication module receives a data packet, it calls the XML encapsulation module to decapsulate the XML-formatted data and then calls the real-time status display module.
4. A multi-agent load balancing method using the multi-agent VPN tunnel concurrent testing system of claim 1, characterized in that it comprises the following steps:
(1) VPNCtroler runs on a Windows system, and VPNAgent runs on a Windows or Linux system; multiple VPNAgents form a VPNCluster; VPNServer generally runs on a high-performance blade server and, in a real environment, serves as the gateway between the internal network and the external network;
(2) tunnels are established between VPNAgent and VPNServer, and load balancing among the VPNAgents is achieved through centralized control by VPNCtroler;
(3) the application server (APPServer) runs behind VPNServer and provides the services carried over the tunnel, including FTP service, HTTP service, UDP data service and TCP data service;
(4) VPNCtroler communicates with VPNAgent over the IPv4 network, which is currently deployed on a large scale; the tunnel between VPNAgent and VPNServer is based on IPv4 or IPv6;
(5) VPNCtroler requests, as needed, the current capability vector and load value from VPNAgent; on receiving the request from VPNCtroler, VPNAgent immediately returns its capability vector and load value; after receiving the response from VPNAgent, VPNCtroler selects a weighting vector W according to the tunnel type currently under test, then calculates the actual capability value
Figure 727307DEST_PATH_IMAGE001
, and finally normalizes the actual capability value to obtain the normalized value
Figure 2011102734148100001DEST_PATH_IMAGE002
(6) after step (5), VPNCtroler obtains a normalized vector; VPNCtroler then allocates the number of tunnels and the throughput in proportion to
Figure 50283DEST_PATH_IMAGE002
;
(7) a load balancing step for the linear speed test, in which the linear speed index is the number of tunnels that VPNServer can establish per unit time, so as to better meet the requirements of testing linear speed;
(8) after VPNAgent and APPServer establish the tunnel, data is carried over the tunnel; one end of the data is the application request program (APPClient) on VPNAgent, and the other end is the application server (APPServer);
(9) VPNAgent periodically sends the tunnel state and the system's current statistical information to VPNCtroler, and VPNCtroler displays them through its interface;
(10) communication data between VPNAgent and VPNCtroler is encapsulated in XML format and then sent over a Socket.
5. The multi-agent load balancing method according to claim 4, characterized in that step (7) is realized by the following sub-steps:
(a) VPNCtroler allocates a fixed number of new tunnels and sends it to each VPNAgent, and each VPNAgent establishes the number of tunnels allocated by VPNCtroler;
(b) each VPNAgent collects its own capability vector while establishing the tunnels
Figure 445492DEST_PATH_IMAGE001
, and then sends the collected capability vector to VPNCtroler;
(c) if a VPNAgent does not send back
Figure 144644DEST_PATH_IMAGE001
within the preset time, VPNCtroler sends a request message to that VPNAgent asking for its capability vector;
(d) after collecting the capability vectors of all VPNAgents, VPNCtroler sends a request message requiring the VPNAgents to tear down all tunnels;
(e) after waiting a fixed time following step (d), VPNCtroler allocates the new tunnel numbers according to steps (5) and (6).
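The allocation in steps (5) and (6) of claim 4 can be sketched as follows; this is an added example, not code from the patent or its authors. The formulas survive on this page only as image placeholders, so the weighted-sum form of the capability value, the scaling by load, the weight values, the agent names and the largest-remainder rounding are all assumptions.

```python
from typing import Dict, List

# Assumed weighting vectors W per tunnel type (constructed values; components
# weight CPU headroom, free memory and free bandwidth, in that order).
WEIGHTS: Dict[str, List[float]] = {
    "IKEv2": [0.5, 0.25, 0.25],
    "L2tp": [0.25, 0.25, 0.5],
}

# Constructed VPNAgent replies: capability vector plus current load in [0, 1].
REPORTS = {
    "agent-1": {"vector": [1.0, 0.5, 0.25], "load": 0.0},
    "agent-2": {"vector": [0.25, 0.5, 1.0], "load": 0.0},
    "agent-3": {"vector": [0.5, 0.5, 0.5], "load": 0.5},
}

def actual_capability(vector: List[float], weights: List[float], load: float) -> float:
    """Assumed form: W . vector, scaled by the idle share (1 - load)."""
    if len(vector) != len(weights):
        raise ValueError("capability vector and W differ in length")
    if not 0.0 <= load <= 1.0:
        raise ValueError("load must be within [0, 1]")
    return sum(w * c for w, c in zip(weights, vector)) * (1.0 - load)

def normalize(values: Dict[str, float]) -> Dict[str, float]:
    """Scale the values to sum to 1; split evenly if no agent has capacity."""
    total = sum(values.values())
    if total <= 0:
        return {agent: 1.0 / len(values) for agent in values}
    return {agent: v / total for agent, v in values.items()}

def allocate(total_tunnels: int, shares: Dict[str, float]) -> Dict[str, int]:
    """Largest-remainder rounding so the per-agent counts sum to the total."""
    exact = {a: total_tunnels * s for a, s in shares.items()}
    counts = {a: int(x) for a, x in exact.items()}
    leftover = total_tunnels - sum(counts.values())
    # Biggest fractional part first; ties broken by agent name.
    by_remainder = sorted(exact, key=lambda a: (counts[a] - exact[a], a))
    for agent in by_remainder[:leftover]:
        counts[agent] += 1
    return counts

def plan(total_tunnels: int, tunnel_type: str, reports: dict) -> Dict[str, int]:
    """Controller side of steps (5)-(6): weigh, normalize, allocate."""
    if not reports:
        raise ValueError("no VPNAgent returned a capability vector")
    w = WEIGHTS[tunnel_type]
    caps = {a: actual_capability(r["vector"], w, r["load"]) for a, r in reports.items()}
    return allocate(total_tunnels, normalize(caps))
```

The same three agents receive different shares for the two tunnel types because only W changes, which is the point of selecting W per tunnel type.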
CN201110273414.8A 2011-09-15 2011-09-15 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method Expired - Fee Related CN102281161B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201110273414.8A CN102281161B (en) 2011-09-15 2011-09-15 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201110273414.8A CN102281161B (en) 2011-09-15 2011-09-15 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method

Publications (2)

Publication Number Publication Date
CN102281161A true CN102281161A (en) 2011-12-14
CN102281161B CN102281161B (en) 2014-04-16

Family

ID=45106358

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201110273414.8A Expired - Fee Related CN102281161B (en) 2011-09-15 2011-09-15 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method

Country Status (1)

Country Link
CN (1) CN102281161B (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067290A (en) * 2012-11-30 2013-04-24 成都卫士通信息产业股份有限公司 Virtual Private Network (VPN) tunnel implementation method based on virtual network adapter adaptable load balancing network
CN103441894A (en) * 2013-08-20 2013-12-11 迈普通信技术股份有限公司 Method and system for L2TP concurrent connection performance test
CN104731635A (en) * 2014-12-17 2015-06-24 华为技术有限公司 Virtual machine access control method and virtual machine access control system
CN106559779A (en) * 2016-11-30 2017-04-05 上海斐讯数据通信技术有限公司 A kind of data transmission method, device and system
CN103716209B (en) * 2013-12-31 2017-12-19 北京神州绿盟信息安全科技股份有限公司 A kind of tunnel concurrent test system and equipment
CN108540559A (en) * 2018-04-16 2018-09-14 北京航空航天大学 A kind of SDN controllers for supporting IPSec VPN load balancing
CN111091900A (en) * 2019-11-25 2020-05-01 中电健康云科技有限公司 Medical grading diagnosis and treatment method and system based on block chain intelligent contracts
CN114244621A (en) * 2021-12-24 2022-03-25 北京科电航宇空间技术有限公司 High-safety-intensity communication system with multi-level fragmentation
CN115174433A (en) * 2022-07-07 2022-10-11 东软睿驰汽车技术(大连)有限公司 Simulation method, simulation device and simulation system for multi-terminal access gateway

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1642109A (en) * 2004-09-30 2005-07-20 迈普(四川)通信技术有限公司 Method for realizing communication load equilibrium and gateway, central gateway thereof
CN1856790A (en) * 2003-07-22 2006-11-01 基诺技术公司 Information access using ontologies
CN101753401A (en) * 2008-12-03 2010-06-23 北京天融信科技有限公司 A method for realizing backup and load of IPSec virtual private network tunnel
WO2010069058A1 (en) * 2008-12-17 2010-06-24 Nortel Networks Limited Secure remote access public communication environment

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
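王宇 et al.: "Research and Implementation of Multi-Server Load Balancing and QoS Policy", Journal of the Academy of Equipment Command & Technology (《装备指挥技术学院学报》), vol. 13, no. 6, 31 December 2002 (2002-12-31), pages 80 - 82 *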

Cited By (14)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103067290B (en) * 2012-11-30 2016-06-01 成都卫士通信息产业股份有限公司 The VPN tunnel implementation of load balancing network is adapted to based on virtual network interface card
CN103067290A (en) * 2012-11-30 2013-04-24 成都卫士通信息产业股份有限公司 Virtual Private Network (VPN) tunnel implementation method based on virtual network adapter adaptable load balancing network
CN103441894A (en) * 2013-08-20 2013-12-11 迈普通信技术股份有限公司 Method and system for L2TP concurrent connection performance test
CN103716209B (en) * 2013-12-31 2017-12-19 北京神州绿盟信息安全科技股份有限公司 A kind of tunnel concurrent test system and equipment
CN104731635B (en) * 2014-12-17 2018-10-19 华为技术有限公司 A kind of virtual machine access control method and virtual machine access control system
CN104731635A (en) * 2014-12-17 2015-06-24 华为技术有限公司 Virtual machine access control method and virtual machine access control system
CN106559779B (en) * 2016-11-30 2020-10-30 上海斐讯数据通信技术有限公司 Data transmission method, device and system
CN106559779A (en) * 2016-11-30 2017-04-05 上海斐讯数据通信技术有限公司 A kind of data transmission method, device and system
CN108540559A (en) * 2018-04-16 2018-09-14 北京航空航天大学 A kind of SDN controllers for supporting IPSec VPN load balancing
CN108540559B (en) * 2018-04-16 2020-12-18 北京航空航天大学 SDN controller supporting IPSec VPN load balancing
CN111091900A (en) * 2019-11-25 2020-05-01 中电健康云科技有限公司 Medical grading diagnosis and treatment method and system based on block chain intelligent contracts
CN114244621A (en) * 2021-12-24 2022-03-25 北京科电航宇空间技术有限公司 High-safety-intensity communication system with multi-level fragmentation
CN114244621B (en) * 2021-12-24 2023-11-28 北京科电航宇空间技术有限公司 High-safety intensity communication system with multi-level fragmentation
CN115174433A (en) * 2022-07-07 2022-10-11 东软睿驰汽车技术(大连)有限公司 Simulation method, simulation device and simulation system for multi-terminal access gateway

Also Published As

Publication number Publication date
CN102281161B (en) 2014-04-16

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20140416

Termination date: 20140915

EXPY Termination of patent right or utility model