CN102281161B - Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method - Google Patents

Info

Publication number
CN102281161B
Authority
CN
Grant status
Grant
Patent type
Prior art keywords
multi
agent
system
method
private
Prior art date
Application number
CN 201110273414
Other languages
Chinese (zh)
Other versions
CN102281161A (en)
Inventor
张启飞
陈小平
杨文青
吕红兵
平玲娣
Original Assignee
浙江大学
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Grant date

Abstract

The present invention discloses a multi-agent VPN tunnel concurrent testing system and a multi-agent load balancing method. The VPN controller uses a request command to ask each VPN agent for its capability vector, and allocates a number of tunnels to each VPN agent according to the capability vector returned, thereby achieving dynamic load balancing. The VPN agent initiates tunnel establishment and teardown on receiving commands from the controller. While establishing and tearing down tunnels, the VPN agent also periodically sends system status information, so the VPN controller can monitor the system's current load in real time. The invention uses multiple agents, which simulates parallel testing in a real environment as closely as possible, and each agent can establish tunnels concurrently. The centralized control method is convenient to operate and easy to implement.

Description

Multi-agent VPN tunnel concurrent testing system and multi-agent load balancing method

Technical field

[0001] The present invention belongs to the field of network security architecture, and in particular relates to a multi-agent VPN tunnel concurrent testing system and a multi-agent load balancing method.

Background

[0002] As world economic integration accelerates, multinational companies play an increasingly prominent role in world economic activity, the cost of interconnecting enterprise internal networks across regions is increasingly significant, and traditional leased lines are expensive. The virtual private network (VPN) gives remote users and remote branch offices secure access to the company's internal network resources and ensures secure transmission over an encrypted channel: a virtual tunnel is established between the client and the company gateway, and this tunnel, built on authentication and protected by a strong encryption algorithm, guarantees security properties such as confidentiality and integrity for the data on the tunnel. A tunnel is a virtual channel established over the Internet, which provides a private channel on the public Internet.
To measure the load performance of a VPN gateway (line rate, total number of tunnels, throughput and so on), multiple clients must be simulated to measure the gateway's maximum performance. Gateways are generally very powerful, and a single agent (VPNAgent) cannot drive a gateway to its maximum performance, so multiple agents are needed. The gateway's capacity is not known before the measurement, however, so the number of agents needed cannot be determined and the configuration has to be repeated according to how the test goes. This easily causes two problems: (1) the performance target is not reached and configuration is repeated; (2) some agents may be overloaded while others carry very little load, causing wasted resources and failures.

Summary of the invention

[0003] The object of the present invention is to address the deficiencies of the prior art by providing a multi-agent VPN tunnel concurrent testing system and a multi-agent load balancing method.

[0004] The object of the invention is achieved by the following technical solution: a multi-agent VPN tunnel concurrent testing system comprising a VPN controller, a VPN agent set, a VPN gateway and an application server. The VPN controller and the VPN agent set are connected over an IPv4 network. The VPN agent set and the VPN gateway have two connections: at the lower layer a tunnel connection is established over an IPv6 network, and at the upper layer an application data connection is established over the IPv6 network. The VPN gateway forwards application data packets to the application server.

[0005] Further, the VPN agent set comprises several VPN agents, each connected to the VPN controller over the IPv4 network.

[0006] Further, the VPN controller comprises: a basic configuration module, an application data layer configuration module, an advanced configuration module, an L2tp configuration module, an IKEv1 configuration module, an IKEv2 configuration module, an IKEv2+EAP configuration module, a communication module, an XML encapsulation module, a real-time status display module and a controller main module. The controller main module calls the XML encapsulation module to encapsulate the user's commands and parameters in XML format; after encapsulating the data, the XML encapsulation module calls the communication module to send it. When the communication module receives a data packet, it calls the XML encapsulation module to decapsulate the XML data and then calls the real-time status display module.

[0007] A multi-agent load balancing method using the above multi-agent VPN tunnel concurrent testing system, the method comprising the following steps:

[0008] (1) VPNCtroler runs on a Windows system; VPNAgent runs on a Windows or Linux system, and multiple VPNAgents form a VPNCluster. VPNServer generally runs on a high-performance blade server and, in a real environment, serves as the gateway between the internal network and the external network;

[0009] (2) Tunnels are established between VPNAgent and VPNServer, and load balancing among the VPNAgents is achieved through the centralized control of VPNCtroler;

[0010] (3) The application server (APPServer) runs behind VPNServer and is a service carried over the tunnel, including an FTP service, an HTTP service, a UDP data service and a TCP data service;

[0011] (4) VPNCtroler communicates with VPNAgent over the currently widely deployed IPv4 network; the tunnel between VPNAgent and VPNServer is based on IPv4 or IPv6;

[0012] (5) VPNCtroler requests the current capability vector and load value from VPNAgent as needed. On receiving the request, VPNAgent immediately returns its capability vector and load value. On receiving the response, VPNCtroler selects the weighting vector W according to the tunnel type currently under test, then computes the actual capability value C', and finally normalizes the actual capability values to obtain normalized values;

[0013] (6) After step (5), VPNCtroler obtains a normalized vector = U, and allocates the number of tunnels and the throughput in proportion to the normalized values;

[0014] (7) Load balancing for the line-rate test: the line-rate metric tests the number of tunnels that VPNServer can establish per unit time, in order to better meet the requirements of line-rate testing;

[0015] (8) After VPNAgent and APPServer establish the tunnel, data is carried over the tunnel; one end of the data is the application request program (APPClient) on VPNAgent, and the other end is the application server (APPServer);

[0016] (9) VPNAgent periodically sends the system's current tunnel state and statistics to VPNCtroler, which displays them in its interface;

[0017] (10) Communication data between VPNAgent and VPNCtroler is encapsulated as XML and sent over a socket.

[0018] Further, step (7) is implemented by the following sub-steps:

[0019] (a) VPNCtroler allocates a fixed number of new tunnels and sends it to each VPNAgent; each VPNAgent establishes the number of tunnels that VPNCtroler allocated;

[0020] (b) Each VPNAgent collects its own capability vector Cf' during tunnel establishment, and then sends the collected vector to VPNCtroler;

[0021] (c) If a VPNAgent has not sent back its capability vector within a given time, VPNCtroler sends that VPNAgent a request message asking for its capability vector;

[0022] (d) After collecting the capability vectors of all VPNAgents, VPNCtroler sends a request message requiring the VPNAgents to clear all tunnels;

[0023] (e) After step (d), VPNCtroler waits a fixed time and then allocates new tunnel numbers according to steps (5) and (6).

[0024] The beneficial effects of the invention are as follows. The invention implements a distributed multi-agent VPN tunnel testing system. The agents are distributed across the local network and can initiate tunnel tests in parallel, and each agent initiates tunnel tests concurrently, which simulates a near-real usage environment. The system is also a distributed multi-agent system and is easy to scale: for today's large blade VPN gateway servers, scaling out makes it possible to measure metrics such as the tunnel establishment rate per unit time and the maximum number of tunnels. The invention further provides a multi-agent load balancing method that achieves dynamic load balancing among multiple VPN agents, saving resources and reducing failures.

Brief description of the drawings

[0025] FIG. 1 is the system structure of the present invention;

[0026] FIG. 2 is a module structure diagram of the controller of the present invention;

[0027] FIG. 3 is a module structure diagram of the agent of the present invention.

Detailed description

[0028] The invention is further described below with reference to the drawings and specific embodiments.

[0029] The invention proposes a distributed multi-agent VPN tunnel testing system and a method for load balancing among VPN agents (VPNAgent). Multiple agents are distributed at various places in the network and need not be aware of one another; together all the VPN agents form a VPN cluster (VPNCluster). The controller (VPNCtroler) runs on an ordinary machine, and communication between VPNCtroler and VPNAgent uses the currently ubiquitous IPv4 protocol. The VPN gateway (VPNServer) is the system's IUT (Implementation Under Test) and generally runs on a high-performance blade server; tunnels exist between VPNAgent and VPNServer. The application server (APPServer) sits behind VPNServer, and VPNAgent's data is forwarded to APPServer after passing through the tunnel between VPNAgent and VPNServer.

[0030] Load balancing among the agents is implemented on top of the distributed multi-agent VPN tunnel testing system described above. In earlier test environments, the number of tunnels each VPNAgent establishes, the line rate (number of tunnels established per unit time) and the throughput were configured statically; the VPNAgents were independent of one another, and an administrator could only configure them statically through VPNCtroler based on experience. The invention provides a centralized multi-agent load balancing algorithm: VPNCtroler allocates a number of tunnels to each VPNAgent according to the capability vector information the VPNAgent returns, and if a VPNAgent's load is too high, it is allocated no new tunnels or only a small number. After running for some time, each VPNAgent carries a load commensurate with its capability. Capability is represented by the current machine's CPU utilization percentage, network utilization percentage, memory utilization percentage, disk utilization percentage and number of I/O bytes, expressed as a vector C. The tunnels covered by the invention are of five kinds: L2tp, L2tp Over IpSec, Ikev1, Ikev2 and Ikev2+EAP. Each kind places different demands on CPU, memory and so on, so a weighting vector W is given; for each tunnel type, the capability vector C is multiplied by the corresponding weighting vector to obtain the actual capability value C'. VPNCtroler computes the actual capability value from the capability vector each VPNAgent returns, and finally uses normalization to compute each VPNAgent's normalized capability value

Figure CN102281161BD00061

The number of tunnels, the throughput and similar values are allocated in proportion to the VPNAgents' normalized values, so that load balancing among the VPNAgents is achieved dynamically.
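The allocation described in paragraph [0030] and in steps (5) and (6) can be sketched as follows; this is an added example, not code from the patent. The patent's formulas are images that are missing from this page, so the weight values, the conversion of usage percentages into free capacity, the I/O ceiling, the overload cutoff and the largest-remainder rounding are all assumptions of this sketch.

```python
from math import floor

# Component order follows the page: CPU %, network %, memory %, disk %, I/O bytes.
# ASSUMPTION: these weight values are hypothetical; the patent's W is not on the page.
WEIGHTS = {
    "L2tp":  (0.30, 0.30, 0.20, 0.10, 0.10),
    "Ikev2": (0.50, 0.20, 0.20, 0.05, 0.05),
}
IO_CEILING = 100_000_000   # ASSUMPTION: I/O byte count treated as fully saturated
OVERLOAD_PCT = 90.0        # ASSUMPTION: usage at or above this gets no new tunnels


def headroom(vec):
    """Convert a reported usage vector into free-capacity fractions in [0, 1]."""
    cpu, net, mem, disk, io_bytes = vec
    free = [max(0.0, 1.0 - p / 100.0) for p in (cpu, net, mem, disk)]
    free.append(max(0.0, 1.0 - io_bytes / IO_CEILING))
    return free


def actual_capability(vec, tunnel_type):
    """C' as the weighted sum of headroom; 0 when a percentage passes the cutoff."""
    if any(p >= OVERLOAD_PCT for p in vec[:4]):
        return 0.0
    return sum(w * h for w, h in zip(WEIGHTS[tunnel_type], headroom(vec)))


def normalize(values):
    """Scale capability values so they sum to 1 (all zeros if nobody has capacity)."""
    total = sum(values)
    if total == 0:
        return [0.0] * len(values)
    return [v / total for v in values]


def allocate(total_tunnels, shares):
    """Largest-remainder split: integer counts that sum to total_tunnels."""
    if not any(shares):
        return [0] * len(shares)
    exact = [total_tunnels * s for s in shares]
    counts = [floor(x) for x in exact]
    leftover = total_tunnels - sum(counts)
    # Hand the remaining tunnels to the agents with the largest fractional part,
    # never to an agent whose share is zero.
    order = sorted((i for i, s in enumerate(shares) if s > 0),
                   key=lambda i: exact[i] - counts[i], reverse=True)
    for i in order[:leftover]:
        counts[i] += 1
    return counts


def plan(reports, tunnel_type, total_tunnels):
    """Controller side: capability vectors in, tunnels per agent out."""
    names = list(reports)
    caps = [actual_capability(reports[n], tunnel_type) for n in names]
    return dict(zip(names, allocate(total_tunnels, normalize(caps))))


# Constructed sample reports (CPU %, network %, memory %, disk %, I/O bytes).
SAMPLE_REPORTS = {
    "agent-1": (20.0, 20.0, 20.0, 20.0, 0),
    "agent-2": (60.0, 60.0, 60.0, 60.0, 50_000_000),
    "agent-3": (95.0, 40.0, 40.0, 40.0, 0),   # CPU past the cutoff
}

if __name__ == "__main__":
    for agent, tunnels in plan(SAMPLE_REPORTS, "Ikev2", 1000).items():
        print(agent, tunnels)
```

The overloaded agent receives no tunnels, and the remaining agents split the total in proportion to their weighted free capacity.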

[0031] The overall system structure of the invention is shown in FIG. 1 and comprises the following parts:

[0032] Multiple agents are distributed at various places in the network and need not be aware of one another; together all the VPNAgents (102 in FIG. 1) form a VPNCluster (103 in FIG. 1). VPNCtroler (101 in FIG. 1) runs on an ordinary machine; communication between VPNCtroler and VPNAgent uses the currently ubiquitous IPv4 protocol, and there is a connection between VPNCtroler and every VPNAgent. The VPN gateway (VPNServer) (104 in FIG. 1) is the system's IUT (Implementation Under Test) and generally runs on a high-performance blade server; tunnels exist between VPNAgent and VPNServer and are based on the IPv6 protocol. The application server (APPServer) (105 in FIG. 1) sits behind VPNServer, and VPNAgent's data is forwarded to APPServer after passing through the tunnel between VPNAgent and VPNServer. The connection between VPNServer and APPServer is IPv4 or IPv6.

[0033] 106 in FIG. 1 is the control connection between VPNCtroler and VPNAgent, used by VPNCtroler to control VPNAgent and by VPNAgent to return data to VPNCtroler. 107 in FIG. 1 is the tunnel connection between VPNAgent and VPNServer. 108 in FIG. 1 is the data connection, which has two parts. One part runs on top of tunnel connection 107 and corresponds, in a real environment, to a client reaching the company's border gateway across the insecure Internet; to keep it secure, this part of the data is carried by the secure tunnel. The other part runs between VPNServer and APPServer and corresponds to the internal network in a real environment, which is considered secure and therefore needs no tunnel protection.

[0034] The overall system structure of the invention, shown in FIG. 1, comprises VPN controller 101, VPN agent set 103, VPN gateway 104 and application server 105. VPN controller 101 and VPN agent set 103 are connected over an IPv4 network. VPN agent set 103 and VPN gateway 104 have two connections: at the lower layer a tunnel connection is established over an IPv6 network, and at the upper layer an application data connection is established over the IPv6 network. VPN gateway 104 forwards application data packets to application server 105.

[0035] VPN agent set 103 comprises several VPN agents 102. Each VPN agent 102 is connected to VPN controller 101 over the IPv4 network.

[0036] VPN controller 101 is a graphical user interface. It accepts the user's configuration and then initiates tunnel establishment and teardown. After issuing the tunnel establishment command, it requests capability vectors from the VPNAgents and, from the capability vectors they return, computes the number of tunnels to allocate to each VPNAgent. It dynamically updates the status information that the VPNAgents periodically send back.

[0037] VPN agent set 103 is the set of multiple VPN agents 102; the elements of the set need not be aware of one another. Each agent is the core of the system and is responsible for: communicating with VPN controller 101; collecting the VPNAgent's capability vector; collecting the VPNAgent's current status information; establishing tunnels; sending and receiving application data; and tearing down tunnels.

[0038] VPN gateway 104 is the IUT, i.e. the device under test. It establishes tunnels with the VPNAgents, maintains tunnel state and forwards data packets.

[0039] Application server 105 is the application server gateway; in this system it is one of a UDP data server, a TCP data server, an FTP server or an HTTP server.

[0040] The detailed structure of VPN controller 101 is shown in FIG. 2 and comprises: basic configuration module 201, application data layer configuration module 202, advanced configuration module 203, L2tp configuration module 204, IKEv1 configuration module 205, IKEv2 configuration module 206, IKEv2+EAP configuration module 207, communication module 208, XML encapsulation module 209, real-time status display module 210 and controller main module 211. The controller main module calls XML encapsulation module 209 to encapsulate the user's commands and parameters in XML format; after encapsulating the data, XML encapsulation module 209 calls communication module 208 to send it. When communication module 208 receives a data packet, it calls the XML encapsulation module to decapsulate the XML data and then calls real-time status display module 210.

[0041] The features and functions of each module are as follows:

[0042] Basic configuration module 201 covers the agent's IPv4 address and port, the VPNServer's IPv6 address, the VPNAgent's IPv6 address and negotiation address, the number of tunnels per unit time, and the total number of tunnels.

[0043] Application data layer configuration module 202 covers the choice of application-layer protocol (this system offers four protocols: UDP, TCP, FTP and HTTP); the server IP address and port; the payload length; and the traffic volume.

[0044] Advanced configuration module 203 covers the tunnel's offline policy; the retry count and time interval after a failed negotiation; and log settings.

[0045] Communication module 208 sends data and listens for incoming data.

[0046] XML encapsulation module 209 encapsulates data as XML and parses XML files.

[0047] Real-time status display module 210 updates the interface in real time with the status information received.

[0048] L2tp configuration module 204 covers the LNS server address; the authentication mode (this system has two, CHAP and PAP); and the AAA authentication username and password.

[0049] IKEv1 configuration module 205 covers the phase 1 mode (this system has main mode and aggressive mode); the phase 1 encryption algorithm, authentication algorithm, authentication mode and DH group; the phase 2 IPSEC protocol, AH authentication algorithm, and ESP encryption and authentication algorithms; the advanced setting for the interval between keep-alive packets; and the IKE SA time and IPSEC SA time.

[0050] IKEv2 configuration module 206 covers the phase 1 authentication method (this system has two: by name and by IP address); the phase 1 encryption algorithm, authentication algorithm, authentication mode and DH group; the phase 2 IPSEC protocol, AH authentication algorithm, and ESP encryption and authentication algorithms; the advanced setting for the interval between keep-alive packets; and the IKE SA time and IPSEC SA time.

[0051] IKEv2+EAP configuration module 207 covers the phase 1 authentication method (this system has two: by name and by IP address); the phase 1 encryption algorithm, authentication algorithm, authentication mode and DH group; the phase 2 IPSEC protocol, AH authentication algorithm, and ESP encryption and authentication algorithms; the EAP authentication username and password; the advanced setting for the interval between keep-alive packets; and the IKE SA time and IPSEC SA time.

[0052] VPN agent set 103 is a set of multiple agents that have no connection with one another. The detailed structure of a single agent is shown in FIG. 3 and comprises VPN agent capability calculation module 301, VPN agent main control module 302, VPN agent XML encapsulation module 303, VPN agent XML decapsulation module 304, VPN agent communication module 305, VPN agent tunnel traffic generation module 306, VPN agent tunnel generation module 307, VPN agent tunnel clearing module 308 and VPN agent status generation module 309:

[0053] VPNAgent main control module 302 is the core of the whole system and controls the operation of the other modules according to the type of tunnel test. VPN agent communication module 305 is the lowest-level module and uses socket programming to receive data packets from VPNCtroler. VPN agent XML encapsulation module 303 and VPN agent XML decapsulation module 304 are also relatively low-level modules. Data messages processed by communication module 305 are handed to XML decapsulation module 304, which parses the XML file and extracts the commands and parameters that VPNCtroler passed. Likewise, XML encapsulation module 303 encapsulates data and parameters into an XML file and hands it to communication module 305, which sends the data packet to VPNCtroler over a socket.

[0054] VPN agent tunnel generation module 307 and VPN agent tunnel clearing module 308 generate and clear tunnels. For line-rate tests and total-tunnel-count tests, the VPNAgent main control module calls module 307, which initiates establishment of the corresponding tunnels according to the configuration. Each tunnel type has its own configuration parameters, including the encryption algorithm, integrity check algorithm, authentication method and Diffie-Hellman group. The tunnel is negotiated with VPNServer using the selected parameters; the CPU computation required differs several-fold between parameters, for example between DES-CBC and AES-256 encryption.

[0055] The tunnel types that can be negotiated are: L2tp, L2tp Over IpSec, Ikev1, Ikev2, Ikev2+EAP.

[0056] Encryption algorithms: DES-CBC, 3DES-CBC, AES-128, AES-192, AES-256.

[0057] Integrity check algorithms: SHA1-128, SHA1-256, MD5.

[0058] Authentication methods: pre-shared key (PSK), certificate authentication.

[0059] VPN agent capability calculation module 301 computes, every interval T, the current CPU utilization percentage, network utilization percentage, memory utilization percentage, disk utilization percentage and number of I/O bytes, expressed as the vector

Figure CN102281161BD00091

When module 302 requests the capability vector, module 301 computes the average capability vector

Figure CN102281161BD00092

The interval T is defined as 100 ms, and N is the number of intervals T.

[0060] VPN agent tunnel traffic generation module 306 generates traffic according to the parameters VPNCtroler passes, including TCP data traffic, UDP data traffic, FTP traffic and HTTP traffic.

[0061] VPN agent status generation module 309 periodically returns the system's current status to VPNCtroler, including the number of tunnels successfully negotiated, the number of failed tunnels, the number of tunnels being negotiated, the throughput and the average throughput. The reporting interval is T = 1 second.

[0062] VPN gateway 104 is the IUT, i.e. the system's device under test.

[0063] Application server 105 is an application server providing various application-layer services; in this system these are UDP data, TCP data, FTP data and HTTP data. The services listen on ports 5001, 5002, 5003 and 5004 respectively. Each service is multithreaded and can establish connections concurrently. For the UDP application, the application server simply returns the data that VPNAgent sends. For the TCP application, after the connection is established, the application server likewise returns the data that VPNAgent sends. The FTP application carries a large amount of downlink data and a small amount of uplink data. For HTTP data, VPNAgent selects the data and the HTTP server responds according to the action sent, including GET and POST actions.

[0064] On the system structure described above, the present invention implements load balancing among multiple agents, comprising the following steps:

[0065] 1. VPNCtroler runs on a Windows system; VPNAgent runs on a Windows or Linux system, and multiple VPNAgents form the VPNCluster. VPNServer generally runs on a high-performance blade server and, in a real environment, acts as the gateway between the internal network and the external network.

[0066] 2. Tunnels are established between VPNAgent and VPNServer, and load balancing among the VPNAgents is achieved through the centralized control of VPNCtroler.

[0067] 3. The application server (APPServer) runs behind VPNServer and is a service carried over the tunnel. The present invention uses four services: the FTP service, the HTTP service, the UDP data service and the TCP data service.

[0068] 4. VPNCtroler communicates with VPNAgent over the currently widely deployed IPv4 network; the tunnels between VPNAgent and VPNServer are based on IPv4 or IPv6.

[0069] 5. VPNCtroler requests the current capability vector and load value from VPNAgent as needed. On receiving the request, VPNAgent immediately returns its capability vector and load value. After receiving VPNAgent's response, VPNCtroler selects the weight vector W according to the tunnel type currently under test, then computes the actual capability value, and finally normalizes the actual capability value to obtain the normalized value Cnor.

[0070] The specific calculation formulas for the above include: [0071]

Figure CN102281161BD00101

[0075] The specific tunnel types referred to above are:

[0076] L2tp, L2tp Over IpSec, Ikev1, Ikev2, Ikev2+EAP.

[0077] 6. After step (5), VPNCtroler obtains a normalized vector

Figure CN102281161BD00102

VPNCtroler allocates the number of tunnels and the throughput in proportion to this vector.

[0078] 7. The load balancing step for line-rate testing. The line-rate metric measures the number of tunnels that VPNServer can establish per unit time. To better meet the requirements of line-rate testing, we designed the following method, comprising these steps:

[0079] 1) VPNCtroler allocates a fixed number of new tunnels and sends it to each VPNAgent; each VPNAgent establishes the number of tunnels that VPNCtroler allocated.

[0080] 2) Each VPNAgent collects its own capability vector C' during tunnel establishment and then sends the collected vector to VPNCtroler.

[0081] 3) If a VPNAgent has not sent back C' within a given time, VPNCtroler sends a request message to that VPNAgent, requesting its capability vector.

[0082] 4) After collecting the capability vectors of all VPNAgents, VPNCtroler sends a request message requiring the VPNAgents to clear all tunnels.

[0083] 5) After step 4), VPNCtroler waits a fixed time and then allocates new tunnel counts according to steps (5) and (6).

[0084] 8. After VPNAgent and APPServer establish the tunnel, data is carried over the tunnel. One end of the data is the application request program (APPClient) on VPNAgent; the other end is the application server (APPServer).

[0085] 9. VPNAgent periodically sends the system's current tunnel state and statistics to VPNCtroler, which displays them in its interface.

[0086] 10. Communication data between VPNAgent and VPNCtroler is encapsulated as XML and sent over a Socket.
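
Steps 5 and 6 above, worked through as an added example (not code from the patent): the controller weights each agent's capability vector by the W chosen for the tunnel type, normalizes the results, and splits a tunnel budget in proportion. The weight values, agent names and reports are constructed; because the patent's formulas survive here only as figure references, the example assumes that C' is the weighted sum of C and W, that normalization divides each C' by the sum over all agents, and that every component is reported as spare capacity on a 0-100 scale.

```python
from fractions import Fraction

COMPONENTS = ("cpu", "net", "mem", "disk", "io")

# Constructed weight vectors W (percent, summing to 100), one per tunnel type.
# The values are illustrative assumptions; the page does not list them.
WEIGHTS = {
    "L2tp":  {"cpu": 20, "net": 40, "mem": 20, "disk": 10, "io": 10},
    "Ikev2": {"cpu": 50, "net": 20, "mem": 20, "disk": 5, "io": 5},
}

# Constructed agent reports. Assumption: every component is spare capacity on a
# 0-100 scale (100 minus the usage percentage), so larger means more capable.
REPORTS = {
    "agent-a": {"cpu": 80, "net": 60, "mem": 70, "disk": 90, "io": 50},
    "agent-b": {"cpu": 40, "net": 60, "mem": 50, "disk": 90, "io": 50},
    "agent-c": {"cpu": 20, "net": 30, "mem": 30, "disk": 90, "io": 50},
}


def capability_value(c, w):
    """Actual capability C' as the weighted sum of the components of C and W."""
    for k in COMPONENTS:
        if not 0 <= c[k] <= 100:
            raise ValueError(f"component {k!r} out of range: {c[k]!r}")
    return sum(Fraction(c[k]) * w[k] for k in COMPONENTS)


def normalize(values):
    """Assumed normalization: each C' divided by the sum over all agents."""
    total = sum(values)
    if total == 0:
        # No agent reports spare capacity: fall back to an equal split.
        return [Fraction(1, len(values))] * len(values)
    return [v / total for v in values]


def allocate_tunnels(reports, tunnel_type, total_tunnels):
    """Split total_tunnels across agents in proportion to normalized capability."""
    if not reports:
        raise ValueError("no agent reports to allocate against")
    w = WEIGHTS[tunnel_type]
    names = sorted(reports)
    shares = normalize([capability_value(reports[n], w) for n in names])
    exact = [s * total_tunnels for s in shares]
    counts = [int(x) for x in exact]  # floor, since every share is >= 0
    # Largest-remainder rounding: hand out the tunnels lost to flooring, largest
    # fractional part first, so the counts add up to total_tunnels exactly.
    order = sorted(range(len(names)), key=lambda i: (counts[i] - exact[i], names[i]))
    for i in order[: total_tunnels - sum(counts)]:
        counts[i] += 1
    return dict(zip(names, counts))


if __name__ == "__main__":
    for tunnel_type in WEIGHTS:
        print(tunnel_type, allocate_tunnels(REPORTS, tunnel_type, 1000))
```

Exact rational arithmetic keeps the rounding deterministic, so the per-agent counts always sum to the requested tunnel total and the same reports always yield the same split.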

Claims (2)

  1. A multi-agent load balancing method, implemented on a multi-agent VPN tunnel concurrent testing system, the multi-agent VPN tunnel concurrent testing system comprising a VPN control terminal VPNCtroler, a VPN agent set VPNCluster, a VPN gateway VPNServer and an application server; the VPN control terminal and the VPN agent set are connected through an IPv4 network; the VPN agent set and the VPN gateway have two connections: at the lower layer a tunnel connection is established over an IPv6 network, and at the upper layer an application data connection is established over the IPv6 network, and the VPN gateway forwards application data packets to the application server; the VPN agent set comprises several VPN agents (Agent), each connected to the VPN control terminal through the IPv4 network; the VPN control terminal comprises: a basic configuration module, an application data layer configuration module, an advanced configuration module, an L2tp configuration module, an IKEv1 configuration module, an IKEv2 configuration module, an IKEv2+EAP configuration module, a communication module, an XML encapsulation module, a real-time status display module and a control-terminal main module; the control-terminal main module calls the XML encapsulation module to encapsulate the user's commands and parameters in XML format, and after encapsulating the data the XML encapsulation module calls the communication module to send it; when the communication module receives a data packet, it calls the XML encapsulation module to decapsulate the XML-format data and then calls the real-time status display module; characterized in that the method comprises the following steps:
    (1) VPNCtroler runs on a Windows system, VPNAgent runs on a Windows or Linux system, and multiple VPNAgents form the VPNCluster; VPNServer is located on a high-performance blade server and, in a real environment, acts as the gateway between the internal network and the external network;
    (2) tunnels are established between VPNAgent and VPNServer, and load balancing among the VPNAgents is achieved through the centralized control of VPNCtroler;
    (3) the application server APPServer runs behind VPNServer and is a service carried over the tunnel, including the FTP service, the HTTP service, the UDP data service and the TCP data service;
    (4) VPNCtroler communicates with VPNAgent over the currently widely deployed IPv4 network; the tunnels between VPNAgent and VPNServer are based on IPv4 or IPv6;
    (5) VPNCtroler requests the current capability vector and load value from VPNAgent as needed, and on receiving the request VPNAgent immediately returns its capability vector and load value; capability is represented by the current machine's CPU usage percentage, network usage percentage, memory usage percentage, disk usage percentage and I/O byte count, expressed as the vector C = {Ccpu, Cnet, Cmem, Cdisk, Cio}; after receiving VPNAgent's response, VPNCtroler selects the weight vector W = {Wcpu, Wnet, Wmem, Wdisk, Wio} according to the tunnel type currently under test, then computes the actual capability value C' = {Ccpu, Cnet, Cmem, Cdisk, Cio} × {Wcpu, Wnet, Wmem, Wdisk, Wio}, and finally normalizes the actual capability value to obtain the normalized value
    Figure CN102281161BC00021
    (6) after step (5), VPNCtroler obtains a normalized vector Cnor = {Cnor1, Cnor2, ...}, and VPNCtroler allocates the number of tunnels and the throughput in proportion to this normalized vector Cnor;
    (7) the load balancing step for line-rate testing: the line-rate metric measures the number of tunnels that VPNServer can establish per unit time, in order to better meet the requirements of line-rate testing;
    (8) after VPNAgent and APPServer establish the tunnel, data is carried over the tunnel; one end of the data is the application request program APPClient on VPNAgent, and the other end is the application server APPServer;
    (9) VPNAgent periodically sends the system's current tunnel state and statistics to VPNCtroler, which displays them in its interface;
    (10) communication data between VPNAgent and VPNCtroler is encapsulated as XML and sent over a Socket.
  2. The multi-agent load balancing method according to claim 1, characterized in that step (7) is implemented through the following sub-steps:
    (a) VPNCtroler allocates a fixed number of new tunnels and sends it to each VPNAgent; each VPNAgent establishes the number of tunnels that VPNCtroler allocated;
    (b) each VPNAgent collects its own capability vector C' during tunnel establishment and then sends the collected C' to VPNCtroler;
    (c) if a VPNAgent has not sent back C' within a given time, VPNCtroler sends a request message to that VPNAgent, requesting its capability vector;
    (d) after collecting the capability vectors of all VPNAgents, VPNCtroler sends a request message requiring the VPNAgents to clear all tunnels;
    (e) after step (d), VPNCtroler waits a fixed time and then allocates new tunnel counts according to steps (5) and (6).

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201110273414 CN102281161B (en) 2011-09-15 2011-09-15 Multi-agent virtual private network (VPN) tunnel concurrent testing system and multi-agent load balancing method

Publications (2)

Publication Number Publication Date
CN102281161A true CN102281161A (en) 2011-12-14
CN102281161B true CN102281161B (en) 2014-04-16

Family

ID=45106358

Country Status (1)

Country Link
CN (1) CN102281161B (en)

Legal Events

Date Code Title Description
C06 Publication
C10 Entry into substantive examination
C14 Grant of patent or utility model
EXPY Termination of patent right or utility model