SSL VPN communication method based on the data link layer
Technical field
The present invention relates to a network data communication method, and in particular to a communication method based on SSL VPN technology.
Background technology
With the spread of Internet technology, virtual private network (VPN) technology has taken an increasingly prominent place in network development. In recent years, in order to provide users with safer VPN services, more and more users have chosen SSL VPN. SSL VPN is a VPN technology based on HTTPS; it also covers applications that support SSL, for example e-mail clients such as Microsoft Outlook or Eudora. It uses the SSL protocol to provide certificate-based authentication, data encryption and message integrity verification, giving users a security guarantee when remotely accessing a company's internal network. SSL VPN is often described as "clientless", because most computers today ship with a web browser supporting HTTP and HTTPS already installed.
A common SSL VPN uses SSL to encapsulate protocols at the IP layer and above, such as UDP, TCP and HTTP, and can therefore carry only data from the IP layer and above. Because it supports only protocols above the IP layer, it cannot support protocols below the IP layer such as IPX, NetBT, AppleTalk, NBF, NWLink, PPP, PPPoE and MPLS.
Content of the invention
The purpose of the present invention is to overcome the weaknesses of the prior art by providing an SSL VPN connection mode that communicates at the data link layer: the sending side packs and transmits all data link layer data addressed to a specified destination, so that data penetrates the tunnel at the data link layer. This meets a need that traditional SSL VPN and IPSec VPN cannot, namely establishing full-protocol communication of an entire network between two sub-networks, for example the penetration of the WINS protocol, VoIP protocols and the DHCP protocol.
The present invention proposes the following technical scheme:
An SSL VPN communication method based on the data link layer, implemented on a service-end network and a client connected through a wide area network, where the service-end network includes an SSL VPN gateway, a switch and terminal devices, characterised in that it includes the following steps:
A. The client initiates a connection request to the service-end gateway;
B. After receiving the connection request, the service-end gateway performs standard SSL verification of the client;
C. An SSL VPN encrypted secure channel is established between the client and the service-end network;
D. When data is sent between the service-end network and the client, the SSL VPN gateway of the sending side encapsulates all data forwarded by the switch that needs to be sent to the client, and transmits it to the receiving side through the SSL VPN channel;
E. The receiving side unpacks the received data and delivers it to its local side.
Preferably, the verification process of step B includes:
B1. The SSL VPN gateway of the service end performs identity authentication of the connection request;
B2. The SSL VPN gateway of the service end performs password verification or PKI certificate verification of the connection request.
Preferably, the client is a LAN, and the LAN includes an SSL VPN gateway, a switch and PCs.
Preferably, step D includes: the eth1 port of the sending side's SSL VPN gateway receives all data from the local switch that needs to be sent to the receiving side; after this data is packed, it is sent from the eth0 port through the SSL tunnel to the eth0 port of the receiving side's SSL VPN gateway. Step E includes: after the receiving side's SSL VPN gateway unpacks the received data, it delivers it to the local switch through the eth1 port.
As an improvement, the number of such LANs is at least one.
Preferably, the client is a terminal device.
Preferably, the following steps are also included before step A:
a. A client application is embedded in the portal site of the service-end SSL VPN gateway;
b. The client PC accesses the service-end SSL VPN gateway through a browser;
c. The client application is downloaded to the client PC; running this client application installs the SSL VPN client agent program on the client PC.
Preferably, step D is:
When the service-end network sends data to the client, the eth1 port of the service-end SSL VPN gateway receives all data from the local switch that needs to be sent to the receiving side; after this data is packed, it is sent from the eth0 port through the SSL tunnel to the client's network interface card;
When the client sends data to the service-end network, the client's SSL VPN client agent program packs all data to be sent to the service-end network and sends it through the network interface card, via the SSL tunnel, to the eth0 port of the service-end SSL VPN gateway;
Step E is: when the service-end network sends data to the client, the client's SSL VPN client agent program unpacks the received data; when the client sends data to the service-end network, the service-end SSL VPN gateway unpacks the received data and delivers it to the local switch through the eth1 port.
Preferably, the terminal device is a PC, mobile phone or PDA.
The technical scheme provided by the present invention adds a link-layer-based communication function to an existing SSL VPN gateway or application program, so that the SSL VPN can support software that uses data link layer protocols and several sub-networks can be merged into one large network. A communication request initiated between sub-networks is as transparent as communication within a LAN; any protocol can run between the sub-networks, including WINS, ICMP, DNS, DHCP, VoIP and other LAN protocols above the data link layer, so that one large LAN can truly be formed.
Brief description of the drawings
Fig. 1 is a schematic diagram of the network connections in embodiment one;
Fig. 2 is a flow chart of the steps of the communication method provided by the present invention;
Fig. 3 is a data flow diagram for mutual access between PCs in embodiment one;
Fig. 4 is a diagram of client network expansion in embodiment one;
Fig. 5 is a schematic diagram of the network connections in embodiment two;
Fig. 6 is a data flow diagram for mutual access between PCs in embodiment two.
Specific implementation method
The specific embodiments of the present invention are described in further detail below with reference to the drawings.
First embodiment:
Two LANs, A and B, are shown in Fig. 1; an SSL VPN gateway is installed in each of network A and network B. Network A includes SSL VPN gateway A, switch A and several PCs; the eth0 port of SSL VPN gateway A is connected to the Internet, its eth1 port is connected to switch A, and the PCs are connected to switch A. Network B includes SSL VPN gateway B, switch B and several terminal devices connected by network cable; the eth0 port of gateway B is connected to the Internet, its eth1 port is connected to switch B, and the terminal devices are connected to switch B. In this example gateway A is configured as the service end and gateway B as the client. In this example PCs are used as the terminal devices; besides PCs, the terminal devices can also be mobile phones, PDAs or other terminal devices capable of remote access.
The two sides establishing the VPN are equal: whether the tunnel is established by gateway A initiating a request to gateway B, or by gateway B initiating a request to gateway A, the two cases are equivalent.
As shown in Fig. 2, client SSL VPN gateway B actively sends a connection request to service-end SSL VPN gateway A. After receiving the connection request, the service end performs standard SSL verification of the client, with the following verification steps:
(1) Service-end SSL VPN gateway A first performs identity authentication of client SSL VPN gateway B; if the verification fails, an error message is sent to gateway B;
(2) After identity authentication passes, password verification or PKI certificate verification can also be performed; if this verification fails, an error message is sent to client SSL VPN gateway B. The verification mode can be set on the configuration page of service-end SSL VPN gateway A. The service end has a built-in CA that can generate PKI certificates, and a third-party root certificate can also be used. The certificate issued by the server, or the third-party certificate, should be imported into client SSL VPN gateway B in advance.
After the above verification passes, an SSL VPN encrypted secure channel is established between network A and network B.
When network A sends data to network B, switch A sends the local data to the eth1 port of gateway A; gateway A packs and encapsulates, as a whole, all data sent by switch A that is destined for network B, and sends it from the eth0 port through the established SSL tunnel to the eth0 port of client SSL VPN gateway B. Because the switch works at the data link layer, all data the gateway receives from the switch is data link layer data, and all of it is received and packed for transmission, which achieves data penetration based on the data link layer. To increase the security of data transmission, the packing of the data is preferably performed by encapsulating it with a preset algorithm. After receiving a packet on its eth0 port, gateway B unpacks it, preferably with the algorithm corresponding to the preset packing algorithm, and delivers the unpacked data to the local switch B through its eth1 port.
When network B sends data to network A, switch B sends the local data to the eth1 port of gateway B; gateway B packs and encapsulates, as a whole, all data sent by switch B that is destined for network A, and sends it from the eth0 port through the established SSL tunnel to the eth0 port of gateway A. To increase the security of data transmission, the packing of the data is preferably performed with a preset algorithm. After receiving a packet on its eth0 port, gateway A unpacks it, preferably with the algorithm corresponding to the preset packing algorithm, and delivers the unpacked data to the local switch A through its eth1 port.
To ensure that the eth1 ports of the SSL VPN gateways of network A and network B receive all data sent by the local switch, the eth1 port should be set to promiscuous mode.
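As an added illustration of steps D and E and of the gateway packing described above (this is example code, not code from the patent, which does not specify its packing algorithm), the following Python assumes a hypothetical record format: each raw Ethernet frame captured on eth1 is prefixed with a 2-byte length before being written into the TLS stream, and the receiver reassembles frames even when the stream delivers them in partial or merged reads. The ARP frame used in the test is constructed sample data; the EtherType table shows that non-IP protocols such as IPX, PPPoE and MPLS pass through unchanged.

```python
import struct

# Hypothetical tunnel record format, assumed for this example (the patent does
# not specify its packing algorithm): a 2-byte big-endian length followed by
# one raw Ethernet frame, written into the TLS byte stream.
LEN_HDR = struct.Struct("!H")
MIN_FRAME, MAX_FRAME = 14, 1518  # Ethernet header only .. untagged maximum
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6",
                   0x8137: "IPX", 0x8864: "PPPoE", 0x8847: "MPLS"}

def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def build_ethernet_frame(dst_mac: str, src_mac: str, ethertype: int,
                         payload: bytes) -> bytes:
    """Assemble an Ethernet II frame (without FCS) from its parts."""
    return (_mac_bytes(dst_mac) + _mac_bytes(src_mac)
            + struct.pack("!H", ethertype) + payload)

def pack_frame(frame: bytes) -> bytes:
    """Sending gateway (step D): wrap one frame seen on eth1 into a record."""
    if not MIN_FRAME <= len(frame) <= MAX_FRAME:
        raise ValueError("not a valid Ethernet frame")
    return LEN_HDR.pack(len(frame)) + frame

class TunnelUnpacker:
    """Receiving gateway (step E): rebuild frames from the TLS byte stream.
    TLS carries a stream, not datagrams, so one record may arrive split
    across several reads, or several records may arrive in a single read."""
    def __init__(self) -> None:
        self.buf = b""

    def feed(self, data: bytes) -> list:
        """Append received bytes; return every complete frame now available."""
        self.buf += data
        frames = []
        while len(self.buf) >= LEN_HDR.size:
            (n,) = LEN_HDR.unpack_from(self.buf)
            if not MIN_FRAME <= n <= MAX_FRAME:
                raise ValueError("corrupt tunnel record")  # never forward it
            if len(self.buf) < LEN_HDR.size + n:
                break  # wait for the rest of this frame
            frames.append(self.buf[LEN_HDR.size:LEN_HDR.size + n])
            self.buf = self.buf[LEN_HDR.size + n:]
        return frames

def describe_frame(frame: bytes) -> dict:
    """Read the layer 2 header; the gateway forwards any EtherType unchanged."""
    etype = struct.unpack("!H", frame[12:14])[0]
    return {"dst": _mac_str(frame[:6]), "src": _mac_str(frame[6:12]),
            "ethertype": ETHERTYPE_NAMES.get(etype, hex(etype))}
```

In a real gateway the records would be written to and read from the TLS socket established in step C; the unpacker rejects out-of-range lengths rather than injecting a malformed frame onto the local switch.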
Specifically, when two LANs access each other, for example when PC1 in network A is to access PC3 in network B, the machine name, domain name or IP address of PC3 is usually known. As shown in Fig. 3, the concrete data transfer process is as follows:
First, the machine name or domain name is resolved:
If the domain name or machine name of PC3 is known, PC1's access request for PC3 is sent to the domain name server on network A and can also be sent at the same time to the domain name server on network B. The detailed process is as follows: the DNS request is sent through switch A of network A to the eth1 port of gateway A; because the eth1 port of gateway A is set to promiscuous mode, gateway A receives the DNS request and packs it, and immediately sends it through the established SSL tunnel to the eth0 port of gateway B. After receiving the DNS request, gateway B sends it to the domain name server of the client network; after the client domain name server receives the DNS request it resolves it and sends back a DNS response, which is sent onto the client network. Because the eth1 port of gateway B is also set to promiscuous mode, the eth1 port of gateway B receives this response and packs it, and it is then sent through the SSL tunnel to gateway A. After gateway A receives the response, it sends it onto the service-end network; once PC1 on the service-end network receives the DNS response, it knows the IP address of PC3.
PC1 then accesses PC3 by PC3's IP address:
When the IP addresses of PC1 and PC3 are in the same network segment, PC1 also needs to resolve the MAC address of PC3 first. The detailed process is as follows: PC1 first sends an ARP request onto network A; as with the DNS resolution request, this ARP request is captured by the eth1 port of gateway A and transmitted to gateway B; the eth0 port of gateway B unpacks the request after receiving it and sends it onto network B; after PC3 receives it, it sends an ARP reply; the reply is captured by the eth1 port of gateway B and transmitted to gateway A; after the reply is unpacked by the eth0 port of gateway A it is sent onto network A through the eth1 port, and PC1 thereby obtains the MAC address of PC3.
PC1 and PC3 can then send communication data to each other:
When PC1 sends communication data to PC3, the data is received by the eth1 port of gateway A and transmitted to gateway B; the eth0 port of gateway B unpacks the packet after receiving it and sends it onto network B, and PC3 receives the communication data from PC1.
When PC3 sends communication data to PC1, the data is received by the eth1 port of gateway B and transmitted to gateway A; the eth0 port of gateway A unpacks the packet after receiving it and sends it onto network A, and PC1 receives the communication data from PC3.
To further enhance data security, the SSL VPN gateway preferably performs data packing and unpacking with a preset algorithm.
By using the communication method provided by the present invention, data link layer data can be transmitted in full between network A and network B. Because a LAN works at the data link layer, penetration of any protocol in the LAN can be achieved; it is as if an invisible network cable ran from the eth1 port of the SSL VPN gateway device of network A to the eth1 port of the SSL VPN gateway device of network B (in Fig. 1 this invisible cable is marked with a dotted line), so that a communication request initiated by PC1 in network A to PC3 in network B is as transparent as communicating with PC3 inside network A.
As shown in Fig. 4, the aforementioned network B can be expanded to networks C, D, E and so on of the same structure. Depending on the device model and throughput, a large interconnected network can be established between LANs of different sizes; any protocol can run between these networks, including WINS, ICMP, DNS, DHCP, VoIP and other LAN protocols above layer 2, and one large-scale LAN can truly be formed.
Embodiment two:
As shown in Fig. 5, network A is a LAN including SSL VPN gateway A, switch A and several PCs; the eth0 port of gateway A is connected to the Internet, its eth1 port is connected to switch A, and the PCs are connected to switch A. One terminal device is connected through the Internet to the eth0 port of network A; here the terminal device is the client, and in this example the terminal device is a PC.
In this example a client application is embedded in the portal site of gateway A. When client PC5 accesses gateway A through a browser it enters the portal site, which provides a download link for the client application. Clicking this link downloads the client application to the client PC; running this client application installs the SSL VPN client agent program on the client PC.
When the client PC needs to access network A through the browser, the client sends a connection request to SSL VPN gateway A; after receiving the connection request, gateway A performs standard SSL verification of the client:
(1) Gateway A first performs identity authentication of the client; if the verification fails, an error message is sent to the client;
(2) After identity authentication passes, password verification or PKI certificate verification is performed; if this verification fails, an error message is sent to the client. The verification mode can be set on the configuration page of service-end SSL VPN gateway A. The service end has a built-in CA that can generate PKI certificates, and a third-party root certificate can also be used.
After the verification passes, an SSL VPN encrypted secure channel is established between the client PC and gateway A through the browser.
When network A sends data to the client PC, service-end switch A sends all local data to the eth1 port of gateway A, which is set to promiscuous mode; gateway A packs all the data it receives and sends it from the eth0 port through the SSL tunnel to the network interface card of the client PC. After the network interface card of the client PC receives a packet, the SSL VPN client agent program unpacks it.
When the client PC sends data to network A, the client's SSL VPN client agent program packs all local data and sends it through the network interface card, via the SSL tunnel, to the eth0 port of gateway A; gateway A unpacks the packet and delivers it to the local side through the eth1 port.
To ensure data security, the above packing and unpacking should be performed with a preset algorithm.
Specifically, when PC1 is to access PC3, the process is essentially the same as in embodiment one, as shown in Fig. 6; the differences are that the client has no switch, and the function of gateway B in embodiment one is performed by the SSL VPN client agent program on PC3.
The client PC has the same right to access network A as the other computers in network A, and any LAN protocol can run; it is as if an invisible network cable ran from the eth1 port of the SSL VPN gateway device of network A to the eth1 port of the SSL VPN gateway device of network B (in Fig. 5 this invisible cable is marked with a dotted line).
There can be several PCs connecting to network A through the Internet. In this embodiment, besides a PC, the client can also be a mobile phone, PDA or other terminal device capable of remote access. When the client is a mobile phone, it can connect to the Internet through a mobile wireless network such as GSM or CDMA.