CN104104569B - Method and server for establishing a VPN tunnel - Google Patents
Publication number: CN104104569B (application number CN201310111430.6A)
Authority: CN (China)
Prior art keywords: server, tunnel, parameters, vpn tunneling, mark
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Abstract
The embodiments of the invention disclose a method, device and server for establishing a VPN tunnel. The method includes: a server obtains the negotiation packets transmitted between a first VM and a second VM; the server determines, according to the negotiation packets, that the first VM and the second VM are VMs carried by the server; the server generates VPN tunnel common parameters for the first VM and the second VM; and the server generates, according to the VPN tunnel common parameters, a shared tunnel descriptor SA for the first VM and the second VM, completing establishment of the VPN tunnel. With the embodiments of the invention, when a VPN tunnel is established between two VMs belonging to the same server, the server generates the VPN tunnel common parameters for the two VMs, which reduces the complexity of tunnel establishment and increases the speed at which the VPN tunnel is established; moreover, because an SA need not be established separately for each of the two VMs but a single shared SA is established for both, the memory consumption of the server is reduced.
Description
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and server for establishing a Virtual Private Network (VPN) tunnel.
Background technology
A VPN is a technique for establishing a dedicated network over a public network. A VPN supports establishing a VPN tunnel between two communicating parties so that the transmission is encrypted and its security improved. The two parties establishing the VPN tunnel may be virtual machines (Virtual Machine, VM). A VM is a complete computer simulated by software, having the full functionality of a hardware system and running in a completely isolated environment; many VMs can usually be simulated on one physical server, and many VMs can also be simulated across many physical servers. In prior-art VPN applications, a VPN tunnel may be established between VMs on the same physical server or between VMs on different physical servers. During establishment of the VPN tunnel, the two communicating VMs determine the VPN tunnel common parameters of both sides through repeated negotiation, each according to its own configured parameters, keys, certificates and so on; the VPN tunnel common parameters include the encryption/decryption algorithm, the authentication algorithm, keys, certificates and so on. Once the VPN tunnel common parameters are determined, each of the two communicating VMs generates a tunnel descriptor (Security Association, SA) containing the VPN tunnel common parameters, which completes tunnel establishment between the two VMs.
The inventors found, in the course of researching the prior art, that when a VPN tunnel is established between VMs on the same physical server, the two communicating VMs still have to negotiate repeatedly before the common parameters of the VPN tunnel can be determined, so the negotiation process is cumbersome and the secure tunnel is slow to establish.
The content of the invention
The embodiments of the present invention provide a method and server for establishing a VPN tunnel, to solve the prior-art problem that negotiation is cumbersome and establishment slow when a VPN tunnel is set up between VMs on the same physical server.
To solve the above technical problem, the embodiments of the invention disclose the following technical solutions:
In a first aspect, a method for establishing a Virtual Private Network (VPN) tunnel is provided, the method including:
a server obtains the negotiation packets transmitted between a first virtual machine (VM) and a second VM, the negotiation packets being used to request establishment of a VPN tunnel between the first VM and the second VM;
the server determines, according to the negotiation packets, that the first VM and the second VM are VMs carried by the server;
the server generates VPN tunnel common parameters for the first VM and the second VM;
the server generates, according to the VPN tunnel common parameters, a shared tunnel descriptor SA for the first VM and the second VM, completing establishment of the VPN tunnel.
With reference to the first aspect, in a first possible implementation of the first aspect, the server determining according to the negotiation packets that the first VM and the second VM are VMs carried by the server includes:
the server obtains the identifier of the first VM and the identifier of the second VM carried in the negotiation packets;
when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM, the server determines that the first VM and the second VM are VMs carried by the server.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect, the server generating VPN tunnel common parameters for the first VM and the second VM includes:
the server obtains a first tunnel parameter set of the first VM and a second tunnel parameter set of the second VM, respectively;
the server obtains the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set;
when the tunnel parameter intersection contains one tunnel parameter, that tunnel parameter is determined to be the VPN tunnel common parameter;
when the tunnel parameter intersection contains at least two tunnel parameters, the tunnel parameter with the highest priority is selected from the at least two tunnel parameters as the VPN tunnel common parameter.
With reference to the first aspect, or the first or second possible implementation of the first aspect, in a third possible implementation of the first aspect, the server generating a shared SA for the first VM and the second VM according to the VPN tunnel common parameters includes:
the server adds the VPN tunnel common parameters, the identifier of the first VM and the identifier of the second VM into one SA structure generated for the first VM and the second VM, producing a shared SA that is mapped to both the first VM and the second VM.
With reference to the first aspect, or the first, second or third possible implementation of the first aspect, in a fourth possible implementation of the first aspect, before the VPN tunnel common parameters are generated for the first VM and the second VM, the method further includes:
the server sends a stop-negotiation message to the first VM and to the second VM respectively, the stop-negotiation message notifying the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
In a second aspect, a server is provided, the server including:
an acquiring unit, configured to obtain the negotiation packets transmitted between a first virtual machine (VM) and a second VM, the negotiation packets being used to request establishment of a VPN tunnel between the first VM and the second VM;
a determining unit, configured to determine, according to the negotiation packets obtained by the acquiring unit, that the first VM and the second VM are VMs carried by the server;
a generation unit, configured to generate VPN tunnel common parameters for the first VM and the second VM when the determining unit determines that the first VM and the second VM belong to the server;
a set-up unit, configured to generate, according to the VPN tunnel common parameters generated by the generation unit, a shared tunnel descriptor SA for the first VM and the second VM, completing establishment of the VPN tunnel.
With reference to the second aspect, in a first possible implementation of the second aspect, the determining unit includes:
an identifier-acquiring subunit, configured to obtain the identifier of the first VM and the identifier of the second VM carried in the negotiation packets;
a belonging-determination subunit, configured to determine that the first VM and the second VM are VMs carried by the server when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM obtained by the identifier-acquiring subunit.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, the generation unit includes:
a parameter-acquiring subunit, configured to obtain the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM, respectively;
an intersection-acquiring subunit, configured to obtain the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set;
a parameter-determination subunit, configured to determine that tunnel parameter to be the VPN tunnel common parameter when the tunnel parameter intersection contains one tunnel parameter, and to select the tunnel parameter with the highest priority from the at least two tunnel parameters as the VPN tunnel common parameter when the tunnel parameter intersection contains at least two tunnel parameters.
With reference to the second aspect, or the first or second possible implementation of the second aspect, in a third possible implementation of the second aspect, the set-up unit is specifically configured to add the VPN tunnel common parameters, the identifier of the first VM and the identifier of the second VM into one SA structure generated for the first VM and the second VM, producing a shared SA that is mapped to both the first VM and the second VM.
With reference to the second aspect, or the first, second or third possible implementation of the second aspect, in a fourth possible implementation of the second aspect, the server further includes:
a transmitting unit, configured to send a stop-negotiation message to the first VM and to the second VM respectively when the determining unit determines that the first VM and the second VM belong to the server, the stop-negotiation message notifying the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
In a third aspect, a server is provided, the server including: a bus, and a processor and a memory connected by the bus, where
the memory is configured to store the configuration parameters of the VMs in the server;
the processor is configured to obtain the negotiation packets transmitted between a first virtual machine (VM) and a second VM, the negotiation packets being used to request establishment of a VPN tunnel between the first VM and the second VM; to generate VPN tunnel common parameters for the first VM and the second VM when it determines according to the negotiation packets that the first VM and the second VM are VMs carried by the server; and to generate, according to the VPN tunnel common parameters, a shared tunnel descriptor SA for the first VM and the second VM, completing establishment of the VPN tunnel;
the memory is further configured to store the shared SA generated by the processor for the first VM and the second VM.
With reference to the third aspect, in a first possible implementation of the third aspect, the processor is specifically configured to obtain the identifier of the first VM and the identifier of the second VM carried in the negotiation packets, and to determine that the first VM and the second VM are VMs carried by the server when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the processor is specifically configured to obtain the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM, respectively; to obtain the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set; to determine that tunnel parameter to be the VPN tunnel common parameter when the tunnel parameter intersection contains one tunnel parameter; and to select the tunnel parameter with the highest priority from the at least two tunnel parameters as the VPN tunnel common parameter when the tunnel parameter intersection contains at least two tunnel parameters.
With reference to the third aspect, or the first or second possible implementation of the third aspect, in a third possible implementation of the third aspect, the processor is specifically configured to add the VPN tunnel common parameters, the identifier of the first VM and the identifier of the second VM into one SA structure generated for the first VM and the second VM, producing a shared SA that is mapped to both the first VM and the second VM.
With reference to the third aspect, or the first, second or third possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the processor is further configured to send a stop-negotiation message to the first VM and to the second VM respectively when it determines that the first VM and the second VM belong to the server, the stop-negotiation message notifying the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
In the embodiments of the present invention, a server obtains the negotiation packets transmitted between a first VM and a second VM; when it determines according to the negotiation packets that the first VM and the second VM are VMs carried by the server, it generates VPN tunnel common parameters for the first VM and the second VM and, according to those common parameters, generates a shared SA for the two VMs, thereby completing establishment of the VPN tunnel. With the embodiments of the invention, when a VPN tunnel is established between two VMs belonging to the same server, the two VMs do not need to exchange repeated negotiation messages to determine the common parameters of the VPN tunnel; instead the server generates the VPN tunnel common parameters for both VMs, which reduces the complexity of tunnel establishment and increases the speed at which the VPN tunnel is established. Moreover, since an SA need not be established separately for each of the two VMs but a single shared SA is established for both, the memory consumption of the server is reduced.
Brief description of the drawings
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings required for describing the embodiments or the prior art are briefly introduced below. Obviously, persons of ordinary skill in the art may derive other drawings from these drawings without creative effort.
Fig. 1 is a VPN architecture diagram to which an embodiment of the present invention applies;
Fig. 2 is a flow chart of one embodiment of the method for establishing a VPN tunnel provided by an embodiment of the present invention;
Fig. 3 is a flow chart of another embodiment of the method for establishing a VPN tunnel provided by an embodiment of the present invention;
Fig. 4 is a block diagram of one embodiment of the server provided by an embodiment of the present invention;
Fig. 5 is a block diagram of another embodiment of the server provided by an embodiment of the present invention;
Fig. 6 is a block diagram of another embodiment of the server provided by an embodiment of the present invention.
Embodiment
The following embodiments of the present invention provide a method, device and server for establishing a VPN tunnel.
To help those skilled in the art better understand the technical solutions in the embodiments of the present invention, and to make the above objects, features and advantages of the embodiments more obvious and comprehensible, the technical solutions in the embodiments are described in further detail below with reference to the drawings.
Referring to Fig. 1, a VPN architecture diagram to which an embodiment of the present invention applies:
The server in Fig. 1 may include multiple VMs, of which VM1 and VM2 are shown as examples, together with a virtualization platform (Hypervisor) that manages the VMs centrally. The virtualization platform is a meta operating system in a virtual environment; through it, all physical devices on the server, including disk and memory, can be accessed. The virtualization platform not only coordinates access to hardware resources but also enforces protection between the virtual machines; when the server starts and runs the virtualization platform, it loads the operating systems of all VMs and allocates appropriate memory, central processing unit (CPU), network and disk resources to each VM. In Fig. 1 the virtualization platform can be further divided by function into a virtual control layer module and a virtual switch module. In the embodiments of the present invention, the server can establish a VPN tunnel between the VMs it carries by means of the virtualization platform. The process of establishing a VPN tunnel according to the invention is described below with reference to specific embodiments.
Referring to Fig. 2, a flow chart of one embodiment of the method for establishing a VPN tunnel according to the present invention:
Step 201: The server obtains the negotiation packets transmitted between the first VM and the second VM, the negotiation packets being used to request establishment of a VPN tunnel between the first VM and the second VM.
The negotiation packets include the tunnel negotiation request packet sent by the first VM to the second VM and the tunnel negotiation confirmation packet returned by the second VM to the first VM. In this embodiment, when a VPN tunnel needs to be established between the first VM and the second VM, the first VM sends a tunnel negotiation request packet to the second VM, and after receiving the tunnel negotiation request packet the second VM returns a tunnel negotiation confirmation packet to the first VM. If, for example, the first VM is a VM in the server, then when the first VM and the second VM interact, the server can obtain the tunnel negotiation request packet and the tunnel negotiation confirmation packet transmitted between them.
Step 202: The server determines, according to the negotiation packets, that the first VM and the second VM are VMs carried by the server.
Because the tunnel negotiation request packet and the tunnel negotiation confirmation packet carry the identifier of the first VM and the identifier of the second VM, the server can obtain both identifiers from these packets once it has received them. Since the server stores the identifiers of all VMs it carries, when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM, the server determines that the first VM and the second VM are VMs carried by the server.
In the embodiments of the present invention, a VM identifier may be the VM's Internet Protocol (IP) address, the VM's virtual Media Access Control (Virtual Media Access Control, VMAC) address, or the like; it is not limited here, as long as it can identify the VM.
Step 203: The server generates VPN tunnel common parameters for the first VM and the second VM.
Because the VPN tunnel common parameters include several types of parameter, for example an encryption/decryption algorithm, an authentication algorithm, keys, certificates and so on, the server generates each type of VPN tunnel common parameter for the VMs separately, and the VPN tunnel common parameters of all types together constitute the VPN tunnel common parameters of the VMs.
When generating a VPN tunnel common parameter of a given type, the server obtains the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM, respectively, and obtains the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set. When the tunnel parameter intersection contains one tunnel parameter, that tunnel parameter is determined to be the common parameter of the first VM and the second VM; when the tunnel parameter intersection contains at least two tunnel parameters, the tunnel parameter with the highest priority is selected from the at least two tunnel parameters as the common parameter of the first VM and the second VM.
Step 204: The server generates a shared SA for the first VM and the second VM according to the VPN tunnel common parameters, thereby completing establishment of the VPN tunnel.
In the prior art, after the first VM and the second VM have negotiated all common parameters, each of them has to set up an SA structure and store the common parameters in it. In this embodiment, because the server generates the VPN tunnel common parameters for the first VM and the second VM, the server only needs to generate a single SA structure for the two VMs and add the VPN tunnel common parameters, the identifier of the first VM and the identifier of the second VM into that SA structure, forming one shared SA that is mapped to both the first VM and the second VM.
As seen from the above embodiment, when a VPN tunnel is established between two VMs belonging to the same server, the two VMs do not need to exchange repeated negotiation messages to determine the common parameters of the VPN tunnel; instead the server generates the VPN tunnel common parameters for both VMs, which reduces the complexity of tunnel establishment and increases the speed at which the VPN tunnel is established. Moreover, since an SA need not be established separately for each of the two VMs but a single shared SA is established for both, the memory consumption of the server is reduced.
Referring to Fig. 3, a flow chart of another embodiment of the method for establishing a VPN tunnel according to the present invention; this embodiment describes in detail the process by which a server establishes a VPN tunnel for VMs in that server:
Step 301: The server obtains the negotiation packets transmitted between the first VM and the second VM, the negotiation packets being used to request establishment of a VPN tunnel between the first VM and the second VM.
In this embodiment, when a VPN tunnel needs to be established between the first VM and the second VM, the first VM sends a tunnel negotiation request packet to the second VM, and after receiving the tunnel negotiation request packet the second VM returns a tunnel negotiation confirmation packet to the first VM. If, for example, the first VM is a VM in the server, then when the first VM and the second VM interact, the server can obtain the tunnel negotiation request packet and the tunnel negotiation confirmation packet transmitted between them.
In this embodiment the server may obtain packets of many types transmitted by the VMs; the server can then distinguish the type of a packet by the port number over which it is transmitted.
Step 302: The server judges, according to the negotiation packets, whether the first VM and the second VM are VMs carried by the server; if so, step 303 is performed; otherwise, step 306 is performed.
Because the tunnel negotiation request packet and the tunnel negotiation confirmation packet carry the identifier of the first VM and the identifier of the second VM, the server can obtain both identifiers from these packets once it has received them. Since the server stores the identifiers of all VMs it carries, when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM, the server determines that the first VM and the second VM are VMs carried by the server. In the embodiments of the present invention, the VM identifier may be the VM's IP address, the VM's VMAC address, or any other identifier that can identify the VM.
The server may keep the IP addresses of all VMs it carries in an IP address list. When the VM identifier is the VM's IP address, after obtaining the IP address of the first VM and the IP address of the second VM the server looks up each address in the IP address list: when both IP addresses are present in the IP address list, it determines that the first VM and the second VM are both VMs carried by the server; when only one of the IP addresses is present in the IP address list, it determines that only one of the VMs is carried by the server. Likewise, the server may keep the VMAC addresses of all VMs it carries in a VMAC address list. When the VM identifier is the VM's VMAC address, after obtaining the VMAC address of the first VM and the VMAC address of the second VM the server looks up each address in the VMAC address list: when both VMAC addresses are present in the VMAC address list, it determines that the first VM and the second VM are VMs carried by the server.
Step 303: The server sends a stop-negotiation message to the first VM and to the second VM respectively.
When the first VM and the second VM both belong to the server, the server can send a stop-negotiation message to the first VM and to the second VM respectively; the stop-negotiation message notifies the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
Step 304: The server generates VPN tunnel common parameters for the first VM and the second VM.
The VPN tunnel common parameters include several types of parameter, for example an encryption/decryption algorithm, an authentication algorithm, an authentication mode and so on. The encryption/decryption algorithm can include the symmetric Data Encryption Algorithm (DES) algorithm, the 3DES algorithm, the Advanced Encryption Standard (AES) algorithm and so on; the authentication algorithm can include the Message Digest Algorithm 5 (MD5) algorithm, the Secure Hash Algorithm (SHA1) algorithm and so on; and the authentication mode can include keys, certificates and so on. The server therefore generates each type of VPN tunnel common parameter for the VMs separately, and the VPN tunnel common parameters of all types together constitute the VPN tunnel common parameters of the VMs.
In the embodiments of the present invention, the server allocates a separate memory space to each VM it carries, and the memory space of each VM stores the various tunnel parameters initially configured for that VM. When generating a VPN tunnel common parameter of a given type, the server therefore obtains the first tunnel parameter set of the first VM from the memory space of the first VM and the second tunnel parameter set of the second VM from the memory space of the second VM, and obtains the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set. When the tunnel parameter intersection contains one tunnel parameter, that tunnel parameter is determined to be the common parameter of the first VM and the second VM; when the tunnel parameter intersection contains at least two tunnel parameters, the tunnel parameter with the highest priority is selected from the at least two tunnel parameters as the common parameter of the first VM and the second VM. Taking the encryption/decryption algorithm as an example: if the encryption/decryption algorithms obtained from the memory space of the first VM and allocated to the first VM are the DES algorithm and the 3DES algorithm, and the encryption/decryption algorithms obtained from the memory space of the second VM and allocated to the second VM are the DES algorithm, the 3DES algorithm and the AES algorithm, then the intersection of the two VMs' encryption/decryption algorithms is the DES algorithm and the 3DES algorithm; when the 3DES algorithm has higher priority than the DES algorithm, the server selects the 3DES algorithm as the common encryption/decryption algorithm of the first VM and the second VM.
Step 305: The server generates a shared SA for the first VM and the second VM according to the VPN tunnel common parameters, thereby completing establishment of the VPN tunnel, and the current flow ends.
In the prior art, after the first VM and the second VM have negotiated all common parameters, each of them has to set up its own SA structure and generate an SA by storing the common parameters in that SA structure. In this embodiment, because the server generates the VPN tunnel common parameters for the first VM and the second VM, the server only needs to generate a single SA structure for the two VMs and add the VPN tunnel common parameters, the identifier of the first VM and the identifier of the second VM into that SA structure, thereby generating a shared SA that is mapped to both the first VM and the second VM.
Step 306: The first VM and the second VM negotiate the VPN tunnel common parameters according to the existing VPN tunnel negotiation process, and the current flow ends.
When only one of the first VM and the second VM belongs to the server, the server performs no further steps, and the first VM and the second VM negotiate the VPN tunnel common parameters according to the existing VPN tunnel negotiation process, which is not repeated here.
As seen from the above embodiment, when a VPN tunnel is established between two VMs belonging to the same server, the two VMs do not need to exchange repeated negotiation messages to determine the common parameters of the VPN tunnel; instead the server generates the VPN tunnel common parameters for both VMs, which reduces the complexity of tunnel establishment and increases the speed at which the VPN tunnel is established. Moreover, since an SA need not be established separately for each of the two VMs but a single shared SA is established for both, the memory consumption of the server is reduced. For two VMs belonging to different servers, the existing VPN tunnel establishment process remains compatible, so VPN tunnel establishment is more flexible.
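The following simulation of the Fig. 3 flow (steps 301 to 306, including the Fig. 2 parameter-intersection rule of step 203) is example code added here; it is not part of the patent. The packet format, the per-type priority ordering (the patent only states that 3DES outranks DES) and the handling of an empty intersection are assumptions.

```python
from dataclasses import dataclass

# Assumed priority ordering per parameter type (highest first). The patent only
# says the highest-priority shared parameter wins and that 3DES outranks DES.
PRIORITY = {"cipher": ["AES", "3DES", "DES"], "auth_alg": ["SHA1", "MD5"],
            "auth_mode": ["certificate", "key"]}


@dataclass
class NegotiationPacket:
    """Constructed stand-in for a tunnel negotiation request/confirmation packet."""
    src: str   # identifier of the sending VM (IP or VMAC address)
    dst: str   # identifier of the receiving VM
    kind: str  # "request" (first VM -> second VM) or "confirm" (second -> first)


@dataclass
class SharedSA:
    """One SA structure holding the common parameters and both VM identifiers."""
    vm_ids: tuple
    params: dict


class Server:
    def __init__(self, vm_configs):
        # vm_configs maps each carried VM identifier to its initially configured
        # tunnel parameter sets (the per-VM memory space of Step 304).
        self.vm_configs = vm_configs
        self.sa_table = {}       # VM identifier -> SA; both VMs share one object
        self.sent_messages = []  # (VM identifier, message) log for Step 303

    def carries(self, vm_id):
        """Step 302: look the identifier up in the server's managed VM list."""
        return vm_id in self.vm_configs

    def choose_common_parameter(self, ptype, first_set, second_set):
        """Intersect the two sets; a single element wins, else highest priority."""
        common = set(first_set) & set(second_set)
        if not common:
            return None
        if len(common) == 1:
            return next(iter(common))
        for candidate in PRIORITY.get(ptype, []):
            if candidate in common:
                return candidate
        return None

    def generate_common_parameters(self, vm1, vm2):
        """Step 304: one common parameter per type. Assumption: an empty
        intersection for any type means no tunnel can be built (returns None)."""
        cfg1, cfg2 = self.vm_configs[vm1], self.vm_configs[vm2]
        result = {}
        for ptype in sorted(cfg1.keys() & cfg2.keys()):
            chosen = self.choose_common_parameter(ptype, cfg1[ptype], cfg2[ptype])
            if chosen is None:
                return None
            result[ptype] = chosen
        return result

    def handle_negotiation(self, request, confirm):
        """Steps 301-306 for one request/confirmation packet pair."""
        vm1, vm2 = request.src, request.dst
        if (request.kind != "request" or confirm.kind != "confirm"
                or (confirm.src, confirm.dst) != (vm2, vm1)):
            raise ValueError("packets do not form a request/confirmation pair")
        if not (self.carries(vm1) and self.carries(vm2)):
            return "fallback"  # Step 306: ordinary VM-to-VM negotiation continues
        # Step 303: tell both VMs to stop negotiating between themselves.
        self.sent_messages += [(vm1, "stop_negotiation"), (vm2, "stop_negotiation")]
        params = self.generate_common_parameters(vm1, vm2)
        if params is None:
            return "no_common_parameter"
        # Step 305: one SA structure, mapped to both VMs.
        sa = SharedSA((vm1, vm2), params)
        self.sa_table[vm1] = sa
        self.sa_table[vm2] = sa
        return "established"

    def sa_count(self):
        """Distinct SA structures held: 1 for a shared SA, 2 in the prior art."""
        return len({id(sa) for sa in self.sa_table.values()})


# Constructed configuration mirroring the patent's example: VM1 offers DES and
# 3DES, VM2 offers DES, 3DES and AES, so the cipher intersection is {DES, 3DES}.
VM_CONFIGS = {
    "10.0.0.1": {"cipher": ["DES", "3DES"], "auth_alg": ["MD5", "SHA1"],
                 "auth_mode": ["key", "certificate"]},
    "10.0.0.2": {"cipher": ["DES", "3DES", "AES"], "auth_alg": ["SHA1"],
                 "auth_mode": ["key", "certificate"]},
}


def run_example():
    """Run the VM1 -> VM2 negotiation through the server and return the result."""
    server = Server(VM_CONFIGS)
    request = NegotiationPacket("10.0.0.1", "10.0.0.2", "request")
    confirm = NegotiationPacket("10.0.0.2", "10.0.0.1", "confirm")
    return server.handle_negotiation(request, confirm), server
```

With the constructed configuration the server picks 3DES, SHA1 and certificate, installs one SA object for both VMs, and a peer not in its VM list makes it fall through to the ordinary negotiation path.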
With reference to the VPN architecture shown in Fig. 1, the process of setting up a VPN tunnel using that architecture is described as follows:
Assume that a VPN tunnel is to be set up between VM1 and VM2. VM1 sends a tunnel negotiation request packet to VM2 through the virtual switch module, and VM2 returns a tunnel negotiation confirmation packet to VM1 through the virtual switch module. The virtual control layer module can obtain all types of packets in the server; when it identifies the above tunnel negotiation request packet and tunnel negotiation confirmation packet among them, it can determine from the IP addresses of VM1 and VM2 contained in these two packets that VM1 and VM2 both belong to the server. The virtual control layer module can then generate the VPN tunnel common parameters for VM1 and VM2 and set up a shared SA for them; the processes of generating the common parameters and setting up the shared SA are described in detail in the embodiments of Fig. 2 and Fig. 3 above and are not repeated here.
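The flow just described, including the Fig. 5 variant that tells both VMs to stop their own negotiation and the fall-back when one VM is remote, is modelled below as an added example; this is not code from the patent or its assignee. The class and function names, the packet fields, the parameter names and the priority table are all constructed for the illustration.

```python
"""Model of the intra-host VPN tunnel set-up described above.

Added example, not code from the patent or its assignee: the class and
function names, the packet fields, the parameter names and the priority
table are all constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Server-wide ranking of tunnel parameters (lower number = higher priority).
# The text only says "the parameter with the highest priority"; keeping the
# ranking in the server's VM configuration is an assumption of this example.
PARAM_PRIORITY = {"aes256-gcm": 1, "aes128-cbc": 2, "3des-cbc": 3}


@dataclass(frozen=True)
class NegotiationPacket:
    """A tunnel negotiation request or confirmation as seen by the virtual
    control layer; src/dst are the VM identifiers (constructed layout)."""
    kind: str  # "request" (first VM -> second VM) or "confirm" (the reply)
    src: str
    dst: str


@dataclass(frozen=True)
class SharedSA:
    """One SA structure holding the common parameter and both VM identifiers,
    mapped to both VMs instead of one SA per VM."""
    vm_ids: frozenset[str]
    common_param: str


class HostServer:
    """Server carrying VMs; vm_params maps each carried VM's identifier to the
    tunnel parameter set it supports (the role of the server's VM configuration)."""

    def __init__(self, vm_params: dict[str, set[str]]) -> None:
        self.vm_params = vm_params
        self.shared_sas: list[SharedSA] = []
        self.sent_messages: list[tuple[str, str]] = []

    @staticmethod
    def is_negotiation_pair(req: NegotiationPacket, ack: NegotiationPacket) -> bool:
        """The confirmation must answer exactly this request (endpoints reversed)."""
        return (req.kind == "request" and ack.kind == "confirm"
                and ack.src == req.dst and ack.dst == req.src)

    def both_local(self, vm_a: str, vm_b: str) -> bool:
        """Both identifiers must be among the VMs this server manages."""
        return vm_a in self.vm_params and vm_b in self.vm_params

    @staticmethod
    def select_common_parameter(params_a: set[str], params_b: set[str]) -> Optional[str]:
        """Intersect the two sets: a single element is taken as-is, several are
        resolved by priority, and an empty intersection yields None."""
        common = params_a & params_b
        if not common:
            return None
        if len(common) == 1:
            return next(iter(common))
        return min(common, key=lambda p: PARAM_PRIORITY.get(p, float("inf")))

    def handle_negotiation(self, req: NegotiationPacket,
                           ack: NegotiationPacket) -> Optional[SharedSA]:
        """Run the whole flow for one captured request/confirm pair.

        Returns the shared SA, or None when the VMs must fall back to the
        existing negotiation (step 306) or share no tunnel parameter.
        """
        if not self.is_negotiation_pair(req, ack):
            raise ValueError("packets are not a matching request/confirm pair")
        vm_a, vm_b = req.src, req.dst
        if not self.both_local(vm_a, vm_b):
            return None  # one VM is remote: leave the VMs to negotiate themselves
        # Fig. 5 variant: tell both VMs to stop their own negotiation first.
        self.sent_messages += [(vm_a, "stop_negotiation"), (vm_b, "stop_negotiation")]
        param = self.select_common_parameter(self.vm_params[vm_a], self.vm_params[vm_b])
        if param is None:
            return None  # no shared parameter; the text does not specify this case
        sa = SharedSA(frozenset({vm_a, vm_b}), param)  # one SA structure for both VMs
        self.shared_sas.append(sa)
        return sa


if __name__ == "__main__":
    # Constructed sample: VM1 and VM2 are local, VM9 lives on another server.
    server = HostServer({
        "VM1": {"aes256-gcm", "aes128-cbc", "3des-cbc"},
        "VM2": {"aes128-cbc", "3des-cbc"},
    })
    print(server.handle_negotiation(NegotiationPacket("request", "VM1", "VM2"),
                                    NegotiationPacket("confirm", "VM2", "VM1")))
    print(server.handle_negotiation(NegotiationPacket("request", "VM1", "VM9"),
                                    NegotiationPacket("confirm", "VM9", "VM1")))
```

The first call yields a shared SA whose common parameter is `aes128-cbc` (the highest-priority member of the two-element intersection); the second returns `None` because VM9 is not carried by this server.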
Corresponding to the embodiments of the method for setting up a VPN tunnel, the present invention also provides embodiments of an apparatus and a server for setting up a VPN tunnel.
Fig. 4 is a block diagram of one embodiment of the server provided by an embodiment of the present invention:
The apparatus includes an acquiring unit 410, a determining unit 420, a generating unit 430 and an establishing unit 440.
The acquiring unit 410 is configured to obtain the negotiation packets transmitted between a first virtual machine VM and a second VM, the negotiation packets being used to request that a VPN tunnel be set up between the first VM and the second VM;
the determining unit 420 is configured to determine, according to the negotiation packets obtained by the acquiring unit 410, that the first VM and the second VM are VMs carried by the server;
the generating unit 430 is configured to generate the VPN tunnel common parameters for the first VM and the second VM when the determining unit 420 determines that the first VM and the second VM belong to the server;
the establishing unit 440 is configured to generate a shared tunnel descriptor SA for the first VM and the second VM according to the VPN tunnel common parameters generated by the generating unit 430, completing the establishment of the VPN tunnel.
Optionally, the acquiring unit 410 may be specifically configured to obtain the tunnel negotiation request packet sent by the first VM to the second VM, and the tunnel negotiation confirmation packet returned by the second VM to the first VM in response to that request packet.
Optionally, the determining unit 420 may include (not shown in Fig. 4): an identifier acquiring subunit, configured to obtain the identifier of the first VM and the identifier of the second VM carried in the negotiation packets; and an ownership determining subunit, configured to determine that the first VM and the second VM are VMs carried by the server when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM obtained by the identifier acquiring subunit.
Optionally, the generating unit 430 may include (not shown in Fig. 4): a parameter acquiring subunit, configured to obtain the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM; an intersection acquiring subunit, configured to obtain the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set; and a parameter determining subunit, configured to take the one tunnel parameter as the common parameter of the first VM and the second VM when the tunnel parameter intersection contains one tunnel parameter, and to select the tunnel parameter with the highest priority from the at least two tunnel parameters as the common parameter of the first VM and the second VM when the intersection contains at least two tunnel parameters.
When a VPN tunnel is set up between two VMs belonging to the same server using the server provided by this embodiment, the two VMs do not need to determine the tunnel's common parameters through repeated negotiation exchanges; instead, the server generates the VPN tunnel common parameters for both VMs, which reduces the complexity of VPN tunnel establishment and increases its speed. In addition, because a separate SA does not have to be set up for each of the two VMs but a single shared SA is set up for both, the memory consumption of the server is reduced. For two VMs that belong to different servers, the existing VPN tunnel establishment process remains fully usable, so the establishment of VPN tunnels stays flexible.
Optionally, the establishing unit 440 may be specifically configured to add the VPN tunnel common parameters and the identifiers of the first VM and the second VM to a single SA structure generated for the first VM and the second VM, thereby generating a shared SA that is mapped to the first VM and the second VM at the same time.
Fig. 5 is a block diagram of another embodiment of the server provided by an embodiment of the present invention:
The apparatus includes an acquiring unit 510, a determining unit 520, a sending unit 530, a generating unit 540 and an establishing unit 550.
The acquiring unit 510 is configured to obtain the negotiation packets transmitted between a first virtual machine VM and a second VM, the negotiation packets being used to request that a VPN tunnel be set up between the first VM and the second VM;
the determining unit 520 is configured to determine, according to the negotiation packets obtained by the acquiring unit 510, that the first VM and the second VM are VMs carried by the server;
the sending unit 530 is configured to send a stop-negotiation message to the first VM and to the second VM respectively when the determining unit 520 determines that the first VM and the second VM belong to the server, the stop-negotiation message being used to notify the first VM and the second VM to stop negotiating the VPN tunnel common parameters;
the generating unit 540 is configured to generate the VPN tunnel common parameters for the first VM and the second VM when the determining unit 520 determines that the first VM and the second VM belong to the server;
the establishing unit 550 is configured to generate a shared tunnel descriptor SA for the first VM and the second VM according to the VPN tunnel common parameters generated by the generating unit 540, thereby completing the establishment of the VPN tunnel.
Optionally, the acquiring unit 510 may be specifically configured to obtain the tunnel negotiation request packet sent by the first VM to the second VM, and the tunnel negotiation confirmation packet returned by the second VM to the first VM in response to that request packet.
Optionally, the determining unit 520 may include (not shown in Fig. 5): an identifier acquiring subunit, configured to obtain the identifier of the first VM and the identifier of the second VM carried in the negotiation packets; and an ownership determining subunit, configured to determine that the first VM and the second VM are VMs carried by the server when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM obtained by the identifier acquiring subunit.
Optionally, the generating unit 540 may include (not shown in Fig. 5): a parameter acquiring subunit, configured to obtain the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM; an intersection acquiring subunit, configured to obtain the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set; and a parameter determining subunit, configured to take the one tunnel parameter as the common parameter of the first VM and the second VM when the tunnel parameter intersection contains one tunnel parameter, and to select the tunnel parameter with the highest priority from the at least two tunnel parameters as the common parameter of the first VM and the second VM when the intersection contains at least two tunnel parameters.
Optionally, the establishing unit 550 may be specifically configured to add the VPN tunnel common parameters and the identifiers of the first VM and the second VM to a single SA structure generated for the first VM and the second VM, thereby generating a shared SA that is mapped to the first VM and the second VM at the same time.
Fig. 6 is a block diagram of another embodiment of the server provided by an embodiment of the present invention:
The server includes a bus 610, and a processor 620 and a memory 630 connected through the bus 610.
The memory 630 is configured to store the configuration parameters of the VMs in the server;
the processor 620 is configured to obtain the negotiation packets transmitted between a first virtual machine VM and a second VM, the negotiation packets being used to request that a VPN tunnel be set up between the first VM and the second VM; to generate the VPN tunnel common parameters for the first VM and the second VM when it determines from the negotiation packets that the first VM and the second VM are VMs carried by the server; and to generate, according to the VPN tunnel common parameters, a shared tunnel descriptor SA for the first VM and the second VM, completing the establishment of the VPN tunnel;
the memory 630 is further configured to store the shared SA that the processor 620 has set up for the first VM and the second VM.
Optionally, the processor 620 may be specifically configured to obtain the tunnel negotiation request packet sent by the first VM to the second VM, and the tunnel negotiation confirmation packet returned by the second VM to the first VM in response to that request packet.
Optionally, the processor 620 may be specifically configured to obtain the identifier of the first VM and the identifier of the second VM carried in the negotiation packets, and to determine that the first VM and the second VM are VMs carried by the server when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM.
Optionally, the processor 620 may be specifically configured to obtain the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM, and to obtain the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set; when the tunnel parameter intersection contains one tunnel parameter, that one tunnel parameter is determined as the common parameter of the first VM and the second VM, and when the intersection contains at least two tunnel parameters, the tunnel parameter with the highest priority is selected from the at least two tunnel parameters as the common parameter of the first VM and the second VM.
Optionally, the processor 620 may be specifically configured to add the VPN tunnel common parameters and the identifiers of the first VM and the second VM to a single SA structure generated for the first VM and the second VM, thereby generating a shared SA that is mapped to the first VM and the second VM at the same time.
Optionally, the processor 620 may be further configured to send a stop-negotiation message to the first VM and to the second VM respectively when it determines that the first VM and the second VM belong to the server, the stop-negotiation message being used to notify the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
As can be seen from the above embodiments, the server obtains the VPN tunnel establishment negotiation packets transmitted between the first VM and the second VM; when it determines from these negotiation packets that the first VM and the second VM belong to the server, it generates the VPN tunnel common parameters for the two VMs and sets up a shared SA for the first VM and the second VM according to those common parameters. With the embodiments of the present invention, when a VPN tunnel is set up between two VMs that belong to the same server, the two VMs do not need to determine the tunnel's common parameters through repeated negotiation exchanges; instead, the server generates the VPN tunnel common parameters for both VMs, which reduces the complexity of VPN tunnel establishment and increases its speed. In addition, because a separate SA does not have to be set up for each of the two VMs but a single shared SA is set up for both, the memory consumption of the server is reduced.
Those skilled in the art will understand that the techniques in the embodiments of the present invention can be realised by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution in the embodiments of the present invention, or the part of it that contributes over the prior art, can be embodied in the form of a software product. The computer software product may be stored in a storage medium such as ROM/RAM, a magnetic disk or an optical disc, and includes instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform the methods described in the embodiments of the present invention or in parts of those embodiments.
The embodiments in this specification are described in a progressive manner; identical or similar parts of the embodiments may be referred to one another, and each embodiment focuses on what distinguishes it from the others. In particular, the system embodiments are described relatively briefly because they are substantially similar to the method embodiments; for the relevant parts, refer to the description of the method embodiments.
The embodiments of the present invention described above are not intended to limit the scope of the present invention. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (10)
1. A method for setting up a virtual private network (VPN) tunnel, characterised in that the method includes:
a server obtaining the negotiation packets transmitted between a first virtual machine (VM) and a second VM, the negotiation packets being used to request that a VPN tunnel be set up between the first VM and the second VM;
the server determining, according to the negotiation packets, that the first VM and the second VM are VMs carried by the server;
the server generating VPN tunnel common parameters for the first VM and the second VM;
the server generating, according to the VPN tunnel common parameters, a shared tunnel descriptor SA for the first VM and the second VM, completing the establishment of the VPN tunnel.
2. The method according to claim 1, characterised in that the server determining, according to the negotiation packets, that the first VM and the second VM are VMs carried by the server includes:
the server obtaining the identifier of the first VM and the identifier of the second VM carried in the negotiation packets;
when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM, the server determining that the first VM and the second VM are VMs carried by the server.
3. The method according to claim 1 or 2, characterised in that the server generating VPN tunnel common parameters for the first VM and the second VM includes:
the server obtaining the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM respectively;
the server obtaining the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set;
when the tunnel parameter intersection contains one tunnel parameter, determining that one tunnel parameter as the common parameter of the SA structure;
when the tunnel parameter intersection contains at least two tunnel parameters, selecting the tunnel parameter with the highest priority from the at least two tunnel parameters as the VPN tunnel common parameter.
4. The method according to claim 1, characterised in that the server generating, according to the VPN tunnel common parameters, a shared SA for the first VM and the second VM includes:
the server adding the VPN tunnel common parameters and the identifiers of the first VM and the second VM to a single SA structure generated for the first VM and the second VM, thereby generating a shared SA that is mapped to the first VM and the second VM at the same time.
5. The method according to claim 1, characterised in that, before generating the VPN tunnel common parameters for the first VM and the second VM, the method further includes:
the server sending a stop-negotiation message to the first VM and to the second VM respectively, the stop-negotiation message being used to notify the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
6. A server, characterised in that the server includes:
an acquiring unit, configured to obtain the negotiation packets transmitted between a first virtual machine (VM) and a second VM, the negotiation packets being used to request that a VPN tunnel be set up between the first VM and the second VM;
a determining unit, configured to determine, according to the negotiation packets obtained by the acquiring unit, that the first VM and the second VM are VMs carried by the server;
a generating unit, configured to generate VPN tunnel common parameters for the first VM and the second VM when the determining unit determines that the first VM and the second VM belong to the server;
an establishing unit, configured to generate, according to the VPN tunnel common parameters generated by the generating unit, a shared tunnel descriptor SA for the first VM and the second VM, completing the establishment of the VPN tunnel.
7. The server according to claim 6, characterised in that the determining unit includes:
an identifier acquiring subunit, configured to obtain the identifier of the first VM and the identifier of the second VM carried in the negotiation packets;
an ownership determining subunit, configured to determine that the first VM and the second VM are VMs carried by the server when the VM identifiers managed by the server include the identifier of the first VM and the identifier of the second VM obtained by the identifier acquiring subunit.
8. The server according to claim 6 or 7, characterised in that the generating unit includes:
a parameter acquiring subunit, configured to obtain the first tunnel parameter set of the first VM and the second tunnel parameter set of the second VM respectively;
an intersection acquiring subunit, configured to obtain the tunnel parameter intersection made up of the parameters shared by the first tunnel parameter set and the second tunnel parameter set;
a parameter determining subunit, configured to determine the one tunnel parameter as the common parameter of the first VM and the second VM when the tunnel parameter intersection contains one tunnel parameter, and to select the tunnel parameter with the highest priority from the at least two tunnel parameters as the common parameter of the first VM and the second VM when the tunnel parameter intersection contains at least two tunnel parameters.
9. The server according to claim 6, characterised in that
the establishing unit is specifically configured to add the VPN tunnel common parameters and the identifiers of the first VM and the second VM to a single SA structure generated for the first VM and the second VM, thereby generating a shared SA that is mapped to the first VM and the second VM at the same time.
10. The server according to claim 6, characterised in that the server further includes:
a sending unit, configured to send a stop-negotiation message to the first VM and to the second VM respectively when the determining unit determines that the first VM and the second VM belong to the server, the stop-negotiation message being used to notify the first VM and the second VM to stop negotiating the VPN tunnel common parameters.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310111430.6A CN104104569B (en) | 2013-04-01 | 2013-04-01 | Set up the method and server of vpn tunneling |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104104569A CN104104569A (en) | 2014-10-15 |
CN104104569B true CN104104569B (en) | 2017-08-29 |