CN104426732A - High-speed transmission tunnel realization method and system - Google Patents


Info

Publication number
CN104426732A
Authority
CN
China
Prior art keywords
vpn
ssl
udp
tcp
tunnel
Prior art date
Legal status
Pending
Application number
CN201310362224.2A
Other languages
Chinese (zh)
Inventor
王黎
刘志永
吉岭
Current Assignee
ARRAY NETWORKS (BEIJING) Inc
Original Assignee
ARRAY NETWORKS (BEIJING) Inc
Priority date
2013-08-19
Filing date
2013-08-19
Publication date
2015-03-18


Abstract

The invention discloses a high-speed transmission tunnel realization method. In addition to transmission according to TCP, the method comprises: at the VPN client, establishing an SSL connection with the VPN server and transmitting the VPN configuration over it in encrypted form; switching the SSL connection into an SSL VPN tunnel while at the same time establishing a DTLS VPN tunnel; judging the protocol type of the VPN client traffic; and letting non-TCP/UDP traffic continue through the SSL VPN tunnel while TCP/UDP traffic goes through the DTLS VPN tunnel. The method and system solve the double-retransmission problem in which TCP traffic retransmits on timeout and the SSL VPN tunnel itself retransmits as well, and at the same time address the poor real-time performance of UDP applications carried in a TCP tunnel and the packet loss that occurs when non-TCP/UDP protocol data is carried over a UDP tunnel.

Description

Implementation method and system for a high-speed transfer tunnel
Technical field
The present invention relates to the field of network transmission, and in particular to an implementation method and system for a high-speed transfer tunnel.
Background technology
Secure Sockets Layer (SSL) and its successor Transport Layer Security (TLS) are security protocols that provide data confidentiality and data integrity for network communication. SSL and TLS are designed to run over the reliable transport-layer protocol TCP and provide secure transmission transparently to upper-layer applications.
SSL VPN is a remote access technology that uses the SSL/TLS protocol to realize a secure tunnel; it is currently adopted by the great majority of VPN vendors.
Datagram Transport Layer Security (DTLS) is the standard proposed by the IETF to solve the transmission security of UDP (User Datagram Protocol) application protocols. DTLS v1.0 was formally issued in 2006. It extends TLS 1.1 to cope with the packet loss and reordering characteristics of UDP, provides a secure transport layer for UDP application protocols, and guarantees the same security as TLS.
The traditional SSL VPN tunnel scheme uses TCP to carry all traffic data in the SSL VPN tunnel. This implementation has serious defects in the following respects:
1) TCP data flows inside the tunnel suffer double retransmission, which makes SSL VPN performance drop sharply, especially on wide-area networks with serious packet loss and delay. Because the SSL VPN tunnel is itself a TCP connection, when a TCP connection inside the tunnel loses packets under poor network conditions, not only does the inner TCP connection retransmit, but the SSL VPN tunnel itself retransmits as well. This double retransmission causes the number of retransmitted packets to grow exponentially and aggravates network congestion. Since it is determined by the reliable transport mechanism of TCP, it is unavoidable.
2) UDP applications in the tunnel are restricted. Online games with high real-time requirements, video chat, voice chat, VoIP (Voice over Internet Protocol, which digitizes analog signals and transmits them in real time over IP networks as data packets) and similar applications are designed around UDP precisely to pursue its efficiency. Once such a UDP application is placed in a TCP tunnel, it is inevitably affected by the tunnel's own TCP protocol: on the one hand it is limited by the transmission constraints of the TCP tunnel (for example the delay introduced by TCP retransmission and congestion control), even though such applications tolerate packet loss and prioritize real-time delivery; on the other hand this runs counter to the original reason the application protocol was designed on top of UDP.
Chinese patent CN102137100 discloses a method of building an IP-layer SSL VPN tunnel. It mainly addresses the system performance consumed by the two rounds of negotiation required by the SSL protocol and the DTLS protocol: a control connection is first negotiated over SSL, and after the cipher suite and encryption parameters have been obtained, a data connection is established over DTLS using that cipher suite and those parameters. In that method all traffic data in the SSL VPN tunnel is carried by the UDP tunnel, and the TCP tunnel carries no traffic data at all and is used only for connection control. Although this avoids the double-retransmission problem, sending all data traffic over the UDP tunnel brings its own limitations: first, some important applications in the VPN lose packets, such as ICMP (Internet Control Message Protocol) and a series of other non-TCP/UDP protocol data; second, it lacks the flexibility to meet the specific needs of different users and system administrators.
Summary of the invention
To overcome the problems in the prior art, the object of this invention is to provide an implementation method and system for a high-speed transfer tunnel that solves the double-retransmission problem (TCP traffic retransmitting on timeout while the SSL VPN tunnel itself retransmits), and at the same time solves the poor real-time performance of UDP applications transmitted in a TCP tunnel and the packet loss produced when non-TCP/UDP protocol data is sent over a UDP tunnel.
The present invention is an implementation method for a high-speed transfer tunnel which, in addition to transmission according to TCP, comprises the following steps:
Step 1: the VPN client establishes an SSL connection with the VPN server and transmits the VPN configuration over it in encrypted form;
Step 2: the SSL connection is switched into an SSL VPN tunnel, and a DTLS VPN tunnel is established at the same time;
Step 3: the protocol type of the VPN client traffic is judged;
Step 4: non-TCP/UDP traffic continues to go through the SSL VPN tunnel, and TCP/UDP traffic goes through the DTLS VPN tunnel.
Further, when the VPN client is configured with a flow management policy, Step 1 also comprises transmitting the flow management policy in encrypted form, and correspondingly, between Step 2 and Step 3 there is a further step of selecting the SSL VPN tunnel or the DTLS VPN tunnel according to the flow management policy configured by the VPN client (including by the administrators of the client VPN device).
The present invention is also a high-speed transfer tunnel system, composed of a VPN client connected to a VPN server through an SSL VPN tunnel, wherein the VPN client includes a protocol type judgement module, and the VPN client and the VPN server are at the same time connected through a DTLS VPN tunnel.
The VPN client also includes a flow management policy module.
The method and system disclosed by the present invention solve the double-retransmission problem in which TCP traffic retransmits on timeout and the SSL VPN tunnel itself retransmits, and at the same time solve the poor real-time performance of UDP applications transmitted in a TCP tunnel and the packet loss produced when non-TCP/UDP protocol data is sent over a UDP tunnel.
Brief description of the drawings
Fig. 1 is a schematic diagram of the steps of the method of the invention;
Fig. 2 is a schematic block diagram of one embodiment of the system of the invention.
Detailed description of embodiments
In the following description many technical details are set out to help the reader understand the application better. Persons of ordinary skill in the art will appreciate, however, that the technical solution claimed in each claim of the application can be realized even without these details and with many variations and modifications of the embodiments below.
To make the objects, technical solutions and advantages of the present invention clearer, embodiments of the present invention are described in further detail below with reference to the accompanying drawings.
As shown in Fig. 1, the implementation method for a high-speed transfer tunnel of the present invention, in addition to transmission according to TCP, comprises the following steps:
Step 1: the VPN client establishes an SSL connection with the VPN server and transmits the VPN configuration over it in encrypted form;
Step 2: the SSL connection is switched into an SSL VPN tunnel, and a DTLS VPN tunnel is established at the same time;
Step 3: the protocol type of the VPN client traffic is judged;
Step 4: non-TCP/UDP traffic continues to go through the SSL VPN tunnel, and TCP/UDP traffic goes through the DTLS VPN tunnel.
With further reference to Fig. 1, when the VPN client is configured with a flow management policy, Step 1 also comprises transmitting the flow management policy in encrypted form, and correspondingly, between Step 2 and Step 3 there is a further step of selecting the SSL VPN tunnel or the DTLS VPN tunnel according to the flow management policy configured by the VPN client (including by the administrators of the VPN device).
Non-TCP/UDP traffic is allowed to continue through the SSL VPN tunnel. Such traffic, for example the ICMP protocol, does not itself provide reliability of the kind TCP provides; when the VPN client uses the PING command to check the working state of the VPN tunnel, any packet loss would distort the expected result. Likewise, a non-TCP/UDP protocol may not itself have been designed with packet loss in mind, so when it is accessed through the VPN, the SSL VPN tunnel is the recommended choice to guarantee reliability.
TCP/UDP traffic is allowed to go through the DTLS VPN tunnel. DTLS VPN is transmitted over UDP, and because UDP is an unreliable transport protocol it does not retransmit; thus when TCP traffic inside the DTLS VPN tunnel loses packets, only the TCP connection inside the tunnel retransmits, which fundamentally avoids double retransmission of TCP traffic. For ordinary UDP traffic either tunnel could in fact be chosen, but in the absence of a flow management policy the DTLS VPN tunnel is preferred: UDP applications tolerate packet loss, and DTLS provides the same security as TLS, so a DTLS VPN can fully serve as the secure tunnel.
At the same time, for the traffic of UDP applications in the tunnel with high real-time requirements, a flow management policy can be used to require that they be transmitted through the UDP-based DTLS VPN tunnel; since the UDP tunnel applies no flow control, the real-time behaviour of such UDP applications is preserved. Such UDP applications include TFTP (Trivial File Transfer Protocol), SNMP (Simple Network Management Protocol), NFS (Network File System), DNS (Domain Name System), online games, video chat, voice chat, VoIP and other applications suited to transmission over UDP.
The flow management policy embodies the flexibility of the dual-tunnel scheme. Not only can the VPN client itself choose which traffic goes through which tunnel, but the administrators of the VPN device can also adjust the distribution of data traffic according to actual requirements, so that various network conditions and specific demands can be handled. For example, a custom protocol that a user has designed on top of UDP may have been designed for a local area network without considering packet loss; when accessed through the VPN it should not simply be sent through the DTLS VPN tunnel as described above, and this special case can be resolved through the flow management policy. Administrators of the VPN device may likewise have other special demands and need to customize which traffic goes through which tunnel.
In summary, the key of the method of the invention is to realize a dual-tunnel mechanism of SSL VPN and DTLS VPN to support a variety of network applications: non-TCP/UDP traffic continues through the SSL VPN tunnel, and TCP/UDP traffic goes through the DTLS VPN tunnel. For configurability and ease of use a flow management policy step can also be added, allowing the VPN client itself to choose which traffic goes through which tunnel, so that the dual-tunnel scheme has enough flexibility to handle various network conditions and specific demands.
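As an added illustration (not code from the patent or from Array Networks), the following Python sketches the protocol-type judgement and tunnel selection of Steps 3 and 4, with the optional flow-management selection evaluated first. The IPv4 parsing, the PolicyRule structure, the tunnel identifier strings and the sample policy (UDP ports 5000 and 5060) are assumptions; the test packets are constructed locally and carry no checksums.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# IANA protocol numbers for the protocols the description mentions.
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17

# Assumed tunnel identifiers (the patent names the tunnels, not these strings).
SSL_TUNNEL = "ssl_vpn_tunnel"    # TCP-based: reliable, retransmits on loss
DTLS_TUNNEL = "dtls_vpn_tunnel"  # UDP-based: no tunnel-level retransmission


@dataclass(frozen=True)
class PolicyRule:
    """One flow-management rule (assumed structure): match on IP protocol
    and optionally a destination port, and pin the flow to a tunnel."""
    proto: int
    tunnel: str
    dst_port: Optional[int] = None

    def matches(self, proto: int, dst_port: Optional[int]) -> bool:
        return proto == self.proto and self.dst_port in (None, dst_port)


def parse_ipv4(packet: bytes) -> Tuple[int, Optional[int]]:
    """Return (protocol, dst_port) from a raw IPv4 packet; dst_port is None
    for protocols that carry no TCP/UDP header (e.g. ICMP)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4          # header length, options included
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    proto = packet[9]
    dst_port = None
    if proto in (PROTO_TCP, PROTO_UDP) and len(packet) >= ihl + 4:
        # TCP and UDP both put the destination port at bytes 2-3 of their header
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
    return proto, dst_port


def select_tunnel(packet: bytes, policy: Sequence[PolicyRule] = ()) -> str:
    """Steps 3 and 4 of the method, with the optional flow-management
    selection (placed between Step 2 and Step 3) evaluated first."""
    proto, dst_port = parse_ipv4(packet)
    for rule in policy:
        if rule.matches(proto, dst_port):
            return rule.tunnel
    if proto in (PROTO_TCP, PROTO_UDP):
        return DTLS_TUNNEL   # inner TCP retransmits alone: no double retransmission
    return SSL_TUNNEL        # ICMP and other non-TCP/UDP: keep the reliable tunnel


# --- constructed test packets (checksums left at zero; never sent on a wire) ---
def build_ipv4(proto: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, 0, 64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + options + payload


def udp_header(src: int, dst: int, data: bytes = b"") -> bytes:
    return struct.pack("!HHHH", src, dst, 8 + len(data), 0) + data


def tcp_header(src: int, dst: int) -> bytes:
    return struct.pack("!HH", src, dst) + bytes(16)   # rest of a 20-byte header


if __name__ == "__main__":
    # Constructed policy: a site-local custom UDP protocol on port 5000 that
    # cannot tolerate loss is pinned to SSL; VoIP-style UDP/5060 is pinned to DTLS.
    policy = [PolicyRule(PROTO_UDP, SSL_TUNNEL, dst_port=5000),
              PolicyRule(PROTO_UDP, DTLS_TUNNEL, dst_port=5060)]
    for name, pkt in [("icmp", build_ipv4(PROTO_ICMP, bytes(8))),
                      ("tcp/443", build_ipv4(PROTO_TCP, tcp_header(40000, 443))),
                      ("udp/5000", build_ipv4(PROTO_UDP, udp_header(40000, 5000))),
                      ("udp/53", build_ipv4(PROTO_UDP, udp_header(40000, 53)))]:
        print(f"{name:9} -> {select_tunnel(pkt, policy)}")
```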
The present invention can also use a custom protocol to realize the UDP tunnel for TCP/UDP traffic.
Fig. 2 is a schematic block diagram of one embodiment of the high-speed transfer tunnel system of the invention. The system is composed of a VPN client 100 connected through an SSL VPN tunnel 200 and a DTLS VPN tunnel 300 to a VPN server 400, an enterprise intranet 500 and so on. The VPN client includes a TCP/IP protocol stack 110, a routing module 120, a virtual network adapter 130 and a VPN scheduling module 140; the VPN scheduling module includes a protocol type judgement module 141 and may also include a flow management policy module 142. The VPN client may be a PC, tablet computer, smartphone or any other device that can be used to connect to the Internet for communication. The VPN server includes a VPN service module 410, a TCP/IP protocol stack 420 and so on.
It should be noted that each unit mentioned in the device embodiments of the present invention is a logical unit. Physically, a logical unit may be one physical unit, a part of one physical unit, or a combination of several physical units; the physical realization of these logical units is not itself essential, and it is the combination of the functions realized by these logical units that is the key to solving the technical problem posed by the invention. In addition, to highlight the innovative part of the invention, the device embodiments above do not introduce units that are not closely related to solving the technical problem posed by the invention, but this does not mean that the device embodiments contain no other units.
Although the invention has been illustrated and described with reference to some preferred embodiments, those of ordinary skill in the art will understand that various changes may be made in form and detail without departing from the spirit and scope of the invention.

Claims (4)

1. An implementation method for a high-speed transfer tunnel, comprising transmission according to TCP, characterized in that it further comprises the following steps:
Step 1: the VPN client establishes an SSL connection with the VPN server and transmits the VPN configuration over it in encrypted form;
Step 2: the SSL connection is switched into an SSL VPN tunnel, and a DTLS VPN tunnel is established at the same time;
Step 3: the protocol type of the VPN client traffic is judged;
Step 4: non-TCP/UDP traffic continues to go through the SSL VPN tunnel, and TCP/UDP traffic goes through the DTLS VPN tunnel.
2. The implementation method for a high-speed transfer tunnel according to claim 1, characterized in that when the VPN client is configured with a flow management policy, Step 1 further comprises transmitting the flow management policy in encrypted form, and correspondingly, between Step 2 and Step 3, a step of selecting the SSL VPN tunnel or the DTLS VPN tunnel according to the flow management policy configured by the VPN client.
3. A high-speed transfer tunnel realization system, composed of a VPN client connected to a VPN server through an SSL VPN tunnel, characterized in that the VPN client includes a protocol type judgement module, and the VPN client and the VPN server are correspondingly connected through a DTLS VPN tunnel.
4. The high-speed transfer tunnel realization system according to claim 3, characterized in that the VPN client further includes a flow management policy module.
Application CN201310362224.2A, priority date 2013-08-19, filing date 2013-08-19, "High-speed transmission tunnel realization method and system", status Pending, publication CN104426732A (en)


Publications (1)

Publication Number Publication Date
CN104426732A true CN104426732A (en) 2015-03-18



Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080052769A1 (en) * 2004-05-31 2008-02-28 Manuel Leone Method And System For A Secure Connection In Communication Networks
CN101360045A (en) * 2007-07-30 2009-02-04 佳能株式会社 Method for the transmission of data packets in a tunnel storage means and tunnel end-point
CN102377629A (en) * 2010-08-20 2012-03-14 成都市华为赛门铁克科技有限公司 Method and device for communicating with server in IMS (IP multimedia subsystem) core network by using terminal to pass through private network as well as network system
CN102801695A (en) * 2011-05-27 2012-11-28 华耀(中国)科技有限公司 Communication equipment for virtual private network and data packet transmission method for communication equipment


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
赵华,周利华: "《一种基于DTLS协议的VPN方案设计》", 《电子科技》 *

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105721491A (en) * 2016-03-22 2016-06-29 同济大学 High-speed magnetic levitation traffic simulation orientated communication method
CN105721491B (en) * 2016-03-22 2018-10-26 同济大学 A kind of communication means for being emulated towards high speed Maglev
WO2018094654A1 (en) * 2016-11-24 2018-05-31 深圳前海达闼云端智能科技有限公司 Vpn transmission tunnel scheduling method and device, and vpn client-end server
CN106797335A (en) * 2016-11-29 2017-05-31 深圳前海达闼云端智能科技有限公司 Data transmission method, data transmission device, electronic equipment and computer program product
CN106797335B (en) * 2016-11-29 2020-04-07 深圳前海达闼云端智能科技有限公司 Data transmission method, data transmission device, electronic equipment and computer program product
CN108243083A (en) * 2016-12-27 2018-07-03 中国电信股份有限公司 Internet of Things flow control methods, terminal, platform and system
CN108243083B (en) * 2016-12-27 2021-06-04 中国电信股份有限公司 Internet of things flow control method, terminal, platform and system
US10673725B2 (en) 2018-09-28 2020-06-02 Hewlett Packard Enterprise Development Lp Determining operating statuses of applications in different datacenters and switching access between the applications
CN112583685A (en) * 2019-09-27 2021-03-30 厦门网宿有限公司 Data transmission method and device of Ipsec VPN
CN112887976A (en) * 2019-11-29 2021-06-01 北京华耀科技有限公司 VPN network automatic recovery system and method of intelligent terminal
CN112887976B (en) * 2019-11-29 2023-06-30 北京华耀科技有限公司 VPN network automatic recovery system and method of intelligent terminal


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20150318
