Summary of the invention
Based on this, it is necessary to provide a method and apparatus for establishing a Virtual Private Network tunnel that address the problem that the process of setting up a Virtual Private Network tunnel is burdened with tedious configuration details.
A method for establishing a Virtual Private Network tunnel, the method comprising:
sending a Virtual Private Network device registration request carrying a physical identifier of a first Virtual Private Network device to a registration server;
receiving, from the registration server, a key corresponding to the physical identifier of the first Virtual Private Network device and an address of a second Virtual Private Network device, both returned according to the Virtual Private Network device registration request;
encrypting information required for establishing the Virtual Private Network tunnel according to the key to obtain encrypted information, and sending the encrypted information to the second Virtual Private Network device according to the address of the second Virtual Private Network device, the second Virtual Private Network device decrypting the encrypted information using the key obtained from the registration server in order to establish the Virtual Private Network tunnel.
In one embodiment, the method further comprises:
the registration server extracting the physical identifier of the first Virtual Private Network device from the received Virtual Private Network device registration request, searching whether the physical identifier of the first Virtual Private Network device is recorded in the registration server, and if so, extracting the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device and sending them to the first Virtual Private Network device.
In one embodiment, the method further comprises:
the registration server extracting the physical identifier of the first Virtual Private Network device, searching an encryption library for an algorithm identifier corresponding to the physical identifier of the first Virtual Private Network device, and generating a key according to the key generation algorithm corresponding to the algorithm identifier found.
In one embodiment, after receiving the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device returned by the registration server according to the Virtual Private Network device registration request, the method further comprises:
sending a digital certificate of the first Virtual Private Network device to the second Virtual Private Network device according to the address of the second Virtual Private Network device;
receiving feedback information sent by the second Virtual Private Network device after the digital certificate has been verified;
in response to the feedback information, performing the step of encrypting the information required for establishing the Virtual Private Network tunnel according to the key to obtain the encrypted information.
In one embodiment, the method further comprises:
when an interruption of the Virtual Private Network tunnel is detected, resending the encrypted information used for establishing the Virtual Private Network tunnel in order to re-establish the Virtual Private Network tunnel;
when the number of failures to establish the Virtual Private Network tunnel reaches a preset number, uploading failure information to the registration server.
In the above method for establishing a Virtual Private Network tunnel, when the first Virtual Private Network device accesses the network it sends a Virtual Private Network device registration request, carrying the physical identifier of the first Virtual Private Network device, to the registration server. After receiving the registration request, the registration server sends the information for establishing the Virtual Private Network tunnel that corresponds to the identifier of the first Virtual Private Network device to the first Virtual Private Network device, and the first Virtual Private Network device establishes the Virtual Private Network tunnel with the second Virtual Private Network device according to that information. In this way, the first Virtual Private Network device need not be configured during the tunnel establishment process: as soon as it accesses the network, the Virtual Private Network tunnel can be established automatically, which makes establishing the tunnel simpler and more efficient.
An apparatus for establishing a Virtual Private Network tunnel, the apparatus comprising:
a request sending module, configured to send a Virtual Private Network device registration request carrying a physical identifier of a first Virtual Private Network device to a registration server;
an establishment information receiving module, configured to receive a key corresponding to the physical identifier of the first Virtual Private Network device and an address of a second Virtual Private Network device, both returned by the registration server according to the Virtual Private Network device registration request;
a tunnel establishment module, configured to encrypt information required for establishing the Virtual Private Network tunnel according to the key to obtain encrypted information, and to send the encrypted information to the second Virtual Private Network device according to the address of the second Virtual Private Network device, the second Virtual Private Network device decrypting the encrypted information using the key obtained from the registration server in order to establish the Virtual Private Network tunnel.
In one embodiment, the registration server is configured to extract the physical identifier of the first Virtual Private Network device from the received Virtual Private Network device registration request, to search whether the physical identifier of the first Virtual Private Network device is recorded in the registration server, and if so, to extract the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device and send them to the first Virtual Private Network device.
In one embodiment, the registration server is configured to extract the physical identifier of the first Virtual Private Network device, to search an encryption library for the algorithm identifier corresponding to the physical identifier of the first Virtual Private Network device, and to generate a key according to the key generation algorithm corresponding to the algorithm identifier found.
In one embodiment, the apparatus further comprises:
a certificate sending module, configured to send a digital certificate of the first Virtual Private Network device to the second Virtual Private Network device according to the address of the second Virtual Private Network device;
a feedback information receiving module, configured to receive feedback information sent by the second Virtual Private Network device after the digital certificate has been verified;
the tunnel establishment module being further configured to perform, in response to the feedback information, the step of encrypting the information required for establishing the Virtual Private Network tunnel according to the key to obtain the encrypted information.
In one embodiment, the apparatus further comprises:
a tunnel re-establishment module, configured to resend the encrypted information used for establishing the Virtual Private Network tunnel when an interruption of the Virtual Private Network tunnel is detected, in order to re-establish the Virtual Private Network tunnel;
a failure information uploading module, configured to upload failure information to the registration server when the number of failures to establish the Virtual Private Network tunnel reaches a preset number.
Detailed description of the invention
In order to make the objects, technical solutions and advantages of the present invention clearer, the present invention is further described below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the present invention and are not intended to limit it.
Fig. 1 is a diagram of the application environment of a system for establishing a Virtual Private Network tunnel in one embodiment. The Virtual Private Network device registration system comprises a registration server 102, a first network connection device 104, a second network connection device 106, a first Virtual Private Network device 108, a second Virtual Private Network device 110, a first terminal 112 and a second terminal 114. The registration server 102 is connected to the Internet; the first Virtual Private Network device 108 is connected to the Internet through the first network connection device 104, and the second Virtual Private Network device 110 is connected to the Internet through the second network connection device 106. The first network connection device 104 and the second network connection device 106 both hold dynamically assigned network addresses and may specifically be switches or routers. The first Virtual Private Network device 108 and the second Virtual Private Network device 110 are located in different network segments. The first terminal 112 is a terminal in the network segment of the first Virtual Private Network device 108 and is connected to the first Virtual Private Network device 108 through the network; the second terminal 114 is a terminal in the network segment of the second Virtual Private Network device 110 and is connected to the second Virtual Private Network device 110 through the network.
As shown in Fig. 2, in one embodiment a method for establishing a Virtual Private Network tunnel is provided. This embodiment is illustrated by applying the method to the first Virtual Private Network device 108 in the Virtual Private Network device registration system of Fig. 1. The method specifically comprises the following steps:
Step 202: sending a Virtual Private Network device registration request carrying the physical identifier of the first Virtual Private Network device to the registration server.
Specifically, when the first Virtual Private Network device 108 connects to the Internet through the first network connection device 104, it obtains a network address and a segment number from the address pool of the first network connection device 104. The segment number is a unique identifier for distinguishing network segments and can be determined from the network address and the subnet mask. After obtaining the network address and segment number, the first Virtual Private Network device 108 sends a Virtual Private Network device registration request to the registration server 102. The registration request comprises the physical identifier of the first Virtual Private Network device, the network address and the segment number. The physical identifier of the first Virtual Private Network device is the unique identifier of the first Virtual Private Network device 108 and may specifically be a physical address or a factory serial number. Likewise, when the second Virtual Private Network device 110 connects to the Internet through the second network connection device 106, it obtains a network address and segment number from the address pool of the second network connection device 106 and sends a Virtual Private Network device registration request to the registration server 102. After receiving a Virtual Private Network device registration request, the registration server 102 extracts the information in the request and stores it in association with the physical identifier of the first or second Virtual Private Network device.
In one embodiment, the physical identifiers of Virtual Private Network devices can be obtained in advance and stored in the registration server 102. When the registration server 102 receives the Virtual Private Network device registration request of the first Virtual Private Network device 108, it extracts the physical identifier of the first Virtual Private Network device and searches whether that identifier is stored. If it is found, the registration server extracts the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device and sends them to the first Virtual Private Network device 108; if it is not found, the registration server may return registration failure information to the first Virtual Private Network device 108.
Step 204: receiving the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device, both returned by the registration server according to the Virtual Private Network device registration request.
Specifically, the registration server 102 is preset with the key corresponding to the physical identifier of the first Virtual Private Network device or of the second Virtual Private Network device, and with the physical identifier of the second Virtual Private Network device that corresponds to the physical identifier of the first Virtual Private Network device, the second Virtual Private Network device 110 being the Virtual Private Network device with which the first Virtual Private Network device 108 establishes the Virtual Private Network.
After receiving the Virtual Private Network device registration request sent by the first Virtual Private Network device 108, the registration server 102 stores the information in the request, extracts the physical identifier of the first Virtual Private Network device, looks up the corresponding key and the physical identifier of the second Virtual Private Network device, and extracts the network address and segment number of the second Virtual Private Network device 110 that correspond to that identifier. The registration server 102 then sends the key found, together with the network address and segment number of the second Virtual Private Network device 110, to the first Virtual Private Network device 108. After receiving the Virtual Private Network device registration request sent by the second Virtual Private Network device 110, the registration server 102 likewise sends the key corresponding to the physical identifier of the second Virtual Private Network device, together with the network address and segment number of the first Virtual Private Network device 108, to the second Virtual Private Network device 110.
Step 206: encrypting the information required for establishing the Virtual Private Network tunnel according to the key to obtain encrypted information, and sending the encrypted information to the second Virtual Private Network device according to the address of the second Virtual Private Network device, the second Virtual Private Network device decrypting the encrypted information using the key obtained from the registration server in order to establish the Virtual Private Network tunnel.
Specifically, after receiving the key and the network address of the second Virtual Private Network device 110 returned by the registration server 102, the first Virtual Private Network device 108 uses the returned key to encrypt the information required for establishing the Virtual Private Network tunnel. That information may specifically comprise at least one of the encryption algorithm used for establishing the tunnel, a random number and a protocol version; the protocol version may specifically be the version number of the Secure Sockets Layer (SSL) protocol. The first Virtual Private Network device 108 generates the encrypted information by encrypting the information required for establishing the tunnel and sends it to the second Virtual Private Network device 110 according to the network address of the second Virtual Private Network device 110. The second Virtual Private Network device 110 decrypts the encrypted information using the key it obtained from the registration server 102, extracts from it the encryption algorithm for establishing the Virtual Private Network tunnel, and establishes the encrypted Virtual Private Network tunnel with the first Virtual Private Network device 108. The Virtual Private Network tunnel may be an encrypted tunnel established on the basis of the Secure Sockets Layer (SSL) protocol, and the encryption algorithm may specifically be the 3DES algorithm or the AES-256 algorithm.
In one embodiment, after the Virtual Private Network tunnel has been established between the network segment of the first Virtual Private Network device 108 and the network segment of the second Virtual Private Network device 110, the first terminal 112 in the network segment of the first Virtual Private Network device 108 can communicate directly through the Virtual Private Network tunnel with the second terminal 114 in the network segment of the second Virtual Private Network device 110.
In the present embodiment, the first Virtual Private Network device need not be configured during the process of establishing the Virtual Private Network tunnel: when the first Virtual Private Network device accesses the network, the Virtual Private Network tunnel can be established automatically, which makes establishing the tunnel simpler and more efficient.
In one embodiment, the method for establishing a Virtual Private Network further comprises: the registration server extracting the physical identifier of the first Virtual Private Network device, searching an encryption library for the algorithm identifier corresponding to the physical identifier of the first Virtual Private Network device, and generating a key according to the key generation algorithm corresponding to the algorithm identifier found.
Specifically, the registration server 102 is preset with an encryption library in which a plurality of encryption algorithms for establishing tunnels are provided; these may specifically be the 3DES (Data Encryption Standard-3, third-generation Data Encryption Standard) algorithm, the AES-256 (Advanced Encryption Standard-256, Advanced Encryption Standard using a 256-bit key) algorithm and the SHA (Secure Hash Algorithm) algorithm, among others. Each algorithm has a unique algorithm identifier, and a correspondence between Virtual Private Network device physical identifiers and algorithm identifiers is provided. When the registration server 102 receives a Virtual Private Network device registration request carrying the physical identifier of the first Virtual Private Network device, it searches for the algorithm identifier corresponding to that physical identifier, extracts the encryption algorithm corresponding to the algorithm identifier from the encryption library, and generates the corresponding key according to the extracted encryption algorithm.
In the present embodiment, by providing the encryption library in the registration server 102, the corresponding key generation algorithm can be looked up in the encryption library according to the physical identifier of each different Virtual Private Network device, different keys can be generated according to the different key generation algorithms in the encryption library, and different encrypted Virtual Private Network tunnels can be established, which makes the encrypted Virtual Private Network tunnels more secure.
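An added Python simulation (not the patent's code) of the registration-driven exchange of steps 202 to 206 and of the encryption-library key lookup: the registration server class, the device identifiers, addresses, segment numbers and master secret are all constructed for the demo, and because AES-256 and 3DES are not in the Python standard library the cipher is a labelled HMAC-SHA256 stand-in. The assumption that the registration reply carries the peer's address only once the peer itself has registered is marked in the code.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher (HMAC-SHA256 in counter mode); a real device would use
    # the page's AES-256 or 3DES from the encryption library instead.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag, so a peer holding a different key notices."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt_setup(key: bytes, blob: bytes):
    """Returns the tunnel-setup dict, or None when the tag fails (wrong key
    or tampered message): the peer then refuses to set up the tunnel."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))

class RegistrationServer:
    """Registration server 102: pre-stored physical identifiers, each device's
    peer, and the algorithm identifier assigned to it in the encryption library."""

    def __init__(self, master_secret: bytes):
        self._master = master_secret
        self.peer_of = {}   # physical identifier -> peer's physical identifier
        self.algo_of = {}   # physical identifier -> algorithm identifier
        self.records = {}   # physical identifier -> address/segment from registration

    def provision(self, label: str, peer_label: str, algo_id: str) -> None:
        self.peer_of[label], self.algo_of[label] = peer_label, algo_id

    def key_for(self, label: str) -> bytes:
        # Stand-in key generation selected by algorithm identifier; the pair is
        # sorted so both ends of one tunnel are handed the same key.
        pair = "|".join(sorted((label, self.peer_of[label])))
        msg = f"{self.algo_of[label]}:{pair}".encode()
        return hmac.new(self._master, msg, hashlib.sha256).digest()

    def register(self, request: dict) -> dict:
        label = request["physical_label"]
        if label not in self.peer_of:          # identifier not recorded: refuse
            return {"status": "failed"}
        self.records[label] = {"address": request["address"], "segment": request["segment"]}
        peer = self.records.get(self.peer_of[label], {})   # assumption: the peer's
        return {"status": "ok", "key": self.key_for(label),  # address is known only
                "algorithm": self.algo_of[label],            # once it has registered
                "peer_address": peer.get("address"), "peer_segment": peer.get("segment")}

class VpnDevice:
    def __init__(self, label: str, address: str, segment: str):
        self.label, self.address, self.segment = label, address, segment
        self.key = self.algorithm = self.peer_address = self.tunnel = None

    def register(self, server: RegistrationServer) -> str:
        """Steps 202 and 204: send the request, keep the key and peer address."""
        reply = server.register({"physical_label": self.label,
                                 "address": self.address, "segment": self.segment})
        if reply["status"] == "ok":
            self.key, self.algorithm = reply["key"], reply["algorithm"]
            self.peer_address = reply["peer_address"]
        return reply["status"]

    def setup_message(self) -> bytes:
        """Step 206, sender side: algorithm, random number and protocol version,
        encrypted under the key the registration server returned."""
        info = {"algorithm": self.algorithm, "random": os.urandom(8).hex(),
                "protocol_version": "3.0"}   # SSL version number; constructed value
        return encrypt(self.key, json.dumps(info).encode())

    def accept(self, blob: bytes):
        """Step 206, receiver side: decrypt with the key from the same server."""
        self.tunnel = decrypt_setup(self.key, blob)
        return self.tunnel

def establish_tunnel(server: RegistrationServer, first: VpnDevice, second: VpnDevice):
    """Runs the Fig. 2 exchange; returns the tunnel parameters the second
    device decrypted, or None if registration or decryption failed."""
    second.register(server)        # peer registers first so its address is on record
    if first.register(server) != "ok" or first.peer_address != second.address:
        return None
    return second.accept(first.setup_message())
```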
As shown in Fig. 3, in one embodiment a method for establishing a Virtual Private Network tunnel is provided which specifically comprises steps for verifying the certificate of a Virtual Private Network device. These steps are specifically as follows:
Step 302: sending the digital certificate of the first Virtual Private Network device to the second Virtual Private Network device according to the address of the second Virtual Private Network device.
Specifically, the first Virtual Private Network device 108 sends the digital certificate of the first Virtual Private Network device 108 to the second Virtual Private Network device 110. The digital certificate specifically comprises at least one of identity information of the first Virtual Private Network device 108, a certificate signature and the validity period of the digital certificate.
Step 304: receiving the feedback information sent by the second Virtual Private Network device after the digital certificate has been verified.
Specifically, the second Virtual Private Network device 110 receives the digital certificate sent by the first Virtual Private Network device 108 and extracts the identity information and the certificate signature from the digital certificate to verify the identity of the first Virtual Private Network device 108. If the verification passes, it sends verification-passed information to the first Virtual Private Network device 108; if the verification fails, it sends verification-failed information to the first Virtual Private Network device 108.
Step 306: in response to the feedback information, encrypting the information required for establishing the Virtual Private Network tunnel according to the key to obtain the encrypted information.
Specifically, after the first Virtual Private Network device 108 receives the verification information from the second Virtual Private Network device 110, it can use the key to encrypt the information required for establishing the Virtual Private Network tunnel to generate the encrypted information, and send the encrypted information to the second Virtual Private Network device 110.
In the present embodiment, the second Virtual Private Network device 110 verifies the digital certificate of the first Virtual Private Network device 108, which adds a security verification step before the Virtual Private Network tunnel is established: the tunnel can only be established further after the verification passes, which improves the security of the Virtual Private Network tunnel.
As shown in Fig. 4, in one embodiment a method for establishing a Virtual Private Network tunnel is provided which further comprises a step of re-establishing the Virtual Private Network tunnel. This step is specifically as follows:
Step 402: when an interruption of the Virtual Private Network tunnel is detected, resending the encrypted information used for establishing the Virtual Private Network tunnel in order to re-establish the VPN tunnel.
Specifically, when the first Virtual Private Network device 108 detects that the established Virtual Private Network tunnel has been interrupted, it can extract the encrypted information and send it to the second Virtual Private Network device 110 again, so that the second Virtual Private Network device 110 decrypts the encrypted information again to re-establish the Virtual Private Network tunnel.
In one embodiment, the first Virtual Private Network device 108 starts a timer when it sends the encrypted information. If the timed interval reaches a preset time and the Virtual Private Network tunnel has still not been established, it records a tunnel establishment failure and sends the encrypted information again. The preset time may be 3 to 10 seconds, or 3 to 5 seconds.
Step 404: when the number of failures to establish the Virtual Private Network tunnel reaches a preset number, uploading failure information to the registration server.
Specifically, when the number of Virtual Private Network tunnel establishment failures of the first Virtual Private Network device 108 reaches the preset number, the failure information is uploaded to the registration server 102. The failure information may comprise at least one of the physical identifier of the first Virtual Private Network device, the network address of the first Virtual Private Network device 108, the physical identifier of the second Virtual Private Network device and the network address of the second Virtual Private Network device 110.
In the present embodiment, when the first Virtual Private Network device 108 detects that the Virtual Private Network tunnel has been interrupted, it re-establishes the Virtual Private Network tunnel, which keeps the tunnel available and improves the security and reliability of the Virtual Private Network tunnel.
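An added example (not from the patent) of the re-establishment logic of steps 402 and 404, run against a simulated clock and a simulated peer so the timer behaviour can be checked offline: the preset time of 5 seconds (inside the page's 3 to 10 second range), the preset failure count of 3, the injected callbacks and the identifiers placed in the failure information are all assumptions.

```python
import time

class TunnelKeeper:
    """Re-establishment logic of Fig. 4 on the first device: resend the stored
    encrypted information, wait up to `preset_time` seconds for the tunnel to
    come up, count each timeout as a failure and upload failure information
    once `preset_failures` failures have been recorded. `send`, `tunnel_up`
    and `upload` are injected callbacks (assumed interface, not the patent's)."""

    def __init__(self, send, tunnel_up, upload, preset_time=5.0, preset_failures=3,
                 clock=time.monotonic, sleep=time.sleep):
        self.send, self.tunnel_up, self.upload = send, tunnel_up, upload
        self.preset_time, self.preset_failures = preset_time, preset_failures
        self.clock, self.sleep = clock, sleep
        self.failures = 0

    def _wait_for_tunnel(self) -> bool:
        deadline = self.clock() + self.preset_time   # timer starts when the message is sent
        while self.clock() < deadline:
            if self.tunnel_up():
                return True
            self.sleep(0.1)
        return False

    def reestablish(self, encrypted_info: bytes, failure_info: dict) -> bool:
        """Called when an interruption is detected (step 402). Returns True once
        the tunnel is back, False after uploading failure information (step 404)."""
        self.failures = 0
        while self.failures < self.preset_failures:
            self.send(encrypted_info)                  # resend the stored ciphertext
            if self._wait_for_tunnel():
                return True
            self.failures += 1                         # record one failed attempt
        self.upload(dict(failure_info, failure_count=self.failures))
        return False

class FakeClock:
    """Simulated clock so the preset-time logic runs instantly in tests."""
    def __init__(self):
        self.now = 0.0
    def monotonic(self):
        return self.now
    def sleep(self, seconds):
        self.now += seconds

def simulate(peer_answers_on_attempt: int, preset_failures: int = 3):
    """Drives TunnelKeeper against a constructed peer that only brings the
    tunnel up on attempt number `peer_answers_on_attempt` (0 = never).
    Returns (tunnel_restored, attempts_sent, uploaded_failure_report)."""
    clock, state = FakeClock(), {"sent": 0, "up": False, "report": None}

    def send(blob):
        state["sent"] += 1
        state["up"] = state["sent"] == peer_answers_on_attempt

    keeper = TunnelKeeper(send, lambda: state["up"],
                          lambda report: state.__setitem__("report", report),
                          preset_time=5.0, preset_failures=preset_failures,
                          clock=clock.monotonic, sleep=clock.sleep)
    ok = keeper.reestablish(b"constructed-ciphertext", {
        "first_label": "00:11:22:33:44:55", "first_address": "203.0.113.10",
        "second_label": "66:77:88:99:aa:bb", "second_address": "198.51.100.20"})
    return ok, state["sent"], state["report"]
```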
As shown in Fig. 5, in one embodiment an apparatus 500 for establishing a Virtual Private Network tunnel is provided. The apparatus comprises a request sending module 502, an establishment information receiving module 504 and a tunnel establishment module 506.
The request sending module 502 is configured to send a Virtual Private Network device registration request carrying the physical identifier of the first Virtual Private Network device to the registration server.
The establishment information receiving module 504 is configured to receive the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device, both returned by the registration server according to the Virtual Private Network device registration request.
The tunnel establishment module 506 is configured to encrypt the information required for establishing the Virtual Private Network tunnel according to the key to obtain encrypted information, and to send the encrypted information to the second Virtual Private Network device according to the address of the second Virtual Private Network device, so that the second Virtual Private Network device decrypts the encrypted information using the key obtained from the registration server in order to establish the Virtual Private Network tunnel.
In the present embodiment, the first Virtual Private Network device need not be configured during the process of establishing the Virtual Private Network tunnel: when the first Virtual Private Network device accesses the network, the Virtual Private Network tunnel can be established automatically, which makes establishing the tunnel simpler and more efficient.
In one embodiment, the registration server is configured to extract the physical identifier of the first Virtual Private Network device from the received Virtual Private Network device registration request, to search whether the physical identifier of the first Virtual Private Network device is recorded in the registration server, and if so, to extract the key corresponding to the physical identifier of the first Virtual Private Network device and the address of the second Virtual Private Network device and send them to the first Virtual Private Network device.
In the present embodiment, the registration server 102 extracts the physical identifier of the Virtual Private Network device from the registration request in order to verify the identity of the Virtual Private Network device, and returns the information for establishing the Virtual Private Network tunnel only after the verification passes, which keeps the information for establishing the Virtual Private Network tunnel secure.
In one embodiment, the registration server is configured to extract the physical identifier of the first Virtual Private Network device, to search the encryption library for the algorithm identifier corresponding to the physical identifier of the first Virtual Private Network device, and to generate a key according to the key generation algorithm corresponding to the algorithm identifier found.
In the present embodiment, by providing the encryption library in the registration server 102, the corresponding key generation algorithm can be looked up in the encryption library according to the physical identifier of each different Virtual Private Network device, different keys can be generated according to the different key generation algorithms in the encryption library, and different encrypted Virtual Private Network tunnels can be established, which makes the encrypted Virtual Private Network tunnels more secure.
As shown in Fig. 6, in one embodiment the apparatus 500 for establishing a Virtual Private Network tunnel further comprises a certificate sending module 508 and a feedback information receiving module 510.
The certificate sending module 508 is configured to send the digital certificate of the first Virtual Private Network device to the second Virtual Private Network device according to the address of the second Virtual Private Network device.
The feedback information receiving module 510 is configured to receive the feedback information sent by the second Virtual Private Network device after the digital certificate has been verified.
The tunnel establishment module 506 is further configured to encrypt, in response to the feedback information, the information required for establishing the Virtual Private Network tunnel according to the key to obtain the encrypted information.
In the present embodiment, the second Virtual Private Network device 110 verifies the digital certificate of the first Virtual Private Network device 108, which adds a security verification step before the Virtual Private Network tunnel is established: the tunnel can only be established further after the verification passes, which improves the security of the Virtual Private Network tunnel.
As shown in Fig. 7, in one embodiment the apparatus 500 for establishing a Virtual Private Network tunnel further comprises a tunnel re-establishment module 512 and a failure information uploading module 514.
The tunnel re-establishment module 512 is configured to resend the encrypted information used for establishing the Virtual Private Network tunnel when an interruption of the Virtual Private Network tunnel is detected, in order to re-establish the VPN tunnel.
The failure information uploading module 514 is configured to upload failure information to the registration server when the number of failures to establish the Virtual Private Network tunnel reaches the preset number.
In the present embodiment, when the first Virtual Private Network device 108 detects that the Virtual Private Network tunnel has been interrupted, it re-establishes the Virtual Private Network tunnel, which keeps the tunnel available and improves the security and reliability of the Virtual Private Network tunnel; in addition, the failure information is uploaded to the registration server 102, so that debugging personnel can troubleshoot the fault according to the failure information.
The technical features of the above embodiments may be combined arbitrarily. For brevity, not all possible combinations of the technical features in the above embodiments have been described; however, as long as there is no contradiction in a combination of these technical features, it is considered to be within the scope recorded in this description.
The above embodiments express only several implementations of the present invention, and their description is relatively specific and detailed, but this cannot therefore be construed as limiting the scope of the patent. It should be pointed out that those of ordinary skill in the art can make several variations and improvements without departing from the concept of the present invention, and these all belong to the protection scope of the present invention. Therefore, the protection scope of the present invention shall be defined by the appended claims.