CN106027354A - Backflow method and device for VPN (Virtual Private Network) client - Google Patents


Info

Publication number: CN106027354A
Application number: CN201610335493.3A
Authority: CN (China)
Other versions: CN106027354B (en)
Inventors: 孔伟政, 李全高, 张晓燕
Current and original assignee: Hangzhou DPTech Technologies Co Ltd
Legal status: granted, active

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L12/00: Data switching networks
    • H04L12/28: Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46: Interconnection of networks
    • H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/4675: Dynamic sharing of VLAN information amongst network nodes
    • H04L45/00: Routing or path finding of packets in data switching networks
    • H04L45/74: Address processing for routing

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides a backflow method and device for a VPN (Virtual Private Network) client. The method comprises the steps of obtaining a VPN private network address corresponding to the VPN client and establishing a mapping relationship between the VPN private network address and a VPN gateway; sending the mapping relationship between the VPN private network address and the VPN gateway to another network device, so that the other network device uses the mapping relationship to send a message to the VPN gateway when it receives a message whose destination IP (Internet Protocol) address is the VPN private network address; and receiving the message whose destination IP address is the VPN private network address, processing the message and forwarding the processed message to the VPN client using a routing table. By applying the embodiments of the method and device, the VPN gateway establishes the mapping relationship so that the message flows back to the corresponding VPN client.

Description

Backflow method and device of VPN client
Technical Field
The present application relates to the field of network communication technologies, and in particular to a backflow method and apparatus for a VPN client.
Background
A VPN (Virtual Private Network) is a private network established over a public network. As shown in fig. 1, every VPN gateway is configured with the same VPN private network address segment. When a VPN client connects to a VPN gateway, a load balancing device allocates a VPN gateway to the VPN client, for example VPN gateway 1, and VPN gateway 1 allocates a VPN private network address to the VPN client. The VPN client then sends messages to an intranet server through VPN gateway 1 and a switch using that VPN private network address. At this point a route through VPN gateway 1 may be statically configured on the switch, so that a message returned by the intranet server is forwarded by the switch to VPN gateway 1 and returned to the VPN client through VPN gateway 1. However, when the VPN client establishes a connection again, the load balancing device may allocate another VPN gateway to the VPN client, for example VPN gateway 2, which allocates a VPN private network address to the VPN client; the VPN client then sends messages to the intranet server through VPN gateway 2 and the switch using that VPN private network address. When the intranet server sends a message whose destination IP address is that VPN private network address to the switch, the switch is still configured with the route through VPN gateway 1, so it cannot forward the message to VPN gateway 2 and the message cannot flow back to the VPN client.
Disclosure of Invention
In view of this, the present application provides a backflow method and apparatus for a VPN client, so as to solve the problem that a packet cannot flow back to the VPN client.
According to a first aspect of the embodiments of the present application, there is provided a backflow method for a VPN client, applied to a VPN gateway and comprising:
acquiring a VPN private network address corresponding to a VPN client, and establishing a mapping relation between the VPN private network address and the VPN gateway;
sending the mapping relation between the VPN private network address and the VPN gateway to other network equipment, so that the other network equipment sends a message to the VPN gateway by using the mapping relation when receiving the message with a destination IP address as the VPN private network address;
and receiving a message with a destination IP address as the VPN private network address, processing the message, and forwarding the processed message to the VPN client by using a routing table.
According to a second aspect of the embodiments of the present application, there is provided a backflow apparatus for a VPN client, applied to a VPN gateway and comprising:
the acquisition unit is used for acquiring a VPN private network address corresponding to the VPN client;
a mapping relationship establishing unit, configured to establish a mapping relationship between the VPN private network address and the VPN gateway;
a first sending unit, configured to send a mapping relationship between the VPN private network address and the VPN gateway to another network device, so that when receiving a packet whose destination IP address is the VPN private network address, the other network device sends the packet to the VPN gateway by using the mapping relationship;
a receiving unit, configured to receive a packet whose destination IP address is the VPN private network address;
and the forwarding unit is used for processing the message and forwarding the processed message to the VPN client by utilizing a routing table.
By applying the embodiments of the application, after acquiring the VPN private network address corresponding to the VPN client, the VPN gateway establishes the mapping relation between the VPN private network address and the VPN gateway and sends that mapping relation to other network equipment, so that when other network equipment receives a message whose destination IP address is the VPN private network address, it uses the mapping relation to send the message to the VPN gateway; after receiving such a message, the VPN gateway processes it and forwards the processed message to the VPN client using a routing table. Because the VPN gateway notifies the other network devices of the mapping relationship, they can forward any message whose destination IP address is the VPN private network address to the VPN gateway, which enables the message to flow back to the corresponding VPN client. Moreover, the VPN private network address is used only by that VPN client and does not change when the VPN client's IP address changes, so the access behaviour of a VPN user can be conveniently audited.
Drawings
Fig. 1 is a schematic application scenario diagram of a backflow method and apparatus for a VPN client according to an exemplary embodiment of the present application;
fig. 2 is a flowchart illustrating an embodiment of a backflow method for a VPN client according to an exemplary embodiment of the present application;
fig. 3 is a flowchart illustrating an embodiment of another backflow method for a VPN client according to an exemplary embodiment of the present application;
fig. 4 is a hardware block diagram of a VPN device according to an exemplary embodiment of the present application;
fig. 5 is a block diagram illustrating an embodiment of a backflow apparatus for a VPN client according to an exemplary embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of apparatus and methods consistent with certain aspects of the present application, as detailed in the appended claims.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the appended claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. The word "if" as used herein may be interpreted as "at … …" or "when … …" or "in response to a determination", depending on the context.
Referring to fig. 1, an application scenario diagram of a backflow method and apparatus for a VPN client according to an exemplary embodiment of the present application is shown; the scenario includes a VPN client, a load balancing device, a VPN gateway, a switch, and an intranet server. The VPN client accesses the data resources of the intranet server and can be a computer, a tablet device, a mobile phone and the like; the load balancing device distributes messages sent by the VPN client to a VPN gateway and forwards messages sent by the VPN gateway to the VPN client; the VPN gateway allocates VPN private network addresses to VPN clients, forwards messages from the load balancing device to the switch, and forwards messages from the switch to the load balancing device; the switch forwards messages from the intranet server to the VPN gateway and messages from the VPN gateway to the intranet server; the intranet server provides data resources to the VPN client.
Referring to fig. 2, a flowchart of an embodiment of a backflow method for a VPN client according to an exemplary embodiment of the present application is shown, where the embodiment is applied to a VPN gateway, and includes the following steps:
Step 201: acquire a VPN private network address corresponding to the VPN client, and establish a mapping relation between the VPN private network address and the VPN gateway.
For the process of acquiring the VPN private network address corresponding to the VPN client, the VPN gateway receives a negotiation message carrying user information from the VPN client and searches a binding relation table with the user information to obtain the corresponding VPN private network address.
The binding relationship table records the correspondence between user information and VPN private network addresses. Since the IP (Internet Protocol) address of a VPN client may change but its user information does not, each VPN private network address can uniquely correspond to one VPN user. A VPN private network address segment is configured in the VPN gateway; its range lies within the network segment of the VPN gateway's interface address, and, to avoid address conflicts, it does not include the interface address of any VPN gateway already in the network. When the VPN gateway configures the binding relationship table, it selects an unused VPN private network address for each VPN user and adds the user's information and that VPN private network address to the table.
From the above it can be seen that, since every VPN gateway stores the binding relationship table, one VPN private network address corresponds to only one VPN user, and a VPN user corresponds to only one VPN private network address no matter how the IP address of the VPN client changes or which VPN gateway the client is allocated to. Because the VPN private network address is allocated using the user information, the access behaviour of the VPN user can be conveniently audited.
In addition, after acquiring the corresponding VPN private network address, the VPN gateway sends a negotiation response message carrying the VPN private network address to the VPN client. At this point the VPN client and the VPN gateway are successfully connected, and the VPN private network address can be used to send messages to the intranet server to access its data resources.
For the process of establishing the mapping relationship between the VPN private network address and the VPN gateway, the VPN gateway may establish an association table between the VPN private network address and a Media Access Control (MAC) address of the VPN gateway, where all VPN private network addresses corresponding to the MAC address of the VPN gateway are recorded in the association table, that is, messages accessing data resources of the intranet server by using the VPN private network addresses are all forwarded by the VPN gateway, or messages returned by the intranet server to VPN clients to which the VPN private network addresses point are all forwarded to the VPN gateway by a switch (as shown in fig. 1).
In addition, a virtual MAC address of the VPN gateway can be generated from the VPN private network address, and an association table between the VPN private network address and the virtual MAC address established. For example, if the virtual MAC address structure is 02:ff:xx:xx:xx:xx and the VPN private network address is 1.1.1.1, the generated virtual MAC address can be 02:ff:01:01:01:01.
Step 202: send the mapping relation between the VPN private network address and the VPN gateway to other network equipment, so that the other network equipment uses the mapping relation to send a message to the VPN gateway when it receives a message whose destination IP address is the VPN private network address.
In order to send the mapping relationship between the VPN private network address and the VPN gateway to other network devices, the VPN gateway may broadcast a gratuitous ARP (Address Resolution Protocol) message to the other network devices, so that they record the correspondence between the VPN private network address and the MAC address of the VPN gateway.
The source IP address carried by the gratuitous ARP message is the VPN private network address, the source MAC address is the MAC address of the VPN gateway, and the destination IP address and destination MAC address are both broadcast addresses, namely 255.255.255.255 and FF-FF-FF-FF-FF-FF. Therefore all network devices in the network receive the gratuitous ARP message and record the correspondence between the VPN private network address and the corresponding MAC address.
Based on the above description, the VPN gateway notifies other network devices of the VPN private network address on the VPN gateway through the gratuitous ARP packet, so that when receiving the packet with the destination IP address as the VPN private network address, the other network devices can forward the packet to the VPN gateway, thereby returning the packet to the corresponding VPN client.
It should be noted that both the VPN private network addresses recorded by these network devices and their correspondence with MAC addresses are subject to an aging timer: after the VPN client has connected to the VPN gateway, if the VPN client performs no operation and the aging timer expires, the VPN private network address and the corresponding MAC address are aged out. Therefore, when a network device (such as the switch in fig. 1) receives a message from the intranet server whose destination IP address is the VPN private network address and cannot find the corresponding MAC address, it sends an ARP request message to the device to which the VPN private network address points, in order to obtain the MAC address corresponding to the VPN private network address. The source IP address and source MAC address carried by the ARP request message are those of the requesting network device, the destination IP address is the VPN private network address, and the destination MAC address is the broadcast MAC address, namely FF-FF-FF-FF-FF-FF.
Therefore, when the VPN gateway receives an ARP request message whose destination IP address is the VPN private network address, it obtains the MAC address corresponding to that VPN private network address from the association table, uses the VPN private network address as the source IP address and that MAC address as the source MAC address of an ARP response message, and sends the ARP response message; the destination IP address and destination MAC address carried in the ARP response message are the source IP address and source MAC address carried in the ARP request message, respectively. When the requesting network device receives the ARP response message, it forwards the message whose destination IP address is the VPN private network address to the VPN gateway identified by that MAC address.
Step 203: receive a message whose destination IP address is the VPN private network address, process the message, and forward the processed message to the VPN client using a routing table.
For the process of receiving a message whose destination IP address is the VPN private network address: when the VPN gateway receives a message, it can search the policy routing table using the destination IP address carried by the message; if the destination IP address is found, the destination IP address is the VPN private network address and the message is determined to be a message requiring VPN processing.
The policy routing table is pre-configured for the VPN gateway, records a corresponding relationship between a VPN private network address and a VPN virtual output interface, and indicates that the packet needs to be processed by VPN, that is, encapsulated, if the destination IP address of the packet can be found in the policy routing table.
For the process of processing the packet, the VPN gateway may obtain corresponding encapsulation information by using the destination IP address, and perform encapsulation processing on the packet, that is, add a new IP header, where the destination IP address in the encapsulation information is an IP address of the VPN client.
In view of the process of forwarding the processed packet to the VPN client by using the routing table, the VPN gateway may search the routing table by using a destination IP address carried by the processed packet, and if the destination IP address is found, obtain a corresponding egress interface, and forward the processed packet to the VPN client from the egress interface.
The routing table records the corresponding relationship between the IP address of the VPN client and the output interface.
It should be noted that when the VPN gateway receives an exit notification packet sent by a VPN client, it disconnects the VPN client and deletes the VPN private network address carried in the exit notification packet from the association table. Therefore, when the VPN client accesses the VPN service again, if the load balancing device assigns it to another VPN gateway, that VPN gateway can add the VPN private network address to its own local association table.
In this embodiment, after acquiring the VPN private network address corresponding to a VPN client, the VPN gateway establishes a mapping relationship between the VPN private network address and the VPN gateway and sends that mapping relationship to other network devices, so that when the other network devices receive a packet whose destination IP address is the VPN private network address, they use the mapping relationship to send the packet to the VPN gateway; after receiving such a packet, the VPN gateway processes it and forwards the processed packet to the VPN client using a routing table. Because the VPN gateway notifies the other network devices of the mapping relationship, they can forward any message whose destination IP address is the VPN private network address to the VPN gateway, which enables the message to flow back to the corresponding VPN client. Moreover, the VPN private network address is used only by that VPN client and does not change when the VPN client's IP address changes, so the access behaviour of a VPN user can be audited.
Referring to fig. 3, a flowchart of an embodiment of a backflow method for a VPN client according to an exemplary embodiment of the present application is shown, where the embodiment is described in detail in conjunction with the application scenario shown in fig. 1, and includes the following steps:
Step 301: the VPN client sends a negotiation message to the load balancing device.
When the VPN client needs to access the VPN service, it sends a negotiation message carrying user information to the load balancing device.
Step 302: the load balancing device sends the negotiation message to the VPN gateway.
The load balancing device distributes the negotiation message to a VPN gateway, such as VPN gateway 1, using a load balancing algorithm such as weighted round robin.
Step 303: the VPN gateway acquires a VPN private network address corresponding to a VPN client and establishes a mapping relation between the VPN private network address and the VPN gateway.
The process by which the VPN gateway acquires the VPN private network address corresponding to the VPN client and establishes the mapping relationship between the VPN private network address and the VPN gateway is as described in step 201 and is not repeated here.
Table 1 is an exemplary binding relationship table. Assume that the negotiation packet is sent by VPN client 1, that the user information it carries is user 1, and that the VPN private network address obtained is 10.1.0.4; as described in step 302, VPN gateway 1 adds 10.1.0.4 to its local association table, an example of which is shown in table 2.
User information    VPN private network address
User 1              10.1.0.4
User 2              10.1.0.5
Table 1

Serial number    VPN private network address    MAC address
1                10.1.0.4                       Local MAC address
2                10.1.0.5                       Local MAC address
Table 2
From the above it can be seen that, since every VPN gateway stores the binding relationship table, one VPN private network address corresponds to only one VPN user, and a VPN user corresponds to only one VPN private network address no matter how the IP address of the VPN client changes or which VPN gateway the client is allocated to. Because the VPN private network address is allocated using the user information, the access behaviour of the user can be conveniently audited.
Step 304: the VPN gateway sends a negotiation response message carrying the VPN private network address to the load balancing device.
Step 305: the load balancing device forwards the negotiation response message to the VPN client.
When receiving the negotiation response message, the VPN client indicates that the connection with the VPN gateway is successful, and can send a message to the intranet server by using the VPN private network address to access the data resource of the intranet server.
Step 306: the VPN gateway sends the mapping relation between the VPN private network address and the VPN gateway to the switch.
Specifically, the VPN gateway broadcasts a gratuitous ARP message to the other network devices (including the switch); the source IP address carried by the gratuitous ARP message is the VPN private network address, the source MAC address is the MAC address of the VPN gateway, and the destination IP address and destination MAC address are both broadcast addresses, namely 255.255.255.255 and FF-FF-FF-FF-FF-FF. Thus the switch receives the gratuitous ARP message.
Based on the above description, the VPN gateway notifies other network devices of the VPN private network address on the VPN gateway through the gratuitous ARP packet, so that when receiving the packet with the destination IP address as the VPN private network address, the other network devices can forward the packet to the VPN gateway, thereby returning the packet to the corresponding VPN client.
It should be noted that the execution order of step 306 and step 304 is not limited.
Step 307: the switch records the mapping relation between the VPN private network address and the VPN gateway.
Specifically, when the switch receives the gratuitous ARP message, it records the correspondence between the VPN private network address and the MAC address carried in the gratuitous ARP message. As described in steps 302 and 303, since the VPN private network address corresponding to VPN client 1 is 10.1.0.4, the correspondence between 10.1.0.4 and the MAC address of VPN gateway 1 is recorded in the switch's local storage medium.
Step 308: the intranet server sends a message to the switch.
After receiving a message from the VPN client requesting a data resource, the intranet server adds the corresponding data resource to the message content and sends the message to the switch. For example, assume that the address of the intranet server is 10.3.0.254; as shown in step 303, VPN client 1 uses 10.1.0.4 to send a message requesting data resources to the intranet server 10.3.0.254, so the source IP address carried by the message returned by the intranet server is 10.3.0.254 and its destination IP address is 10.1.0.4. Table 3 shows an exemplary message format.
Table 3
Step 309: the switch uses the destination IP address carried by the message to look up the correspondence between the VPN private network address and the MAC address, and forwards the message to the VPN gateway.
As described in steps 307 and 308, the destination IP address 10.1.0.4 carried in the packet resolves to the MAC address of VPN gateway 1, so the switch forwards the packet to VPN gateway 1.
It should be noted that the VPN private network addresses and the correspondence between VPN private network addresses and MAC addresses recorded by the network devices (including the switch) are both subject to aging timers: after the VPN client has connected to the VPN gateway, if it performs no operation and the aging timers expire, the VPN private network address and the corresponding MAC address are aged out. Therefore, when a network device receives a message from the intranet server whose destination IP address is the VPN private network address and cannot find the corresponding MAC address, it sends an ARP request message to the device to which the VPN private network address points, in order to obtain the MAC address corresponding to the VPN private network address. The specific process is as described in step 202 and is not repeated here.
Specifically, the source IP address and source MAC address carried by the ARP request message are those of the switch, the destination IP address is 10.1.0.4, and the destination MAC address is the broadcast MAC address, namely FF-FF-FF-FF-FF-FF. When VPN gateway 1 receives an ARP request message whose destination IP address is 10.1.0.4, it obtains the MAC address corresponding to 10.1.0.4 from its local association table, that is, its own MAC address; it uses 10.1.0.4 as the source IP address and that MAC address as the source MAC address of the ARP response message, uses the source IP address and source MAC address carried in the ARP request message as the destination IP address and destination MAC address of the ARP response message, and sends the ARP response message. When the switch receives the ARP response message, it forwards the message whose destination IP address is 10.1.0.4 to VPN gateway 1, identified by that MAC address.
Step 310: the VPN gateway processes the message and forwards the processed message to the load balancing device by using a routing table.
When it receives the message, the VPN gateway may first search the policy routing table with the destination IP address carried in the message; if the destination IP address is found, it determines that the message is one that VPN must process.
The policy routing table is pre-configured on the VPN gateway and records VPN private network addresses and the VPN virtual output interface. If the destination IP address of the packet is found in the policy routing table, the packet needs VPN processing, that is, encapsulation.
The process for processing the packet is as described in step 203, and is not described again.
The encapsulation information includes a destination IP address (the IP address of the VPN client) and a source IP address (the IP address of the VPN gateway). After the load balancing device receives the negotiation packet from the VPN client and distributes it to the VPN gateway, the VPN gateway obtains the source IP address (the IP address of the VPN client) and the destination IP address (the IP address of the VPN gateway) carried in that negotiation packet, and once it has obtained the VPN private network address corresponding to the VPN client, it records the correspondence between the VPN private network address and the encapsulation information.
For example, assume the IP address of VPN client 1 is 1.1.1.1 and the IP address of VPN gateway 1 is 10.2.0.1. As described in step 308, the source and destination IP addresses carried in the packet returned by the intranet server are 10.3.0.254 and 10.1.0.4, respectively; after VPN gateway 1 encapsulates the packet, the source and destination IP addresses carried in the outer packet are 10.2.0.1 and 1.1.1.1. Table 4 shows an exemplary encapsulated message format.
TABLE 4
The process of forwarding the processed packet to the load balancing device by using the routing table is as described in step 203, and is not described again.
Note that when the VPN gateway receives an exit notification packet from a VPN client, it disconnects the VPN client and deletes the VPN private network address carried in the exit notification packet from the local association table. Thus, when the VPN client accesses the VPN service again and the load balancing device distributes it to another VPN gateway, that gateway can add the VPN private network address to its own local association table.
Step 311: the load balancing device forwards the message to the VPN client.
As described in step 310, the load balancing device forwards the packet to VPN client 1, which 1.1.1.1 points to.
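The backflow path of steps 308 to 311, together with the aging and exit-notification behaviour noted above, as an added simulation that is not part of the patent: the gateway announces the VPN private address with a gratuitous ARP, answers the switch's ARP request once the switch's entry has aged out, and encapsulates a returned server packet after a policy-routing lookup. The IP addresses are the patent's worked values (client 1.1.1.1, gateway 10.2.0.1, private address 10.1.0.4, server 10.3.0.254); the MAC addresses, the switch's management address 10.3.0.1, the aging period and the inner-packet layout are assumptions made for the example.

```python
# Constructed simulation of the patent's backflow path; addresses follow the text, MACs/layout are assumed.
import ipaddress
import struct
from dataclasses import dataclass, field

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ARP_REQUEST, ARP_REPLY = 1, 2

def _mac(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))

def _ip(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed

def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """Encode a 28-byte Ethernet/IPv4 ARP payload in RFC 826 field order."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # htype, ptype, hlen, plen, opcode
    return header + _mac(sender_mac) + _ip(sender_ip) + _mac(target_mac) + _ip(target_ip)

def parse_arp(pkt: bytes) -> dict:
    """Decode the fields build_arp() produced."""
    return {
        "op": struct.unpack("!H", pkt[6:8])[0],
        "sender_mac": pkt[8:14].hex(":"),
        "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
        "target_mac": pkt[18:24].hex(":"),
        "target_ip": str(ipaddress.IPv4Address(pkt[24:28])),
    }

@dataclass
class VpnGateway:
    mac: str
    public_ip: str  # outer source IP of encapsulated packets (10.2.0.1 in the example)
    assoc: dict = field(default_factory=dict)        # association table: private IP -> MAC
    policy_routes: set = field(default_factory=set)  # private IPs bound to the VPN virtual interface
    encap_info: dict = field(default_factory=dict)   # private IP -> VPN client's public IP

    def client_connected(self, private_ip: str, client_ip: str) -> bytes:
        """Fill the tables a successful negotiation produces; return the gratuitous ARP to broadcast."""
        self.assoc[private_ip] = self.mac
        self.policy_routes.add(private_ip)
        self.encap_info[private_ip] = client_ip
        # Sender and target IP are both the private address, so every device on the segment learns private_ip -> gateway MAC.
        return build_arp(ARP_REQUEST, self.mac, private_ip, BROADCAST_MAC, private_ip)

    def client_exited(self, private_ip: str) -> None:
        """Exit notification: drop the private address so another gateway may later claim it."""
        self.assoc.pop(private_ip, None)
        self.encap_info.pop(private_ip, None)
        self.policy_routes.discard(private_ip)

    def handle_arp(self, pkt: bytes):
        """Answer ARP requests for private addresses in the association table; ignore all others."""
        req = parse_arp(pkt)
        if req["op"] != ARP_REQUEST or req["target_ip"] not in self.assoc:
            return None
        return build_arp(ARP_REPLY, self.assoc[req["target_ip"]], req["target_ip"],
                         req["sender_mac"], req["sender_ip"])

    def forward_to_client(self, src_ip: str, dst_ip: str, payload: bytes):
        """Step 310: consult the policy routing table; encapsulate only VPN-bound packets."""
        if dst_ip not in self.policy_routes:
            return None  # ordinary packet, left to the normal routing table
        inner = _ip(src_ip) + _ip(dst_ip) + payload  # assumed inner layout: src, dst, payload
        return {"outer_src": self.public_ip, "outer_dst": self.encap_info[dst_ip], "inner": inner}

@dataclass
class Switch:
    mac: str = "02:00:00:00:00:10"  # constructed
    ip: str = "10.3.0.1"            # constructed management address
    aging_seconds: int = 300        # assumed aging timer
    arp_table: dict = field(default_factory=dict)  # ip -> (mac, expiry time)

    def learn(self, pkt: bytes, now: float) -> None:
        arp = parse_arp(pkt)
        self.arp_table[arp["sender_ip"]] = (arp["sender_mac"], now + self.aging_seconds)

    def resolve(self, ip: str, now: float):
        """Return (mac, None) if a live entry exists, else (None, ARP request to broadcast)."""
        entry = self.arp_table.get(ip)
        if entry and entry[1] > now:
            return entry[0], None
        self.arp_table.pop(ip, None)  # aged out: forget the entry and re-resolve
        return None, build_arp(ARP_REQUEST, self.mac, self.ip, BROADCAST_MAC, ip)
```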
In this embodiment, after acquiring the VPN private network address corresponding to a VPN client, the VPN gateway establishes a mapping between that address and itself and sends the mapping to the other network devices, so that when another network device receives a packet whose destination IP address is the VPN private network address, it uses the mapping to send the packet to the VPN gateway; the VPN gateway then processes the packet and forwards the processed packet to the VPN client by using a routing table. In this way, a message whose destination IP address is the VPN private network address flows back to the corresponding VPN client. Because the VPN private network address is used only by that VPN client and does not change when the VPN client changes its IP address, the access behaviour of a VPN user can be audited.
Corresponding to the foregoing embodiments of the backflow method for the VPN client, the present application also provides embodiments of a backflow apparatus for the VPN client.
The backflow apparatus embodiment for the VPN client can be applied to a VPN gateway. The apparatus embodiments may be implemented by software, by hardware, or by a combination of both. Taking software as an example, the apparatus is formed, as a logical means, by the processor of the device on which it runs reading the corresponding computer program instructions from nonvolatile memory into memory and executing them. In hardware terms, fig. 4 shows the hardware structure of the device on which the backflow apparatus is located; besides the processor, memory, network interface, and nonvolatile memory shown in fig. 4, the device in this embodiment may also include other hardware according to its actual function, which is not described again.
Referring to fig. 5, a block diagram of an embodiment of a backflow apparatus for a VPN client according to an exemplary embodiment of the present application is shown, where the embodiment is applied to a VPN gateway, and the apparatus includes: an obtaining unit 510, a mapping relationship establishing unit 520, a first sending unit 530, a receiving unit 540, and a forwarding unit 550.
The obtaining unit 510 is configured to obtain a VPN private network address corresponding to a VPN client;
the mapping relationship establishing unit 520 is configured to establish a mapping relationship between the VPN private network address and the VPN gateway;
the first sending unit 530 is configured to send the mapping relationship between the VPN private network address and the VPN gateway to other network devices, so that when receiving a packet whose destination IP address is the VPN private network address, the other network devices send the packet to the VPN gateway by using the mapping relationship;
the receiving unit 540 is configured to receive a message whose destination IP address is the VPN private network address;
the forwarding unit 550 is configured to process the packet, and forward the processed packet to the VPN client by using a routing table.
In an optional implementation manner, the obtaining unit 510 is specifically configured to receive a negotiation packet that carries user information and is sent by the VPN client; searching a binding relation table by using the user information to obtain a corresponding VPN private network address; the binding relation table records the corresponding relation between user information and VPN private network addresses;
the device further comprises (not shown in fig. 5):
a second sending unit, configured to send a negotiation response message carrying the VPN private network address to the VPN client after the obtaining unit 510 obtains the corresponding VPN private network address.
In another optional implementation manner, the mapping relationship establishing unit 520 is specifically configured to establish an association table between the VPN private network address and the MAC address of the VPN gateway; or generating a virtual MAC address of the VPN gateway according to the VPN private network address; and establishing an association table of the VPN private network address and the virtual MAC address.
In another optional implementation manner, the first sending unit 530 is specifically configured to send a gratuitous ARP packet to the other network devices in a broadcast manner, so that the other network devices record the correspondence between the VPN private network address and the MAC address of the VPN gateway, where the source IP address carried by the gratuitous ARP packet is the VPN private network address and the source MAC address carried by the gratuitous ARP packet is the MAC address of the VPN gateway; and/or to receive an ARP request message whose destination IP address is the VPN private network address, obtain the MAC address corresponding to the VPN private network address from the association table, use the VPN private network address as the source IP address of an ARP response message and that MAC address as the source MAC address of the ARP response message, and send the ARP response message.
In another optional implementation manner, the receiving unit 540 is specifically configured to receive a message and search a policy routing table by using the destination IP address carried in the message, where the policy routing table records the correspondence between VPN private network addresses and the VPN virtual interface; if the destination IP address is found, the message processing procedure is executed.
The implementation process of the functions and actions of each unit in the above device is specifically described in the implementation process of the corresponding step in the above method, and is not described herein again.
Since the apparatus embodiments substantially correspond to the method embodiments, reference may be made to the relevant parts of the method description. The apparatus embodiments described above are merely illustrative: units described as separate parts may or may not be physically separate, parts shown as units may or may not be physical units, and they may be located in one place or distributed over a plurality of network units. Some or all of the modules can be selected according to actual needs to achieve the purpose of the present application. One of ordinary skill in the art can understand and implement this without inventive effort.
In this embodiment, after acquiring the VPN private network address corresponding to a VPN client, the VPN gateway establishes a mapping between that address and itself and sends the mapping to the other network devices, so that when another network device receives a packet whose destination IP address is the VPN private network address, it uses the mapping to send the packet to the VPN gateway; the VPN gateway then processes the packet and forwards the processed packet to the VPN client by using a policy routing table. In this way, a message whose destination IP address is the VPN private network address flows back to the corresponding VPN client. Because the VPN private network address is used only by that VPN client and does not change when the VPN client changes its IP address, the access behaviour of a VPN user can be audited.
The above description is only exemplary of the present application and should not be taken as limiting the present application, as any modification, equivalent replacement, or improvement made within the spirit and principle of the present application should be included in the scope of protection of the present application.

Claims (10)

1. A backflow method for a VPN client, the method being applied to a VPN gateway, the method comprising:
acquiring a VPN private network address corresponding to a VPN client, and establishing a mapping relation between the VPN private network address and the VPN gateway;
sending the mapping relation between the VPN private network address and the VPN gateway to other network equipment, so that the other network equipment sends a message to the VPN gateway by using the mapping relation when receiving the message with a destination Internet Protocol (IP) address as the VPN private network address;
receiving a message whose destination IP address is the VPN private network address, processing the message, and forwarding the processed message to the VPN client by using a routing table.
2. The method according to claim 1, wherein the process of obtaining the VPN private network address corresponding to the VPN client specifically includes:
receiving a negotiation message which is sent by the VPN client and carries user information;
searching a binding relation table by using the user information to obtain a corresponding VPN private network address; the binding relation table records the corresponding relation between user information and VPN private network addresses;
after acquiring the corresponding VPN private network address, the method further includes: and sending a negotiation response message carrying the VPN private network address to the VPN client.
3. The method according to claim 1, wherein said process of establishing a mapping relationship between said VPN private network address and said VPN gateway specifically comprises:
establishing an association table of the VPN private network address and a Media Access Control (MAC) address of the VPN gateway; or,
generating a virtual MAC address of the VPN gateway according to the VPN private network address; and establishing an association table of the VPN private network address and the virtual MAC address.
4. The method according to claim 3, wherein said process of sending the mapping relationship between the VPN private network address and the VPN gateway to other network devices specifically comprises:
sending a gratuitous Address Resolution Protocol (ARP) message to the other network devices in a broadcast manner, so that the other network devices record the correspondence between the VPN private network address and the MAC address of the VPN gateway; wherein the source IP address carried by the gratuitous ARP message is the VPN private network address, and the source MAC address carried by the gratuitous ARP message is the MAC address of the VPN gateway; and/or,
receiving an ARP request message with a destination IP address as the VPN private network address; acquiring an MAC address corresponding to the VPN private network address from the association table; using the VPN private network address as a source IP address of an ARP response message, and using the MAC address as a source MAC address of the ARP response message; and sending the ARP response message.
5. The method according to claim 1, wherein the process of receiving the packet with the destination IP address being the VPN private network address specifically comprises:
receiving a message;
searching a policy routing table by using the destination IP address carried by the message; the policy routing table records the corresponding relation between the VPN private network address and the VPN virtual output interface;
and if the target IP address is found, executing the process of processing the message.
6. A backflow apparatus for a VPN client, the apparatus being applied to a VPN gateway, the apparatus comprising:
the acquisition unit is used for acquiring a VPN private network address corresponding to the VPN client;
a mapping relationship establishing unit, configured to establish a mapping relationship between the VPN private network address and the VPN gateway;
a first sending unit, configured to send a mapping relationship between the VPN private network address and the VPN gateway to another network device, so that when receiving a packet whose destination IP address is the VPN private network address, the other network device sends the packet to the VPN gateway by using the mapping relationship;
a receiving unit, configured to receive a packet whose destination IP address is the VPN private network address;
a forwarding unit, configured to process the message and forward the processed message to the VPN client by using a routing table.
7. The apparatus according to claim 6, wherein the obtaining unit is specifically configured to receive a negotiation packet that carries user information and is sent by the VPN client; searching a binding relation table by using the user information to obtain a corresponding VPN private network address; the binding relation table records the corresponding relation between user information and VPN private network addresses;
the device further comprises:
a second sending unit, configured to send a negotiation response message carrying the VPN private network address to the VPN client after the obtaining unit obtains the corresponding VPN private network address.
8. The apparatus according to claim 6, wherein the mapping relationship establishing unit is specifically configured to establish an association table between the VPN private network address and a media access control MAC address of the VPN gateway; or generating a virtual MAC address of the VPN gateway according to the VPN private network address; and establishing an association table of the VPN private network address and the virtual MAC address.
9. The apparatus according to claim 8, wherein the first sending unit is specifically configured to send a gratuitous Address Resolution Protocol (ARP) message to the other network devices in a broadcast manner, so that the other network devices record the correspondence between the VPN private network address and the MAC address of the VPN gateway, wherein the source IP address carried by the gratuitous ARP message is the VPN private network address and the source MAC address carried by the gratuitous ARP message is the MAC address of the VPN gateway; and/or to receive an ARP request message whose destination IP address is the VPN private network address, obtain the MAC address corresponding to the VPN private network address from the association table, use the VPN private network address as the source IP address of an ARP response message and the MAC address as the source MAC address of the ARP response message, and send the ARP response message.
10. The apparatus according to claim 6, wherein the receiving unit is specifically configured to receive a message; searching a policy routing table by using the destination IP address carried by the message; the policy routing table records the corresponding relation between the VPN private network address and the VPN virtual interface; and if the target IP address is found, executing the process of processing the message.
CN201610335493.3A 2016-05-19 2016-05-19 The reflow method and device of VPN client Active CN106027354B (en)


Publications (2)

Publication Number Publication Date
CN106027354A true CN106027354A (en) 2016-10-12
CN106027354B CN106027354B (en) 2019-03-15



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant after: Hangzhou Dipu Polytron Technologies Inc

Address before: Binjiang District and Hangzhou city in Zhejiang Province Road 310051 No. 68 in the 6 storey building

Applicant before: Hangzhou Dipu Technology Co., Ltd.

GR01 Patent grant