CN106506354B - Message transmission method and device - Google Patents


Info

Publication number: CN106506354B
Authority: CN (China)
Prior art keywords: ssl vpn, vpn gateway, message, address, gateway
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Active
Application number: CN201610971698.0A
Other languages: Chinese (zh)
Other versions: CN106506354A
Inventor: 宋小恒
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): Hangzhou H3C Technologies Co Ltd
Original Assignee: Hangzhou H3C Technologies Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/28 Routing or path finding of packets in data switching networks using route fault recovery
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0272 Virtual private networks
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/40 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass for recovering from a failure of a protocol instance or entity, e.g. service redundancy protocols, protocol state redundancy or protocol service redirection

Abstract

The application provides a message transmission method and device. The method includes the following steps: issuing a route carrying a group address to a neighbor network device of the SSL VPN gateway, so that the neighbor network device sends messages whose destination IP address is the group address to the SSL VPN gateways in the gateway group; receiving a message sent by the neighbor network device; and, if the message is a session negotiation request message and the SSL VPN gateway is the main SSL VPN gateway, determining the server that the first terminal device can access and the authentication encryption information corresponding to the first terminal device, sending a response message carrying the IP address of the server and the authentication encryption information to the first terminal device, and sending the authentication encryption information to each standby SSL VPN gateway. With this technical scheme, the processing performance of the SSL VPN gateway is improved, the user experience is improved, and service interruption is avoided.

Description

Message transmission method and device
Technical Field
The present application relates to the field of communications technologies, and in particular, to a method and an apparatus for transmitting a packet.
Background
SSL (Secure Sockets Layer) VPN (Virtual Private Network) is a VPN technology based on SSL. It can make full use of the mechanisms provided by the SSL protocol, such as identity authentication, data encryption and message integrity verification, to establish a secure connection for application-layer communication.
In a network with an SSL VPN gateway, the terminal device sends a session negotiation request message to the SSL VPN gateway; the SSL VPN gateway allocates authentication encryption information for the terminal device and sends it to the terminal device. When the terminal device sends a data message, it uses the authentication encryption information to encrypt and otherwise process the data message; after the SSL VPN gateway receives the data message, it decrypts and otherwise processes the data message and sends it to the server. This mode ensures the security of data message transmission.
At present, if two or more SSL VPN gateways are deployed in a network, different SSL VPN gateways provide services for different terminal devices. When a certain SSL VPN gateway goes offline, the terminal devices connected to that SSL VPN gateway are forced offline and must reconnect to another SSL VPN gateway, which affects the user experience and interrupts the service of those terminal devices.
Disclosure of Invention
The application provides a message transmission method applied to a Secure Sockets Layer virtual private network (SSL VPN) gateway in a gateway group, where the gateway group includes a main SSL VPN gateway and at least one standby SSL VPN gateway, and every SSL VPN gateway in the gateway group uses the same group address. The method includes:
issuing a route carrying the group address to a neighbor network device of the SSL VPN gateway so that the neighbor network device sends a message with a destination IP address as the group address to the SSL VPN gateway in the gateway group;
receiving a message sent by the neighbor network equipment;
if the message is a session negotiation request message and the SSL VPN gateway is a standby SSL VPN gateway, sending the session negotiation request message to a main SSL VPN gateway;
if the message is a session negotiation request message and the SSL VPN gateway is the main SSL VPN gateway, determining the server that can be accessed by the first terminal device, i.e. the terminal device corresponding to the source IP address of the session negotiation request message, and the authentication encryption information corresponding to the first terminal device; sending a response message carrying the IP address of the server and the authentication encryption information to the first terminal device; and sending the authentication encryption information to each standby SSL VPN gateway.
The application also provides a message transmission device applied to an SSL VPN gateway in a gateway group, where the gateway group includes a main SSL VPN gateway and at least one standby SSL VPN gateway, and every SSL VPN gateway in the gateway group uses the same group address. The device includes:
a sending module, configured to issue a route carrying the group address to a neighboring network device of the SSL VPN gateway, so that the neighboring network device sends a packet with a destination IP address as the group address to the SSL VPN gateway in the gateway group;
the receiving module is used for receiving the message sent by the neighbor network equipment;
the sending module is further configured to send the session negotiation request message to the master SSL VPN gateway when the message is a session negotiation request message and the local SSL VPN gateway is the standby SSL VPN gateway;
a determining module, configured to determine, when the packet is a session negotiation request packet and a local SSL VPN gateway is a master SSL VPN gateway, a server that a first terminal device corresponding to a source IP address of the session negotiation request packet can access and encrypted authentication information corresponding to the first terminal device;
the sending module is further configured to send, when the SSL VPN gateway is the master SSL VPN gateway, a response packet carrying the IP address of the server and the encryption authentication information to the first terminal device, and send the authentication encryption information to each standby SSL VPN gateway.
Based on the above technical scheme, in the embodiment of the application at least two SSL VPN gateways can be deployed in the network and load sharing is performed between them, so that no single SSL VPN gateway has to serve a large number of terminal devices; the processing performance of the SSL VPN gateways is improved and no SSL VPN gateway becomes a performance bottleneck. In addition, both the main SSL VPN gateway and the standby SSL VPN gateways in the gateway group issue routes carrying the group address to their neighbor network devices, so that equivalent (equal-cost) routes to the group address are formed on the neighbor network devices, and both the main and the standby SSL VPN gateways store the authentication encryption information corresponding to each terminal device. Consequently, when a neighbor network device receives a message from a terminal device whose destination IP address is the group address, it can send the message to any SSL VPN gateway in the gateway group over the equivalent routes, so that the messages of one terminal device can be shared among different SSL VPN gateways instead of being processed by a single one. When a certain SSL VPN gateway goes offline, the routes converge automatically and the messages are sent to the remaining SSL VPN gateways, i.e. the terminal device is switched seamlessly to another SSL VPN gateway. The service is thus protected in time without any effect on the user: the user experience is improved, service interruption is avoided, the reliability and stability of user access are improved, and timely traffic protection among the SSL VPN gateways is achieved.
Drawings
In order to illustrate the embodiments of the present application or the technical solutions in the prior art more clearly, the drawings needed in the description of the embodiments or of the prior art are briefly described below. Obviously, the drawings in the following description show only some embodiments of the present application, and other drawings can be obtained from them by those skilled in the art.
Fig. 1 is a flowchart of a message transmission method according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an application scenario in an embodiment of the present application;
Fig. 3 is a hardware structure diagram of an SSL VPN gateway in an embodiment of the present application;
Fig. 4 is a block diagram of a message transmission apparatus according to an embodiment of the present application.
Detailed Description
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the application. As used in this application and the claims, the singular forms "a", "an", and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein is meant to encompass any and all possible combinations of one or more of the associated listed items.
It is to be understood that although the terms first, second, third, etc. may be used herein to describe various information, such information should not be limited to these terms. These terms are only used to distinguish one type of information from another. For example, first information may also be referred to as second information, and similarly, second information may also be referred to as first information, without departing from the scope of the present application. Depending on the context, moreover, the word "if" as used may be interpreted as "at … …" or "when … …" or "in response to a determination".
The embodiment of the application provides a message transmission method which can be applied to SSL VPN gateways in a gateway group. The gateway group may include a primary SSL VPN gateway and at least one standby SSL VPN gateway, each SSL VPN gateway within the gateway group using the same group address (i.e., IP address).
In one example, for each SSL VPN gateway in the gateway group, one SSL VPN gateway may be configured as a primary SSL VPN gateway, and the remaining other SSL VPN gateways may be configured as standby SSL VPN gateways. The main SSL VPN gateway is responsible for processing a session negotiation request message from the terminal equipment and executing operations such as authentication and authorization and the like for the terminal equipment. The standby SSL VPN gateway is not responsible for executing authentication, authorization and other operations for the terminal equipment, but directly forwards the session negotiation request message received by the standby SSL VPN gateway to the main SSL VPN gateway. The main SSL VPN gateway and the standby SSL VPN gateway can process data messages from the terminal equipment. When the main SSL VPN gateway is abnormal, the standby SSL VPN gateway becomes a new main SSL VPN gateway and is responsible for processing a session negotiation request message from the terminal equipment and executing the operations of authentication, authorization and the like on the terminal equipment.
Referring to fig. 1, a flowchart of a message transmission method is shown, where the method may be applied to SSL VPN gateways (a primary SSL VPN gateway or a standby SSL VPN gateway) in a gateway group, and the method may include the following steps:
Step 101, a route carrying the group address is issued to a neighbor network device of the SSL VPN gateway, so that the neighbor network device sends messages whose destination IP address is the group address to the SSL VPN gateways in the gateway group, that is, to the main SSL VPN gateway or to any standby SSL VPN gateway in the gateway group.
In one example, when there are multiple SSL VPN gateways, they may be grouped into a gateway group in which every SSL VPN gateway uses the same group address. The terminal device then does not need to know the actual IP address of each SSL VPN gateway in the gateway group; it only needs to know the group address (for example, the user may learn the group address and configure it on the terminal device) in order to send session negotiation request messages or data messages whose destination IP address is the group address.
Each SSL VPN gateway in the gateway group may issue a route carrying the group address to a neighboring network device of the SSL VPN gateway, so that an equivalent route to the group address is formed on the neighboring network device. After receiving a message (such as a session negotiation request message or a data message) from a terminal device, a neighbor network device may send the message to any SSL VPN gateway in a gateway group, such as a master SSL VPN gateway or a standby SSL VPN gateway, if a destination IP address of the message is the group address.
Step 102, receiving a message sent by a neighbor network device, where the message may be a session negotiation request message or a data message. If the message is a session negotiation request message, step 103 is executed.
Step 103, if the SSL VPN gateway is a standby SSL VPN gateway, the session negotiation request message is sent to the main SSL VPN gateway. If the SSL VPN gateway is the main SSL VPN gateway, it determines the server that the first terminal device can access and the authentication encryption information corresponding to the first terminal device. Here, the first terminal device is the terminal device corresponding to the source IP address of the session negotiation request message.
In one example, after receiving the session negotiation request message (either sent directly by the first terminal device to the main SSL VPN gateway, or forwarded by a standby SSL VPN gateway to the main SSL VPN gateway), the main SSL VPN gateway parses the identity information (such as a user name and a password) from the session negotiation request message and authenticates the first terminal device using the identity information. If the authentication succeeds, it determines the server that the first terminal device can access and the authentication encryption information corresponding to the first terminal device. If the authentication fails, it sends a response message indicating the authentication failure to the first terminal device.
In one example, for the process of "determining a server that can be accessed by the first terminal device", a mapping relationship between the identity information and the resource may be configured on the primary SSL VPN gateway, and information of the server providing each resource (such as an IP address of the server) may be configured on the primary SSL VPN gateway. Based on this, after the main SSL VPN gateway parses the identity information from the session negotiation request message, the resource corresponding to the identity information may be obtained, and the IP address of the server providing the resource may be determined. The resource may be an FTP (File Transfer Protocol) resource, a WEB resource, a File storage resource, or the like.
In one example, the authentication encryption information may include, but is not limited to, the encryption algorithm, the exchanged encryption key, and the message integrity verification algorithm.
Step 104, the main SSL VPN gateway sends the response message carrying the IP address of the server and the encrypted authentication information to the first terminal device, and sends the authentication encryption information to each standby SSL VPN gateway, for example, a notification message carrying the authentication encryption information may be sent to each standby SSL VPN gateway.
After receiving the response message, the first terminal device parses the IP address of the server and the authentication encryption information from the response message, and sends data messages using the IP address and the authentication encryption information.
In one example, the data packet sent by each terminal device is sent to a primary SSL VPN gateway or a standby SSL VPN gateway in the gateway group by the neighboring network device. Based on this, after the main SSL VPN gateway or the standby SSL VPN gateway receives the message sent by the neighbor network device, if the message is a data message, the inner layer message included in the data message is decrypted by using the authentication encryption information corresponding to the second terminal device, and the decrypted inner layer message is sent to the server corresponding to the destination IP address of the inner layer message. The second terminal device is a terminal device corresponding to the outer layer source IP address of the data message.
In an example, if the message is a session negotiation request message and the SSL VPN gateway is the main SSL VPN gateway, then before sending the response message carrying the IP address of the server and the authentication encryption information to the first terminal device, a UDP (User Datagram Protocol) port identifier may also be allocated to the first terminal device and sent to each standby SSL VPN gateway. The response message then also carries the UDP port identifier, and the first terminal device adds this UDP port identifier to the outer header when it sends data messages.
In an example, after receiving a data response message sent by the server, the main SSL VPN gateway or the standby SSL VPN gateway may encrypt the data response message using the authentication encryption information corresponding to the third terminal device, so as to obtain an encrypted data message. The third terminal device is the terminal device corresponding to the destination IP address of the data response message. The encrypted data message is then encapsulated, with the outer source IP address of the encapsulated encrypted data message being the group address and the source port being the UDP port identifier corresponding to the third terminal device. The encapsulated encrypted data message is then sent to the third terminal device.
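Steps 101 to 104 above describe a small protocol between the members of the gateway group: a standby forwards session negotiation requests to the main gateway, the main gateway authenticates, allocates the authentication encryption information and the UDP port identifier, and replicates them to every standby, after which any member can process data messages, including after the main gateway has gone offline. The following simulation is an added example, not code from the patent or from H3C. The user table, the gateway names and the shape of the replicated session record are constructed for the example, and the negotiated key only protects an HMAC tag here, standing in for the real cipher suite the page leaves unspecified.

```python
"""Simulation of the gateway-group behaviour of steps 101-104 (added example).

Constructed: the USERS table, gateway names, and the AuthInfo record layout.
The key only protects an HMAC-SHA256 tag, a stand-in for the negotiated suite.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

GROUP_ADDRESS = "1.1.1.254"  # group address shared by every gateway in the group

# Constructed identity -> resource mapping configured on the main gateway.
USERS = {"alice": {"password": "correct-horse", "servers": ["20.1.1.254", "30.1.1.254"]}}


@dataclass
class AuthInfo:
    """'Authentication encryption information' plus the UDP port for one terminal."""
    cipher: str
    key: bytes
    integrity_alg: str
    udp_port: int


class Gateway:
    def __init__(self, name, role, group):
        self.name, self.role, self.group = name, role, group
        self.sessions = {}  # outer source IP -> AuthInfo (replicated across the group)

    def handle_negotiation(self, src_ip, username, password):
        """Step 103: a standby forwards to the main gateway; the main gateway authenticates."""
        if self.role == "standby":
            return self.group.primary().handle_negotiation(src_ip, username, password)
        user = USERS.get(username)
        if user is None or not hmac.compare_digest(user["password"].encode(), password.encode()):
            return {"status": "auth-failed"}
        info = AuthInfo("example-cipher", secrets.token_bytes(32), "hmac-sha256",
                        udp_port=self.group.allocate_udp_port())
        self.sessions[src_ip] = info
        for standby in self.group.standbys():  # step 104: notify every standby
            standby.sessions[src_ip] = info
        return {"status": "ok", "servers": user["servers"], "auth": info}

    def handle_data(self, outer_src_ip, payload, tag):
        """Any member can verify a data message, because the session state was replicated."""
        info = self.sessions.get(outer_src_ip)
        if info is None:
            return False  # no negotiated session for this outer source: drop
        expected = hmac.new(info.key, payload, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


class GatewayGroup:
    def __init__(self, names):
        self.members = [Gateway(n, "primary" if i == 0 else "standby", self)
                        for i, n in enumerate(names)]
        self.next_udp_port = 4430

    def primary(self):
        return next(g for g in self.members if g.role == "primary")

    def standbys(self):
        return [g for g in self.members if g.role == "standby"]

    def allocate_udp_port(self):
        port, self.next_udp_port = self.next_udp_port, self.next_udp_port + 1
        return port

    def deliver(self, flow_key):
        """Stands in for the neighbor device's equal-cost choice among live members."""
        return self.members[flow_key % len(self.members)]

    def fail(self, gateway):
        """Member goes offline: it leaves the group and a standby takes over as main."""
        self.members.remove(gateway)
        if gateway.role == "primary" and self.members:
            self.members[0].role = "primary"


def demo():
    group = GatewayGroup(["gw1", "gw2"])
    # the request lands on the standby, which forwards it to the main gateway
    resp = group.deliver(flow_key=1).handle_negotiation("100.1.1.1", "alice", "correct-horse")
    payload = b"encrypted inner packet for 20.1.1.254"
    tag = hmac.new(resp["auth"].key, payload, hashlib.sha256).digest()
    before = [gw.handle_data("100.1.1.1", payload, tag) for gw in group.members]
    group.fail(group.primary())  # gw1 goes offline
    survivor = group.deliver(flow_key=7)
    after = survivor.handle_data("100.1.1.1", payload, tag)
    unknown = survivor.handle_data("9.9.9.9", payload, tag)
    return resp["status"], resp["auth"].udp_port, before, survivor.name, survivor.role, after, unknown
```

The point to notice is in `handle_data`: a message from an outer source IP that never completed negotiation is dropped by every member, and the replicated record is what lets the surviving gateway keep serving the terminal after `fail()` without a new negotiation.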
The above process of the embodiment of the present application will be described in detail below with reference to the application scenario shown in fig. 2.
In fig. 2, a terminal device, a network device R1, an SSL VPN gateway 1, an SSL VPN gateway 2, a network device R2, a server 1 and a server 2 may be included. The IP address of the terminal device is 100.1.1.1, the IP address of the server 1 is 20.1.1.254, and the IP address of the server 2 is 30.1.1.254. The SSL VPN gateway 1 and the SSL VPN gateway 2 are in the same gateway group; the SSL VPN gateway 1 is the main SSL VPN gateway, the SSL VPN gateway 2 is a standby SSL VPN gateway, the group address of the gateway group is 1.1.1.254, and the TCP port identifier of the gateway group is TCP port 443 (the default SSL TCP port).
In the application scenario, the message transmission method may include the following steps:
Step 1, the SSL VPN gateway 1 externally issues a route carrying the IP address 1.1.1.254 and TCP port 443, and the network devices R1 and R2 learn this route. The SSL VPN gateway 2 likewise externally issues a route carrying the IP address 1.1.1.254 and TCP port 443, and the network devices R1 and R2 learn this route as well. The network devices R1 and R2 therefore each learn two routes to the IP address 1.1.1.254, which form equivalent routes on R1 and R2.
Step 2, the user logs in to the SSL VPN page, enters identity information such as a user name and a password, and enters information such as the group address 1.1.1.254 and the TCP port 443 of the SSL VPN gateway. The terminal device generates a session negotiation request message using the identity information, the group address 1.1.1.254 and the TCP port 443, and sends it. The source IP address of the session negotiation request message may be 100.1.1.1, the destination IP address may be 1.1.1.254, and the destination TCP port may be 443.
Step 3, after receiving the session negotiation request message, the network device R1 may send it to the SSL VPN gateway 1 or to the SSL VPN gateway 2, because two routes to the destination IP address 1.1.1.254 exist locally and both the SSL VPN gateway 1 and the SSL VPN gateway 2 are next hops for the destination IP address 1.1.1.254. The following description takes sending to the SSL VPN gateway 2 as an example.
Step 4, after the SSL VPN gateway 2 receives the session negotiation request message, because the SSL VPN gateway 2 is a standby SSL VPN gateway, it sends the session negotiation request message to the SSL VPN gateway 1.
Step 5, after receiving the session negotiation request message, the SSL VPN gateway 1 parses the identity information from it and authenticates the terminal device using the identity information. If the authentication succeeds, step 6 is executed. If the authentication fails, a response message indicating the authentication failure is sent to the terminal device and the process ends.
Step 6, the SSL VPN gateway 1 allocates a UDP port identifier 4430 to the terminal device (for example, randomly selects a UDP port identifier), and allocates a virtual Access IP address 10.1.1.1 and a virtual Access MAC (Media Access Control) address (for example, virtual MAC1) to the terminal device.
In one example, a virtual IP segment, such as 10.1.1.0/24, may be preconfigured on the SSL VPN gateway 1; when the SSL VPN gateway 1 assigns a virtual access IP address to the terminal device, it may directly select an available IP address 10.1.1.1 from the virtual IP segment and mark it as unavailable. Similarly, a virtual MAC range may be preconfigured on the SSL VPN gateway 1; when the SSL VPN gateway 1 allocates a virtual access MAC address to the terminal device, it may directly select an available MAC address (e.g. virtual MAC1) from the virtual MAC range and mark it as unavailable. Moreover, the virtual IP segment and the virtual MAC range are also preconfigured on the server, and the server only processes data packets whose source IP address belongs to the virtual IP segment and whose source MAC address belongs to the virtual MAC range.
Step 7, the SSL VPN gateway 1 determines that the terminal device can access the server 1 and the server 2, determines the IP address 20.1.1.254 of the server 1 and the IP address 30.1.1.254 of the server 2, and determines the authentication encryption information corresponding to the terminal device. The authentication encryption information may include, but is not limited to, the encryption algorithm, the exchanged encryption key, and the message integrity verification algorithm.
Step 8, the SSL VPN gateway 1 sends a response message carrying the UDP port identifier 4430, the virtual access IP address 10.1.1.1, the virtual MAC1, the IP address 20.1.1.254 of the server 1, the IP address 30.1.1.254 of the server 2 and the authentication encryption information to the terminal device, and sends a notification message carrying the authentication encryption information, the UDP port identifier 4430 and the IP address 100.1.1.1 to the SSL VPN gateway 2.
Step 9, the SSL VPN gateway 1 and the SSL VPN gateway 2 store the authentication encryption information, the UDP port id 4430 and the IP address 100.1.1.1 in the local storage medium.
Step 10, after receiving the response message from the SSL VPN gateway 1, the terminal device parses the UDP port identifier 4430, the virtual access IP address 10.1.1.1, the virtual MAC1, the IP address 20.1.1.254 of the server 1, the IP address 30.1.1.254 of the server 2, and the authentication encryption information from the response message, and sends a data message to the server 1 or the server 2 using the above information.
In one example, to send a data packet to the server 1 (IP address 20.1.1.254), the terminal device may generate an inner layer packet whose source IP address is the virtual access IP address 10.1.1.1, whose destination IP address is the IP address 20.1.1.254 of the server 1, whose source MAC address is the virtual MAC1, and whose destination MAC address is any MAC. The terminal device then encrypts the inner layer packet using the authentication encryption information to obtain an encrypted data packet, and then encapsulates an outer layer header before the encrypted data packet to obtain the data packet. The source IP address of the outer header is 100.1.1.1, and the destination IP address is the group address 1.1.1.254 of the SSL VPN gateway.
It should be noted that, unlike the conventional method, the data packet is a UDP packet rather than a TCP packet. Therefore, the data packet does not carry a source TCP port and a destination TCP port but a source UDP port and a destination UDP port. The source UDP port may be any port identifier, and the destination UDP port is the UDP port identifier 4430.
Similarly, the process by which the terminal device sends a data packet to the server 2 (IP address 30.1.1.254) is the same as the process of sending a data packet to the server 1, and is not repeated here.
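The encapsulation just described (inner IP packet from the virtual access address, encrypted, wrapped in an outer IP/UDP header to the group address and port 4430), its decapsulation by whichever gateway receives it in step 12, and the server-side source check of the virtual IP segment are all easy to get wrong at byte level, so here is an added, runnable example of building and parsing such a packet. It is not code from the patent or from H3C. The addresses and the UDP port are those of the Fig. 2 scenario; the cipher (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) is a constructed stand-in for whatever suite is negotiated, and the virtual MAC check of the scenario is omitted.

```python
"""Build, decapsulate and check the UDP-encapsulated data packet of the scenario.

Added example. Constructed: the stand-in cipher (seal/unseal), the session key,
the application payload, and the source UDP port 40000.
"""
import hashlib
import hmac
import ipaddress
import socket
import struct

GROUP_ADDRESS = "1.1.1.254"
VIRTUAL_SEGMENT = ipaddress.ip_network("10.1.1.0/24")
IPPROTO_TCP, IPPROTO_UDP = 6, 17
TAG_LEN = 16


def _keystream(key, seq, n):
    """Keystream bound to the packet sequence number so it is never reused (stand-in)."""
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, struct.pack("!II", seq, block), hashlib.sha256).digest()
        block += 1
    return out[:n]


def seal(key, seq, plaintext):
    """Encrypt-then-MAC: 4-byte seq || ciphertext || 16-byte tag."""
    body = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, seq, len(plaintext))))
    hdr = struct.pack("!I", seq)
    return hdr + body + hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]


def unseal(key, blob):
    """Verify the tag before touching the ciphertext; None on any failure."""
    if len(blob) < 4 + TAG_LEN:
        return None
    hdr, body, tag = blob[:4], blob[4:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, hdr + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    seq = struct.unpack("!I", hdr)[0]
    return bytes(a ^ b for a, b in zip(body, _keystream(key, seq, len(body))))


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero since nothing here routes it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_data_packet(key, seq, inner_src, inner_dst, app_payload, outer_src, udp_port):
    """Terminal side: inner IP packet -> encrypt -> outer IP + UDP header (UDP, not TCP)."""
    inner = ipv4_header(inner_src, inner_dst, IPPROTO_TCP, len(app_payload)) + app_payload
    sealed = seal(key, seq, inner)
    udp = struct.pack("!HHHH", 40000, udp_port, 8 + len(sealed), 0) + sealed
    return ipv4_header(outer_src, GROUP_ADDRESS, IPPROTO_UDP, len(udp)) + udp


def gateway_receive(sessions, packet):
    """Gateway side (any member, since the session table is replicated): step 12."""
    proto = packet[9]
    outer_src, outer_dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    if proto != IPPROTO_UDP or outer_dst != GROUP_ADDRESS:
        return "drop: not a UDP packet to the group address"
    dst_port = struct.unpack("!H", packet[22:24])[0]
    session = sessions.get(outer_src)  # authentication encryption info by outer source IP
    if session is None or session["udp_port"] != dst_port:
        return "drop: no session for this outer source IP and UDP port"
    inner = unseal(session["key"], packet[28:])
    if inner is None:
        return "drop: integrity check failed"
    return ("forward", socket.inet_ntoa(inner[16:20]), inner)


def server_accepts(inner):
    """Server side: only process inner packets sourced from the virtual IP segment."""
    return ipaddress.ip_address(socket.inet_ntoa(inner[12:16])) in VIRTUAL_SEGMENT


def demo():
    key = hashlib.sha256(b"constructed session key").digest()
    sessions = {"100.1.1.1": {"key": key, "udp_port": 4430}}  # as replicated in step 9
    pkt = build_data_packet(key, 1, "10.1.1.1", "20.1.1.254", b"hello", "100.1.1.1", 4430)
    verdict, dst, inner = gateway_receive(sessions, pkt)
    tampered = gateway_receive(sessions, pkt[:-1] + bytes([pkt[-1] ^ 1]))
    return verdict, dst, inner[20:], server_accepts(inner), tampered
```

Two details matter for a defender reading the scenario: the gateway looks the session up by outer source IP and checks the destination UDP port it allocated before doing any cryptographic work, and the integrity tag is verified before decryption, so a modified packet is dropped rather than forwarded with garbage inside.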
In an example, the reason why the data packet is of the UDP type instead of the TCP type will be described in the subsequent process of the embodiment of the present application, and details are not described herein again.
Step 11, after the network device R1 receives the data packet, because two routes to the destination IP address 1.1.1.254 exist locally and both the SSL VPN gateway 1 and the SSL VPN gateway 2 are next hops for the destination IP address 1.1.1.254, the data packet may be sent to the SSL VPN gateway 1 or to the SSL VPN gateway 2. The following description takes sending the data packet to the SSL VPN gateway 1 as an example.
In an example, if the SSL VPN gateway 1 fails, that is, after the SSL VPN gateway 1 is not online, the network device R1 deletes the SSL VPN gateway 1 from the next hop corresponding to 1.1.1.254 when detecting that the SSL VPN gateway 1 fails, so that the network device R1 only sends the data message of the destination IP address 1.1.1.254 to the SSL VPN gateway 2. Similarly, if the SSL VPN gateway 2 fails, that is, after the SSL VPN gateway 2 is not online, the network device R1 deletes the SSL VPN gateway 2 from the next hop corresponding to 1.1.1.254 when detecting that the SSL VPN gateway 2 fails, so that the network device R1 only sends the data message of the destination IP address 1.1.1.254 to the SSL VPN gateway 1.
Step 12, after receiving the data packet, the SSL VPN gateway 1 determines the authentication encryption information corresponding to the outer-layer source IP address 100.1.1.1 of the data packet, and decrypts the inner-layer packet contained in the data packet using that authentication encryption information.
Step 13, the SSL VPN gateway 1 sends the decrypted inner-layer packet to the server 1. The source IP address of the inner-layer packet is the virtual access IP address 10.1.1.1, its destination IP address is the IP address 20.1.1.254 of the server 1, its source MAC address is the virtual MAC 1, and its destination MAC address is any MAC address.
Step 14, after receiving the inner-layer packet, the server 1 returns a data response packet to the terminal device. The source IP address of the data response packet may be the IP address 20.1.1.254 of the server 1, the destination IP address may be the virtual access IP address 10.1.1.1, the source MAC address may be the MAC address of the server 1, and the destination MAC address may be the virtual MAC 1.
Step 15, after receiving the data response packet, the network device R2 performs load sharing and forwards the data response packet to either the SSL VPN gateway 1 or the SSL VPN gateway 2. For convenience of description, the network device R2 is taken to forward the data response packet to the SSL VPN gateway 2.
In one example, a virtual IP network segment, such as 10.1.1.0/24, may be preconfigured on both the SSL VPN gateway 1 and the SSL VPN gateway 2. The SSL VPN gateway 1 publishes a route to the IP network segment 10.1.1.0/24 externally, and the network device R2 learns it; the SSL VPN gateway 2 likewise publishes a route to 10.1.1.0/24, and the network device R2 learns that one too. The network device R2 thus learns two routes to the IP network segment 10.1.1.0/24, which form an equal-cost route on the network device R2. Consequently, after receiving the data response packet, whose destination IP address 10.1.1.1 matches both routes to 10.1.1.0/24, the network device R2 may forward it to either the SSL VPN gateway 1 or the SSL VPN gateway 2.
Step 16, after receiving the data response packet, the SSL VPN gateway 2 encrypts the data response packet using the authentication encryption information to obtain an encrypted data packet, and encapsulates the encrypted data packet. The outer-layer source IP address of the encapsulated encrypted data packet is the group address 1.1.1.254, the source UDP port is the UDP port identifier 4430, the destination IP address is the IP address 100.1.1.1 of the terminal device, and the destination UDP port is any port identifier. The SSL VPN gateway 2 then sends the encapsulated encrypted data packet.
Specifically, after receiving the data response packet, the SSL VPN gateway 2 may determine the IP address 100.1.1.1 of the terminal device from the destination IP address (10.1.1.1) and the destination MAC address (virtual MAC 1), then look up the authentication encryption information and the UDP port identifier 4430 corresponding to the IP address 100.1.1.1, encrypt the data response packet with that authentication encryption information, and, when encapsulating the encrypted data packet, record the UDP port identifier 4430 in the outer-layer source UDP port of the encapsulated packet.
It should be noted that, unlike the conventional approach, the encapsulated encrypted data packet is not a TCP-type packet but a UDP-type packet. Its outer header therefore carries a source UDP port and a destination UDP port rather than TCP ports. The source UDP port may be the UDP port identifier 4430, and the destination UDP port may be any port identifier.
The reason why the encapsulated encrypted data packet is of UDP type rather than TCP type is explained later in this embodiment.
Step 17, after receiving the encapsulated encrypted data packet, the network device R1 sends it to the terminal device. The terminal device strips the outer-layer header from the encapsulated encrypted data packet to obtain the encrypted data packet, and decrypts the encrypted data packet using the authentication encryption information to obtain the data response packet, that is, the data response packet returned by the server.
This completes the process by which the terminal device accesses server resources in the VPN network.
The reason why the packets are of UDP type is explained in detail below.
If the terminal device sends a TCP-type data packet to the SSL VPN gateway 1 (that is, the outer-layer header carries TCP port information), the terminal device regards only a response packet returned by the SSL VPN gateway 1 as the response to that data packet and can continue sending data packets after receiving it. A response packet returned by the SSL VPN gateway 2 is not regarded by the terminal device as the response to its data packet and is discarded, and the terminal device keeps waiting for a response, which causes a transmission abnormality.
In practice, to implement load sharing, the network device R1 may send the data packet to either the SSL VPN gateway 1 or the SSL VPN gateway 2, and the network device R2 may likewise send the response packet to either the SSL VPN gateway 1 or the SSL VPN gateway 2, so a data packet and its response packet may pass through different gateways and the transmission abnormality described above may occur.
By contrast, if the terminal device sends a UDP-type data packet to the SSL VPN gateway 1 (that is, the outer-layer header carries UDP port information), the terminal device regards a response packet as the response to that data packet whether it is returned by the SSL VPN gateway 1 or by the SSL VPN gateway 2, and can continue sending data packets, so the transmission abnormality is avoided. On this basis, in this embodiment of the application the terminal device sends UDP-type data packets to the SSL VPN gateway (that is, the outer-layer header carries the UDP port identifier 4430), and the SSL VPN gateway sends UDP-type response packets to the terminal device (that is, the outer-layer header carries the UDP port identifier 4430).
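As an added illustration (not code from the patent), the following Python simulation models steps 11 to 17 and the UDP rationale above: two gateways that share the terminal device's authentication encryption information and the UDP port identifier 4430, an uplink decrypted at gateway 1, and a downlink that R2 load-shares to gateway 2, compared for a TCP outer header and a UDP outer header. The stand-in cipher, the terminal's own port 40000 and the TCP sequence numbers are constructed assumptions.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Addresses and port 4430 follow the embodiment; the key, the terminal's own port
# and the TCP sequence numbers are constructed for this simulation.
GROUP_ADDR = "1.1.1.254"        # group address shared by SSL VPN gateway 1 and 2
GATEWAY_UDP_PORT = 4430         # UDP port identifier allocated to the terminal device
TERMINAL_IP = "100.1.1.1"
TERMINAL_PORT = 40000           # "any port identifier" chosen by the terminal device
VIRTUAL_ACCESS_IP = "10.1.1.1"
SERVER1_IP = "20.1.1.254"


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for encrypting with the authentication encryption information
    (keystream XOR plus HMAC tag); a real gateway uses the negotiated TLS cipher."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; raises ValueError when the key does not match."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Packet:
    proto: str          # outer transport: "tcp" or "udp"
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes      # encrypted inner message
    seq: int = 0        # TCP sequence number; unused for UDP


class Gateway:
    """Group member: per-terminal key and UDP port are replicated from the main
    gateway to every standby; TCP connection state never is."""
    def __init__(self) -> None:
        self.sessions = {}      # terminal IP -> (key, UDP port identifier)
        self.tcp_conns = {}     # terminal IP -> next sequence number (local only)

    def handle_uplink(self, pkt: Packet) -> bytes:
        key, _ = self.sessions[pkt.src_ip]          # step 12: key by outer source IP
        return open_sealed(key, pkt.payload)        # inner packet, handed to the server

    def handle_downlink(self, proto: str, terminal_ip: str, response: bytes) -> Packet:
        key, port = self.sessions[terminal_ip]      # step 16: key and UDP port 4430
        # Without the TCP handshake this gateway has no synchronised sequence number.
        seq = self.tcp_conns.get(terminal_ip, 90000) if proto == "tcp" else 0
        return Packet(proto, GROUP_ADDR, terminal_ip, port, TERMINAL_PORT,
                      seal(key, response), seq)


class Terminal:
    def __init__(self, key: bytes) -> None:
        self.key = key
        self.tcp_expected_seq = None    # set once a TCP connection is established

    def accepts(self, reply: Packet) -> bool:
        if reply.proto == "tcp" and reply.seq != self.tcp_expected_seq:
            return False                # segment does not belong to the connection
        try:
            open_sealed(self.key, reply.payload)    # step 17: decrypt with the key
            return True
        except ValueError:
            return False


def run_scenario(proto: str) -> dict:
    """Uplink via R1 to gateway 1; the server reply is load-shared by R2 to gateway 2."""
    key = os.urandom(32)                # authentication encryption information
    gw1, gw2 = Gateway(), Gateway()
    for gw in (gw1, gw2):               # main gateway replicates key and port to standby
        gw.sessions[TERMINAL_IP] = (key, GATEWAY_UDP_PORT)
    terminal = Terminal(key)
    if proto == "tcp":                  # a TCP connection exists with gateway 1 only
        gw1.tcp_conns[TERMINAL_IP] = 1000
        terminal.tcp_expected_seq = 1000
    uplink = Packet(proto, TERMINAL_IP, GROUP_ADDR, TERMINAL_PORT, GATEWAY_UDP_PORT,
                    seal(key, b"GET /resource from " + VIRTUAL_ACCESS_IP.encode()))
    inner = gw1.handle_uplink(uplink)   # steps 11-13: R1 chose gateway 1
    response = b"200 OK from " + SERVER1_IP.encode()
    return {
        "inner_decrypted": inner,
        "accepted_from_gw1": terminal.accepts(gw1.handle_downlink(proto, TERMINAL_IP, response)),
        "accepted_from_gw2": terminal.accepts(gw2.handle_downlink(proto, TERMINAL_IP, response)),
    }
```

With a TCP outer header the reply relayed through gateway 2 is rejected even though it decrypts correctly; with UDP the terminal accepts the reply from either gateway because acceptance rests on the shared authentication encryption information rather than on per-gateway connection state.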
Based on the same inventive concept as the method, the embodiment of the application further provides a message transmission apparatus applied to an SSL VPN gateway in a gateway group, where the gateway group includes a main SSL VPN gateway and at least one standby SSL VPN gateway, and every SSL VPN gateway in the gateway group uses the same group address. The message transmission apparatus may be implemented in software, in hardware, or in a combination of the two. Taking software implementation as an example, the apparatus is a logical device formed when the processor of the SSL VPN gateway on which it resides reads the corresponding computer program instructions from non-volatile memory. In hardware terms, fig. 3 shows the hardware structure of an SSL VPN gateway on which the message transmission apparatus provided by the present application resides; besides the processor and non-volatile memory shown in fig. 3, the SSL VPN gateway may include other hardware responsible for processing messages, such as a forwarding chip, network interfaces, and memory. The SSL VPN gateway may also be a distributed device comprising a plurality of interface cards, so that message processing can be scaled out at the hardware level.
As shown in fig. 4, the structure of the message transmission apparatus proposed in the present application includes:
a sending module 11, configured to publish a route carrying the group address to a neighboring network device of the SSL VPN gateway, so that the neighboring network device sends packets whose destination IP address is the group address to the SSL VPN gateways in the gateway group;
a receiving module 12, configured to receive a packet sent by the neighboring network device;
the sending module 11 being further configured to send the packet to the main SSL VPN gateway when the packet is a session negotiation request packet and the SSL VPN gateway is a standby SSL VPN gateway;
a determining module 13, configured to determine, when the packet is a session negotiation request packet and the SSL VPN gateway is the main SSL VPN gateway, the server that the first terminal device corresponding to the source IP address of the session negotiation request packet may access and the authentication encryption information corresponding to the first terminal device;
the sending module 11 being further configured to send, when the SSL VPN gateway is the main SSL VPN gateway, a response packet carrying the IP address of the server and the authentication encryption information to the first terminal device, and to send the authentication encryption information to each standby SSL VPN gateway.
After the receiving module 12 receives the packet sent by the neighboring network device, the sending module 11 is further configured to, when the packet is a data packet, decrypt the inner-layer packet contained in the data packet using the authentication encryption information corresponding to a second terminal device, the second terminal device being the terminal device corresponding to the outer-layer source IP address of the data packet, and to send the decrypted inner-layer packet to the server corresponding to the destination IP address of the inner-layer packet.
If the packet is a session negotiation request packet and the SSL VPN gateway is the main SSL VPN gateway, the determining module 13 is further configured to parse identity information from the session negotiation request packet and authenticate the first terminal device using the identity information, and, if the authentication succeeds, to determine the server that the first terminal device may access and the authentication encryption information corresponding to the first terminal device.
If the packet is a session negotiation request packet and the SSL VPN gateway is the main SSL VPN gateway, the determining module 13 is further configured to allocate a User Datagram Protocol (UDP) port identifier to the first terminal device, and the sending module 11 is further configured to send the UDP port identifier to each standby SSL VPN gateway; the response packet also carries the UDP port identifier, which the first terminal device adds to the outer-layer header when sending a data packet.
The sending module 11 is further configured to, after a data response packet sent by the server is received, encrypt the data response packet using the authentication encryption information corresponding to a third terminal device to obtain an encrypted data packet, the third terminal device being the terminal device corresponding to the destination IP address of the data response packet; to encapsulate the encrypted data packet, with the outer-layer source IP address of the encapsulated encrypted data packet being the group address and the source port being the UDP port identifier corresponding to the third terminal device; and to send the encapsulated encrypted data packet to the third terminal device.
The modules of the device can be integrated into a whole or can be separately deployed. The modules can be combined into one module, and can also be further split into a plurality of sub-modules.
Through the above description of the embodiments, those skilled in the art will clearly understand that the present application can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better embodiment. Based on such understanding, the technical solutions of the present application may be essentially or partially implemented in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute the methods described in the embodiments of the present application. Those skilled in the art will appreciate that the drawings are merely schematic representations of one preferred embodiment and that the blocks or flow diagrams in the drawings are not necessarily required to practice the present application.
Those skilled in the art will appreciate that the modules of the apparatus in the embodiments may be distributed within the apparatus as described, or may be located in one or more apparatuses different from those of the embodiments. The modules of the above embodiments may be combined into one module or further split into multiple sub-modules. The serial numbers of the embodiments of the present application are for description only and do not indicate the relative merits of the embodiments.
The disclosure of the present application is only a few specific embodiments, but the present application is not limited to these, and any variations that can be made by those skilled in the art are intended to fall within the scope of the present application.

Claims (8)

1. A message transmission method, applied to Secure Sockets Layer virtual private network (SSL VPN) gateways in a gateway group, wherein the gateway group comprises a main SSL VPN gateway and at least one standby SSL VPN gateway and the SSL VPN gateways in the gateway group use the same group address, the method comprising:
publishing a route carrying the group address to a neighbor network device of the SSL VPN gateway, so that the neighbor network device sends a message whose destination IP address is the group address to the SSL VPN gateway in the gateway group, the SSL VPN gateway being a main SSL VPN gateway or a standby SSL VPN gateway;
receiving a message sent by the neighbor network device;
if the message is a session negotiation request message and the SSL VPN gateway is a standby SSL VPN gateway, sending the session negotiation request message to the main SSL VPN gateway;
if the message is a session negotiation request message and the SSL VPN gateway is a main SSL VPN gateway, determining a server accessible to a first terminal device corresponding to the source IP address of the session negotiation request message and authentication encryption information corresponding to the first terminal device, sending a response message carrying the IP address of the server and the authentication encryption information to the first terminal device, and sending the authentication encryption information to each standby SSL VPN gateway;
wherein, if the message is a session negotiation request message and the SSL VPN gateway is a main SSL VPN gateway, before sending the response message carrying the IP address of the server and the authentication encryption information to the first terminal device, the method further comprises:
allocating a User Datagram Protocol (UDP) port identifier to the first terminal device;
sending the UDP port identifier to each standby SSL VPN gateway;
and the response message further carries the UDP port identifier, which the first terminal device adds to the outer-layer message header when sending a data message.
2. The method of claim 1, wherein, after receiving the message sent by the neighbor network device, the method further comprises:
if the message is a data message, decrypting an inner-layer message contained in the data message using the authentication encryption information corresponding to a second terminal device, the second terminal device being the terminal device corresponding to the outer-layer source IP address of the data message;
and sending the decrypted inner-layer message to the server corresponding to the destination IP address of the inner-layer message.
3. The method according to claim 1, wherein, if the message is a session negotiation request message and the SSL VPN gateway is a main SSL VPN gateway, before determining the server accessible to the first terminal device corresponding to the source IP address of the session negotiation request message and the authentication encryption information corresponding to the first terminal device, the method further comprises:
parsing identity information from the session negotiation request message, and authenticating the first terminal device using the identity information;
and if the authentication succeeds, determining the server accessible to the first terminal device and the authentication encryption information corresponding to the first terminal device.
4. The method of claim 1, further comprising:
after receiving a data response message sent by a server, encrypting the data response message using the authentication encryption information corresponding to a third terminal device to obtain an encrypted data message, the third terminal device being the terminal device corresponding to the destination IP address of the data response message;
encapsulating the encrypted data message, wherein the outer-layer source IP address of the encapsulated encrypted data message is the group address and the source port is the UDP port identifier corresponding to the third terminal device;
and sending the encapsulated encrypted data message to the third terminal device.
5. A message transmission apparatus, applied to a Secure Sockets Layer virtual private network (SSL VPN) gateway in a gateway group, wherein the gateway group comprises a main SSL VPN gateway and at least one standby SSL VPN gateway and each SSL VPN gateway in the gateway group uses the same group address, the apparatus comprising:
a sending module, configured to publish a route carrying the group address to a neighbor network device of the SSL VPN gateway, so that the neighbor network device sends a message whose destination IP address is the group address to the SSL VPN gateway in the gateway group, the SSL VPN gateway being a main SSL VPN gateway or a standby SSL VPN gateway;
a receiving module, configured to receive a message sent by the neighbor network device;
the sending module being further configured to send the session negotiation request message to the main SSL VPN gateway when the message is a session negotiation request message and the local SSL VPN gateway is a standby SSL VPN gateway;
a determining module, configured to determine, when the message is a session negotiation request message and the local SSL VPN gateway is a main SSL VPN gateway, a server accessible to a first terminal device corresponding to the source IP address of the session negotiation request message and authentication encryption information corresponding to the first terminal device;
the sending module being further configured to send a response message carrying the IP address of the server and the authentication encryption information to the first terminal device and to send the authentication encryption information to each standby SSL VPN gateway when the SSL VPN gateway is a main SSL VPN gateway;
wherein, if the message is a session negotiation request message and the SSL VPN gateway is a main SSL VPN gateway, the determining module is further configured to allocate a User Datagram Protocol (UDP) port identifier to the first terminal device, the sending module is further configured to send the UDP port identifier to each standby SSL VPN gateway, and the response message further carries the UDP port identifier, which the first terminal device adds to the outer-layer message header when sending a data message.
6. The apparatus of claim 5, wherein, after the receiving module receives the message sent by the neighbor network device, the sending module is further configured to, when the message is a data message, decrypt an inner-layer message contained in the data message using the authentication encryption information corresponding to a second terminal device, the second terminal device being the terminal device corresponding to the outer-layer source IP address of the data message, and to send the decrypted inner-layer message to the server corresponding to the destination IP address of the inner-layer message.
7. The apparatus of claim 5, wherein, if the message is a session negotiation request message and the SSL VPN gateway is a main SSL VPN gateway, the determining module is further configured to parse identity information from the session negotiation request message and authenticate the first terminal device using the identity information, and, if the authentication succeeds, to determine the server accessible to the first terminal device and the authentication encryption information corresponding to the first terminal device.
8. The apparatus of claim 5, wherein the sending module is further configured to, after a data response message sent by the server is received, encrypt the data response message using the authentication encryption information corresponding to a third terminal device to obtain an encrypted data message, the third terminal device being the terminal device corresponding to the destination IP address of the data response message; to encapsulate the encrypted data message, wherein the outer-layer source IP address of the encapsulated encrypted data message is the group address and the source port is the UDP port identifier corresponding to the third terminal device; and to send the encapsulated encrypted data message to the third terminal device.
CN201610971698.0A 2016-10-31 2016-10-31 Message transmission method and device Active CN106506354B (en)

Publications (2)

Publication Number Publication Date
CN106506354A (en) 2017-03-15
CN106506354B (en) 2021-02-26
