CN111669356B - Method for processing network isolation space in batch in IPsec VPN server and IPsec VPN server - Google Patents


Info

Publication number
CN111669356B
Authority
CN
China
Prior art keywords
network isolation
isolation space
target
tunnel
ipsec vpn
Legal status
Active
Application number
CN201910176728.2A
Other languages
Chinese (zh)
Other versions
CN111669356A (en)
Inventor
王建明
Current Assignee
Xiamen Wangsu Co Ltd
Original Assignee
Xiamen Wangsu Co Ltd
Application filed by Xiamen Wangsu Co Ltd
Priority to CN201910176728.2A
Publication of CN111669356A
Application granted
Publication of CN111669356B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L 41/08 Configuration management of networks or network elements
    • H04L 41/0889 Techniques to speed-up the configuration process
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method for processing network isolation spaces in batch in an IPsec VPN server, and the IPsec VPN server itself. The IPsec VPN server is provided with a plurality of network isolation spaces, and the method comprises the following steps: allocating a unique identifier to each network isolation space and setting a configuration file for each network isolation space, where the configuration file of a network isolation space comprises configuration information of at least one tunnel, and the configuration information of the tunnel comprises the unique identifier of the network isolation space; receiving a control instruction sent by a controller of the IPsec VPN, where the control instruction carries a plurality of unique identifiers, each pointing to a network isolation space; and, according to the control instruction, performing batch processing on the network isolation spaces respectively pointed to by the unique identifiers and on the configuration files of those network isolation spaces. According to this technical scheme, the network isolation spaces in the IPsec VPN server can be processed in batches.

Description

Method for processing network isolation space in batch in IPsec VPN server and IPsec VPN server
Technical Field
The invention relates to the technical field of internet, in particular to a method for processing network isolation spaces in batches in an IPsec VPN server and the IPsec VPN server.
Background
Currently, in order to improve the security of network data transmission, VPN (Virtual Private Network) technology is increasingly used. Among VPN types, a VPN server based on IPsec (Internet Protocol Security) can provide confidentiality, integrity, source authentication and anti-replay protection for data, and the IPsec VPN server has therefore become the mainstream VPN server.
In order to improve the performance of the IPsec VPN server, the IPsec VPN server may be modified to use a user mode protocol stack, so that packets are forwarded quickly. In addition, a plurality of network isolation spaces can be opened in the same IPsec VPN server, and services can be provided to different users through these network isolation spaces. However, an IPsec VPN server that follows the native mechanism can usually only process a single network isolation space and cannot process a plurality of network isolation spaces in batch, so the native mechanism of the existing IPsec VPN server is not well suited to the modified IPsec VPN server.
Disclosure of Invention
The application aims to provide a method for processing network isolation spaces in batches in an IPsec VPN server and the VPN server, which can process the network isolation spaces in the IPsec VPN server in batches.
In order to achieve the above object, an aspect of the present application provides a method for batch processing network isolation spaces in an IPsec VPN server, where a plurality of network isolation spaces are disposed on the IPsec VPN server, and the method includes: allocating a unique identifier to each network isolation space and setting a configuration file for each network isolation space, where the configuration file of a network isolation space comprises configuration information of at least one tunnel, and the configuration information of the tunnel comprises the unique identifier of the network isolation space; receiving a control instruction sent by a controller of the IPsec VPN, where the control instruction carries a plurality of unique identifiers, each pointing to a network isolation space; and performing batch processing, according to the control instruction, on the network isolation spaces respectively pointed to by the unique identifiers and on the configuration files of the network isolation spaces pointed to by the unique identifiers carried in the control instruction.
In order to achieve the above object, another aspect of the present application further provides an IPsec VPN server, where a plurality of network isolation spaces are disposed on the IPsec VPN server, and the IPsec VPN server includes: a spatial information configuration unit, used for allocating a unique identifier to each network isolation space and setting a configuration file for each network isolation space, where the configuration file of a network isolation space comprises configuration information of at least one tunnel, and the configuration information of the tunnel comprises the unique identifier of the network isolation space; a control instruction receiving unit, used for receiving a control instruction sent by a controller of the IPsec VPN, where the control instruction carries a plurality of unique identifiers, each pointing to a network isolation space; and a batch processing unit, used for performing batch processing on the network isolation spaces respectively pointed to by the unique identifiers according to the configuration files of the network isolation spaces pointed to by the unique identifiers carried in the control instruction.
In order to achieve the above object, another aspect of the present application further provides an IPsec VPN server, where the IPsec VPN server includes a memory and a processor, the memory is used for storing a computer program, and the computer program, when executed by the processor, implements the method for batch processing of network isolation spaces in the IPsec VPN server.
As can be seen from the above, according to the technical scheme provided by the present application, a unique identifier may be allocated to each network isolation space in the IPsec VPN server, and an individual configuration file may be set for each network isolation space. When network isolation spaces are to be processed, the controller may send a control instruction, where the control instruction may carry a number of unique identifiers, each pointing to a network isolation space. After receiving a control instruction carrying unique identifiers, the IPsec VPN server may perform batch processing, according to the control instruction, on the network isolation spaces to which the unique identifiers respectively point and on the configuration files of those network isolation spaces. Therefore, according to the technical scheme provided by the application, by allocating unique identifiers to the network isolation spaces, the unique identifiers can be added to the control instruction, and batch processing can then be performed on the network isolation spaces and their configuration files.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings required to be used in the description of the embodiments are briefly introduced below, and it is obvious that the drawings in the description below are only some embodiments of the present invention, and it is obvious for those skilled in the art that other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic structural diagram of a system in which an IPsec VPN server is located in an embodiment of the present invention;
Fig. 2 is a flow diagram of a method for batch processing of network isolation spaces in an IPsec VPN server in an embodiment of the invention;
Fig. 3 is a schematic diagram of various processing methods for a network isolation space and its configuration file according to an embodiment of the present invention;
Fig. 4 is a functional block diagram of an IPsec VPN server in an embodiment of the invention;
Fig. 5 is a schematic block diagram of an IPsec VPN server in an embodiment of the invention;
Fig. 6 is a schematic structural diagram of a computer terminal in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
The application provides a method for processing network isolation spaces in batches in an IPsec VPN server, and the method can be applied to the IPsec VPN server. Referring to fig. 1, a client may access various network resources through an IPsec VPN server. The IPsec VPN server may be connected to a controller of the IPsec VPN, and the controller may send various control instructions to the IPsec VPN server. In the IPsec VPN server, a plurality of network isolation spaces may be preset, and the network isolation spaces may be divided based on a user mode protocol stack technology.
It should be noted that, in the prior art, when the network isolation spaces are divided based on the kernel-mode technology, an IPsec VPN application program running in each network isolation space needs to correspond to one process, and therefore, as the number of the network isolation spaces increases, the number of processes required in the IPsec VPN server also increases, which increases the load of the IPsec VPN server. However, when the network isolation space is divided based on the user mode protocol stack technology in the application, a plurality of network isolation spaces can be divided in the same process, and a corresponding IPsec VPN application program can be run in each network isolation space. Therefore, a plurality of network isolation spaces can be uniformly managed through a single process, and the process overhead of the IPsec VPN server can be saved.
In addition, when the physical network card receives a data packet sent from an external device, the data packet generally needs to be copied into the kernel, and then copied from the kernel into the VPN application program. That is, an IPsec VPN server implemented based on kernel-mode technology usually needs to copy a packet many times. By contrast, with the user mode protocol stack of the present application, when the physical network card receives a data packet sent by an external device, the IPsec VPN application program can acquire the data packet directly from the physical network card, so that repeated copying of the data packet is avoided and the overhead of the IPsec VPN server is further reduced.
Referring to fig. 2, the method for batch processing of network isolation spaces in an IPsec VPN server provided by the present application may include the following steps.
S1: allocating a unique identifier for each network isolation space, and setting a configuration file of each network isolation space; the configuration file of the network isolation space comprises configuration information of at least one tunnel, and the configuration information of the tunnel comprises a unique identifier of the network isolation space.
In this embodiment, in order to provide services to different users simultaneously in the same IPsec VPN server, a user mode protocol stack technique may be adopted, a plurality of mutually independent network isolation spaces are divided in the IPsec VPN server, and each network isolation space may establish a connection with a corresponding user. In practical applications, different terminal devices may be provided for the same user, and the terminal devices of the same user may be connected to the same network isolation space. Referring to fig. 1, in order to avoid mutual interference between different terminal devices, each terminal device may establish a communication connection with the IPsec VPN server through an independent tunnel.
In this embodiment, a unique identifier may be assigned to each of the plurality of network isolation spaces in the IPsec VPN server, and the unique identifier may be the name of the network isolation space. In addition, a respective configuration file can be set for each network isolation space, and the configuration file can include information such as the network address, port information, maximum connection number and connection timeout of the user corresponding to the network isolation space, the HTTP server to which the IPsec VPN connects, and the like. In practical applications, the unique identifier may be a unique character string calculated by a hash algorithm, a randomly generated string of digits, a non-repeating pointer, or the non-repeating file name of the configuration file.
In this embodiment, when setting the configuration file of a network isolation space, the items of information listed above must be determined in the configuration file, and these items can serve as the resources required by the network isolation space during normal operation. In the existing IPsec VPN system, the types of resources used by each network isolation space may be collected in a preset configuration file, and the resource types may include, for example, at least one of a listening IP address, a listening port identifier, a process identifier file, a page storage location, a web page name, a maximum connection number, a heartbeat packet transmission interval, and a certificate storage location. Of course, in practical applications, the resource types may include more or fewer kinds according to requirements. In the prior art, only a few limited resource types in the preset configuration file, such as the listening IP address and the maximum connection number, can be split per network isolation space. In this embodiment, however, in order to set a corresponding configuration file for each created network isolation space, most resource types in the preset configuration file may be split. Specifically, when a configuration file is set for the newly created current network isolation space, the resource types required by the current network isolation space may be determined in advance, and those resource types may then be split out of the resource types recorded in the preset configuration file. It should be noted that, because the preset configuration file records only resource types and not the real resources, a resource type split from the preset configuration file is not erased from it but remains in the preset configuration file. Thus, when a plurality of different network isolation spaces split their required resource types from the preset configuration file, the same resource type may be obtained repeatedly. After the resource types required by the current network isolation space have been split from the preset configuration file, they can be set in the configuration file of the current network isolation space, which completes the setting of the configuration file.
As can be seen from the above, since a network isolation space can be represented by its unique identifier, splitting resource types for each network isolation space can be regarded as splitting the preset configuration file in units of unique identifiers inside the IPsec VPN, so that in the end each unique identifier has an independent set of resource types. Meanwhile, since the same resource type can be split by a plurality of different network isolation spaces, the resulting configuration files may contain repeated contents.
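As an added illustration of the splitting described above (this code is not part of the patent and does not come from the assignee), the following Python model keeps a preset configuration of resource types, copies the required types into each isolation space's own configuration without erasing them from the preset, and marks every tunnel's configuration with the unique identifier of its isolation space, as step S1 requires. The resource type names, the sample values and the field names of the configuration records are constructed for this example.

```python
# Added example (not from the patent): per-space configuration files split
# from a preset configuration of resource types, as described for step S1.
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed preset configuration file. It records resource *types* (with
# sample default values), not live resources, so splitting never removes
# anything from it and several spaces may take the same type.
PRESET_CONFIG = {
    "listen_ip": "0.0.0.0",            # listening IP address
    "listen_port": 500,                # listening port identifier
    "pid_file": "/var/run/vpn.pid",    # process identifier file
    "page_dir": "/var/www/vpn",        # page storage location
    "web_page": "index.html",          # web page name
    "max_connections": 1000,           # maximum connection number
    "heartbeat_interval": 30,          # heartbeat packet interval (seconds)
    "cert_dir": "/etc/vpn/certs",      # certificate storage location
}


@dataclass
class TunnelConfig:
    tunnel_id: str
    netns_id: str        # unique identifier of the owning isolation space
    peer_address: str
    peer_port: int
    timeout: int


@dataclass
class NetnsConfig:
    netns_id: str                       # unique identifier of the space
    resources: Dict[str, object]        # resource types split from the preset
    tunnels: List[TunnelConfig] = field(default_factory=list)


def split_resources(preset: Dict[str, object], required: List[str]) -> Dict[str, object]:
    """Copy the required resource types out of the preset configuration.

    The preset is read only; a type that is not recorded there is an error,
    so a space cannot claim a resource the server never defined.
    """
    missing = [r for r in required if r not in preset]
    if missing:
        raise KeyError(f"resource types not in preset configuration: {missing}")
    return {r: preset[r] for r in required}


def build_netns_config(netns_id: str, required: List[str],
                       preset: Dict[str, object] = PRESET_CONFIG) -> NetnsConfig:
    """Set the configuration file of one isolation space from the preset."""
    return NetnsConfig(netns_id, split_resources(preset, required))


def add_tunnel(cfg: NetnsConfig, tunnel_id: str, peer_address: str,
               peer_port: int, timeout: int) -> TunnelConfig:
    """Add a tunnel to a space; its configuration carries the space's identifier."""
    tunnel = TunnelConfig(tunnel_id, cfg.netns_id, peer_address, peer_port, timeout)
    cfg.tunnels.append(tunnel)
    return tunnel


def netns_of_tunnel(tunnel: TunnelConfig) -> str:
    """Recover the owning space from the tunnel configuration alone (fig. 1, ns1)."""
    return tunnel.netns_id


def shared_resource_types(a: NetnsConfig, b: NetnsConfig) -> List[str]:
    """Resource types that two spaces both split from the preset."""
    return sorted(set(a.resources) & set(b.resources))
```

Because `split_resources` copies rather than moves, two spaces that both require `listen_ip` end up with the same value in their own files, which is exactly the repeated content the paragraph above describes; the preset itself is never shortened.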
In the prior art, in a virtualized IPsec VPN, network isolation spaces and IPsec VPN processes are in one-to-one correspondence, and each IPsec VPN process is responsible only for its own network isolation space. This wastes a great deal of process resources when the configuration files of the network isolation spaces are started or other operations are performed. In view of this, in one embodiment of the present application, after the configuration files of the respective network isolation spaces have been set, a single IPsec VPN process may be created, and the configuration files of the plurality of network isolation spaces may be managed by that single IPsec VPN process. That is, in this embodiment, an independent IPsec VPN process is not established for each network isolation space; instead, the plurality of created network isolation spaces and their configuration files are managed by a single IPsec VPN process. In this way, the configuration files of the plurality of network isolation spaces can subsequently be started in batch by the single IPsec VPN process, avoiding the process resource waste caused by starting a plurality of configuration files separately.
In this embodiment, since a plurality of tunnels may exist in the same network isolation space at the same time, different configuration information may be set for different tunnels. Specifically, in the configuration information of the tunnel, various pieces of information related to the terminal device may be stored. For example, the configuration information of the tunnel may include information such as a network address, port information, a maximum connection number, and connection timeout time of the terminal device. In addition, in order to distinguish the tunnels of different network isolation spaces, a unique identifier of the network isolation space in which the tunnel is located may be marked in the configuration information of the tunnel. Specifically, as shown in fig. 1, the unique identifier of the first network isolation space may be ns1, and then ns1 may be marked in the configuration information of each tunnel in the configuration file of the network isolation space. Therefore, according to the configuration information of the tunnel, the network isolation space to which the tunnel belongs currently can be known.
Specifically, after performing communication negotiation with the network isolation space in the IPsec VPN server, the terminal device may mark the unique identifier of the network isolation space in Security Association (SA) information obtained through the negotiation. Subsequently, when a tunnel is established through the SA, the unique identifier of the network isolation space may also be noted in the configuration information of the tunnel. The communication negotiation process may be used to determine information such as a communication protocol, an encapsulation mode of the protocol, an encryption algorithm, a shared key for protecting data in a specific stream, and a lifetime of the key, which are used between the VPN server and the terminal device.
S3: receiving a control instruction sent by a controller of the IPsec VPN, wherein the control instruction carries a plurality of unique identifiers pointing to a network isolation space.
In this embodiment, when a new network isolation space needs to be created in the IPsec VPN server, or an operation such as deletion or reloading is to be performed on a created network isolation space, a corresponding control instruction may be generated by the controller. In practical applications, the control instruction usually has a certain format, and the format may be agreed in advance between the controller and the IPsec VPN server. Specifically, the format may define that the control instruction contains at least three types of information: preset standard characters, a command word characterizing the operation type, and the unique identifiers of the network isolation spaces. The preset standard characters are used to characterize the data currently sent by the controller as a control instruction, and may be, for example, IPsec VPN_cmd. The command word characterizing the operation type takes different forms according to the operation type. For example, for creating a new network isolation space the command word may be add_netns; for deleting a created network isolation space it may be del_netns; and for reloading a created network isolation space it may be reload_netns. The unique identifiers are the objects to which the control instruction is directed. If the control instruction is to process only one network isolation space, it may carry only one unique identifier. If the control instruction needs to batch process a plurality of network isolation spaces, it must carry the unique identifier of each network isolation space to be processed. For example, if the two network isolation spaces with unique identifiers ns1 and ns2 currently need to be reloaded in batch, the generated control instruction may be:
IPsec VPN_cmd reload_netns<ns1><ns2>
Of course, the preset standard characters, command words and other components of the preset format mentioned above are only examples given for convenience of explaining the technical solution of the present application, and do not mean that the technical solution is limited to them. In addition, the components of the preset format may also be agreed in advance between the controller and the IPsec VPN server according to actual circumstances, which is not limited in this application.
S5: performing batch processing, according to the control instruction, on the network isolation spaces respectively pointed to by the unique identifiers and on the configuration files of the network isolation spaces pointed to by the unique identifiers carried in the control instruction.
In this embodiment, after receiving the control instruction, the IPsec VPN server may parse the command word and the unique identifiers in it to determine which operation should be performed on which network isolation space or spaces. If the control instruction carries only one unique identifier, the network isolation space pointed to by that unique identifier and its configuration file can be processed individually according to the control instruction, so that other network isolation spaces and configuration files are not affected. If the control instruction carries a plurality of unique identifiers, the network isolation spaces respectively pointed to by the unique identifiers and their configuration files can be processed in batch according to the control instruction, so that a plurality of network isolation spaces can be processed with one control instruction.
In practical applications, whether in batch or individually, the network isolation space and its configuration file may be processed in several ways. Specifically, referring to fig. 3, one processing manner is to create a new network isolation space, allocate a unique identifier to it, and set its configuration file. Another is to delete a created network isolation space together with its configuration file. A third is to modify the configuration file of a created network isolation space and reload the corresponding network isolation space according to the modified configuration file. These three processing modes correspond respectively to add_netns, del_netns and reload_netns in the exemplary control instruction.
In this embodiment, if the control instruction is an add instruction characterizing the creation of a new network isolation space, a new network isolation space may be created in the IPsec VPN server, the unique identifier carried in the control instruction may be allocated to it, and its configuration file may be set. Specifically, after receiving the control instruction, the IPsec VPN server may count the unique identifiers carried in the control instruction and create the same number of new network isolation spaces. For example, if the control instruction carries 2 unique identifiers, the IPsec VPN server may create 2 new network isolation spaces. Then the unique identifiers carried in the control instruction can be allocated in turn to the newly created network isolation spaces. For example, if the two unique identifiers carried in the control instruction are ns1 and ns2, the unique identifiers of the two new network isolation spaces may be ns1 and ns2.
In an embodiment, if the control instruction is a delete instruction indicating that network isolation spaces are to be deleted, the IPsec VPN server may, according to the control instruction, delete one or more created network isolation spaces and delete their configuration files. Specifically, the IPsec VPN server may identify each unique identifier carried in the control instruction, determine the target network isolation space to which each unique identifier points, and then delete the target network isolation space and its configuration file.
In one embodiment, after a configuration file for a certain network isolation space is modified, the configuration file before modification and the modified configuration file can be stored simultaneously. Thus, if a configuration file of a certain network isolation space has been modified, the network isolation space may correspond to two versions of the configuration file. The configuration file before modification can be used as the original configuration file, and the modified configuration file can be used as the current configuration file. If the control instruction received by the IPsec VPN server is a reload instruction representing reloading the network isolation space, the current configuration file of the target network isolation space pointed by the reload instruction can be obtained, and the current configuration file is compared with the original configuration file. If the content in the current configuration file and the content in the original configuration file are not changed, the network isolation space does not need to be reloaded at this time, and therefore the current reloading operation can be abandoned. And if the content in the current configuration file and the original configuration file is changed, the reloading operation can be executed on the target network isolation space according to the current configuration file.
In this embodiment, since the configuration files of the plurality of network isolated spaces are managed by the single IPsec VPN process, the configuration files of the plurality of network isolated spaces can be started in batch by using the single IPsec VPN process, and the plurality of network isolated spaces can be processed in batch according to the control instruction, thereby improving the efficiency of batch processing.
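The add, delete and reload operations of step S5, modelled in Python as an added example (not the patent's code and not the assignee's): one process object holds every isolation space together with an original and a current version of its configuration file, creates exactly as many spaces as identifiers carried in the instruction, and skips a reload whose current and original configuration are identical. The class and method names, the dictionary layout and the rule that an applied configuration becomes the new original are assumptions of this example. Every identifier in a batch is checked before any of them is acted on, so a malformed batch leaves the server unchanged rather than half-processed.

```python
# Added example (not from the patent): batch add/delete/reload of isolation
# spaces and their configuration files inside a single IPsec VPN process.
from copy import deepcopy
from typing import Dict, List, Tuple


class BatchError(ValueError):
    """Raised before any change is made when a batch cannot be applied."""


class IPsecVpnProcess:
    """One process managing all isolation spaces (constructed model)."""

    def __init__(self) -> None:
        # netns_id -> {"original": cfg in use, "current": cfg to be applied}
        self.spaces: Dict[str, Dict[str, dict]] = {}

    def _require_known(self, ids: List[str]) -> None:
        missing = [i for i in ids if i not in self.spaces]
        if missing:
            raise BatchError(f"unknown unique identifiers: {missing}")

    def add_netns(self, ids: List[str], template: dict = None) -> List[str]:
        """Create one new space per unique identifier, in the order given."""
        if len(set(ids)) != len(ids):
            raise BatchError("duplicate unique identifier in batch")
        clash = [i for i in ids if i in self.spaces]
        if clash:
            raise BatchError(f"unique identifiers already in use: {clash}")
        template = dict(template or {})
        for netns_id in ids:
            cfg = dict(template, netns=netns_id)    # file carries its own id
            self.spaces[netns_id] = {"original": deepcopy(cfg), "current": cfg}
        return list(ids)

    def del_netns(self, ids: List[str]) -> List[str]:
        """Delete the pointed spaces together with their configuration files."""
        self._require_known(ids)
        for netns_id in ids:
            del self.spaces[netns_id]
        return list(ids)

    def modify_config(self, netns_id: str, **changes) -> None:
        """Edit the current (to-be-applied) configuration of one space."""
        self.spaces[netns_id]["current"].update(changes)

    def reload_netns(self, ids: List[str]) -> Tuple[List[str], List[str]]:
        """Reload only the spaces whose current and original files differ.

        Returns (reloaded, skipped). Assumption: after a reload the applied
        configuration becomes the new original.
        """
        self._require_known(ids)
        reloaded, skipped = [], []
        for netns_id in ids:
            space = self.spaces[netns_id]
            if space["current"] == space["original"]:
                skipped.append(netns_id)      # nothing changed: abandon reload
                continue
            space["original"] = deepcopy(space["current"])
            reloaded.append(netns_id)
        return reloaded, skipped

    def batch(self, command: str, ids: List[str]):
        """Dispatch a parsed control instruction to the matching operation."""
        handlers = {
            "add_netns": self.add_netns,
            "del_netns": self.del_netns,
            "reload_netns": self.reload_netns,
        }
        if command not in handlers:
            raise BatchError(f"unsupported command word: {command}")
        if not ids:
            raise BatchError("control instruction carries no unique identifier")
        return handlers[command](ids)
```

The reload path returns both lists so the server can report which spaces it actually reconfigured; a controller that sees every identifier in `skipped` knows its edit never reached the current configuration file.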
Referring to fig. 1, in one embodiment, an IPsec VPN server may be provided with a plurality of configuration files for network isolation spaces, such as configuration file A and configuration file B in fig. 1. The time at which these configuration files are loaded can also be decided according to practical needs. Specifically, the configuration file of each network isolation space may be loaded when the IPsec VPN server is initialized, or, after the IPsec VPN server is running, the configuration file of the network isolation space pointed to by a load instruction may be loaded when that load instruction is received from the controller.
In one embodiment, the controller may also batch process tunnels within the network isolation space. Specifically, the control command sent by the controller may have some other optional fields besides the unique identifier pointing to the network isolation space. In one application example, the field of the tunnel identification may be carried in the following manner:
IPsec VPN_cmd reload_netns<ns1>[conn1]
In the above control instruction, conn1 represents a tunnel identifier. The tunnel identifier is placed after the unique identifier so as to form an association with it, indicating that the tunnel pointed to by the tunnel identifier is located in the network isolation space pointed to by the unique identifier.
In this way, if at least one of the plurality of unique identifiers carried in the control instruction is a target unique identifier associated with a tunnel identifier, batch processing may be performed, in the target network isolation space pointed to by the target unique identifier, on the target tunnel pointed to by the associated tunnel identifier, and on the configuration information of that target tunnel in the configuration file of the target network isolation space.
Specifically, if the control instruction is an instruction for characterizing that a target tunnel is newly created in the target network isolation space, the target tunnel may be added in the target network isolation space, and configuration information of the target tunnel is added in a configuration file of the target network isolation space, where the configuration information of the target tunnel may include a series of information such as a tunnel identifier of the target tunnel and a unique identifier of the target network isolation space.
In another embodiment, if the control instruction is an instruction for deleting a target tunnel in the target network isolation space, the target tunnel may be deleted in the target network isolation space, and the configuration information of the target tunnel may be deleted in a configuration file of the target network isolation space.
In another embodiment, if the control instruction is an instruction for representing reloading of the target tunnel in the target network isolation space, the current configuration information of the target tunnel in the configuration file of the target network isolation space may be read, and the current configuration information of the target tunnel may be compared with the original configuration information. The current configuration information may be configuration information to be applied by the target tunnel, and the original configuration information may be configuration information currently used by the target tunnel. If the content in the current configuration information and the original configuration information of the target tunnel changes, it indicates that the configuration information to be applied is different from the configuration information currently used, so that a reload operation can be performed on the target tunnel in the target network isolation space according to the current configuration information of the target tunnel, so that the target tunnel is configured according to the modified configuration information.
In an embodiment, if the configuration information of all tunnels in a certain network isolation space is to be processed uniformly, the path identifier of the location of the configuration file of that network isolation space may be marked in the control instruction. Specifically, the control instruction may carry the assigned path identifier of a network isolation space in the following manner:
IPsec VPN_cmd reload_netns <ns1> [file path]
Here, file path may be the path identifier of the location of the configuration file of the network isolation space whose unique identifier is ns1.
It should be noted that, apart from the unique identifier of the network isolation space, the above-mentioned path identifier and tunnel identifier may both be omitted. Therefore, the control instruction sent by the controller can process a whole network isolation space, can uniformly process the configuration information of all tunnels in the network isolation space, or can process the configuration information of a single tunnel in the network isolation space.
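The control instruction grammar and the batch dispatch described above, as an added example in Python that is not part of the patent or of any IPsec VPN product. The command words add, del and reload, the identifier character set, the configuration root /etc/ipsec.d/ and the in-memory model of the two configuration-file versions are assumptions, generalised from the two instruction forms shown on the page; the reload path performs the comparison of the current configuration file with the original and skips the reload when nothing has changed.

```python
"""Parser and batch dispatcher for the control instruction described above.
Added example, not code from the patent or from any IPsec VPN product.
Assumed grammar, generalised from the two instruction forms shown on the page:
    IPsec VPN_cmd <word>_netns <ns1> [arg1] <ns2> [arg2] ...
The command words add/del/reload, CONF_ROOT and the id charset are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN = re.compile(r"<([^<>\s]+)>\s*(?:\[([^\[\]]+)\])?")
IDENT = re.compile(r"^[A-Za-z0-9_.-]+$")  # plain tokens only: no '/' can hide in an id
CONF_ROOT = "/etc/ipsec.d/"               # assumed home of per-namespace config files

@dataclass
class Target:
    ns_id: str
    tunnel_id: Optional[str] = None
    file_path: Optional[str] = None

@dataclass
class ControlInstruction:
    command: str  # "add", "del" or "reload"
    targets: List[Target]

def parse_instruction(line: str) -> ControlInstruction:
    """Turn 'IPsec VPN_cmd reload_netns <ns1> [conn1] <ns2>' into a structure."""
    prefix = "IPsec VPN_cmd "
    head, sep, rest = line.strip().partition("_netns")
    if not sep or not head.startswith(prefix):
        raise ValueError("not a control instruction: %r" % line)
    command = head[len(prefix):].strip()
    if command not in ("add", "del", "reload"):
        raise ValueError("unknown command word: %r" % command)
    if not rest.strip() or TOKEN.sub("", rest).strip():  # only <ns> [arg] pairs allowed
        raise ValueError("empty or malformed identifier list: %r" % rest)
    targets = []
    for ns_id, arg in TOKEN.findall(rest):
        if not IDENT.match(ns_id):
            raise ValueError("bad namespace identifier: %r" % ns_id)
        arg = arg.strip()
        if "/" in arg:  # path identifier: whole configuration file, confined to CONF_ROOT
            if not arg.startswith(CONF_ROOT) or ".." in arg.split("/"):
                raise ValueError("path outside configuration root: %r" % arg)
            targets.append(Target(ns_id, file_path=arg))
        elif arg:       # tunnel identifier: one tunnel in the namespace
            if not IDENT.match(arg):
                raise ValueError("bad tunnel identifier: %r" % arg)
            targets.append(Target(ns_id, tunnel_id=arg))
        else:           # bare unique identifier: the whole namespace
            targets.append(Target(ns_id))
    return ControlInstruction(command, targets)

@dataclass
class Space:
    original: Dict[str, str] = field(default_factory=dict)  # per-tunnel config in use
    current: Dict[str, str] = field(default_factory=dict)   # per-tunnel config to apply

class IPsecVPNServer:
    def __init__(self) -> None:
        self.spaces: Dict[str, Space] = {}  # one entry per network isolation space

    def batch(self, instr: ControlInstruction) -> List[str]:
        """Apply the instruction to every target in turn; one result string per target."""
        handler = {"add": self._add, "del": self._delete, "reload": self._reload}
        return [handler[instr.command](t) for t in instr.targets]

    def _add(self, t: Target) -> str:
        sp = self.spaces.setdefault(t.ns_id, Space())
        if t.tunnel_id is None:
            return "%s: created" % t.ns_id
        # a tunnel's configuration information carries its namespace's unique identifier
        sp.current[t.tunnel_id] = sp.original[t.tunnel_id] = "conn %s netns=%s" % (t.tunnel_id, t.ns_id)
        return "%s/%s: tunnel added" % (t.ns_id, t.tunnel_id)

    def _delete(self, t: Target) -> str:
        sp = self.spaces.get(t.ns_id)
        if sp is None:
            return "%s: unknown" % t.ns_id
        if t.tunnel_id is None:
            del self.spaces[t.ns_id]  # the namespace and its configuration file go together
            return "%s: deleted" % t.ns_id
        sp.current.pop(t.tunnel_id, None)
        sp.original.pop(t.tunnel_id, None)
        return "%s/%s: tunnel deleted" % (t.ns_id, t.tunnel_id)

    def _reload(self, t: Target) -> str:
        sp = self.spaces.get(t.ns_id)
        if sp is None:
            return "%s: unknown" % t.ns_id
        # a tunnel id narrows the comparison to that tunnel; a path or nothing compares the file
        label = "%s/%s" % (t.ns_id, t.tunnel_id) if t.tunnel_id else t.ns_id
        keys = [t.tunnel_id] if t.tunnel_id else sorted(set(sp.current) | set(sp.original))
        changed = [k for k in keys if sp.current.get(k) != sp.original.get(k)]
        if not changed:
            return "%s: unchanged, reload skipped" % label
        for k in changed:  # apply the change; the applied version becomes the new original
            if k in sp.current:
                sp.original[k] = sp.current[k]
            else:
                sp.original.pop(k, None)
        return "%s: reloaded %s" % (label, ",".join(changed))
```

The parser rejects anything outside the `<ns> [arg]` pairs, restricts identifiers to plain tokens and confines a path identifier to the configuration root, so a control instruction can only ever name namespaces and configuration files the server already manages; the controller channel is a management interface, and validating its input at the boundary is cheaper than discovering what an unexpected identifier does inside the reload logic.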
In an embodiment, respective access resources may be allocated to each network isolation space in the IPsec VPN server, and access rights may be set for those access resources. The access resources may be, for example, image resources, video resources, audio resources, text resources, and the like. For example, suppose three users are currently connected to the IPsec VPN server, where user A is only allowed to access image resources, user B can access image resources and video resources, and user C can access all resources. Then, for the three network isolation spaces corresponding to the three users, the resources each user is allowed to access can be allocated accordingly. In addition, when a user accesses a resource, the IPsec VPN server can restrict the manner of access through the access rights. The access rights may include, for example, an upper limit on access speed, an upper limit on the access time period, an upper limit on the number of accesses, and the like. For example, user B can access video resources at a speed of at most 1M/s, and user A can access image resources only from 18:00 to 24:00 each day. Restrictions on the manner of access of this kind can be expressed as access rights. In this way, independent access resources and access rights can be set for different network isolation spaces, realizing personalized settings.
In this way, for a client connected to the IPsec VPN server, the target network isolation space in which the tunnel between the client and the IPsec VPN server is located may be determined, so that the client accesses the access resources allocated in the target network isolation space according to the access rights set in that target network isolation space.
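A policy check implementing the per-namespace access resources and access rights of the two paragraphs above, as an added example that is not part of the patent. Users A, B and C with their resource types and limits are the page's own example; the tunnel identifiers connA, connB and connC, the data structures, the fixed sample timestamps and the reading of 1M/s as 1,000,000 bytes per second are assumptions.

```python
"""Per-namespace access resources and access rights, as an added example of
the allocation described above; it is not the patent's code.  Users A, B and
C, the resource types and the limits (1M/s on video, 18:00 to 24:00 on images)
come from the page; the data structures, the tunnel-to-namespace lookup and the
reading of 1M/s as 1,000,000 bytes per second are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, Iterable, Optional, Set, Tuple

@dataclass
class AccessRight:
    max_rate: Optional[int] = None           # upper limit of access speed, bytes/s
    hours: Optional[Tuple[int, int]] = None  # allowed window [start, end) in local hours
    max_count: Optional[int] = None          # upper limit of access times

@dataclass
class SpacePolicy:
    resources: Set[str]                                           # resource types allocated
    rights: Dict[str, AccessRight] = field(default_factory=dict)  # per-resource limits
    used: Dict[str, int] = field(default_factory=dict)            # accesses made so far

Decision = Tuple[bool, Optional[int], str]  # (allowed, rate cap in bytes/s or None, reason)

class AccessPolicy:
    def __init__(self) -> None:
        self.spaces: Dict[str, SpacePolicy] = {}
        self.tunnel_ns: Dict[str, str] = {}  # from each tunnel's configuration information

    def allocate(self, ns_id: str, resources: Iterable[str],
                 rights: Optional[Dict[str, AccessRight]] = None) -> None:
        """Give one network isolation space its own resources and access rights."""
        self.spaces[ns_id] = SpacePolicy(set(resources), dict(rights or {}))

    def bind_tunnel(self, tunnel_id: str, ns_id: str) -> None:
        self.tunnel_ns[tunnel_id] = ns_id

    def check(self, tunnel_id: str, resource: str, now: datetime) -> Decision:
        """Decide a client's request by the namespace its tunnel lives in."""
        ns_id = self.tunnel_ns.get(tunnel_id)
        if ns_id is None or ns_id not in self.spaces:
            return (False, None, "tunnel %s is in no network isolation space" % tunnel_id)
        sp = self.spaces[ns_id]
        if resource not in sp.resources:
            return (False, None, "%s not allocated to %s" % (resource, ns_id))
        right = sp.rights.get(resource, AccessRight())  # no right set means no limit
        if right.hours and not (right.hours[0] <= now.hour < right.hours[1]):
            return (False, None, "outside %02d:00-%02d:00" % right.hours)
        if right.max_count is not None and sp.used.get(resource, 0) >= right.max_count:
            return (False, None, "access count limit of %d reached" % right.max_count)
        sp.used[resource] = sp.used.get(resource, 0) + 1
        return (True, right.max_rate, "ok")

def at_hour(hour: int) -> datetime:
    """Constructed sample timestamp on the page's priority date, at the given hour."""
    return datetime(2019, 3, 8, hour, 0)

def build_example() -> AccessPolicy:
    """The page's three users, one network isolation space each (tunnel ids assumed)."""
    pol = AccessPolicy()
    pol.allocate("ns_a", {"image"}, {"image": AccessRight(hours=(18, 24))})
    pol.allocate("ns_b", {"image", "video"}, {"video": AccessRight(max_rate=1_000_000)})
    pol.allocate("ns_c", {"image", "video", "audio", "text"})
    for tunnel_id, ns_id in (("connA", "ns_a"), ("connB", "ns_b"), ("connC", "ns_c")):
        pol.bind_tunnel(tunnel_id, ns_id)
    return pol
```

The decision is keyed on the tunnel rather than on anything the client asserts about itself: the tunnel's configuration information names the namespace it belongs to, so the resource set and the limits are fixed on the server side and a client in one namespace has no path to another namespace's allocation.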
Referring to fig. 4, the present application further provides an IPsec VPN server, where a plurality of network isolation spaces are disposed on the IPsec VPN server, and the IPsec VPN server includes:
the spatial information configuration unit is used for allocating a unique identifier for each network isolation space and setting a configuration file of each network isolation space; the configuration file of the network isolation space comprises configuration information of at least one tunnel, wherein the configuration information of the tunnel comprises a unique identifier of the network isolation space;
the control instruction receiving unit is used for receiving a control instruction sent by the controller of the IPsec VPN, wherein the control instruction carries a plurality of unique identifiers pointing to network isolation spaces;
and the batch processing unit is used for carrying out batch processing on the network isolation spaces respectively pointed by the unique identifiers according to the configuration files of the network isolation spaces pointed by the unique identifiers carried by the control instruction.
In one embodiment, the batch processing unit includes:
and the new establishing module is used for establishing a new network isolation space in the IPsec VPN server if the control instruction is a new establishing or adding instruction for representing a new network isolation space, distributing a unique identifier carried in the control instruction to the new network isolation space and setting a configuration file of the new network isolation space.
In one embodiment, the batch processing unit includes:
and the deleting module is used for deleting the created one or more network isolation spaces and deleting the configuration files of the one or more network isolation spaces in the IPsec VPN server according to the control instruction if the control instruction is a deleting instruction for representing the deletion of the network isolation spaces.
In one embodiment, the batch processing unit includes:
the comparison module is used for acquiring a current configuration file of a target network isolation space pointed by the reloading instruction if the control instruction is the reloading instruction for representing reloading of the network isolation space, and comparing the current configuration file with an original configuration file of the target network isolation space;
and the reloading module is used for executing reloading operation on the target network isolation space according to the current configuration file if the contents in the current configuration file and the original configuration file are changed.
In one embodiment, among the plurality of unique identifiers there is at least one target unique identifier associated with a tunnel identifier. Accordingly, the IPsec VPN server further comprises:
and the tunnel batch processing unit is used for determining a target tunnel pointed by the tunnel identifier associated with the target unique identifier in a target network isolation space pointed by the target unique identifier, and performing batch processing on the target tunnel according to the configuration information of the target tunnel.
Referring to fig. 5, the present application further provides an IPsec VPN server, where the IPsec VPN server includes a memory and a processor, where the memory is used to store a computer program, and the computer program, when executed by the processor, implements the method for batch processing of network isolation spaces in the IPsec VPN server.
Referring to fig. 6, in the present application, the technical solution in the above embodiments can be applied to the computer terminal 10 shown in fig. 6. The computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission device 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 6 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in fig. 6, or have a different configuration from that shown in fig. 6.
The memory 104 may be used to store software programs and modules of application software, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 104. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission device 106 is used for receiving or transmitting data via a network. Specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a Network adapter (NIC) that can be connected to other Network devices through a base station to communicate with the internet. In one example, the transmission device 106 can be a Radio Frequency (RF) module, which is used to communicate with the internet in a wireless manner.
As can be seen from the above, according to the technical scheme provided by the present application, a unique identifier may be respectively allocated to each network isolation space in the IPsec VPN server, and an individual configuration file may be set for each network isolation space. When the network isolation space is to be processed, the controller may send a control instruction, where the control instruction may carry a number of unique identifiers pointing to the network isolation space. After receiving a control instruction carrying a unique identifier, the IPsec VPN server may perform batch processing on the network isolation spaces to which the unique identifiers respectively point and the configuration files of the network isolation spaces to which the unique identifiers point according to the control instruction. Therefore, according to the technical scheme provided by the application, the unique identifiers of the network isolation spaces can be added into the control instruction by distributing the unique identifiers to the network isolation spaces, and then batch processing can be performed on the network isolation spaces and the configuration files thereof.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (15)

1. A method for batch processing of network isolation spaces in an IPsec VPN server is characterized in that a plurality of network isolation spaces are arranged on the IPsec VPN server, and the method comprises the following steps:
allocating a unique identifier for each network isolation space, and setting a configuration file of each network isolation space; the configuration file of the network isolation space comprises configuration information of at least one tunnel, wherein the configuration information of the tunnel comprises a unique identifier of the network isolation space;
receiving a control instruction sent by a controller of the IPsec VPN, wherein the control instruction carries a plurality of unique identifiers pointing to a network isolation space;
and carrying out batch processing on the network isolation spaces respectively pointed by the unique identifiers and the configuration files of the pointed network isolation spaces according to the control instruction.
2. The method of claim 1, wherein the control instructions batch processing the network isolation space and the configuration file comprises:
if the control instruction is a new establishment or addition instruction for representing a new network isolation space, establishing a new network isolation space in the IPsec VPN server, allocating the unique identifier carried in the control instruction to the new network isolation space, and setting a configuration file of the new network isolation space.
3. The method of claim 2, wherein creating a new network quarantine space in the IPsec VPN server and assigning a unique identifier carried in the control directive to the new network quarantine space comprises:
and identifying the number of the unique identifiers carried in the control command, creating new network isolation spaces with the same amount in the IPsec VPN server according to the identified number, and sequentially distributing the unique identifiers carried in the control command to the created new network isolation spaces.
4. The method of claim 1, wherein the control instructions batch processing the network isolation space and the configuration file comprises:
if the control instruction is a deletion instruction for representing deletion of a network isolation space, identifying each unique identifier carried in the control instruction, determining a target network isolation space to which each unique identifier points in the IPsec VPN server, and deleting the target network isolation space and a configuration file of the target network isolation space.
5. The method of claim 1, wherein batching the network isolation space and the configuration file according to the control instruction comprises:
if the control instruction is a reloading instruction representing a reloading network isolation space, acquiring a current configuration file of a target network isolation space pointed by the reloading instruction, and comparing the current configuration file with an original configuration file of the target network isolation space;
and if the content in the current configuration file and the original configuration file changes, according to the current configuration file, reloading the target network isolation space.
6. The method according to claim 1, wherein the control instruction includes at least: a command word characterizing the type of operation, and a unique identifier of the network isolation space.
7. The method according to claim 1 or 6, characterized in that among the plurality of unique identifiers there is at least one target unique identifier associated with a tunnel identifier;
accordingly, the method further comprises:
and in a target network isolation space pointed by the target unique identifier, determining a target tunnel pointed by the tunnel identifier associated with the target unique identifier, and carrying out batch processing on the target tunnel according to the configuration information of the target tunnel.
8. The method of claim 7, wherein batching the target tunnels comprises:
if the control instruction is an instruction for representing that a target tunnel is newly established in the target network isolation space, adding the target tunnel in the target network isolation space, and adding configuration information of the target tunnel in a configuration file of the target network isolation space, wherein the configuration information of the target tunnel comprises a tunnel identifier of the target tunnel and a unique identifier of the target network isolation space;
if the control instruction is an instruction for representing deletion of the target tunnel in the target network isolation space, deleting the target tunnel in the target network isolation space, and deleting the configuration information of the target tunnel in the configuration file of the target network isolation space;
if the control instruction is an instruction for representing reloading of the target tunnel in the target network isolation space, reading the current configuration information of the target tunnel in the configuration file of the target network isolation space, and comparing the current configuration information of the target tunnel with the original configuration information; and if the content in the current configuration information and the original configuration information of the target tunnel changes, according to the current configuration information of the target tunnel, executing reloading operation aiming at the target tunnel in the target network isolation space.
9. The method of claim 1, further comprising:
distributing respective access resources for each network isolation space in the IPsec VPN server, and setting access authority for the access resources;
correspondingly, for a client side which establishes connection with the IPsec VPN server, a target network isolation space where a tunnel between the client side and the IPsec VPN server is located is determined, so that the client side can access the access resources distributed in the target isolation space according to the access authority set in the target network isolation space.
10. An IPsec VPN server, wherein a plurality of network isolation spaces are provided on the IPsec VPN server, the IPsec VPN server comprising:
the spatial information configuration unit is used for allocating a unique identifier for each network isolation space and setting a configuration file of each network isolation space; the configuration file of the network isolation space comprises configuration information of at least one tunnel, wherein the configuration information of the tunnel comprises a unique identifier of the network isolation space;
the control instruction receiving unit is used for receiving a control instruction sent by the controller of the IPsec VPN, wherein the control instruction carries a plurality of unique identifiers pointing to network isolation spaces;
and the batch processing unit is used for carrying out batch processing on the network isolation spaces respectively pointed by the unique identifiers and the configuration files of the pointed network isolation spaces according to the control instruction.
11. An IPsec VPN server as claimed in claim 10, characterised in that the batch processing unit comprises:
and the new establishing module is used for establishing a new network isolation space in the IPsec VPN server if the control instruction is a new establishing or adding instruction for representing a new network isolation space, distributing a unique identifier carried in the control instruction to the new network isolation space and setting a configuration file of the new network isolation space.
12. An IPsec VPN server as claimed in claim 10, characterised in that the batch processing unit comprises:
and the deleting module is used for deleting the created one or more network isolation spaces and deleting the configuration files of the one or more network isolation spaces in the IPsec VPN server according to the control instruction if the control instruction is a deleting instruction for representing the deletion of the network isolation spaces.
13. An IPsec VPN server as claimed in claim 10, characterised in that the batch processing unit comprises:
the comparison module is used for acquiring a current configuration file of a target network isolation space pointed by the reloading instruction if the control instruction is the reloading instruction for representing reloading of the network isolation space, and comparing the current configuration file with an original configuration file of the target network isolation space;
and the reloading module is used for executing reloading operation on the target network isolation space according to the current configuration file if the contents in the current configuration file and the original configuration file are changed.
14. An IPsec VPN server as claimed in claim 10, characterized in that among the plurality of unique identifiers there is at least one target unique identifier associated with a tunnel identifier;
accordingly, the IPsec VPN server further comprises:
and the tunnel batch processing unit is used for determining a target tunnel pointed by the tunnel identifier associated with the target unique identifier in a target network isolation space pointed by the target unique identifier, and performing batch processing on the target tunnel according to the configuration information of the target tunnel.
15. An IPsec VPN server, characterized in that the IPsec VPN server comprises a memory and a processor, the memory being adapted to store a computer program which, when executed by the processor, carries out the method of any of the claims 1 to 9.
CN201910176728.2A 2019-03-08 2019-03-08 Method for processing network isolation space in batch in IPsec VPN server and IPsec VPN server Active CN111669356B (en)

Publications (2)

Publication Number Publication Date
CN111669356A CN111669356A (en) 2020-09-15
CN111669356B true CN111669356B (en) 2022-05-27

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant