CN112787940A - Multi-level VPN encryption transmission method, system, equipment and storage medium - Google Patents


Info

Publication number
CN112787940A
Authority
CN
China
Prior art keywords
vpn
data
transmission method
encryption
encrypted
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202110107389.XA
Other languages
Chinese (zh)
Inventor
萧景东
李斌
吕帅亿
王佰玲
孙云霄
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Harbin Institute of Technology Weihai
Original Assignee
Weihai Tianzhiwei Network Space Safety Technology Co ltd
Harbin Institute of Technology Weihai
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/02 Topology update or discovery
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a multi-level VPN encryption transmission method, system, device and storage medium. The multi-level VPN comprises a VPN client and a VPN server, and the method comprises the following step: the VPN client establishes a communication tunnel with the VPN server through a link of 3 or more hops by using set-mark (iptables firewall marks) and NAT. As a result an attacker cannot easily track and locate the server, the client IP is better concealed, and the scheme is easy to implement and maintain.

Description

Multi-level VPN encryption transmission method, system, equipment and storage medium
Technical Field
The invention relates to a multi-level VPN encryption transmission method, a system, equipment and a storage medium, belonging to the technical field of network communication.
Background
A VPN (Virtual Private Network) is a temporary, secure connection established over the public Internet: a secure and stable tunnel through an untrusted public network. Encrypting the data carried in the tunnel, possibly several times, lets the Internet be used safely.
The VPN simulates a point-to-point special line on a public network through a private tunnel technology so as to achieve the aim of safe data transmission. If a special line is to be emulated, data is usually encrypted to ensure the security of the transmitted data. When information is transmitted between local area networks, the encryption function of the VPN gateway can ensure that the information is transmitted on an unsafe network in a ciphertext mode. Thus, even if the information is intercepted, its contents cannot be peeped and tampered with. The information transmission between local area networks connected through the Internet is ensured to be safe and confidential.
Since VPN is a secure private virtual network temporarily established on Internet, the user saves the expense of renting a private line, and in terms of operating capital expenditure, except for purchasing VPN equipment, the enterprise pays only a certain Internet access fee to the ISP of the location of the enterprise, and also saves the toll fee. This is why VPNs are cheap.
With the explosion of the Internet and electronic commerce, Internet-based business applications are the most direct route to economic globalization. As business activity intensifies, enterprises begin to let business partners and suppliers access their local area networks, which greatly simplifies and speeds up information exchange. These collaborations and connections are dynamic and are maintained and strengthened by the network; as a result, enterprises find that such information exchange not only adds complexity to the network but also raises administrative and security issues, because the Internet is a global, open, unmanaged network built on TCP/IP. Internet-based commerce therefore faces information threats and security risks.
Currently, mainstream VPN software mainly uses tunneling protocols such as GRE, PPTP, L2TP, and the like to construct a VPN tunnel.
GRE is mainly used for a tunnel formed between a source router and a terminating router. The tunneled packet is encapsulated with a new header (the GRE header) whose destination is the tunnel end address and placed in the tunnel. When the packet reaches the end point of the tunnel, the GRE header is stripped off and the original packet is forwarded toward its own destination address. GRE tunnels are typically point-to-point, i.e. a tunnel has only one source address and one destination address. There are, however, implementations that allow point-to-multipoint tunnels, i.e. one source address to multiple destination addresses; these are combined with the Next Hop Resolution Protocol (NHRP), whose main purpose is to establish shortcuts between routers.
GRE tunnels are attractive for establishing VPNs. From an architectural point of view, a VPN is like a collection of tunnels through a common host network. Each point of the ordinary host network can be configured into one or more tunnels using its address and the physical connection formed by the route. In GRE tunneling, the ingress address uses the address space of the ordinary host network, while the original message flowing in the tunnel uses the address space of the VPN, which in turn requires that the end point of the tunnel should be configured as the intersection between the VPN and the ordinary host network. The method has the advantages that the routing information of the VPN is separated from the routing information of the ordinary host network, and a plurality of VPNs can repeatedly utilize the same address space without conflict, so that the VPNs are separated from the host network. Thereby meeting the key requirement of VPN that globally unique address space may not be used. Tunnels can also encapsulate numerous protocol families, reducing the number of functions that implement VPN functions. Also, it is important for the architecture supported by many VPNs to support multiple protocols in the same format while preserving the functionality of the protocols. IP route filtering host networks cannot provide this service, and only tunneling can isolate the VPN private protocol from the host network. Another feature of a tunnel technology based VPN implementation is the isolation of the host network environment from the VPN routing environment. The host network can be seen as a point-to-point collection of circuits to the VPN, which can use its routing protocol to traverse a virtual network that meets the VPN management requirements. Also, the host network is designed with a routing that meets the network requirements, without being constrained by the routing protocols of the VPN customer network.
Although GRE tunneling has many advantages, it also has disadvantages as a VPN mechanism, such as high management cost and a large number of tunnels. Because GRE tunnels are configured manually, the cost of configuring and maintaining them grows directly with the number of tunnels: each time the end point of a tunnel changes, the tunnel must be reconfigured. Tunnels may also be configured automatically, but automatic configuration has its own disadvantages, such as ignoring relevant routing information, performance problems and a tendency to form loops; once a loop forms, routing efficiency deteriorates greatly. In addition, traffic classification needs a fine enough level of granularity to identify the traffic type, and if classification is done by inspecting each packet before it enters the tunnel, routing rate and service performance suffer. GRE tunneling is used in routers and can meet the requirements of Extranet VPNs and Intranet VPNs. In a remote-access VPN, however, most users dial in, and that case is addressed by L2TP and PPTP.
L2TP is a combination of L2F (Layer 2 Forwarding) and PPTP. Because the Windows desktop operating system includes PPTP, PPTP is still popular. A tunnel can be established in two ways: a user-initiated tunnel and a NAS-initiated (Network Access Server) tunnel. The former is commonly called an "active" (voluntary) tunnel and the latter a "forced" (compulsory) tunnel. An "active" tunnel is established at the user's request for a particular purpose, while a "forced" tunnel is established without any action or choice by the user. L2TP, as a "forced" tunnel model, is an important mechanism for a dial-up user to establish a connection with another point in the network. First, the user establishes a connection with the NAS through a modem; the user authenticates to the L2TP access server through the NAS, and the NAS and the L2TP access server dynamically establish an L2TP tunnel on the basis of a policy configuration file or a negotiation between the NAS and the policy server; a Point-to-Point Protocol (PPP) access service tunnel is established between the user and the L2TP access server; the user then obtains VPN service through the tunnel.
In contrast, PPTP as an "active" tunnel model allows the end system to be configured to establish a discontinuous, point-to-point tunnel with PPTP servers at arbitrary locations, and the PPTP negotiation and tunnel establishment involve no intermediate NAS; the NAS only provides network service. The PPTP establishment process is: the user connects to the NAS over a serial port in dial-up access mode to obtain network service and locates the PPTP access server via routing information; the user creates a PPTP virtual interface, negotiates and authenticates with the PPTP access server through that interface to establish a PPP access service tunnel; the user then obtains VPN service through the tunnel.
In L2TP, the user does not perceive the presence of the NAS as if a connection was established directly with the PPTP access server. Whereas in PPTP, the PPTP tunnel is transparent to NAS; the NAS does not need to know the existence of the PPTP access server, but simply handles the PPTP traffic as ordinary IP traffic.
Whether L2TP or PPTP is used to implement a VPN depends on whether control is placed in the NAS or the user. L2TP is more secure than PPTP because the L2TP access server is able to determine where the user came from. L2TP is primarily intended for use with relatively centralized, fixed VPN users, whereas PPTP is more suitable for mobile users.
Although existing mainstream VPN software uses different tunnel protocols, the VPN tunnel link always takes the form of a VPN client connected directly to a VPN server, with the VPN server then forwarding the user's plaintext data to the target network. Once an attacker has pinned down the VPN server, the attacker can directly locate the IP address of the VPN client, which may expose the user to direct attack. Mainstream VPN software therefore does not protect the data source (the client's address) well.
Disclosure of Invention
Aiming at the defects of the prior art, the invention provides a multi-level VPN encryption transmission method and a multi-level VPN encryption transmission system;
the invention also provides a computer device and a storage medium;
the invention configures the routing tables of the routers so that the routes between different hops are separated into sub-networks; specific traffic is marked with set-mark, and the marked traffic is forced along a specific routing path, which switches the traffic between the hops of the multi-hop VPN and thereby achieves encrypted transmission of that specific traffic.
Interpretation of terms:
1. NAT (Network Address Translation), proposed in 1994. NAT is used when hosts inside a private network have been assigned local IP addresses (private addresses valid only inside that network) but need to communicate with hosts on the Internet (without encryption).
2. The /etc/iproute2/rt_table file: the correspondence between routing table numbers and table names is kept in this file, which can be edited manually.
3. The MARK target of the iptables component and the mark it sets: used to mark specific packets so that iptables can work together with tc for QoS rate limiting or with policy routing.
4. AES encryption and AES decryption: the Advanced Encryption Standard (AES), also known in cryptography as the Rijndael cipher.
5. The DH algorithm: DH stands for Diffie-Hellman, a key exchange protocol proposed by Whitfield Diffie and Martin Hellman in 1976.
6. Private key decryption: decrypting data using a single private key. Since any party holding the key can decrypt the data with it, the key must be protected from unauthorized parties.
The technical scheme of the invention is as follows:
a multi-level VPN encryption transmission method, wherein the multi-level VPN comprises a VPN client and a VPN server, and the method comprises the following step: the VPN client establishes a communication tunnel with the VPN server through a link of 3 or more hops by using set-mark and NAT.
According to a preferred embodiment of the present invention, the VPN client establishes the communication tunnel with the VPN server through a link of 3 or more hops by using set-mark and NAT as follows:
(1) configuring a routing table: configuring a routing table for the route of the communication tunnel between the VPN client and the VPN server through the link, so that data traffic whose source address is the VPN client address follows the set link path;
(2) marking specific data: marking data according to its source address; the specific data is the data traffic whose source address is the VPN client address;
(3) encrypting the marked data: the data marked in step (2) is encrypted once at each hop;
(4) making the marked data take a specific route: the data encrypted in step (3) is routed with the routing table configured in step (1) and sent to the VPN server;
(5) the VPN server decrypts the received data: the VPN server decrypts the received data to obtain the original information sent by the VPN client, achieving multi-hop VPN encrypted transmission of data between the VPN client and the VPN server.
Further preferably, in step (1), the routing path for data transmission is modified by configuring the /etc/iproute2/rt_table file, so that the data traffic whose source address is the VPN client address follows the set link path.
Further preferably, in step (2), the specific data is marked using the MARK target of the iptables component.
Further preferably, step (3) comprises the following steps:
A. AES-encrypting the data marked in step (2) and sending it to the next-hop router;
B. the next-hop router encrypts the AES-encrypted data received from step A using a public key through the DH algorithm and sends the result to the next-hop router;
C. each further next-hop router encrypts the public-key-encrypted data received from step B in the same way, until the data reaches the VPN server.
For a communication tunnel with more than three hops, each subsequent transit router can decide whether to encrypt and which algorithm to use.
Further preferably, step (5) comprises the following steps:
D. first decrypting the received data using the private key;
E. AES-decrypting the data obtained from the first decryption to obtain the original information sent by the VPN client.
A multi-level VPN encryption transmission system comprises a configuration module, a marking module, an encryption module, a sending module and a decryption module which are connected in sequence;
the configuration module is used for realizing the step (1); the marking module is used for realizing the step (2); the encryption module is used for realizing the step (3); the sending module is used for realizing the step (4); the decryption module is used for realizing the step (5).
A computer device comprising a memory storing a computer program and a processor implementing the steps of a multi-level VPN encryption transmission method when executing the computer program.
A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out the steps of the multi-level VPN encrypted transmission method.
The invention has the beneficial effects that:
1. The multi-level VPN encryption transmission method is realized with set-mark and NAT: the VPN client establishes a communication tunnel with the VPN server through a link of 3 or more hops, so that an attacker cannot easily track and locate the server.
2. The user's communication tunnel is built from multi-hop link nodes; the client reaches the target network through at least 2 hops, so the client IP is better concealed.
3. The invention realizes multi-level VPN transmission using set-mark and NAT, which is easy to implement and maintain.
4. The invention is applicable to communication and confidential information transmission among personal users, network service providers, small and medium-sized enterprises and organizations, and has very broad application prospects.
Drawings
FIG. 1 is a flow chart of a multi-stage VPN encryption transmission method of the present invention;
FIG. 2 is a schematic diagram of a multi-level VPN encryption transmission topology of the present invention;
fig. 3 is a schematic structural diagram of the multi-stage VPN encryption transmission system according to the present invention.
Detailed Description
The invention is further described, but not limited, by the following figures and examples.
Example 1
A multi-level VPN encryption transmission method, wherein the multi-level VPN comprises a VPN client and a VPN server, and the method comprises the following step: the VPN client establishes a communication tunnel with the VPN server through a link of 3 or more hops by using set-mark and NAT.
Example 2
A multi-level VPN encryption transmission method according to Example 1, as shown in FIG. 1, differing in that:
using set-mark and NAT, the VPN client establishes a communication tunnel with the VPN server through a link of 3 or more hops by the following steps:
(1) configuring a routing table: configuring a routing table for the route of the communication tunnel between the VPN client and the VPN server through the link, so that data traffic whose source address is the VPN client address follows the set link path;
(2) marking specific data: marking data according to its source address; the specific data is the data traffic whose source address is the VPN client address;
(3) encrypting the marked data: the data marked in step (2) is encrypted once at each hop;
(4) making the marked data take a specific route: the data encrypted in step (3) is routed with the routing table configured in step (1) and sent to the VPN server;
(5) the VPN server decrypts the received data: the VPN server decrypts the received data to obtain the original information sent by the VPN client, achieving multi-hop VPN encrypted transmission of data between the VPN client and the VPN server.
In step (1), the routing path for data transmission is modified by configuring the /etc/iproute2/rt_table file, so that the data traffic whose source address is the VPN client address follows the set link path.
In step (2), the specific data is marked using the MARK target of the iptables component.
Step (3) is implemented by the following steps:
A. AES-encrypting the data marked in step (2) and sending it to the next-hop router;
B. the next-hop router encrypts the AES-encrypted data received from step A using a public key through the DH algorithm and sends the result to the next-hop router;
C. each further next-hop router encrypts the public-key-encrypted data received from step B in the same way, until the data reaches the VPN server.
For a communication tunnel with more than three hops, each subsequent transit router can decide whether to encrypt and which algorithm to use.
Step (5) is implemented by the following steps:
D. first decrypting the received data using the private key;
E. AES-decrypting the data obtained from the first decryption to obtain the original information sent by the VPN client.
Example 3
The multi-level VPN encryption transmission method according to embodiment 2 is different in that:
a multi-hop VPN implemented with set-mark and NAT, as shown in FIG. 2, comprises the following. Each hop runs a VPN server end (VPNs, the tunnel facing the previous hop) and a VPN client end (VPNc, the tunnel facing the next hop); the tunnel between two hops carries the same interface name at both ends.
The client sends data to the first hop.
First hop, 139.129.13.90:
VPNs: tun100 (10.100.0.1/16)
VPNc: tun101 (10.101.0.2/16)
Second hop, 119.28.152.184:
VPNs: tun101 (10.101.0.1/16)
VPNc: tun102 (10.102.0.2/16)
Third hop, 161.117.191.113:
VPNs: tun102 (10.102.0.1/16)
1) Setting the first-hop route, with the following commands:
echo "100 css100" >> /etc/iproute2/rt_tables   # register table 100 under the name css100 (iproute2 reads table names from rt_tables; the number works without it)
ip route flush table 100   # flush the existing routes of table 100
ip route add default via 10.101.0.2 dev tun101 table 100   # default route of table 100 points into tun101
ip route add 119.28.152.184 via 172.31.95.253 dev eth0   # route to the second hop's public IP through the physical network card
ip rule add fwmark 0x10 table 100   # packets marked 0x10 are routed with table 100
iptables -t mangle -A PREROUTING -i tun100 -s 10.100.0.0/16 -j MARK --set-mark 0x10   # mark packets arriving on tun100 from the tun100 subnet with 0x10
iptables -t nat -A POSTROUTING -s 10.100.0.0/16 -o tun101 -j MASQUERADE   # packets from the tun100 subnet leaving via tun101 get tun101's address as their source
2) Setting the second-hop route, with the following commands:
echo "101 css101" >> /etc/iproute2/rt_tables
ip route flush table 101
ip route add default via 10.102.0.2 dev tun102 table 101
ip route add 161.117.191.113 via 172.29.0.1 dev eth0   # route to the third hop's public IP through the physical network card
ip rule add fwmark 0x11 table 101
iptables -t mangle -A PREROUTING -i tun101 -s 10.101.0.0/16 -j MARK --set-mark 0x11
iptables -t nat -A POSTROUTING -s 10.101.0.0/16 -o tun102 -j MASQUERADE
3) Setting the third-hop route, with the following command:
iptables -t nat -A POSTROUTING -s 10.102.0.0/16 -o eth0 -j MASQUERADE
Alternatively, all HTTP and HTTPS traffic can be sent through the VPN, which is useful when access to a website needs to be accelerated:
VPNc is installed on the server, the VPNs address is 10.7.0.1 and the virtual network card is tun0;
ip route add default via 10.7.0.1 dev tun0 table 100
ip rule add fwmark 0x10 table 100
iptables -t mangle -A PREROUTING -p tcp --dport 443 -j MARK --set-mark 0x10
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 0x10
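The following is an added example, not part of the patent and not code from the applicants. It models the per-hop chain that Example 3 configures by hand (mangle PREROUTING mark, fwmark rule into a numbered table, MASQUERADE on the outgoing tunnel) as a small Python simulation, so that a reader can see what each hop learns about the packet's origin and why unmarked traffic never enters the tunnel. It generalizes the page's instance: a hop is a data structure that can both render the commands of Example 3 and forward a modelled packet, and a hop can also mark by TCP destination port, which is the HTTP/HTTPS variant at the end of Example 3. The tunnel subnets, table numbers and fwmark values are the patent's; the `Hop`, `MarkRule` and `trace` names, the 198.51.100.3 and 203.0.113.10 documentation addresses, the 192.168.x LAN addresses and the client tun0 address 10.7.0.2 are constructed for the demo.

```python
# Added example (not from the patent): model of the per-hop set-mark ->
# policy-routing -> MASQUERADE chain of Example 3. Public/LAN addresses
# below are constructed documentation values, not the patent's hosts.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class MarkRule:
    """One mangle PREROUTING rule: match on input interface and source subnet
    (the patent's per-hop rule) or on a TCP destination port (HTTP/HTTPS variant)."""
    iif: Optional[str] = None
    src_net: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        if self.iif is not None and pkt.get("iif") != self.iif:
            return False
        if self.src_net is not None and \
                ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src_net):
            return False
        if self.dport is not None and pkt.get("dport") != self.dport:
            return False
        return True


@dataclass
class Hop:
    name: str
    in_tun: str             # tunnel from the previous hop (this hop's VPNs side)
    in_net: str             # subnet the previous hop sends from on that tunnel
    out_if: str             # tunnel to the next hop (VPNc side), or eth0 on the last hop
    out_src: str            # source address after MASQUERADE on out_if
    next_gw: Optional[str]  # gateway inside out_if; None on the last hop (main table only)
    table: int              # policy-routing table number
    mark: int               # fwmark value
    rules: list = field(default_factory=list)

    def commands(self) -> list:
        """Render this hop as the iproute2/iptables commands used in Example 3
        (the underlay route to the next hop's public IP is site-specific and omitted)."""
        cmds = []
        if self.next_gw is not None:
            cmds += [f'echo "{self.table} css{self.table}" >> /etc/iproute2/rt_tables',
                     f"ip route flush table {self.table}",
                     f"ip route add default via {self.next_gw} dev {self.out_if} table {self.table}",
                     f"ip rule add fwmark {self.mark:#x} table {self.table}"]
            for r in self.rules:
                m = (f" -i {r.iif}" if r.iif else "") + (f" -s {r.src_net}" if r.src_net else "") \
                    + (f" -p tcp --dport {r.dport}" if r.dport else "")
                cmds.append(f"iptables -t mangle -A PREROUTING{m} -j MARK --set-mark {self.mark:#x}")
        cmds.append(f"iptables -t nat -A POSTROUTING -s {self.in_net} -o {self.out_if} -j MASQUERADE")
        return cmds

    def forward(self, pkt: dict) -> dict:
        """Walk one packet through mangle PREROUTING, ip rule/route, nat POSTROUTING."""
        marked = self.next_gw is not None and any(r.matches(pkt) for r in self.rules)
        if marked:
            oif, via = self.out_if, self.next_gw      # fwmark rule -> numbered table -> tunnel
        else:
            oif, via = "eth0", "main-table default"   # unmarked traffic takes the ordinary route
        src = pkt["src"]
        if oif == self.out_if and ipaddress.ip_address(src) in ipaddress.ip_network(self.in_net):
            src = self.out_src                         # MASQUERADE: next hop sees only this address
        return {"src": src, "dst": pkt["dst"], "iif": oif, "dport": pkt.get("dport"),
                "mark": self.mark if marked else 0, "oif": oif, "via": via}


def trace(hops: list, pkt: dict) -> list:
    """Packet as it leaves each hop; stops once a hop sends it out of the chain."""
    out = []
    for h in hops:
        pkt = h.forward(pkt)
        out.append(pkt)
        if pkt["oif"] == "eth0":
            break
    return out


# The three-hop chain of Example 3 (hop 3's public address is a constructed value).
CHAIN = [
    Hop("hop1", "tun100", "10.100.0.0/16", "tun101", "10.101.0.2", "10.101.0.2", 100, 0x10,
        [MarkRule(iif="tun100", src_net="10.100.0.0/16")]),
    Hop("hop2", "tun101", "10.101.0.0/16", "tun102", "10.102.0.2", "10.102.0.2", 101, 0x11,
        [MarkRule(iif="tun101", src_net="10.101.0.0/16")]),
    Hop("hop3", "tun102", "10.102.0.0/16", "eth0", "198.51.100.3", None, 0, 0),
]
# The HTTP/HTTPS variant: mark by destination port instead of source subnet
# (LAN 192.168.1.0/24 and client tun0 address 10.7.0.2 are assumed).
WEB_HOP = Hop("web-gw", "eth1", "192.168.1.0/24", "tun0", "10.7.0.2", "10.7.0.1", 100, 0x10,
              [MarkRule(dport=443), MarkRule(dport=80)])

if __name__ == "__main__":
    for step in trace(CHAIN, {"src": "10.100.0.2", "dst": "203.0.113.10", "iif": "tun100"}):
        print(step)
```

Running the simulation shows the concealment the patent claims at the address level: the target network sees only hop 3's public address, hop 3 sees only 10.102.0.2 and hop 2 only 10.101.0.2, while a packet that arrives at hop 1 from any other interface or subnet is never marked, falls through to the main table and is not tunnelled. Two caveats a practitioner should keep in mind when reproducing Example 3 on real routers: forwarding must be enabled (`net.ipv4.ip_forward=1`) on every hop, and MASQUERADE hides only the previous hop's address from the next hop; each transit node still sees its predecessor and the payload it forwards, which is what the per-hop encryption of step (3) is meant to cover.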
Example 4
A multi-level VPN encryption transmission system, as shown in fig. 3, includes a configuration module, a marking module, an encryption module, a sending module and a decryption module, which are connected in sequence; the configuration module is used for realizing the step (1); the marking module is used for realizing the step (2); the encryption module is used for realizing the step (3); the sending module is used for realizing the step (4); and the decryption module is used for realizing the step (5).
Example 5
A computer device comprising a memory storing a computer program and a processor implementing the steps of the multi-level VPN encryption transmission method of embodiment 1 or 2 when the processor executes the computer program.
Example 6
A computer-readable storage medium on which a computer program is stored, the computer program, when executed by a processor, implementing the steps of the multi-stage VPN encryption transmission method of embodiment 1 or 2.

Claims (9)

1. A multi-level VPN encryption transmission method, characterized in that the multi-level VPN comprises a VPN client and a VPN server, and the method comprises the following step: the VPN client establishes a communication tunnel with the VPN server through a link of 3 or more hops by using set-mark and NAT.
2. The multi-level VPN encryption transmission method according to claim 1, wherein the VPN client establishes the communication tunnel with the VPN server through a link of 3 or more hops by using set-mark and NAT, comprising the steps of:
(1) configuring a routing table: configuring a routing table for the route of the communication tunnel between the VPN client and the VPN server through the link, so that data traffic whose source address is the VPN client address follows the set link path;
(2) marking specific data: marking data according to its source address; the specific data is the data traffic whose source address is the VPN client address;
(3) encrypting the marked data: the data marked in step (2) is encrypted once at each hop;
(4) making the marked data take a specific route: the data encrypted in step (3) is routed with the routing table configured in step (1) and sent to the VPN server;
(5) the VPN server decrypts the received data: the VPN server decrypts the received data to obtain the original information sent by the VPN client, achieving multi-hop VPN encrypted transmission of data between the VPN client and the VPN server.
3. The multi-level VPN encryption transmission method according to claim 2, wherein in step (1) the routing path for data transmission is modified by configuring the /etc/iproute2/rt_table file, so that the data traffic whose source address is the VPN client address follows the set link path.
4. The multi-level VPN encryption transmission method according to claim 2, wherein in step (2) the specific data is marked using the MARK target of the iptables component.
5. The multi-level VPN encryption transmission method according to claim 2, wherein step (3) is implemented by:
A. AES-encrypting the data marked in step (2) and sending it to the next-hop router;
B. the next-hop router encrypting the AES-encrypted data received from step A using a public key through the DH algorithm and sending the result to the next-hop router;
C. each further next-hop router encrypting the public-key-encrypted data received from step B in the same way, until the data reaches the VPN server.
6. The multi-level VPN encryption transmission method according to claim 2, wherein step (5) is implemented by:
D. first decrypting the received data using the private key;
E. AES-decrypting the data obtained from the first decryption to obtain the original information sent by the VPN client.
7. A multi-level VPN encryption transmission system for realizing the multi-level VPN encryption transmission method of any one of claims 1-6, which is characterized by comprising a configuration module, a marking module, an encryption module, a sending module and a decryption module which are connected in sequence;
the configuration module is used for realizing the step (1); the marking module is used for realizing the step (2); the encryption module is used for realizing the step (3); the sending module is used for realizing the step (4); the decryption module is used for realizing the step (5).
8. A computer device comprising a memory storing a computer program and a processor, wherein the processor, when executing the computer program, implements the steps of the multi-level VPN encryption transmission method according to any one of claims 1-6.
9. A computer-readable storage medium, having stored thereon a computer program which, when executed by a processor, performs the steps of the multi-level VPN encrypted transmission method according to any one of claims 1 to 6.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110107389.XA CN112787940A (en) 2021-01-27 2021-01-27 Multi-level VPN encryption transmission method, system, equipment and storage medium

Publications (1)

Publication Number Publication Date
CN112787940A (en) 2021-05-11

Family

ID=75757977

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110107389.XA Pending CN112787940A (en) 2021-01-27 2021-01-27 Multi-level VPN encryption transmission method, system, equipment and storage medium

Country Status (1)

Country Link
CN (1) CN112787940A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114237786A (en) * 2021-11-18 2022-03-25 中国南方电网有限责任公司 Operation response processing method, device, equipment and storage medium of multi-level system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1507230A (en) * 2002-12-10 2004-06-23 华为技术有限公司 Method of realizing special multiple-protocol label exchanging virtual network
US20070165638A1 (en) * 2006-01-13 2007-07-19 Cisco Technology, Inc. System and method for routing data over an internet protocol security network
CN101695160A (en) * 2009-10-20 2010-04-14 清华大学 Stream directional transmission method based on strategy route
CN102624619A (en) * 2012-03-09 2012-08-01 上海大亚科技有限公司 Method for performing message forwarding route selection based on source address under multi-default gateway condition
CN107040445A (en) * 2017-03-13 2017-08-11 安徽新华博信息技术股份有限公司 A kind of implementation method of multi-hop vpn tunneling
CN110290044A (en) * 2019-06-26 2019-09-27 普联技术有限公司 A kind of shunt method, device and the storage medium of VPN network and core network

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20210511