CN113067910B - NAT traversal method and device, electronic equipment and storage medium (Google Patents)

Info

Publication number
CN113067910B
CN113067910B
Authority
CN
China
Prior art date
Legal status
Active
Application number
CN202010003261.4A
Other languages
Chinese (zh)
Other versions
CN113067910A (en)
Inventor
韩瑞波
李振强
李晗
Current Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Communications Ltd Research Institute
Application filed by China Mobile Communications Group Co Ltd and China Mobile Communications Ltd Research Institute
Priority to CN202010003261.4A
Publication of CN113067910A
Application granted
Publication of CN113067910B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Abstract

The invention discloses a NAT traversal method, a NAT traversal device, electronic equipment and a storage medium. The method comprises the following steps: determining the type of the first NAT equipment, the type of the second NAT equipment and public network address information after NAT corresponding to the second CPE; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE; and configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the public network address information after NAT corresponding to the second CPE.

Description

NAT traversal method and device, electronic equipment and storage medium
Technical Field
The present invention relates to mobile communication technology, and in particular to a network address translation (NAT) traversal method, apparatus, electronic device, and storage medium.
Background
Internet Protocol Security (IPSEC) tunnels establish trust and security between a source address and a destination address in an end-to-end security mode. An IPSEC tunnel running over a public network must have a public network address at at least one of its two ends; otherwise the tunnel cannot be established.
Disclosure of Invention
In view of the above, the present invention is directed to a NAT traversal method, apparatus, electronic device and storage medium.
In order to achieve the above purpose, the technical scheme of the invention is realized as follows:
the embodiment of the invention provides a NAT traversal method, which is applied to a first customer premise equipment (CPE) and comprises the following steps:
determining the type of the first NAT equipment, the type of the second NAT equipment and public network address information after NAT corresponding to the second CPE; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
and configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the public network address information after NAT corresponding to the second CPE.
In the above solution, the determining the type of the second NAT device includes:
and receiving the type of the second NAT equipment transmitted by the server.
In the above scheme, the method further comprises:
sending a first test message to a server; the first test message is used for requesting the server to send a first result message;
and receiving the first result message sent by the server, determining, based on the first result message, the type of the NAT device connected to the first CPE, and sending the determined type to the server.
In the above scheme, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT, determining the post-NAT public network address information corresponding to the second CPE includes:
receiving a message sent by a second CPE;
and determining public network address information after NAT corresponding to the second CPE based on the received message.
In the above scheme, the method further comprises:
sending a second test message to the server; the second test message is used for determining public network address information after NAT corresponding to the first CPE by the server.
In the above scheme, the method further comprises:
based on the configured IPSEC tunnel, sending a message with a target address being any address; and the message with the target address being any address is used for punching holes in the first NAT equipment.
In the above scheme, the configuring IPSEC tunnel and tunnel address information includes:
configuring an encapsulation mode of an IPSEC tunnel as a tunnel mode and configuring to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In the above scheme, when the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT, determining the post-NAT public network address information corresponding to the second CPE includes:
and receiving public network address information which is sent by the server and corresponds to the second CPE and is subjected to NAT.
In the above scheme, the method further comprises:
sending a message to a second CPE; the sent message is used for the second CPE to determine public network address information after NAT corresponding to the first CPE.
In the above scheme, the configuring IPSEC tunnel and tunnel address information includes:
configuring an encapsulation mode of an IPSEC tunnel as a tunnel mode and configuring to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In the above solution, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a network address port translation (NAPT) device, or when the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT, determining the post-NAT public network address information corresponding to the second CPE includes:
and receiving the post-NAT public network address information corresponding to the second CPE sent by the server.
In the above scheme, the configuring IPSEC tunnel and tunnel address information includes:
configuring an encapsulation mode of an IPSEC tunnel as a tunnel mode and configuring to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In the above scheme, the method further comprises:
and sending a message based on the configured IPSEC tunnel and tunnel address information, wherein the sent message is used for punching holes in the first NAT equipment.
In the above scheme, the NAPT includes at least one of the following: symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
In the above scheme, the tunnel address information includes at least one of the following:
private network address information of the first CPE and public network address information after NAT corresponding to the second CPE.
In the above scheme, the public network address information includes: public network address and port number.
In the above scheme, the message includes: an internet protocol (IP) header, a User Datagram Protocol (UDP) header, an authenticated portion, and an Encapsulating Security Payload (ESP) authentication field;
wherein the authenticated portion includes an ESP header and an encrypted section, and the encrypted section includes the original IP header, the transmission control protocol (TCP) header, the data (DATA), and the ESP trailer.
The embodiment of the invention also provides a NAT traversal method, which is applied to the server and comprises the following steps:
determining the type of the first NAT device and the type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
transmitting the type of the second NAT device to the first CPE; transmitting the type of the first NAT device to the second CPE;
when the types of the first NAT device and the second NAT device meet preset conditions, determining the post-NAT public network address information corresponding to the first CPE and sending it to the second CPE; and/or determining the post-NAT public network address information corresponding to the second CPE and sending it to the first CPE;
the public network address information is used for configuring an IPSEC tunnel and tunnel address information.
In the above scheme, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT, the NAT-processed public network address information corresponding to the first CPE is determined, and the NAT-processed public network address information corresponding to the first CPE is sent to the second CPE.
In the above scheme, when the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT, the NAT-processed public network address information corresponding to the second CPE is determined, and the NAT-processed public network address information corresponding to the second CPE is sent to the first CPE.
In the above solution, in the case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is NAPT, or in the case where the type of the first NAT device is NAPT and the type of the second NAT device is a full cone NAT, the NAT-processed public network address information corresponding to the first CPE is determined, and the NAT-processed public network address information corresponding to the first CPE is sent to the second CPE; and determining the public network address information after NAT corresponding to the second CPE, and sending the public network address information after NAT corresponding to the second CPE to the first CPE.
In the above scheme, the NAPT includes at least one of the following:
symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
In the above scheme, the public network address information includes: public network address and port number.
In the above solution, the determining the type of the first NAT device and the type of the second NAT device includes:
receiving a first test message sent by the first CPE, and sending a first result message based on the first test message, the first result message being used by the first CPE to determine the type of the first NAT device connected to it; and receiving, from the first CPE, the type of the first NAT device connected to it;
receiving a third test message sent by the second CPE, and sending a second result message based on the third test message, the second result message being used by the second CPE to determine the type of the second NAT device connected to it; and receiving, from the second CPE, the type of the second NAT device connected to it.
In the above solution, the determining NAT-post public network address information corresponding to the first CPE includes:
receiving a second test message sent by the first CPE; determining public network address information after NAT corresponding to the first CPE based on a second test message sent by the first CPE;
the determining public network address information after NAT corresponding to the second CPE includes:
receiving a fourth test message sent by the second CPE; and determining public network address information after NAT corresponding to the second CPE based on a fourth test message sent by the second CPE.
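The CPE/server exchange described above, as an added example that is not part of the patent: a server that collects each CPE's reported NAT type and the post-NAT source address of its test message, applies the three preset conditions, and the first CPE's resulting tunnel configuration and follow-up packet. Class and function names and all addresses are constructed, and the NAT type detection itself (first test message and first result message) is assumed to have already produced the type report.

```python
from dataclasses import dataclass
from enum import Enum


class NatType(Enum):
    BASIC = "basic NAT"
    FULL_CONE = "full cone NAT"
    ADDRESS_LIMITED = "address limited cone NAT"
    PORT_LIMITED = "port limited cone NAT"
    SYMMETRIC = "symmetric NAT"


# The page lists these four as NAPT; note that full cone is both "full cone" and a NAPT.
NAPT = {NatType.SYMMETRIC, NatType.FULL_CONE, NatType.ADDRESS_LIMITED, NatType.PORT_LIMITED}


@dataclass(frozen=True)
class PublicAddr:
    """Post-NAT public network address information: public address plus port number."""
    ip: str
    port: int


def preset_conditions(first: NatType, second: NatType):
    """Which post-NAT addresses the server distributes for a given pair of NAT types.

    Returns (first_addr_to_second_cpe, second_addr_to_first_cpe). The two basic-NAT
    cases are tested before the NAPT case because full cone also counts as NAPT.
    """
    if first is NatType.FULL_CONE and second is NatType.BASIC:
        return True, False
    if first is NatType.BASIC and second is NatType.FULL_CONE:
        return False, True
    if (first is NatType.FULL_CONE and second in NAPT) or (first in NAPT and second is NatType.FULL_CONE):
        return True, True
    raise ValueError(f"no case on the page for {first.value} / {second.value}")


class Server:
    """Collects each CPE's reported NAT type and the source address of its test message."""

    def __init__(self):
        self.nat_type = {}
        self.public_addr = {}

    def receive_type_report(self, cpe: str, nat_type: NatType):
        # The CPE derived this from the first result message; that detection is not modelled here.
        self.nat_type[cpe] = nat_type

    def receive_test_message(self, cpe: str, observed_src: PublicAddr):
        # The source address the server sees on the second/fourth test message is the post-NAT address.
        self.public_addr[cpe] = observed_src

    def distribute(self):
        """Messages to each CPE: the peer's NAT type and, if the preset conditions say so, the peer's address."""
        first, second = self.nat_type["first"], self.nat_type["second"]
        to_second, to_first = preset_conditions(first, second)
        return {
            "first": {"peer_type": second, "peer_addr": self.public_addr["second"] if to_first else None},
            "second": {"peer_type": first, "peer_addr": self.public_addr["first"] if to_second else None},
        }


@dataclass
class TunnelConfig:
    encapsulation: str        # "tunnel" mode
    nat_t: bool               # NAT-T (UDP encapsulation) enabled
    source: str               # private network address of the first CPE
    destination: PublicAddr   # post-NAT public address of the second CPE
    follow_up: str            # packet the first CPE sends next


def configure_first_cpe(own_type: NatType, private_ip: str, from_server: dict,
                        peer_packet_src=None) -> TunnelConfig:
    """First CPE side: pick where the second CPE's address comes from, then set up the tunnel."""
    peer_type = from_server["peer_type"]
    if own_type is NatType.FULL_CONE and peer_type is NatType.BASIC:
        # Case 1: the second CPE's own packet, seen after its NAT, carries the address.
        if peer_packet_src is None:
            raise ValueError("no packet from the second CPE received yet")
        dest, follow_up = peer_packet_src, "send a packet to any address to punch a hole in the first NAT"
    elif own_type is NatType.BASIC and peer_type is NatType.FULL_CONE:
        # Case 2: the server supplies the address; then send to the peer so it can learn ours.
        dest, follow_up = from_server["peer_addr"], "send a packet to the second CPE"
    else:
        # Case 3 (full cone paired with NAPT): both addresses come via the server; punch through the tunnel.
        preset_conditions(own_type, peer_type)  # raises for pairs the scheme does not cover
        dest, follow_up = from_server["peer_addr"], "send a packet over the tunnel to punch a hole in the first NAT"
    return TunnelConfig("tunnel", True, private_ip, dest, follow_up)
```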
The embodiment of the invention also provides a NAT traversal device, which is applied to the first CPE, and comprises: a first processing module and a second processing module;
the first processing module is configured to determine a type of the first NAT device, a type of the second NAT device, and NAT-processed public network address information corresponding to the second CPE; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
the second processing module is configured to configure an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device, and the NAT-processed public network address information corresponding to the second CPE.
In the above solution, the first processing module is configured to receive a type of the second NAT device sent by the server.
In the above scheme, the first processing module is further configured to send a first test packet to the server; the first test message is used for requesting the server to send a first result message;
and receive the first result message sent by the server, determine, based on the first result message, the type of the NAT device connected to the first CPE, and send the determined type to the server.
In an embodiment, in a case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT; the first processing module is specifically configured to receive a message sent by the second CPE;
and determining public network address information after NAT corresponding to the second CPE based on the received message.
In the above scheme, the first processing module is further configured to send a second test packet to the server; the second test message is used for determining public network address information after NAT corresponding to the first CPE by the server.
Specifically, the first processing module is further configured to send a message with a target address being any address based on the configured IPSEC tunnel; and the message with the target address being any address is used for punching holes in the first NAT equipment.
Specifically, the second processing module is configured to configure an encapsulation mode of the IPSEC tunnel as a tunnel mode, and configure the IPSEC tunnel to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In the above scheme, when the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT; the first processing module is specifically configured to receive NAT-processed public network address information corresponding to the second CPE sent by the server.
In the above scheme, the first processing module is further configured to send a message to the second CPE; the sent message is used for the second CPE to determine public network address information after NAT corresponding to the first CPE.
The second processing module is configured to configure an encapsulation mode of the IPSEC tunnel as a tunnel mode and configure the IPSEC tunnel to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In the above solution, in the case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or in the case where the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT; the first processing module is specifically configured to receive NAT-processed public network address information corresponding to the second CPE sent by the server.
In the above scheme, the second processing module is configured to configure an encapsulation mode of the IPSEC tunnel as a tunnel mode, and configure to use a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In the above scheme, the first processing module is further configured to send a message based on the configured IPSEC tunnel and tunnel address information, where the sent message is used to punch a hole in the first NAT device.
In the above scheme, the NAPT includes at least one of the following: symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
In the above scheme, the tunnel address information includes at least one of the following:
private network address information of the first CPE and public network address information after NAT corresponding to the second CPE.
In the above scheme, the public network address information includes: public network address and port number.
In the above scheme, the message includes: IP header, UDP header, authentication portion, ESP authentication;
wherein the authentication section includes: an ESP header and an encryption section; the encryption section includes: original IP header, TCP, DATA, ESP tail.
The embodiment of the invention also provides a NAT traversal device, which is applied to the server and comprises a third processing module, a fourth processing module and a fifth processing module; wherein
the third processing module is configured to determine a type of the first NAT device and a type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
the fourth processing module is configured to send, to the first CPE, a type of the second NAT device; transmitting the type of the first NAT device to the second CPE;
the fifth processing module is configured to determine NAT-processed public network address information corresponding to the first CPE and send the NAT-processed public network address information corresponding to the first CPE to the second CPE when the type of the first NAT device and the second NAT device satisfy preset conditions; and/or determining public network address information after NAT corresponding to the second CPE, and sending the public network address information after NAT corresponding to the second CPE to the first CPE;
the public network address information is used for configuring an IPSEC tunnel and tunnel address information.
In the above solution, the fifth processing module is configured to determine the NAT-processed public network address information corresponding to the first CPE and send the NAT-processed public network address information corresponding to the first CPE to the second CPE when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT.
In the above solution, the fifth processing module is configured to determine the NAT-processed public network address information corresponding to the second CPE and send the NAT-processed public network address information corresponding to the second CPE to the first CPE when the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT.
In the above solution, the fifth processing module is configured to determine, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or when the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT, the NAT-processed public network address information corresponding to the first CPE, and send the NAT-processed public network address information corresponding to the first CPE to the second CPE; and determining the public network address information after NAT corresponding to the second CPE, and sending the public network address information after NAT corresponding to the second CPE to the first CPE.
In the above scheme, the NAPT includes at least one of the following:
symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
In the above scheme, the public network address information includes: public network address and port number.
In the above scheme, the third processing module is configured to receive a first test packet sent by the first CPE and send a first result packet based on the first test packet, the first result packet being used by the first CPE to determine the type of the first NAT device connected to it, and to receive, from the first CPE, the type of the first NAT device connected to it;
and to receive a third test message sent by the second CPE and send a second result message based on the third test message, the second result message being used by the second CPE to determine the type of the second NAT device connected to it, and to receive, from the second CPE, the type of the second NAT device connected to it.
In the above scheme, the third processing module is further configured to receive a second test packet sent by the first CPE; determining public network address information after NAT corresponding to the first CPE based on a second test message sent by the first CPE;
the third processing module is further configured to receive a fourth test packet sent by the second CPE; and determining public network address information after NAT corresponding to the second CPE based on a fourth test message sent by the second CPE.
The embodiment of the invention also provides an electronic device, which comprises a memory, a processor and a computer program stored on the memory and capable of running on the processor, wherein the processor, when executing the program, implements the steps of the NAT traversal method of any one of the above first CPE sides, or the steps of the NAT traversal method of any one of the above server sides.
The embodiment of the invention also provides a computer readable storage medium on which a computer program is stored, which, when executed by a processor, implements the steps of the NAT traversal method of any one of the above first CPE sides, or the steps of the NAT traversal method of any one of the above server sides.
The NAT traversal method, the NAT traversal device, the electronic device and the storage medium provided by the embodiment of the invention determine the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE, where the first NAT device is connected to the first CPE and the second NAT device is connected to the second CPE, and configure an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE. By adopting the technical scheme of the embodiment of the invention, the IPSEC tunnel can be established in the scenario where both ends are connected to NAT devices, that is, where neither end has a public network address of its own.
Drawings
Fig. 1 is a diagram of an existing IPSEC tunnel establishment architecture;
Fig. 2 is another architecture diagram of the existing IPSEC tunnel establishment;
Fig. 3 is a schematic flow chart of a NAT traversal method according to an embodiment of the present invention;
Fig. 4 is a schematic flow chart of another NAT traversal method according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of a scenario in which one end traverses NAT according to an embodiment of the present invention;
Fig. 6 is a flowchart of another NAT traversal method according to an embodiment of the present invention;
Fig. 7 is a schematic structural diagram of a second packet according to an embodiment of the present invention;
Fig. 8 is a schematic structural diagram of a third packet according to an embodiment of the present invention;
Fig. 9 is a schematic structural diagram of a NAT traversal apparatus according to an embodiment of the present invention;
Fig. 10 is a schematic structural diagram of another NAT traversal apparatus according to an embodiment of the present invention;
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
Before the present invention is described in further detail with reference to the embodiments, the related art of the IPSEC tunnel is described.
An IPSEC tunnel running over a public network must have a public network address at at least one of its two ends; otherwise the tunnel cannot be established. Fig. 1 is a diagram of an existing IPSEC tunnel establishment architecture; in each of the two tunnels shown in Fig. 1, at least one end has a public network address (no NAT device is connected), so an IPSEC tunnel can be established.
Fig. 2 is another architecture diagram of the existing IPSEC tunnel establishment; as shown in Fig. 2, neither end has a public network address (both are connected to NAT devices), so the IPSEC tunnel cannot actually be established.
The present invention will be described in further detail with reference to examples.
Fig. 3 is a schematic flow chart of a NAT traversal method according to an embodiment of the present invention; as shown in fig. 3, the NAT traversal method is applied to the first CPE; the method comprises the following steps:
step 301, determining a type of the first NAT device, a type of the second NAT device, and NAT-processed public network address information corresponding to the second CPE; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
step 302, configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device, and the NAT-processed public network address information corresponding to the second CPE.
Specifically, the determining the type of the second NAT device includes:
and receiving the type of the second NAT equipment transmitted by the server.
The second CPE determines the type of the NAT device connected to it through the corresponding NAT type detection interaction with the server and sends the result to the server, so that the server can send the type of the second NAT device to the first CPE based on the received result.
Specifically, the method further comprises:
sending a first test message to a server; the first test message is used for requesting the server to send a first result message;
and receiving the first result message sent by the server, determining, based on the first result message, the type of the NAT device connected to the first CPE, and sending the determined type to the server.
Here, the first CPE determines the type of the NAT device connected to itself (i.e., the first NAT device) through the corresponding NAT type detection interaction with the server (sending the first test message and receiving the first result message).
Specifically, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT, determining the post-NAT public network address information corresponding to the second CPE includes:
receiving a message sent by a second CPE;
and determining public network address information after NAT corresponding to the second CPE based on the received message.
Here, the received packet includes or carries the post-NAT public network address information corresponding to the second CPE.
That is, the second CPE sends a message that includes or carries an address; the message reaches the first CPE after passing through the NAT, and the address it then shows is the post-NAT public network address information corresponding to the second CPE, so the first CPE can determine that information from the received message.
Specifically, the method further comprises:
sending a second test message to the server; the second test message is used by the server to determine the public network address information after NAT corresponding to the first CPE.
That is, the first CPE sends a message that includes or carries an address; the message passes through the NAT before it is received by the server, so the address seen by the server is the public network address information after NAT corresponding to the first CPE. The server can therefore determine that public network address information from the received message.
Specifically, the method further comprises:
sending, based on the configured IPSEC tunnel, a message whose destination address is any address; the message whose destination address is any address is used to punch a hole in the first NAT device.
Specifically, the configuring IPSEC tunnel and tunnel address information includes:
configuring an encapsulation mode of an IPSEC tunnel as a tunnel mode and configuring to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
Here, the working modes of the IPSEC tunnel include a tunnel (tunnel) mode, in which the entire IP packet sent by the CPE is used to calculate an authentication header (AH, Authentication Header) or an encapsulating security payload (ESP, Encapsulating Security Payload) header, and the AH or ESP header together with the ESP-encrypted data is encapsulated in a new IP packet. Typically, tunnel mode applies to communication between two gateways.
NAT-T mode refers to encapsulating ESP protocol packets into user datagram protocol (UDP, User Datagram Protocol) packets (adding a new IP header and a UDP header in front of the IP header of the original ESP protocol packet), so that NAT treats the packet as an ordinary UDP packet; this allows the ESP transmission mode to coexist with NAT in a one-to-many fashion.
Specifically, with the NAT-T mode adopted, the transmitted message comprises: an internet protocol (IP, Internet Protocol) header, a user datagram protocol (UDP) header, an authentication portion, and an encapsulating security payload (ESP) authentication field;
wherein the authentication portion includes an ESP header and an encryption portion, and the encryption portion includes the original IP header, the transmission control protocol (TCP, Transmission Control Protocol) header, the data (DATA), and the ESP trailer.
Specifically, in the case that the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT, the determining the public network address information after NAT corresponding to the second CPE includes:
receiving, from the server, the public network address information after NAT corresponding to the second CPE.
Here, the server determines the public network address information after NAT corresponding to the second CPE, and may send it to the first CPE.
Specifically, the method further comprises:
sending a message to a second CPE; the sent message is used for the second CPE to determine public network address information after NAT corresponding to the first CPE.
The first CPE sends a message to the second CPE, the sent message carries corresponding address information, the message is received by the second CPE after passing through the NAT, and the address determined by the second CPE based on the message is public network address information corresponding to the first CPE after passing through the NAT.
Specifically, the configuring IPSEC tunnel and tunnel address information includes:
configuring an encapsulation mode of an IPSEC tunnel as a tunnel mode and configuring to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information after NAT corresponding to the second CPE.
It should be noted that the first CPE in the case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT corresponds to the second CPE in the case where the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT;
and the second CPE in the former case corresponds to the first CPE in the latter case.
The above description thus covers the operations performed by the CPEs at both ends in both cases.
Specifically, in the case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or in the case where the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT, the determining the public network address information after NAT corresponding to the second CPE includes:
receiving, from the server, the public network address information after NAT corresponding to the second CPE.
Specifically, the configuring IPSEC tunnel and tunnel address information includes:
configuring an encapsulation mode of an IPSEC tunnel as a tunnel mode and configuring to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
Specifically, the method further comprises:
and sending a message based on the configured IPSEC tunnel and tunnel address information, where the sent message is used to punch a hole in the first NAT device.
Specifically, the NAPT includes at least one of: symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
It should be noted that the first CPE in the case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT corresponds to the second CPE in the case where the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT; conversely, the second CPE in the former case corresponds to the first CPE in the latter case.
In the case where the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or in the case where the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT, the first CPE and the second CPE operate the same.
Specifically, the tunnel address information includes at least one of:
private network address information of the first CPE and public network address information after NAT corresponding to the second CPE.
Specifically, the public network address information includes: public network address and port number.
Specifically, the message includes: an internet protocol (IP) header, a user datagram protocol (UDP) header, an authentication portion, and an encapsulating security payload (ESP) authentication field;
wherein the authentication portion includes an ESP header and an encryption portion, and the encryption portion includes the original IP header, the transmission control protocol (TCP) header, the data (DATA), and the ESP trailer.
Fig. 4 is a schematic flow chart of a NAT traversal method according to an embodiment of the present invention; as shown in fig. 4, the NAT traversal method is applied to a server, and the method includes:
step 401, determining the type of the first NAT device and the type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
step 402, sending the type of the second NAT device to the first CPE, and sending the type of the first NAT device to the second CPE;
step 403, when the types of the first NAT device and the second NAT device meet a preset condition, determining the public network address information after NAT corresponding to the first CPE and sending it to the second CPE; and/or determining the public network address information after NAT corresponding to the second CPE and sending it to the first CPE;
the public network address information is used for configuring an IPSEC tunnel and tunnel address information.
Specifically, in the case that the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT (i.e., the types of the first and second NAT devices satisfy one preset condition), the public network address information after NAT corresponding to the first CPE is determined and sent to the second CPE.
Specifically, in the case that the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT (i.e., the types satisfy another preset condition), the public network address information after NAT corresponding to the second CPE is determined and sent to the first CPE.
Specifically, in the case that the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT (i.e., the types satisfy yet another preset condition), the public network address information after NAT corresponding to the first CPE is determined and sent to the second CPE; and the public network address information after NAT corresponding to the second CPE is determined and sent to the first CPE.
Specifically, the NAPT includes at least one of:
symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
Specifically, the public network address information includes: public network address and port number.
Specifically, the determining the type of the first NAT device and the type of the second NAT device includes:
receiving a first test message sent by the first CPE, and sending a first result message based on the first test message, the first result message being used by the first CPE to determine the type of the first NAT device connected to it; and receiving, from the first CPE, the type of the first NAT device connected to it;
receiving a third test message sent by the second CPE, and sending a second result message based on the third test message, the second result message being used by the second CPE to determine the type of the second NAT device connected to it; and receiving, from the second CPE, the type of the second NAT device connected to it.
Specifically, the determining the public network address information after NAT corresponding to the first CPE includes:
receiving a second test message sent by the first CPE; determining public network address information after NAT corresponding to the first CPE based on a second test message sent by the first CPE;
the determining public network address information after NAT corresponding to the second CPE includes:
receiving a fourth test message sent by the second CPE; and determining public network address information after NAT corresponding to the second CPE based on a fourth test message sent by the second CPE.
The second test message and the fourth test message have the same function: the public network address information after NAT corresponding to the first CPE is determined from the second test message sent by the first CPE, and the public network address information after NAT corresponding to the second CPE is determined from the fourth test message sent by the second CPE.
NAT traversal at both ends is described in detail below in conjunction with the methods shown in fig. 3 and 4.
In an embodiment, the two ends include a CPEA and a CPEB, where the CPEA is connected to a first NAT device, and the type of the first NAT device is a full cone NAT; the CPEB is connected with a second NAT device, and the type of the second NAT device is basic NAT; the method for NAT traversal at the two ends comprises the following steps:
step 01, the CPEA interacts with the server (specifically, sends a first test message) to determine the type of the first NAT device, and sends the type of the first NAT device to the server; the CPEB interacts with the server (specifically, sends a third test message) to determine the type of the second NAT device, and sends the type of the second NAT device to the server;
step 02, the server sends the type of the second NAT equipment to the CPEA; transmitting the type of the first NAT device to the CPEB;
step 03, the server determines public network address information after NAT corresponding to CPEA based on the second test message, and sends the public network address information after NAT corresponding to CPEA to CPEB;
step 04, the CPEA configures an IPSEC tunnel with tunnel mode encapsulation and NAT-T mode enabled, the source address being the local private network address and the internet key exchange (IKE, Internet Key Exchange) port number (4500); based on this configuration, it sends a message whose destination address is any address, in order to punch a hole in the first NAT device;
step 05, the CPEB configures an IPSEC tunnel with tunnel mode encapsulation and NAT-T mode enabled, the source address being the local private network address and port number AAA (after passing through the NAT device of basic NAT type, the port number is still AAA); based on this configuration, it sends a message to the CPEA;
step 06, after the CPEA receives the message sent by the CPEB, determining public network address information corresponding to the CPEB after NAT;
and step 07, carrying out conventional message interaction between CPEA and CPEB through an IPSEC tunnel.
In another embodiment, the two ends include a CPEA and a CPEB, the CPEA is connected to a first NAT device, and the type of the first NAT device is a full cone NAT; the CPEB is connected with a second NAT device, and the type of the second NAT device is NAPT; the method for NAT traversal at the two ends comprises the following steps:
step 11, the CPEA interacts with the server (specifically, sends a first test message) to determine the type of the first NAT device, and sends the type of the first NAT device to the server; the CPEB interacts with the server (specifically, sends a third test message) to determine the type of the second NAT device, and sends the type of the second NAT device to the server;
step 12, the server sends the type of the second NAT equipment to the CPEA; transmitting the type of the first NAT device to the CPEB;
step 13, the server determines the public network address information after NAT corresponding to the CPEA based on the second test message (the first test message may also be used directly), and sends the public network address information after NAT corresponding to the CPEA to the CPEB;
step 14, the server determines the public network address information after NAT corresponding to the CPEB based on the fourth test message (the third test message may also be used directly), and sends the public network address information after NAT corresponding to the CPEB to the CPEA;
step 15, the server sends the CPEA a message informing it only of the public network address information after NAT corresponding to the CPEB, and sends the CPEB a message informing it only of the public network address information after NAT corresponding to the CPEA;
here, the public network address information after NAT corresponding to the CPEB specifically includes: the public network address and port number BBB (the port number before NAT translation is AAA);
and the public network address information after NAT corresponding to the CPEA specifically includes: the public network address and port number CCC (the port number before NAT translation is the IKE port number 4500);
step 16, the CPEA configures IPSEC with tunnel mode encapsulation and NAT-T mode enabled; based on this configuration, it sends a message whose source address is the local private network address and the IKE port number 4500 and whose destination address is the public network address and port number BBB after NAT corresponding to the CPEB; the sent message is used to punch a hole in the NAT device connected to the CPEA;
step 17, the CPEB configures IPSEC with tunnel mode encapsulation and NAT-T mode enabled; based on this configuration, it sends a message whose source address is the local private network address and port number AAA and whose destination address is the public network address and port CCC after NAT corresponding to the CPEA (the port number before NAT is the IKE port number 4500); the sent message is used to punch a hole in the NAT device connected to the CPEB;
and step 18, through the above configuration, an IPSEC tunnel is established between the CPEA and the CPEB, and conventional messages are forwarded between the CPEA and the CPEB through the IPSEC tunnel.
Here, each type of NAT in the methods shown in fig. 3 and 4 will be described.
NAT can be broadly divided into two categories: basic NAT and NAPT (Network Address Port Translation); wherein
the basic NAT is generally suited to statically binding a public network address to an intranet host in a situation where the NAT device has a plurality of public network internet protocol (IP, Internet Protocol) addresses (hereinafter referred to as public network addresses); NAT devices of this type are relatively few.
The NAPT is the commonly used NAT type; it maps an internal address to a separate IP address in the external network and adds a port number selected by the NAT device to that address. According to the mapping mode, NAPT can be classified into symmetric NAT and cone NAT, where the cone NAT includes: full cone NAT, address restricted cone NAT, and port restricted cone NAT.
Specifically, NAPT is the most commonly used NAT category in public networks, and is divided into the following four categories:
1. symmetric NAT (Symmetric NAT)
The symmetric NAT maps all requests from the same intranet address and port to the same destination address and port to the same public network address and port. If the same intranet host uses the same intranet address and port to send a message to another destination address, a different mapping is used. Unlike a port restricted cone NAT, which maps all requests to the same public network IP address and port, a symmetric NAT maps different requests differently.
2. Full cone NAT (Full Cone NAT)
The full cone NAT maps all requests from one internal IP address and port to the same external IP address and port. And any external host can realize communication with the internal host by sending a message to the mapped external address. This is a relatively loose strategy, and as long as the mapping relationship between the IP address and port of the internal network and the IP address and port of the public network is established, all hosts on the Internet can access hosts behind the NAT device.
3. Address restricted cone NAT (Address Restricted Cone NAT)
The address restricted cone NAT also maps all requests from the same internal IP address and port to the same public network IP address and port. However, unlike a full cone NAT, a public network host (address) can send a message to the intranet host if and only if the intranet host has previously sent a message to that public network host address.
4. Port restricted cone NAT (Port Restricted Cone NAT)
The port restricted cone NAT is similar to the address restricted cone NAT, but stricter: it adds a restriction on the port number, so that a public network host (address and port number) can communicate with the intranet host only if the intranet host has previously sent a message to that public network host address and port number.
The operation modes of the IPSec tunnel are described below; there are two:
1. Transport (transport) mode: only the transport layer data is used to calculate the AH or ESP header, which is placed after the original IP header. Typically, transport mode applies to communication between two hosts, or between a host and a gateway.
2. Tunnel (tunnel) mode: the entire user IP packet is used to calculate the AH or ESP header, and the AH or ESP header together with the encrypted user data is encapsulated in a new IP packet. In general, tunnel mode applies to communication between two gateways (this is the mode adopted herein).
In the conventional tunnel mode of ESP, NAT alters only the outer IP header and not the encrypted original IP header, so ESP can coexist with NAT in this case, but only in a one-to-one fashion.
NAT-T allows the ESP transmission mode to coexist with NAT in a one-to-many fashion by encapsulating ESP protocol packets into UDP packets (adding a new IP header and a UDP header in front of the IP header of the original ESP protocol packet), so that NAT treats them as ordinary UDP packets. The final data forwarding message format is shown in fig. 5.
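The NAT-T message layout described above (IP header, UDP header, ESP header, encrypted portion, ESP authentication), as an added Python example that is not part of the patent: it builds the outer IP and UDP headers in front of an ESP packet, shows that a NAPT rewrites only that outer (IP, port) while the SPI, sequence number and encrypted portion pass through untouched, and classifies what arrives on UDP port 4500 (ESP, an IKE message behind the RFC 3948 non-ESP marker, or a keepalive). Addresses, the SPI and the stand-in ciphertext are constructed, and the encrypted portion is treated as opaque bytes, so no ESP encryption is actually performed.

```python
import socket
import struct
from dataclasses import dataclass
from typing import Optional

NAT_T_PORT = 4500                     # the IKE port 4500 used by NAT-T in the text
NON_ESP_MARKER = b"\x00\x00\x00\x00"  # RFC 3948: a zero SPI field marks an IKE message on 4500
NAT_KEEPALIVE = b"\xff"               # RFC 3948: one-byte keepalive that keeps the NAT mapping open


def _checksum(data: bytes) -> int:
    """Internet checksum (ones' complement sum of 16-bit words); yields 0 over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


@dataclass
class NatTDatagram:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    kind: str            # "esp", "ike" or "keepalive"
    spi: Optional[int]   # ESP only
    seq: Optional[int]   # ESP only
    body: bytes          # ESP: encrypted portion + ICV (opaque to the NAT); IKE: the IKE message


def build_esp_in_udp(spi: int, seq: int, encrypted_part: bytes, icv: bytes) -> bytes:
    """UDP payload of a NAT-T ESP packet: ESP header (SPI, sequence), encrypted portion, ESP auth."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved: it would be mistaken for the non-ESP marker")
    return struct.pack("!II", spi, seq) + encrypted_part + icv


def build_outer_headers(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                        udp_payload: bytes) -> bytes:
    """Prepend the new IP header and UDP header that NAT-T adds in front of the ESP packet."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(udp_payload)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    udp_csum = _checksum(pseudo + udp_hdr + udp_payload) or 0xFFFF  # 0 means "no checksum" in UDP
    udp_hdr = struct.pack("!HHHH", src_port, dst_port, udp_len, udp_csum)
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64,
                         socket.IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", _checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + udp_payload


def napt_rewrite_source(frame: bytes, public_ip: str, public_port: int) -> bytes:
    """What the NAT device does to an outgoing NAT-T datagram: rewrite only the outer source."""
    ihl = (frame[0] & 0x0F) * 4
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    dst_ip = socket.inet_ntoa(frame[16:20])
    udp_payload = frame[ihl + 8:ihl + udp_len]   # ESP header and encrypted portion pass through unchanged
    return build_outer_headers(public_ip, dst_ip, public_port, dst_port, udp_payload)


def parse_nat_t_datagram(frame: bytes) -> NatTDatagram:
    """Classify a datagram on UDP 4500 the way a NAT or a monitoring sensor sees it."""
    if len(frame) < 28 or frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 datagram")
    ihl = (frame[0] & 0x0F) * 4
    if _checksum(frame[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if frame[9] != socket.IPPROTO_UDP:
        raise ValueError("NAT-T carries ESP inside UDP only")
    src_ip, dst_ip = socket.inet_ntoa(frame[12:16]), socket.inet_ntoa(frame[16:20])
    src_port, dst_port, udp_len, udp_csum = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    segment = frame[ihl:ihl + udp_len]
    pseudo = frame[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    if udp_csum and _checksum(pseudo + segment) != 0:
        raise ValueError("bad UDP checksum")
    if NAT_T_PORT not in (src_port, dst_port):
        raise ValueError("not NAT-T traffic")
    payload = segment[8:]
    if payload == NAT_KEEPALIVE:
        return NatTDatagram(src_ip, dst_ip, src_port, dst_port, "keepalive", None, None, b"")
    if payload[:4] == NON_ESP_MARKER:
        return NatTDatagram(src_ip, dst_ip, src_port, dst_port, "ike", None, None, payload[4:])
    if len(payload) < 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", payload[:8])
    return NatTDatagram(src_ip, dst_ip, src_port, dst_port, "esp", spi, seq, payload[8:])


if __name__ == "__main__":
    # Constructed sample: the encrypted portion stands in for inner IP + TCP + DATA + ESP trailer.
    inner = build_esp_in_udp(0xC0FFEE, 1, bytes(range(32)), b"\xaa" * 16)
    private = build_outer_headers("10.0.0.2", "198.51.100.20", NAT_T_PORT, NAT_T_PORT, inner)
    public = napt_rewrite_source(private, "203.0.113.1", 40001)
    print(parse_nat_t_datagram(private))
    print(parse_nat_t_datagram(public))
```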
Fig. 6 is a flowchart of another NAT traversal method according to an embodiment of the present invention; as shown in fig. 6, in order to implement NAT traversal at two ends of an IPSEC tunnel, a NAT traversal method according to an embodiment of the present invention includes: detecting the type of the NAT equipment; after determining the type of the NAT equipment, configuring an IPSEC tunnel and related address information of the CPE according to the type of the NAT equipment.
The detecting the type of the NAT device includes: in combination with other protocols (the protocols involved in interacting with the NAT detection server, such as the IP protocol), the client-side gateways CPEA and CPEB each exchange messages with the server for NAT detection (equivalent to the server in the methods shown in fig. 3 and 4; a free public network server may be used, or the controller may take on this role), and detect the types of the NAT devices that the CPEA and the CPEB respectively need to traverse, namely the type of the NAT device connected to the CPEA and the type of the NAT device connected to the CPEB.
The configuring the IPSEC tunnel and the related address information comprises the following steps:
configuring IPSEC to adopt a tunnel mode;
configuring tunnel address information; for each CPE, the tunnel address information includes: private network address of home terminal, public network address after NAT of opposite terminal.
The following describes the method of the embodiment of the present invention described above using different types of NAT devices.
In the first embodiment, after the message interaction with the NAT probe server, the type of the NAT device connected to the CPEA is determined to be the basic NAT, and the type of the NAT device connected to the CPEB is determined to be the basic NAT.
The NAT traversal method comprises the following steps:
step 111, the NAT probe server sends a first message to the CPEB, informing it of the public network address information after NAT corresponding to the CPEA that the NAT probe server has recorded (including the public network address and port number CCC, the port number before translation being the IKE port number 4500);
step 112, the CPEA configures IPSEC with "tunnel mode" encapsulation, enables NAT-T mode, and configures and sends a second message; the source address information of the second message includes the local private network address and the IKE port number 4500, and its destination address is any address; here, a message whose destination address is any address is configured in order to punch a hole in the NAT device connected to the CPEA;
step 113, the CPEB configures IPSEC with "tunnel mode" encapsulation, enables NAT-T mode, and configures a third message, where the source address information of the third message includes the local private network address and port number AAA, and the destination address is the public network address and port number CCC after NAT corresponding to the CPEA (the port number before NAT is the IKE port number 4500); the CPEB sends the third message to the CPEA, so that after receiving it the CPEA obtains, based on the third message, the public network address and port after NAT corresponding to the CPEB;
step 114, through the above configuration, an IPSEC tunnel is established between the CPEA and the CPEB, and conventional messages are forwarded between the CPEA and the CPEB through the IPSEC tunnel.
In the second embodiment, after the message interaction with the NAT probe server, the type of the NAT device connected to the CPEA is determined to be a full cone NAT, and the type of the NAT device connected to the CPEB is determined to be a full cone NAT. The NAT traversal method comprises the following steps:
step 211, the NAT probe server sends a first message to the CPEA, informing it of the public network address information after NAT corresponding to the CPEB that the NAT probe server has recorded, which specifically includes: the public network address and port number BBB (the port number before NAT translation is AAA);
step 212, the NAT probe server sends a message to the CPEB, informing it of the public network address information after NAT corresponding to the CPEA that the NAT probe server has recorded, which specifically includes: the public network address and port number CCC (the port number before NAT translation is the IKE port number 4500);
step 213, the CPEA configures IPSEC with "tunnel mode" encapsulation and enables NAT-T mode; the source address is the local private network address and IKE port 4500, and the destination address is the public network address and port BBB after NAT corresponding to the CPEB; based on this configuration, a second message is sent, which is used to punch a hole in the NAT device connected to the CPEA;
fig. 7 is a schematic structural diagram of the second message according to an embodiment of the present invention; as shown in fig. 7, the source address of the second message is the local private network address and IKE port 4500, and the destination address is the public network address and port BBB after NAT corresponding to the CPEB (the port number before NAT is AAA).
step 214, the CPEB configures IPSEC with "tunnel mode" encapsulation and enables NAT-T mode; the source address is the local private network address and port number AAA, and the destination address is the public network address and port CCC after NAT corresponding to the CPEA (the port number before NAT is the IKE port number 4500); based on this configuration, a third message is sent, which is used to punch a hole in the NAT device connected to the CPEB;
fig. 8 is a schematic structural diagram of the third message according to an embodiment of the present invention; as shown in fig. 8, the source address of the third message is the local private network address and port number AAA (the port number is BBB after NAT translation), and the port number of the destination address is port CCC (the port number before NAT is the IKE port number 4500).
Step 215, through the above configuration, an IPSEC tunnel is established between the CPEA and the CPEB, and conventional message forwarding is performed between the CPEA and the CPEB through the IPSEC tunnel.
In the third embodiment, after the message interaction with the NAT probe server, the type of the NAT device connected to the CPEA is determined to be a full cone NAT, and the type of the NAT device connected to the CPEB is determined to be an address limited cone NAT.
Here, the address restricted cone NAT maps IP packets from the same source address and port to the same mapping (i.e., all requests from the same internal IP address and port are mapped to the same public network IP address and port); however, unlike a full cone NAT, a public network host can send a message to the intranet host if and only if the intranet host has previously sent a message to that public network host address.
For the scenario where the NAT device connected to the CPEB is an address restricted cone NAT, the same method as in the above embodiment is used.
In the fourth embodiment, after the message interaction with the NAT probe server, it is determined that the type of the NAT device connected to the CPEA is a full cone NAT, and the type of the NAT device connected to the CPEB is a port limited cone NAT.
Here, the port restricted cone NAT likewise maps IP packets from the same source address and port to the same mapping (i.e., all requests from the same internal IP address and port are mapped to the same public network IP address and port); however, it adds a restriction on the port number, and a public network host can communicate with the intranet host if and only if the intranet host has previously sent a message to that public network host address and port number.
For the scenario where the NAT device connected to the CPEB is a port restricted cone NAT, the same method as in the above embodiment is used.
In the fifth embodiment, after the message interaction with the NAT probe server, the type of the NAT device connected to the CPEA is determined to be a full cone NAT, and the type of the NAT device connected to the CPEB is determined to be a symmetric NAT.
Here, the symmetric NAT will map all requests from the same internal IP address and port to the same public network IP address and port. If the same intranet host uses the same intranet address and port to send a message to another destination address, different mappings are used.
The type of the NAT device connected to the CPEA is a full cone NAT, which is a looser strategy: as long as the mapping between the internal IP address and port and the public network IP address and port has been established (i.e., after the hole in the NAT device connected to the CPEA has been punched successfully), all hosts on the Internet can access the host behind the NAT (i.e., the CPEA);
that is, the destination address used by the CPEB is always the public network address and port number CCC after NAT corresponding to the CPEA. Therefore, for the scenario where the NAT device connected to the CPEB is a symmetric NAT, the same method as in the above embodiment may be used.
Detection of the NAT device type is described further below.
Taking the NAT device connected to CPEA as an example (the detection method for the NAT device connected to CPEB is the same, so only one of them is described), the NAT probe server receives a first test message sent by CPEA; the first test message carries the address information (IP address and port) of CPEA, and after the first test message is received the following steps are performed.
First step: detecting whether the CPE is located behind a NAT;
The CPEA client creates a UDP socket and sends a packet (that is, the first test message mentioned above) to the server's (IP-1, Port-1), where the server also has a UDP socket established, asking the server to return the address information (IP and Port) it observed for the CPE; the client starts receiving immediately after sending the request, and a socket Timeout (300 ms) can be set to prevent indefinite blocking; this process is repeated several times. If no response from the server is received and every attempt times out, CPEA cannot perform UDP communication, which may mean that a firewall or NAT device is blocking UDP.
When the CPEA client does receive the server's response, it compares the (IP, Port) returned by the server with the (LocalIP, LocalPort) of the CPE socket: if the two are identical, CPEA is determined not to be behind a NAT device; if they differ, CPEA is determined to be behind a NAT device, and the type of the NAT device must be detected further.
Second step: detecting whether the NAT is a full cone NAT;
The CPEA client creates a UDP socket and sends a packet to the server's (IP-1, Port-1), asking the server to reply to the client from another pair (IP-2, Port-2); the server responds to the request and returns a packet; the client starts receiving immediately after sending the request, a socket Timeout (300 ms) can be set to prevent indefinite blocking, and the process is repeated several times. If the response UDP packet returned by the server from (IP-2, Port-2) is received, the NAT is a full cone NAT; if no server response is received and every attempt times out, the NAT device connected to CPEA is not a full cone NAT, its specific type must be detected in the next step, and the next step is carried out.
Third step: detecting whether the NAT device is a symmetric NAT;
The CPEA client creates a UDP socket and sends a packet to the server's (IP-1, Port-1), asking the server to return the client's IP and Port; the client starts receiving immediately after sending the request, a socket Timeout (300 ms) can be set to prevent indefinite blocking, and the process is repeated until a response is received;
a packet is sent to the server's (IP-2, Port-2) in the same way with another socket, again asking the server to return the IP and Port.
The (IP, Port) values returned by the server in the two processes are compared: if they differ, the NAT is a symmetric NAT; otherwise it is a limited cone NAT, and whether it is a port-limited cone NAT is determined in the next detection step;
Fourth step: detecting whether the NAT is an address-limited cone NAT or a port-limited cone NAT;
The CPEA client creates a UDP socket and sends a packet to the server's (IP-1, Port-1), asking the server to send back a UDP packet from IP-1 and a port different from Port-1; the client starts receiving immediately after sending the request, a socket Timeout (300 ms) is set to prevent indefinite blocking, and this process is repeated several times. If no server response is received and every attempt times out, the NAT is a port-limited cone NAT; if the server's response is received, it is an address-limited cone NAT.
The packets sent by the CPEA client described above may be the first test message in fig. 3 and fig. 4, and correspondingly the packets sent by the server are the first result message.
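The four detection steps above form a small decision procedure, and the only way to see whether it separates the NAT types correctly is to run it against each behaviour. The Python simulation below is an added example, not code from the patent: a `SimulatedNat` class models the mapping and filtering rules of each NAT type (with constructed documentation-range addresses standing in for the server's (IP-1, Port-1) and (IP-2, Port-2), and a constructed retry count standing in for repeated 300 ms timeouts), and `probe` runs the four steps from a client socket behind it. Two points go beyond the text and are this example's assumptions: the two probes of the third step are sent from the same local socket, so that a differing public mapping can only come from destination-dependent NAT behaviour, and "UDP blocked" is modelled as a NAT that never forwards. The names `NatType`, `SimulatedNat`, `probe` and `classify_all` are the example's own.

```python
"""Simulation of the four-step NAT type detection (added example, not the
patent's code). Addresses, ports and the NAT behaviour model are constructed."""
from enum import Enum
from itertools import count


class NatType(Enum):
    UDP_BLOCKED = "UDP blocked by firewall or NAT"
    NONE = "not behind a NAT"
    FULL_CONE = "full cone NAT"
    ADDRESS_LIMITED = "address-limited cone NAT"
    PORT_LIMITED = "port-limited cone NAT"
    SYMMETRIC = "symmetric NAT"


# Constructed addresses (documentation ranges) standing in for the probe
# server's (IP-1, Port-1) / (IP-2, Port-2) and the CPE's private socket.
SERVER_IP1, SERVER_IP2 = "203.0.113.10", "203.0.113.11"
PORT1, PORT2 = 3478, 3479
CLIENT_LOCAL = ("192.168.1.20", 5000)


class SimulatedNat:
    """Mapping and filtering behaviour of one NAT type (this example's own model)."""

    def __init__(self, kind, public_ip="198.51.100.7"):
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = count(40000)
        self.mappings = {}   # mapping key -> public (ip, port)
        self.contacted = {}  # public (ip, port) -> set of destinations sent to

    def outbound(self, src, dst):
        """Translate an outgoing packet; returns its public (ip, port), or None if UDP is blocked."""
        if self.kind is NatType.UDP_BLOCKED:
            return None
        if self.kind is NatType.NONE:
            return src
        # A symmetric NAT allocates a new mapping per destination; cone NATs reuse one per source.
        key = (src, dst) if self.kind is NatType.SYMMETRIC else src
        if key not in self.mappings:
            self.mappings[key] = (self.public_ip, next(self.next_port))
        public = self.mappings[key]
        self.contacted.setdefault(public, set()).add(dst)
        return public

    def inbound_allowed(self, public, remote):
        """Filtering rule: may a packet from `remote` reach the host behind `public`?"""
        if self.kind in (NatType.NONE, NatType.FULL_CONE):
            return True
        seen = self.contacted.get(public, set())
        if self.kind is NatType.ADDRESS_LIMITED:
            return any(ip == remote[0] for ip, _ in seen)   # same IP, any port
        return remote in seen                               # port-limited and symmetric: exact (ip, port)


def probe(nat, local=CLIENT_LOCAL, retries=3):
    """Run the four detection steps from a client behind `nat`; returns a NatType."""

    def request(dst, reply_from):
        # Send to `dst` and ask the server to answer from `reply_from`; each attempt the
        # NAT drops stands for one 300 ms timeout. Returns the public (ip, port) the
        # server reported, or None when every attempt timed out.
        for _ in range(retries):
            public = nat.outbound(local, dst)
            if public is not None and nat.inbound_allowed(public, reply_from):
                return public
        return None

    s1, s2 = (SERVER_IP1, PORT1), (SERVER_IP2, PORT2)
    s1_other_port = (SERVER_IP1, PORT2)

    # First step: UDP reachability, and whether the reported address is our own.
    public = request(s1, reply_from=s1)
    if public is None:
        return NatType.UDP_BLOCKED
    if public == local:
        return NatType.NONE
    # Second step: a reply from a different IP and port gets through only a full cone NAT.
    if request(s1, reply_from=s2) is not None:
        return NatType.FULL_CONE
    # Third step: a destination-dependent mapping means a symmetric NAT (same local socket).
    if request(s2, reply_from=s2) != public:
        return NatType.SYMMETRIC
    # Fourth step: same IP, different port separates address-limited from port-limited.
    if request(s1, reply_from=s1_other_port) is not None:
        return NatType.ADDRESS_LIMITED
    return NatType.PORT_LIMITED


def classify_all():
    """Detection result for each modelled behaviour, keyed by the true type."""
    return {kind: probe(SimulatedNat(kind)) for kind in NatType}


if __name__ == "__main__":
    for truth, detected in classify_all().items():
        print(f"{truth.value:32s} -> {detected.value}")
```

Running the module prints one line per modelled type with the type the procedure detected. The point worth noticing is how much the third step depends on reusing the same local socket: a fresh socket would receive a fresh mapping from every NAT type, and the comparison would wrongly report a symmetric NAT.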
The server to which the NAT traversal method of the embodiment of the invention is applied may be an idle server on the public network, or a public network controller may double as it; that is, the public network server or the public network controller is extended with additional functions to implement the scheme.
It should be noted that the above method for detecting the type of NAT device is only one embodiment; in the embodiment of the present invention other detection methods may be used. After the type of the connected NAT device has been determined by detection, the result is sent to the server and then forwarded by the server to the CPE at the opposite end. For example, after CPEA determines the type of its connected NAT device through interaction with the server, CPEA sends the result to the server, and the server may send the result to CPEB; and vice versa.
Fig. 9 is a schematic structural diagram of a NAT traversal apparatus according to an embodiment of the present invention; as shown in fig. 9, the NAT traversal apparatus, applied to a first CPE, includes: a first processing module and a second processing module;
The first processing module is configured to determine a type of the first NAT device, a type of the second NAT device, and NAT-processed public network address information corresponding to the second CPE; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
the second processing module is configured to configure an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device, and the NAT-processed public network address information corresponding to the second CPE.
Specifically, the first processing module is configured to receive a type of the second NAT device sent by the server.
Specifically, the first processing module is further configured to send a first test packet to a server; the first test message is used for requesting the server to send a first result message;
and to receive a first result message sent by the server, determine the type of the NAT device connected to the first CPE based on the first result message, and send the determined type of that NAT device.
In an embodiment, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT, the first processing module is specifically configured to receive a message sent by the second CPE,
and to determine the NAT-translated public network address information corresponding to the second CPE based on the received message.
Specifically, the first processing module is further configured to send a second test packet to the server; the second test message is used for determining public network address information after NAT corresponding to the first CPE by the server.
Specifically, the first processing module is further configured to send, based on the configured IPSEC tunnel, a message whose target address is any address; the message with an arbitrary target address is used to punch a hole in the first NAT device.
Specifically, the second processing module is configured to configure an encapsulation mode of the IPSEC tunnel as a tunnel mode, and configure the IPSEC tunnel to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In an embodiment, when the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT, the first processing module is specifically configured to receive the NAT-translated public network address information corresponding to the second CPE sent by the server.
Specifically, the first processing module is further configured to send a message to a second CPE; the sent message is used for the second CPE to determine public network address information after NAT corresponding to the first CPE.
The second processing module is configured to configure an encapsulation mode of the IPSEC tunnel as a tunnel mode and configure the IPSEC tunnel to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
In an embodiment, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or when the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT, the first processing module is specifically configured to receive the NAT-translated public network address information corresponding to the second CPE sent by the server.
The second processing module is configured to configure an encapsulation mode of the IPSEC tunnel as a tunnel mode and configure the IPSEC tunnel to adopt a NAT-T mode;
configuring a source address in the tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the NAT-translated public network address information corresponding to the second CPE.
The first processing module is further configured to send a message based on the configured IPSEC tunnel and tunnel address information, where the sent message is used to punch a hole in the first NAT device.
Specifically, the NAPT includes at least one of: symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
The tunnel address information includes at least one of:
private network address information of the first CPE and public network address information after NAT corresponding to the second CPE.
The public network address information comprises: public network address and port number.
The message comprises: an IP header, a UDP header, an authentication part and ESP authentication;
wherein the authentication part includes an ESP header and an encrypted part, and the encrypted part includes the original IP header, TCP, DATA and an ESP trailer.
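The message layout just listed is easiest to check by building one and parsing it back. The Python below is an added example, not the patent's code: it lays out an outer IP header, a UDP header on the NAT-T port 4500 (RFC 3948), the ESP header, the encrypted part (the original inner packet followed by the ESP trailer) and the ESP authentication (ICV), and verifies the ICV on receipt. The addresses, SPI, key and inner packet bytes are constructed; the encrypted part is carried unencrypted here because the cipher is not the point being shown, and the ICV algorithm (HMAC-SHA-256 truncated to 128 bits) is an assumption, since the page does not name one. `nat_rewrite` shows why the UDP header sits outside the authenticated region: a NAT rewrites only fields the ICV does not cover, so the message still authenticates after translation, whereas any change inside the authenticated region fails verification. All function names are the example's own.

```python
"""NAT-T (UDP-encapsulated) ESP tunnel-mode message layout (added example,
not the patent's code). Key, SPI, addresses and the inner packet are constructed."""
import hashlib
import hmac
import socket
import struct

NAT_T_PORT = 4500                                    # UDP port for ESP-in-UDP (RFC 3948)
AUTH_KEY = b"constructed-example-integrity-key"      # constructed; not a real key
ICV_LEN = 16                                         # HMAC-SHA-256 truncated to 128 bits (assumption)
IP_HDR, UDP_HDR, ESP_HDR = 20, 8, 8


def ipv4_header(src_ip, dst_ip, payload_len):
    # Minimal outer IPv4 header: version/IHL, TOS, total length, id, flags/fragment,
    # TTL, protocol 17 (UDP), checksum left 0 (constructed), source, destination.
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HDR + payload_len, 0, 0, 64, 17, 0,
                       socket.inet_aton(src_ip), socket.inet_aton(dst_ip))


def udp_header(src_port, dst_port, payload_len):
    # UDP header: source port, destination port, length, checksum (0 = omitted, constructed).
    return struct.pack("!HHHH", src_port, dst_port, UDP_HDR + payload_len, 0)


def esp_trailer(payload, next_header=4):
    """ESP trailer: padding to a 4-byte boundary, pad length, next header (4 = inner IPv4 packet)."""
    pad_len = (-(len(payload) + 2)) % 4
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def compute_icv(authenticated):
    """ESP authentication over the ESP header and the encrypted part only."""
    return hmac.new(AUTH_KEY, authenticated, hashlib.sha256).digest()[:ICV_LEN]


def build_message(src_ip, dst_ip, spi, seq, inner_packet):
    """Outer IP header + UDP header + ESP header + encrypted part + ICV."""
    esp_header = struct.pack("!II", spi, seq)
    encrypted_part = inner_packet + esp_trailer(inner_packet)   # would be ciphertext in practice
    authenticated = esp_header + encrypted_part
    esp = authenticated + compute_icv(authenticated)
    udp = udp_header(NAT_T_PORT, NAT_T_PORT, len(esp)) + esp
    return ipv4_header(src_ip, dst_ip, len(udp)) + udp


def parse_message(datagram):
    """Split the message into its fields and verify the ICV; raises ValueError on failure."""
    ip = struct.unpack("!BBHHHBBH4s4s", datagram[:IP_HDR])
    if ip[6] != 17:
        raise ValueError("outer protocol is not UDP")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[IP_HDR:IP_HDR + UDP_HDR])
    esp = datagram[IP_HDR + UDP_HDR:IP_HDR + udp_len]
    if len(esp) < ESP_HDR + ICV_LEN + 2:
        raise ValueError("truncated ESP")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, compute_icv(authenticated)):
        raise ValueError("ESP authentication failed")
    spi, seq = struct.unpack("!II", authenticated[:ESP_HDR])
    encrypted_part = authenticated[ESP_HDR:]
    pad_len, next_header = encrypted_part[-2], encrypted_part[-1]
    return {
        "src_ip": socket.inet_ntoa(ip[8]), "dst_ip": socket.inet_ntoa(ip[9]),
        "src_port": src_port, "dst_port": dst_port, "spi": spi, "seq": seq,
        "next_header": next_header, "inner": encrypted_part[:len(encrypted_part) - pad_len - 2],
    }


def nat_rewrite(datagram, public_ip, public_port):
    """What the NAT does on the way out: rewrite the outer source IP and UDP source port.
    Neither field is covered by the ICV, which is why the encapsulated message survives NAT."""
    body = bytearray(datagram)
    body[12:16] = socket.inet_aton(public_ip)
    body[IP_HDR:IP_HDR + 2] = struct.pack("!H", public_port)
    return bytes(body)


def authenticates(datagram):
    """True when the ICV verifies, False otherwise."""
    try:
        parse_message(datagram)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    msg = build_message("192.168.1.20", "203.0.113.10", 0x1000, 1, b"inner-ip-tcp-data")  # constructed
    print(parse_message(nat_rewrite(msg, "198.51.100.7", 40000)))
```

The `__main__` block builds a message from a constructed private address, passes it through the NAT rewrite and prints the parsed fields, which still verify; flipping any byte from the SPI onward makes `authenticates` return False.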
Fig. 10 is a schematic structural diagram of another NAT traversal apparatus according to an embodiment of the present invention; as shown in fig. 10, the NAT traversal apparatus is applied to a server, and the apparatus includes a third processing module, a fourth processing module and a fifth processing module; wherein
The third processing module is configured to determine a type of the first NAT device and a type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
the fourth processing module is configured to send, to the first CPE, a type of the second NAT device; transmitting the type of the first NAT device to the second CPE;
the fifth processing module is configured, when the types of the first NAT device and the second NAT device satisfy preset conditions, to determine the NAT-translated public network address information corresponding to the first CPE and send it to the second CPE; and/or to determine the NAT-translated public network address information corresponding to the second CPE and send it to the first CPE;
the public network address information is used for configuring an IPSEC tunnel and tunnel address information.
Specifically, the fifth processing module is specifically configured to determine the NAT-processed public network address information corresponding to the first CPE and send the NAT-processed public network address information corresponding to the first CPE to the second CPE when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT.
Specifically, the fifth processing module is specifically configured to determine the NAT-processed public network address information corresponding to the second CPE and send the NAT-processed public network address information corresponding to the second CPE to the first CPE when the type of the first NAT device is a basic NAT and the type of the second NAT device is a full cone NAT.
Specifically, the fifth processing module is specifically configured to determine, when the type of the first NAT device is a full cone NAT and the type of the second NAT device is a NAPT, or when the type of the first NAT device is a NAPT and the type of the second NAT device is a full cone NAT, the NAT-processed public network address information corresponding to the first CPE, and send the NAT-processed public network address information corresponding to the first CPE to the second CPE; and determining the public network address information after NAT corresponding to the second CPE, and sending the public network address information after NAT corresponding to the second CPE to the first CPE.
Specifically, the NAPT includes at least one of:
symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
Specifically, the public network address information includes: public network address and port number.
Specifically, the third processing module is configured to receive a first test message sent by a first CPE and send a first result message based on the first test message; the first result message is used by the first CPE to determine the type of the first NAT device connected to it; and to receive, from the first CPE, the type of the first NAT device connected to the first CPE;
and to receive a third test message sent by a second CPE and send a second result message based on the third test message; the second result message is used by the second CPE to determine the type of the second NAT device connected to it; and to receive, from the second CPE, the type of the second NAT device connected to the second CPE.
Specifically, the third processing module is further configured to receive a second test packet sent by the first CPE; determining public network address information after NAT corresponding to the first CPE based on a second test message sent by the first CPE;
the third processing module is further configured to receive a fourth test packet sent by the second CPE; and determining public network address information after NAT corresponding to the second CPE based on a fourth test message sent by the second CPE.
Fig. 11 is a schematic structural diagram of an electronic device according to an embodiment of the present invention; as shown in fig. 11, the device 110 includes a processor 1101 and a memory 1102 for storing a computer program capable of running on the processor; when the electronic device is applied to the first CPE, the processor 1101 is configured, when executing the computer program, to perform:
determining the type of the first NAT device, the type of the second NAT device, and the NAT-translated public network address information corresponding to the second CPE; the first NAT device is connected to the first CPE, and the second NAT device is connected to the second CPE;
and configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the NAT-translated public network address information corresponding to the second CPE.
Specifically, the electronic device executes the method shown in fig. 3, which belongs to the same concept as the NAT traversal method embodiment shown in fig. 3, and the detailed implementation process of the electronic device is detailed in the method embodiment, which is not described herein again.
As another embodiment, when the electronic device is applied to a server, the processor 1101 is configured to execute, when running the computer program: determining the type of the first NAT device and the type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
Transmitting the type of the second NAT device to the first CPE; transmitting the type of the first NAT device to the second CPE;
when the types of the first NAT device and the second NAT device meet preset conditions, determining the NAT-translated public network address information corresponding to the first CPE and sending it to the second CPE; and/or determining the NAT-translated public network address information corresponding to the second CPE and sending it to the first CPE;
the public network address information is used for configuring an IPSEC tunnel and tunnel address information.
Specifically, the electronic device executes the method shown in fig. 4, which belongs to the same concept as the NAT traversal method embodiment shown in fig. 4, and the detailed implementation process of the electronic device is detailed in the method embodiment, which is not described herein again.
In practical applications, the device 110 may further include at least one network interface 1103. The components of the electronic device 110 are coupled together by a bus system 1104; the bus system 1104 enables communication between these components. In addition to the data bus, the bus system 1104 includes a power bus, a control bus and a status signal bus, but for clarity of illustration the various buses are labelled as bus system 1104 in fig. 11. There may be one or more processors 1101. The network interface 1103 is used for wired or wireless communication between the electronic device 110 and other devices.
The memory 1102 in embodiments of the present invention is used to store various types of data to support the operation of the electronic device 110.
The method disclosed in the above embodiment of the present invention may be applied to the processor 1101 or implemented by the processor 1101. The processor 1101 may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be performed by integrated logic circuitry in hardware within the processor 1101 or by instructions in software. The processor 1101 may be a general-purpose processor, a Digital Signal Processor (DSP), or another programmable logic device, discrete gate or transistor logic device, discrete hardware component, or the like. The processor 1101 may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present invention. The general-purpose processor may be a microprocessor or any conventional processor. The steps of the method disclosed in the embodiment of the invention may be embodied directly in the hardware of a decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software modules may be located in a storage medium including the memory 1102; the processor 1101 reads information from the memory 1102 and, together with its hardware, performs the steps of the methods described above.
In an exemplary embodiment, the electronic device 110 may be implemented by one or more application specific integrated circuits (ASIC, application Specific Integrated Circuit), DSPs, programmable logic devices (PLD, programmable Logic Device), complex programmable logic devices (CPLD, complex Programmable Logic Device), field-programmable gate arrays (FPGA, field-Programmable Gate Array), general purpose processors, controllers, microcontrollers (MCU, micro Controller Unit), microprocessors (Microprocessor), or other electronic components for performing the aforementioned methods.
The embodiment of the present invention also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a processor, performs: determining the type of the first NAT equipment, the type of the second NAT equipment and public network address information after NAT corresponding to the second CPE; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
and configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the NAT-translated public network address information corresponding to the second CPE. Specifically, when the computer program is executed by the processor, the method shown in fig. 3 is executed, which belongs to the same concept as the NAT traversal method embodiment shown in fig. 3; the detailed implementation process is given in the method embodiment and is not described here again.
A computer readable storage medium provided by an embodiment of the present invention has a computer program stored thereon, and as another implementation manner, the computer program is executed by a processor to perform: determining the type of the first NAT device and the type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
transmitting the type of the second NAT device to the first CPE; transmitting the type of the first NAT device to the second CPE;
when the types of the first NAT device and the second NAT device meet preset conditions, determining the NAT-translated public network address information corresponding to the first CPE and sending it to the second CPE; and/or determining the NAT-translated public network address information corresponding to the second CPE and sending it to the first CPE;
the public network address information is used for configuring an IPSEC tunnel and tunnel address information.
Specifically, when the computer program is executed by the processor, the method shown in fig. 4 may be executed, which belongs to the same concept as the NAT traversal method embodiment shown in fig. 4, and the specific implementation process is detailed in the method embodiment, which is not described herein again.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus and method may be implemented in other ways. The device embodiments described above are only illustrative; for example, the division into units is only one logical functional division, and there may be other divisions in practice, such as: multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the components shown or discussed may be coupled, directly coupled, or communicatively connected to each other through some interface; the indirect coupling or communicative connection between devices or units may be electrical, mechanical, or of another form.
The units described as separate units may or may not be physically separate, and units displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units; some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present invention may be integrated in one processing unit, or each unit may be separately used as one unit, or two or more units may be integrated in one unit; the integrated units may be implemented in hardware or in hardware plus software functional units.
Those of ordinary skill in the art will appreciate that: all or part of the steps for implementing the above method embodiments may be implemented by hardware associated with program instructions, where the foregoing program may be stored in a computer readable storage medium, and when executed, the program performs steps including the above method embodiments; and the aforementioned storage medium includes: a mobile storage device, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a magnetic disk or an optical disk, or the like, which can store program codes.
Alternatively, the above-described integrated units of the present invention may be stored in a computer-readable storage medium if implemented in the form of software functional modules and sold or used as separate products. Based on such understanding, the technical solutions of the embodiments of the present invention may be embodied in essence or a part contributing to the prior art in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute all or part of the methods described in the embodiments of the present invention. And the aforementioned storage medium includes: a removable storage device, ROM, RAM, magnetic or optical disk, or other medium capable of storing program code.
The foregoing is merely illustrative of the present invention, and the present invention is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.

Claims (24)

1. A network address translation (NAT) traversal method applied to a first customer premises equipment (CPE), the method comprising:
determining the type of the first NAT device and the type of the second NAT device; the first NAT equipment is connected with the first CPE, and the second NAT equipment is connected with the second CPE;
when the type of the first NAT device and the type of the second NAT device meet preset conditions, determining NAT-translated public network address information corresponding to the second CPE, configuring the encapsulation mode of an Internet Protocol Security (IPSEC) tunnel as tunnel mode, and configuring the tunnel to use NAT-T mode;
the type of the first NAT device and the type of the second NAT device meeting a preset condition comprises one of the following:
the type of the first NAT equipment is a full cone NAT, and the type of the second NAT equipment is a basic NAT;
The first NAT device is of a full cone NAT type, and the second NAT device is of a full cone NAT type;
the type of the first NAT equipment is a full cone NAT, and the type of the second NAT equipment is an address limiting cone NAT;
the type of the first NAT equipment is a full cone NAT, and the type of the second NAT equipment is a port limiting cone NAT;
the type of the first NAT equipment is a full cone NAT, and the type of the second NAT equipment is a symmetrical NAT;
configuring a source address in tunnel address information based on private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information corresponding to the second CPE after NAT.
2. The method of claim 1, wherein the determining the type of the second NAT device comprises:
and receiving the type of the second NAT equipment transmitted by the server.
3. The method according to claim 2, wherein the method further comprises:
sending a first test message to a server; the first test message is used for requesting the server to send a first result message;
and receiving a first result message sent by the server, determining the type of the NAT device connected to the first CPE based on the first result message, and sending the determined type of that NAT device.
4. The method of claim 1, wherein, if the type of the first NAT device is a full cone NAT and the type of the second NAT device is a basic NAT, determining the NAT-translated public network address information corresponding to the second CPE comprises:
receiving a message sent by a second CPE;
and determining public network address information after NAT corresponding to the second CPE based on the received message.
5. The method according to claim 4, wherein the method further comprises:
sending a second test message to the server; the second test message is used for determining public network address information after NAT corresponding to the first CPE by the server.
6. The method according to claim 4, wherein the method further comprises:
based on the configured IPSEC tunnel, sending a message with a target address being any address; and the message with the target address being any address is used for punching holes in the first NAT equipment.
7. A method according to any one of claims 1 to 3, wherein, if the type of the first NAT device is a full cone NAT and the type of the second NAT device is a network address port translation (NAPT), determining the NAT-translated public network address information corresponding to the second CPE comprises:
receiving, from the server, the NAT-translated public network address information corresponding to the second CPE.
8. The method of claim 7, wherein the method further comprises:
sending a message to a second CPE; the sent message is used for the second CPE to determine public network address information after NAT corresponding to the first CPE.
9. The method according to claim 1, wherein the method further comprises:
and sending a message based on the configured IPSEC tunnel and tunnel address information, wherein the sent message is used for punching holes in the first NAT equipment.
10. The method of claim 7, wherein the NAPT comprises at least one of: symmetric NAT, full cone NAT, address limited cone NAT, port limited cone NAT.
11. The method of claim 1, wherein the tunnel address information comprises at least one of:
private network address information of the first CPE and public network address information after NAT corresponding to the second CPE.
12. The method of claim 11, wherein the public network address information comprises: public network address and port number.
13. The method according to claim 4, 8 or 9, wherein the message comprises: an Internet Protocol (IP) header, a User Datagram Protocol (UDP) header, an authentication part and Encapsulating Security Payload (ESP) authentication;
wherein the authentication part includes an ESP header and an encrypted part, and the encrypted part includes the original IP header, Transmission Control Protocol (TCP), DATA and an ESP trailer.
14. A NAT traversal method for use with a server, the method comprising:
determining the type of a first NAT device and the type of a second NAT device; the first NAT device is connected to a first CPE, and the second NAT device is connected to a second CPE;
sending the type of the second NAT device to the first CPE, and sending the type of the first NAT device to the second CPE;
when the type of the first NAT device and the type of the second NAT device meet a preset condition, determining the public network address information after NAT corresponding to the first CPE and sending it to the second CPE; and/or determining the public network address information after NAT corresponding to the second CPE and sending it to the first CPE;
the public network address information is used for configuring the encapsulation mode of an IPSEC tunnel as tunnel mode, enabling NAT-T mode, and configuring tunnel address information;
the type of the first NAT device and the type of the second NAT device meeting the preset condition comprises one of the following:
the type of the first NAT device is full cone NAT, and the type of the second NAT device is basic NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is full cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is address restricted cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is port restricted cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is symmetric NAT.
15. The method of claim 14, wherein, if the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, the public network address information after NAT corresponding to the first CPE is determined and sent to the second CPE.
16. The method of claim 14, wherein, if the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, the public network address information after NAT corresponding to the first CPE is determined and sent to the second CPE; and the public network address information after NAT corresponding to the second CPE is determined and sent to the first CPE.
17. The method of claim 16, wherein the NAPT comprises at least one of:
symmetric NAT, full cone NAT, address restricted cone NAT, port restricted cone NAT.
18. The method of claim 14, wherein the public network address information comprises: public network address and port number.
19. The method of claim 14, wherein determining the type of the first NAT device and the type of the second NAT device comprises:
receiving a first test message sent by the first CPE, and sending a first result message based on the first test message; the first result message is used by the first CPE to determine the type of the first NAT device connected to it; and receiving, from the first CPE, the type of the first NAT device connected to it;
receiving a third test message sent by the second CPE, and sending a second result message based on the third test message; the second result message is used by the second CPE to determine the type of the second NAT device connected to it; and receiving, from the second CPE, the type of the second NAT device connected to it.
20. The method of claim 14, wherein determining the public network address information after NAT corresponding to the first CPE comprises:
receiving a second test message sent by the first CPE, and determining the public network address information after NAT corresponding to the first CPE based on the second test message;
and determining the public network address information after NAT corresponding to the second CPE comprises:
receiving a fourth test message sent by the second CPE, and determining the public network address information after NAT corresponding to the second CPE based on the fourth test message.
21. A NAT traversal apparatus for use with a first CPE, the apparatus comprising: a first processing module and a second processing module; wherein
the first processing module is configured to determine the type of a first NAT device and the type of a second NAT device; the first NAT device is connected to the first CPE, and the second NAT device is connected to a second CPE;
the second processing module is configured to, when the type of the first NAT device and the type of the second NAT device meet a preset condition, determine the public network address information after NAT corresponding to the second CPE, configure the encapsulation mode of an Internet security protocol (IPSEC) tunnel as tunnel mode, and enable NAT-T mode;
the type of the first NAT device and the type of the second NAT device meeting the preset condition comprises one of the following:
the type of the first NAT device is full cone NAT, and the type of the second NAT device is basic NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is full cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is address restricted cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is port restricted cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is symmetric NAT;
configuring a source address in the tunnel address information based on the private network address information of the first CPE;
and configuring a destination address in the tunnel address information based on the public network address information after NAT corresponding to the second CPE.
22. A NAT traversal apparatus for use with a server, the apparatus comprising: a third processing module, a fourth processing module and a fifth processing module; wherein
the third processing module is configured to determine the type of a first NAT device and the type of a second NAT device; the first NAT device is connected to a first CPE, and the second NAT device is connected to a second CPE;
the fourth processing module is configured to send the type of the second NAT device to the first CPE, and to send the type of the first NAT device to the second CPE;
the fifth processing module is configured to, when the type of the first NAT device and the type of the second NAT device meet a preset condition, determine the public network address information after NAT corresponding to the first CPE and send it to the second CPE; and/or determine the public network address information after NAT corresponding to the second CPE and send it to the first CPE;
the public network address information is used for configuring the encapsulation mode of an IPSEC tunnel as tunnel mode, enabling NAT-T mode, and configuring tunnel address information;
the type of the first NAT device and the type of the second NAT device meeting the preset condition comprises one of the following:
the type of the first NAT device is full cone NAT, and the type of the second NAT device is basic NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is full cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is address restricted cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is port restricted cone NAT;
the type of the first NAT device is full cone NAT, and the type of the second NAT device is symmetric NAT.
23. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor, when executing the program, implements the steps of the method of any one of claims 1 to 13; or
the processor, when executing the program, implements the steps of the method of any one of claims 14 to 20.
24. A computer readable storage medium having stored thereon a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 13; or
the computer program, when executed by a processor, implements the steps of the method of any one of claims 14 to 20.
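The server-side decision of claims 14 to 16 and the CPE-side tunnel configuration of claim 21, worked through in Python as an added example (not code from the patent or its applicant). The NAT-type labels, the `Cpe` record and the documentation-range addresses used in it are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# NAT type labels as named in the claims (string labels chosen for this example).
BASIC_NAT = "basic NAT"
FULL_CONE = "full cone NAT"
ADDR_RESTRICTED = "address restricted cone NAT"
PORT_RESTRICTED = "port restricted cone NAT"
SYMMETRIC = "symmetric NAT"
# Claims 10/17: NAPT covers these four types; basic NAT is listed separately.
NAPT_TYPES = {FULL_CONE, ADDR_RESTRICTED, PORT_RESTRICTED, SYMMETRIC}
ALL_TYPES = NAPT_TYPES | {BASIC_NAT}

Endpoint = Tuple[str, int]  # (address, port), claims 12/18


@dataclass(frozen=True)
class Cpe:
    """Hypothetical record of what the server learned about one CPE (claims 19/20)."""
    private: Endpoint   # private network address of the CPE itself
    mapped: Endpoint    # public address/port observed after NAT from its test message
    nat_type: str       # type of the NAT device in front of it, as reported by the CPE


def meets_preset_condition(first_nat: str, second_nat: str) -> bool:
    """Claim 14: the first NAT must be full cone; the second may be any listed type."""
    return first_nat == FULL_CONE and second_nat in ALL_TYPES


def server_distribute(first: Cpe, second: Cpe) -> Optional[Dict[str, Endpoint]]:
    """Server side (claims 14-16): map {recipient: peer's post-NAT endpoint},
    or None when the preset condition is not met and nothing is handed out."""
    if not meets_preset_condition(first.nat_type, second.nat_type):
        return None
    # Claim 15 (second NAT is basic NAT): only the first CPE's post-NAT
    # address is determined, and it is sent to the second CPE.
    handout = {"second": first.mapped}
    # Claim 16 (second NAT is any NAPT type): both directions are sent.
    if second.nat_type in NAPT_TYPES:
        handout["first"] = second.mapped
    return handout


def cpe_tunnel_config(local: Cpe, peer_mapped: Endpoint) -> Dict[str, object]:
    """Claim 21: IPsec tunnel mode with NAT-T; source = own private address,
    destination = the peer's public address after NAT received from the server."""
    return {"encapsulation": "tunnel", "nat_t": True,
            "src": local.private, "dst": peer_mapped}
```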
CN202010003261.4A 2020-01-02 2020-01-02 NAT traversal method and device, electronic equipment and storage medium Active CN113067910B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010003261.4A CN113067910B (en) 2020-01-02 2020-01-02 NAT traversal method and device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113067910A CN113067910A (en) 2021-07-02
CN113067910B true CN113067910B (en) 2023-05-09

Family

ID=76558391

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640663A (en) * 2022-03-03 2022-06-17 上海联虹技术有限公司 Method for remotely controlling CPE (customer premises equipment) and remote control system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800781A (en) * 2009-02-11 2010-08-11 中国科学院计算机网络信息中心 Tunnel transition method and system for passing through NAT
WO2012171379A1 (en) * 2011-06-15 2012-12-20 中兴通讯股份有限公司 Method, device and system for nat traversal of ipsec in ah mode
CN105933198A (en) * 2016-04-21 2016-09-07 浙江宇视科技有限公司 Device for establishing direct connection VPN tunnel
CN109819067A (en) * 2019-03-12 2019-05-28 赛特斯信息科技股份有限公司 The method for realizing the NAT penetration management based on VXLAN tunneling technique using Simple Traversal of UDP Through Network Address Translators

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant