CN115225313A - High-reliability cloud network virtual private network communication method and device

Info

Publication number
CN115225313A
Authority
CN
China
Prior art keywords
vpn
packet
authentication
client
vpn gateway
Legal status
Granted
Application number
CN202210621700.7A
Other languages
Chinese (zh)
Other versions
CN115225313B (en)
Inventor
董恩焕
苏昆林
杨家海
祝顺民
王之梁
张世泽
文荣
任伟
Current Assignee
Tsinghua University
Alibaba Cloud Computing Ltd
Original Assignee
Tsinghua University
Alibaba Cloud Computing Ltd
Application filed by Tsinghua University, Alibaba Cloud Computing Ltd
Priority to CN202210621700.7A
Publication of CN115225313A
Application granted; publication of CN115225313B
Legal status: Active

Classifications

    • H04L63/0272 Network security architectures or protocols for separating internal from external traffic: virtual private networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention discloses a highly reliable cloud network virtual private network communication method and a highly reliable cloud network virtual private network communication device, wherein the method comprises the following steps: sending an IP packet with a preset format to a first VPN gateway based on a VPN client, performing first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, establishing first transmission between the VPN client and the first VPN gateway, and performing second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client is switched from the first VPN gateway to the second VPN gateway to establish second transmission; and sending a detection request packet to the VPN gateway associated with the transmission through the VPN client based on the first transmission and the second transmission so as to finish the detection between the VPN client and the VPN gateway associated with the transmission. The invention can construct a tunnel for data transmission between the VPN client and the VPN gateway, and the IP packet for constructing the transmission tunnel has a structure similar to that of a TCP packet widely used in the Internet, thereby being beneficial to the improvement of the reliability of data transmission between the VPN client and the VPN gateway.

Description

High-reliability cloud network virtual private network communication method and device
Technical Field
The invention relates to the technical field of network communication transmission, in particular to a high-reliability cloud network virtual private network communication method and device.
Background
A cloud network VPN is an overlay network built on a public network (e.g., the internet): it is a virtual network rather than a physically private one, but it preserves the security properties of a private network. A common way to build a VPN over the internet is to establish a tunnel through the internet between a VPN client and a VPN gateway; the VPN client and the VPN gateway then ensure the integrity and confidentiality of the data communicated through the tunnel. The existing approach, and the one the prior art commonly uses, is to construct the tunnel with the IPSec protocol and to carry the data between the VPN client and the VPN gateway in IPSec packets. IPSec packets produced in this way may be discarded by devices in the network while in transit over the Internet.
Because an IPSec packet is easily recognized by devices in the internet as an abnormal packet and discarded, a tunnel constructed from IPSec packets is itself fragile in the internet. How to prevent devices in the internet from discarding the packets transmitted on the tunnel between the VPN client and the VPN gateway is therefore an urgent problem.
Disclosure of Invention
The present invention is directed to solving, at least to some extent, one of the technical problems in the related art.
Therefore, the invention aims to provide a highly reliable cloud network virtual private network communication method which can be applied to a VPN communication scene, can be used for constructing a data transmission tunnel between a VPN client and a VPN gateway and is beneficial to the improvement of the reliability of data transmission between the VPN client and the VPN gateway.
Another object of the present invention is to provide a highly reliable cloud network virtual private network communication device.
In order to achieve the above object, in one aspect, the present invention provides a highly reliable cloud network virtual private network communication method, including:
sending an IP packet with a preset format to a first VPN gateway based on a VPN client, performing first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, and establishing first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online VPN header packet type;
when the VPN client is switched from the first VPN gateway to a second VPN gateway to establish second transmission, performing second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission;
sending a detection request packet to a VPN gateway associated with transmission through the VPN client based on the first transmission and the second transmission, so as to complete the detection between the VPN client and the VPN gateway associated with transmission.
In addition, the highly reliable cloud network virtual private network communication method according to the above embodiment of the present invention may further have the following additional technical features:
Further, in an embodiment of the present invention, the method further includes: determining the packet type of the VPN header according to the data in the IP packet with the preset format; wherein the packet type of the VPN header includes at least one of: the online packet, the authentication request packet, the authentication reply packet, the authentication completion packet, the detection request packet, the detection reply packet, the ESP packet, the WireGuard packet and the RAW packet.
Further, in one embodiment of the present invention, the method further comprises: when the IP address and the port number of the VPN client change, a TCP connection abnormal termination packet RST is sent to the VPN client through the first VPN gateway, and first identity authentication of the VPN client and the first VPN gateway is carried out again according to the configuration information.
Further, in an embodiment of the present invention, before sending the IP packet whose packet type is online to the first VPN gateway, the method further includes: establishing a connection with the first VPN gateway by using a VPN client to simulate a TCP behavior, specifically: sending a SYN packet of TCP connection establishment to a first VPN gateway by utilizing the VPN client; receiving the SYN packet by utilizing the first VPN gateway, and replying a SYN + ACK packet to the VPN client; and receiving the SYN + ACK packet by using the VPN client, and sending an ACK packet to the first VPN gateway.
Further, in an embodiment of the present invention, performing the first identity authentication of the VPN client and the first VPN gateway according to the configuration information includes: sending the online IP packet to the first VPN gateway through the VPN client, and determining, according to the configuration information, whether the online IP packet sets the low-frequency detection flag bit: the bit is set to 1 if the configuration information indicates that low-frequency detection information is used, and to 0 otherwise; triggering the first identity authentication based on the online IP packet, and sending a first authentication request packet to the VPN client by using the first VPN gateway; receiving the first authentication request packet by using the VPN client and sending a first authentication reply packet to the first VPN gateway; receiving the first authentication reply packet by using the first VPN gateway, and sending a first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; wherein the first authentication reply packet includes information used by the first VPN gateway to verify the identity of the VPN client.
Further, in an embodiment of the present invention, after the first identity authentication is completed, the method further includes: performing data interaction between the VPN client and the first VPN gateway; wherein the data interaction comprises: according to the configuration information, transmitting data using one of FEC encoding, ESP tunnel encapsulation using IPSec, WireGuard tunnel encapsulation, or RAW mode.
Further, in an embodiment of the present invention, the format of the control information part of the authentication request packet includes: version, sequence number, IP, and port number; the format of the control information part of the authentication reply packet comprises the following steps: version, sequence number, IP, port number, and authentication information.
Further, in an embodiment of the present invention, when the VPN client switches from the first VPN gateway to a second VPN gateway to establish a second transmission, performing a second identity authentication between the VPN client and the second VPN gateway based on the first transmission and according to an authentication request packet includes: when the VPN client is switched from the first VPN gateway to a second VPN gateway, triggering second identity authentication, and sending a second authentication request packet to the VPN client through the second VPN gateway; receiving the second authentication request packet by using the VPN client, sending a second authentication reply packet to the second VPN gateway, receiving the second authentication reply through the second VPN gateway, and sending a second authentication completion packet to the VPN client if the authentication information of the second authentication reply is correct; wherein the second authentication reply packet includes information used by the second VPN gateway to verify the identity of the VPN client.
Further, in an embodiment of the present invention, the sending, by the VPN client, a probe request packet to a VPN gateway associated with transmission to complete probing between the VPN client and the VPN gateway associated with transmission includes: sending the detection request packet to the VPN gateway associated with the transmission by utilizing the VPN client; and receiving the detection request packet by using the VPN gateway associated with transmission, and sending the detection reply packet to the VPN client so as to finish the detection between the VPN client and the VPN gateway associated with transmission.
The high-reliability cloud network virtual private network communication method provided by the embodiment of the invention can be applied to a VPN communication scene, can be used for constructing a tunnel for data transmission between a VPN client and a VPN gateway, and is beneficial to the improvement of the reliability of data transmission between the VPN client and the VPN gateway because an IP packet for constructing the transmission tunnel is similar to a TCP packet structure widely used in the Internet.
In order to achieve the above object, another aspect of the present invention provides a highly reliable cloud network virtual private network communication apparatus, including:
the first transmission module is used for sending an IP packet with a preset format to a first VPN gateway based on a VPN client, carrying out first identity authentication on the VPN client and the first VPN gateway according to preset configuration information, and establishing first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online VPN header packet type;
a second transmission module, configured to perform second identity authentication between the VPN client and a second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client switches from the first VPN gateway to the second VPN gateway to establish second transmission;
a period detection module, configured to send a detection request packet to a VPN gateway associated with transmission through the VPN client based on the first transmission and the second transmission, so as to complete the detection between the VPN client and the VPN gateway associated with the transmission.
Further, the above apparatus further comprises: a type determining module, configured to determine the packet type of the VPN header according to the data in the IP packet with the preset format; wherein the packet type of the VPN header includes at least one of: the online packet, the authentication request packet, the authentication reply packet, the authentication completion packet, the detection request packet, the detection reply packet, the ESP packet, the WireGuard packet and the RAW packet.
Further, the above apparatus further comprises: a port change module, configured to send a TCP connection abnormal termination packet (RST) to the VPN client through the first VPN gateway when the IP address and the port number of the VPN client change, and to perform the first identity authentication of the VPN client and the first VPN gateway again according to the configuration information.
Further, the above apparatus further comprises: the connection simulation module is configured to establish a connection with a first VPN gateway by using a VPN client to simulate a TCP behavior, and specifically includes:
the first connection submodule is used for sending a SYN packet of TCP connection establishment to the first VPN gateway by utilizing the VPN client;
the second connection sub-module is used for receiving the SYN packet by using the first VPN gateway and replying the SYN + ACK packet to the VPN client;
a third connection submodule, configured to receive the SYN + ACK packet by using the VPN client and send the ACK packet to the first VPN gateway.
Further, the first transmission module includes:
a flag marking module, configured to send the online IP packet to the first VPN gateway through the VPN client and to determine, according to the configuration information, whether the online IP packet sets the low-frequency detection flag bit: the bit is set to 1 if the configuration information indicates that low-frequency detection information is used, and to 0 otherwise;
a first identity authentication module, configured to trigger a first identity authentication based on the online IP packet, and send a first authentication request packet to the VPN client by using the first VPN gateway;
a first authentication completion module, configured to receive the first authentication request packet by using the VPN client, send a first authentication reply packet to the first VPN gateway, receive the first authentication reply packet by using the first VPN gateway, and send a first authentication completion packet to the VPN client if authentication information of the first authentication reply packet is correct; wherein the first authentication reply packet includes information used by the first VPN gateway to verify the identity of the VPN client.
Further, after the first authentication completion module, the apparatus further includes: a data interaction module, configured to perform data interaction between the VPN client and the first VPN gateway; wherein the data interaction comprises: according to the configuration information, transmitting data using one of FEC encoding, ESP tunnel encapsulation using IPSec, WireGuard tunnel encapsulation, or RAW mode.
Further, the second transmission module includes:
the second identity authentication module is used for triggering second identity authentication when the VPN client is switched from the first VPN gateway to a second VPN gateway, and sending a second authentication request packet to the VPN client through the second VPN gateway;
a second authentication completion module, configured to receive the second authentication request packet by using the VPN client, send a second authentication reply packet to the second VPN gateway, receive the second authentication reply packet through the second VPN gateway, and send a second authentication completion packet to the VPN client if the authentication information of the second authentication reply packet is correct; wherein the second authentication reply packet includes information used by the second VPN gateway to verify the identity of the VPN client.
Further, the period detection module includes:
a detection request module, configured to send the detection request packet to the VPN gateway associated with transmission by using the VPN client;
a detection reply module, configured to receive the detection request packet by using the VPN gateway associated with transmission and send the detection reply packet to the VPN client, so as to complete the detection between the VPN client and the VPN gateway associated with transmission.
The high-reliability cloud network virtual private network communication device provided by the embodiment of the invention can be applied to a VPN communication scene, can be used for constructing a tunnel for data transmission between a VPN client and a VPN gateway, and is beneficial to the improvement of the reliability of data transmission between the VPN client and the VPN gateway, and an IP packet for constructing the transmission tunnel is similar to a TCP packet structure widely used in the Internet.
The invention has the beneficial effects that:
the invention can be applied to VPN communication scenes and can be used for constructing a tunnel for data transmission between a VPN client and a VPN gateway. Products to which it can be applied include, but are not limited to, the construction of tenant networks in cloud networks, and cloud access or interconnection in SD-WAN (Software Defined Wide Area Network) products, such as Customer-Premises Equipment (CPE).
IPSec packets are easily identified by devices in the internet as anomalous packets and dropped, and tunnels constructed from IPSec packets are therefore fragile in the internet. The present invention mimics TCP behavior, so that devices in the internet recognize the packets transmitted in the tunnel as the TCP packets that are ubiquitous in the internet, rather than as the less common IPSec packets. The invention is thus beneficial to improving the reliability of data transmission between the VPN client and the VPN gateway.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the present invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings of which:
fig. 1 is a schematic diagram of a format of an IP packet between a VPN client and a VPN gateway according to an embodiment of the present invention;
fig. 2 is a flowchart of a highly reliable cloud network virtual private network communication method according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a format of a control information portion of an authentication request packet according to an embodiment of the present invention;
FIG. 4 is a diagram illustrating a format of a control message portion of an authentication reply packet according to an embodiment of the invention;
fig. 5 is a schematic structural diagram of a highly reliable cloud network VPN communication apparatus according to an embodiment of the present invention.
Detailed Description
It should be noted that, in the present application, the embodiments and features of the embodiments may be combined with each other without conflict. The present invention will be described in detail below with reference to the embodiments with reference to the attached drawings.
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be obtained by a person skilled in the art without making any creative effort based on the embodiments in the present invention, shall fall within the protection scope of the present invention.
The following describes a highly reliable cloud network virtual private network communication method and apparatus proposed according to an embodiment of the present invention with reference to the accompanying drawings.
Fig. 2 is a flowchart of a highly reliable cloud network virtual private network communication method according to an embodiment of the present invention.
As shown in fig. 2, the method includes, but is not limited to, the following steps:
S1, an IP packet in a preset format is sent to a first VPN gateway based on a VPN client, first identity authentication of the VPN client and the first VPN gateway is carried out according to preset configuration information, and first transmission between the VPN client and the first VPN gateway is established, wherein the IP packet in the preset format is an IP packet with an online VPN header packet type.
It is to be understood that the present invention defines the format of the IP packets exchanged between a cloud network VPN client and a VPN gateway, as shown in fig. 1. The IP packet consists of an IP header, a TCP header, a VPN header, data or control information, and an integrity check; the IP header and the TCP header follow the definitions of the TCP/IP protocol suite. Fig. 1 omits the option fields that may follow the IP header and the TCP header. The TCP header is followed by the VPN header defined by the present invention, which has a fixed length of 20 bytes. The last 12 bytes of the entire IP packet are used for the integrity check of the packet. The length of the packet body between the VPN header and the integrity check field is variable, and packets are divided into two kinds according to the content of the body: if the body carries data the packet is called a data packet, and if the body carries control information it is called a control packet. The first 3 bits of the 1st byte of the VPN header form the flag field and the remaining 5 bits form the packet type field. The flag field admits three possible flags, which are mutually exclusive; their names, meanings and effects on the packet format are shown in table 1. The packet type field identifies the specific packet type; the types are likewise mutually exclusive, and their names, meanings and effects on the packet format are shown in table 2. The "VPN ID" field of the VPN header uniquely identifies the VPN tunnel that the VPN client can use.
Table 1: possible flags of the VPN header flag field (rendered as an image in the original; the table contents are not available on this page)
Table 2: possible packet types of the VPN header packet type field (rendered as an image in the original; the table contents are not available on this page)
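The header layout described above can be made concrete with a small encoder and decoder. The following Python is an added example written for this page, not code from the patent or its assignees. The page fixes the 20-byte VPN header, the 3-bit flag field and 5-bit packet type field in its first byte, a VPN ID field, a variable-length body, and a 12-byte integrity check trailer; everything else is an assumption: the VPN ID is taken to occupy bytes 1 to 4 as a big-endian integer, the remaining header bytes are treated as reserved, the numeric packet-type codes are invented, only the "low frequency probe" flag is named, and the integrity check is modelled as an HMAC-SHA256 tag truncated to 12 bytes over the header and body (the page does not name the algorithm). The decoder verifies the trailer before it trusts any header field, and the encoder enforces the page's rule that the flags are mutually exclusive.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Fixed sizes stated in the description: 20-byte VPN header, 12-byte integrity trailer.
VPN_HEADER_LEN = 20
INTEGRITY_LEN = 12

# Packet-type names come from table 2 of the description; the numeric codes are assumed.
PACKET_TYPES = {
    "online": 1, "auth_request": 2, "auth_reply": 3, "auth_complete": 4,
    "probe_request": 5, "probe_reply": 6, "esp": 7, "wireguard": 8, "raw": 9,
}
TYPE_NAMES = {code: name for name, code in PACKET_TYPES.items()}
# Packet types whose body carries tunnelled data; every other type is a control packet.
DATA_TYPES = {"esp", "wireguard", "raw"}

# 3-bit flag field. The page names the "low frequency probe" flag; the other two bit
# positions are treated here as reserved. The page states the flags are mutually exclusive.
FLAG_LOW_FREQ_PROBE = 0b100


@dataclass
class VpnPacket:
    flags: int      # 3-bit flag field
    ptype: str      # packet type name from PACKET_TYPES
    vpn_id: int     # identifies the tunnel the client may use (field position assumed)
    body: bytes     # data or control information, variable length

    @property
    def is_data(self) -> bool:
        return self.ptype in DATA_TYPES


def _tag(integrity_key: bytes, protected: bytes) -> bytes:
    # Assumed construction: HMAC-SHA256 over header+body, truncated to the 12-byte trailer.
    return hmac.new(integrity_key, protected, hashlib.sha256).digest()[:INTEGRITY_LEN]


def encode(pkt: VpnPacket, integrity_key: bytes) -> bytes:
    """Serialise VPN header + body and append the integrity trailer."""
    if pkt.flags & ~0b111:
        raise ValueError("flag field is only 3 bits wide")
    if bin(pkt.flags).count("1") > 1:
        raise ValueError("VPN header flags are mutually exclusive")
    first_byte = (pkt.flags << 5) | PACKET_TYPES[pkt.ptype]
    # byte 0: flags|type; bytes 1-4: VPN ID (assumed layout); bytes 5-19: reserved (zero)
    header = struct.pack("!BI", first_byte, pkt.vpn_id) + bytes(VPN_HEADER_LEN - 5)
    return header + pkt.body + _tag(integrity_key, header + pkt.body)


def decode(raw: bytes, integrity_key: bytes) -> VpnPacket:
    """Check the trailer before trusting any header field, then parse the header."""
    if len(raw) < VPN_HEADER_LEN + INTEGRITY_LEN:
        raise ValueError("packet shorter than header + integrity check")
    protected, tag = raw[:-INTEGRITY_LEN], raw[-INTEGRITY_LEN:]
    if not hmac.compare_digest(tag, _tag(integrity_key, protected)):
        raise ValueError("integrity check failed")
    first_byte, vpn_id = struct.unpack("!BI", protected[:5])
    flags, code = first_byte >> 5, first_byte & 0x1F
    if code not in TYPE_NAMES:
        raise ValueError(f"unknown packet type code {code}")
    return VpnPacket(flags, TYPE_NAMES[code], vpn_id, protected[VPN_HEADER_LEN:])


if __name__ == "__main__":
    key = bytes(32)  # constructed sample key, not a real tunnel key
    wire = encode(VpnPacket(FLAG_LOW_FREQ_PROBE, "online", 42, b""), key)
    print(len(wire), decode(wire, key))
```

Verifying the trailer first matters because the packet type and VPN ID steer the gateway's session lookup; parsing them from an unverified packet would let a forged header drive that lookup.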
It is to be appreciated that this process occurs when VPN client first use is initiated, the VPN controller pushes the VPN configuration to the VPN client and the plurality of VPN gateways. The configuration comprises the following steps: information such as a VPN ID for the VPN client, a key required for tunnel encryption corresponding to the VPN ID, a key required for VPN client authentication, whether FEC encoding is performed or whether low frequency probe information is performed. The VPN gateway establishes a session for each VPN client based on this information.
As an example, for "establish a connection between a VPN client and a gateway": the VPN client sends a packet of TCP establish connection, i.e. SYN packet, to the VPN gateway emulating TCP behavior. The packet comprises an IP header and a TCP header, the packet body is cut off to the TCP header, and the format completely imitates a SYN packet of three-way handshake when TCP establishes connection. After receiving the packet, the VPN gateway continues to imitate the process of establishing connection with TCP, and replies to the VPN client with a SYN + ACK packet in the same format as the SYN + ACK packet of the three-way handshake when establishing connection with TCP. After receiving the SYN + ACK packet, the VPN client sends an ACK packet to the VPN gateway that mimics the three-way handshake when the TCP establishes a connection.
After the three-way handshake, the VPN client sends the "online" packet mentioned in table 2 to the VPN gateway, and according to the configuration information received by the VPN client in the process of "VPN controller pushing VPN configuration", the VPN client determines whether the "online" packet sets the "low frequency detection" flag position to 1. The "online" packet triggers the process of the VPN gateway authenticating the identity to the VPN client. The VPN gateway will first send an "authentication request" packet to the VPN client, starting the process of identity authentication. The format of the control information part of the authentication request packet in the invention is shown in fig. 3. After receiving the authentication request, the VPN client sends an authentication reply packet to the VPN gateway. The format of the control information part of the authentication reply packet in the invention is shown in FIG. 4. The embedded VPN gateway may be used to verify the identity of the VPN client. After receiving the authentication reply, the VPN gateway sends an authentication completion packet to the VPN client if the authentication information is correct. As shown in fig. 3 and fig. 4, the partial formats of the "authentication request" packet control information and the "authentication reply" packet control information in the present invention are respectively illustrated. The control information part format of the authentication request packet comprises the following steps: version, sequence number, IP, and port number; the control information part format of the authentication reply packet comprises the following steps: version, sequence number, IP, port number, and authentication information.
After authentication passes, data interaction takes place between the VPN client and the VPN gateway. According to the configuration information pushed to the VPN client during "VPN controller pushes VPN configuration", the data packets may be FEC encoded, and data may be transmitted using IPSec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or RAW mode.
S2: when the VPN client switches from the first VPN gateway to a second VPN gateway to establish a second transmission, second identity authentication between the VPN client and the second VPN gateway is performed based on an authentication request packet sent over the first transmission.
It is understood that the IP address and port number of the VPN client may change. When they change, the VPN gateway sends a TCP RST packet to the VPN client, so that, from the perspective of devices on the Internet, the TCP connection appears to have been terminated. The process of establishing connection transmission between the VPN client and the VPN gateway is then carried out again.
Further, when the VPN client switches from one VPN gateway to another, the authentication process must be performed again with the new VPN gateway: the new VPN gateway first sends an "authentication request" packet to the VPN client to start identity authentication. After receiving the authentication request, the VPN client sends an authentication reply packet to the new VPN gateway; the reply includes information that the new VPN gateway can use to verify the identity of the VPN client. After receiving the authentication reply, the new VPN gateway sends an authentication completion packet to the VPN client if the authentication information is correct.
S3: based on the first transmission and the second transmission, the VPN client sends a probe request packet to the VPN gateway associated with the transmission, so as to complete probing between the VPN client and that VPN gateway.
Specifically, the VPN client periodically sends a probe request packet to the VPN gateway. After receiving the periodic probe request packet, the VPN gateway sends a periodic probe reply packet to the VPN client.
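The exchange described in these steps (mimicked handshake, "online" packet with the low-frequency flag, authentication request/reply/completion, RST on an IP/port change, re-authentication after a gateway switch, periodic probing), modelled end to end as an added example that is not code from the patent or its assignees. The packet-type codes, the flag bit position, the HMAC-SHA256 construction of the "authentication information" and the pre-shared key are assumptions; the patent fixes only the field names of figs. 3 and 4.

```python
import hashlib, hmac, struct
from collections import namedtuple
from enum import IntEnum

VERSION = 1
LOW_FREQ_PROBE = 0x01                 # "low frequency detection" flag bit of the online packet (position assumed)
PSK = b"constructed-pre-shared-key"   # constructed; stands in for a secret pushed by the VPN controller

class PktType(IntEnum):
    """VPN-header packet types named in the patent; the numeric codes are assumed."""
    ONLINE = 1
    AUTH_REQUEST = 2
    AUTH_REPLY = 3
    AUTH_COMPLETE = 4
    PROBE_REQUEST = 5
    PROBE_REPLY = 6
    ESP = 7
    WIREGUARD = 8
    RAW = 9

Packet = namedtuple("Packet", "ptype flags payload", defaults=(0, b""))

def control_info(seq: int, ip: str, port: int) -> bytes:
    """Authentication-request control information: version, sequence number, IP, port (fig. 3)."""
    return struct.pack("!BI4sH", VERSION, seq, bytes(int(o) for o in ip.split(".")), port)

def auth_info(psk: bytes, ctrl: bytes) -> bytes:
    """Assumed construction of the 'authentication information': HMAC-SHA256 over the control info."""
    return hmac.new(psk, ctrl, hashlib.sha256).digest()

class Gateway:
    def __init__(self, psk: bytes):
        self.psk, self.seq = psk, 0
        self.pending = {}    # (ip, port) -> control info of the outstanding authentication request
        self.authed = set()  # (ip, port) tuples that received an authentication completion
    def handle(self, src, pkt):
        """Reply to one client packet; the string 'RST' models the TCP reset for an unknown IP/port."""
        if pkt.ptype == PktType.ONLINE:            # the online packet triggers authentication
            self.seq += 1
            self.pending[src] = ctrl = control_info(self.seq, *src)
            return Packet(PktType.AUTH_REQUEST, payload=ctrl)
        if pkt.ptype == PktType.AUTH_REPLY:
            ctrl = self.pending.pop(src, None)
            if ctrl is None or not hmac.compare_digest(pkt.payload, ctrl + auth_info(self.psk, ctrl)):
                return None                        # wrong authentication information: no completion packet
            self.authed.add(src)
            return Packet(PktType.AUTH_COMPLETE)
        if src not in self.authed:
            return "RST"                           # IP/port changed: client must redo handshake and authentication
        if pkt.ptype == PktType.PROBE_REQUEST:
            return Packet(PktType.PROBE_REPLY, flags=pkt.flags)
        return Packet(pkt.ptype, payload=pkt.payload)  # ESP / WireGuard / RAW data, echoed for the demo

class Client:
    def __init__(self, psk: bytes, low_freq_probe: bool):
        self.psk, self.low_freq_probe = psk, low_freq_probe
    def online(self):
        return Packet(PktType.ONLINE, flags=LOW_FREQ_PROBE if self.low_freq_probe else 0)
    def answer(self, req):
        """Authentication reply: echo version/seq/IP/port and append the authentication information (fig. 4)."""
        return Packet(PktType.AUTH_REPLY, payload=req.payload + auth_info(self.psk, req.payload))

def attach(client, gw, src):
    trace = ["SYN", "SYN+ACK", "ACK"]              # mimicked handshake: IP and TCP headers only, no body
    req = gw.handle(src, client.online())          # online -> authentication request
    done = gw.handle(src, client.answer(req))      # authentication reply -> completion (or nothing)
    return trace + [req.ptype.name, done.ptype.name if done else "AUTH_FAILED"]

def probe(gw, src):
    rep = gw.handle(src, Packet(PktType.PROBE_REQUEST))
    return rep if isinstance(rep, str) else rep.ptype.name

def demo():
    client, gw1, gw2 = Client(PSK, True), Gateway(PSK), Gateway(PSK)
    src = ("198.51.100.7", 40001)                   # constructed client address
    first = attach(client, gw1, src)                # first transmission
    ok = probe(gw1, src)                            # periodic probe answered
    moved = ("198.51.100.7", 40002)                 # client port changes
    rst = probe(gw1, moved)                         # gateway answers the unknown source with RST ...
    again = attach(client, gw1, moved)              # ... and the client re-establishes and re-authenticates
    second = attach(client, gw2, moved)             # switch to the second gateway: authenticate again
    bad = attach(Client(b"wrong-key", True), gw2, ("203.0.113.9", 5000))
    return first, ok, rst, again, second, bad
```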
The high-reliability cloud network virtual private network communication method provided by the embodiment of the invention can be applied to VPN communication scenarios: it constructs a tunnel for data transmission between a VPN client and a VPN gateway and improves the reliability of that transmission, while the IP packets that build the tunnel have a structure similar to the TCP packets widely used on the Internet.
In order to implement the foregoing embodiments, as shown in fig. 5, a highly reliable cloud network virtual private network communication apparatus 10 is further provided in this embodiment, where the apparatus 10 includes: a first transmission module 100, a second transmission module 200, and a period detection module 300.
A first transmission module 100, configured to send an IP packet in a preset format to a first VPN gateway based on a VPN client, perform first identity authentication between the VPN client and the first VPN gateway according to preset configuration information, and establish first transmission between the VPN client and the first VPN gateway, where the IP packet in the preset format is an IP packet with an online VPN header packet type;
a second transmission module 200, configured to perform second identity authentication between the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client is switched from the first VPN gateway to the second VPN gateway to establish second transmission;
the period detection module 300 is configured to send a detection request packet to the VPN gateway associated with transmission through the VPN client based on the first transmission and the second transmission, so as to complete detection between the VPN client and the VPN gateway associated with transmission.
Further, the above apparatus 10 further includes: the type determining module is used for determining the packet type of the corresponding VPN header according to the data in the IP packet with the preset format; wherein the packet type of the VPN header includes at least one of: an online IP packet, an authentication request packet, an authentication reply packet, an authentication completion packet, a probe request packet, a probe reply packet, an ESP packet, a WireGuard packet, and a RAW packet.
Further, the above apparatus 10 further includes: a port change module, configured to send a TCP connection abnormal termination packet (RST) to the VPN client through the first VPN gateway when the IP address and port number of the VPN client change, and to re-perform the first identity authentication between the VPN client and the first VPN gateway according to the configuration information.
Further, the above apparatus 10 further includes: a connection simulation module, configured to establish a connection with the first VPN gateway by using the VPN client to simulate TCP behaviour, and specifically including:
a first connection submodule, configured to send a TCP connection-establishment SYN packet to the first VPN gateway by using the VPN client;
a second connection submodule, configured to receive the SYN packet at the first VPN gateway and reply to the VPN client with a SYN + ACK packet;
and a third connection submodule, configured to receive the SYN + ACK packet at the VPN client and send an ACK packet to the first VPN gateway.
Further, the first transmission module 100 includes:
the system comprises a position marking module, a first VPN gateway and a second VPN gateway, wherein the position marking module is used for sending an online IP packet to the first VPN gateway through a VPN client, determining whether the online IP packet carries out position marking on low-frequency detection information or not according to configuration information, marking the position as 1 if the configuration information indicates that the low-frequency detection information is used, and otherwise marking the position as 0;
the first identity authentication module is used for triggering first identity authentication based on an online IP packet and sending a first authentication request packet to the VPN client by utilizing a first VPN gateway;
the first authentication completion module is used for receiving the first authentication request packet by using the VPN client, sending a first authentication reply packet to the first VPN gateway, receiving the first authentication reply packet by using the first VPN gateway, and sending the first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; the first authentication reply packet comprises information used by the first VPN gateway for verifying the identity of the VPN client.
Further, after the first authentication completion module, the method further includes: the data interaction module is used for carrying out data interaction between the VPN client and the first VPN gateway; wherein, the data interaction comprises: and according to the configuration information, performing one of FEC encoding, ESP tunnel encapsulation using IPSec, wireaguard tunnel encapsulation or RAW mode transmission data.
Further, the second transmission module 200 includes:
a second identity authentication module, configured to trigger the second identity authentication when the VPN client switches from the first VPN gateway to the second VPN gateway, and to send a second authentication request packet to the VPN client through the second VPN gateway;
a second authentication completion module, configured to receive the second authentication request packet at the VPN client, send a second authentication reply packet to the second VPN gateway, receive the second authentication reply at the second VPN gateway, and send a second authentication completion packet to the VPN client if the authentication information of the second authentication reply is correct; the second authentication reply packet comprises information used by the second VPN gateway to verify the identity of the VPN client.
Further, the period detection module 300 includes:
a detection request module, configured to send a detection request packet to the VPN gateway associated with the transmission by using the VPN client;
and a detection reply module, configured to receive the detection request packet at the VPN gateway associated with the transmission and send a detection reply packet to the VPN client, so as to complete the detection between the VPN client and the VPN gateway associated with the transmission.
The high-reliability cloud network virtual private network communication device provided by the embodiment of the invention can be applied to VPN communication scenarios: it constructs a tunnel for data transmission between a VPN client and a VPN gateway and improves the reliability of that transmission, while the IP packets that build the tunnel have a structure similar to the TCP packets widely used on the Internet.
It should be noted that the above explanation of the embodiment of the highly reliable cloud network VPN method also applies to the highly reliable cloud network VPN apparatus of the embodiment and is not repeated here.
Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defined as "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "a plurality" means at least two, e.g., two, three, etc., unless specifically limited otherwise.
In the description herein, references to the terms "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, such schematic representations do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Moreover, the various embodiments or examples described in this specification, and the features of those embodiments or examples, can be combined by one skilled in the art provided they are not mutually inconsistent.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (10)

1. A high-reliability cloud network virtual private network communication method is characterized by comprising the following steps:
sending an IP packet with a preset format to a first VPN gateway based on a VPN client, performing first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, and establishing first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online VPN header packet type;
when the VPN client is switched from the first VPN gateway to a second VPN gateway to establish second transmission, performing second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission;
and sending a detection request packet to a VPN gateway associated with transmission through the VPN client based on the first transmission and the second transmission so as to finish the detection between the VPN client and the VPN gateway associated with transmission.
2. The method of claim 1, further comprising: determining the corresponding packet type of the VPN header according to the data in the IP packet with the preset format; wherein the packet type of the VPN header includes at least one of: the online IP packet, the authentication request packet, the authentication reply packet, the authentication completion packet, the detection request packet, the detection reply packet, the ESP packet, the WireGuard packet and the RAW packet.
3. The method of claim 2, further comprising: when the IP address and the port number of the VPN client change, a TCP connection abnormal termination packet RST is sent to the VPN client through the first VPN gateway, and first identity authentication of the VPN client and the first VPN gateway is carried out again according to the configuration information.
4. The method according to claim 3, further comprising, before sending the IP packet of the preset format to the first VPN gateway based on the VPN client: establishing a connection with the first VPN gateway by using a VPN client to simulate a TCP behavior, specifically:
sending a SYN packet of TCP connection establishment to a first VPN gateway by utilizing the VPN client;
receiving the SYN packet by using the first VPN gateway, and replying a SYN + ACK packet to the VPN client;
and receiving the SYN + ACK packet by using the VPN client, and sending an ACK packet to the first VPN gateway.
5. The method of claim 4, wherein said performing a first identity authentication of said VPN client and said first VPN gateway according to said configuration information comprises:
sending the online IP packet to the first VPN gateway through the VPN client, determining whether the online IP packet carries out position marking on low-frequency detection information or not according to the configuration information, if the configuration information indicates that the low-frequency detection information is used, marking the position as 1, otherwise marking the position as 0;
triggering first identity authentication based on the online IP packet, and sending a first authentication request packet to the VPN client by using the first VPN gateway;
receiving the first authentication request packet by using the VPN client, sending a first authentication reply packet to the first VPN gateway, receiving the first authentication reply packet by using the first VPN gateway, and sending a first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; wherein the first authentication reply packet includes information used by the first VPN gateway to verify the identity of the VPN client.
6. The method of claim 5, further comprising, after the first authentication is complete:
performing data interaction between the VPN client and the first VPN gateway; wherein the data interaction comprises: transmitting data, according to the configuration information, using one of FEC encoding, ESP tunnel encapsulation using IPSec, WireGuard tunnel encapsulation or RAW mode.
7. The method of claim 6, wherein the control information part format of the authentication request packet comprises: version, sequence number, IP, and port number;
and the control information part format of the authentication reply packet comprises: version, sequence number, IP, port number, and authentication information.
8. The method of claim 7, wherein said performing a second identity authentication of said VPN client and said second VPN gateway, based on an authentication request packet sent by the first transmission, when said VPN client switches from said first VPN gateway to said second VPN gateway to establish a second transmission comprises:
when the VPN client is switched from the first VPN gateway to a second VPN gateway, triggering second identity authentication, and sending a second authentication request packet to the VPN client through the second VPN gateway;
receiving the second authentication request packet by using the VPN client, sending a second authentication reply packet to the second VPN gateway, receiving the second authentication reply through the second VPN gateway, and sending a second authentication completion packet to the VPN client if the authentication information of the second authentication reply is correct; wherein the second authentication reply packet includes information used by the second VPN gateway to verify the identity of the VPN client.
9. The method of claim 8, wherein sending, by said VPN client, a probe request packet to a transport associated VPN gateway to complete probing between said VPN client and said transport associated VPN gateway comprises:
sending the detection request packet to the VPN gateway associated with the transmission by utilizing the VPN client;
and receiving the detection request packet by using the VPN gateway associated with transmission, and sending the detection reply packet to the VPN client so as to finish the detection between the VPN client and the VPN gateway associated with transmission.
10. A highly reliable cloud network virtual private network communication apparatus, comprising:
the first transmission module is used for sending an IP packet with a preset format to a first VPN gateway based on a VPN client, carrying out first identity authentication on the VPN client and the first VPN gateway according to preset configuration information, and establishing first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online VPN header packet type;
a second transmission module, configured to perform second identity authentication between the VPN client and a second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client switches from the first VPN gateway to the second VPN gateway to establish second transmission;
and the period detection module is used for sending a detection request packet to a VPN gateway associated with transmission through the VPN client based on the first transmission and the second transmission so as to finish the detection between the VPN client and the VPN gateway associated with the transmission.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210621700.7A CN115225313B (en) 2022-06-02 2022-06-02 High-reliability cloud network virtual private network communication method and device
Publications (2)

Publication Number Publication Date
CN115225313A true CN115225313A (en) 2022-10-21
CN115225313B CN115225313B (en) 2023-08-29