CN115225313B - A highly reliable cloud network virtual private network communication method and device - Google Patents
- Publication number: CN115225313B (application CN202210621700.7A)
- Authority: CN (China)
- Prior art keywords: vpn, packet, client, authentication, gateway
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/0272: Virtual private networks (under H04L63/02, network security architectures separating internal from external traffic, e.g. firewalls)
- H04L12/4633: Interconnection of networks using encapsulation techniques, e.g. tunneling
- H04L12/4641: Virtual LANs, VLANs, e.g. virtual private networks [VPN]
- H04L63/0485: Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up (under H04L63/0428, confidential data exchange where the payload is protected by encryption or encapsulation)
- H04L63/08: Network security architectures or protocols for authentication of entities
- H04L63/083: Authentication of entities using passwords
- Y02D30/50: Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate
Description
Technical field
The invention relates to the technical field of network communication transmission, and in particular to a highly reliable cloud network virtual private network communication method and device.
Background
A cloud network VPN is an overlay network built on top of a public network such as the Internet. It is a virtual network rather than a truly dedicated one, but it preserves the security properties of a private network. The usual way to build a VPN over the Internet is to establish a tunnel across the Internet between a VPN client and a VPN gateway; the client and the gateway protect the integrity and confidentiality of the data sent through that tunnel. Existing approaches use the IPSec protocol to build the tunnel between the VPN client and the VPN gateway, so the prior art typically constructs IPSec packets to carry the data between them, and IPSec packets generated in this way may be discarded by devices in the network while in transit across the Internet.
IPSec packets are easily classified as abnormal by devices on the Internet and dropped, so tunnels built on IPSec packets are comparatively fragile on the Internet. How to prevent devices on the Internet from discarding the packets carried on the tunnel between the VPN client and the VPN gateway is therefore a problem that urgently needs solving.
Summary of the invention
The present invention aims to solve, at least to some extent, one of the technical problems in the related art.
To this end, one object of the present invention is to propose a highly reliable cloud network virtual private network communication method that can be applied in VPN communication scenarios and used to build a data transmission tunnel between a VPN client and a VPN gateway, helping to improve the reliability of data transmission between the VPN client and the VPN gateway.
Another object of the present invention is to propose a highly reliable cloud network virtual private network communication device.
To achieve the above objects, one aspect of the present invention proposes a highly reliable cloud network virtual private network communication method, including:
sending an IP packet in a preset format from the VPN client to a first VPN gateway, performing a first identity authentication between the VPN client and the first VPN gateway according to preset configuration information, and establishing a first transmission between the VPN client and the first VPN gateway, where the IP packet in the preset format is an IP packet whose packet type in the VPN header is "online";
when the VPN client switches from the first VPN gateway to a second VPN gateway to establish a second transmission, performing a second identity authentication between the VPN client and the second VPN gateway based on the authentication request packet sent over the first transmission;
based on the first transmission and the second transmission, sending a probe request packet from the VPN client to the VPN gateway associated with the transmission, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
In addition, the highly reliable cloud network virtual private network communication method according to the above embodiments of the present invention may have the following additional technical features:
Further, in one embodiment of the present invention, the method also includes: determining the packet type of the VPN header from the data in the IP packet of the preset format, where the packet type of the VPN header includes at least one of the following: the online IP packet, the authentication request packet, an authentication reply packet, an authentication complete packet, the probe request packet, a probe reply packet, an ESP packet, a WireGuard packet and a RAW packet.
Further, in one embodiment of the present invention, the method also includes: when the IP address and port number of the VPN client change, sending a TCP abnormal-termination packet (RST) from the first VPN gateway to the VPN client, and performing the first identity authentication between the VPN client and the first VPN gateway again according to the configuration information.
Further, in one embodiment of the present invention, before the IP packet whose packet type is "online" is sent to the first VPN gateway, the method also includes having the VPN client imitate TCP behaviour to establish a connection with the first VPN gateway, specifically: the VPN client sends the first VPN gateway a SYN packet for establishing a TCP connection; the first VPN gateway receives the SYN packet and replies to the VPN client with a SYN+ACK packet; the VPN client receives the SYN+ACK packet and sends an ACK packet to the first VPN gateway.
Further, in one embodiment of the present invention, performing the first identity authentication between the VPN client and the first VPN gateway according to the configuration information includes: the VPN client sends the online IP packet to the first VPN gateway and, according to the configuration information, determines whether the online IP packet marks the low-frequency probe information in its flag position: if the configuration information indicates that low-frequency probe information is used, the position is marked 1, otherwise it is marked 0; the online IP packet triggers the first identity authentication, and the first VPN gateway sends a first authentication request packet to the VPN client; the VPN client receives the first authentication request packet and sends a first authentication reply packet to the first VPN gateway; the first VPN gateway receives the first authentication reply packet and, if its authentication information is correct, sends a first authentication complete packet to the VPN client; where the first authentication reply packet includes the information the first VPN gateway uses to verify the identity of the VPN client.
Further, in one embodiment of the present invention, after the first identity authentication is completed, the method also includes data interaction between the VPN client and the first VPN gateway, where the data interaction includes, according to the configuration information, one of: FEC encoding, ESP tunnel encapsulation using IPSec, WireGuard tunnel encapsulation, or RAW transmission of the data without encapsulation.
Further, in one embodiment of the present invention, the format of the control information part of the authentication request packet includes: version, sequence number, IP and port number; the format of the control information part of the authentication reply packet includes: version, sequence number, IP, port number and authentication information.
Further, in one embodiment of the present invention, when the VPN client switches from the first VPN gateway to the second VPN gateway to establish the second transmission, performing the second identity authentication between the VPN client and the second VPN gateway based on the first transmission and according to the authentication request packet includes: when the VPN client switches from the first VPN gateway to the second VPN gateway, the second identity authentication is triggered and the second VPN gateway sends a second authentication request packet to the VPN client; the VPN client receives the second authentication request packet and sends a second authentication reply packet to the second VPN gateway; the second VPN gateway receives the second authentication reply and, if its authentication information is correct, sends a second authentication complete packet to the VPN client; where the second authentication reply packet includes the information the second VPN gateway uses to verify the identity of the VPN client.
Further, in one embodiment of the present invention, sending a probe request packet from the VPN client to the VPN gateway associated with the transmission so as to complete probing between the VPN client and that gateway includes: the VPN client sends the probe request packet to the VPN gateway associated with the transmission; the VPN gateway associated with the transmission receives the probe request packet and sends the probe reply packet to the VPN client, completing the probe between the VPN client and the VPN gateway associated with the transmission.
The highly reliable cloud network virtual private network communication method of the embodiments of the present invention can be applied in VPN communication scenarios and used to build a data transmission tunnel between a VPN client and a VPN gateway; the IP packets that form the transmission tunnel are similar in structure to the TCP packets widely used on the Internet, which helps to improve the reliability of data transmission between the VPN client and the VPN gateway.
To achieve the above objects, another aspect of the present invention proposes a highly reliable cloud network virtual private network communication device, including:
a first transmission module, configured to send an IP packet in a preset format from the VPN client to a first VPN gateway, perform a first identity authentication between the VPN client and the first VPN gateway according to preset configuration information, and establish a first transmission between the VPN client and the first VPN gateway, where the IP packet in the preset format is an IP packet whose packet type in the VPN header is "online";
a second transmission module, configured to perform, when the VPN client switches from the first VPN gateway to a second VPN gateway to establish a second transmission, a second identity authentication between the VPN client and the second VPN gateway based on the authentication request packet sent over the first transmission;
a periodic probe module, configured to send, based on the first transmission and the second transmission, a probe request packet from the VPN client to the VPN gateway associated with the transmission, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
Further, the above device also includes a type determination module, configured to determine the packet type of the VPN header from the data in the IP packet of the preset format, where the packet type of the VPN header includes at least one of the following: the online IP packet, the authentication request packet, an authentication reply packet, an authentication complete packet, the probe request packet, a probe reply packet, an ESP packet, a WireGuard packet and a RAW packet.
Further, the above device also includes a port change module, configured to send a TCP abnormal-termination packet (RST) from the first VPN gateway to the VPN client when the IP address and port number of the VPN client change, and to perform the first identity authentication between the VPN client and the first VPN gateway again according to the configuration information.
Further, the above device also includes a connection imitation module, configured to have the VPN client imitate TCP behaviour to establish a connection with the first VPN gateway, specifically including:
a first connection sub-module, configured to have the VPN client send the first VPN gateway a SYN packet for establishing a TCP connection;
a second connection sub-module, configured to have the first VPN gateway receive the SYN packet and reply to the VPN client with a SYN+ACK packet;
a third connection sub-module, configured to have the VPN client receive the SYN+ACK packet and send an ACK packet to the first VPN gateway.
Further, the above first transmission module includes:
a position marking module, configured to send the online IP packet from the VPN client to the first VPN gateway and, according to the configuration information, determine whether the online IP packet marks the low-frequency probe information in its flag position: if the configuration information indicates that low-frequency probe information is used, the position is marked 1, otherwise it is marked 0;
a first identity authentication module, configured to trigger the first identity authentication based on the online IP packet and have the first VPN gateway send a first authentication request packet to the VPN client;
a first authentication completion module, configured to have the VPN client receive the first authentication request packet and send a first authentication reply packet to the first VPN gateway, and to have the first VPN gateway receive the first authentication reply packet and, if its authentication information is correct, send a first authentication complete packet to the VPN client, where the first authentication reply packet includes the information the first VPN gateway uses to verify the identity of the VPN client.
Further, after the above first authentication completion module, the device also includes a data interaction module, configured to perform data interaction between the VPN client and the first VPN gateway, where the data interaction includes, according to the configuration information, one of: FEC encoding, ESP tunnel encapsulation using IPSec, WireGuard tunnel encapsulation, or RAW transmission of the data without encapsulation.
Further, the above second transmission module includes:
a second identity authentication module, configured to trigger the second identity authentication when the VPN client switches from the first VPN gateway to the second VPN gateway, and to have the second VPN gateway send a second authentication request packet to the VPN client;
a second authentication completion module, configured to have the VPN client receive the second authentication request packet and send a second authentication reply packet to the second VPN gateway, and to have the second VPN gateway receive the second authentication reply and, if its authentication information is correct, send a second authentication complete packet to the VPN client, where the second authentication reply packet includes the information the second VPN gateway uses to verify the identity of the VPN client.
Further, the above periodic probe module includes:
a probe request module, configured to have the VPN client send the probe request packet to the VPN gateway associated with the transmission;
a probe reply module, configured to have the VPN gateway associated with the transmission receive the probe request packet and send the probe reply packet to the VPN client, completing the probe between the VPN client and the VPN gateway associated with the transmission.
The highly reliable cloud network virtual private network communication device of the embodiments of the present invention can be applied in VPN communication scenarios and used to build a data transmission tunnel between a VPN client and a VPN gateway; the IP packets that form the transmission tunnel are similar in structure to the TCP packets widely used on the Internet, which helps to improve the reliability of data transmission between the VPN client and the VPN gateway.
The beneficial effects of the present invention are as follows:
The present invention can be applied in VPN communication scenarios and used to build a data transmission tunnel between a VPN client and a VPN gateway. Applicable products include, but are not limited to, the construction of tenant networks in cloud networks, and customer-premises equipment (CPE) in SD-WAN (Software Defined Wide Area Network) products connecting to the cloud or communicating with each other.
IPSec packets are easily classified as abnormal by devices on the Internet and dropped, so tunnels built on IPSec packets are comparatively fragile on the Internet. The present invention imitates TCP behaviour so that devices on the Internet treat the packets carried in the tunnel as the TCP packets that are ubiquitous on the Internet rather than as the rarer IPSec packets. The invention helps to improve the reliability of data transmission between the VPN client and the VPN gateway.
Additional aspects and advantages of the present invention will be set out in part in the description that follows, and in part will become apparent from the description or be learned through practice of the invention.
Brief description of the drawings
The above and/or additional aspects and advantages of the present invention will become apparent and easy to understand from the following description of embodiments in conjunction with the accompanying drawings, in which:
Fig. 1 is a schematic diagram of the format of an IP packet between a VPN client and a VPN gateway according to an embodiment of the present invention;
Fig. 2 is a flowchart of a highly reliable cloud network virtual private network communication method according to an embodiment of the present invention;
Fig. 3 is a schematic diagram of the format of the control information part of an authentication request packet according to an embodiment of the present invention;
Fig. 4 is a schematic diagram of the format of the control information part of an authentication reply packet according to an embodiment of the present invention;
Fig. 5 is a schematic structural diagram of a highly reliable cloud network virtual private network communication device according to an embodiment of the present invention.
Detailed description
It should be noted that, where there is no conflict, the embodiments in the present application and the features of the embodiments can be combined with one another. The present invention is described in detail below with reference to the accompanying drawings and embodiments.
In order that those skilled in the art may better understand the solutions of the present invention, the technical solutions in the embodiments of the present invention are described clearly and completely below in conjunction with the drawings in the embodiments. Obviously, the described embodiments are only some of the embodiments of the present invention, not all of them. All other embodiments obtained by persons of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
The highly reliable cloud network virtual private network communication method and device proposed according to embodiments of the present invention are described below with reference to the accompanying drawings.
Fig. 2 is a flowchart of a highly reliable cloud network virtual private network communication method according to one embodiment of the present invention.
As shown in Fig. 2, the method includes but is not limited to the following steps:
S1: the VPN client sends an IP packet in a preset format to a first VPN gateway, a first identity authentication between the VPN client and the first VPN gateway is performed according to preset configuration information, and a first transmission between the VPN client and the first VPN gateway is established, where the IP packet in the preset format is an IP packet whose packet type in the VPN header is "online".
It can be understood that the present invention defines the format of the IP packet exchanged between the cloud network VPN client and the VPN gateway, as shown in FIG. 1. The IP packet consists of an IP header, a TCP header, a VPN header, data or control information, and an integrity check; the IP header and the TCP header follow the definitions of the TCP/IP protocol suite. FIG. 1 omits the option fields that may follow the IP header and the TCP header. After the TCP header comes the VPN header defined by the present invention, whose length is fixed at 20 bytes. The last 12 bytes of the whole IP packet are used for the integrity check of that packet. The packet body between the VPN header and the integrity check field has a variable length, and packets are divided into two classes according to its content: if the body carries data, the packet is called a data packet; if the body carries control information, the packet is called a control packet. The first 3 bits of the first byte of the VPN header form the flag field, and the remaining 5 bits form the packet type field. The flag field holds one of three mutually exclusive flags; their names, meanings and effect on the packet format are listed in Table 1. The packet type field gives the specific packet type; the types are likewise mutually exclusive, and their names, meanings and effect on the packet format are listed in Table 2. The "VPN ID" field of the VPN header uniquely identifies the VPN tunnel that the VPN client may use.
Table 1 Possible flags of the VPN header flag field
Table 2 Possible packet types of the VPN header packet type field
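A builder and parser for the packet layout described above, as an added example that is not part of the patent or of any implementation of it. It fixes what the text leaves open: the VPN ID is taken as a 4-byte field at header bytes 1..4, the other 15 header bytes are left zero, the packet-type codes and the low-frequency probe flag bit are assigned arbitrarily, and the 12-byte integrity check is computed as a truncated HMAC-SHA256 over header and body under the tunnel key; all of these are assumptions. The parser checks the trailer before it reads the header, so a packet with a forged or corrupted VPN header is dropped before any packet-type handling.

```python
"""VPN header and integrity-check helpers (added example, not the patent's code).

Known from the description: a 20-byte VPN header after the TCP header whose
first byte holds 3 flag bits then 5 packet-type bits, a VPN ID field, a
variable-length body, and a 12-byte integrity check at the end of the packet.
Assumed here: VPN ID = 4-byte big-endian integer at header bytes 1..4, the
other 15 header bytes are zero, the numeric type codes, and the integrity
check = first 12 bytes of HMAC-SHA256 over header + body under the tunnel key.
"""
import hashlib
import hmac
import struct

VPN_HEADER_LEN = 20
INTEGRITY_LEN = 12

# Flag bits of the 3-bit flag field. Only "low-frequency probing" is named on
# the page; the bit value is an assumption.
FLAG_LOW_FREQ_PROBE = 0b001

# Packet types named on the page; the numeric codes are assumptions.
PKT_ONLINE, PKT_AUTH_REQUEST, PKT_AUTH_REPLY, PKT_AUTH_COMPLETE = 1, 2, 3, 4
PKT_PROBE_REQUEST, PKT_PROBE_REPLY, PKT_ESP, PKT_WIREGUARD, PKT_RAW = 5, 6, 7, 8, 9
CONTROL_TYPES = {PKT_ONLINE, PKT_AUTH_REQUEST, PKT_AUTH_REPLY,
                 PKT_AUTH_COMPLETE, PKT_PROBE_REQUEST, PKT_PROBE_REPLY}


def pack_vpn_header(flags: int, pkt_type: int, vpn_id: int) -> bytes:
    """20-byte VPN header: byte 0 = flags<<5 | type, bytes 1..4 = VPN ID (assumed
    position), remaining 15 bytes zero (assumption)."""
    if not (0 <= flags < 8 and 0 <= pkt_type < 32):
        raise ValueError("flags must fit in 3 bits and packet type in 5 bits")
    return struct.pack("!BI", (flags << 5) | pkt_type, vpn_id) + bytes(15)


def unpack_vpn_header(hdr: bytes) -> tuple:
    """Return (flags, pkt_type, vpn_id) from a 20-byte VPN header."""
    if len(hdr) != VPN_HEADER_LEN:
        raise ValueError("VPN header must be exactly 20 bytes")
    first, vpn_id = struct.unpack("!BI", hdr[:5])
    return first >> 5, first & 0x1F, vpn_id


def integrity_tag(key: bytes, header_and_body: bytes) -> bytes:
    """12-byte integrity check over everything between TCP header and trailer."""
    return hmac.new(key, header_and_body, hashlib.sha256).digest()[:INTEGRITY_LEN]


def build_vpn_payload(key: bytes, flags: int, pkt_type: int, vpn_id: int, body: bytes) -> bytes:
    """VPN header + body + integrity check: the part carried after the TCP header."""
    hb = pack_vpn_header(flags, pkt_type, vpn_id) + body
    return hb + integrity_tag(key, hb)


def verify_integrity(key: bytes, payload: bytes) -> bool:
    """True when the trailing 12 bytes match the MAC of header + body."""
    if len(payload) < VPN_HEADER_LEN + INTEGRITY_LEN:
        return False
    hb, tag = payload[:-INTEGRITY_LEN], payload[-INTEGRITY_LEN:]
    return hmac.compare_digest(tag, integrity_tag(key, hb))


def parse_vpn_payload(key: bytes, payload: bytes) -> dict:
    """Check integrity first, then split into fields. Raises on a bad packet so
    a tampered or mis-keyed packet never reaches the packet-type dispatch."""
    if not verify_integrity(key, payload):
        raise ValueError("integrity check failed or payload truncated")
    hb = payload[:-INTEGRITY_LEN]
    flags, pkt_type, vpn_id = unpack_vpn_header(hb[:VPN_HEADER_LEN])
    return {
        "flags": flags,
        "pkt_type": pkt_type,
        "vpn_id": vpn_id,
        "kind": "control" if pkt_type in CONTROL_TYPES else "data",
        "body": hb[VPN_HEADER_LEN:],
    }


if __name__ == "__main__":
    # Constructed sample: an "online" packet with the low-frequency probe flag set.
    key = b"constructed-tunnel-key"
    pkt = build_vpn_payload(key, FLAG_LOW_FREQ_PROBE, PKT_ONLINE, 0x2A, b"")
    print(parse_vpn_payload(key, pkt))
```

The header is deliberately decoded only after the trailer verifies; with the check done in the other order, an attacker-controlled type byte would select a handler before the packet was known to be genuine.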
It can be understood that this process takes place when the VPN client is initialized for first use: the VPN controller pushes the VPN configuration to the VPN client and to multiple VPN gateways. The configuration includes the VPN ID for this VPN client, the key needed for tunnel encryption under that VPN ID, the key needed for VPN client authentication, and settings such as whether to perform FEC encoding and whether to use low-frequency probing. Based on this information, the VPN gateway establishes a session for each VPN client.
As an example, "connection establishment between the VPN client and the gateway": the VPN client imitates TCP behaviour and sends the VPN gateway a TCP connection establishment packet, i.e. a SYN packet. The packet contains an IP header and a TCP header and ends at the TCP header; its format exactly imitates the SYN packet of the TCP three-way handshake. On receiving this packet, the VPN gateway continues to imitate the TCP connection establishment process and replies to the VPN client with a SYN+ACK packet in the same format as the SYN+ACK packet of the TCP three-way handshake. When the VPN client receives the SYN+ACK packet, it sends the VPN gateway an ACK packet imitating the ACK of the TCP three-way handshake.
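The imitated three-way handshake, as an added example (not the patent's code or any implementation of it): it packs the SYN, SYN+ACK and ACK as 20-byte option-less TCP headers and walks both sides through the exchange. The header layout, the random initial sequence numbers, the zero checksum (left to the sending stack) and the rule that the gateway records a connection only after an ACK that acknowledges its own ISN+1 are assumptions; the page states only that the three packets copy the TCP handshake format and carry no body.

```python
"""TCP three-way handshake as imitated by VPN client and gateway (added example).

Assumed here: the 20-byte TCP header layout without options, random 32-bit
initial sequence numbers, checksum left as zero, and that the gateway only
considers a client connected once it receives an ACK for its own ISN + 1.
"""
import secrets
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
SEQ_MASK = 0xFFFFFFFF
TCP_HDR = "!HHIIBBHHH"  # src, dst, seq, ack, data offset, flags, window, csum, urg


def pack_tcp_header(src_port, dst_port, seq, ack, flags, window=65535):
    """Option-less 20-byte TCP header; checksum is left to the IP stack (assumption)."""
    data_offset = 5 << 4  # 5 32-bit words = 20 bytes, no options
    return struct.pack(TCP_HDR, src_port, dst_port, seq & SEQ_MASK, ack & SEQ_MASK,
                       data_offset, flags, window, 0, 0)


def unpack_tcp_header(hdr):
    src, dst, seq, ack, _off, flags, _win, _csum, _urg = struct.unpack(TCP_HDR, hdr[:20])
    return {"src_port": src, "dst_port": dst, "seq": seq, "ack": ack, "flags": flags}


class ImitatedClient:
    def __init__(self, port, gw_port):
        self.port, self.gw_port = port, gw_port
        self.isn = secrets.randbits(32)
        self.established = False

    def syn(self):
        return pack_tcp_header(self.port, self.gw_port, self.isn, 0, TCP_SYN)

    def on_syn_ack(self, hdr):
        """Return the ACK packet, or None if this is not a SYN+ACK for our SYN."""
        h = unpack_tcp_header(hdr)
        if h["flags"] != TCP_SYN | TCP_ACK or h["ack"] != (self.isn + 1) & SEQ_MASK:
            return None
        self.established = True
        return pack_tcp_header(self.port, self.gw_port, self.isn + 1, h["seq"] + 1, TCP_ACK)


class ImitatedGateway:
    def __init__(self, port):
        self.port = port
        self.pending = {}      # client port -> our ISN for a half-open imitation
        self.established = set()

    def on_syn(self, hdr):
        """Answer a SYN addressed to us with SYN+ACK; ignore anything else."""
        h = unpack_tcp_header(hdr)
        if h["flags"] != TCP_SYN or h["dst_port"] != self.port:
            return None
        isn = secrets.randbits(32)
        self.pending[h["src_port"]] = isn
        return pack_tcp_header(self.port, h["src_port"], isn, h["seq"] + 1, TCP_SYN | TCP_ACK)

    def on_ack(self, hdr):
        """Complete the handshake only for an ACK that acknowledges our ISN + 1."""
        h = unpack_tcp_header(hdr)
        isn = self.pending.get(h["src_port"])
        if isn is None or h["flags"] != TCP_ACK or h["ack"] != (isn + 1) & SEQ_MASK:
            return False
        del self.pending[h["src_port"]]
        self.established.add(h["src_port"])
        return True


def handshake(client: ImitatedClient, gateway: ImitatedGateway) -> bool:
    """SYN -> SYN+ACK -> ACK; True when both sides consider the connection up."""
    syn_ack = gateway.on_syn(client.syn())
    if syn_ack is None:
        return False
    ack = client.on_syn_ack(syn_ack)
    return ack is not None and gateway.on_ack(ack)


if __name__ == "__main__":
    c, g = ImitatedClient(40000, 443), ImitatedGateway(443)
    print("handshake ok:", handshake(c, g))
```

Only the 20-byte header is built, matching the text's statement that the packet body ends at the TCP header; the checks on the acknowledgement numbers are what stop a stray or spoofed ACK from creating gateway state.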
After the three-way handshake, the VPN client sends the VPN gateway the "online" packet mentioned in Table 2. Based on the configuration information received during the "VPN controller pushes VPN configuration" process, the VPN client decides whether to set the "low-frequency probing" flag bit of the "online" packet to 1. The "online" packet triggers the process by which the VPN gateway authenticates the identity of the VPN client. The VPN gateway first sends the VPN client an "authentication request" packet to start the identity authentication process; the format of the control information part of the "authentication request" packet in the present invention is shown in FIG. 3. After receiving the "authentication request", the VPN client sends the VPN gateway an "authentication reply" packet; the format of its control information part is shown in FIG. 4, and it contains the information the VPN gateway uses to verify the identity of the VPN client. After receiving the "authentication reply", if the "authentication information" is correct, the VPN gateway sends the VPN client an "authentication complete" packet. FIG. 3 and FIG. 4 are schematic diagrams of the control information part of the "authentication request" packet and of the "authentication reply" packet in the present invention, respectively. The control information part of the authentication request packet includes: version, serial number, IP and port number; the control information part of the authentication reply packet includes: version, serial number, IP, port number and authentication information.
After authentication succeeds, data is exchanged between the VPN client and the VPN gateway. Depending on the configuration information pushed to the VPN client during the "VPN controller pushes VPN configuration" process, data packets may be FEC encoded and may be transmitted using IPsec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or RAW (no encapsulation).
S2: When the VPN client switches from the first VPN gateway to the second VPN gateway to establish a second transmission, a second identity authentication of the VPN client and the second VPN gateway is performed based on the authentication request packet sent over the first transmission.
It can be understood that the IP address and port number of the VPN client may change. When they change, the VPN gateway sends the VPN client a TCP RST packet, which from the point of view of devices on the Internet looks like the termination of that TCP connection. Then the "connection establishment between the VPN client and the gateway" process is carried out again between the VPN client and the VPN gateway.
Further, when the VPN client switches from one VPN gateway to another, it must repeat the authentication process with the new VPN gateway: the new VPN gateway first sends the VPN client an "authentication request" packet to start identity authentication. After receiving the "authentication request", the VPN client sends the new VPN gateway an "authentication reply" packet containing the information the new VPN gateway uses to verify the identity of the VPN client. After receiving the "authentication reply", if the "authentication information" is correct, the new VPN gateway sends the VPN client an "authentication complete" packet.
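The authentication exchange with the first gateway and the re-authentication after a gateway switch, as an added example that is not the patent's code and serves both passages. The fields are those the page names: the request carries version, serial number, IP and port, and the reply adds the authentication information. Assumed here: the authentication information is an HMAC-SHA256 over the request fields under the client authentication key pushed by the VPN controller, the serial number is a random per-request nonce chosen by the gateway, and the IP and port are the client's address as seen by the gateway. Because each gateway accepts only a reply that echoes one of its own outstanding requests, a reply captured on the first transmission is useless at the second gateway and cannot be replayed at the first.

```python
"""Authentication request / reply / complete between VPN client and gateway
(added example, not the patent's code).

Known from the page: request = version, serial, IP, port; reply = the same
plus authentication information; the gateway sends "authentication complete"
when that information is correct; a new gateway repeats the exchange.
Assumed: authentication information = HMAC-SHA256(client auth key, request
fields); serial = random nonce per request; IP/port = client address seen by
the gateway.
"""
import hashlib
import hmac
import ipaddress
import secrets
import struct
from dataclasses import dataclass

VERSION = 1
REQ_FMT = "!BIIH"  # version, serial, IPv4 address, port (layout is an assumption)
REQ_LEN = struct.calcsize(REQ_FMT)


def encode_auth_request(version: int, serial: int, ip: str, port: int) -> bytes:
    return struct.pack(REQ_FMT, version, serial, int(ipaddress.IPv4Address(ip)), port)


def decode_auth_request(ctrl: bytes) -> tuple:
    version, serial, ip_int, port = struct.unpack(REQ_FMT, ctrl)
    return version, serial, str(ipaddress.IPv4Address(ip_int)), port


def auth_info(client_key: bytes, request_ctrl: bytes) -> bytes:
    """The reply's authentication information: a MAC over the request fields."""
    return hmac.new(client_key, request_ctrl, hashlib.sha256).digest()


@dataclass
class Client:
    auth_key: bytes  # pushed by the VPN controller during configuration

    def answer(self, request_ctrl: bytes) -> bytes:
        """Authentication reply: echo the request fields, append the MAC."""
        return request_ctrl + auth_info(self.auth_key, request_ctrl)


class Gateway:
    def __init__(self, name: str, client_key: bytes):
        self.name = name
        self.client_key = client_key   # same key the controller pushed to us
        self.pending = {}              # serial -> outstanding request bytes
        self.authenticated = set()     # (ip, port) pairs that completed authentication

    def on_online(self, ip: str, port: int) -> bytes:
        """An "online" packet triggers an authentication request with a fresh serial."""
        serial = secrets.randbits(32)
        req = encode_auth_request(VERSION, serial, ip, port)
        self.pending[serial] = req
        return req

    def on_auth_reply(self, reply: bytes) -> str:
        """Return "authentication complete" or a rejection reason."""
        echoed, info = reply[:REQ_LEN], reply[REQ_LEN:]
        try:
            version, serial, ip, port = decode_auth_request(echoed)
        except struct.error:
            return "rejected: malformed reply"
        if version != VERSION:
            return "rejected: version mismatch"
        outstanding = self.pending.pop(serial, None)
        if outstanding is None or outstanding != echoed:
            # Unknown serial, replayed reply, or fields altered in transit.
            return "rejected: no matching authentication request"
        if not hmac.compare_digest(info, auth_info(self.client_key, echoed)):
            return "rejected: authentication information incorrect"
        self.authenticated.add((ip, port))
        return "authentication complete"


def run_exchange(gw: Gateway, client: Client, ip: str, port: int) -> str:
    """online -> authentication request -> authentication reply -> verdict."""
    return gw.on_auth_reply(client.answer(gw.on_online(ip, port)))


def switch_gateways(client_key: bytes) -> tuple:
    """Authenticate to gateway 1, then re-authenticate after switching to gateway 2."""
    gw1, gw2 = Gateway("gateway-1", client_key), Gateway("gateway-2", client_key)
    client = Client(client_key)
    first = run_exchange(gw1, client, "203.0.113.10", 40000)   # constructed address
    second = run_exchange(gw2, client, "203.0.113.10", 40001)
    return first, second


if __name__ == "__main__":
    print(switch_gateways(b"constructed-client-auth-key"))
```

The request is consumed whether or not the MAC verifies, so a single serial cannot be used for repeated guesses; the client simply sees a fresh request on its next "online" packet.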
S3: Over the first transmission and the second transmission, the VPN client sends a probe request packet to the VPN gateway associated with the transmission, so as to complete the probing between the VPN client and that VPN gateway.
Specifically, the VPN client periodically sends probe request packets to the VPN gateway. After receiving a "periodic probe request" packet, the VPN gateway sends a "periodic probe reply" packet to the VPN client.
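Client-side tracking of the periodic probe exchange, as an added example that is not the patent's code. The page gives only the request/reply pair; the probe interval, reply timeout, miss threshold, per-probe serial numbers and the simulated gateway that stops answering are all assumptions. run_scenario returns the tick at which the client first declares the transmission failed, which is the point at which it would move to the other gateway.

```python
"""Periodic probe liveness tracking on the VPN client (added example).

Known from the page: the client periodically sends probe requests and the
gateway answers each with a probe reply. Assumed: a 5 s interval, a 2 s reply
timeout, failure after 3 consecutive misses, and serial numbers in the probes.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class ProbeMonitor:
    interval: float = 5.0      # seconds between probe requests (assumption)
    timeout: float = 2.0       # reply later than this counts as a miss (assumption)
    max_misses: int = 3        # consecutive misses that fail the transmission (assumption)
    next_serial: int = 0
    last_send: Optional[float] = None
    outstanding: Dict[int, float] = field(default_factory=dict)  # serial -> send time
    consecutive_misses: int = 0
    last_rtt: Optional[float] = None

    def due(self, now: float) -> bool:
        return self.last_send is None or now - self.last_send >= self.interval

    def send_probe(self, now: float) -> int:
        """Record a probe request; returns the serial carried in the request packet."""
        serial = self.next_serial
        self.next_serial += 1
        self.outstanding[serial] = now
        self.last_send = now
        return serial

    def on_reply(self, serial: int, now: float) -> bool:
        """Accept a probe reply only if it answers an outstanding request."""
        sent = self.outstanding.pop(serial, None)
        if sent is None:
            return False  # late, duplicate or unsolicited reply: ignored
        self.last_rtt = now - sent
        self.consecutive_misses = 0
        return True

    def expire(self, now: float) -> int:
        """Count requests whose reply deadline has passed; returns how many expired now."""
        expired = [s for s, t in self.outstanding.items() if now - t >= self.timeout]
        for s in expired:
            del self.outstanding[s]
        self.consecutive_misses += len(expired)
        return len(expired)

    def healthy(self) -> bool:
        return self.consecutive_misses < self.max_misses


def run_scenario(reply_lost_from: Optional[float], end: int = 40) -> Optional[int]:
    """Tick the clock one second at a time. The simulated gateway answers each
    probe within the same tick until reply_lost_from, then goes silent.
    Returns the first tick at which the client declares the transmission failed."""
    mon = ProbeMonitor()
    for now in range(end):
        mon.expire(now)
        if not mon.healthy():
            return now
        if mon.due(now):
            serial = mon.send_probe(now)
            if reply_lost_from is None or now < reply_lost_from:
                mon.on_reply(serial, now)
    return None


if __name__ == "__main__":
    print("gateway silent from t=12, failure declared at t =", run_scenario(12))
```

Replies are matched to outstanding serials, so a reply that arrives after its deadline, or one that was never requested, does not reset the miss counter; only a genuine answer to a current probe keeps the transmission marked healthy.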
The highly reliable cloud network virtual private network communication method according to the embodiment of the present invention can be applied to VPN communication scenarios and used to build a tunnel for data transmission between the VPN client and the VPN gateway. The IP packets that build the transmission tunnel are structured like the TCP packets widely used on the Internet, which helps improve the reliability of data transmission between the VPN client and the VPN gateway.
To implement the above embodiment, as shown in FIG. 5, this embodiment also provides a highly reliable cloud network virtual private network communication device 10. The device 10 includes a first transmission module 100, a second transmission module 200 and a periodic probe module 300.
The first transmission module 100 is configured to have the VPN client send an IP packet in a preset format to the first VPN gateway, perform a first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, and establish a first transmission between the VPN client and the first VPN gateway, where the IP packet in the preset format is an IP packet whose packet type in the VPN header is "online";
The second transmission module 200 is configured to perform, when the VPN client switches from the first VPN gateway to the second VPN gateway to establish a second transmission, a second identity authentication of the VPN client and the second VPN gateway based on the authentication request packet sent over the first transmission;
The periodic probe module 300 is configured to have the VPN client send, over the first transmission and the second transmission, a probe request packet to the VPN gateway associated with the transmission, so as to complete the probing between the VPN client and that VPN gateway.
Further, the device 10 also includes a type determination module, configured to determine the packet type of the corresponding VPN header according to the data in the IP packet of the preset format; the packet type of the VPN header includes at least one of: online IP packet, authentication request packet, authentication reply packet, authentication complete packet, probe request packet, probe reply packet, ESP packet, WireGuard packet and RAW packet.
Further, the device 10 also includes a port change module, configured to have the first VPN gateway send a TCP abnormal connection termination packet (RST) to the VPN client when the IP address and port number of the VPN client change, and to repeat the first identity authentication of the VPN client and the first VPN gateway according to the configuration information.
Further, the device 10 also includes an imitated connection module, configured to have the VPN client imitate TCP behaviour to establish a connection with the first VPN gateway, specifically including:
a first connection submodule, configured to have the VPN client send the first VPN gateway a SYN packet for TCP connection establishment;
a second connection submodule, configured to have the first VPN gateway receive the SYN packet and reply to the VPN client with a SYN+ACK packet;
a third connection submodule, configured to have the VPN client receive the SYN+ACK packet and send an ACK packet to the first VPN gateway.
Further, the first transmission module 100 includes:
a flag marking module, configured to have the VPN client send the "online" IP packet to the first VPN gateway and, according to the configuration information, determine whether the "online" IP packet marks the low-frequency probing flag: if the configuration information indicates that low-frequency probing is used, the flag is set to 1, otherwise to 0;
a first identity authentication module, configured to trigger the first identity authentication based on the "online" IP packet and have the first VPN gateway send a first authentication request packet to the VPN client;
a first authentication completion module, configured to have the VPN client receive the first authentication request packet and send a first authentication reply packet to the first VPN gateway, and to have the first VPN gateway receive the first authentication reply packet and, if its authentication information is correct, send a first authentication complete packet to the VPN client; the first authentication reply packet contains the information the first VPN gateway uses to verify the identity of the VPN client.
Further, after the first authentication completion module, the device also includes a data interaction module, configured to perform data interaction between the VPN client and the first VPN gateway; according to the configuration information, the data interaction uses one of: FEC encoding, transmission with IPsec ESP tunnel encapsulation, transmission with WireGuard tunnel encapsulation, or RAW transmission without encapsulation.
Further, the second transmission module 200 includes:
a second identity authentication module, configured to trigger the second identity authentication when the VPN client switches from the first VPN gateway to the second VPN gateway, and to have the second VPN gateway send a second authentication request packet to the VPN client;
a second authentication completion module, configured to have the VPN client receive the second authentication request packet and send a second authentication reply packet to the second VPN gateway, and to have the second VPN gateway receive the second authentication reply and, if its authentication information is correct, send a second authentication complete packet to the VPN client; the second authentication reply packet contains the information the second VPN gateway uses to verify the identity of the VPN client.
Further, the periodic probe module 300 includes:
a probe request module, configured to have the VPN client send a probe request packet to the VPN gateway associated with the transmission;
a probe reply module, configured to have the VPN gateway associated with the transmission receive the probe request packet and send a probe reply packet to the VPN client, so as to complete the probing between the VPN client and that VPN gateway.
The highly reliable cloud network virtual private network communication device according to the embodiment of the present invention can be applied to VPN communication scenarios and used to build a tunnel for data transmission between the VPN client and the VPN gateway. The IP packets that build the transmission tunnel are structured like the TCP packets widely used on the Internet, which helps improve the reliability of data transmission between the VPN client and the VPN gateway.
It should be noted that the foregoing explanation of the embodiment of the highly reliable cloud network virtual private network communication method also applies to the highly reliable cloud network virtual private network communication device of this embodiment and is not repeated here.
In addition, the terms "first" and "second" are used for descriptive purposes only and cannot be understood as indicating or implying relative importance or implicitly specifying the number of the indicated technical features. Thus, a feature qualified by "first" or "second" may explicitly or implicitly include at least one such feature. In the description of the present invention, "plurality" means at least two, for example two or three, unless otherwise explicitly and specifically defined.
In the description of this specification, a description referring to the terms "one embodiment", "some embodiments", "example", "specific example" or "some examples" means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic expressions of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. In addition, where they do not contradict each other, those skilled in the art may combine the different embodiments or examples described in this specification, and the features of different embodiments or examples.
Although embodiments of the present invention have been shown and described above, it can be understood that the above embodiments are exemplary and shall not be construed as limiting the present invention; those of ordinary skill in the art may make changes, modifications, substitutions and variations to the above embodiments within the scope of the present invention.
Claims (7)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210621700.7A CN115225313B (en) | 2022-06-02 | 2022-06-02 | A highly reliable cloud network virtual private network communication method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115225313A CN115225313A (en) | 2022-10-21 |
CN115225313B true CN115225313B (en) | 2023-08-29 |
Family
ID=83607926
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210621700.7A Active CN115225313B (en) | 2022-06-02 | 2022-06-02 | A highly reliable cloud network virtual private network communication method and device |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115225313B (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101026516A (en) * | 2006-02-22 | 2007-08-29 | 迈世亚(北京)科技有限公司 | Method for establishing virtual personal network connection |
CN101072157A (en) * | 2007-06-08 | 2007-11-14 | 迈普(四川)通信技术有限公司 | Virtual special net load backup system and its establishing method and data forwarding method |
CN101262409A (en) * | 2008-04-23 | 2008-09-10 | 华为技术有限公司 | Virtual private network VPN access method and device |
CN104735051A (en) * | 2013-12-23 | 2015-06-24 | 三星Sds株式会社 | System and method for controlling virtual private network access |
CN112260926A (en) * | 2020-10-16 | 2021-01-22 | 上海叠念信息科技有限公司 | Data transmission system, method, device, equipment and storage medium of virtual private network |
CN112422396A (en) * | 2020-11-04 | 2021-02-26 | 郑州信大捷安信息技术股份有限公司 | TCP network transmission acceleration method and system based on SSLVPN channel |
CN113645115A (en) * | 2020-04-27 | 2021-11-12 | 中国电信股份有限公司 | Virtual private network access method and system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8020203B2 (en) * | 2007-12-03 | 2011-09-13 | Novell, Inc. | Techniques for high availability of virtual private networks (VPN's) |
2022-06-02 CN CN202210621700.7A patent/CN115225313B/en active Active
Also Published As
Publication number | Publication date |
---|---|
CN115225313A (en) | 2022-10-21 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||