CN115225313B - High-reliability cloud network virtual private network communication method and device - Google Patents


Info

Publication number: CN115225313B
Application number: CN202210621700.7A
Authority: CN (China)
Prior art keywords: vpn, packet, authentication, client, gateway
Prior art date:
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN115225313A (en)
Inventors: 董恩焕, 苏昆林, 杨家海, 祝顺民, 王之梁, 张世泽, 文荣, 任伟
Current Assignee: Tsinghua University; Alibaba Cloud Computing Ltd
Original Assignee: Tsinghua University; Alibaba Cloud Computing Ltd
Priority date:
Filing date:
Publication date:
Events: application filed by Tsinghua University and Alibaba Cloud Computing Ltd; publication of CN115225313A; application granted; publication of CN115225313B; legal status active.

Classifications

    • H04L63/0272 Virtual private networks (network security: separating internal from external traffic, e.g. firewalls)
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Authentication of entities using passwords
    • Y02D30/50 Reducing energy consumption in wire-line communication networks, e.g. low power modes or reduced link rate

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a highly reliable cloud network virtual private network communication method and device. The method comprises the following steps: based on the VPN client, sending an IP packet in a preset format to a first VPN gateway, carrying out first identity authentication between the VPN client and the first VPN gateway according to preset configuration information, and establishing a first transmission between the VPN client and the first VPN gateway; when the VPN client switches from the first VPN gateway to a second VPN gateway to establish a second transmission, carrying out second identity authentication between the VPN client and the second VPN gateway based on an authentication request packet sent over the first transmission; and, based on the first transmission and the second transmission, sending a probe request packet from the VPN client to the VPN gateway associated with the transmission so as to complete probing between the VPN client and that VPN gateway. The application can construct a tunnel for data transmission between the VPN client and the VPN gateway; because the IP packets that build the tunnel are structured like the TCP packets widely used on the Internet, the reliability of data transmission between the VPN client and the VPN gateway is improved.

Description

High-reliability cloud network virtual private network communication method and device
Technical Field
The application relates to the technical field of network communication transmission, in particular to a highly reliable cloud network virtual private network communication method and device.
Background
A cloud network VPN is an overlay network built on a public network (such as the internet): it is a virtual rather than a truly private network, but it retains the security properties of a private network. A common way to build a VPN over the internet is to establish a tunnel through the internet between a VPN client and a VPN gateway; the VPN client and the VPN gateway ensure the integrity and confidentiality of the data communicated through the tunnel. The existing approach, commonly used in the prior art, constructs the tunnel between the VPN client and the VPN gateway with the IPSec protocol and carries the data in IPSec packets. IPSec packets generated in this way may be discarded by devices in the network while in transit over the internet.
Because IPSec packets are easily identified by devices in the internet as abnormal packets and discarded, a tunnel built on IPSec packets is fragile in the internet. How to prevent devices in the internet from discarding the packets carried in the tunnel between the VPN client and the VPN gateway is therefore a problem that needs to be solved.
Disclosure of Invention
The present application aims to solve at least one of the technical problems in the related art to some extent.
Therefore, the application aims to provide a highly reliable cloud network virtual private network communication method which can be applied to VPN communication scenes, can be used for constructing a tunnel for data transmission between a VPN client and a VPN gateway, and is beneficial to improving the reliability of data transmission between the VPN client and the VPN gateway.
Another object of the present application is to provide a highly reliable cloud network virtual private network communication device.
In order to achieve the above objective, in one aspect, the present application provides a highly reliable cloud network virtual private network communication method, including:
based on a VPN client, sending an IP packet in a preset format to a first VPN gateway, carrying out first identity authentication between the VPN client and the first VPN gateway according to preset configuration information, and establishing a first transmission between the VPN client and the first VPN gateway, wherein the IP packet in the preset format is an IP packet whose VPN header carries the online packet type;
when the VPN client switches from the first VPN gateway to a second VPN gateway to establish a second transmission, performing second identity authentication between the VPN client and the second VPN gateway based on an authentication request packet sent over the first transmission;
and, based on the first transmission and the second transmission, sending a probe request packet from the VPN client to the VPN gateway associated with the transmission so as to complete probing between the VPN client and that VPN gateway.
In addition, the highly reliable cloud network virtual private network communication method according to the above embodiment of the present application may further have the following additional technical features:
Further, in one embodiment of the present application, the method further comprises: determining the packet type of the corresponding VPN header according to the data in the IP packet in the preset format; wherein the packet type of the VPN header includes at least one of: the online packet, the authentication request packet, the authentication reply packet, the authentication completion packet, the probe request packet, the probe reply packet, the ESP packet, the WireGuard packet and the RAW packet.
Further, in one embodiment of the present application, the method further comprises: when the IP address and port number of the VPN client change, a TCP reset (RST) packet is sent to the VPN client through the first VPN gateway, and first identity authentication between the VPN client and the first VPN gateway is carried out again according to the configuration information.
Further, in one embodiment of the present application, before sending the IP packet with the online packet type to the first VPN gateway, the method further includes: establishing a connection with the first VPN gateway by having the VPN client emulate TCP behaviour, specifically: sending the SYN packet with which TCP establishes a connection from the VPN client to the first VPN gateway; receiving the SYN packet at the first VPN gateway and replying with a SYN+ACK packet to the VPN client; and receiving the SYN+ACK packet at the VPN client and sending an ACK packet to the first VPN gateway.
Further, in an embodiment of the present application, performing the first identity authentication between the VPN client and the first VPN gateway according to the configuration information includes: sending the online packet from the VPN client to the first VPN gateway, and determining from the configuration information whether the online packet sets the low-frequency probing flag, the flag being set to 1 if the configuration information indicates that low-frequency probing is used and to 0 otherwise; triggering the first authentication based on the online packet, with the first VPN gateway sending a first authentication request packet to the VPN client; receiving the first authentication request packet at the VPN client and sending a first authentication reply packet to the first VPN gateway; and receiving the first authentication reply packet at the first VPN gateway and sending a first authentication completion packet to the VPN client if the authentication information in the first authentication reply packet is correct; wherein the first authentication reply packet includes the information that the first VPN gateway uses to verify the identity of the VPN client.
Further, in one embodiment of the present application, after the first authentication is completed, the method further includes: performing data interaction between the VPN client and the first VPN gateway; wherein the data interaction comprises: according to the configuration information, applying FEC coding and transmitting the data using IPSec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or unencapsulated (RAW mode).
Further, in one embodiment of the present application, the control information part format of the authentication request packet includes: version, serial number, IP and port number; the control information part format of the authentication reply packet includes: version, serial number, IP, port number, and authentication information.
Further, in one embodiment of the present application, when the VPN client switches from the first VPN gateway to a second VPN gateway to establish the second transmission, performing the second identity authentication between the VPN client and the second VPN gateway based on the first transmission and according to an authentication request packet includes: triggering the second identity authentication when the VPN client switches from the first VPN gateway to the second VPN gateway, with the second VPN gateway sending a second authentication request packet to the VPN client; receiving the second authentication request packet at the VPN client and sending a second authentication reply packet to the second VPN gateway; and receiving the second authentication reply at the second VPN gateway and sending a second authentication completion packet to the VPN client if the authentication information in the second authentication reply is correct; wherein the second authentication reply packet includes the information that the second VPN gateway uses to verify the identity of the VPN client.
Further, in one embodiment of the present application, sending a probe request packet from the VPN client to the transmission-associated VPN gateway to complete probing between the VPN client and the transmission-associated VPN gateway includes: transmitting the probe request packet from the VPN client to the transmission-associated VPN gateway; and receiving the probe request packet at the transmission-associated VPN gateway and sending a probe reply packet to the VPN client, so as to complete probing between the VPN client and the transmission-associated VPN gateway.
The highly reliable cloud network virtual private network communication method of the embodiment of the application can be applied to VPN communication scenarios and can be used to construct a tunnel for data transmission between a VPN client and a VPN gateway; the IP packets that build the transmission tunnel are structured like the TCP packets widely used in the Internet, which helps improve the reliability of data transmission between the VPN client and the VPN gateway.
In order to achieve the above object, another aspect of the present application provides a highly reliable cloud network virtual private network communication device, including:
the first transmission module is used for sending an IP packet with a preset format to a first VPN gateway based on a VPN client, carrying out first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, and establishing first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online packet type in a VPN header;
a second transmission module, configured to perform second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client switches from the first VPN gateway to the second VPN gateway to establish second transmission;
and the periodic probing module is used for sending probe request packets from the VPN client to the VPN gateway associated with the transmission, based on the first transmission and the second transmission, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
Further, the apparatus further includes: the type determining module, used for determining the packet type of the corresponding VPN header according to the data in the IP packet in the preset format; wherein the packet type of the VPN header includes at least one of: the online packet, the authentication request packet, the authentication reply packet, the authentication completion packet, the probe request packet, the probe reply packet, the ESP packet, the WireGuard packet and the RAW packet.
Further, the apparatus further includes: the port change module, used for sending a TCP reset (RST) packet to the VPN client through the first VPN gateway when the IP address and port number of the VPN client change, and for carrying out the first identity authentication between the VPN client and the first VPN gateway again according to the configuration information.
Further, the apparatus further includes: the emulated connection module, used for establishing a connection with the first VPN gateway by having the VPN client emulate TCP behaviour, and specifically comprising:
a first connection sub-module, configured to send a SYN packet for establishing a connection by using TCP to a first VPN gateway by using a VPN client;
the second connection submodule is used for receiving the SYN packet by using the first VPN gateway and replying a SYN+ACK packet to the VPN client;
and the third connection submodule is used for receiving the SYN+ACK packet by using the VPN client and sending the ACK packet to the first VPN gateway.
Further, the first transmission module includes:
the flag marking module is used for sending the online packet from the VPN client to the first VPN gateway and determining from the configuration information whether the online packet sets the low-frequency probing flag, the flag being set to 1 if the configuration information indicates that low-frequency probing is used and to 0 otherwise;
the first identity authentication module is used for triggering first identity authentication based on the online IP packet, and sending a first authentication request packet to the VPN client by utilizing the first VPN gateway;
the first authentication completion module is used for receiving the first authentication request packet by using the VPN client, sending a first authentication reply packet to the first VPN gateway, receiving the first authentication reply packet by using the first VPN gateway, and sending a first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; wherein the first authentication reply packet includes information that the first VPN gateway uses to verify the VPN client identity.
Further, following the first authentication completion module, the apparatus further includes: the data interaction module, used for carrying out data interaction between the VPN client and the first VPN gateway; wherein the data interaction includes: according to the configuration information, applying FEC coding and transmitting the data using IPSec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or unencapsulated (RAW mode).
Further, the second transmission module includes:
the second identity authentication module is used for triggering second identity authentication when the VPN client is switched from the first VPN gateway to a second VPN gateway, and sending a second authentication request packet to the VPN client through the second VPN gateway;
the second authentication completion module is used for receiving the second authentication request packet by using the VPN client, sending a second authentication reply packet to the second VPN gateway, receiving the second authentication reply by the second VPN gateway, and sending a second authentication completion packet to the VPN client if the authentication information of the second authentication reply is correct; wherein the second authentication reply packet includes information that the second VPN gateway uses to verify the VPN client identity.
Further, the periodic probing module includes:
a probe request module, configured to send the probe request packet from the VPN client to the VPN gateway associated with the transmission;
and the probe reply module, used for receiving the probe request packet at the VPN gateway associated with the transmission and sending the probe reply packet to the VPN client, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
The highly reliable cloud network virtual private network communication device of the embodiment of the application can be applied to VPN communication scenarios and can be used to construct a tunnel for data transmission between a VPN client and a VPN gateway; the IP packets that build the transmission tunnel are structured like the TCP packets widely used in the Internet, which helps improve the reliability of data transmission between the VPN client and the VPN gateway.
The beneficial effects of the application are as follows:
The application can be applied to VPN communication scenarios and can be used to construct a tunnel for data transmission between a VPN client and a VPN gateway. Products to which it may be applied include, but are not limited to, the construction of tenant networks in cloud networks, and cloud access or interconnection of customer premises equipment (CPE) in SD-WAN (Software-Defined Wide Area Network) products.
IPSec packets are easily identified by devices in the internet as anomalous packets and discarded, so tunnels built on IPSec packets are fragile in the internet. The present application mimics TCP behaviour so that devices in the internet see the packets carried in the tunnel as the TCP packets that are ubiquitous in the internet rather than as rare IPSec packets. The application thereby helps improve the reliability of data transmission between the VPN client and the VPN gateway.
Additional aspects and advantages of the application will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the application.
Drawings
The foregoing and/or additional aspects and advantages of the application will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
fig. 1 is a schematic diagram of the format of an IP packet between a VPN client and a VPN gateway according to an embodiment of the present application;
FIG. 2 is a flow chart of a method of highly reliable cloud network virtual private network communication according to an embodiment of the application;
FIG. 3 is a schematic diagram of the format of the control information part of an authentication request packet according to an embodiment of the present application;
FIG. 4 is a schematic diagram of the format of the control information part of an authentication reply packet according to an embodiment of the present application;
fig. 5 is a schematic structural diagram of a highly reliable cloud network virtual private network communication device according to an embodiment of the present application.
Detailed Description
It should be noted that, without conflict, the embodiments of the present application and features of the embodiments may be combined with each other. The application will be described in detail below with reference to the drawings in connection with embodiments.
In order that those skilled in the art will better understand the present application, a technical solution in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present application without making any inventive effort, shall fall within the scope of the present application.
The following describes a highly reliable cloud network virtual private network communication method and device according to an embodiment of the present application with reference to the accompanying drawings.
Fig. 2 is a flow chart of a highly reliable cloud network virtual private network communication method of one embodiment of the application.
As shown in fig. 2, the method includes, but is not limited to, the steps of:
S1, sending an IP packet in a preset format to a first VPN gateway based on a VPN client, and carrying out first identity authentication between the VPN client and the first VPN gateway according to preset configuration information to establish a first transmission between the VPN client and the first VPN gateway, wherein the IP packet in the preset format is an IP packet whose VPN header carries the online packet type.
It will be appreciated that the present application defines the format of IP packets between a cloud network VPN client and a VPN gateway, as shown in fig. 1. The IP packet consists of an IP header, a TCP header, a VPN header, data or control information, and an integrity check. The IP header and the TCP header follow the definitions of the TCP/IP protocol suite; the optional fields that may follow each of them are omitted from fig. 1. The TCP header is followed by the VPN header defined by the present application, which has a fixed length of 20 bytes. The last 12 bytes of the whole IP packet hold the integrity check of the packet. The packet body between the VPN header and the integrity check field is of variable length, and packets are divided into two kinds according to its content: if the body carries data, the packet is called a data packet; if it carries control information, the packet is called a control packet. The first 3 bits of the first byte of the VPN header form the tag bit field and the remaining 5 bits form the packet type field. The tag bit field can carry one of three mutually exclusive tags; their names, meanings and effects on the packet format are shown in table 1. The packet type field identifies the specific packet type; the types are likewise mutually exclusive, and their names, meanings and effects on the packet format are shown in table 2. The VPN ID field of the VPN header uniquely identifies the VPN tunnel that the VPN client may use.
Table 1: possible tags of the VPN header tag bit field
Table 2: possible packet types of the VPN header packet type field
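To make the packet layout concrete, here is an added Python example (not code from the patent or its assignees) that assembles and parses a packet in the format described above: IP and TCP headers, a fixed 20-byte VPN header whose first byte holds 3 tag bits and 5 packet-type bits, a variable body, and a 12-byte integrity check at the very end. The page names the packet types but does not give their numeric codes, the position of the VPN ID inside the header, which tag bit means low-frequency probing, or the integrity-check algorithm, so the type codes, the `TAG_LOW_FREQ_PROBE` bit, the 32-bit VPN ID at header offset 1 and the truncated HMAC-SHA256 check are all assumptions; the IP and TCP headers are zero-filled placeholders of their minimum 20-byte length. The receiver verifies the check before reading any header field, which is the order a gateway should use so that forged control packets are dropped rather than acted on.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Layout from the description: IP header, TCP header (both 20 bytes here, no
# options), a fixed 20-byte VPN header, a variable body, and a 12-byte
# integrity check that always occupies the last bytes of the packet.
IP_HDR_LEN = 20
TCP_HDR_LEN = 20
VPN_HDR_LEN = 20
ICV_LEN = 12

# Packet types named on the page; the numeric codes are assumed (table 2 is
# not given). Control packets carry control information, the rest carry data.
PACKET_TYPES = {
    1: "online", 2: "auth_request", 3: "auth_reply", 4: "auth_complete",
    5: "probe_request", 6: "probe_reply", 7: "esp", 8: "wireguard", 9: "raw",
}
CONTROL_TYPES = {"online", "auth_request", "auth_reply", "auth_complete",
                 "probe_request", "probe_reply"}

# Tag bits occupy the top 3 bits of byte 0; which bit means "low-frequency
# probing" is assumed (table 1 is not given).
TAG_LOW_FREQ_PROBE = 0b100


@dataclass
class VpnPacket:
    tags: int          # 3-bit tag field
    packet_type: str   # decoded 5-bit packet type
    vpn_id: int        # tunnel identifier (assumed 32-bit, at header offset 1)
    body: bytes        # data or control information


def build_vpn_header(tags: int, ptype: int, vpn_id: int) -> bytes:
    """Byte 0 = (tags << 5) | type; then the assumed 32-bit VPN ID; the
    remaining 15 bytes of the fixed 20-byte header are left zero."""
    if not 0 <= tags < 8 or not 0 <= ptype < 32:
        raise ValueError("tag or packet type out of range")
    return struct.pack("!BI", (tags << 5) | ptype, vpn_id) + b"\x00" * (VPN_HDR_LEN - 5)


def integrity_check(key: bytes, covered: bytes) -> bytes:
    """Assumed integrity check: HMAC-SHA256 over VPN header + body, cut to 12 bytes."""
    return hmac.new(key, covered, hashlib.sha256).digest()[:ICV_LEN]


def build_packet(ip_hdr: bytes, tcp_hdr: bytes, tags: int, ptype: int,
                 vpn_id: int, body: bytes, key: bytes) -> bytes:
    if len(ip_hdr) != IP_HDR_LEN or len(tcp_hdr) != TCP_HDR_LEN:
        raise ValueError("this example uses option-less IP and TCP headers")
    covered = build_vpn_header(tags, ptype, vpn_id) + body
    return ip_hdr + tcp_hdr + covered + integrity_check(key, covered)


def parse_packet(pkt: bytes, key: bytes) -> VpnPacket:
    """Split a received packet and verify the check before acting on any VPN
    header field, so forged control packets are dropped, not processed."""
    if len(pkt) < IP_HDR_LEN + TCP_HDR_LEN + VPN_HDR_LEN + ICV_LEN:
        raise ValueError("packet too short")
    covered, icv = pkt[IP_HDR_LEN + TCP_HDR_LEN:-ICV_LEN], pkt[-ICV_LEN:]
    if not hmac.compare_digest(integrity_check(key, covered), icv):
        raise ValueError("integrity check failed")
    first, vpn_id = struct.unpack("!BI", covered[:5])
    ptype = first & 0x1F
    if ptype not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {ptype}")
    return VpnPacket(tags=first >> 5, packet_type=PACKET_TYPES[ptype],
                     vpn_id=vpn_id, body=covered[VPN_HDR_LEN:])


def is_control_packet(p: VpnPacket) -> bool:
    return p.packet_type in CONTROL_TYPES


def demo() -> VpnPacket:
    """Constructed sample: an 'online' packet carrying the low-frequency probing tag."""
    key = b"constructed-tunnel-key"
    ip_hdr = b"\x45" + b"\x00" * 19     # placeholder IPv4 header, no options
    tcp_hdr = b"\x00" * 20              # placeholder TCP header, no options
    pkt = build_packet(ip_hdr, tcp_hdr, TAG_LOW_FREQ_PROBE, 1, 0x1234, b"", key)
    parsed = parse_packet(pkt, key)
    # A single flipped bit in the VPN header region must be rejected.
    tampered = bytearray(pkt)
    tampered[IP_HDR_LEN + TCP_HDR_LEN] ^= 0x01
    try:
        parse_packet(bytes(tampered), key)
    except ValueError:
        pass
    else:
        raise AssertionError("tampered packet accepted")
    return parsed


if __name__ == "__main__":
    print(demo())
```

Running the block prints the parsed `online` packet with its tag bits and VPN ID; the integrity check is computed over the VPN header and body only because the IP and TCP headers are rewritten by NAT devices in transit and could not be covered by a check the receiver recomputes.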
It will be appreciated that this process occurs when the VPN client is first initialized for use, and the VPN controller pushes VPN configurations to the VPN client and the plurality of VPN gateways. The configuration comprises: information such as FEC encoding or low-frequency probe information is performed on the VPN ID of the VPN client, a key required for tunnel encryption corresponding to the VPN ID, and a key required for VPN client authentication. The VPN gateway establishes a session for each VPN client based on this information.
As an example, a connection transfer is established between a VPN client and a gateway: the VPN client emulates TCP behavior and sends packets for TCP to establish a connection, i.e. SYN packets, to the VPN gateway. The packet contains an IP header and a TCP header, and the packet body is cut off to the TCP header, and the format completely mimics a SYN packet of a three-way handshake when TCP establishes a connection. After receiving the packet, the VPN gateway continues to simulate the TCP connection establishment procedure, and replies a syn+ack packet to the VPN client, where the packet has the same format as the syn+ack packet of the three-way handshake when the TCP connection is established. When the VPN client receives the syn+ack packet, it sends an ACK packet to the VPN gateway that mimics the three-way handshake when TCP establishes a connection.
After the three-way handshake, the VPN client sends an "online" packet mentioned in table 2 to the VPN gateway, and according to configuration information received by the VPN client in the process of pushing VPN configuration by the VPN controller, the VPN client determines whether the "online" packet marks "low-frequency probing" as 1. The "online" packet may trigger the process of the VPN gateway authenticating the identity to the VPN client. The VPN gateway will first send an "authentication request" packet to the VPN client, initiating the process of identity authentication. The "authentication request" package control information part format in the present application is shown in fig. 3. After receiving the authentication request, the VPN client sends an authentication reply packet to the VPN gateway. The format of the control information part of the "authentication reply" packet in the present application is shown in fig. 4. The included VPN gateway may be used to verify information of the VPN client identity. After receiving the authentication reply, the VPN gateway sends an authentication completion packet to the VPN client if the authentication information is correct. As shown in fig. 3 and fig. 4, the format of the "authentication request" packet control information part and the format of the "authentication reply" packet control information part in the present application are respectively shown. The control information part format of the authentication request packet includes: version, serial number, IP and port number; the control information part format of the authentication reply packet includes: version, serial number, IP, port number, and authentication information.
After passing authentication, the VPN client and the VPN gateway can exchange data. According to the configuration information pushed to the VPN client by the VPN controller during VPN configuration pushing, the data packets may be FEC encoded and transmitted using IPSec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or unencapsulated in RAW mode.
S2, when the VPN client switches from the first VPN gateway to the second VPN gateway to establish the second transmission, second identity authentication of the VPN client and the second VPN gateway is performed based on an authentication request packet sent by the first transmission.
It will be appreciated that the IP address and port number of the VPN client may change. When they change, the VPN gateway sends a TCP RST packet to the VPN client, so that from the point of view of devices in the Internet the TCP connection appears to have been terminated. The process of establishing connection transmission between the VPN client and the VPN gateway is then performed again.
Further, when the VPN client switches from one VPN gateway to another, the authentication process must be repeated with the new VPN gateway: the new VPN gateway first sends an "authentication request" packet to the VPN client, starting the identity authentication process. After receiving the authentication request, the VPN client sends an authentication reply packet to the new VPN gateway, containing the information the new VPN gateway uses to verify the identity of the VPN client. After receiving the authentication reply, the new VPN gateway sends an authentication completion packet to the VPN client if the authentication information is correct.
S3, based on the first transmission and the second transmission, a probe request packet is sent through the VPN client to the VPN gateway associated with the transmission, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
Specifically, the VPN client periodically sends "periodic probe request" packets to the VPN gateway. After receiving a "periodic probe request" packet, the VPN gateway sends a "periodic probe reply" packet to the VPN client.
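The control-packet exchange of steps S1 to S3 (online packet with the low-frequency probing flag, authentication request and reply, authentication completion, periodic probing, and re-authentication after a gateway switch), as an added Python simulation that is not the patent's code: the packet-type values, the fixed control-information layout and the HMAC-based authentication information are assumptions, since the patent specifies only the field names.

```python
"""Added example (not the patent's code): emulation of the online / authentication / probe
exchange and the re-authentication that follows a gateway switch.  Assumed: the packet-type
values, the control-information layout, and authentication information computed as an HMAC
over the request serial number and the client address with a pre-shared key."""
import hashlib
import hmac
import socket
import struct

# Assumed packet-type values for the VPN header (the patent names the types, not their encoding).
ONLINE, AUTH_REQ, AUTH_REPLY, AUTH_DONE, PROBE_REQ, PROBE_REPLY = range(1, 7)
VERSION = 1
# Assumed control-information layout: version(1) type(1) low_freq_flag(1) serial(4) ip(4) port(2)
HDR = "!BBBI4sH"
HDR_LEN = struct.calcsize(HDR)


def pack(ptype, serial, ip, port, low_freq=0, auth=b""):
    """Build a control packet; authentication information is appended only to replies."""
    return struct.pack(HDR, VERSION, ptype, low_freq, serial, socket.inet_aton(ip), port) + auth


def unpack(pkt):
    ver, ptype, low_freq, serial, ip, port = struct.unpack(HDR, pkt[:HDR_LEN])
    return {"version": ver, "type": ptype, "low_freq": low_freq, "serial": serial,
            "ip": socket.inet_ntoa(ip), "port": port, "auth": pkt[HDR_LEN:]}


def auth_info(psk, serial, ip, port):
    """Assumed authentication information: binding the reply to the request's serial number and
    to the client's address means a captured reply cannot be reused for another request."""
    msg = struct.pack("!I4sH", serial, socket.inet_aton(ip), port)
    return hmac.new(psk, msg, hashlib.sha256).digest()


class Gateway:
    def __init__(self, psk):
        self.psk = psk
        self.pending = {}           # (ip, port) -> serial of the outstanding authentication request
        self.authenticated = set()  # (ip, port) pairs that completed authentication
        self.serial = 100

    def receive(self, pkt):
        """Handle one control packet from a client; return the reply packet or None."""
        p = unpack(pkt)
        key = (p["ip"], p["port"])
        if p["type"] == ONLINE:  # the online packet triggers the authentication request
            self.serial += 1
            self.pending[key] = self.serial
            return pack(AUTH_REQ, self.serial, *key)
        if p["type"] == AUTH_REPLY and key in self.pending:
            expected = auth_info(self.psk, self.pending[key], *key)
            if hmac.compare_digest(p["auth"], expected):
                del self.pending[key]
                self.authenticated.add(key)
                return pack(AUTH_DONE, p["serial"], *key)
            return None  # wrong authentication information: no completion packet is sent
        if p["type"] == PROBE_REQ and key in self.authenticated:
            return pack(PROBE_REPLY, p["serial"], *key)
        return None  # unauthenticated address (e.g. after a gateway switch): no probe reply


class Client:
    def __init__(self, ip, port, psk, low_freq_probe):
        self.ip, self.port, self.psk = ip, port, psk
        self.low_freq = int(low_freq_probe)  # from the configuration pushed by the VPN controller
        self.serial = 0

    def online(self):
        self.serial += 1
        return pack(ONLINE, self.serial, self.ip, self.port, low_freq=self.low_freq)

    def answer(self, pkt):
        """Reply to an authentication request with its serial number plus authentication info."""
        p = unpack(pkt)
        if p["type"] != AUTH_REQ:
            return None
        return pack(AUTH_REPLY, p["serial"], self.ip, self.port,
                    auth=auth_info(self.psk, p["serial"], self.ip, self.port))

    def probe(self):
        self.serial += 1
        return pack(PROBE_REQ, self.serial, self.ip, self.port)


def authenticate(client, gw):
    """Run online -> auth request -> auth reply -> auth completion; return the packet types seen."""
    req = gw.receive(client.online())
    done = gw.receive(client.answer(req))
    return [unpack(req)["type"], unpack(done)["type"] if done else None]
```

A client that moves to a second gateway (or whose address changes) is simply an unknown (ip, port) to that gateway, so its probes go unanswered until `authenticate` is run again, which is the re-authentication step S2 describes.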
The highly reliable cloud network virtual private network communication method provided by the embodiment of the application can be applied to VPN communication scenarios and used to construct a tunnel for data transmission between a VPN client and a VPN gateway; the IP packets used to construct the transmission tunnel are structurally similar to the TCP packets widely used in the Internet, which helps improve the reliability of data transmission between the VPN client and the VPN gateway.
In order to implement the above embodiment, as shown in fig. 5, a highly reliable cloud network virtual private network communication apparatus 10 is further provided, where the apparatus 10 includes: a first transmission module 100, a second transmission module 200, and a period probing module 300.
The first transmission module 100 is configured to send an IP packet with a preset format to a first VPN gateway based on a VPN client, and perform first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, so as to establish first transmission between the VPN client and the first VPN gateway, where the IP packet with the preset format is an IP packet with an online packet type in a VPN header;
a second transmission module 200, configured to perform second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client switches from the first VPN gateway to the second VPN gateway to establish the second transmission;
the period probing module 300 is configured to send, based on the first transmission and the second transmission, a probing request packet to a VPN gateway associated with the transmission through the VPN client, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
Further, the apparatus 10 further includes a type determining module, configured to determine the packet type of the corresponding VPN header according to the data in the IP packet in the preset format; the packet type of the VPN header includes at least one of: an online IP packet, an authentication request packet, an authentication reply packet, an authentication completion packet, a probe request packet, a probe reply packet, an ESP packet, a WireGuard packet, and a RAW packet.
Further, the apparatus 10 further includes a port change module, configured to send a TCP abnormal connection termination packet (RST) to the VPN client through the first VPN gateway when the IP address and port number of the VPN client change, and to perform the first identity authentication of the VPN client and the first VPN gateway again according to the configuration information.
Further, the apparatus 10 further includes an emulated connection module, configured to establish a connection with the first VPN gateway by having the VPN client emulate TCP behavior, and specifically including:
a first connection sub-module, configured to send, by the VPN client, the SYN packet TCP uses to establish a connection to the first VPN gateway;
a second connection sub-module, configured to receive the SYN packet at the first VPN gateway and reply a SYN+ACK packet to the VPN client;
a third connection sub-module, configured to receive the SYN+ACK packet at the VPN client and send an ACK packet to the first VPN gateway.
Further, the first transmission module 100 includes:
the flag marking module, configured to send an online IP packet to the first VPN gateway through the VPN client and to determine, according to the configuration information, whether the low-frequency probing flag of the online IP packet is set: the flag is set to 1 if the configuration information indicates that low-frequency probing is used, and otherwise to 0;
the first identity authentication module is used for triggering first identity authentication based on an online IP packet, and sending a first authentication request packet to the VPN client by using a first VPN gateway;
the first authentication completion module is used for receiving the first authentication request packet by using the VPN client, sending a first authentication reply packet to the first VPN gateway, receiving the first authentication reply packet by using the first VPN gateway, and sending the first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; the first authentication reply packet includes information that the first VPN gateway uses to verify the identity of the VPN client.
Further, after the first authentication completion module, the apparatus 10 further includes a data interaction module, configured to perform data interaction between the VPN client and the first VPN gateway, where the data interaction includes: according to the configuration information, performing FEC coding and transmitting the data using IPSec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or unencapsulated RAW mode.
Further, the second transmission module 200 includes:
the second identity authentication module is used for triggering second identity authentication when the VPN client is switched from the first VPN gateway to the second VPN gateway, and sending a second authentication request packet to the VPN client through the second VPN gateway;
the second authentication completion module is used for receiving the second authentication request packet by using the VPN client, sending a second authentication reply packet to the second VPN gateway, receiving the second authentication reply through the second VPN gateway, and sending the second authentication completion packet to the VPN client if the authentication information of the second authentication reply is correct; wherein the second authentication reply packet includes information that the second VPN gateway uses to verify the identity of the VPN client.
Further, the period probing module 300 includes:
a probe request module, configured to send probe request packets to the VPN gateway associated with the transmission by using the VPN client;
a probe reply module, configured to receive the probe request packet at the VPN gateway associated with the transmission and send a probe reply packet to the VPN client, so as to complete probing between the VPN client and the VPN gateway associated with the transmission.
The highly reliable cloud network virtual private network communication apparatus provided by the embodiment of the application can be applied to VPN communication scenarios and used to construct a tunnel for data transmission between a VPN client and a VPN gateway; the IP packets used to construct the tunnel are structurally similar to the TCP packets widely used in the Internet, which helps improve the reliability of data transmission between the VPN client and the VPN gateway.
It should be noted that the foregoing explanation of the embodiment of the method for highly reliable cloud network virtual private network communication is also applicable to the highly reliable cloud network virtual private network communication device of the embodiment, which is not described herein again.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present application, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.
In the description of the present specification, a description referring to terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present application. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification and the features of the different embodiments or examples may be combined and combined by those skilled in the art without contradiction.
While embodiments of the present application have been shown and described above, it will be understood that the above embodiments are illustrative and not to be construed as limiting the application, and that variations, modifications, alternatives and variations may be made to the above embodiments by one of ordinary skill in the art within the scope of the application.

Claims (7)

1. A highly reliable cloud network virtual private network communication method, characterized by comprising the following steps:
based on a VPN client, sending an IP packet with a preset format to a first VPN gateway, and performing first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, so as to establish first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online packet type in a VPN header; the online IP packet is used only as a control packet; after the VPN client comes online, the VPN client and the VPN gateway perform a three-way handshake, and then the VPN client sends the online IP packet to the VPN gateway;
when the VPN client is switched from the first VPN gateway to a second VPN gateway to establish second transmission, performing second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission;
based on the first transmission and the second transmission, sending a detection request packet to a VPN gateway associated with transmission through the VPN client so as to finish detection between the VPN client and the VPN gateway associated with transmission;
the method further comprises the steps of: when the IP address and port number of the VPN client are changed, a TCP connection abnormal termination packet RST is sent to the VPN client through the first VPN gateway, and first identity authentication of the VPN client and the first VPN gateway is carried out again according to the configuration information;
before the VPN client sends the IP packet with the preset format to the first VPN gateway, the method further includes: establishing connection with the first VPN gateway by using VPN client to simulate TCP behavior, specifically:
sending a SYN packet for establishing connection by TCP to a first VPN gateway by using the VPN client;
receiving the SYN packet by using the first VPN gateway, and replying a SYN+ACK packet to the VPN client;
receiving the SYN+ACK packet by using the VPN client and sending an ACK packet to the first VPN gateway;
the performing the first authentication of the VPN client and the first VPN gateway according to the configuration information includes:
sending the online IP packet to the first VPN gateway through the VPN client, determining whether the online IP packet marks the position of low-frequency detection information according to the configuration information, marking the position as 1 if the configuration information indicates that the low-frequency detection information is used, otherwise marking the position as 0;
triggering first authentication based on the online IP packet, and sending a first authentication request packet to the VPN client by using the first VPN gateway;
receiving the first authentication request packet by using the VPN client, sending a first authentication reply packet to the first VPN gateway, receiving the first authentication reply packet by using the first VPN gateway, and sending a first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; wherein the first authentication reply packet includes information that the first VPN gateway uses to verify the VPN client identity.
2. The method according to claim 1, characterized in that the method further comprises: determining the packet type of the corresponding VPN header according to the data in the IP packet in the preset format; wherein the packet type of the VPN header includes at least one of: the online IP packet, the authentication request packet, the authentication reply packet, the authentication completion packet, the probe request packet, the probe reply packet, the ESP packet, the WireGuard packet and the RAW packet.
3. The method of claim 1, further comprising, after the first authentication is completed:
performing data interaction between the VPN client and the first VPN gateway; wherein the data interaction comprises: according to the configuration information, performing FEC coding and transmitting the data using IPSec ESP tunnel encapsulation, WireGuard tunnel encapsulation, or unencapsulated RAW mode.
4. A method according to claim 3, wherein the control information part format of the authentication request packet comprises: version, serial number, IP and port number;
the control information part format of the authentication reply packet includes: version, serial number, IP, port number, and authentication information.
5. The method of claim 4, wherein, when the VPN client switches from the first VPN gateway to the second VPN gateway to establish the second transmission, performing the second identity authentication of the VPN client and the second VPN gateway based on the authentication request packet sent by the first transmission comprises:
triggering second identity authentication when the VPN client is switched from the first VPN gateway to a second VPN gateway, and sending a second authentication request packet to the VPN client through the second VPN gateway;
receiving the second authentication request packet by using the VPN client, sending a second authentication reply packet to the second VPN gateway, receiving the second authentication reply by using the second VPN gateway, and sending a second authentication completion packet to the VPN client if the authentication information of the second authentication reply is correct; wherein the second authentication reply packet includes information that the second VPN gateway uses to verify the VPN client identity.
6. The method of claim 5, wherein said sending, by the VPN client, a probe request packet to a transport-associated VPN gateway to complete probing between the VPN client and the transport-associated VPN gateway comprises:
transmitting the probe request packet to the transmission-associated VPN gateway by using the VPN client;
and receiving the detection request packet by using the VPN gateway associated with transmission, and sending the detection reply packet to the VPN client so as to finish detection between the VPN client and the VPN gateway associated with transmission.
7. A highly reliable cloud network virtual private network communication apparatus, comprising:
the first transmission module, configured to send an IP packet with a preset format to a first VPN gateway based on a VPN client, perform first identity authentication of the VPN client and the first VPN gateway according to preset configuration information, and establish first transmission between the VPN client and the first VPN gateway, wherein the IP packet with the preset format is an IP packet with an online packet type in a VPN header; the online IP packet is used only as a control packet; after the VPN client comes online, the VPN client and the VPN gateway perform a three-way handshake, and then the VPN client sends the online IP packet to the VPN gateway;
a second transmission module, configured to perform second identity authentication of the VPN client and the second VPN gateway based on an authentication request packet sent by the first transmission when the VPN client switches from the first VPN gateway to the second VPN gateway to establish second transmission;
the period detection module is used for sending a detection request packet to a VPN gateway associated with transmission through the VPN client based on the first transmission and the second transmission so as to finish detection between the VPN client and the VPN gateway associated with transmission;
the apparatus is further configured to: when the IP address and port number of the VPN client change, send a TCP connection abnormal termination packet RST to the VPN client through the first VPN gateway, and perform the first identity authentication of the VPN client and the first VPN gateway again according to the configuration information;
before the first transmission module sends the IP packet, the apparatus is further configured to establish a connection with the first VPN gateway by having the VPN client emulate TCP behavior, specifically:
sending a SYN packet for establishing connection by TCP to a first VPN gateway by using the VPN client;
receiving the SYN packet by using the first VPN gateway, and replying a SYN+ACK packet to the VPN client;
receiving the SYN+ACK packet by using the VPN client and sending an ACK packet to the first VPN gateway;
the first transmission module is further configured to:
sending the online IP packet to the first VPN gateway through the VPN client, determining whether the online IP packet marks the position of low-frequency detection information according to the configuration information, marking the position as 1 if the configuration information indicates that the low-frequency detection information is used, otherwise marking the position as 0;
triggering first authentication based on the online IP packet, and sending a first authentication request packet to the VPN client by using the first VPN gateway;
receiving the first authentication request packet by using the VPN client, sending a first authentication reply packet to the first VPN gateway, receiving the first authentication reply packet by using the first VPN gateway, and sending a first authentication completion packet to the VPN client if the authentication information of the first authentication reply packet is correct; wherein the first authentication reply packet includes information that the first VPN gateway uses to verify the VPN client identity.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210621700.7A CN115225313B (en) 2022-06-02 2022-06-02 High-reliability cloud network virtual private network communication method and device


Publications (2)

Publication Number Publication Date
CN115225313A CN115225313A (en) 2022-10-21
CN115225313B true CN115225313B (en) 2023-08-29

Family

ID=83607926


Country Status (1)

Country Link
CN (1) CN115225313B (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant