CN115913818A - VPN terminal communication method, VPN center terminal and storage medium - Google Patents

Abstract

The application provides a VPN terminal communication method, a VPN center terminal and a storage medium, which can solve the problem that a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize communication in a dynamic NAT environment, thereby improving the accuracy and efficiency of information data transmission in the VPN tunnel. The method comprises the following steps: receiving a data packet of a VPN terminal; acquiring a security parameter index and a public network IP in a data packet; confirming that the security parameter index is the first security parameter index but no public network IP exists in the database; updating the IP of the first public network; decrypting encrypted data in a data packet based on the first key; and sending the decrypted data to the server.

Description

VPN terminal communication method, VPN center terminal and storage medium

Technical Field

The present application relates to the field of communications, and in particular, to a VPN terminal communication method, a VPN center terminal, and a storage medium.

Background

With the continuous expansion of network space, the IPv4 address will be exhausted. The NAT (English: network Address Translation; chinese: network Address Translation) technology enables a plurality of devices in the private network to access the public network by using one external IP address, thereby greatly slowing down the speed of IPv4 address exhaustion. The NAT includes Static NAT (Static NAT), dynamic NAT (PooledNAT), and network address Port Translation NAPT (network address Port Translation). When the dynamic NAT converts the private IP address of the internal network into the public IP address, the IP address is uncertain and random.

The IPSec VPN is a VPN (Virtual Private Network) technology that uses an IPSec Protocol to implement remote access. The IPSec VPN builds a safe and reliable communication channel (tunnel) for the two private networks through a VPN center end and a VPN terminal which are positioned in the two private networks on a public network based on a cryptographic technology.

IPSec VPN is a point-to-point communication technology, i.e. the VPN central end and VPN terminals at both ends of the tunnel must know the network addresses of the opposite ends. However, the public network IP address of the VPN terminal may change in the dynamic NAT environment, so that the VPN central end sends data to the IP address before the change, and the data cannot reach the VPN terminal.

Disclosure of Invention

The embodiment of the application provides a VPN terminal communication method, a VPN center terminal and a storage medium, which can solve the problem that a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize communication in a dynamic NAT environment, thereby improving the accuracy and efficiency of information data transmission in the VPN tunnel.

In order to achieve the purpose, the following technical scheme is adopted in the application:

in a first aspect, a VPN terminal communication method is provided, which is applied to a VPN center. The VPN central end is provided with a database, and the database is stored with a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated manner; the VPN terminal communication method comprises the following steps: receiving a data packet of a VPN terminal; acquiring a security parameter index and a public network IP in the data packet; confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database; updating the first public network IP; decrypting encrypted data in the data packet based on the first key; and sending the decrypted data to a server.

Based on the VPN terminal communication method, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.

Optionally, the method further comprises: receiving feedback data from the server; confirming that the target IP of the feedback data is the internal IP address of the first local area network; encrypting the feedback data based on the first key; and sending the encrypted feedback data to the VPN terminal based on the first public network IP.

Optionally, the method further comprises: receiving a registration application of a first VPN terminal; the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address allocation request of terminal equipment and a first public network IP of the first VPN terminal, and the terminal equipment is connected with the first VPN terminal; acquiring a first key and a first security parameter index corresponding to the key based on the key negotiation between the IPSec protocol and the first VPN terminal; allocating a first local area network internal IP address for the terminal equipment; storing the first key, the first security parameter index, the first local area network internal IP address, and the first public network IP association in a database; and sending the first local area network internal IP address to the first VPN terminal.

Optionally, the allocating a first local area network internal IP address to the terminal device includes: selecting an IP address from an IP address pool as a first local area network internal IP address; and deleting the IP address in the IP address pool.

Optionally, the method further comprises: receiving feedback data to be sent to the first VPN terminal from a server; encrypting the feedback data based on the first key; and sending the encrypted feedback data to the first VPN terminal based on the first public network IP.

Optionally, the method further comprises: confirming that the data of the first VPN terminal are not received within a preset time period; and deleting the first key, the first security parameter index and the first public network IP.

Optionally, the method further comprises: receiving an instruction for indicating to delete the first VPN terminal information; and deleting the first key, the first security parameter index and the first public network IP.

In a second aspect, a VPN central terminal is provided, which includes a transceiver module, a processing module, and a storage module; the storage module stores a database, and the database stores a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated manner; the receiving and transmitting module is used for receiving a data packet of a VPN terminal; the processing module is used for acquiring a security parameter index and a public network IP in the data packet, and confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database; the processing module is further configured to update the first public network IP and decrypt encrypted data in the data packet based on the first key; the transceiver module is also used for sending the decrypted data to the server.

Optionally, the transceiver module is further configured to receive feedback data from the server; the processing module is further configured to confirm that a target IP of the feedback data is an internal IP address of the first local area network, and encrypt the feedback data based on the first key; the transceiver module is further configured to send the encrypted feedback data to the VPN terminal based on the first public network IP.

Optionally, the VPN central side according to the second aspect may further include a storage module, where the storage module stores a program or instructions. When the processing module executes the program or the instructions, the VPN center terminal is enabled to execute the VPN terminal communication method according to the first aspect.

In addition, the technical effect of the VPN central end according to the second aspect may refer to the technical effect of the VPN terminal communication method according to the first aspect, and details are not repeated here.

In a third aspect, a computer-readable storage medium is provided, comprising: computer programs or instructions; the computer program or instructions, when run on a computer, cause the computer to perform the VPN terminal communication method as described in the implementation of the first aspect.

In a fourth aspect, a computer program product is provided, which comprises a computer program or instructions that, when run on a computer, cause the computer to perform the VPN terminal communication method according to the implementation manner of the first aspect.

Drawings

Fig. 1 is a schematic diagram of an architecture of VPN communication according to an embodiment of the present application;

fig. 2 is a schematic flowchart of a VPN terminal access method according to an embodiment of the present application;

fig. 3 is a schematic flowchart of a VPN terminal communication method according to an embodiment of the present application;

fig. 4 is a schematic flowchart of a VPN terminal communication method based on an IPSec protocol according to an embodiment of the present application;

fig. 5 is a first schematic structural diagram of a VPN central end according to an embodiment of the present application;

fig. 6 is a schematic structural diagram of a VPN center according to an embodiment of the present application.

Detailed Description

The technical solution in the present application will be described below with reference to the accompanying drawings.

The technical solution of the embodiment of the present application may be applied to various communication systems, for example, a wireless fidelity (WiFi) system, a vehicle-to-any object (V2X) communication system, a device-to-device (D2D) communication system, a vehicle networking communication system, a 4th generation (4 g) mobile communication system, such as a Long Term Evolution (LTE) system, a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5 g) mobile communication system, such as a new radio, NR) system, and a future communication system, such as a sixth generation (6 g) mobile communication system.

This application is intended to present various aspects, embodiments or features around a system that may include a number of devices, components, modules, and the like. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, a combination of these schemes may also be used.

In addition, in the embodiments of the present application, words such as "exemplarily", "for example", etc. are used for indicating as examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term using examples is intended to present concepts in a concrete fashion.

In the embodiment of the present application, "information", "signal", "message", "channel", "signaling" may be used in combination, and it should be noted that the intended meaning is consistent when the difference is not emphasized. "of", "corresponding", and "corresponding" may sometimes be used in combination, it being noted that the intended meaning is consistent when no distinction is made.

The network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and it can be known by a person of ordinary skill in the art that the technical solution provided in the embodiment of the present application is also applicable to similar technical problems with the evolution of the network architecture and the occurrence of a new service scenario.

For the convenience of understanding the embodiment of the present application, a VPN terminal communication system based on an IPSec protocol, which is applicable to the embodiment of the present application, will be first described in detail by taking the architecture of VPN communication shown in fig. 1 as an example.

As shown in fig. 1, the architecture of VPN communication includes a VPN terminal communication system based on the IPSec protocol. The VPN terminal communication system includes a first VPN terminal, a second VPN terminal, and a VPN center terminal. The first VPN terminal is provided with a first terminal equipment interface and is connected with the first terminal equipment through the first terminal equipment interface. The second VPN terminal is provided with a second terminal equipment interface and is connected with the first terminal equipment through the second terminal equipment interface. The VPN center end is provided with a server interface and is connected with the server through the server interface.

The first VPN terminal may negotiate a key with the VPN center terminal based on the IPSec protocol, generate a first key after negotiation, and construct a first VPN tunnel between the first VPN terminal and the VPN center terminal. When the first VPN terminal and the VPN center terminal carry out data interaction, the interaction data can be encrypted through the first secret key so as to guarantee the safety of the interaction data.

The second VPN terminal may negotiate a key with the VPN center terminal based on the IPSec protocol, generate a second key after negotiation, and construct a second VPN tunnel between the second VPN terminal and the VPN center terminal. When the second VPN terminal and the VPN center terminal carry out data interaction, the interaction data can be encrypted through the second secret key so as to guarantee the safety of the interaction data.

For example, when the first terminal device performs data interaction with the second terminal device, the first terminal device may pass through the first VPN tunnel and the second VPN tunnel. And a first data packet generated by the first terminal equipment is uploaded to the first VPN terminal through the first terminal equipment interface. The first VPN terminal encrypts a first data packet of the first terminal device based on the first key and sends the encrypted first data packet to the VPN central terminal. And the VPN central terminal decrypts the first data packet based on the first key, encrypts the decrypted data based on the second key to form a second data packet and sends the second data packet to the second VPN terminal. The second VPN terminal decrypts the second data packet based on the second key.

Optionally, as shown in fig. 1, the VPN termination communication system may further include a first public network router connected to the first VPN termination and a second public network router connected to the second VPN termination. The first public Network router is used for executing NAT (Network Address Translation; chinese: network Address Translation) processing on the first data packet and sending the processed first data packet to the VPN center terminal. And the second public network router is used for performing NAT processing on the second data packet and sending the processed second data packet to the second VPN terminal.

Optionally, as shown in fig. 1, the VPN terminal communication system may further include a first quantum random number generator connected to the first VPN terminal, a central quantum random number generator connected to the VPN central end, and a second quantum random number generator connected to the second VPN terminal.

It should be noted that, when the first VPN terminal negotiates a key with the VPN center based on the IPSec protocol and the second VPN terminal negotiates a key with the VPN center based on the IPSec protocol, the random numbers need to be sent to each other. In order to improve the security, the first VPN terminal may send the quantum random number generated by the first quantum random number generator to the VPN central terminal, and the VPN central terminal may send the quantum random number generated by the central quantum random number generator to the first VPN terminal; the second VPN terminal may send the quantum random number generated by the second quantum random number generator to the VPN hub, and the VPN hub may send the quantum random number generated by the central quantum random number generator to the second VPN terminal.

The first terminal device and the second terminal device may also be referred to as a user equipment, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user equipment. The terminal device in the embodiment of the present application may be a mobile phone (mobile phone), a tablet computer (Pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal in industrial control (industrial control), a wireless terminal in unmanned driving (self), a wireless terminal in remote medical (remote), a wireless terminal in smart grid (smart grid), a wireless terminal in transportation safety (transportation safety), a wireless terminal in smart city (smart city), a wireless terminal in smart home (smart home), a vehicle-mounted terminal, an RSU with a terminal function, and the like. The terminal device of the present application may also be an on-board module, an on-board component, an on-board chip, or an on-board unit that is built in the vehicle as one or more components or units, and the vehicle may implement the communication method provided by the present application through the built-in on-board module, the on-board component, the on-board chip, or the on-board unit.

It should be noted that the scheme in the embodiment of the present application may also be applied to other communication systems, and the corresponding names may also be replaced with names of corresponding functions in other communication systems.

It should be appreciated that fig. 1 is a simplified schematic diagram of an example for ease of understanding only, and that other network devices, and/or other terminal devices, not shown in fig. 1, may also be included in the VPN communication system.

The following describes a communication method that can be implemented by the framework of VPN communication in fig. 1 with reference to fig. 2 to 4.

Example one

Exemplarily, fig. 2 is a schematic flowchart of a VPN terminal access method according to an embodiment of the present application. The VPN terminal access method may be applied to communication between a VPN center terminal and any VPN terminal two nodes shown in fig. 1.

As shown in fig. 2, the VPN terminal access method is applied to a VPN central terminal. The VPN terminal access method can comprise the following steps:

s201, receiving a registration application of a first VPN terminal; the registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device, and a first public network IP of the first VPN terminal, where the terminal device is connected to the first VPN terminal. In fig. 1, the terminal device is a first terminal device.

S202, acquiring a first key and a first security parameter index corresponding to the first key based on IPSec protocol and the first VPN terminal key negotiation.

S203, distributing the first local area network internal IP address for the terminal equipment.

Optionally, allocating a first local area network internal IP address to the terminal device includes the following steps: selecting an IP address from an IP address pool as a first local area network internal IP address; and deleting the IP address in the IP address pool.

S204, the first key, the first security parameter index, the first local area network internal IP address and the first public network IP are stored in an associated mode.

It should be noted that the first key, the first security parameter index, and the first local area network internal IP address are stored in association with each other at the VPN center and the first VPN terminal.

S205, sending the first local area network internal IP address to the first VPN terminal.

After step S205 is executed, the VPN terminal access method may further include the following steps: the VPN central end receives a data packet of a VPN terminal; the VPN central terminal acquires a security parameter index in the data packet; the VPN central terminal confirms that the security parameter index is the first security parameter index; based on the first secret key, the VPN central terminal decrypts the encrypted data in the data packet; and the VPN central terminal sends the decrypted data to the server.

The security parameter index is an unencrypted part in the data packet, and the security parameter index in the data packet can be obtained by the VPN central terminal without decryption.

It should be noted that, when it is confirmed that the security parameter index is not the first security parameter index and the other security parameter indexes already stored, the data packet may not be processed.

Further, after confirming that the security parameter index is the first security parameter index, the VPN terminal access method may further include the steps of: the VPN central end acquires a public network IP in the data packet; the VPN central terminal confirms that the public network IP is different from the first public network IP; and the VPN central terminal updates the first public network IP, namely the public network IP in the data packet is used as the first public network IP.

Optionally, the VPN terminal access method may further include the steps of: the VPN center end receives feedback data needing to be sent to the first VPN terminal from a server; the VPN central terminal encrypts the feedback data based on the first secret key; and based on the first public network IP, the VPN central terminal sends the encrypted feedback data to the first VPN terminal.

Optionally, the VPN terminal access method may further include the steps of: the VPN center end confirms that the data of the first VPN terminal are not received within a preset time period; and the VPN central terminal deletes the first key, the first security parameter index and the first public network IP. The preset time period may be a time period set manually, and this is not limited in this application.

Optionally, the VPN terminal access method may further include the steps of: the VPN central terminal receives an instruction for indicating to delete the first VPN terminal information; and the VPN central terminal deletes the first secret key, the first security parameter index and the first public network IP.

Referring to fig. 1, the first terminal device and the second terminal device are located in two different lans, which results in that the addresses of the lans originally allocated to the two terminal devices are 192.168.1.101, which may result in that the first terminal device and the second terminal device are not easily identified by the VPN central end. Based on the VPN terminal access method in this embodiment, the VPN central end may allocate different local area network internal addresses to the first terminal device and the second terminal device, where the local area network address allocated to the first terminal device is 10.1.2.57, and the local area network address allocated to the first terminal device is 10.1.2.60.

And after the local area network address is distributed, explaining the data flow of the first terminal equipment accessing the server.

The first terminal device sends a data packet to the first VPN terminal, and at this time, the source IP of the data packet is 192.168.1.101, and the destination IP is the IP address 192.168.0.100 of the server.

The first VPN terminal performs SNAT (Source NAT; source address modification) processing on the data packet and performs IPSec protocol encapsulation (i.e., encryption) to obtain a first ESP (encapsulating Security Payload) packet, where a Source IP of the first ESP packet includes a local area network address of 10.1.2.57 assigned to the first terminal device and an IP address 192.168.1.200 of the first VPN terminal, and a destination IP includes an IP address of 192.168.0.100 of the server and an IP address of 172.221.75.64 of the VPN central terminal.

Then, the first VPN terminal transmits the first ESP packet to the first public network router. The first public network router performs NAT processing on the first ESP packet, and at this time, the source IP of the processed first ESP packet is 172.221.6.88, and the destination IP is 172.221.75.64 of the VPN central end.

And then, the first public network router uploads the first ESP packet to the VPN center end, and the VPN center end decrypts the data based on the first secret key and delivers the decrypted data to the server. At this time, the source IP of the decrypted data is the local area network address 10.1.2.57 of the first terminal device, and the destination IP is the IP address 192.168.0.100 of the server. The VPN central side needs to check whether the first public network IP is changed at this stage, and if the first public network IP is different from the previously stored public network IP address, the first public network IP is updated.

The server processes the received decrypted data, and if a response is needed, the server sends feedback data to the VPN center end. At this time, the source IP of the feedback data is the IP address 192.168.0.100 of the server, and the destination IP is the local area network address 10.1.2.57 of the first terminal device.

And then, the VPN central terminal encapsulates the fed back data into a second ESP packet by using an IPSec protocol. At this time, the source IP of the second ESP packet is the IP address 172.221.75.64 of the VPN central end, and the destination IP is the first public network IP address 172.221.6.88.

Then, the VPN center sends a second ESP packet to the first public network router. And the first public network router performs NAT processing on the second ESP packet, wherein the source IP of the processed second ESP packet is the IP address 172.221.75.64 of the VPN center end, and the destination IP is the IP address 192.168.1.200 of the first VPN terminal.

And then, the first public network router sends the processed second ESP packet to the first VPN terminal. And the first VPN terminal decrypts based on the first secret key and converts the destination IP address of the decrypted feedback data according to the process of SNAT processing of the first ESP packet.

That is, the source IP of the processed feedback data is the IP address 192.168.0.100 of the server, the destination IP is the local area network address 10.1.2.57 allocated to the first terminal device, the destination IP needs to be converted, and the converted destination IP is 192.168.1.101. Because the feedback data at this time is converted into the same local area network address as the second terminal device in the local area network where the first terminal device is located, no conflict is caused.

And finally, the first terminal equipment receives the responded feedback data. At this time, the source IP of the feedback data is the IP address 192.168.0.100 of the server, and the destination IP is 192.168.1.101.

Based on the VPN terminal access method, the VPN center end distributes the internal address of the local area network to the terminal equipment under the VPN terminal, and then the VPN center end can distribute different internal addresses of the local area network to the terminal equipment in different local area networks, so that the problem that the VPN center end cannot identify the terminal equipment under the VPN terminal in different local area networks using NAT technology in the related technology can be solved, and the accuracy and the efficiency of information data transmission in a VPN tunnel are improved.

Example two

Exemplarily, fig. 3 is a schematic flowchart of a VPN terminal communication method according to an embodiment of the present application. The VPN terminal communication method can be applied to communication between a VPN center terminal and any VPN terminal two nodes shown in fig. 1.

As shown in fig. 3, the VPN terminal communication method is applied to a VPN center, where the VPN center is provided with a database, and the database stores a first key, a first security parameter index, a first local area network internal IP address, and a first public network IP in association with each other. The VPN terminal communication method may include the steps of:

s301, receiving a data packet of a VPN terminal.

S302, the security parameter index and the public network IP in the data packet are obtained.

S303, confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database.

S304, updating the first public network IP.

S305, decrypting the encrypted data in the data packet based on the first key.

S306, the decrypted data is sent to the server.

Optionally, the VPN terminal communication method may further include the steps of: the VPN center end receives feedback data from the server; the VPN central terminal confirms that the target IP of the feedback data is the IP address in the first local area network; based on the first secret key, the VPN central terminal encrypts the feedback data; and based on the first public network IP, the VPN central terminal sends the encrypted feedback data to the VPN terminal.

Optionally, the VPN terminal communication method may further include the steps of: the VPN center end receives a registration application of a first VPN terminal; the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address distribution request of terminal equipment and a first public network IP of the first VPN terminal, and the terminal equipment is connected with the first VPN terminal; the VPN center terminal negotiates with the first VPN terminal key based on an IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; the VPN central terminal distributes a first local area network internal IP address for the terminal equipment; the VPN central terminal stores the first key, the first security parameter index, the first local area network internal IP address and the first public network IP association in a database; and the VPN center end sends the internal IP address of the first local area network to the first VPN terminal.

Wherein, the allocating the first local area network internal IP address for the terminal device comprises the following steps: the VPN center end selects an IP address from the IP address pool as an internal IP address of the first local area network; and the VPN central end deletes the IP address in the IP address pool.

Optionally, the VPN terminal communication method may further include the steps of: the VPN center end receives feedback data needing to be sent to the first VPN terminal from a server; based on the first secret key, the VPN central terminal encrypts the feedback data; and based on the first public network IP, the VPN central terminal sends the encrypted feedback data to the first VPN terminal.

Optionally, the VPN terminal communication method may further include the steps of: the VPN center end receives feedback data needing to be sent to the first VPN terminal from a server; the VPN central terminal encrypts the feedback data based on the first secret key; and based on the first public network IP, the VPN central terminal sends the encrypted feedback data to the first VPN terminal.

Optionally, the VPN terminal communication method may further include the steps of: the VPN central terminal confirms that the data of the first VPN terminal are not received within a preset time period; and the VPN central terminal deletes the first key, the first security parameter index and the first public network IP. The preset time period may be a time period set manually, and this is not limited in this application.

Optionally, the VPN terminal communication method may further include the steps of: the VPN central terminal receives an instruction for indicating to delete the first VPN terminal information; and the VPN central terminal deletes the first key, the first security parameter index and the first public network IP.

Based on the VPN terminal communication method, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.

EXAMPLE III

Illustratively, with continued reference to fig. 1, the architecture of the VPN communication includes a VPN terminal access system. The VPN terminal access system comprises a first VPN terminal and a VPN center terminal.

The first VPN terminal is used for sending a registration application to the VPN center terminal. The registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device, and a first public network IP of the first VPN terminal, where the terminal device is connected to the first VPN terminal.

The VPN central side is based on the IPSec protocol for: negotiating with the first VPN terminal key to obtain a first key and a first security parameter index corresponding to the key; distributing a first local area network internal IP address for the terminal equipment, and storing the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in an associated manner; and sending the first local area network internal IP address to the first VPN terminal.

The first VPN terminal is further configured to allocate the first local area network internal IP address to the terminal device.

Optionally, the VPN central side is further configured to select an IP address from an IP address pool as a first local area network internal IP address, and delete the IP address from the IP address pool.

Optionally, the first VPN terminal is further configured to: encrypting data based on the first key to generate a data packet, and sending the data packet to the VPN central terminal; wherein, the data packet comprises a security parameter index. The VPN central end is further configured to: acquiring the security parameter index in the data packet; decrypting encrypted data in the data packet based on the first key after confirming that the security parameter index is the first security parameter index; and sending the decrypted data to the server.

Optionally, after confirming that the security parameter index is the first security parameter index, the VPN gateway further is configured to: acquiring a public network IP in the data packet; confirming that the public network IP is different from the first public network IP; and updating the first public network IP.

Optionally, the VPN central side is further configured to: receiving feedback data needing to be sent to the first VPN terminal from a server, and encrypting the feedback data based on the first secret key; and sending the encrypted feedback data to the first VPN terminal based on the first public network IP. The first VPN terminal is further configured to: decrypting the feedback data based on the first key.

Optionally, the VPN center is further configured to delete the first key, the first security parameter index, and the first public network IP after confirming that the data of the first VPN terminal is not received within a preset time period.

Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP after receiving an instruction for instructing to delete the first VPN terminal information.

A VPN terminal access method based on the VPN terminal access system in this embodiment may include the following steps: the first VPN terminal sends a registration application to the VPN center terminal; the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address allocation request of terminal equipment and a first public network IP of the first VPN terminal, and the terminal equipment is connected with the first VPN terminal; the VPN center terminal negotiates with the first VPN terminal key based on an IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; the VPN central terminal distributes a first local area network internal IP address for the terminal equipment, and stores the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in an associated mode; the VPN center end sends the first local area network internal IP address to the first VPN terminal; and the first VPN terminal distributes the internal IP address of the first local area network for the terminal equipment.

Optionally, the allocating, by the VPN central side, the first local area network internal IP address to the terminal device may include the following steps: and the VPN central terminal selects an IP address from the IP address pool as an internal IP address of the first local area network and deletes the IP address from the IP address pool.

Optionally, a VPN terminal access method based on the VPN terminal access system in this embodiment may further include the following steps: the first VPN terminal encrypts data based on the first secret key to generate a data packet and sends the data packet to the VPN central terminal; wherein, the data packet comprises a security parameter index; the VPN central terminal acquires the security parameter index in the data packet, and decrypts encrypted data in the data packet based on the first key after confirming that the security parameter index is the first security parameter index; and the VPN central terminal sends the decrypted data to a server.

Based on the VPN terminal access system, the VPN center end distributes the internal addresses of the local area network to the terminal devices under the VPN terminal, and then the VPN center end can distribute the internal addresses of different local area networks to the terminal devices in different local area networks, so that the problem that the terminal devices under the VPN terminals in different local area networks using the NAT technology cannot be identified by the VPN center end in the related technology can be solved, and the accuracy and the efficiency of information data transmission in a VPN tunnel are improved.

Example four

Illustratively, with continued reference to fig. 1, the framework of VPN communication comprises a VPN terminating communication system. The VPN terminal communication system includes a first VPN terminal and a VPN center terminal. The VPN central end is provided with a database, and the database is stored with a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated mode.

The first VPN terminal is configured to: encrypting data based on the first key to generate a data packet, and sending the data packet to the VPN central terminal; wherein, the data packet comprises a security parameter index.

The VPN central end is used for acquiring a security parameter index and a public network IP in the data packet, and updating the first public network IP after confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database; and decrypting the encrypted data in the data packet based on the first key, and sending the decrypted data to a server.

Optionally, the VPN central side is further configured to: receiving feedback data from the server; after the target IP of the feedback data is confirmed to be the IP address in the first local area network, encrypting the feedback data based on the first secret key; and sending the encrypted feedback data to the VPN terminal based on the first public network IP. The first VPN terminal is further configured to decrypt the feedback data based on the first key.

Optionally, the first VPN terminal is further configured to send a registration application to the VPN center terminal; the registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device, and a first public network IP of the first VPN terminal, where the terminal device is connected to the first VPN terminal.

The VPN center terminal is also used for negotiating with the first VPN terminal key based on an IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; distributing a first local area network internal IP address for the terminal equipment, and storing the first key, the first security parameter index, the first local area network internal IP address and the first public network IP association in a database; and sending the first local area network internal IP address to the first VPN terminal.

The first VPN terminal is further configured to allocate the first local area network internal IP address to the terminal device.

Optionally, the VPN central side is further configured to select an IP address from an IP address pool as a first local area network internal IP address, and delete the IP address from the IP address pool.

Optionally, the VPN central side is further configured to: receiving feedback data needing to be sent to the first VPN terminal from a server, and encrypting the feedback data based on the first secret key; and sending the encrypted feedback data to the first VPN terminal based on the first public network IP. The first VPN terminal is further configured to: decrypting the feedback data based on the first key.

Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP in the database after confirming that the data of the first VPN terminal is not received within a preset time period.

Optionally, the VPN central side is further configured to delete the first key, the first security parameter index, and the first public network IP in the database after receiving an instruction for instructing to delete the first VPN terminal information.

A VPN terminal communication method based on the VPN terminal communication system in this embodiment may include the following steps: the first VPN terminal encrypts data based on a preset first secret key to generate a data packet and sends the data packet to a VPN center end; wherein, the data packet comprises a security parameter index; the VPN central terminal acquires a security parameter index and a public network IP in the data packet, and updates the first public network IP in a database after confirming that the security parameter index is the first security parameter index in a preset database but the public network IP does not exist in the database; and the VPN central terminal decrypts the encrypted data in the data packet based on the first key corresponding to the first security parameter cable and sends the decrypted data to a server.

Optionally, a VPN terminal communication method based on the VPN terminal communication system in this embodiment may further include the following steps: the VPN center end receives feedback data from the server, and encrypts the feedback data based on the first key after confirming that a target IP of the feedback data is an internal IP address of a first local area network; the VPN central terminal sends the encrypted feedback data to the VPN terminal based on the first public network IP; and the first VPN terminal decrypts the feedback data based on the first secret key.

Optionally, a VPN terminal communication method based on the VPN terminal communication system in this embodiment may further include the following steps: the first VPN terminal sends a registration application to the VPN center terminal; the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address distribution request of terminal equipment and a first public network IP of the first VPN terminal, and the terminal equipment is connected with the first VPN terminal; the VPN center terminal negotiates with the first VPN terminal key based on an IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; the VPN central terminal distributes a first local area network internal IP address for the terminal equipment, and stores the first key, the first security parameter index, the first local area network internal IP address and the first public network IP association in a database; the VPN center end sends the first local area network internal IP address to the first VPN terminal; and the first VPN terminal distributes the internal IP address of the first local area network for the terminal equipment.

Based on the VPN terminal communication system, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the VPN tunnel established based on the IPSec protocol in the related technology is difficult to realize communication in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.

EXAMPLE five

Exemplarily, fig. 4 is a schematic flowchart of a VPN terminal communication method based on an IPSec protocol according to an embodiment of the present application. The VPN terminal communication method may be applied to communication between a VPN central end and any two VPN terminal nodes shown in fig. 1.

As shown in fig. 4, the VPN terminal access method is applied to a VPN center, where the VPN center presets a first key, a first security parameter index, a first local area network internal IP address, and a first public network IP, and stores the first key, the first security parameter index, the first local area network internal IP address, and the first public network IP in an associated manner. The VPN terminal communication method may include the steps of:

s401, receive a data packet of a first VPN terminal.

S402, obtaining the security parameter index and the public network IP in the data packet.

S403, confirming that the security parameter index is a preset first security parameter index but the public network IP is different from the preset first public network IP.

S404, updating the first public network IP.

S405, decrypting the encrypted data in the data packet based on a preset first key. Wherein the first key corresponds to the first security parameter index; the encrypted data comprises a second local area network internal IP address and first communication data communicated with second terminal equipment; the second terminal device is connected to the second VPN terminal.

S406, encrypting the first communication data based on a preset second secret key. Wherein the second key corresponds to the second local area network internal IP address.

S407, sending the encrypted first communication data to the second VPN terminal.

Optionally, the VPN terminal communication method may further include the following steps: receiving a feedback data packet of the second VPN terminal; acquiring a security parameter index and a public network IP in the feedback data packet; confirming that the security parameter index in the feedback data packet is a preset second security parameter index but the public network IP is different from a preset second public network IP; updating the second public network IP; decrypting the encrypted data in the feedback data packet based on the second key; the encrypted data in the feedback data packet comprises a first local area network internal IP address and second communication data communicated with the first terminal equipment; the first terminal equipment is connected to the first VPN terminal; encrypting the second communication data based on the first key; and sending the encrypted second communication data to the first VPN terminal.

Optionally, the VPN terminal communication method may further include the following steps: receiving registration applications of a first VPN terminal and a second VPN terminal; the registration application comprises a key negotiation request of the first VPN terminal and the second VPN terminal, a local area network internal IP address distribution request of the first terminal device and the second terminal device, a first public network IP of the first VPN terminal and a second public network IP of the second VPN terminal; acquiring a first key, a first security parameter index corresponding to the first key, a second key and a first security parameter index corresponding to the second key based on IPSec protocol and key agreement of the first VPN terminal and the second VPN terminal; correspondingly allocating a first local area network internal IP address and a second local area network internal IP address to the first terminal equipment and the second terminal equipment; storing the first key, the first security parameter index, the first local area network internal IP address and the first public network IP, and the second key, the second security parameter index, the second local area network internal IP address and the second public network IP in an associated manner; and correspondingly sending the first local area network internal IP address and the second local area network internal IP address to the first VPN terminal and the second VPN terminal.

Optionally, the allocating a first local area network internal IP address and a second local area network internal IP address to the first terminal device and the second terminal device correspondingly may include the following steps: selecting two IP addresses from the IP address pool as a first local area network internal IP address and a second local area network internal IP address respectively; deleting two of the IP addresses in the IP address pool.

Optionally, the VPN terminal communication method may further include the following steps: confirming that the data of the first VPN terminal is not received within a preset time period; and deleting the first key, the first security parameter index and the first public network IP.

Optionally, the VPN terminal communication method may further include the following steps: confirming that the data of the second VPN terminal is not received within a preset time period; and deleting the second key, the second security parameter index and the second public network IP.

Optionally, the VPN terminal communication method may further include the following steps: receiving an instruction for indicating to delete the first VPN terminal information; and deleting the first key, the first security parameter index and the first public network IP.

Optionally, the VPN terminal communication method may further include the following steps: receiving an instruction for instructing to delete the second VPN terminal information; and deleting the second key, the second security parameter index and the second public network IP.

Based on the VPN terminal communication method, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.

EXAMPLE six

Illustratively, continuing to refer to fig. 1, the framework of VPN communication includes an IPSec protocol based end-point communication system. The VPN terminal communication system includes a first VPN terminal, a second VPN terminal, and a VPN center terminal. The VPN central end is provided with a database, and the database is stored with a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated manner, and is stored with a second key, a second security parameter index, a second local area network internal IP address and a second public network IP in an associated manner.

The first VPN terminal is configured to: encrypting data based on the first key to generate a data packet, and sending the data packet to the VPN central terminal; wherein, the data packet comprises a first security parameter index; the data includes the second local area network internal IP address and first communication data communicated with a second terminal device, and the second terminal device is connected to a second VPN terminal.

The VPN central end is used for: acquiring a first security parameter index and a public network IP in the data packet, and updating the first public network IP when the public network IP is confirmed to be different from a preset first public network IP; decrypting encrypted data in the data packet based on the first key; encrypting the first communication data based on the second key; and sending the encrypted first communication data to the second VPN terminal.

The second VPN terminal is configured to: decrypting the encrypted first communication data based on the second key.

Optionally, the second VPN terminal is further configured to: encrypting a first local area network internal IP address and second communication data communicated with the first terminal device based on the second key to generate a feedback data packet; and sending the feedback data packet to the VPN central terminal. The feedback data packet includes the second security parameter index, and the first terminal device is connected to the first VPN terminal.

The VPN central end is further configured to: acquiring the second security parameter index and the public network IP in the feedback data packet; when the public network IP is confirmed to be different from a preset second public network IP, updating the second public network IP; decrypting the feedback data packet based on the second key to obtain the first local area network internal IP address and the second communication data; encrypting the second communication data based on the first key; and sending the encrypted second communication data to the first VPN terminal.

The first VPN terminal is further configured to: decrypting the encrypted second communication data based on the first key.

Optionally, the first VPN terminal and the second VPN terminal are further configured to send a registration application to the VPN center terminal; the registration application includes a key agreement request of the first VPN terminal and the second VPN terminal, a local area network internal IP address allocation request of the first terminal device and the second terminal device, a first public network IP of the first VPN terminal, and a second public network IP of the second VPN terminal.

The VPN central side is further configured to: acquiring a first key, a first security parameter index corresponding to the first key, a second key and a first security parameter index corresponding to the second key based on IPSec protocol and key agreement of the first VPN terminal and the second VPN terminal; correspondingly allocating a first local area network internal IP address and a second local area network internal IP address to the first terminal equipment and the second terminal equipment; storing the first key, the first security parameter index, the first local area network internal IP address and the first public network IP, and the second key, the second security parameter index, the second local area network internal IP address and the second public network IP association in the database.

The VPN central side is further configured to: and correspondingly sending the first local area network internal IP address and the second local area network internal IP address to the first VPN terminal and the second VPN terminal.

The first VPN terminal is further configured to allocate the first local area network internal IP address to the first terminal device.

The second VPN terminal is further configured to allocate the second local area network internal IP address to the second terminal device.

Optionally, the VPN central side is further configured to select an IP address from an IP address pool as a first local area network internal IP address, and delete the IP address from the IP address pool.

Optionally, the VPN central end is further configured to select an IP address from an IP address pool as an internal IP address of the second local area network, and delete the IP address from the IP address pool.

Optionally, the VPN center is further configured to delete the first key, the first security parameter index, and the first public network IP when it is determined that the data of the first VPN terminal is not received within a preset time period.

Optionally, the VPN central end is further configured to delete the second key, the second security parameter index, and the second public network IP when it is confirmed that the data of the second VPN terminal is not received within a preset time period.

Optionally, the VPN center is further configured to delete the first key, the first security parameter index, and the first public network IP when receiving an instruction for instructing to delete the first VPN terminal information.

Optionally, the VPN central end is further configured to delete the second key, the second security parameter index, and the second public network IP when receiving an instruction for instructing to delete the second VPN terminal information.

A VPN terminal communication method based on the VPN terminal communication system in this embodiment may include the following steps: the first VPN terminal encrypts data based on a preset first secret key to generate a data packet and sends the data packet to a VPN center end; wherein, the data packet comprises a first security parameter index; the data comprises a second local area network internal IP address and first communication data communicated with second terminal equipment, and the second terminal equipment is connected to a second VPN terminal; the VPN central terminal acquires a first security parameter index and a public network IP in the data packet, and updates the first public network IP in a database after confirming that the first security parameter index exists in a preset database but the public network IP does not exist in the database; the VPN central terminal decrypts encrypted data in the data packet based on a first key corresponding to the first security parameter; the VPN central terminal encrypts the first communication data based on a second key corresponding to the database and the internal IP address of the second local area network; the VPN center end sends the encrypted first communication data to the second VPN terminal; and the second VPN terminal decrypts the encrypted first communication data based on the second secret key.

Based on the VPN terminal communication system, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the VPN tunnel established based on the IPSec protocol in the related technology is difficult to realize communication in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.

The VPN communication method provided by the embodiment of the present application is described in detail above with reference to fig. 2 to 4. The following describes in detail a VPN central side for executing the VPN terminal communication method according to the embodiment of the present application with reference to fig. 5 to 6.

Exemplarily, fig. 5 is a first structural diagram of a VPN central end according to an embodiment of the present application. As shown in fig. 5, the VPN central end 500 includes: a processing module 501, a transceiver module 502 and a storage module (not shown in fig. 5). The storage module stores a database, and the database stores a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated manner. For ease of illustration, fig. 5 shows only the main components of the VPN central side.

The transceiver module 502 is configured to receive a data packet of the VPN terminal.

The processing module 501 is configured to obtain a security parameter index and a public network IP in the data packet, and confirm that the security parameter index is the first security parameter index but the public network IP does not exist in the database.

The processing module 501 is further configured to update the first public network IP, and decrypt encrypted data in the data packet based on the first key.

The transceiver module 502 is further configured to send the decrypted data to the server.

Optionally, the transceiver module 502 is further configured to receive feedback data from the server.

The processing module 501 is further configured to confirm that the target IP of the feedback data is the first local area network internal IP address, and encrypt the feedback data based on the first key.

The transceiver module 502 is further configured to send the encrypted feedback data to the VPN terminal based on the first public network IP.

Optionally, the transceiver module 502 may include a receiving module and a transmitting module. The transceiver module 502 is used to implement the sending function and the receiving function of the VPN center 500.

Optionally, the VPN hub end 500 may further include a storage module (not shown in fig. 5) that stores programs or instructions. When the processing module 501 executes the program or the instructions, the VPN center terminal 500 is enabled to execute the VPN terminal communication method illustrated in fig. 2.

It should be understood that the processing module 501 involved in the VPN center terminal 500 may be implemented by a processor or a processor-related circuit component, and may be a processor or a processing unit; the transceiver module 502 may be implemented by a transceiver or transceiver-related circuit component, and may be a transceiver or transceiver unit.

It should be noted that the VPN central side 500 may be a network device, a chip (system) or other component or assembly that can be disposed in the network device, or a device including a terminal device or a network device, which is not limited in this application.

In addition, the technical effect of the VPN central terminal 500 may refer to the technical effect of the VPN terminal communication method shown in fig. 2, and is not described herein again.

Exemplarily, fig. 6 is a schematic structural diagram two of the VPN central end according to the embodiment of the present application. The VPN central end may be a network device, or may be a chip (system) or other component or assembly that may be disposed on the network device. As shown in fig. 6, the VPN central side 600 may comprise a processor 601. Optionally, the VPN hub end 600 may further comprise a memory 602 and/or a transceiver 603. Wherein the processor 601 is coupled to the memory 602 and the transceiver 603, such as may be connected via a communication bus.

The following describes each constituent element of the VPN central side 600 in detail with reference to fig. 6:

the processor 601 is a control center of the VPN central side 600, and may be a single processor or a collective name of multiple processing elements. For example, the processor 601 is one or more Central Processing Units (CPUs), or may be an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, such as: one or more microprocessors (digital signal processors), or one or more Field Programmable Gate Arrays (FPGAs).

Alternatively, the processor 601 may perform various functions of the VPN hub end 600 by running or executing software programs stored in the memory 602 and invoking data stored in the memory 602.

In particular implementations, processor 601 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 6, as one embodiment.

In a specific implementation, the VPN hub 600 may also include a plurality of processors, such as the processor 601 and the processor 604 shown in fig. 2, as an embodiment. Each of these processors may be a single-Core Processor (CPU) or a multi-Core Processor (CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).

The memory 602 is configured to store a software program for executing the scheme of the present application, and the processor 601 controls the execution of the software program.

Alternatively, the memory 602 may be a read-only memory (ROM) or other type of static storage device that may store static information and instructions, a Random Access Memory (RAM) or other type of dynamic storage device that may store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disk storage, optical disk storage (including compact disc, laser disc, optical disc, digital versatile disc, blu-ray disc, etc.), magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 602 may be integrated with the processor 601, or may be separate and coupled to the processor 601 through an interface circuit (not shown in fig. 6) of the VPN hub 600, which is not specifically limited in this embodiment of the present application.

A transceiver 603 for communication with other VPN hubs. For example, the VPN hub end 600 is a terminal device, and the transceiver 603 may be used to communicate with a network device or another terminal device. As another example, the VPN central side 600 is a network device, and the transceiver 603 may be used to communicate with a terminal device or another network device.

Optionally, the transceiver 603 may include a receiver and a transmitter (not separately shown in fig. 6). Wherein the receiver is configured to perform a receiving function and the transmitter is configured to perform a transmitting function.

Alternatively, the transceiver 603 may be integrated with the processor 601, or may exist independently, and is coupled to the processor 601 through an interface circuit (not shown in fig. 6) of the VPN hub 600, which is not specifically limited in this embodiment of the present application.

It should be noted that the structure of the VPN center end 600 shown in fig. 6 does not constitute a limitation to the VPN center end, and an actual VPN center end may include more or less components than those shown, or combine some components, or arrange different components.

In addition, the technical effect of the VPN central end 600 may refer to the technical effect of the VPN terminal communication method described in the foregoing method embodiment, and details are not described here.

An embodiment of the present application further provides a chip system, including: a processor coupled to a memory for storing a program or instructions that, when executed by the processor, cause the system-on-chip to implement the method of any of the above method embodiments.

Optionally, the system on a chip may have one or more processors. The processor may be implemented by hardware or by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.

Optionally, the memory in the system-on-chip may also be one or more. The memory may be integrated with the processor or may be separate from the processor, which is not limited in this application. For example, the memory may be a non-transitory processor, such as a read only memory ROM, which may be integrated with the processor on the same chip or separately disposed on different chips, and the type of the memory and the arrangement of the memory and the processor are not particularly limited in this application.

The system-on-chip may be, for example, a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Microcontroller (MCU), a Programmable Logic Device (PLD), or other integrated chips.

It should be understood that the processor in the embodiments of the present application may be a Central Processing Unit (CPU), and the processor may also be other general purpose processors, digital Signal Processors (DSPs), application Specific Integrated Circuits (ASICs), field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.

It will also be appreciated that the memory in the embodiments of the subject application can be either volatile memory or nonvolatile memory, or can include both volatile and nonvolatile memory. The non-volatile memory may be a read-only memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable PROM (EEPROM), or a flash memory. Volatile memory can be Random Access Memory (RAM), which acts as external cache memory. By way of example, but not limitation, many forms of Random Access Memory (RAM) are available, such as Static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct bus RAM (DRRAM).

The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions or computer programs. The procedures or functions according to the embodiments of the present application are wholly or partially generated when the computer instructions or the computer program are loaded or executed on a computer. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored on a computer readable storage medium or transmitted from one computer readable storage medium to another computer readable storage medium, for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer or a data storage device, such as a server, data center, etc., that contains one or more collections of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.

It should be understood that the term "and/or" herein is merely one type of association relationship that describes an associated object, meaning that three relationships may exist, e.g., a and/or B may mean: a exists alone, A and B exist simultaneously, and B exists alone, wherein A and B can be singular or plural. In addition, the "/" in this document generally indicates that the former and latter associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, which may be understood with particular reference to the former and latter text.

In the present application, "at least one" means one or more, "a plurality" means two or more. "at least one of the following" or similar expressions refer to any combination of these items, including any combination of the singular or plural items. For example, at least one (one) of a, b, or c, may represent: a, b, c, a-b, a-c, b-c, or a-b-c, wherein a, b, c may be single or multiple.

It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.

Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.

It can be clearly understood by those skilled in the art that, for convenience and simplicity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.

In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.

The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.

In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.

The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application or portions thereof that substantially contribute to the prior art may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a portable hard disk, a read-only memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other various media capable of storing program codes.

The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A VPN terminal communication method is characterized in that the method is applied to a VPN center end, the VPN center end is provided with a database, and the database is stored with a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated mode; the VPN terminal communication method comprises the following steps:

receiving a data packet of a VPN terminal;

acquiring a security parameter index and a public network IP in the data packet;

confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database;

updating the first public network IP;

decrypting encrypted data in the data packet based on the first key;

and sending the decrypted data to the server.

2. The VPN terminal communication method according to claim 1, further comprising:

receiving feedback data from the server;

confirming that the target IP of the feedback data is the internal IP address of the first local area network;

encrypting the feedback data based on the first key;

and sending the encrypted feedback data to the VPN terminal based on the first public network IP.

3. The VPN terminal communication method according to claim 1, further comprising:

receiving a registration application of a first VPN terminal; the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address allocation request of terminal equipment and a first public network IP of the first VPN terminal, and the terminal equipment is connected with the first VPN terminal;

acquiring a first key and a first security parameter index corresponding to the key based on IPSec protocol and the key negotiation of the first VPN terminal;

allocating a first local area network internal IP address for the terminal equipment;

storing the first key, the first security parameter index, the first local area network internal IP address and the first public network IP association in a database;

and sending the first local area network internal IP address to the first VPN terminal.

4. The VPN terminal communication method according to claim 3, wherein said assigning a first local area network internal IP address to said terminal device comprises:

selecting an IP address from the IP address pool as a first local area network internal IP address;

and deleting the IP address in the IP address pool.

5. The VPN terminal communication method according to any one of claims 1 to 4, further comprising:

receiving feedback data to be sent to the first VPN terminal from a server;

encrypting the feedback data based on the first key;

and sending the encrypted feedback data to the first VPN terminal based on the first public network IP.

6. The VPN terminal communication method according to claim 5, further comprising:

confirming that the data of the first VPN terminal is not received within a preset time period;

and deleting the first key, the first security parameter index and the first public network IP.

7. The VPN terminal communication method according to claim 5, further comprising:

receiving an instruction for indicating to delete the first VPN terminal information;

and deleting the first key, the first security parameter index and the first public network IP.

8. A VPN center end is characterized by comprising a transceiver module, a processing module and a storage module; wherein,

the storage module stores a database, and the database stores a first key, a first security parameter index, a first local area network internal IP address and a first public network IP in an associated manner;

the receiving and sending module is used for receiving a data packet of a VPN terminal;

the processing module is used for acquiring a security parameter index and a public network IP in the data packet, and confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database;

the processing module is further configured to update the first public network IP, and decrypt encrypted data in the data packet based on the first key;

the transceiver module is also used for sending the decrypted data to the server.

9. The VPN hub of claim 8,

the transceiver module is further configured to receive feedback data from the server;

the processing module is further configured to confirm that a target IP of the feedback data is an internal IP address of the first local area network, and encrypt the feedback data based on the first key;

the transceiver module is further configured to send the encrypted feedback data to the VPN terminal based on the first public network IP.

10. A computer-readable storage medium, characterized in that the computer-readable storage medium comprises a computer program or instructions which, when run on a computer, cause the computer to perform the VPN terminal communication method according to any one of claims 1-7.

Images