CN116801239A - Point-to-point virtual communication method and system based on the SM4 cryptographic algorithm - Google Patents

Info

Publication number
CN116801239A
Authority
CN
China
Prior art keywords
network
tunnel
virtual
local area
local
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202311062148.3A
Other languages
Chinese (zh)
Other versions
CN116801239B (en)
Inventor
王日宁
郭光明
李金安
赵国锋
王进帅
孟子健
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Information and Telecommunication Co Ltd
Original Assignee
State Grid Information and Telecommunication Co Ltd

Classifications

    • H04W 12/03: Protecting confidentiality, e.g. by encryption (H: Electricity; H04: Electric communication technique; H04W: Wireless communication networks; H04W 12/00: Security arrangements, authentication, protecting privacy or anonymity)
    • H04W 28/065: Optimizing the usage of the radio link using assembly or disassembly of packets (H04W 28/00: Network traffic management, network resource management; H04W 28/02: Traffic management, e.g. flow control or congestion control; H04W 28/06: Optimizing the usage of the radio link, e.g. header compression, information sizing, discarding information)
    • H04W 76/12: Setup of transport tunnels (H04W 76/00: Connection management; H04W 76/10: Connection setup)
    • Y02D 30/70: Reducing energy consumption in wireless communication networks (Y: General tagging of new technological developments and of cross-sectional technologies spanning several sections of the IPC; Y02: Technologies or applications for mitigation or adaptation against climate change; Y02D: Climate change mitigation technologies in information and communication technologies, i.e. ICT aiming at the reduction of their own energy use; Y02D 30/00: Reducing energy consumption in communication networks)

Abstract

The application provides a point-to-point virtual communication method and system based on the SM4 national cryptographic algorithm, belonging to the technical field of power system data communication. Local network information is configured on the local 5G CPE terminal and stored in a network configuration file; the local network parameters are read from the configuration file and parsed; a virtual tunnel network interface is created; a routing policy is configured on the local 5G CPE terminal; once the routing policy is in place, the virtual tunnel network interface re-encapsulates the power service packets destined for the peer local area network; after encapsulation, a virtual private network tunnel is opened which, by riding on the public network, hides the local area network addresses, so that the local and peer local area networks form a private communication channel. The application needs no intermediate gateway or intermediate server to forward packets to the peer local area network; instead it establishes a direct point-to-point connection between the local area networks, so that a fault in intermediate equipment cannot affect the individual local area networks.

Description

Point-to-point virtual communication method and system based on the SM4 cryptographic algorithm
Technical Field
The application belongs to the technical field of power system data communication, and in particular relates to a point-to-point virtual communication method and system based on the Chinese SM4 national cryptographic algorithm.
Background
With the continuing construction of the new-type power system, massive numbers of power terminal devices are connected into every link of grid production, sensing and measuring the operating state of the grid in real time. The power service data sensed by a terminal is carried over the power communication network to the master station and exchanged with it, so as to ensure the safe and stable operation of the grid. In this process the power service data passes in turn through the terminal, the access network, the bearer network and the core network, and finally reaches the master station of the municipal power company. The terminal and the master station belong to different local area networks, so data must be transmitted and exchanged between local area networks in different regions.
Secondly, the power communication network carries a huge volume of power service data that is critical to the safety of the grid, and during transmission this data faces the risks of network intrusion, data tampering and information leakage at any time. Therefore, when data is transmitted across local area networks, measures must be taken to prevent network attacks and information leakage and to ensure the security and privacy of the power service.
For the above two purposes, the current solutions are: first, laying a wired private network between the local area networks, so that the two local area networks establish a physical link over the private network for data transmission and protection; second, using IPsec- or SSL-mode VPN technology to establish a logical channel between the local area networks over existing public network resources, forming a point-to-point virtual private network in which users of the different local area networks are logically on the same network, with mutual communication, data isolation and encryption.
Scheme 1: wired private network. Its drawbacks are: for two local area networks far apart, laying optical cable takes a long time, every newly added local area network needs a new line, and the laying cost is high; the areas crossed between local area networks are sometimes complex, making construction difficult; and after construction the laid cable must be protected against damage from insects and ants, so overhaul and maintenance costs are high.
Scheme 2: IPsec- or SSL-mode VPN. Its drawbacks are: first, the IPsec and SSL VPN protocols are complex. To build a virtual private network between two local area networks, a dedicated VPN gateway must be deployed at each site; a local area network sends its data to the gateway, the gateways exchange the data, and the gateway delivers it to the peer local area network. Such a gateway is typically connected to several local area networks, so a fault in the gateway affects all of them. Second, when IPsec or SSL VPN builds a point-to-point virtual private network, more than ten items such as the SA type, DPD enabling, ESP algorithm, gateway public IP address and IKE version must be configured on the CPE equipment at both ends, together with identity verification certificates that must be renewed regularly, which greatly increases the complexity of use and maintenance. Third, VPN technology generally encrypts data with foreign algorithms such as AES and DES; this dependence on foreign algorithm technology poses a certain threat to grid security.
Disclosure of Invention
The application provides a point-to-point virtual communication method based on the SM4 national cryptographic algorithm, which establishes a direct tunnel between local area networks, dispenses with intermediate equipment such as intermediate gateways and central servers, and so eliminates the effect of faults in intermediate equipment on the local area networks.
The point-to-point virtual communication method based on the SM4 cryptographic algorithm comprises the following steps:
S1: configuring local network information on the 5G CPE terminal of the local area network and storing it in a network configuration file;
S2: reading the local network parameters from the network configuration file, parsing them, initializing the communication protocol and creating a communication process;
S3: creating a virtual tunnel network interface according to a preset local tunnel IP address, and assigning the local tunnel IP address to the virtual tunnel network interface;
S4: if the virtual tunnel network interface is created successfully, configuring a routing policy on the 5G CPE terminal of the local area network;
S5: once the routing policy is configured, the virtual tunnel network interface re-encapsulates the power service packets destined for the peer local area network;
S6: after encapsulation, a virtual private network tunnel is opened which, by riding on the public network, hides the local area network addresses, so that the local and peer local area networks form a private communication channel.
It should be further noted that the local network information configured in step S1 includes the local tunnel IP address, the public IP addresses of the local and peer ends, and the IP information of the peer local area network.
It should be further noted that step S2 reads the local network parameters through a protocol script called by the netifd process.
It should be further noted that the routing policy in step S4 includes: matching the packets destined for the peer local area network;
setting the next-hop address to the IP address of the tunnel network interface, and setting the next-hop device to the tunnel network interface.
It should be further noted that, if creation of the virtual tunnel network interface fails, the network configuration file is loaded and its contents are checked for errors;
if there is an error, the network configuration of the 5G CPE terminal of the local area network is refreshed in real time by the protocol configuration script and the original network configuration file is updated.
It should be further noted that the encapsulation in step S5 consists of prepending a new IP header to the original IP packet, with the destination address of the new header set to the peer public IP address and its source address set to the local public IP address.
In the method, before the local area network sends data to the peer local area network, the SM4 algorithm is invoked at the tunnel interface of the virtual private network to encrypt the data sent through the tunnel network interface;
after receiving the data, the peer local area network decrypts it with the preset SM4 algorithm.
The application also provides a point-to-point virtual communication system based on SM4, comprising a local 5G CPE terminal and a peer 5G CPE terminal;
the local 5G CPE terminal configures the local network information and stores it in a network configuration file;
on a communication start instruction, the local 5G CPE terminal reads the local network parameters from the network configuration file, parses them, initializes the communication protocol and creates a communication process; it creates a virtual tunnel network interface according to a preset local tunnel IP address and assigns that address to the interface;
once the virtual tunnel network interface is created, it configures a routing policy; the virtual tunnel network interface re-encapsulates the power service packets to be sent;
after encapsulation, a virtual private network tunnel is opened which, by riding on the public network, hides the local area network addresses, so that the local and peer 5G CPE terminals form a private communication channel.
It should be further noted that the local 5G CPE terminal and the peer 5G CPE terminal are each configured with the SM4 national cryptographic algorithm.
From the above technical scheme, the application has the following advantages:
The point-to-point virtual communication method based on SM4 re-encapsulates the power service packets of the local area network, opens a point-to-point tunnel for grid services over the public network, and so builds a point-to-point virtual private network for grid services, saving the cost of deploying a wired private network.
The method needs no intermediate gateway or intermediate server to forward packets to the peer local area network; it establishes a direct point-to-point connection between local area networks, which saves the cost of the intermediate gateway or central server and removes the effect of a fault in intermediate equipment on each local area network.
In implementation, a routing policy is configured on the 5G CPE terminal of the local area network and the power service packets destined for the peer local area network are re-encapsulated; only four items of IP information need to be configured, namely the IP address of the local tunnel interface, the public IP addresses of the local and peer ends, and the IP information of the peer local area network, which greatly simplifies configuration and makes the system simple to operate and convenient to use.
The application also encrypts the communication data at the tunnel interface with the SM4 national cryptographic algorithm, replacing conventional foreign algorithms such as AES and DES and strengthening the autonomy and controllability of grid network security.
Drawings
In order to more clearly illustrate the technical solutions of the present application, the drawings that are needed in the description will be briefly introduced below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings can be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of the point-to-point virtual communication system based on SM4;
Fig. 2 is a flowchart of the point-to-point virtual communication method based on SM4.
Detailed Description
As shown in Fig. 1, the architecture of the point-to-point virtual communication system based on SM4 provided by the application may comprise a local 5G CPE terminal, a peer 5G CPE terminal and a network. The network is the medium providing the communication link between the two terminals and may comprise various connection types, such as wired or wireless communication links or optical fibre; it includes, without limitation, the internet, a wide area network, a metropolitan area network, a local area network, a virtual private network (Virtual Private Network, VPN) and the like.
It should be understood that the numbers of local and peer 5G CPE terminals in Fig. 1 are merely illustrative; there may be any number of each as the implementation requires, and where an end is a server it may equally be a cluster of several servers.
The local and peer 5G CPE terminals are intended to represent various forms of digital computer, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes and other appropriate computers. The electronic device may also represent various forms of mobile device, such as personal digital assistants, cellular telephones, smartphones, wearable devices and other similar computing devices. The components shown here, their connections and relationships, and their functions are meant to be exemplary only and do not limit the implementations of the embodiments described and/or claimed in this application.
It should be noted that each of the local and peer 5G CPE terminals may include a central processing unit (CPU) that performs various appropriate actions and processes according to a program stored in a read-only memory (ROM) or loaded from a storage section into a random access memory (RAM), and a communication section including a network interface card such as a LAN (Local Area Network) card or a modem. The communication section performs communication processing over a network such as the internet.
Hereinafter, various embodiments of the present disclosure will be more fully described. The present disclosure is capable of various embodiments and of modifications and variations therein. However, it should be understood that: there is no intention to limit the various embodiments of the disclosure to the specific embodiments disclosed herein, but rather the disclosure is to be interpreted to cover all modifications, equivalents, and/or alternatives falling within the spirit and scope of the various embodiments of the disclosure.
Hereinafter, the terms "comprises" or "comprising" as used in the various embodiments of the present disclosure indicate the presence of the disclosed functions, operations or elements and do not preclude the addition of one or more further functions, operations or elements. Furthermore, as used in the various embodiments of the present disclosure, the terms "comprises", "comprising" and their cognates refer to a particular feature, number, step, operation, element, component or combination thereof, and are not to be interpreted as excluding the presence or addition of one or more other features, numbers, steps, operations, elements, components or combinations thereof.
The terminology used in the various embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the various embodiments of the disclosure. As used herein, the singular is intended to include the plural as well, unless the context clearly indicates otherwise. Unless otherwise defined, all terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which various embodiments of this disclosure belong. The terms (such as those defined in commonly used dictionaries) will be interpreted as having a meaning that is the same as the context of the relevant art and will not be interpreted in an idealized or overly formal sense unless expressly so defined herein in the various embodiments of the disclosure.
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Referring to Fig. 2, a flowchart of the point-to-point virtual communication method based on SM4 in one embodiment, the method comprises:
S1: configuring local network information on the 5G CPE terminal of the local area network and storing it in a network configuration file.
In an exemplary embodiment, the 5G CPE terminal is customer premise equipment (CPE), and the local network information is configured on it. The local network information can be preconfigured in the 5G CPE terminal and updated as needed to meet the communication requirements.
The local network information may include: the local tunnel IP address, the public IP addresses of the local and peer ends, the IP information of the peer local area network and the like, all stored in the network configuration file.
S2: reading the local network parameters from the network configuration file, parsing them, initializing the communication protocol and creating a communication process.
By way of example, the network parameters can be read through a protocol script called by the netifd process: the script reads, parses and dumps in the required format the local tunnel IP address, the public IP addresses of the local and peer ends and the peer local area network IP information, thereby completing protocol initialization, and then creates the communication process, which may be a VPN process. Through this VPN process a virtual network is created between the local and peer 5G CPE terminals, providing a secure (encrypted) data transmission tunnel service between them.
Alternatively, the protocol script called by the netifd process may reach the kernel API through netlink events. The protocol scripts called by netifd may take the following forms:
a. /lib/network/*.sh;
b. /sbin/ifup;
c. /etc/hotplug.d/ scripts.
netifd remains compatible with the existing /etc/config/network format.
S3: creating a virtual tunnel network interface according to a preset local tunnel IP address, and assigning the local tunnel IP address to the virtual tunnel network interface;
S4: if the virtual tunnel network interface is created successfully, configuring a routing policy on the 5G CPE terminal of the local area network;
Specifically, if the tunnel network interface is created successfully, a routing policy is configured on the 5G CPE terminal of the local area network. The routing policy is: for packets destined for the peer 5G CPE terminal, the next-hop address is the IP address of the tunnel network interface and the next-hop device is the tunnel network interface. If creation of the tunnel network interface fails because the network configuration file is wrong, the protocol script refreshes the network configuration of the local CPE in real time.
S5: once the routing policy is configured, the virtual tunnel network interface re-encapsulates the power service packets destined for the peer local area network;
It will be appreciated that, once the routing policy has been set, the virtual tunnel network interface re-encapsulates the power service packets destined for the peer local area network. The encapsulation prepends a further IP header to the original IP packet; the destination address of the new header is set to the peer public IP address and its source address to the local public IP address.
S6: after encapsulation, a virtual private network tunnel is opened which, by riding on the public network, hides the local area network addresses, so that the local and peer local area networks form a private communication channel.
In this embodiment, the packets exchanged between the local area networks at the two ends would otherwise be transmitted in plaintext, which does not meet the grid's data security requirements and is exposed to network attack and information leakage. Therefore, to secure the communication, the SM4 algorithm is invoked at the tunnel interface to encrypt the data sent through the tunnel network interface.
That is, before the local area network sends data to the peer local area network, the SM4 algorithm is invoked at the tunnel interface of the virtual private network to encrypt the data sent through the tunnel network interface; after receiving the data, the peer local area network decrypts it with the preset SM4 algorithm, so that transmission is encrypted and decryption takes place on receipt.
Both the local and the peer 5G CPE terminal are preset with the SM4 algorithm and perform encryption and decryption with it.
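The following is an added example, not code from the patent or from State Grid, that carries steps S5 and S6 through in Python: a pure-Python SM4 block cipher (checked against the published test vector), the re-encapsulation of an inner packet under an outer IPv4 header whose source and destination are the two public addresses, and the receiver-side decapsulation. The description says only that both CPE terminals are preset with SM4 and that the tunnel interface encrypts before sending; it names no mode of operation, no key provisioning and no integrity check. This example therefore assumes a pre-shared 128-bit SM4 key and a separate pre-shared MAC key on both terminals, SM4 in CTR mode with a fresh 12-byte random nonce per packet, and an encrypt-then-MAC tag (HMAC-SHA256 truncated to 16 bytes, chosen because the standard library provides it; a design staying within the national algorithms would use HMAC-SM3 or SM4-GCM instead). The outer protocol number 253 (an IANA experimental value) is likewise an assumption, since once the inner packet is encrypted the payload is no longer plain IP-in-IP. The inner packet and its addresses are constructed.

```python
"""IP-in-IP encapsulation with the inner packet encrypted by SM4 (added example)."""
import hashlib, hmac, ipaddress, os, struct

# SM4 block cipher (GB/T 32907-2016) in pure Python: S-box, system parameter FK, constants CK.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa44132649860699"
    "9c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d35"
    "1e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e3"
    "1df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b0"
    "8969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = [sum(((4 * i + j) * 7 & 0xFF) << (24 - 8 * j) for j in range(4)) for i in range(32)]

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def _tau(a):  # byte-wise S-box substitution of one 32-bit word
    return int.from_bytes(bytes(SBOX[b] for b in a.to_bytes(4, "big")), "big")

def _t(a):  # round transform T: linear layer L over tau
    b = _tau(a)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)

def _t_key(a):  # key-schedule transform T': linear layer L' over tau
    b = _tau(a)
    return b ^ _rotl(b, 13) ^ _rotl(b, 23)

def sm4_round_keys(key):
    k = [w ^ f for w, f in zip(struct.unpack(">4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i]))
    return k[4:]

def _sm4_block(rks, block):
    x = list(struct.unpack(">4I", block))
    for rk in rks:
        x.append(x[0] ^ _t(x[1] ^ x[2] ^ x[3] ^ rk))
        del x[0]
    return struct.pack(">4I", *reversed(x))

def sm4_encrypt_block(key, block):
    return _sm4_block(sm4_round_keys(key), block)

def sm4_decrypt_block(key, block):  # decryption = same rounds with reversed round keys
    return _sm4_block(sm4_round_keys(key)[::-1], block)

def sm4_ctr(key, nonce12, data):
    """CTR mode: keystream block i = SM4(nonce || i); the same call encrypts and decrypts."""
    rks, out = sm4_round_keys(key), bytearray()
    for i in range(0, len(data), 16):
        ks = _sm4_block(rks, nonce12 + struct.pack(">I", i // 16))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)

# Outer IPv4 header for S5, and the protected tunnel payload nonce || ciphertext || tag.
TUNNEL_PROTO = 253  # assumed: an IANA experimental protocol number (plain IP-in-IP would be 4)
TAG_LEN = 16

def _checksum(hdr):
    s = sum(struct.unpack(">%dH" % (len(hdr) // 2), hdr))
    s = (s >> 16) + (s & 0xFFFF)
    return (~(s + (s >> 16))) & 0xFFFF

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack(">H", _checksum(hdr)) + hdr[12:]

def encapsulate(inner, local_pub, peer_pub, enc_key, mac_key):
    """Sender: encrypt the whole inner packet, tag it, prepend the public-IP outer header."""
    nonce = os.urandom(12)
    ct = sm4_ctr(enc_key, nonce, inner)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    payload = nonce + ct + tag
    return ipv4_header(local_pub, peer_pub, TUNNEL_PROTO, len(payload)) + payload

def decapsulate(outer, peer_pub, enc_key, mac_key):
    """Receiver: check the outer header and source, verify the tag, then decrypt."""
    if len(outer) < 20 + 12 + TAG_LEN or outer[0] != 0x45 or _checksum(outer[:20]) != 0:
        raise ValueError("bad outer IPv4 header")
    if outer[9] != TUNNEL_PROTO or outer[12:16] != ipaddress.ip_address(peer_pub).packed:
        raise ValueError("outer packet is not from the configured peer endpoint")
    nonce, ct, tag = outer[20:32], outer[32:-TAG_LEN], outer[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("tag mismatch: packet modified in transit or wrong key")
    inner = sm4_ctr(enc_key, nonce, ct)
    if not inner or inner[0] >> 4 != 4:
        raise ValueError("decrypted payload is not an IPv4 packet")
    return inner

def sample_inner_packet():
    """Constructed inner packet from LAN host 10.1.0.5 to peer LAN host 10.2.0.9 (opaque payload)."""
    data = b"constructed power telemetry sample"
    return ipv4_header("10.1.0.5", "10.2.0.9", 17, len(data)) + data
```

Only the inner packet is encrypted; the outer header must stay in clear so that the public network can route it, which is why the receiver checks the outer source against the configured peer endpoint before doing any cryptographic work. The tag is verified before decryption so that a modified or replayed-from-elsewhere packet is dropped without ever being parsed as an inner IP packet. A random 12-byte nonce under a long-lived key is adequate for an example; a production tunnel should rekey periodically or use a monotonically increasing nonce so that the keystream can never repeat.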
It should be understood that the numbering of the steps in the foregoing embodiment does not imply their execution order; the execution order of each process is determined by its function and internal logic and does not limit the implementation of the embodiments of the present application.
The following is an embodiment of the point-to-point virtual communication system based on SM4 provided by the present disclosure. The system and the method of the foregoing embodiments belong to the same inventive concept, and details not described for the system embodiment may be found in the foregoing method embodiment.
The system comprises a local 5G CPE terminal and a peer 5G CPE terminal. The local 5G CPE terminal configures the local network information and stores it in a network configuration file; on a communication start instruction, it reads the local network parameters from the network configuration file, parses them, initializes the communication protocol and creates a communication process; it creates a virtual tunnel network interface according to the preset local tunnel IP address and assigns that address to the interface.
Once the virtual tunnel network interface is created, a routing policy is configured, and the power service packets to be sent are re-encapsulated by the virtual tunnel network interface.
After encapsulation, a virtual private network tunnel is opened which, by riding on the public network, hides the local area network addresses, so that the local and peer 5G CPE terminals form a private communication channel. The local and peer 5G CPE terminals are each configured with the SM4 national cryptographic algorithm.
Thus the application achieves interconnection between local area networks over the existing public network without laying a dedicated point-to-point optical cable, greatly shortening the construction period and saving economic and maintenance costs.
When local area network terminals communicate, intermediate equipment such as gateways and central servers is dispensed with, saving equipment cost and removing the effect of intermediate-equipment faults on each local area network. Configuration is simple and deployment easy: apart from the information configured on the two CPE devices of the local area networks, no other equipment or information needs to be configured, later operation and maintenance are convenient, and when a local area network is added the existing network is left unchanged and only one new CPE device needs to be connected.
When the 5G CPE terminals communicate, the tunnel is encrypted with the SM4 national cryptographic algorithm, which does not depend on foreign encryption algorithms and so strengthens the autonomous and controllable security of the grid network.
Those of ordinary skill in the art will appreciate that the elements and algorithm steps described in connection with the embodiments disclosed herein may be embodied in electronic hardware, in computer software, or in a combination of the two, and that the elements and steps of the examples have been generally described in terms of function in the foregoing description to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. Two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. In addition, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices, or elements, or may be an electrical, mechanical, or other form of connection.
Furthermore, the described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the application. One skilled in the relevant art will recognize, however, that the application may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known methods, devices, implementations, or operations are not shown or described in detail to avoid obscuring aspects of the application.
In embodiments of the present application, computer program code for carrying out operations of the present disclosure may be written in one or more programming languages, including but not limited to an object oriented programming language such as Java, Smalltalk, C++ and conventional procedural programming languages, such as the "C" programming language or similar programming languages.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the application. Thus, the present application is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.

Claims (9)

1. A point-to-point virtual communication method based on a national secret SM4, which is characterized in that the method comprises the following steps:
S1: configuring local network information on a 5G CPE terminal of a local area network and storing the local network information in a network configuration file;
S2: reading local network parameters of the network configuration file, analyzing the network parameters, initializing a communication protocol, and creating a communication process;
S3: creating a virtual tunnel network card according to a preset local tunnel IP address, and defining the IP address of the virtual tunnel network card as the local tunnel IP address;
S4: if the virtual tunnel network card is successfully established, configuring a routing strategy in a 5G CPE terminal of the local area network;
S5: after the configuration of the routing strategy is completed, the virtual tunnel network card repackages the power service communication message sent to the opposite-end local area network;
S6: after the encapsulation is completed, a virtual private network tunnel is opened, and the virtual private network tunnel shields the IP address of the local area network by means of the public network, so that the local area network and the opposite local area network form a private network communication channel.
2. The point-to-point virtual communication method based on the national secret SM4 according to claim 1, wherein the local network information configured in step S1 includes: the local tunnel IP, the local public network IP and the opposite-end local area network IP information.
3. The point-to-point virtual communication method based on the national secret SM4 as recited in claim 1, wherein step S2 reads the local network parameters based on a netifd procedure call protocol script.
4. The method for peer-to-peer virtual communication based on the national secret SM4 according to claim 1, wherein the routing policy in step S4 comprises:
defining a communication message sent to an opposite-end local area network;
setting the next hop address as the IP address of the tunnel network card, and setting the next hop network card equipment as the tunnel network card.
5. The method for point-to-point virtual communication based on the national secret SM4 as recited in claim 4, wherein, if creation of the virtual tunnel network card fails, the network configuration file is fetched and it is judged whether the information in the network configuration file is wrong;
if so, the network configuration information of the 5G CPE terminal of the local area network is refreshed in real time based on the protocol configuration script, and the original network configuration file is updated.
6. The point-to-point virtual communication method based on the national secret SM4 as recited in claim 1, wherein the encapsulating manner in step S5 includes: an IP header is newly added in front of the original IP message header, the destination address of the newly added IP header is set as the opposite-end public network IP, and the source address is set as the local public network IP.
7. The point-to-point virtual communication method based on the national secret SM4 as recited in claim 1, wherein in the method, before the local area network sends data to the opposite local area network, an SM4 algorithm is called at a virtual private network tunnel interface to encrypt the data sent by the tunnel network card;
after receiving the data, the opposite-end local area network decrypts the received data based on a preset SM4 algorithm.
8. A point-to-point virtual communication system based on the national secret SM4, wherein the system adopts the point-to-point virtual communication method based on the national secret SM4 according to any one of claims 1 to 7;
the system comprises: a home terminal 5G CPE terminal and a peer terminal 5G CPE terminal;
the home terminal 5G CPE terminal configures home terminal network information and stores the home terminal network information in a network configuration file;
the local end 5G CPE terminal reads local end network parameters of the network configuration file based on the communication starting instruction, analyzes the network parameters, initializes a communication protocol and creates a communication process; creating a virtual tunnel network card according to a preset local tunnel IP address, and defining the IP address of the virtual tunnel network card as the local tunnel IP address;
after the virtual tunnel network card is successfully established, configuring a routing strategy; the virtual tunnel network card is used for repackaging the power service communication message to be sent;
after the encapsulation is completed, a virtual private network tunnel is opened, and the virtual private network tunnel shields the IP address of the local area network by means of the public network, so that the local end 5G CPE terminal and the opposite end 5G CPE terminal form a private network communication channel.
9. The system of claim 8, wherein the local 5G CPE terminal and the peer 5G CPE terminal are each configured with the national secret SM4 algorithm.
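As an added illustration of claims 6 and 7 (this is not code from the patent or its assignee): a pure-Python SM4 block cipher per GB/T 32907-2016 in counter mode, plus the tunnel framing in which the inner power-service packet is encrypted and then prefixed with an outer IPv4 header whose source is the local public IP and whose destination is the peer public IP. The SM4 mode (CTR), the 16-byte nonce prefix, protocol number 253 and the CONFIG addresses are assumptions; the patent specifies neither the cipher mode nor the tunnel framing.

```python
import struct
from socket import inet_aton
# SM4 constants (S-box, FK, CK) as published in GB/T 32907-2016.
SBOX = bytes.fromhex(
    "d690e9fecce13db716b614c228fb2c052b679a762abe04c3aa441326498606999c4250f491ef987a33540b43edcfac62e4b31ca9c908e89580df94fa758f3fa6"
    "4707a7fcf37317ba83593c19e6854fa8686b81b27164da8bf8eb0f4b70569d351e240e5e6358d1a225227c3b01217887d40046579fd327524c3602e7a0c4c89e"
    "eabf8ad240c738b5a3f7f2cef96115a1e0ae5da49b341a55ad933230f58cb1e31df6e22e8266ca60c02923ab0d534e6fd5db3745defd8e2f03ff6a726d6c5b51"
    "8d1baf92bbddbc7f11d95c411f105ad80ac13188a5cd7bbd2d74d012b8e5b4b08969974a0c96777e65b9f109c56ec68418f07dec3adc4d2079ee5f3ed7cb3948")
FK = (0xA3B1BAC6, 0x56AA3350, 0x677D9197, 0xB27022DC)
CK = tuple(int.from_bytes(bytes((4 * i + j) * 7 & 0xFF for j in range(4)), "big") for i in range(32))
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
def _t(x, key_schedule=False):
    b = sum(SBOX[(x >> s) & 0xFF] << s for s in (24, 16, 8, 0))  # tau: S-box on each byte
    if key_schedule:
        return b ^ _rotl(b, 13) ^ _rotl(b, 23)  # L' (key expansion)
    return b ^ _rotl(b, 2) ^ _rotl(b, 10) ^ _rotl(b, 18) ^ _rotl(b, 24)  # L (encryption rounds)
def sm4_round_keys(key):
    k = [mk ^ fk for mk, fk in zip(struct.unpack("!4I", key), FK)]
    for i in range(32):
        k.append(k[i] ^ _t(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ CK[i], True))
    return k[4:]
def sm4_encrypt_block(rk, block):
    x = list(struct.unpack("!4I", block))
    for i in range(32):
        x.append(x[i] ^ _t(x[i + 1] ^ x[i + 2] ^ x[i + 3] ^ rk[i]))
    return struct.pack("!4I", *reversed(x[32:]))  # reverse transform R
def sm4_ctr(key, nonce, data):
    # Counter mode: keystream block j = SM4(nonce + j); the same call encrypts and decrypts.
    rk, ctr, out = sm4_round_keys(key), int.from_bytes(nonce, "big"), bytearray()
    for i in range(0, len(data), 16):
        ks = sm4_encrypt_block(rk, ((ctr + i // 16) % (1 << 128)).to_bytes(16, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 16], ks))
    return bytes(out)
def ipv4_header(src, dst, payload_len, proto=253):
    # Outer header of claim 6 (src = local public IP, dst = peer public IP); protocol 253 is an assumption.
    h = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, inet_aton(src), inet_aton(dst))
    s = sum(struct.unpack("!10H", h))
    s = (s & 0xFFFF) + (s >> 16)
    return h[:10] + struct.pack("!H", ~((s & 0xFFFF) + (s >> 16)) & 0xFFFF) + h[12:]
def encapsulate(cfg, key, nonce, inner_packet):
    # Claim 7: SM4 is applied to the tunnel payload, then the public-network header is prepended.
    body = nonce + sm4_ctr(key, nonce, inner_packet)
    return ipv4_header(cfg["local_public_ip"], cfg["peer_public_ip"], len(body)) + body
def decapsulate(key, outer_packet):
    ihl = (outer_packet[0] & 0x0F) * 4  # outer header, then 16-byte nonce, then ciphertext
    return sm4_ctr(key, outer_packet[ihl:ihl + 16], outer_packet[ihl + 16:])
# Constructed configuration in the shape of claim 2; the addresses are documentation placeholders.
CONFIG = {"local_public_ip": "203.0.113.10", "peer_public_ip": "198.51.100.20"}
```

Counter mode as shown gives confidentiality only; a deployment would add a MAC over nonce and ciphertext, or use an authenticated mode, so a receiver can reject tampered tunnel packets.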
CN202311062148.3A 2023-08-23 2023-08-23 Point-to-point virtual communication method and system based on SM4 cryptographic Active CN116801239B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311062148.3A CN116801239B (en) 2023-08-23 2023-08-23 Point-to-point virtual communication method and system based on SM4 cryptographic


Publications (2)

Publication Number Publication Date
CN116801239A true CN116801239A (en) 2023-09-22
CN116801239B CN116801239B (en) 2024-01-09

Family

ID=88048366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311062148.3A Active CN116801239B (en) 2023-08-23 2023-08-23 Point-to-point virtual communication method and system based on SM4 cryptographic

Country Status (1)

Country Link
CN (1) CN116801239B (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200220746A1 (en) * 2017-08-28 2020-07-09 Luminati Networks Ltd. System and Method for Improving Content Fetching by Selecting Tunnel Devices
CN111865939A (en) * 2020-07-02 2020-10-30 上海缔安科技股份有限公司 Point-to-point national secret tunnel establishment method and device
CN115378578A (en) * 2022-10-25 2022-11-22 国网信息通信产业集团有限公司 SD-WAN (secure digital-to-Wide area network) implementation method and system based on SM4 cryptographic key
CN116232880A (en) * 2023-01-31 2023-06-06 国网山东省电力公司泰安供电公司 Virtual private network establishment method and system based on security isolation


Also Published As

Publication number Publication date
CN116801239B (en) 2024-01-09


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant