CN117254976B - National standard IPsec VPN realization method, device and system based on VPP and electronic equipment - Google Patents

National standard IPsec VPN realization method, device and system based on VPP and electronic equipment

Info

Publication number
CN117254976B
Authority
CN
China
Prior art keywords
data packet
network
network data
vpp
server
Prior art date
Legal status
Active
Application number
CN202311521551.8A
Other languages
Chinese (zh)
Other versions
CN117254976A (en)
Inventor
王滨
王丁磊
张海宾
陈加栋
李超豪
王玉银
谢瀛辉
Current Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Original Assignee
Hangzhou Hikvision Digital Technology Co Ltd
Priority date
Filing date
Publication date
Application filed by Hangzhou Hikvision Digital Technology Co Ltd
Priority to CN202311521551.8A
Publication of CN117254976A
Application granted
Publication of CN117254976B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272 Virtual private networks
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/40 Network security protocols

Abstract

The application provides a VPP-based national standard IPsec VPN implementation method, apparatus, system and electronic device, relating to the field of network security and used to enable the IPsec VPN to invoke a hardware cryptographic device. The method comprises the following steps: receiving a first network data packet sent by a first sending device, where the first network data packet is an IPsec VPN data packet and the agreed encryption algorithm of the first network data packet is a national commercial cryptographic algorithm implemented on a hardware cryptographic device; and decrypting and decapsulating the first network data packet based on the VPP framework to obtain a decapsulated data packet. Further, based on the VPP framework, a seventh network data packet is encapsulated according to the encapsulation mode, encryption algorithm and key corresponding to the security association, and the encapsulated seventh network data packet is forwarded, based on the VPP framework, according to its destination address.

Description

National standard IPsec VPN realization method, device and system based on VPP and electronic equipment
Technical Field
The present application relates to the field of network security, and in particular, to a method, an apparatus, a system, and an electronic device for implementing a national standard IPsec VPN based on VPP.
Background
IPsec (Internet Protocol Security) is an open-standard security framework that can be used to guarantee the confidentiality, integrity and replay protection of IP packets transmitted over a network. IPsec is not a single protocol: it secures the transmission of IP packets through two security protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload), and further provides key negotiation through the IKE (Internet Key Exchange) protocol, which establishes and maintains security associations (SA, Security Association).
IPsec VPN (Internet Protocol Security Virtual Private Network) technology built on IPsec has the advantage of flexible and transparent deployment at the network layer, and is one of the commonly used mainstream VPN technologies. The IPsec VPN architecture consists mainly of the AH, ESP and IKE protocol suites. In general, an IPsec VPN can be built through the cooperation of the Linux kernel protocol stack and the XFRM framework. Under the national cryptographic standard, the IPsec VPN needs to use national commercial cryptographic algorithms for encryption and decryption; for example, in the stage of establishing a secure connection, the SM2 algorithm of the national commercial cryptographic suite needs to be called to authenticate the identity of the communicating party and exchange protection information. However, because SM2 is based on elliptic-curve point operations over GF(p), which involve computationally intensive big-number arithmetic, the SM2 algorithm is complex and inefficient. Moreover, when the XFRM framework processes an ESP or AH packet, it must call an encryption algorithm registered in the Linux kernel to encrypt and decrypt the packet, which causes the work to run in a Linux kernel soft interrupt. Idle waiting is not allowed during a soft interrupt, otherwise the kernel crashes, and idle waiting does occur when a hardware cryptographic device is called to encrypt and decrypt the packet. Therefore, an IPsec VPN realized cooperatively by the Linux kernel protocol stack and the XFRM framework can only realize part of the national commercial cryptographic algorithms at the software level, and cannot use a hardware cryptographic device to encrypt and decrypt packets.
Therefore, how to invoke a hardware cryptographic device in an IPsec VPN to implement national commercial cryptographic algorithms is a technical problem to be solved.
Disclosure of Invention
The application provides a VPP-based national standard IPsec VPN implementation method, apparatus, system and electronic device, which are used to solve the problem of invoking a hardware cryptographic device in an IPsec VPN.
In a first aspect, the present application provides a VPP-based national standard IPsec VPN implementation method, which is applied to a server running a Linux system, and the method includes: receiving a first network data packet sent by a first sending device, where the first sending device and the server have a security association, the first network data packet is an IPsec VPN data packet, the destination address of the first network data packet points to the server, the agreed encapsulation mode of the first network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, the agreed encryption algorithm of the first network data packet is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, the hardware cryptographic device is communicatively connected to the server, and the security policy corresponding to the first network data packet indicates that the packet is IPsec traffic; and, based on the VPP framework, decrypting and decapsulating the first network data packet according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain a decapsulated data packet.
As can be seen from the above technical solution, the VPP-based national standard IPsec VPN implementation method provided in the embodiments of the present application receives the first network data packet and decrypts and decapsulates the first network data packet transmitted over the IPsec VPN on the basis of the VPP framework. In comparable technologies, by contrast, the decryption and decapsulation of the packet are handled by the Linux kernel protocol stack, where the hardware cryptographic device cannot be invoked because the Linux kernel protocol stack processes the packet in a soft interrupt.
In one possible implementation, before receiving the first network data packet sent by the first sending device, the VPP-based national standard IPsec VPN implementation method further includes: receiving a second network data packet sent by the first sending device, where the destination address of the second network data packet points to the server and the destination port of the second network data packet points to a preset port; and, based on the VPP framework, establishing the security association with the first sending device using the Internet Key Exchange (IKE) protocol and generating security association information, where the security association information includes the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, decrypting and decapsulating the first network data packet based on the VPP framework according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain a decapsulated data packet includes: based on the VPP framework, sending the first network data packet to the pending packet queue of the hardware cryptographic device; and, based on the VPP framework, receiving the decapsulated data packet sent by the hardware cryptographic device, where the decapsulated data packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet in its pending packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the first network namespace further includes a virtual host interface and a first virtual Ethernet device, where the virtual host interface is bridged with the physical network port and is communicatively connected to the first virtual Ethernet device; and the second network namespace further includes a second virtual Ethernet device, the first virtual Ethernet device being communicatively connected to the second virtual Ethernet device.
In one possible implementation, the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the method further includes: creating a virtual host interface in the first network namespace and, based on the VPP framework, bridging the virtual host interface with the physical network port of the server; and creating a first virtual Ethernet device in the first network namespace and a second virtual Ethernet device in the second network namespace, where the first virtual Ethernet device is communicatively connected to the virtual host interface and the second virtual Ethernet device is communicatively connected to the first virtual Ethernet device.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further includes: receiving a third network data packet sent by a second sending device, where the destination address indicated by the third network data packet is the second virtual Ethernet device; and, when the destination address indicated by the third network data packet is the second virtual Ethernet device, sending the third network data packet to the second network namespace to which the second virtual Ethernet device belongs over the communication connection formed by the physical network port, the virtual host interface, the first virtual Ethernet device and the second virtual Ethernet device of the server, and forwarding it through the Linux kernel protocol stack to the corresponding application of the Linux system for processing.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further includes: receiving a fourth network data packet sent by a third sending device, where the destination address of the fourth network data packet points to the server, the encapsulation mode of the fourth network data packet is based on the ESP protocol and/or the AH protocol, and the third sending device and the server have no security association; and forwarding the fourth network data packet according to a preset policy based on the VPP framework.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further includes: receiving a fifth network data packet sent by a fourth sending device, where the fifth network data packet is encapsulated in an encapsulation mode other than the agreed encapsulation mode; and forwarding the fifth network data packet, based on the VPP framework, to the protocol stack of a virtual network other than the IPsec VPN for processing.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further includes: receiving a sixth network data packet sent by a fifth sending device, where the destination address of the sixth network data packet does not point to the server; and forwarding the sixth network data packet according to its destination address based on the VPP framework.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further includes: receiving a seventh network data packet, where the receiving device indicated by the destination address of the seventh network data packet has a security association with the server and the security policy corresponding to the seventh network data packet indicates that it is IPsec traffic; encapsulating the seventh network data packet, based on the VPP framework, according to an encapsulation mode based on the ESP protocol and/or the AH protocol and a national commercial cryptographic algorithm; and forwarding the encapsulated seventh network data packet according to its destination address based on the VPP framework.
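The per-packet decisions described in the first aspect and its implementations above (IKE on the preset port creating the security association, ESP/AH packets with a security association handed to the hardware device's pending queue, ESP/AH packets without one handled by a preset policy, non-IPsec encapsulations passed to another VPN stack, packets for the kernel-side virtual Ethernet device sent into the second namespace, transit packets forwarded, and outbound packets for a peer with a security association encapsulated) can be modelled as a small dispatcher. The following is an added example written for this page and is not code from the patent or from Hikvision's product: the addresses, the use of UDP/500 as the "preset port", the SM4 algorithm label, the order in which the checks are applied, and the hardware device stub (which only strips the outer encapsulation instead of performing the real decryption) are all assumptions of the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed addresses for the model (assumptions, not from the patent):
SERVER_IP = "10.0.0.1"        # address of the server's physical port (VPP namespace)
KERNEL_VETH_IP = "10.0.0.2"   # address of the second veth in the Linux kernel namespace
IKE_PORT = 500                # the "preset port" on which the second packet arrives


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                # "esp", "ah", "udp", "gre", "tcp", "ip"
    dport: Optional[int] = None
    spi: Optional[int] = None
    payload: bytes = b""


@dataclass
class SecurityAssociation:
    peer: str
    spi: int
    encap: str                # agreed encapsulation mode: "esp" or "ah"
    algo: str                 # agreed algorithm, executed on the hardware device
    key: bytes                # agreed key (constructed placeholder value)


class HardwareCryptoStub:
    """Stand-in for the hardware cryptographic device: it drains the pending
    queue and returns decapsulated packets. The stub only strips the outer
    encapsulation; the real device would also run the SM algorithm operations."""

    def __init__(self) -> None:
        self.pending: deque = deque()
        self.done: deque = deque()

    def submit(self, pkt: Packet, sa: SecurityAssociation) -> None:
        self.pending.append((pkt, sa))

    def run(self) -> None:
        while self.pending:
            pkt, sa = self.pending.popleft()
            self.done.append(Packet(src=pkt.src, dst=pkt.dst, proto="ip", payload=pkt.payload))


class VppDispatcher:
    """Models the per-packet decisions of the first aspect; the order of the
    checks is this example's assumption, the patent does not fix one."""

    def __init__(self, hw: HardwareCryptoStub) -> None:
        self.hw = hw
        self.sad: Dict[Tuple[str, int], SecurityAssociation] = {}   # SA database
        self.spd: Dict[str, str] = {}                                # security policy per peer

    def ike_negotiate(self, pkt: Packet) -> SecurityAssociation:
        # Second packet: IKE on the preset port creates the SA and its policy.
        sa = SecurityAssociation(peer=pkt.src, spi=0x1000 + len(self.sad),
                                 encap="esp", algo="SM4-CBC", key=b"\x11" * 16)
        self.sad[(sa.peer, sa.spi)] = sa
        self.spd[sa.peer] = "ipsec"
        return sa

    def dispatch(self, pkt: Packet) -> str:
        if pkt.dst == KERNEL_VETH_IP:
            return "kernel-namespace"              # third packet: veth pair to the kernel stack
        if pkt.dst != SERVER_IP:
            return "forward:" + pkt.dst            # sixth packet: plain forwarding
        if pkt.proto == "udp" and pkt.dport == IKE_PORT:
            self.ike_negotiate(pkt)
            return "ike"                           # second packet
        if pkt.proto in ("esp", "ah"):
            sa = self.sad.get((pkt.src, pkt.spi))
            if sa is None or self.spd.get(pkt.src) != "ipsec":
                return "preset-policy"             # fourth packet: ESP/AH without an SA
            self.hw.submit(pkt, sa)
            return "hw-queue"                      # first packet: offloaded to the device
        return "other-vpn-stack"                   # fifth packet: non-IPsec encapsulation

    def encapsulate_out(self, pkt: Packet) -> Optional[Packet]:
        # Seventh packet / second aspect: outbound traffic to a peer with an SA.
        sa = next((s for (peer, _), s in self.sad.items() if peer == pkt.dst), None)
        if sa is None or self.spd.get(pkt.dst) != "ipsec":
            return None
        return Packet(src=SERVER_IP, dst=pkt.dst, proto=sa.encap, spi=sa.spi, payload=pkt.payload)


def run_demo() -> Dict[str, str]:
    """Feeds one constructed packet of each kind through the dispatcher and
    returns the decision taken for each."""
    hw = HardwareCryptoStub()
    vpp = VppDispatcher(hw)
    peer = "192.0.2.10"
    results: Dict[str, str] = {}
    results["ike"] = vpp.dispatch(Packet(src=peer, dst=SERVER_IP, proto="udp", dport=IKE_PORT))
    spi = next(iter(vpp.sad))[1]
    results["esp_with_sa"] = vpp.dispatch(Packet(src=peer, dst=SERVER_IP, proto="esp", spi=spi, payload=b"inner"))
    results["to_kernel"] = vpp.dispatch(Packet(src="192.0.2.20", dst=KERNEL_VETH_IP, proto="tcp", dport=22))
    results["esp_no_sa"] = vpp.dispatch(Packet(src="192.0.2.30", dst=SERVER_IP, proto="esp", spi=0x99))
    results["gre"] = vpp.dispatch(Packet(src="192.0.2.40", dst=SERVER_IP, proto="gre"))
    results["transit"] = vpp.dispatch(Packet(src="192.0.2.50", dst="198.51.100.7", proto="tcp", dport=80))
    hw.run()                                   # the device drains its queue on its own schedule
    results["decapsulated_payload"] = hw.done.popleft().payload.decode()
    out = vpp.encapsulate_out(Packet(src=SERVER_IP, dst=peer, proto="ip", payload=b"reply"))
    results["outbound"] = f"{out.proto}:{out.spi:#x}" if out else "none"
    return results


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:>22}: {decision}")
```

The point the model makes visible is the one the patent relies on: the VPP side never blocks on the cryptographic device, it only enqueues the packet and later collects the decapsulated result, which is exactly what a kernel soft interrupt in the XFRM path cannot do. Packets that carry ESP/AH headers but match no security association are deliberately kept away from the device and handled by the preset policy.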
In a second aspect, the present application provides a VPP-based national standard IPsec VPN implementation method, which is applied to a server running a Linux system and includes: receiving a network data packet, where the receiving device indicated by the destination address of the network data packet has a security association with the server and the security policy corresponding to the network data packet indicates that it is IPsec traffic; encapsulating the network data packet, based on the VPP framework, according to the encapsulation mode, encryption algorithm and key corresponding to the security association, where the encapsulation mode corresponding to the security association is based on the ESP protocol and/or the AH protocol, the encryption algorithm corresponding to the security association is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, and the hardware cryptographic device is communicatively connected to the server; and forwarding the encapsulated network data packet according to its destination address based on the VPP framework.
In a third aspect, the present application provides a VPP-based national standard IPsec VPN implementation apparatus, which includes a data packet receiving unit and a decapsulation unit. The data packet receiving unit is configured to receive a first network data packet sent by a first sending device, where the first sending device and the server have a security association, the first network data packet is an IPsec VPN data packet, the destination address of the first network data packet points to the server, the agreed encapsulation mode of the first network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, the agreed encryption algorithm of the first network data packet is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, the hardware cryptographic device is communicatively connected to the server, and the security policy corresponding to the first network data packet indicates that the packet is IPsec traffic. The decapsulation unit is configured to decrypt and decapsulate the first network data packet, based on the VPP framework, according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain a decapsulated data packet.
In one possible implementation, the VPP-based national standard IPsec VPN implementation apparatus further includes an information provisioning unit, configured to receive, before the first network data packet sent by the first sending device is received, a second network data packet sent by the first sending device, where the destination address of the second network data packet points to the server and the destination port of the second network data packet points to a preset port; and, based on the VPP framework, to establish the security association with the first sending device using the Internet Key Exchange (IKE) protocol and generate security association information, where the security association information includes the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the decapsulation unit is specifically configured to send, based on the VPP framework, the first network data packet to the pending packet queue of the hardware cryptographic device, and to receive, based on the VPP framework, the decapsulated data packet sent by the hardware cryptographic device, where the decapsulated data packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet in its pending packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the physical network port of the apparatus belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the apparatus belongs to a second network namespace; the first network namespace further includes a virtual host interface and a first virtual Ethernet device, where the virtual host interface is bridged with the physical network port and is communicatively connected to the first virtual Ethernet device; and the second network namespace further includes a second virtual Ethernet device, the first virtual Ethernet device being communicatively connected to the second virtual Ethernet device.
In one possible implementation, the data packet receiving unit is further configured to receive a third network data packet sent by a second sending device, where the destination address indicated by the third network data packet is the second virtual Ethernet device. The VPP-based national standard IPsec VPN implementation apparatus further includes a forwarding unit, configured, when the destination address indicated by the third network data packet is the second virtual Ethernet device, to send the third network data packet to the second network namespace to which the second virtual Ethernet device belongs over the communication connection formed by the physical network port, the virtual host interface, the first virtual Ethernet device and the second virtual Ethernet device of the apparatus, and to forward the third network data packet through the Linux kernel protocol stack to the corresponding application of the Linux system for processing.
In one possible implementation, the data packet receiving unit is further configured to receive a fourth network data packet sent by a third sending device, where the destination address of the fourth network data packet points to the apparatus, the encapsulation mode of the fourth network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, and the third sending device and the apparatus have no security association; and the forwarding unit is further configured to forward the fourth network data packet according to a preset policy based on the VPP framework.
In one possible implementation, the data packet receiving unit is further configured to receive a fifth network data packet sent by a fourth sending device, where the fifth network data packet is encapsulated in an encapsulation mode other than the agreed encapsulation mode; and the fifth network data packet is forwarded, based on the VPP framework, to the protocol stack of a virtual network other than the IPsec VPN for processing.
In one possible implementation, the data packet receiving unit is further configured to receive a sixth network data packet sent by a fifth sending device, where the destination address of the sixth network data packet does not point to the apparatus; and the forwarding unit is further configured to forward the sixth network data packet according to its destination address based on the VPP framework.
In one possible implementation, the data packet receiving unit is further configured to receive a seventh network data packet, where the receiving device indicated by the destination address of the seventh network data packet has a security association with the server and the security policy corresponding to the seventh network data packet indicates that it is IPsec traffic. The VPP-based national standard IPsec VPN implementation apparatus further includes an encapsulation unit, configured to encapsulate the seventh network data packet, based on the VPP framework, according to an encapsulation mode based on the ESP protocol and/or the AH protocol and a national commercial cryptographic algorithm; and the forwarding unit is further configured to forward the encapsulated seventh network data packet according to its destination address based on the VPP framework.
In a fourth aspect, the present application provides a VPP-based national standard IPsec VPN implementation apparatus, including a data packet receiving unit, an encapsulation unit and a forwarding unit. The data packet receiving unit is configured to receive a network data packet, where the receiving device indicated by the destination address of the network data packet has a security association with the server and the security policy corresponding to the network data packet indicates that it is IPsec traffic. The encapsulation unit is configured to encapsulate the network data packet, based on the VPP framework, according to the encapsulation mode, encryption algorithm and key corresponding to the security association, where the encapsulation mode corresponding to the security association is based on the ESP protocol and/or the AH protocol, the encryption algorithm corresponding to the security association is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, and the hardware cryptographic device is communicatively connected to the apparatus. The forwarding unit is configured to forward the encapsulated network data packet according to its destination address based on the VPP framework.
In a fifth aspect, the present application provides a VPP-based national standard IPsec VPN implementation system, including a sending device, a first server, a second server and a hardware cryptographic device. The sending device has a security association with the first server, and the first server has a security association with the second server; the first server and the second server run Linux systems. The sending device is configured to send an original network data packet to the first server based on the VPP framework, where the original network data packet is IPsec traffic. The first server is configured to encapsulate the original network data packet, based on the VPP framework, according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key corresponding to the security association to obtain a first network data packet, and to forward the first network data packet to the second server according to its destination address based on the VPP framework; the agreed encapsulation mode is an encapsulation mode based on the ESP protocol and/or the AH protocol, and the agreed encryption algorithm includes a national commercial cryptographic algorithm implemented on the hardware cryptographic device. The second server is configured to receive the first network data packet and, based on the VPP framework, decrypt and decapsulate it according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain the decapsulated data packet.
In a sixth aspect, an embodiment of the present application provides an electronic device, including a memory and a processor; the memory is coupled to the processor; the memory is configured to store computer program code, the computer program code comprising computer instructions; and the processor executes the computer instructions so that the electronic device performs the VPP-based national standard IPsec VPN implementation method of the first aspect and any one of its possible designs.
In a seventh aspect, the present application provides a computer-readable storage medium comprising computer software instructions; when the computer software instructions are run on the VPP-based national standard IPsec VPN implementation apparatus, they cause the apparatus to implement the method of the first aspect.
In an eighth aspect, the present application provides a computer program product which, when run on a VPP-based national standard IPsec VPN implementation apparatus, causes the apparatus to perform the steps of the related method described in the first aspect above, so as to implement the method of the first aspect.
For the advantageous effects of the second to eighth aspects, reference may be made to the corresponding description of the first aspect, which is not repeated here.
Drawings
Fig. 1 is a schematic structural diagram of a VPP-based national standard IPsec VPN implementation system provided in the present application;
fig. 2 is a schematic hardware configuration diagram of a computing device serving as the server 101 or any one of the sending devices in the VPP-based national standard IPsec VPN implementation system provided in the present application;
fig. 3 is a first schematic flow chart of a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 4 is a schematic diagram of network data packet transmission in a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 5 is a first schematic flow chart of processing a network data packet in the VPP framework in a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 6 is a second schematic flow chart of processing a network data packet in the VPP framework in the VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 7 is a network structure diagram of a server in a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 8 is a first data packet processing flow chart of a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 9 is a second data packet processing flow chart of a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 10 is a second schematic flow chart of a VPP-based national standard IPsec VPN implementation method provided in the present application;
fig. 11 is a first schematic structural diagram of a VPP-based national standard IPsec VPN implementation apparatus provided in the present application;
fig. 12 is a second schematic structural diagram of a VPP-based national standard IPsec VPN implementation apparatus provided in the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
It should be noted that, in the embodiments of the present application, words such as "exemplary" or "such as" are used to mean serving as an example, instance, or illustration. Any embodiment or design described herein as "exemplary" or "for example" should not be construed as preferred or advantageous over other embodiments or designs. Rather, the use of words such as "exemplary" or "such as" is intended to present related concepts in a concrete fashion.
In order to clearly describe the technical solutions of the embodiments of the present application, in the embodiments of the present application, the terms "first", "second", and the like are used to distinguish the same item or similar items having substantially the same function and effect, and those skilled in the art will understand that the terms "first", "second", and the like are not limited in number and execution order.
The background technology can know that the IPsec VPN can be built through the cooperation of the Linux kernel protocol stack and the XFM framework.
However, under the national security standard, the IPsec VPN needs to use a national commercial password to encrypt and decrypt, for example, in the stage of establishing a secure connection, the SM2 algorithm in the national commercial password needs to be called to identify the identity of the communicating party and exchange protection information, but because the SM2 operation is based on elliptic curve point operation under GF (p), the SM2 algorithm is complex and has low efficiency due to the fact that the SM2 operation involves computationally intensive large number operation.
Moreover, when the XFRM framework processes an ESP or AH packet, it must call an encryption algorithm registered in the Linux kernel to encrypt or decrypt the packet, and that processing runs in the softirq context of the Linux kernel. Calling a hardware cryptographic device to encrypt or decrypt the packet means waiting idly for the device to return its result, but idle waiting (sleeping) is not allowed in softirq context and would crash the kernel. Therefore, an IPsec VPN realized cooperatively by the Linux kernel protocol stack and the XFRM framework can only implement part of the national commercial cryptographic algorithms in software, and cannot use a hardware cryptographic device to encrypt and decrypt packets.
To address this problem, the present application provides a VPP-based national standard IPsec VPN implementation method, device, system and electronic equipment, which are used to solve the problem of invoking a hardware cryptographic device in an IPsec VPN.
In one possible implementation, an embodiment of the present application provides a VPP-based national standard IPsec VPN implementation method, which is applicable to the VPP-based national standard IPsec VPN implementation system shown in fig. 1, where the system includes a server 101 and a plurality of sending devices, and the server 101 is communicatively connected to the plurality of sending devices.
It should be understood that the number of servers 101 and of sending devices may each be more than one; fig. 1 illustrates one server 101 and one first sending device 102 as an example.
The server 101 may receive a first network data packet sent by the first sending device 102, where: the first sending device 102 has a security association with the server 101; the first network data packet is an IPsec VPN data packet; the destination address of the first network data packet points to the server 101; the agreed encapsulation mode of the first network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol; the agreed encryption algorithm of the first network data packet is a national commercial cryptographic algorithm implemented on a hardware cryptographic device that is communicatively connected to the server 101; and the security policy corresponding to the first network data packet indicates that the packet is IPsec traffic. Based on the VPP framework, the server 101 decrypts and decapsulates the first network data packet according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain a decapsulated data packet.
In one possible implementation, before receiving the first network data packet sent by the first sending device 102, the server 101 may receive a second network data packet sent by the first sending device 102, where the destination address of the second network data packet points to the server 101 and its destination port points to a preset port; based on the VPP framework, the server establishes a security association with the first sending device 102 through the Internet Key Exchange (IKE) protocol and generates security association information, which includes the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the server 101 may, based on the VPP framework, send the first network data packet to the pending data packet queue of the hardware cryptographic device; and, based on the VPP framework, receive the decapsulated data packet sent back by the hardware cryptographic device, where the decapsulated data packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet taken from its pending data packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the server 101 may, based on the VPP framework, create a virtual host interface in a first network namespace and bridge the virtual host interface with the physical network port of the server 101; and create a first virtual Ethernet device in the first network namespace and a second virtual Ethernet device in a second network namespace, where the first virtual Ethernet device is communicatively coupled to the virtual host interface and the second virtual Ethernet device is communicatively coupled to the first virtual Ethernet device.
In one possible implementation, the VPP-based national standard IPsec VPN implementation system further includes a second sending device. The server 101 may receive a third network data packet sent by the second sending device, where the destination address indicated by the third network data packet is the second virtual Ethernet device; when the destination address indicated by the packet is the second virtual Ethernet device, the server 101 sends the third network data packet, over the communication connection formed by its physical network port, the virtual host interface, the first virtual Ethernet device and the second virtual Ethernet device, to the second network namespace to which the second virtual Ethernet device belongs, where it is forwarded through the Linux kernel protocol stack to the corresponding application of the Linux system for processing.
In one possible implementation, the VPP-based national standard IPsec VPN implementation system further includes a third sending device. The server 101 may receive a fourth network data packet sent by the third sending device, where the destination address of the fourth network data packet points to the server 101, the encapsulation mode of the fourth network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, and the third sending device has no security association with the server 101; based on the VPP framework, the server 101 forwards the fourth network data packet according to a preset policy.
In one possible implementation, when a network data packet is encapsulated in a mode other than the agreed encapsulation mode, the server 101 may, based on the VPP framework, forward that network data packet to the protocol stack of a virtual network other than the IPsec VPN.
In one possible implementation, the VPP-based national standard IPsec VPN implementation system further includes a fourth sending device. The server 101 may receive a fifth network data packet sent by the fourth sending device, where the destination address of the fifth network data packet does not point to the server 101; based on the VPP framework, the server 101 forwards the packet according to the destination address of the fifth network data packet.
In one possible implementation, the VPP-based national standard IPsec VPN implementation system further includes devices in a subnet to which the server 101 is connected. The server 101 may receive a sixth network data packet sent by a device in that subnet, where a security association exists between the server 101 and the receiving device indicated by the destination address of the sixth network data packet, and the security policy corresponding to the sixth network data packet indicates that it is IPsec traffic; based on the VPP framework, the server 101 encapsulates the sixth network data packet according to the encapsulation mode, encryption algorithm and key corresponding to that security association, and then, based on the VPP framework, forwards the encapsulated sixth network data packet according to its destination address.
It should be understood that the first sending device 102, the second sending device, the third sending device, the fourth sending device and the fifth sending device may be different sending devices, and any two of them may also be the same sending device.
The server 101 and any sending device may be an electronic device such as a desktop computer, a tablet computer, a notebook computer, a handheld computer, a wearable electronic device or an Ultra-mobile Personal Computer (UMPC), which is not limited in the embodiments of the present application.
The server 101 and any sending device in this embodiment of the present application may be a computing device as shown in fig. 2, where the computing device includes a processor 201, a memory 202, a communication interface 203, and a bus 204. The processor 201, the memory 202 and the communication interface 203 may be connected via a bus 204.
The processor 201 is a control center of a computing device, and may be one processor or a collective term of a plurality of processing elements. For example, the processor 201 may be a general-purpose central processing unit (central processing unit, CPU), or may be another general-purpose processor. Wherein the general purpose processor may be a microprocessor or any conventional processor or the like.
As one example, processor 201 may include one or more CPUs, such as CPU 0 and CPU 1 shown in fig. 2.
Memory 202 may be, but is not limited to, read-only memory (ROM) or other type of static storage device that can store static information and instructions, random access memory (random access memory, RAM) or other type of dynamic storage device that can store information and instructions, as well as electrically erasable programmable read-only memory (EEPROM), magnetic disk storage or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer.
In a possible implementation, the memory 202 may exist separately from the processor 201 and be connected to the processor 201 through the bus 204 for storing instructions or program code. When the processor 201 calls and executes the instructions or program code stored in the memory 202, it is able to implement the VPP-based national standard IPsec VPN implementation method provided in the embodiments of the present application.
In the embodiments of the present application, the software program stored in the memory 202 differs from device to device, and so do the functions implemented. The functions performed by the respective devices will be described with reference to the following flowcharts.
In another possible implementation, the memory 202 may also be integrated with the processor 201.
A communication interface 203 for connecting the computing device with other devices via a communication network, which may be ethernet, a radio access network (radio access network, RAN), a wireless local area network (wireless local area networks, WLAN), etc. The communication interface 203 may include a receiving unit for receiving data, and a transmitting unit for transmitting data.
Bus 204 may be an industry standard architecture (Industry Standard Architecture, ISA) bus, a peripheral component interconnect (Peripheral Component Interconnect, PCI) bus, or an extended industry standard architecture (Extended Industry Standard Architecture, EISA) bus, among others. The bus may be classified as an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in fig. 2, which does not mean that there is only one bus or only one type of bus.
It should be noted that the structure shown in fig. 2 is not limiting of the computing device, and the computing device may include more or less components than those shown in fig. 2, or may combine some components, or a different arrangement of components.
The application provides a VPP-based national standard IPsec VPN implementation method, which can be applied to a computing device shown in fig. 2, and as shown in fig. 3, the VPP-based national standard IPsec VPN implementation method in the embodiment of the method can include S101 to S102.
S101, a first network data packet sent by a first sending device is received.
The first sending device and the server have a security association; the first network data packet is an IPsec VPN data packet; its destination address points to the server; its agreed encapsulation mode is an encapsulation mode based on the ESP protocol and/or the AH protocol; its agreed encryption algorithm is a national commercial cryptographic algorithm implemented on a hardware cryptographic device that is communicatively connected to the server; and the security policy corresponding to the first network data packet indicates that the packet is IPsec traffic.
IPsec (Internet Protocol Security) is a family of secure communication protocols that operates at the network layer and is built on applied cryptography; it is one of the technologies used to implement VPNs. IPsec protects point-to-point communication, such as host-to-host and host-to-gateway communication: it works at the IP layer (network layer), encrypting and authenticating packets at that layer. The two communicating parties establish an IPsec tunnel, and IP packets are encrypted and transmitted through the tunnel, which effectively guarantees the security of data transmission over insecure networks such as the Internet.
Three protocols are central to the IPsec VPN communication flow: the IKE protocol (Internet Key Exchange), the AH protocol (Authentication Header) and the ESP protocol (Encapsulating Security Payload).
Before any two points in the IPsec VPN (two peer communicating entities, say a first entity and a second entity) actually transmit payload data, they establish a security association (Security Association, SA) through the IKE protocol and generate at least one set of SA parameters. An SA is uniquely identified by three parameters: a security parameter index (SPI, a 32-bit value that uniquely identifies the SA), a source/destination IP address (the destination IP address for outbound packets, the source IP address for inbound packets), and a security protocol identifier (indicating whether the SA uses AH and/or ESP). The agreed SA parameters are used by the first entity and the second entity to encrypt, decrypt and authenticate data during IPsec VPN communication. Because the source/destination IP address in the SA parameters is fixed and not reversible, one SA supports traffic in one direction only, so bidirectional communication produces a pair of SAs. In addition, in the IKE phase the first entity and the second entity agree on the encryption (decryption) algorithm and key for the communication.
Of course, through the IKE protocol the first entity and the second entity may agree on further information to strengthen data security during IPsec VPN communication; this is not specifically described or limited in this application.
Taking the point-to-point communication of the two peer entities of this application, the server and the first sending device, as an example: the first sending device and the server have a security association; the agreed encapsulation mode of the first network data packet (an encapsulation mode based on the ESP protocol and/or the AH protocol) corresponds to the security protocol identifier in the security association; and the agreed encryption algorithm and agreed key of the first network data packet correspond to the encryption (decryption) algorithm and key that the two entities agreed on in the IKE phase.
In addition, after receiving a data packet, a communicating entity in the IPsec VPN decides how traffic crossing the IPsec boundary is handled according to its security policy (Security Policy, SP). For example, for inbound traffic (packets entering the protected domain from the unprotected domain), the entity first determines from the protocol field of the IP header whether the packet is an unprotected packet or IPsec traffic protected by ESP/AH (IP protocol number 50 for ESP, 51 for AH). Only packets of IPsec traffic go on to look up the SA between the two communicating entities and are then processed according to the SA parameters.
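As an added example (not code from the patent or from VPP), the following Python sketch runs the inbound decision sequence just described on constructed packets: the IP protocol field selects IKE punting (UDP 500/4500, with the RFC 3948 non-ESP marker telling IKE apart from UDP-encapsulated ESP on 4500), an SA database lookup keyed by (SPI, destination address, security protocol) for ESP/AH, and a fall-through to the preset policy when no SA exists, which is the case the method handles later for a sending device without a security association. The addresses, the SA entry and the packets are constructed; the ciphertext bytes are opaque placeholders, since the decryption itself is done by the hardware device.

```python
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_UDP = 17
IPPROTO_ESP = 50
IPPROTO_AH = 51

# Assumed addresses: the server's IPsec endpoint and the Veth1 end in the kernel namespace.
SERVER = ipaddress.IPv4Address("10.0.0.1")
KERNEL_VETH = ipaddress.IPv4Address("10.0.0.2")


@dataclass(frozen=True)
class SA:
    spi: int
    dst: ipaddress.IPv4Address
    proto: int          # IPPROTO_ESP or IPPROTO_AH (the security protocol identifier)
    encap: str          # agreed encapsulation mode: "tunnel" or "transport"
    cipher: str         # agreed algorithm name; the key itself lives in the hardware device
    key_index: int      # slot of the key inside the hardware cryptographic device


# SAD: the inbound lookup key is (SPI, destination address, security protocol).
SADB: Dict[Tuple[int, ipaddress.IPv4Address, int], SA] = {}


def add_sa(sa: SA) -> None:
    SADB[(sa.spi, sa.dst, sa.proto)] = sa


def lookup_sa(spi: int, dst: ipaddress.IPv4Address, proto: int) -> Optional[SA]:
    return SADB.get((spi, dst, proto))


def build_ipv4(proto: int, src: ipaddress.IPv4Address, dst: ipaddress.IPv4Address, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) for constructing test packets."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src.packed, dst.packed)
    return hdr + payload


def parse_ipv4(pkt: bytes) -> Tuple[int, ipaddress.IPv4Address, ipaddress.IPv4Address, bytes]:
    """Return (protocol, src, dst, payload); reject truncated or non-IPv4 input."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not a complete IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total < ihl or total > len(pkt):
        raise ValueError("bad IPv4 length fields")
    return pkt[9], ipaddress.IPv4Address(pkt[12:16]), ipaddress.IPv4Address(pkt[16:20]), pkt[ihl:total]


def classify(pkt: bytes) -> Tuple[str, Optional[SA]]:
    """Decide what the VPP side does with an inbound packet, in the order the text describes."""
    proto, _src, dst, payload = parse_ipv4(pkt)
    if dst == KERNEL_VETH:
        return "to-kernel-namespace", None      # hand to the Linux stack via Veth0/Veth1
    if dst != SERVER:
        return "forward", None                  # not for us: route by destination address
    if proto == IPPROTO_UDP and len(payload) >= 8:
        dport = struct.unpack("!H", payload[2:4])[0]
        body = payload[8:]
        if dport == 500 or (dport == 4500 and body[:4] == b"\x00\x00\x00\x00"):
            return "punt-ike", None             # preset port: punt to the IKE software
        if dport == 4500 and len(body) >= 8:
            spi = struct.unpack("!I", body[:4])[0]    # non-zero marker: ESP in UDP, SPI comes first
            sa = lookup_sa(spi, dst, IPPROTO_ESP)
            return ("ipsec-decrypt", sa) if sa else ("no-sa-preset-policy", None)
    if proto in (IPPROTO_ESP, IPPROTO_AH):
        # ESP: SPI is the first word. AH: next-header, length, reserved, then SPI at offset 4.
        off = 0 if proto == IPPROTO_ESP else 4
        if len(payload) < off + 8:
            return "drop-malformed", None
        spi = struct.unpack("!I", payload[off:off + 4])[0]
        sa = lookup_sa(spi, dst, proto)
        return ("ipsec-decrypt", sa) if sa else ("no-sa-preset-policy", None)
    return "bypass", None                       # plain traffic to the server, outside the IPsec policy


def udp(sport: int, dport: int, body: bytes) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8 + len(body), 0) + body


def esp(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq) + b"\xaa" * 32   # ESP header + opaque placeholder ciphertext


def demo() -> Dict[str, str]:
    """Run constructed packets through classify() against one constructed SA."""
    peer = ipaddress.IPv4Address("203.0.113.7")  # assumed address of the first sending device
    add_sa(SA(0x1000, SERVER, IPPROTO_ESP, "tunnel", "SM4-CBC", key_index=3))
    ah = struct.pack("!BBHII", IPPROTO_UDP, 4, 0, 0x3000, 1) + b"\x00" * 12
    packets = {
        "esp_with_sa": build_ipv4(IPPROTO_ESP, peer, SERVER, esp(0x1000, 1)),
        "esp_without_sa": build_ipv4(IPPROTO_ESP, peer, SERVER, esp(0x2000, 1)),
        "ah_without_sa": build_ipv4(IPPROTO_AH, peer, SERVER, ah),
        "ike_500": build_ipv4(IPPROTO_UDP, peer, SERVER, udp(500, 500, b"\x00" * 28)),
        "ike_4500": build_ipv4(IPPROTO_UDP, peer, SERVER, udp(4500, 4500, b"\x00" * 4 + b"\x00" * 28)),
        "esp_in_udp_4500": build_ipv4(IPPROTO_UDP, peer, SERVER, udp(4500, 4500, esp(0x1000, 2))),
        "to_kernel": build_ipv4(IPPROTO_UDP, peer, KERNEL_VETH, udp(40000, 22, b"")),
        "transit": build_ipv4(IPPROTO_UDP, peer, ipaddress.IPv4Address("10.0.5.9"), udp(40000, 53, b"")),
    }
    return {name: classify(pkt)[0] for name, pkt in packets.items()}


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:16s} -> {action}")
```

The SPI-only check is deliberately the first gate: a packet whose SPI is unknown never reaches the hardware queue, and an ESP/AH packet from a peer without an SA lands on the preset policy rather than being silently dropped.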
It can be seen that the first network data packet in S101 is a packet that the sending device transmits to the server through the IPsec VPN and that requires IPsec VPN processing.
S102, based on the VPP framework, decrypting and decapsulating the first network data packet according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed secret key to obtain a decapsulated data packet.
The VPP framework (Vector Packet Processing) is an extensible open source framework that provides the functionality of an out-of-the-box network switch or router and supports many standard network functions (for example L2 switching, L3 routing, NAT and encapsulation). VPP, also described as a high-performance network data plane, aims to provide powerful packet processing capabilities for scenarios such as network function virtualization (NFV), SD-WAN (software-defined wide area network) and edge routers. The VPP framework's support for plug-ins further extends the functions it can implement, so it can be used to build any type of packet processing application, such as load balancers, firewalls, IDSs and host stacks.
Therefore, the VPP framework can replace functions of the Linux kernel protocol stack, in particular of the network protocol stack, such as receiving, forwarding and decapsulating data packets. Thus, based on the VPP framework, the first network data packet can be decrypted and decapsulated according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key that correspond to its security association, yielding the decapsulated data packet.
As can be seen from the above, the VPP-based national standard IPsec VPN implementation method provided in the embodiments of the present application receives a first network data packet in the IPsec VPN and decrypts and decapsulates it based on the VPP framework. In related technology, decryption and decapsulation of the packet are handled by the Linux kernel protocol stack, which cannot call a hardware cryptographic device because it processes the packet in softirq context; the present method avoids that limitation.
In one possible implementation, before receiving the first network data packet sent by the first sending device, the method further includes: receiving a second network data packet sent by the first sending device, where the destination address of the second network data packet points to the server and its destination port points to the preset port; and, based on the VPP framework, establishing the security association with the first sending device through the Internet Key Exchange (IKE) protocol and generating security association information, which includes the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
It should be appreciated that in the IKE phase of IPsec, a communicating entity receives the IKE negotiation packets on a fixed port, namely UDP port 500. When NAT (Network Address Translation) exists on the transmission path, the IKE negotiation packets may instead be received on UDP port 4500 (NAT traversal). The preset port therefore refers to port 500 or port 4500; a packet sent to these ports is in general an IKE negotiation packet and can be used to establish the security association and exchange security association information. The process of establishing the security association can be implemented based on the VPP framework, and the SAD (SA Database) holding the security association information can also be managed by the VPP framework.
For example, as shown in fig. 4, the server may receive the second network data packet sent by the first sending device on port 500 and hand it over through a Unix socket. The server passes the second network data packet to the IKE software (the software implementing the IKE protocol), which invokes the algorithm interface of the hardware cryptographic device and generates the key shared between the server and the first sending device.
For another example, as shown in fig. 4, to establish the security association between the server and the first sending device, the server may generate an IKE negotiation message through the IKE software and send it to the VPP framework through the Punt socket (or the C API); the VPP framework then sends the IKE negotiation message to the first sending device from the bound sending port.
In one possible implementation, decrypting and decapsulating the first network data packet based on the VPP framework according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain a decapsulated data packet includes: based on the VPP framework, sending the first network data packet to the hardware cryptographic device; and receiving the decapsulated data packet sent back by the hardware cryptographic device, where the decapsulated data packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet taken from its pending data packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
As can be seen from the above and from fig. 4, in the VPP-based national standard IPsec VPN implementation method provided in this embodiment the processing of network data packets does not pass through the Linux kernel protocol stack. Whereas in related technology the IKE negotiation has to be carried out through the Linux kernel protocol stack, here the SAD (SA Database) of the IPsec VPN is also managed by the VPP framework, so the subsequent IPsec VPN communication can likewise be processed purely on the VPP framework. Because the method does not pass through the Linux kernel protocol stack, its packet processing requires no modification of the kernel protocol stack source code, which makes it easy to apply on Linux systems of various versions.
Nodes in the VPP framework are the processing stages of a data packet; packets flow between nodes for processing, and the VPP framework has three kinds of node, namely the Internal node, the Process node and the Input node. Fig. 5 shows the processing flow of the first network data packet through the nodes of the VPP framework. First the packet is obtained by the packet acquisition node (IP4-Michain), and then enters the packet processing decision node Esp-Encrypt-Tun, a graph node of the IPsec data plane of the VPP framework, which decides whether the packet needs processing. For a packet that needs processing, the node looks up the SA for the received network data and submits the crypto key index pre-stored in the SA, together with the pointer to and length of the data to be encrypted, to the default processing function of the encryption algorithm. The SA Lookup node performs the SA lookup for the first network data packet; once the SA corresponding to the packet is found, the packet and the SA lookup result are passed to the encryption processing node (Process Crypto), the VPP crypto instance node (VPP Crypto Instance) and the hardware crypto node (Crypto Handler) for processing; after encryption finishes, the result returns along the same path to the encryption processing node (Process Crypto) and is passed to the Output node (Interface-Output) for output. Packets that fail processing are discarded by the discard node (Drop Fail Packets). When a packet does not need encryption, the packet processing decision node (Esp-Encrypt-Tun) outputs it directly through the Output node (Interface-Output).
In one possible implementation, decrypting and decapsulating the first network data packet based on the VPP framework according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key to obtain a decapsulated data packet includes: based on the VPP framework, sending the first network data packet to the pending data packet queue of the hardware cryptographic device; and, based on the VPP framework, receiving the decapsulated data packet sent back by the hardware cryptographic device, where the decapsulated data packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet taken from its pending data packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
As shown in fig. 6, after processing by the SA Lookup node, the encryption queue node (entity) places the data packet (including the first network data packet) into the pending data packet queue of the hardware cryptographic device, using the encryption algorithm interface that was registered through the registered crypto instance (Registered Crypto Instance) to invoke the encryption algorithm in the hardware cryptographic device. The hardware cryptographic device (Hardware) performs the encryption corresponding to the SA on the queued packet and invokes the callback node (Callback Function) to return the encrypted packet through the packet return node (Packets Dispatch); the encrypted packet is then output through the Output node (Interface-Output).
As can be seen from the above embodiment, in the VPP-based national standard IPsec VPN implementation method provided in this embodiment, once a packet has been put into the queue it is processed by the hardware cryptographic device, and the VPP side does not have to wait for the packet to come back while it is being processed. This is an asynchronous processing flow and improves packet processing efficiency.
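To make the asynchronous hand-off concrete, here is an added Python model (not the patent's or VPP's code) of the fig. 6 flow: an enqueue call that returns immediately, a device worker thread that drains the pending queue, and a callback that dispatches each finished packet, with failed packets counted as dropped. The device class, the key slot and the packets are constructed, and the cipher inside the stand-in device is a SHA-256 counter keystream used only so the example runs offline; it is not SM4, carries no integrity check, and must not be used as a cipher.

```python
import hashlib
import queue
import struct
import threading
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ESP_HDR = 8  # SPI (4 bytes) + sequence number (4 bytes)


@dataclass(frozen=True)
class SA:
    spi: int
    key_index: int  # slot of the key inside the device; the host never holds the key bytes


@dataclass
class Job:
    """One queue entry: the packet, its SA, and the callback that dispatches the result."""
    sa: SA
    packet: bytes
    done: Callable[["Job"], None]
    result: Optional[bytes] = None
    error: Optional[str] = None


def _keystream(key: bytes, spi: int, seq: int, n: int) -> bytes:
    """PLACEHOLDER: SHA-256 counter keystream standing in for the device's SM4 engine. Not secure."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack("!IIQ", spi, seq, block)).digest()
        block += 1
    return bytes(out[:n])


def esp_encap(key: bytes, sa: SA, seq: int, payload: bytes, next_header: int = 4) -> bytes:
    """What the peer sends: ESP header, then payload + padding + trailer under the placeholder cipher."""
    pad_len = (-(len(payload) + 2)) % 4                 # align payload+trailer to 4 bytes
    plain = payload + bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, sa.spi, seq, len(plain))))
    return struct.pack("!II", sa.spi, seq) + ct


class HardwareCryptoDevice:
    """Stand-in for the hardware cryptographic device: a pending queue worked by its own thread."""

    def __init__(self, keys: Dict[int, bytes]):
        self._keys = keys
        self._pending: "queue.Queue[Optional[Job]]" = queue.Queue()
        self._worker = threading.Thread(target=self._run, daemon=True)
        self._worker.start()

    def enqueue(self, job: Job) -> None:
        self._pending.put(job)  # returns at once; the VPP side never waits here

    def _decap(self, job: Job) -> bytes:
        pkt = job.packet
        if len(pkt) < ESP_HDR + 2:
            raise ValueError("truncated ESP packet")
        spi, seq = struct.unpack("!II", pkt[:ESP_HDR])
        if spi != job.sa.spi:
            raise ValueError("SPI does not match the SA")
        key = self._keys[job.sa.key_index]
        plain = bytes(a ^ b for a, b in zip(pkt[ESP_HDR:], _keystream(key, spi, seq, len(pkt) - ESP_HDR)))
        pad_len = plain[-2]
        if pad_len + 2 > len(plain) or plain[-2 - pad_len:-2] != bytes(range(1, pad_len + 1)):
            raise ValueError("bad ESP trailer")
        return plain[:len(plain) - 2 - pad_len]

    def _run(self) -> None:
        while True:
            job = self._pending.get()
            if job is None:
                return
            try:
                job.result = self._decap(job)
            except Exception as exc:      # a failed packet goes to the drop path, not to output
                job.error = str(exc)
            job.done(job)                 # the callback node: dispatch the finished job

    def close(self) -> None:
        self._pending.put(None)
        self._worker.join()


def round_trip(payloads: List[bytes], tamper_last: bool = False) -> Tuple[List[bytes], int]:
    """Encapsulate payloads as the peer would, push them through the device queue, collect results."""
    key = b"\x11" * 16                                  # constructed key, resident in device slot 3
    device = HardwareCryptoDevice({3: key})
    sa = SA(spi=0x1000, key_index=3)
    completed: "queue.Queue[Job]" = queue.Queue()
    for seq, payload in enumerate(payloads, start=1):
        pkt = esp_encap(key, sa, seq, payload)
        if tamper_last and seq == len(payloads):
            pkt = pkt[:-2] + bytes([pkt[-2] ^ 0xFF]) + pkt[-1:]   # corrupt the pad-length byte
        device.enqueue(Job(sa, pkt, completed.put))     # no blocking between enqueues
    jobs = [completed.get(timeout=5) for _ in payloads]  # single worker, so results come back in FIFO order
    device.close()
    outputs = [j.result for j in jobs if j.error is None]
    dropped = sum(1 for j in jobs if j.error is not None)
    return outputs, dropped


if __name__ == "__main__":
    print(round_trip([b"hello", b"second packet"]))
    print(round_trip([b"a", b"b"], tamper_last=True))
```

The point of the model is the control flow, not the cipher: the enqueue path never blocks on the device, the completion is delivered by callback, and a packet the device rejects is counted rather than emitted, which mirrors the Drop Fail Packets node.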
In one possible implementation, the physical network port of the server belongs to a first network namespace, where the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace. The first network namespace further includes a virtual host interface and a first virtual Ethernet device; the virtual host interface bridges the physical network port and is communicatively coupled to the first virtual Ethernet device. The second network namespace further includes a second virtual Ethernet device, and the first virtual Ethernet device is communicatively coupled to the second virtual Ethernet device.
It should be appreciated that network namespaces isolate network devices and protocol stacks: every network device belongs to exactly one namespace, and a virtual network device can be assigned to a specified namespace. Veth is a pair of virtual Ethernet devices connected by a virtual link. Veth pairs are typically used to build network topologies such as bridges or tunnels, where one end serves as the network interface of a virtual machine or container and the other end is connected to the host's network stack.
Because the VPP framework and the Linux kernel protocol stack belong to two different network namespaces, and the VPP framework occupies the physical network port of the server to meet the requirements of the IPsec VPN, the Linux kernel protocol stack in the second network namespace and the upper-layer applications of the Linux system cannot obtain their network data packets directly from the network connection. Therefore, the physical network port, the virtual host interface, the first virtual Ethernet device and the second virtual Ethernet device are set up to communicatively connect the interfaces of the two network namespaces, so that the Linux kernel protocol stack in the second network namespace and the upper-layer applications of the Linux system can also obtain network data packets over this connection.
As shown in fig. 7, the two physical network ports of the server, GR1 and GR2, belong to the first network namespace, where the VPP framework is located, and the kernel protocol stack (Linux kernel protocol stack) and the upper-layer applications (Linux upper-layer applications) of the server belong to the second network namespace. Fig. 7 also includes the first virtual Ethernet device (Veth0), the second virtual Ethernet device (Veth1) and the virtual host interface (Host-interface). The physical network port GR1 is the receiving port and GR2 the sending port; the corresponding network 1 and network 2 may each be a subnet or a public network.
In one possible implementation of the VPP-based national standard IPsec VPN implementation method, the physical network port of the server belongs to a first network namespace, where the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace. The method further includes: creating a virtual host interface in the first network namespace and bridging the virtual host interface with the physical network port of the server based on the VPP framework; and creating a first virtual Ethernet device in the first network namespace and a second virtual Ethernet device in the second network namespace, where the first virtual Ethernet device is communicatively coupled to the virtual host interface and the second virtual Ethernet device is communicatively coupled to the first virtual Ethernet device.
In one possible implementation manner, the national standard IPsec VPN implementation method based on VPP further includes: and receiving a third network data packet sent by the second sending device, wherein the destination address indicated by the third network data packet is the second virtual Ethernet device. And under the condition that the destination address indicated by the third network data packet is the second virtual Ethernet equipment, the third network data packet is sent to a second network naming space to which the second virtual Ethernet equipment belongs based on the communication connection of the physical network port, the virtual host interface, the first virtual Ethernet equipment and the second virtual Ethernet equipment of the server, and is forwarded to an application corresponding to a Linux system for processing through a Linux kernel protocol stack.
It can be known that, when the destination address indicated by the third network data packet is the second virtual ethernet device, the third network data packet is characterized as a Linux kernel protocol stack or a data packet that needs to be received by a Linux upper layer application. With the above embodiment and the schematic diagram of fig. 7, after the network port GR1 receiving the data receives the third network packet, the third network packet may be sent to the second network namespace through the communication connection between the VPP bridge domain and the first virtual ethernet device (Veth 0) and the second virtual ethernet device (Veth 1) through the virtual Host interface (Host-interface), so that the Linux kernel protocol stack or the Linux upper layer application may receive the corresponding third network packet.
As can be seen from the above embodiments, in the VPP-based national standard IPsec VPN implementation method provided by the present application, in the case that the VPP framework occupies the network port of the server, by the manner of the embodiment of the present application, the normal use of the Linux kernel protocol stack and the network function of the upper layer application of the Linux system can be not affected,
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further comprises: receiving a fourth network data packet sent by a third sending device, where the destination address of the fourth network data packet points to the server, the fourth network data packet is encapsulated with the ESP protocol and/or the AH protocol, and the third sending device has no security association with the server; and forwarding the fourth network data packet according to a preset policy based on the VPP framework.
It should be appreciated that a packet received in network transmission may be forwarded according to whichever forwarding policy it qualifies for (for example, the preset policy described above). For instance, a preset policy may be configured in the server such that a packet encapsulated with the ESP protocol and/or the AH protocol whose sending device has no security association with the server is forwarded, based on the VPP framework, to another port of the server or to another server.
In the above technical solution, a packet encapsulated with the ESP protocol and/or the AH protocol is normally IPsec traffic. The fourth network data packet is encapsulated in this way, but its third sending device has no security association with the server, so the packet does not satisfy the condition for being accepted by the server and processed by the IPsec VPN; such a fourth network data packet may therefore be discarded or forwarded according to the preset policy. Note that RFC 4301 requires an inbound ESP or AH packet whose SPI matches no security association to be discarded and the event to be auditable, so a policy that forwards such packets should be reserved for deployments in which the server deliberately acts as a transit device for another endpoint's tunnels.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further comprises: receiving a fifth network data packet sent by a fourth sending device, where the fifth network data packet is encapsulated in an encapsulation mode other than the agreed encapsulation mode; and forwarding the fifth network data packet, based on the VPP framework, to the protocol stack of a virtual network other than the IPsec VPN for processing.
Since the server may also host the protocol stacks of other virtual networks, and the IPsec VPN only handles the virtual network encapsulated with the ESP protocol and/or the AH protocol, a fifth network data packet encapsulated in any other manner can be forwarded to the corresponding other protocol stack for processing.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further comprises: receiving a sixth network data packet sent by a fifth sending device, where the destination address of the sixth network data packet does not point to the server; and forwarding the sixth network data packet, based on the VPP framework, according to its destination address.
According to the above embodiments, in the VPP-based national standard IPsec VPN implementation method, the processing of the different kinds of packets may be as shown in fig. 8.
In one possible implementation, the VPP-based national standard IPsec VPN implementation method further comprises: receiving a seventh network data packet, where the receiving device indicated by the destination address of the seventh network data packet has a security association with the server and the security policy corresponding to the seventh network data packet indicates that it is IPsec traffic; encapsulating the seventh network data packet, based on the VPP framework, in the encapsulation mode based on the ESP protocol and/or the AH protocol with a national commercial cryptographic algorithm; and forwarding the encapsulated seventh network data packet, based on the VPP framework, according to its destination address.
According to the above embodiment, in the VPP-based national standard IPsec VPN implementation method, the processing of packets to be encapsulated may be as shown in fig. 9. When a packet is a seventh network data packet, that is, the receiving device indicated by its destination address has a Security Association (SA) with the server and the corresponding Security Policy (SP) indicates that the packet is IPsec traffic, the server encapsulates the packet in the ESP and/or AH encapsulation mode according to the encapsulation mode, encryption algorithm and key of that SA, invoking the cryptographic algorithm interface to encrypt it. When a packet is not a seventh network data packet, it is handled as follows. If the packet is not IPsec traffic, it is forwarded according to ordinary routing: if it is directed to the first virtual Ethernet device, it is data for a Linux upper layer application of the server and is sent to the Linux kernel protocol stack; if it points to no reachable address, it may be discarded; if it points to another routable address, it is forwarded according to that route. If the packet is IPsec traffic but the server holds no Security Association (SA) and Security Policy (SP) for the destination address it points to, it is not a seventh network data packet either, and may be discarded or forwarded according to the preset forwarding policy.
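The dispatch of figs. 8 and 9 can be written down as a classifier over the parsed IPv4 header, the inbound Security Association Database (SAD) and the outbound Security Policy Database (SPD). The following Python is an added example for this page, not code from the patent or from VPP; the addresses, SPIs, prefixes and the algorithm labels ("SM4-CBC", "HMAC-SM3") are constructed for the illustration, and the gateway's own address and the address of Veth 1 are assumptions. It returns the action the VPP data plane would take for each of the packet kinds described above (first through seventh), including the AH case, where the SPI sits after the 4-byte AH preamble rather than at offset 0 as in ESP.

```python
"""Packet dispatch of a VPP-style IPsec gateway, following figs. 8 and 9.

Added example; not code from the patent or from VPP.  Every address, SPI, prefix
and algorithm label below is constructed for the illustration."""
import ipaddress
import struct
from dataclasses import dataclass, field

IPPROTO_UDP, IPPROTO_ESP, IPPROTO_AH = 17, 50, 51


@dataclass(frozen=True)
class SA:
    """The part of a SAD entry this dispatcher needs."""
    spi: int
    peer: str        # remote tunnel endpoint the SA was negotiated with
    protocol: int    # IPPROTO_ESP or IPPROTO_AH
    cipher: str      # negotiated algorithm label, e.g. "SM4-CBC" (assumed name)


@dataclass
class Gateway:
    own_addr: str        # tunnel endpoint address VPP answers for (assumption)
    kernel_addr: str     # address of Veth 1 in the second (kernel) namespace (assumption)
    sad_in: dict = field(default_factory=dict)    # inbound SPI -> SA
    sad_out: dict = field(default_factory=dict)   # outbound SPI -> SA
    spd_out: list = field(default_factory=list)   # [(destination prefix, SPI)]: protect with that SA
    ike_ports: frozenset = field(default_factory=lambda: frozenset({500, 4500}))

    @staticmethod
    def parse(pkt: bytes):
        """Return (src, dst, protocol, bytes after the IPv4 header)."""
        ihl = (pkt[0] & 0x0F) * 4
        src = str(ipaddress.IPv4Address(pkt[12:16]))
        dst = str(ipaddress.IPv4Address(pkt[16:20]))
        return src, dst, pkt[9], pkt[ihl:]

    def dispatch_inbound(self, pkt: bytes) -> str:
        """Action for a packet arriving on the VPP-owned port (fig. 8)."""
        src, dst, proto, payload = self.parse(pkt)
        if dst == self.kernel_addr:
            return "to-kernel-stack"   # third packet: Host-interface -> Veth 0 -> Veth 1
        if dst != self.own_addr:
            return "route"             # sixth packet: not for this server, ordinary routing
        if proto in (IPPROTO_ESP, IPPROTO_AH):
            # ESP carries the SPI at offset 0; AH after next-header, length and reserved (offset 4).
            off = 0 if proto == IPPROTO_ESP else 4
            if len(payload) < off + 4:
                return "preset-policy"
            spi = struct.unpack("!I", payload[off:off + 4])[0]
            sa = self.sad_in.get(spi)
            if sa is not None and sa.peer == src and sa.protocol == proto:
                return f"decrypt:spi={spi:#x}:{sa.cipher}"   # first packet: to the crypto device
            return "preset-policy"     # fourth packet: ESP/AH without an SA (RFC 4301: discard)
        if proto == IPPROTO_UDP and len(payload) >= 4:
            if struct.unpack("!H", payload[2:4])[0] in self.ike_ports:
                return "ike"           # second packet: IKE on the preset port
        return "other-stack"           # fifth packet: another encapsulation, another stack

    def dispatch_outbound(self, pkt: bytes) -> str:
        """Action for a packet leaving the gateway (fig. 9): SPD lookup, then SAD lookup."""
        _, dst, _, _ = self.parse(pkt)
        for prefix, spi in self.spd_out:
            if ipaddress.IPv4Address(dst) in ipaddress.IPv4Network(prefix):
                sa = self.sad_out.get(spi)
                if sa is None:
                    return "preset-policy"   # policy says protect, but the SA is not up yet
                return f"encapsulate:spi={spi:#x}:{sa.cipher}"   # seventh packet
        return "route"                 # bypass: not IPsec traffic according to policy


def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 packet (checksum left zero) for constructed inputs."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def esp_header(spi: int, seq: int) -> bytes:
    return struct.pack("!II", spi, seq)


def ah_header(spi: int, seq: int) -> bytes:
    # next header, payload length, reserved, SPI, sequence number
    return struct.pack("!BBHII", IPPROTO_UDP, 4, 0, spi, seq)


def udp_header(sport: int, dport: int) -> bytes:
    return struct.pack("!HHHH", sport, dport, 8, 0)
```

Two points in the dispatch matter in practice: the kernel-namespace check comes before the IPsec check, so traffic addressed to Veth 1 is bridged rather than inspected, and an ESP or AH packet is only handed to the cryptographic device when the SPI, the source address and the protocol all match the SA, since the SPI alone is attacker-controlled.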
In another possible implementation, the application proposes a further VPP-based national standard IPsec VPN implementation method, including the following S201 to S203, as shown in fig. 10.
S201, receiving a network data packet.
The receiving device indicated by the destination address of the network data packet has a security association with the server, and the security policy corresponding to the network data packet indicates that the network data packet is IPsec traffic.
S202, encapsulating the network data packet, based on the VPP framework, according to the encapsulation mode, encryption algorithm and key corresponding to the security association.
The agreed encapsulation mode corresponding to the security association is an encapsulation mode based on the ESP protocol and/or the AH protocol, the encryption algorithm corresponding to the security association is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, and the hardware cryptographic device is communicatively connected to the server.
It should be understood that, since the receiving device indicated by the destination address of the network data packet has a security association with the server and the security policy corresponding to the network data packet indicates that it is IPsec traffic, the network data packet is one that should be processed by the IPsec VPN before being sent to the receiving device. The encapsulation mode, encryption algorithm and key are normally agreed when the security association is established (the IKE phase), so the server can encapsulate the network data packet based on the VPP framework according to the encapsulation mode, encryption algorithm and key corresponding to the security association.
S203, forwarding the encapsulated network data packet, based on the VPP framework, according to the destination address of the encapsulated network data packet.
According to the above technical solution, it is first determined whether the receiving device indicated by the destination address of the network data packet has a security association with the server and whether the security policy corresponding to the network data packet indicates that it is IPsec traffic, that is, whether the network data packet must be processed by the IPsec VPN before being transmitted to the receiving device. When it must, the network data packet is encapsulated based on the VPP framework according to the encapsulation mode, encryption algorithm and key corresponding to the security association, and the encapsulated network data packet is forwarded based on the VPP framework according to its destination address. The whole process is therefore completed within the VPP framework without passing through the Linux kernel, which avoids the problem that the hardware cryptographic device cannot be invoked from the softirq context in which the Linux kernel protocol stack processes packets, and allows the hardware cryptographic device to be invoked to encrypt the network data packet.
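S201 to S203, together with the node structure recited in the claims below (encryption queue node, pending-packet queue of the hardware device, callback node, packet return node, output node), can be exercised end to end with the following Python. It is an added example for this page, not the patent's, VPP's or any vendor's code. The hardware cryptographic device is replaced by a stand-in class: the real security association uses a national commercial algorithm such as SM4 inside the device, but the Python standard library has no SM4, so the stand-in applies ESP-NULL (RFC 2410) with HMAC-SHA256-128 integrity protection. That algorithm choice, the key and the sample inner packet are assumptions of the example; what it demonstrates is the ESP framing (RFC 4303 header, padding, trailer and ICV), the anti-replay check on decapsulation, and the hand-off of every packet from the queue node through the device callback to the output node without touching the kernel.

```python
"""ESP framing pushed through the node pipeline of the claims: encryption queue
node -> hardware device queue -> callback node -> packet return node -> output
node.  Added example; ESP-NULL + HMAC-SHA256-128 stand in for the SM algorithms
that the real hardware cryptographic device would implement (assumption)."""
import hashlib
import hmac
import struct
from collections import deque
from dataclasses import dataclass

ICV_LEN = 16            # HMAC-SHA256-128: 32-byte MAC truncated to 16 bytes
NEXT_HEADER_IPV4 = 4    # tunnel mode: the ESP payload is a complete IPv4 packet


@dataclass
class EspSa:
    spi: int
    auth_key: bytes     # constructed for the example; the real key comes from IKE
    seq_out: int = 0    # last sequence number sent
    seq_in: int = 0     # highest sequence number accepted (single high-water mark)


@dataclass
class Job:
    sa: EspSa
    pkt: bytes
    direction: str      # "out" = encrypt and encapsulate, "in" = verify and decapsulate


def icv(key: bytes, body: bytes) -> bytes:
    return hmac.new(key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_encapsulate(sa: EspSa, inner: bytes) -> bytes:
    """RFC 4303 framing: SPI | seq | payload | padding | pad len | next header | ICV."""
    sa.seq_out += 1
    pad_len = (-(len(inner) + 2)) % 4            # ESP-NULL: only the 4-byte alignment rule
    padding = bytes(range(1, pad_len + 1))       # default monotonic pad pattern
    body = (struct.pack("!II", sa.spi, sa.seq_out) + inner + padding
            + bytes([pad_len, NEXT_HEADER_IPV4]))
    return body + icv(sa.auth_key, body)


def esp_decapsulate(sa: EspSa, esp: bytes):
    """Return the inner packet, or None when the packet must be dropped."""
    if len(esp) < 8 + 2 + ICV_LEN:
        return None
    body, tag = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(tag, icv(sa.auth_key, body)):
        return None                              # integrity check failed
    spi, seq = struct.unpack("!II", body[:8])
    if spi != sa.spi or seq <= sa.seq_in:
        return None                              # wrong SA, or replayed sequence number
    pad_len, next_hdr = body[-2], body[-1]
    if next_hdr != NEXT_HEADER_IPV4 or pad_len > len(body) - 10:
        return None
    sa.seq_in = seq
    return body[8:len(body) - 2 - pad_len]


class HardwareCryptoDevice:
    """Stand-in for the hardware cryptographic device and its pending-packet queue."""
    def __init__(self):
        self.queue = deque()
        self.on_done = None                      # the graph installs its callback node here

    def submit(self, job: Job):
        self.queue.append(job)

    def process(self) -> int:
        """Drain the queue; each completed job is handed to the callback. Returns the count."""
        done = 0
        while self.queue:
            job = self.queue.popleft()
            fn = esp_encapsulate if job.direction == "out" else esp_decapsulate
            self.on_done(job, fn(job.sa, job.pkt))
            done += 1
        return done


class VppIpsecGraph:
    """The four nodes recited in the claims, with the device queue between the first two."""
    def __init__(self, device: HardwareCryptoDevice):
        self.device = device
        self.device.on_done = self.callback_node
        self.output = []                         # packets emitted by the output node
        self.dropped = 0

    def encrypt_queue_node(self, sa: EspSa, pkt: bytes, direction: str):
        self.device.submit(Job(sa, pkt, direction))   # stays inside VPP: no kernel, no softirq

    def callback_node(self, job: Job, result):
        self.packet_return_node(result)

    def packet_return_node(self, result):
        self.output_node(result)

    def output_node(self, pkt):
        if pkt is None:
            self.dropped += 1
        else:
            self.output.append(pkt)
```

A packet whose ICV fails, whose SPI does not match the SA, or whose sequence number does not exceed the last accepted one comes back from the device as None and is counted as dropped by the output node. A full implementation would keep the RFC 4303 sliding anti-replay window rather than a single high-water mark, and would take the cipher, MAC and keys from the security association negotiated in the IKE phase.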
In one possible embodiment, the present application provides a VPP-based national standard IPsec VPN implementation apparatus, as shown in fig. 11, including:
a packet receiving unit 301, configured to receive a first network data packet sent by a first sending device, where the first sending device has a security association with the server, the destination address of the first network data packet points to the server, the agreed encapsulation mode of the first network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, the agreed encryption algorithm of the first network data packet is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, the hardware cryptographic device is communicatively connected to the apparatus, and the security policy corresponding to the first network data packet indicates that the network data packet is IPsec traffic; and
a decapsulating unit 302, configured to decrypt and decapsulate the first network data packet, based on the VPP framework, according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key, to obtain a decapsulated packet.
In one possible implementation, the VPP-based national standard IPsec VPN implementation apparatus further includes an information provisioning unit, configured to receive, before the first network data packet sent by the first sending device is received, a second network data packet sent by the first sending device, where the destination address of the second network data packet points to the server and its destination port points to a preset port; and to establish, based on the VPP framework, the security association with the first sending device using the Internet Key Exchange (IKE) protocol and generate security association information, the security association information including the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the decapsulating unit 302 is specifically configured to send, based on the VPP framework, the first network data packet to the pending-packet queue of the hardware cryptographic device, and to receive, based on the VPP framework, the decapsulated packet sent back by the hardware cryptographic device, the decapsulated packet being obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet from the pending-packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key.
In one possible implementation, the physical network port of the apparatus belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the apparatus belongs to a second network namespace; the first network namespace further comprises a virtual host interface and a first virtual Ethernet device, where the virtual host interface is bridged with the physical network port and communicatively connected to the first virtual Ethernet device; and the second network namespace further comprises a second virtual Ethernet device, the first virtual Ethernet device being communicatively connected to the second virtual Ethernet device.
In one possible implementation, the packet receiving unit 301 is further configured to receive a third network data packet sent by a second sending device, where the destination address indicated by the third network data packet is the second virtual Ethernet device. The VPP-based national standard IPsec VPN implementation apparatus further comprises a forwarding unit, configured, when the destination address indicated by the third network data packet is the second virtual Ethernet device, to send the third network data packet over the communication connection formed by the physical network port, the virtual host interface, the first virtual Ethernet device and the second virtual Ethernet device of the apparatus to the second network namespace to which the second virtual Ethernet device belongs, from where it is forwarded through the Linux kernel protocol stack to the corresponding application of the Linux system for processing.
In one possible implementation, the packet receiving unit 301 is further configured to receive a fourth network data packet sent by a third sending device, where the destination address of the fourth network data packet points to the apparatus, the fourth network data packet is encapsulated with the ESP protocol and/or the AH protocol, and the third sending device has no security association with the apparatus; and the forwarding unit is further configured to forward the fourth network data packet according to a preset policy based on the VPP framework.
In one possible implementation, the packet receiving unit 301 is further configured to receive a fifth network data packet sent by a fourth sending device, where the fifth network data packet is encapsulated in an encapsulation mode other than the agreed encapsulation mode; and the forwarding unit is further configured to forward the fifth network data packet, based on the VPP framework, to the protocol stack of a virtual network other than the IPsec VPN for processing.
In one possible implementation, the packet receiving unit 301 is further configured to receive a sixth network data packet sent by a fifth sending device, where the destination address of the sixth network data packet does not point to the apparatus; and the forwarding unit is further configured to forward the sixth network data packet, based on the VPP framework, according to its destination address.
In one possible implementation, the packet receiving unit 301 is further configured to receive a seventh network data packet, where the receiving device indicated by the destination address of the seventh network data packet has a security association with the server and the security policy corresponding to the seventh network data packet indicates that it is IPsec traffic; the VPP-based national standard IPsec VPN implementation apparatus further comprises an encapsulation unit, configured to encapsulate the seventh network data packet, based on the VPP framework, in the encapsulation mode based on the ESP protocol and/or the AH protocol with a national commercial cryptographic algorithm; and the forwarding unit is further configured to forward the encapsulated seventh network data packet, based on the VPP framework, according to its destination address.
In another possible embodiment, as shown in fig. 12, the present application provides a VPP-based national standard IPsec VPN implementation apparatus, which includes a packet receiving unit 401, an encapsulation unit 402 and a forwarding unit 403.
The packet receiving unit 401 is configured to receive a network data packet, where the receiving device indicated by the destination address of the network data packet has a security association with the server, and the security policy corresponding to the network data packet indicates that the network data packet is IPsec traffic.
The encapsulation unit 402 is configured to encapsulate the network data packet, based on the VPP framework, according to the encapsulation mode, encryption algorithm and key corresponding to the security association; the encapsulation mode corresponding to the security association is an encapsulation mode based on the ESP protocol and/or the AH protocol, the encryption algorithm corresponding to the security association is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, and the hardware cryptographic device is communicatively connected to the apparatus.
The forwarding unit 403 is configured to forward the encapsulated network data packet, based on the VPP framework, according to the destination address of the encapsulated network data packet.
In one possible implementation, the application also provides a VPP-based national standard IPsec VPN implementation system, comprising a sending device, a first server, a second server and a hardware cryptographic device; the sending device has a security association with the first server, and the first server has a security association with the second server; both the first server and the second server run a Linux system.
The sending device is configured to send an original network data packet to the first server based on the VPP framework, where the original network data packet is IPsec traffic.
The first server is configured to encapsulate the original network data packet, based on the VPP framework, according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key corresponding to the security association to obtain a first network data packet, and to forward the first network data packet to the second server, based on the VPP framework, according to the destination address of the first network data packet; the agreed encapsulation mode is an encapsulation mode based on the ESP protocol and/or the AH protocol, and the agreed encryption algorithm comprises a national commercial cryptographic algorithm implemented on the hardware cryptographic device.
The second server is configured to receive the first network data packet and to decrypt and decapsulate it, based on the VPP framework, according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key, obtaining the decapsulated packet.
From the foregoing description of the embodiments, it will be apparent to those skilled in the art that the above division into functional modules is given only as an example, for convenience and brevity of description; in practical application, the functions may be allocated to different functional modules as needed, that is, the internal structure of the VPP-based national standard IPsec VPN implementation apparatus may be divided into different functional modules so as to implement all or part of the functions described above.
Embodiments of the present application also provide a computer-readable storage medium. All or part of the flow of the above method embodiments may be implemented by a computer program instructing the relevant hardware; the program may be stored in the computer-readable storage medium and, when executed, may carry out the flow of the above method embodiments. The computer-readable storage medium may be the memory of any of the foregoing embodiments. It may be an external storage device of the VPP-based national standard IPsec VPN implementation apparatus, for example a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card provided on the apparatus, or it may include both an internal storage unit and an external storage device of the apparatus. The computer-readable storage medium is used to store the computer program and the other programs and data required by the VPP-based national standard IPsec VPN implementation apparatus, and may also be used to temporarily store data that has been output or is to be output.
Embodiments of the present application also provide a computer program product comprising a computer program which, when the computer program product runs on a computer, causes the computer to execute any of the VPP-based national standard IPsec VPN implementation methods provided in the above embodiments.
Although the present application has been described herein in connection with various embodiments, other variations of the disclosed embodiments can be understood and effected by those skilled in the art in practicing the claimed application, from a review of the figures, the disclosure and the appended claims. In the claims, the word "comprising" does not exclude other elements or steps, and "a" or "an" does not exclude a plurality. A single processor or other unit may fulfil the functions of several items recited in the claims. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
Although the present application has been described in connection with specific features and embodiments thereof, it will be apparent that various modifications and combinations can be made without departing from the spirit and scope of the application. Accordingly, the specification and drawings are merely exemplary illustrations of the present application as defined in the appended claims and are considered to cover any and all modifications, variations, combinations, or equivalents that fall within the scope of the present application. It will be apparent to those skilled in the art that various modifications and variations can be made in the present application without departing from the spirit or scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims and the equivalents thereof, the present application is intended to cover such modifications and variations.
The foregoing is merely a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any changes or substitutions within the technical scope of the present disclosure should be covered in the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (10)

1. A VPP-based national standard IPsec VPN implementation method, characterized in that it is applied to a server running a Linux system and comprises the following steps:
receiving a second network data packet sent by a first sending device, wherein the destination address of the second network data packet points to the server, and the destination port of the second network data packet points to a preset port;
establishing, based on a VPP framework, a security association with the first sending device using the Internet Key Exchange (IKE) protocol, and generating security association information, wherein the security association information comprises an agreed encapsulation mode, an agreed encryption algorithm and an agreed key;
wherein, for the IKE phase, establishing the security association with the first sending device using the IKE protocol comprises:
generating an IKE negotiation message through IKE software, sending the IKE negotiation message to the VPP framework, and sending the IKE negotiation message from a bound transmitting network port to the first sending device through the VPP framework, so as to establish the security association;
receiving a first network data packet sent by the first sending device, wherein the first sending device has the security association with the server, the first network data packet is an IPsec VPN data packet, the destination address of the first network data packet points to the server, the agreed encapsulation mode of the first network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, the agreed encryption algorithm of the first network data packet comprises a national commercial cryptographic algorithm implemented on a hardware cryptographic device, the hardware cryptographic device is communicatively connected to the server, and the first network data packet is IPsec traffic;
the VPP framework comprises nodes including an encryption queue node, a callback node, a packet return node and an output node;
placing the first network data packet into the pending-packet queue of the hardware cryptographic device through the encryption queue node;
after registering a cryptographic algorithm interface by registering a crypto instance, invoking the cryptographic algorithm in the hardware cryptographic device through the cryptographic algorithm interface;
the callback node, in response to a call from the hardware cryptographic device, obtaining a decapsulated packet sent by the hardware cryptographic device, wherein the decapsulated packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet in the pending-packet queue according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key;
returning the decapsulated packet to the output node through the packet return node;
outputting the decapsulated packet through the output node;
wherein the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the first network namespace further comprises a virtual host interface and a first virtual Ethernet device, the virtual host interface is bridged with the physical network port, and the virtual host interface is communicatively connected to the first virtual Ethernet device; the second network namespace further comprises a second virtual Ethernet device, and the first virtual Ethernet device is communicatively connected to the second virtual Ethernet device, so that an upper layer application of the server obtains network data packets through the communication connection between the first virtual Ethernet device and the second virtual Ethernet device.
2. The VPP-based national standard IPsec VPN implementation method according to claim 1, characterized in that the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the method further comprises the steps of:
creating a virtual host interface in the first network namespace, and bridging the virtual host interface with a physical network port of the server based on the VPP framework;
creating a first virtual Ethernet device in the first network namespace and a second virtual Ethernet device in the second network namespace, wherein the first virtual Ethernet device is communicatively connected to the virtual host interface, and the second virtual Ethernet device is communicatively connected to the first virtual Ethernet device.
3. The VPP-based national standard IPsec VPN implementation method according to claim 1 or 2, characterized in that the method further comprises:
receiving a third network data packet sent by a second sending device, wherein the destination address indicated by the third network data packet is the second virtual Ethernet device;
sending the third network data packet, over the communication connection formed by the physical network port of the server, the virtual host interface, the first virtual Ethernet device and the second virtual Ethernet device, to the second network namespace to which the second virtual Ethernet device belongs, and forwarding it through the Linux kernel protocol stack to the corresponding application of the Linux system for processing.
4. The VPP-based national standard IPsec VPN implementation method according to claim 1, characterized in that the method further comprises:
receiving a fourth network data packet sent by a third sending device, wherein the destination address of the fourth network data packet points to the server, the encapsulation mode of the fourth network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, and the third sending device has no security association with the server;
forwarding the fourth network data packet according to a preset policy based on the VPP framework;
and/or,
receiving a fifth network data packet sent by a fourth sending device, wherein the fifth network data packet is encapsulated in an encapsulation mode other than the agreed encapsulation mode;
forwarding the fifth network data packet, based on the VPP framework, to the protocol stack of a virtual network other than the IPsec VPN for processing;
and/or,
receiving a sixth network data packet sent by a fifth sending device, wherein the destination address of the sixth network data packet does not point to the server;
forwarding the sixth network data packet, based on the VPP framework, according to the destination address of the sixth network data packet.
5. The VPP-based national standard IPsec VPN implementation method according to claim 1, characterized in that the method further comprises:
receiving a seventh network data packet, wherein the receiving device indicated by the destination address of the seventh network data packet has a security association with the server, and the seventh network data packet is IPsec traffic;
encapsulating the seventh network data packet, based on the VPP framework, in the encapsulation mode based on the ESP protocol and/or the AH protocol, with the national commercial cryptographic algorithm and a key agreed with the destination device, wherein the national commercial cryptographic algorithm is implemented on the hardware cryptographic device;
forwarding the encapsulated seventh network data packet, based on the VPP framework, according to the destination address of the encapsulated seventh network data packet.
6. A VPP-based national standard IPsec VPN implementation method, characterized in that it is applied to a server running a Linux system and comprises the following steps:
receiving a second network data packet sent by a first sending device, wherein the destination address of the second network data packet points to the server and the destination port of the second network data packet points to a preset port;
based on a VPP framework, establishing a security association with the first sending device based on the Internet Key Exchange (IKE) protocol, and generating security association information, wherein the security association information comprises an agreed encapsulation mode, an agreed encryption algorithm and an agreed key;
wherein, for the IKE phase, establishing the security association with the first sending device based on the IKE protocol comprises:
generating an IKE negotiation message through IKE software, sending the IKE negotiation message to the VPP framework, and sending the IKE negotiation message from a bound transmit network port to the first sending device through the VPP framework, so as to establish the security association;
receiving a network data packet, wherein the receiving device indicated by the destination address of the network data packet has the security association with the server, and the network data packet is IPsec traffic; the encapsulation mode corresponding to the security association is an encapsulation mode based on the ESP protocol and/or the AH protocol, the encryption algorithm corresponding to the security association comprises a national commercial cryptographic algorithm implemented on a hardware cryptographic device, and the hardware cryptographic device is communicatively connected to the server; the VPP framework comprises nodes including an encryption queue node, a callback node, a packet return node and an output node;
placing the network data packet into the to-be-processed packet queue of the hardware cryptographic device through the encryption queue node;
after registering a cryptographic algorithm interface by registering a crypto instance, calling the cryptographic algorithm in the hardware cryptographic device through the cryptographic algorithm interface;
the callback node, in response to the call-back from the hardware cryptographic device, acquiring the encapsulated network data packet sent by the hardware cryptographic device, wherein the encapsulated network data packet is obtained by the hardware cryptographic device encrypting and encapsulating the network data packet in the to-be-processed packet queue based on the agreed encapsulation mode, the agreed encryption algorithm and the agreed key;
returning the encapsulated network data packet to the output node through the packet return node;
outputting the encapsulated network data packet through the output node;
forwarding the encapsulated network data packet according to its destination address based on the VPP framework;
wherein the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the first network namespace further comprises a virtual host interface and a first virtual Ethernet device, wherein the virtual host interface is bridged with the physical network port and is communicatively connected to the first virtual Ethernet device; the second network namespace further comprises a second virtual Ethernet device, and the first virtual Ethernet device is communicatively connected to the second virtual Ethernet device, so that an upper-layer application of the server obtains network data packets through the communication connection between the first virtual Ethernet device and the second virtual Ethernet device.
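The transmit path of claim 6, as an added example that is neither the patent's code nor VPP's: a Python model of the encryption queue node, a simulated hardware cryptographic device, the callback node, the packet return node and the output node, using genuine ESP framing (RFC 4303) and the receiver's ICV and anti-replay checks. The device is simulated in software; its cipher is a keyed keystream stand-in for the SM4 a real device would run and is not a secure cipher; the keys, SPI and inner packets are constructed for the demo.

```python
"""Added example (not the patent's or VPP's code): a software model of the claim-6
transmit path with real ESP framing. The 'hardware device' is simulated and its
cipher is a STAND-IN keystream (demo only, not secure); keys/SPI/packets are constructed."""
import hashlib
import hmac
import struct
from collections import deque
from dataclasses import dataclass, field

ESP_HDR = struct.Struct("!II")   # RFC 4303 header: SPI, sequence number
ICV_LEN = 16                     # truncated HMAC-SHA256 ICV (RFC 4868 style)
NEXT_HDR_IPV4 = 4                # tunnel mode: the ESP payload is a whole IPv4 packet


def _keystream(key: bytes, seq: int, n: int) -> bytes:
    """Stand-in for the device cipher: HMAC-SHA256 in counter mode, keyed per SA and
    nonced with the ESP sequence number, which never repeats within an SA."""
    blocks = (hmac.new(key, struct.pack("!IQ", seq, i), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


class ReplayWindow:
    """64-bit sliding anti-replay window (RFC 4303 section 3.4.3)."""
    def __init__(self, size: int = 64):
        self.size, self.top, self.bitmap = size, 0, 0

    def accept(self, seq: int) -> bool:
        if seq == 0: return False
        if seq > self.top:                       # advance the window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1) if shift < self.size else 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size or (self.bitmap >> diff) & 1: return False   # too old, or seen
        self.bitmap |= 1 << diff
        return True


@dataclass
class SecurityAssociation:
    spi: int
    enc_key: bytes
    auth_key: bytes
    seq: int = 0                                 # outbound sequence counter
    window: ReplayWindow = field(default_factory=ReplayWindow)


def esp_encapsulate(sa: SecurityAssociation, inner: bytes) -> bytes:
    """What the device does for one queued packet: pad, encrypt, add ESP header and ICV."""
    if sa.seq >= 0xFFFFFFFF: raise RuntimeError("sequence exhausted: rekey before it wraps")
    sa.seq += 1
    pad_len = (-(len(inner) + 2)) % 4            # trailer must end on a 4-byte boundary
    plain = inner + bytes(range(1, pad_len + 1)) + bytes([pad_len, NEXT_HDR_IPV4])
    hdr = ESP_HDR.pack(sa.spi, sa.seq)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(sa.enc_key, sa.seq, len(plain))))
    return hdr + ct + hmac.new(sa.auth_key, hdr + ct, hashlib.sha256).digest()[:ICV_LEN]


def esp_decapsulate(sa: SecurityAssociation, pkt: bytes):
    """Receiver: verify the ICV first, then anti-replay, then decrypt. None on any failure."""
    if len(pkt) < ESP_HDR.size + 2 + ICV_LEN: return None
    body, icv = pkt[:-ICV_LEN], pkt[-ICV_LEN:]
    expect = hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expect, icv): return None
    spi, seq = ESP_HDR.unpack_from(body)
    if spi != sa.spi or not sa.window.accept(seq): return None
    ct = body[ESP_HDR.size:]
    plain = bytes(a ^ b for a, b in zip(ct, _keystream(sa.enc_key, seq, len(ct))))
    pad_len, next_hdr = plain[-2], plain[-1]
    if next_hdr != NEXT_HDR_IPV4 or pad_len + 2 > len(plain): return None
    return plain[:len(plain) - 2 - pad_len]


class HardwareCryptoDevice:
    """Simulated device: a to-be-processed queue plus the callback installed at instance registration."""
    def __init__(self): self.pending, self.callback = deque(), None
    def register_instance(self, cb): self.callback = cb             # "registering a crypto instance"
    def enqueue(self, sa, inner): self.pending.append((sa, inner))
    def run(self):                                                   # drain the queue, then call back
        done = [esp_encapsulate(sa, inner) for sa, inner in self.pending]
        self.pending.clear()
        self.callback(done)


class VppTxPipeline:
    """The four VPP graph nodes named in claim 6, as plain methods."""
    def __init__(self, device: HardwareCryptoDevice):
        self.device, self.sent = device, []
        device.register_instance(self.callback_node)
    def encryption_queue_node(self, sa, inner): self.device.enqueue(sa, inner)
    def callback_node(self, pkts): self.packet_return_node(pkts)   # invoked by the device
    def packet_return_node(self, pkts): self.output_node(pkts)
    def output_node(self, pkts): self.sent.extend(pkts)            # forwarding by destination follows


def run_demo() -> dict:
    enc_key, auth_key = b"\x11" * 16, b"\x22" * 32                 # constructed; IKE derives these
    tx_sa = SecurityAssociation(0x1001, enc_key, auth_key)
    rx_sa = SecurityAssociation(0x1001, enc_key, auth_key)         # the peer's copy of the SA
    device = HardwareCryptoDevice()
    vpp = VppTxPipeline(device)
    inner = [b"\x45\x00\x00\x1c" + b"inner ipv4 packet %d" % i for i in range(3)]  # constructed
    for p in inner: vpp.encryption_queue_node(tx_sa, p)
    device.run()
    wire = vpp.sent
    decoded = [esp_decapsulate(rx_sa, w) for w in wire]
    replayed = esp_decapsulate(rx_sa, wire[0])                     # seq 1 delivered a second time
    tampered = bytearray(wire[1]); tampered[12] ^= 0x01
    return {"roundtrip": decoded == inner, "seqs": [ESP_HDR.unpack_from(w)[1] for w in wire],
            "replay_rejected": replayed is None, "tamper_rejected": esp_decapsulate(rx_sa, bytes(tampered)) is None}
```

The ordering inside esp_decapsulate is the part worth copying: integrity is verified before the sequence number is trusted or the window is updated, so a forged packet can neither advance the window nor trigger a decryption attempt, and the window only moves on a packet that passed the ICV check, which is what rejects the replayed copy of sequence 1.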
7. A VPP-based national standard IPsec VPN implementation apparatus, wherein the apparatus is applied to a server running a Linux system, the apparatus comprising: a data packet receiving unit, a decapsulation unit and an information agreement unit;
the information agreement unit is configured to receive a second network data packet sent by a first sending device, wherein the destination address of the second network data packet points to the server and the destination port of the second network data packet points to a preset port; and, based on a VPP framework, to establish a security association with the first sending device based on the Internet Key Exchange (IKE) protocol and generate security association information, wherein the security association information comprises an agreed encapsulation mode, an agreed encryption algorithm and an agreed key;
the information agreement unit is specifically configured to generate an IKE negotiation message through IKE software, send the IKE negotiation message to the VPP framework, and send the IKE negotiation message from a bound transmit network port to the first sending device through the VPP framework, so as to establish the security association;
the data packet receiving unit is configured to receive a first network data packet sent by the first sending device, wherein the first network data packet is an IPsec VPN data packet, the first sending device has a security association with the apparatus, the destination address of the first network data packet points to the apparatus, the agreed encapsulation mode of the first network data packet is an encapsulation mode based on the ESP protocol and/or the AH protocol, the agreed encryption algorithm of the first network data packet is a national commercial cryptographic algorithm implemented on a hardware cryptographic device, the hardware cryptographic device is communicatively connected to the apparatus, and the security policy corresponding to the first network data packet indicates that the network data packet is IPsec traffic; the VPP framework comprises nodes including an encryption queue node, a callback node, a packet return node and an output node; the decapsulation unit is configured to place the first network data packet into the to-be-processed packet queue of the hardware cryptographic device through the encryption queue node; after registering a cryptographic algorithm interface by registering a crypto instance, to call the cryptographic algorithm in the hardware cryptographic device through the cryptographic algorithm interface; the callback node, in response to the call-back from the hardware cryptographic device, acquires the decapsulated data packet sent by the hardware cryptographic device, wherein the decapsulated data packet is obtained by the hardware cryptographic device decapsulating and decrypting the first network data packet in the to-be-processed packet queue based on the agreed encapsulation mode, the agreed encryption algorithm and the agreed key; the decapsulated data packet is returned to the output node through the packet return node and output through the output node;
wherein the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the first network namespace further comprises a virtual host interface and a first virtual Ethernet device, wherein the virtual host interface is bridged with the physical network port and is communicatively connected to the first virtual Ethernet device; the second network namespace further comprises a second virtual Ethernet device, and the first virtual Ethernet device is communicatively connected to the second virtual Ethernet device, so that an upper-layer application of the server obtains network data packets through the communication connection between the first virtual Ethernet device and the second virtual Ethernet device.
8. A VPP-based national standard IPsec VPN implementation apparatus, wherein the apparatus is applied to a server running a Linux system, the apparatus comprising: a data packet receiving unit, an encapsulation unit, a forwarding unit and an information agreement unit;
the information agreement unit is configured to receive a second network data packet sent by a first sending device, wherein the destination address of the second network data packet points to the apparatus and the destination port of the second network data packet points to a preset port; and, based on a VPP framework, to establish a security association with the first sending device based on the Internet Key Exchange (IKE) protocol and generate security association information, wherein the security association information comprises an agreed encapsulation mode, an agreed encryption algorithm and an agreed key;
the information agreement unit is specifically configured to generate an IKE negotiation message through IKE software, send the IKE negotiation message to the VPP framework, and send the IKE negotiation message from a bound transmit network port to the first sending device through the VPP framework, so as to establish the security association;
the data packet receiving unit is configured to receive a network data packet, wherein the receiving device indicated by the destination address of the network data packet has a security association with the server, and the security policy corresponding to the network data packet indicates that the network data packet is IPsec traffic;
the VPP framework comprises nodes including an encryption queue node, a callback node, a packet return node and an output node; the encapsulation unit is configured to place the network data packet into the to-be-processed packet queue of a hardware cryptographic device through the encryption queue node; after registering a cryptographic algorithm interface by registering a crypto instance, to call the cryptographic algorithm in the hardware cryptographic device through the cryptographic algorithm interface; the callback node, in response to the call-back from the hardware cryptographic device, acquires the encapsulated network data packet sent by the hardware cryptographic device, wherein the encapsulated network data packet is obtained by the hardware cryptographic device encrypting and encapsulating the network data packet in the to-be-processed packet queue based on the agreed encapsulation mode, the agreed encryption algorithm and the agreed key; the encapsulated network data packet is returned to the output node through the packet return node and output through the output node;
the forwarding unit is configured to forward the encapsulated network data packet according to its destination address based on the VPP framework;
wherein the physical network port of the server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the server belongs to a second network namespace; the first network namespace further comprises a virtual host interface and a first virtual Ethernet device, wherein the virtual host interface is bridged with the physical network port and is communicatively connected to the first virtual Ethernet device; the second network namespace further comprises a second virtual Ethernet device, and the first virtual Ethernet device is communicatively connected to the second virtual Ethernet device, so that an upper-layer application of the server obtains network data packets through the communication connection between the first virtual Ethernet device and the second virtual Ethernet device.
9. A VPP-based national standard IPsec VPN implementation system, characterized by comprising a sending device, a first server, a second server and a hardware cryptographic device; the first server has a security association with the second server; the first server and the second server run Linux systems; the sending device is configured to send a second network data packet to the first server, wherein the destination address of the second network data packet points to the first server and the destination port of the second network data packet points to a preset port;
the first server is configured to establish a security association with the sending device based on a VPP framework and the Internet Key Exchange (IKE) protocol, and to generate security association information, wherein the security association information comprises an agreed encapsulation mode, an agreed encryption algorithm and an agreed key;
wherein, for the IKE phase, establishing the security association with the sending device based on the IKE protocol comprises:
generating an IKE negotiation message through IKE software, sending the IKE negotiation message to the VPP framework, and sending the IKE negotiation message from a bound transmit network port to the sending device through the VPP framework, so as to establish the security association;
the sending device is further configured to send an original network data packet to the first server based on the VPP framework, wherein the original network data packet is IPsec traffic;
the VPP framework comprises nodes including an encryption queue node, a callback node, a packet return node and an output node; the first server is configured to place the original network data packet into the to-be-processed packet queue of the hardware cryptographic device through the encryption queue node; after registering a cryptographic algorithm interface by registering a crypto instance, to call the cryptographic algorithm in the hardware cryptographic device through the cryptographic algorithm interface; the callback node, in response to the call-back from the hardware cryptographic device, acquires a first network data packet sent by the hardware cryptographic device, wherein the first network data packet is obtained by the hardware cryptographic device encrypting and encapsulating the original network data packet in the to-be-processed packet queue based on the agreed encapsulation mode, the agreed encryption algorithm and the agreed key; the first network data packet is returned to the output node through the packet return node, output through the output node, and forwarded to the second server according to its destination address based on the VPP framework; the agreed encapsulation mode is an encapsulation mode based on the ESP protocol and/or the AH protocol, and the agreed encryption algorithm comprises a national commercial cryptographic algorithm implemented on the hardware cryptographic device;
wherein the physical network port of the first server belongs to a first network namespace in which the VPP framework is located, and the Linux kernel protocol stack of the first server belongs to a second network namespace; the first network namespace further comprises a virtual host interface and a first virtual Ethernet device, wherein the virtual host interface is bridged with the physical network port and is communicatively connected to the first virtual Ethernet device; the second network namespace further comprises a second virtual Ethernet device, and the first virtual Ethernet device is communicatively connected to the second virtual Ethernet device, so that an upper-layer application of the first server obtains network data packets through the communication connection between the first virtual Ethernet device and the second virtual Ethernet device;
the second server is configured to receive the first network data packet, and to decrypt and decapsulate the first network data packet based on the VPP framework according to the agreed encapsulation mode, the agreed encryption algorithm and the agreed key, obtaining a decapsulated data packet.
10. An electronic device comprising a processor and a memory, the memory configured to store computer instructions, the processor configured to invoke and execute the computer instructions from the memory to implement the VPP-based national standard IPsec VPN implementation method according to any one of claims 1-6.
CN202311521551.8A 2023-11-15 2023-11-15 National standard IPsec VPN realization method, device and system based on VPP and electronic equipment Active CN117254976B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311521551.8A CN117254976B (en) 2023-11-15 2023-11-15 National standard IPsec VPN realization method, device and system based on VPP and electronic equipment

Publications (2)

Publication Number Publication Date
CN117254976A CN117254976A (en) 2023-12-19
CN117254976B true CN117254976B (en) 2024-03-19

Family

ID=89129784

Country Status (1)

Country Link
CN (1) CN117254976B (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JPH10190649A (en) * 1996-10-16 1998-07-21 Hewlett Packard Co <Hp> Bidirectional data stream transmitting device
CN103067290A (en) * 2012-11-30 2013-04-24 成都卫士通信息产业股份有限公司 Virtual Private Network (VPN) tunnel implementation method based on virtual network adapter adaptable load balancing network
CN107181716A (en) * 2016-03-10 2017-09-19 上海传真通信设备技术研究所有限公司 Network secure communication system and method based on a national commercial cryptographic algorithm
CN112737932A (en) * 2020-12-25 2021-04-30 江苏省未来网络创新研究院 DPDK-based high-performance IPSCE gateway
CN114095251A (en) * 2021-11-19 2022-02-25 南瑞集团有限公司 SSLVPN realization method based on DPDK and VPP
US11277391B2 (en) * 2017-08-02 2022-03-15 Huawei Technologies Co., Ltd. Packet sending method and apparatus
CN115314195A (en) * 2022-08-08 2022-11-08 北京国领科技有限公司 Method for realizing high-speed IPSec by using network card with password function
CN116647425A (en) * 2023-07-26 2023-08-25 苏州浪潮智能科技有限公司 IPSec-VPN implementation method and device of OVN architecture, electronic equipment and storage medium

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9979704B2 (en) * 2014-12-17 2018-05-22 Cisco Technology, Inc. End-to-end security for virtual private service chains

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
Research on Key Technologies of a High-Performance IPsec VPN Gateway Supporting IPv6 (支持 IPv6 的高性能 IPSec VPN 网关关键技术研究); Guo Wenjing (郭文静); China Master's Theses Full-text Database (《中国优秀硕士学位论文全文数据库》); main text pp. 15-17 and pp. 5-6 *


Similar Documents

Publication Publication Date Title
CN111480328B (en) Offloading communication security operations to a network interface controller
US11283772B2 (en) Method and system for sending a message through a secure connection
JP6288802B2 (en) Improved IPsec communication performance and security against eavesdropping
US9979704B2 (en) End-to-end security for virtual private service chains
US11115391B2 (en) Securing end-to-end virtual machine traffic
US20110113236A1 (en) Methods, systems, and computer readable media for offloading internet protocol security (ipsec) processing using an ipsec proxy mechanism
CN107046495B (en) Method, device and system for constructing virtual private network
JP2004524768A (en) System and method for distributing protection processing functions for network applications
WO2020140842A1 (en) Data transmission method, device and system
CN117254976B (en) National standard IPsec VPN realization method, device and system based on VPP and electronic equipment
CN114039812B (en) Data transmission channel establishment method, device, computer equipment and storage medium
US11791994B1 (en) Quantum cryptography in an internet key exchange procedure
US20230403260A1 (en) Computer and Network Interface Controller Offloading Encryption Processing to the Network Interface Controller and Using Derived Encryption Keys
WO2023208313A1 (en) Cpu and method associated with a security association
Rosen et al. IPsec
CN115941228A (en) Method, device, system and medium for processing message and obtaining SA information
Xirasagar et al. Securing IP networks, part I

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant