CN215990843U - VPN terminal communication system based on IPSec protocol - Google Patents
VPN terminal communication system based on IPSec protocol
- Publication number: CN215990843U (application number CN202121779602.3U)
- Authority: CN (China)
- Prior art keywords: vpn, terminal, address, key, data packet
- Legal status (as assumed by Google Patents, not a legal conclusion): Expired - Fee Related
Abstract
The application provides a VPN terminal communication system based on the IPSec protocol, which can solve the problem that a VPN tunnel established on the IPSec protocol in the related art has difficulty communicating in a dynamic NAT environment, thereby improving the accuracy and efficiency of data transmission in the VPN tunnel. The VPN terminal communication system comprises a first VPN terminal, a second VPN terminal and a VPN center terminal; the first VPN terminal is provided with a first terminal equipment interface, the second VPN terminal is provided with a second terminal equipment interface, and the VPN center end is provided with a server interface.
Description
Technical Field
The present application relates to the field of communications, and in particular, to a VPN terminal communication system based on an IPSec protocol.
Background
With the continuous expansion of network space, IPv4 addresses are about to be exhausted. NAT (Network Address Translation) technology enables a plurality of devices in a private network to access the public network using one external IP address, which has greatly slowed the rate of IPv4 address exhaustion.
The IPSec VPN is a VPN (Virtual Private Network) technology that uses an IPSec Protocol to implement remote access. The IPSec VPN builds a safe and reliable communication channel (tunnel) for the two private networks through a VPN center end and a VPN terminal which are positioned in the two private networks on a public network based on a cryptographic technology.
Although IPSec VPN is a relatively mature technology, when terminal devices connected to different VPN terminals are located in different LANs that use NAT, the network addresses of the terminal devices in the different LANs may conflict (that is, the LAN IP addresses of terminal devices behind two different VPN terminals are the same), with the result that the VPN center end cannot distinguish the terminal devices behind the different VPN terminals.
SUMMARY OF THE UTILITY MODEL
The embodiment of the application provides a VPN terminal communication system based on an IPSec protocol, which can solve the problem that a VPN tunnel established based on the IPSec protocol in the related technology is difficult to realize communication in a dynamic NAT environment, thereby improving the accuracy and efficiency of information data transmission in the VPN tunnel.
In order to achieve the purpose, the technical scheme is as follows:
In a first aspect, a VPN terminal communication system based on an IPSec protocol is provided. The VPN terminal communication system comprises a first VPN terminal, a second VPN terminal and a VPN center terminal; the first VPN terminal is provided with a first terminal equipment interface, the second VPN terminal is provided with a second terminal equipment interface, and the VPN center end is provided with a server interface; the first VPN terminal is configured to: based on a first key negotiated with the VPN center terminal over the IPSec protocol, encrypt a first data packet of a first terminal device and send the encrypted first data packet to the VPN center terminal; the VPN center terminal is configured to: decrypt the first data packet based on the first key, encrypt the decrypted data based on a second key negotiated with the second VPN terminal over the IPSec protocol to form a second data packet, and send the second data packet to the second VPN terminal; the second VPN terminal is configured to: decrypt the second data packet based on the second key and send the decrypted second data packet to second terminal equipment.
Based on the VPN terminal communication system, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.
Optionally, the system further comprises: a first public network router connected to the first VPN terminal and used for performing network address translation (NAT) processing on the first data packet and sending the processed first data packet to the VPN center end; and a second public network router connected to the second VPN terminal and used for performing NAT processing on the second data packet and sending the processed second data packet to the second VPN terminal.
Optionally, the system further comprises: a first quantum random number generator connected to the first VPN terminal and used for generating quantum random numbers when negotiating a key with the VPN center terminal; a central quantum random number generator connected to the VPN center end and used for generating quantum random numbers when negotiating keys with the first VPN terminal or the second VPN terminal; and a second quantum random number generator connected to the second VPN terminal and used for generating quantum random numbers when negotiating a key with the VPN center terminal.
Drawings
Fig. 1 is a schematic diagram of an architecture of VPN communication according to an embodiment of the present application;
fig. 2 is a schematic flowchart of a VPN terminal access method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of a VPN terminal communication method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of a VPN terminal communication method based on an IPSec protocol according to an embodiment of the present application;
fig. 5 is a first schematic structural diagram of a VPN central end according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a VPN center according to an embodiment of the present application.
Detailed Description
The technical solution in the present application will be described below with reference to the accompanying drawings.
The technical solution of the embodiment of the present application may be applied to various communication systems, for example, a wireless fidelity (WiFi) system, a vehicle-to-everything (V2X) communication system, a device-to-device (D2D) communication system, an internet of vehicles communication system, a 4th generation (4G) mobile communication system such as a Long Term Evolution (LTE) system, a Worldwide Interoperability for Microwave Access (WiMAX) communication system, a fifth generation (5G) mobile communication system such as a new radio (NR) system, and a future communication system such as a sixth generation (6G) mobile communication system.
This application is intended to present various aspects, embodiments or features around a system that may include a number of devices, components, modules, and the like. It is to be understood and appreciated that the various systems may include additional devices, components, modules, etc. and/or may not include all of the devices, components, modules etc. discussed in connection with the figures. Furthermore, a combination of these schemes may also be used.
In addition, in the embodiments of the present application, words such as "exemplarily", "for example", etc. are used for indicating as examples, illustrations or explanations. Any embodiment or design described herein as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or designs. Rather, the term using examples is intended to present concepts in a concrete fashion.
In the embodiments of the present application, "information", "signal", "message", "channel" and "signaling" may be used interchangeably; it should be noted that the intended meaning is consistent when the difference is not emphasized. Likewise, "of" and "corresponding to" may sometimes be used interchangeably, the intended meaning being consistent when no distinction is made.
The network architecture and the service scenario described in the embodiment of the present application are for more clearly illustrating the technical solution of the embodiment of the present application, and do not form a limitation on the technical solution provided in the embodiment of the present application, and as a person of ordinary skill in the art knows that along with the evolution of the network architecture and the appearance of a new service scenario, the technical solution provided in the embodiment of the present application is also applicable to similar technical problems.
For the convenience of understanding the embodiment of the present application, a VPN terminal communication system based on an IPSec protocol, which is applicable to the embodiment of the present application, will be first described in detail by taking the architecture of VPN communication shown in fig. 1 as an example.
As shown in fig. 1, the architecture of VPN communication includes a VPN terminal communication system based on the IPSec protocol. The VPN terminal communication system includes a first VPN terminal, a second VPN terminal, and a VPN center terminal. The first VPN terminal is provided with a first terminal equipment interface and is connected to the first terminal equipment through that interface. The second VPN terminal is provided with a second terminal equipment interface and is connected to the second terminal equipment through that interface. The VPN center end is provided with a server interface and is connected to the server through the server interface.
The first VPN terminal may negotiate a key with the VPN center terminal based on the IPSec protocol, generate a first key from the negotiation, and construct a first VPN tunnel between the first VPN terminal and the VPN center terminal. When the first VPN terminal and the VPN center terminal exchange data, the exchanged data can be encrypted with the first key so as to guarantee its security.
The second VPN terminal may negotiate a key with the VPN center terminal based on the IPSec protocol, generate a second key from the negotiation, and construct a second VPN tunnel between the second VPN terminal and the VPN center terminal. When the second VPN terminal and the VPN center terminal exchange data, the exchanged data can be encrypted with the second key so as to guarantee its security.
For example, when the first terminal device exchanges data with the second terminal device, the data may pass through the first VPN tunnel and the second VPN tunnel. A first data packet generated by the first terminal equipment is uploaded to the first VPN terminal through the first terminal equipment interface. The first VPN terminal encrypts the first data packet of the first terminal device based on the first key and sends the encrypted first data packet to the VPN center terminal. The VPN center terminal decrypts the first data packet based on the first key, encrypts the decrypted data based on the second key to form a second data packet, and sends the second data packet to the second VPN terminal. The second VPN terminal decrypts the second data packet based on the second key.
Optionally, as shown in fig. 1, the VPN terminal communication system may further include a first public network router connected to the first VPN terminal and a second public network router connected to the second VPN terminal. The first public network router is used for performing NAT (Network Address Translation) processing on the first data packet and sending the processed first data packet to the VPN center terminal. The second public network router is used for performing NAT processing on the second data packet and sending the processed second data packet to the second VPN terminal.
Optionally, as shown in fig. 1, the VPN terminal communication system may further include a first quantum random number generator connected to the first VPN terminal, a central quantum random number generator connected to the VPN central end, and a second quantum random number generator connected to the second VPN terminal.
It should be noted that, when the first VPN terminal negotiates a key with the VPN center based on the IPSec protocol and the second VPN terminal negotiates a key with the VPN center based on the IPSec protocol, the two parties need to send random numbers to each other. In order to improve security, the first VPN terminal may send the quantum random number generated by the first quantum random number generator to the VPN center terminal, and the VPN center terminal may send the quantum random number generated by the central quantum random number generator to the first VPN terminal; the second VPN terminal may send the quantum random number generated by the second quantum random number generator to the VPN center terminal, and the VPN center terminal may send the quantum random number generated by the central quantum random number generator to the second VPN terminal.
The first terminal device and the second terminal device may also be referred to as a user equipment, an access terminal, a subscriber unit, a subscriber station, a mobile station, a remote terminal, a mobile device, a user terminal, a wireless communication device, a user agent, or a user apparatus. The terminal device in the embodiment of the present application may be a mobile phone, a tablet computer (Pad), a computer with a wireless transceiving function, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a wireless terminal in industrial control, a wireless terminal in unmanned (self-driving) vehicles, a wireless terminal in remote medical care, a wireless terminal in a smart grid, a wireless terminal in transportation safety, a wireless terminal in a smart city, a wireless terminal in a smart home, a vehicle-mounted terminal, an RSU with a terminal function, and the like. The terminal device of the present application may also be an on-board module, on-board component, on-board chip, or on-board unit built into a vehicle as one or more components or units, and the vehicle may implement the communication method provided by the present application through that built-in on-board module, component, chip, or unit.
It should be noted that the scheme in the embodiment of the present application may also be applied to other communication systems, and the corresponding names may also be replaced with names of corresponding functions in other communication systems.
It should be appreciated that fig. 1 is a simplified schematic diagram of an example for ease of understanding only, and that other network devices, and/or other terminal devices, not shown in fig. 1, may also be included in the VPN communication system.
The communication method that can be implemented by the framework of the VPN communication in fig. 1 will be described in detail below with reference to fig. 2 to 4.
Example one
Exemplarily, fig. 2 is a schematic flowchart of a VPN terminal access method according to an embodiment of the present application. The VPN terminal access method may be applied to communication between two nodes shown in fig. 1, namely the VPN center terminal and any VPN terminal.
As shown in fig. 2, the VPN terminal access method is applied to a VPN central terminal. The VPN terminal access method can comprise the following steps:
S201, receiving a registration application of a first VPN terminal; the registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request for a terminal device, and a first public network IP of the first VPN terminal, where the terminal device is connected to the first VPN terminal. In fig. 1, the terminal device is the first terminal device.
S202, acquiring a first key and a first security parameter index corresponding to the first key by negotiating the key with the first VPN terminal based on the IPSec protocol.
S203, distributing the first local area network internal IP address for the terminal equipment.
Optionally, allocating a first local area network internal IP address to the terminal device includes the following steps: selecting an IP address from the IP address pool as a first local area network internal IP address; and deleting the IP address in the IP address pool.
S204, the first key, the first security parameter index, the first local area network internal IP address and the first public network IP are stored in an associated mode.
It should be noted that the first key, the first security parameter index, and the first local area network internal IP address are stored in association with each other at the VPN center and the first VPN terminal.
S205, sending the first local area network internal IP address to the first VPN terminal.
After step S205 is executed, the VPN terminal access method may further include the following steps: the VPN central end receives a data packet of a VPN terminal; the VPN central terminal acquires a security parameter index in the data packet; the VPN central terminal confirms that the security parameter index is the first security parameter index; based on the first secret key, the VPN central terminal decrypts the encrypted data in the data packet; and the VPN central terminal sends the decrypted data to the server.
The security parameter index is an unencrypted part in the data packet, and the security parameter index in the data packet can be obtained by the VPN central terminal without decryption.
It should be noted that, when it is confirmed that the security parameter index is neither the first security parameter index nor any other security parameter index already stored, the data packet may be left unprocessed.
Further, after confirming that the security parameter index is the first security parameter index, the VPN terminal access method may further include the steps of: the VPN central terminal acquires a public network IP in the data packet; the VPN central terminal confirms that the public network IP is different from the first public network IP; and the VPN central terminal updates the first public network IP, namely the public network IP in the data packet is used as the first public network IP.
Optionally, the VPN terminal access method may further include the steps of: the VPN center end receives feedback data needing to be sent to the first VPN terminal from a server; the VPN central terminal encrypts the feedback data based on the first secret key; and based on the first public network IP, the VPN central terminal sends the encrypted feedback data to the first VPN terminal.
Optionally, the VPN terminal access method may further include the steps of: the VPN central terminal confirms that the data of the first VPN terminal are not received within a preset time period; and the VPN central terminal deletes the first key, the first security parameter index and the first public network IP. The preset time period may be a time period set manually, and this is not limited in this application.
Optionally, the VPN terminal access method may further include the steps of: the VPN central terminal receives an instruction for indicating to delete the first VPN terminal information; and the VPN central terminal deletes the first key, the first security parameter index and the first public network IP.
Referring to fig. 1, the first terminal device and the second terminal device are located in two different LANs, and the LAN addresses originally allocated to the two terminal devices are both 192.168.1.101, so the first terminal device and the second terminal device cannot easily be distinguished by the VPN center end. Based on the VPN terminal access method in this embodiment, the VPN center may allocate different local area network internal addresses to the first terminal device and the second terminal device: the local area network address allocated to the first terminal device is 10.1.2.57, and the local area network address allocated to the second terminal device is 10.1.2.60.
After the local area network address has been allocated, the data flow of the first terminal device accessing the server is as follows.
The first terminal device sends a packet to the first VPN terminal; the source IP of the packet is 192.168.1.101, and the destination IP is the IP address 192.168.0.100 of the server.
The first VPN terminal performs SNAT (Source NAT; source address modification) processing on the data packet and performs IPSec protocol encapsulation (i.e., encryption) on it to obtain a first ESP (Encapsulating Security Payload) packet. The first ESP packet carries two source IPs, 10.1.2.57 (the local area network address allocated to the first terminal device, in the inner header) and 192.168.1.200 (the IP address of the first VPN terminal, in the outer header), and two destination IPs, 192.168.0.100 (the IP address of the server, in the inner header) and 172.221.75.64 (the IP address of the VPN center terminal, in the outer header).
Next, the first VPN terminal sends a first ESP packet to the first public network router. The first public network router performs NAT processing on the first ESP packet, and at this time, the source IP of the processed first ESP packet is the first public network IP address 172.221.6.88, and the destination IP is the IP address 172.221.75.64 of the VPN center.
Then the first public network router uploads the first ESP packet to the VPN center end, and the VPN center end decrypts the data based on the first key and delivers the decrypted data to the server. At this time, the source IP of the decrypted data is the local network address 10.1.2.57 of the first terminal device, and the destination IP is the IP address 192.168.0.100 of the server. At this stage the VPN center end needs to check whether the first public network IP has changed; if it differs from the previously stored public network IP address, the first public network IP is updated.
The server processes the received decrypted data, and if a response is needed, the server sends feedback data to the VPN center end. At this time, the source IP of the feedback data is the IP address 192.168.0.100 of the server, and the destination IP is the local network address 10.1.2.57 of the first terminal device.
Then the VPN center terminal encapsulates the feedback data into a second ESP packet using the IPSec protocol. At this time, the source IP of the second ESP packet is the IP address 172.221.75.64 of the VPN center end, and the destination IP is the first public network IP address 172.221.6.88.
Then, the VPN central end sends a second ESP packet to the first public network router. The first public network router performs NAT processing on the second ESP packet, and at this time, the source IP of the processed second ESP packet is the IP address 172.221.75.64 of the VPN center end, and the destination IP is the IP address 192.168.1.200 of the first VPN terminal.
Then the first public network router sends the processed second ESP packet to the first VPN terminal. The first VPN terminal decrypts it based on the first key and converts the destination IP address of the decrypted feedback data by reversing the SNAT mapping applied to the first ESP packet.
That is, the source IP of the decrypted feedback data is the IP address 192.168.0.100 of the server and the destination IP is the LAN address 10.1.2.57 allocated to the first terminal device; the destination IP is converted back, and the converted destination IP is 192.168.1.101. Although 192.168.1.101 is the same address as that of the second terminal device, the feedback data is delivered within the local area network where the first terminal device is located, so no conflict arises.
Finally, the first terminal device receives the feedback data in response. At this time, the source IP of the feedback data is the IP address 192.168.0.100 of the server, and the destination IP is 192.168.1.101.
Based on the VPN terminal access method, the VPN center end distributes the internal address of the local area network to the terminal equipment under the VPN terminal, and then the VPN center end can distribute different internal addresses of the local area network to the terminal equipment in different local area networks, so that the problem that the VPN center end cannot identify the terminal equipment under the VPN terminal in different local area networks using NAT technology in the related technology can be solved, and the accuracy and the efficiency of information data transmission in a VPN tunnel are improved.
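The round trip just traced, as an added worked example rather than code from the utility model: it models the address rewriting at each hop using the addresses the description gives for fig. 1 (SNAT at the first VPN terminal, tunnel-mode ESP encapsulation with inner and outer headers, NAT at the first public network router, and the reverse path for the server's feedback). The `Packet`/`EspPacket` types, the `VpnTerminal`/`VpnCenter` classes and the mapping tables are assumptions made for the illustration; the ESP cipher itself is not modelled here, only the headers.

```python
"""Address trace of a request/response through the first VPN tunnel (fig. 1).

Added example, not the utility model's own code. The types, class names and
mapping tables below are assumptions; the IP addresses come from the text.
"""
from dataclasses import dataclass, replace

# Addresses taken from the description of fig. 1.
TERMINAL_LAN_IP = "192.168.1.101"   # first terminal device, in its own LAN
TERMINAL_TUNNEL_IP = "10.1.2.57"    # LAN-internal address allocated by the VPN center
VPN_TERMINAL_IP = "192.168.1.200"   # first VPN terminal (inside the first LAN)
ROUTER_PUBLIC_IP = "172.221.6.88"   # first public network IP (after router NAT)
VPN_CENTER_IP = "172.221.75.64"
SERVER_IP = "192.168.0.100"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes


@dataclass(frozen=True)
class EspPacket:
    """Tunnel-mode ESP: an outer IP header around the (encrypted) inner packet."""
    outer_src: str
    outer_dst: str
    inner: Packet


class VpnTerminal:
    """First VPN terminal: SNAT the terminal's LAN address to the allocated one, then encapsulate."""

    def __init__(self, own_ip, center_ip, snat_map):
        self.own_ip = own_ip
        self.center_ip = center_ip
        self.snat_map = dict(snat_map)                       # LAN IP -> allocated tunnel IP
        self.reverse_map = {v: k for k, v in self.snat_map.items()}

    def encapsulate(self, pkt):
        inner = replace(pkt, src=self.snat_map[pkt.src])     # SNAT on the inner header
        return EspPacket(self.own_ip, self.center_ip, inner)

    def decapsulate(self, esp):
        # Undo the SNAT: allocated tunnel address -> real LAN address of the terminal.
        return replace(esp.inner, dst=self.reverse_map[esp.inner.dst])


def router_nat(esp, public_ip):
    """Public network router, outbound: rewrite the outer source to the public IP."""
    return replace(esp, outer_src=public_ip)


def router_unnat(esp, private_ip):
    """Public network router, inbound: rewrite the outer destination back to the VPN terminal."""
    return replace(esp, outer_dst=private_ip)


class VpnCenter:
    def __init__(self, own_ip):
        self.own_ip = own_ip
        self.peer_public_ip = None   # learned from the outer source IP of received packets

    def receive(self, esp):
        self.peer_public_ip = esp.outer_src   # refresh the stored first public network IP
        return esp.inner                      # decrypted inner packet, handed to the server

    def send_feedback(self, pkt):
        return EspPacket(self.own_ip, self.peer_public_ip, pkt)


def server_reply(pkt):
    """The server answers by swapping source and destination."""
    return Packet(src=pkt.dst, dst=pkt.src, payload=b"reply:" + pkt.payload)


def trace_round_trip():
    """Run the path described for fig. 1 and return the addresses seen at each stage."""
    term = VpnTerminal(VPN_TERMINAL_IP, VPN_CENTER_IP, {TERMINAL_LAN_IP: TERMINAL_TUNNEL_IP})
    center = VpnCenter(VPN_CENTER_IP)
    stages = {}

    req = Packet(TERMINAL_LAN_IP, SERVER_IP, b"hello")
    esp1 = term.encapsulate(req)
    stages["esp1_at_vpn_terminal"] = (esp1.outer_src, esp1.outer_dst, esp1.inner.src, esp1.inner.dst)
    esp1 = router_nat(esp1, ROUTER_PUBLIC_IP)
    stages["esp1_after_router_nat"] = (esp1.outer_src, esp1.outer_dst)
    delivered = center.receive(esp1)
    stages["delivered_to_server"] = (delivered.src, delivered.dst)

    reply = server_reply(delivered)
    stages["server_reply"] = (reply.src, reply.dst)
    esp2 = center.send_feedback(reply)
    stages["esp2_at_center"] = (esp2.outer_src, esp2.outer_dst)
    esp2 = router_unnat(esp2, VPN_TERMINAL_IP)
    stages["esp2_after_router_nat"] = (esp2.outer_src, esp2.outer_dst)
    final = term.decapsulate(esp2)
    stages["delivered_to_terminal"] = (final.src, final.dst)
    return stages


if __name__ == "__main__":
    for stage, addrs in trace_round_trip().items():
        print(f"{stage:24s} {addrs}")
```

Each entry of the returned dictionary corresponds to one paragraph of the walk-through above, which makes it easy to see that the only place the conflicting address 192.168.1.101 ever appears is inside the first LAN, on either side of the SNAT mapping.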
Example two
Exemplarily, fig. 3 is a schematic flowchart of a VPN terminal communication method according to an embodiment of the present application. The VPN terminal communication method may be applied to communication between two nodes shown in fig. 1, namely the VPN center terminal and any VPN terminal.
As shown in fig. 3, the VPN terminal communication method is applied to a VPN center, where the VPN center is provided with a database, and the database stores a first key, a first security parameter index, a first local area network internal IP address, and a first public network IP in an associated manner. The VPN terminal communication method may include the steps of:
S301, receiving a data packet of a VPN terminal.
S302, the security parameter index and the public network IP in the data packet are obtained.
S303, confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database.
S304, updating the first public network IP.
S305, decrypting the encrypted data in the data packet based on the first key.
S306, the decrypted data is sent to the server.
Optionally, the VPN terminal communication method may further include the steps of: the VPN center terminal receives feedback data from the server; the VPN center terminal confirms that the destination IP of the feedback data is the first local area network internal IP address; the VPN center terminal encrypts the feedback data based on the first key; and, based on the first public network IP, the VPN center terminal sends the encrypted feedback data to the VPN terminal.
Optionally, the VPN terminal communication method may further include the steps of: the VPN center end receives a registration application of a first VPN terminal; the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address allocation request for a terminal device and a first public network IP of the first VPN terminal, the terminal device being connected to the first VPN terminal; the VPN center terminal negotiates a key with the first VPN terminal based on the IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; the VPN center terminal allocates a first local area network internal IP address to the terminal device; the VPN center terminal stores the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in association in the database; and the VPN center end sends the first local area network internal IP address to the first VPN terminal.
Wherein, the allocating the first local area network internal IP address for the terminal device comprises the following steps: the VPN center end selects an IP address from the IP address pool as an internal IP address of the first local area network; and the VPN central terminal deletes the IP address in the IP address pool.
Optionally, the VPN terminal communication method may further include the steps of: the VPN center end receives feedback data needing to be sent to the first VPN terminal from a server; based on the first secret key, the VPN central terminal encrypts the feedback data; and based on the first public network IP, the VPN central terminal sends the encrypted feedback data to the first VPN terminal.
Optionally, the VPN terminal communication method may further include the following steps: the VPN center end confirms that no data from the first VPN terminal has been received within a preset time period; and the VPN center end deletes the first key, the first security parameter index and the first public network IP. The preset time period may be set manually, and is not limited in this application.
Optionally, the VPN terminal communication method may further include the steps of: the VPN central terminal receives an instruction for indicating to delete the first VPN terminal information; and the VPN central terminal deletes the first key, the first security parameter index and the first public network IP.
Based on the VPN terminal communication method, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.
EXAMPLE III
Illustratively, with continued reference to fig. 1, the architecture of the VPN communication includes a VPN terminal access system. The VPN terminal access system comprises a first VPN terminal and a VPN center terminal.
The first VPN terminal is used for sending a registration application to the VPN center terminal. The registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device, and a first public network IP of the first VPN terminal, and the terminal device is connected to the first VPN terminal.
The VPN center end is configured, based on the IPSec protocol, to: negotiate a key with the first VPN terminal to obtain a first key and a first security parameter index corresponding to the key; allocate a first local area network internal IP address to the terminal device, and store the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in an associated manner; and send the first local area network internal IP address to the first VPN terminal.
The first VPN terminal is further configured to allocate the first local area network internal IP address to the terminal device.
Optionally, the VPN central side is further configured to select an IP address from an IP address pool as a first local area network internal IP address, and delete the IP address from the IP address pool.
Optionally, the first VPN terminal is further configured to: encrypting data based on the first key to generate a data packet, and sending the data packet to the VPN central terminal; wherein, the data packet comprises a security parameter index. The VPN central end is further configured to: acquiring the security parameter index in the data packet; decrypting encrypted data in the data packet based on the first key after confirming that the security parameter index is the first security parameter index; and sending the decrypted data to the server.
Optionally, after confirming that the security parameter index is the first security parameter index, the VPN center end is further configured to: acquire the public network IP in the data packet; confirm that the public network IP is different from the first public network IP; and update the first public network IP.
Optionally, the VPN central side is further configured to: receiving feedback data needing to be sent to the first VPN terminal from a server, and encrypting the feedback data based on the first secret key; and sending the encrypted feedback data to the first VPN terminal based on the first public network IP. The first VPN terminal is further configured to: decrypting the feedback data based on the first key.
Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP after confirming that the data of the first VPN terminal is not received within a preset time period.
Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP after receiving an instruction for instructing to delete the first VPN terminal information.
A VPN terminal access method based on the VPN terminal access system in this embodiment may include the following steps: the first VPN terminal sends a registration application to the VPN center end, where the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device connected to the first VPN terminal, and a first public network IP of the first VPN terminal; the VPN center end negotiates a key with the first VPN terminal based on the IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; the VPN center end allocates a first local area network internal IP address to the terminal device, and stores the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in an associated manner; the VPN center end sends the first local area network internal IP address to the first VPN terminal; and the first VPN terminal allocates the first local area network internal IP address to the terminal device.
Optionally, the allocating, by the VPN central side, the first local area network internal IP address to the terminal device may include the following steps: and the VPN central terminal selects an IP address from the IP address pool as an internal IP address of the first local area network and deletes the IP address from the IP address pool.
Optionally, a VPN terminal access method based on the VPN terminal access system in this embodiment may further include the following steps: the first VPN terminal encrypts data based on the first secret key to generate a data packet and sends the data packet to the VPN central terminal; wherein, the data packet comprises a security parameter index; the VPN central terminal acquires the security parameter index in the data packet, and decrypts encrypted data in the data packet based on the first key after confirming that the security parameter index is the first security parameter index; and the VPN central terminal sends the decrypted data to a server.
Based on the VPN terminal access system, the VPN center end distributes the internal address of the local area network for the terminal equipment under the VPN terminal, and then the VPN center end can distribute different internal addresses of the local area network for the terminal equipment in different local area networks, so that the problem that the VPN center end cannot identify the terminal equipment under the VPN terminal in different local area networks using NAT technology in the related technology can be solved, and the accuracy and the efficiency of information data transmission in a VPN tunnel are improved.
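The hub-side bookkeeping that Examples II and III describe (handling a registration application, assigning a security parameter index, selecting an address from the pool and deleting it from the pool, storing the association, and removing the record on idle timeout or on an explicit delete instruction) can be demonstrated with the following added example. It is not code from the patent. Assumptions: the IPSec key negotiation itself (IKE) is out of scope and represented by an already-negotiated key passed to `register`; the pool CIDR, the idle timeout and the random SPI selection are illustrative choices; returning a deleted terminal's internal address to the pool is an addition beyond what the page states. `touch` must only be called for packets whose integrity check has passed, because the SPI travels in cleartext and cannot by itself prove the sender's identity.

```python
"""Hub-side registration bookkeeping (added illustration, not the patent's code)."""
import ipaddress
import secrets
import time
from dataclasses import dataclass


@dataclass
class Registration:
    spi: int            # security parameter index assigned to this terminal's SA
    key: bytes          # negotiated key (negotiation itself is out of scope here)
    internal_ip: str    # LAN-internal address allocated to the device behind the terminal
    public_ip: str      # last verified public address of the VPN terminal
    last_seen: float    # clock reading of the last verified packet


class AccessService:
    def __init__(self, pool_cidr="10.8.0.0/24", idle_timeout=300.0, clock=time.monotonic):
        # Address pool the hub hands out (assumed CIDR); injectable clock for deterministic tests.
        self.pool = [str(h) for h in ipaddress.ip_network(pool_cidr).hosts()]
        self.by_spi = {}
        self.idle_timeout = idle_timeout
        self.clock = clock

    def _new_spi(self) -> int:
        # SPI values 0-255 are reserved by ESP; pick a random 32-bit value not already in use.
        while True:
            spi = secrets.randbits(32)
            if spi > 255 and spi not in self.by_spi:
                return spi

    def register(self, public_ip: str, negotiated_key: bytes):
        """Handle a registration application; returns (spi, internal_ip) or None if the pool is empty."""
        if not self.pool:
            return None
        internal_ip = self.pool.pop(0)     # select from the pool and delete it from the pool
        spi = self._new_spi()
        self.by_spi[spi] = Registration(spi, negotiated_key, internal_ip, public_ip, self.clock())
        return spi, internal_ip

    def lookup(self, spi: int):
        return self.by_spi.get(spi)

    def touch(self, spi: int, public_ip: str) -> bool:
        """Record a verified packet: refresh the idle timer and update the public IP if it moved."""
        reg = self.by_spi.get(spi)
        if reg is None:
            return False
        reg.last_seen = self.clock()
        if reg.public_ip != public_ip:
            reg.public_ip = public_ip
        return True

    def delete(self, spi: int) -> bool:
        """Explicit delete instruction; also returns the internal address to the pool (an addition)."""
        reg = self.by_spi.pop(spi, None)
        if reg is None:
            return False
        self.pool.append(reg.internal_ip)
        return True

    def reap_idle(self):
        """Delete every registration with no verified packet within the preset time period."""
        now = self.clock()
        stale = [spi for spi, r in self.by_spi.items() if now - r.last_seen > self.idle_timeout]
        for spi in stale:
            self.delete(spi)
        return stale
```

The injectable clock lets the idle-timeout path be exercised without waiting; in production the hub would call `touch` from its packet-processing path after the integrity check and run `reap_idle` periodically.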
Example four
Illustratively, with continued reference to fig. 1, the framework of VPN communication comprises a VPN terminal communication system. The VPN terminal communication system includes a first VPN terminal and a VPN center end. The VPN center end is provided with a database, in which a first key, a first security parameter index, a first local area network internal IP address and a first public network IP are stored in an associated manner.
The first VPN terminal is configured to: encrypting data based on the first key to generate a data packet, and sending the data packet to the VPN central terminal; wherein, the data packet comprises a security parameter index.
The VPN central terminal is used for acquiring a security parameter index and a public network IP in the data packet, and updating the first public network IP after confirming that the security parameter index is the first security parameter index but the public network IP does not exist in the database; and decrypting the encrypted data in the data packet based on the first key, and sending the decrypted data to a server.
Optionally, the VPN central side is further configured to: receiving feedback data from the server; after the target IP of the feedback data is confirmed to be the IP address in the first local area network, encrypting the feedback data based on the first secret key; and sending the encrypted feedback data to the VPN terminal based on the first public network IP. The first VPN terminal is further configured to decrypt the feedback data based on the first key.
Optionally, the first VPN terminal is further configured to send a registration application to the VPN center terminal; the registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device, and a first public network IP of the first VPN terminal, where the terminal device is connected to the first VPN terminal.
The VPN center end is further configured to: negotiate a key with the first VPN terminal based on the IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; allocate a first local area network internal IP address to the terminal device, and store the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in the database in an associated manner; and send the first local area network internal IP address to the first VPN terminal.
The first VPN terminal is further configured to allocate the first local area network internal IP address to the terminal device.
Optionally, the VPN central side is further configured to select an IP address from an IP address pool as a first local area network internal IP address, and delete the IP address from the IP address pool.
Optionally, the VPN central side is further configured to: receiving feedback data needing to be sent to the first VPN terminal from a server, and encrypting the feedback data based on the first secret key; and sending the encrypted feedback data to the first VPN terminal based on the first public network IP. The first VPN terminal is further configured to: decrypting the feedback data based on the first key.
Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP in the database after confirming that the data of the first VPN terminal is not received within a preset time period.
Optionally, the VPN central side is further configured to delete the first key, the first security parameter index, and the first public network IP in the database after receiving an instruction for instructing to delete the first VPN terminal information.
A VPN terminal communication method based on the VPN terminal communication system in this embodiment may include the following steps: the first VPN terminal encrypts data based on a preset first key to generate a data packet and sends the data packet to the VPN center end, where the data packet comprises a security parameter index; the VPN center end acquires the security parameter index and the public network IP in the data packet, and updates the first public network IP in the database after confirming that the security parameter index is the first security parameter index in a preset database but the public network IP does not exist in the database; and the VPN center end decrypts the encrypted data in the data packet based on the first key corresponding to the first security parameter index and sends the decrypted data to a server.
Optionally, a VPN terminal communication method based on the VPN terminal communication system in this embodiment may further include the following steps: the VPN center end receives feedback data from the server, and encrypts the feedback data based on the first key after confirming that a target IP of the feedback data is an internal IP address of a first local area network; the VPN central terminal sends the encrypted feedback data to the VPN terminal based on the first public network IP; and the first VPN terminal decrypts the feedback data based on the first secret key.
Optionally, a VPN terminal communication method based on the VPN terminal communication system in this embodiment may further include the following steps: the first VPN terminal sends a registration application to the VPN center end, where the registration application comprises a key negotiation request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device connected to the first VPN terminal, and a first public network IP of the first VPN terminal; the VPN center end negotiates a key with the first VPN terminal based on the IPSec protocol to obtain a first key and a first security parameter index corresponding to the key; the VPN center end allocates a first local area network internal IP address to the terminal device, and stores the first key, the first security parameter index, the first local area network internal IP address and the first public network IP in the database in an associated manner; the VPN center end sends the first local area network internal IP address to the first VPN terminal; and the first VPN terminal allocates the first local area network internal IP address to the terminal device.
Based on the VPN terminal communication system, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.
EXAMPLE five
Exemplarily, fig. 4 is a schematic flowchart of a VPN terminal communication method based on an IPSec protocol according to an embodiment of the present application. The VPN terminal communication method may be applied to communication between a VPN central end and any two VPN terminal nodes shown in fig. 1.
As shown in fig. 4, the VPN terminal communication method is applied to a VPN center end, where the VPN center end presets a first key, a first security parameter index, a first local area network internal IP address and a first public network IP, and stores them in an associated manner. The VPN terminal communication method may include the following steps:
S401, receiving a data packet of a first VPN terminal.
S402, obtaining the security parameter index and the public network IP in the data packet.
S403, confirming that the security parameter index is a preset first security parameter index but the public network IP is different from the preset first public network IP.
S404, updating the first public network IP.
S405, decrypting the encrypted data in the data packet based on a preset first key. Wherein the first key corresponds to the first security parameter index; the encrypted data comprises a second local area network internal IP address and first communication data communicated with second terminal equipment; the second terminal device is connected to the second VPN terminal.
S406, encrypting the first communication data based on a preset second secret key. Wherein the second key corresponds to the second local area network internal IP address.
S407, sending the encrypted first communication data to the second VPN terminal.
Optionally, the VPN terminal communication method may further include the following steps: receiving a feedback data packet of the second VPN terminal; acquiring a security parameter index and a public network IP in the feedback data packet; confirming that the security parameter index in the feedback data packet is a preset second security parameter index but the public network IP is different from a preset second public network IP; updating the second public network IP; decrypting the encrypted data in the feedback data packet based on the second key; the encrypted data in the feedback data packet comprises a first local area network internal IP address and second communication data communicated with the first terminal equipment; the first terminal equipment is connected to the first VPN terminal; encrypting the second communication data based on the first key; and sending the encrypted second communication data to the first VPN terminal.
Optionally, the VPN terminal communication method may further include the following steps: receiving registration applications of a first VPN terminal and a second VPN terminal, where the registration applications comprise key negotiation requests of the first VPN terminal and the second VPN terminal, local area network internal IP address allocation requests of the first terminal device and the second terminal device, a first public network IP of the first VPN terminal and a second public network IP of the second VPN terminal; obtaining a first key, a first security parameter index corresponding to the first key, a second key and a second security parameter index corresponding to the second key by key negotiation with the first VPN terminal and the second VPN terminal based on the IPSec protocol; correspondingly allocating a first local area network internal IP address and a second local area network internal IP address to the first terminal device and the second terminal device; storing the first key, the first security parameter index, the first local area network internal IP address and the first public network IP, and the second key, the second security parameter index, the second local area network internal IP address and the second public network IP, in an associated manner; and correspondingly sending the first local area network internal IP address and the second local area network internal IP address to the first VPN terminal and the second VPN terminal.
Optionally, the allocating a first local area network internal IP address and a second local area network internal IP address to the first terminal device and the second terminal device correspondingly may include the following steps: selecting two IP addresses from the IP address pool as a first local area network internal IP address and a second local area network internal IP address respectively; deleting two of the IP addresses in the IP address pool.
Optionally, the VPN terminal communication method may further include the following steps: confirming that the data of the first VPN terminal is not received within a preset time period; and deleting the first key, the first security parameter index and the first public network IP.
Optionally, the VPN terminal communication method may further include the following steps: confirming that the data of the second VPN terminal is not received within a preset time period; and deleting the second key, the second security parameter index and the second public network IP.
Optionally, the VPN terminal communication method may further include the following steps: receiving an instruction for indicating to delete the first VPN terminal information; and deleting the first key, the first security parameter index and the first public network IP.
Optionally, the VPN terminal communication method may further include the following steps: receiving an instruction for instructing to delete the second VPN terminal information; and deleting the second key, the second security parameter index and the second public network IP.
Based on the VPN terminal communication method, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.
EXAMPLE six
Illustratively, continuing to refer to fig. 1, the framework of VPN communication includes an IPSec-protocol-based VPN terminal communication system. The VPN terminal communication system includes a first VPN terminal, a second VPN terminal and a VPN center end. The VPN center end is provided with a database, in which a first key, a first security parameter index, a first local area network internal IP address and a first public network IP are stored in an associated manner, and a second key, a second security parameter index, a second local area network internal IP address and a second public network IP are stored in an associated manner.
The first VPN terminal is configured to: encrypting data based on the first key to generate a data packet, and sending the data packet to the VPN central terminal; wherein, the data packet comprises a first security parameter index; the data includes the second local area network internal IP address and first communication data communicated with a second terminal device, and the second terminal device is connected to a second VPN terminal.
The VPN central terminal is used for: acquiring a first security parameter index and a public network IP in the data packet, and updating the first public network IP when the public network IP is confirmed to be different from a preset first public network IP; decrypting encrypted data in the data packet based on the first key; encrypting the first communication data based on the second key; and sending the encrypted first communication data to the second VPN terminal.
The second VPN terminal is configured to: decrypting the encrypted first communication data based on the second key.
Optionally, the second VPN terminal is further configured to: encrypting a first local area network internal IP address and second communication data communicated with the first terminal device based on the second key to generate a feedback data packet; and sending the feedback data packet to the VPN central terminal. The feedback data packet includes the second security parameter index, and the first terminal device is connected to the first VPN terminal.
The VPN central end is further configured to: acquiring the second security parameter index and the public network IP in the feedback data packet; when the public network IP is confirmed to be different from a preset second public network IP, updating the second public network IP; decrypting the feedback data packet based on the second key to obtain the first local area network internal IP address and the second communication data; encrypting the second communication data based on the first key; and sending the encrypted second communication data to the first VPN terminal.
The first VPN terminal is further configured to: decrypting the encrypted second communication data based on the first key.
Optionally, the first VPN terminal and the second VPN terminal are further configured to send a registration application to the VPN center terminal; the registration application includes a key agreement request of the first VPN terminal and the second VPN terminal, a local area network internal IP address allocation request of the first terminal device and the second terminal device, a first public network IP of the first VPN terminal, and a second public network IP of the second VPN terminal.
The VPN center end is further configured to: obtain a first key, a first security parameter index corresponding to the first key, a second key and a second security parameter index corresponding to the second key by key negotiation with the first VPN terminal and the second VPN terminal based on the IPSec protocol; correspondingly allocate a first local area network internal IP address and a second local area network internal IP address to the first terminal device and the second terminal device; and store the first key, the first security parameter index, the first local area network internal IP address and the first public network IP, and the second key, the second security parameter index, the second local area network internal IP address and the second public network IP, in the database in an associated manner.
The VPN central end is further configured to: and correspondingly sending the first local area network internal IP address and the second local area network internal IP address to the first VPN terminal and the second VPN terminal.
The first VPN terminal is further configured to allocate the first local area network internal IP address to the first terminal device.
The second VPN terminal is further configured to allocate the second local area network internal IP address to the second terminal device.
Optionally, the VPN central side is further configured to select an IP address from an IP address pool as a first local area network internal IP address, and delete the IP address from the IP address pool.
Optionally, the VPN central end is further configured to select an IP address from an IP address pool as an internal IP address of the second local area network, and delete the IP address from the IP address pool.
Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP when it is confirmed that the data of the first VPN terminal is not received within a preset time period.
Optionally, the VPN central end is further configured to delete the second key, the second security parameter index, and the second public network IP when it is confirmed that the data of the second VPN terminal is not received within a preset time period.
Optionally, the VPN central end is further configured to delete the first key, the first security parameter index, and the first public network IP when receiving an instruction for instructing to delete the first VPN terminal information.
Optionally, the VPN central end is further configured to delete the second key, the second security parameter index, and the second public network IP when receiving an instruction for instructing to delete the second VPN terminal information.
A VPN terminal communication method based on the VPN terminal communication system in this embodiment may include the following steps: the first VPN terminal encrypts data based on a preset first key to generate a data packet and sends the data packet to a VPN center end, where the data packet comprises a first security parameter index, and the data comprises a second local area network internal IP address and first communication data for a second terminal device connected to a second VPN terminal; the VPN center end acquires the first security parameter index and the public network IP in the data packet, and updates the first public network IP in a database after confirming that the first security parameter index exists in a preset database but the public network IP does not exist in the database; the VPN center end decrypts the encrypted data in the data packet based on the first key corresponding to the first security parameter index; the VPN center end encrypts the first communication data based on the second key associated in the database with the second local area network internal IP address; the VPN center end sends the encrypted first communication data to the second VPN terminal; and the second VPN terminal decrypts the encrypted first communication data based on the second key.
Based on the VPN terminal communication system, the public network IP of the VPN terminal is stored in association with the security parameter index, when the public network IP of the VPN terminal in the environment of dynamic NAT changes, the security parameter index in the interactive data packet does not change, and then the public network IP of the VPN terminal can be updated according to the security parameter index, so that the problem that the communication of a VPN tunnel established based on an IPSec protocol in the related technology is difficult to realize in the environment of dynamic NAT can be solved, and the accuracy and the efficiency of information data transmission in the VPN tunnel are improved.
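The hub data path of Examples IV, V and VI (steps S401 to S407 and the feedback direction) is shown below as an added example; it is not code from the patent. The packet layout imitates ESP only as far as the page needs it: the security parameter index and a sequence number travel in cleartext, the rest is encrypted and carries an integrity check value. The cipher construction (HMAC-SHA256 used as a counter-mode keystream with encrypt-then-MAC) is a stand-in for ESP's real transforms such as AES-GCM, and the inner payload layout (a 4-byte LAN-internal IPv4 address followed by the data), the server address and the sample keys are assumptions. One point a practitioner would want made explicit: because the SPI is cleartext, anyone observing the tunnel can copy it into a packet sent from an address of their choosing, so this example performs the integrity check and decryption (S405) before it updates the stored public network IP (S404) and drops the packet without touching the stored address when the check fails.

```python
"""SPI-keyed address update and hub relay (added illustration, not the patent's code)."""
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass

ICV_LEN = 16                   # truncated HMAC-SHA256 tag standing in for ESP's ICV
HEADER = struct.Struct(">II")  # SPI and sequence number, sent in the clear as in ESP


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and integrity keys from the negotiated key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, header: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in for ESP's cipher, not a proposal.
    blocks = [hmac.new(enc_key, header + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, spi: int, seq: int, plaintext: bytes) -> bytes:
    """Build an ESP-like packet: SPI | seq | ciphertext | ICV (encrypt-then-MAC)."""
    header = HEADER.pack(spi, seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(_subkey(key, b"enc"), header, len(plaintext))))
    icv = hmac.new(_subkey(key, b"mac"), header + ct, hashlib.sha256).digest()[:ICV_LEN]
    return header + ct + icv


def unseal(key: bytes, packet: bytes):
    """Verify the ICV, then decrypt; returns (spi, seq, plaintext) or None when the check fails."""
    if len(packet) < HEADER.size + ICV_LEN:
        return None
    header, ct, icv = packet[:HEADER.size], packet[HEADER.size:-ICV_LEN], packet[-ICV_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), header + ct, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    spi, seq = HEADER.unpack(header)
    return spi, seq, bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), header, len(ct))))


def inner(ip: str, data: bytes) -> bytes:
    """Assumed inner layout: 4-byte LAN-internal IPv4 address (destination or source) then the data."""
    return socket.inet_aton(ip) + data


@dataclass
class SA:
    spi: int
    key: bytes
    internal_ip: str  # LAN-internal address the hub assigned to the device behind the terminal
    public_ip: str    # last verified public address of the VPN terminal (outside its NAT)


class Hub:
    SERVER_IP = "10.0.0.1"  # assumed internal address of the server behind the hub

    def __init__(self):
        self.by_spi, self.by_internal, self.seq = {}, {}, {}
        self.delivered = []  # (source internal IP, data) handed to the server

    def add_sa(self, sa: SA) -> None:
        self.by_spi[sa.spi] = sa
        self.by_internal[sa.internal_ip] = sa

    def inbound(self, src_public_ip: str, packet: bytes):
        """S401-S407: returns a list of (public IP, packet) to transmit, or None if dropped."""
        if len(packet) < HEADER.size:
            return None
        sa = self.by_spi.get(HEADER.unpack(packet[:HEADER.size])[0])  # S402/S403: SPI selects the SA
        if sa is None:
            return None
        result = unseal(sa.key, packet)   # S405 first: the cleartext SPI proves nothing by itself
        if result is None:
            return None                   # forged or corrupted: stored address left untouched
        if src_public_ip != sa.public_ip:
            sa.public_ip = src_public_ip  # S404: the terminal's NAT mapping changed
        plaintext = result[2]
        dst_ip, data = socket.inet_ntoa(plaintext[:4]), plaintext[4:]
        if dst_ip == self.SERVER_IP:
            self.delivered.append((sa.internal_ip, data))
            return []
        peer = self.by_internal.get(dst_ip)
        if peer is None:
            return None
        return [(peer.public_ip, self._outbound(peer, sa.internal_ip, data))]  # S406/S407

    def from_server(self, dst_internal_ip: str, data: bytes):
        """Feedback: encrypt under the SA of the target internal IP, send to its current public IP."""
        peer = self.by_internal.get(dst_internal_ip)
        if peer is None:
            return None
        return peer.public_ip, self._outbound(peer, self.SERVER_IP, data)

    def _outbound(self, peer: SA, src_internal_ip: str, data: bytes) -> bytes:
        self.seq[peer.spi] = self.seq.get(peer.spi, 0) + 1
        return seal(peer.key, peer.spi, self.seq[peer.spi], inner(src_internal_ip, data))
```

With two SAs loaded, a packet under the first key arriving from a new source address is relayed to the second terminal and the stored public IP of the first terminal is updated; a packet carrying the same SPI but built under a different key is dropped and leaves the stored address unchanged.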
The VPN communication method provided by the embodiments of the present application is described in detail above with reference to fig. 2 to 4. The following describes in detail a VPN center end for executing the VPN terminal communication method according to the embodiments of the present application with reference to fig. 5 to 6.
Exemplarily, fig. 5 is a first structural diagram of a VPN central end according to an embodiment of the present application. As shown in fig. 5, the VPN central end 500 includes: a processing module 501 and a transceiver module 502. For ease of illustration, fig. 5 shows only the major components of the VPN central side.
The transceiver module 502 is configured to receive a registration application of a first VPN terminal; the registration application includes a key agreement request of the first VPN terminal, a local area network internal IP address allocation request of a terminal device, and a first public network IP of the first VPN terminal, where the terminal device is connected to the first VPN terminal.
The processing module 501 is configured to negotiate a key with the first VPN terminal based on the IPSec protocol.
The transceiver module 502 is further configured to obtain a first key and a first security parameter index corresponding to the first key.
The processing module 501 is further configured to allocate a first local area network internal IP address to the terminal device.
The processing module 501 is further configured to store the first key, the first security parameter index, and the first public network IP in an associated manner.
The transceiver module 502 is further configured to send the first local area network internal IP address to the first VPN terminal.
Optionally, the processing module 501 is further configured to select an IP address from an IP address pool as the first local area network internal IP address, and delete the IP address from the IP address pool.
Optionally, the transceiver module 502 may include a receiving module and a transmitting module. The transceiver module 502 is used to implement the sending function and the receiving function of the VPN center 500.
Optionally, the VPN center end 500 may further include a storage module (not shown in fig. 5) that stores programs or instructions. When the processing module 501 executes the programs or instructions, the VPN center end 500 is enabled to perform the VPN terminal access method illustrated in fig. 2.
It should be understood that the processing module 501 involved in the VPN center terminal 500 may be implemented by a processor or a processor-related circuit component, and may be a processor or a processing unit; the transceiver module 502 may be implemented by a transceiver or transceiver-related circuit component, and may be a transceiver or transceiver unit.
It should be noted that the VPN central side 500 may be a network device, a chip (system) or other component or assembly that can be disposed in the network device, or a device including a terminal device or a network device, which is not limited in this application.
In addition, the technical effect of the VPN central terminal 500 may refer to the technical effect of the VPN terminal access method shown in fig. 2, and is not described herein again.
Exemplarily, fig. 6 is a second schematic structural diagram of the VPN central end according to an embodiment of the present application. The VPN central end may be a network device, or may be a chip (system) or other component or assembly that may be disposed in the network device. As shown in fig. 6, the VPN central end 600 may comprise a processor 601. Optionally, the VPN central end 600 may further comprise a memory 602 and/or a transceiver 603. The processor 601 is coupled to the memory 602 and the transceiver 603, for example via a communication bus.
The following describes each component of the VPN central end 600 in detail with reference to fig. 6:
The processor 601 is the control center of the VPN central end 600, and may be a single processor or a collective name for multiple processing elements. For example, the processor 601 may be one or more Central Processing Units (CPUs), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application, such as one or more Digital Signal Processors (DSPs) or one or more Field Programmable Gate Arrays (FPGAs).
Optionally, the processor 601 may perform the various functions of the VPN central end 600 by running or executing software programs stored in the memory 602 and invoking data stored in the memory 602.
In a specific implementation, the processor 601 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 6, as an example.
In a specific implementation, the VPN central end 600 may also include a plurality of processors, such as the processor 601 and the processor 604 shown in fig. 6, as an example. Each of these processors may be a single-core processor or a multi-core processor. A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
The memory 602 is configured to store the software program for executing the scheme of the present application, and the processor 601 controls the execution of the software program.
Alternatively, the memory 602 may be, but is not limited to, a read-only memory (ROM) or other type of static storage device that can store static information and instructions, a random access memory (RAM) or other type of dynamic storage device that can store information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact disc, laser disc, optical disc, digital versatile disc, Blu-ray disc, etc.), magnetic disk storage media or other magnetic storage devices, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 602 may be integrated with the processor 601, or may be separate and coupled to the processor 601 through an interface circuit (not shown in fig. 6) of the VPN central end 600, which is not specifically limited in this embodiment of the present application.
The transceiver 603 is used for communication with other devices. For example, if the VPN central end 600 is a terminal device, the transceiver 603 may be used to communicate with a network device or another terminal device; if the VPN central end 600 is a network device, the transceiver 603 may be used to communicate with a terminal device or another network device.
Optionally, the transceiver 603 may include a receiver and a transmitter (not separately shown in fig. 6). The receiver is configured to implement the receiving function and the transmitter is configured to implement the transmitting function.
Alternatively, the transceiver 603 may be integrated with the processor 601, or may exist independently and be coupled to the processor 601 through an interface circuit (not shown in fig. 6) of the VPN central end 600, which is not specifically limited in this embodiment of the present application.
It should be noted that the structure of the VPN central end 600 shown in fig. 6 does not constitute a limitation on the VPN central end; an actual VPN central end may include more or fewer components than those shown, or combine some components, or arrange the components differently.
In addition, for the technical effect of the VPN central end 600, reference may be made to the technical effect of the VPN terminal access method described in the foregoing method embodiment, which is not described here again.
An embodiment of the present application further provides a chip system, including: a processor coupled to a memory for storing a program or instructions that, when executed by the processor, cause the system-on-chip to implement the method of any of the above method embodiments.
Optionally, the system on a chip may have one or more processors. The processor may be implemented by hardware or by software. When implemented in hardware, the processor may be a logic circuit, an integrated circuit, or the like. When implemented in software, the processor may be a general-purpose processor implemented by reading software code stored in a memory.
Optionally, the system-on-chip may also have one or more memories. The memory may be integrated with the processor or may be separate from the processor, which is not limited in this application. For example, the memory may be a non-transitory memory, such as a read-only memory (ROM), which may be integrated with the processor on the same chip or disposed separately on different chips; the type of the memory and the arrangement of the memory and the processor are not particularly limited in this application.
The system-on-chip may be, for example, a Field Programmable Gate Array (FPGA), an Application Specific Integrated Circuit (ASIC), a system on chip (SoC), a Central Processing Unit (CPU), a Network Processor (NP), a digital signal processing circuit (DSP), a Microcontroller (MCU), a Programmable Logic Device (PLD), or other integrated chips.
It should be understood that the processor in the embodiments of the present application may be a Central Processing Unit (CPU), and the processor may also be other general purpose processors, Digital Signal Processors (DSPs), Application Specific Integrated Circuits (ASICs), Field Programmable Gate Arrays (FPGAs) or other programmable logic devices, discrete gate or transistor logic devices, discrete hardware components, and the like. A general purpose processor may be a microprocessor or the processor may be any conventional processor or the like.
It will also be appreciated that the memory in the embodiments of the present application can be either volatile memory or non-volatile memory, or can include both volatile and non-volatile memory. The non-volatile memory may be a read-only memory (ROM), a programmable ROM (PROM), an erasable PROM (EPROM), an electrically erasable PROM (EEPROM), or a flash memory. The volatile memory may be a random access memory (RAM), which acts as an external cache. By way of example, but not limitation, many forms of RAM are available, such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), synchlink DRAM (SLDRAM), and direct rambus RAM (DR RAM).
The above embodiments may be implemented in whole or in part by software, hardware (e.g., circuitry), firmware, or any combination thereof. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or the computer program are loaded or executed on a computer, the procedures or functions according to the embodiments of the present application are wholly or partially generated. The computer may be a general purpose computer, a special purpose computer, a network of computers, or another programmable device. The computer instructions may be stored on a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired or wireless means (e.g., infrared, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that contains one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
It should be understood that the term "and/or" herein merely describes an association relationship between associated objects, meaning that three relationships may exist; for example, A and/or B may mean: A exists alone, A and B exist simultaneously, or B exists alone, where A and B may be singular or plural. In addition, the "/" in this document generally indicates that the former and latter associated objects are in an "or" relationship, but may also indicate an "and/or" relationship, which may be understood with reference to the surrounding text.
In the present application, "at least one" means one or more, and "a plurality" means two or more. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of singular or plural items. For example, at least one of a, b, or c may represent: a, b, c, a-b, a-c, b-c, or a-b-c, where a, b, and c may each be single or multiple.
It should be understood that, in the various embodiments of the present application, the sequence numbers of the above-mentioned processes do not mean the execution sequence, and the execution sequence of each process should be determined by its function and inherent logic, and should not constitute any limitation to the implementation process of the embodiments of the present application.
Those of ordinary skill in the art will appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the implementation. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It is clear to those skilled in the art that, for convenience and brevity of description, the specific working processes of the above-described systems, apparatuses and units may refer to the corresponding processes in the foregoing method embodiments, and are not described herein again.
In the several embodiments provided in the present application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the above-described apparatus embodiments are merely illustrative, and for example, the division of the units is only one logical division, and other divisions may be realized in practice, for example, a plurality of units or components may be combined or integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, devices or units, and may be in an electrical, mechanical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit.
The functions, if implemented in the form of software functional units and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disc.
The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Claims (3)
1. A VPN terminal communication system based on the IPSec protocol, characterized in that the system comprises a first VPN terminal, a second VPN terminal and a VPN central end; the first VPN terminal is provided with a first terminal device interface, the second VPN terminal is provided with a second terminal device interface, and the VPN central end is provided with a server interface;
the first VPN terminal is configured to: encrypt a first data packet of a first terminal device based on a first key negotiated with the VPN central end by the IPSec protocol, and send the encrypted first data packet to the VPN central end;
the VPN central end is configured to: decrypt the first data packet based on the first key, encrypt the decrypted data based on a second key negotiated with the second VPN terminal by the IPSec protocol to form a second data packet, and send the second data packet to the second VPN terminal;
the second VPN terminal is configured to: decrypt the second data packet based on the second key, and send the decrypted second data packet to a second terminal device.
2. The VPN terminal communication system according to claim 1, further comprising:
a first public network router, connected to the first VPN terminal and configured to perform network address translation (NAT) processing on the first data packet and send the processed first data packet to the VPN central end;
and a second public network router, connected to the second VPN terminal and configured to perform network address translation processing on the second data packet and send the processed second data packet to the second VPN terminal.
3. The VPN terminal communication system according to claim 1, further comprising:
a first quantum random number generator, connected to the first VPN terminal and configured to generate quantum random numbers when negotiating a key with the VPN central end;
a central quantum random number generator, connected to the VPN central end and configured to generate quantum random numbers when negotiating keys with the first VPN terminal or the second VPN terminal;
and a second quantum random number generator, connected to the second VPN terminal and configured to generate quantum random numbers when negotiating a key with the VPN central end.
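The relay path in claim 1, worked through in Python as an added example that is not part of the patent: the first VPN terminal seals an inner packet under the first key, the VPN central end opens it, reads the inner destination LAN address, and re-seals it under the second key for the second VPN terminal. The on-wire layout (SPI, sequence number, ciphertext, ICV), the stdlib HMAC-based stand-in for ESP's cipher, and the SPI values, keys and LAN addresses are all constructed for the example and are not interoperable with real ESP.

```python
import hashlib
import hmac
import ipaddress
import os
import struct
from dataclasses import dataclass, field

TAG_LEN = 16  # truncated HMAC-SHA256 standing in for ESP's ICV

@dataclass
class Sa:
    """One unidirectional SA: SPI, negotiated key, outbound seq, replay state."""
    spi: int
    key: bytes
    seq: int = 0
    last_seen: int = 0
    k_enc: bytes = field(init=False, default=b"")
    k_mac: bytes = field(init=False, default=b"")

    def __post_init__(self):
        # Separate encryption and integrity subkeys derived from the SA key.
        self.k_enc = hmac.new(self.key, b"enc", hashlib.sha256).digest()
        self.k_mac = hmac.new(self.key, b"mac", hashlib.sha256).digest()

def _keystream(k_enc, spi, seq, n):
    # Toy counter-mode keystream from HMAC-SHA256 (stdlib only); real ESP uses
    # AES-GCM or AES-CBC+HMAC. (spi, seq) must never repeat under one key.
    out, blk = b"", 0
    while len(out) < n:
        out += hmac.new(k_enc, struct.pack(">IIQ", spi, seq, blk), hashlib.sha256).digest()
        blk += 1
    return out[:n]

def esp_seal(sa: Sa, inner: bytes) -> bytes:
    """SPI | seq | ciphertext | ICV; the ICV covers SPI, seq and ciphertext."""
    sa.seq += 1
    hdr = struct.pack(">II", sa.spi, sa.seq)
    ct = bytes(a ^ b for a, b in zip(inner, _keystream(sa.k_enc, sa.spi, sa.seq, len(inner))))
    return hdr + ct + hmac.new(sa.k_mac, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]

def esp_open(inbound: dict, packet: bytes) -> bytes:
    """Find the SA by SPI, verify the ICV before anything else, reject replays
    (simplified: seq must strictly increase), then decrypt."""
    if len(packet) < 8 + TAG_LEN:
        raise ValueError("packet too short")
    spi, seq = struct.unpack(">II", packet[:8])
    sa = inbound.get(spi)
    if sa is None:
        raise KeyError(f"no SA for SPI {spi:#010x}")
    hdr, ct, icv = packet[:8], packet[8:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(sa.k_mac, hdr + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV check failed")
    if seq <= sa.last_seen:
        raise ValueError(f"replayed seq {seq}")
    sa.last_seen = seq
    return bytes(a ^ b for a, b in zip(ct, _keystream(sa.k_enc, spi, seq, len(ct))))

def inner_pack(src_lan: str, dst_lan: str, payload: bytes) -> bytes:
    # Stand-in for the inner IPv4 header: 4-byte source, 4-byte destination.
    return ipaddress.ip_address(src_lan).packed + ipaddress.ip_address(dst_lan).packed + payload

def inner_unpack(inner: bytes):
    return str(ipaddress.ip_address(inner[:4])), str(ipaddress.ip_address(inner[4:8])), inner[8:]

class Hub:
    """VPN central end: decrypt with the first key, pick the outbound SA by the
    inner destination LAN address, re-encrypt with the second key."""
    def __init__(self):
        self.inbound = {}    # SPI -> Sa (terminal -> hub)
        self.outbound = {}   # LAN address -> Sa (hub -> terminal)

    def add_terminal(self, lan_ip: str, in_sa: Sa, out_sa: Sa):
        self.inbound[in_sa.spi] = in_sa
        self.outbound[lan_ip] = out_sa

    def relay(self, first_packet: bytes) -> bytes:
        inner = esp_open(self.inbound, first_packet)
        dst = inner_unpack(inner)[1]
        if dst not in self.outbound:
            raise KeyError(f"no tunnel to {dst}")
        return esp_seal(self.outbound[dst], inner)

def build_topology():
    """Terminals A and B behind one hub. Keys, SPIs and LAN addresses are
    constructed; each side keeps its own Sa (own seq/replay state) per SPI+key."""
    k1, k2 = os.urandom(32), os.urandom(32)   # first key (A<->hub), second key (hub<->B)
    a = {"lan": "10.8.0.1", "out": Sa(0x1001, k1), "in": {0x1002: Sa(0x1002, k1)}}
    b = {"lan": "10.8.0.2", "out": Sa(0x2001, k2), "in": {0x2002: Sa(0x2002, k2)}}
    hub = Hub()
    hub.add_terminal("10.8.0.1", in_sa=Sa(0x1001, k1), out_sa=Sa(0x1002, k1))
    hub.add_terminal("10.8.0.2", in_sa=Sa(0x2001, k2), out_sa=Sa(0x2002, k2))
    return a, b, hub

def demo():
    a, b, hub = build_topology()
    first_packet = esp_seal(a["out"], inner_pack(a["lan"], b["lan"], b"hello from A"))
    second_packet = hub.relay(first_packet)          # decrypted with k1, re-encrypted with k2
    return inner_unpack(esp_open(b["in"], second_packet)), first_packet, second_packet
```

The design point to take from it: the hub holds plaintext between the two legs, so it is the one place that sees every terminal's traffic, and its decrypt-then-re-encrypt step must verify the ICV and the anti-replay check before decrypting; otherwise a forged or replayed first packet is re-encrypted under the second key and forwarded to the second VPN terminal as genuine.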
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202121779602.3U CN215990843U (en) | 2021-08-02 | 2021-08-02 | VPN terminal communication system based on IPSec protocol |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202121779602.3U CN215990843U (en) | 2021-08-02 | 2021-08-02 | VPN terminal communication system based on IPSec protocol |
Publications (1)
Publication Number | Publication Date |
---|---|
CN215990843U true CN215990843U (en) | 2022-03-08 |
Family
ID=80576745
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202121779602.3U Expired - Fee Related CN215990843U (en) | 2021-08-02 | 2021-08-02 | VPN terminal communication system based on IPSec protocol |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN215990843U (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115460596A (en) * | 2022-09-13 | 2022-12-09 | 浙江九州量子信息技术股份有限公司 | Quantum encryption wifi application system, device and method |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103051510B (en) | The method and apparatus that network strategy unloads to the safety and efficiently of network interface unit | |
US9602470B2 (en) | Network device, IPsec system and method for establishing IPsec tunnel using the same | |
CN106506354B (en) | Message transmission method and device | |
CN104619040A (en) | Method and system for quickly connecting WIFI equipment | |
US11877334B2 (en) | Facilitating over-the-air address rotation | |
CN114547583A (en) | Identity authentication system, method, device, equipment and computer readable storage medium | |
CN215990843U (en) | VPN terminal communication system based on IPSec protocol | |
CN113556340B (en) | Portable VPN terminal, data processing method and storage medium | |
CN111357305B (en) | Communication method, equipment, system and storage medium of movable platform | |
CN115865314A (en) | VPN terminal communication system and method | |
CN115913818A (en) | VPN terminal communication method, VPN center terminal and storage medium | |
CN112640506B (en) | Bluetooth node pairing method and related device | |
WO2014172836A1 (en) | Method and apparatus for accessing network, and network system | |
CN115868189A (en) | Method, vehicle, terminal and system for establishing vehicle safety communication | |
CN103905389A (en) | Relay equipment-based security association, data transmission method, device and system | |
CN115706681A (en) | VPN terminal communication method based on IPSec protocol, VPN center terminal and storage medium | |
CN115883281A (en) | VPN terminal access system and method | |
CN115701693A (en) | VPN terminal access method based on IPSec protocol, VPN center terminal and storage medium | |
CN115701692A (en) | VPN terminal communication system and method based on IPSec protocol | |
CN115988453A (en) | Data receiving and transmitting system and method | |
WO2022094936A1 (en) | Access method, device, and cloud platform device | |
WO2021237753A1 (en) | Communication method and apparatus | |
CN109150793A (en) | A kind of method for secret protection and equipment | |
CN115277036A (en) | Communication method, network device, and computer-readable storage medium | |
US11606199B2 (en) | Management of groups of connected objects using wireless communication protocols |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20220308 |