WO2012022145A1 - Method, device and network system for a terminal to traverse a private network and communicate with a server in an IMS core network - Google Patents

Method, device and network system for a terminal to traverse a private network and communicate with a server in an IMS core network

Info

Publication number
WO2012022145A1
Authority
WO
WIPO (PCT)
Prior art keywords
tunnel
address
terminal
service
packet
Prior art date
Application number
PCT/CN2011/071659
Other languages
English (en)
French (fr)
Inventor
陈爱平
聂成蛟
张战兵
Original Assignee
成都市华为赛门铁克科技有限公司
Priority date
Filing date
Publication date
Application filed by 成都市华为赛门铁克科技有限公司
Priority to EP11817673.4A (EP2590368B1)
Priority to EP16156425.7A (EP3096497B1)
Priority to ES11817673.4T (ES2596177T3)
Publication of WO2012022145A1
Priority to US13/770,014 (US9172559B2)
Priority to US14/827,644 (US9813380B2)

Classifications

    • All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L63/00 Network architectures or network communication protocols for network security > H04L63/02 for separating internal from external traffic, e.g. firewalls > H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H04L12/00 Data switching networks > H04L12/28 characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks] > H04L12/46 Interconnection of networks > H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H04L12/00 > H04L12/28 > H04L12/46 Interconnection of networks > H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L12/00 Data switching networks > H04L12/66 Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • H04L63/00 > H04L63/02 > H04L63/0272 Virtual private networks
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication > H04L65/10 Architectures or entities > H04L65/1016 IP multimedia subsystem [IMS]
    • H04L63/00 > H04L63/02 > H04L63/0281 Proxies
    • H04L63/00 > H04L63/04 for providing a confidential data exchange among entities communicating through data packet networks > H04L63/0428 wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/00 > H04L63/16 Implementing security features at a particular protocol layer > H04L63/166 at the transport layer

Definitions

  • The present invention relates to the field of communications technologies, and in particular to a method, device, and network system for a terminal to traverse a private network to communicate with a server in an IMS core network.
  • Background
  • IMS: IP Multimedia Subsystem
  • To access the IMS core network, the terminal needs to traverse the private network (for example, the enterprise network to which the terminal is connected). Specifically, private IP addresses are used inside the enterprise network, a NAT device is deployed at the edge of the enterprise network, and the terminal has to pass through that NAT device.
  • The prior art provides a method for traversing a private network: an IPSec VPN gateway is deployed separately in the enterprise network and in the IMS network, an IPSec VPN tunnel is established between the enterprise network's IPSec VPN gateway and the IMS network, the routes of the terminals in the enterprise network are aggregated to the IPSec VPN gateway in the enterprise network, and that gateway performs the encapsulation/decapsulation of the service data.
  • IPSec VPN: Internet Protocol Security VPN
  • When the terminal sends service data to the IMS core network, the route of the service data is modified so that it is first routed to the IPSec VPN gateway in the enterprise network; that gateway encapsulates the service data and transmits it to the IMS core network through the IPSec VPN tunnel, and the IPSec VPN gateway in the core network decapsulates the service data and sends it to the server in the IMS core network.
  • The embodiments of the invention provide a method, a device and a network system for a terminal to traverse a private network and communicate with a server in the IMS core network, so that the terminal can traverse the private network and communicate with the public network (that is, the IMS core network) without changing the enterprise network.
  • A method for a terminal to traverse a private network to communicate with a server in an IMS core network includes: the terminal sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, obtaining a first service packet, where the virtual IP address is the address assigned to the terminal by the IP Multimedia Subsystem (IMS) core network; the first service packet is encapsulated into a first tunnel packet whose source IP address is the IP address of the terminal and whose destination IP address is the IP address of the secure tunnel gateway.
  • A method for a terminal to traverse a private network to communicate with a server in an IMS core network, seen from the gateway side, includes: the secure tunnel gateway receives the first tunnel packet through the tunnel between the secure tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway.
  • A terminal includes a communication capability component, which includes:
  • a first data aggregation module, configured to set the source IP address of the service data to be sent to a virtual IP address and the destination address to the address of the intranet server, obtaining a first service packet, where the virtual IP address is an address assigned to the terminal by the IP Multimedia Subsystem (IMS) core network;
  • a first tunnel transmission module, configured to encapsulate the first service packet into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway, and to send the first tunnel packet to the secure tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway sends the first service packet carried in the first tunnel packet to the intranet server.
  • A secure tunnel gateway includes:
  • a first receiving module, configured to receive the first tunnel packet through the tunnel between the secure tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway;
  • a decapsulation module, configured to decapsulate the first tunnel packet;
  • a first sending module, configured to send to the intranet server the first service packet obtained by the decapsulation module, where the source address of the first service packet is the virtual IP address and the destination address is the intranet server address.
  • A network system includes a secure tunnel gateway and an intranet server. The secure tunnel gateway is configured to: receive the first tunnel packet through the tunnel between the secure tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway; decapsulate the first tunnel packet to obtain the first service packet, whose source address is the virtual IP address and whose destination address is the intranet server address; send the first service packet to the intranet server; receive the second service packet sent by the intranet server, whose source address is the intranet server address and whose destination address is the virtual IP address; encapsulate the second service packet into a second tunnel packet, whose source IP address is the IP address of the secure tunnel gateway and whose destination IP address is the IP address of the terminal; and send the second tunnel packet to the terminal through the tunnel between the secure tunnel gateway and the terminal.
  • The intranet server is configured to receive the first service packet sent by the secure tunnel gateway and to send the second service packet to the secure tunnel gateway.
  • The terminal uses the virtual IP address assigned by the IMS core network as its communication address toward the intranet server: it sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, encapsulates the result into a tunnel packet, and transmits it to the secure tunnel gateway through the tunnel between the terminal and the secure tunnel gateway.
  • The secure tunnel gateway can then forward the service packet whose source IP address is the virtual IP address and whose destination address is the intranet server address to the intranet server. In this way the service data between the intranet server and the terminal is relayed through the secure tunnel gateway, and the terminal can traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
  • The secure tunnel gateway in the embodiments acts as an intermediate device: it decapsulates the tunnel packet from the terminal and sends the packet to the intranet server, so that the terminal and the server in the IMS core network exchange service data, and the enterprise network does not need to be modified for the terminal to traverse the private network and communicate with the servers in the public network.
  • FIG. 1A is a flowchart of a method for a terminal to traverse a private network and communicate with a server in an IMS core network according to an embodiment of the present invention;
  • FIG. 1B is a flowchart of another method for a terminal to traverse a private network and communicate with a server in an IMS core network according to an embodiment of the present invention;
  • FIG. 2A is a flowchart of another method for communicating with a server in an IMS core network through a private network according to an embodiment of the present invention;
  • FIG. 2B is a flowchart of a method for communicating with a server in an IMS core network through a private network according to an embodiment of the present invention;
  • FIG. 3 is a flowchart of establishing a VPN tunnel according to an embodiment of the present invention;
  • FIG. 5 is a flowchart of data security traversal of an IMS service according to an embodiment of the present invention;
  • FIG. 6 is a flowchart of another IMS service data security traversal according to an embodiment of the present invention;
  • FIG. 7 is a structural diagram of a terminal according to an embodiment of the present invention;
  • FIG. 8 is a structural diagram of a secure tunnel gateway according to an embodiment of the present invention;
  • FIG. 9 is a structural diagram of a network system according to an embodiment of the present invention.
  • Detailed description
  • An embodiment of the present invention provides a method, described from the terminal side, for a terminal to traverse a private network to communicate with a server in an IMS core network. The method includes:
  • The terminal sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, obtaining the first service packet, where the virtual IP address is the address assigned to the terminal by the IP Multimedia Subsystem (IMS) core network.
  • Specifically, obtaining the first service packet includes: setting the source address of the service data to be sent to the virtual IP address, setting the destination address to the address of the intranet server, setting the source port of the service data to be sent to the service port of the terminal, and setting the destination port to the service port of the intranet server.
  • This embodiment and the subsequent embodiments apply to the following environment: the terminal is located in a private network, for example an enterprise network; if the terminal wants to communicate with a server in the IMS core network, it needs to traverse the private network to communicate with the intranet server in the IMS core network.
  • The virtual IP address is allocated by a Security Tunnel Gateway (STG), which is located at the edge of the IMS core network; the Security Tunnel Gateway (STG) may be the VPN gateway described in the subsequent embodiments.
  • The tunnel between the terminal and the secure tunnel gateway may be a User Datagram Protocol (UDP) VPN tunnel, a Secure Sockets Layer (SSL) VPN tunnel, or a Hypertext Transfer Protocol (HTTP) VPN tunnel.
  • UDP: User Datagram Protocol
  • SSL: Secure Sockets Layer
  • HTTP: Hypertext Transfer Protocol
  • The virtual IP address may also be allocated by a Dynamic Host Configuration Protocol (DHCP) server of the IMS core network.
  • DHCP: Dynamic Host Configuration Protocol
  • The UDP VPN tunnel includes the Datagram Transport Layer Security (DTLS) VPN tunnel.
  • DTLS: Datagram Transport Layer Security
  • The first service packet is encapsulated into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway.
  • Specifically, encapsulating the first tunnel packet includes: setting the source IP address of the first tunnel packet to the IP address of the terminal (the real IP address of the terminal), setting the destination IP address to the IP address of the secure tunnel gateway, setting the source port to the tunnel port of the terminal, and setting the destination port to the tunnel port of the secure tunnel gateway.
  • The first tunnel packet is sent to the secure tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway sends the first service packet carried in the first tunnel packet to the intranet server.
  • FIG. 1B is a flowchart of a method for a terminal to traverse a private network to communicate with a server in an IMS core network according to an embodiment of the present invention. The embodiment shown in FIG. 1B describes how the terminal receives the service data sent by the server in the IMS core network when it needs to receive service data from the intranet server. As shown in FIG. 1B, the method includes:
  • The terminal receives the second tunnel packet through the tunnel, where the source IP address of the second tunnel packet is the IP address of the secure tunnel gateway and the destination IP address is the IP address of the terminal;
  • The second tunnel packet is decapsulated to obtain a second service packet, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address.
  • The methods of the embodiments shown in FIG. 1A and FIG. 1B can be used in combination: the embodiment shown in FIG. 1A describes the process in which a terminal traverses a private network to send service data to a server in an IMS core network, and the embodiment shown in FIG. 1B describes the process in which a terminal traverses a private network to receive service data sent by a server in an IMS core network.
  • The service data is transmitted through the UDP VPN tunnel, and the service control information is transmitted through the SSL VPN tunnel. The method further includes: the terminal sends the first service control information to the secure tunnel gateway through the SSL VPN tunnel, for example a request that the secure tunnel gateway allocate a virtual IP address or, when the terminal needs to release the VPN tunnel, an indication to release the VPN tunnel; or the terminal receives the second service control information sent by the secure tunnel gateway through the SSL VPN tunnel, for example, after the secure tunnel gateway allocates a virtual IP address to the terminal, the terminal receives the assigned virtual IP address through the SSL VPN tunnel.
  • The terminal uses the virtual IP address assigned by the IMS core network as its communication address toward the intranet server, sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, encapsulates the result into a tunnel packet, and transmits it to the secure tunnel gateway through the tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway can send the service packet whose source IP address is the virtual IP address and whose destination address is the intranet server address to the intranet server.
  • In the reverse direction, the terminal decapsulates the received tunnel packet and obtains the service packet whose source address is the address of the intranet server and whose destination address is the virtual IP address. The secure tunnel gateway thus relays the service data between the intranet server and the terminal, and the terminal can traverse the private network to communicate with the server in the public network without changing the enterprise network where the terminal is located.
  • An embodiment of the present invention provides a method for a terminal to traverse a private network to communicate with a server in an IMS core network, described from the secure tunnel gateway side. The method includes:
  • The secure tunnel gateway receives the first tunnel packet through the tunnel between the secure tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway.
  • The virtual IP address is allocated by the secure tunnel gateway, and the tunnel between the secure tunnel gateway and the terminal may be a User Datagram Protocol (UDP) tunnel, a Secure Sockets Layer (SSL) tunnel, or a Hypertext Transfer Protocol (HTTP) tunnel.
  • UDP: User Datagram Protocol
  • SSL: Secure Sockets Layer
  • HTTP: Hypertext Transfer Protocol
  • The secure tunnel gateway decapsulates the first tunnel packet to obtain the first service packet, whose source address is the virtual IP address and whose destination address is the intranet server address.
  • FIG. 2B is a flowchart of a method for communicating with a server in an IMS core network through a private network according to an embodiment of the present invention. The embodiment shown in FIG. 2B describes, from the secure tunnel gateway side, how a service packet sent by the intranet server is transmitted to the terminal through the VPN tunnel. As shown in FIG. 2B, the method includes:
  • The secure tunnel gateway receives the second service packet sent by the intranet server, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address.
  • The second service packet is encapsulated into a second tunnel packet, where the source IP address of the second tunnel packet is the IP address of the secure tunnel gateway and the destination IP address is the IP address of the terminal;
  • FIG. 2A and FIG. 2B both describe, from the secure tunnel gateway side, the method by which the terminal traverses the private network to communicate with the server in the IMS core network: the embodiment shown in FIG. 2A describes the process of transmitting the service packet sent by the terminal through the VPN tunnel to the server in the IMS core network, and the embodiment shown in FIG. 2B describes the process of transmitting the service packet sent by the server in the IMS core network to the terminal through the VPN tunnel. In practice, the methods of the embodiments shown in FIG. 2A and FIG. 2B can be used in combination.
  • The service data is transmitted through the UDP VPN tunnel, and the service control information is transmitted through the SSL VPN tunnel. The method further includes: the secure tunnel gateway sends the second service control information to the terminal through the SSL VPN tunnel, for example, after the secure tunnel gateway allocates a virtual IP address to the terminal, it sends the virtual IP address to the terminal through the SSL VPN tunnel; or the secure tunnel gateway receives the first service control information sent by the terminal through the SSL VPN tunnel, for example, when the terminal needs to release the VPN tunnel, it may send an indication to release the VPN tunnel to the secure tunnel gateway through the SSL VPN tunnel.
  • The secure tunnel gateway in the embodiments acts as an intermediate device: it decapsulates the tunnel packet from the terminal and sends the packet to the intranet server, and encapsulates the service packet from the intranet server into a tunnel packet and sends it to the terminal, relaying service data between the terminal and the server in the IMS core network, so that the terminal can traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
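The two address layers described in the terminal-side (FIG. 1A/1B) and gateway-side (FIG. 2A/2B) embodiments above, as an added Python model that is not part of the patent: a service packet addressed from the virtual IP to the intranet server is wrapped in a tunnel packet addressed from the terminal's real IP and tunnel port to the secure tunnel gateway's IP and tunnel port, the gateway unwraps it and forwards it, and the reverse direction wraps the server's reply for the terminal. All addresses, ports and payloads are constructed sample values. The check that the inner source equals the virtual IP the gateway assigned to that tunnel, and that the inner destination lies in a configured intranet server segment, is an assumed hardening step the patent does not spell out; without it, any tunnel endpoint could inject inner packets with an arbitrary source address into the IMS network.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed sample values for this example; none of them come from the patent.
TERMINAL_REAL_IP = "192.168.10.25"    # terminal's private address inside the enterprise network
TERMINAL_TUNNEL_PORT = 40000          # terminal's tunnel port
STG_IP = "203.0.113.5"                # secure tunnel gateway (STG) at the edge of the IMS core network
STG_TUNNEL_PORT = 4433                # STG tunnel port
VIRTUAL_IP = "10.200.0.17"            # virtual IP the STG assigned to the terminal
INTRANET_SERVER_IP = "10.10.1.8"      # server in the IMS core network
INTRANET_SEGMENTS = ["10.10.0.0/16"]  # intranet server address segments from the configuration info


@dataclass(frozen=True)
class Packet:
    """A service packet (payload is bytes) or a tunnel packet (payload is the encapsulated Packet)."""
    src: str
    dst: str
    sport: int
    dport: int
    payload: object


class Terminal:
    """Terminal side of FIG. 1A/1B: data aggregation and tunnel transmission."""
    def __init__(self, real_ip, tunnel_port, virtual_ip, stg_ip, stg_port):
        self.real_ip, self.tunnel_port = real_ip, tunnel_port
        self.virtual_ip, self.stg_ip, self.stg_port = virtual_ip, stg_ip, stg_port
    def build_service_packet(self, server_ip, sport, dport, payload: bytes) -> Packet:
        # Data aggregation: source is the virtual IP, destination is the intranet server.
        return Packet(self.virtual_ip, server_ip, sport, dport, payload)
    def encapsulate(self, svc: Packet) -> Packet:
        # Tunnel transmission: outer header is real IP/tunnel port -> STG IP/tunnel port.
        return Packet(self.real_ip, self.stg_ip, self.tunnel_port, self.stg_port, svc)
    def decapsulate(self, tun: Packet) -> Packet:
        # The second tunnel packet must come from the STG and carry a packet for this virtual IP.
        if (tun.src, tun.sport, tun.dst, tun.dport) != (self.stg_ip, self.stg_port, self.real_ip, self.tunnel_port):
            raise ValueError("tunnel header does not match this terminal's tunnel")
        if tun.payload.dst != self.virtual_ip:
            raise ValueError("inner destination is not this terminal's virtual IP")
        return tun.payload


class SecureTunnelGateway:
    """Gateway side of FIG. 2A/2B: decapsulate toward the intranet server, encapsulate toward the terminal."""
    def __init__(self, ip, port, intranet_segments: List[str]):
        self.ip, self.port = ip, port
        self.segments = [ip_network(s) for s in intranet_segments]
        self.assigned: Dict[Tuple[str, int], str] = {}   # (terminal IP, terminal port) -> virtual IP
    def assign_virtual_ip(self, terminal_ip, terminal_port, virtual_ip) -> None:
        self.assigned[(terminal_ip, terminal_port)] = virtual_ip
    def decapsulate(self, tun: Packet) -> Packet:
        if (tun.dst, tun.dport) != (self.ip, self.port):
            raise ValueError("tunnel packet is not addressed to this gateway")
        expected_vip = self.assigned.get((tun.src, tun.sport))
        if expected_vip is None:
            raise ValueError("no established tunnel for this endpoint")
        inner = tun.payload
        # Assumed hardening, not spelled out in the patent: the inner source must be the virtual IP
        # assigned to this tunnel and the inner destination must lie in an intranet server segment.
        if inner.src != expected_vip:
            raise ValueError("inner source is not the virtual IP assigned to this tunnel")
        if not any(ip_address(inner.dst) in seg for seg in self.segments):
            raise ValueError("inner destination is outside the intranet server segments")
        return inner
    def encapsulate(self, svc: Packet) -> Packet:
        # Second service packet from the intranet server: find the tunnel that owns its virtual IP.
        for (terminal_ip, terminal_port), vip in self.assigned.items():
            if vip == svc.dst:
                return Packet(self.ip, terminal_ip, self.port, terminal_port, svc)
        raise ValueError("no tunnel owns this virtual IP")


def _setup():
    stg = SecureTunnelGateway(STG_IP, STG_TUNNEL_PORT, INTRANET_SEGMENTS)
    stg.assign_virtual_ip(TERMINAL_REAL_IP, TERMINAL_TUNNEL_PORT, VIRTUAL_IP)
    return Terminal(TERMINAL_REAL_IP, TERMINAL_TUNNEL_PORT, VIRTUAL_IP, STG_IP, STG_TUNNEL_PORT), stg


def run_exchange():
    """Round trip: terminal -> STG -> server (FIG. 1A/2A), then server -> STG -> terminal (FIG. 2B/1B)."""
    terminal, stg = _setup()
    first_service = terminal.build_service_packet(INTRANET_SERVER_IP, 5060, 5060, b"REGISTER (constructed)")
    first_tunnel = terminal.encapsulate(first_service)
    delivered = stg.decapsulate(first_tunnel)        # what the STG hands to the intranet server
    second_service = Packet(INTRANET_SERVER_IP, VIRTUAL_IP, 5060, 5060, b"200 OK (constructed)")
    second_tunnel = stg.encapsulate(second_service)
    received = terminal.decapsulate(second_tunnel)   # what the terminal's service module receives
    return first_tunnel, delivered, second_tunnel, received


def mismatched_source_rejected() -> bool:
    """A tunnel packet whose inner source is not the tunnel's assigned virtual IP is dropped by the STG."""
    terminal, stg = _setup()
    try:
        stg.decapsulate(terminal.encapsulate(Packet("10.200.0.99", INTRANET_SERVER_IP, 5060, 5060, b"x")))
    except ValueError:
        return True
    return False
```

`run_exchange()` returns the first tunnel packet, the service packet the gateway delivers to the intranet server, the second tunnel packet and the service packet the terminal recovers; `mismatched_source_rejected()` shows the gateway dropping an inner packet whose source is not the virtual IP bound to that tunnel.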
  • FIG. 3 is a flowchart of establishing a VPN tunnel according to an embodiment of the present invention. The VPN tunnel establishment process specifically includes:
  • The terminal determines whether application layer proxy server related information is configured; if yes, it sends an establish proxy connection request message to the application layer proxy server, and if not, it executes 303.
  • Specifically, the service module of the terminal invokes the interface of the tunnel transmission module in the communication capability component of the terminal, triggering the tunnel transmission module to determine whether application layer proxy server related information is configured; it sends the proxy connection request message when the result is yes, and otherwise sends the request for establishing a VPN tunnel directly to the VPN secure tunnel gateway.
  • The communication capability component in each embodiment of the present invention includes three modules: a tunnel transmission module, an encryption and decryption module, and a data aggregation module. This step is performed by the tunnel transmission module.
  • The application layer proxy server related information includes the application layer proxy server type, IP address, and port; the application layer proxy server type includes an HTTP proxy server, an HTTPS proxy server, a SOCKS proxy server, and the like.
  • The user decides whether to go through the application layer proxy server according to the network conditions between the enterprise network and the VPN gateway (that is, the secure tunnel gateway). If the application layer proxy server is needed to connect to the VPN gateway, the type, IP address, and port of the application layer proxy server need to be configured on the terminal.
  • The application layer proxy server returns a proxy connection response message to the terminal; specifically, it returns the proxy connection response message to the tunnel transmission module in the terminal.
  • The process of establishing a proxy connection between a terminal and different types of application layer proxy servers differs, and the number of interactions required may differ, but establishing a proxy connection places no special requirement on the NAT device, so the establish proxy connection request message and the response message can traverse all normal NAT devices.
  • The terminal sends a request message for establishing a VPN tunnel to the VPN gateway (step 303); specifically, the tunnel transmission module in the terminal sends the request message for establishing a VPN tunnel to the VPN gateway.
  • The VPN gateway returns a response message for establishing a VPN tunnel to the terminal (step 304). The VPN tunnel in this embodiment may be one of three types: SSL VPN, HTTP VPN, and UDP VPN. Specifically, the VPN gateway returns the response message for establishing a VPN tunnel to the tunnel transmission module in the terminal.
  • If the terminal connects through an application layer proxy server, step 303 sends the request message for establishing a VPN tunnel to the VPN gateway through the application layer proxy server, and correspondingly, in step 304, the VPN gateway sends the response message for establishing a VPN tunnel to the terminal through the application layer proxy server.
  • The terminal uses the VPN tunnel to send a request for configuration information to the VPN gateway; specifically, the tunnel transmission module in the terminal sends the message requesting configuration information to the VPN gateway.
  • The VPN gateway returns the configuration information to the terminal through the VPN tunnel. The configuration information includes the IP address/mask of the intranet server and the virtual IP address/mask assigned by the VPN gateway to the terminal. The IP address of the intranet server can be a specific IP address or multiple IP address segments, in which case the intranet servers are in multiple network segments.
  • Specifically, the VPN gateway returns the configuration information to the tunnel transmission module in the terminal; the tunnel transmission module parses the configuration information and sends it to the data aggregation module; the data aggregation module configures the terminal address as the virtual IP address/mask according to the configuration information, configures the address/mask of the intranet server that communicates with the terminal, and then notifies the tunnel transmission module that the setting is complete; the tunnel transmission module then sends an indication that the tunnel establishment is complete to the service module in the terminal.
  • Steps 303-304 can be specifically implemented as follows:
  • the terminal first attempts to establish a UDP tunnel: The terminal sends a request for establishing a UDP tunnel to the VPN gateway, and can carry the identity information in the request message, and the VPN gateway can verify the validity of the identity by performing information interaction with the authentication server, to the terminal. The verification result is returned. If the terminal is legal and the enterprise network firewall is open to a specific UDP port, the UDP tunnel is established successfully. Otherwise, the UDP tunnel fails to be established.
  • the UDP tunnel described in this section contains UDP plaintext tunnels and UDP. A dense tunnel and a UDP-based DTLS (Datagram Transport Layer Security) tunnel.
  • the SOCKS V5 proxy server, the HTTP proxy server, and the HTTPS proxy server exist at the same time, if the UDP tunnel needs to be established through the application layer proxy server, the UDP tunnel is required to be established through the SOCK5 VS proxy server, compared to other HTTP tunnels and SSL. For tunnels, UDP tunnels can improve voice quality.
  • The terminal then attempts to establish an SSL tunnel: the terminal sends an SSL tunnel establishment request to the VPN gateway, which may carry identity information.
  • The VPN gateway verifies the identity by interacting with the authentication server and returns the result to the terminal. If the identity of the terminal is legitimate and the enterprise firewall has the specific SSL port open, the SSL tunnel is established successfully; otherwise, SSL tunnel establishment fails. After the SSL tunnel is established, a UDP tunnel can be further established on top of it: a UDP connection establishment request is sent to probe whether a UDP path between the terminal and the VPN gateway is reachable, and if it is, the terminal negotiates a UDP tunnel key with the VPN gateway through the SSL tunnel to establish the UDP tunnel.
  • The UDP tunnel described here includes a UDP plaintext tunnel, a UDP encrypted tunnel, and a UDP-based DTLS (Datagram Transport Layer Security) tunnel. If the SSL tunnel has to be established through an application layer proxy server, it is established through the HTTPS proxy server.
  • The terminal then attempts to establish an HTTP tunnel: the terminal sends an HTTP tunnel establishment request to the VPN gateway, which may carry identity information. The VPN gateway verifies the identity by interacting with the authentication server and returns the verification result to the terminal. If the terminal is legitimate and the enterprise firewall has the HTTP port open, the HTTP tunnel is established successfully.
  • The terminal negotiates an SSL tunnel key with the VPN gateway through the HTTP tunnel, so that the service data transmitted in the HTTP tunnel is encrypted with the SSL tunnel key. If the HTTP tunnel has to be established through an application layer proxy server, it is established through the HTTP proxy server.
  • The terminal may first try to establish a service connection directly with the intranet server in the IMS core network using the existing method. Because the IMS service requires many UDP ports to be opened on the firewalls deployed in the enterprise network and the IMS network, if the ports opened on the firewall do not meet the requirements of the IMS service, the attempt to establish a direct service connection between the terminal and the intranet server fails.
  • In that case, a UDP VPN tunnel, an SSL VPN tunnel or an HTTP VPN tunnel may be requested in the manner described above according to the embodiment of the present invention.
  • FIG. 4 is a flowchart of identity authentication through a VPN tunnel according to an embodiment of the present invention. The process of performing identity authentication through a VPN tunnel includes:
  • The terminal sends a terminal identification code to the VPN gateway through the VPN tunnel.
  • The VPN gateway determines, using a local or external subscription record and the terminal identification code, whether the terminal is allowed to establish a VPN tunnel, and returns the authentication result to the terminal, that is, the result of whether the terminal may establish a VPN tunnel.
  • When the terminal is allowed to establish a VPN tunnel, the terminal sends the user identity information to the VPN gateway through the VPN tunnel.
  • The user identity information includes a username and a password.
  • The VPN gateway verifies the identity of the user according to the user identity information and returns the verification result.
  • The identity of the user may be verified against locally stored subscriber information or against the subscription information of an external server.
  • The terminal also sends a message through the VPN tunnel requesting the VPN gateway to authenticate the component caller, that is, to verify whether the terminal is allowed to use the communication capability component and perform its functions, namely establishing a VPN tunnel and performing data aggregation.
  • The execution body of each step shown in FIG. 4 is the tunnel transmission module in the terminal.
  • FIG. 5 is a flowchart of the IMS service data security traversal provided by an embodiment of the present invention, in which the terminal actively initiates communication with the intranet server in the IMS core network. Specifically, the secure traversal process of the IMS service data includes:
  • The terminal sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, sets the source port of the service data to the service port of the terminal and the destination port to the service port of the intranet server, obtaining the first service packet, and encrypts the first service packet.
  • The source IP address of the encrypted packet is set to the real IP address of the terminal, the destination IP address to the IP address of the VPN gateway, the source port to the tunnel port of the terminal and the destination port to the tunnel port of the VPN gateway, obtaining the first tunnel packet, which is then sent to the VPN gateway through the tunnel between the terminal and the VPN gateway.
  • The terminal includes a communication capability component with three modules: a data aggregation module, an encryption and decryption module, and a tunnel transmission module. The data aggregation module includes a first data aggregation module and a second data aggregation module; the encryption and decryption module includes an encryption module and a decryption module; and the tunnel transmission module includes a first tunnel transmission module and a second tunnel transmission module.
  • The terminal can obtain the first service packet in two ways.
  • The first mode: the service module of the terminal calls the interface provided by the first data aggregation module, triggering the first data aggregation module to set the source address of the service data to be sent to the virtual IP address, the destination address to the address of the intranet server, the source port to the service port of the terminal and the destination port to the service port of the intranet server.
  • The second mode: the first data aggregation module of the terminal captures the service data to be sent from a communication interface provided by the operating system, and sets its source address to the virtual IP address, the destination address to the address of the intranet server, the source port to the service port of the terminal and the destination port to the service port of the intranet server. The communication interface provided by the operating system may be a virtual network card.
  • The encryption module in the terminal encrypts the first service packet.
  • The first tunnel transmission module in the terminal sets the source IP address of the encrypted packet to the real IP address of the terminal, the destination IP address to the IP address of the VPN gateway, the source port to the tunnel port of the terminal and the destination port to the tunnel port of the VPN gateway, obtaining the first tunnel packet, and then sends the first tunnel packet to the VPN gateway through the tunnel between the terminal and the VPN gateway.
  • The encryption module in the terminal uses the SSL tunnel key to encrypt the first service packet.
  • After receiving the first tunnel packet, the VPN gateway decapsulates and decrypts it, obtains the first service packet whose source address is the virtual IP address and whose destination address is the IP address of the intranet server, and sends the first service packet to the intranet server.
  • The VPN gateway uses the SSL tunnel key to decrypt the first tunnel packet.
  • After receiving the first service packet, the intranet server responds to the terminal: it sends to the VPN gateway a second service packet whose source address is the IP address of the intranet server, whose destination address is the virtual IP address, whose source port is the service port of the intranet server and whose destination port is the service port of the terminal.
  • Specifically, the intranet server broadcasts an Address Resolution Protocol (ARP) message carrying the virtual IP address to query which VPN gateway the virtual IP address belongs to. The VPN gateway that assigned the virtual IP address sends an ARP response to the intranet server carrying the MAC address of the VPN gateway, and the intranet server sends the second service packet to the VPN gateway according to that MAC address.
  • The VPN gateway encrypts and encapsulates the received second service packet into a second tunnel packet, and sends the second tunnel packet to the terminal through the tunnel between the VPN gateway and the terminal.
  • The VPN gateway encrypts the second service packet using the SSL tunnel key.
  • After receiving the second tunnel packet sent by the VPN gateway, the terminal decapsulates and decrypts it to obtain the second service packet, and extracts the service data from the second service packet.
  • Specifically, the second tunnel transmission module in the terminal receives the second tunnel packet sent by the VPN gateway, decapsulates it and removes its source IP address (the IP address of the VPN gateway), destination IP address (the real IP address of the terminal), source port (the tunnel port of the VPN gateway) and destination port (the tunnel port of the terminal). The decryption module in the terminal then decrypts the decapsulated packet to obtain the second service packet, and the second data aggregation module removes the source IP address of the second service packet (the IP address of the intranet server), the destination IP address (the virtual IP address), the source port (the service port of the intranet server) and the destination port (the service port of the terminal), and extracts the service data from the second service packet.
  • The service module of the terminal obtains the service data of the second service packet in one of two ways. The first mode: the service module obtains the service data from the second data aggregation module of the terminal. The second mode: the second data aggregation module inserts the extracted service data into the communication interface provided by the operating system, and the service module of the terminal obtains the service data of the second service packet from that communication interface.
  • The service data is transmitted through a VPN tunnel (such as the foregoing UDP VPN tunnel, SSL VPN tunnel or HTTP VPN tunnel), and these tunnels can pass through NAT devices such as routers, firewalls and switches with NAT functions. The NAT device is therefore prevented from performing access control, address modification and similar operations on the service data, avoiding communication failure between the terminal and the intranet server caused by the NAT device.
  • The UDP VPN tunnel can traverse a SOCKS V5 proxy server, the SSL VPN tunnel can traverse an HTTPS proxy server, and the HTTP VPN tunnel can traverse an HTTP proxy server. When the terminal communicates with the intranet server, the corresponding application layer proxy server is therefore prevented from performing access control, address modification and similar operations on the service data, avoiding communication failure between the terminal and the intranet server caused by the application layer proxy server.
  • This embodiment uses the virtual IP address as the address with which the terminal communicates with the intranet server, and the communication goes through the VPN gateway, so the enterprise network needs no additional route conversion and does not need to be changed.
  • FIG. 6 is a flowchart of the IMS service data security traversal provided by an embodiment of the present invention, in which the intranet server in the IMS core network actively initiates communication with the terminal. The IMS service data security traversal process includes:
  • The intranet server sends a service packet whose source address is the IP address of the intranet server, whose destination address is the virtual IP address, whose source port is the service port of the intranet server and whose destination port is the service port of the terminal.
  • Specifically, the intranet server broadcasts an ARP message carrying the virtual IP address to query which VPN gateway the virtual IP address belongs to. The VPN gateway that allocated the virtual IP address sends an ARP reply to the intranet server, and the ARP reply carries the IP address of the VPN gateway. According to that address, the intranet server sends to the VPN gateway the service packet whose source address is the IP address of the intranet server and whose destination address is the virtual IP address.
  • The VPN gateway encrypts and encapsulates the received service packet to obtain a tunnel packet, and sends the tunnel packet to the terminal through the established tunnel.
  • After receiving the tunnel packet sent by the VPN gateway, the terminal decapsulates and decrypts it, obtains the service packet, and obtains the service data in the service packet.
  • The service data is transmitted through a VPN tunnel (such as the foregoing UDP VPN tunnel, SSL VPN tunnel or HTTP VPN tunnel). VPN tunnels can pass through NAT devices such as routers, firewalls and switches with NAT functions, so these NAT devices are prevented from performing access control and address modification on the service data, avoiding communication failure between the terminal and the intranet server caused by NAT operations.
  • The UDP VPN tunnel can traverse a SOCKS V5 proxy server, the SSL VPN tunnel can traverse an HTTPS proxy server, and the HTTP VPN tunnel can traverse an HTTP proxy server. When the terminal communicates with the intranet server, the corresponding application layer proxy server is therefore prevented from performing access control, address modification and similar operations on the service data, avoiding communication failure between the terminal and the intranet server caused by the application layer proxy server.
  • This embodiment uses the virtual IP address as the address with which the terminal communicates with the intranet server, and the communication goes through the VPN gateway, so the enterprise network needs no additional route conversion and does not need to be changed.
  • The terminal periodically, or at a set time, sends a keep-alive message to the VPN gateway to maintain the established tunnel.
  • Service data can be transmitted through the UDP VPN tunnel as described in the foregoing embodiment, and the terminal can also transmit service control information through the SSL VPN tunnel. Specifically, after the terminal encrypts the first service control information to be sent, it sets the source IP address of the encrypted control information to the real IP address of the terminal and the destination IP address to the IP address of the VPN gateway, and sends it to the VPN gateway; after receiving it, the VPN gateway decapsulates and decrypts it to obtain the first control information. Similarly, the VPN gateway can send second control information to the terminal through the SSL VPN tunnel. In this way, service data can be transmitted through the less secure UDP VPN tunnel, while service control information is transmitted through the more secure SSL VPN tunnel.
  • An embodiment of the present invention provides a terminal, including:
  • The first data aggregation module 701 is configured to set the source address of the service data to be sent to a virtual IP address and the destination address to the address of the intranet server, obtaining a first service packet, where the virtual IP address is the address assigned to the terminal by the multimedia subsystem IMS core network;
  • The first tunnel transmission module 702 is configured to encapsulate the first service packet into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway, and to send the first tunnel packet to the secure tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway sends the first service packet in the first tunnel packet to the intranet server.
  • In order to receive the service data sent by the intranet server, the terminal may further include:
  • The second tunnel transmission module 703 is configured to, when the terminal needs to receive service data from the intranet server, receive the second tunnel packet through the tunnel and decapsulate it, where the source IP address of the second tunnel packet is the IP address of the secure tunnel gateway and the destination IP address is the IP address of the terminal;
  • The second data aggregation module 704 is configured to obtain the service data from the second service packet decapsulated by the second tunnel transmission module, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address.
  • The terminal may further include:
  • The service module 705 is specifically configured to, when the terminal needs to send service data, call the interface provided by the first data aggregation module to trigger it to set the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server; and, when the terminal needs to receive service data, to obtain the service data of the second service packet from the second data aggregation module.
  • Alternatively, the first data aggregation module 701 is configured to, when the terminal needs to send service data, capture the service data to be sent from the communication interface provided by the operating system, and set its source address to the virtual IP address and its destination address to the address of the intranet server; here the service data to be sent has been written by the service module 705 to the communication interface provided by the operating system. In this way, the service module and the communication capability component do not need to be tightly coupled.
  • Correspondingly, the second data aggregation module 704 is configured to, when the terminal needs to receive service data from the intranet server, extract the service data from the second service packet and insert it into the communication interface provided by the operating system, so that the service module in the terminal obtains the service data of the second service packet from the communication interface provided by the operating system.
  • In order to ensure the security of the packets transmitted on the VPN tunnel, the terminal may further include:
  • The encryption module 706 is configured to encrypt the first service packet using the SSL tunnel key when the VPN tunnel between the terminal and the secure tunnel gateway is an HTTP VPN tunnel.
  • The decryption module 707 is configured to decrypt the packet decapsulated by the second tunnel transmission module using the SSL tunnel key when the VPN tunnel between the terminal and the secure tunnel gateway is an HTTP VPN tunnel.
  • The SSL tunnel key is obtained in advance by the terminal through negotiation with the secure tunnel gateway over the HTTP tunnel.
  • Accordingly, the first tunnel transmission module 701 is specifically configured to encapsulate the first service packet encrypted by the encryption module 706 into the first tunnel packet and to send the first tunnel packet to the secure tunnel gateway through the VPN tunnel between the terminal and the secure tunnel gateway, and the second data aggregation module 704 is specifically configured to obtain the service data from the packet decrypted by the decryption module 707.
  • Besides processing and transmitting service data with the first data aggregation module 701, the first tunnel transmission module 702, the second tunnel transmission module 703 and the second data aggregation module 704, the terminal may also use a third tunnel transmission module 708 and/or a fourth tunnel transmission module 709 to process and transmit service control information, where:
  • The third tunnel transmission module 708 is configured to send the first service control information to the secure tunnel gateway through the SSL VPN tunnel; and/or
  • The fourth tunnel transmission module 709 is configured to receive the second service control information sent by the secure tunnel gateway through the SSL VPN tunnel.
  • The terminal further includes a first tunnel establishing unit 710, configured to establish a UDP VPN tunnel, and a second tunnel establishing unit 711, configured to negotiate a UDP tunnel key with the secure tunnel gateway through the established SSL tunnel in order to establish a UDP tunnel.
  • In this embodiment the terminal uses the virtual IP address assigned by the IMS core network as its communication address with the intranet server, sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, encapsulates the result into a tunnel packet and transmits it to the secure tunnel gateway through the tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway can send the service packet whose source address is the virtual IP address and whose destination address is the address of the intranet server to the intranet server. The received tunnel packet is decapsulated to obtain the service packet whose source address is the address of the intranet server and whose destination address is the virtual IP address. In this way the secure tunnel gateway transmits the service data between the intranet server and the terminal, and the terminal can traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
  • An embodiment of the present invention provides a secure tunnel gateway, which includes a tunnel transmission module 80; the tunnel transmission module 80 includes a first receiving module 801, a decapsulation module 802 and a first sending module 803.
  • The first receiving module 801 is configured to receive the first tunnel packet through the tunnel between the secure tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway;
  • The decapsulation module 802 is configured to decapsulate the first tunnel packet;
  • The first sending module 803 is configured to send the first service packet obtained by the decapsulation module to the intranet server, where the source address of the first service packet is the virtual IP address and the destination address is the address of the intranet server.
  • The secure tunnel gateway further includes a tunnel transmission module 90, which specifically includes:
  • The second receiving module 804 is configured to receive the second service packet sent by the intranet server, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address;
  • The encapsulating module 805 is configured to encapsulate the second service packet into a second tunnel packet, where the source IP address of the second tunnel packet is the IP address of the secure tunnel gateway and the destination IP address is the IP address of the terminal;
  • The second sending unit 806 is configured to send the second tunnel packet to the terminal through the tunnel between the secure tunnel gateway and the terminal.
  • In order to ensure the security of the packets transmitted on the VPN tunnel, the secure tunnel gateway may further include:
  • The encryption module 807 is configured to encrypt the second service packet using the SSL tunnel key when the VPN tunnel between the terminal and the secure tunnel gateway is an HTTP VPN tunnel;
  • The decryption module 808 is configured to decrypt the packet obtained by the decapsulation module using the SSL tunnel key to obtain the first service packet when the VPN tunnel between the terminal and the secure tunnel gateway is an HTTP VPN tunnel.
  • The SSL tunnel key is negotiated in advance between the terminal and the secure tunnel gateway over the HTTP tunnel.
  • Accordingly, the encapsulating module 805 is specifically configured to encapsulate the encrypted second service packet into the second tunnel packet, and the first sending module 803 is specifically configured to send the first service packet obtained by the decryption module 808 to the intranet server.
  • Corresponding to the terminal transmitting service packets through the UDP VPN tunnel and service control information through the SSL VPN tunnel, the secure tunnel gateway in another embodiment of the present invention further includes:
  • The third sending module 809 is configured to send the second service control information to the terminal through the SSL VPN tunnel; and/or the fourth receiving module 810 is configured to receive the first service control information through the SSL VPN tunnel.
  • The secure tunnel gateway further includes a first tunnel establishment module 811, configured to establish an SSL tunnel with the terminal, and a second tunnel establishing module 812, configured to negotiate a UDP tunnel key with the terminal through the established SSL tunnel in order to establish a UDP tunnel.
  • The secure tunnel gateway in the embodiment of the present invention acts as an intermediate device: it decapsulates tunnel packets from the terminal and sends them to the intranet server, and encapsulates service packets from the intranet server into tunnel packets and sends them to the terminal, so that service data is transmitted between the terminal and the server in the IMS core network. The terminal can thus traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
  • An embodiment of the present invention provides a network system, which mainly includes the secure tunnel gateway 901 and the intranet server 902 of the foregoing embodiments.
  • The function and structure of the secure tunnel gateway are the same as in the foregoing embodiments and are not repeated here.
  • The network system provided by the embodiment of the present invention uses the secure tunnel gateway as an intermediate device that decapsulates tunnel packets from the terminal and sends them to the intranet server, and encapsulates service packets from the intranet server into tunnel packets and sends them to the terminal, in order to transmit service data between the terminal and the server in the IMS core network. The terminal can thus traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
  • The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), or a random access memory (RAM).


Description

Method, Apparatus and Network System for a Terminal to Traverse a Private Network and Communicate with a Server in an IMS Core Network. This application claims priority to Chinese Patent Application No. 201010264191.4, filed with the Chinese Patent Office on August 20, 2010 and entitled "Method, Apparatus and Network System for a Terminal to Traverse a Private Network and Communicate with a Server in an IMS Core Network", which is incorporated herein by reference in its entirety.
Technical Field
The present invention relates to the field of communication technologies, and in particular to a method, apparatus and network system for a terminal to traverse a private network and communicate with a server in an IMS core network.
Background
The Internet Protocol Multimedia Subsystem (Internet Protocol Media Subsystem, IMS) is an IP-based, access-independent network architecture. It is a converged core network that can be shared by mobile and fixed networks, that is, it can provide converged services to users with different access means such as 2.5G, 3G, WLAN and fixed broadband, and is regarded by the industry as the cornerstone of next-generation networks.
To access the IMS core network, a terminal needs to traverse a private network (for example, the enterprise network it is attached to). Specifically, because private IP addresses are used inside the enterprise network and a NAT device is deployed at its edge, the terminal needs to traverse the NAT device to reach the server in the IMS core network; or, if an application layer proxy server is deployed at the edge of the enterprise network, the terminal needs to traverse the application layer proxy server to reach the server in the IMS core network.
The prior art provides a method for traversing a private network. Specifically, IPSec VPN (Internet Protocol Security VPN) gateways are deployed in the enterprise network and in the IMS network respectively, so that an IPSec VPN tunnel is established between the enterprise network and the IMS network through the deployed IPSec VPN gateways, and the routes of the terminals in the enterprise network are aggregated to the IPSec VPN gateway in the enterprise network, which performs the encapsulation/decapsulation of the service data. Specifically, when a terminal sends service data to the IMS core network, the routing of the service data sent by the terminal is modified so that the service data is first routed to the IPSec VPN gateway in the enterprise network; that gateway encapsulates the service data and transmits it through the IPSec VPN tunnel to the IPSec VPN gateway in the IMS core network, which decapsulates the service data and sends it to the server in the IMS core network.
The prior art requires an IPSec VPN gateway to be deployed in the enterprise-side network and requires the data routing of the terminals to be modified, which is a major change to the enterprise network.
Summary of the Invention
Embodiments of the present invention provide a method, apparatus and network system for a terminal to traverse a private network and communicate with a server in an IMS core network, so that the terminal can traverse the private network and communicate with a server in the public network (that is, the IMS core network) without changing the enterprise network.
In view of this, embodiments of the present invention provide:
A method for a terminal to traverse a private network and communicate with a server in an IMS core network, including:
the terminal sets the source address of service data to be sent to a virtual IP address and the destination address to the address of an intranet server, obtaining a first service packet, where the virtual IP address is an address assigned to the terminal by the multimedia subsystem IMS core network;
encapsulating the first service packet into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of a secure tunnel gateway;
sending the first tunnel packet to the secure tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway sends the first service packet in the first tunnel packet to the intranet server.
A method for a terminal to traverse a private network and communicate with a server in an IMS core network, including:
a secure tunnel gateway receives a first tunnel packet through the tunnel between the secure tunnel gateway and a terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway;
decapsulating the first tunnel packet to obtain a first service packet, where the source address of the first service packet is a virtual IP address and the destination address is the address of an intranet server; and sending the first service packet to the intranet server.
A terminal, including a communication capability component, where the communication capability component includes:
a first data aggregation module, configured to set the source address of service data to be sent to a virtual IP address and the destination address to the address of an intranet server, obtaining a first service packet, where the virtual IP address is an address assigned to the terminal by the multimedia subsystem IMS core network;
a first tunnel transmission module, configured to encapsulate the first service packet into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of a secure tunnel gateway, and to send the first tunnel packet to the secure tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway sends the first service packet in the first tunnel packet to the intranet server.
A secure tunnel gateway, including:
a first receiving module, configured to receive a first tunnel packet through the tunnel between the secure tunnel gateway and a terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway; a decapsulation module, configured to decapsulate the first tunnel packet; and a first sending module, configured to send the first service packet obtained by the decapsulation module to the intranet server, where the source address of the first service packet is a virtual IP address and the destination address is the address of the intranet server.
A network system, including a secure tunnel gateway and an intranet server. The secure tunnel gateway is configured to receive a first tunnel packet through the tunnel between the secure tunnel gateway and a terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the secure tunnel gateway; decapsulate the first tunnel packet to obtain a first service packet, where the source address of the first service packet is a virtual IP address and the destination address is the address of the intranet server; send the first service packet to the intranet server; receive a second service packet sent by the intranet server, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address; encapsulate the second service packet into a second tunnel packet, where the source IP address of the second tunnel packet is the IP address of the secure tunnel gateway and the destination IP address is the IP address of the terminal; and send the second tunnel packet to the terminal through the tunnel between the secure tunnel gateway and the terminal. The intranet server is configured to receive the first service packet sent by the secure tunnel gateway and to send the second service packet to the secure tunnel gateway.
In the embodiments of the present invention, the terminal uses the virtual IP address assigned by the IMS core network as its communication address with the intranet server, sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, encapsulates the result into a tunnel packet and transmits it to the secure tunnel gateway through the tunnel between the terminal and the secure tunnel gateway, so that the secure tunnel gateway can send the service packet whose source address is the virtual IP address and whose destination address is the address of the intranet server to the intranet server. In this way, service data between the intranet server and the terminal is transmitted through the secure tunnel gateway, and the terminal can traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
In the embodiments of the present invention, the secure tunnel gateway acts as an intermediate device that decapsulates tunnel packets from the terminal and sends them to the intranet server, so that service data is transmitted between the terminal and the server in the IMS core network. The terminal can thus traverse the private network and communicate with the server in the public network without changing the enterprise network where the terminal is located.
Brief Description of the Drawings
FIG. 1A is a flowchart of a method for a terminal to traverse a private network and communicate with a server in an IMS core network according to an embodiment of the present invention;
FIG. 1B is a flowchart of another method for a terminal to traverse a private network and communicate with a server in an IMS core network according to an embodiment of the present invention;
FIG. 2A is a flowchart of another method for a terminal to traverse a private network and communicate with a server in an IMS core network according to an embodiment of the present invention;
FIG. 2B is a flowchart of yet another method for a terminal to traverse a private network and communicate with a server in an IMS core network according to an embodiment of the present invention;
FIG. 3 is a flowchart of VPN tunnel establishment according to an embodiment of the present invention;
FIG. 4 is a flowchart of terminal identity authentication according to an embodiment of the present invention;
FIG. 5 is a flowchart of IMS service data security traversal according to an embodiment of the present invention;
FIG. 6 is a flowchart of another IMS service data security traversal according to an embodiment of the present invention;
FIG. 7 is a structural diagram of a terminal according to an embodiment of the present invention;
FIG. 8 is a structural diagram of a secure tunnel gateway according to an embodiment of the present invention;
FIG. 9 is a structural diagram of a network system according to an embodiment of the present invention.
Detailed Description of the Embodiments
Referring to FIG. 1A, an embodiment of the present invention provides a method for a terminal to traverse a private network to communicate with a server in an IMS core network. The method describes the technical solution from the terminal side and includes:
101. The terminal sets the source address of the service data to be sent to a virtual IP address and the destination address to the address of the intranet server, obtaining a first service packet, where the virtual IP address is an address allocated to the terminal by the IP Multimedia Subsystem (IMS) core network.
Specifically, the terminal obtains the first service packet as follows: it sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, sets the source port of the service data to the service port of the terminal, and sets the destination port of the service data to the service port of the intranet server.
This embodiment and the following embodiments apply to the following environment: the terminal is located in a private network, for example an enterprise network, and wants to communicate with a server in the IMS core network; the terminal therefore needs to traverse the private network to communicate with the intranet server in the IMS core network.
The virtual IP address is allocated by a Security Tunnel Gateway (STG) located at the edge of the IMS core network. The security tunnel gateway may be the VPN gateway described in the following embodiments. The tunnel between the terminal and the security tunnel gateway may be a User Datagram Protocol (UDP) VPN tunnel, a Secure Sockets Layer (SSL) VPN tunnel or a Hypertext Transfer Protocol (HTTP) VPN tunnel.
The virtual IP address may also be allocated by a Dynamic Host Configuration Protocol (DHCP) server of the IMS core network.
The UDP VPN tunnel includes a Datagram Transport Layer Security (DTLS) VPN tunnel.
102. Encapsulate the first service packet into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway.
Specifically, encapsulating the first tunnel packet includes: setting the source IP address of the encapsulated first service packet to the IP address of the terminal (the terminal's real IP address), setting its destination IP address to the IP address of the security tunnel gateway, setting its source port to the tunnel port of the terminal, and setting its destination port to the tunnel port of the security tunnel gateway.
103. Send the first tunnel packet to the security tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the security tunnel gateway, so that the security tunnel gateway sends the first service packet carried in the first tunnel packet to the intranet server.
FIG. 1B is a flowchart of another method for a terminal to traverse a private network to communicate with a server in an IMS core network according to an embodiment of the present invention. The embodiment of FIG. 1B describes how the terminal, when it needs to receive service data from the intranet server, traverses the private network to receive service data sent by the server in the IMS core network. As shown in FIG. 1B, the method includes:
104. The terminal receives a second tunnel packet through the tunnel, where the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal;
105. Decapsulate the second tunnel packet to obtain a second service packet, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address;
106. Obtain the service data in the second service packet.
In practice, the methods of the embodiments shown in FIG. 1A and FIG. 1B may be combined. The embodiment of FIG. 1A describes how the terminal traverses the private network to send service data to the server in the IMS core network, and the embodiment of FIG. 1B describes how the terminal traverses the private network to receive service data sent by the server in the IMS core network.
When both a UDP VPN tunnel and an SSL VPN tunnel exist between the terminal and the security tunnel gateway, service data is transmitted through the UDP VPN tunnel and service control information through the SSL VPN tunnel. Specifically, the method further includes: the terminal sends first service control information to the security tunnel gateway through the SSL VPN tunnel, for example a request that the security gateway allocate a virtual IP address or, when the terminal needs to release the VPN tunnel, an indication to release the VPN tunnel; or the terminal receives second service control information sent by the security tunnel gateway through the SSL VPN tunnel, for example, after the security tunnel gateway has allocated a virtual IP address to the terminal, the terminal receives the allocated virtual IP address through the SSL VPN tunnel.
In the embodiments of the present invention, the terminal uses the virtual IP address allocated by the IMS core network as its address for communicating with the intranet server: it sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, encapsulates the result into a tunnel packet, and transmits it to the security tunnel gateway through the tunnel between the terminal and the security tunnel gateway, so that the security tunnel gateway can send the service packet whose source address is the virtual IP address and whose destination address is the intranet server address to the intranet server; when the terminal needs to receive service data from the intranet server, it decapsulates the received tunnel packet to obtain a service packet whose source address is the address of the intranet server and whose destination address is the virtual IP address. In this way, service data between the intranet server and the terminal is carried through the security tunnel gateway, and the terminal can traverse the private network and communicate with a server in the public network without any change to the enterprise network in which the terminal is located.
Referring to FIG. 2A, an embodiment of the present invention provides a method for a terminal to traverse a private network to communicate with a server in an IMS core network. The method describes the technical solution from the security tunnel gateway side and includes:
201. The security tunnel gateway receives a first tunnel packet through the tunnel between the security tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway.
The virtual IP address is allocated by the security tunnel gateway, and the tunnel between the security tunnel gateway and the terminal may be a User Datagram Protocol (UDP) tunnel, a Secure Sockets Layer (SSL) tunnel or a Hypertext Transfer Protocol (HTTP) tunnel.
202. The security tunnel gateway decapsulates the first tunnel packet to obtain a first service packet, where the source address of the first service packet is the virtual IP address and the destination address is the address of the intranet server.
203. The security tunnel gateway sends the first service packet to the intranet server.
FIG. 2B is a flowchart of yet another method for a terminal to traverse a private network to communicate with a server in an IMS core network according to an embodiment of the present invention. The embodiment of FIG. 2B describes, from the security tunnel gateway side, how a service packet sent by the intranet server is transmitted to the terminal through the VPN tunnel. As shown in FIG. 2B, the method includes:
204. The security tunnel gateway receives a second service packet sent by the intranet server, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address;
205. Encapsulate the second service packet into a second tunnel packet, where the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal;
206. Send the second tunnel packet to the terminal through the tunnel between the security tunnel gateway and the terminal.
The embodiments of FIG. 2A and FIG. 2B both describe, from the security tunnel gateway side, the method for a terminal to traverse a private network to communicate with a server in an IMS core network: the embodiment of FIG. 2A describes how a service packet sent by the terminal through the VPN tunnel is forwarded to the server in the IMS core network, and the embodiment of FIG. 2B describes how a service packet sent by the server in the IMS core network is transmitted to the terminal through the VPN tunnel. In practice, the methods of the two embodiments may be combined.
When both a UDP VPN tunnel and an SSL VPN tunnel exist between the terminal and the security tunnel gateway, service data is transmitted through the UDP VPN tunnel and service control information through the SSL VPN tunnel. Specifically, the method further includes: the security tunnel gateway sends second service control information to the terminal through the SSL VPN tunnel, for example, after allocating a virtual IP address to the terminal, the security tunnel gateway sends the virtual IP address to the terminal through the SSL VPN tunnel; or the security tunnel gateway receives first service control information sent by the terminal through the SSL VPN tunnel, for example, when the terminal needs to release the VPN tunnel, it may send an indication to release the VPN tunnel to the security tunnel gateway through the SSL VPN tunnel.
In the embodiments of the present invention, the security tunnel gateway acts as an intermediate device that decapsulates tunnel packets from the terminal and sends them to the intranet server, and encapsulates service packets from the intranet server into tunnel packets and sends them to the terminal, so that service data is transmitted between the terminal and the server in the IMS core network; thus the terminal can traverse the private network and communicate with a server in the public network without any change to the enterprise network in which the terminal is located.
The technical solution provided by the embodiments of the present invention is described in detail below.
FIG. 3 shows a flowchart of VPN tunnel establishment according to an embodiment of the present invention. The VPN tunnel establishment process specifically includes:
301. The terminal determines whether information about an application-layer proxy server has been configured; if so, it sends a proxy connection establishment request message to the application-layer proxy server; if not, it proceeds to step 303.
Specifically, the service module of the terminal calls the interface of the tunnel transmission module in the terminal's communication capability component, which triggers the tunnel transmission module to determine whether application-layer proxy server information has been configured; if the result is yes, it sends the proxy connection establishment request message, and if no, it sends a VPN tunnel establishment request directly to the VPN security tunnel gateway. In the embodiments of the present invention, the communication capability component includes three modules: a tunnel transmission module, an encryption/decryption module and a data aggregation module. This step is performed by the tunnel transmission module.
The application-layer proxy server information includes the proxy server type, IP address and port; proxy server types include HTTP proxy servers, HTTPS proxy servers, SOCKS proxy servers and the like. Before this step, the user decides, according to the network conditions between the enterprise network and the VPN gateway (that is, the security tunnel gateway), whether an application-layer proxy server must be traversed; if the VPN gateway must be reached through an application-layer proxy server, the type, IP address and port of the proxy server need to be configured on the terminal.
302. The application-layer proxy server returns a proxy connection establishment response message to the terminal.
Specifically, this step may be the application-layer proxy server returning the proxy connection establishment response message to the tunnel transmission module in the terminal.
The process of establishing a proxy connection differs between types of application-layer proxy server, and the number of message exchanges may also differ, but establishing a proxy connection places no special requirement on NAT devices, so the proxy connection establishment request and response messages can traverse any normally functioning NAT device.
303. The terminal sends a VPN tunnel establishment request message to the VPN gateway.
Specifically, the tunnel transmission module in the terminal sends the VPN tunnel establishment request message to the VPN gateway.
304. The VPN gateway returns a VPN tunnel establishment response message to the terminal.
The VPN tunnel in this embodiment may be of three types: SSL VPN, HTTP VPN and UDP VPN. Specifically, the VPN gateway returns the VPN tunnel establishment response message to the tunnel transmission module in the terminal.
When the terminal needs to connect to the VPN gateway through an application-layer proxy server, step 303 sends the VPN tunnel establishment request message to the VPN gateway through the application-layer proxy server, and correspondingly, in step 304 the VPN gateway sends the VPN tunnel establishment response message to the terminal through the application-layer proxy server.
305. After the VPN tunnel has been established, the terminal sends a packet requesting configuration information to the VPN gateway through the VPN tunnel.
Specifically, the tunnel transmission module in the terminal sends the packet requesting configuration information to the VPN gateway.
306. The VPN gateway returns the configuration information to the terminal through the VPN tunnel.
The configuration information includes the IP address/mask of the intranet server and the virtual IP address/mask allocated to the terminal by the VPN gateway. The IP address of the intranet server may be one or more specific IP addresses or several IP address ranges, in which case the intranet server spans several network segments.
Specifically, the VPN gateway returns the configuration information to the tunnel transmission module in the terminal; the tunnel transmission module parses the configuration information and passes it to the data aggregation module, which configures the terminal address as the virtual IP address/mask and configures the address/mask of the intranet server with which the terminal communicates, and then notifies the tunnel transmission module that configuration is complete; the tunnel transmission module then sends an indication that tunnel establishment is complete to the service module in the terminal.
Steps 303-304 may specifically be implemented as follows:
1. The terminal first attempts to establish a UDP tunnel: it sends a UDP tunnel establishment request to the VPN gateway, optionally carrying identity information in the request message; the VPN gateway may verify the legitimacy of the identity by exchanging information with an authentication server and returns the verification result to the terminal. If the terminal identity is legitimate and the enterprise network firewall has opened the specific UDP port, the UDP tunnel is established successfully; otherwise, UDP tunnel establishment fails. The UDP tunnel described in this section includes a plaintext UDP tunnel, an encrypted UDP tunnel and a UDP-based DTLS (Datagram Transport Layer Security) tunnel. It should be understood that when SOCKS v5, HTTP and HTTPS proxy servers coexist, a UDP tunnel that must be established through an application-layer proxy server is required to go through the SOCKS v5 proxy server; compared with the HTTP and SSL tunnels, the UDP tunnel gives better voice quality.
2. The terminal attempts to establish an SSL tunnel: it sends an SSL tunnel establishment request to the VPN gateway, optionally carrying identity information in the request message; the VPN gateway may verify the legitimacy of the identity by exchanging information with an authentication server and returns the verification result to the terminal. If the terminal identity is legitimate and the enterprise network firewall has opened the specific SSL port, the SSL tunnel is established successfully; otherwise, SSL tunnel establishment fails. After the SSL tunnel has been established, a UDP tunnel may additionally be established: specifically, a UDP connection establishment request may first be sent to probe whether the path between the terminal and the VPN gateway is open; if it is, the terminal negotiates a UDP tunnel key with the VPN gateway through the SSL tunnel so as to establish the UDP tunnel. The UDP tunnel described in this section includes a plaintext UDP tunnel, an encrypted UDP tunnel and a UDP-based DTLS (Datagram Transport Layer Security) tunnel. It should be understood that an SSL tunnel that must be established through an application-layer proxy server is required to go through the HTTPS proxy server.
3. The terminal attempts to establish an HTTP tunnel: it sends an HTTP tunnel establishment request to the VPN gateway, optionally carrying identity information in the request message; the VPN gateway may verify the legitimacy of the identity by exchanging information with an authentication server and returns the verification result to the terminal. If the terminal identity is legitimate and the enterprise network firewall has opened the HTTP port, the HTTP tunnel is established successfully. After the tunnel has been established, the terminal negotiates an SSL tunnel key with the VPN gateway through the HTTP tunnel, so that the service data transmitted in the HTTP tunnel can subsequently be encrypted with the SSL tunnel key. It should be understood that an HTTP tunnel that must be established through an application-layer proxy server is required to go through the HTTP proxy server.
It should be noted that if the service to be carried has a low security requirement but a high performance requirement, a UDP tunnel may be chosen, and if the service has a high security requirement, an SSL tunnel may be chosen.
Optionally, the terminal may first try to establish a service connection directly with the intranet server in the IMS core network in the existing manner. Because IMS services require many UDP ports to be opened on the firewalls deployed in the enterprise network and in the IMS network, if the ports opened on the firewall do not meet the needs of the IMS service, the attempt to establish a direct service connection between the terminal and the intranet server fails; after that failure, the terminal requests establishment of a UDP VPN tunnel, an SSL VPN tunnel or an HTTP VPN tunnel in the manner described above. Alternatively, the terminal may directly request establishment of a UDP VPN tunnel, an SSL VPN tunnel or an HTTP VPN tunnel in the manner described above.
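The fallback order of ways 1 to 3 above (UDP, then SSL with an optional UDP upgrade keyed over SSL, then HTTP with an SSL key negotiated over it), together with the proxy-type and firewall-port conditions, as an added Python model that is not part of the patent. The gateway port numbers, the proxy type names, the key derivation and the NetworkPath and TunnelState types are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional, Set, Tuple

class Tunnel(Enum):
    UDP = "UDP"
    SSL = "SSL"
    HTTP = "HTTP"

# Application-layer proxy each tunnel type can cross, as stated in the patent:
# UDP via a SOCKS v5 proxy, SSL via an HTTPS proxy, HTTP via an HTTP proxy.
PROXY_FOR = {Tunnel.UDP: "SOCKS5", Tunnel.SSL: "HTTPS", Tunnel.HTTP: "HTTP"}
# Constructed gateway ports; the patent only speaks of "a specific UDP/SSL port" and "the HTTP port".
GATEWAY_PORT = {Tunnel.UDP: ("udp", 4433), Tunnel.SSL: ("tcp", 443), Tunnel.HTTP: ("tcp", 80)}

@dataclass
class NetworkPath:
    """Constructed model of the enterprise network between the terminal and the VPN gateway."""
    open_ports: Set[Tuple[str, int]]                # (proto, port) pairs the enterprise firewall lets out
    proxies: Set[str] = field(default_factory=set)  # configured proxy types; empty means a direct path
    identity_ok: bool = True                        # verdict the gateway got from the authentication server

@dataclass
class TunnelState:
    data_tunnel: Optional[Tunnel] = None      # tunnel carrying service data
    control_tunnel: Optional[Tunnel] = None   # tunnel carrying service control information
    keys: dict = field(default_factory=dict)  # keys negotiated inside an established tunnel
    log: List[str] = field(default_factory=list)

def negotiate_key(over: Tunnel, purpose: str) -> bytes:
    """Stand-in for key negotiation inside an established tunnel (constructed, not the patent's)."""
    return hashlib.sha256(f"{over.value}:{purpose}".encode()).digest()[:16]

def try_tunnel(kind: Tunnel, path: NetworkPath, state: TunnelState) -> bool:
    """One request/response of steps 303-304: proxy type, firewall port and identity must all fit."""
    if path.proxies and PROXY_FOR[kind] not in path.proxies:
        state.log.append(f"{kind.value}: needs a {PROXY_FOR[kind]} proxy, none configured")
        return False
    if GATEWAY_PORT[kind] not in path.open_ports:
        state.log.append(f"{kind.value}: firewall does not open {GATEWAY_PORT[kind]}")
        return False
    if not path.identity_ok:
        state.log.append(f"{kind.value}: gateway rejected the terminal's identity")
        return False
    state.log.append(f"{kind.value}: tunnel established")
    return True

def attempt_udp(path: NetworkPath, state: TunnelState) -> bool:
    """Way 1: a UDP tunnel carrying the service data directly."""
    if not try_tunnel(Tunnel.UDP, path, state):
        return False
    state.data_tunnel = Tunnel.UDP
    return True

def attempt_ssl(path: NetworkPath, state: TunnelState, probe_udp: bool = True) -> bool:
    """Way 2: an SSL tunnel; optionally probe the UDP path and negotiate a UDP key over SSL,
    after which service data moves to UDP and control information stays on SSL."""
    if not try_tunnel(Tunnel.SSL, path, state):
        return False
    state.data_tunnel = Tunnel.SSL
    if probe_udp and try_tunnel(Tunnel.UDP, path, state):
        state.keys["UDP"] = negotiate_key(Tunnel.SSL, "udp-tunnel-key")
        state.data_tunnel, state.control_tunnel = Tunnel.UDP, Tunnel.SSL
    return True

def attempt_http(path: NetworkPath, state: TunnelState) -> bool:
    """Way 3: an HTTP tunnel; an SSL tunnel key negotiated over it then encrypts the service data."""
    if not try_tunnel(Tunnel.HTTP, path, state):
        return False
    state.data_tunnel = Tunnel.HTTP
    state.keys["SSL"] = negotiate_key(Tunnel.HTTP, "ssl-tunnel-key")
    return True

def establish(path: NetworkPath, high_security: bool = False) -> TunnelState:
    """Fallback chain of the patent: UDP, then SSL, then HTTP. A high-security service starts at
    SSL and keeps its data there instead of moving it to UDP."""
    state = TunnelState()
    if high_security:
        attempts = [lambda: attempt_ssl(path, state, probe_udp=False)]
    else:
        attempts = [lambda: attempt_udp(path, state), lambda: attempt_ssl(path, state)]
    attempts.append(lambda: attempt_http(path, state))
    for attempt in attempts:
        if attempt():
            return state
    state.log.append("no VPN tunnel could be established")
    return state
```

The `log` list records why each attempt failed, which is the information an operator needs when a terminal silently falls back to the HTTP tunnel.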
FIG. 4 shows a flowchart of identity authentication through the VPN tunnel according to an embodiment of the present invention. The identity authentication process through the VPN tunnel includes:
401. The terminal sends a terminal identification code to the VPN gateway through the VPN tunnel.
402. The VPN gateway determines, from local or external subscription records and the terminal identification code, whether the terminal is allowed to establish a VPN tunnel, and returns the authentication result to the terminal, that is, the result indicating whether the terminal may establish a VPN tunnel.
403. When the terminal is allowed to establish a VPN tunnel, the terminal sends user identity information to the VPN gateway through the VPN tunnel.
The user identity information includes a user name and a password.
404. The VPN gateway verifies the user's identity according to the user identity information and returns the verification result.
Specifically, the user's identity may be verified against locally stored subscriber information or subscriber information held on an external server.
The terminal also sends a message through the VPN tunnel requesting that the VPN gateway authenticate the component caller, that is, requesting that the VPN gateway verify whether the terminal may use the communication capability component and execute its functions, in other words, whether the terminal may establish a VPN and perform data aggregation.
The steps shown in FIG. 4 are performed by the tunnel transmission module in the terminal.
FIG. 5 shows a flowchart of secure traversal of IMS service data according to an embodiment of the present invention, in which the terminal initiates communication with the intranet server in the IMS core network. Specifically, the secure traversal process for IMS service data includes:
501-502. The terminal sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, sets the source port of the service data to the service port of the terminal and the destination port to the service port of the intranet server, obtaining a first service packet; encrypts the first service packet; sets the source IP address of the encrypted packet to the terminal's real IP address, the destination IP address to the IP address of the VPN gateway, the source port to the tunnel port of the terminal and the destination port to the tunnel port of the VPN gateway, obtaining a first tunnel packet; and then sends the first tunnel packet to the VPN gateway through the tunnel between the terminal and the VPN gateway.
As described above, the terminal includes a communication capability component with three main modules: a data aggregation module, an encryption/decryption module and a tunnel transmission module. Specifically, the data aggregation module includes a first data aggregation module and a second data aggregation module, the encryption/decryption module includes an encryption module and a decryption module, and the tunnel transmission module includes a first tunnel transmission module and a second tunnel transmission module.
The terminal may obtain the first service packet in two ways. In the first, the service module of the terminal calls an interface provided by the first data aggregation module in the terminal, which triggers the first data aggregation module to set the source address of the service data to be sent to the virtual IP address, the destination address to the address of the intranet server, the source port to the service port of the terminal and the destination port to the service port of the intranet server. In the second, the first data aggregation module in the terminal captures the service data to be sent at a communication interface provided by the operating system and sets the source address of the service data to the virtual IP address, the destination address to the address of the intranet server, the source port to the service port of the terminal and the destination port to the service port of the intranet server. The communication interface provided by the operating system may be a virtual network adapter driver interface or the Transport Driver Interface (TDI).
The encryption module in the terminal then encrypts the first service packet, and the first tunnel transmission module in the terminal sets the source IP address of the encrypted packet to the terminal's real IP address, the destination IP address to the IP address of the VPN gateway, the source port to the tunnel port of the terminal and the destination port to the tunnel port of the VPN gateway, obtaining the first tunnel packet, and then sends the first tunnel packet to the VPN gateway through the tunnel between the terminal and the VPN gateway. Specifically, if the VPN tunnel used is an HTTP VPN tunnel, the encryption module in the terminal encrypts the first service packet with the SSL tunnel key in this step.
503-504. After receiving the first tunnel packet, the VPN gateway decapsulates and decrypts it to obtain the first service packet, whose source address is the virtual IP address and whose destination address is the IP address of the intranet server, and sends the first service packet to the intranet server.
If an HTTP tunnel is used, the VPN gateway decrypts the first tunnel packet with the SSL tunnel key in this step.
505. After receiving the first service packet, if the intranet server needs to return a response packet to the terminal, it sends to the VPN gateway a second service packet whose source address is the IP address of the intranet server, whose destination address is the virtual IP address, whose source port is the service port of the intranet server and whose destination port is the service port of the terminal.
Specifically, the intranet server broadcasts an Address Resolution Protocol (ARP) message carrying the virtual IP address in order to find out which VPN gateway the virtual IP address belongs to; the VPN gateway that allocated that virtual IP address sends an ARP reply message to the intranet server carrying the MAC address of the VPN gateway, and the intranet server sends the second service packet to the VPN gateway according to that MAC address.
506-507. The VPN gateway encrypts the received second service packet, encapsulates it into a second tunnel packet, and sends the second tunnel packet to the terminal through the tunnel between the VPN gateway and the terminal.
If an HTTP tunnel is used, the VPN gateway encrypts the second service packet with the SSL tunnel key in this step.
508. After receiving the second tunnel packet sent by the VPN gateway, the terminal decapsulates and decrypts it to obtain the second service packet, and extracts the service data from the second service packet.
Specifically, the second tunnel transmission module in the terminal receives the second tunnel packet sent by the VPN gateway and decapsulates it, removing the source IP address (the IP address of the VPN gateway), the destination IP address (the terminal's real IP address), the source port (the tunnel port of the VPN gateway) and the destination port (the tunnel port of the terminal) of the second tunnel packet. The decryption module in the terminal then decrypts the decapsulated packet to obtain the second service packet, and the second data aggregation module removes the source IP address (the IP address of the intranet server), the destination IP address (the virtual IP address), the source port (the service port of the intranet server) and the destination port (the service port of the terminal) of the decrypted second service packet and extracts the service data from it.
If the service module in the upper layer of the terminal wants to obtain the service data in the second service packet, there are two ways: in the first, the service module of the terminal obtains the service data of the second service packet from the second data aggregation module in the terminal; in the second, the second data aggregation module of the terminal injects the extracted service data into the communication interface provided by the operating system, and the service module in the terminal obtains the service data of the second service packet from that interface.
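Both directions of the packet flow above (steps 501-508, which also cover the flows of FIG. 1A/1B and FIG. 2A/2B and the server-initiated variant of FIG. 6), as an added Python model that is not part of the patent: the terminal builds the inner service packet addressed from the virtual IP and wraps it in a tunnel packet addressed from its real IP, and the gateway decapsulates, validates, answers ARP only for virtual IPs it allocated, and encapsulates the reply. The wire format, the XOR stand-in for encryption with the SSL tunnel key, and all addresses, ports and key bytes are constructed; the check that the inner source equals the virtual IP bound to the tunnel is an added defensive check the patent does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes

    def to_bytes(self) -> bytes:
        # Constructed wire format: header fields separated by '|', then the payload.
        return f"{self.src_ip}|{self.dst_ip}|{self.src_port}|{self.dst_port}|".encode() + self.payload

    @staticmethod
    def from_bytes(raw: bytes) -> "Packet":
        src_ip, dst_ip, sport, dport, payload = raw.split(b"|", 4)
        return Packet(src_ip.decode(), dst_ip.decode(), int(sport), int(dport), payload)

def tunnel_cipher(data: bytes, key: bytes) -> bytes:
    """Stand-in for encryption with the SSL tunnel key (XOR; constructed and not secure)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

class Terminal:
    """Terminal side: data aggregation plus tunnel transmission (steps 501-502 and 508)."""
    def __init__(self, real_ip, tunnel_port, service_port, stg_ip, stg_tunnel_port, key):
        self.real_ip, self.tunnel_port, self.service_port = real_ip, tunnel_port, service_port
        self.stg_ip, self.stg_tunnel_port, self.key = stg_ip, stg_tunnel_port, key
        self.virtual_ip: Optional[str] = None  # taken from the gateway's configuration reply (step 306)

    def send(self, data: bytes, server_ip: str, server_port: int) -> Packet:
        # Step 501: inner service packet from the virtual IP to the intranet server's service port.
        inner = Packet(self.virtual_ip, server_ip, self.service_port, server_port, data)
        # Step 502: encrypt it, then address the outer packet with the real IP and the tunnel ports.
        return Packet(self.real_ip, self.stg_ip, self.tunnel_port, self.stg_tunnel_port,
                      tunnel_cipher(inner.to_bytes(), self.key))

    def receive(self, tunnel_pkt: Packet) -> bytes:
        # Step 508: check the outer header, decapsulate, decrypt, then strip the inner header.
        if (tunnel_pkt.src_ip, tunnel_pkt.src_port) != (self.stg_ip, self.stg_tunnel_port):
            raise ValueError("tunnel packet is not from the security tunnel gateway")
        inner = Packet.from_bytes(tunnel_cipher(tunnel_pkt.payload, self.key))
        if (inner.dst_ip, inner.dst_port) != (self.virtual_ip, self.service_port):
            raise ValueError("second service packet is not addressed to this terminal")
        return inner.payload

class SecurityTunnelGateway:
    def __init__(self, ip, tunnel_port, mac, virtual_pool, server_nets, key):
        self.ip, self.tunnel_port, self.mac, self.key = ip, tunnel_port, mac, key
        self.pool = list(virtual_pool)
        self.server_nets = [ipaddress.ip_network(n) for n in server_nets]  # intranet server IP/mask
        self.by_endpoint: Dict[Tuple[str, int], str] = {}  # (terminal IP, tunnel port) -> virtual IP
        self.by_virtual: Dict[str, Tuple[str, int]] = {}   # virtual IP -> (terminal IP, tunnel port)

    def assign_virtual_ip(self, terminal_ip: str, tunnel_port: int) -> str:
        # Step 306: bind a virtual IP from the pool to this tunnel endpoint.
        vip = self.pool.pop(0)
        self.by_endpoint[(terminal_ip, tunnel_port)] = vip
        self.by_virtual[vip] = (terminal_ip, tunnel_port)
        return vip

    def from_terminal(self, tunnel_pkt: Packet) -> Packet:
        # Steps 503-504: decapsulate and decrypt, then validate the inner header before forwarding.
        vip = self.by_endpoint.get((tunnel_pkt.src_ip, tunnel_pkt.src_port))
        if vip is None or tunnel_pkt.dst_port != self.tunnel_port:
            raise ValueError("no established tunnel for this outer source")
        inner = Packet.from_bytes(tunnel_cipher(tunnel_pkt.payload, self.key))
        # Added check (not in the patent): the inner source must be the virtual IP bound to this tunnel.
        if inner.src_ip != vip:
            raise ValueError("inner source is not the virtual IP bound to this tunnel")
        if not any(ipaddress.ip_address(inner.dst_ip) in net for net in self.server_nets):
            raise ValueError("inner destination is outside the configured intranet server ranges")
        return inner

    def arp_reply(self, virtual_ip: str) -> Optional[str]:
        # Steps 505 / 601: answer the server's ARP query only for virtual IPs this gateway allocated.
        return self.mac if virtual_ip in self.by_virtual else None

    def from_server(self, service_pkt: Packet) -> Packet:
        # Steps 506-507: find the tunnel by the destination virtual IP, encrypt, encapsulate.
        endpoint = self.by_virtual.get(service_pkt.dst_ip)
        if endpoint is None:
            raise ValueError("unknown virtual IP, no tunnel to deliver to")
        terminal_ip, terminal_port = endpoint
        return Packet(self.ip, terminal_ip, self.tunnel_port, terminal_port,
                      tunnel_cipher(service_pkt.to_bytes(), self.key))

def round_trip() -> bytes:
    """Constructed end-to-end run: terminal -> gateway -> server, then the server's reply back."""
    key = b"constructed-ssl-tunnel-key"
    stg = SecurityTunnelGateway("203.0.113.10", 4433, "02:00:00:00:00:01",
                                ["10.250.0.2", "10.250.0.3"], ["10.10.0.0/16"], key)
    term = Terminal("192.168.1.20", 50000, 5060, stg.ip, stg.tunnel_port, key)
    term.virtual_ip = stg.assign_virtual_ip(term.real_ip, term.tunnel_port)
    first = stg.from_terminal(term.send(b"REGISTER sip:ims.example SIP/2.0", "10.10.1.5", 5060))
    reply = Packet("10.10.1.5", first.src_ip, 5060, first.src_port, b"SIP/2.0 200 OK")
    return term.receive(stg.from_server(reply))
```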
In the embodiments of the present invention, all service data is transmitted through VPN tunnels (such as the UDP VPN tunnel, SSL VPN tunnel and HTTP VPN tunnel described above). These tunnels can all pass through NAT devices such as routers, firewalls and switches with NAT capability, which prevents those NAT devices from applying access control, address rewriting and similar operations to the service data and thus avoids communication failures between the terminal and the intranet server caused by NAT device operations. Moreover, the UDP VPN tunnel can traverse a SOCKS v5 proxy server, the SSL VPN tunnel can traverse an HTTPS proxy server and the HTTP VPN tunnel can traverse an HTTP proxy server, so that when the terminal communicates with the intranet server the corresponding application-layer proxy server is likewise prevented from applying access control, address rewriting and similar operations to the service data, avoiding communication failures between the terminal and the intranet server caused by proxy server operations. Furthermore, this embodiment uses the virtual IP address as the terminal's address for communicating with the intranet server and communicates with the intranet server through the VPN gateway, so the enterprise network needs no additional route translation and no change.
FIG. 6 shows a flowchart of secure traversal of IMS service data according to an embodiment of the present invention, in which the intranet server in the IMS core network initiates communication with the terminal. Specifically, the secure traversal process for IMS service data includes:
601. The intranet server sends to the VPN gateway a service packet whose source address is the IP address of the intranet server, whose destination address is the virtual IP address, whose source port is the service port of the intranet server and whose destination port is the service port of the terminal.
Specifically, when the intranet server needs to send service data to the terminal corresponding to a virtual IP address, it broadcasts an ARP message carrying that virtual IP address in order to find out which VPN gateway the virtual IP address belongs to; the VPN gateway that allocated the virtual IP address sends an ARP reply message carrying the IP address of the VPN gateway to the intranet server, and the intranet server sends, according to that IP address, a service packet whose source address is the IP address of the intranet server and whose destination address is the virtual IP address to the VPN gateway.
602-603. The VPN gateway encrypts and encapsulates the received service packet to obtain a tunnel packet, and sends the tunnel packet to the terminal through the established tunnel.
For the specific implementation of this step, see the description of steps 506-507 above; it is not repeated here.
604. After receiving the tunnel packet sent by the VPN gateway, the terminal decapsulates and decrypts it to obtain the service packet and obtains the service data in the service packet.
For the specific implementation of this step, see the description of step 508 above; it is not repeated here. As in the embodiment of FIG. 5, all service data is carried in VPN tunnels that traverse NAT devices and application-layer proxy servers, and the virtual IP address is used as the terminal's address, so the enterprise network needs no change.
It should be noted that after the UDP VPN tunnel, SSL VPN tunnel or HTTP VPN tunnel has been established in the above embodiments, the terminal periodically sends keepalive packets to the VPN gateway, or sends keepalive packets to the VPN gateway at a configured time, in order to maintain the established tunnel.
It should be noted that when two VPN tunnels exist between the terminal and the VPN gateway, namely a UDP VPN tunnel and an SSL VPN tunnel, service data may be transmitted through the UDP VPN tunnel in the manner described in the above embodiments, and the terminal may additionally transmit service control information through the SSL VPN tunnel. Specifically, the terminal encrypts the first service control information to be sent, sets the source IP address of the encrypted control information to the terminal's real IP address and the destination IP address to the IP address of the VPN gateway, and sends it to the VPN gateway; the VPN gateway decapsulates and decrypts it to obtain the first control information. Similarly, the VPN gateway may send second control information to the terminal through the SSL VPN tunnel. In this way, service data is carried over the lower-security UDP VPN tunnel and service control information over the higher-security SSL VPN tunnel.
Referring to FIG. 7, an embodiment of the present invention provides a terminal, including:
a first data aggregation module 701, configured to set the source address of service data to be sent to a virtual IP address and the destination address to the address of the intranet server, obtaining a first service packet, where the virtual IP address is an address allocated to the terminal by the IP Multimedia Subsystem (IMS) core network; and
a first tunnel transmission module 702, configured to encapsulate the first service packet into a first tunnel packet, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway, and to send the first tunnel packet to the security tunnel gateway through the virtual private network (VPN) tunnel between the terminal and the security tunnel gateway, so that the security tunnel gateway sends the first service packet carried in the first tunnel packet to the intranet server.
Further, in another embodiment of the present invention, in order to receive service data sent by the intranet server, the terminal may further include:
a second tunnel transmission module 703, configured to receive a second tunnel packet through the tunnel when the terminal needs to receive service data from the intranet server and to decapsulate the second tunnel packet, where the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal; and
a second data aggregation module 704, configured to obtain service data from the second service packet obtained by decapsulation in the second tunnel transmission module, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address.
Further, in another embodiment of the present invention, the terminal may further include:
a service module 705, configured to, when the terminal needs to send service data, call an interface provided by the first data aggregation module so as to trigger the first data aggregation module to set the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, and, when the terminal needs to receive service data from the intranet server, to obtain the service data of the second service packet from the second data aggregation module.
Specifically, the first data aggregation module 701 is configured to, when the terminal needs to send service data, capture the service data to be sent at the communication interface provided by the operating system and set the source address of the service data to the virtual IP address and the destination address to the address of the intranet server; the service data to be sent is delivered to the communication interface provided by the operating system by the service module 705. In this way, the service module and the communication capability component need not be tightly coupled.
The second data aggregation module 704 is configured to, when the terminal needs to receive service data from the intranet server, extract the service data from the second service packet and inject the extracted service data into the communication interface provided by the operating system, so that the service module in the terminal can obtain the service data of the second service packet from that interface.
In another embodiment of the present invention, in order to secure the packets transmitted over the VPN tunnel, the terminal may further include:
an encryption module 706, configured to encrypt the first service packet with an SSL tunnel key when the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel; and
a decryption module 707, configured to decrypt the packet obtained by decapsulation in the second tunnel transmission module with the SSL tunnel key when the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel.
The SSL tunnel key is negotiated in advance by the terminal with the security tunnel gateway through the HTTP tunnel. In this case, the first tunnel transmission module 701 is specifically configured to encapsulate the first service packet encrypted by the encryption module 706 into the first tunnel packet and to send the first tunnel packet to the security tunnel gateway through the VPN tunnel between the terminal and the security tunnel gateway, and the second data aggregation module 704 is specifically configured to obtain the service data from the packet decrypted by the decryption module 707.
When two VPN tunnels exist between the terminal and the security tunnel gateway, for example a UDP VPN tunnel and an SSL VPN tunnel, in yet another embodiment of the present invention the terminal may use the first data aggregation module 701, the first tunnel transmission module 702, the second tunnel transmission module 703 and the second data aggregation module 704 to process and transmit service data, and may additionally use a third tunnel transmission module 708 and/or a fourth tunnel transmission module 709 to process and transmit service control information, where:
the third tunnel transmission module 708 is configured to send first service control information to the security tunnel gateway through the SSL VPN tunnel; and/or
the fourth tunnel transmission module 709 is configured to receive second service control information sent by the security tunnel gateway through the SSL VPN tunnel.
In order to establish the two VPN tunnels, yet another embodiment of the present invention further includes: a first tunnel establishment unit 710, configured to establish the UDP VPN tunnel; and
a second tunnel establishment unit 711, configured to negotiate a UDP tunnel key with the security tunnel gateway through the established SSL tunnel so as to establish the UDP tunnel.
In the embodiments of the present invention, the terminal uses the virtual IP address allocated by the IMS core network as its address for communicating with the intranet server: it sets the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server, encapsulates the result into a tunnel packet, and transmits it to the security tunnel gateway through the tunnel between the terminal and the security tunnel gateway, so that the security tunnel gateway can send the service packet whose source address is the virtual IP address and whose destination address is the intranet server address to the intranet server; when the terminal needs to receive service data from the intranet server, it decapsulates the received tunnel packet to obtain a service packet whose source address is the address of the intranet server and whose destination address is the virtual IP address. In this way, service data between the intranet server and the terminal is carried through the security tunnel gateway, and the terminal can traverse the private network and communicate with a server in the public network without any change to the enterprise network in which the terminal is located.
Referring to FIG. 8, an embodiment of the present invention provides a security tunnel gateway, including a tunnel transmission module 80, where the tunnel transmission module 80 includes a first receiving module 801, a decapsulation module 802 and a first sending module 803:
the first receiving module 801 is configured to receive a first tunnel packet through the tunnel between the security tunnel gateway and the terminal, where the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway;
the decapsulation module 802 is configured to decapsulate the first tunnel packet; and
the first sending module 803 is configured to send the first service packet obtained by the decapsulation module to the intranet server, where the source address of the first service packet is the virtual IP address and the destination address is the address of the intranet server.
Further, in another embodiment of the present invention, in order to transmit service packets sent by the intranet server to the terminal, the security tunnel gateway further includes a tunnel transmission module 90, where the tunnel transmission module 90 specifically includes:
a second receiving module 804, configured to receive a second service packet sent by the intranet server, where the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address;
an encapsulation module 805, configured to encapsulate the second service packet into a second tunnel packet, where the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal; and
a second sending unit 806, configured to send the second tunnel packet to the terminal through the tunnel between the security tunnel gateway and the terminal.
In another embodiment of the present invention, in order to secure the packets transmitted over the VPN tunnel, the security tunnel gateway may further include:
an encryption module 807, configured to encrypt the second service packet with the SSL tunnel key when the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel; and
a decryption module 808, configured to decrypt the packet obtained by the decapsulation module with the SSL tunnel key when the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel, obtaining the first service packet.
The SSL tunnel key is negotiated in advance by the terminal with the security tunnel gateway through the HTTP tunnel; the encapsulation module 805 is specifically configured to encapsulate the encrypted second service packet into the second tunnel packet, and the first sending module 803 is specifically configured to send the first service packet decrypted by the decryption module 808 to the intranet server.
When two VPN tunnels exist between the terminal and the security tunnel gateway, for example a UDP VPN tunnel and an SSL VPN tunnel, the terminal may use the UDP VPN tunnel to transmit service packets and the SSL VPN tunnel to transmit service control information; in that case, yet another embodiment of the present invention further includes:
a third sending module 809, further configured to send second service control information to the terminal through the SSL VPN tunnel; and a fourth receiving module 810, further configured to receive first service control information sent by the terminal through the SSL VPN tunnel.
In order to establish the two tunnels, yet another embodiment of the present invention further includes: a first tunnel establishment module 811, configured to establish an SSL tunnel with the terminal; and
a second tunnel establishment module 812, configured to negotiate a UDP tunnel key with the terminal through the established SSL tunnel so as to establish the UDP tunnel.
In the embodiments of the present invention, the security tunnel gateway acts as an intermediate device that decapsulates tunnel packets from the terminal and sends them to the intranet server, and encapsulates service packets from the intranet server into tunnel packets and sends them to the terminal, so that service data is transmitted between the terminal and the server in the IMS core network; thus the terminal can traverse the private network and communicate with a server in the public network without any change to the enterprise network in which the terminal is located.
Referring to FIG. 9, an embodiment of the present invention provides a network system that mainly includes the security tunnel gateway 901 and the intranet server 902 of the above embodiments; the function and structure of the security tunnel gateway are similar to those described in the above embodiments and are not repeated here.
The network system provided by the embodiment of the present invention uses the security tunnel gateway as an intermediate device that decapsulates tunnel packets from the terminal and sends them to the intranet server, and encapsulates service packets from the intranet server into tunnel packets and sends them to the terminal, so that service data is transmitted between the terminal and the server in the IMS core network; thus the terminal can traverse the private network and communicate with a server in the public network without any change to the enterprise network in which the terminal is located.
It should be noted that, for brevity, the foregoing method embodiments are described as a series of combined actions, but those skilled in the art should understand that the present invention is not limited by the described order of actions, because according to the present invention some steps may be performed in another order or simultaneously. Secondly, those skilled in the art should also understand that the embodiments described in the specification are all preferred embodiments, and the actions and modules involved are not necessarily required by the present invention.
In the above embodiments, the description of each embodiment has its own emphasis; for parts not detailed in one embodiment, see the related description of other embodiments.
Those of ordinary skill in the art can understand that all or part of the processes of the methods in the above embodiments may be implemented by a computer program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, and when executed it may include the processes of the method embodiments above. The storage medium may be a magnetic disk, an optical disc, a read-only memory (ROM), a random access memory (RAM) or the like.
The method, apparatus and network system for a terminal to traverse a private network to communicate with a server in an IMS core network provided by the present invention have been described in detail above. Those of ordinary skill in the art will make changes to the specific implementation and scope of application according to the ideas of the embodiments of the present invention; in sum, the content of this specification should not be construed as limiting the present invention.

Claims

1. A method for a terminal to traverse a private network to communicate with a server in an IMS core network, comprising:
setting, by the terminal, the source address of service data to be sent to a virtual IP address and the destination address to the address of an intranet server, to obtain a first service packet, wherein the virtual IP address is an address allocated to the terminal by the IP Multimedia Subsystem (IMS) core network;
encapsulating the first service packet into a first tunnel packet, wherein the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of a security tunnel gateway; and
sending the first tunnel packet to the security tunnel gateway through a virtual private network (VPN) tunnel between the terminal and the security tunnel gateway, so that the security tunnel gateway sends the first service packet carried in the first tunnel packet to the intranet server.
2. The method according to claim 1, wherein
setting the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server comprises:
calling, by a service module of the terminal, an interface provided by a first data aggregation module in the terminal, to trigger the first data aggregation module to set the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server;
or,
capturing, by the first data aggregation module in the terminal, the service data to be sent at a communication interface provided by the operating system, and setting the source address of the service data to be sent to the virtual IP address and the destination address to the address of the intranet server.
3. The method according to claim 1, wherein
the VPN tunnel between the terminal and the security tunnel gateway is a Hypertext Transfer Protocol (HTTP) VPN tunnel;
before encapsulating the first service packet into the first tunnel packet, the method further comprises: encrypting the first service packet with an SSL tunnel key, wherein the SSL tunnel key is negotiated in advance by the terminal with the security tunnel gateway through the HTTP tunnel; and encapsulating the first service packet into the first tunnel packet specifically comprises:
encapsulating the encrypted first service packet into the first tunnel packet.
4. The method according to claim 1, further comprising: when the terminal needs to receive service data from the intranet server, receiving, by the terminal, a second tunnel packet through the tunnel, wherein the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal;
decapsulating the second tunnel packet to obtain a second service packet, wherein the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address; and
obtaining the service data in the second service packet.
5. The method according to claim 4, wherein
the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel;
after decapsulating the second tunnel packet, the method further comprises:
decrypting the packet obtained by decapsulation with an SSL tunnel key, wherein the SSL tunnel key is negotiated in advance by the terminal with the security tunnel gateway through the HTTP tunnel; and
the second service packet is the packet obtained by decryption.
6. The method according to claim 1, wherein
the VPN tunnel between the terminal and the security tunnel gateway is a User Datagram Protocol (UDP) VPN tunnel;
when a Secure Sockets Layer (SSL) VPN tunnel also exists between the terminal and the security tunnel gateway, the method further comprises:
sending, by the terminal, first service control information to the security tunnel gateway through the SSL VPN tunnel;
or,
receiving, by the terminal, second service control information sent by the security tunnel gateway through the SSL VPN tunnel.
7. The method according to claim 6, further comprising: first establishing an SSL tunnel between the terminal and the security tunnel gateway, and negotiating a UDP tunnel key with the security tunnel gateway through the established SSL tunnel so as to establish the UDP tunnel.
8. A method for a terminal to traverse a private network to communicate with a server in an IMS core network, comprising:
receiving, by a security tunnel gateway, a first tunnel packet through a tunnel between the security tunnel gateway and a terminal, wherein the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway;
decapsulating the first tunnel packet to obtain a first service packet, wherein the source address of the first service packet is a virtual IP address and the destination address is the address of an intranet server; and
sending the first service packet to the intranet server.
9. The method according to claim 8, wherein
the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel;
after decapsulating the first tunnel packet, the method further comprises:
decrypting the decapsulated packet with an SSL tunnel key, wherein the SSL tunnel key is negotiated in advance by the terminal with the security tunnel gateway through the HTTP tunnel; and
the first service packet is the packet obtained by decryption.
10. The method according to claim 8, further comprising:
receiving, by the security tunnel gateway, a second service packet sent by the intranet server, wherein the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address;
encapsulating the second service packet into a second tunnel packet, wherein the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal; and
sending the second tunnel packet to the terminal through the tunnel between the security tunnel gateway and the terminal.
11. The method according to claim 10, wherein
the VPN tunnel between the terminal and the security tunnel gateway is an HTTP VPN tunnel;
before encapsulating the second service packet into the second tunnel packet, the method further comprises: encrypting the second service packet with the SSL tunnel key; and
encapsulating the second service packet into the second tunnel packet specifically comprises: encapsulating the encrypted packet into the second tunnel packet.
12. The method according to claim 10, wherein
the VPN tunnel between the terminal and the security tunnel gateway is a UDP VPN tunnel;
when an SSL VPN tunnel also exists between the terminal and the security tunnel gateway, the method further comprises: sending, by the security tunnel gateway, second service control information to the terminal through the SSL VPN tunnel;
or,
receiving, by the security tunnel gateway, first service control information sent by the terminal through the SSL VPN tunnel.
13. A terminal, comprising a communication capability component, wherein the communication capability component comprises:
a first data aggregation module, configured to set the source address of service data to be sent to a virtual IP address and the destination address to the address of an intranet server, to obtain a first service packet, wherein the virtual IP address is an address allocated to the terminal by the IP Multimedia Subsystem (IMS) core network; and
a first tunnel transmission module, configured to encapsulate the first service packet into a first tunnel packet, wherein the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of a security tunnel gateway, and to send the first tunnel packet to the security tunnel gateway through a virtual private network (VPN) tunnel between the terminal and the security tunnel gateway, so that the security tunnel gateway sends the first service packet carried in the first tunnel packet to the intranet server.
14. The terminal according to claim 13, further comprising:
a second tunnel transmission module, configured to receive a second tunnel packet through the tunnel when the terminal needs to receive service data from the intranet server, and to decapsulate the second tunnel packet, wherein the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal; and
a second data aggregation module, configured to obtain service data from the second service packet obtained by decapsulation in the second tunnel transmission module, wherein the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address; or configured to, when the terminal needs to receive service data from the intranet server, extract the service data from the second service packet and inject the extracted service data into a communication interface provided by the operating system, so that a service module in the terminal can obtain the service data of the second service packet from the communication interface provided by the operating system.
15. The terminal according to claim 13, wherein
the VPN tunnel between the terminal and the security tunnel gateway is a UDP VPN tunnel; when an SSL VPN tunnel also exists between the terminal and the security tunnel gateway, the terminal further comprises:
a third tunnel transmission module, configured to send first service control information to the security tunnel gateway through the SSL VPN tunnel;
or,
a fourth tunnel transmission module, configured to receive second service control information sent by the security tunnel gateway through the SSL VPN tunnel.
16. The terminal according to claim 15, further comprising:
a first tunnel establishment unit, configured to establish the UDP VPN tunnel; and
a second tunnel establishment unit, configured to negotiate a UDP tunnel key with the security tunnel gateway through the established SSL tunnel so as to establish the UDP tunnel.
17. A security tunnel gateway, comprising:
a first receiving module, configured to receive a first tunnel packet through a tunnel between the security tunnel gateway and a terminal, wherein the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway;
a decapsulation module, configured to decapsulate the first tunnel packet; and
a first sending module, configured to send the first service packet obtained by the decapsulation module to an intranet server, wherein the source address of the first service packet is a virtual IP address and the destination address is the address of the intranet server.
18. The security tunnel gateway according to claim 17, further comprising: a second receiving module, configured to receive a second service packet sent by the intranet server, wherein the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address; an encapsulation module, configured to encapsulate the second service packet into a second tunnel packet, wherein the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal; and
a second sending unit, configured to send the second tunnel packet to the terminal through the tunnel between the security tunnel gateway and the terminal.
19. The security tunnel gateway according to claim 17, wherein
the VPN tunnel between the terminal and the security tunnel gateway is a UDP VPN tunnel; when an SSL VPN tunnel also exists between the terminal and the security tunnel gateway, the security tunnel gateway further comprises:
a third sending module, further configured to send second service control information to the terminal through the SSL VPN tunnel; and
a fourth receiving module, further configured to receive first service control information sent by the terminal through the SSL VPN tunnel.
20. A network system, comprising a security tunnel gateway and an intranet server, wherein the security tunnel gateway is configured to receive a first tunnel packet through a tunnel between the security tunnel gateway and a terminal, wherein the source IP address of the first tunnel packet is the IP address of the terminal and the destination IP address is the IP address of the security tunnel gateway; to decapsulate the first tunnel packet to obtain a first service packet, wherein the source address of the first service packet is a virtual IP address and the destination address is the address of the intranet server; to send the first service packet to the intranet server; to receive a second service packet sent by the intranet server, wherein the source address of the second service packet is the address of the intranet server and the destination address is the virtual IP address; to encapsulate the second service packet into a second tunnel packet, wherein the source IP address of the second tunnel packet is the IP address of the security tunnel gateway and the destination IP address is the IP address of the terminal; and to send the second tunnel packet to the terminal through the tunnel between the security tunnel gateway and the terminal; and
the intranet server is configured to receive the first service packet sent by the security tunnel gateway and to send the second service packet to the security tunnel gateway.
PCT/CN2011/071659, priority date 2010-08-20, filing date 2011-03-10: Method, apparatus and network system for a terminal to traverse a private network to communicate with a server in an IMS core network (终端穿越私网与ims核心网中服务器通信的方法、装置及网络系统), WO2012022145A1 (zh)

Published as WO2012022145A1 on 2012-02-23.

Family

ID=45604730

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/071659 WO2012022145A1 (zh) 2010-08-20 2011-03-10 终端穿越私网与ims核心网中服务器通信的方法、装置及网络系统

Country Status (5)

Country Link
US (2) US9172559B2 (zh)
EP (2) EP2590368B1 (zh)
CN (1) CN102377629B (zh)
ES (1) ES2596177T3 (zh)
WO (1) WO2012022145A1 (zh)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866865A (zh) * 2020-07-30 2020-10-30 冯田旺 一种数据传输方法、无线专网建立方法及系统
CN112738661A (zh) * 2020-12-15 2021-04-30 广西广播电视信息网络股份有限公司 一种在i-pon网络的广播通道上实现双向下行加速的方法
CN113709119A (zh) * 2021-08-12 2021-11-26 南京华盾电力信息安全测评有限公司 一种密码安全网关、系统及使用方法

Families Citing this family (41)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP5871733B2 (ja) * 2011-07-04 2016-03-01 コニンクリーケ・ケイピーエヌ・ナムローゼ・フェンノートシャップ 時間インジケータを用いたトリガリング
EP2837156B1 (en) * 2012-04-09 2018-08-22 Telefonaktiebolaget LM Ericsson (publ) Method, apparatus and computer readable medium for providing quality of service functionality supporting a plurality of different data streams in a single ims session for machine-to-machine mtm device communications
CN102932467B (zh) * 2012-11-08 2015-11-25 华为技术有限公司 数据包的传输方法和装置
CN104426732A (zh) * 2013-08-19 2015-03-18 华耀(中国)科技有限公司 一种高速传输隧道的实现方法及系统
KR101502490B1 (ko) * 2013-10-18 2015-03-13 주식회사 케이티 네트워크 트래픽을 감시하는 가입자 단말 및 보안 감시 노드
FR3013541B1 (fr) * 2013-11-19 2021-02-19 Oberthur Technologies Procede et dispositif pour la connexion a un service distant
CN103607403A (zh) * 2013-11-26 2014-02-26 北京星网锐捷网络技术有限公司 一种nat网络环境下使用安全域的方法、装置和系统
CN105471596B (zh) * 2014-08-04 2019-05-07 新华三技术有限公司 网络管理的方法和装置
CN105337831B (zh) 2014-08-08 2018-10-09 华为技术有限公司 虚拟专用网络的实现方法及客户端设备
US9473466B2 (en) * 2014-10-10 2016-10-18 Freescale Semiconductor, Inc. System and method for internet protocol security processing
CN104468625B (zh) * 2014-12-26 2018-07-13 浙江宇视科技有限公司 拨号隧道代理装置、利用拨号隧道穿越nat的方法
CN104539752B (zh) * 2014-12-31 2018-03-09 浙江宇视科技有限公司 多级域平台间的访问方法及系统
US20160226815A1 (en) * 2015-01-30 2016-08-04 Huawei Technologies Co., Ltd. System and method for communicating in an ssl vpn
US10084642B2 (en) * 2015-06-02 2018-09-25 ALTR Solutions, Inc. Automated sensing of network conditions for dynamically provisioning efficient VPN tunnels
CN106454754B (zh) * 2015-08-12 2020-01-31 成都鼎桥通信技术有限公司 数据传输方法及宽带集群系统
CN106559851B (zh) * 2015-09-24 2019-11-12 成都鼎桥通信技术有限公司 LTE宽带集群系统IPSec级联组网实现方法及系统
US10484282B2 (en) 2016-01-12 2019-11-19 International Business Machines Corporation Interconnecting multiple separate openflow domains
CN105872128B (zh) * 2016-05-31 2019-03-08 浙江宇视科技有限公司 虚拟ip地址的分配方法及装置
US10447591B2 (en) 2016-08-30 2019-10-15 Oracle International Corporation Executing multiple virtual private network (VPN) endpoints associated with an endpoint pool address
US10572932B2 (en) 2017-01-27 2020-02-25 Walmart Apollo, Llc System for providing optimal shopping routes in retail store and method of using same
US10657580B2 (en) 2017-01-27 2020-05-19 Walmart Apollo, Llc System for improving in-store picking performance and experience by optimizing tote-fill and order batching of items in retail store and method of using same
US10699328B2 (en) 2017-04-17 2020-06-30 Walmart Apollo, Llc Systems to fulfill a picked sales order and related methods therefor
US10846645B2 (en) 2017-04-28 2020-11-24 Walmart Apollo, Llc Systems and methods for real-time order delay management
US10810542B2 (en) 2017-05-11 2020-10-20 Walmart Apollo, Llc Systems and methods for fulfilment design and optimization
CN110771097B (zh) * 2017-05-12 2022-11-22 诺基亚通信公司 用于网络设备与应用服务器之间的数据隧道传输的连接性监测
US11126953B2 (en) 2017-06-14 2021-09-21 Walmart Apollo, Llc Systems and methods for automatically invoking a delivery request for an in-progress order
US11126954B2 (en) 2017-06-28 2021-09-21 Walmart Apollo, Llc Systems and methods for automatically requesting delivery drivers for online orders
US10909612B2 (en) 2017-07-13 2021-02-02 Walmart Apollo Llc Systems and methods for determining an order collection start time
CN109379206B (zh) 2017-08-07 2022-04-22 华为技术有限公司 网络功能信息的管理方法及相关设备
US11323426B2 (en) * 2017-10-19 2022-05-03 Check Point Software Technologies Ltd. Method to identify users behind a shared VPN tunnel
US11038923B2 (en) * 2018-02-16 2021-06-15 Nokia Technologies Oy Security management in communication systems with security-based architecture using application layer security
CN109327513B (zh) * 2018-09-21 2021-12-17 京东方科技集团股份有限公司 交互方法、装置及计算机可读存储介质
US11876798B2 (en) * 2019-05-20 2024-01-16 Citrix Systems, Inc. Virtual delivery appliance and system with remote authentication and related methods
CN112887976B (zh) * 2019-11-29 2023-06-30 北京华耀科技有限公司 智能终端的vpn网络自动恢复系统及方法
CN111147451A (zh) * 2019-12-09 2020-05-12 云深互联(北京)科技有限公司 一种基于云平台的业务系统安全访问方法、装置及系统
US11657347B2 (en) 2020-01-31 2023-05-23 Walmart Apollo, Llc Systems and methods for optimization of pick walks
US11868958B2 (en) 2020-01-31 2024-01-09 Walmart Apollo, Llc Systems and methods for optimization of pick walks
CN111885036B (zh) * 2020-07-16 2022-08-16 武汉秒开网络科技有限公司 一种通过路由器穿透内网实现多设备访问的方法及系统
US11411772B1 (en) * 2021-04-15 2022-08-09 Blackberry Limited Establishing tunneling connection over restrictive networks
CN113556340B (zh) * 2021-07-21 2023-09-26 国网四川省电力公司乐山供电公司 一种便携式vpn终端、数据处理方法及存储介质
CN115022059A (zh) * 2022-06-13 2022-09-06 中国银行股份有限公司 一种量子通信方法及装置

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030108041A1 (en) * 2001-12-07 2003-06-12 Nortell Networks Limited Tunneling scheme optimized for use in virtual private netwoks
CN101159657A (zh) * 2007-10-16 2008-04-09 华为技术有限公司 一种实现私网穿越的方法、设备及服务器
CN101778045A (zh) * 2010-01-27 2010-07-14 成都市华为赛门铁克科技有限公司 报文传输方法、装置及网络系统

Family Cites Families (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6574661B1 (en) * 1997-09-26 2003-06-03 Mci Communications Corporation Integrated proxy interface for web based telecommunication toll-free network management using a network manager for downloading a call routing tree to client
CA2428712A1 (en) * 2000-11-13 2002-05-30 Ecutel System and method for secure network mobility
WO2002048830A2 (en) * 2000-12-11 2002-06-20 Phlair, Inc. System and method for detecting and reporting online activity using real-time content-based network monitoring
FI20011949A0 (fi) * 2001-10-05 2001-10-05 Stonesoft Corp Virtuaalisen yksityisverkon hallinta
AU2002368164A1 (en) * 2002-08-05 2004-02-25 Nokia Corporation A method of speeding up the registration procedure in a cellular network
US7602788B2 (en) * 2002-11-04 2009-10-13 At&T Intellectual Property I, L.P. Peer to peer SVC-based DSL service
DE10329877A1 (de) * 2003-07-02 2005-01-27 Siemens Ag Verfahren zum Betrieb eines Sprach-Endgerätes an einer abgesetzten Nebenstellenanlage, Kommunikationsanordnung und Sprach-Endgerät
US7558862B1 (en) * 2004-12-09 2009-07-07 LogMeln, Inc. Method and apparatus for remotely controlling a computer with peer-to-peer command and data transfer
EP1840748A4 (en) * 2004-12-20 2012-08-22 Fujitsu Ltd REPETITION PROGRAM, COMMUNICATION PROGRAM, AND FIREWALL SYSTEM
US20070074283A1 (en) * 2005-09-26 2007-03-29 Marian Croak Method and apparatus for activating alternative virtual private network protocols
ATE436161T1 (de) * 2005-10-04 2009-07-15 Swisscom Ag Verfahren zur anpassung der sicherheitseinstellungen einer kommunikationsstation und kommunikationsstation
US7716731B2 (en) * 2005-10-24 2010-05-11 Cisco Technology, Inc. Method for dynamically tunneling over an unreliable protocol or a reliable protocol, based on network conditions
US20080095070A1 (en) * 2005-12-05 2008-04-24 Chan Tat K Accessing an IP multimedia subsystem via a wireless local area network
US20070150946A1 (en) * 2005-12-23 2007-06-28 Nortel Networks Limited Method and apparatus for providing remote access to an enterprise network
CN101090362B (zh) 2006-06-20 2010-04-14 中兴通讯股份有限公司 一种分组域中单隧道协商的方法
US9137043B2 (en) * 2006-06-27 2015-09-15 International Business Machines Corporation System, method and program for determining a network path by which to send a message
JP4732974B2 (ja) * 2006-07-27 2011-07-27 株式会社日立製作所 パケット転送制御方法およびパケット転送装置
US7809003B2 (en) * 2007-02-16 2010-10-05 Nokia Corporation Method for the routing and control of packet data traffic in a communication system
US8910272B2 (en) * 2008-02-28 2014-12-09 Hob Gmbh & Co. Kg Computer communication system for communication via public networks
JP5074290B2 (ja) * 2008-05-13 2012-11-14 株式会社日立国際電気 冗長切替システム、冗長管理装置およびアプリケーション処理装置
EP2166724A1 (en) * 2008-09-23 2010-03-24 Panasonic Corporation Optimization of handovers to untrusted non-3GPP networks
US8893260B2 (en) * 2008-12-17 2014-11-18 Rockstar Consortium Us Lp Secure remote access public communication environment
CN101753634B (zh) 2008-12-19 2013-01-30 华为技术有限公司 一种私网穿越的方法,系统和装置
US8181019B2 (en) * 2009-06-22 2012-05-15 Citrix Systems, Inc. Systems and methods for managing CRLS for a multi-core system
US20120023241A1 (en) * 2010-07-26 2012-01-26 Cisco Technology, Inc. SSL Cache Session Selection

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030108041A1 (en) * 2001-12-07 2003-06-12 Nortell Networks Limited Tunneling scheme optimized for use in virtual private netwoks
CN101159657A (zh) * 2007-10-16 2008-04-09 华为技术有限公司 一种实现私网穿越的方法、设备及服务器
CN101778045A (zh) * 2010-01-27 2010-07-14 成都市华为赛门铁克科技有限公司 报文传输方法、装置及网络系统

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111866865A (zh) * 2020-07-30 2020-10-30 冯田旺 一种数据传输方法、无线专网建立方法及系统
CN111866865B (zh) * 2020-07-30 2023-07-14 北京意瑞联科技有限公司 一种数据传输方法、5g专网建立方法及系统
CN112738661A (zh) * 2020-12-15 2021-04-30 广西广播电视信息网络股份有限公司 一种在i-pon网络的广播通道上实现双向下行加速的方法
CN112738661B (zh) * 2020-12-15 2022-05-31 广西广播电视信息网络股份有限公司 一种在i-pon网络的广播通道上实现双向下行加速的方法
CN113709119A (zh) * 2021-08-12 2021-11-26 南京华盾电力信息安全测评有限公司 一种密码安全网关、系统及使用方法

Also Published As

Publication number Publication date
CN102377629A (zh) 2012-03-14
EP2590368A1 (en) 2013-05-08
US20130170502A1 (en) 2013-07-04
EP2590368A4 (en) 2013-08-14
CN102377629B (zh) 2014-08-20
US9172559B2 (en) 2015-10-27
US20150358281A1 (en) 2015-12-10
EP2590368B1 (en) 2016-07-20
EP3096497A1 (en) 2016-11-23
ES2596177T3 (es) 2017-01-05
US9813380B2 (en) 2017-11-07
EP3096497B1 (en) 2020-06-24

Similar Documents

Publication Title
WO2012022145A1 (zh) Method, apparatus and network system for a terminal to traverse a private network and communicate with a server in the IMS core network
CN104168173B (zh) Method, apparatus and network system for a terminal to traverse a private network and communicate with a server in the IMS core network
US8725885B1 (en) Securely establishing ICE relay connections
JP4081724B1 (ja) Client terminal, relay server, communication system, and communication method
CN103188351B (zh) Method and system for processing IPsec VPN communication services in an IPv6 environment
US20050223111A1 (en) Secure, standards-based communications across a wide-area network
US20110113236A1 (en) Methods, systems, and computer readable media for offloading Internet Protocol Security (IPsec) processing using an IPsec proxy mechanism
CN108769292B (zh) Packet data processing method and apparatus
CN109906625B (zh) Method for secure link-layer connections over a wireless local area network
WO2003043250A1 (en) Enabling secure communication in a clustered or distributed architecture
WO2013166696A1 (zh) Data transmission method, system and apparatus
WO2006134505A1 (en) Method, system and network elements for establishing media protection over networks
Liyanage et al. Securing virtual private LAN service by efficient key management
WO2009082950A1 (fr) Method, device and system for key distribution
TWI493946B (zh) Virtual private network communication system, routing device and method thereof
WO2016066027A1 (zh) Media transmission method and device
Liyanage et al. Secure hierarchical virtual private LAN services for provider provisioned networks
JP2011077887A (ja) Packet transfer system, packet transfer method, communication device and packet transfer program
US20240022402A1 (en) A method for tunneling an Internet Protocol connection between two endpoints
WO2015003379A1 (zh) Data communication method, device and system
EP2579537A1 (en) Method for securing data communication
CN115766063A (zh) Data transmission method, apparatus, device and medium
Chandra et al. VPN for remote digital evidence acquisition
Al-Abaychi et al. Evaluation of VPNs

Legal Events

Code Title Description
121 EP: the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 11817673; Country of ref document: EP; Kind code of ref document: A1
REEP Request for entry into the European phase. Ref document number: 2011817673; Country of ref document: EP
WWE WIPO information: entry into national phase. Ref document number: 2011817673; Country of ref document: EP
NENP Non-entry into the national phase. Ref country code: DE