WO2016106560A1 - Remote access implementation method, device and system - Google Patents


Info

Publication number: WO2016106560A1 (PCT/CN2014/095582)
Authority: WO, WIPO (PCT)
Prior art keywords: vpn, vpn server, address, verification code, server
Application number: PCT/CN2014/095582
Other languages: French (fr), Chinese (zh)
Inventors: 张亚军, 和江涛, 吴向阳, 刘晓
Original assignee: 华为技术有限公司
Application filed by 华为技术有限公司
Priority to PCT/CN2014/095582 (patent WO2016106560A1)
Priority to CN201480038036.7A (patent CN105493453B)
Publication of WO2016106560A1

Classifications

All classifications fall under section H (Electricity), class H04 (Electric communication technique), subclass H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L 9/40 Network security protocols (under H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols)
    • H04L 12/46 Interconnection of networks (under H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]; H04L 12/00 Data switching networks)
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN] (under H04L 12/46 Interconnection of networks)
    • H04L 63/0272 Virtual private networks (under H04L 63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; H04L 63/00 Network architectures or network communication protocols for network security)
    • H04L 63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up (under H04L 63/0428 and H04L 63/04, Network architectures or network communication protocols for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload)
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities

Definitions

  • The present invention relates to the field of communications, and in particular to a method, apparatus, and system for implementing remote access.
  • VPN: Virtual Private Network.
  • TP: Tunneling Protocol.
  • Insecure network: for example, the Internet.
  • When a company employee travels abroad and needs to access server resources in the intranet of the enterprise headquarters, this access is remote access.
  • By setting up a VPN gateway in the internal network, the employee abroad first connects to the Internet and then enters the intranet through the VPN gateway, so that intranet resources can be accessed; to ensure data security, the communication data between the VPN gateway and the client used by the employee abroad is encrypted.
  • IPSec: Internet Protocol Security.
  • IETF: Internet Engineering Task Force.
  • IPSec VPN is typically used in a Site-to-Site scenario (that is, site-to-site or gateway-to-gateway): for example, a company's headquarters and a branch located in two different places on the Internet each use a VPN gateway to establish a VPN tunnel for secure interconnection.
  • The premise of this method is that the respective VPN gateways must be configured according to agreed parameters, with the encryption algorithm, the key and the subnets determined in advance; the configuration and negotiation methods are complicated.
  • The object of the present invention is to provide a method, device and system for implementing remote access, which solves the problem that the configuration and negotiation mode of the VPN gateway in the existing IPSec VPN technology is complicated.
  • An embodiment of the present invention provides a method for implementing remote access by a user terminal to a private network. The method is applied to a remote access system that includes a VPN server and a VPN gateway in a private network, where the public network IP address of the VPN gateway is configured in the VPN server, and the method includes:
  • the VPN server generates a verification code message and sends it to the VPN gateway, where the verification code message includes an identifier of the VPN server;
  • the VPN server receives the private network IP address segment and the encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway after the VPN gateway has verified the identifier of the VPN server;
  • the VPN server performs system configuration according to the private network IP address segment and the encryption key;
  • the VPN server receives a login request sent by the user terminal, allocates an IP address to the user terminal from the private network IP address segment, and transmits the data sent by the user terminal to the VPN gateway by using the encryption key.
  • The VPN server is further configured with an RSA private key, and correspondingly the public key corresponding to the RSA private key is configured in the VPN gateway. Generating and sending the verification code message then includes: the VPN server encrypts the verification code message by using the RSA private key and sends the encrypted verification code message to the VPN gateway, so that the VPN gateway decrypts the verification code message with the public key corresponding to the RSA private key, and obtains and verifies the identifier of the VPN server.
  • Before the VPN server sends the verification code message to the VPN gateway, the method further includes: the VPN server receives a configuration instruction and stores the RSA private key and the public network IP address of the VPN gateway.
  • The VPN server is further provided with an activation password, and the method further includes: the VPN server receives an activation request that carries an activation password, and verifies the activation password carried in the activation request.
  • The VPN server is configured with a filtering rule that limits the port opened on the VPN server to the port used for VPN data transmission, and limits the open address to the public network IP address of the VPN gateway.
  • The identifier of the VPN server is a device serial number of the VPN server.
  • The activation password includes at least one of a password, a fingerprint, a palm print, or an iris.
  • An embodiment of the present invention provides another method for implementing remote access by a user terminal to a private network, applied to a remote access system that includes a VPN server, a third-party authentication center, and a VPN gateway in a private network, where the VPN server is configured with the public network IP address of the VPN gateway, and the method includes:
  • the VPN server generates a verification code message and sends it to the third-party authentication center, where the verification code message includes an identifier of the VPN server;
  • the VPN server receives the private network IP address segment and the encryption key of the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway at the request of the third-party authentication center, after the third-party authentication center has verified the identifier of the VPN server;
  • the VPN server performs system configuration according to the private network IP address segment and the encryption key;
  • the VPN server receives a login request sent by the user terminal, allocates an IP address to the user terminal from the private network IP address segment, and transmits the data sent by the user terminal to the VPN gateway by using the encryption key.
  • The VPN server is further configured with an RSA private key, and the third-party authentication center is configured with the public key corresponding to the RSA private key.
  • Generating and sending the verification code message to the third-party authentication center then includes: the VPN server encrypts the verification code message by using the RSA private key and sends the encrypted verification code message to the third-party authentication center, so that the third-party authentication center decrypts the verification code message with the public key corresponding to the RSA private key, and obtains and verifies the identifier of the VPN server.
  • The VPN server is configured with a filtering rule that limits the open ports on the VPN server to the port used for VPN data transmission and the port that interacts with the third-party authentication center, and limits the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
  • An embodiment of the present invention provides a system for implementing remote access by a user terminal to a private network. The remote access system includes a VPN server and a VPN gateway in a private network, where the VPN server is configured with the public IP address of the VPN gateway.
  • The VPN server is configured to generate a verification code message and send it to the VPN gateway, where the verification code message includes an identifier of the VPN server;
  • the VPN gateway is configured to allocate a private network IP address segment and an encryption key to the VPN server after verifying the identifier of the VPN server, and to send the private network IP address segment and the encryption key to the VPN server;
  • the VPN server is further configured to receive the private network IP address segment and the encryption key returned by the VPN gateway, and to perform system configuration according to them;
  • the VPN server is further configured to receive a login request sent by the user terminal, allocate an IP address to the user terminal from the private network IP address segment, and transmit the data sent by the user terminal to the VPN gateway by using the encryption key.
  • The VPN server is further configured with an RSA private key, and correspondingly the public key corresponding to the RSA private key is configured in the VPN gateway.
  • The VPN server is specifically configured to encrypt the verification code message by using the RSA private key and send the encrypted verification code message to the VPN gateway;
  • the VPN gateway is specifically configured to decrypt the verification code message by using the public key corresponding to the RSA private key, and to obtain and verify the identifier of the VPN server.
  • The VPN server receives a configuration command and stores the RSA private key and the public network IP address of the VPN gateway.
  • The VPN server is further configured with an activation password.
  • The VPN server is further configured to receive and verify an activation request sent by the user terminal, where the activation request carries an activation password.
  • The VPN server is configured with a filtering rule that limits the port open on the VPN server to the port used for VPN data transmission, and limits the open address to the public network IP address of the VPN gateway.
  • An embodiment of the present invention further provides a system for implementing remote access by a user terminal to a private network. The system includes a VPN server and a VPN gateway in a private network, where the VPN server is configured with the public IP address of the VPN gateway.
  • The VPN server is configured to generate a verification code message and send it to the third-party authentication center, where the verification code message includes an identifier of the VPN server;
  • the VPN gateway is configured to receive a notification message sent by the third-party authentication center after the identity verification of the VPN server has passed, where the notification message carries the identifier of the VPN server;
  • the VPN gateway is further configured to allocate a private network IP address segment and an encryption key to the VPN server, and to send the private network IP address segment and the encryption key to the VPN server;
  • the VPN server is further configured to receive the private network IP address segment and the encryption key returned by the VPN gateway, and to perform system configuration according to them;
  • the VPN server is further configured to receive a login request sent by the user terminal, allocate an IP address to the user terminal from the private network IP address segment, and transmit the data sent by the user terminal to the VPN gateway by using the encryption key.
  • The system further includes a third-party authentication center, which is configured to verify the identifier of the VPN server.
  • The VPN server is further configured with an RSA private key, and the third-party authentication center is configured with the public key corresponding to the RSA private key.
  • The VPN server is configured to encrypt the verification code message by using the RSA private key and send the encrypted verification code message to the third-party authentication center;
  • the third-party authentication center is configured to decrypt the verification code message by using the public key corresponding to the RSA private key, and to obtain and verify the identifier of the VPN server.
  • The VPN server is configured with a filtering rule that limits the open ports on the VPN server to the port used for VPN data transmission and the port interacting with the third-party authentication center, and limits the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
  • An embodiment of the present invention provides a VPN server for implementing remote access by a user terminal to a private network, where the VPN server is configured with the public network IP address of a VPN gateway in the private network and includes:
  • a generating unit configured to generate a verification code message, where the verification code message includes an identifier of the VPN server;
  • a sending unit configured to send the verification code message generated by the generating unit to the VPN gateway;
  • a receiving unit configured to receive a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway after the VPN gateway has verified the identifier of the VPN server;
  • a configuration unit configured to perform system configuration according to the private network IP address segment and the encryption key received by the receiving unit;
  • the receiving unit is further configured to receive a login request sent by the user terminal;
  • a data transmission unit configured to, after the receiving unit receives the login request, allocate an IP address to the user terminal from the private network IP address segment and transmit the data sent by the user terminal to the VPN gateway by using the encryption key.
  • The VPN server is further configured with an RSA private key.
  • The generating unit is specifically configured to encrypt the verification code message by using the RSA private key;
  • the sending unit is configured to send the encrypted verification code message generated by the generating unit to the VPN gateway, so that the VPN gateway decrypts the verification code message with the public key corresponding to the RSA private key, and obtains and verifies the identifier of the VPN server.
  • The receiving unit is further configured to receive a configuration instruction, and to store the RSA private key and the public network IP address of the VPN gateway.
  • The receiving unit is further configured to receive an activation request sent by the user terminal, where the activation request carries the activation password;
  • the VPN server further includes an authentication unit configured to verify the activation password carried in the activation request received by the receiving unit.
  • The embodiment of the invention provides a method, a system and a device for realizing remote access by a user terminal to a private network.
  • An IP address of a VPN gateway in a private network is configured in a VPN server. After the user terminal activates the VPN server, the VPN server sends a verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server.
  • The VPN gateway allocates a private network address segment and an encryption key to the VPN server.
  • The VPN gateway sends the private network address segment and the encryption key to the VPN server, so that the VPN server allocates an IP address to the user terminal from the private network address segment and encrypts the data passed to the VPN gateway with the encryption key. Thus the user terminal accesses the intranet through the VPN server, and the above secure encryption and authentication mechanism ensures end-to-end security from user access to data transmission.
  • FIG. 1 is a schematic flowchart of a method for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 2 is a schematic structural diagram of a system for remote access according to an embodiment of the present invention.
  • FIG. 3 is a schematic flowchart of a method for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 4 is a schematic flowchart of another method for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of another method for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 6 is a schematic structural diagram of a system for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 7 is a schematic structural diagram of another system for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 8 is a schematic structural diagram of a VPN server for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • FIG. 9 is a schematic structural diagram of VPN server hardware according to an embodiment of the present invention.
  • FIG. 1 is a schematic flowchart of a method for implementing remote access by a user terminal to a private network according to an embodiment of the present invention.
  • The method is applied to a remote access system that includes a VPN server and a VPN gateway in a private network, where the public IP address of the VPN gateway is configured in the VPN server. The method includes:
  • Step 101: The VPN server generates a verification code message and sends it to the VPN gateway, where the verification code message includes an identifier of the VPN server.
  • Step 102: The VPN server receives a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway after the VPN gateway has verified the identifier of the VPN server.
  • Step 103: The VPN server performs system configuration according to the private network IP address segment and the encryption key.
  • Step 104: The VPN server receives a login request sent by the user terminal, allocates an IP address to the user terminal from the private network IP address segment, and transmits the data sent by the user terminal to the VPN gateway by using the encryption key.
  • In this embodiment the VPN server is configured with the IP address of the VPN gateway in the private network. The VPN server sends a verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server.
  • The VPN gateway allocates a private network address segment and an encryption key to the VPN server and sends them to the VPN server, so that the VPN server allocates an IP address to the user terminal from the private network address segment and encrypts data transmitted to the VPN gateway with the encryption key. Thus the user terminal accesses the intranet through the VPN server, and the above secure encryption and authentication mechanism ensures end-to-end security from user access to data transmission.
  • An RSA private key may be set in the VPN server, with the public key corresponding to the RSA private key configured in the VPN gateway, so that the VPN server can encrypt the verification code message sent to the VPN gateway with the RSA private key.
  • The VPN server encrypts the verification code message by using the RSA private key and sends the encrypted verification code message to the VPN gateway, so that the VPN gateway decrypts the verification code message with the public key corresponding to the RSA private key, and obtains and verifies the identifier of the VPN server.
  • The VPN server receives a configuration instruction and stores the RSA private key and the public network IP address of the VPN gateway.
  • When the user terminal needs to access the VPN gateway of the headquarters through the VPN server, the user terminal sends an activation request to the VPN server, where the activation request carries an activation password, and the VPN server verifies the activation password carried in the activation request; the activation password includes at least one of a password, a fingerprint, a palm print, or an iris.
  • The identifier of the VPN server is a device serial number of the VPN server.
  • FIG. 2 is a schematic structural diagram of a system for remote access according to an embodiment of the present invention.
  • A user terminal connects to a public network through a VPN server, then to the VPN gateway of the enterprise's internal private network, and carries out data transmission with the intranet through the VPN gateway.
  • The VPN server is preset with the parameters for connecting to the headquarters, including the public IP address of the headquarters, the private key required for channel encryption, and the activation password.
  • The VPN server itself provides wireless and wired access, and can perform MAC address filtering on the terminals that connect to it.
  • The user terminal connects to the VPN server through a high-security authentication mode (WPA2) in order to access the headquarters. After the VPN server is activated, it automatically interacts with the VPN gateway at the headquarters to perform identity authentication, configuration negotiation, and automatic configuration. Each time the VPN server starts a new connection or changes its IP address, it must be reactivated before it provides the service.
  • Before the user terminal performs remote access through the VPN server, the VPN server must be initially configured so that it can be used. In a real-life scenario, the employee may apply to the headquarters for a VPN server before travelling, and the initial configuration of the VPN server may be performed by the headquarters IT manager.
  • The initial configuration may include the following:
  • the shared RSA private key is written into the VPN server by a dedicated device, and the public key corresponding to it is stored in the headquarters system; the RSA private key can be stored in a chip of the VPN server, so that it cannot be read by an external system;
  • the activation password is set on the VPN server, and may be a password, a fingerprint, a palm print, an iris, or the like, which is not limited by the embodiment of the present invention;
  • only the required port and address are opened on the VPN server: for example, open only the port used for VPN data transmission (500 or 4500) and the public IP address of the VPN gateway.
  • A filtering rule can be set on the VPN server for the IP address and the port, so that the VPN server can only reach the VPN gateway and cannot reach other public network addresses.
  • Where a third-party authentication center is responsible for verifying the VPN server, a filtering rule is likewise set on the VPN server to limit the open ports to the port used for VPN data transmission and the port interacting with the third-party authentication center, and the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
  • The embodiment of the invention provides a VPN server through which the remote terminal accesses the VPN gateway of the intranet, so as to provide a simple, secure and convenient plug-and-play VPN service for the mobile office.
  • The schematic flowchart of a method for implementing remote access by a user terminal to a private network includes:
  • Step 301: Connect the VPN server to the Internet and start the VPN server.
  • The VPN server obtains a public network IP address. Specifically, the public IP address can be obtained through static manual configuration, Dynamic Host Configuration Protocol (DHCP), or Point-to-Point Protocol over Ethernet (PPPoE).
  • Step 302: The user sends an activation request to the VPN server through the user terminal, so that the VPN server verifies the legality of the user.
  • The user can activate the VPN server by entering an activation password, scanning a fingerprint, or scanning a palm print, according to the activation mode set on the VPN server; this embodiment of the present invention does not limit this.
  • Step 303: The VPN server generates an authentication message that includes a verification code message whose content is the device serial number of the VPN server; the VPN server encrypts and signs the verification code message in the authentication message by using the preset RSA private key, and sends the authentication message to the VPN gateway of the headquarters.
  • Step 304: The VPN gateway of the headquarters receives the authentication message, obtains the encrypted verification code message, decrypts it by using the previously stored public key corresponding to the RSA private key, and verifies the decrypted device serial number to determine whether it is registered in the system. If the device serial number is known and the device has not yet been registered in the system, the verification is passed.
  • Step 305: After the verification is completed, the VPN gateway of the headquarters allocates an IP address segment of the private network to the VPN server, together with an encryption key for subsequent VPN transmission; the encryption key may be a symmetric key.
  • Step 306: The VPN gateway of the headquarters encrypts and signs the private network IP address segment and the encryption key by using the RSA public key, carries the encrypted private network IP address segment and encryption key in an authentication response message, and sends the message to the VPN server.
  • Step 307: The VPN server decrypts the packet in the received authentication response message, and obtains the private network IP address segment and the encryption key allocated to it by the VPN gateway.
  • Step 308: The VPN server automatically performs VPN configuration according to the received private network IP address segment and encryption key.
  • Step 309: The user accesses the VPN server through the user terminal, and the VPN server verifies the legality of the accessing user. After the verification is passed, the user terminal is allocated an IP address from the private network IP address segment.
  • The user can access the VPN server through the high-security authentication mode (WPA2) of the user terminal and begin to access the data of the headquarters; the VPN server verifies the validity of the password for the connection in this access mode.
  • Step 310: The user terminal and the headquarters VPN gateway use the standard IPSec VPN protocol for data interaction, and use the Data Encryption Standard (DES) to encrypt data.
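Steps 302 to 309 above, and the third-party authentication center variant that follows (Steps 403 and 404, where only the holder of the public key changes), as an added Python model of the exchange; this is not code from the patent or from 华为技术有限公司. The class and function names, the sample serial numbers, address pool and activation password, and the small stdlib-only RSA key are assumptions; what it shows beyond the text is that "encrypting with the private key" proves possession of the key but hides nothing from anyone holding the public key, whereas the response encrypted to the public key can be opened only by the VPN server, and that a replayed or unknown serial number receives no segment and no key.

```python
"""Toy model of Steps 302-309: an added example, not the patent's code."""
import hashlib
import hmac
import ipaddress
import os

# Demonstration RSA key from two Mersenne primes (no extra library needed):
# ~216-bit modulus, raw unpadded RSA. Enough to show the message flow; real
# deployments need >= 2048-bit keys with PSS/OAEP padding.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N = P * Q
E = 65537                           # public exponent (held by the verifier)
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (held by the VPN server)


def _to_int(data: bytes) -> int:
    """Encode a short byte string as an integer below the modulus."""
    if len(data) * 8 >= N.bit_length():
        raise ValueError("block too large for the demonstration modulus")
    return int.from_bytes(data, "big")


def _to_bytes(value: int, length: int = 0) -> bytes:
    """Inverse of _to_int; a fixed length keeps leading zero bytes of keys."""
    return value.to_bytes(length or (value.bit_length() + 7) // 8, "big")


class VpnServer:
    """The travelling employee's VPN server; holds the RSA private key."""

    def __init__(self, serial: str, activation_password: str):
        self.serial = serial                     # device serial number
        self._pw_hash = hashlib.sha256(activation_password.encode()).digest()
        self.activated = False
        self.segment = self.session_key = self._hosts = None

    def activate(self, password: str) -> bool:
        """Step 302: the user must present the activation password first."""
        digest = hashlib.sha256(password.encode()).digest()
        self.activated = hmac.compare_digest(digest, self._pw_hash)
        return self.activated

    def build_verification_message(self) -> int:
        """Step 303: serial transformed with the private key. Anyone with the
        public key can read it, so it proves key possession, not secrecy."""
        if not self.activated:
            raise PermissionError("VPN server not activated")
        return pow(_to_int(self.serial.encode()), D, N)

    def apply_configuration(self, response: dict) -> None:
        """Steps 307-308: only the private-key holder can open the response."""
        self.segment = ipaddress.ip_network(
            _to_bytes(pow(response["segment"], D, N)).decode())
        self.session_key = _to_bytes(pow(response["key"], D, N), 16)
        self._hosts = self.segment.hosts()
        next(self._hosts)   # first host kept for the server's tunnel end (assumption)

    def assign_terminal_address(self) -> ipaddress.IPv4Address:
        """Step 309: hand a verified terminal the next address in the segment."""
        return next(self._hosts)


class VpnGateway:
    """Headquarters VPN gateway (or third-party center); holds the public key."""

    def __init__(self, known_serials, pool: str, prefix: int = 24):
        self.known = set(known_serials)   # device serial numbers issued by HQ
        self.registered = {}              # serial -> (segment, key) once activated
        self._subnets = ipaddress.ip_network(pool).subnets(new_prefix=prefix)

    def handle_authentication(self, encrypted_serial: int):
        """Steps 304-306: recover the serial, check it, allocate, and reply."""
        serial = _to_bytes(pow(encrypted_serial, E, N)).decode("ascii", "replace")
        # Known and not yet registered, else reject (forged or replayed messages fail).
        if serial not in self.known or serial in self.registered:
            return None
        segment = next(self._subnets)
        key = os.urandom(16)              # symmetric key for subsequent VPN traffic
        self.registered[serial] = (segment, key)
        return {                          # both fields encrypted to the public key
            "segment": pow(_to_int(str(segment).encode()), E, N),
            "key": pow(int.from_bytes(key, "big"), E, N),
        }


def run_demo() -> dict:
    """One full exchange on constructed sample values, then a replay attempt."""
    server = VpnServer("SN-2014-0001", "activation-secret")
    gateway = VpnGateway(["SN-2014-0001", "SN-2014-0002"], "10.8.0.0/16")
    server.activate("activation-secret")
    response = gateway.handle_authentication(server.build_verification_message())
    server.apply_configuration(response)
    replay = gateway.handle_authentication(server.build_verification_message())
    return {
        "segment": str(server.segment),
        "key_matches": server.session_key == gateway.registered["SN-2014-0001"][1],
        "terminal_ip": str(server.assign_terminal_address()),
        "replay_rejected": replay is None,
    }
```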
  • In the initial configuration, the VPN server is configured with the IP address of the VPN gateway in the private network.
  • The VPN server sends the verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server.
  • The VPN gateway allocates a private network address segment and an encryption key to the VPN server, and the VPN gateway sends the private network address segment and the encryption key to the VPN server.
  • the third-party authentication center provides the entire system with vendor-independent authentication services and a unified VPN device delivery service.
  • the third-party authentication center provides the initial configuration for the VPN server.
  • the third-party authentication center authenticates the VPN server accordingly. After the initial configuration of the VPN server, the user remotely accesses the intranet through the VPN server.
  • the method includes:
  • Step 401 The VPN server is connected to the Internet and obtains a public network IP address.
  • the public network IP address is obtained by static manual configuration, DHCP, or PPPoE.
  • Step 402 The user sends an activation request to the VPN server through the user terminal, so that the VPN server performs legality verification on the user.
  • the user can activate the VPN server by entering an activation password or by scanning a fingerprint or palm print, according to the activation mode set by the VPN server.
  • This embodiment of the present invention does not limit this.
  • Step 403 The VPN server generates an authentication message, where the authentication message includes a verification code message whose content is the device serial number of the VPN server; the VPN server encrypts and signs the verification code message in the authentication message by using the preset RSA private key, and sends the encrypted verification code message to the third-party authentication center;
  • Step 404 The third-party authentication center receives the authentication message, obtains the encrypted verification code message, and decrypts it by using the public key corresponding to the RSA private key that was stored in advance.
  • the device serial number obtained from the decrypted message is checked to determine whether it is registered in the system. If the device serial number belongs to a known device that has not yet been registered, the verification passes.
  • Step 405 After the verification is passed, the third-party authentication center sends a notification message to the VPN gateway of the headquarters, where the notification message carries the identifier and IP address information of the VPN server.
  • Step 406 The VPN gateway of the headquarters allocates an IP address segment of the private network to the VPN server, and an encryption key for subsequent VPN transmission.
  • the encryption key may be a symmetric key.
  • Step 407 The VPN gateway of the headquarters encrypts and signs the private network IP address segment and the encryption key by using the RSA public key, carries the encrypted private network IP address segment and encryption key in the distribution message, and sends the message to the VPN server;
  • Step 408 The VPN server decrypts the received distribution message, and obtains a private network IP address segment and an encryption key allocated by the VPN gateway to the VPN server.
  • Step 409 The VPN server automatically performs VPN configuration according to the received private network IP address segment and the encryption key.
  • Step 410 The user accesses the VPN server through the user terminal, and the VPN server performs legality verification on the accessing user. After the verification is passed, the VPN server allocates an IP address to the user terminal in the private network IP address segment.
  • the user can access the VPN server through the high-security authentication mode (WPA2) of the user terminal and start to access the data of the headquarters; in this access mode the VPN server verifies the validity of the connection password.
  • Step 411 The user terminal communicates with the VPN gateway of the headquarters using the standard IPSec VPN protocol and uses the Data Encryption Standard (DES) to encrypt data.
  • the VPN server performs activation password verification to determine whether the user has the qualification to activate the VPN server.
  • the VPN server performs user identity verification to determine whether the user is qualified to access intranet data through the VPN server.
  • the embodiment of the present invention provides a secure and convenient remote access mode.
  • the third-party authentication center serves as the management center of the VPN server; the IP address of the third-party authentication center is pre-configured in the VPN server, and when the user accesses through the VPN server, the VPN server connects to the third-party authentication center to perform VPN server authentication.
  • the third-party authentication center then requests the VPN gateway of the headquarters to allocate a private network address segment and an encryption key to the VPN server.
  • the VPN gateway sends the private network address segment and the encryption key to the VPN server, so that the VPN server allocates an IP address to the user terminal in the private network address segment and uses the encryption key to encrypt the data passed to the VPN gateway. Therefore, the user terminal accesses the intranet through the VPN server, and the above-mentioned secure encryption and authentication mechanism ensures an end-to-end security process from user access to data transmission.
  • the embodiment of the present invention further provides another schematic diagram of a method for implementing remote access of a user terminal to a private network, where the method is applied to a remote access system that includes a VPN server, a third-party authentication center and a VPN gateway in the private network, where a public network IP address of the VPN gateway is configured in the VPN server, and the method includes:
  • Step 501 The VPN server generates a verification code message, and sends the verification code message to the third-party authentication center, where the verification code message includes an identifier of the VPN server.
  • Step 502 The VPN server receives a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway at the request of the third-party authentication center after the third-party authentication center has verified the identifier of the VPN server;
  • Step 503 The VPN server performs system configuration according to the private network IP address segment and the encryption key.
  • Step 504 The VPN server receives a login request sent by the user terminal, allocates an IP address to the user terminal in the private network IP address segment, and uses the encryption key to transmit the data sent by the user terminal to the VPN gateway.
  • the third-party authentication center checks the VPN server; after the verification passes, the VPN gateway of the private network allocates the private network IP address segment and the encryption key to the VPN server, so that when the user terminal accesses the private network through the VPN server, the VPN server can assign the user terminal an IP address in the private network IP address segment and use the encryption key to transmit the data sent by the user terminal to the VPN gateway, thereby realizing the transmission of user data to the private network.
  • the VPN server is further configured with an RSA private key and, correspondingly, the third-party authentication center is configured with a public key corresponding to the RSA private key.
  • the VPN server encrypts the verification code message by using the RSA private key and sends the encrypted verification code message to the third-party authentication center, so that the third-party authentication center decrypts the verification code message by using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
  • a filtering rule may be set in the VPN server to limit the ports opened on the VPN server to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and to limit the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
  • the embodiment of the present invention further provides a system structure for implementing a remote access private network of a user terminal.
  • the remote access system includes a VPN server 601 and a VPN gateway 602 in a private network, where the VPN server 601 is configured with a public network IP address of the VPN gateway 602.
  • the VPN server 601 is configured to generate a verification code message, and send the verification code message to the VPN gateway 602, where the verification code message includes an identifier of the VPN server 601.
  • the VPN gateway 602 is configured to allocate a private network IP address segment and an encryption key to the VPN server 601 after verifying the identifier of the VPN server 601, and to send the private network IP address segment and the encryption key to the VPN server 601;
  • the VPN server 601 is further configured to receive a private network IP address segment and an encryption key returned by the VPN gateway 602, and perform system configuration according to the private network IP address segment and an encryption key;
  • the VPN server 601 is further configured to receive a login request sent by the user terminal, allocate an IP address to the user terminal in the private network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway 602.
  • the VPN server 601 is further configured with an RSA private key, and correspondingly the VPN gateway 602 is configured with a public key corresponding to the RSA private key.
  • the VPN server 601 is specifically configured to use the RSA private key to encrypt the verification code message, and send the encrypted verification code message to the VPN gateway 602;
  • the VPN gateway 602 is specifically configured to decrypt the verification code message by using a public key corresponding to the RSA private key, and obtain and verify the identifier of the VPN server 601.
  • the VPN server 601 is further configured to receive a configuration command, and store the RSA private key and a public network IP address of the VPN gateway 602.
  • the VPN server 601 is further provided with an activation password, and the VPN server 601 is further configured to receive and verify an activation request sent by the user terminal, where the activation request carries the activation password.
  • the VPN server 601 is configured with a filtering rule to limit the port opened on the VPN server 601 to a port used for VPN data transmission, and the open address is a public network IP address of the VPN gateway 602.
  • the embodiment of the present invention further provides another system structure for implementing a remote access private network of a user terminal.
  • the system includes a VPN server 701 and a VPN gateway 702 in a private network.
  • the public network IP address of the VPN gateway 702 is configured in the VPN server 701.
  • the VPN server 701 is configured to generate a verification code message, and send the verification code message to the third-party authentication center, where the verification code message includes an identifier of the VPN server 701.
  • the VPN gateway 702 is configured to receive a notification message that is sent by the third-party authentication center after the identifier verification of the VPN server 701 is passed, where the notification message carries the identifier of the VPN server 701.
  • the VPN gateway 702 is further configured to allocate a private network IP address segment and an encryption key to the VPN server 701, and send the private network IP address segment and an encryption key to the VPN server 701;
  • the VPN server 701 is further configured to receive a private network IP address segment and an encryption key returned by the VPN gateway, and perform system configuration according to the private network IP address segment and an encryption key;
  • the VPN server 701 is further configured to receive a login request sent by the user terminal, allocate an IP address to the user terminal in the private network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway 702.
  • the system further includes a third-party authentication center 703, and the third-party authentication center 703 is configured to check the identifier of the VPN server 701.
  • the VPN server 701 is further configured with an RSA private key, and correspondingly, the third-party authentication center 703 is configured with a public key corresponding to the RSA private key.
  • the VPN server 701 is specifically configured to encrypt the verification code message by using the RSA private key, and send the encrypted verification code message to the third-party authentication center 703;
  • the third-party authentication center 703 is specifically configured to decrypt the verification code message by using a public key corresponding to the RSA private key, and obtain and verify the identifier of the VPN server 701.
  • the VPN server 701 is further configured to receive a configuration command, and store the RSA private key and a public network IP address of the VPN gateway.
  • the VPN server 701 is further provided with an activation password.
  • the VPN server 701 is further configured to receive and verify an activation request sent by the user terminal, where the activation request carries an activation password.
  • a filtering rule is set in the VPN server 701 to limit the port opened on the VPN server 701 to the port used for VPN data transmission, and the open address to the public network IP address of the VPN gateway 702.
  • a VPN server for implementing remote access of a user terminal to a private network is provided in an embodiment of the present invention, where the VPN server is configured with a public network IP address of a VPN gateway in the private network, and the VPN server includes:
  • a generating unit 801 configured to generate a verification code message, where the verification code message includes an identifier of the VPN server;
  • the sending unit 802 is configured to send the verification code message generated by the generating unit 801 to the VPN gateway;
  • the receiving unit 803 is configured to receive a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway after the VPN gateway has verified the identifier of the VPN server;
  • the configuration unit 804 is configured to perform system configuration according to the private network IP address segment and the encryption key received by the receiving unit 803;
  • the receiving unit 803 is further configured to receive a login request sent by the user terminal;
  • a data transmission unit 805, configured to: after the receiving unit 803 receives the login request, allocate an IP address to the user terminal in the private network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway.
  • the RSA private key is also configured in the VPN server.
  • the generating unit 801 is specifically configured to encrypt the verification code message by using the RSA private key.
  • the sending unit 802 is specifically configured to send the encrypted verification code message generated by the generating unit 801 to the VPN gateway, so that the VPN gateway decrypts the verification code message by using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
  • the receiving unit 803 is further configured to receive a configuration instruction, and store the RSA private key and a public network IP address of the VPN gateway.
  • the receiving unit 803 is further configured to receive an activation request sent by the user terminal, where the activation request carries the activation password;
  • the VPN server further includes an authentication unit 806, configured to verify the activation password carried in the activation request received by the receiving unit 803.
  • the embodiment of the present invention further provides a VPN server, as shown in FIG. 9, comprising a receiver 901, a transmitter 902, a processor 903 and a memory 904, where the memory 904 is used to store the various configuration information of the initial configuration process. Specifically:
  • the memory 904 is configured to store a public network IP address of a VPN gateway in the private network;
  • the processor 903 is configured to generate a verification code message, where the verification code message includes an identifier of the VPN server;
  • the transmitter 902 is configured to send the verification code message generated by the processor 903 to the VPN gateway;
  • the receiver 901 is configured to receive a private network IP address segment and an encryption key returned by the VPN gateway, and to receive a login request sent by the user terminal, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway after the VPN gateway has verified the identifier of the VPN server;
  • the processor 903 is further configured to perform system configuration according to the private network IP address segment and the encryption key received by the receiver 901, allocate an IP address to the user terminal in the private network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway.
  • the processor 903 is specifically configured to encrypt the verification code message by using the RSA private key.
  • the transmitter 902 is specifically configured to send the encrypted verification code message generated by the processor 903 to the VPN gateway, so that the VPN gateway decrypts the verification code message by using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
  • the receiver 901 is further configured to receive a configuration instruction, where the configuration command includes the RSA private key and a public network IP address of the VPN gateway.
  • the receiver 901 is further configured to receive an activation request sent by the user terminal, where the activation request carries the activation password;
  • the processor 903 is further configured to verify the activation password carried in the activation request received by the receiver 901.
  • each embodiment in this specification is described in a progressive manner; the same or similar parts of the embodiments can be referred to each other, and each embodiment focuses on its differences from the other embodiments.
  • the description of the apparatus and system embodiments is relatively brief, and the relevant parts can be referred to the description of the method embodiment.
  • the apparatus and system embodiments described above are merely illustrative; the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.

Abstract

Provided are a method, system and device for enabling a user terminal to have access to a private network remotely. During initial configuration, an IP address of a VPN gateway in a private network is configured in a VPN server; and when a user terminal activates the VPN server, the VPN server sends a verification code message to the VPN gateway, the VPN gateway authenticates the VPN server, after the authentication is passed, the VPN gateway allocates a private network address field and an encryption key for the VPN server, and the VPN gateway sends the private network address field and the encryption key to the VPN server, such that the VPN server allocates the IP address for the user terminal in the private network address field, and data transferred to the VPN gateway is encrypted by utilizing the encryption key. Thus, the user terminal can have access to an enterprise intranet via the VPN server, and an end-to-end security flow from user access to data transmission is ensured by means of the above-mentioned secure encryption and authentication mechanism.
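The exchange summarised in the Abstract and in Steps 403 to 410 above, as an added example in Go. This is not code from the patent or from Huawei, and it rests on the following assumptions: the page's "encrypt the verification code with the RSA private key" is implemented as an RSA-PSS signature over the device serial number (that is what the operation achieves), the gateway's "encrypt and sign with the RSA public key" as RSA-OAEP encryption to the server's key, the private network segment is a /24 drawn from a constructed 10.8.0.0/16 pool, and the symmetric key is 32 random bytes; the DES data path after configuration is not modelled, and the serial numbers are constructed. `Verify` is the step that, in the second embodiment, runs at the third-party authentication center before it notifies the gateway.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net"
)

// VerificationCode (Step 403): device serial number plus a signature under the
// server's pre-set RSA private key, modelled here as RSA-PSS over SHA-256.
type VerificationCode struct {
	Serial string
	Sig    []byte
}

// Distribution (Steps 406/407): private-network segment and symmetric key.
type Distribution struct {
	Segment string // CIDR from a constructed 10.8.0.0/16 pool
	Key     []byte // 32 random bytes (the DES data path itself is not modelled)
}

// Gateway: pre-stored server public key and the registration table behind the
// "known and not yet registered" check of Step 404.
type Gateway struct {
	ServerPub  *rsa.PublicKey
	Registered map[string]bool // serial -> true once a segment has been issued
	nextNet    byte
}

// VPNServer: the device after its initial configuration.
type VPNServer struct {
	serial  string
	priv    *rsa.PrivateKey
	segment *net.IPNet
	key     []byte
	leased  byte // host octet of the last address leased to a user terminal
}

func NewVPNServer(serial string) (*VPNServer, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &VPNServer{serial: serial, priv: priv}, err
}

// PublicKey is what the verifying party stores in advance.
func (s *VPNServer) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// MakeVerificationCode signs the serial number (Step 403).
func (s *VPNServer) MakeVerificationCode() (VerificationCode, error) {
	h := sha256.Sum256([]byte(s.serial))
	sig, err := rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, h[:], nil)
	return VerificationCode{Serial: s.serial, Sig: sig}, err
}

// Verify (Step 404): the signature must check under the stored public key and
// the serial must be known but not yet registered.
func (g *Gateway) Verify(vc VerificationCode) error {
	h := sha256.Sum256([]byte(vc.Serial))
	if rsa.VerifyPSS(g.ServerPub, crypto.SHA256, h[:], vc.Sig, nil) != nil {
		return errors.New("verification code signature invalid")
	}
	if done, known := g.Registered[vc.Serial]; !known || done {
		return errors.New("device serial unknown or already registered")
	}
	return nil
}

// Allocate (Steps 405-407): issue a fresh /24 and a random key, record the
// registration, and seal both to the server with RSA-OAEP so only the holder of
// the matching private key can read them.
func (g *Gateway) Allocate(vc VerificationCode) ([]byte, error) {
	if err := g.Verify(vc); err != nil {
		return nil, err
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	g.nextNet++
	g.Registered[vc.Serial] = true
	// Distribution has only exported scalar fields, so Marshal cannot fail.
	plain, _ := json.Marshal(Distribution{Segment: fmt.Sprintf("10.8.%d.0/24", g.nextNet), Key: key})
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, g.ServerPub, plain, nil)
}

// Configure (Steps 408/409): decrypt the distribution and adopt segment and key.
func (s *VPNServer) Configure(sealed []byte) error {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, sealed, nil)
	if err != nil {
		return err
	}
	var d Distribution
	if err = json.Unmarshal(plain, &d); err != nil {
		return err
	}
	_, s.segment, err = net.ParseCIDR(d.Segment)
	s.key = d.Key
	return err
}

// LeaseAddress (Step 410): next host address in the segment for a verified user
// terminal; .1 is reserved for the server itself.
func (s *VPNServer) LeaseAddress() (net.IP, error) {
	if s.segment == nil || s.leased >= 253 {
		return nil, errors.New("server not configured or segment exhausted")
	}
	s.leased++
	ip := append(net.IP{}, s.segment.IP.To4()...)
	ip[3] = s.leased + 1
	return ip, nil
}
```

Calling `NewVPNServer`, `MakeVerificationCode`, `Allocate`, `Configure` and `LeaseAddress` in that order hands the first user terminal 10.8.1.2. A second `Allocate` with the same verification code is refused because the serial is now marked registered, which is what keeps a captured verification code from being reused to obtain a fresh segment and key; a verification code whose serial has been altered fails the signature check before the registration table is consulted.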

Description

Method, device and system for implementing remote access

Technical field
The present invention relates to the field of communications, and in particular to a method, device and system for implementing remote access.

Background
Virtual private networks (Virtual Private Network, VPN) are widely used in enterprise networks; they establish a private network over a public network for encrypted communication. A VPN uses an encrypted tunneling protocol (Tunneling Protocol, TP) to obtain confidentiality, sender authentication, message accuracy and similar security properties for private messages, so that reliable, secure messages can be sent over an insecure network such as the Internet.
For example, an employee of a company who travels out of town needs to access server resources in the intranet of the company headquarters; this kind of access is remote access. A VPN gateway is deployed in the intranet; after connecting to the Internet locally, the travelling employee connects to the VPN gateway over the Internet and enters the enterprise intranet through it, so that the employee can access intranet resources. To ensure data security, all communication data between the VPN gateway and the client used by the travelling employee is encrypted.
IPSec (Internet Protocol Security) VPN is a VPN technology that uses the IPSec protocol to implement remote access. It is a security standard framework defined by the Internet Engineering Task Force (IETF) to provide end-to-end encryption and authentication services for public and private networks. IPSec VPN supports the site-to-site scenario (site to site, or gateway to gateway): for example, the headquarters and a branch of a company are located at two different places on the Internet, and each uses a VPN gateway to establish a VPN tunnel for secure interconnection. However, this approach requires that the respective VPN gateways be configured with agreed parameters and that the encryption algorithm, keys, subnets and so on be negotiated and fixed in advance, so configuration and negotiation are complicated.
Summary of the invention
The object of the present invention is to provide a method, device and system for implementing remote access, so as to solve the problem that configuring and negotiating VPN gateways in existing IPSec VPN technology is complicated.
In a first aspect, an embodiment of the present invention provides a method for enabling a user terminal to remotely access a private network. The method is applied to a remote access system that includes a VPN server and a VPN gateway in the private network, where the public network IP address of the VPN gateway is configured in the VPN server. The method includes:
the VPN server generates a verification code message and sends the verification code message to the VPN gateway, where the verification code message includes an identifier of the VPN server;
the VPN server receives a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway after the VPN gateway has verified the identifier of the VPN server;
the VPN server performs system configuration according to the private network IP address segment and the encryption key;
the VPN server receives a login request sent by a user terminal, allocates an IP address to the user terminal within the private network IP address segment, and uses the encryption key to transmit the data sent by the user terminal to the VPN gateway.
With reference to the first aspect, in a first possible implementation of the first aspect, the VPN server is further configured with an RSA private key, and correspondingly the VPN gateway is configured with the public key corresponding to the RSA private key;
the VPN server generating a verification code message and sending the verification code message to the VPN gateway includes:
the VPN server encrypts the verification code message using the RSA private key and sends the encrypted verification code message to the VPN gateway, so that the VPN gateway decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
With reference to the first possible implementation of the first aspect, in a second possible implementation, before the VPN server sends the verification code message to the VPN gateway, the method further includes:
the VPN server receives a configuration instruction and stores the RSA private key and the public network IP address of the VPN gateway.
With reference to the first aspect, the first possible implementation of the first aspect or the second possible implementation of the first aspect, in a third possible implementation, the VPN server is further provided with an activation password, and before the VPN server generates the verification code message the method further includes:
the VPN server receives an activation request sent by the user terminal, where the activation request carries the activation password;
the VPN server verifies the activation password carried in the activation request.
With reference to the first aspect, the first possible implementation of the first aspect or the second possible implementation of the first aspect, in a fourth possible implementation, a filtering rule is set in the VPN server to restrict the ports open on the VPN server to the port used for VPN data transmission and the open address to the public network IP address of the VPN gateway.
With reference to the first aspect, in a fifth possible implementation, the identifier of the VPN server is the device serial number of the VPN server.
With reference to the third possible implementation of the first aspect, in a sixth possible implementation, the activation password includes at least one of a password, a fingerprint, a palm print or an iris.
In a second aspect, an embodiment of the present invention provides another method for enabling a user terminal to remotely access a private network. The method is applied to a remote access system that includes a VPN server, a third-party authentication center and a VPN gateway in the private network, where the public network IP address of the VPN gateway is configured in the VPN server. The method includes:
the VPN server generates a verification code message and sends the verification code message to the third-party authentication center, where the verification code message includes an identifier of the VPN server;
the VPN server receives a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated to the VPN server by the VPN gateway at the request of the third-party authentication center after the third-party authentication center has verified the identifier of the VPN server;
the VPN server performs system configuration according to the private network IP address segment and the encryption key;
the VPN server receives a login request sent by a user terminal, allocates an IP address to the user terminal within the private network IP address segment, and uses the encryption key to transmit the data sent by the user terminal to the VPN gateway.
With reference to the second aspect, in a first possible implementation of the second aspect, the VPN server is further configured with an RSA private key, and correspondingly the third-party authentication center is configured with the public key corresponding to the RSA private key;
the VPN server generating a verification code message and sending the verification code message to the third-party authentication center includes:
the VPN server encrypts the verification code message using the RSA private key and sends the encrypted verification code message to the third-party authentication center, so that the third-party authentication center decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
With reference to the second aspect or the first possible implementation of the second aspect, in a second possible implementation of the second aspect, a filtering rule is set in the VPN server to restrict the ports open on the VPN server to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
In a third aspect, an embodiment of the present invention provides a system for implementing remote access of a user terminal to a private network. The remote access system includes a VPN server and a VPN gateway in the private network, where the VPN server is configured with the public network IP address of the VPN gateway;
the VPN server is configured to generate a verification code message and send it to the VPN gateway, where the verification code message includes an identifier of the VPN server;
the VPN gateway is configured to allocate a private network IP address segment and an encryption key to the VPN server after the identifier of the VPN server has been verified, and to send the private network IP address segment and the encryption key to the VPN server;
the VPN server is further configured to receive the private network IP address segment and the encryption key returned by the VPN gateway, and to perform system configuration according to the private network IP address segment and the encryption key;
the VPN server is further configured to receive a login request sent by a user terminal, allocate an IP address to the user terminal from the private network IP address segment, and transmit the data sent by the user terminal to the VPN gateway using the encryption key.
With reference to the third aspect, in a first possible implementation of the third aspect, the VPN server is further configured with an RSA private key and, correspondingly, the VPN gateway is configured with the public key corresponding to the RSA private key;
the VPN server is specifically configured to encrypt the verification code message using the RSA private key and send the encrypted verification code message to the VPN gateway;
the VPN gateway is specifically configured to decrypt the verification code message using the public key corresponding to the RSA private key, and to obtain and verify the identifier of the VPN server.
With reference to the first possible implementation of the third aspect, in a second possible implementation of the third aspect, the VPN server is further configured to receive a configuration instruction and store the RSA private key and the public network IP address of the VPN gateway.
With reference to the third aspect, the first possible implementation of the third aspect, or the second possible implementation of the third aspect, in a third possible implementation of the third aspect, the VPN server is further provided with an activation password;
the VPN server is further configured to receive and verify an activation request sent by the user terminal, where the activation request carries the activation password.
With reference to the third aspect, the first possible implementation of the third aspect, or the second possible implementation of the third aspect, in a fourth possible implementation of the third aspect, the VPN server is provided with a filtering rule that restricts the ports open on the VPN server to the port used for VPN data transmission and restricts the open address to the public network IP address of the VPN gateway.
In a fourth aspect, an embodiment of the present invention further provides a system for implementing remote access of a user terminal to a private network. The system includes a VPN server and a VPN gateway in the private network, where the VPN server is configured with the public network IP address of the VPN gateway;
the VPN server is configured to generate a verification code message and send it to a third-party authentication center, where the verification code message includes an identifier of the VPN server;
the VPN gateway is configured to receive a notification message sent by the third-party authentication center after the identifier of the VPN server has been verified, where the notification message carries the identifier of the VPN server;
the VPN gateway is further configured to allocate a private network IP address segment and an encryption key to the VPN server, and to send the private network IP address segment and the encryption key to the VPN server;
the VPN server is further configured to receive the private network IP address segment and the encryption key returned by the VPN gateway, and to perform system configuration according to the private network IP address segment and the encryption key;
the VPN server is further configured to receive a login request sent by a user terminal, allocate an IP address to the user terminal from the private network IP address segment, and transmit the data sent by the user terminal to the VPN gateway using the encryption key.
With reference to the fourth aspect, in a first possible implementation of the fourth aspect, the system further includes the third-party authentication center;
the third-party authentication center is configured to verify the identifier of the VPN server.
With reference to the first possible implementation of the fourth aspect, in a second possible implementation of the fourth aspect, the VPN server is further configured with an RSA private key and, correspondingly, the third-party authentication center is configured with the public key corresponding to the RSA private key;
the VPN server is specifically configured to encrypt the verification code message using the RSA private key and send the encrypted verification code message to the third-party authentication center;
the third-party authentication center is specifically configured to decrypt the verification code message using the public key corresponding to the RSA private key, and to obtain and verify the identifier of the VPN server.
With reference to the second possible implementation of the fourth aspect, in a third possible implementation of the fourth aspect, the VPN server is provided with a filtering rule that restricts the ports open on the VPN server to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and restricts the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
In a fifth aspect, an embodiment of the present invention provides a VPN server for implementing remote access of a user terminal to a private network. The VPN server is configured with the public network IP address of a VPN gateway in the private network, and includes:
a generating unit, configured to generate a verification code message, where the verification code message includes an identifier of the VPN server;
a sending unit, configured to send the verification code message generated by the generating unit to the VPN gateway;
a receiving unit, configured to receive a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated by the VPN gateway to the VPN server after the identifier of the VPN server has been verified;
a configuration unit, configured to perform system configuration according to the private network IP address segment and the encryption key received by the receiving unit;
the receiving unit is further configured to receive a login request sent by a user terminal;
a data transmission unit, configured to, after the receiving unit receives the login request, allocate an IP address to the user terminal from the private network IP address segment and transmit the data sent by the user terminal to the VPN gateway using the encryption key.
With reference to the fifth aspect, in a first possible implementation of the fifth aspect, the VPN server is further configured with an RSA private key;
the generating unit is specifically configured to encrypt the verification code message using the RSA private key;
the sending unit is specifically configured to send the encrypted verification code message generated by the generating unit to the VPN gateway, so that the VPN gateway decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
With reference to the first possible implementation of the fifth aspect, in a second possible implementation of the fifth aspect, the receiving unit is further configured to receive a configuration instruction and store the RSA private key and the public network IP address of the VPN gateway.
With reference to the fifth aspect, in a third possible implementation of the fifth aspect, the receiving unit is further configured to receive an activation request sent by the user terminal, where the activation request carries the activation password;
correspondingly, the VPN server further includes an authentication unit, configured to verify the activation password carried in the activation request received by the receiving unit.
Embodiments of the present invention provide a method, a system and a device for implementing remote access of a user terminal to a private network. During initial configuration, the IP address of the VPN gateway in the private network is configured in the VPN server. After a user terminal activates the VPN server, the VPN server sends a verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server. After the authentication passes, the VPN gateway allocates a private network address segment and an encryption key to the VPN server and sends them to the VPN server, so that the VPN server allocates IP addresses to user terminals from the private network address segment and encrypts the data forwarded to the VPN gateway using the encryption key. In this way the user terminal accesses the enterprise intranet through the VPN server, and the above encryption and authentication mechanism secures the end-to-end flow from user access to data transmission.
DRAWINGS
To describe the technical solutions in the embodiments of the present invention or in the prior art more clearly, the drawings used in the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present invention, and a person of ordinary skill in the art may derive other drawings from them without creative effort.
FIG. 1 is a schematic flowchart of a method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a remote access system according to an embodiment of the present invention;
FIG. 3 is a schematic flowchart of a method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 4 is a schematic flowchart of another method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 5 is a schematic flowchart of another method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a system for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of another system for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of a VPN server for implementing remote access of a user terminal to a private network according to an embodiment of the present invention;
FIG. 9 is a schematic diagram of the hardware structure of a VPN server according to an embodiment of the present invention.
DETAILED DESCRIPTION
The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
FIG. 1 is a schematic flowchart of a method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention. The method is applied to a remote access system that includes a VPN server and a VPN gateway in the private network, where the VPN server is configured with the public network IP address of the VPN gateway. The method includes:
Step 101: The VPN server generates a verification code message and sends it to the VPN gateway, where the verification code message includes an identifier of the VPN server.
Step 102: The VPN server receives a private network IP address segment and an encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are allocated by the VPN gateway to the VPN server after the identifier of the VPN server has been verified.
Step 103: The VPN server performs system configuration according to the private network IP address segment and the encryption key.
Step 104: The VPN server receives a login request sent by a user terminal, allocates an IP address to the user terminal from the private network IP address segment, and transmits the data sent by the user terminal to the VPN gateway using the encryption key.
During initial configuration, the IP address of the VPN gateway in the private network is configured in the VPN server. After a user terminal activates the VPN server, the VPN server sends a verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server. After the authentication passes, the VPN gateway allocates a private network address segment and an encryption key to the VPN server and sends them to the VPN server, so that the VPN server allocates IP addresses to user terminals from the private network address segment and encrypts the data forwarded to the VPN gateway using the encryption key. In this way the user terminal accesses the enterprise intranet through the VPN server, and the above encryption and authentication mechanism secures the end-to-end flow from user access to data transmission.
Further, an RSA private key may be set in the VPN server and, correspondingly, the public key corresponding to the RSA private key is configured in the VPN gateway, so that the VPN server can use the RSA private key to encrypt the verification code message it sends to the VPN gateway. Specifically, the VPN server encrypts the verification code message using the RSA private key and sends the encrypted verification code message to the VPN gateway, so that the VPN gateway decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
The VPN server receives a configuration instruction and stores the RSA private key and the public network IP address of the VPN gateway.
When a user terminal needs to access the VPN gateway of the headquarters through the VPN server, the user terminal sends an activation request to the VPN server, where the activation request carries the activation password, and the VPN server verifies the activation password carried in the activation request. The activation password includes at least one of a password, a fingerprint, a palm print, or an iris.
The identifier of the VPN server is the device serial number of the VPN server.
FIG. 2 is a schematic structural diagram of a remote access system according to an embodiment of the present invention. A user terminal connects to the public network through the VPN server, from there to the VPN gateway of the enterprise's internal private network, and exchanges data with the enterprise intranet through the VPN gateway. The VPN server is preset with the parameters needed to connect to the headquarters, including the public network IP address of the headquarters and, further, the private key required for tunnel encryption and the activation password. The VPN server itself provides wireless and wired access and can filter connecting terminals by MAC address. The user terminal connects to the VPN server using a high-security authentication method (WPA2) in order to access the headquarters. Once activated, the VPN server automatically interacts with the VPN gateway of the headquarters to perform identity authentication, configuration negotiation and automatic configuration. Each time the VPN server starts a new connection, or after its IP address changes, it must be reactivated before it can provide service.
Before a user terminal performs remote access through the VPN server, the VPN server must first be initially configured so that it is usable. Specifically, in a real-world scenario, an employee may apply for a VPN server from the headquarters before travelling, and the IT administrators at the headquarters perform the initial configuration of the VPN server. The initial configuration may include the following:
writing the public network IP address of the VPN gateway of the headquarters into the VPN server;
writing the allocated RSA private key into the VPN server by means of a dedicated device, where the public key corresponding to the RSA private key is stored in the headquarters system; the RSA private key may be stored in a chip of the VPN server so that external systems cannot read it;
setting an activation password on the VPN server when the user applies for the VPN server from the IT administrator at the headquarters, where the activation password may be a password, a fingerprint, a palm print, an iris, or the like, which is not limited in the embodiments of the present invention;
opening only restricted ports and addresses on the VPN server, for example, opening only the ports used for VPN data transmission (500 or 4500) and the public network IP address of the VPN gateway. Specifically, a filtering rule for IP addresses and ports may be set on the VPN server, so that the VPN server can reach only the VPN gateway and no other public network address. On the other hand, when a third-party authentication center is responsible for verifying the VPN server, a filtering rule also needs to be set on the VPN server that restricts the open ports to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and restricts the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
An embodiment of the present invention provides a VPN server through which a remote terminal accesses the VPN gateway of an enterprise intranet, so as to provide a simple, secure and convenient plug-and-play VPN service for mobile office work.
FIG. 3 is a schematic flowchart of a method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention, including:
Step 301: The VPN server is connected to the Internet and started, and obtains a public network IP address. Specifically, the public network IP address may be obtained by static manual configuration, the Dynamic Host Configuration Protocol (DHCP), the Point-to-Point Protocol over Ethernet (PPPoE), or the like.
Step 302: The user sends an activation request to the VPN server through the user terminal, so that the VPN server verifies the legitimacy of the user.
According to the activation method set when the VPN server was applied for, the user may activate the VPN server by entering an activation password, scanning a fingerprint or a palm print, or the like, which is not limited in the embodiments of the present invention.
Step 303: The VPN server generates an authentication message that contains a verification code message whose content is the device serial number of the VPN server. The VPN server encrypts and signs the verification code message in the authentication message using the preset RSA private key and sends the authentication message to the VPN gateway of the headquarters.
Step 304: The VPN gateway of the headquarters receives the authentication message, obtains the encrypted verification code message, decrypts it using the previously stored public key corresponding to the RSA private key, and checks the decrypted device serial number to determine whether it is already registered in the system. If the device serial number is known and the device has not yet been registered in the system, the verification passes.
Step 305: After the verification is complete, the VPN gateway of the headquarters allocates to the VPN server a private network IP address segment and an encryption key for subsequent VPN transmission, where the encryption key may be a symmetric key.
Step 306: The VPN gateway of the headquarters encrypts and signs the private network IP address segment and the encryption key using the RSA public key, and carries the encrypted private network IP address segment and encryption key in an authentication response message sent to the VPN server.
Step 307: The VPN server decrypts the message carried in the received authentication response message and obtains the private network IP address segment and the encryption key that the VPN gateway allocated to it.
Step 308: The VPN server automatically performs VPN configuration according to the received private network IP address segment and encryption key.
Step 309: The user accesses the VPN server through the user terminal, the VPN server verifies the legitimacy of the accessing user, and after the verification passes, the VPN server allocates an IP address to the user terminal from the private network IP address segment.
Specifically, the user may connect the user terminal to the VPN server using a high-security authentication method (WPA2) and begin accessing the data of the headquarters. The VPN server verifies the legitimacy of the accessing user's connection by password.
Step 310: The user terminal and the VPN gateway of the headquarters exchange data using the standard IPSec VPN protocol, and encrypt the data using the Data Encryption Standard (DES).
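The activation exchange of steps 303 to 309, as an added Go example (not code from the patent or from the applicant): the server proves possession of the provisioned private key over its serial number, the gateway accepts only a known serial that is not yet registered, returns an address segment and a session key that only the holder of that private key can read, and the server then hands out addresses from the segment. Assumptions of this example: the text's "encrypt with the RSA private key" is modelled as an RSA-PSS signature, the response is RSA-OAEP encrypted to the server's key, and the serial numbers, the segment pool and the type names are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"net"
)

// Gateway is the headquarters VPN gateway: the server's public key, the serials
// it knows (nil until the device registers, then its session key) and a segment pool.
type Gateway struct {
	pub      *rsa.PublicKey
	sessions map[string][]byte
	pool     []string
}

// Server is the portable VPN server: provisioned key and serial, then what the gateway assigns.
type Server struct {
	priv     *rsa.PrivateKey
	Serial   string
	Subnet   *net.IPNet
	Key      []byte
	nextHost int
}

// VerificationMessage is the verification code message: serial number plus signature.
type VerificationMessage struct {
	Serial string
	Sig    []byte
}

// NewKeyPair is the provisioning step of FIG. 2: one RSA key pair per device (constructed).
func NewKeyPair() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Sign is step 303. The text's "encrypt with the RSA private key" is modelled
// as an RSA-PSS signature over the serial number (assumption of this example).
func (s *Server) Sign() (VerificationMessage, error) {
	h := sha256.Sum256([]byte(s.Serial))
	sig, err := rsa.SignPSS(rand.Reader, s.priv, crypto.SHA256, h[:], nil)
	return VerificationMessage{Serial: s.Serial, Sig: sig}, err
}

// Authenticate is steps 304 to 306: verify with the stored public key, accept
// only a known serial that is not yet registered (as the text describes), then
// allocate a segment and a fresh 256-bit key and return both encrypted to the
// server's key with RSA-OAEP, so that only the private-key holder can read them.
func (g *Gateway) Authenticate(m VerificationMessage) ([]byte, error) {
	h := sha256.Sum256([]byte(m.Serial))
	if rsa.VerifyPSS(g.pub, crypto.SHA256, h[:], m.Sig, nil) != nil {
		return nil, errors.New("verification code does not verify")
	}
	if key, known := g.sessions[m.Serial]; !known || key != nil {
		return nil, errors.New("serial number unknown or already registered")
	}
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	subnet := g.pool[0]
	g.pool, g.sessions[m.Serial] = g.pool[1:], key
	payload := append([]byte(subnet+"\x00"), key...) // segment, NUL, key
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, g.pub, payload, nil)
}

// Configure is steps 307 and 308: decrypt the response and adopt segment and key.
func (s *Server) Configure(resp []byte) error {
	payload, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, resp, nil)
	if err != nil {
		return err
	}
	i := bytes.IndexByte(payload, 0)
	if i < 0 {
		return errors.New("malformed authentication response")
	}
	_, ipnet, err := net.ParseCIDR(string(payload[:i]))
	if err != nil {
		return err
	}
	s.Subnet, s.Key, s.nextHost = ipnet, payload[i+1:], 1
	return nil
}

// AllocateIP is step 309: the next unused host address in the assigned segment
// for a user terminal (assumption: IPv4 segments no larger than /24).
func (s *Server) AllocateIP() (net.IP, error) {
	ones, bits := s.Subnet.Mask.Size()
	if s.nextHost >= 1<<(bits-ones)-1 { // keep the last (broadcast) address free
		return nil, errors.New("address segment exhausted")
	}
	ip := make(net.IP, len(s.Subnet.IP))
	copy(ip, s.Subnet.IP)
	ip[len(ip)-1] += byte(s.nextHost)
	s.nextHost++
	return ip, nil
}
```

The already-registered check follows step 304 literally, so the reactivation after every new connection that the FIG. 2 description requires would need the gateway to clear the entry when the earlier session ends, which this example does not model.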
In this embodiment of the present invention, during initial configuration the IP address of the VPN gateway in the private network is configured in the VPN server. After a user terminal activates the VPN server, the VPN server sends a verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server. After the authentication passes, the VPN gateway allocates a private network address segment and an encryption key to the VPN server and sends them to the VPN server, so that the VPN server allocates IP addresses to user terminals from the private network address segment and encrypts the data forwarded to the VPN gateway using the encryption key. In this way the user terminal accesses the enterprise intranet through the VPN server, and the above encryption and authentication mechanism secures the end-to-end flow from user access to data transmission.
FIG. 4 is a schematic flowchart of another method for implementing remote access of a user terminal to a private network according to an embodiment of the present invention. Unlike the foregoing embodiment, in this embodiment a third-party authentication center provides vendor-independent authentication services for the entire system and a unified VPN device issuing service. When a VPN server is applied for, the third-party authentication center provides its initial configuration; when a user accesses the enterprise intranet through the VPN server, the third-party authentication center correspondingly authenticates the VPN server. After the VPN server has been initially configured, the user remotely accesses the enterprise intranet through it.
The method includes:
Step 401: The VPN server connects to the Internet and obtains a public network IP address. Specifically, the public network IP address may be obtained by static manual configuration, DHCP, PPPoE or the like, which is not limited in the embodiments of the present invention.
Step 402: The user sends an activation request to the VPN server through the user terminal, so that the VPN server verifies the legitimacy of the user.
According to the activation method set when the VPN server was applied for, the user may activate the VPN server by entering an activation password, scanning a fingerprint or a palm print, or the like, which is not limited in the embodiments of the present invention.
Step 403: The VPN server generates an authentication message that contains a verification code message whose content is the device serial number of the VPN server. The VPN server encrypts and signs the verification code message in the authentication message using the preset RSA private key and sends the encrypted verification code message to the third-party authentication center.
Step 404: The third-party authentication center receives the authentication message, obtains the encrypted verification code message, decrypts it using the previously stored public key corresponding to the RSA private key, and checks the decrypted device serial number to determine whether it is already registered in the system. If the device serial number belongs to a known device that is not yet registered, the verification passes.
步骤405:校验通过后,第三方认证中心向总部的VPN网关发送通知消息,所述通知消息中携带所述VPN服务器的标识和IP地址信息;Step 405: After the verification is passed, the third-party authentication center sends a notification message to the VPN gateway of the headquarters, where the notification message carries the identifier and IP address information of the VPN server.
步骤406:总部的VPN网关为所述VPN服务器分配一个私网的IP地址段,以及后续进行VPN传输的加密密钥。具体的,所述加密密钥可以为对称密钥。Step 406: The VPN gateway of the headquarters allocates an IP address segment of the private network to the VPN server, and an encryption key for subsequent VPN transmission. Specifically, the encryption key may be a symmetric key.
步骤407:总部的VPN网关使用RSA公钥对私网IP地址段以及加密密钥进行加密并签名,将加密后的私网IP地址段以及加密密钥携带在分配消息中发送给所述VPN服务器;Step 407: The VPN gateway of the headquarters encrypts and signs the private network IP address segment and the encryption key by using the RSA public key, and carries the encrypted private network IP address segment and the encryption key in the distribution message and sends the message to the VPN server. ;
步骤408:VPN服务器对接收到的所述分配消息进行解密,获取所述VPN网关为所述VPN服务器分配的私网IP地址段以及加密密钥;Step 408: The VPN server decrypts the received distribution message, and obtains a private network IP address segment and an encryption key allocated by the VPN gateway to the VPN server.
步骤409:VPN服务器根据接收到的所述私网IP地址段以及加密密钥自动进行VPN配置;Step 409: The VPN server automatically performs VPN configuration according to the received private network IP address segment and the encryption key.
步骤410:用户通过用户终端接入VPN服务器,所述VPN服务器对接入用户进行合法性验证,验证通过后,为所述用户终端在所述私网IP地址段内分配IP地址;Step 410: The user accesses the VPN server through the user terminal, and the VPN server performs legality verification on the access user. After the verification is passed, the user terminal allocates an IP address in the private network IP address segment.
具体的,用户可以通过用户终端采用高安全的认证方式(WPA2)接入VPN服务器,开始访问总部的数据,VPN服务器对接入用户进行密码方式的连接合法性验证。 Specifically, the user can access the VPN server through the high-security authentication mode (WPA2) of the user terminal, and start to access the data of the headquarters. The VPN server authenticates the connection validity of the password in the access mode.
步骤411:用户终端与总部的VPN网关使用标准的IPSec VPN协议进行数据交互,使用数据加密标准(Data Encryption Standard,DES)进行数据的加密。Step 411: The user terminal communicates with the VPN gateway of the headquarters using a standard IPSec VPN protocol, and uses Data Encryption Standard (DES) to encrypt data.
需要说明的是,在前述激活过程中,VPN服务器进行激活口令验证,是确定用户是否具备激活VPN服务器的资质;在上述用户合法性验证过程中,VPN服务器进行用户身份验证,以确定用户是否具备通过VPN服务器访问总部内网数据的资质。It should be noted that, in the foregoing activation process, the VPN server performs activation password verification to determine whether the user has the qualification to activate the VPN server. In the above-mentioned user legality verification process, the VPN server performs user identity verification to determine whether the user has the user authentication. Qualification of accessing intranet data through the VPN server.
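The exchange of steps 403 to 408 written out, as an added example that is not part of the patent: a VPN server, a third-party authentication center and a headquarters gateway in Python against the standard library only. What the description calls encrypting the verification code with the RSA private key and decrypting it with the public key is, cryptographically, a signature: it proves which device produced the message but hides nothing, so the serial number travels in the clear. The example therefore signs (hash-then-sign) and verifies in steps 403 and 404, encrypts the allocation of step 407 to the server's public key, and lets the server check that allocation against a gateway key pair that the example assumes, since the description names only the server's key pair. The textbook RSA without padding, the device registry, the serial numbers, the 10.200.0.0/16 pool and the /24 allocation size are all this example's own choices; a deployment would use RSA-PSS and RSA-OAEP from a vetted library, or an authenticated key exchange such as IKEv2, in place of these primitives.

```python
# Added example, not code from the patent: the enrolment exchange of steps 403-408.
import hashlib, ipaddress, json, random, secrets

def _is_probable_prime(n, rng, rounds=24):
    if any(n % p == 0 for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):                       # Miller-Rabin witnesses
        x = pow(rng.randrange(2, n - 1), d, n)
        if x == 1:
            continue
        for _ in range(r):
            if x == n - 1:
                break
            x = pow(x, 2, n)
        else:
            return False
    return True

def _gen_prime(bits, rng):
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c, rng):
            return c

def rsa_keygen(bits=1024, seed=None):             # -> ((e, n), (d, n))
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:                # e = 65537 is prime, so this is the gcd check
            return (65537, p * q), (pow(65537, -1, phi), p * q)

def _h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(msg, priv):        # the description's "encrypt with the RSA private key"
    return pow(_h(msg), priv[0], priv[1])

def verify(msg, sig, pub):  # the description's "decrypt with the RSA public key"
    return 0 < sig < pub[1] and pow(sig, pub[0], pub[1]) == _h(msg)

def encrypt(payload, pub):  # textbook RSA, no padding; payload must stay below n
    m = int.from_bytes(payload, "big")
    if m >= pub[1]:
        raise ValueError("payload too long for this modulus")
    return pow(m, pub[0], pub[1]).to_bytes((pub[1].bit_length() + 7) // 8, "big")

def decrypt(ct, priv):
    m = pow(int.from_bytes(ct, "big"), priv[0], priv[1])
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def make_verification_code(serial, server_priv):   # step 403: content is the serial
    body = json.dumps({"serial": serial}).encode()
    return {"body": body.hex(), "sig": sign(body, server_priv)}

def auth_center_check(msg, server_pub, registry):
    """Step 404. registry maps each issued serial to 'already registered?'; only a
    known, not-yet-registered device passes, and marking it registered refuses replays."""
    body = bytes.fromhex(msg["body"])
    if not verify(body, msg["sig"], server_pub):
        return None
    serial = json.loads(body)["serial"]
    if registry.get(serial) is not False:
        return None
    registry[serial] = True
    return serial

def gateway_allocate(free_segments, gw_priv, server_pub):
    """Steps 406-407: a /24 and a 128-bit symmetric key, encrypted to the server's
    public key and signed with a gateway key pair that this example assumes."""
    seg, key = next(free_segments), secrets.token_bytes(16)
    ct = encrypt(json.dumps({"segment": str(seg), "key": key.hex()}).encode(), server_pub)
    return {"ct": ct.hex(), "sig": sign(ct, gw_priv)}

def accept_allocation(msg, server_priv, gw_pub):
    """Step 408: check the gateway signature before decrypting and configuring."""
    ct = bytes.fromhex(msg["ct"])
    if not verify(ct, msg["sig"], gw_pub):
        raise ValueError("allocation message not signed by the gateway")
    cfg = json.loads(decrypt(ct, server_priv))
    return cfg["segment"], bytes.fromhex(cfg["key"])

def run_enrolment(seed=None):
    """One enrolment, then a replayed and a tampered message (constructed data)."""
    server_pub, server_priv = rsa_keygen(seed=seed)
    gw_pub, gw_priv = rsa_keygen(seed=None if seed is None else seed + 1)
    registry = {"VPN-SRV-000123": False, "VPN-SRV-000124": False}   # issued serials
    pool = ipaddress.ip_network("10.200.0.0/16").subnets(new_prefix=24)
    msg = make_verification_code("VPN-SRV-000123", server_priv)
    if auth_center_check(msg, server_pub, registry) is None:
        raise RuntimeError("enrolment refused")
    segment, key = accept_allocation(gateway_allocate(pool, gw_priv, server_pub), server_priv, gw_pub)
    forged = dict(msg, body=json.dumps({"serial": "VPN-SRV-000124"}).encode().hex())
    return {"segment": segment, "key": key,
            "replay_rejected": auth_center_check(msg, server_pub, registry) is None,
            "tamper_rejected": auth_center_check(forged, server_pub, registry) is None}
```

run_enrolment() returns the allocated segment and key together with two refusals: the replayed verification code fails because the serial is now registered, and the message with a substituted serial fails because the signature no longer covers its body. Because the verification code carries nothing but the serial number, a copy captured before registration would still be accepted; a deployment would bind it to a nonce or timestamp chosen by the authentication center.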
This embodiment of the present invention provides a secure and convenient remote access mode. The third-party authentication center serves as the management center for VPN servers, and the IP address of the third-party authentication center is pre-configured in the VPN server. When a user accesses the enterprise intranet through the VPN server, the VPN server connects to the third-party authentication center for VPN server authentication. After authentication passes, the third-party authentication center requests the headquarters VPN gateway to allocate a private-network address segment and an encryption key to the VPN server, and the VPN gateway sends them to the VPN server, so that the VPN server can allocate IP addresses to user terminals from within that private-network address segment and use the encryption key to encrypt the data it forwards to the VPN gateway. The user terminal thereby accesses the enterprise intranet through the VPN server, and the encryption and authentication mechanism described above secures the end-to-end process from user access through data transmission.
As shown in FIG. 5, an embodiment of the present invention further provides a schematic flowchart of another method for a user terminal to remotely access a private network. The method applies to a remote access system that includes a VPN server, a third-party authentication center and a VPN gateway in the private network, where the VPN server is configured with the public IP address of the VPN gateway. The method includes:
Step 501: The VPN server generates a verification code message and sends it to the third-party authentication center; the verification code message includes the identifier of the VPN server.
Step 502: The VPN server receives the private-network IP address segment and encryption key returned by the VPN gateway, where the private-network IP address segment and encryption key are those that the third-party authentication center, after checking the identifier of the VPN server, requested the VPN gateway to allocate to the VPN server.
Step 503: The VPN server performs system configuration according to the private-network IP address segment and encryption key.
Step 504: The VPN server receives a login request sent by a user terminal, allocates the user terminal an IP address from within the private-network IP address segment, and uses the encryption key to transmit the data sent by the user terminal to the VPN gateway.
In this embodiment of the present invention, after the VPN server is activated, the third-party authentication center checks the VPN server; after the check passes, the VPN gateway of the private network allocates a private-network IP address segment and an encryption key to the VPN server, so that when a user terminal accesses the private network through the VPN server, the VPN server can allocate the user terminal an IP address from within the private-network IP address segment and use the encryption key to transmit the data sent by the user terminal to the VPN gateway, thereby delivering user data to the private network.
Further, the VPN server is additionally configured with an RSA private key and, correspondingly, the third-party authentication center is configured with the public key corresponding to that RSA private key.
The VPN server encrypts the verification code message with the RSA private key and sends the encrypted verification code message to the third-party authentication center, so that the third-party authentication center decrypts the verification code message with the public key corresponding to the RSA private key and obtains and checks the identifier of the VPN server.
During the initial configuration of the VPN server by the third-party authentication center, filtering rules may be set in the VPN server that restrict the ports open on the VPN server to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and restrict the open addresses to the IP address of the third-party authentication center and the public IP address of the VPN gateway. Restricting the addresses and ports that the VPN server can reach confines the VPN server to communicating with the private network, which improves the security of network transmission.
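The VPN server's side of steps 402 and 409 to 411 together with the filtering rules just described, as an added example that is not taken from the patent, in Python with the standard library only. It stores the activation password as a salted PBKDF2 hash and compares in constant time, hands out host addresses from the gateway-issued segment (reserving the first host for the server itself, an assumption of this example), applies an egress allowlist that reaches only the gateway on the IPsec ports (UDP 500 and 4500 plus ESP) and the authentication center on TCP 443 (the latter port an assumption), and frames packets with the gateway-issued key. The description specifies IPsec with DES; a 56-bit DES key has been brute-forceable since the late 1990s, so the framing below is a constructed stand-in for ESP that uses HMAC-SHA256 as a PRF in counter mode, an encrypt-then-MAC tag and a sequence number for replay rejection, and it is there to show the checks rather than to replace ESP with AES-GCM. The addresses 203.0.113.10 and 198.51.100.5 are documentation addresses chosen here.

```python
# Added example, not code from the patent: the VPN server's side of steps 402 and
# 409-411 plus the filtering rules; the data-plane framing is a constructed stand-in.
import hashlib, hmac, ipaddress, secrets, struct

def activation_record(password, iterations=200_000):
    """Step 402: keep a salted PBKDF2 hash of the activation password, never the password."""
    salt = secrets.token_bytes(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_activation(record, password):
    salt, iterations, stored = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(stored, candidate)

class AddressPool:
    """Step 410: host addresses from the gateway-issued segment; the first host is
    reserved for the VPN server itself (this example's convention)."""

    def __init__(self, segment):
        hosts = list(ipaddress.ip_network(segment).hosts())
        self.server_ip, self.free, self.leases = hosts[0], hosts[1:], {}

    def allocate(self, terminal_id):
        if terminal_id in self.leases:            # a re-login keeps its address
            return self.leases[terminal_id]
        if not self.free:
            raise RuntimeError("address segment exhausted")
        self.leases[terminal_id] = self.free.pop(0)
        return self.leases[terminal_id]

    def release(self, terminal_id):
        self.free.append(self.leases.pop(terminal_id))

def egress_rules(gateway_ip, auth_center_ip):
    """Filtering rules: only IPsec to the gateway and HTTPS (assumed port) to the center."""
    return {(gateway_ip, "udp", 500), (gateway_ip, "udp", 4500),     # IKE, NAT-T
            (gateway_ip, "esp", None),                                # ESP, IP proto 50
            (auth_center_ip, "tcp", 443)}

def egress_allowed(rules, dst_ip, proto, port=None):
    return (str(ipaddress.ip_address(dst_ip)), proto, port) in rules

# Step 411 names IPsec with DES. A 56-bit DES key is brute-forceable, so this
# stand-in for ESP uses HMAC-SHA256 as a PRF in counter mode, an encrypt-then-MAC
# tag and a sequence number for replay rejection (use AES-GCM in ESP for real).
def _subkeys(key):
    return hmac.new(key, b"enc", "sha256").digest(), hmac.new(key, b"mac", "sha256").digest()

def _keystream(enc_key, seq, length):
    blocks = (hmac.new(enc_key, struct.pack(">QI", seq, i), "sha256").digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]

def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, seq, plaintext):
    enc_key, mac_key = _subkeys(key)
    body = struct.pack(">Q", seq) + _xor(plaintext, _keystream(enc_key, seq, len(plaintext)))
    return body + hmac.new(mac_key, body, "sha256").digest()

def open_frame(key, frame, last_seq):
    """Return (seq, plaintext); raise on a bad tag or a replayed/out-of-order frame."""
    enc_key, mac_key = _subkeys(key)
    body, tag = frame[:-32], frame[-32:]
    if len(body) < 8 or not hmac.compare_digest(tag, hmac.new(mac_key, body, "sha256").digest()):
        raise ValueError("frame failed authentication")
    seq = struct.unpack(">Q", body[:8])[0]
    if seq <= last_seq:                          # real ESP keeps a sliding window instead
        raise ValueError("replayed or out-of-order frame")
    return seq, _xor(body[8:], _keystream(enc_key, seq, len(body) - 8))

def demo():
    """Constructed walk-through: activate, allocate, filter, forward one packet."""
    record = activation_record("correct horse battery")
    activated = verify_activation(record, "correct horse battery")
    refused = not verify_activation(record, "wrong password")
    pool = AddressPool("10.200.0.0/24")
    t1, t2 = pool.allocate("laptop-1"), pool.allocate("phone-1")
    rules = egress_rules("203.0.113.10", "198.51.100.5")     # documentation addresses
    key = secrets.token_bytes(16)                           # as issued by the gateway
    seq, plaintext = open_frame(key, seal(key, 1, b"GET /hq/report HTTP/1.1"), last_seq=0)
    return {"activated": activated, "refused": refused, "server_ip": str(pool.server_ip),
            "t1": str(t1), "t2": str(t2),
            "gateway_ok": egress_allowed(rules, "203.0.113.10", "udp", 4500),
            "ssh_blocked": not egress_allowed(rules, "203.0.113.10", "tcp", 22),
            "seq": seq, "plaintext": plaintext}
```

demo() runs the whole sequence once; open_frame rejects a frame whose tag does not verify before it looks at the sequence number, so a forged or modified frame never reaches the replay check, and the single last_seq argument is a simplification of the sliding anti-replay window that ESP keeps per security association.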
Corresponding to the foregoing method embodiments, an embodiment of the present invention further provides a schematic structural diagram of a system for a user terminal to remotely access a private network. As shown in FIG. 6, the remote access system includes a VPN server 601 and a VPN gateway 602 in the private network, and the VPN server 601 is configured with the public IP address of the VPN gateway 602.
The VPN server 601 is configured to generate a verification code message and send it to the VPN gateway 602; the verification code message includes the identifier of the VPN server 601.
The VPN gateway 602 is configured to, after checking the identifier of the VPN server 601 successfully, allocate a private-network IP address segment and an encryption key to the VPN server 601 and send them to the VPN server 601.
The VPN server 601 is further configured to receive the private-network IP address segment and encryption key returned by the VPN gateway 602 and to perform system configuration according to them.
The VPN server 601 is further configured to receive a login request sent by a user terminal, allocate the user terminal an IP address from within the private-network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway 602.
Further, the VPN server 601 is additionally configured with an RSA private key and, correspondingly, the VPN gateway 602 is configured with the public key corresponding to that RSA private key.
The VPN server 601 is specifically configured to encrypt the verification code message with the RSA private key and send the encrypted verification code message to the VPN gateway 602.
The VPN gateway 602 is specifically configured to decrypt the verification code message with the public key corresponding to the RSA private key and to obtain and check the identifier of the VPN server 601.
In the initial configuration phase of the VPN, the VPN server 601 is further configured to receive a configuration instruction and store the RSA private key and the public IP address of the VPN gateway 602.
The VPN server 601 is further provided with an activation password, and the VPN server 601 is further configured to receive and verify an activation request sent by a user terminal, where the activation request carries the activation password. Optionally, filtering rules are set in the VPN server 601 that restrict the ports open on the VPN server 601 to the port used for VPN data transmission and restrict the open address to the public IP address of the VPN gateway 602.
In another aspect, an embodiment of the present invention further provides a schematic structural diagram of another system for a user terminal to remotely access a private network. As shown in FIG. 7, the system includes a VPN server 701 and a VPN gateway 702 in the private network, and the VPN server 701 is configured with the public IP address of the VPN gateway 702.
The VPN server 701 is configured to generate a verification code message and send it to the third-party authentication center; the verification code message includes the identifier of the VPN server 701.
The VPN gateway 702 is configured to receive a notification message sent by the third-party authentication center after it has checked the identifier of the VPN server 701 successfully; the notification message carries the identifier of the VPN server 701.
The VPN gateway 702 is further configured to allocate a private-network IP address segment and an encryption key to the VPN server 701 and send them to the VPN server 701.
The VPN server 701 is further configured to receive the private-network IP address segment and encryption key returned by the VPN gateway and to perform system configuration according to them.
The VPN server 701 is further configured to receive a login request sent by a user terminal, allocate the user terminal an IP address from within the private-network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway 702.
Further, the system also includes a third-party authentication center 703, which is configured to check the identifier of the VPN server 701.
The VPN server 701 is additionally configured with an RSA private key and, correspondingly, the third-party authentication center 703 is configured with the public key corresponding to that RSA private key.
The VPN server 701 is specifically configured to encrypt the verification code message with the RSA private key and send the encrypted verification code message to the third-party authentication center 703.
The third-party authentication center 703 is specifically configured to decrypt the verification code message with the public key corresponding to the RSA private key and to obtain and check the identifier of the VPN server 701.
During the initial configuration of the VPN server, the VPN server 701 is further configured to receive a configuration instruction and store the RSA private key and the public IP address of the VPN gateway.
Further, during initial configuration, the VPN server 701 is also provided with an activation password.
The VPN server 701 is further configured to receive and verify an activation request sent by a user terminal, where the activation request carries the activation password.
Filtering rules are set in the VPN server 701 that restrict the ports open on the VPN server 701 to the port used for VPN data transmission and restrict the open address to the public IP address of the VPN gateway 702.
As shown in FIG. 8, an embodiment of the present invention provides a VPN server for a user terminal to remotely access a private network. The VPN server is configured with the public IP address of the VPN gateway in the private network and includes:
a generating unit 801, configured to generate a verification code message, where the verification code message includes the identifier of the VPN server;
a sending unit 802, configured to send the verification code message generated by the generating unit 801 to the VPN gateway;
a receiving unit 803, configured to receive the private-network IP address segment and encryption key returned by the VPN gateway, where the private-network IP address segment and encryption key are those that the VPN gateway allocated to the VPN server after checking the identifier of the VPN server;
a configuration unit 804, configured to perform system configuration according to the private-network IP address segment and encryption key received by the receiving unit 803;
the receiving unit 803 is further configured to receive a login request sent by a user terminal;
a data transmission unit 805, configured to, after the receiving unit 803 receives the login request, allocate the user terminal an IP address from within the private-network IP address segment and use the encryption key to transmit the data sent by the user terminal to the VPN gateway.
The VPN server is additionally configured with an RSA private key.
The generating unit 801 is specifically configured to encrypt the verification code message with the RSA private key.
The sending unit 802 is specifically configured to send the encrypted verification code message generated by the generating unit 801 to the VPN gateway, so that the VPN gateway decrypts the verification code message with the public key corresponding to the RSA private key and obtains and checks the identifier of the VPN server.
The receiving unit 803 is further configured to receive a configuration instruction and store the RSA private key and the public IP address of the VPN gateway.
The receiving unit 803 is further configured to receive an activation request sent by a user terminal, where the activation request carries the activation password.
Correspondingly, the VPN server further includes an authentication unit 806, configured to verify the activation password carried in the activation request received by the receiving unit 803.
An embodiment of the present invention further provides a VPN server which, as shown in FIG. 9, includes a receiver 901, a transmitter 902, a processor 903 and a memory 904, where the memory 904 may be used to store the various configuration information of the initial configuration process. Specifically:
the memory 904 is configured to store the public IP address of the VPN gateway in the private network;
the processor 903 is configured to generate a verification code message, where the verification code message includes the identifier of the VPN server;
the transmitter 902 is configured to send the verification code message generated by the processor 903 to the VPN gateway;
the receiver 901 is configured to receive the private-network IP address segment and encryption key returned by the VPN gateway and to receive a login request sent by a user terminal, where the private-network IP address segment and encryption key are those that the VPN gateway allocated to the VPN server after checking the identifier of the VPN server;
the processor 903 is further configured to perform system configuration according to the private-network IP address segment and encryption key received by the receiver 901, allocate the user terminal an IP address from within the private-network IP address segment, and use the encryption key to transmit the data sent by the user terminal to the VPN gateway.
The memory 904 further stores an RSA private key;
the processor 903 is specifically configured to encrypt the verification code message with the RSA private key;
the transmitter 902 is specifically configured to send the encrypted verification code message generated by the processor 903 to the VPN gateway, so that the VPN gateway decrypts the verification code message with the public key corresponding to the RSA private key and obtains and checks the identifier of the VPN server.
The receiver 901 is further configured to receive a configuration instruction, where the configuration instruction includes the RSA private key and the public IP address of the VPN gateway.
The receiver 901 is further configured to receive an activation request sent by a user terminal, where the activation request carries the activation password;
the processor 903 is further configured to verify the activation password carried in the activation request received by the receiver 901.
In this embodiment of the present invention, during initial configuration the VPN server is configured with the IP address of the VPN gateway in the private network. After the user terminal activates the VPN server, the VPN server sends a verification code message to the VPN gateway, and the VPN gateway authenticates the VPN server. Once authentication passes, the VPN gateway allocates a private-network address segment and an encryption key to the VPN server and sends them to the VPN server, so that the VPN server can allocate IP addresses to user terminals from within that private-network address segment and use the encryption key to encrypt the data it forwards to the VPN gateway. The user terminal thereby accesses the enterprise intranet through the VPN server, and the encryption and authentication mechanism described above secures the end-to-end process from user access through data transmission.
From the description of the foregoing implementations, those skilled in the art will clearly understand that all or some of the steps of the methods in the embodiments above may be implemented by software together with a necessary general-purpose hardware platform. On this understanding, the technical solution of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product. The computer software product may be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions that cause a computer device (which may be a personal computer, a resource management server, a network communication device such as a media gateway, or the like) to execute the methods described in the embodiments of the present invention or in parts of those embodiments.
It should be noted that the embodiments in this specification are described in a progressive manner; for identical or similar parts the embodiments may be referred to one another, and each embodiment focuses on what differs from the others. In particular, the device and system embodiments are essentially similar to the method embodiments and are therefore described relatively briefly; for relevant details, refer to the description of the method embodiments. The device and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over multiple network units. Some or all of the modules may be selected according to actual needs to achieve the objectives of the solutions in the embodiments. Those of ordinary skill in the art can understand and implement them without creative effort.
The foregoing is merely the preferred embodiments of the present invention and is not intended to limit the scope of protection of the present invention. Any modification, equivalent replacement, improvement or the like made within the spirit and principles of the present invention shall fall within the scope of protection of the present invention.

Claims (23)

  1. 一种实现用户终端远程接入专用网络的方法,其特征在于,所述方法应用于远程接入系统,所述远程接入系统包括虚拟专用网VPN服务器和专用网络中的VPN网关,所述VPN服务器中配置有所述VPN网关的公网IP地址,所述方法包括:A method for realizing remote access of a user terminal to a private network, wherein the method is applied to a remote access system, the remote access system comprising a virtual private network VPN server and a VPN gateway in a private network, the VPN A public network IP address of the VPN gateway is configured in the server, where the method includes:
    所述VPN服务器生成验证码报文,将所述验证码报文发送给所述VPN网关,所述验证码报文包括所述VPN服务器的标识;The VPN server generates a verification code message, and sends the verification code message to the VPN gateway, where the verification code message includes an identifier of the VPN server;
    所述VPN服务器接收所述VPN网关返回的私网IP地址段和加密密钥,所述私网IP地址段和加密密钥具体为所述VPN网关在对所述VPN服务器的标识进行校验通过后为所述VPN服务器分配的;The VPN server receives the private network IP address segment and the encryption key returned by the VPN gateway, where the private network IP address segment and the encryption key are specifically verified by the VPN gateway to verify the identifier of the VPN server. After being allocated for the VPN server;
    所述VPN服务器根据所述私网IP地址段和加密密钥进行系统配置;The VPN server performs system configuration according to the private network IP address segment and an encryption key;
    所述VPN服务器接收用户终端发送的登陆请求,在所述私网IP地址段内为所述用户终端分配IP地址,使用所述加密密钥向所述VPN网关传输所述用户终端发送的数据。The VPN server receives a login request sent by the user terminal, allocates an IP address to the user terminal in the private network IP address segment, and transmits the data sent by the user terminal to the VPN gateway by using the encryption key.
  2. The method according to claim 1, wherein the VPN server is further configured with an RSA private key and, correspondingly, the VPN gateway is configured with the public key corresponding to the RSA private key, and
    the VPN server generating a verification code message and sending the verification code message to the VPN gateway comprises:
    the VPN server encrypts the verification code message using the RSA private key and sends the encrypted verification code message to the VPN gateway, so that the VPN gateway decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
  3. The method according to claim 2, wherein before the VPN server sends the verification code message to the VPN gateway, the method further comprises:
    the VPN server receives a configuration instruction and stores the RSA private key and the public network IP address of the VPN gateway.
  4. The method according to any one of claims 1-3, wherein the VPN server is further provided with an activation password, and before the VPN server generates the verification code message, the method further comprises:
    the VPN server receives an activation request sent by the user terminal, the activation request carrying the activation password;
    the VPN server verifies the activation password carried in the activation request.
  5. The method according to any one of claims 1-3, wherein the VPN server is provided with a filtering rule that restricts the ports open on the VPN server to the port used for VPN data transmission, and restricts the open address to the public network IP address of the VPN gateway.
  6. The method according to claim 1, wherein the identifier of the VPN server is the device serial number of the VPN server.
  7. The method according to claim 4, wherein the activation password comprises at least one of a password, a fingerprint, a palm print or an iris.
  8. A method for implementing remote access by a user terminal to a private network, applied to a remote access system, the remote access system comprising a VPN server, a third-party authentication center and a VPN gateway in the private network, the VPN server being configured with the public network IP address of the VPN gateway, the method comprising:
    the VPN server generates a verification code message and sends the verification code message to the third-party authentication center, the verification code message comprising an identifier of the VPN server;
    the VPN server receives a private network IP address segment and an encryption key returned by the VPN gateway, the private network IP address segment and the encryption key being allocated by the VPN gateway to the VPN server at the request of the third-party authentication center after the third-party authentication center has verified the identifier of the VPN server;
    the VPN server performs system configuration according to the private network IP address segment and the encryption key;
    the VPN server receives a login request sent by a user terminal, allocates an IP address to the user terminal within the private network IP address segment, and transmits the data sent by the user terminal to the VPN gateway using the encryption key.
  9. The method according to claim 8, wherein the VPN server is further configured with an RSA private key and, correspondingly, the third-party authentication center is configured with the public key corresponding to the RSA private key, and
    the VPN server generating a verification code message and sending the verification code message to the third-party authentication center comprises:
    the VPN server encrypts the verification code message using the RSA private key and sends the encrypted verification code message to the third-party authentication center, so that the third-party authentication center decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
  10. The method according to claim 8 or 9, wherein the VPN server is provided with a filtering rule that restricts the ports open on the VPN server to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and restricts the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
  11. A system for implementing remote access by a user terminal to a private network, wherein the remote access system comprises a VPN server and a VPN gateway in the private network, the VPN server being configured with the public network IP address of the VPN gateway,
    the VPN server is configured to generate a verification code message and send the verification code message to the VPN gateway, the verification code message comprising an identifier of the VPN server;
    the VPN gateway is configured to allocate, after the identifier of the VPN server has been verified, a private network IP address segment and an encryption key to the VPN server, and to send the private network IP address segment and the encryption key to the VPN server;
    the VPN server is further configured to receive the private network IP address segment and the encryption key returned by the VPN gateway, and to perform system configuration according to the private network IP address segment and the encryption key;
    the VPN server is further configured to receive a login request sent by a user terminal, allocate an IP address to the user terminal within the private network IP address segment, and transmit the data sent by the user terminal to the VPN gateway using the encryption key.
  12. The system according to claim 11, wherein the VPN server is further configured with an RSA private key and, correspondingly, the VPN gateway is configured with the public key corresponding to the RSA private key,
    the VPN server is specifically configured to encrypt the verification code message using the RSA private key and send the encrypted verification code message to the VPN gateway;
    the VPN gateway is specifically configured to decrypt the verification code message using the public key corresponding to the RSA private key, and to obtain and verify the identifier of the VPN server.
  13. The system according to claim 12, wherein
    the VPN server is further configured to receive a configuration instruction and store the RSA private key and the public network IP address of the VPN gateway.
  14. The system according to any one of claims 11-13, wherein the VPN server is further provided with an activation password, and
    the VPN server is further configured to receive and verify an activation request sent by the user terminal, the activation request carrying the activation password.
  15. The system according to any one of claims 11-13, wherein the VPN server is provided with a filtering rule that restricts the ports open on the VPN server to the port used for VPN data transmission, and restricts the open address to the public network IP address of the VPN gateway.
  16. A system for implementing remote access by a user terminal to a private network, wherein the system comprises a VPN server and a VPN gateway in the private network, the VPN server being configured with the public network IP address of the VPN gateway,
    the VPN server is configured to generate a verification code message and send the verification code message to the third-party authentication center, the verification code message comprising an identifier of the VPN server;
    the VPN gateway is configured to receive a notification message sent by the third-party authentication center after the identifier of the VPN server has been verified, the notification message carrying the identifier of the VPN server;
    the VPN gateway is further configured to allocate a private network IP address segment and an encryption key to the VPN server, and to send the private network IP address segment and the encryption key to the VPN server;
    the VPN server is further configured to receive the private network IP address segment and the encryption key returned by the VPN gateway, and to perform system configuration according to the private network IP address segment and the encryption key;
    the VPN server is further configured to receive a login request sent by a user terminal, allocate an IP address to the user terminal within the private network IP address segment, and transmit the data sent by the user terminal to the VPN gateway using the encryption key.
  17. The system according to claim 16, wherein the system further comprises a third-party authentication center, and
    the third-party authentication center is configured to verify the identifier of the VPN server.
  18. The system according to claim 17, wherein the VPN server is further configured with an RSA private key and, correspondingly, the third-party authentication center is configured with the public key corresponding to the RSA private key,
    the VPN server is specifically configured to encrypt the verification code message using the RSA private key and send the encrypted verification code message to the third-party authentication center;
    the third-party authentication center is specifically configured to decrypt the verification code message using the public key corresponding to the RSA private key, and to obtain and verify the identifier of the VPN server.
  19. The system according to claim 18, wherein the VPN server is provided with a filtering rule that restricts the ports open on the VPN server to the port used for VPN data transmission and the port used to interact with the third-party authentication center, and restricts the open addresses to the IP address of the third-party authentication center and the public network IP address of the VPN gateway.
  20. A VPN server for implementing remote access by a user terminal to a private network, wherein the VPN server is configured with the public network IP address of a VPN gateway in the private network, and the VPN server comprises:
    a generating unit, configured to generate a verification code message, the verification code message comprising an identifier of the VPN server;
    a sending unit, configured to send the verification code message generated by the generating unit to the VPN gateway;
    a receiving unit, configured to receive a private network IP address segment and an encryption key returned by the VPN gateway, the private network IP address segment and the encryption key being allocated by the VPN gateway to the VPN server after the VPN gateway has verified the identifier of the VPN server;
    a configuration unit, configured to perform system configuration according to the private network IP address segment and the encryption key received by the receiving unit;
    the receiving unit being further configured to receive a login request sent by a user terminal; and
    a data transmission unit, configured to allocate, after the receiving unit has received the login request, an IP address to the user terminal within the private network IP address segment, and to transmit the data sent by the user terminal to the VPN gateway using the encryption key.
  21. The VPN server according to claim 20, wherein the VPN server is further configured with an RSA private key,
    the generating unit is specifically configured to encrypt the verification code message using the RSA private key;
    the sending unit is specifically configured to send the encrypted verification code message generated by the generating unit to the VPN gateway, so that the VPN gateway decrypts the verification code message using the public key corresponding to the RSA private key and obtains and verifies the identifier of the VPN server.
  22. The VPN server according to claim 21, wherein
    the receiving unit is further configured to receive a configuration instruction and store the RSA private key and the public network IP address of the VPN gateway.
  23. The VPN server according to claim 20, wherein
    the receiving unit is further configured to receive an activation request sent by the user terminal, the activation request carrying the activation password; and
    correspondingly, the VPN server further comprises an authentication unit, configured to verify the activation password carried in the activation request received by the receiving unit.
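The handshake the claims describe, as an added worked example (this is not the patent's code, and Huawei's actual implementation is not public here): the VPN server proves its identity with a verification code message carrying its device serial number (claims 1 and 6), a verifier checks it with the server's RSA public key (the VPN gateway in claims 1-7, a third-party authentication center in claims 8-10; the system and apparatus claims 11-23 restate the same flow), the gateway then allocates a private network IP address segment and an encryption key, and the provisioned server hands addresses out of that segment to user terminals. Assumptions made here and not stated in the claims: the verifier keeps a list of known serial numbers, the message carries a nonce, the gateway sits at 203.0.113.10 and allocates 10.8.x.0/24 segments, and the "encrypt with the RSA private key, decrypt with the public key" step is modelled as a signature over a hash of the message, with unpadded textbook RSA standing in for a real library. The data-plane step (carrying terminal traffic under the encryption key) is not modelled; the example stops at the key handover and the claim 5 address filter on the server.

```python
"""Toy model of the provisioning handshake in claims 1-10 (restated in claims 11-23); an added
illustration, not the patent's code, with textbook RSA standing in for a crypto library."""
import hashlib, ipaddress, json, math, secrets

def is_probable_prime(n, rounds=16):
    # Miller-Rabin with random bases; n is assumed odd and > 3
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keypair(bits=1024):
    # returns ((n, e), (n, d)) with e = 65537 and primes drawn from secrets.randbits
    primes = []
    while len(primes) < 2:
        c = secrets.randbits(bits // 2) | 1 << (bits // 2 - 1) | 1   # top bit set, odd
        if is_probable_prime(c):
            primes.append(c)
    n, phi = primes[0] * primes[1], (primes[0] - 1) * (primes[1] - 1)
    if math.gcd(65537, phi) != 1:   # rare; draw a fresh pair
        return rsa_keypair(bits)
    return (n, 65537), (n, pow(65537, -1, phi))

# "Encrypt with the private key, decrypt with the public key" (claims 2/9) on a message hash
# is a signature; that is how the operation is modelled here (unpadded, illustration only).
def rsa_sign(priv, data):
    return pow(int.from_bytes(hashlib.sha256(data).digest(), "big"), priv[1], priv[0])
def rsa_verify(pub, data, sig):
    return pow(sig, pub[1], pub[0]) == int.from_bytes(hashlib.sha256(data).digest(), "big")

class VpnServer:
    def __init__(self, serial, priv, gateway_ip):
        # claim 3: the private key and the gateway's public IP are stored from configuration
        self.serial, self.priv, self.gateway_ip = serial, priv, gateway_ip
        self.pool, self.key, self.leases = None, None, {}
    def verification_message(self):
        # claims 1/6: carries the device serial number; the nonce is an added assumption
        payload = json.dumps({"serial": self.serial, "nonce": secrets.token_hex(8)}).encode()
        return payload, rsa_sign(self.priv, payload)
    def receive_provisioning(self, src_ip, segment, key):
        # claim 5 filtering rule: anything not from the configured gateway address is dropped
        if src_ip != self.gateway_ip:
            raise PermissionError(f"provisioning from unexpected address {src_ip}")
        self.pool, self.key = iter(ipaddress.ip_network(segment).hosts()), key
    def login(self, terminal):
        self.leases[terminal] = next(self.pool)   # claim 1: an address out of the segment
        return self.leases[terminal]

def check_identity(server_pub, known_serials, payload, sig):
    # claims 2/9; the list of known serial numbers is an assumption (claims only say "verified")
    if not rsa_verify(server_pub, payload, sig):
        return None
    serial = json.loads(payload)["serial"]
    return serial if serial in known_serials else None

class VpnGateway:
    def __init__(self, public_ip, server_pub, known_serials):
        self.public_ip, self.server_pub, self.known = public_ip, server_pub, known_serials
        self.next_net, self.provisioned = 24, {}   # constructed 10.8.x.0/24 address plan
    def allocate(self, serial):
        # claims 1/16: a segment and a key for a server whose identity check has passed
        seg, key = f"10.8.{self.next_net}.0/24", secrets.token_bytes(32)
        self.next_net += 1
        self.provisioned[serial] = (seg, key)
        return self.public_ip, seg, key
    def handle_verification(self, payload, sig):   # claims 1-2: the gateway checks directly
        serial = check_identity(self.server_pub, self.known, payload, sig)
        return self.allocate(serial) if serial else None

def auth_center_verification(server_pub, known_serials, gateway, payload, sig):
    # claims 8-9: the third party checks the identity, then has the gateway allocate
    serial = check_identity(server_pub, known_serials, payload, sig)
    return gateway.allocate(serial) if serial else None

def run_flow(via_auth_center):
    pub, priv = rsa_keypair()
    gw = VpnGateway("203.0.113.10", pub, {"SN-0001"})
    srv = VpnServer("SN-0001", priv, "203.0.113.10")
    payload, sig = srv.verification_message()
    result = (auth_center_verification(pub, {"SN-0001"}, gw, payload, sig)
              if via_auth_center else gw.handle_verification(payload, sig))
    srv.receive_provisioning(*result)   # (gateway IP, segment, key)
    return str(srv.login("laptop-1")), srv.key == gw.provisioned["SN-0001"][1]

def rogue_is_rejected():
    # right serial number but a different private key: the gateway allocates nothing
    gw = VpnGateway("203.0.113.10", rsa_keypair()[0], {"SN-0001"})
    rogue = VpnServer("SN-0001", rsa_keypair()[1], "203.0.113.10")
    return gw.handle_verification(*rogue.verification_message()) is None
```

`run_flow(False)` exercises the direct gateway check of claims 1-7 and `run_flow(True)` the relayed check of claims 8-10; both end with the server holding the gateway's segment and key and handing 10.8.24.1 to the first terminal. `rogue_is_rejected()` shows what the signature actually buys: a device that knows a valid serial number but not the matching private key gets no segment and no key. Note that the claims' identifier check alone does not bind the message to a session, which is why the nonce was added; a deployment would also want the verifier to track and reject nonces it has already seen.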
PCT/CN2014/095582 2014-12-30 2014-12-30 Remote access implementation method, device and system WO2016106560A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/CN2014/095582 WO2016106560A1 (en) 2014-12-30 2014-12-30 Remote access implementation method, device and system
CN201480038036.7A CN105493453B (en) 2014-12-30 2014-12-30 It is a kind of to realize the method, apparatus and system remotely accessed

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2014/095582 WO2016106560A1 (en) 2014-12-30 2014-12-30 Remote access implementation method, device and system

Publications (1)

Publication Number Publication Date
WO2016106560A1 true WO2016106560A1 (en) 2016-07-07

Family

ID=55678513

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/095582 WO2016106560A1 (en) 2014-12-30 2014-12-30 Remote access implementation method, device and system

Country Status (2)

Country Link
CN (1) CN105493453B (en)
WO (1) WO2016106560A1 (en)

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106937278A (en) * 2017-05-09 2017-07-07 深圳市乃斯网络科技有限公司 Mobile terminal device obtains IP method and system automatically
CN111935213A (en) * 2020-06-29 2020-11-13 杭州创谐信息技术股份有限公司 Distributed trusted authentication virtual networking system and method
CN112351040A (en) * 2020-11-10 2021-02-09 宏图智能物流股份有限公司 Network request validity verification method applied to logistics network
CN114244762A (en) * 2021-12-14 2022-03-25 乾讯信息技术(无锡)有限公司 Method for realizing network VPN cipher machine based on non-IP address
CN114900374A (en) * 2022-07-13 2022-08-12 深圳市乙辰科技股份有限公司 Intelligent remote network resource intercommunication deployment method and system and cloud platform
CN116055220A (en) * 2023-03-20 2023-05-02 睿至科技集团有限公司 Internet of things terminal safety protection management and control method and system
CN116318876A (en) * 2023-02-16 2023-06-23 江苏特视智能科技有限公司 Special security gateway system for information board information release and operation method thereof

Families Citing this family (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106130864B (en) * 2016-07-06 2019-02-26 北京国电通网络技术有限公司 A kind of private clound cut-in method and device based on VPN
CN106330653A (en) * 2016-08-30 2017-01-11 成都极玩网络技术有限公司 Intelligent shunt gateway based on lightweight secure virtual private network
CN107135219B (en) * 2017-05-05 2020-04-28 四川长虹电器股份有限公司 Internet of things information secure transmission method
CN109495362B (en) * 2018-12-25 2020-12-11 新华三技术有限公司 Access authentication method and device
CN110278181B (en) * 2019-01-29 2021-09-17 广州金越软件技术有限公司 Instant protocol conversion system for cross-network data exchange
CN111538781B (en) * 2020-04-13 2023-01-13 深圳创客区块链技术有限公司 Block chain cross-chain key secure access method, device and storage medium
CN113645115B (en) * 2020-04-27 2023-04-07 中国电信股份有限公司 Virtual private network access method and system
CN114124584B (en) * 2022-01-28 2022-05-17 卓望数码技术(深圳)有限公司 Method, device and system for remotely accessing office network, network access equipment and medium

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030149899A1 (en) * 1999-01-29 2003-08-07 International Business Machines Corporation System and method for network address translation integration with IP security
JP2008199497A (en) * 2007-02-15 2008-08-28 Nippon Telegr & Teleph Corp <Ntt> Gateway device and authentication processing method
CN101820344A (en) * 2010-03-23 2010-09-01 中国电信股份有限公司 AAA server, home network access method and system
CN102571817A (en) * 2012-02-15 2012-07-11 华为技术有限公司 Method and device for accessing application server
CN102984045A (en) * 2012-12-05 2013-03-20 网神信息技术(北京)股份有限公司 Access method of Virtual Private Network and Virtual Private Network client

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE602004010519T2 (en) * 2003-07-04 2008-11-13 Nippon Telegraph And Telephone Corp. REMOTE ACCESS VPN TREATMENT PROCESS AND TREATMENT DEVICE
CN1581805A (en) * 2004-05-17 2005-02-16 深圳市深信服电子科技有限公司 VPN client end safety strategy exchange and storage method
CN102255920A (en) * 2011-08-24 2011-11-23 杭州华三通信技术有限公司 Method and device for sending VPN (Virtual Private Network) configuration information

Cited By (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106937278A (en) * 2017-05-09 2017-07-07 深圳市乃斯网络科技有限公司 Mobile terminal device obtains IP method and system automatically
CN111935213A (en) * 2020-06-29 2020-11-13 杭州创谐信息技术股份有限公司 Distributed trusted authentication virtual networking system and method
CN111935213B (en) * 2020-06-29 2023-07-04 杭州创谐信息技术股份有限公司 Distributed trusted authentication-based virtual networking system and method
CN112351040A (en) * 2020-11-10 2021-02-09 宏图智能物流股份有限公司 Network request validity verification method applied to logistics network
CN112351040B (en) * 2020-11-10 2022-07-29 宏图智能物流股份有限公司 Network request validity verification method applied to logistics network
CN114244762A (en) * 2021-12-14 2022-03-25 乾讯信息技术(无锡)有限公司 Method for realizing network VPN cipher machine based on non-IP address
CN114900374A (en) * 2022-07-13 2022-08-12 深圳市乙辰科技股份有限公司 Intelligent remote network resource intercommunication deployment method and system and cloud platform
CN116318876A (en) * 2023-02-16 2023-06-23 江苏特视智能科技有限公司 Special security gateway system for information board information release and operation method thereof
CN116318876B (en) * 2023-02-16 2023-09-12 江苏特视智能科技有限公司 Special security gateway system for information board information release
CN116055220A (en) * 2023-03-20 2023-05-02 睿至科技集团有限公司 Internet of things terminal safety protection management and control method and system

Also Published As

Publication number Publication date
CN105493453A (en) 2016-04-13
CN105493453B (en) 2019-02-01

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 201480038036.7

Country of ref document: CN

121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 14909372

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 14909372

Country of ref document: EP

Kind code of ref document: A1