CN111835613A - Data transmission method of VPN server and VPN server - Google Patents


Info

Publication number
CN111835613A
Authority
CN
China
Prior art keywords
data
message
target
data flow
control flow
Prior art date
Legal status
Granted
Application number
CN201910327880.6A
Other languages
Chinese (zh)
Other versions
CN111835613B (en)
Inventor
***达
曹志文
Current Assignee
Xiamen Wangsu Co Ltd
Original Assignee
Xiamen Wangsu Co Ltd
Priority date
Filing date
Publication date
Application filed by Xiamen Wangsu Co Ltd
Priority to CN201910327880.6A
Publication of CN111835613A
Application granted
Publication of CN111835613B
Legal status: Active
Anticipated expiration


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 12/00 Data switching networks
    • H04L 12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L 12/46 Interconnection of networks
    • H04L 12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H04L 47/00 Traffic control in data switching networks
    • H04L 47/10 Flow control; Congestion control
    • H04L 47/12 Avoiding congestion; Recovering from congestion
    • H04L 47/125 Avoiding congestion; Recovering from congestion by balancing the load, e.g. traffic engineering
    • H04L 47/20 Traffic policing
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L 63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload

Abstract

The invention discloses a data transmission method of a VPN server and the VPN server. The VPN server comprises a physical network card, a control flow process, a load balancing unit and a plurality of processing cores, and a data flow process is created in each processing core, wherein: the physical network card is used for receiving data packets sent by external devices; the load balancing unit is used for forwarding control flow packets to the control flow process and distributing data flow packets among the plurality of processing cores; the control flow process is used for generating negotiation data from the control flow packets, the negotiation data comprising a plurality of pieces of security association (SA) information; and the data flow process created in a processing core is used for acquiring, from the control flow process, the target security association information corresponding to a target data flow packet and encrypting or decrypting the target data flow packet based on that target security association information. The technical scheme provided by the application can improve data transmission efficiency.

Description

Data transmission method of VPN server and VPN server
Technical Field
The present invention relates to the field of internet technologies, and in particular, to a data transmission method for a VPN server and a VPN server.
Background
Currently, in order to improve the security of network data transmission, VPN (Virtual Private Network) technology is increasingly used. A VPN server based on IPsec (Internet Protocol Security) can provide confidentiality, integrity, source authentication and anti-replay protection for data, and so the IPsec VPN server has become the mainstream VPN server.
The existing IPsec VPN server is usually implemented in kernel mode: when a data packet reaches the network card, it is first copied from the network card into the kernel, and then copied from the kernel to the VPN application program, which processes it.
As can be seen from the above, the existing IPsec VPN server copies each data packet several times. Under heavy user traffic the number of copied packets grows accordingly, the load on the IPsec VPN server rises, and data transmission efficiency and quality of service fall.
Disclosure of Invention
An object of the present application is to provide a VPN server and a data transmission method thereof, which can improve data transmission efficiency.
In order to achieve the above object, an aspect of the present application provides a VPN server, where the VPN server includes a physical network card and a plurality of processing cores, the processing cores run a load balancing unit, a control flow process and a data flow process, and the processing cores are provided with a user mode protocol stack created in advance, where: the physical network card is used for receiving data packets sent by external devices; the load balancing unit is configured to acquire the data packets from the physical network card, identify control flow packets and data flow packets among them, forward the control flow packets to the control flow process, and distribute the data flow packets among the plurality of processing cores; the control flow process is used for generating negotiation data from the control flow packets, the negotiation data comprising a plurality of pieces of security association information; and the data flow process created in a processing core is used for receiving from the load balancing unit a target data flow packet distributed to that processing core, acquiring from the control flow process the target security association information corresponding to the target data flow packet, encrypting or decrypting the target data flow packet based on the target security association information, and forwarding the encrypted or decrypted data flow packet.
In order to achieve the above object, another aspect of the present application further provides a data transmission method in a VPN server, where the method includes: acquiring data packets from a physical network card of the VPN server, identifying control flow packets and data flow packets among them, forwarding the control flow packets to a control flow process, and distributing the data flow packets among a plurality of processing cores of the VPN server; and, for any target processing core among the plurality of processing cores and the target data flow packet distributed to it, acquiring, by the data flow process created in the target processing core, the target security association information corresponding to the target data flow packet from the control flow process, encrypting or decrypting the target data flow packet based on the target security association information, and forwarding the encrypted or decrypted data flow packet.
In order to achieve the above object, another aspect of the present application further provides a VPN server, which includes a memory and a processor, wherein the memory is used for storing a computer program, and the computer program, when executed by the processor, implements the above data transmission method.
Therefore, the technical scheme provided by the application retrofits a kernel-mode VPN server with a user mode protocol stack. When the physical network card receives a data packet sent by an external device, the load balancing unit may obtain the data packet from the physical network card and identify whether it is a control flow packet or a data flow packet. Control flow packets are forwarded by the load balancing unit to the control flow process for processing, and data flow packets are distributed by the load balancing unit among the processing cores, so that they are processed by the data flow processes created on those cores. When encrypting or decrypting a data flow packet, a data flow process needs the corresponding security association (SA), and the SA is negotiated by the control flow process from the control flow packets. Thus, after the control flow process completes the negotiation it generates negotiation data, which may include the SA of each VPN connection. Subsequently the data flow process interacts with the control flow process to obtain the SA corresponding to the data flow packet, encrypts or decrypts the packet with that SA, and forwards the result. Therefore, according to the technical scheme provided by the application, data packets received by the physical network card are processed directly by the user-mode control flow process and data flow processes, without being copied several times, so that the load on the VPN server is greatly reduced.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a schematic diagram of data distribution of a VPN server in an embodiment of the present invention;
fig. 2 is a functional block diagram of a VPN server according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of data transmission in an embodiment of the present invention;
FIG. 4 is a schematic diagram illustrating steps of a data transmission method according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a VPN server according to an embodiment of the present invention;
fig. 6 is a schematic structural diagram of a computer terminal in the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, embodiments of the present invention will be described in detail with reference to the accompanying drawings.
Referring to fig. 1, the VPN server provided in the present application may be built by improving an existing kernel-mode VPN server. Specifically, as shown in fig. 1, in the improved VPN server both the control flow process and the data flow process support a user mode protocol stack. When the VPN server receives data packets from an external device, the packets can be delivered directly to the user-mode VPN application. In practice, the data packets sent by the external device may include control flow packets and data flow packets. Data flow packets are processed by a data flow process in the application, and control flow packets are handed to the control flow process. Separating the control flow process from the data flow process and letting them cooperate improves the processing efficiency of the data packets.
It should be noted that the external device may be an external network device or an internal network device, so the data packet it sends may be an encrypted packet or an unencrypted internal packet. Either way, the VPN server has to encrypt or decrypt the data packet sent from the external device.
Specifically, referring to fig. 2, the VPN server provided in the present application may include a physical network card, a load balancing unit, a control flow process, and a plurality of processing cores, where each processing core may create a respective data flow process. The VPN server can perform data interaction with the external device, and a physical network card in the VPN server can receive a data message sent by the external device. In practical applications, the data packet may include a control flow packet and a data flow packet. The control flow packet may be generated by the VPN server and the external device in a communication negotiation process, and the communication negotiation process may be used to determine information such as a communication protocol used between the VPN server and the external device, an encapsulation mode of the protocol, an encryption algorithm, a shared key for protecting data in a specific flow, and a lifetime of the key. The data flow packet may be a data packet transmitted between the VPN server and the external device according to a result of the communication negotiation, and the data flow packet generally needs to be subjected to processes of encapsulation/decapsulation, encryption/decryption, and forwarding.
In this embodiment, after the physical network card receives the data packets sent by the external device, the packets may be obtained directly by the VPN application in user mode without first passing through the kernel. Specifically, the load balancing unit in the VPN application may fetch the received packets from the physical network card. To avoid the copies, the load balancing unit may fetch packets from the physical network card periodically, by polling.
In one embodiment, after acquiring a data packet from the physical network card, the load balancing unit may further determine its type. Data flow packets are handed directly to the data flow processes in the processing cores, and control flow packets are handed to the control flow process. Because both the control flow process and the data flow process have been moved to user mode in this application, the load balancing unit can forward a control flow packet directly to the control flow process.
In this embodiment, in order to further improve processing efficiency, the load balancing unit may distribute data flow packets among the plurality of processing cores according to a pre-configured load balancing policy, so that the distributed packets are processed in parallel on the cores. The pre-configured load balancing policy may be implemented in a variety of ways, including round robin, weighted round robin, random, hash, least connections, weighted least connections, least response time, consistent hashing, and so on.
In this embodiment, a processing core receives the target data flow packet allocated to it and processes it through the data flow process created on that core. The data flow process usually needs to encrypt or decrypt the target data flow packet, and to do so it must select the target SA that matches the packet.
In this embodiment, the SA may be negotiated by the control flow process and the external device. Specifically, referring to fig. 2, after the control flow process receives the control flow packet forwarded by the load balancing unit, if the VPN server communicates with the external negotiation client for the first time, the control flow process may create a new connection instance of the control flow packet, where the connection instance may be used to characterize a VPN tunnel between the VPN server and the negotiation client. If a connection instance has already been established between the VPN server and the negotiation client, the control flow process may directly query the connection instance of the control flow packet from the connection instance table. Thus, after the connection instance of the control flow message is obtained, the control flow process can perform communication negotiation with the negotiation client corresponding to the connection instance, so as to obtain negotiation data. In the application, the control flow process is also modified by the user mode protocol stack, so that the negotiation response message in the negotiation process can be sent to the negotiation client by the control flow process through the user mode protocol stack.
In this embodiment, the negotiation data may include the SA corresponding to each VPN connection on the VPN server. Generally, each VPN connection corresponds to one SA, so the control flow process can obtain multiple SAs. After the control flow process has obtained the SAs, it may create a shared memory and store the SAs contained in the negotiation data there, so that the data flow process in a processing core can read the target security association information corresponding to its target data flow packet from the shared memory. Since the number of VPN connections on the VPN server is large, the number of SAs stored in the shared memory is also large. To make SA queries efficient, each VPN connection may be matched to its SA through a hash algorithm. Specifically, the data packets of a VPN connection carry four-tuple information: a source IP address, a source port, a destination IP address and a destination port. Different VPN connections carry different four-tuples, so the SAs of the VPN connections can be distinguished by the four-tuple. After the data flow process in a processing core receives the target data flow packet allocated to it, it extracts the four-tuple from the packet and computes its hash value. The hash value is then used as the key to query the SA in the shared memory, and the SA found is used as the target SA for the target data flow packet.
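The classification of control flow versus data flow packets, the choice of processing core and the SA lookup described above, as an added Python example that is not part of the patent. All packets are constructed in the file; protocol numbers and ports come from the IPsec RFCs (ESP is IP protocol 50, AH is 51, IKE runs on UDP/500, and NAT traversal on UDP/4500 where RFC 3948 distinguishes IKE from ESP by a four-zero-byte non-ESP marker). Two deliberate deviations from the text, labelled in the code: the SA table is keyed on (destination address, SPI), which is how RFC 4301 selects an inbound SA and is the only flow identity visible on an ESP packet whose inner ports are encrypted, rather than on a transport four-tuple; and the core is chosen by hashing that SA key instead of by round robin, so every packet of one SA is handled by one core and the per-SA anti-replay window has a single owner. The SHA-256-derived key stands in for the hash-indexed shared-memory table, and the SA entry contents (cipher name, key) are placeholders.

```python
import hashlib
import ipaddress
import struct

# Added example, not the patent's code. Protocol numbers are from the IPsec RFCs;
# every packet below is constructed here, none is captured traffic.
ESP, AH, UDP = 50, 51, 17
IKE_PORT, NATT_PORT = 500, 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: IKE inside UDP/4500 starts with 4 zero bytes


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) for a well-formed IPv4 packet, else None."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        return None
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:total_len]


def classify(pkt):
    """'control' for IKE, 'data' for ESP/AH (raw or UDP-encapsulated), else 'other'."""
    hdr = parse_ipv4(pkt)
    if hdr is None:
        return "other"
    proto, _, _, payload = hdr
    if proto in (ESP, AH):
        return "data"
    if proto == UDP and len(payload) >= 8:
        sport, dport = struct.unpack("!HH", payload[:4])
        if IKE_PORT in (sport, dport):
            return "control"
        if NATT_PORT in (sport, dport):
            body = payload[8:]
            if body[:4] == NON_ESP_MARKER:
                return "control"           # IKE over NAT-T
            if len(body) >= 8:
                return "data"              # UDP-encapsulated ESP: non-zero SPI comes first
    return "other"


def data_flow_key(pkt):
    """(src, dst, spi) for a data-flow packet; None otherwise."""
    hdr = parse_ipv4(pkt)
    if hdr is None or classify(pkt) != "data":
        return None
    proto, src, dst, payload = hdr
    spi_off = 4 if proto == AH else (8 if proto == UDP else 0)   # AH: SPI follows next/len/reserved
    if len(payload) < spi_off + 4:
        return None
    return src, dst, struct.unpack("!I", payload[spi_off:spi_off + 4])[0]


def sa_table_key(dst, spi):
    """Hash-derived key (dst, SPI), standing in for the patent's hash-indexed shared memory."""
    return hashlib.sha256(f"{dst}/{spi:08x}".encode()).digest()[:8]


def pick_core(pkt, n_cores):
    """Pin every packet of one inbound SA to one core (deviation from round robin)."""
    key = data_flow_key(pkt)
    if key is None:
        raise ValueError("not a data-flow packet")
    _, dst, spi = key
    return int.from_bytes(sa_table_key(dst, spi)[:4], "big") % n_cores


def sa_lookup(sa_table, pkt):
    """Target SA for a data-flow packet, or None when no SA was negotiated for it."""
    key = data_flow_key(pkt)
    if key is None:
        return None
    _, dst, spi = key
    return sa_table.get(sa_table_key(dst, spi))


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum left zero) for the constructed samples."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


# Constructed samples: one peer (203.0.113.10) talking to the gateway (198.51.100.1).
PEER, GW, SPI = "203.0.113.10", "198.51.100.1", 0xC0FFEE01
IKE_PKT = build_ipv4(UDP, PEER, GW, udp(IKE_PORT, IKE_PORT, b"\x00" * 28))
NATT_IKE_PKT = build_ipv4(UDP, PEER, GW, udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + b"\x00" * 28))
ESP_PKT = build_ipv4(ESP, PEER, GW, struct.pack("!II", SPI, 1) + b"\x00" * 32)
NATT_ESP_PKT = build_ipv4(UDP, PEER, GW, udp(NATT_PORT, NATT_PORT, struct.pack("!II", SPI, 2) + b"\x00" * 32))
# The control flow process would fill this after IKE; one placeholder inbound SA is hard-coded here.
SA_TABLE = {sa_table_key(GW, SPI): {"spi": SPI, "cipher": "AES-GCM-16", "key": b"\x11" * 16}}
```

Raw ESP and UDP-encapsulated ESP for the same SA land on the same core, and an IKE packet never reaches the SA table, which is what keeps the control flow process the only writer of SA state.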
In this embodiment, after acquiring the target SA corresponding to the target data flow packet from the shared memory, the data flow process may encrypt or decrypt the target data flow packet with the target SA and forward the result. In practice the data flow process also encapsulates or decapsulates the target data flow packet in addition to encrypting or decrypting it. Referring to fig. 3, if a terminal device wants to reach an internal server of an enterprise through the VPN server, the terminal device sends an encrypted data packet to the VPN server. After receiving it, the VPN server first decapsulates the encrypted packet. Generally, IPsec has two encapsulation modes: tunnel mode and transport mode. In tunnel mode, the entire original IP packet is used to compute the AH or ESP, and the AH or ESP header together with the ESP-encrypted data is encapsulated in a new IP packet; tunnel mode is generally used between two security gateways. In transport mode, only the data following the original IP header is used to compute the AH or ESP, and the AH or ESP header and the ESP-encrypted data are placed after the header of the original IP packet; transport mode is generally used between two hosts, or between a host and a security gateway.
In this embodiment, after decapsulating the data packet from the terminal device, the data flow process may decrypt the ESP-encrypted data in the packet with the target SA and forward the decrypted packet to the internal server. Conversely, after receiving unencrypted data sent by the internal server, the VPN server may ESP-encrypt the data with the target SA, perform AH/ESP encapsulation on the ESP-encrypted data, and send the encapsulated packet to the terminal device.
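The ESP tunnel-mode encapsulation and decapsulation, and the anti-replay window, that the data flow process applies in the two directions just described, as an added Python example that is not the patent's code. It uses the RFC 4303 packet layout with ENCR_NULL (RFC 2410) so the framing is visible using only the standard library, and AUTH_HMAC_SHA2_256_128 (RFC 4868) for the ICV; a production SA negotiates AES-GCM or AES-CBC with HMAC instead, and the key, addresses and inner packet are constructed for the demo. The order of operations in esp_decap follows RFC 4303: the replay check runs before the ICV is verified, but the window is advanced only after, so a forged packet with a high sequence number cannot push genuine packets out of the window.

```python
import hashlib
import hmac
import ipaddress
import struct

# Added example, not the patent's code. RFC 4303 ESP framing in tunnel mode with
# ENCR_NULL (RFC 2410) and HMAC-SHA-256-128 (RFC 4868) so no third-party cipher library
# is needed; a real SA would use AES-GCM or AES-CBC+HMAC. Key and packets are constructed.
ESP_PROTO, IPIP = 50, 4
ICV_LEN, WINDOW = 16, 64


class EspError(ValueError):
    pass


class SA:
    """One direction of a security association: SPI, auth key, sequence state."""

    def __init__(self, spi, auth_key):
        self.spi, self.auth_key = spi, auth_key
        self.seq_out = 0      # last sequence number sent
        self.last_seq = 0     # highest sequence number accepted
        self.bitmap = 0       # bit i set: last_seq - i already received

    def replay_check(self, seq):
        """Pure check, no state change; run before the ICV is verified."""
        if seq > self.last_seq:
            return
        diff = self.last_seq - seq
        if seq == 0 or diff >= WINDOW:
            raise EspError("stale")
        if self.bitmap & (1 << diff):
            raise EspError("replay")

    def replay_update(self, seq):
        """Advance the RFC 4303 sliding window; only after the ICV verified."""
        if seq > self.last_seq:
            shift = seq - self.last_seq
            self.bitmap = 1 if shift >= WINDOW else ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.last_seq = seq
        else:
            self.bitmap |= 1 << (self.last_seq - seq)


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (checksum left zero) for constructed packets."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed) + payload


def _icv(sa, body):
    return hmac.new(sa.auth_key, body, hashlib.sha256).digest()[:ICV_LEN]


def esp_build(sa, seq, inner_pkt, outer_src, outer_dst):
    """SPI | Seq | inner IP packet | padding | pad len | next header | ICV, inside a new IP header."""
    pad_len = (-(len(inner_pkt) + 2)) % 4               # trailer must end on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))                # RFC 4303 default pad pattern 1,2,3,...
    body = struct.pack("!II", sa.spi, seq) + inner_pkt + padding + bytes([pad_len, IPIP])
    return build_ipv4(ESP_PROTO, outer_src, outer_dst, body + _icv(sa, body))


def esp_encap(sa, inner_pkt, outer_src, outer_dst):
    sa.seq_out += 1
    return esp_build(sa, sa.seq_out, inner_pkt, outer_src, outer_dst)


def esp_decap(sa, outer_pkt):
    """Replay check, ICV verify, window update, then strip the ESP framing (tunnel mode)."""
    if len(outer_pkt) < 20 or outer_pkt[9] != ESP_PROTO:
        raise EspError("not ESP")
    esp = outer_pkt[(outer_pkt[0] & 0x0F) * 4:]
    if len(esp) < 8 + 2 + ICV_LEN:
        raise EspError("short")
    spi, seq = struct.unpack("!II", esp[:8])
    if spi != sa.spi:
        raise EspError("SPI mismatch")
    sa.replay_check(seq)
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    if not hmac.compare_digest(icv, _icv(sa, body)):
        raise EspError("bad ICV")                         # window untouched on failure
    sa.replay_update(seq)
    pad_len, next_header = body[-2], body[-1]
    if next_header != IPIP or pad_len > len(body) - 10:
        raise EspError("bad trailer")
    return body[8:len(body) - 2 - pad_len]


def _outcome(sa, pkt):
    try:
        esp_decap(sa, pkt)
        return "accepted"
    except EspError as err:
        return str(err)


def run_demo():
    """Round trip plus reorder, replay, tamper and stale cases; returns outcomes by name."""
    key = b"\x55" * 32                                    # constructed demo key
    out_sa, in_sa = SA(0x11223344, key), SA(0x11223344, key)
    inner = build_ipv4(6, "10.0.0.5", "10.0.1.9", b"\x00" * 20)   # constructed inner packet
    gw, peer = "198.51.100.1", "203.0.113.10"
    p1, p2, p3 = (esp_encap(out_sa, inner, gw, peer) for _ in range(3))
    r = {"roundtrip": esp_decap(in_sa, p3) == inner}      # seq 3 arrives first
    r["reorder"] = esp_decap(in_sa, p1) == inner          # seq 1 late but inside the window
    r["replay"] = _outcome(in_sa, p1)                     # seq 1 again
    r["tamper"] = _outcome(in_sa, p2[:-1] + bytes([p2[-1] ^ 1]))   # flipped ICV byte
    r["tamper_not_recorded"] = esp_decap(in_sa, p2) == inner       # genuine seq 2 still accepted
    for _ in range(WINDOW + 6):                           # advance the window well past seq 5
        esp_decap(in_sa, esp_encap(out_sa, inner, gw, peer))
    r["stale"] = _outcome(in_sa, esp_build(out_sa, 5, inner, gw, peer))
    return r
```

Because the window state lives in the inbound SA object and is only mutated after the ICV check, the data flow process that owns that SA can run the whole path lock-free as long as the load balancer keeps one SA on one core.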
In practice, since the VPN server of the present application has been modified to support a user mode protocol stack, the original kernel mode protocol stack must be replaced accordingly. In the prior art, after a packet from the physical network card is copied to the kernel, the kernel protocol stack removes the packet header and the remaining payload is copied to the VPN application for processing. In the improved VPN server the packet received by the physical network card is delivered directly to the user-mode VPN application, so the kernel protocol stack can no longer remove the header. Therefore, a user mode protocol stack is created in advance and used by the data flow process of each processing core. After a data flow process receives the target data flow packet distributed to it, it removes the packet header through the pre-configured user mode protocol stack and encrypts or decrypts the remaining body of the packet.
In this embodiment, when encrypting or decrypting a data flow packet, the data flow process parses the encryption/decryption method defined in the corresponding SA; the actual cipher implementation is generally kept in a separate software system, so the data flow process sends the packet to that system, which processes it according to the method defined by the SA. To further improve encryption and decryption throughput, in one embodiment a hardware accelerator card (for example an Intel QuickAssist, QAT, card) may be installed in the VPN server. After the data flow process obtains the target security association information for the target data flow packet from the control flow process, it parses the encryption/decryption method contained in that information, has the hardware accelerator card encrypt or decrypt the target data flow packet according to that method, and receives the processed packet back from the card. Compared with a software implementation, the accelerator card has higher cipher throughput and communicates with the data flow process more efficiently, so overall encryption and decryption efficiency improves.
Referring to fig. 4, the present application further provides a data transmission method in a VPN server, and an execution subject of the method may be the above-mentioned user-mode VPN application. As shown in fig. 4, the method may include the following steps.
S1: acquiring data packets from a physical network card of the VPN server, identifying control flow packets and data flow packets among them, forwarding the control flow packets to a control flow process, and distributing the data flow packets among a plurality of processing cores of the VPN server.
S3: for any target processing core among the plurality of processing cores and the target data flow packet distributed to it, acquiring, by the data flow process created in the target processing core, the target security association information corresponding to the target data flow packet from the control flow process, encrypting or decrypting the target data flow packet based on the target security association information, and forwarding the encrypted or decrypted data flow packet.
In one embodiment, acquiring the target security association information corresponding to the target data flow packet from the control flow process includes:
querying a shared memory created by the control flow process, and reading the target security association information corresponding to the target data flow packet from the shared memory.
In one embodiment, reading the target security association information corresponding to the target data flow packet from the shared memory includes:
extracting four-tuple information from the target data flow packet;
computing a hash value of the four-tuple information, and taking, among the plurality of pieces of security association information in the shared memory, the security association information corresponding to that hash value as the target security association information.
In one embodiment, encrypting or decrypting the target data flow packet based on the target security association information includes:
parsing the encryption/decryption method contained in the target security association information, encrypting or decrypting the target data flow packet through a hardware accelerator card according to the parsed method, and receiving the encrypted or decrypted data flow packet returned by the hardware accelerator card.
In one embodiment, the method further comprises:
after receiving a control flow packet, the control flow process creates a connection instance for the control flow packet, or queries the connection instance for the control flow packet from a connection instance table, and negotiates with the negotiation client corresponding to the connection instance to obtain negotiation data; and sends the negotiation response messages of the negotiation process to the negotiation client through a user mode protocol stack.
Referring to fig. 5, the present application further provides a VPN server, where the VPN server includes a memory and a processor, the memory is used for storing a computer program, and the computer program, when executed by the processor, can implement the above-mentioned data transmission method.
Referring to fig. 6, in the present application, the technical solution in the above embodiment can be applied to the computer terminal 10 shown in fig. 6. The computer terminal 10 may include one or more (only one shown) processors 102 (the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA), a memory 104 for storing data, and a transmission module 106 for communication functions. It will be understood by those skilled in the art that the structure shown in fig. 6 is only an illustration and is not intended to limit the structure of the electronic device. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 6, or have a different configuration than shown in FIG. 6.
The memory 104 may be used to store software programs and modules of application software, and the processor 102 executes various functional applications and data processing by executing the software programs and modules stored in the memory 104. The memory 104 may include high speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission module 106 is used for receiving or transmitting data via a network. Specific examples of the network include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission module 106 includes a Network Interface Controller (NIC) that can connect to other network devices through a base station to communicate with the internet. In another example, the transmission module 106 is a Radio Frequency (RF) module used to communicate with the internet wirelessly.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
The above description is only for the purpose of illustrating the preferred embodiments of the present invention and is not to be construed as limiting the invention, and any modifications, equivalents, improvements and the like that fall within the spirit and principle of the present invention are intended to be included therein.

Claims (15)

1. A VPN server, characterized in that the VPN server comprises a physical network card and a plurality of processing cores, the processing cores being provided with a load balancing unit, a control flow process and a data flow process, and the processing cores being provided with a pre-created user mode protocol stack, wherein:
the physical network card is configured to receive a data packet sent by an external device;
the load balancing unit is configured to acquire the data packet from the physical network card, identify a control flow packet and a data flow packet in the data packet, forward the control flow packet to the control flow process, and distribute the data flow packet among the plurality of processing cores;
the control flow process is configured to generate negotiation data according to the control flow packet, the negotiation data comprising a plurality of pieces of security association information;
and the data flow process created in a processing core is configured to receive a target data flow packet distributed to that processing core from the load balancing unit, acquire target security association information corresponding to the target data flow packet from the control flow process, encrypt or decrypt the target data flow packet based on the target security association information, and forward the encrypted or decrypted data flow packet.
2. The VPN server according to claim 1, wherein the data flow packets distributed by the load balancing unit are processed in parallel among the plurality of processing cores.
3. The VPN server according to claim 1, wherein the load balancing unit obtains the data packet from the physical network card in a polling manner.
4. The VPN server according to claim 1, wherein the control flow process is further configured to create a shared memory and store the plurality of pieces of security association information in the negotiation data into the shared memory;
correspondingly, the data flow process in the processing core is further configured to obtain target security association information corresponding to the target data flow packet from the shared memory.
5. The VPN server according to claim 1, wherein the data flow process created in the processing core is further configured to remove a packet header in the target data flow packet through the user mode protocol stack, and encrypt or decrypt a remaining data body in the target data flow packet.
6. The VPN server according to claim 1, wherein the target data flow packet comprises quadruple information; correspondingly, the data flow process created in the processing core is further configured to calculate a hash value of the quadruple information and use the security association information corresponding to the hash value as the target security association information.
7. The VPN server according to claim 1, wherein the data flow process created in the processing core is further configured to decapsulate the target data flow packet, decrypt the decapsulated data flow packet based on the target security association information, and forward the decrypted data flow packet;
or
the data flow process created in the processing core is further configured to encrypt the target data flow packet based on the target security association information, encapsulate the encrypted data flow packet, and forward the encapsulated data flow packet.
8. The VPN server according to claim 1 or 7, wherein the VPN server further comprises a hardware accelerator card;
correspondingly, after acquiring the target security association information corresponding to the target data flow packet from the control flow process, the data flow process parses the encryption and decryption mode contained in the target security association information, has the hardware accelerator card encrypt or decrypt the target data flow packet according to the parsed encryption and decryption mode, and receives the encrypted or decrypted data flow packet returned by the hardware accelerator card.
9. The VPN server according to claim 1, wherein, after receiving the control flow packet forwarded by the load balancing unit, the control flow process creates a connection instance for the control flow packet, or queries a connection instance table for the connection instance of the control flow packet, and negotiates with the negotiation client corresponding to the connection instance to obtain the negotiation data; and sends a negotiation response packet of the negotiation process to the negotiation client through the user mode protocol stack.
10. A data transmission method of a VPN server, the method comprising:
acquiring a data packet from a physical network card of the VPN server, identifying a control flow packet and a data flow packet in the data packet, forwarding the control flow packet to a control flow process, and distributing the data flow packet among a plurality of processing cores of the VPN server;
and for any target processing core among the plurality of processing cores and the target data flow packet distributed to that target processing core, acquiring, by the data flow process created in the target processing core, target security association information corresponding to the target data flow packet from the control flow process, encrypting or decrypting the target data flow packet based on the target security association information, and forwarding the encrypted or decrypted data flow packet.
11. The method according to claim 10, wherein acquiring the target security association information corresponding to the target data flow packet from the control flow process comprises:
querying a shared memory created by the control flow process, and reading the target security association information corresponding to the target data flow packet from the shared memory.
12. The method according to claim 11, wherein reading the target security association information corresponding to the target data flow packet from the shared memory comprises:
extracting quadruple information from the target data flow packet;
and calculating a hash value of the quadruple information, and taking, among the plurality of pieces of security association information in the shared memory, the security association information corresponding to the hash value as the target security association information.
13. The method according to claim 10, wherein encrypting or decrypting the target data flow packet based on the target security association information comprises:
parsing the encryption and decryption mode contained in the target security association information, encrypting or decrypting the target data flow packet through a hardware accelerator card according to the parsed encryption and decryption mode, and receiving the encrypted or decrypted data flow packet returned by the hardware accelerator card.
14. The method according to claim 10, further comprising:
after receiving the control flow packet, the control flow process creates a connection instance for the control flow packet, or queries a connection instance table for the connection instance of the control flow packet, and negotiates with the negotiation client corresponding to the connection instance to obtain the negotiation data; and sends a negotiation response packet of the negotiation process to the negotiation client through a user mode protocol stack.
15. A VPN server, characterized in that the VPN server comprises a memory and a processor, the memory storing a computer program which, when executed by the processor, carries out the data transmission method according to any one of claims 10 to 14.
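The packet path the claims describe, as an added example written for this page and not the patent's or the assignee's code: the load balancing unit classifies packets and pins each flow to a core, the control flow process publishes negotiated SAs into a shared table keyed by the hash of the quadruple, and the data flow process looks the SA up by that hash, checks its mode and applies it. Assumptions: IKE on UDP/500 or UDP/4500 marks control flow and ESP marks data flow, the quadruple is (src IP, dst IP, src port, dst port), and the per-SA transform is HMAC-SHA256 integrity protection because the Python standard library has no AES; all names and sample values are constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

IKE_PORTS = {500, 4500}  # assumption: IKE control flow arrives on UDP/500 or UDP/4500
UDP, ESP = 17, 50        # IP protocol numbers; assumption: data flow packets are ESP
@dataclass(frozen=True)
class Packet:  # constructed stand-in for a datagram taken from the physical network card
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    payload: bytes  # assumption for ESP: inner body followed by a 32-byte HMAC-SHA256 tag
@dataclass(frozen=True)
class SA:
    quad: tuple  # the quadruple this SA was negotiated for
    mode: str    # the "encryption and decryption mode" carried in the SA
    key: bytes

def quad_of(pkt):  # the quadruple assumed here: src IP, dst IP, src port, dst port
    return (pkt.src, pkt.dst, pkt.sport, pkt.dport)

def quad_hash(quad):
    return int.from_bytes(hashlib.sha256("|".join(map(str, quad)).encode()).digest()[:8], "big")

def classify(pkt):
    """Load balancing unit: split control flow (IKE) from data flow (ESP); anything else is dropped."""
    if pkt.proto == UDP and pkt.dport in IKE_PORTS:
        return "control"
    return "data" if pkt.proto == ESP else "drop"

def pick_core(pkt, cores):  # keep every packet of one flow on the same processing core
    return quad_hash(quad_of(pkt)) % cores

def install_sa(table, sa):  # control flow process: publish a negotiated SA into the shared table
    table[quad_hash(sa.quad)] = sa

def lookup_sa(table, pkt):  # a hash hit alone may be a collision: the stored quadruple must match
    sa = table.get(quad_hash(quad_of(pkt)))
    return sa if sa is not None and sa.quad == quad_of(pkt) else None

def protect(sa, body):  # outbound data flow: apply the SA's mode, then encapsulate and forward
    return body + hmac.new(sa.key, body, "sha256").digest()

def process_data_packet(table, pkt):
    """Inbound data flow process: find the SA, apply its mode, return the inner body or None (= drop)."""
    sa = lookup_sa(table, pkt)
    if sa is None or sa.mode != "hmac-sha256":
        return None  # no SA negotiated yet for this flow, or a mode this example does not implement
    body, tag = pkt.payload[:-32], pkt.payload[-32:]
    if not hmac.compare_digest(hmac.new(sa.key, body, "sha256").digest(), tag):
        return None  # integrity failure: drop, never forward
    return body
```

A data flow packet that arrives before the control flow process has published its SA, or whose quadruple merely collides with another flow's hash, yields None and is dropped instead of being processed under the wrong SA.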
CN201910327880.6A 2019-04-23 2019-04-23 Data transmission method of VPN server and VPN server Active CN111835613B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910327880.6A CN111835613B (en) 2019-04-23 2019-04-23 Data transmission method of VPN server and VPN server

Publications (2)

Publication Number Publication Date
CN111835613A true CN111835613A (en) 2020-10-27
CN111835613B CN111835613B (en) 2022-07-08

Family

ID=72911419

Country Status (1)

Country Link
CN (1) CN111835613B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113810397A (en) * 2021-09-09 2021-12-17 山石网科通信技术股份有限公司 Protocol data processing method and device

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1571399A (en) * 2003-07-23 2005-01-26 华为技术有限公司 Network safety processing equipment and method thereof
US20070271606A1 (en) * 2006-05-17 2007-11-22 Amann Keith R Apparatus and method for establishing a VPN tunnel between a wireless device and a LAN
CN101527729A (en) * 2009-05-05 2009-09-09 杭州华三通信技术有限公司 Reliable IKE message negotiation method, device and system thereof
CN102098227A (en) * 2011-03-03 2011-06-15 成都市华为赛门铁克科技有限公司 Packet capture method and kernel module
CN103269284A (en) * 2013-05-17 2013-08-28 汉柏科技有限公司 Method for capturing real-time network data
CN105975433A (en) * 2016-06-30 2016-09-28 瑞斯康达科技发展股份有限公司 Message processing method and device
CN105991755A (en) * 2015-05-21 2016-10-05 杭州迪普科技有限公司 Service message distribution method and service message distribution device
CN106603376A (en) * 2016-12-14 2017-04-26 东软集团股份有限公司 Message processing method and virtual private network SSLVPN server
CN108322361A (en) * 2018-01-24 2018-07-24 杭州迪普科技股份有限公司 Service traffics statistical method and device in a kind of IPSec vpn tunnelings
CN108924157A (en) * 2018-07-25 2018-11-30 杭州迪普科技股份有限公司 A kind of message forwarding method and device based on IPSec VPN
CN109150688A (en) * 2018-10-22 2019-01-04 网宿科技股份有限公司 IPSec VPN data transmission method and device
US10212089B1 (en) * 2017-09-21 2019-02-19 Citrix Systems, Inc. Encapsulating traffic entropy into virtual WAN overlay for better load balancing

Also Published As

Publication number Publication date
CN111835613B (en) 2022-07-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant