CN115037685A - Tunnel communication method, relay node, branch node and tunnel communication system - Google Patents


Info

Publication number
CN115037685A
Authority
CN
China
Prior art keywords
tunnel
branch node
node
branch
address
Prior art date
Legal status
Pending
Application number
CN202210446461.6A
Other languages
Chinese (zh)
Inventor
胡益明
Current Assignee
Shanghai Dimiantong Information Network Co ltd
Original Assignee
Shanghai Dimiantong Information Network Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L45/00 Routing or path finding of packets in data switching networks
    • H04L45/74 Address processing for routing
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2592 Translation of Internet protocol [IP] addresses using tunnelling or encapsulation
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/70 Reducing energy consumption in communication networks in wireless communication networks

Abstract

The invention discloses a tunnel communication method, a relay node, a branch node and a tunnel communication system. The method comprises the following steps: establishing MGRE tunnels between a relay node and at least two branch nodes, where the at least two branch nodes comprise a first branch node and a second branch node and the MGRE tunnels are isolated from each other; and performing the following operations through the MGRE tunnels between the relay node and the first and second branch nodes: forwarding the tunnel address of the first branch node to the second branch node, and forwarding the tunnel address of the second branch node to the first branch node. With this scheme, MGRE tunnels are established between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point private line communication between the branch nodes can be realized over a layer-2 link on the existing network architecture, which improves the flexibility of tunnel communication and also reduces cost.

Description

Tunnel communication method, relay node, branch node and tunnel communication system
Technical Field
The embodiment of the invention relates to the technical field of wireless communication, in particular to a tunnel communication method, a relay node, a branch node and a tunnel communication system.
Background
Multicast, as used here, refers primarily to communication between a central site and branch sites, e.g., between a corporate headquarters and its branch offices. A branch site accesses the Internet over a broadband line and obtains an Internet Protocol (IP) address, but because the branch nodes sit behind Network Address Translation (NAT) and Port Address Translation (PAT), a virtual network cannot be established in this case and communication between the branch nodes cannot be realized. For example, a Virtual Private Network (VPN) does not support NAT traversal when two branch sites are located behind the same NAT device and have the same IP address after NAT translation; a dynamic multipoint VPN does not support NAT traversal when two branch sites are located behind different NAT devices with the PAT function enabled; and when branch sites access each other, the dynamic multipoint VPN does not support NAT traversal through an interface configured as the NAT external network interconnection port (Outbound).
Disclosure of Invention
The invention provides a tunnel communication method, a relay node, branch nodes and a tunnel communication system, which are used for realizing point-to-point private line communication among the branch nodes and improving the flexibility of tunnel communication.
The embodiment of the invention provides a tunnel communication method, which is applied to a relay node and comprises the following steps:
establishing a Multipoint Generic Routing Encapsulation (MGRE) tunnel between the relay node and each of at least two branch nodes, wherein the at least two branch nodes comprise a first branch node and a second branch node, and the MGRE tunnels are isolated from each other;
performing the following operations through the MGRE tunnel between the relay node and the first and second branch nodes:
forwarding the tunnel address of the first branch node to the second branch node;
forwarding the tunnel address of the second branch node to the first branch node.
The embodiment of the invention also provides a tunnel communication method, which is applied to the first branch node and comprises the following steps:
requesting to establish a Multipoint Generic Routing Encapsulation (MGRE) tunnel between the first branch node and the relay node;
sending the tunnel address of the first branch node to the relay node through an MGRE tunnel between the first branch node and the relay node, and receiving the tunnel address of a second branch node forwarded by the relay node;
establishing a Generic Routing Encapsulation (GRE) tunnel between the first branch node and the second branch node according to the tunnel address of the second branch node.
The embodiment of the invention also provides a tunnel communication method, which is applied to the second branch node and comprises the following steps:
requesting to establish a Multipoint Generic Routing Encapsulation (MGRE) tunnel between the second branch node and the relay node;
receiving the tunnel address of the first branch node forwarded by the relay node through the MGRE tunnel between the second branch node and the relay node, and sending the tunnel address of the second branch node to the relay node;
and establishing a Generic Routing Encapsulation (GRE) tunnel between the second branch node and the first branch node according to the tunnel address of the first branch node.
An embodiment of the present invention further provides a relay node, including:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement a tunneling method applied to a relay node.
An embodiment of the present invention further provides a branch node, including:
one or more processors;
storage means for storing one or more programs;
when the one or more programs are executed by the one or more processors, the one or more processors are caused to implement a tunneling method applied to a branch node.
An embodiment of the present invention further provides a tunnel communication system, including: a relay node as described above and at least two branch nodes as described above.
The embodiment of the invention provides a tunnel communication method, a relay node, a branch node and a tunnel communication system, wherein the method comprises the following steps: establishing MGRE tunnels between a relay node and at least two branch nodes, where the at least two branch nodes comprise a first branch node and a second branch node and the MGRE tunnels are isolated from each other; and performing the following operations through the MGRE tunnels between the relay node and the first and second branch nodes: forwarding the tunnel address of the first branch node to the second branch node, and forwarding the tunnel address of the second branch node to the first branch node. With this scheme, MGRE tunnels are established between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point private line communication between the branch nodes can be realized over a layer-2 link on the existing network architecture, which improves the flexibility of tunnel communication and also reduces cost.
Drawings
The above and other features, advantages and aspects of various embodiments of the present disclosure will become more apparent by referring to the following detailed description when taken in conjunction with the accompanying drawings. Throughout the drawings, the same or similar reference numbers refer to the same or similar elements. It should be understood that the drawings are schematic and that elements and components are not necessarily drawn to scale.
Fig. 1 is a flowchart of a tunneling method according to an embodiment;
Fig. 2 is a schematic diagram illustrating establishment of a virtual private network based on a tunnel address according to an embodiment;
Fig. 3 is a flow diagram illustrating establishment of a GRE tunnel between branch nodes according to an embodiment;
Fig. 4 is a flowchart of another tunneling method according to an embodiment;
Fig. 5 is a diagram illustrating an embodiment of establishing an IPSec tunnel;
Fig. 6 is a schematic diagram of encrypting and decrypting data to be transmitted through an IPSec tunnel according to an embodiment;
Fig. 7 is a diagram illustrating authentication of data to be transmitted according to an embodiment;
Fig. 8 is a flowchart of another tunneling method according to an embodiment;
Fig. 9 is a schematic structural diagram of a tunneling apparatus according to an embodiment;
Fig. 10 is a schematic structural diagram of another tunnel communication device according to an embodiment;
Fig. 11 is a schematic structural diagram of another tunnel communication apparatus according to an embodiment;
Fig. 12 is a schematic hardware structure diagram of a relay node according to an embodiment;
Fig. 13 is a schematic hardware structure diagram of a branch node according to an embodiment;
Fig. 14 is a schematic structural diagram of a tunnel communication system according to an embodiment.
Detailed Description
The present invention will be described in further detail with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. In addition, the embodiments and features of the embodiments in the present invention may be combined with each other without conflict. It should be further noted that, for the convenience of description, only some of the structures related to the present invention are shown in the drawings, not all of the structures.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although a flowchart may describe the steps as a sequential process, many of the steps can be performed in parallel, concurrently or simultaneously. In addition, the order of the steps may be rearranged. The process may be terminated when its operations are completed, but could have additional steps not included in the figure. The processes may correspond to methods, functions, procedures, subroutines, and the like.
It should be noted that the terms "first", "second", and the like in the embodiments of the present invention are only used for distinguishing different apparatuses, modules, units, or other objects, and are not used for limiting the order or interdependence relationship of the functions performed by these apparatuses, modules, units, or other objects.
Fig. 1 is a flowchart of a tunnel communication method according to an embodiment, which is applicable to a case where tunnel communication between branch nodes is implemented by a relay node. Specifically, the tunneling method may be performed by a tunneling apparatus, which may be implemented by software and/or hardware and integrated in the relay node.
As shown in fig. 1, the method specifically includes the following steps:
S110, establishing MGRE tunnels between the relay node and at least two branch nodes, wherein the at least two branch nodes comprise a first branch node and a second branch node, and the MGRE tunnels are isolated from each other.
In this embodiment, the relay node (Hub) may be located in a data center equipment room and may be given a fixed IP address or a domain name, while a branch node (Spoke) may use a broadband line of the same underlying operator without a fixed IP and connects to the relay node using the Next Hop Resolution Protocol (NHRP). GRE is a simple point-to-point VPN tunnel; MGRE is multipoint GRE, a multipoint VPN with a hub-and-spoke structure in which each VPN node needs only one tunnel interface and the public IP of some nodes may change. The center of the MGRE is the relay node, which acts as the NHRP server.
The first branch node (Spoke1) mainly refers to the address resolution requester, which can request other branch nodes to resolve its own tunnel address; the second branch node (Spoke2) mainly refers to the address resolution responder, which answers the requester's address resolution request. The public network addresses of the first and second branch nodes are unknown to each other. It should be noted that any branch node in the tunnel communication system may act as a requester or a responder.
In this embodiment, the relay node may generate the NHRP mapping table by obtaining the tunnel address of each branch node, and establish the MGRE tunnel with each branch node, where the MGRE tunnel between the relay node and the first branch node is isolated from the MGRE tunnel between the relay node and the second branch node.
S120, forwarding the tunnel address of the first branch node to the second branch node.
S130, forwarding the tunnel address of the second branch node to the first branch node.
Specifically, the relay node exchanges the tunnel addresses of the branch nodes through its MGRE tunnels with them; for example, once the tunnel addresses of the first and second branch nodes have been exchanged, the two nodes establish a point-to-point GRE tunnel. On this basis, the first and second branch nodes can establish point-to-point private line communication and transmit the data to be transmitted (i.e. user data) without forwarding through the relay node.
In one embodiment there are at least two relay nodes: one is the common (primary) relay node and the others are standby relay nodes, which provides redundancy. When the common relay node cannot work normally, a standby relay node takes over its work, for example exchanging the tunnel addresses of the branch nodes and managing the NHRP mapping table.
The tunnel communication method provided by this embodiment is a point-to-point dedicated data line transmission scheme based on a dynamic link and a relay node. By establishing MGRE tunnels between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point dedicated line communication between the branch nodes can be realized over a layer-2 link on the existing network architecture, thereby improving the flexibility of tunnel communication and reducing cost.
Fig. 2 is a schematic diagram of establishing a virtual private network based on a tunnel address according to an embodiment. The embodiment provides a novel layer-3 VPN carrying a layer-2 point-to-point line in a PAT scenario; the solution is mainly realized by a relay node, branch nodes, a public network link and a branch local area network. As shown in fig. 2, by introducing the relay node, branch node 1 and branch node 2 are each connected to the relay node via virtual networks, and the two subnets are separated from each other at layer 2.
Specifically, the relay node may establish several MGRE tunnel interface groups, bind them to the NHRP protocol and automatically learn the IP routing information of branch node 1 and branch node 2; two MGRE tunnel interfaces are established for the two branch nodes located in a NAT scenario, where the IP of tunnel interface 1 on the relay node is 192.168.100.1/24, the tunnel address of branch node 1 is 192.168.100.2/24, the IP of tunnel interface 2 on the relay node is 192.168.101.1/24, and the tunnel address of branch node 2 is 192.168.101.2/24. If there are more than two branch nodes, correspondingly more tunnel interfaces are established on the relay node, and the tunnel interfaces of different branch nodes are kept separate, so that an independent layer-3 network is formed between each branch node and the relay node. On this basis, the problem that a DSVPN cannot be established in a NAT scenario is solved.
In this embodiment, the GRE tunnel of branch site 1 is established on top of the MGRE tunnel interface, i.e. an MGRE interface between branch site 1 and the relay node serves as the bearer network; the same applies to branch site 2 and the relay node, so that branch site 1 and branch site 2 communicate through the relay node. As shown in fig. 2, 192.168.100.2 and 192.168.101.2 form a GRE tunnel: the tunnel interface of branch site 1 uses 192.168.100.2 as the outer source IP and 192.168.101.2 as the outer destination IP, the tunnel interface of branch site 2 uses 192.168.101.2 as the outer source IP and 192.168.100.2 as the outer destination IP, and the inner IP of the tunnel is defined by the user. This virtual private network is inexpensive and effective: it is a layer-2 link, requires no change to the customer's existing network architecture, is easy to deploy and is low in cost.
In an embodiment, establishing the MGRE tunnel between the relay node and the at least two branch nodes includes:
step 112: receiving a registration request message of each branch node, wherein the registration request message contains a tunnel address of the corresponding branch node;
step 114: generating an NHRP mapping table according to the tunnel address of each branch node;
step 116: and establishing MGRE tunnels between the relay nodes and the branch nodes according to the NHRP mapping table.
Specifically, after the administrator configures the tunnel address of the relay node on each branch node, each branch node may send a registration request message to the relay node at regular intervals, the registration request message containing the tunnel address of that branch node; the relay node then responds to each registration request, extracts the tunnel address of the corresponding branch node from the message and generates the NHRP mapping table, on the basis of which the MGRE tunnels with the branch nodes are established.
In one embodiment, forwarding the tunnel address of the first branching node to the second branching node comprises:
receiving an address resolution request message of a first branch node, wherein the address resolution request message comprises a tunnel address of the first branch node; and forwarding the address resolution request message to the second branch node.
In one embodiment, forwarding the tunnel address of the second branching node to the first branching node comprises:
receiving an address resolution response message of the second branch node, wherein the address resolution response message contains the tunnel address of the second branch node; and forwarding the address resolution response message to the first branch node.
Specifically, after receiving the address resolution request message of the first branch node, the relay node forwards it to the second branch node for processing; on receipt, the second branch node extracts the tunnel address of the first branch node from the message, updates its own NHRP mapping table, and then constructs an address resolution response message carrying the tunnel address of the second branch node and sends it to the first branch node through the relay node; after receiving the address resolution response message, the first branch node extracts the tunnel address of the second branch node, updates its own NHRP mapping table, and immediately establishes a dynamic MGRE tunnel between the first branch node and the second branch node.
Fig. 3 is a flowchart illustrating the process of establishing a GRE tunnel between branch nodes according to an embodiment. As shown in fig. 3, the Hub generates an NHRP mapping table from the registration request messages sent by Spoke1 and Spoke2 and establishes the MGRE tunnels; the tunnel addresses of Spoke1 and Spoke2 are then exchanged through the address resolution request message and the address resolution response message, during which Spoke1 and Spoke2 each record the other's tunnel address in their own NHRP mapping tables, and the GRE tunnel is established accordingly.
Fig. 4 is a flowchart of another tunneling method according to an embodiment. The present embodiment is applicable to a case where tunnel communication between branch nodes is realized by a relay node. Specifically, the tunneling method may be performed by a branch node (the address resolution requester) through a tunneling apparatus implemented in software and/or hardware and integrated in the branch node. Technical details not described in this embodiment may be found in any of the embodiments above.
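The registration and address resolution exchange of steps S110 to S130 and fig. 3, as an added example that is not part of the patent and not code from the applicant: a Python simulation in which the relay node keeps one MGRE interface and one NHRP entry per branch node, relays resolution messages only between registered branches, and each branch records the other's tunnel address as its GRE endpoint. The hub-side and branch tunnel addresses are those of fig. 2; the underlay (NAT-translated) addresses, the message layout and the check that an unregistered branch is not relayed are assumptions of this example.

```python
"""Simulation of the MGRE/NHRP address exchange (S110-S130, steps 112-116, fig. 3)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Message:
    kind: str           # "register" | "resolve_request" | "resolve_response"
    src: str            # sending node
    dst: str            # node that should act on the message ("hub" or a spoke name)
    tunnel_addr: str    # tunnel address carried in the message
    underlay: str       # public address the relay node sees (after NAT)


class Hub:
    """Relay node and NHRP server. One MGRE interface per branch keeps the
    MGRE tunnels isolated from each other (S110)."""

    def __init__(self, interfaces: Dict[str, str]):
        self.interfaces = interfaces                   # spoke -> hub-side tunnel IP
        self.nhrp: Dict[str, Tuple[str, str]] = {}     # spoke -> (tunnel addr, underlay)

    def on_register(self, msg: Message) -> bool:
        """Steps 112-116: learn the tunnel address from a registration request.
        Rejecting a branch without a configured interface is an added check."""
        if msg.kind != "register" or msg.src not in self.interfaces:
            return False
        self.nhrp[msg.src] = (msg.tunnel_addr, msg.underlay)
        return True

    def relay(self, msg: Message) -> Optional[Message]:
        """S120/S130: forward a resolution request or response to the named branch.
        Only branches with an established MGRE tunnel (registered) are served."""
        if msg.src in self.nhrp and msg.dst in self.nhrp:
            return msg
        return None


class Spoke:
    """Branch node behind NAT; initially knows only the hub's tunnel address."""

    def __init__(self, name: str, tunnel_addr: str, underlay: str, hub_tunnel_ip: str):
        self.name, self.tunnel_addr, self.underlay = name, tunnel_addr, underlay
        self.nhrp: Dict[str, str] = {"hub": hub_tunnel_ip}   # configured by the administrator
        self.gre_peers: Dict[str, str] = {}                  # peer -> its tunnel addr (GRE endpoint)

    def register(self) -> Message:
        return Message("register", self.name, "hub", self.tunnel_addr, self.underlay)

    def resolve(self, peer: str) -> Message:
        """S220: address resolution request carrying our own tunnel address."""
        return Message("resolve_request", self.name, peer, self.tunnel_addr, self.underlay)

    def on_request(self, msg: Message) -> Message:
        """Responder: record the requester's tunnel address, answer with our own."""
        self.nhrp[msg.src] = msg.tunnel_addr
        self.gre_peers[msg.src] = msg.tunnel_addr
        return Message("resolve_response", self.name, msg.src, self.tunnel_addr, self.underlay)

    def on_response(self, msg: Message) -> None:
        """S230: record the responder's tunnel address; the GRE tunnel can now be built."""
        self.nhrp[msg.src] = msg.tunnel_addr
        self.gre_peers[msg.src] = msg.tunnel_addr


def run_exchange():
    """Plays the fig. 3 sequence with the addressing of fig. 2; returns (hub, spoke1, spoke2)."""
    hub = Hub({"spoke1": "192.168.100.1", "spoke2": "192.168.101.1"})
    # Underlay addresses are constructed (RFC 5737 documentation range); both spokes
    # share one NAT address here, which is one of the scenarios the description targets.
    spoke1 = Spoke("spoke1", "192.168.100.2", "198.51.100.7", "192.168.100.1")
    spoke2 = Spoke("spoke2", "192.168.101.2", "198.51.100.7", "192.168.101.1")
    for spoke in (spoke1, spoke2):
        if not hub.on_register(spoke.register()):
            raise RuntimeError(f"{spoke.name} could not register")
    request = hub.relay(spoke1.resolve("spoke2"))        # S120: hub forwards to spoke2
    response = hub.relay(spoke2.on_request(request))     # S130: hub forwards to spoke1
    spoke1.on_response(response)
    return hub, spoke1, spoke2


if __name__ == "__main__":
    hub, s1, s2 = run_exchange()
    print("hub NHRP table:", hub.nhrp)
    print("GRE endpoints:", s1.tunnel_addr, "<->", s1.gre_peers["spoke2"])
```

The hub never hands out underlay addresses to the spokes; only tunnel addresses are exchanged, which is why the two branches can sit behind the same NAT address and still build a GRE tunnel that is routed hub-side between the two isolated MGRE interfaces.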
As shown in fig. 4, the method specifically includes the following steps:
s210, requesting to establish an MGRE tunnel between the first branch node and the relay node.
S220, sending the tunnel address of the first branch node to the relay node through the MGRE tunnel between the first branch node and the relay node, and receiving the tunnel address of the second branch node forwarded by the relay node.
S230, establishing a GRE tunnel between the first branch node and the second branch node according to the tunnel address of the second branch node.
The tunnel communication method provided by this embodiment is a point-to-point data dedicated line transmission scheme based on a dynamic link and a relay node, where a branch node first establishes an MGRE tunnel with the relay node, so that tunnel addresses of the branch nodes are exchanged through the relay node, and point-to-point dedicated line communication between the branch nodes can be implemented based on a two-layer link and an existing network architecture, thereby improving flexibility of tunnel communication and also reducing cost.
In an embodiment, the requesting establishment of the MGRE tunnel between the first branch node and the relay node includes: and sending a registration request message to the relay node, wherein the registration request message contains the tunnel address of the first branch node.
In one embodiment, sending the tunnel address of the first branch node to the relay node comprises:
and sending an address resolution request message to the relay node, wherein the address resolution request message comprises the tunnel address of the first branch node.
In an embodiment, receiving the tunnel address of the second branch node forwarded by the relay node includes:
and receiving an address resolution response message of the second branch node forwarded by the relay node, wherein the address resolution response message contains the tunnel address of the second branch node.
In one embodiment, establishing a GRE tunnel between a first branch node and a second branch node based on a tunnel address of the second branch node comprises:
and extracting the tunnel address of the second branch node from the address resolution response message, and updating the tunnel address into the NHRP mapping table of the first branch node.
In an embodiment, the method further comprises:
step 240: binding a Local Area Network (LAN) port with an interface of the GRE tunnel;
step 250: an Internet Protocol Security (IPSec) tunnel between the first branch node and the second branch node is established through an IPSec virtual tunnel interface.
Specifically, after the GRE tunnel is established between the two branch nodes, each branch node binds the LAN port connected to the user switch to the GRE tunnel interface. A user Ethernet frame received on the LAN interface is then encapsulated into a GRE packet, the GRE packet is encapsulated into the IPSec tunnel, the result is carried over the MGRE tunnel as the intermediate tunnel, and it is finally encapsulated into Ethernet and forwarded from the Wide Area Network (WAN) interface, so that the GRE tunnel carries the Ethernet frames of the user network. On this basis an end-to-end layer-2 data link is established and a reliable, secure communication environment is created, so that Personal Computers (PCs) and servers at different user branch sites are on one layer-2 network.
Taking fig. 2 as an example, the MGRE tunnel interfaces of the branch sites define different IP address segments: the IP address of the MGRE tunnel interface of branch site 1 is 192.168.100.2/24 and the corresponding relay node tunnel interface is 192.168.100.1/24; the IP address of the MGRE tunnel interface of branch site 2 is 192.168.101.2/24 and the corresponding relay node tunnel interface is 192.168.101.2/24. The tunnel IP addresses of the branch sites are all connected through the relay node, so routes between them are reachable; a GRE point-to-point connection is established between the two branch sites through 192.168.100.2 and 192.168.101.2, and GRE over MGRE IPSec tunnel interfaces are established on the two branch nodes. User data is encapsulated in GRE, the GRE + user data packet is encapsulated in the IPsec security encryption tunnel, and the result is finally encapsulated in the MGRE tunnel and transmitted over the IP network. As with the 192.168.1.0/24 network in fig. 2, the two branches are connected as if on the same LAN, which makes the network connection simpler. The solution is widely applicable in broadband networks and greatly reduces cost.
Fig. 5 is a schematic diagram of establishing an IPSec tunnel according to an embodiment. As shown in fig. 5, the IPSec tunnel is established through an IPSec virtual tunnel interface: all packets routed to the IPSec virtual tunnel interface receive IPSec protection, and which data flows need protection is determined by the destination address of the route; the IPSec virtual tunnel interface is a layer-3 logical interface. The GRE tunnel is encapsulated in IPSec so as to combine the advantages of both: GRE encapsulates multicast, broadcast and non-IP packets into ordinary IP packets, and IPSec provides secure communication for those encapsulated IP packets. GRE encapsulation is performed first and IPSec encapsulation second, which ensures that user data packets cannot be stolen on the public network. This route-based mode has further advantages: traffic needing IPSec protection is steered to the virtual tunnel interface by routing, so no Access Control Lists (ACLs) are needed to define the flows to be encrypted and decrypted, which reduces the complexity of IPSec configuration; dynamic routing protocols are supported; and multicast traffic is protected by GRE over IPSec.
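The encapsulation order described above (user Ethernet frame into GRE, GRE into IPSec, then over the MGRE tunnel to the relay node), as an added example that is not part of the patent: a Python builder and decoder for that header stack using only the standard library. It uses the fig. 2 tunnel addresses; the public addresses, the SPI, and the choice of ESP in transport mode are assumptions of this example, and the ESP payload is left unencrypted with no integrity value so that the layering stays visible (real ESP encrypts it and appends an ICV).

```python
"""Header stack of GRE over IPsec over MGRE, built and decoded with struct only."""
import socket
import struct

IPPROTO_GRE = 47
IPPROTO_ESP = 50
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_TEB = 0x6558      # transparent Ethernet bridging: Ethernet frames inside GRE

# Tunnel addresses from fig. 2 of the description; the public (underlay) addresses
# are constructed placeholders from the RFC 5737 documentation ranges.
SPOKE1_TUNNEL, SPOKE2_TUNNEL = "192.168.100.2", "192.168.101.2"
SPOKE1_PUBLIC, HUB_PUBLIC = "198.51.100.7", "203.0.113.1"


def checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071); returns 0 when run over a header that already carries it."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def gre_header(protocol_type: int) -> bytes:
    return struct.pack("!HH", 0, protocol_type)   # RFC 2784: no checksum/key/seq, version 0


def esp_wrap(spi: int, seq: int, payload: bytes, next_header: int) -> bytes:
    """ESP framing (RFC 4303): SPI, sequence, payload, padding, pad length, next header.
    Payload left in clear and no ICV appended: this shows the layering only."""
    pad = (-(len(payload) + 2)) % 4
    trailer = bytes(range(1, pad + 1)) + bytes([pad, next_header])
    return struct.pack("!II", spi, seq) + payload + trailer


def encapsulate(frame: bytes) -> bytes:
    # 1. Ethernet frame from the LAN port -> point-to-point GRE between the spokes
    gre_inner = gre_header(ETHERTYPE_TEB) + frame
    # 2. GRE packet protected by IPsec (assumed ESP transport mode between the tunnel addresses)
    esp = esp_wrap(0x1001, 1, gre_inner, IPPROTO_GRE)
    ip_esp = ipv4_header(SPOKE1_TUNNEL, SPOKE2_TUNNEL, IPPROTO_ESP, len(esp)) + esp
    # 3. carried over the MGRE tunnel to the hub: outer GRE with the public addresses
    mgre = gre_header(ETHERTYPE_IPV4) + ip_esp
    return ipv4_header(SPOKE1_PUBLIC, HUB_PUBLIC, IPPROTO_GRE, len(mgre)) + mgre


def walk(packet: bytes) -> list:
    """Decode the stack from the outside in, one entry per layer."""
    layers, kind, cur = [], "ipv4", packet
    while True:
        if kind == "ipv4":
            ihl, total = (cur[0] & 0x0F) * 4, struct.unpack("!H", cur[2:4])[0]
            if checksum(cur[:ihl]) != 0:
                raise ValueError("bad IPv4 header checksum")
            proto = cur[9]
            src, dst = socket.inet_ntoa(cur[12:16]), socket.inet_ntoa(cur[16:20])
            layers.append(f"IPv4 {src}->{dst} proto={proto}")
            cur = cur[ihl:total]
            kind = {IPPROTO_GRE: "gre", IPPROTO_ESP: "esp"}.get(proto, "raw")
        elif kind == "gre":
            _flags, ptype = struct.unpack("!HH", cur[:4])
            layers.append(f"GRE type=0x{ptype:04x}")
            cur = cur[4:]
            kind = {ETHERTYPE_IPV4: "ipv4", ETHERTYPE_TEB: "ethernet"}.get(ptype, "raw")
        elif kind == "esp":
            spi, seq = struct.unpack("!II", cur[:8])
            pad, next_header = cur[-2], cur[-1]
            layers.append(f"ESP spi=0x{spi:x} seq={seq}")
            cur = cur[8:len(cur) - 2 - pad]
            kind = {IPPROTO_GRE: "gre"}.get(next_header, "raw")
        elif kind == "ethernet":
            layers.append(f"Ethernet frame {len(cur)} bytes")
            return layers
        else:
            layers.append(f"payload {len(cur)} bytes")
            return layers


def sample_frame() -> bytes:
    """Constructed user Ethernet frame: dst MAC, src MAC, EtherType IPv4, 5-byte payload."""
    return bytes.fromhex("0a0000000002" "0a0000000001" "0800") + b"hello"


if __name__ == "__main__":
    pkt = encapsulate(sample_frame())
    for layer in walk(pkt):
        print(layer)
    print("overhead:", len(pkt) - len(sample_frame()), "bytes")
```

With this framing the stack adds 61 bytes to a 19-byte frame before any ESP IV or ICV, so the LAN-bound GRE interface needs an MTU (and TCP MSS clamp) small enough that full-size user frames are not fragmented or silently dropped inside the tunnel.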
In an embodiment, the first branch node is used as a sending end of data to be transmitted, and the method further includes:
step 2610: encrypting data to be transmitted by using a symmetric key;
step 2620: encrypting the symmetric key by using the public key;
step 2630: and sending the encrypted symmetric key to the second branch node through the IPSec tunnel, and sending the encrypted data to be transmitted to the second branch node.
In an embodiment, the first branch node serves as a receiving end of data to be transmitted, and the method further includes:
step 2710: receiving the encrypted symmetric key and the encrypted data to be transmitted through the IPSec tunnel;
step 2720: decrypting the encrypted symmetric key by using a private key to obtain a symmetric key;
step 2730: and decrypting the encrypted data to be transmitted by using the symmetric key to obtain the data to be transmitted.
In this embodiment, the branch nodes transmit the data to be transmitted over the IPSec tunnel, and each branch node may be the sending end or the receiving end. Following the GRE over IPSec encryption concept, symmetric and asymmetric encryption are combined: the symmetric key used to encrypt and decrypt the data is itself encrypted with an asymmetric algorithm for transmission, and the data to be transmitted is encrypted and decrypted with the exchanged symmetric key. Encrypting the data prevents it from being read in transit; a symmetric scheme is used for this, i.e. the sending end and the receiving end use the same key (the symmetric key) for encryption and decryption, which keeps data transmission efficient. When the sending end and the receiving end exchange the symmetric key, an asymmetric scheme is used to reduce the risk of the key being stolen: the sending end encrypts the symmetric key with the public key and the receiving end decrypts it with the private key, which improves the security of the exchange.
Fig. 6 is a schematic diagram of encrypting and decrypting data to be transmitted through an IPSec tunnel according to an embodiment. As shown in fig. 6, with the GRE over IPSec scheme a user data packet (i.e. the data to be transmitted) encapsulated with a GRE header is encrypted and carried through the IPSec security tunnel so as to ensure the reliability of the data; the data reaches the peer node securely and is decrypted there, forming an end-to-end encrypted tunnel.
In an embodiment, the first branch node is used as a sending end of data to be transmitted, and the method further includes:
calculating a first hash value from the data to be transmitted, wherein the first hash value is carried in the data to be transmitted and sent to the second branch node through the IPSec tunnel.
In an embodiment, the first branch node serves as a receiving end of data to be transmitted, and the method further includes:
calculating a second hash value from the data to be transmitted received through the IPSec tunnel;
comparing the second hash value with the first hash value carried in the data to be transmitted to obtain a data authentication result.
In this embodiment, a hash algorithm is used to authenticate the data to be transmitted; its main purpose is to determine whether the data has been tampered with. Each branch node may be the sending end or the receiving end of the data to be transmitted. The sending end computes a hash value over the data with the hash algorithm and carries that hash value in the data to be transmitted sent to the receiving end; the receiving end recomputes the hash value over the received data and compares it with the carried hash value. If the two hash values are consistent, the data to be transmitted has not been tampered with.
Fig. 7 is a schematic diagram illustrating authentication of data to be transmitted according to an embodiment. As shown in fig. 7, RT1 is the sending end (for example, the first branch node) and RT2 is the receiving end (for example, the second branch node). RT1 computes the first hash value (hash value A), carries it in the data to be transmitted and sends the data to RT2. RT2 computes the second hash value (hash value B) and compares it with the first hash value to complete data authentication, further improving the security and reliability of data transmission.
Fig. 8 is a flowchart of another tunnel communication method according to an embodiment. The present embodiment is applicable to the case where tunnel communication between branch nodes is realized through a relay node. Specifically, the tunnel communication method may be performed by a branch node acting as the address resolution responder; the tunnel communication apparatus may be implemented in software and/or hardware and integrated into the branch node. For technical details not described in the present embodiment, reference may be made to any of the above embodiments.
As shown in fig. 8, the method specifically includes the following steps:
S310, requesting to establish an MGRE tunnel between the second branch node and the relay node.
S320, receiving the tunnel address of the first branch node forwarded by the relay node through the MGRE tunnel between the second branch node and the relay node, and sending the tunnel address of the second branch node to the relay node.
S330, establishing a GRE tunnel between the second branch node and the first branch node according to the tunnel address of the first branch node.
The tunnel communication method provided by this embodiment is a point-to-point data private line transmission scheme based on dynamic links and a relay node. A branch node first establishes an MGRE tunnel with the relay node, so that the tunnel addresses of the branch nodes are exchanged through the relay node, and point-to-point private line communication between the branch nodes can then be realized on top of a layer-two link and the existing network architecture. This improves the flexibility of tunnel communication and also reduces cost.
In an embodiment, requesting to establish the MGRE tunnel between the second branch node and the relay node includes: sending a registration request message to the relay node, wherein the registration request message contains the tunnel address of the second branch node.
In an embodiment, receiving a tunnel address of a first branch node forwarded by a relay node includes:
receiving an address resolution request message of the first branch node forwarded by the relay node, wherein the address resolution request message comprises the tunnel address of the first branch node.
In one embodiment, establishing a GRE tunnel with a first branch node based on a tunnel address of the first branch node comprises:
extracting the tunnel address of the first branch node from the address resolution request message, and updating the tunnel address into the NHRP mapping table of the second branch node.
In one embodiment, the sending the tunnel address of the second branch node to the relay node includes:
sending an address resolution response message of the second branch node to the relay node, wherein the address resolution response message contains the tunnel address of the second branch node.
In one embodiment, the method further comprises:
binding the LAN port of the local area network to the interface of the GRE tunnel; and
establishing an IPSec tunnel between the first branch node and the second branch node through an IPSec virtual tunnel interface.
In an embodiment, the second branch node is used as a sending end of the data to be transmitted, and the method further includes:
encrypting data to be transmitted by using a symmetric key;
encrypting the symmetric key by using the public key;
sending the encrypted symmetric key to the first branch node through the IPSec tunnel, and sending the encrypted data to be transmitted to the first branch node.
In an embodiment, the second branch node serves as a receiving end of the data to be transmitted, and the method further includes:
receiving the encrypted symmetric key and the encrypted data to be transmitted through the IPSec tunnel;
decrypting the encrypted symmetric key by using a private key to obtain a symmetric key;
decrypting the encrypted data to be transmitted by using the symmetric key to obtain the data to be transmitted.
In an embodiment, the second branch node is used as a sending end of data to be transmitted, and the method further includes:
calculating a first hash value from the data to be transmitted, wherein the first hash value is carried in the data to be transmitted and sent to the first branch node through the IPSec tunnel.
In an embodiment, the second branch node serves as a receiving end of the data to be transmitted, and the method further includes:
calculating a second hash value from the data to be transmitted received through the IPSec tunnel;
comparing the second hash value with the first hash value carried in the data to be transmitted to obtain a data authentication result.
Fig. 9 is a schematic structural diagram of a tunnel communication apparatus according to an embodiment. As shown in fig. 9, the tunnel communication apparatus provided in this embodiment includes:
an establishing module 410 configured to establish an MGRE tunnel between a relay node and at least two branch nodes, where the at least two branch nodes include a first branch node and a second branch node, and each MGRE tunnel is isolated from each other;
a first forwarding module 420 configured to forward the tunnel address of the first branch node to the second branch node through the MGRE tunnels between the relay node and the first and second branch nodes;
a second forwarding module 430 configured to forward the tunnel address of the second branch node to the first branch node through the MGRE tunnels between the relay node and the first and second branch nodes.
In the tunnel communication apparatus provided in this embodiment, MGRE tunnels are established between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point private line communication between the branch nodes can be implemented on top of a layer-two link and the existing network architecture, so that the flexibility of tunnel communication is improved and the cost is also reduced.
On the basis of the above embodiment, the establishing module 410 includes:
a registration unit, configured to receive a registration request message from each branch node, where the registration request message includes the tunnel address of that branch node;
a generating unit, configured to generate an NHRP mapping table from the tunnel addresses of the branch nodes;
an establishing unit, configured to establish the MGRE tunnel between the relay node and each branch node according to the NHRP mapping table.
On the basis of the above embodiment, the first forwarding module 420 is configured to:
receiving an address resolution request message of the first branch node, wherein the address resolution request message comprises a tunnel address of the first branch node;
forwarding the address resolution request message to the second branch node.
On the basis of the above embodiment, the second forwarding module 430 is configured to:
receiving an address resolution response message of the second branch node, wherein the address resolution response message comprises the tunnel address of the second branch node; and forwarding the address resolution response message to the first branch node.
The tunnel communication device provided by this embodiment may be configured to execute the tunnel communication method applied to the relay node provided by any of the above embodiments, and has corresponding functions and beneficial effects.
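The registration and address-resolution exchange of fig. 8 and the relay apparatus of fig. 9, as an added simulation that is not code from the patent: the relay builds its NHRP mapping table from registration requests and forwards resolution requests and responses between branches, and each branch updates its own NHRP mapping table from the forwarded message before bringing up the GRE tunnel. Node names, tunnel addresses and the message structure are constructed for the example, and the relay's refusal to forward on behalf of, or towards, a branch that never registered is an added check rather than a step the patent states.

```go
package main

import "fmt"

// Message kinds carried over the MGRE tunnels: the page's registration
// request, address resolution request and address resolution response.
type MsgKind int

const (
	Registration MsgKind = iota
	ResolutionRequest
	ResolutionResponse
)

// Message is one NHRP-style message. From and Target are constructed branch
// identifiers; TunnelAddr is the tunnel address the message carries.
type Message struct {
	Kind                     MsgKind
	From, TunnelAddr, Target string // Target is set on resolution messages only
}

// RelayNode builds its NHRP mapping table from registrations. The MGRE
// tunnels are isolated, so only the relay sees every registration.
type RelayNode struct {
	NHRP map[string]string // branch id -> tunnel address
}

func NewRelay() *RelayNode { return &RelayNode{NHRP: map[string]string{}} }

// Register handles a registration request (S310, establishing module 410):
// the branch's tunnel address enters the relay's NHRP mapping table.
func (r *RelayNode) Register(m Message) error {
	if m.Kind != Registration || m.From == "" || m.TunnelAddr == "" {
		return fmt.Errorf("relay: malformed registration request from %q", m.From)
	}
	r.NHRP[m.From] = m.TunnelAddr
	return nil
}

// Forward relays a resolution request or response (modules 420 and 430).
// Added check: messages from or towards an unregistered branch are refused,
// so a node outside the MGRE tunnels cannot learn tunnel addresses here.
func (r *RelayNode) Forward(m Message) (Message, error) {
	if m.Kind != ResolutionRequest && m.Kind != ResolutionResponse {
		return Message{}, fmt.Errorf("relay: message kind %d is not forwarded", m.Kind)
	}
	if _, ok := r.NHRP[m.From]; !ok {
		return Message{}, fmt.Errorf("relay: %s has no MGRE tunnel", m.From)
	}
	if _, ok := r.NHRP[m.Target]; !ok {
		return Message{}, fmt.Errorf("relay: unknown target %s", m.Target)
	}
	return m, nil // delivered to m.Target over that branch's own MGRE tunnel
}

// BranchNode keeps its own tunnel address, its NHRP mapping table and the
// point-to-point GRE tunnels it has brought up.
type BranchNode struct {
	ID, TunnelAddr string
	NHRP           map[string]string // peer id -> peer tunnel address
	GRE            map[string]bool   // peer id -> GRE tunnel established
}

func NewBranch(id, addr string) *BranchNode {
	return &BranchNode{ID: id, TunnelAddr: addr, NHRP: map[string]string{}, GRE: map[string]bool{}}
}

// Learn: extract the peer's tunnel address from a forwarded message, update
// the local NHRP mapping table and bring up the GRE tunnel (S330).
func (b *BranchNode) Learn(m Message) {
	b.NHRP[m.From] = m.TunnelAddr
	b.GRE[m.From] = true
}

// Resolve runs the fig. 8 exchange: a's request is forwarded to b, b learns
// a's address and answers, and the forwarded response lets a learn b's.
func Resolve(relay *RelayNode, a, b *BranchNode) error {
	req := Message{Kind: ResolutionRequest, From: a.ID, TunnelAddr: a.TunnelAddr, Target: b.ID}
	fwd, err := relay.Forward(req)
	if err != nil {
		return err
	}
	b.Learn(fwd)
	resp := Message{Kind: ResolutionResponse, From: b.ID, TunnelAddr: b.TunnelAddr, Target: a.ID}
	if fwd, err = relay.Forward(resp); err != nil {
		return err
	}
	a.Learn(fwd)
	return nil
}

func main() {
	relay := NewRelay()
	rt1, rt2 := NewBranch("RT1", "10.0.0.1"), NewBranch("RT2", "10.0.0.2") // constructed addresses
	for _, b := range []*BranchNode{rt1, rt2} {
		_ = relay.Register(Message{Kind: Registration, From: b.ID, TunnelAddr: b.TunnelAddr})
	}
	fmt.Println("RT1<->RT2:", Resolve(relay, rt1, rt2), rt1.NHRP, rt2.NHRP)
	fmt.Println("RT3->RT1:", Resolve(relay, NewBranch("RT3", "10.0.0.3"), rt1)) // never registered
}
```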
Fig. 10 is a schematic structural diagram of another tunnel communication apparatus according to an embodiment. As shown in fig. 10, the tunnel communication apparatus provided in this embodiment includes:
a first request module 510 configured to request establishment of an MGRE tunnel between the first branch node and the relay node;
a first information transceiver module 520 configured to send the tunnel address of the first branch node to the relay node, and receive the tunnel address of the second branch node forwarded by the relay node;
a first establishing module 530 configured to establish a GRE tunnel between the first branch node and the second branch node according to the tunnel address of the second branch node.
In the tunnel communication apparatus provided in this embodiment, MGRE tunnels are established between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point private line communication between the branch nodes can be implemented on top of a layer-two link and the existing network architecture, so that the flexibility of tunnel communication is improved and the cost is also reduced.
On the basis of the foregoing embodiment, the first request module 510 is configured to send a registration request packet to the relay node, where the registration request packet includes the tunnel address of the first branch node.
On the basis of the above embodiment, the first information transceiver module 520 includes:
a first sending unit, configured to send an address resolution request message to the relay node, where the address resolution request message includes the tunnel address of the first branch node.
On the basis of the above embodiment, the first information transceiver module 520 includes:
a first receiving unit, configured to receive an address resolution response packet of the second branch node forwarded by the relay node, where the address resolution response packet includes a tunnel address of the second branch node.
On the basis of the above embodiment, the first establishing module 530 is configured to:
extracting the tunnel address of the second branch node from the address resolution response message, and updating the tunnel address into the NHRP mapping table of the first branch node.
On the basis of the above embodiment, the apparatus further includes:
a first binding module, configured to bind the LAN port of the local area network to the interface of the GRE tunnel;
a first security tunnel establishing module, configured to establish an IPSec tunnel between the first branch node and the second branch node through an IPSec virtual tunnel interface.
On the basis of the above embodiment, the apparatus is applied to a sending end of data to be transmitted, and the apparatus further includes:
a first data encryption module, configured to encrypt data to be transmitted by using a symmetric key;
a first key encryption module configured to encrypt the symmetric key using a public key;
a first secure sending module, configured to send the encrypted symmetric key to the second branch node through the IPSec tunnel and to send the encrypted data to be transmitted to the second branch node.
On the basis of the above embodiment, the apparatus is applied to a receiving end of data to be transmitted, and the apparatus further includes:
a first secure receiving module, configured to receive the encrypted symmetric key and the encrypted data to be transmitted through the IPSec tunnel;
a first key decryption module, configured to decrypt the encrypted symmetric key by using a private key to obtain the symmetric key;
a first data decryption module, configured to decrypt the encrypted data to be transmitted by using the symmetric key to obtain the data to be transmitted.
On the basis of the above embodiment, the apparatus is applied to a transmitting end of data to be transmitted, and the apparatus further includes:
a first calculation module, configured to calculate a first hash value from the data to be transmitted, wherein the first hash value is carried in the data to be transmitted and sent to the second branch node through the IPSec tunnel.
On the basis of the above embodiment, the apparatus is applied to a receiving end of data to be transmitted, and the apparatus further includes:
a second calculation module, configured to calculate a second hash value from the data to be transmitted received through the IPSec tunnel;
a first comparison module, configured to compare the second hash value with the first hash value carried in the data to be transmitted to obtain a data authentication result.
The tunnel communication apparatus provided in this embodiment may be configured to perform the tunnel communication method applied to the first branch node provided in any of the above embodiments, and has corresponding functions and beneficial effects.
Fig. 11 is a schematic structural diagram of another tunnel communication apparatus according to an embodiment. As shown in fig. 11, the tunnel communication apparatus provided in this embodiment includes:
a second request module 610 configured to request establishment of an MGRE tunnel between the second branch node and the relay node;
a second information transceiver module 620, configured to receive the tunnel address of the first branch node forwarded by the relay node, and send the tunnel address of the second branch node to the relay node;
a second establishing module 630, configured to establish a GRE tunnel with the first branch node according to the tunnel address of the first branch node.
In the tunnel communication apparatus provided in this embodiment, MGRE tunnels are established between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point private line communication between the branch nodes can be implemented on top of a layer-two link and the existing network architecture, so that the flexibility of tunnel communication is improved and the cost is also reduced.
On the basis of the foregoing embodiment, the second request module 610 is configured to send a registration request packet to the relay node, where the registration request packet includes the tunnel address of the second branch node.
On the basis of the above embodiment, the second information transceiver module 620 includes:
a second receiving unit, configured to receive an address resolution request packet of the first branch node forwarded by the relay node, where the address resolution request packet includes a tunnel address of the first branch node.
On the basis of the foregoing embodiment, the second establishing module 630 is configured to extract the tunnel address of the first branch node from the address resolution request message, and update the tunnel address to the NHRP mapping table of the second branch node.
On the basis of the above embodiment, the second information transceiver module 620 includes:
a second sending unit, configured to send an address resolution response message of the second branch node to the relay node, where the address resolution response message includes the tunnel address of the second branch node.
On the basis of the above embodiment, the apparatus further includes:
a second binding module, configured to bind the LAN port of the local area network to the interface of the GRE tunnel;
a second security tunnel establishing module, configured to establish an IPSec tunnel between the first branch node and the second branch node through an IPSec virtual tunnel interface.
On the basis of the above embodiment, the apparatus is applied to a transmitting end of data to be transmitted, and the apparatus further includes:
a second data encryption module, configured to encrypt the data to be transmitted by using a symmetric key;
a second key encryption module, configured to encrypt the symmetric key by using a public key;
a second secure sending module, configured to send the encrypted symmetric key to the first branch node through the IPSec tunnel and to send the encrypted data to be transmitted to the first branch node.
On the basis of the above embodiment, the apparatus is applied to a receiving end of data to be transmitted, and the apparatus further includes:
a second secure receiving module, configured to receive the encrypted symmetric key and the encrypted data to be transmitted through the IPSec tunnel;
a second key decryption module, configured to decrypt the encrypted symmetric key by using a private key to obtain the symmetric key;
a second data decryption module, configured to decrypt the encrypted data to be transmitted by using the symmetric key to obtain the data to be transmitted.
On the basis of the above embodiment, the apparatus is applied to a sending end of data to be transmitted, and the apparatus further includes:
a third calculation module, configured to calculate a first hash value from the data to be transmitted, wherein the first hash value is carried in the data to be transmitted and sent to the first branch node through the IPSec tunnel.
On the basis of the above embodiment, the apparatus is applied to a receiving end of data to be transmitted, and the apparatus further includes:
a fourth calculation module, configured to calculate a second hash value from the data to be transmitted received through the IPSec tunnel;
a second comparison module, configured to compare the second hash value with the first hash value carried in the data to be transmitted to obtain a data authentication result.
The tunnel communication apparatus provided in this embodiment may be configured to perform the tunnel communication method applied to the second branch node provided in any of the above embodiments, and has corresponding functions and beneficial effects.
Fig. 12 is a schematic hardware structure diagram of a relay node according to an embodiment. As shown in fig. 12, the relay node provided in the present application includes a storage device 720, a processor 710, and a computer program stored on the storage device and executable on the processor, and when the processor 710 executes the program, the above-mentioned tunnel communication method is implemented.
The relay node may further comprise a storage 720; the number of the processors 710 in the relay node may be one or more, and one processor 710 is taken as an example in fig. 12; storage 720 for storing one or more programs; the one or more programs are executed by the one or more processors 710, so that the one or more processors 710 implement the tunneling method as described in the embodiments of the present application.
The relay node further comprises: a communication device 730, an input device 740, and an output device 750.
The processor 710, the storage device 720, the communication device 730, the input device 740, and the output device 750 in the relay node may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 12.
The input device 740 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the relay node. The output device 750 may include a display device such as a display screen.
The communication device 730 may include a receiver and a transmitter. The communication device 730 is configured to perform information transceiving communication according to the control of the processor 710.
The storage device 720, which is a computer-readable storage medium, can be configured to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the tunnel communication method according to the embodiment of the present application (for example, the establishing module 410, the first forwarding module 420, and the second forwarding module 430 in the tunnel communication device). The storage 720 may include a storage program area and a storage data area, wherein the storage program area may store an operating system, an application program required for at least one function; the storage data area may store data created according to the use of the relay node, and the like. Additionally, storage 720 may include high speed random access storage, and may also include non-volatile storage, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, the storage 720 may further include storage remotely located from the processor 710, which may be connected to the relay node over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
Fig. 13 is a schematic hardware structure diagram of a branch node according to an embodiment. As shown in fig. 13, the branch node provided in the present application includes a storage device 820, a processor 810, and a computer program stored on the storage device and running on the processor, and when the processor 810 executes the computer program, the tunneling method is implemented.
The branch node may also include storage 820; the number of the processors 810 in the branch node may be one or more, and one processor 810 is taken as an example in fig. 13; storage 820 is used to store one or more programs; the one or more programs are executed by the one or more processors 810, so that the one or more processors 810 implement the tunneling method as described in the embodiment of the present application.
The branch node further includes: a communication device 830, an input device 840, and an output device 850.
The processor 810, the storage 820, the communication device 830, the input device 840 and the output device 850 in the branch node may be connected by a bus or other means, and the connection by the bus is exemplified in fig. 13.
The input device 840 may be used to receive input numeric or character information and generate key signal inputs related to user settings and function control of the branch node. The output device 850 may include a display device such as a display screen.
The communication device 830 may include a receiver and a transmitter. The communication device 830 is configured to perform information transceiving communication according to the control of the processor 810.
The storage device 820, as a computer-readable storage medium, may be configured to store software programs, computer-executable programs, and modules, such as program instructions/modules corresponding to the tunnel communication method according to the embodiment of the present application (for example, the first request module 510, the first information transceiver module 520, and the first establishing module 530 in the tunnel communication apparatus). The storage device 820 may include a storage program area and a storage data area, wherein the storage program area may store an operating system and an application program required for at least one function, and the storage data area may store data created according to the use of the branch node, and the like. Additionally, storage 820 may include high speed random access storage and may also include non-volatile storage, such as at least one magnetic disk storage device, flash memory device, or other non-volatile solid state storage device. In some examples, storage 820 may further include storage remotely located from processor 810, which may be connected to the branch node over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The embodiment of the invention also provides a tunnel communication system. Fig. 14 is a schematic structural diagram of a tunnel communication system according to an embodiment. As shown in fig. 14, the system includes: a relay node 910 as described in any of the embodiments above, and at least two branch nodes 920 as described in any of the embodiments above.
The tunnel communication system of this embodiment provides a point-to-point data private line transmission scheme based on dynamic links and a relay node. By establishing MGRE tunnels between the relay node and the branch nodes, the relay node exchanges the tunnel addresses of the branch nodes, and point-to-point private line communication between the branch nodes can be realized on top of a layer-two link and the existing network architecture, which improves the flexibility of tunnel communication and also reduces cost.
The tunnel communication system provided by this embodiment may be used to implement the tunnel communication method provided by any of the above embodiments, and has corresponding functions and beneficial effects. It should be noted that, for technical details that are not described in detail in this embodiment, reference may be made to any of the above embodiments.
On the basis of the above-mentioned embodiments, the present embodiment also provides a computer-readable storage medium having stored thereon a computer program which, when executed by a tunnel communication apparatus, implements a tunnel communication method in any of the above-mentioned embodiments of the present invention, the method including:
establishing an MGRE tunnel between a relay node and at least two branch nodes, wherein the at least two branch nodes comprise a first branch node and a second branch node, and the MGRE tunnels are isolated from each other;
performing the following operations through the MGRE tunnel between the relay node and the first and second branch nodes:
forwarding the tunnel address of the first branch node to the second branch node;
forwarding the tunnel address of the second branching node to the first branching node.
Alternatively, the method comprises:
requesting to establish a multipoint Generic Routing Encapsulation (MGRE) tunnel between the first branch node and the relay node;
sending the tunnel address of the first branch node to the relay node through an MGRE tunnel between the first branch node and the relay node, and receiving the tunnel address of a second branch node forwarded by the relay node;
establishing a GRE tunnel between the first branch node and the second branch node according to the tunnel address of the second branch node.
Alternatively, the method comprises:
requesting to establish a multipoint Generic Routing Encapsulation (MGRE) tunnel between the second branch node and the relay node;
receiving the tunnel address of the first branch node forwarded by the relay node through the MGRE tunnel between the second branch node and the relay node, and sending the tunnel address of the second branch node to the relay node;
establishing a Generic Routing Encapsulation (GRE) tunnel between the second branch node and the first branch node according to the tunnel address of the first branch node.
Embodiments of the present invention provide a storage medium including computer-executable instructions, which may take the form of any combination of one or more computer-readable media, such as a computer-readable signal medium or storage medium. The computer-readable storage medium may be, for example, but is not limited to: an electrical, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination thereof. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory device (RAM), a Read Only Memory device (ROM), an Erasable Programmable Read Only Memory device (EPROM), a flash Memory, an optical fiber, a portable CD-ROM, an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. A computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in a base or as part of a carrier wave. Such a propagated data signal may take a variety of forms, including, but not limited to: an electromagnetic signal, an optical signal, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, Radio Frequency (RF), etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for aspects of the present application may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk or C++, and conventional procedural programming languages such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer, or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
From the above description of the embodiments, it is obvious for those skilled in the art that the present invention can be implemented by software and necessary general hardware, and certainly, can also be implemented by hardware, but the former is a better embodiment in many cases. Based on such understanding, the technical solutions of the present invention may be embodied in the form of a software product, which can be stored in a computer-readable storage medium, such as a floppy disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a FLASH Memory (FLASH), a hard disk or an optical disk of a computer, and includes several instructions for enabling a computer device (which may be a personal computer, a server, or a network device) to execute the methods according to the embodiments of the present invention.
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.

Claims (13)

1. A tunnel communication method, applied to a relay node, characterized in that it comprises the following steps:
establishing a multipoint generic routing encapsulation (MGRE) tunnel between the relay node and each of at least two branch nodes, wherein the at least two branch nodes comprise a first branch node and a second branch node, and the MGRE tunnels are isolated from each other;
performing the following operations through the MGRE tunnel between the relay node and the first and second branch nodes:
forwarding the tunnel address of the first branch node to the second branch node;
forwarding the tunnel address of the second branch node to the first branch node.
2. The method of claim 1, wherein establishing the MGRE tunnel between the relay node and at least two branch nodes comprises:
receiving a registration request message of each branch node, wherein the registration request message contains a tunnel address of the corresponding branch node;
generating a Next Hop Resolution Protocol (NHRP) mapping table according to the tunnel address of each branch node;
and establishing an MGRE tunnel between the relay node and each branch node according to the NHRP mapping table.
3. The method of claim 1, wherein forwarding the tunnel address of the first branch node to the second branch node comprises:
receiving an address resolution request message of the first branch node, wherein the address resolution request message comprises a tunnel address of the first branch node;
and forwarding the address resolution request message to the second branch node.
4. The method of claim 1, wherein forwarding the tunnel address of the second branch node to the first branch node comprises:
receiving an address resolution response message of the second branch node, wherein the address resolution response message comprises a tunnel address of the second branch node;
and forwarding the address resolution response message to the first branch node.
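As an added example (not part of the patent or of any product of the applicant), the relay-side behaviour of claims 2 to 4 modelled in Go: branch nodes register their tunnel addresses, the relay builds the NHRP mapping table from them, and resolution requests and responses are forwarded over the target node's MGRE tunnel. Node names, addresses and the message format are constructed for this example, and the check that drops unregistered or address-mismatched senders is an addition not stated in the claims.

```go
package main

import (
	"errors"
	"fmt"
)

// Simplified NHRP-style message kinds carried over the MGRE tunnel (claims 2 to 4).
const Register, ResolveReq, ResolveResp = "register", "resolve", "response"

// Msg models one message; TunnelAddr is the tunnel address of the sending branch node.
type Msg struct{ Kind, From, To, TunnelAddr string }

// Relay holds the NHRP mapping table: branch node -> registered tunnel address.
type Relay struct{ nhrp map[string]string }
func NewRelay() *Relay { return &Relay{nhrp: map[string]string{}} }

// Handle processes one message from a branch node. For resolution traffic it
// returns the message to deliver over the target node's MGRE tunnel; a non-nil
// error means the relay dropped the message instead of forwarding it.
func (r *Relay) Handle(m Msg) (*Msg, error) {
	switch m.Kind {
	case Register: // claim 2: build the NHRP mapping table from registrations
		r.nhrp[m.From] = m.TunnelAddr
		return nil, nil
	case ResolveReq, ResolveResp: // claims 3 and 4: forward the carried address
		// Added check (not in the claims): forward only for a registered sender whose
		// stated tunnel address matches its registration, and only to a registered
		// target, so a node that never registered can neither inject nor learn addresses.
		if addr, ok := r.nhrp[m.From]; !ok || addr != m.TunnelAddr {
			return nil, errors.New("drop: sender not registered with that tunnel address")
		}
		if _, ok := r.nhrp[m.To]; !ok {
			return nil, errors.New("drop: target branch node not registered")
		}
		return &m, nil
	}
	return nil, errors.New("drop: unknown message kind")
}

func main() { // constructed sample: two registered branch nodes, then an impostor
	r := NewRelay()
	r.Handle(Msg{Register, "spoke1", "", "10.0.0.11"})
	r.Handle(Msg{Register, "spoke2", "", "10.0.0.12"})
	req, _ := r.Handle(Msg{ResolveReq, "spoke1", "spoke2", "10.0.0.11"})
	resp, _ := r.Handle(Msg{ResolveResp, "spoke2", "spoke1", "10.0.0.12"})
	fmt.Println(req.To, "learns", req.TunnelAddr, "and", resp.To, "learns", resp.TunnelAddr)
	_, err := r.Handle(Msg{ResolveReq, "rogue", "spoke2", "10.0.0.99"})
	fmt.Println(err) // drop: sender not registered with that tunnel address
}
```

After the two forwarded messages each branch node holds the other's tunnel address, which is what claim 5 and claim 9 then use to bring up the direct GRE tunnel.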
5. A tunnel communication method, applied to a first branch node, characterized in that it comprises the following steps:
requesting to establish a multipoint generic routing encapsulation (MGRE) tunnel between the first branch node and a relay node;
sending the tunnel address of the first branch node to the relay node through an MGRE tunnel between the first branch node and the relay node, and receiving the tunnel address of a second branch node forwarded by the relay node;
and establishing a Generic Routing Encapsulation (GRE) tunnel between the first branch node and the second branch node according to the tunnel address of the second branch node.
6. The method of claim 5, further comprising:
binding a LAN port of a local area network with an interface of the GRE tunnel;
and establishing an IPSec tunnel between the first branch node and the second branch node through an Internet Protocol Security (IPSec) virtual tunnel interface.
7. The method of claim 6, wherein the first branch node serves as a sender of data to be transmitted, and wherein the method further comprises:
encrypting data to be transmitted by using a symmetric key;
encrypting the symmetric key using a public key;
and sending the encrypted symmetric key to the second branch node through the IPSec tunnel, and sending the encrypted data to be transmitted to the second branch node.
8. The method of claim 6, wherein the first branch node serves as a receiver of data to be transmitted, and wherein the method further comprises:
receiving the encrypted symmetric key and the encrypted data to be transmitted through the IPSec tunnel;
decrypting the encrypted symmetric key by using a private key to obtain the symmetric key;
and decrypting the encrypted data to be transmitted by using the symmetric key to obtain the data to be transmitted.
9. A tunnel communication method, applied to a second branch node, characterized in that it comprises the following steps:
requesting to establish a multipoint generic routing encapsulation (MGRE) tunnel between the second branch node and a relay node;
receiving a tunnel address of a first branch node forwarded by a relay node through an MGRE tunnel between the second branch node and the relay node, and sending the tunnel address of the second branch node to the relay node;
and establishing a Generic Routing Encapsulation (GRE) tunnel between the second branch node and the first branch node according to the tunnel address of the first branch node.
10. The method of claim 9, further comprising:
binding a LAN port of a local area network with an interface of the GRE tunnel;
and establishing an IPSec tunnel between the first branch node and the second branch node through an Internet Protocol Security (IPSec) virtual tunnel interface.
11. A relay node, comprising:
one or more processors;
storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the tunnel communication method of any one of claims 1-5.
12. A branching node, comprising:
one or more processors;
storage means for storing one or more programs;
the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the tunnel communication method of any one of claims 6-8 or the tunnel communication method of any one of claims 9-10.
13. A tunnel communication system, comprising:
a relay node according to claim 11, and at least two branch nodes according to claim 12.
CN202210446461.6A 2022-04-26 2022-04-26 Tunnel communication method, relay node, branch node and tunnel communication system Pending CN115037685A (en)

Publications (1)

Publication Number Publication Date
CN115037685A true CN115037685A (en) 2022-09-09

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7447901B1 (en) * 2002-06-25 2008-11-04 Cisco Technology, Inc. Method and apparatus for establishing a dynamic multipoint encrypted virtual private network
US20090157901A1 (en) * 2007-12-12 2009-06-18 Cisco Systems, Inc. System and method for using routing protocol extensions for improving spoke to spoke communication in a computer network
CN104427010A (en) * 2013-08-30 2015-03-18 杭州华三通信技术有限公司 NAT (network address translation) method and device applied to DVPN (dynamic virtual private network)
JP2017028393A (en) * 2015-07-17 2017-02-02 Necエンジニアリング株式会社 Communication system, communication device, and vpn construction method
CN108512755A (en) * 2017-02-24 2018-09-07 华为技术有限公司 A kind of learning method and device of routing information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
COME BETTER: "HCIE笔记-第十天", 《CSDN博客HTTPS://BLOG.CSDN.NET/QQ_45782298/ARTICLE/DETAILS/107643533》, pages 1 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination