CN117879996A - Data transmission method and device based on IPSEC VPN - Google Patents


Info

Publication number: CN117879996A
Authority: CN (China)
Prior art keywords: ipsec, message, hash, identification, data transmission
Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202311651141.5A
Other languages: Chinese (zh)
Inventor: 陈建虎
Current assignee: Yusur Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Yusur Technology Co ltd
Priority claimed from: CN202311651141.5A

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention provides an IPsec VPN based data transmission method and device for the IPsec NAT-traversal encryption scenario (ESP carried in UDP). The sending gateway derives an identifier (ID) for each plaintext message in the IPsec-protected subnet from the message's five-tuple, so that all messages of one connection share an ID, and carries the ID in the source port of the UDP encapsulation header. Encrypted messages belonging to different connections therefore have different outer five-tuples, and the receiving end can hash the outer five-tuple uniformly to assign each message to a CPU core. This balances load across cores and, because every message of a connection lands on the same core, reduces the CPU cache miss rate.

Description

Data transmission method and device based on IPSEC VPN
Technical Field
The present invention relates to the field of data communications technologies, and in particular, to a data transmission method and apparatus based on an IPSEC VPN.
Background
An IPsec VPN is an implementation of a virtual private network (VPN): a private network built over a public network whose traffic is carried over encrypted channels. An IPsec VPN security gateway provides core security services such as encrypted transmission and identity authentication to various business systems with high-performance, multi-task parallel processing; it implements LAN interconnection, remote access and encrypted communication, ensures the confidentiality, integrity and validity of the transmitted information, and provides a sound key management mechanism.
However, traditional VPN devices are often limited by the Linux kernel forwarding mechanism and find it hard to reach high performance. Linux distributes received packets to CPU cores by hashing the source and destination addresses and the source and destination port numbers (receive-side scaling in the NIC, or RPS in software). For highly concurrent network applications this balances CPU load well, but in an IPsec VPN the source and destination addresses at the two ends of the tunnel are the same for every encrypted message, and ESP itself carries no port fields, so reusing the addresses and ports for CPU distribution produces a serious imbalance and limits the overall forwarding performance of the IPsec VPN.
Chinese patent application CN202210843953.9 provides a high-performance IPsec VPN CPU load balancing method, and CN202010449924.5 provides a method for extending single-tunnel IPsec VPN software encryption and decryption performance. Both schemes improve IPsec encryption and decryption throughput and overall IPsec VPN performance, but they share a drawback: messages of the same connection are distributed to different CPU cores, which can cause frequent CPU cache misses and degrade performance.
Thus, a new data packet forwarding scheme for IPSec VPNs is needed.
Disclosure of Invention
In view of this, embodiments of the invention provide an IPsec VPN based data transmission method and device that eliminate or mitigate one or more defects of the prior art, specifically the unbalanced CPU load and high CPU cache miss rate in the IPsec NAT-traversal encryption scenario.
One aspect of the invention provides an IPsec VPN based data transmission method including the following steps:
an IPsec module receives a plaintext message, matches an identifier (ID) to the plaintext message according to the five-tuple in the plaintext message, adds a UDP header with the ID as the UDP source port, performs IPsec ESP encryption and encapsulation, adds a new IP header to obtain the encrypted message, and sends the encrypted message to the receiving-end device along the route looked up for the new IP header, using IPsec NAT traversal;
the network card of the receiving-end device receives the encrypted message and reads the ID from the UDP header of the encrypted message; the network card function is offloaded to and runs on a data processing unit (DPU);
the network card queries a locally stored fast hash cache queue; if the ID is not found, it computes a hash value from the five-tuple of the encrypted message, matches a CPU core to the encrypted message according to the hash value, and records the ID and its CPU core in the fast hash cache queue; if the ID is found, it directly obtains the CPU core recorded for the ID;
the network card forwards the encrypted message to the CPU core corresponding to the ID, where the encrypted message is decrypted and decapsulated according to the IPsec ESP protocol to recover the plaintext message, which is then re-routed to the target host.
In some embodiments, matching the ID to the plaintext message according to its five-tuple includes:
querying a preset session list by the five-tuple and, if an ID matched to that five-tuple exists, using it directly; otherwise computing the ID by hashing the source and destination IP addresses, source and destination ports and protocol recorded in the plaintext message, and recording the ID in the session list.
In some embodiments, each entry in the fast hash cache queue records the ID of the plaintext message, the CPU core corresponding to the ID, an aging time and a valid flag.
In some embodiments, the method further includes:
refreshing the aging time of the matching entry in the fast hash cache queue each time the network card receives an encrypted message, and, when an entry's aging time expires, invalidating and deleting the entry and reusing the released space.
In some embodiments, after the IPsec module receives the plaintext message, the method further includes:
matching a security policy to the plaintext message and performing the IPsec ESP encryption and encapsulation according to that policy, the policy including the encryption algorithm, authentication method and configuration parameters.
In some embodiments, computing a hash value from the five-tuple and matching a CPU core to the encrypted message according to the hash value includes:
computing the hash value over the five-tuple with a preset hash function;
querying a configured hash table that records the available CPU cores and the one or more hash value ranges corresponding to each core;
and looking up the hash value in the hash table to match the CPU core whose hash value range contains it.
In some embodiments, the predetermined hash function is an MD5 or SHA-1 algorithm.
In some embodiments, the method further includes:
establishing a data forwarding log that records and monitors the forwarding result of the plaintext message.
In another aspect, the invention further provides an IPsec VPN based data transmission device including a processor and a memory, the memory storing computer instructions and the processor being configured to execute them; when the instructions are executed by the processor, the device implements the steps of the method.
In another aspect, the invention also provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of the method described above.
The invention has the following advantages:
In the IPsec VPN based data transmission method and device, in the IPsec NAT-traversal encryption scenario, an ID is derived for each message in the IPsec-protected subnet from its five-tuple and carried in the source port of the UDP encapsulation. Plaintext messages of different connections therefore produce encrypted messages with different outer five-tuples, so the receiving end can hash the outer five-tuple uniformly and assign each message to a CPU core, achieving load balance while keeping every connection on one core and so reducing the CPU cache miss rate.
Furthermore, the mapping between the ID in the encrypted message and the matched CPU core is stored in the fast hash cache queue and searched first, which reduces the number of hash computations and improves message hashing efficiency.
Furthermore, the session list stores the mapping between the five-tuple of the plaintext message and its ID and is searched first, which likewise reduces the number of hash computations and improves data transmission efficiency.
Additional advantages, objects, and features of the invention will be set forth in part in the description which follows and in part will become apparent to those having ordinary skill in the art upon examination of the following or may be learned from practice of the invention. The objectives and other advantages of the invention may be realized and attained by the structure particularly pointed out in the written description and drawings.
It will be appreciated by those skilled in the art that the objects and advantages that can be achieved with the present invention are not limited to the above-described specific ones, and that the above and other objects that can be achieved with the present invention will be more clearly understood from the following detailed description.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate and together with the description serve to explain the invention. In the drawings:
fig. 1 is a flow chart of a data transmission method based on IPSEC VPN according to an embodiment of the present invention.
Fig. 2 is a flowchart of plaintext message processing in a data transmission method based on an IPSEC VPN according to an embodiment of the present invention.
Fig. 3 is a schematic diagram of a data structure based on IPSEC ESP encryption in a data transmission method based on IPSEC VPN according to an embodiment of the present invention.
Fig. 4 is a flowchart of ciphertext message processing in an IPSEC VPN based data transmission method according to an embodiment of the present invention.
Detailed Description
The present invention will be described in further detail with reference to the following embodiments and the accompanying drawings, in order to make the objects, technical solutions and advantages of the present invention more apparent. The exemplary embodiments of the present invention and the descriptions thereof are used herein to explain the present invention, but are not intended to limit the invention.
It should be noted here that, in order to avoid obscuring the present invention due to unnecessary details, only structures and/or processing steps closely related to the solution according to the present invention are shown in the drawings, while other details not greatly related to the present invention are omitted.
It should be emphasized that the term "comprises/comprising" when used herein is taken to specify the presence of stated features, elements, steps or components, but does not preclude the presence or addition of one or more other features, elements, steps or components.
It is also noted herein that the term "coupled" may refer to not only a direct connection, but also an indirect connection in which an intermediate is present, unless otherwise specified.
Hereinafter, embodiments of the present invention will be described with reference to the accompanying drawings. In the drawings, the same reference numerals represent the same or similar components, or the same or similar steps.
An IPsec VPN is a secure virtual private network implemented at the IP layer on top of the IPsec protocol suite, which is not one particular protocol but an open suite of protocols. It provides a secure communication channel between two private networks across a public network, secures the connection with an encrypted tunnel between two public gateways, and specifies a series of protocol standards covering modes of operation and security services. This description distinguishes three modes in which a VPN gateway can operate:
Tunnel mode: the VPN gateway is configured to establish a virtual private network over the public network. It forwards packets from one network to the other and encrypts and decrypts them in transit, so secure transmission is obtained without changing the existing network topology.
Forwarding mode: the VPN gateway acts as a router that forwards packets from one public network to another. This suits two networks that exchange data frequently, as within an enterprise intranet.
Network mode: the VPN gateway is configured as a generic router that establishes no virtual network. All packets are delivered directly to the destination address with no encryption or decryption; this is used where protection is not required.
Note that IPsec itself, as standardized in RFC 4301, defines only two modes, tunnel mode and transport mode. The "forwarding" and "network" modes above describe gateway roles in which IPsec is not applied rather than IPsec modes, and only tunnel mode, in which a new outer IP header is added, is relevant to the method described here.
During IPsec message processing, messages of different connections can have the same five-tuple after IPsec encryption. On a system that hashes the message five-tuple and distributes messages to CPU cores accordingly, all encrypted messages are then processed by the same CPU core, and on a multi-core system the available performance is not fully used.
Round-robin CPU scheduling, or moving messages across cores according to real-time CPU utilization, raises IPsec processing speed to some extent, but it also introduces problems such as a high CPU cache miss rate, which sharply reduces performance.
To address these problems, the invention provides a single-tunnel IPsec VPN performance improvement scheme: a unique ID is generated for each plaintext message (shared by all messages of one connection), the ID is carried as the source port of the UDP protocol, and the IPsec-encapsulated message is sent to the receiving device. The receiving device hashes the five-tuple, distributes the message to the corresponding CPU core for processing, and adds the resulting ID-to-core mapping to the fast hash cache table.
It should be noted in advance that this embodiment is implemented for the IPsec NAT-traversal scenario, in which IPsec-encrypted packets must pass through a network address translation (NAT) device. ESP carries no port numbers, so a NAT that translates ports cannot map ESP packets; IPsec NAT traversal (RFC 3948) therefore encapsulates each ESP packet in a UDP datagram, normally on port 4500, so that the NAT can translate it like any other UDP traffic. UDP is a datagram-oriented transport protocol with no connection state or acknowledgements, which makes it a suitable carrier here: the combination of UDP and IPsec overcomes the effect of NAT on encrypted communication and lets the data pass through the network securely and correctly.
In the existing implementation, the original packet is encrypted by IPsec into an ESP packet; to cross NAT devices correctly, the ESP packet is encapsulated in a UDP datagram; the NAT device rewrites the source IP address and port number of the datagram to suit its network; after the datagram reaches the target gateway, the UDP encapsulation is removed to recover the ESP packet; finally the receiver decrypts the ESP packet with the corresponding key to recover the original packet. In this process every message encrypted by IPsec has the same outer five-tuple, so all subsequent messages are matched to the same CPU core, effective load balancing cannot be achieved and overall performance cannot be improved. One consequence for the method described here is that a NAT which rewrites the UDP source port replaces the sender's ID with the translated port: the receiving gateway still sees one stable, distinct port per inner flow only if the NAT allocates a separate mapping for each source port, and the NAT's mapping table then grows by one entry per inner flow rather than one per tunnel.
Specifically, the invention provides an IPsec VPN based data transmission method which, as shown in fig. 1, includes the following steps S101 to S104:
Step S101: the IPsec module receives the plaintext message, matches the ID to the plaintext message according to its five-tuple, adds a UDP header with the ID as the UDP source port, performs IPsec ESP encryption and encapsulation, adds a new IP header to obtain the encrypted message, and sends the encrypted message to the receiving-end device along the route looked up for the new IP header, using IPsec NAT traversal.
Step S102: the network card of the receiving-end device receives the encrypted message and reads the ID from its UDP header; the network card function is offloaded to and runs on the data processing unit (DPU).
Step S103: the network card queries the locally stored fast hash cache queue; if the ID is not found, it computes a hash value from the outer five-tuple, matches a CPU core to the encrypted message according to the hash value, and records the ID and its CPU core in the fast hash cache queue; if the ID is found, it directly obtains the CPU core recorded for the ID.
Step S104: the network card forwards the encrypted message to the CPU core corresponding to the ID, where the encrypted message is decrypted and decapsulated according to the IPsec ESP protocol to obtain the plaintext message, which is re-routed to the target host.
In step S101 the plaintext message includes the original IP header, the communication protocol and the payload, from which the five-tuple is obtained: source IP address, destination IP address, source port number, destination port number and transport protocol. In this embodiment the ID is assigned to the message on the basis of its five-tuple, forming a correspondence between them. The ID therefore identifies a forwarding relationship (a flow), and the mapping from ID to CPU core is built on top of that relationship, so that load is balanced without splitting one flow across cores.
In some embodiments, matching the ID to the plaintext message according to its five-tuple includes: querying the preset session list by the five-tuple and, if an ID matched to that five-tuple exists, using it directly; otherwise hashing the source and destination IP addresses, source and destination ports and protocol recorded in the plaintext message to obtain the ID, and recording the ID in the session list.
In this embodiment the relationship between the five-tuple and the ID is stored in the session list. When a new plaintext message is forwarded, the session list is first checked for an ID corresponding to its five-tuple; if none exists, the forwarding relationship is being seen for the first time and the ID is computed by hashing and recorded. If the five-tuple already exists in the session list, the recorded ID is used directly without recomputation, which reduces the number of hash computations.
In some embodiments, after the IPsec module receives the plaintext message, the method further includes: first matching a security policy to the plaintext message and performing the IPsec ESP encryption and encapsulation according to that policy, the policy including the encryption algorithm, authentication method and configuration parameters. The security policy must be agreed between the sending end and the receiving end; an existing agreement (in standard IPsec, the parameters negotiated by IKE) can be used in a concrete implementation, or a new policy can be adjusted or established to fit the requirements and scenarios of the application.
Specifically, in the IPsec module, as shown in fig. 2, the plaintext processing flow is:
When the IPsec module receives a plaintext message it matches the message against the IPsec policy. For a message that hits the policy it first tries to obtain the message ID from the session list using the message's five-tuple; if no ID is found the message is taken to be the first of its flow, and the ID is computed from the five-tuple and stored in the session list. The module then performs IPsec ESP encryption and encapsulation of the message, adds a UDP header to the encapsulated IPsec message with the UDP source port replaced by the message's unique ID, adds a new IP header according to the IPsec policy, re-routes the message and sends it to the peer device. The resulting data layout is shown in fig. 3.
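The plaintext flow above, written out as an added example that is not code from the patent or from Yusur: a session table that assigns a 16-bit flow ID per five-tuple and hashes only on the first message of a flow, followed by the UDP encapsulation that places the ID in the source port. It assumes IPv4 inner packets, SHA-1 truncated to 16 bits as the ID function (the patent names MD5 or SHA-1 but does not fix the width), port 4500 from RFC 3948 as the UDP destination port, and takes the already-encrypted ESP body as an argument, since ESP encryption itself is standard and not what the patent changes.

```python
"""Sender side: flow ID from the plaintext five-tuple, carried in the UDP source port.

Added example, not code from the patent. Assumptions: IPv4 inner packets,
SHA-1 truncated to 16 bits for the ID, RFC 3948 destination port 4500, and an
ESP body that has already been produced by the normal ESP encryption step.
"""
import hashlib
import socket
import struct
from typing import Dict, NamedTuple

NAT_T_PORT = 4500  # RFC 3948 UDP-encapsulated ESP


class FiveTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int  # IP protocol number: 6 TCP, 17 UDP


def five_tuple_of(inner: bytes) -> FiveTuple:
    """Extract the plaintext five-tuple from an IPv4 packet (ports only for TCP/UDP)."""
    if len(inner) < 20 or inner[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (inner[0] & 0x0F) * 4
    proto = inner[9]
    sport = dport = 0
    if proto in (6, 17) and len(inner) >= ihl + 4:
        sport, dport = struct.unpack("!HH", inner[ihl:ihl + 4])
    return FiveTuple(socket.inet_ntoa(inner[12:16]), socket.inet_ntoa(inner[16:20]),
                     sport, dport, proto)


def derive_flow_id(ft: FiveTuple) -> int:
    """16-bit ID so it fits the UDP source port; 0 is avoided because it means 'no port'."""
    data = (socket.inet_aton(ft.src_ip) + socket.inet_aton(ft.dst_ip)
            + struct.pack("!HHB", ft.src_port, ft.dst_port, ft.proto))
    fid = int.from_bytes(hashlib.sha1(data).digest()[:2], "big")
    return fid or 1


class SessionTable:
    """The patent's session list: five-tuple -> ID, so the hash runs once per flow."""

    def __init__(self) -> None:
        self._ids: Dict[FiveTuple, int] = {}
        self.hash_calls = 0  # counts derive_flow_id invocations, for the reader

    def flow_id(self, ft: FiveTuple) -> int:
        fid = self._ids.get(ft)
        if fid is None:            # first message of the flow: compute and record
            self.hash_calls += 1
            fid = derive_flow_id(ft)
            self._ids[ft] = fid
        return fid


def encapsulate(sessions: SessionTable, inner: bytes, esp_body: bytes) -> bytes:
    """Return UDP header + ESP body; the new outer IP header is added by routing.

    The UDP checksum is sent as zero, which IPv4 permits and RFC 3948 recommends.
    """
    fid = sessions.flow_id(five_tuple_of(inner))
    return struct.pack("!HHHH", fid, NAT_T_PORT, 8 + len(esp_body), 0) + esp_body


def udp_source_port(udp_esp: bytes) -> int:
    """Read back the ID the receiver will see."""
    return struct.unpack("!H", udp_esp[:2])[0]
```

Two points a practitioner should keep in mind. RFC 3948 requires UDP-encapsulated ESP to use the same source and destination ports as the IKE exchange, so a peer that follows the RFC strictly will not accept a varying source port; both gateways must implement this scheme. The ID is also visible on the wire: an observer can count the distinct inner flows in the tunnel and group outer packets by inner flow, information that plain ESP (one outer five-tuple per tunnel) does not reveal. Two flows whose SHA-1 prefixes collide in 16 bits simply share an ID and therefore a core, which costs balance but not correctness.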
In step S102 the network card of the receiving end is offloaded to a data processing unit (DPU). The DPU is a concept built around the data center: it is used in large-scale computing scenarios such as data centers rather than in personal desktops, notebooks or phones. A DPU is a special-purpose processor built around data; it follows a software-defined technology route, supports virtualization of infrastructure-layer resources, and supports infrastructure-layer services such as storage, security and quality-of-service management. The core problem a DPU solves is reducing infrastructure cost and raising efficiency: workloads that the CPU handles inefficiently and the GPU cannot handle are offloaded to the dedicated DPU, which improves the efficiency of the whole computing system and reduces its overall cost.
In steps S103 and S104, for a received encrypted message the ID recorded in the UDP header is read first and the fast hash cache queue is queried by that ID. If the ID is not in the queue, the hash is computed over the outer five-tuple and the message is matched to a CPU core. If the ID is in the queue, the recorded CPU core is used directly and the hash computation is skipped.
In some embodiments, in step S103, computing a hash value from the five-tuple and matching a CPU core to the encrypted message according to the hash value includes steps S1031 to S1033:
Step S1031: computing the hash value over the five-tuple with the preset hash function.
Step S1032: querying the configured hash table, which records the available CPU cores and the one or more hash value ranges corresponding to each core.
Step S1033: looking up the hash value in the hash table and matching the CPU core whose hash value range contains it.
In some embodiments, the preset hash function is MD5 or SHA-1. For spreading packets across cores the known cryptographic weaknesses of MD5 and SHA-1 do not matter; what matters is that the hash is unkeyed. A sender who chooses the UDP source port (the ID) can compute in advance which core each outer five-tuple maps to and direct a flood at one core, and this dispatch happens before the ESP integrity check can reject the packets. NIC receive-side scaling uses a Toeplitz hash with a secret key for this reason, and a keyed hash, or a per-device secret mixed into the MD5 or SHA-1 input, is the practitioner's choice here as well.
Specifically, the flow may include:
1. Selecting a hash function: the system selects a suitable hash function for the message five-tuple. The hash function computes over the five-tuple and yields a hash value in a specific range.
2. Hash table configuration: the system maintains a hash table listing the available CPU cores and their identifiers. Each core is associated with one or more hash value ranges.
3. Hash computation: for each received message, the system hashes its five-tuple with the selected hash function to obtain a hash value.
4. Hash value mapping: the system looks the hash value up in the hash table to determine which core is assigned to process the message. Typically the hash table uses range allocation, mapping a range of hash values to one core.
5. Message distribution: once the target core is determined, the system delivers the message to that CPU core for processing. This can be done by hardware or software mechanisms, such as network interface card (NIC) queues or operating system task scheduling.
6. Parallel processing: the CPU cores process their assigned messages in parallel, making full use of the multi-core processor and improving system throughput and response time.
In some embodiments, each entry in the fast hash cache queue records the ID of the plaintext message, the CPU core corresponding to the ID, an aging time and a valid flag.
In some embodiments, the method further includes: refreshing the aging time of the matching entry in the fast hash cache queue each time the network card receives an encrypted message, and, when an entry's aging time expires, invalidating and deleting the entry and releasing its space for reuse.
Specifically, in the receiving network card, as shown in fig. 4, the ciphertext processing flow is:
When the DPU network card receives ciphertext it first confirms whether the message is an IPsec NAT-traversal encrypted message. If so, it reads the source port of the UDP header, which is the ID, and searches the fast hash cache queue for the CPU core corresponding to that ID. If an entry is found, the message is sent to the network card queue of that core and the aging time of the entry is refreshed. If no entry is found, the hash value is computed from the outer five-tuple to determine the CPU core to assign, the result together with the ID, aging time and so on is cached in the fast hash cache queue, and the message is then sent to that core's network card queue and handed to the corresponding process. After receiving the message, the IPsec module decrypts and decapsulates it, re-routes the recovered plaintext and sends it to the target host.
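The ciphertext flow above, steps S1031 to S1033 and the aging fast hash cache, as one added example that is not code from the patent or from Yusur. It assumes IPv4 outer headers; RFC 3948 framing, where the destination port is 4500 and a non-zero first word distinguishes ESP (whose SPI is never zero) from IKE's four-byte zero non-ESP marker and from the one-byte keepalive; a keyed BLAKE2b hash in place of the patent's MD5 or SHA-1, so that a sender who picks the source port cannot predict its core; a caller-supplied clock so aging is deterministic; and a constructed packet builder, `build_outer`, that exists only to make sample input.

```python
"""Receiver side: dispatch UDP-encapsulated ESP to a core by the flow ID in the source port.

Added example, not code from the patent. Assumptions: IPv4 outer headers, RFC 3948
framing on destination port 4500, keyed BLAKE2b instead of MD5/SHA-1, and a clock
passed in by the caller for the aging time.
"""
import hashlib
import socket
import struct
from typing import Dict, List, NamedTuple, Optional, Tuple

NAT_T_PORT = 4500


class OuterTuple(NamedTuple):
    src_ip: str
    dst_ip: str
    src_port: int  # carries the sender-assigned flow ID
    dst_port: int
    proto: int


def parse_nat_t(packet: bytes) -> Optional[Tuple[OuterTuple, int]]:
    """Return (outer five-tuple, flow ID) for UDP-encapsulated ESP, else None.

    IKE on 4500 starts with a zero non-ESP marker and a NAT keepalive is one 0xFF
    byte; ESP always starts with a non-zero SPI, so those cases are left to the
    normal path and never touch the flow-ID cache.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4 or packet[9] != 17:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if len(packet) < ihl + 16:        # UDP header plus the 8-byte ESP header minimum
        return None
    src_port, dst_port = struct.unpack("!HH", packet[ihl:ihl + 4])
    esp = packet[ihl + 8:]
    if dst_port != NAT_T_PORT or esp[:4] == b"\x00\x00\x00\x00":
        return None
    outer = OuterTuple(socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20]),
                       src_port, dst_port, 17)
    return outer, src_port


class CoreRangeTable:
    """Steps S1031 to S1033: keyed hash of the outer five-tuple, ranges mapped to cores."""

    def __init__(self, cores: List[int], key: bytes) -> None:
        self.key = key
        n = len(cores)
        self.ranges = [((i * 65536) // n, ((i + 1) * 65536) // n, core)
                       for i, core in enumerate(cores)]

    def hash16(self, t: OuterTuple) -> int:
        data = (socket.inet_aton(t.src_ip) + socket.inet_aton(t.dst_ip)
                + struct.pack("!HHB", t.src_port, t.dst_port, t.proto))
        digest = hashlib.blake2b(data, key=self.key, digest_size=2).digest()
        return int.from_bytes(digest, "big")

    def core_for(self, t: OuterTuple) -> int:
        h = self.hash16(t)
        for lo, hi, core in self.ranges:
            if lo <= h < hi:
                return core
        raise RuntimeError("hash ranges do not cover the 16-bit space")


class FastHashCache:
    """Flow ID -> [core, expiry, valid]; a hit refreshes the aging time (fig. 4)."""

    def __init__(self, ttl: float) -> None:
        self.ttl = ttl
        self._entries: Dict[int, list] = {}

    def lookup(self, fid: int, now: float) -> Optional[int]:
        entry = self._entries.get(fid)
        if entry is None or not entry[2] or entry[1] <= now:
            self._entries.pop(fid, None)  # expired: invalidate and free the slot
            return None
        entry[1] = now + self.ttl
        return entry[0]

    def insert(self, fid: int, core: int, now: float) -> None:
        self._entries[fid] = [core, now + self.ttl, True]


class Dispatcher:
    """Steps S103 and S104 on the DPU network card: recompute the hash only on a miss."""

    def __init__(self, cores: List[int], key: bytes, ttl: float) -> None:
        self.table = CoreRangeTable(cores, key)
        self.cache = FastHashCache(ttl)
        self.hash_computations = 0

    def dispatch(self, packet: bytes, now: float) -> Optional[int]:
        parsed = parse_nat_t(packet)
        if parsed is None:
            return None  # IKE, keepalive or other traffic: not dispatched by flow ID
        outer, fid = parsed
        core = self.cache.lookup(fid, now)
        if core is None:
            self.hash_computations += 1
            core = self.table.core_for(outer)
            self.cache.insert(fid, core, now)
        return core


def build_outer(src_ip: str, dst_ip: str, src_port: int, esp: bytes) -> bytes:
    """Constructed outer IPv4 + UDP framing around an ESP body (sample input only)."""
    udp = struct.pack("!HHHH", src_port, NAT_T_PORT, 8 + len(esp), 0) + esp
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + udp
```

Because the cache is keyed by the source port alone, an entry is trusted before the ESP integrity check runs; a spoofed packet carrying a victim's ID can only pin that ID to whatever core the keyed hash selects, which is the same core the genuine flow would get, so the key removes the attacker's ability to choose the core but not the ability to occupy the cache slot. Sizing the cache and its aging time against the number of reachable source ports (at most 65536 per peer address) keeps that bounded.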
In some embodiments, the method further includes: establishing a data forwarding log that records and monitors the forwarding result of the plaintext message.
In another aspect, the invention further provides an IPsec VPN based data transmission device including a processor and a memory, the memory storing computer instructions and the processor being configured to execute them; when the instructions are executed by the processor, the device implements the steps of the method.
Embodiments of the present invention also provide a computer device that may include a processor, a memory, wherein the processor and the memory may be connected by a bus or other means.
The processor may be a central processing unit (Central Processing Unit, CPU). The processor may also be any other general purpose processor, digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field-Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof.
The memory, as a non-transitory computer-readable storage medium, can store non-transitory software programs, non-transitory computer-executable programs and modules, such as the program instructions/modules corresponding to the IPsec VPN based data transmission method in an embodiment of the invention. The processor runs the non-transitory software programs, instructions and modules stored in the memory to execute the functional applications of the processor and perform data processing.
The memory may include a memory program area and a memory data area, wherein the memory program area may store an operating system, at least one application program required for a function; the storage data area may store data created by the processor, etc. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one magnetic disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory may optionally include memory located remotely from the processor, the remote memory being connectable to the processor through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The one or more modules are stored in the memory and, when executed by the processor, perform the methods described in the present embodiments.
The embodiments of the present invention also provide a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the steps of the edge computing server deployment method described above. The computer readable storage medium may be a tangible storage medium such as Random Access Memory (RAM), memory, Read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, a floppy disk, a hard disk, a removable memory disk, a CD-ROM, or any other form of storage medium known in the art.
In summary, in the data transmission method and device based on the IPSEC VPN, under the IPSEC NAT traversal encryption scenario, a unique ID is generated for each packet in the IPSEC protection subnet and transmitted in the source port of the UDP protocol. Plaintext packets belonging to different connections therefore carry different five-tuple information after IPSEC encryption and encapsulation, so the receiving end can hash uniformly on that five-tuple information and match each packet to a central processor core, achieving load balancing and reducing the cache miss rate of the central processor.
Furthermore, the mapping between the identification ID in the encrypted message and the matched central processing unit is established, stored in the quick hash cache queue and searched first, which reduces the number of hash calculations and improves message hashing efficiency.
Furthermore, the session linked list stores the mapping between the five-tuple information of the plaintext message and the identification ID and is searched first, which likewise reduces the number of hash calculations and improves data transmission efficiency.
By adopting the technology of the invention, message distribution speed is improved, CPU cache misses are reduced, IPSEC messages are hashed uniformly across different CPU cores for processing, the performance of multi-core equipment is fully utilized, IPSEC message processing speed is improved, and IPSEC VPN throughput performance is greatly improved.
Those of ordinary skill in the art will appreciate that the various illustrative components, systems, and methods described in connection with the embodiments disclosed herein can be implemented as hardware, software, or a combination of both. Whether a particular implementation is hardware or software depends on the specific application of the solution and its design constraints. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention. When implemented in hardware, it may be, for example, an electronic circuit, an Application Specific Integrated Circuit (ASIC), suitable firmware, a plug-in, a function card, or the like. When implemented in software, the elements of the invention are the programs or code segments used to perform the required tasks. The program or code segments may be stored in a machine readable medium or transmitted over transmission media or communication links by a data signal carried in a carrier wave.
It should be understood that the invention is not limited to the particular arrangements and instrumentality described above and shown in the drawings. For the sake of brevity, a detailed description of known methods is omitted here. In the above embodiments, several specific steps are described and shown as examples. However, the method processes of the present invention are not limited to the specific steps described and shown, and those skilled in the art can make various changes, modifications and additions, or change the order between steps, after appreciating the spirit of the present invention.
In this disclosure, features that are described and/or illustrated with respect to one embodiment may be used in the same way or in a similar way in one or more other embodiments and/or in combination with or instead of the features of the other embodiments.
The above description is only of the preferred embodiments of the present invention and is not intended to limit the present invention, and various modifications and variations can be made to the embodiments of the present invention by those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. A data transmission method based on IPSEC VPN, the method comprising the steps of:
receiving a plaintext message by an IPSEC module, matching a corresponding identification ID to the plaintext message according to the quintuple information in the plaintext message, adding a UDP (User Datagram Protocol) header with the identification ID as the UDP source port, executing encryption encapsulation of the IPSEC protocol, adding a new IP (Internet Protocol) header to obtain an encrypted message, and transmitting the encrypted message to the receiving end equipment along a path looked up by the new IP header, based on IPSEC NAT traversal;
the network card of the receiving end equipment receives the encrypted message and acquires the identification ID from the UDP header of the encrypted message; the network card is offloaded to run on a data processing unit;
querying a quick hash cache queue stored locally by the network card; if the identification ID is not found, calculating a hash value according to the five-tuple information, matching a central processing unit core to the encrypted message according to the hash value, and recording the identification ID and its corresponding central processing unit core in the quick hash cache queue; if the identification ID is found, directly acquiring the central processing unit core corresponding to the identification ID;
and forwarding the encrypted message by the network card according to the central processing unit core corresponding to the identification ID, decrypting and decapsulating the encrypted message based on the IPSEC ESP protocol to obtain the plaintext message, and rerouting the plaintext message to the target host.
2. The IPSEC VPN-based data transmission method according to claim 1, wherein matching the corresponding ID to the plaintext message according to the quintuple information group in the plaintext message includes:
querying a preset session linked list according to the quintuple information; if an identification ID matching the quintuple information exists, acquiring it directly; if not, performing a hash calculation over the source and destination IP addresses, source and destination ports and communication protocol recorded in the plaintext message to obtain the identification ID, and recording the identification ID in the session linked list.
3. The IPSEC VPN-based data transmission method according to claim 1, wherein the recorded content of each data sequence in the quick hash cache queue includes the identification ID of the plaintext message, the central processor core corresponding to the identification ID, an aging time, and a valid flag.
4. A data transmission method based on IPSEC VPN according to claim 3, characterized in that the method further comprises:
updating the aging time of each data sequence in the quick hash cache queue every time the network card receives an encrypted message, and, when the aging time of a data sequence expires, invalidating and deleting that data sequence and reusing the released space.
5. The IPSEC VPN-based data transmission method according to claim 1, further comprising, after receiving the plaintext message by the IPSEC module:
and matching a security policy for the plaintext message to execute the encryption packaging of the IPSEC ESP protocol based on the security policy, wherein the security policy comprises an encryption algorithm, an authentication method and configuration parameters.
6. The IPSEC VPN-based data transmission method according to claim 1, wherein calculating a hash value according to the five-tuple information and matching the encrypted message with a central processor core according to the hash value comprises:
calculating the five-tuple information based on a preset hash function to obtain the hash value;
querying a configured hash table, wherein the hash table records available central processing unit cores and one or more hash value ranges corresponding to the available central processing unit cores;
and querying the hash table according to the hash value, matching the encrypted message to the central processing unit core whose hash value range contains the hash value.
7. The IPSEC VPN-based data transmission method according to claim 6, wherein the preset hash function is an MD5 or SHA-1 algorithm.
8. The IPSEC VPN-based data transmission method according to claim 1, characterized in that the method further comprises:
and establishing a data forwarding log, recording the forwarding result of the plaintext message and monitoring.
9. An IPSEC VPN-based data transmission device comprising a processor and a memory, characterized in that the memory stores computer instructions, the processor is configured to execute the computer instructions stored in the memory, and the device, when the instructions are executed by the processor, realizes the steps of the method according to any of claims 1 to 8.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the program, when being executed by a processor, implements the steps of the method according to any one of claims 1 to 8.
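One way to implement the sender-side session list of claim 2 and the receiver-side quick hash cache with aging of claims 3, 4 and 6, as walked through in the description of the DPU network card above (example code added here, not the patent's own): the five-tuple encoding, the 16-bit width of the ID and the hash-value-range table are assumptions, and all addresses and ports are constructed.

```python
import hashlib

# Added example, not the patent's code. The tuple encoding, the 16-bit ID width
# and the hash-range table are assumptions; addresses and ports are constructed.
HASH_SPACE = 1 << 16

def tuple_hash(five_tuple, algo="md5"):
    """Hash a five-tuple with MD5 or SHA-1 (claim 7) into [0, HASH_SPACE)."""
    digest = hashlib.new(algo, "|".join(map(str, five_tuple)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % HASH_SPACE

class SessionList:
    """Sender side (claim 2): plaintext five-tuple -> identification ID.
    The ID travels as the UDP source port, so it is 16 bits and never 0."""
    def __init__(self):
        self.sessions = {}
    def id_for(self, plain_tuple):
        ident = self.sessions.get(plain_tuple)
        if ident is None:  # not in the session list: hash the tuple and record it
            ident = tuple_hash(plain_tuple, "sha1") or 1
            self.sessions[plain_tuple] = ident
        return ident

class FastHashCache:
    """Receiver side (claims 3, 4, 6): identification ID -> CPU core, with aging."""
    def __init__(self, core_ranges, ttl):
        self.core_ranges = core_ranges  # [(lo, hi, core)]: hash value range per core
        self.ttl = ttl
        self.entries = {}  # ID -> [core, aging deadline, valid flag]
    def core_for(self, hv):
        for lo, hi, core in self.core_ranges:
            if lo <= hv <= hi:
                return core
        raise ValueError("hash value outside every configured core range")
    def dispatch(self, outer_tuple, now):
        ident = outer_tuple[2]  # UDP source port of the NAT-T packet carries the ID
        e = self.entries.get(ident)
        if e is not None and e[2] and e[1] > now:
            e[1] = now + self.ttl  # hit: refresh the aging time
            return e[0], True
        core = self.core_for(tuple_hash(outer_tuple))  # miss: hash the outer tuple
        self.entries[ident] = [core, now + self.ttl, True]
        return core, False
    def age_out(self, now):
        """Claim 4: invalidate expired entries and release their slots for reuse."""
        expired = [k for k, e in self.entries.items() if e[1] <= now]
        for k in expired:
            del self.entries[k]
        return len(expired)
```

Because the ID is carried in a 16-bit UDP source port, two distinct plaintext flows can hash to the same ID; the cache then returns the first flow's core, so per-core balance is only as even as the ID hash.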
CN202311651141.5A 2023-12-04 2023-12-04 Data transmission method and device based on IPSEC VPN Pending CN117879996A (en)
Publications (1)

Publication Number Publication Date
CN117879996A true CN117879996A (en) 2024-04-12

Family

ID=90587284
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination