CN101043411B - Method and system for realizing mobile VPN in hybrid network - Google Patents

Abstract

The invention relates to a method and a system for realizing mobile VPN in a hybrid network. The invention is mainly applied to a hybrid network comprising an IPv4 network and an IPv6 network, wherein a mobile VPN (virtual private network) gateway is arranged, and the VPN gateway is provided with an internal interface of an IPv6 address and an external interface of an IPv4 address; firstly, a tunnel for transmitting VPN messages interacted between an external network and an IPv6 network inside the VPN is established between the VPN gateway and the external network, and addresses at two ends of the tunnel are respectively an IPv4 address of the external network and an IPv4 address of an external interface provided by the VPN gateway; then, after the VPN message to be transmitted is encapsulated with the IPv4 header, the VPN message is transmitted through the tunnel, and the interaction of VPN services is implemented in the hybrid network. Therefore, the invention well realizes the development of the mobile VPN service in the IPv4 and IPv6 hybrid network by utilizing the IPv6 in IPv4 tunnel technology, so that the mobile VPN service can still be realized through the hybrid network in the process of the evolution from the IPv4 network to the IPv 6.

Description

Method and system for implementing mobile VPN in hybrid network

technical field

The invention relates to the technical field of network communication, in particular to a technology for realizing mobile VPN.

Background technique

Mobile VPN (Virtual Private Network) is a new VPN solution combining traditional VPN and mobile technology. The MN (Mobile Node) inside the VPN supports communication with the VPN internal nodes by establishing a tunnel with the VPN gateway on the external network. IPsec VPN (IP Network Security Protocol VPN) adopts IPsec (IP Network Security Protocol) as the security guarantee of tunnel technology to realize VPN, so as to provide good security for the communication nodes at both ends of the tunnel in the IP network, thereby ensuring the security of VPN services sex. IPsec VPN combined with standard mobile IPv4 protocol provides the basic framework of mobile VPN.

In a pure IPv4 network environment, when a typical IPsec VPN is combined with MIPv4 (Mobile IPv4), there will be the following two main problems:

(1) When the mobile node moves outside the VPN, if the care-of address is obtained through the FA (foreign agent) of the external network, the foreign agent is configured by the administrator of other networks and usually does not support IPSec, which will cause the mobile node to fail Register with the i-HA (internal home agent) located in the VPN;

(2) If the mobile node obtains the configured care-of address in the external network, although it can establish an IPSec tunnel with the VPN gateway to complete the registration with the home agent inside the VPN, but every time the mobile node changes the configured care-of address, it must re-negotiate with the VPN gateway to establish IPSec Tunnels increase the delay of network switching and reduce the mobility of nodes when nodes move frequently.

A solution currently provided for the above problems is: in an IPv4 environment, set x-HA (external home agent) outside the VPN gateway, the mobile node first registers with the external home agent, and then establishes The IPsec tunnel realizes registration with the home agent inside the VPN, thereby solving the two problems mentioned above.

The corresponding network structure is shown in Figure 1. x-HA represents the home agent set up in the external network. In the Internet (Internet), there is an external network (External Net) that supports mobile IPv4; at the same time, there is also a support network in the VPN. Mobile IPv4 home network (Home Net) and foreign network (Foreign Net).

When the mobile node moves to the external network, after obtaining the care-of address, it first registers with the external home agent and obtains x-HoA (external home address). Then use the external home address to negotiate with the VPN gateway through IKE (Internet Key Exchange) to establish an IPsec tunnel, and register with the VPN internal home agent through the IPsec tunnel. After that, the mobile node can communicate with the VPN internal network nodes.

Taking the mobile node located in an external network configured with x-FA (foreign agent) as an example, the registration process of the mobile node and the encapsulation method of the data packet will be described below.

After the mobile node enters the external network configured with the external home agent, it obtains the foreign agent care-of address; at the same time, the mobile node also needs to send a standard mobile IPv4 registration request to the external home agent and the internal home agent;

Since the mobile node is located in the external network, it can only receive the registration response from the external home agent. According to the response message, the mobile node obtains the x-HoA assigned by the external home agent and serves as the care-of address of the mobile node in the external network. ;

The mobile node uses the obtained x-HoA as the endpoint address of the IKE negotiation and IPsec tunnel, and establishes a tunnel with the VPN gateway;

In the process of negotiating with the VPN gateway, the VPN gateway assigns a VPN-TIA (VPN tunnel internal address) to the mobile node; the mobile node uses the VPN-TIA as the care-of address registered with the internal home agent, and encapsulates it in the IPsec tunnel to the internal home agent. register;

After the registration is completed, the mobile node can communicate with the communication node inside the VPN. The communication data packets are encapsulated three times, and the specific encapsulation results are shown in Figure 2. The outermost x-MIP represents the mobile IPv4 encapsulation from the mobile node to the external home agent, and the middle layer is from x-HA to the VPN gateway. IPsec encapsulation, the innermost layer i-MIP is mobile IPv4 encapsulation inside the VPN. It can be seen from Figure 2 that the mobile node can complete the registration with the home agent inside the VPN in the external network where the foreign agent is configured. When the care-of address of the mobile node changes, it will not affect the maintenance of the IPsec tunnel. Therefore, this implementation effectively solves the two problems mentioned.

However, due to the introduction of the external home agent in the above implementation scheme, the VPN network structure is more complex and the maintenance cost is increased; at the same time, the introduction of the external home agent also brings some new problems, such as the location selection of the external home agent, and the external Home agent trust issues, etc.

At present, another solution to the above two problems is provided as follows: in an IPv4 environment, use IPsec that supports the MOBIKE (IKEv2 Mobility and Multi-Interface Protocol) protocol as the tunneling technology between the mobile node and the VPN gateway. Two questions.

The MOBIKE is an extended protocol based on IKEv2, which effectively supports the mobility of both ends of the IPsec tunnel communication. When the mobile node starts to negotiate with the VPN gateway to establish an IPsec tunnel, IKE SA and IPsec SAs will be generated successively. The MOBIKE protocol allows nodes at both ends of the tunnel to update their IP addresses while maintaining IKE SA and IPsec SAs. That is to say, after the addresses of nodes at both ends of the tunnel change, they can still maintain the original IPsec tunnel for communication without renegotiation.

The network structure based on MOBIKE is shown in Figure 3. There is an external network (External Net) supporting mobile IPv4 in the Internet; at the same time, there are also a home network (Home Net) and a foreign network (Home Net) supporting mobile IPv4 in the VPN internal network. Foreign Net).

When the mobile node is located in the foreign network inside the VPN, it uses standard mobile IPv4 to communicate with the home agent and the communication node inside the VPN. When the mobile node leaves the VPN internal network and enters an external network, it needs to conduct IKE negotiation with the VPN gateway to establish an IPsec tunnel supporting MOBIKE. At the same time, inside the VPN, the mobile node and the home agent still maintain an effective mobile IPv4 binding cache, and the mobile node uses the VPN-TIA assigned to it by the VPN gateway as the configured care-of address of the VPN internal network to register with the internal home agent.

After the mobile node enters another external network from one external network due to a change of location, it obtains a new mobile IPv4 care-of address. At this moment, the mobile node starts to use the MOBIKE protocol to update the IP addresses of the IKE SA and IPsec SAs of the end point, and notify the VPN gateway to update the IP addresses of the corresponding SAs. After completing the SA address update, use the original IPsec tunnel to continue communication.

It can be seen that this solution proposes to use MOBIKE in a pure IPv4 network environment to solve the two problems mentioned above. However, since the development direction of the Internet is IPv6, and in the process of IPv6 replacing IPv4, the hybrid network of "IPv6 island" and "IPv4 ocean" will inevitably exist for a long time, therefore, it is necessary to solve the corresponding problems in the hybrid network. However, the existing technical solutions cannot solve the application problem of mobile VPN under the mixed network including IPv4 and IPv6.

Contents of the invention

The purpose of the present invention is to provide a method and system for implementing mobile VPN in a mixed network, so as to solve the application problem of mobile VPN under the corresponding IPv4 and IPv6 mixed network, so that in the existing network scene, based on the IPv6 network to carry out VPN business becomes possible.

The purpose of the present invention is achieved through the following technical solutions:

The invention provides a method for realizing mobile VPN in a hybrid network, the method is applied in a hybrid network including an IPv4 network and an IPv6 network inside a VPN, and a VPN gateway of a mobile virtual private network VPN is set in the hybrid network , the VPN gateway provides an internal interface with an IPv6 address and an external interface with an IPv4 address, the method comprising:

A. Establish a tunnel between the VPN gateway and the external network for transmitting VPN packets exchanged between the external network and the IPv6 network inside the VPN, and the addresses at both ends of the tunnel are the IPv4 address and the IPv4 address of the external network respectively The IPv4 address of the external interface provided by the VPN gateway;

B. Encapsulate the VPN message to be transmitted with an IPv4 header and transmit it through the tunnel, so as to realize the interaction of VPN services in the hybrid network.

The external network is: IPv4 external network or IPv6 external network.

Described step A comprises:

A1. After the IPsec tunnel is established between the VPN gateway and the mobile node that obtains the care-of address in the IPv6 external network, the VPN gateway and the access router in the IPv6 external network establish an IPv6inIPv4 tunnel for transmitting IPv6 messages, The tunnel encapsulates the IPv6 message in the IPv4 message, and the addresses at both ends of the tunnel are the IPv4 address of the access router of the IPv6 external network and the IPv4 address of the external interface of the VPN gateway;

or,

A2. An IPsec protocol tunnel is established between the VPN gateway and the mobile node that obtains the care-of address in the IPv4 external network.

The IPsec protocol tunnel is an IPsec tunnel supporting Internet key exchange mobility and multi-interface protocol MOBIKE.

Described step A1 comprises:

A11, the mobile node moving to the IPv6 external network initiates a DNS request according to the address information of the domain name server DNS for resolving the IPv4 address of the VPN gateway stored in the IPv6 network;

A12. After the DNS receives the DNS request, it returns a DNS response message to the mobile node, and the response message includes the IPv4 address information of the VPN gateway;

A13. The mobile node and the IPv6 network obtain the IPv4 address information of the VPN gateway.

Described step A11 comprises:

The mobile node initiates the DNS request of the VPN gateway to the DNS in the IPv6 network where it is located, and after the request reaches the DNS in the IPv6 network, it will be forwarded to the domain name server application layer gateway DNS-ALG set in the IPv6 network;

The DNS-ALG determines the DNS for resolving the IPv4 address of the VPN gateway according to the saved DNS server information, and converts the DNS request into an IPv4 DNS request and sends it to the determined DNS.

Described step A13 comprises:

After the DNS-ALG receives the returned DNS response message, it saves the IPv4 address information of the VPN gateway, and adds a prefix to the IPv4 address and converts it into an IPv6 address in IPv6 format and sends it to the mobile node, and the mobile node uses the IPv6 address as the VPN gateway. Address information.

Described step B comprises:

B1, the mobile node located in the IPv6 external network constructs the message corresponding to the IPv6 address of the VPN gateway, and sends it to the external access router of the IPv6 network;

B2, the external access router receives the IPv6 message from the mobile node, adds an IPv4 message header to the message, and what bears the weight of in the message header is the IPv4 address of the VPN gateway, and sends it to said VPN gateway;

B3. The VPN gateway parses the received message, decapsulates the IPv4 message and restores it to an IPv6 message, and continues to transmit the IPv6 message.

Described step B comprises:

B4, the mobile node located in the IPv6 external network constructs the message corresponding to the IPv6 address of the VPN gateway, and sends it to the network address translation-protocol translation NAT-PT entity;

B5. The NAT-PT converts the IPv6 address in the IPv6 message into an IPv4 address, and sends it to the external access router, which sends the message to the external access router through the tunnel said VPN gateway;

B6. The VPN gateway parses the received message, and continues to transmit the message.

Described step A2 comprises:

A21. After the mobile node moves to the IPv4 external network, obtain the care-of address of the IPv4 network;

A22. The mobile node negotiates with the VPN gateway to establish the IPsec tunnel, and addresses at both ends of the tunnel are the care-of address and the IPv4 address of the VPN gateway respectively.

Described step A22 comprises:

During the IKE negotiation process of Internet key exchange between the mobile node and the VPN gateway, the VPN gateway will determine a VPN tunnel internal address for the mobile node as the mobile IPv6 care-of address registered by the mobile point to the VPN interior.

Described step B comprises:

The mobile node in the IPv4 network first performs mobile IPv6 encapsulation on the data packet, and then performs IPsec encapsulation according to the established tunnel, and sends the VPN service message encapsulated with the IPv4 header to the VPN gateway through the established tunnel.

Also include in the described step B:

When the mobile node performs mobile IPv6 encapsulation on the data packet, the corresponding source address is the internal address of the VPN tunnel, and the destination address is the address of the node inside the VPN.

When the IP address of the mobile node located in the VPN internal network changes during the moving process, immediately stop communicating with other nodes within the VPN, and the method also includes:

C1. If the mobile node obtains an IPv4 care-of address, then use the IPv4 care-of address to perform IKE negotiation supporting MOBIKE with the VPN gateway, and establish an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway to the internal home agent through the tunnel Initiate registration, and communicate with the VPN network node through the tunnel after receiving the registration application answer;

or,

C2. If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly inquire about the IPv6 address of the VPN gateway. After that, the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent; when receiving the IPv6 registration response, It is determined that the mobile node is located inside the VPN, and the mobile node uses the new IPv6 care-of address to communicate with the VPN internal node.

The step C2 also includes:

If the mobile node does not receive the mobile IPv6 registration response, and the IPv6 address of the VPN gateway is successfully inquired, and it is determined that the mobile node is located in the IPv6 network outside the VPN, then the new IPv6 address is used to negotiate with the VPN gateway for IKE that supports MOBIKE, Establish an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway to send a registration request to the internal home agent through the IPsec tunnel, and communicates with the internal network node through the established IPsec tunnel after receiving the registration response.

When the IP address of the mobile node that was originally in the IPv4 external network changes during the moving process, the communication with the VPN internal node is stopped, and the method also includes:

D1. If the mobile node obtains the IPv4 care-of address and determines that the mobile node moves to another IPv4 external network, then initialize MOBIKE and update the SA address. After the update, the endpoint address of SA is the new IPv4 care-of address and VPN gateway of the mobile node IPv4 address, the mobile node continues to communicate with the VPN internal node through the tunnel;

or,

D2. If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly query the IPv6 address of the VPN gateway; after that, the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent, and receives the mobile IPv6 registration response Afterwards, it is determined that the mobile node moves to the VPN internal network, and uses the new IPv6 care-of address to communicate with the VPN internal node.

Described step D2 also includes:

If the mobile node does not receive the mobile IPv6 registration response, and the query of the IPv6 address of the VPN gateway is successful, and it is determined that the mobile node has moved to the IPv6 external network, it will start to initialize MOBIKE and update the SA address. After the update, the SA endpoint address is mobile The node newly obtains the IPv6 care-of address and the IPv6 address of the VPN gateway, and the mobile node continues to communicate with the VPN internal node through the tunnel.

When the IP address of the mobile node in the IPv6 external network changes during the movement process, the communication with the VPN internal node is stopped, and the method also includes:

E1. If the mobile node obtains the IPv4 care-of address and determines that the mobile node moves to the IPv4 external network, then initialize MOBIKE and update the SA address. After the update, the endpoint address of SA is the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway , the mobile node continues to communicate with the VPN internal node through the tunnel;

or,

E2. If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly query the IPv6 address of the VPN gateway; after that, the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent, and receives the corresponding mobile IPv6 After the registration response, it is determined that the mobile node moves to the VPN internal network, and the mobile node uses the new IPv6 care-of address to communicate with the VPN internal node.

Described step E2 also includes:

If the mobile node does not receive the corresponding mobile IPv6 registration response, and the IPv6 address of the VPN gateway is successfully inquired, and it is determined that the mobile node has moved to another IPv6 external network, it will start to initialize MOBIKE, update the SA address, and update the SA endpoint address For the newly obtained IPv6 care-of address of the mobile node and the IPv6 address of the VPN gateway, the mobile node continues to communicate with the VPN internal node through the tunnel.

The present invention also provides a system for realizing mobile VPN in a hybrid network, including an IPv4 external network, an IPv6 external network and a VPN gateway, the VPN internal network is an IPv6 network, and the internal interface provided by the VPN gateway is an IPv6 interface , the external interface is an IPv4 interface, and the system also includes:

Tunnel establishment module: used to establish a tunnel between the VPN gateway and the external network for transmitting VPN packets exchanged between the two networks, and the addresses at both ends of the tunnel are the IPv4 address and the IPv4 address of the external network respectively. The IPv4 address of the external interface provided by the VPN gateway;

Message encapsulation transmission module: installed at both ends of the tunnel, used to encapsulate the VPN message to be sent with an IPv4 header, and send it to the opposite end through the tunnel.

In the IPv6 external network, the system also includes:

DNS-ALG: configured as an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway during the VPN service process through the IPv6 external network;

DNS in IPv6 network: configured as IPv4 and IPv6 dual protocol stack, and its upper-level DNS is configured as the DNS-ALG;

External access router: configured as IPv4 and IPv6 dual protocol stacks, used to implement the function of encapsulating IPv6 packets with IPv4 headers, and at the same time, used to decapsulate corresponding packets.

In the IPv6 external network, the system also includes:

DNS-ALG: configured as an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway;

DNS in IPv6 network: configure its upper-level DNS in DNS as the DNS-ALG mentioned;

NAT-PT entity: used to communicate with external access routers, and convert corresponding IPv6 addresses and IPv4 addresses for packets passing through this entity;

External access router: used to send the packets converted by the NAT-PT entity to the VPN gateway, and receive packets from the VPN gateway.

As can be seen from the technical solution provided by the present invention above, the present invention utilizes the IPv6inIPv4 tunnel technology to realize the development of mobile VPN services in the IPv4 and IPv6 hybrid network, so that the mobile VPN can still be realized in the process of evolution from the IPv4 network to IPv6. business.

The present invention also utilizes the MOBIKE protocol to update the address item of the SA, cooperates with the method that the VPN gateway assigns the VPN-TIA address to the mobile node, and successfully solves the two problems described in the background technology. In the transition period from IPv4 to IPv6, under the IPv4-v6 mixed environment with IPv4 as the backbone network, a complete solution for mobile nodes to realize access to VPN services and to switch between networks under the premise of maintaining normal communication is proposed.

In the specific implementation process of the present invention, based on the existing communication network, no new equipment needs to be introduced, and no hardware needs to be upgraded, and only the software of the corresponding equipment needs to be improved. Therefore, the entire configuration operation process is simple and easy.

Description of drawings

Fig. 1 configures the structure of the mobile VPN of the external home agent under the IPv4 environment;

Fig. 2 configures the structure of the mobile VPN of MOBIKE under the IPv4 environment;

Fig. 3 is the concrete realization network structure of the mobile VPN of hybrid network provided by the present invention;

Fig. 4 is DNS request forwarding processing in Fig. 3;

Fig. 5 is DNS response forwarding processing in Fig. 3;

Fig. 6 is a schematic diagram of the processing flow of the method of the present invention.

Detailed ways

With the development of network communication technology, in the development process of IPv6 network replacing IPv4 network, due to the wide application of existing IPv4 network, the IPv4-v6 hybrid network based on "IPv6 island" and "IPv4 ocean" will be in a period of time. long-term existence.

The main purpose of the present invention is to provide a network structure of mobile VPN under the mixed network of IPv4-v6 and corresponding equipment functional requirements, as well as the mode for mobile nodes to access VPN in different types of networks, thereby solving the problem of mobile nodes between different types of networks. When switching, the SA address of the mobile node is updated.

The present invention takes "IPv6 isolated island" and "IPv4 ocean" IPv4-v6 hybrid network as the basic network framework, and solves the problem of updating the SA address of mobile nodes by introducing the MOBIKE extension protocol; The mobile node communicates with the VPN gateway in the IPv4 network in the IPv6 network, so that the communication between the mobile node and the VPN internal node can be realized even if the mobile node is located in various types of networks.

That is to say, the present invention mainly adopts the idea of IPv6in IPv4 tunneling technology, configures equipment such as DNS-ALG (domain name server-application layer gateway) to realize that the mobile node is located in the IPv6 external network and queries the VPN gateway IPv6 address through the IPv4 network, and performs Corresponding Communications. Therefore, when the mobile node is located in the IPv6 external network, it can still communicate with the VPN gateway through the IPv4 network, and then the mobile VPN service under the mixed network of IPv4 and IPv6 can be realized.

Specifically, in the hybrid network, according to the location of the mobile node, it can be specifically divided into three situations: the mobile node is located in the IPv6 internal network (that is, located inside the VPN), the IPv4 external network and the IPv6 external network. Different situations require different communication methods, so that mobile VPN services can be implemented in mixed networks.

In order to distinguish the communication methods used in different situations, when the IP address of the mobile node changes, first stop the communication with other nodes, and judge the type of the current network according to the type of IP address; after that, register through the mobile IP and VPN The way of address query determines whether the mobile node is located in the internal network or the external network, and according to the situation, either establish an IPsec tunnel, or update the address of the original IPsec SA; after completing the corresponding processing, resume the previous communication.

In the process of realizing the present invention, it is specifically necessary to set IPv4 and IPv6 dual protocol stacks in x-AR (external access router), DNS-ALG and DNS server on the edge of the IPv6 external network, and to set dual protocol stacks at the VPN gateway. Protocol stack; at the same time, x-AR and VPN gateway have IPv6in IPv4 tunnel encapsulation and decapsulation processing functions.

After the above settings, different communication processing methods can be adopted for different situations to realize the mobile VPN service in the hybrid network. Taking the mobile node entering the IPv6 external network as an example, the corresponding processing mainly includes the following processes:

(1) After the mobile node is connected to the IPv6 external network, the IPv6 address of the VPN gateway is indirectly inquired by means of domain name resolution;

(2) The mobile node sends out the IPv6DNS request of the VPN gateway, converts it into an IPv4DNS request through DNS-ALG, and forwards it to the IPv4 network;

(3) After the IPv4 network returns the IPv4 address about the VPN gateway, it is first sent to the DNS-ALG, and the DNS-ALG adds a specific prefix to the IPv4 address to form an IPv6 address, and finally returns this address to the mobile node.

(4) The mobile node constructs a data packet according to the returned VPN gateway IPv6 address, and communicates with the VPN gateway; wherein, the data packets communicated between the mobile node and the VPN gateway will be encapsulated and decapsulated through the IPv6in IPv4 tunnel to implement different protocol types Communication between nodes.

After the above processing process, the interworking of the mobile VPN service can be realized in the hybrid network.

In order to facilitate the understanding of the present invention, the specific implementation of the present invention will be described in detail below in conjunction with the accompanying drawings.

The networking structure of the technical solution for implementing the mobile VPN in the IPv4-v6 hybrid network provided by the present invention is shown in FIG. 4 . In Figure 4, the inside of the VPN is an IPv6 network environment, and at the same time, there are also a home network (Home Net) and a foreign network (Foreign Net) that support mobile IPv6 inside the VPN; the external network in the network is the Internet based on IPv4 , and there are also IPv4 external networks (External Net IPv4) supporting Mobile IPv4 and IPv6 external networks (External Net IPv6) supporting Mobile IPv6. A DNS-ALG device is set at the edge of the IPv6 external network to realize that the mobile node can obtain the VPN gateway address in the IPv4 network through domain name query on the IPv6 external network.

In the network system shown in Figure 4, the functions of each component device are as follows:

(1) MN (Mobile Node)

Configure IPv4-v6 dual protocol stack, support standard MIPv4 (Mobile IPv4)/MIPv6 (Mobile IPv6), and configure IPsec protocol that supports MOBIKE;

(2) VPN gateway

The address of the external interface with the external network is an IPv4 address, and the address of the internal interface with the internal network is an IPv6 address. The IPv4-v6 dual protocol stack is configured on the VPN gateway. At the same time, the VPN gateway has an IPv6in IPv4 tunnel (use IPv4 tunnel to transmit IPv6 packets Text technology) encapsulation and decapsulation function, support standard MIPv6 (Mobile IPv6 protocol), configuration support MOBIKE (IKEv2 mobile and multi-interface protocol) IPsec protocol;

(3) DNS-ALG (Domain Name Server-Application Layer Gateway) and DNS (Domain Name Server)

Among them, DNS-ALG configures IPv4-v6 dual protocol stack, that is, it can support IPv6 and IPv4 protocols at the same time, and is used to provide IPv4 address information of the VPN gateway, and add a specific prefix to the corresponding IPv4 address to convert it into a corresponding IPv6 address, and As the upper-level DNS of the DNS in the IPv6 network; the DNS in the IPv6 network only needs to configure the IPv6 protocol stack;

4. x-AR (External Access Router)

Configure IPv4-v6 dual protocol stack, with encapsulation and decapsulation functions of IPv6in IPv4 tunnel.

In the system shown in Figure 4, the corresponding IP address configuration within the VPN is as follows:

Traditional IPv4 networks are configured with private network addresses inside the VPN, which can only be used inside the VPN. In IPv6 address classification, the site-local unicast address is very suitable for VPN application, so the present invention configures the VPN internal network with the IPv6 site-local unicast address. The site-local unicast address can only be used to transmit data within the VPN network, and the router in the site can only forward data packets of this address type within the site, but cannot forward them outside the site. The structure of the site local unicast address may be: 1111111011+38-bit "0"+16-bit subnet identifier+64-bit interface identifier.

Based on the above-mentioned system shown in FIG. 4 , the specific implementation of the access mode of the mobile node provided by the present invention will be described below.

In the mobile VPN of the IPv4-v6 hybrid network, there are three ways for the mobile node to access the VPN. The following will describe the three ways and the corresponding processing methods for developing VPN services:

(1) In the network environment where the VPN internal network is pure IPv6, the mobile node inside the VPN communicates with the internal home agent and the communication node with standard mobile IPv6;

When the mobile node is in the VPN internal network, the corresponding way to carry out VPN services is as follows:

The entire internal network is regarded as an ordinary IPv6 network, and the mobility of the mobile node is realized by mobile IPv6; that is, when the mobile node is in the internal home network, the mobile node communicates through the IPv6 routing mechanism; when the mobile node moves out of the home network, it enters the mobile IPv6 In the foreign network, obtain the mobile IPv6 care-of address through the access router, register with the home agent and the communication node, and complete the binding update, so as to realize the mobile communication in the internal network.

(2) In the IPv4 external network, the mobile node outside the VPN supports mobile IPv4, obtains an IPv4 care-of address, performs IKE negotiation with the VPN gateway through the obtained care-of address, and establishes an IPsec tunnel, thereby realizing internal communication with the VPN through the tunnel communication between nodes;

When the mobile node moves out of the VPN internal network and enters an IPv4 external network that supports mobile IPv4, the corresponding process for developing VPN services specifically includes:

The mobile node will be assigned an IPv4 foreign agent care-of address or an IPv4 configuration care-of address. After completing identity authentication with the VPN gateway, the mobile node starts IKE negotiation with the VPN gateway to establish an IPsec tunnel. The addresses at both ends of the tunnel are the care-of address of the mobile node and the IPv4 address of the external interface of the VPN gateway respectively.

During IKE negotiation, the VPN gateway gives a VPN-TIA (VPN tunnel internal address), and notifies the address to the mobile node; after moving out of the internal network, the mobile node still maintains the same address as the home agent or communication node inside the VPN. Mobile IPv6 binding cache, VPN-TIA is used as the mobile IPv6 care-of address registered by the mobile node with the internal home agent or correspondent node.

That is to say, the mobile node does not use the care-of address obtained by itself in the external network as the care-of address registered with the home agent of the internal network, but uses VPN-TIA as the internal network care-of address of the mobile node; its purpose is to make the VPN The internal home agent and communication node can not be affected by the change of the care-of address of the mobile node in the external network, which reduces the frequent sending of control information such as registration updates, and also avoids the need for the mobile node to obtain the IPv4 care-of address from the mobile IPv6 internal home agent. problems with registration.

After the IPsec tunnel is established, the mobile node first performs mobile IPv6 encapsulation on the data packet of the upper layer protocol, the source address is VPN-TIA, and the destination address is the address of the internal home agent or the communication node; then IPsec encapsulation is performed, and the source address is the mobile node's The IPv4 care-of address of the external network, and the destination address is the IPv4 address of the external interface of the VPN gateway.

The structure of the data packet after two encapsulations is shown in Table 1, where: i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node in the external network, v4-v6 before the address The flag indicates the type of address.

Table 1

V4x-CoAV4VPN-GW ESP V6VPN-TIAV6i-HA V6i-HoAV6CN User Protocol l ESPTrailer

(3) In the IPv6 external network, the mobile node outside the VPN supports mobile IPv6 and obtains an IPv6 care-of address. The x-AR of the IPv6 external network and the VPN gateway in the IPv4 network use the IPv6in IPv4 tunnel encapsulation technology to enable the mobile node in the IPv6 external network to communicate with the VPN gateway in the IPv4 network;

When the mobile node is located on the IPv6 external network, that is, when the mobile node is located outside the VPN, the communication process between the mobile node and the VPN internal node is as follows:

(1) When the mobile node enters an external network that supports mobile IPv6, the access router (x-AR) in the network will provide it with a wireless interface to access the external network, that is, the mobile node will obtain the corresponding IPv6 care-of address to facilitate network communications;

(2) After the mobile node obtains the corresponding IPv6 care-of address, it adopts the IPv6in IPv4 tunnel technology to perform IPv4 encapsulation and decapsulation on the IPv6 data packets at the x-AR of the IPv6 external network and the VPN gateway of the IPv4 network respectively, so as to realize the IPv4 host Intercommunication with IPv6 hosts;

The reason for using IPv6 in IPv4 tunneling technology is: after the mobile node obtains the IPv6 care-of address, if it communicates with the VPN gateway located in the IPv4 network, it will still be unable to handle the IP version different from its own due to the different address structures at both ends. For this reason, IPv6 packets need to be encapsulated in IPv4, so that the peer VPN gateway can identify the received packets.

The specific implementation of the process of communicating with a VPN internal node when the mobile node is located outside the VPN will be described below.

In the specific implementation process of the present invention, the basis for establishing communication between an IPv4 host and an IPv6 host is to associate through a domain name. That is, the mobile node does not need to know whether the VPN gateway that needs to communicate is an IPv4 address or an IPv6 address, but only needs to know the FQDN (Fully Qualified Domain Name, fully qualified domain name) of the VPN gateway. In this way, after the domain name is resolved, the communication address of the VPN gateway can be obtained, and corresponding data packets can be constructed to realize mutual communication.

Firstly, the specific processing process of VPN gateway domain name resolution through DNS (Domain Name Server) is described, and the specific process includes two processing stages of domain name resolution request and domain name resolution response.

In the corresponding domain name resolution request stage, as shown in Figure 5, the main processing process includes:

(1) The mobile node sends a DNS request to the DNS server in the IPv6 site, that is, sends a DNS request ("AAAA") to the corresponding IPv6 DNS server to request the resolution of the FQDN of the destination host and obtain the address information of the VPN gateway;

For the IPv6 host mobile node that initiates communication, it does not know whether the communication partner is an IPv4 host or an IPv6 host. The mobile node only has the FQDN of the destination host (VPN gateway), for example, www.vpngw.com. Therefore, it needs to pass the domain name Parse the request to obtain the address of the VPN gateway.

(2) After the DNS request of the mobile node reaches the DNS server, it will be forwarded to the DNS-ALG;

This is because the DNS server of the IPv6 site receives the DNS request of the mobile node is actually the FQDN of the VPN gateway in the IPv4 network, so the DNS server cannot resolve the domain name, and will forward the request to the upper-level DNS server ;In this IPv6 external network, the address of the upper-level DNS server configured in the DNS server is the address of the DNS-ALG in the station, so the DNS request sent by the mobile node is forwarded to the DNS-ALG by the DNS server;

(3) The DNS server address of the IPv4 network is stored in the DNS-ALG. When it receives the IPv6 DNS request of the mobile node ("AAAA") forwarded by the DNS server, the DNS-ALG will determine the VPN gateway address according to the stored DNS server list. DNS server address, since the external interface of the VPN gateway is an IPv4 interface, the corresponding address is an IPv4 address, and the corresponding DNS server is a DNS server in the IPv4 network, therefore, this IPv6DNS request needs to be converted into an IPv4DNS request (“A” ), and sent to the DNS server of the IPv4 network;

(4) Since the DNS-ALG is connected to the x-AR, the DNS-ALG sends the IPv4DNS request to the x-AR first, and then the x-AR sends it to the IPv4 network.

The corresponding domain name resolution response stage, that is, the DNS response process is shown in Figure 6. After the DNS server in the IPv4 network receives the request, it returns a DNS response. The response message contains the IPv4 address of the VPN gateway, and the response message will return For a mobile node in an IPv6 network, the specific DNS response process includes the following processes:

(1) The DNS-ALG in the IPv6 network receives the DNS response from the DNS server in the IPv4 network, and the result is the IPv4 address of the VPN gateway; the DNS-ALG needs to add a specific address prefix to the VPN gateway address, with the prefix All data packets will be routed to x-AR;

The prefix route can be pre-configured and released in the routing device of the IPv6 network. For example, the prefix is 5ef0:3248::/64, assuming that the IPv4 address of the VPN gateway is 200.0.0.1, then DNS-ALG adds the VPN to this prefix The IPv4 address of the gateway is structured as an IPv6 address of the form 5efO:3248::200.0.0.1 and returns to the DNS server in the IPv6 network;

(2) After the DNS server in the IPv6 network receives the IPv6 address with a specific prefix returned by the DNS-ALG, it corresponds the address to the DNS request of the mobile node, and writes the corresponding address into the cache as the address of the VPN gateway, that is, in IPv6 The DNS in the network saves the corresponding relationship information between the address of the VPN gateway in IPv6 format and its domain name;

It should be noted that after a DNS resolution of the VPN gateway, this process will not be repeated, and the host that communicates with the VPN gateway through the domain name can directly obtain the converted address of the VPN gateway in the DNS server of the IPv6 network. The address is an IPv6 address;

(3) After the resolution result (that is, the IPv6 address with the specific prefix) is written into the cache, the DNS server also returns the IPv6 address formed by the specific address prefix and the IPv4 address of the VPN gateway to the mobile node, so that the mobile node can obtain The address information of the VPN gateway required to carry out the mobile VPN service.

After the mobile node and the DNS server have obtained the address information of the VPN gateway, the mobile node can communicate with the nodes in the VPN intranet through the conversion and forwarding of data packets, and the corresponding specific communication process include:

(1) The mobile node receives the IPv6 address returned by the DNS server, which is the IPv6 address constructed by adding a specific address prefix to the IPv4 address of the VPN gateway, and the mobile node constructs an IPv6 packet with this address as the destination address.

(2) Since the prefix route of the destination address has been configured and published in the IPv6 network, all IPv6 packets with the address prefix point to the x-AR, so the IPv6 data packet sent by the mobile node is routed to the x-AR. Therefore, assuming that the specific address prefix is 5efO:3248::/64, the IPv4 address of the VPN gateway is 200.0.0.1;

(3) x-AR receives the IPv6 data packet whose destination prefix is 5efO:3248::/64, recognizes that its prefix is a specific prefix released by DNS-ALG, and then performs IPv6in IPv4 tunnel encapsulation on the IPv6 data packet, specifically The packaging method is:

The x-AR extracts the IPv4 address of the VPN gateway from the destination address item of the IPv6 data packet as the destination address of the IPv4 tunnel header, uses the x-AR IPv4 address as the source address of the IPv4 tunnel header, and the newly constructed IPv4 data packet structure As shown in Table 2, that is, the structure of the corresponding packet encapsulated by the IPv4 tunnel is shown in Table 2:

Table 2

IPv4 header IPv6 header IPv6 valid data

(4) x-AR sends the encapsulated IPv4 data packet to the IPv4 network;

(5) The IPv4 data packet received by the VPN gateway may be a data packet from a mobile node in an IPv4 external network, or a data packet encapsulated by an IPv4 tunnel from a mobile node in an IPv6 external network; in order to identify the source of the data packet, the VPN gateway needs Read the IPv4 packet header, if the next packet header is found to be an IPv6 address, then determine that the data packet comes from the IPv6 external network, and decapsulate it, and hand over the decapsulated IPv6 data packet to other modules for the next step of processing, subsequent processing The process is the same as that of ordinary IPv6 data packets, so it will not be described in detail.

When the node inside the VPN needs to send information to the mobile node in the IPv6 external network, the IPv6 data packet that needs to be sent to the mobile node needs to be encapsulated with an IPv4 header at the VPN gateway, and through the x-AR and the VPN gateway The tunnel between them is sent to the mobile node, wherein the destination address of the IPv4 packet header encapsulated by the VPN gateway IPv4 tunnel is the IPv4 address of the x-AR, and the source address is the VPN gateway IPv4 address. When the x-AR receives the IPv4 data packet, reads the IPv4 packet header, and finds that the next packet header is IPv6, it decapsulates it, and forwards the IPv6 data packet obtained by decapsulating to the mobile node. The specific processing process can be regarded as an inverse processing process of sending data packets from the mobile node to the VPN gateway.

In the above process, when the mobile node is in the IPv6 external network, if the mobile node wants to communicate with the VPN internal node, it needs to establish a tunnel with the VPN gateway, that is, how to establish a tunnel to ensure that the communication between the IPv6 external network and the VPN internal The key to enabling VPN communication in a hybrid network. For this reason, the establishment of the corresponding IPsec tunnel and the forwarding process of the data packet will be described in detail below when the mobile node is in the IPv6 external network.

In the prior art, the communication between the mobile node and the VPN gateway supports the IKEv2 negotiation of MOBIKE to establish an IPsec tunnel, and then the data packets are transmitted after being encapsulated in IPsec ESP (IPsec Encapsulating Security Payload) tunnel mode. However, under the application scenario of the present invention, since the mobile node and the VPN gateway are located in different types of networks, the signaling information negotiated by IKE and the subsequent IPsec encapsulated data packets will be encapsulated and decapsulated through the IPv6in IPv4 tunnel, so , for the mobile node in the IPv6 external network to communicate with the internal node of the VPN, it is necessary to establish a corresponding IPsec tunnel whose addresses at both ends are IPv4 addresses, that is, a tunnel that supports IPv6in IPv4 encapsulation and decapsulation, through which IPv6inIPv4 packets are transmitted Package delivery.

In the present invention, in the established tunnel, the SPI (Security Parameter Index) destination address item of the mobile node SA is the IPv6 address of the VPN gateway, and the SPI destination address item of the VPN gateway SA is the IPv6 address of the mobile node, and the IKE negotiation is carried out at both sides During the process, the VPN gateway also obtains its own IPv6 address, that is, the corresponding specific prefix plus its own IPv4 address.

After the IPsec tunnel is established, data packets need to be transmitted interactively through the tunnel, and the forwarding process of the corresponding data packets will be described below.

The mobile node first performs mobile IPv6 encapsulation on the data packet of the upper layer protocol, the source address is VPN-TIA (VPNTunnel Inner Address, VPN tunnel internal address), and the destination address is the address of the node inside the VPN (including the internal home agent or communication node).

Afterwards, IPsec encapsulation is performed, the source address is the external network IPv6 care-of address of the mobile node, and the destination address is the VPN gateway external interface IPv6 address, which is generated by adding a specific prefix to the VPN gateway IPv4 address.

The structure of the IPv6 data packet after the corresponding data packet is encapsulated twice is shown in Table 3, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node in the external network, and VPN-HoA is the home address of the mobile node in the external network. GW is an IPv6 address with a specific prefix. The v4/v6 flag preceding the address indicates the address type.

table 3

V6x-CoAV6VPN-GW ESP V6VPN-TIAV6i-HA V6i-HoAV6CN User Protocol ESPTrailer

Since the prefix route of the destination address of the data packet has been configured and published in the IPv6 network, all IPv6 packets with the address prefix point to the x-AR, so the IPv6 data packet sent by the mobile node is routed to the x-AR.

x-AR recognizes that its prefix is a specific prefix released by DNS-ALG, so it performs IPv6inIPv4 tunnel encapsulation on the IPv6 data packet; specifically: x-AR extracts the IPv4 address of the VPN gateway from the destination address item of the IPv6 data packet, As the destination address of the IPv4 tunnel header, the IPv4 address of the x-AR is used as the source address of the IPv4 tunnel header, and the format of the IPv4 data packet encapsulated by the IPv4 tunnel is shown in Table 4, where the outermost header is the IPv4 data packet header , the original entire IPv6 data packet is encapsulated in an IPv4 data packet as an IPv payload. The x-AR in the outermost packet header is the IPv4 address of the access router, and the VPN-GW is the IPv4 address of the VPN gateway.

Table 4

V4x-ARV4VPN-GW V6x-CoAV6VPN-GW ESP V6VPN-TIAV6i-HA V6I-HoAV6CN User Protocol ESPTrailer

The tunnel-encapsulated IPv4 data packets are forwarded by the x-AR to the IPv4 network. After the VPN gateway receives the data packet, it first removes the IPv4 tunnel encapsulation; then transfers it to the IPsec function module, removes the IPsec encapsulation, and forwards it to the internal home agent or communication node to realize the communication between the mobile node and the VPN internal node.

The forwarding and conversion of the data packet sent by the VPN internal node to the mobile node can be regarded as the reverse process of the above steps, so it will not be repeated here.

In the specific implementation process of the present invention, when the mobile node moves to the IPv6 external network, the communication between the mobile node and the VPN internal node can also be realized by the following scheme.

In the IPv4-v6 hybrid network, in order to realize the communication between the host (mobile node) located in the IPv6 network and the host (VPN gateway) located in the IPv4 network, in addition to the IPv6in IPv4 tunnel technology, NAT-PT (network Address conversion-protocol conversion) technology implementation.

That is to say, the present invention also applies it to the IPv4-v6 hybrid network to realize mobile VPN according to the basic technology and thought of NAT-PT, and then proposes a mobile node located in the IPv6 network and a VPN gateway located in the IPv4 network under this structure. communication plan.

A NAT-PT entity, that is, a NAT-PT device, needs to be configured on the edge of the IPv6 external network. Specifically, in the present invention, the NAT-PT and the DNS-ALG can be combined into one device.

The specific realization process of the communication between the mobile node in the IPv6 external network and the VPN gateway in the IPv4 network will be described in detail below.

The mobile node still uses the domain name query method to obtain the IPv6 address of the VPN gateway. The specific query process has been described in the previous description and will not be described in detail here. The IPv6 address is the VPN gateway IPv4 address plus a specific address prefix. The mobile node constructs a data packet with this address as the destination address.

The IPv6 data packet with the specific address prefix will be routed to NAT-PT by default, and NAT-PT judges that the data packet is sent to the host in the IPv4 network according to the specific address prefix, so the protocol conversion is performed on the IPv6 data packet. NAT-PT maps the source address (the care-of address of the mobile node) in the received IPv6 packet to an IPv4 address as the source address of the converted IPv4 packet, and the last 32 bits of the destination address are used as the destination address of the converted IPv4 packet. The syntax and semantics of each field are converted (ie NAT-PT), and the destination address of the converted IPv4 data packet is the IPv4 address of the VPN gateway;

Both NAT-PT and x-AR are dual protocol stack devices. NAT-PT sends the converted IPv4 data packet to x-AR, and then x-AR sends the data packet to the IPv4 network.

The process of converting IPv4 data packets into IPv6 data packets is the reverse process of the above steps. When x-AR receives an IPv4 data packet, it first routes to NAT-PT, and NAT-PT extracts the destination address of the IPv4 packet, searches the address mapping table, and finds the IPv6 address corresponding to the IPv4 destination address as the destination address of the IPv6 data packet; Add a specific prefix to the source address of the IPv4 packet as the source address of the IPv6 packet, convert the syntax and semantics of each field in the IPv4 packet, construct an IPv6 data packet, and finally forward it to the mobile node.

In the following, when the NAT-PT entity is set, the establishment of the tunnel and the forwarding process of the data packet required for the mobile node in the IPv6 external network to realize internal communication with the VPN will be described in detail.

First, the tunnel establishment process is as follows:

Similarly, the initial communication between the mobile node and the VPN gateway is to support MOBIKE's IKEv2 negotiation to establish an IPsec tunnel, and then the data packets are transmitted after being encapsulated in IPsec ESP tunnel mode. Due to the existence of NAT-PT, the signaling information negotiated by IKE and the subsequent IPsec encapsulated data packets will be converted from IPv4 to IPv6 or IPv6 to IPv4. The SPI destination address item of the mobile node SA is the IPv6 address of the VPN gateway, and the VPN gateway SA’s The SPI destination address item is the IPv4 address of the mobile node, and the two parties do not know that the communication peer is a host different from their own network type. This does not affect the establishment of tunnels and data transmission between the two parties, and it also brings convenience for the mobile node to switch between different types of external networks: no matter whether the mobile node is in an IPv4 external network or an IPv6 external network, the VPN gateway always thinks that the mobile node is an external network. on an IPv4 network.

Afterwards, the process of forwarding data packets using the tunnel is as follows:

After the IPsec tunnel is established, the mobile node first performs mobile IPv6 encapsulation on the data packet of the upper layer protocol, the source address is VPN-TIA, and the destination address is the address of the internal home agent or communication node; then IPsec encapsulation is performed, and the source address is the mobile node's The IPv6 care-of address of the external network, the destination address is the IPv6 address of the external interface of the VPN gateway, which is generated by adding a specific prefix to the IPv4 address of the VPN gateway. The IPv6 packet structure of the mobile node located in the IPv6 external network after two encapsulations is shown in Table 5, where i-HoA is the home address of the mobile node in the internal network, x-CoA is the care-of address obtained by the mobile node in the external network, VPN - GW (VPN Gateway) is an IPv6 address with a specific prefix. The v4/v6 flag preceding the address indicates the address type.

table 5

V6x-CoAV6VPN-GW ESP V6VPN-TIAV6i-HA V6i-HoAV6CN User Protocol ESPTrailer

After the data packet is routed to NAT-PT, NAT-PT maps the source address (the care-of address of the mobile node) in the received IPv6 packet to an IPv4 address as the source address for converting the IPv4 packet, and the last 32 bits of the destination address as the conversion The destination address of the IPv4 packet performs syntax and semantic conversion on each field in the IPv6 packet, and constructs an IPv4 data packet whose destination address is the IPv4 address of the VPN gateway. Table 6 shows the format of the IPv4 data packet converted by NAT-PT. At this time, the outermost IPsec packet header has been converted into an IPv4 address. Wherein, x-CoA is the IPv4 care-of address obtained by the mobile node from the IPv6 care-of address mapping, and VPN-GW is the IPv4 address of the VPN gateway.

The structure of the IPv4 packet after NAT-PT conversion is shown in Table 6:

Table 6

V4x-CoAV4VPN-GW ESP V6VPN-TIAV6i-HA V6i-HoAV6CN User Protocol ESPTrailer

The IPv4 data packet transformed by NAT-PT is forwarded to x-AR, and then forwarded to the IPv4 network by x-AR. After the VPN gateway receives the data packet, it removes the IPsec encapsulation and forwards it to the internal home agent or communication node to realize the communication between the mobile node and the VPN internal node.

The forwarding and conversion of the data packet sent by the VPN internal node to the mobile node is completely the reverse process of the above steps, which will not be repeated here.

In the present invention, the mobility of the mobile node determines that the specific implementation process of the present invention also includes the processing process of switching the mobile node between different types of networks and updating the SA address, which will be described in detail below.

The IPv4-v6 hybrid network has an IPv4 external network that supports mobile IPv4 and an IPv6 external network that supports mobile IPv6. Heterogeneous networks refer to networks that are IPv4 and IPv6 respectively, and homogeneous networks refer to networks that are both IPv4 or both IPv6.

After the mobile node accesses the VPN through the IPsec tunnel, it may move between different networks. In the present invention, when the mobile node is located in the internal network, standard mobile IPv6 communication can be used; when the mobile node roams from the internal network to the external network, it is necessary to establish an IPsec tunnel to communicate with the VPN internal node; when the mobile node leaves the current After the external network enters a new heterogeneous or similar external network, it can use the newly obtained care-of address to update the SA address through the MOBIKE protocol, maintain the original IPsec tunnel, and continue to communicate with VPN internal nodes.

After the care-of address of the mobile node changes, in order to avoid renegotiation, to utilize the original IPsec tunnel to continue communication, need to adopt MOBIKE agreement among the present invention to realize the support of IPsec agreement to node mobility, thereby allow to occur in the mobile node care-of address After the change, continue to maintain the original IPsec tunnel for communication through the SA address update.

In order to clearly illustrate this technical point in the present invention, the existing MOBIKE protocol is firstly introduced below.

MOBIKE is an extended protocol based on IKEv2, which effectively supports the mobility of both ends of the IPsec tunnel communication. MOBIKE allows the nodes at both ends of the tunnel to update their IP addresses while maintaining the IKE SA and IPsec SA. That is to say, after the IP addresses of the nodes at both ends of the tunnel change, they can still maintain the original IPsec tunnel without renegotiation. An important application scenario of the MOBIKE protocol is that the mobile node of the IPsec VPN still maintains the original IPsec tunnel with the VPN gateway after the external network changes its care-of address.

MOBIKE supports multiple addresses for both sides of the communication, and the initiator of IKE_SA (Internet Key Exchange-Security Association) decides to use the end address pair of the tunnel. When updating the IPsec SA address, the initiator of IKE_SA also issues an address update request. Settings like MOBIKE are very suitable for mobile VPN application scenarios. In a mobile VPN, the mobile node usually initiates IKE negotiation to the VPN gateway when it is in the external network to establish an IPsec tunnel. After the mobile node's care-of address changes, the mobile node initiates an address update request to update the address of the mobile node in IKE SA and IPsec SAs (IPsec security association group).

Since MOBIKE is an extended protocol of IKEv2, its realization is completed in the negotiation exchange of IKEv2. MOBIKE defines some new notification loads, and uses the new notification loads to realize the functions supported by MOBIKE during the negotiation and exchange process of the three exchange types (IKE_SA exchange, IPsec SA exchange and information exchange) of IKEv2.

If you want to support the MOBIKE protocol in the established IPsec tunnel, you must first add the MOBIKE_SUPPORTED (support MOBIKE) notification load in the IKE_AUTH (IKE initialization authentication exchange) exchange when IKE_SA is initialized, indicating that both nodes support the MOBIKE protocol.

The MOBIKE protocol supports entities at both ends of the communication to have multiple addresses at the same time. The initiator and responder can add ADDITIONAL_IPv4_ADDRESS (add IPv4 address) or ADDITIONAL_IPv6_ADDRESS (add IPv6 address) notification payload to the IKE_AUTH exchange (that is, the last two messages of IKEv2 initialization exchange) .

When implementing the MOBIKE protocol, the update process of the addresses of the corresponding IPsec SAs is as follows:

In MOBIKE, the originator of the IKE_SA determines the addresses used in the IPsec SAs. That is, the responder only updates the IP addresses of IPsec SAs after receiving an explicit UPDATE_SA_ADDRESSES (update SA address) request from the initiator. When the initiator determines to update the address, update the IP address in IKE_SA and IPsec SAs, and set the "pending_update (binding update)" flag in IKE_SA; if there is an IKEv2 request sent to the responder but has not received a response, use The updated IP address retransmits the request; when the window size allows, send a message exchange request containing the UPDATE_SA_ADDRESSES notification payload, and clear the "pending_update" flag; if the address changes again while waiting for the message exchange response, it again Start with the first step and ignore the reply message returned.

When processing a message exchange request containing UPDATE_SA_ADDRESSES, the corresponding responder needs to perform the following processing:

1. If the responder uses a window size greater than 1, the order of the received requests may be reversed. Therefore, it is necessary to check whether an UPDATE_SA_ADDRESSES request newer than this message has been received. action;

2. Check whether the source address and destination address of the IP packet header are acceptable according to the local policy. If not, return a response containing the UNACCEPTABLE_ADDRESS notification payload, indicating that it is unacceptable;

3. Use the IP address in the IP packet header sent by the initiator to update the IP address in IKE_SA;

4. Reply an information exchange response indicating that the update has been completed;

When the initiator receives the response, it needs to carry out corresponding processing as follows:

1. If the IP address changes before the response arrives, do not process the response and send a new UPDATE_SA_ADDRESSES request;

2. If the response contains an UNACCEPTABLE_ADDRESSES notification payload, the initiator can select another address and re-exchange, or continue to use the current address, or disconnect.

In the MOBIKE protocol, it also includes the function of return routing reachability check (Return Routability Check), specifically: both the initiator and the responder can selectively verify whether the other party can receive the data packet using the current address. Return route reachability checks can be performed before or after updating IPsec SAs, or during normal connections. By default, a return route reachability check is required after updating IPsec SAs. One party initiates an IKE information exchange request, which contains a cookie2 advertisement payload; the other party sends an information exchange response after receiving the information exchange request, copies the received cookie2 advertisement payload and includes it in the information exchange response; the initiator receives After the information exchange response, check whether the received cookie2 advertisement payload is exactly the same as the one sent by itself, so as to complete the return route reachability check.

After introducing the MOBIKE protocol, the network switching and SA address updating process of the mobile node will be described below.

The handover of the mobile node in the external network can be divided into two situations:

Handover between similar networks, the said handover between similar networks refers to roaming of the mobile node from one IPv4 external network to another IPv4 external network, or roaming from one IPv6 external network to another IPv6 external network;

The handover between heterogeneous networks refers to the roaming of the mobile node from an IPv4 external network to an IPv6 external network, or from an IPv6 external network to an IPv4 external network.

In addition, roaming of a mobile node from an IPv6 internal network to an external network can be divided into two cases: moving to an IPv4 external network and moving to an IPv6 external network.

The following describes the configuration of the mobile node and the update of the SA address in various situations.

(1) The mobile node is located in the internal network

The mobile node is located in the internal network. If it is not in the home network, it communicates with the home agent and the communication node inside the VPN through standard mobile IPv6. During the moving process of the mobile node in the internal network, when the IP address changes, the processing that needs to be performed includes:

(1) Immediately stop communication with other nodes inside the VPN, if the IPv4 care-of address is obtained, then determine that the mobile node is located in an IPv4 external network at this time, start using the IPv4 care-of address to carry out IKE negotiation supporting MOBIKE with the VPN gateway, and establish IPsec tunnel;

(2) The mobile node uses the VPN-TIA generated by the VPN gateway as the internal MIPv6 care-of address to send a registration request to the i-HA (internal home agent) through the IPsec tunnel, and communicates with the internal network node through the established IPsec tunnel after receiving the registration response ;

(3) If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly query the IPv6 address of the VPN gateway. The specific query process has been described above and will not be described here;

(4) While performing step (3), the mobile node also needs to send a standard mobile IPv6 registration request to the home agent inside the VPN;

(5) The mobile node performs corresponding communication processing according to whether it receives the corresponding mobile IPv6 registration response;

(51) If the mobile node receives the mobile IPv6 registration response of the mobile IPv6 registration request in the corresponding step (4), then it is determined that the current network of the mobile node is still the VPN internal network, and like this, after completing the registration update, the mobile node can Use the new IPv6 care-of address to communicate with VPN internal nodes;

(52) If the mobile IPv6 registration response of the mobile IPv6 registration request in the corresponding step (4) is not received, and the IPv6 address of the VPN gateway is inquired successfully, the mobile node should be located in an IPv6 external network and use a new IPv6 address Carry out IKE negotiation supporting MOBIKE with the VPN gateway to establish an IPsec tunnel;

In step (52), the specific process of establishing an IPsec tunnel is: the mobile node uses the VPN-TIA generated by the VPN gateway as the internal mobile IPv6 care-of address, sends a registration request to the internal home agent through the IPsec tunnel, and after receiving the registration response Communicate with internal network nodes through the established IPsec tunnel.

(2) The mobile node is located in the external network

When the mobile node is in the external network, it establishes an IPsec tunnel, and communicates with the VPN internal node through the IPsec tunnel. The configuration of the mobile node in the IPv4 external network is different from that in the IPv6 external network. In contrast, the mobile node in the IPv6 external network needs to perform IPv6in IPv4 tunnel encapsulation, which is more complicated.

The roaming of the mobile node on the IPv4 external network and the roaming on the IPv6 external network will be described separately below.

1. The mobile node is located in the IPv4 external network

When the mobile node is located in the IPv4 external network, the obtained IPv4 care-of address is used as the address of the local end of the tunnel, and the IKE negotiation supporting MOBIKE is performed with the VPN gateway to establish an IPsec tunnel, and communicate with the VPN internal node through the IPsec tunnel. When the mobile node moves in the IPv4 external network and the IP address changes, the processing that needs to be performed includes:

(1) Immediately stop the communication with the VPN internal node. If the IPv4 care-of address is obtained, it means that the mobile node has entered another IPv4 external network, and starts to initialize MOBIKE to update the SA address. After the update, the endpoint address of SA is the new mobile node IPv4 care-of address and IPv4 address of the VPN gateway;

(2) If the mobile node has obtained the IPv6 care-of address, use domain name resolution to indirectly query the IPv6 address of the VPN gateway;

(3) While performing step (2), the mobile node also needs to send a standard mobile IPv6 registration request to the home agent inside the VPN;

(4) The mobile node performs corresponding communication processing according to whether the corresponding registration response is returned;

(41) If the mobile node receives the mobile IPv6 registration response corresponding to the mobile IPv6 registration request in the corresponding step (3), it is determined that the mobile node has entered the VPN internal network now, and after completing the registration update, the mobile node can use the new IPv6 The care-of address communicates with VPN internal nodes;

(42) If the MIPv6 (mobile IPv6) registration response corresponding to the mobile IPv6 registration request in the corresponding step (3) is not received, and the IPv6 address of the VPN gateway is inquired successfully, the mobile node is located in an IPv6 external network at this time, and starts to initialize MOBIKE , update the SA address, the updated SA endpoint address is the IPv6 care-of address newly obtained by the mobile node and the IPv6 address of the VPN gateway;

After executing step (42) to complete the IKE SA and IPsec SAs address update, the mobile node continues to communicate with the VPN interior node through the IPsec tunnel.

What needs to be explained for the SA address is: since the mobile node moves from the IPv4 external network to the IPv6 external network, the destination address and source address of the mobile node (that is, the endpoint address of SA) have changed, and the mobile node updates them to IPv6 Address; for the VPN gateway, it is updated according to the address of the IP packet after receiving the UPDATE_SA_ADDRESSES (updated security association address) notification load, so the VPN gateway thinks that the endpoint address of the SA has changed, and will update it to the IPv6 of the mobile node and the VPN gateway address.

2. The mobile node is located in the IPv6 external network

When the mobile node is located in the IPv6 external network, it obtains the IPv6 care-of address, and queries the IPv6 address of the VPN gateway through domain name resolution. Then initiate IKE negotiation supporting MOBIKE to establish an IPsec tunnel. Communicate with VPN internal nodes through IPsec tunnels. When the mobile node moves in the IPv6 external network and the IP address changes, the processing that needs to be performed includes:

(1) Immediately stop the communication with the VPN internal node. If the IPv4 care-of address is obtained, it means that the mobile node has entered another IPv4 external network, and starts to initialize MOBIKE to update the SA address. After the update, the endpoint address of SA is the new mobile node IPv4 care-of address and IPv4 address of the VPN gateway;

(2) If the mobile node has obtained the IPv6 care-of address, use domain name resolution to indirectly query the IPv6 address of the VPN gateway;

(3) send a standard mobile IPv6 registration request to the VPN internal home agent simultaneously with step (2);

(4) The mobile node performs corresponding communication processing according to whether the registration response is returned;

(41) If the mobile node receives the mobile IPv6 registration response corresponding to the mobile IPv6 registration request in the corresponding step (3), it is determined that the mobile node has entered the VPN internal network now, and after completing the registration update, the mobile node can use the new IPv6 The care-of address communicates with VPN internal nodes;

(42) If the MIPv6 registration response corresponding to the mobile IPv6 registration request in the corresponding step (3) is not received, and the IPv6 address of the VPN gateway is successfully inquired, the mobile node is located in an IPv6 external network, and the MOBIKE is initialized to perform the SA address Update, the updated SA endpoint address is the IPv6 care-of address newly obtained by the mobile node and the IPv6 address of the VPN gateway;

After performing said step (42) to complete the IKE SA and IPsec SAs address update, the mobile node continues to communicate with the VPN internal node through the IPsec tunnel.

In the present invention, corresponding security issues need to be considered in the process of updating the SA address, specifically: when updating the SA address, some security threats from third parties in the network may be encountered. The MOBIKE protocol has designed two guarantee mechanisms in consideration of security factors:

First, the return routing reachability check ("return routability" check) can be used to check the reachability of the addresses provided by both nodes, which avoids a large amount of communication traffic from being transmitted to the third party;

Second, NAT prohibition (NAT prohibition) makes the IP address cannot be modified by any NAT, IPv4/v6 translation, or other similar devices.

This feature is mainly used when the administrator already knows that there is no NAT device between the two nodes, so any modification of the data packet is considered an attack.

In the present invention, after each update of the SA address, before the communication of the data flow is resumed, a return route reachability check is added to ensure that the updated address is safe and routable. When the mobile node enters the IPv4 external network or the IPv6 external network, it is considered that there is no necessary NAT device between the mobile node and the VPN gateway. Therefore, NAT prohibition can be used to protect the data packet from being modified.

To sum up, the present invention uses the MOBIKE protocol to update the address item of the SA, cooperates with the method of assigning the VPN-TIA address to the mobile node by the VPN gateway, and successfully solves the two problems mentioned in the prior art. It is also proposed that during the transition period from IPv4 to IPv6, under the IPv4-v6 mixed environment using IPv4 as the backbone network, mobile nodes can access VPN services and switch between networks under the premise of maintaining normal communication.

The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any person skilled in the art can easily conceive of changes or modifications within the technical scope disclosed in the present invention. Replacement should be covered within the protection scope of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of claims.

Claims (19)

1. A method for realizing mobile VPN in a hybrid network, characterized in that, the method is applied to a hybrid network comprising an IPv4 network and a mobile virtual private network (VPN) internal IPv6 network, and the VPN is set in the hybrid network VPN gateway, described VPN gateway provides the internal interface that has IPv6 address and the external interface of IPv4 address, and this method comprises: A. Establish a tunnel between the VPN gateway and the external network for transmitting VPN packets exchanged between the external network and the IPv6 network inside the VPN, and the addresses at both ends of the tunnel are the IPv4 address and the IPv4 address of the external network respectively The IPv4 address of the external interface provided by the VPN gateway; B. Encapsulate the VPN message to be transmitted on the IPv4 header and transmit it through the tunnel to realize the interaction of VPN services in the hybrid network; Wherein, when the external network is an IPv4 external network, the step A includes: establishing an IPsec protocol tunnel between the VPN gateway and a mobile node that obtains a care-of address in the IPv4 external network; or When the external network is an IPv6 external network, the step A includes: after establishing an IPsec protocol tunnel between the VPN gateway and the mobile node that obtains the care-of address in the IPv6 external network, the VPN gateway and the IPv6 external network The access router in the network establishes an IPv6 in IPv4 tunnel for transmitting IPv6 packets. The tunnel encapsulates IPv6 packets in IPv4 packets. The addresses at both ends of the tunnel are the IPv4 address of the IPv6 external network access router and the VPN gateway. IPv4 address of the external interface; The IPsec protocol tunnel is an IPsec protocol tunnel supporting Internet key exchange mobility and the multi-interface protocol MOBIKE. 2. the method for realizing mobile VPN in the mixed network according to claim 1 is characterized in that, the described VPN gateway and the mobile node that is positioned at obtaining the care-of address in the IPv6 external network set up an IPsec protocol tunnel Afterwards, the VPN gateway and the access router in the IPv6 external network establish an IPv6 in IPv4 tunnel for transmitting IPv6 packets. The tunnel encapsulates the IPv6 packets in IPv4 packets, and the addresses at both ends of the tunnel are IPv6 external network access The IPv4 address of the router and the IPv4 address of the external interface of the VPN gateway, including: A11, the mobile node moving to the IPv6 external network initiates a DNS request according to the address information of the domain name server DNS for resolving the IPv4 address of the VPN gateway stored in the IPv6 network; A12. After the DNS receives the DNS request, it returns a DNS response message to the mobile node, and the response message includes the IPv4 address information of the VPN gateway; A13. The mobile node and the IPv6 network obtain the IPv4 address information of the VPN gateway. 3. the method for realizing mobile VPN in the hybrid network according to claim 2, is characterized in that, described step A11 comprises: The mobile node initiates the DNS request of the VPN gateway to the DNS in the IPv6 network where it is located, and after the request reaches the DNS in the IPv6 network, it will be forwarded to the domain name server application layer gateway DNS-ALG set in the IPv6 network; The DNS-ALG determines the DNS for resolving the IPv4 address of the VPN gateway according to the saved DNS server information, and converts the DNS request into an IPv4 DNS request and sends it to the determined DNS. 4. the method for realizing mobile VPN in the hybrid network according to claim 3, is characterized in that, described step A13 comprises: After the DNS-ALG receives the returned DNS response message, it saves the IPv4 address information of the VPN gateway, and adds a prefix to the IPv4 address and converts it into an IPv6 address in IPv6 format and sends it to the mobile node, and the mobile node uses the IPv6 address as the VPN gateway. Address information. 5. according to the method for realizing mobile VPN in the hybrid network described in any one of claim 1 to 4, it is characterized in that, described step B comprises: B1, the mobile node located in the IPv6 external network constructs the message corresponding to the IPv6 address of the VPN gateway, and sends it to the external access router of the IPv6 network; B2, the external access router receives the IPv6 message from the mobile node, adds an IPv4 message header to the message, and what is carried in the message header is the IPv4 address of the VPN gateway, and sends it to said VPN gateway; B3. The VPN gateway parses the received message, decapsulates the IPv4 message and restores it to an IPv6 message, and continues to transmit the IPv6 message. 6. according to the method for realizing mobile VPN in the hybrid network described in any one of claim 1 to 4, it is characterized in that, described step B comprises: B4, the mobile node located in the IPv6 external network constructs the message corresponding to the IPv6 address of the VPN gateway, and sends it to the network address translation-protocol translation NAT-PT entity; B5. The NAT-PT converts the IPv6 address in the IPv6 message into an IPv4 address, and sends it to the external access router, which sends the message to the external access router through the tunnel said VPN gateway; B6. The VPN gateway parses the received message, and continues to transmit the message. 7. the method for realizing mobile VPN in the hybrid network according to claim 1, is characterized in that, the described VPN gateway and the mobile node that is positioned at obtaining the care-of address in the IPv4 external network set up an IPsec protocol tunnel ,include: A21. After the mobile node moves to the IPv4 external network, obtain the care-of address of the IPv4 network; A22. The mobile node negotiates with the VPN gateway to establish the IPsec tunnel, and addresses at both ends of the tunnel are the care-of address and the IPv4 address of the VPN gateway respectively. 8. the method for realizing mobile VPN in the hybrid network according to claim 7, is characterized in that, described step A22 comprises: During the IKE negotiation process of Internet key exchange between the mobile node and the VPN gateway, the VPN gateway will determine a VPN tunnel internal address for the mobile node as the mobile IPv6 care-of address registered by the mobile point to the VPN interior. 9. according to the method for realizing mobile VPN in the hybrid network described in claim 1,7 or 8, it is characterized in that, described step B comprises: The mobile node in the IPv4 network first performs mobile IPv6 encapsulation on the data packet, and then performs IPsec encapsulation according to the established tunnel, and sends the VPN service message encapsulated with the IPv4 header to the VPN gateway through the established tunnel. 10. the method for realizing mobile VPN in the hybrid network according to claim 9, is characterized in that, also comprises in the described step B: When the mobile node performs mobile IPv6 encapsulation on the data packet, the corresponding source address is the internal address of the VPN tunnel, and the destination address is the address of the node inside the VPN. 11. according to the method for realizing mobile VPN in the mixed network described in any one of claim 1 to 4, it is characterized in that, when being positioned at the mobile node in VPN internal network IP address changes during moving, then stop immediately and Communication of other nodes within the VPN, and the method further includes: C1. If the mobile node obtains an IPv4 care-of address, then use the IPv4 care-of address to perform IKE negotiation supporting MOBIKE with the VPN gateway, and establish an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway to the internal home agent through the tunnel Initiate registration, and communicate with the VPN network node through the tunnel after receiving the registration application answer; or, C2. If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly inquire about the IPv6 address of the VPN gateway. After that, the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent; when receiving the IPv6 registration response, It is determined that the mobile node is located inside the VPN, and the mobile node uses the new IPv6 care-of address to communicate with the VPN internal node. 12. the method for realizing mobile VPN in the hybrid network according to claim 11, is characterized in that, described step C2 also comprises: If the mobile node does not receive the mobile IPv6 registration response, and the IPv6 address of the VPN gateway is successfully inquired, and it is determined that the mobile node is located in the IPv6 network outside the VPN, then the new IPv6 address is used to negotiate with the VPN gateway for IKE that supports MOBIKE, Establish an IPsec tunnel; the mobile node uses the internal IPv6 care-of address provided by the VPN gateway to send a registration request to the internal home agent through the IPsec tunnel, and communicates with the internal network node through the established IPsec tunnel after receiving the registration response. 13. according to the method for realizing mobile VPN in the mixed network described in any one of claim 1 to 4, it is characterized in that, when formerly being in the mobile node in IPv4 external network IP address changes during moving, then stop and Communication of VPN internal nodes, and the method further includes: D1. If the mobile node obtains the IPv4 care-of address and determines that the mobile node moves to another IPv4 external network, then initialize MOBIKE and update the SA address. After the update, the endpoint address of SA is the new IPv4 care-of address and VPN gateway of the mobile node IPv4 address, the mobile node continues to communicate with the VPN internal node through the tunnel; or, D2. If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly query the IPv6 address of the VPN gateway; after that, the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent, and receives the mobile IPv6 registration response Afterwards, it is determined that the mobile node moves to the VPN internal network, and uses the new IPv6 care-of address to communicate with the VPN internal node. 14. the method for realizing mobile VPN in the hybrid network according to claim 13, is characterized in that, described step D2 also comprises: If the mobile node does not receive the mobile IPv6 registration response, and the query of the IPv6 address of the VPN gateway is successful, and it is determined that the mobile node has moved to the IPv6 external network, it will start to initialize MOBIKE and update the SA address. After the update, the SA endpoint address is mobile The node newly obtains the IPv6 care-of address and the IPv6 address of the VPN gateway, and the mobile node continues to communicate with the VPN internal node through the tunnel. 15. according to the method for realizing mobile VPN in the mixed network described in any one of claim 1 to 4, it is characterized in that, when the mobile node that is originally in the IPv6 external network changes IP address during moving, then stop and Communication of VPN internal nodes, and the method further includes: E1. If the mobile node obtains the IPv4 care-of address and determines that the mobile node moves to the IPv4 external network, it starts to initialize MOBIKE and updates the SA address. After the update, the endpoint address of SA is the new IPv4 care-of address of the mobile node and the IPv4 address of the VPN gateway , the mobile node continues to communicate with the VPN internal node through the tunnel; or, E2. If the mobile node obtains the IPv6 care-of address, it uses domain name resolution to indirectly query the IPv6 address of the VPN gateway; after that, the mobile node sends a standard mobile IPv6 registration request to the VPN internal home agent, and receives the corresponding mobile IPv6 After the registration response, it is determined that the mobile node moves to the VPN internal network, and the mobile node uses the new IPv6 care-of address to communicate with the VPN internal node. 16. The method for realizing mobile VPN in the hybrid network according to claim 15, characterized in that, described step E2 also includes: If the mobile node does not receive the corresponding mobile IPv6 registration response, and the IPv6 address of the VPN gateway is successfully inquired, and it is determined that the mobile node has moved to another IPv6 external network, it will start to initialize MOBIKE, update the SA address, and update the SA endpoint address For the newly obtained IPv6 care-of address of the mobile node and the IPv6 address of the VPN gateway, the mobile node continues to communicate with the VPN internal node through the tunnel. 17. A system for realizing mobile VPN in a hybrid network, characterized in that it includes an IPv4 external network, an IPv6 external network and a VPN gateway, the internal network of the VPN is an IPv6 network, and the internal interface provided by the VPN gateway is an IPv6 interface, The external interface is an IPv4 interface, and the system also includes: Tunnel establishment module: used to establish a tunnel between the VPN gateway and the external network for transmitting VPN packets exchanged between the two networks, and the addresses at both ends of the tunnel are the IPv4 address and the IPv4 address of the external network respectively. The IPv4 address of the external interface provided by the VPN gateway; Message encapsulation transmission module: set at both ends of the tunnel, used to encapsulate the VPN message to be sent with an IPv4 header, and send it to the opposite end through the tunnel; Wherein, when the external network is an IPv4 external network, the tunnel establishment module further includes: establishing an IPsec protocol tunnel between the VPN gateway and a mobile node that obtains a care-of address in the IPv4 external network; or When the external network is an IPv6 external network, the tunnel establishment module also includes: after establishing an IPsec protocol tunnel between the VPN gateway and the mobile node that obtains the care-of address in the IPv6 external network, the VPN gateway and The access router in the IPv6 external network establishes an IPv6 in IPv4 tunnel for transmitting IPv6 messages. The tunnel encapsulates the IPv6 message in an IPv4 message. The addresses at both ends of the tunnel are the IPv4 address of the IPv6 external network access router and the The IPv4 address of the external interface of the VPN gateway; The IPsec protocol tunnel is an IPsec protocol tunnel supporting Internet key exchange mobility and the multi-interface protocol MOBIKE. 18. the system that realizes mobile VPN in hybrid network according to claim 17 is characterized in that, in IPv6 external network, described system also comprises: DNS-ALG: configured as an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway during the VPN service process through the IPv6 external network; DNS in IPv6 network: configured as IPv4 and IPv6 dual protocol stack, and its upper-level DNS is configured as the DNS-ALG; External access router: configured as IPv4 and IPv6 dual protocol stacks, used to implement the function of encapsulating IPv6 packets with IPv4 headers, and at the same time, used to decapsulate corresponding packets. 19. the system that realizes mobile VPN in hybrid network according to claim 17, is characterized in that, in IPv6 external network, described system also comprises: DNS-ALG: configured as an IPv4 and IPv6 dual protocol stack, used to provide the IPv6 address corresponding to the VPN gateway; DNS in IPv6 network: configure its upper-level DNS in DNS as the DNS-ALG mentioned; NAT-PT entity: used to communicate with external access routers, and convert corresponding IPv6 addresses and IPv4 addresses for packets passing through this entity; External access router: used to send the packets converted by the NAT-PT entity to the VPN gateway, and receive packets from the VPN gateway.

Images