
CN113098856B - Virtual private network VPN implementation method and safety device in transparent mode - Google Patents


Info

Publication number
CN113098856B
Authority
CN
China
Prior art keywords
message
interface
security device
address
mac address
Prior art date
Legal status
Active
Application number
CN202110334251.3A
Other languages
Chinese (zh)
Other versions
CN113098856A
Inventor
邹景嫽
郑惠中
姚尚平
刘琛梅
Current Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd

Classifications

    • H  ELECTRICITY
    • H04  ELECTRIC COMMUNICATION TECHNIQUE
    • H04L  TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00  Network architectures or network communication protocols for network security
    • H04L 63/02  Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L 63/0272  Virtual private networks

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses a virtual private network (VPN) implementation method and a security device in transparent mode. The security device, deployed in transparent transmission mode, creates a layer-3 logical interface used to establish a VPN tunnel with a peer device; the security device processes a first packet sent by an intranet device to the peer device based on the binding relationship between the layer-3 logical interface and the intranet interface of the security device; and the security device updates the destination MAC address of a second packet sent by the peer device to the intranet device based on the layer-3 logical interface. With this method, the security device can be deployed into the network in transparent transmission mode without changing the user's existing network planning; a layer-3 logical interface can then be created in the security device, and VPN communication between the intranet device and the peer device can be achieved based on that logical interface.

Description

Virtual private network VPN implementation method and safety device in transparent mode
Technical Field
The embodiments of the application relate to the field of network security, in particular to a Virtual Private Network (VPN) implementation method and a security device in transparent mode.
Background
Currently, there are a large number of industry-specific networks, such as those used in banking, tobacco and petrochemical systems. These networks are already built and are very large, and it is undesirable for their operation to be interrupted by a user modifying the network. However, these networks lacked network security considerations when they were initially set up. Therefore, without changing the configuration of the original network equipment, secure communication between the internal networks of the various enterprises over the insecure Internet can be achieved by building a VPN (Virtual Private Network) tunnel.
Referring to fig. 1, a VPN communication system according to the prior art is shown. The system comprises two subnets (Lan, Local Area Network), called Lan1 and Lan2, and two security devices, called security device 1 and security device 2. Security device 1 and security device 2 are each deployed in a layer-3 routing environment and are used to implement VPN communication between Lan1 and Lan2, that is, to encrypt and decrypt the packets exchanged between Lan1 and Lan2. One end of security device 1 is connected to Lan1 through an intranet interface, and its other end is connected to the Internet through an extranet interface; similarly, one end of security device 2 is connected to Lan2 through an intranet interface, and its other end is connected to the Internet through an extranet interface. Router denotes a router.
However, a large number of security devices are currently deployed in transparent environments, where they are used to implement access control lists (ACL), security protection and other functions. If a user wants to add VPN communication for the protected subnet to a security device in transparent transmission mode, the user has to switch the current transparent deployment to a layer-3 routing deployment. Implementing VPN communication between the two subnets in this way requires the user to update the configuration of the security devices, routers and other network devices in the network, which greatly increases the network management workload and is cumbersome and time-consuming.
In summary, a method for implementing VPN communication between subnetworks simply and efficiently by using a security device deployed in a transparent environment is needed.
Disclosure of Invention
The application provides a virtual private network (VPN) implementation method and a security device in transparent mode, so that a security device in transparent transmission mode can implement VPN communication between subnets simply and efficiently.
In a first aspect, an embodiment of the present application provides a method for implementing a virtual private network (VPN) in transparent mode, the method comprising: a security device in transparent transmission mode creates a layer-3 logical interface used to establish a VPN tunnel with a peer device; the security device processes a first packet sent by an intranet device to the peer device based on the binding relationship between the layer-3 logical interface and an intranet interface of the security device; and the security device updates the destination MAC address of a second packet sent by the peer device to the intranet device based on the layer-3 logical interface.
Based on this scheme, the security device can be deployed into the network in transparent transmission mode to build a VPN tunnel without changing the user's existing network planning. Since a security device in this state has no layer-3 physical interface with which to implement VPN communication, a layer-3 logical interface is created in the security device, and VPN communication between the intranet device and the peer device is then implemented based on that logical interface. In this way, VPN can be added conveniently and quickly without the user having to change the existing network.
In one possible implementation, the security device includes a first intranet interface, and processing the first packet sent by the intranet device to the peer device based on the binding relationship between the layer-3 logical interface and the intranet interface of the security device comprises: the security device receives the first packet through the first intranet interface; if the security device determines that the binding relationship includes a binding between the layer-3 logical interface and the first intranet interface, it encapsulates the first packet according to a first VPN policy matched by the first packet under the first intranet interface, generating a third packet; and the security device transmits the third packet to the peer device through a first extranet interface, the first extranet interface being paired with the first intranet interface.
Based on this scheme, when the intranet device sends a packet to the peer device, the security device may, for example, receive the first packet generated by the intranet device through its first intranet interface. The security device then checks the relationship between the first intranet interface and its own layer-3 logical interface. Since the created layer-3 logical interface is used to negotiate with the peer device and to configure and establish the VPN tunnel, if the check finds that a binding relationship exists between the two (the binding is pre-configured by the user), it can be preliminarily determined that the first packet is one that needs to be transmitted to the peer device through the VPN tunnel. The security device still has to match the first packet against the VPN policies under the first intranet interface to finally decide whether it needs to be transmitted through the VPN tunnel; for example, if the security device determines that the first packet conforms to the first VPN policy under the first intranet interface (the VPN policies under the first intranet interface are pre-configured by the user), it encapsulates the first packet to generate the third packet. Finally, the security device transmits the generated third packet to the peer device through the first extranet interface paired with the first intranet interface.
In this way, when the security device is deployed in the network in transparent transmission mode, the layer-3 logical interface is created and the further binding relationships needed for VPN communication are created on top of it, so that VPN communication can be implemented without changing the user's existing network topology.
In a possible implementation, if it is determined that the binding relationship does not include a binding between the layer-3 logical interface and the first intranet interface, the security device transmits the first packet outward through the first extranet interface.
Based on this scheme, when the security device checks the relationship between the first intranet interface and its layer-3 logical interface and finds that no such relationship exists, it can determine that the first packet does not need to be transmitted to the peer device through the VPN tunnel; the security device therefore performs no further processing on the first packet and transmits it outward through its first extranet interface.
In a possible implementation, if it is determined that the first packet has no VPN policy under the first intranet interface, the security device transmits the first packet outward through the first extranet interface.
Based on this scheme, the security device may have preliminarily determined that the first packet needs to be transmitted to the peer device through the VPN tunnel, but when it subsequently matches the first packet against the VPN policies under the first intranet interface it finds that the first packet conforms to none of them, that is, there is no applicable VPN policy. The security device then finally determines that the first packet does not need to be transmitted to the peer device through the VPN tunnel, performs no further processing on it, and transmits it outward through its own first extranet interface.
In a possible implementation, before encapsulating the first packet, the method further includes: the security device determines that a VPN tunnel has been established with the peer device.
Based on this solution, for a first packet received through its first intranet interface, if the security device determines that a binding relationship exists between the first intranet interface and the layer-3 logical interface, and also that the first packet conforms to a first VPN policy under the first intranet interface, it still has to confirm whether the VPN tunnel has been successfully created (the VPN tunnel is created by negotiating with the peer device through the security device's layer-3 logical interface). Once it is determined that the VPN tunnel with the peer device exists, the security device can encapsulate the first packet using the negotiation information from the successful tunnel setup.
In a possible implementation, if the security device determines that no VPN tunnel has been established with the peer device, the security device transmits the first packet outward through the first extranet interface.
Based on this scheme, for a first packet received through its first intranet interface, if the security device determines that a binding relationship exists between the first intranet interface and the layer-3 logical interface, and also that the first packet conforms to a first VPN policy under the first intranet interface, but the subsequent check finds that the VPN tunnel was not successfully created, that is, no VPN tunnel exists, then the security device has no negotiation information with which to encapsulate the first packet, and so it transmits the first packet outward through the first extranet interface.
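The outbound decision described in the implementations above (binding check, VPN policy match, tunnel check, otherwise pass-through on the paired extranet interface), modelled as an added Python example. This is not code from the patent or from NSFOCUS; the interface names, prefixes and addresses are constructed, and the `fail_closed` option is an addition that the patent does not describe.

```python
"""Outbound (intranet -> peer) decision of a transparent-mode security device.

Added illustration, not code from the patent or from NSFOCUS. Interface
names, prefixes and addresses below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Packet:
    in_iface: str   # intranet interface the frame arrived on, e.g. "A'"
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class VpnPolicy:
    """Traffic selector configured by the user under an intranet interface."""
    src_net: str
    dst_net: str

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src_ip) in ipaddress.ip_network(self.src_net)
                and ipaddress.ip_address(pkt.dst_ip) in ipaddress.ip_network(self.dst_net))


@dataclass
class TransparentDevice:
    pairs: dict                 # intranet interface -> paired extranet interface
    l3_bindings: set            # intranet interfaces bound to the layer-3 logical interface
    policies: dict              # intranet interface -> list of VpnPolicy
    tunnel_up: bool = False     # outcome of the negotiation over the logical interface
    fail_closed: bool = False   # NOT in the patent: drop instead of passing clear text

    def process_outbound(self, pkt: Packet) -> tuple:
        """Return (action, egress interface).

        action is "encapsulate" (send the third packet through the tunnel),
        "passthrough" (forward the first packet unchanged) or "drop".
        """
        out = self.pairs[pkt.in_iface]
        # 1. No binding between this intranet interface and the layer-3
        #    logical interface: not tunnel traffic, pass it through.
        if pkt.in_iface not in self.l3_bindings:
            return ("passthrough", out)
        # 2. Bound, but no VPN policy under the interface covers this packet.
        policy = next((p for p in self.policies.get(pkt.in_iface, [])
                       if p.matches(pkt)), None)
        if policy is None:
            return ("passthrough", out)
        # 3. Policy matched but the tunnel was never established. The patent
        #    passes the packet through in clear text here, which an operator
        #    should expect and monitor; fail_closed is an added alternative.
        if not self.tunnel_up:
            return ("drop", out) if self.fail_closed else ("passthrough", out)
        # 4. Bound, policy matched, tunnel up: encapsulate into the third packet.
        return ("encapsulate", out)


def build_example_device(tunnel_up: bool = False, fail_closed: bool = False) -> TransparentDevice:
    """Constructed configuration using the A/A' and B/B' pairing of fig. 3(a)."""
    return TransparentDevice(
        pairs={"A'": "A", "B'": "B"},
        l3_bindings={"A'"},
        policies={"A'": [VpnPolicy("10.1.0.0/24", "10.2.0.0/24")]},
        tunnel_up=tunnel_up,
        fail_closed=fail_closed,
    )


if __name__ == "__main__":
    dev = build_example_device(tunnel_up=True)
    print(dev.process_outbound(Packet("A'", "10.1.0.5", "10.2.0.9")))     # encapsulate via A
    print(dev.process_outbound(Packet("A'", "10.1.0.5", "203.0.113.7")))  # passthrough via A
    print(dev.process_outbound(Packet("B'", "10.1.0.5", "10.2.0.9")))     # passthrough via B
```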
In one possible implementation, the security device includes a second extranet interface, and updating the destination MAC address of the second packet sent by the peer device to the intranet device based on the layer-3 logical interface comprises: the security device receives a VPN data packet through the second extranet interface, the VPN data packet having been transmitted through the VPN tunnel; the security device decapsulates the VPN data packet to obtain the second packet; and the security device updates the destination MAC address of the second packet based on the layer-3 logical interface.
Based on this scheme, when the peer device sends a packet to the intranet device, the security device may, for example, receive the VPN data packet sent by the peer device through its second extranet interface and decapsulate it to obtain the second packet. Because the security device is deployed in the network in transparent transmission mode, a device in this state would not normally update the destination MAC address of the second packet; in a VPN scenario, however, if the destination MAC address of the decapsulated second packet is not updated after a packet traversing the VPN tunnel is decapsulated, the packet will not be forwarded. For this reason, in the embodiment of the present application the destination MAC address of the second packet is updated based on the layer-3 logical interface created locally on the security device, which overcomes the limitation that a security device in transparent deployment mode cannot implement VPN communication.
In a possible implementation, the destination IP address of the second packet and the IP address of the layer-3 logical interface are in different network segments, and updating the destination MAC address of the second packet based on the layer-3 logical interface comprises: if the security device determines that its MAC table contains a first MAC address corresponding to the IP address of the next-hop gateway, the first MAC address is used as the destination MAC address of the second packet, the IP address of the next-hop gateway being set by configuration; if the security device determines that the MAC table does not contain the first MAC address, it sends a first ARP request to the next-hop gateway based on the next-hop gateway's IP address and uses the second MAC address in the first ARP reply as the destination MAC address of the second packet, the first ARP reply being generated by the next-hop gateway on receiving the first ARP request and sent to the security device.
Based on this scheme, when the security device decapsulates the VPN data packet and obtains the second packet, it may compare the destination IP address of the second packet with the IP address of the layer-3 logical interface. If the two belong to different network segments, the security device cannot by itself determine where the second packet should be forwarded next. To solve this problem, the embodiment of the present application configures the IP address of the security device's next-hop gateway in advance, that is, the user pre-configures the next-hop gateway IP address, so that the security device can query its local MAC table using that address. The query has two possible outcomes: if the next-hop gateway's IP address is present in the MAC table and corresponds to the first MAC address, the security device uses the first MAC address to update the destination MAC address of the second packet; if it is not present, the security device sends the first ARP request to the next-hop gateway based on its IP address and uses the second MAC address from the first ARP reply to update the destination MAC address of the second packet, so that the VPN packet can flow in the network.
In a possible implementation, the destination IP address of the second packet and the IP address of the layer-3 logical interface are in the same network segment, and updating the destination MAC address of the second packet based on the layer-3 logical interface comprises: if the security device determines that its MAC table contains a third MAC address corresponding to the destination IP address of the second packet, the third MAC address is used as the destination MAC address of the second packet; if the security device determines that the MAC table does not contain the third MAC address, it sends a second ARP request to the intranet device based on the destination IP address of the second packet and uses the fourth MAC address in the second ARP reply as the destination MAC address of the second packet, the second ARP reply being generated by the intranet device on receiving the second ARP request and sent to the security device.
Based on this scheme, when the security device decapsulates the VPN data packet and obtains the second packet, it may compare the destination IP address of the second packet with the IP address of the layer-3 logical interface. If the two belong to the same network segment, the security device can simply query its local MAC table using the destination IP address of the second packet. The query has two possible outcomes: if the destination IP address of the second packet is present in the MAC table and corresponds to the third MAC address, the security device uses the third MAC address to update the destination MAC address of the second packet; if it is not present, the security device sends the second ARP request to the intranet device based on the destination IP address of the second packet and uses the fourth MAC address from the second ARP reply to update the destination MAC address of the second packet, so that the VPN packet can flow in the network.
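The destination-MAC update for a decapsulated packet, covering both the off-segment case (resolve the configured next-hop gateway) and the same-segment case (resolve the intranet host), as an added Python example. This is not code from the patent or from NSFOCUS; the MAC table contents, the gateway address and the ARP responder are constructed stand-ins for the device's real tables and ARP traffic.

```python
"""Destination-MAC update applied to a decapsulated VPN packet.

Added illustration, not code from the patent or from NSFOCUS. The MAC
table, gateway address and ARP responder are constructed stand-ins.
"""
import ipaddress
from typing import Callable, Dict, List, Optional

MacTable = Dict[str, str]                      # IP address -> MAC address learned so far
ArpRequest = Callable[[str], Optional[str]]    # send an ARP request for an IP, get MAC or None


def resolve_destination_mac(dst_ip: str, l3_iface: str, mac_table: MacTable,
                            next_hop_gw: Optional[str], arp_request: ArpRequest) -> Optional[str]:
    """Choose the MAC address to write into the decapsulated second packet.

    l3_iface is the layer-3 logical interface address with prefix
    (e.g. "10.2.0.254/24"); next_hop_gw is the pre-configured gateway used
    when dst_ip lies outside that segment. Returns None if nothing resolved.
    """
    dst = ipaddress.ip_address(dst_ip)
    iface = ipaddress.ip_interface(l3_iface)
    if dst in iface.network:
        target = dst_ip            # same segment: resolve the intranet host itself
    else:
        if next_hop_gw is None:
            return None            # off-segment with no gateway configured: cannot forward
        target = next_hop_gw       # different segment: forward via the next-hop gateway
    mac = mac_table.get(target)
    if mac is None:                # MAC table miss: send an ARP request and learn the reply
        mac = arp_request(target)
        if mac is not None:
            mac_table[target] = mac
    return mac


def rewrite_frame(frame: dict, l3_iface: str, mac_table: MacTable,
                  next_hop_gw: Optional[str], arp_request: ArpRequest) -> Optional[dict]:
    """Return a copy of the decapsulated frame with dst_mac updated, or None if it cannot be forwarded."""
    mac = resolve_destination_mac(frame["dst_ip"], l3_iface, mac_table, next_hop_gw, arp_request)
    if mac is None:
        return None
    return {**frame, "dst_mac": mac}


def make_arp_responder(hosts: Dict[str, str], sent: List[str]) -> ArpRequest:
    """Constructed ARP stand-in: `hosts` answers requests, `sent` records every request made."""
    def request(ip: str) -> Optional[str]:
        sent.append(ip)
        return hosts.get(ip)
    return request


if __name__ == "__main__":
    sent: List[str] = []
    arp = make_arp_responder({"10.2.0.1": "02:00:00:00:00:01", "10.2.0.7": "02:00:00:00:00:07"}, sent)
    table: MacTable = {"10.2.0.9": "02:00:00:00:00:09"}
    for dst in ("10.2.0.9", "10.2.0.7", "10.3.0.5", "10.3.0.6", "10.2.0.99"):
        print(dst, resolve_destination_mac(dst, "10.2.0.254/24", table, "10.2.0.1", arp))
    print("ARP requests sent:", sent)
```

The recorded request list shows that ARP is only sent on a MAC-table miss and that the gateway entry, once learned, serves every later off-segment destination.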
In a second aspect, an embodiment of the present application provides a security device in transparent transmission mode, the security device comprising: a layer-3 logical interface creation unit, configured to create a layer-3 logical interface used to establish a VPN tunnel with a peer device; and a processing unit, configured to process a first packet sent by an intranet device to the peer device based on a binding relationship between the layer-3 logical interface and an intranet interface of the security device, and further configured to update the destination MAC address of a second packet sent by the peer device to the intranet device based on the layer-3 logical interface.
In one possible implementation, the security device includes a first intranet interface, and the processing unit is specifically configured to: receive the first packet through the first intranet interface; if the binding relationship is determined to include a binding between the layer-3 logical interface and the first intranet interface, encapsulate the first packet according to a first VPN policy matched by the first packet under the first intranet interface to generate a third packet; and transmit the third packet to the peer device through a first extranet interface, the first extranet interface being paired with the first intranet interface.
In one possible implementation, the processing unit is further configured to: if the binding relationship does not include a binding between the layer-3 logical interface and the first intranet interface, transmit the first packet outward through the first extranet interface.
In one possible implementation, the processing unit is further configured to: if it is determined that the first packet has no VPN policy under the first intranet interface, transmit the first packet outward through the first extranet interface.
In one possible implementation, the processing unit is further configured to: determine that a VPN tunnel has been established with the peer device.
In a possible implementation, the processing unit is further configured to: if no VPN tunnel has been established with the peer device, transmit the first packet outward through the first extranet interface.
In one possible implementation, the security device includes a second extranet interface, and the processing unit is specifically configured to: receive a VPN data packet through the second extranet interface, the VPN data packet having been transmitted through the VPN tunnel; decapsulate the VPN data packet to obtain the second packet; and update the destination MAC address of the second packet based on the layer-3 logical interface.
In a possible implementation, the destination IP address of the second packet and the IP address of the layer-3 logical interface are in different network segments, and the processing unit is specifically configured to: if the MAC table contains a first MAC address corresponding to the IP address of the next-hop gateway, use the first MAC address as the destination MAC address of the second packet, the IP address of the next-hop gateway being set by configuration; if the MAC table does not contain the first MAC address, send a first ARP request to the next-hop gateway based on its IP address and use the second MAC address in the first ARP reply as the destination MAC address of the second packet, the first ARP reply being generated by the next-hop gateway on receiving the first ARP request and sent to the security device.
In a possible implementation, the destination IP address of the second packet and the IP address of the layer-3 logical interface are in the same network segment, and the processing unit is specifically configured to: if the MAC table contains a third MAC address corresponding to the destination IP address of the second packet, use the third MAC address as the destination MAC address of the second packet; if the MAC table does not contain the third MAC address, send a second ARP request to the intranet device based on the destination IP address of the second packet and use the fourth MAC address in the second ARP reply as the destination MAC address of the second packet, the second ARP reply being generated by the intranet device on receiving the second ARP request and sent to the security device.
In a third aspect, an embodiment of the present application provides a computing device, including:
a memory for storing a computer program;
a processor for calling the computer program stored in the memory and executing the method according to any implementation of the first aspect according to the obtained program.
In a fourth aspect, the present application provides a computer-readable storage medium storing a computer program that causes a computer to execute the method according to any implementation of the first aspect.
Drawings
In order to illustrate the technical solutions of the embodiments of the present application more clearly, the drawings needed for the description of the embodiments are briefly introduced below. It is evident that the drawings described below show only some embodiments of the present application, and that those skilled in the art could obtain other drawings from them without inventive effort.
Fig. 1 illustrates a VPN communication system according to the prior art;
Fig. 2 is a VPN communication system according to an embodiment of the present application;
Fig. 3 is another VPN communication system according to an embodiment of the present application;
Fig. 4 is a method for implementing a virtual private network (VPN) in transparent mode according to an embodiment of the present application;
Fig. 5 is a flowchart of VPN encapsulation by a security device deployed in transparent transmission mode according to an embodiment of the present application;
Fig. 6 is a flowchart of VPN decapsulation by a security device deployed in transparent transmission mode according to an embodiment of the present application;
Fig. 7 is a security device provided in an embodiment of the present application;
Fig. 8 is a schematic diagram of a computing device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application clearer, the present application will be described in further detail with reference to the accompanying drawings, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all embodiments. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments in the present application without making any creative effort belong to the protection scope of the present application.
At present, secure communication between the internal networks of enterprises can be strengthened by building VPN tunnels. Although the prior art supports deploying VPN tunnels on security devices in a layer-3 routing environment, the current situation is that many security devices are deployed in a transparent environment, that is, they use transparent transmission mode to pass the packets exchanged between subnets. If a user wants to add VPN communication for the protected subnet to a security device in transparent transmission mode, the user has to switch the current transparent deployment to a layer-3 routing deployment. Implementing VPN communication between the two subnets in this way requires the user to update the configuration of the security devices, routers and other network devices in the network, which greatly increases the network management workload and is cumbersome and time-consuming.
To solve the above technical problem, the VPN communication system provided in the embodiment of the present application, shown in fig. 2, includes subnets Lan1 and Lan2, security device 1, security device 2, the Internet, and a router (Router). As an example, in the present application security device 1 is deployed in layer-3 routing mode and security device 2 is deployed in transparent mode.
The subnet Lan2 connected to security device 2 may be a user device directly, user devices connected through a switch, or user devices connected through a router. For ease of understanding, this embodiment provides another VPN communication system, shown in fig. 3, in which diagram (a) shows the scenario where the subnet Lan2 connected to security device 2 is a user device, diagram (b) the scenario where Lan2 is user devices connected through a switch, and diagram (c) the scenario where Lan2 is user devices connected through a router.
In diagram (a) of fig. 3, security device 1 is deployed in a layer-3 routing environment and security device 2 in a transparent environment. Interface A is an extranet interface and interface A' is an intranet interface; extranet interface A and intranet interface A' form a pair, and similarly extranet interface B and intranet interface B' form a pair. The two user devices are connected to intranet interfaces A' and B' respectively, and thereby access the network.
In diagram (b) of fig. 3, security device 1 is deployed in a layer-3 routing environment and security device 2 in a transparent environment. Interface C is an extranet interface and interface C' is an intranet interface; extranet interface C and intranet interface C' form a pair, and similarly extranet interface D and intranet interface D' form a pair. One end of each switch (Switch) is connected to the user devices and the other end to intranet interface C' or D' respectively, so that the user devices can access the network.
In diagram (c) of fig. 3, security device 1 is deployed in a layer-3 routing environment and security device 2 in a transparent environment. Interface E is an extranet interface and interface E' is an intranet interface; extranet interface E and intranet interface E' form a pair, and similarly extranet interface F and intranet interface F' form a pair. One end of each router (Router) is connected to the user devices and the other end to intranet interface E' or F' respectively, so that the user devices can access the network.
In view of the above technical problems and the VPN communication system provided in the present application, an embodiment of the present application provides a method for implementing a virtual private network VPN in a transparent mode. The method may be executed by the security device 2 deployed in the transparent mode as shown in fig. 2, and, as shown in fig. 4, includes the following steps:
Step 401, the security device in the transparent transmission mode creates a three-layer logical interface for establishing a VPN tunnel with the peer device.
In this step, in order to implement VPN communication, that is, to build a VPN tunnel, the security device may remain deployed in the network in the transparent transmission mode so that the user's existing network topology is not changed. Since a security device in this state has no three-layer physical port with which to implement VPN communication, a three-layer logical interface is created on the security device, and VPN communication between the intranet device and the peer device can then be implemented on the basis of that three-layer logical interface. In this way the VPN function can be added conveniently and quickly without the user having to change the existing network.
Step 402, the security device processes a first message sent by the intranet device to the peer device based on the binding relationship between the three-layer logical interface and the intranet interface of the security device.
In this step, for the scenario in which the intranet device sends a message (i.e., the first message) to the peer device: since the three-layer logical interface created by the security device is used to perform VPN negotiation with the peer device and to configure and establish the VPN tunnel, the security device may process the first message generated by the intranet device based on the binding relationship between its intranet interface and the three-layer logical interface. That is, if an intranet interface has been configured by the user in advance to have a binding relationship with the three-layer logical interface of the security device, a message subsequently entering the security device through that intranet interface may be preliminarily determined to be a message that needs to be transmitted to the peer device through the VPN tunnel.
Step 403, the security device updates, based on the three-layer logical interface, the destination MAC address of a second message sent by the peer device to the intranet device.
In this step, for the scenario in which the peer device sends a message (i.e., the second message) to the intranet device: since the security device is deployed in the network in the transparent transmission mode, a security device in this state cannot by itself update the destination MAC address of the second message; however, in the VPN communication scenario, if the security device does not update the destination MAC address of the second message, data forwarding fails. Therefore, in the embodiment of the present application the destination MAC address of the second message is updated based on the three-layer logical interface created locally on the security device, which overcomes the defect that a security device in the transparent deployment mode cannot implement VPN communication.
In one implementation of step 402 above, the security device includes a first intranet interface, and processing the first message sent by the intranet device to the peer device based on the binding relationship between the three-layer logical interface and the intranet interface of the security device includes: the security device receives the first message through the first intranet interface; if the security device determines that the binding relationship includes a binding relationship between the three-layer logical interface and the first intranet interface, it encapsulates the first message according to a first VPN policy of the first message under the first intranet interface to generate a third message; the security device transmits the third message to the peer device through a first extranet interface, where the first extranet interface is paired with the first intranet interface.
Referring to fig. 3 (b), the security device 2 in the transparent transmission mode includes two intranet interfaces, C' and D'. As an example, in the embodiment of the present application, let the intranet interface C' be the first intranet interface, and let the user device 1 generate a message, called message 1; message 1 then enters the security device 2 through the intranet interface C', and message 1 is the first message. Correspondingly, after the security device 2 receives message 1 through the intranet interface C', the security device 2 may check the relationship between its three-layer logical interface and the intranet interface C'. When it determines that the user has configured a binding relationship between the three-layer logical interface and the intranet interface C', message 1 may be preliminarily determined to be a message that needs to be transmitted to the peer device through the VPN tunnel, but the security device 2 still needs to examine message 1 further. In this further examination, if the security device 2 determines that message 1 matches a VPN policy preset by the user under the intranet interface C', the security device 2 may encapsulate message 1 according to the matched VPN policy to obtain an encapsulated message, called message 2. Finally, the security device 2 may transmit message 2 to the peer device through the extranet interface C paired with the intranet interface C'. In this embodiment, the matched VPN policy is the first VPN policy, message 2 is the third message, and the extranet interface C is the first extranet interface.
In some implementations of the present application, if it is determined that the binding relationship does not include a binding relationship between the three-layer logical interface and the first intranet interface, the security device transmits the first message to the outside through the first extranet interface.
Continuing the example of diagram (b) of fig. 3, when the security device 2 checks the relationship between its three-layer logical interface and the intranet interface C', if the security device 2 determines that the three-layer logical interface has no binding relationship with the intranet interface C', that is, the user has not configured in advance a binding relationship between the three-layer logical interface of the security device 2 and the intranet interface C', the security device 2 may determine that message 1 does not need to be transmitted through the VPN tunnel, and thus the security device 2 may directly transmit message 1 to the outside through the extranet interface C.
In some implementations of the present application, if it is determined that the first message has no VPN policy under the first intranet interface, the security device transmits the first message to the outside through the first extranet interface.
Continuing the example of diagram (b) of fig. 3, after the security device 2 preliminarily determines that message 1 is a message that needs to be transmitted to the peer device through the VPN tunnel, if, on further examination, the security device 2 determines that message 1 does not match the VPN policy preset by the user under the intranet interface C', that is, message 1 has no VPN policy under the intranet interface C', then the security device 2 finally determines that message 1 does not need to be transmitted through the VPN tunnel, and may directly transmit message 1 to the outside through the extranet interface C.
In some implementations of the present application, before encapsulating the first message, the method further includes: the security device determines that a VPN tunnel has been established with the peer device.
Continuing the example of diagram (b) of fig. 3, when the security device 2 determines that message 1 matches the VPN policy preset by the user under the intranet interface C', the security device 2 has determined that message 1 really is a message that needs to be transmitted to the peer device through the VPN tunnel, and so the security device 2 needs to encapsulate message 1 and then send the encapsulated message to the peer device. When encapsulating message 1, the security device 2 needs to determine that it has established a VPN tunnel with the peer device through the three-layer logical interface, so that it can encapsulate message 1 according to the negotiation information generated when the VPN tunnel was successfully established.
In some implementations of the present application, if it is determined that no VPN tunnel has been established with the peer device, the security device transmits the first message to the outside through the first extranet interface.
Continuing the example of diagram (b) of fig. 3, when the security device 2 has determined that message 1 indeed needs to be transmitted to the peer device through the VPN tunnel, but at this point determines that it has not successfully established a VPN tunnel with the peer device through the three-layer logical interface, the security device 2 cannot obtain negotiation information with which to encapsulate message 1, and therefore may directly transmit message 1 to the outside through the extranet interface C.
In one implementation of step 403 above, the security device includes a second extranet interface, and updating, based on the three-layer logical interface, the destination MAC address of the second message sent by the peer device to the intranet device includes: the security device receives a VPN data packet through the second extranet interface, the VPN data packet being transmitted over the VPN tunnel; the security device decapsulates the VPN data packet to obtain the second message; and the security device updates the destination MAC address of the second message based on the three-layer logical interface.
Referring to fig. 3 (c), the security device 2 in the transparent transmission mode includes two extranet interfaces, E and F. As an example, in the embodiment of the present application, let the extranet interface E be the second extranet interface; through the extranet interface E the security device 2 receives a VPN data packet transmitted over the VPN tunnel. The security device 2 then decapsulates the VPN data packet to obtain a message, called message 3, which is the second message. Finally, the security device 2 may update the destination MAC address of message 3 based on the created three-layer logical interface.
In some implementations of the present application, the destination IP address of the second message and the IP address of the three-layer logical interface are in different network segments, and updating the destination MAC address of the second message based on the three-layer logical interface includes: if the security device determines that the MAC table includes a first MAC address pointed to by the IP address of the next-hop gateway, the first MAC address is used as the destination MAC address of the second message, where the IP address of the next-hop gateway is set by configuration; if the security device determines that the MAC table does not include the first MAC address, it sends a first ARP request to the next-hop gateway based on the IP address of the next-hop gateway, and uses the second MAC address in the first ARP response message as the destination MAC address of the second message, where the first ARP response message is generated by the next-hop gateway upon receiving the first ARP request and sent to the security device.
Continuing the example of diagram (c) of fig. 3, when the security device 2 updates the destination MAC address of message 3 based on the created three-layer logical interface, it compares the destination IP address of message 3 with the IP address of the three-layer logical interface. If it determines that the two addresses are in different network segments, the security device 2 reads the IP address of the next-hop gateway and queries the local MAC table using that IP address as the key. This query has two possible results:
Result 1: the IP address of the next-hop gateway exists in the MAC table and corresponds to the first MAC address, so the security device 2 updates the destination MAC address of message 3 with the first MAC address;
Result 2: the IP address of the next-hop gateway does not exist in the MAC table, so the security device 2 sends a first ARP request to the next-hop gateway based on its IP address and updates the destination MAC address of message 3 with the second MAC address carried in the first ARP response message.
Here, the IP address of the next-hop gateway is configured in advance by the user. The reason the user is required to configure the IP address of the next-hop gateway on the security device in advance is as follows: since the security device 2 is deployed in the transparent transmission mode, without some other intervention it does not actively modify the MAC address of a message that enters it through the VPN tunnel, but forwards the received message out unchanged; however, in the VPN communication scenario, if the security device 2 does not update the MAC address of the message after decapsulating the VPN data packet, the data cannot be forwarded. Therefore, in the embodiment of the present application, the IP address of the next-hop gateway is set in advance on the security device 2; when the security device 2 determines that the destination IP address of message 3 and the IP address of its three-layer logical interface are in different network segments, it reads the IP address of the next-hop gateway and updates the MAC address of message 3 according to that IP address, thereby ensuring that the data flows normally.
In some implementations of the present application, the destination IP address of the second message and the IP address of the three-layer logical interface are in the same network segment, and updating the destination MAC address of the second message based on the three-layer logical interface includes: if the security device determines that the MAC table includes a third MAC address pointed to by the destination IP address of the second message, the third MAC address is used as the destination MAC address of the second message; if the security device determines that the MAC table does not include the third MAC address, it sends a second ARP request to the intranet device based on the destination IP address of the second message, and uses the fourth MAC address in the second ARP response message as the destination MAC address of the second message, where the second ARP response message is generated by the intranet device upon receiving the second ARP request and sent to the security device.
Continuing the example of diagram (c) of fig. 3, when the security device 2 updates the destination MAC address of message 3 based on the created three-layer logical interface, it compares the destination IP address of message 3 with the IP address of the three-layer logical interface. If it determines that the two addresses are in the same network segment, the security device 2 queries the local MAC table using the destination IP address of message 3. This query has two possible results:
Result 1: the security device 2 determines that the destination IP address of message 3 exists in the MAC table and corresponds to the third MAC address; the security device 2 updates the MAC address of message 3 with the third MAC address and sends the updated message 3 to the outside through the intranet interface E' paired with the extranet interface E. The intranet interface E' is the second intranet interface;
Result 2: the security device 2 determines that the destination IP address of message 3 does not exist in the MAC table; the security device 2 sends a second ARP request to the intranet devices in the environment according to the destination IP address of message 3 and receives a second ARP response message returned by the intranet device that owns that destination IP address. The second ARP response message carries a fourth MAC address, so the security device updates the MAC address of message 3 with the fourth MAC address and sends the updated message 3 to the outside through the intranet interface E'.
As shown in fig. 5, an embodiment of the present application provides a flowchart of VPN encapsulation for a security device deployed in the transparent transmission mode on which a three-layer logical interface has been created; the flow includes the following steps:
Step 501, the data packet enters an intranet interface.
Step 502, determine whether the intranet interface is bound to the three-layer logical interface; if the binding relationship exists, go to step 503, otherwise go to step 504.
Step 503, determine whether the data packet matches a VPN policy under the intranet interface; if so, go to step 505, otherwise go to step 504.
Step 504, send the data packet out through the paired extranet interface.
Step 505, the data packet enters the VPN module; go to step 506.
Step 506, determine whether a VPN tunnel has been established; if so, go to step 507, otherwise go to step 504. The VPN tunnel is established after the security device successfully negotiates with the peer device through its three-layer logical interface.
Step 507, perform VPN encapsulation on the data packet; go to step 504.
The VPN encapsulation procedure described above can be explained with reference to fig. 3 (a).
First, the user device 1 of the subnet Lan2 generates a message, called message 4, and message 4 enters the security device 2 through the intranet interface A'.
Next, the security device 2 determines whether a binding relationship exists between its three-layer logical interface and the intranet interface A': if the binding relationship exists, message 4 can be preliminarily judged to be a message that needs to be transmitted to the peer device through the VPN tunnel, and further judgment is still needed; if the binding relationship does not exist, message 4 does not need to be transmitted through the VPN tunnel, so message 4 can be directly transmitted to the outside through the extranet interface A.
Next, in the scenario in which message 4 is preliminarily determined to need transmission to the peer device through the VPN tunnel, the security device 2 matches message 4 against the VPN policy under the intranet interface A': if message 4 matches the VPN policy set under the intranet interface A', message 4 may enter the VPN module of the security device 2; if message 4 does not match the VPN policy set under the intranet interface A', message 4 does not need to be transmitted through the VPN tunnel, and can therefore be directly transmitted to the outside through the extranet interface A.
Finally, in the scenario in which message 4 matches the VPN policy set under the intranet interface A', the VPN module of the security device 2 determines whether the VPN negotiation between the security device 2 and the peer device through the three-layer logical interface has succeeded. If the negotiation succeeded, the VPN module encapsulates message 4 based on the negotiation information and transmits the encapsulated message 4 to the outside from the extranet interface A, thereby realizing VPN communication between the user device 1 and the peer device; if the negotiation failed, the VPN module cannot obtain negotiation information, and lacking it cannot encapsulate message 4, so it transmits message 4 to the outside through the extranet interface A instead.
In the above example, because the security device 2 is deployed in the transparent mode and has no three-layer physical port, it cannot by itself negotiate the VPN with the peer device or configure and establish the VPN tunnel. Therefore, in the embodiment of the present application, a three-layer logical interface is created on the security device 2 and is used to perform VPN negotiation with the peer device and to configure and establish the VPN tunnel. In addition, in order to distinguish messages that need to pass through the VPN tunnel from messages that do not, that is, to distinguish the data flows that need protection from those that do not, the security device 2 binds certain intranet interfaces to its three-layer logical interface and sets a VPN policy for each intranet interface that has such a binding relationship; the VPN policy so set is independent of the original three-layer policy, and the two do not affect each other. Thus, when message 4 generated by the user device 1 enters the security device 2 through the intranet interface A', if a three-layer logical interface has been created on the security device 2, it is further checked whether that three-layer logical interface has a binding relationship with the intranet interface A'; if the binding relationship exists, message 4 belongs to a data flow to be protected, that is, it is a message that needs to be transmitted to the peer device through the VPN tunnel.
In addition, when the VPN module of the security device 2 encapsulates message 4, it must further check whether the security device has successfully negotiated the VPN with the peer device through its own three-layer logical interface; if the negotiation succeeded, the VPN module encapsulates message 4 based on the negotiation information generated by that successful negotiation.
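The decision chain of steps 501 to 507 (binding check, policy match, tunnel state, then encapsulate or pass through) can be modelled as follows. This is an added illustration, not code from the patent; the interface names follow fig. 3 (b), while the addresses, the policy shape and the negotiation information are constructed for the example.

```python
"""Model of the transparent-mode security device's ingress decision for a
message arriving on an intranet interface (steps 501-507 of fig. 5).
All addresses, the VpnPolicy shape and the negotiation information are
constructed for illustration and are not the patent's own data structures."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    proto: str  # e.g. "tcp", "udp", "icmp"


@dataclass
class VpnPolicy:
    """A VPN policy configured under an intranet interface: traffic from
    src_net to dst_net is to be carried through the tunnel."""
    src_net: str
    dst_net: str

    def matches(self, msg: Message) -> bool:
        return (ip_address(msg.src_ip) in ip_network(self.src_net)
                and ip_address(msg.dst_ip) in ip_network(self.dst_net))


@dataclass
class TransparentSecurityDevice:
    # intranet interface -> paired extranet interface (e.g. "C'" -> "C")
    pairs: dict
    # intranet interfaces bound to the three-layer logical interface (step 502)
    bound_to_l3: set = field(default_factory=set)
    # intranet interface -> list of VpnPolicy (step 503)
    policies: dict = field(default_factory=dict)
    # outcome of the negotiation over the logical interface (step 506)
    tunnel_established: bool = False
    # negotiation information used for encapsulation (constructed stand-in)
    negotiation_info: dict = field(default_factory=dict)

    def ingress(self, intranet_if: str, msg: Message):
        """Return (action, egress_interface, payload) for a message entering
        on intranet_if: 'vpn' when it is encapsulated (step 507), 'plain'
        when it leaves unchanged through the paired extranet interface
        (step 504)."""
        if intranet_if not in self.pairs:
            raise ValueError(f"{intranet_if} is not an intranet interface")
        extranet_if = self.pairs[intranet_if]
        # Step 502: no binding -> the message never needed the tunnel.
        if intranet_if not in self.bound_to_l3:
            return ("plain", extranet_if, msg)
        # Step 503: bound, but the message must also match a VPN policy.
        policy = next((p for p in self.policies.get(intranet_if, [])
                       if p.matches(msg)), None)
        if policy is None:
            return ("plain", extranet_if, msg)
        # Step 506: policy matched, but without a negotiated tunnel there is
        # no material to encapsulate with, so the message still goes in clear.
        if not self.tunnel_established:
            return ("plain", extranet_if, msg)
        # Step 507: encapsulate, then step 504 through the paired interface.
        return ("vpn", extranet_if, self._encapsulate(msg))

    def _encapsulate(self, msg: Message) -> dict:
        # Stand-in for the real VPN encapsulation: the inner message is
        # wrapped with the tunnel endpoints from the negotiation information.
        return {"tunnel_src": self.negotiation_info["local"],
                "tunnel_dst": self.negotiation_info["peer"],
                "inner": msg}


def demo_device() -> TransparentSecurityDevice:
    """Security device 2 of fig. 3 (b): C' bound and carrying one policy,
    D' unbound. Addresses are constructed (documentation ranges)."""
    return TransparentSecurityDevice(
        pairs={"C'": "C", "D'": "D"},
        bound_to_l3={"C'"},
        policies={"C'": [VpnPolicy("192.168.2.0/24", "192.168.1.0/24")]},
        tunnel_established=True,
        negotiation_info={"local": "203.0.113.2", "peer": "203.0.113.1"},
    )
```

A message from Lan2 to Lan1 on C' is encapsulated and leaves through C; the same message on the unbound D', a message outside the policy, or any message while the tunnel is down, leaves in clear through the paired extranet interface.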
As shown in fig. 6, an embodiment of the present application provides a flowchart of VPN decapsulation for a security device deployed in the transparent transmission mode on which a three-layer logical interface has been created; the flow includes the following steps:
Step 601, the VPN data packet enters the VPN module.
Step 602, decapsulate the VPN data packet to obtain the corresponding plaintext packet; go to step 603.
Step 603, determine whether the destination IP address of the plaintext packet and the IP address of the three-layer logical interface are in the same network segment; if they are in different network segments, go to step 604; if they are in the same network segment, go to step 605.
Step 604, read the pre-configured IP address of the next-hop gateway; go to step 609.
Step 605, determine whether the MAC table contains a MAC address for the destination IP address of the plaintext packet; if it does, go to step 606, otherwise go to step 607.
Step 606, modify the destination MAC address of the plaintext packet; go to step 608.
Step 607, send the second ARP request and obtain the fourth MAC address; go to step 606.
Step 608, send the packet to the outside through the paired intranet interface.
Step 609, determine whether the IP address of the next-hop gateway exists in the MAC table; if it does, go to step 606, otherwise go to step 610.
Step 610, send the first ARP request and obtain the second MAC address; go to step 606.
The VPN decapsulation procedure described above can be explained with reference to fig. 3.
First, a VPN data packet enters the VPN module of the security device 2 and is decapsulated to obtain a message, called message 5. For message 5 it is determined whether its destination IP address belongs to the same network segment as the IP address of the three-layer logical interface of the security device 2, which gives two cases:
Case 1: the destination IP address of message 5 is in the same network segment as the IP address of the three-layer logical interface of the security device 2. The security device 2 queries the MAC table to determine whether it contains a MAC address for the destination IP address of message 5. If it does, the security device 2 updates the MAC address of message 5 with that MAC address and sends the updated message 5 to the outside through the paired intranet interface. If it does not, the security device 2 sends an ARP request to the devices in the environment according to the destination IP address of message 5 and receives an ARP response message returned by the device that owns that destination IP address; the ARP response message carries the MAC address, so the security device updates the MAC address of message 5 with it and sends the updated message 5 to the outside through the paired intranet interface.
Case 2: otherwise, that is, the destination IP address of message 5 and the IP address of the three-layer logical interface of the security device 2 are in different network segments. The security device 2 reads the IP address of the next-hop gateway pre-configured by the user and queries the local MAC table using that IP address as the key. This query has two possible results:
Result 1: the MAC table contains the IP address of the next-hop gateway, which corresponds to the first MAC address, so the security device 2 updates the destination MAC address of message 5 with the first MAC address;
Result 2: the IP address of the next-hop gateway does not exist in the MAC table, so the security device 2 sends a first ARP request to the next-hop gateway based on its IP address and updates the destination MAC address of message 5 with the second MAC address carried in the first ARP response message.
Because the security device 2 is deployed in a transparent transmission manner, if there is no other intervention means, it does not actively modify the MAC address of the data packet entering it, but forwards the received message without any change; however, in the process of VPN communication, after the data packet is decapsulated, if the security device 2 does not update the MAC address of the decapsulated packet, it may cause a problem that data forwarding is not feasible. For the problem, in the embodiment of the present application, by setting the MAC address of the next hop gateway in the security device 2 in advance, when the security device 2 determines that the IP address of the packet 5 and the three-layer logical port of the security device are located in different network segments, the security device 2 may read the MAC address of the next hop gateway, and update the MAC address of the packet 5 by using the MAC address, thereby ensuring normal flow of data.
For example, the scenario in which the security device 2 is directly connected to the user device, see fig. 3 (a), and the scenario in which the security device 2 is connected to the user device through a switch, see fig. 3 (b), both correspond to the case in which the destination IP address of message 5 and the IP address of the three-layer logical interface are in the same network segment; the scenario in which the security device 2 is connected to the user device through a router, see diagram (c) of fig. 3, corresponds to the case in which the destination IP address of message 5 and the IP address of the three-layer logical interface are in different network segments.
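The destination-MAC update of steps 603 to 610, covering both the same-segment case of fig. 3 (a)/(b) and the different-segment case of fig. 3 (c), can be modelled as follows. This is an added illustration, not code from the patent; the MAC table, the ARP resolver stand-in and all addresses are constructed for the example.

```python
"""Model of the destination-MAC update the transparent-mode security device
performs after decapsulating a VPN data packet (steps 603-610 of fig. 6).
The MAC table, the ArpResolver stand-in and every address here are
constructed for illustration and are not the patent's own data structures."""
from ipaddress import ip_address, ip_interface


class ArpResolver:
    """Stand-in for sending an ARP request out of the intranet interface and
    waiting for the reply; `answers` is the constructed set of hosts that
    would respond (IP -> MAC)."""

    def __init__(self, answers: dict):
        self.answers = answers
        self.requests_sent = []  # record of ARP requests, for inspection

    def resolve(self, ip: str) -> str:
        self.requests_sent.append(ip)
        if ip not in self.answers:
            raise LookupError(f"no ARP reply for {ip}")
        return self.answers[ip]


class DecapPath:
    def __init__(self, l3_logical_if: str, next_hop_gateway: str,
                 pairs: dict, mac_table: dict, arp: ArpResolver):
        # IP/prefix of the three-layer logical interface, e.g. "192.168.2.1/24"
        self.l3 = ip_interface(l3_logical_if)
        # IP address of the next-hop gateway, pre-configured by the user (604)
        self.next_hop_gateway = next_hop_gateway
        self.pairs = pairs          # extranet interface -> paired intranet one
        self.mac_table = mac_table  # IP -> MAC
        self.arp = arp

    def lookup_or_arp(self, ip: str) -> str:
        """Steps 605/607 and 609/610: consult the MAC table first, send an
        ARP request only on a miss, and learn the answer for next time."""
        mac = self.mac_table.get(ip)
        if mac is None:
            mac = self.arp.resolve(ip)
            self.mac_table[ip] = mac
        return mac

    def forward(self, plaintext: dict, extranet_if: str) -> dict:
        """Rewrite the destination MAC of the decapsulated plaintext packet
        (step 606) and hand it to the intranet interface paired with the
        extranet interface the VPN data packet arrived on (step 608)."""
        dst_ip = ip_address(plaintext["dst_ip"])
        if dst_ip in self.l3.network:
            # Step 605: same segment -> resolve the destination host itself
            # (fig. 3 (a) and (b)).
            target_ip = str(dst_ip)
        else:
            # Step 604: different segment -> the frame is addressed to the
            # pre-configured next-hop gateway (fig. 3 (c)).
            target_ip = self.next_hop_gateway
        frame = dict(plaintext)
        frame["dst_mac"] = self.lookup_or_arp(target_ip)
        frame["egress_if"] = self.pairs[extranet_if]
        return frame


PAIRS = {"E": "E'", "F": "F'"}  # extranet/intranet pairs of fig. 3 (c)


def demo_same_segment() -> dict:
    """Destination host sits in the logical interface's own segment."""
    arp = ArpResolver({"192.168.2.10": "02:00:00:00:00:10"})
    path = DecapPath("192.168.2.1/24", "192.168.2.254", PAIRS, {}, arp)
    plaintext = {"src_ip": "192.168.1.20", "dst_ip": "192.168.2.10",
                 "dst_mac": "02:00:00:00:00:ff"}  # stale MAC left by decap
    return path.forward(plaintext, "E")


def demo_other_segment() -> dict:
    """Destination host lies behind the router; two packets are forwarded
    and the number of ARP requests actually sent is reported."""
    arp = ArpResolver({"192.168.2.254": "02:00:00:00:02:54"})
    path = DecapPath("192.168.2.1/24", "192.168.2.254", PAIRS, {}, arp)
    plaintext = {"src_ip": "192.168.1.20", "dst_ip": "10.20.0.7",
                 "dst_mac": "02:00:00:00:00:ff"}
    frame = path.forward(plaintext, "E")
    path.forward(plaintext, "E")  # second packet: table hit, no new ARP
    frame["arp_requests"] = len(arp.requests_sent)
    return frame
```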
Based on the same concept, an embodiment of the present application further provides a security device; as shown in fig. 7, the security device includes:
a three-layer logical interface creating unit 701, configured to create a three-layer logical interface used for establishing a VPN tunnel with a peer device;
a processing unit 702, configured to process, based on the binding relationship between the three-layer logical interface and the intranet interfaces of the security device, a first packet sent by an intranet device to the peer device.
The processing unit 702 is further configured to update, based on the three-layer logical interface, the destination MAC address of a second packet sent by the peer device to the intranet device.
Further, the security device comprises a first intranet interface, and the processing unit 702 is specifically configured to: receive the first packet through the first intranet interface; if it determines that the binding relationship includes a binding between the three-layer logical interface and the first intranet interface, encapsulate the first packet according to the first VPN policy of the first packet under the first intranet interface to generate a third packet; and transmit the third packet to the peer device through a first extranet interface, where the first extranet interface is paired with the first intranet interface.
Further, the processing unit 702 is further configured to: if the binding relationship does not include a binding between the three-layer logical interface and the first intranet interface, transmit the first packet outward through the first extranet interface.
Further, the processing unit 702 is further configured to: if it determines that the first packet has no VPN policy under the first intranet interface, transmit the first packet outward through the first extranet interface.
Further, the processing unit 702 is further configured to: determine that a VPN tunnel has been established with the peer device.
Further, the processing unit 702 is further configured to: if the VPN tunnel with the peer device has not been established, transmit the first packet outward through the first extranet interface.
Further, the security device comprises a second extranet interface, and the processing unit 702 is specifically configured to: receive a VPN data packet through the second extranet interface, the VPN data packet being transmitted over a VPN tunnel; decapsulate the VPN data packet to obtain the second packet; and update the destination MAC address of the second packet based on the three-layer logical interface.
Further, when the destination IP address of the second packet and the IP address of the three-layer logical interface are in different network segments, the processing unit 702 is specifically configured to: if the MAC table contains a first MAC address corresponding to the IP address of the next hop gateway, use the first MAC address as the destination MAC address of the second packet, where the IP address of the next hop gateway is set by configuration; if the MAC table does not contain the first MAC address, send a first ARP request to the next hop gateway based on the IP address of the next hop gateway, and use the second MAC address carried in the first ARP response message as the destination MAC address of the second packet, where the first ARP response message is generated by the next hop gateway upon receiving the first ARP request and sent to the security device.
Further, when the destination IP address of the second packet and the IP address of the three-layer logical interface are in the same network segment, the processing unit 702 is specifically configured to: if the MAC table contains a third MAC address corresponding to the destination IP address of the second packet, use the third MAC address as the destination MAC address of the second packet; if it determines that the MAC table does not contain the third MAC address, send a second ARP request to the intranet device based on the destination IP address of the second packet, and use the fourth MAC address carried in the second ARP response message as the destination MAC address of the second packet, where the second ARP response message is generated by the intranet device upon receiving the second ARP request and sent to the security device.
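The two forwarding decisions described above, the outbound check on a first packet received from an intranet interface (binding, VPN policy, tunnel state) and the destination MAC update on a decapsulated second packet (same segment versus next hop gateway, MAC table first, ARP as fallback), as an added Python model. This is example code written for this page, not the patent's or NSFOCUS's implementation; the interface names, addresses, the policy format, the `L3_PORT` name and the `ARP_REPLIES` stand-in for the network's ARP responders are all constructed assumptions.

```python
# Added example (not from the patent): a small model of the transparent-mode
# security device's two forwarding decisions. Interface names, addresses,
# the policy format and the ARP stand-in are constructed for illustration.
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

L3_PORT = "l3-vpn0"  # hypothetical name of the three-layer logical interface


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    dst_mac: Optional[str] = None  # None for a freshly decapsulated packet


@dataclass
class SecurityDevice:
    l3_port_cidr: str                      # IP/prefix of the three-layer logical interface
    next_hop_gateway_ip: str               # next hop gateway, set by configuration
    bindings: Dict[str, str]               # intranet interface -> bound L3 logical interface
    pairs: Dict[str, str]                  # intranet interface -> paired extranet interface
    vpn_policies: Dict[str, List[Tuple[str, str]]]  # intranet iface -> [(dst prefix, policy)]
    tunnel_up: bool                        # whether the tunnel with the peer is established
    mac_table: Dict[str, str]              # learned IP -> MAC entries
    arp_resolve: Callable[[str], Optional[str]]  # stand-in for ARP request/reply


def match_policy(policies: List[Tuple[str, str]], dst_ip: str) -> Optional[str]:
    """Return the first VPN policy whose destination prefix covers dst_ip, if any."""
    addr = ipaddress.ip_address(dst_ip)
    for prefix, name in policies:
        if addr in ipaddress.ip_network(prefix):
            return name
    return None


def handle_intranet_packet(dev: SecurityDevice, in_iface: str, pkt: Packet) -> Tuple[str, str]:
    """Decide what to do with a first packet received on an intranet interface.

    Returns (action, out_iface): 'passthrough' forwards the packet unchanged through
    the paired extranet interface; 'encapsulate:<policy>' wraps it for the tunnel first.
    """
    out_iface = dev.pairs[in_iface]
    # No binding between the L3 logical interface and this intranet interface.
    if dev.bindings.get(in_iface) != L3_PORT:
        return "passthrough", out_iface
    # Bound, but no VPN policy under this interface matches the packet.
    policy = match_policy(dev.vpn_policies.get(in_iface, []), pkt.dst_ip)
    if policy is None:
        return "passthrough", out_iface
    # Policy matches, but the VPN tunnel with the peer is not established yet.
    if not dev.tunnel_up:
        return "passthrough", out_iface
    return f"encapsulate:{policy}", out_iface


def resolve_dest_mac(dev: SecurityDevice, pkt: Packet) -> str:
    """Pick the destination MAC for a decapsulated second packet.

    Same segment as the L3 logical interface: resolve the destination host itself.
    Different segment: resolve the configured next hop gateway instead.
    In both cases consult the MAC table first and fall back to ARP, caching the reply.
    """
    segment = ipaddress.ip_interface(dev.l3_port_cidr).network
    target_ip = pkt.dst_ip if ipaddress.ip_address(pkt.dst_ip) in segment else dev.next_hop_gateway_ip
    mac = dev.mac_table.get(target_ip)
    if mac is None:
        mac = dev.arp_resolve(target_ip)
        if mac is None:
            raise LookupError(f"no ARP reply from {target_ip}; packet to {pkt.dst_ip} cannot be forwarded")
        dev.mac_table[target_ip] = mac
    pkt.dst_mac = mac
    return mac


# Constructed sample topology in the style of fig. 3(c): user equipment behind a router.
ARP_REPLIES = {
    "192.168.1.254": "02:00:00:00:01:fe",  # next hop gateway (router)
    "192.168.1.20": "02:00:00:00:01:14",   # a host on the same segment as the L3 interface
}


def build_device() -> SecurityDevice:
    return SecurityDevice(
        l3_port_cidr="192.168.1.1/24",
        next_hop_gateway_ip="192.168.1.254",
        bindings={"eth0": L3_PORT},           # eth0 is bound to the L3 interface; eth2 is not
        pairs={"eth0": "eth1", "eth2": "eth3"},
        vpn_policies={"eth0": [("10.20.0.0/16", "site-b")]},
        tunnel_up=True,
        mac_table={},
        arp_resolve=ARP_REPLIES.get,
    )


if __name__ == "__main__":
    dev = build_device()
    print(handle_intranet_packet(dev, "eth0", Packet("192.168.1.20", "10.20.5.7")))
    print(handle_intranet_packet(dev, "eth2", Packet("172.16.0.9", "10.20.5.7")))
    print(resolve_dest_mac(dev, Packet("10.20.5.7", "10.30.0.8")))      # other segment: gateway MAC
    print(resolve_dest_mac(dev, Packet("10.20.5.7", "192.168.1.20")))   # same segment: host MAC
```

The model keeps the patent's ordering of checks: a packet on an unbound interface, a packet with no matching policy, and a packet arriving while the tunnel is down all fall through to plain transparent forwarding, so a misconfigured binding or policy degrades to cleartext pass-through rather than dropped traffic, which is worth monitoring for on a real deployment.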
The embodiment of the present application provides a computing device, which may specifically be a desktop computer, a portable computer, a smart phone, a tablet computer, a Personal Digital Assistant (PDA), and the like. The computing device may include a Central Processing Unit (CPU), memory, and input/output devices; the input devices may include a keyboard, mouse, touch screen, etc., and the output devices may include a display device, such as a Liquid Crystal Display (LCD) or a Cathode Ray Tube (CRT).
The memory, which may include Read Only Memory (ROM) and Random Access Memory (RAM), provides the processor with the program instructions and data stored in it. In an embodiment of the present application, the memory may be configured to store program instructions of the virtual private network VPN implementation method in transparent mode;
and the processor is used to call the program instructions stored in the memory and execute the virtual private network VPN implementation method in transparent mode according to the obtained program.
As shown in fig. 8, a schematic diagram of a computing device provided in an embodiment of the present application, the computing device includes:
a processor 801, a memory 802, a transceiver 803, a bus interface 804; the processor 801, the memory 802 and the transceiver 803 are connected through a bus 805;
the processor 801 is configured to read the program in the memory 802, and execute the method for implementing a virtual private network VPN in the transparent mode;
the processor 801 may be a Central Processing Unit (CPU), a Network Processor (NP), or a combination of a CPU and an NP. But also a hardware chip. The hardware chip may be an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
The memory 802 is used to store one or more executable programs, which may store data used by the processor 801 in performing operations.
In particular, the program may include program code comprising computer operating instructions. The memory 802 may include a volatile memory (volatile memory), such as a random-access memory (RAM); the memory 802 may also include a non-volatile memory (non-volatile memory), such as a flash memory (flash memory), a hard disk (HDD) or a solid-state drive (SSD); the memory 802 may also comprise a combination of the above-described types of memory.
The memory 802 stores the following elements, executable modules or data structures, or a subset or an expanded set thereof:
Operating instructions: including various operating instructions for performing various operations.
Operating system: including various system programs for implementing various basic services and handling hardware-based tasks.
The bus 805 may be a Peripheral Component Interconnect (PCI) bus, an Extended Industry Standard Architecture (EISA) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one thick line is shown in FIG. 8, but this is not intended to represent only one bus or type of bus.
The bus interface 804 may be a wired communication access port, a wireless bus interface, or a combination thereof, wherein the wired bus interface may be, for example, an ethernet interface. The ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless bus interface may be a WLAN interface.
An embodiment of the present application provides a computer-readable storage medium storing computer-executable instructions for causing a computer to execute a virtual private network VPN implementation method in a transparent mode.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (8)

1. A virtual private network VPN implementation method in a transparent mode, characterized by comprising the following steps:
a security device in transparent transmission mode creates a three-layer logical interface for establishing a VPN tunnel with a peer device;
the security device receives a first packet through a first intranet interface;
if the security device determines that the binding relationship between the three-layer logical interface and the intranet interfaces of the security device does not include a binding between the three-layer logical interface and the first intranet interface, the first packet is transmitted outward through a first extranet interface, the first extranet interface being paired with the first intranet interface;
if the security device determines that the binding relationship includes the binding between the three-layer logical interface and the first intranet interface, the first packet is encapsulated according to a first VPN policy of the first packet under the first intranet interface to generate a third packet;
the security device transmits the third packet to the peer device through the first extranet interface; and
the security device updates the destination MAC address of a second packet sent by the peer device to the intranet device based on the three-layer logical interface.
2. The method of claim 1,
further comprising:
if the security device determines that the first packet has no VPN policy under the first intranet interface, the security device transmits the first packet outward through the first extranet interface.
3. The method of claim 1,
further comprising:
if the security device determines that the VPN tunnel between the security device and the peer device has not been established, the first packet is transmitted outward through the first extranet interface.
4. The method of claim 1, wherein the security device comprises a second extranet interface;
and the security device updating the destination MAC address of the second packet sent by the peer device to the intranet device based on the three-layer logical interface comprises:
the security device receives a VPN data packet through the second extranet interface, the VPN data packet being transmitted over a VPN tunnel;
the security device decapsulates the VPN data packet to obtain the second packet;
and the security device updates the destination MAC address of the second packet based on the three-layer logical interface.
5. The method of claim 4, wherein the destination IP address of the second packet is in a different network segment from the IP address of the three-layer logical interface;
and the security device updating the destination MAC address of the second packet based on the three-layer logical interface comprises:
if the security device determines that the MAC table contains a first MAC address corresponding to the IP address of the next hop gateway, the first MAC address is used as the destination MAC address of the second packet, the IP address of the next hop gateway being set by configuration;
if the security device determines that the MAC table does not contain the first MAC address, a first ARP request is sent to the next hop gateway based on the IP address of the next hop gateway;
the security device uses the second MAC address carried in the first ARP response message as the destination MAC address of the second packet, the first ARP response message being generated by the next hop gateway upon receiving the first ARP request and sent to the security device.
6. The method of claim 4, wherein the destination IP address of the second packet is in the same network segment as the IP address of the three-layer logical interface;
and the security device updating the destination MAC address of the second packet based on the three-layer logical interface comprises:
if the security device determines that the MAC table contains a third MAC address corresponding to the destination IP address of the second packet, the third MAC address is used as the destination MAC address of the second packet;
if the security device determines that the MAC table does not contain the third MAC address, the security device sends a second ARP request to the intranet device based on the destination IP address of the second packet;
the security device uses the fourth MAC address carried in the second ARP response message as the destination MAC address of the second packet, the second ARP response message being generated by the intranet device upon receiving the second ARP request and sent to the security device.
7. A computer device, comprising:
a memory for storing a computer program;
a processor for calling the computer program stored in said memory and executing the method according to any one of claims 1-6 in accordance with the obtained program.
8. A computer-readable storage medium, characterized in that the storage medium stores a program which, when run on a computer, causes the computer to carry out the method according to any one of claims 1-6.
CN202110334251.3A 2021-03-29 2021-03-29 Virtual private network VPN implementation method and safety device in transparent mode Active CN113098856B (en)
Publications (2)

Publication Number Publication Date
CN113098856A CN113098856A (en) 2021-07-09
CN113098856B (en) 2023-01-17

Family

ID=76670733
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant