CN101697522A - Virtual private network networking method, communication system and related equipment - Google Patents
Virtual private network networking method, communication system and related equipment
- Publication number: CN101697522A (application CN200910178331A)
- Authority: CN (China)
- Prior art keywords: terminal, tunnel, vpn, parameters, configuration information
- Legal status: Pending
- Classification areas: Data Exchanges In Wide-Area Networks; Mobile Radio Communication Systems
Abstract
The embodiment of the invention discloses a VPN networking method, a communication system and related equipment, which are used to improve the flexibility of VPN networking. The method of the embodiment of the invention comprises: a first terminal acquires cryptographic parameters, locally preset VPN configuration information and tunnel parameters, generates a public key and a private key according to the cryptographic parameters, and sends the cryptographic parameters, the VPN configuration information and the tunnel parameters to a second terminal, so that the second terminal can configure its own VPN according to the VPN configuration information and generate a public key and a private key according to the cryptographic parameters; the first terminal and the second terminal establish an IPsec tunnel according to the tunnel parameters; and the first terminal and the second terminal transmit data through the IPsec tunnel using the public keys and private keys. The embodiment of the invention also provides the communication system and the related equipment. The VPN networking method, the communication system and the related equipment can effectively improve the flexibility of VPN networking.
Description
Technical field
The present invention relates to the communications field, and in particular to a virtual private network (VPN) networking method, a communication system and related equipment.
Background technology
More and more enterprises need to set up administrative bodies, branch companies, research institutes and so on across the whole country and even worldwide. The traditional way of connecting these sites is generally to lease dedicated lines between the branch companies. Obviously, as the number of branches grows and business expands, the network structure becomes more and more complicated and the cost rises accordingly.
A Virtual Private Network (VPN) uses the characteristics of the Internet to build a worldwide enterprise Intranet VPN on top of the Internet. The circuits of the Internet provide the interconnectivity of the network, while VPN features such as tunneling and encryption ensure that information is transmitted securely across the entire Intranet VPN. An Intranet VPN connects the enterprise headquarters, remote offices and branches over a shared infrastructure through a dedicated connection. The enterprise has the same policies as with a dedicated network, including security, quality of service (QoS), manageability and reliability.
In the prior art, a VPN is generally set up manually: the VPN configuration is carried out on each terminal that needs to join the VPN. For example, an administrator sets the VPN configuration information (including the VPN networking structure, the data transport protocol, the server address and similar information) and sets the keys.
However, because the VPN configuration involves many items of information and may involve a large number of terminals, the process of setting up the VPN is very complicated, which reduces the flexibility of VPN networking.
Summary of the invention
The embodiment of the invention provides a VPN networking method, a communication system and related equipment that can improve the flexibility of VPN networking.
The VPN networking method provided by the embodiment of the invention comprises: a first terminal acquires cryptographic parameters, tunnel parameters and locally preset VPN configuration information; the first terminal generates a public key and a private key according to the cryptographic parameters; the first terminal sends the cryptographic parameters, the VPN configuration information and the tunnel parameters to a second terminal, so that the second terminal configures its own VPN according to the VPN configuration information and generates a public key and a private key according to the cryptographic parameters; the first terminal and the second terminal establish an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters; and the first terminal and the second terminal transmit data through the IPsec tunnel using the public keys and private keys.
The VPN networking method provided by the embodiment of the invention further comprises: a second terminal receives the cryptographic parameters, VPN configuration information and tunnel parameters sent by a first terminal; the second terminal configures its own VPN according to the VPN configuration information and generates a public key and a private key according to the cryptographic parameters; the second terminal establishes an IPsec tunnel with the first terminal according to the tunnel parameters; and the second terminal transmits data with the first terminal through the IPsec tunnel using the public key and private key.
The communication system provided by the embodiment of the invention comprises a first terminal and a second terminal, wherein: the first terminal is used to acquire cryptographic parameters, tunnel parameters and locally preset VPN configuration information, generate a public key and a private key according to the cryptographic parameters, and send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal; the second terminal is used to configure its own VPN according to the VPN configuration information and generate a public key and a private key according to the cryptographic parameters; and the first terminal and the second terminal are further used to establish an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters and to transmit data through the IPsec tunnel using the public keys and private keys.
The terminal equipment provided by the embodiment of the invention comprises: an acquiring unit, used to acquire cryptographic parameters, tunnel parameters and locally preset VPN configuration information; a first generation unit, used to generate a public key and a private key according to the cryptographic parameters; a transmitting unit, used to send the cryptographic parameters, VPN configuration information and tunnel parameters to a second terminal equipment; a first establishing unit, used to establish an IPsec tunnel with the second terminal equipment according to the tunnel parameters; and a first transmission unit, used to transmit data with the second terminal equipment through the IPsec tunnel using the public key and private key.
The terminal equipment provided by the embodiment of the invention further comprises: a receiving unit, used to receive the cryptographic parameters, VPN configuration information and tunnel parameters sent by a first terminal equipment; a configuration unit, used to configure the VPN of the terminal equipment according to the VPN configuration information; a second generation unit, used to generate a public key and a private key according to the cryptographic parameters; a second establishing unit, used to establish an IPsec tunnel with the first terminal equipment according to the tunnel parameters; and a second transmission unit, used to transmit data with the first terminal equipment through the IPsec tunnel using the public key and private key.
As can be seen from the above technical solutions, the embodiment of the invention has the following advantages:
In the embodiment of the invention, when the VPN networking condition is satisfied, the first terminal can actively send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal, so that the second terminal configures its local VPN according to the VPN configuration information and an IPsec tunnel can be established between the first terminal and the second terminal, thereby realizing VPN networking between them. Therefore, in the scheme of the embodiment of the invention, automatic VPN networking can be realized between terminals without an administrator manually carrying out the VPN networking on each terminal, which improves the flexibility of VPN networking.
Description of drawings
Fig. 1 is a schematic diagram of an embodiment of the VPN networking method in the embodiment of the invention;
Fig. 2 is a schematic diagram of another embodiment of the VPN networking method in the embodiment of the invention;
Fig. 3 is a schematic diagram of another embodiment of the VPN networking method in the embodiment of the invention;
Fig. 4 is a schematic diagram of another embodiment of the VPN networking method in the embodiment of the invention;
Fig. 5 is a schematic diagram of an embodiment of the communication system in the embodiment of the invention;
Fig. 6 is a schematic diagram of an embodiment of the terminal equipment in the embodiment of the invention;
Fig. 7 is a schematic diagram of another embodiment of the terminal equipment in the embodiment of the invention.
Embodiment
The embodiment of the invention provides a VPN networking method, a communication system and related equipment that can improve the flexibility of VPN networking.
Referring to Fig. 1, an embodiment of the VPN networking method in the embodiment of the invention comprises:
101. The first terminal acquires cryptographic parameters, tunnel parameters and locally preset VPN configuration information;
In this embodiment, when the VPN networking condition is satisfied, the first terminal can acquire the preset VPN configuration information from local storage, and can acquire the cryptographic parameters and the tunnel parameters.
The VPN configuration information is used to configure the local VPN, and may specifically include the VPN networking structure, the data transport protocol, the server address and similar information; these are common knowledge to those skilled in the art and are not limited here.
The cryptographic parameters are used to generate the public key and private key; they may be entered by the user or configured locally on the first terminal.
The tunnel parameters are used to establish the IPsec tunnel and may include the information needed for tunnel establishment, for example the encryption algorithm or authentication algorithm, the key lifetime, the data access policy and so on.
102. The first terminal generates a public key and a private key according to the cryptographic parameters;
After acquiring the above information, the first terminal can generate a public key and a private key according to the cryptographic parameters. The public key is used to encrypt data to be sent and the private key is used to decrypt received data; the specific process of generating the public key and private key from the cryptographic parameters is common knowledge to those skilled in the art and is not limited here.
103. The first terminal sends the cryptographic parameters, the VPN configuration information and the tunnel parameters to the second terminal;
After acquiring the above information, the first terminal can send the acquired cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal.
The second terminal may be determined according to a telephone number entered by the user, or according to locally fixed configuration information. For example, an identifier of the second terminal may be pre-configured in the first terminal, so that the first terminal can automatically send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal according to this identifier, without the user having to enter a telephone number manually.
It should be noted that in this embodiment there is no strict execution order between steps 102 and 103: step 102 may be performed first, step 103 may be performed first, or steps 102 and 103 may be performed at the same time.
104. The second terminal configures its VPN according to the VPN configuration information and generates a public key and a private key according to the cryptographic parameters;
After receiving the cryptographic parameters, VPN configuration information and tunnel parameters sent by the first terminal, the second terminal can configure its local VPN according to the VPN configuration information and can generate a public key and a private key according to the cryptographic parameters.
It should be noted that in this embodiment the process by which the second terminal configures its local VPN according to the VPN configuration information may be: the values of the parameters in the VPN configuration information are inserted into the corresponding local parameters.
In this embodiment, the process by which the second terminal generates the public key and private key from the cryptographic parameters is the same as the process used by the first terminal, and the algorithm used is also the same; that is, the public key and private key generated by the first terminal should correspond to the public key and private key generated by the second terminal.
105. The first terminal and the second terminal establish an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters;
After the second terminal has configured its local VPN, the first terminal and the second terminal can establish the IPsec tunnel according to the tunnel parameters; the specific establishment process is described in detail in the subsequent embodiments.
106. The first terminal and the second terminal transmit data through the IPsec tunnel using the public key and private key.
After the IPsec tunnel has been established, the first terminal and the second terminal can transmit data through this IPsec tunnel using the public keys and private keys each generated earlier, thereby realizing VPN networking between the first terminal and the second terminal.
It should be noted that in practical applications the second terminal may be a single terminal or a class of terminals; the specific number is not limited here.
In this embodiment, when the VPN networking condition is satisfied, the first terminal can actively send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal, so that the second terminal configures its local VPN according to the VPN configuration information and an IPsec tunnel can be established between the first terminal and the second terminal, thereby realizing VPN networking between them. Therefore, in the scheme of the embodiment of the invention, automatic VPN networking can be realized between terminals without an administrator manually carrying out the VPN networking on each terminal, which improves the flexibility of VPN networking.
For ease of understanding, the VPN networking method in the embodiment of the invention is described in detail below with a concrete example. Referring to Fig. 2, another embodiment of the VPN networking method in the embodiment of the invention comprises:
201~202. Identical to steps 101~102 of the embodiment shown in Fig. 1 and not repeated here;
203. The first terminal queries the second terminal corresponding to the telephone number entered by the user;
In this embodiment, the user can enter on the first terminal the telephone number of the second terminal with which VPN networking is to be carried out, and the first terminal receives the telephone number entered by the user.
The first terminal locally stores the correspondence between telephone numbers and terminals, so the first terminal can determine the corresponding second terminal according to the telephone number entered by the user. It should be noted that if the user enters several telephone numbers, the first terminal can correspondingly determine several second terminals.
204. The first terminal sends a short message to the second terminal;
Having determined the second terminal, the first terminal can send a short message to the second terminal over the wireless network. The format of this short message may be the same as that of a short message in a conventional wireless communication network, and the transmission method may also be the same, so they are not described further here.
In this embodiment, the short message carries the cryptographic parameters, VPN configuration information and tunnel parameters acquired by the first terminal.
205. The second terminal configures its VPN according to the VPN configuration information and generates a public key and a private key according to the cryptographic parameters;
After receiving the short message sent by the first terminal, the second terminal extracts the cryptographic parameters, VPN configuration information and tunnel parameters from it; it can then configure its local VPN according to the VPN configuration information and generate a public key and a private key according to the cryptographic parameters.
It should be noted that in this embodiment the process by which the second terminal configures its local VPN according to the VPN configuration information may be: the values of the parameters in the VPN configuration information are inserted into the corresponding local parameters.
In this embodiment, the process by which the second terminal generates the public key and private key from the cryptographic parameters is the same as the process used by the first terminal, and the algorithm used is also the same; that is, the public key and private key generated by the first terminal should correspond to the public key and private key generated by the second terminal.
206. The first terminal and the second terminal establish an IKE transmission channel;
In this embodiment, after the second terminal has configured its local VPN, the first terminal and the second terminal can negotiate IKE Security Association (SA) parameters using the Internet Key Exchange (IKE) protocol to establish the IKE transmission channel.
The process by which the first terminal and the second terminal negotiate IKE SA parameters using the IKE protocol is common knowledge to those skilled in the art and is not limited here.
207. The first terminal and the second terminal establish the IPsec tunnel according to the tunnel parameters;
After the IKE transmission channel between the first terminal and the second terminal has been established, the first terminal and the second terminal can negotiate IPsec SA parameters through this IKE transmission channel according to the tunnel parameters, in order to establish the IPsec tunnel.
In this embodiment, the tunnel parameters may include the encryption algorithm or authentication algorithm supported by the first terminal, the key lifetime, the data access policy and similar information.
The second terminal can negotiate with the first terminal according to the information it supports locally, so as to determine the IPsec SA parameters supported by both the first terminal and the second terminal, specifically including: which IPsec protocol to use (for example AH or ESP), which hash algorithm to use (for example MD5 or SHA), which encryption algorithm to use (for example DES or 3DES), and so on.
Once the IPsec SA parameter negotiation is complete, the first terminal and the second terminal have established the IPsec tunnel between them.
208. A Dynamic Host Configuration Protocol (DHCP) server allocates intranet addresses to the first terminal and the second terminal;
After the first terminal and the second terminal have established the IPsec tunnel, they can send address allocation requests to the DHCP server; after receiving the requests sent by the first terminal and the second terminal, the DHCP server can dynamically allocate intranet addresses to them.
It should be noted that in this embodiment, if the first terminal and the second terminal have fixed intranet addresses configured locally, dynamic allocation by the DHCP server is not needed.
209. The first terminal and the second terminal transmit data through the IPsec tunnel using the public key and private key.
After the IPsec tunnel has been established, the first terminal and the second terminal can transmit data through this IPsec tunnel using the public keys and private keys each generated earlier, thereby realizing VPN networking between the first terminal and the second terminal.
When the first terminal or the second terminal needs to send data, it can encrypt the plaintext data with the public key before sending; when the first terminal or the second terminal receives data, it can decrypt the data with the private key and then process it.
It should be noted that in practical applications the second terminal may be a single terminal or a class of terminals; the specific number is not limited here.
In this embodiment, when the VPN networking condition is satisfied, the first terminal can actively send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal, so that the second terminal configures its local VPN according to the VPN configuration information and an IPsec tunnel can be established between the first terminal and the second terminal, thereby realizing VPN networking between them. Therefore, in the scheme of the embodiment of the invention, automatic VPN networking can be realized between terminals without an administrator manually carrying out the VPN networking on each terminal, which improves the flexibility of VPN networking;
Secondly, in this embodiment the first terminal can send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal by short message, so no wired connection is needed between the first terminal and the second terminal and the VPN can be set up over a wireless connection, which further improves the flexibility of VPN networking;
Thirdly, in this embodiment the first terminal and the second terminal first establish the IKE transmission channel before establishing the IPsec tunnel, and then establish the IPsec tunnel on the basis of this IKE transmission channel; because the IKE transmission channel can provide identity-based protection, the security of establishing the IPsec tunnel is effectively improved.
The VPN networking method in the embodiment of the invention has been described above from the perspective of the interaction between the first device and the second device; it is described below from the perspective of the first device. Referring to Fig. 3, another embodiment of the VPN networking method in this embodiment comprises:
301~304. Identical to steps 201 to 204 described in the embodiment shown in Fig. 2 and not repeated here.
305. The first terminal negotiates IKE SA parameters with the second terminal using the IKE protocol to establish the IKE transmission channel;
In this embodiment, after the first terminal has sent the short message to the second terminal, the first terminal can negotiate IKE SA parameters with the second terminal using the IKE protocol to establish the IKE transmission channel.
The process by which the first terminal negotiates IKE SA parameters with the second terminal using the IKE protocol to establish the IKE transmission channel is common knowledge to those skilled in the art and is not specifically limited here.
306. The first terminal negotiates IPsec SA parameters with the second terminal through the IKE transmission channel according to the tunnel parameters, to establish the IPsec tunnel;
After the IKE transmission channel between the first terminal and the second terminal has been established, the first terminal and the second terminal can negotiate IPsec SA parameters through this IKE transmission channel according to the tunnel parameters, in order to establish the IPsec tunnel.
In this embodiment, the tunnel parameters may include the encryption algorithm or authentication algorithm supported by the first terminal, the key lifetime, the data access policy and similar information.
The first terminal can negotiate with the second terminal so as to determine the IPsec SA parameters supported by both the first terminal and the second terminal, specifically including: which IPsec protocol to use (for example AH or ESP), which hash algorithm to use (for example MD5 or SHA), which encryption algorithm to use (for example DES or 3DES), and so on.
Once the IPsec SA parameter negotiation is complete, the first terminal and the second terminal have established the IPsec tunnel between them.
307. The first terminal transmits data with the second terminal through the IPsec tunnel using the public key and private key.
After the IPsec tunnel has been established, the first terminal and the second terminal can transmit data through this IPsec tunnel using the public keys and private keys each generated earlier, thereby realizing VPN networking between the first terminal and the second terminal.
When the first terminal needs to send data, it can encrypt the plaintext data with the public key before sending; when the first terminal receives data, it can decrypt the data with the private key and then process it.
In this embodiment, when the VPN networking condition is satisfied, the first terminal can actively send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal, so that the second terminal configures its local VPN according to the VPN configuration information and an IPsec tunnel can be established between the first terminal and the second terminal, thereby realizing VPN networking between them. Therefore, in the scheme of the embodiment of the invention, automatic VPN networking can be realized between terminals without an administrator manually carrying out the VPN networking on each terminal, which improves the flexibility of VPN networking;
Secondly, in this embodiment the first terminal can send the cryptographic parameters, VPN configuration information and tunnel parameters to the second terminal by short message, so no wired connection is needed between the first terminal and the second terminal and the VPN can be set up over a wireless connection, which further improves the flexibility of VPN networking.
Above embodiment shown in Figure 3 from the angle of first equipment VPN network-building method the embodiment of the invention is described, angle from second equipment is described the VPN network-building method the embodiment of the invention below, see also Fig. 4, another embodiment of VPN network-building method comprises in the present embodiment:
401, second terminal receives the cryptographic parameter that first terminal sends, VPN configuration information and parameters for tunnel;
In the present embodiment, second terminal can receive cryptographic parameter from first terminal, and VPN configuration information and parameters for tunnel, these information can be carried in the short message of first terminal transmission, second terminal can extract cryptographic parameter by this short message, VPN configuration information and parameters for tunnel.
402, second terminal is disposed the VPN of second terminal according to the VPN configuration information, and generates PKI and private key according to cryptographic parameter;
Second terminal after receiving the short message that first terminal sends, cryptographic parameter in therefrom extracting, VPN configuration information and parameters for tunnel can be disposed local VPN according to this VPN configuration information afterwards, and can be generated PKI and private key according to cryptographic parameter.
Need to prove, in the present embodiment, second terminal according to the VPN configuration information dispose local VPN process can for: the value of the parameters in the VPN configuration information is inserted in the local corresponding parameter.
In the present embodiment, second terminal generates PKI and private key according to cryptographic parameter process is consistent according to the process that cryptographic parameter generates PKI and private key with first terminal, the algorithm that adopts is also consistent, i.e. the PKI of first terminal generation should be corresponding with PKI and private key that second terminal generates with private key.
403, second terminal utilizes the IKE agreement and first terminal to consult IKE SA parameter to set up the IKE transmission channel;
In the present embodiment, second terminal is after having disposed local VPN, and first terminal and second terminal can utilize IKE protocol negotiation IKE SA parameter to set up the IKE transmission channel.
First terminal and second terminal are utilized the common practise of the process of IKE protocol negotiation IKE SA parameter for those skilled in the art, specifically do not limit herein.
404. Through the IKE transmission channel, the second terminal negotiates IPsec SA parameters with the first terminal according to the tunnel parameters, so as to establish an IPsec tunnel.
After the IKE transmission channel between the first terminal and the second terminal has been established, the first terminal and the second terminal can negotiate IPsec SA parameters through this IKE transmission channel according to the tunnel parameters, so as to establish the IPsec tunnel.
In this embodiment, the tunnel parameters may include the encryption algorithms or authentication algorithms supported by the first terminal, the lifetime of keys, data access policies and similar information.
The second terminal negotiates with the first terminal according to the information it supports locally, and thereby determines the IPsec SA parameters supported by both the first terminal and the second terminal. Specifically, these include: which IPsec protocol to use (for example AH or ESP), which hash algorithm to use (for example MD5 or SHA), which encryption algorithm to use (for example DES or 3DES), and so on.
Once the negotiation of IPsec SA parameters is complete, the first terminal and the second terminal have established the IPsec tunnel between them.
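The selection described above is left by the patent to the IKE negotiation itself. As an added illustration that is not part of the patent text or of any product, the following Python models the tunnel parameters of both terminals and lets the responder compute the common IPsec SA parameters. The preference orders (ESP over AH, SHA over MD5, 3DES over DES), the rule that the shorter key lifetime wins, and the intersection of access policies are assumptions made for this example; the sample parameters are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Option lists in preference order, strongest first. This ordering is an
# assumption for the example; the page only names the candidate algorithms.
PROTOCOL_PREFERENCE = ["ESP", "AH"]
HASH_PREFERENCE = ["SHA", "MD5"]
CIPHER_PREFERENCE = ["3DES", "DES"]


@dataclass
class TunnelParameters:
    """Tunnel parameters sent by the first terminal, or held locally by the second."""
    protocols: set                      # IPsec protocols supported, e.g. {"ESP", "AH"}
    hashes: set                         # hash / integrity algorithms supported
    ciphers: set                        # encryption algorithms supported
    key_lifetime_s: int                 # longest SA lifetime this terminal accepts
    access_policy: set = field(default_factory=set)  # subnets this terminal allows


def _pick(preference, offered, supported):
    """First option in preference order that both sides support, else None."""
    for option in preference:
        if option in offered and option in supported:
            return option
    return None


def negotiate_ipsec_sa(initiator: TunnelParameters,
                       responder: TunnelParameters) -> Optional[dict]:
    """Responder-side negotiation of the common IPsec SA parameters.

    Returns None when some category has no common choice; the caller must treat
    that as a failed negotiation rather than fall back to an option one side
    never offered.
    """
    protocol = _pick(PROTOCOL_PREFERENCE, initiator.protocols, responder.protocols)
    hash_alg = _pick(HASH_PREFERENCE, initiator.hashes, responder.hashes)
    if protocol is None or hash_alg is None:
        return None
    cipher = None
    if protocol == "ESP":
        # AH gives integrity only; a cipher is needed only when ESP is chosen.
        cipher = _pick(CIPHER_PREFERENCE, initiator.ciphers, responder.ciphers)
        if cipher is None:
            return None
    return {
        "protocol": protocol,
        "hash": hash_alg,
        "cipher": cipher,
        # neither side keeps keys longer than it is willing to
        "key_lifetime_s": min(initiator.key_lifetime_s, responder.key_lifetime_s),
        # traffic is allowed only where both policies permit it
        "access_policy": initiator.access_policy & responder.access_policy,
    }


# Constructed sample parameters for a first terminal and a second terminal.
FIRST_TERMINAL = TunnelParameters(
    protocols={"ESP", "AH"}, hashes={"SHA", "MD5"}, ciphers={"3DES", "DES"},
    key_lifetime_s=3600, access_policy={"10.1.0.0/16", "10.2.0.0/16"},
)
SECOND_TERMINAL = TunnelParameters(
    protocols={"ESP"}, hashes={"SHA"}, ciphers={"3DES", "DES"},
    key_lifetime_s=1800, access_policy={"10.1.0.0/16", "10.3.0.0/16"},
)


def demo():
    """Run the negotiation on the constructed sample and return the chosen SA."""
    return negotiate_ipsec_sa(FIRST_TERMINAL, SECOND_TERMINAL)


if __name__ == "__main__":
    print(demo())
```

Two details carry over to any real negotiator: a category with no common option fails the negotiation outright, and a cipher is selected only when ESP is selected, since AH provides integrity without encryption. The option names follow the page; a current deployment would not offer DES or MD5 at all.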
405. Through the IPsec tunnel, the second terminal transmits data with the first terminal using the public key and the private key.
After the IPsec tunnel has been established, the first terminal and the second terminal can transmit data through this IPsec tunnel using the public key and private key that each generated earlier, thereby realizing VPN networking between the first terminal and the second terminal.
When the second terminal needs to send data, it can use the public key to encrypt the plaintext data before sending it; when the second terminal receives data, it can use the private key to decrypt the data and then process it.
It should be noted that in practical applications the second terminal may be a single terminal or a class of terminals; the specific number is not limited herein.
In this embodiment, when the VPN networking condition is satisfied, the second terminal can receive the cryptographic parameter, VPN configuration information and tunnel parameters that the first terminal actively sends, can therefore configure its local VPN according to the VPN configuration information, and can establish the IPsec tunnel between the first terminal and the second terminal, thereby realizing VPN networking between the first terminal and the second terminal. Hence, in the solution of the embodiment of the present invention, automatic VPN networking between terminals can be realized without an operator manually carrying out VPN networking on each terminal, which improves the flexibility of VPN networking.
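The page does not fix how the public key and private key are generated from the cryptographic parameter, only that both terminals run the same process with the same algorithm and obtain corresponding keys. As an added example, not taken from the patent or from any implementation, the following Python instantiates that with textbook RSA whose prime search is driven by a pseudo-random generator seeded from the parameter; it then performs the encrypt-with-public-key, decrypt-with-private-key exchange of step 405. The derivation, the seed label, the key size and the use of unpadded RSA are assumptions made for illustration, and the parameter value is constructed.

```python
import hashlib
import math
import random

# Constructed domain-separation label for the seed (assumption for this example).
KDF_LABEL = b"vpn-networking-keypair-v1"
SMALL_PRIMES = [p for p in range(3, 200)
                if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; witnesses come from the seeded RNG so the derivation stays deterministic."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(rng: random.Random, bits: int) -> int:
    """Draw odd candidates with the top bit set until one passes the primality test."""
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate, rng):
            return candidate


def derive_keypair(cryptographic_parameter: bytes, modulus_bits: int = 512):
    """Derive an RSA key pair deterministically from the shared cryptographic parameter.

    Both terminals call this with the same parameter and obtain the same pair, so
    the private key is exactly as secret as the parameter that was sent over.
    Requires Python 3.8+ for pow(e, -1, phi).
    """
    seed = hashlib.sha256(KDF_LABEL + cryptographic_parameter).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    e = 65537
    while True:
        p = _gen_prime(rng, modulus_bits // 2)
        q = _gen_prime(rng, modulus_bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)          # (public key, private key)


def encrypt(public_key, plaintext: bytes) -> int:
    """Textbook RSA without padding, used only to show the role of the public key."""
    n, e = public_key
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for this modulus")
    return pow(m, e, n)


def decrypt(private_key, ciphertext: int) -> bytes:
    """Recover the plaintext with the private key (leading zero bytes are not preserved)."""
    n, d = private_key
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def demo():
    """Both terminals derive keys from one constructed parameter and exchange a message."""
    parameter = b"constructed-cryptographic-parameter"   # what the short message carries
    pub_first, priv_first = derive_keypair(parameter)     # first terminal
    pub_second, priv_second = derive_keypair(parameter)   # second terminal, same input
    data = b"VPN payload"
    ciphertext = encrypt(pub_second, data)     # second terminal encrypts with the public key
    recovered = decrypt(priv_first, ciphertext)  # first terminal decrypts with the private key
    return pub_first == pub_second, priv_first == priv_second, recovered == data


if __name__ == "__main__":
    print(demo())
```

Because the whole key pair is a deterministic function of the parameter, the derivation gives the receiving side the right key but adds no confidentiality beyond what the delivery channel provides. Unpadded RSA is used only to make the two key roles visible; a deployment would use a padded scheme.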
The communication system of the embodiment of the present invention is described below. Referring to Fig. 5, the communication system embodiment of the present invention comprises:
a first terminal 501, configured to obtain, when the VPN networking condition is satisfied, a cryptographic parameter and locally preset VPN configuration information and tunnel parameters, to generate a public key and a private key according to the cryptographic parameter, and to send the cryptographic parameter, the VPN configuration information and the tunnel parameters to a second terminal 502;
a second terminal 502, configured to configure the VPN of the second terminal according to the VPN configuration information, and to generate a public key and a private key according to the cryptographic parameter;
the first terminal 501 and the second terminal 502 are further configured to establish an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters, and to transmit data through the IPsec tunnel using the public key and the private key.
In this embodiment, the first terminal 501 is further configured to receive a telephone number input by a user and to look up the corresponding second terminal 502 according to the telephone number in a preset correspondence relationship.
For ease of understanding, the communication system of this embodiment is described in detail below with a specific application scenario.
In this embodiment, when the VPN networking condition is satisfied, the first terminal 501 can obtain the preset VPN configuration information locally, and can obtain the cryptographic parameter and the tunnel parameters.
The VPN configuration information is used to configure the local VPN and may specifically include the VPN networking structure, the data transport protocol, the server address and similar information; this is common knowledge to those skilled in the art and is not limited herein.
The cryptographic parameter is used to generate the public key and private key, and may be input by the user or configured locally in the first terminal.
The tunnel parameters are used to establish the IPsec tunnel and may include the information needed for tunnel establishment, for example encryption algorithms or authentication algorithms, the lifetime of keys, data access policies and so on.
After obtaining the above information, the first terminal 501 can generate a public key and a private key according to the cryptographic parameter; the public key is used to encrypt data to be sent and the private key is used to decrypt received data. The specific process of generating a public key and a private key from a cryptographic parameter is common knowledge to those skilled in the art and is not limited herein.
After obtaining the above information, the first terminal 501 can send the obtained cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal 502.
The second terminal 502 may be determined according to a telephone number input by the user, or according to locally fixed configuration information. For example, an identifier of the second terminal 502 may be pre-configured in the first terminal 501, in which case the first terminal 501 can automatically send the cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal 502 according to this identifier, without the user manually entering a telephone number.
After determining the second terminal 502, the first terminal 501 can send a short message to the second terminal 502 over the wireless network. This short message may have the same format as a short message in a conventional wireless communication network, and the transmission method may also be the same; this is not repeated here.
In this embodiment, the short message carries the cryptographic parameter, VPN configuration information and tunnel parameters obtained by the first terminal.
After receiving the short message sent by the first terminal 501, the second terminal 502 extracts the cryptographic parameter, VPN configuration information and tunnel parameters from it, and can then configure its local VPN according to the VPN configuration information and generate a public key and a private key according to the cryptographic parameter.
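The patent states that the short message has the format of an ordinary SMS and carries the three items, but does not define how they are laid out in the message body. The following Python is an added example, not from the patent or any product, that defines one possible compact layout, packs the items on the first terminal side and validates and unpacks them on the second terminal side. The field layout, the 160-character single-segment limit, the field names and the sample values are all assumptions made for this example.

```python
# Constructed wire format for the short message body (assumption for this example):
#   VPNCFG1;k=<hex parameter>;s=<structure>;p=<transport protocol>;a=<server>;
#           t=<ipsec protocols>;h=<hashes>;c=<ciphers>;l=<key lifetime seconds>
MAGIC = "VPNCFG1"
FIELD_SEP = ";"
LIST_SEP = ","
SMS_MAX_CHARS = 160            # one GSM-7 segment; concatenated SMS is not assumed here
REQUIRED_FIELDS = {"k", "s", "p", "a", "t", "h", "c", "l"}


def encode_sms(cryptographic_parameter: bytes, vpn_config: dict, tunnel_params: dict) -> str:
    """First terminal side: pack the three items into one short message body."""
    fields = {
        "k": cryptographic_parameter.hex(),
        "s": vpn_config["structure"],                 # VPN networking structure
        "p": vpn_config["transport_protocol"],        # data transport protocol
        "a": vpn_config["server_address"],            # server address
        "t": LIST_SEP.join(sorted(tunnel_params["protocols"])),
        "h": LIST_SEP.join(sorted(tunnel_params["hashes"])),
        "c": LIST_SEP.join(sorted(tunnel_params["ciphers"])),
        "l": str(int(tunnel_params["key_lifetime_s"])),
    }
    for key, value in fields.items():
        if FIELD_SEP in value or "=" in value:
            raise ValueError(f"field {key!r} contains a delimiter")
    body = FIELD_SEP.join([MAGIC] + [f"{k}={v}" for k, v in fields.items()])
    if len(body) > SMS_MAX_CHARS:
        raise ValueError(f"payload is {len(body)} chars, over the {SMS_MAX_CHARS}-char limit")
    return body


def decode_sms(body: str):
    """Second terminal side: validate the message and extract the three items.

    Anything that is not a complete, well-formed configuration message is rejected,
    so a stray or truncated SMS cannot reconfigure the VPN with partial data.
    """
    if len(body) > SMS_MAX_CHARS:
        raise ValueError("message longer than a single SMS segment")
    parts = body.split(FIELD_SEP)
    if parts[0] != MAGIC:
        raise ValueError("not a VPN configuration message")
    fields = {}
    for part in parts[1:]:
        key, sep, value = part.partition("=")
        if not sep or key in fields or key not in REQUIRED_FIELDS:
            raise ValueError(f"malformed, duplicate or unexpected field {part!r}")
        fields[key] = value
    missing = REQUIRED_FIELDS - fields.keys()
    if missing:
        raise ValueError(f"missing fields: {sorted(missing)}")
    try:
        parameter = bytes.fromhex(fields["k"])
    except ValueError:
        raise ValueError("cryptographic parameter is not valid hex") from None
    if not parameter or not fields["l"].isdigit() or int(fields["l"]) <= 0:
        raise ValueError("empty parameter or non-positive key lifetime")
    vpn_config = {
        "structure": fields["s"],
        "transport_protocol": fields["p"],
        "server_address": fields["a"],
    }
    tunnel_params = {
        "protocols": set(fields["t"].split(LIST_SEP)),
        "hashes": set(fields["h"].split(LIST_SEP)),
        "ciphers": set(fields["c"].split(LIST_SEP)),
        "key_lifetime_s": int(fields["l"]),
    }
    return parameter, vpn_config, tunnel_params


# Constructed sample values (not from the page).
SAMPLE_PARAMETER = bytes.fromhex("00112233445566778899aabbccddeeff")
SAMPLE_VPN_CONFIG = {"structure": "hub-spoke", "transport_protocol": "UDP",
                     "server_address": "vpn.example.net"}
SAMPLE_TUNNEL = {"protocols": {"ESP", "AH"}, "hashes": {"SHA", "MD5"},
                 "ciphers": {"3DES", "DES"}, "key_lifetime_s": 3600}


def demo():
    """Pack the sample on the sending side and unpack it on the receiving side."""
    body = encode_sms(SAMPLE_PARAMETER, SAMPLE_VPN_CONFIG, SAMPLE_TUNNEL)
    return body, decode_sms(body)


if __name__ == "__main__":
    print(demo())
```

The receiving side fails closed: unknown or duplicate fields, a missing field, a bad hex parameter or a non-positive lifetime all reject the message, since the parsed values go straight into the local VPN configuration and key derivation.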
In this embodiment, after the second terminal 502 has configured its local VPN, the first terminal 501 and the second terminal 502 can negotiate IKE SA parameters using the IKE protocol, so as to establish an IKE transmission channel.
After the IKE transmission channel has been established, the first terminal 501 and the second terminal 502 can negotiate IPsec SA parameters through this IKE transmission channel according to the tunnel parameters, so as to establish the IPsec tunnel. The specific establishment process is the same as the establishment process described in the embodiment shown in Fig. 2 above and is not repeated here.
Once the first terminal 501 and the second terminal 502 have established the IPsec tunnel, they can send address assignment requests to a DHCP server; after receiving the requests sent by the first terminal 501 and the second terminal 502, the DHCP server can dynamically assign internal network addresses to the first terminal 501 and the second terminal 502.
It should be noted that, in this embodiment, if the first terminal 501 and the second terminal 502 have fixed internal network addresses configured locally, dynamic assignment by a DHCP server is not required.
After the IPsec tunnel has been established, the first terminal 501 and the second terminal 502 can transmit data through this IPsec tunnel using the public key and private key that each generated earlier, thereby realizing VPN networking between the first terminal 501 and the second terminal 502.
When the first terminal 501 or the second terminal 502 needs to send data, it can use the public key to encrypt the plaintext data before sending it; when the first terminal 501 or the second terminal 502 receives data, it can use the private key to decrypt the data and then process it.
It should be noted that in practical applications the second terminal 502 may be a single terminal or a class of terminals; the specific number is not limited herein.
In this embodiment, firstly, when the VPN networking condition is satisfied, the first terminal 501 can actively send the cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal 502, so that the second terminal 502 configures its local VPN according to the VPN configuration information and the IPsec tunnel between the first terminal 501 and the second terminal 502 can be established, thereby realizing VPN networking between the first terminal 501 and the second terminal 502. Hence, in the solution of the embodiment of the present invention, automatic VPN networking between terminals can be realized without an operator manually carrying out VPN networking on each terminal, which improves the flexibility of VPN networking.
Secondly, in this embodiment, the first terminal 501 can send the cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal 502 by short message, so that no wired connection is required between the first terminal 501 and the second terminal 502 and the VPN can be established over a wireless connection, which further improves the flexibility of VPN networking.
Thirdly, in this embodiment, the first terminal 501 and the second terminal 502 first establish an IKE transmission channel before establishing the IPsec tunnel, and then establish the IPsec tunnel on the basis of this IKE transmission channel. Because the IKE transmission channel provides identity-based protection, the security of establishing the IPsec tunnel is effectively improved.
The terminal device embodiment of the present invention is introduced below. Referring to Fig. 6, the terminal device embodiment of the present invention comprises:
an acquiring unit 601, configured to obtain a cryptographic parameter and locally preset VPN configuration information and tunnel parameters;
a first generation unit 602, configured to generate a public key and a private key according to the cryptographic parameter;
a transmitting unit 603, configured to send the cryptographic parameter, the VPN configuration information and the tunnel parameters to a second terminal device;
a first establishing unit 604, configured to establish an IPsec tunnel with the second terminal device according to the tunnel parameters obtained by the acquiring unit 601;
a first transmission unit 605, configured to transmit data with the second terminal device through the IPsec tunnel using the public key and the private key.
The terminal device in this embodiment may further comprise:
a query unit 606, configured to look up the corresponding second terminal device according to a telephone number input by the user in a preset correspondence relationship.
For ease of understanding, the terminal device of this embodiment is described in detail below with a specific application scenario.
In this embodiment, when the VPN networking condition is satisfied, the acquiring unit 601 can obtain the preset VPN configuration information locally, and can obtain the cryptographic parameter and the tunnel parameters.
After the acquiring unit 601 has obtained the above information, the first generation unit 602 can generate a public key and a private key according to the cryptographic parameter; the public key is used to encrypt data to be sent and the private key is used to decrypt received data. The specific process of generating a public key and a private key from a cryptographic parameter is common knowledge to those skilled in the art and is not limited herein.
After the above information has been obtained, the transmitting unit 603 can send the obtained cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal device.
It should be noted that the second terminal device may be obtained by the query unit 606 through a lookup according to a telephone number input by the user.
In this embodiment, the transmitting unit 603 sends this information in a short message, which carries the cryptographic parameter, VPN configuration information and tunnel parameters obtained by the acquiring unit 601.
In this embodiment, after the transmitting unit 603 has sent the short message to the second terminal device, the first establishing unit 604 can negotiate IKE SA parameters with the second terminal device using the IKE protocol to establish an IKE transmission channel, and can then negotiate IPsec SA parameters with the second terminal device through this IKE transmission channel according to the tunnel parameters, so as to establish the IPsec tunnel.
After the IPsec tunnel has been established, the first transmission unit 605 can transmit data with the second terminal device through this IPsec tunnel using the public key and private key generated earlier, thereby realizing VPN networking between the first terminal device and the second terminal device.
In this embodiment, firstly, when the VPN networking condition is satisfied, the transmitting unit 603 actively sends the cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal device, so that the second terminal device configures its local VPN according to the VPN configuration information, and the first establishing unit 604 can establish the IPsec tunnel with the second terminal device, thereby realizing VPN networking between the first terminal device and the second terminal device. Hence, in the solution of the embodiment of the present invention, automatic VPN networking between terminals can be realized without an operator manually carrying out VPN networking on each terminal, which improves the flexibility of VPN networking.
Secondly, in this embodiment, the transmitting unit 603 can send the cryptographic parameter, VPN configuration information and tunnel parameters to the second terminal device by short message, so that no wired connection is required between the first terminal device and the second terminal device and the VPN can be established over a wireless connection, which further improves the flexibility of VPN networking.
The terminal device described in the foregoing embodiment may be the first terminal device in practical applications. Another terminal device embodiment of the present invention is introduced below; the terminal device in this embodiment may be the second terminal device in practical applications. Referring to Fig. 7, this other terminal device embodiment of the present invention comprises:
a receiving unit 701, configured to receive a cryptographic parameter, VPN configuration information and tunnel parameters sent by a first terminal device;
a deployment unit 702, configured to configure the local VPN according to the VPN configuration information;
a second generation unit 703, configured to generate a public key and a private key according to the cryptographic parameter;
a second establishing unit 704, configured to establish an IPsec tunnel with the first terminal device according to the tunnel parameters;
a second transmission unit 705, configured to transmit data with the first terminal device through the IPsec tunnel using the public key and the private key.
For ease of understanding, the terminal device of this embodiment is described in detail below with a specific application scenario.
In this embodiment, the receiving unit 701 can receive the cryptographic parameter, VPN configuration information and tunnel parameters from the first terminal device. This information may be carried in a short message sent by the first terminal device, from which the receiving unit 701 can extract the cryptographic parameter, VPN configuration information and tunnel parameters.
After the receiving unit 701 has received the short message sent by the first terminal device and extracted the cryptographic parameter, VPN configuration information and tunnel parameters from it, the deployment unit 702 can configure the local VPN according to the VPN configuration information, and the second generation unit 703 can generate a public key and a private key according to the cryptographic parameter.
In this embodiment, after the deployment unit 702 has configured the local VPN, the second establishing unit 704 can negotiate IKE SA parameters with the first terminal device using the IKE protocol to establish an IKE transmission channel, and can then negotiate IPsec SA parameters with the first terminal device through this IKE transmission channel according to the tunnel parameters, so as to establish the IPsec tunnel.
After the IPsec tunnel has been established, the second transmission unit 705 can transmit data with the first terminal device through this IPsec tunnel using the public key and private key generated earlier, thereby realizing VPN networking between the first terminal device and the second terminal device.
In this embodiment, when the VPN networking condition is satisfied, the receiving unit 701 can receive the cryptographic parameter, VPN configuration information and tunnel parameters that the first terminal device actively sends, so that the deployment unit 702 can configure the local VPN according to the VPN configuration information and the second establishing unit 704 can establish the IPsec tunnel between the first terminal device and the second terminal device, thereby realizing VPN networking between the first terminal device and the second terminal device. Hence, in the solution of the embodiment of the present invention, automatic VPN networking between terminal devices can be realized without an operator manually carrying out VPN networking on each terminal device, which improves the flexibility of VPN networking.
One of ordinary skill in the art will appreciate that all or part of the steps of the methods in the foregoing embodiments may be completed by a program instructing the relevant hardware. The program may be stored in a computer-readable storage medium, which may be a read-only memory, a magnetic disk, an optical disc or the like.
The virtual private network networking method, communication system and related devices provided by the present invention have been described in detail above. For one of ordinary skill in the art, the specific embodiments and the scope of application may vary according to the ideas of the embodiments of the present invention. In summary, the contents of this description should not be construed as limiting the present invention.
Claims (13)
1. A virtual private network (VPN) networking method, characterized in that it comprises:
a first terminal obtaining a cryptographic parameter and locally preset VPN configuration information and tunnel parameters;
the first terminal generating a public key and a private key according to the cryptographic parameter;
the first terminal sending the cryptographic parameter, the VPN configuration information and the tunnel parameters to a second terminal, so that the second terminal configures the VPN of the second terminal according to the VPN configuration information and generates a public key and a private key according to the cryptographic parameter;
the first terminal and the second terminal establishing an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters;
the first terminal and the second terminal transmitting data through the IPsec tunnel using the public key and the private key.
2. The method according to claim 1, characterized in that the first terminal and the second terminal establishing an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters comprises:
the first terminal and the second terminal negotiating Internet Key Exchange (IKE) security association (SA) parameters using the IKE protocol, so as to establish an IKE transmission channel;
the first terminal and the second terminal negotiating IPsec SA parameters through the IKE transmission channel according to the tunnel parameters, so as to establish the IPsec tunnel.
3. The method according to claim 1 or 2, characterized in that the cryptographic parameter is pre-configured locally or is input by a user.
4. The method according to claim 1 or 2, characterized in that the first terminal sending the cryptographic parameter, the VPN configuration information and the tunnel parameters to the second terminal comprises:
the first terminal sending a short message to the second terminal, the short message carrying the cryptographic parameter, the VPN configuration information and the tunnel parameters.
5. The method according to claim 1 or 2, characterized in that, before the first terminal sends the cryptographic parameter, the VPN configuration information and the tunnel parameters to the second terminal, the method further comprises:
the first terminal receiving a telephone number input by a user;
the first terminal looking up the corresponding second terminal according to the telephone number in a preset correspondence relationship.
6. A VPN networking method, characterized in that it comprises:
a second terminal receiving a cryptographic parameter, VPN configuration information and tunnel parameters sent by a first terminal;
the second terminal configuring the VPN of the second terminal according to the VPN configuration information, and generating a public key and a private key according to the cryptographic parameter;
the second terminal establishing an IPsec tunnel with the first terminal according to the tunnel parameters;
the second terminal transmitting data with the first terminal through the IPsec tunnel using the public key and the private key.
7. The method according to claim 6, characterized in that the second terminal establishing an IPsec tunnel with the first terminal according to the tunnel parameters comprises:
the second terminal negotiating IKE SA parameters with the first terminal using the IKE protocol, so as to establish an IKE transmission channel;
the second terminal negotiating IPsec SA parameters with the first terminal through the IKE transmission channel according to the tunnel parameters, so as to establish the IPsec tunnel.
8. The method according to claim 6 or 7, characterized in that the second terminal receiving the cryptographic parameter, VPN configuration information and tunnel parameters sent by the first terminal comprises:
the second terminal receiving a short message sent by the first terminal, the short message carrying the cryptographic parameter, the VPN configuration information and the tunnel parameters.
9. A communication system, characterized in that it comprises a first terminal and a second terminal, wherein:
the first terminal is configured to obtain a cryptographic parameter and locally preset VPN configuration information and tunnel parameters, to generate a public key and a private key according to the cryptographic parameter, and to send the cryptographic parameter, the VPN configuration information and the tunnel parameters to the second terminal;
the second terminal is configured to configure the VPN of the second terminal according to the VPN configuration information, and to generate a public key and a private key according to the cryptographic parameter;
the first terminal and the second terminal are further configured to establish an Internet Protocol Security (IPsec) tunnel according to the tunnel parameters, and to transmit data through the IPsec tunnel using the public key and the private key.
10. The communication system according to claim 9, characterized in that the first terminal is further configured to receive a telephone number input by a user and to look up the corresponding second terminal according to the telephone number in a preset correspondence relationship.
11. A terminal device, characterized in that it comprises:
an acquiring unit, configured to obtain a cryptographic parameter and locally preset VPN configuration information and tunnel parameters;
a first generation unit, configured to generate a public key and a private key according to the cryptographic parameter;
a transmitting unit, configured to send the cryptographic parameter, the VPN configuration information and the tunnel parameters to a second terminal device;
a first establishing unit, configured to establish an IPsec tunnel with the second terminal device according to the tunnel parameters;
a first transmission unit, configured to transmit data with the second terminal device through the IPsec tunnel using the public key and the private key.
12. The terminal device according to claim 11, characterized in that the terminal device further comprises:
a query unit, configured to look up the corresponding second terminal device according to a telephone number input by a user in a preset correspondence relationship.
13. A terminal device, characterized in that it comprises:
a receiving unit, configured to receive a cryptographic parameter, VPN configuration information and tunnel parameters sent by a first terminal device;
a deployment unit, configured to configure the VPN of the terminal device according to the VPN configuration information;
a second generation unit, configured to generate a public key and a private key according to the cryptographic parameter;
a second establishing unit, configured to establish an IPsec tunnel with the first terminal device according to the tunnel parameters;
a second transmission unit, configured to transmit data with the first terminal device through the IPsec tunnel using the public key and the private key.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN200910178331A CN101697522A (en) | 2009-10-16 | 2009-10-16 | Virtual private network networking method, communication system and related equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN101697522A true CN101697522A (en) | 2010-04-21 |
Family ID: 42142597
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN102611574A (en) * | 2012-02-23 | 2012-07-25 | 成都飞鱼星科技开发有限公司 | Automatic configuration system and configuration method for VPN (Virtual Private Network) |
| CN103401751A (en) * | 2013-07-17 | 2013-11-20 | 北京星网锐捷网络技术有限公司 | Method and device for establishing IPSEC (Internet Protocol Security) tunnels |
| CN104426737A (en) * | 2013-08-30 | 2015-03-18 | 杭州华三通信技术有限公司 | Method and device for realizing DVPN (Dynamic Virtual Private Network) link layer communication |
| CN104426737B (en) * | 2013-08-30 | 2018-01-12 | 新华三技术有限公司 | A kind of method and apparatus for realizing Dynamic VPN network link layer communications |
| WO2016124016A1 (en) * | 2015-02-05 | 2016-08-11 | 华为技术有限公司 | Ipsec acceleration method, device and system |
| CN105991562A (en) * | 2015-02-05 | 2016-10-05 | 华为技术有限公司 | IPSec acceleration method, apparatus and system |
| US11729042B2 (en) | 2015-02-05 | 2023-08-15 | Huawei Technologies Co., Ltd. | IPSec acceleration method, apparatus, and system |
| US11063812B2 (en) | 2015-02-05 | 2021-07-13 | Huawei Technologies Co., Ltd. | Ipsec acceleration method, apparatus, and system |
| CN108353076B (en) * | 2015-11-03 | 2021-02-02 | 高通股份有限公司 | Method and apparatus for Internet Key Exchange (IKE) |
| CN108353076A (en) * | 2015-11-03 | 2018-07-31 | 高通股份有限公司 | Internet Key Exchange (IKE) for security associations between devices |
| CN105610667A (en) * | 2015-12-23 | 2016-05-25 | 深圳市华成峰实业有限公司 | Method and device for establishing channel of virtual private network |
| CN105610667B (en) * | 2015-12-23 | 2019-01-25 | 深圳市华云中盛科技有限公司 | The method and apparatus for establishing Virtual Private Network channel |
| CN109088883B (en) * | 2018-09-21 | 2021-01-15 | 北京天融信网络安全技术有限公司 | Multi-subnet networking method and device, storage medium and computer equipment |
| CN109088883A (en) * | 2018-09-21 | 2018-12-25 | 北京天融信网络安全技术有限公司 | A kind of network-building method of plurality of subnets, device, storage medium and computer equipment |
| CN115766045A (en) * | 2021-09-02 | 2023-03-07 | 中车株洲电力机车研究所有限公司 | Communication channel establishing method, device, storage medium and electronic equipment |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C12 | Rejection of a patent application after its publication | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20100421 |