CN105471827A - Message transmission method and device - Google Patents
Message transmission method and device
- Publication number: CN105471827A (application CN201410449119.7A)
- Authority: CN (China)
- Prior art keywords: message, cpe, virtual router, address, encapsulation
- Legal status: Granted (Google's estimate of the legal status, not a legal conclusion)
- Landscapes: Data Exchanges In Wide-Area Networks (AREA)
Abstract
Embodiments of the present invention provide a message transmission method and device. The method includes: a first CPE receives a first message sent by a first device, the first message including a first source address, a first destination address and a first payload; the first source address is the address of the first device, the first destination address is the address of a second device, and the second device communicates with a second CPE; the first CPE and the second CPE store the same VPN negotiation parameters, which include a specified encryption algorithm and a shared key; the first CPE encrypts the first payload with the specified encryption algorithm and the shared key to obtain a first encrypted payload; the first CPE performs encapsulation to obtain an encapsulated message, which includes the first source address, the first destination address, a first encapsulation header and the first encrypted payload; and the first CPE sends the encapsulated message to a first VR. This scheme helps to improve the security of communication between branch networks.
Description
Technical field
The present invention relates to the field of communication technology, and in particular to a message transmission method and device.
Background
With the continued development of virtualization technology, virtual routing technology has emerged. For example, virtual routing technology can split one physical router on the enterprise network side into multiple mutually isolated virtual routers (Virtual Router, VR) and move the Layer 3 functions of the physical router up into virtual routers maintained on the operator network side; correspondingly, the enterprise network side only needs to keep and maintain customer premise equipment (Customer Premise Equipment, CPE) with simple switching functions. In practice, services such as routing and forwarding, virtual private networks (Virtual Private Network, VPN) and deep packet inspection (Deep Packet Inspection, DPI) can be provided by the VR and the CPE working together.
Take a VPN service between two enterprise branch networks, provided by a VR and a CPE working together, as an example. Referring to the network diagram in Figure 1: CPE1 in branch network 1 establishes communication with VR1 in the operator network, CPE2 in branch network 2 establishes communication with VR2 in the operator network, and a VPN tunnel is established between VR1 and VR2. In this way the VPN service between branch network 1 and branch network 2 is realized.
However, a VPN service implemented this way has the following problem: the link between the CPE and the VR cannot encrypt and protect messages, so communication between the two carries a serious security risk. The problem is even more pronounced when the VR forwards downlink messages by broadcast.
Summary of the invention
The message transmission method and device of the embodiments of the present invention help to improve the security of communication between branch networks.
To this end, the embodiments of the present invention provide the following technical solutions:
In a first aspect, a message transmission method is provided, the method comprising:
a first customer premise equipment (CPE) receives a first message sent by a first device, the first message comprising a first source address, a first destination address and a first payload; the first source address is the address of the first device and the first destination address is the address of a second device; the first CPE and the first device are located in a first branch network; the second device communicates with a second CPE, and the second device and the second CPE are located in a second branch network; the first CPE and the second CPE store the same virtual private network (VPN) negotiation parameters, the VPN negotiation parameters comprising a specified encryption algorithm and a shared key;
the first CPE encrypts the first payload using the specified encryption algorithm and the shared key to obtain a first encrypted payload;
the first CPE performs encapsulation to obtain an encapsulated message, the encapsulated message comprising the first source address, the first destination address, a first encapsulation header and the first encrypted payload;
the first CPE sends the encapsulated message to a first virtual router.
In a first possible implementation of the first aspect, the first CPE obtains the VPN negotiation parameters as follows:
the first CPE sends the encryption algorithms supported by the first CPE to the first virtual router;
the first CPE receives the VPN negotiation parameters sent by the first virtual router, the VPN negotiation parameters having been obtained through negotiation between the first virtual router and a second virtual router; the second virtual router communicates with the second CPE and can obtain the encryption algorithms supported by the second CPE, and the specified encryption algorithm is selected from the encryption algorithms supported by both the first CPE and the second CPE.
With reference to the first aspect or the first possible implementation of the first aspect, in a second possible implementation of the first aspect the method further comprises:
the first CPE receives a second message sent by the first virtual router, the second message comprising a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
the first CPE performs decapsulation to obtain a decapsulated message, the decapsulated message comprising the second source address, the second destination address and the second encrypted payload;
the first CPE decrypts the decapsulated message to obtain a decrypted message, the decrypted message comprising the second source address, the second destination address and a payload;
the first CPE sends the decrypted message to the device corresponding to the second destination address.
In a second aspect, a message transmission method is provided, the method comprising:
a first virtual router receives a first message sent by a first customer premise equipment (CPE), the first message comprising a first source address, a first destination address, a first encapsulation header and a first encrypted payload;
the first virtual router looks up a second virtual router corresponding to the first destination address, a first virtual private network (VPN) tunnel being established between the first virtual router and the second virtual router;
the first virtual router encapsulates the first message to obtain an encapsulated message, the encapsulated message comprising the public network address of the first virtual router, the public network address of the second virtual router, the encapsulation header of the first VPN tunnel, the first source address, the first destination address, the first encapsulation header and the first encrypted payload;
the first virtual router sends the encapsulated message to the second virtual router.
In a first possible implementation of the second aspect, the method further comprises:
the first virtual router receives a second message sent by a third virtual router, a second VPN tunnel being established between the first virtual router and the third virtual router, the second message comprising the public network address of the third virtual router, the public network address of the first virtual router, the encapsulation header of the second VPN tunnel, a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
the first virtual router performs decapsulation to obtain a decapsulated message, the decapsulated message comprising the second source address, the second destination address, the second encapsulation header and the second encrypted payload;
the first virtual router sends the decapsulated message to the first CPE.
In a third aspect, a message transmission device is provided, the device comprising:
a first receiving unit, configured to receive a first message sent by a first device, the first message comprising a first source address, a first destination address and a first payload; the first source address is the address of the first device and the first destination address is the address of a second device; the first device communicates with a first customer premise equipment (CPE), and the first CPE and the first device are located in a first branch network; the second device communicates with a second CPE, and the second device and the second CPE are located in a second branch network; the first CPE and the second CPE store the same virtual private network (VPN) negotiation parameters, the VPN negotiation parameters comprising a specified encryption algorithm and a shared key;
an encryption processing unit, configured to encrypt the first payload using the specified encryption algorithm and the shared key to obtain a first encrypted payload;
an encapsulation processing unit, configured to perform encapsulation to obtain an encapsulated message, the encapsulated message comprising the first source address, the first destination address, a first encapsulation header and the first encrypted payload;
a first sending unit, configured to send the encapsulated message to a first virtual router.
In a first possible implementation of the third aspect, the device further comprises:
a second sending unit, configured to send the encryption algorithms supported by the first CPE to the first virtual router;
a second receiving unit, configured to receive the VPN negotiation parameters sent by the first virtual router, the VPN negotiation parameters having been obtained through negotiation between the first virtual router and a second virtual router; the second virtual router communicates with the second CPE and can obtain the encryption algorithms supported by the second CPE, and the specified encryption algorithm is selected from the encryption algorithms supported by both the first CPE and the second CPE.
With reference to the third aspect or the first possible implementation of the third aspect, in a second possible implementation of the third aspect the device further comprises:
a third receiving unit, configured to receive a second message sent by the first virtual router, the second message comprising a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
a decapsulation processing unit, configured to perform decapsulation to obtain a decapsulated message, the decapsulated message comprising the second source address, the second destination address and the second encrypted payload;
a decryption processing unit, configured to decrypt the decapsulated message to obtain a decrypted message, the decrypted message comprising the second source address, the second destination address and a payload;
a third sending unit, configured to send the decrypted message to the device corresponding to the second destination address.
In a fourth aspect, a message transmission device is provided, the device comprising:
a first receiving unit, configured to receive a first message sent by a first customer premise equipment (CPE), the first message comprising a first source address, a first destination address, a first encapsulation header and a first encrypted payload;
a lookup unit, configured to look up a second virtual router corresponding to the first destination address, a first virtual private network (VPN) tunnel being established between a first virtual router and the second virtual router;
an encapsulation processing unit, configured to encapsulate the first message to obtain an encapsulated message, the encapsulated message comprising the public network address of the first virtual router, the public network address of the second virtual router, the encapsulation header of the first VPN tunnel, the first source address, the first destination address, the first encapsulation header and the first encrypted payload;
a first sending unit, configured to send the encapsulated message to the second virtual router.
In a first possible implementation of the fourth aspect, the device further comprises:
a second receiving unit, configured to receive a second message sent by a third virtual router, a second VPN tunnel being established between the first virtual router and the third virtual router, the second message comprising the public network address of the third virtual router, the public network address of the first virtual router, the encapsulation header of the second VPN tunnel, a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
a decapsulation processing unit, configured to perform decapsulation to obtain a decapsulated message, the decapsulated message comprising the second source address, the second destination address, the second encapsulation header and the second encrypted payload;
a second sending unit, configured to send the decapsulated message to the first CPE.
With the message transmission method and device of the embodiments of the present invention, when messages are transmitted between branch network 1 and branch network 2, CPE1 on the branch network 1 side and CPE2 on the branch network 2 side can be made to store the same VPN negotiation parameters, so that CPE1 and CPE2 can encrypt and decrypt messages using the same VPN negotiation parameters, which helps to improve the security of message transmission.
Description of the drawings
In order to explain the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for describing the embodiments or the prior art are briefly introduced below. Obviously, the drawings described below are only some of the embodiments recorded in the present application, and those of ordinary skill in the art can obtain other drawings from them.
Figure 1 is a schematic diagram of a VPN service between branch network 1 and branch network 2 as implemented in the prior art;
Figure 2 is a flow chart of Embodiment 1 of the message transmission method on the CPE side according to an embodiment of the present invention;
Figure 3 is a flow chart of establishing a VPN tunnel between CPE1 and CPE2 in an embodiment of the present invention;
Figure 4 is a flow chart of Embodiment 2 of the message transmission method on the CPE side according to an embodiment of the present invention;
Figure 5 is a flow chart of Embodiment 1 of the message transmission method on the VR side according to an embodiment of the present invention;
Figure 6 is a flow chart of Embodiment 2 of the message transmission method on the VR side according to an embodiment of the present invention;
Figure 7 is a schematic diagram of the message processing procedure in an embodiment of the present invention;
Figure 8 is a schematic diagram of Embodiment 1 of the message transmission device on the CPE side according to an embodiment of the present invention;
Figure 9 is a schematic diagram of Embodiment 2 of the message transmission device on the CPE side according to an embodiment of the present invention;
Figure 10 is a schematic diagram of Embodiment 1 of the message transmission device on the VR side according to an embodiment of the present invention;
Figure 11 is a schematic diagram of Embodiment 2 of the message transmission device on the VR side according to an embodiment of the present invention;
Figure 12 is a schematic diagram of the structure of a message transmission apparatus according to an embodiment of the present invention.
Detailed description
So that those skilled in the art may better understand the solution of the present invention, the embodiments of the present invention are described in further detail below with reference to the drawings and implementations.
As can be seen from the schematic diagram in Figure 1, when a VPN service is established between branch network 1 and branch network 2, virtual router VR1 (which communicates with customer premise equipment CPE1 in branch network 1) and VR2 (which communicates with customer premise equipment CPE2 in branch network 2) perform VPN negotiation and establish a VPN tunnel between VR1 and VR2. This secures communication between VR1 and VR2, but it cannot secure communication between CPE1 and VR1 or between CPE2 and VR2, so communication between the branch networks carries a serious security risk.
Through continued research, the inventors found that CPE1 and CPE2 can be made to store the same VPN negotiation parameters and a VPN tunnel can be established between CPE1 and CPE2, thereby securing communication between CPE1 and VR1, between VR1 and VR2, and between VR2 and CPE2.
Figure 2 shows the flow chart of Embodiment 1 of the message transmission method on the CPE side according to an embodiment of the present invention, which may include the following steps:
Step 101: a first customer premise equipment (CPE) receives a first message sent by a first device, the first message comprising a first source address, a first destination address and a first payload; the first source address is the address of the first device and the first destination address is the address of a second device; the first CPE and the first device are located in a first branch network; the second device communicates with a second CPE, and the second device and the second CPE are located in a second branch network; the first CPE and the second CPE store the same virtual private network (VPN) negotiation parameters, the VPN negotiation parameters comprising a specified encryption algorithm and a shared key.
Step 102: the first CPE encrypts the first payload using the specified encryption algorithm and the shared key to obtain a first encrypted payload.
Step 103: the first CPE performs encapsulation to obtain an encapsulated message, the encapsulated message comprising the first source address, the first destination address, a first encapsulation header and the first encrypted payload.
Step 104: the first CPE sends the encapsulated message to a first virtual router (VR).
After the first CPE and the second CPE have established a VPN tunnel using the VPN negotiation parameters that both hold, the first CPE can receive a first message sent by the first device in the first branch network and process it with the scheme provided by the embodiment of the present invention. This improves the security of communication between the first CPE and the first VR and makes it possible to transmit the first message securely between the first branch network and the second branch network. Specifically, the first CPE may apply the following two kinds of processing to the first message:
1. Encryption processing
To improve the security of the first message in transit between the first branch network and the second branch network, after receiving the first message the first CPE can encrypt the first payload of the first message with the specified encryption algorithm and the shared key from the VPN negotiation parameters, obtaining the first encrypted payload.
The specific process by which the first CPE obtains the first encrypted payload from the specified encryption algorithm and the shared key may follow existing implementations; it is not described in detail here and is not specifically limited by the embodiments of the present invention. It should be noted that before encryption the first message may comprise the first source address, the first destination address and the first payload, and after encryption it may comprise the first source address, the first destination address and the first encrypted payload. The first source address is the address of the first device, which as an example may be the IP address of the first device; the first destination address is the address of the second device, which may likewise be the IP address of the second device.
In addition, it should be noted that if the VPN negotiation parameters stored by the first CPE also include control parameters, the first CPE may, before encrypting the first payload, use the control parameters together with the first destination address to decide whether encryption is required. For example, if the control parameters state that messages passing through the first CPE to the public network need not be encrypted while messages passing through the first CPE to the second branch network must be encrypted, then the first CPE can determine from the first destination address that the first message is to be transmitted to the second branch network and conclude that encryption is required; only then does the first CPE encrypt the first payload.
2. Encapsulation processing
Since the transmission across the public network during delivery of the first message is performed by the first VR, the first CPE can use a relatively simple transmission mode for message encapsulation, so that the encapsulated message comprises the first source address, the first destination address, the first encapsulation header and the first encrypted payload. The first encapsulation header is computed from the first payload; as an example, it may take the form of an Authentication Header (AH) or an Encapsulating Security Payload (ESP) header. The specific process of computing an AH header or ESP header from the first payload may likewise follow existing implementations; it is not described in detail here and is not specifically limited by the embodiments of the present invention.
After completing these two processing actions, the first CPE can send the encapsulated message to the first VR. After further processing by the first VR it is transmitted across the public network to the second VR, which in turn forwards it to the second CPE, completing message transmission from the first branch network to the second branch network. The first payload can be recovered from a message encapsulated according to this scheme only by someone who knows the encapsulation scheme and encryption scheme used by the first CPE, which improves the security of communication between the first CPE and the first VR.
It should be noted that when the second branch network is the sender and the first branch network is the receiver, the second CPE in the second branch network can likewise encrypt and encapsulate messages sent to the first branch network following the process described above. Furthermore, the first branch network and the second branch network may belong to the same enterprise network or to different enterprise networks, which the embodiments of the present invention do not specifically limit.
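As an added example (not code from the patent or from any implementation of it), the following Go program models the CPE send path of steps 101 to 104 and the two kinds of processing above, the matching CPE receive path of the second possible implementation of the first aspect, and the first VR's outer tunnel layer from the second aspect. Its assumptions, none of which the patent fixes: AES-128-GCM as the specified encryption algorithm, an ESP-style first encapsulation header made of an SPI, a sequence number and a nonce, a 4-byte GRE-style key as the VR tunnel header, IPv4 addresses only, and a constructed sample key. It goes slightly beyond the text in showing the checks a receiving CPE performs before trusting a message: the addresses and header are covered by the authentication tag, a repeated sequence number is rejected as a replay, and a message with an unknown SPI or a failing tag is dropped.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// VPNParams is the "VPN negotiation parameters" both CPEs store (AES-128-GCM and the SPI are assumptions).
type VPNParams struct {
	Algorithm string
	SharedKey []byte // 16 bytes for AES-128
	SPI       uint32 // identifies the CPE1<->CPE2 association
}

// Packet is the inner message: first source address, first destination address, first payload.
type Packet struct {
	Src, Dst [4]byte // IPv4 only, so the wire layout is fixed
	Payload  []byte
}
// Wire layout after CPE processing: src(4) | dst(4) | SPI(4) | seq(4) | nonce(12) | ciphertext+tag.
const frontLen = 4 + 4 + 4 + 4 + 12

func newAEAD(p VPNParams) (cipher.AEAD, error) {
	if p.Algorithm != "aes-128-gcm" {
		return nil, fmt.Errorf("algorithm %q not supported by this CPE", p.Algorithm)
	}
	block, err := aes.NewCipher(p.SharedKey)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// CPEEncapsulate performs steps 102 and 103; addresses and header are authenticated as associated data.
func CPEEncapsulate(p VPNParams, seq uint32, pkt Packet) ([]byte, error) {
	aead, err := newAEAD(p)
	if err != nil {
		return nil, err
	}
	front := make([]byte, frontLen)
	copy(front[0:4], pkt.Src[:])
	copy(front[4:8], pkt.Dst[:])
	binary.BigEndian.PutUint32(front[8:12], p.SPI)
	binary.BigEndian.PutUint32(front[12:16], seq)
	if _, err := rand.Read(front[16:]); err != nil { // fresh nonce for every packet
		return nil, err
	}
	return aead.Seal(append([]byte(nil), front...), front[16:], pkt.Payload, front), nil
}

// CPEDecapsulate is the receive side: decapsulate, verify, decrypt. minSeq is the highest sequence
// number already accepted; anything at or below it is a replay (production code keeps a sliding window).
func CPEDecapsulate(p VPNParams, minSeq uint32, data []byte) (Packet, uint32, error) {
	aead, err := newAEAD(p)
	if err != nil {
		return Packet{}, minSeq, err
	}
	if len(data) < frontLen+aead.Overhead() || binary.BigEndian.Uint32(data[8:12]) != p.SPI {
		return Packet{}, minSeq, fmt.Errorf("malformed packet or unknown SPI")
	}
	seq := binary.BigEndian.Uint32(data[12:16])
	if seq <= minSeq {
		return Packet{}, minSeq, fmt.Errorf("replayed sequence number %d", seq)
	}
	payload, err := aead.Open(nil, data[16:frontLen], data[frontLen:], data[:frontLen])
	if err != nil {
		return Packet{}, minSeq, fmt.Errorf("integrity check failed, packet dropped")
	}
	pkt := Packet{Payload: payload}
	copy(pkt.Src[:], data[0:4])
	copy(pkt.Dst[:], data[4:8])
	return pkt, seq, nil
}

// VREncapsulate and VRDecapsulate are the first VR's outer layer, {public src, public dst,
// 4-byte GRE-style tunnel key (assumed)} around the inner packet; the VR never needs the shared key.
func VREncapsulate(pubSrc, pubDst [4]byte, tunnelKey uint32, inner []byte) []byte {
	out := append(append(pubSrc[:], pubDst[:]...), 0, 0, 0, 0)
	binary.BigEndian.PutUint32(out[8:12], tunnelKey)
	return append(out, inner...)
}
func VRDecapsulate(tunnelKey uint32, outer []byte) ([]byte, error) {
	if len(outer) < 12 || binary.BigEndian.Uint32(outer[8:12]) != tunnelKey {
		return nil, fmt.Errorf("not a packet for this tunnel")
	}
	return outer[12:], nil
}

func main() {
	params := VPNParams{Algorithm: "aes-128-gcm", SharedKey: []byte("0123456789abcdef"), SPI: 0x1001} // constructed key
	inner, _ := CPEEncapsulate(params, 1, Packet{Src: [4]byte{10, 1, 0, 5}, Dst: [4]byte{10, 2, 0, 9}, Payload: []byte("hello branch 2")})
	fromVR, _ := VRDecapsulate(42, VREncapsulate([4]byte{203, 0, 113, 1}, [4]byte{198, 51, 100, 7}, 42, inner))
	got, seq, err := CPEDecapsulate(params, 0, fromVR)
	fmt.Printf("seq=%d err=%v payload=%q\n", seq, err, got.Payload)
}
```

The property the scheme relies on is visible in the VR functions: they only add and strip public addresses and a tunnel key, so nothing on the CPE-VR link or in the VR itself can recover the first payload without the CPEs' shared key. One caveat of the assumed AES-GCM choice: with a random 12-byte nonce per message, a shared key must not be used for more than about 2^32 messages, so a deployment would rotate the key or derive the nonce from the sequence number.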
Optionally, this embodiment of the present invention provides a preferred scheme for establishing a VPN tunnel between the first CPE and the second CPE. Referring to FIG. 3, it may include:
Step 201: the first CPE communicates with the first VR and sends the encryption algorithms supported by the first CPE to the first VR; likewise, the second CPE may communicate with the second VR and send the encryption algorithms supported by the second CPE to the second VR.
Step 202: the first VR and the second VR perform VPN negotiation and obtain VPN negotiation parameters. Specifically, the VPN negotiation parameters may include: a designated encryption algorithm, a shared key, control parameters, and so on.
The designated encryption algorithm is selected from the encryption algorithms supported by both the first CPE and the second CPE and is mainly used to encrypt and decrypt the packets transmitted in the tunnel. The shared key is computed independently by the first VR and the second VR and is used together with the designated encryption algorithm to encrypt and decrypt the packets transmitted in the tunnel; it should be noted that the shared keys computed by the first VR and the second VR must be consistent. The control parameters are used to determine whether a packet transmitted through the CPE needs to be encrypted. For example, the control parameters may specify that packets the CPE forwards to the public network need not be encrypted, while packets the CPE forwards to the tunnel peer must be encrypted.
As an example, the VPN negotiation between the first VR and the second VR may be performed using the Internet Key Exchange (IKE) protocol to obtain the VPN negotiation parameters; this embodiment of the present invention does not specifically limit the negotiation protocol.
Step 203: the first VR sends the VPN negotiation parameters to the first CPE; likewise, the second VR may send the VPN negotiation parameters to the second CPE. In this way, the first CPE and the second CPE can establish a VPN tunnel using the same VPN negotiation parameters.
Step 204: considering that communication between the first CPE and the second CPE requires packet transmission across the public network, a VPN public network tunnel may additionally be established between the first VR and the second VR in order to hide the private network addresses used for communication between the branch networks. Specifically, the VPN public network tunnel may be a Generic Routing Encapsulation (GRE) tunnel, a Multi-Protocol Label Switching (MPLS) tunnel, an Internet Protocol Security (IPSec) tunnel, and so on; this embodiment of the present invention does not specifically limit the type of the VPN public network tunnel. It should be noted that the step of establishing the VPN public network tunnel may be performed after step 203, as in the example shown in FIG. 3, or immediately after the VPN negotiation parameters are obtained in step 202, or at any point before packet transmission between the first CPE and the second CPE; this embodiment does not specifically limit this either.
After the above steps, the first CPE and the second CPE hold the same VPN negotiation parameters, on the basis of which they can establish a VPN tunnel, making secure packet transmission between branch network 1 and branch network 2 possible.
It should be noted that, as a preferred scheme shown in FIG. 3, a step 200 may be included before step 201, in which the first CPE generates a public/private key pair using a public-key cryptographic algorithm and sends public key 1 of the pair to the first VR; likewise, the second CPE may generate a public/private key pair and send public key 2 to the second VR. Correspondingly, a step 205 may be included before step 203, in which the first VR encrypts the VPN negotiation parameters with public key 1; likewise, the second VR may encrypt the VPN negotiation parameters with public key 2. In this case, what the first VR sends to the first CPE in step 203 is the encrypted VPN negotiation parameters, and what the second VR sends to the second CPE is likewise the encrypted VPN negotiation parameters. The first CPE then decrypts with private key 1, which corresponds to public key 1, to obtain the VPN negotiation parameters, and the second CPE decrypts with private key 2, which corresponds to public key 2, to obtain the VPN negotiation parameters, which improves the security of the negotiation parameters in transit.
In addition, it should be noted that when packets are transmitted based on the preferred scheme shown in FIG. 3, the VPN negotiation parameters are sent from the first VR to the first CPE; that is, the first CPE does not need VPN negotiation capability and only needs the ability to encrypt and encapsulate. Separating negotiation from encryption and encapsulation in this way both simplifies CPE design and avoids the maintenance difficulty and high cost that replacing or upgrading the negotiation protocol would otherwise impose on the CPE. Moreover, establishing the VPN tunnel between the first CPE and the second CPE through a single negotiation between the first VR and the second VR also effectively reduces the resources consumed on the first VR, the second VR, the first CPE, and the second CPE during tunnel establishment.
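The negotiation of steps 201 to 203, written out as an added Python example; this is not code from the patent or from any implementation of it. It assumes a hypothetical VR-side preference list for choosing the designated algorithm, an HKDF-style key derivation, and a constructed 127-bit Diffie-Hellman group that is unsafe for real use (an IKE implementation would use, for example, an RFC 3526 MODP group). The public-key wrapping of steps 200 and 205 is left out because the Python standard library has no asymmetric primitives; note that step 200 is only as strong as the VR's assurance that public key 1 really belongs to the first CPE, and the patent does not say how that binding is established. Two checks the patent text does not spell out but any VR should perform are included: rejecting degenerate peer public values, and confirming key agreement with a MAC tag before distributing the parameters, so that inconsistent keys are never pushed to the CPEs.

```python
"""Added example: VR1/VR2 negotiation feeding a CPE pair (steps 201-203).

Toy reconstruction, not the patent's or any vendor's code. The DH group is a
constructed toy (assumption) and offers no security; use a real IKE group.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

P = (1 << 127) - 1   # constructed toy prime (assumption), far too small for real use
G = 5                # constructed toy generator (assumption)

# VR-side preference order (assumption): strongest acceptable algorithm first,
# so the choice is not dictated by whichever CPE lists a weak algorithm first.
VR_PREFERENCE = ["aes-256-gcm", "aes-128-gcm", "aes-256-cbc", "aes-128-cbc"]


@dataclass(frozen=True)
class VpnParams:
    """What step 203 delivers to each CPE."""
    algorithm: str
    shared_key: bytes
    # control parameters (step 202): prefixes behind the tunnel peer whose
    # traffic must be encrypted; anything else leaves the CPE in the clear.
    encrypt_prefixes: tuple


def select_algorithm(cpe1_algs, cpe2_algs, preference=VR_PREFERENCE):
    """Step 202: designated algorithm = best entry of the intersection."""
    common = set(cpe1_algs) & set(cpe2_algs)
    for alg in preference:
        if alg in common:
            return alg
    raise ValueError("CPEs share no acceptable encryption algorithm")


class VirtualRouter:
    def __init__(self, name, exponent=None):
        self.name = name
        # private DH exponent; injectable so tests are deterministic
        self._x = exponent if exponent is not None else secrets.randbelow(P - 2) + 2
        self.public = pow(G, self._x, P)

    def derive_key(self, peer_public, algorithm, salt):
        # Degenerate peer values (0, 1, p-1) collapse the secret; refuse them.
        if not 1 < peer_public < P - 1:
            raise ValueError("invalid DH public value from peer")
        secret = pow(peer_public, self._x, P).to_bytes(16, "big")
        # HKDF-style extract-then-expand, bound to the chosen algorithm.
        prk = hmac.new(salt, secret, hashlib.sha256).digest()
        info = b"cpe-tunnel|" + algorithm.encode()
        return hmac.new(prk, info + b"\x01", hashlib.sha256).digest()

    def confirm_tag(self, key):
        # Key confirmation value; in IKE this is what crosses the wire, not the key.
        return hmac.new(key, b"confirm|" + self.name.encode(), hashlib.sha256).digest()


def negotiate(vr1, vr2, cpe1_algs, cpe2_algs, encrypt_prefixes,
              salt=b"constructed-nonce-pair"):
    """Steps 201-203 end to end: returns (params for CPE1, params for CPE2)."""
    alg = select_algorithm(cpe1_algs, cpe2_algs)
    k1 = vr1.derive_key(vr2.public, alg, salt)
    k2 = vr2.derive_key(vr1.public, alg, salt)
    # The patent's consistency requirement: each VR checks the other's tag
    # against its own key before anything is pushed down to a CPE.
    if not hmac.compare_digest(vr2.confirm_tag(k1), vr2.confirm_tag(k2)):
        raise RuntimeError("VR1 and VR2 derived different shared keys")
    prefixes = tuple(encrypt_prefixes)
    return VpnParams(alg, k1, prefixes), VpnParams(alg, k2, prefixes)


if __name__ == "__main__":
    a, b = negotiate(VirtualRouter("VR1"), VirtualRouter("VR2"),
                     ["aes-128-cbc", "aes-256-gcm"], ["aes-256-gcm", "3des-cbc"],
                     ["10.2.0.0/16"])
    print(a.algorithm, a.shared_key == b.shared_key)
```

The CPEs never see the exponents or the peer's public value; they receive only the finished `VpnParams`, which is the separation of negotiation from encryption that the text describes.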
The example shown in FIG. 2 above describes the packet transmission scheme of the first CPE when the first branch network is the sender. The packet transmission scheme of the first CPE when the first branch network is the receiver is explained below with reference to FIG. 4, which shows a flowchart of Embodiment 2 of the CPE-side packet transmission method of the embodiment of the present invention and may include the following steps:
Step 301: the first CPE receives a second packet sent by the first virtual router, the second packet including: a second source address, a second destination address, a second encapsulation header, and a second encrypted payload.
Step 302: the first CPE performs decapsulation processing to obtain a decapsulated packet, the decapsulated packet including: the second source address, the second destination address, and the second encrypted payload.
Step 303: the first CPE decrypts the decapsulated packet to obtain a decrypted packet, the decrypted packet including: the second source address, the second destination address, and a payload.
Step 304: the first CPE sends the decrypted packet to the device corresponding to the second destination address.
When the first branch network is the receiver, the first CPE can receive the second packet sent by the first VR and process it using the scheme provided by this embodiment, improving the communication security between the first VR and the first CPE. Specifically, the first CPE may perform the following two kinds of processing on the second packet:
1. Decapsulation processing
After receiving the second packet, the first CPE may first decapsulate it to obtain the second encrypted payload, and then decrypt the second encrypted payload to recover the second payload sent by the second branch network.
The decapsulation process of the first CPE may follow existing implementations and is not described in detail here, nor is it specifically limited in this embodiment. It should be noted that the second packet before decapsulation may include: the second source address, the second destination address, the second encapsulation header, and the second encrypted payload; the second packet after decapsulation may include: the second source address, the second destination address, and the second encrypted payload. The second source address is the address of a device in the second branch network and the second destination address is the address of a device in the first branch network; which devices the second source address and the second destination address identify depends on the specific application scenario. For example, the second packet may be the response to the first packet in the example shown in FIG. 2, in which case the second source address is the address of the second device described above and the second destination address is the address of the first device.
2. Decryption processing
Because the second encrypted payload was produced by the second CPE using its pre-stored VPN negotiation parameters, and the first CPE and the second CPE hold the same VPN negotiation parameters, the first CPE can decrypt the second encrypted payload to obtain the second payload.
After the above two processing actions are completed, the first CPE can send the recovered second payload to the device identified by the second destination address, achieving packet transmission from the second branch network to the first branch network. Moreover, under the scheme of this embodiment, even when the first VR broadcasts downstream packets, the CPEs of other branch networks do not know the VPN negotiation parameters used by the second CPE and therefore cannot correctly decrypt and recover the second payload, which improves the communication security between the first VR and the first CPE.
It should be noted that the above takes the second branch network as the sender only as an example to describe the packet processing of the first CPE. Beyond this, the second packet in this example may also be sent to the first branch network by another branch network; that is, the first CPE also establishes VPN tunnels with the CPEs of other branch networks, for example a VPN tunnel with a third CPE in a third branch network. In that scenario, the second packet in this example is sent from the third CPE to the first CPE, the second source address is the address of a device in the third branch network, and the first CPE decrypts using the VPN negotiation parameters it shares with the third CPE; the specific process is as described above and is not repeated here.
The processing performed by the CPE during packet transmission has been explained above with reference to the schematic diagrams of FIGS. 2 and 4. The processing performed by the VR is explained below from the VR's perspective.
Referring to FIG. 5, which shows a flowchart of Embodiment 1 of the VR-side packet transmission method of the embodiment of the present invention, the method may include the following steps:
Step 401: the first virtual router receives a first packet sent by a first customer premises equipment (CPE), the first packet including: a first source address, a first destination address, a first encapsulation header, and a first encrypted payload.
Step 402: the first virtual router looks up the second virtual router corresponding to the first destination address, a first virtual private network (VPN) tunnel having been established between the first virtual router and the second virtual router.
Step 403: the first virtual router encapsulates the first packet to obtain an encapsulated packet, the encapsulated packet including: the public network address of the first virtual router, the public network address of the second virtual router, the encapsulation header of the first VPN tunnel, the first source address, the first destination address, the first encapsulation header, and the first encrypted payload.
Step 404: the first virtual router sends the encapsulated packet to the second virtual router.
In addition to what is described with reference to FIG. 3 above, namely that the first VR may receive the encryption algorithms supported by the first CPE and negotiate with the second VR to obtain the VPN negotiation parameters, the first VR may also perform the following two processing actions after receiving the first packet sent by the first CPE (in the example shown in FIG. 2, the first packet here is the encapsulated packet of step 104):
1. Looking up the second VR
To hide the private network addresses of the enterprise network from the public network, a first VPN tunnel may be established between the first VR and the second VR. Considering that the first VR may have established different tunnels with different VRs, after receiving the first packet sent by the first CPE, the first VR may first look up the second VR according to the first destination address to determine the forwarding target, and then, after encapsulation, transmit the encapsulated packet to the second VR through the first VPN tunnel.
2. Encapsulation processing
When packets are transmitted across the public network, the first VR may be regarded as the source node and the second VR as the destination node of the public network transmission, so the encapsulated packet may include the public network address of the first VR and the public network address of the second VR. As an example, the public network address may be the IP address of the VR.
In addition, as described with reference to FIG. 3 above, the first VPN tunnel may be a GRE tunnel, an MPLS tunnel, an IPSec tunnel, or another type; the encapsulation header of the first VPN tunnel produced by the first VR differs accordingly and may be a GRE header, an MPLS label header, an IPSec header, and so on. The specific encapsulation process may follow existing implementations and is not described in detail here, nor is it specifically limited in this embodiment. As a preferred scheme, a GRE tunnel may be established between the first VR and the second VR in order to reduce the resources the encapsulation consumes on the first VR.
It should be noted that in a specific implementation, the first VR may first look up the second VR and then perform the encapsulation, as in the scheme shown in FIG. 5, or it may first perform the encapsulation and then look up the second VR, or it may perform both actions at the same time; this embodiment does not specifically limit this.
In addition, it should be noted that in the scenario where the second branch network is the sender and the first branch network is the receiver, the second VR communicating with the second branch network may likewise encapsulate packets destined for the first branch network following the process described above.
The example shown in FIG. 5 above describes the packet transmission scheme of the first VR when the first branch network is the sender. The packet transmission scheme of the first VR when the first branch network is the receiver is explained below with reference to FIG. 6, which shows a flowchart of Embodiment 2 of the VR-side packet transmission method of the embodiment of the present invention and may include the following steps:
Step 501: the first virtual router receives a second packet sent by a third virtual router, a second VPN tunnel having been established between the first virtual router and the third virtual router, the second packet including: the public network address of the third virtual router, the public network address of the first virtual router, the encapsulation header of the second VPN tunnel, a second source address, a second destination address, a second encapsulation header, and a second encrypted payload.
Step 502: the first virtual router performs decapsulation processing to obtain a decapsulated packet, the decapsulated packet including: the second source address, the second destination address, the second encapsulation header, and the second encrypted payload.
Step 503: the first virtual router sends the decapsulated packet to the first CPE.
When the first branch network is the receiver, the first VR can receive the second packet sent by the third VR and decapsulate it using the scheme provided by this embodiment, removing the public network addresses and the encapsulation header used for transmission across the public network and restoring the private network addresses of the enterprise network. After the first VR sends the decapsulated packet to the first CPE, the first CPE can forward the packet to the corresponding device according to the second destination address. In this example, secure transmission of packets between the third VR and the first VR is achieved on the basis of the second VPN tunnel, and the private network addresses of the enterprise network are not exposed as routing addresses on the public network during transmission, which improves the communication security between the third VR and the first VR.
It should be noted that the third VR differs in different application scenarios, as illustrated below. For example, the third VR may be the second VR in the example shown in FIG. 5, in which case the second VPN tunnel is the first VPN tunnel in the example of FIG. 5 and the second source address is the address of a device in the second branch network. Alternatively, the third VR may be a VR other than the first VR and the second VR in the example of FIG. 5; that is, the first VR also has tunnels established with other VRs, in which case the second VPN tunnel is the tunnel between the first VR and that other VR and the second source address is the address of a device in the branch network communicating with that other VR. In addition, it should be noted that in step 502 the first VR may decapsulate the second packet according to the type of tunnel it has established with the second VR or with the other VR.
The processing in the embodiment of the present invention is explained below by taking packet transmission from the first branch network to the second branch network as an example, with reference to the schematic diagram shown in FIG. 7.
1. After the IPSec VPN tunnel between CPE1 and CPE2 is established according to the scheme shown in FIG. 3, when terminal PC1 in branch network 1 needs to transmit a packet to PC2 in branch network 2, PC1 may first send the packet to CPE1 in branch network 1, and CPE1 processes the packet to improve its transmission security. At this point the packet may include: a source IP address (the IP address of PC1), a destination IP address (the IP address of PC2), and a payload.
2. After receiving the packet sent by PC1, CPE1 determines that the packet is to be transmitted across the public network to PC2. It therefore encrypts the payload using the designated encryption algorithm and shared key previously sent by VR1, re-encapsulates the packet in transport mode, and sends the encrypted and encapsulated packet to VR1. At this point the packet may include: the source IP address, the destination IP address, an IPSec header, and the encrypted payload.
3. After receiving the packet sent by CPE1, VR1 determines that the packet is to be transmitted across the public network to PC2. It therefore looks up VR2, which communicates with the second branch network, and determines the type of tunnel between VR1 and VR2; if the tunnel is a GRE tunnel, VR1 GRE-encapsulates the packet and sends the encapsulated packet to VR2. At this point the packet may include: the IP address of VR1 (the source address of the public network transmission), the IP address of VR2 (the destination address of the public network transmission), a GRE header, the source IP address, the destination IP address, the IPSec header, and the encrypted payload.
4. After receiving the packet sent by VR1, VR2 decapsulates it according to the type of tunnel established between them, stripping the public network transmission addresses and the GRE header and restoring the private network transmission addresses, and sends the decapsulated packet to CPE2. At this point the packet may include: the source IP address, the destination IP address, the IPSec header, and the encrypted payload.
5. After receiving the packet sent by VR2, CPE2 decapsulates it, stripping the IPSec header, decrypts the encrypted payload using the designated encryption algorithm and shared key previously sent by VR2, recovers the original packet, and sends it to PC2. At this point the packet may include: the source IP address, the destination IP address, and the payload.
This scheme takes VPN negotiation between VR1 and VR2 to establish the VPN tunnel between CPE1 and CPE2 as its technical basis, improving the communication security between branch network 1 and branch network 2. CPE1 and CPE2 store the same VPN negotiation parameters, sent by VR1 and VR2 respectively, without needing to take part in the VPN negotiation, which simplifies CPE design. During packet transmission, CPE1 encrypts and encapsulates the packet using the VPN negotiation parameters before transmitting it to VR1, improving the communication security between CPE1 and VR1; between VR1 and VR2, GRE encapsulation hides the private network transmission addresses from public network routing and the packet is carried over the GRE tunnel, improving the communication security between VR1 and VR2; the packet VR2 transmits to CPE2 has been processed by CPE1, and only CPE2 can parse the payload from it using the same VPN negotiation parameters, improving the communication security between VR2 and CPE2.
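The five hops of FIG. 7 carried through in bytes, as an added Python example that is not the patent's code or any vendor's. Header layouts are simplified stand-ins (assumption): a 9-byte "IP" header of source, destination and protocol, a 4-byte GRE header, and an ESP-style header of SPI and sequence number with the next-header byte carried inside the ciphertext as ESP does. The negotiated cipher is a constructed HMAC-SHA256 keystream with an encrypt-then-MAC tag standing in for a real AEAD such as AES-GCM, and the shared key and SPI are constructed values standing in for what VR1 and VR2 would push down in step 203. CPE1 applies the control parameters by destination prefix, VR1 selects VR2 by longest-prefix match on the destination (the step 402 lookup), and CPE2 verifies the tag and rejects replayed sequence numbers before decrypting; the patent text does not spell out those two receiver checks, but ESP performs them and a CPE should too. One caveat the example makes visible: GRE adds no confidentiality, so the inner private-addressed header is readable on the public network while the payload is not. The scheme's confidentiality rests entirely on the CPE's encryption.

```python
"""Added example (not the patent's code): FIG. 7 flow PC1 -> CPE1 -> VR1 -> VR2 -> CPE2 -> PC2.

Header formats are simplified stand-ins (assumption); the cipher is a constructed
HMAC-SHA256 CTR keystream plus encrypt-then-MAC tag, not the negotiated AEAD.
"""
import hashlib
import hmac
import ipaddress
import struct

PROTO_ESP, PROTO_GRE, PROTO_DATA = 50, 47, 17
GRE_IPV4 = 0x0800


def ip_hdr(src, dst, proto):  # 9-byte stand-in for an IP header (assumption)
    return ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + bytes([proto])


def parse_ip(pkt):
    return (str(ipaddress.ip_address(pkt[:4])), str(ipaddress.ip_address(pkt[4:8])),
            pkt[8], pkt[9:])


def _keystream(key, spi, seq, length):
    blocks = [hmac.new(key, struct.pack(">IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Cpe:
    """Holds the VPN negotiation parameters its VR pushed down (step 203)."""
    def __init__(self, params):
        self.enc_key = hmac.new(params["key"], b"enc", hashlib.sha256).digest()
        self.mac_key = hmac.new(params["key"], b"mac", hashlib.sha256).digest()
        self.spi = params["spi"]
        self.encrypt_for = [ipaddress.ip_network(p) for p in params["encrypt_prefixes"]]
        self.seq_out, self.seq_seen = 0, 0

    def needs_encryption(self, dst):  # control parameters: only tunnel-peer traffic
        return any(ipaddress.ip_address(dst) in n for n in self.encrypt_for)

    def outbound(self, pkt):
        src, dst, proto, payload = parse_ip(pkt)
        if not self.needs_encryption(dst):
            return pkt                      # public-network traffic goes out in the clear
        self.seq_out += 1
        esp = struct.pack(">II", self.spi, self.seq_out)
        plain = payload + bytes([proto])    # next-header byte travels encrypted, as in ESP
        ct = _xor(plain, _keystream(self.enc_key, self.spi, self.seq_out, len(plain)))
        tag = hmac.new(self.mac_key, esp + ct, hashlib.sha256).digest()[:16]
        return ip_hdr(src, dst, PROTO_ESP) + esp + ct + tag   # transport mode: PC addresses kept

    def inbound(self, pkt):
        src, dst, proto, body = parse_ip(pkt)
        if proto != PROTO_ESP:
            return pkt
        spi, seq = struct.unpack(">II", body[:8])
        ct, tag = body[8:-16], body[-16:]
        expect = hmac.new(self.mac_key, body[:8] + ct, hashlib.sha256).digest()[:16]
        if spi != self.spi or not hmac.compare_digest(tag, expect):
            raise ValueError("ESP integrity check failed")   # verify before decrypt
        if seq <= self.seq_seen:
            raise ValueError("replayed ESP sequence number")
        self.seq_seen = seq
        plain = _xor(ct, _keystream(self.enc_key, spi, seq, len(ct)))
        return ip_hdr(src, dst, plain[-1]) + plain[:-1]


class VirtualRouter:
    def __init__(self, public_ip, routes):
        self.public_ip = public_ip
        # step 402 table (assumption): remote branch prefix -> peer VR public address
        self.routes = [(ipaddress.ip_network(p), vr) for p, vr in routes.items()]

    def peer_for(self, dst):
        addr = ipaddress.ip_address(dst)
        hits = [(n, vr) for n, vr in self.routes if addr in n]
        if not hits:
            raise LookupError("no tunnel peer for " + dst)
        return max(hits, key=lambda h: h[0].prefixlen)[1]     # longest prefix match

    def to_public(self, pkt):                                  # step 403: GRE encapsulation
        peer = self.peer_for(parse_ip(pkt)[1])
        return ip_hdr(self.public_ip, peer, PROTO_GRE) + struct.pack(">HH", 0, GRE_IPV4) + pkt

    def from_public(self, pkt):                                # step 502: GRE decapsulation
        _, dst, proto, body = parse_ip(pkt)
        if dst != self.public_ip or proto != PROTO_GRE or struct.unpack(">HH", body[:4]) != (0, GRE_IPV4):
            raise ValueError("not a GRE packet for this VR")
        return body[4:]                                        # inner packet, ESP still intact


def branch1_to_branch2(payload=b"hello PC2"):
    """Runs the five hops; returns (packet as seen on the public network, packet delivered to PC2)."""
    params = {"key": b"constructed-key-from-VR-negotiation", "spi": 0x1001,
              "encrypt_prefixes": ["10.2.0.0/16"]}             # constructed step-203 parameters
    cpe1, cpe2 = Cpe(params), Cpe(params)
    vr1 = VirtualRouter("203.0.113.1", {"10.2.0.0/16": "198.51.100.2"})
    vr2 = VirtualRouter("198.51.100.2", {"10.1.0.0/16": "203.0.113.1"})
    p = ip_hdr("10.1.0.10", "10.2.0.20", PROTO_DATA) + payload   # 1. PC1
    p = cpe1.outbound(p)                                          # 2. CPE1 encrypts + ESP header
    wire = vr1.to_public(p)                                       # 3. VR1 looks up VR2, GRE
    p = vr2.from_public(wire)                                     # 4. VR2 strips GRE
    return wire, cpe2.inbound(p)                                  # 5. CPE2 verifies, decrypts


if __name__ == "__main__":
    wire, delivered = branch1_to_branch2()
    print(parse_ip(wire)[:3], parse_ip(delivered))
```

Running it shows the on-wire packet addressed VR1 to VR2 with protocol 47, the private addresses 10.1.0.10 and 10.2.0.20 still present inside it, and the payload absent; PC2 receives exactly the packet PC1 sent.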
Corresponding to the method shown in FIG. 2, the embodiment of the present invention also provides a CPE-side packet transmission apparatus. Referring to the schematic diagram of apparatus Embodiment 1 shown in FIG. 8, the apparatus may include:
a first receiving unit 601, configured to receive a first packet sent by a first device, the first packet including: a first source address, a first destination address, and a first payload; the first source address being the address of the first device and the first destination address being the address of a second device; the first device communicating with a first customer premises equipment (CPE), the first CPE and the first device being located in a first branch network; the second device communicating with a second CPE, the second device and the second CPE being located in a second branch network; the first CPE and the second CPE holding the same virtual private network (VPN) negotiation parameters, the VPN negotiation parameters including: a designated encryption algorithm and a shared key;
an encryption processing unit 602, configured to encrypt the first payload using the designated encryption algorithm and the shared key to obtain a first encrypted payload;
an encapsulation processing unit 603, configured to perform encapsulation processing to obtain an encapsulated packet, the encapsulated packet including: the first source address, the first destination address, a first encapsulation header, and the first encrypted payload;
a first sending unit 604, configured to send the encapsulated packet to a first virtual router.
Optionally, the apparatus further includes:
a second sending unit, configured to send the encryption algorithms supported by the first CPE to the first virtual router;
a second receiving unit, configured to receive the VPN negotiation parameters sent by the first virtual router, the VPN negotiation parameters being obtained through negotiation between the first virtual router and a second virtual router, the second virtual router communicating with the second CPE and being able to obtain the encryption algorithms supported by the second CPE, and the designated encryption algorithm being selected from the encryption algorithms supported by both the first CPE and the second CPE.
Corresponding to the method shown in FIG. 4, the embodiment of the present invention also provides a schematic diagram of Embodiment 2 of the CPE-side packet transmission apparatus. Referring to FIG. 9, the apparatus may further include:
a third receiving unit 701, configured to receive a second packet sent by the first virtual router, the second packet including: a second source address, a second destination address, a second encapsulation header, and a second encrypted payload;
a decapsulation processing unit 702, configured to perform decapsulation processing to obtain a decapsulated packet, the decapsulated packet including: the second source address, the second destination address, and the second encrypted payload;
a decryption processing unit 703, configured to decrypt the decapsulated packet to obtain a decrypted packet, the decrypted packet including: the second source address, the second destination address, and a payload;
a third sending unit 704, configured to send the decrypted packet to the device corresponding to the second destination address.
It should be noted that the packet transmission apparatus provided in this apparatus embodiment may be integrated in a CPE and may apply the method embodiments shown in FIGS. 2 and 4 above to implement the functions of the first CPE; for the specific process, refer to the description of the method embodiments, which is not repeated here.
In addition, when the apparatuses shown in FIGS. 8 and 9 transmit packets, the division into the above functional modules is given only as an example; in practical applications, the above functions may be allocated to different functional modules as needed, that is, the internal structure of the apparatus may be divided into different functional modules to complete all or part of the functions described above.
Corresponding to the method shown in FIG. 5, an embodiment of the present invention also provides Embodiment 1 of the VR-side message transmission device. Referring to the schematic diagram shown in FIG. 10, the device may further include:
a first receiving unit 801, configured to receive a first message sent by a first customer premises equipment (CPE), the first message including: a first source address, a first destination address, a first encapsulation header and a first encrypted payload;
a lookup unit 802, configured to look up the second virtual router corresponding to the first destination address, a first virtual private network (VPN) tunnel being established between the first virtual router and the second virtual router;
an encapsulation processing unit 803, configured to encapsulate the first message to obtain an encapsulated message, the encapsulated message including: the public network address of the first virtual router, the public network address of the second virtual router, the encapsulation header of the first VPN tunnel, the first source address, the first destination address, the first encapsulation header and the first encrypted payload;
a first sending unit 804, configured to send the encapsulated message to the second virtual router.
Corresponding to the method shown in FIG. 6, an embodiment of the present invention also provides Embodiment 2 of the VR-side message transmission device. Referring to the schematic diagram shown in FIG. 11, the device may further include:
a second receiving unit 901, configured to receive a second message sent by a third virtual router, a second VPN tunnel being established between the first virtual router and the third virtual router, the second message including: the public network address of the third virtual router, the public network address of the first virtual router, the encapsulation header of the second VPN tunnel, a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
a decapsulation processing unit 902, configured to perform decapsulation processing to obtain a decapsulated message, the decapsulated message including: the second source address, the second destination address, the second encapsulation header and the second encrypted payload;
a second sending unit 903, configured to send the decapsulated message to the first CPE.
It should be noted that the message transmission device provided in this device embodiment may be integrated into a VR and, applying the method embodiments shown in FIGS. 5 and 6 above, implement the functions of the first VR described there; for the specific process, refer to the description of the method embodiments, which is not repeated here.
Similarly, when the devices shown in FIGS. 10 and 11 transmit messages, the division into the functional modules above is given only as an example. In practice, the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above.
An embodiment of the present invention further provides a message transmission apparatus. Referring to the schematic diagram shown in FIG. 12, the message transmission apparatus may include: a processor 1001, a memory 1002, a network interface 1003 and a bus system 1004.
The bus system 1004 is configured to couple the hardware components of the message transmission apparatus together.
The network interface 1003 is configured to provide a communication connection between the message transmission apparatus and at least one other network element, and may use the Internet, a wide area network, a local area network, a metropolitan area network or the like.
The memory 1002 is configured to store program instructions and data.
The processor 1001 is configured to read the instructions and data stored in the memory 1002 and perform the corresponding operations.
Specifically, when the message transmission apparatus shown in FIG. 12 is embodied as the first CPE in the examples shown in FIGS. 2 and 4, the processor may perform the following operations according to the instructions and data stored in the memory:
the processor receives, through the network interface, a first message sent by a first device, the first message including: a first source address, a first destination address and a first payload; the first source address is the address of the first device, the first destination address is the address of a second device, the first CPE and the first device are located in a first branch network, the second device communicates with a second CPE, the second device and the second CPE are located in a second branch network, and the first CPE and the second CPE store the same virtual private network (VPN) negotiation parameters, the VPN negotiation parameters including: a designated encryption algorithm and a shared key;
the processor encrypts the first payload using the designated encryption algorithm and the shared key to obtain a first encrypted payload;
the processor performs encapsulation processing to obtain an encapsulated message, the encapsulated message including: the first source address, the first destination address, a first encapsulation header and the first encrypted payload;
the processor sends the encapsulated message to a first virtual router through the network interface.
Optionally, the processor may obtain the VPN negotiation parameters by performing the following operations:
the processor sends, through the network interface, the encryption algorithms supported by the first CPE to the first virtual router;
the processor receives, through the network interface, the VPN negotiation parameters sent by the first virtual router, the VPN negotiation parameters being obtained by negotiation between the first virtual router and a second virtual router, where the second virtual router communicates with the second CPE and can obtain the encryption algorithms supported by the second CPE, and the designated encryption algorithm is selected from the encryption algorithms supported by both the first CPE and the second CPE.
Optionally, the processor may further perform the following operations:
the processor receives, through the network interface, a second message sent by the first virtual router, the second message including: a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
the processor performs decapsulation processing to obtain a decapsulated message, the decapsulated message including: the second source address, the second destination address and the second encrypted payload;
the processor decrypts the decapsulated message to obtain a decrypted message, the decrypted message including: the second source address, the second destination address and a payload;
the processor sends, through the network interface, the decrypted message to the device corresponding to the second destination address.
Specifically, when the message transmission apparatus shown in FIG. 12 is embodied as the first VR in the examples shown in FIGS. 5 and 6, the processor may perform the following operations according to the instructions and data stored in the memory:
the processor receives, through the network interface, a first message sent by a first customer premises equipment (CPE), the first message including: a first source address, a first destination address, a first encapsulation header and a first encrypted payload;
the processor looks up the second virtual router corresponding to the first destination address, a first virtual private network (VPN) tunnel being established between the first virtual router and the second virtual router;
the processor encapsulates the first message to obtain an encapsulated message, the encapsulated message including: the public network address of the first virtual router, the public network address of the second virtual router, the encapsulation header of the first VPN tunnel, the first source address, the first destination address, the first encapsulation header and the first encrypted payload;
the processor sends the encapsulated message to the second virtual router through the network interface.
Optionally, the processor may further perform the following operations:
the processor receives, through the network interface, a second message sent by a third virtual router, a second VPN tunnel being established between the first virtual router and the third virtual router, the second message including: the public network address of the third virtual router, the public network address of the first virtual router, the encapsulation header of the second VPN tunnel, a second source address, a second destination address, a second encapsulation header and a second encrypted payload;
the processor performs decapsulation processing to obtain a decapsulated message, the decapsulated message including: the second source address, the second destination address, the second encapsulation header and the second encrypted payload;
the processor sends the decapsulated message to the first CPE through the network interface.
The processor 1001 may be an integrated circuit chip with signal processing capability. During implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. These instructions may be implemented and controlled by the processor in order to execute the methods disclosed in the embodiments of the present invention. The processor may also be a general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component.
The general-purpose processor may be a microprocessor, or the processor may be any conventional processor, decoder or the like. The steps of the methods disclosed in connection with the embodiments of the present invention may be executed directly by a hardware processor, or by a combination of hardware and software modules in the processor. The software module may reside in a storage medium mature in the art, such as a random access memory, a flash memory, a read-only memory, a programmable read-only memory or an electrically erasable programmable memory, or a register.
In addition to a data bus, the bus system 1004 may further include a power bus, a control bus and a status signal bus. For clarity of illustration, however, the various buses are all labelled as bus system 1004 in FIG. 12.
From the description of the above implementations, those skilled in the art can clearly understand that all or part of the steps in the methods of the above embodiments may be implemented by software plus a general-purpose hardware platform. Based on this understanding, the technical solution of the present invention in essence, or the part of it that contributes to the prior art, may be embodied in the form of a software product; the computer software product may be stored in a storage medium such as a ROM/RAM, a magnetic disk or an optical disc, and includes a number of instructions for causing a computer device (which may be a personal computer, a server, or a network communication device such as a media gateway) to execute the methods described in the embodiments, or in certain parts of the embodiments, of the present invention.
It should be noted that the embodiments in this specification are described in a progressive manner; for the same or similar parts among the embodiments, reference may be made to one another, and each embodiment focuses on its differences from the others. In particular, since the device and system embodiments are basically similar to the method embodiments, they are described relatively briefly, and for relevant parts reference may be made to the description of the method embodiments. The device and system embodiments described above are merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed over a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art can understand and implement this without creative effort.
The above are only optional implementations of the present invention and are not intended to limit its scope of protection. It should be pointed out that those of ordinary skill in the art may make several improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title
---|---|---|---
CN201410449119.7A CN105471827B (en) | 2014-09-04 | 2014-09-04 | A message transmission method and device
Publications (2)
Publication Number | Publication Date
---|---
CN105471827A (en) | 2016-04-06
CN105471827B (en) | 2019-02-26