CN111277481A - Method, device, equipment and storage medium for establishing VPN tunnel - Google Patents

Info

Publication number
CN111277481A
Authority
CN
China
Prior art keywords
cpe
external network
address information
vcpe
identification information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202010022644.6A
Other languages
Chinese (zh)
Other versions
CN111277481B (en)
Inventor
张力园
樊俊诚
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Original Assignee
Secworld Information Technology Beijing Co Ltd
Qax Technology Group Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Secworld Information Technology Beijing Co Ltd, Qax Technology Group Inc
Priority to CN202010022644.6A
Publication of CN111277481A
Application granted
Publication of CN111277481B
Legal status: Active
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4633 Interconnection of networks using encapsulation techniques, e.g. tunneling
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00 Data switching networks
    • H04L12/28 Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46 Interconnection of networks
    • H04L12/4641 Virtual LANs, VLANs, e.g. virtual private networks [VPN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method, apparatus, device and storage medium for establishing a VPN tunnel. The method includes: receiving a connection establishment request message sent by a CPE, wherein the CPE is located in a branch node of an SD-WAN and the connection establishment request message includes the identification information of the CPE; performing networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE, wherein the connection establishment object is a vCPE located in a cloud service node of the SD-WAN, the cloud service node further includes a first NAT device, and the vCPE connects to the control platform through the first NAT device; and sending the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel with the vCPE through the first NAT device.

Description

A method, apparatus, device and storage medium for establishing a VPN tunnel

Technical field

The present invention relates to the field of Internet technologies, and in particular to a method, apparatus, device and storage medium for establishing a VPN tunnel.

Background

SD-WAN (Software-Defined WAN) is a service formed by applying SDN (Software Defined Network) technology to wide area network scenarios. SD-WAN can replace traditional WAN lines (MPLS-VPN, IPSec-VPN, etc.) and connect enterprise networks, data centers, Internet applications and cloud services across a wide geographical area, helping users reduce WAN costs and improve the flexibility of network connections. SD-WAN can currently be divided into four technical architectures: overlay, cloud, integrated and native. Of these, the cloud architecture is the one preferred by cloud vendors and service providers, and it is also the recommended architecture for large-scale SD-WAN branch deployment. In the cloud architecture, the vCPE (virtual Customer Premise Equipment) is deployed in a cloud service node of the SD-WAN, and the vCPE must access the Internet through NAT (Network Address Translation). Because the vCPE sits behind the NAT device of the cloud service node, the CPE (Customer Premise Equipment) in an SD-WAN branch node cannot communicate with the vCPE directly, and messages sent by the CPE to the vCPE are discarded by the NAT device. How to establish a VPN (Virtual Private Network) tunnel directly between the CPE and the vCPE has therefore become a technical problem that those skilled in the art urgently need to solve.

Summary of the invention

The purpose of the present invention is to provide a method, apparatus, device and storage medium for establishing a VPN tunnel that make it possible to establish a VPN tunnel directly between a CPE and a vCPE.

According to one aspect of the present invention, a method for establishing a VPN tunnel is provided. The method is applied to the control platform of an SD-WAN and includes:

receiving a connection establishment request message sent by a customer premises equipment (CPE), wherein the CPE is located in a branch node of the SD-WAN and the connection establishment request message includes the identification information of the CPE;

performing networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE, wherein the connection establishment object is a virtual customer premises equipment (vCPE) located in a cloud service node of the SD-WAN, the cloud service node further includes a first network address translation (NAT) device, and the vCPE connects to the control platform through the first NAT device;

sending the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel with the vCPE through the first NAT device.

Optionally, before the step of receiving the connection establishment request message sent by the CPE, the method further includes:

receiving a configuration parameter message forwarded by the first NAT device, wherein the configuration parameter message is sent by the vCPE to the first NAT device;

parsing the identification information and the external network IP address information of the vCPE out of the configuration parameter message;

establishing the correspondence between the identification information and the external network IP address information.

Optionally, once a VPN tunnel has been established between the CPE and the vCPE, the method further includes:

receiving a probe message forwarded by the first NAT device, wherein the probe message is a message sent by the vCPE to the first NAT device;

parsing second external network IP address information out of the probe message;

determining whether the first external network IP address information is consistent with the second external network IP address information;

if they are inconsistent, sending the second external network IP address information to the CPE, so that the CPE uses the second external network IP address information to re-establish the VPN tunnel with the vCPE through the first NAT device.

Optionally, the method further includes:

parsing third external network IP address information, that of the CPE, out of the connection establishment request message;

sending the third external network IP address information to the vCPE through the first NAT device, so that the vCPE uses the third external network IP address information to establish a VPN tunnel with the CPE through the first NAT device.

Optionally, the step of receiving the connection establishment request message sent by the CPE specifically includes:

receiving a connection establishment request message forwarded by a second NAT device, wherein the connection establishment request message is a message sent by the CPE to the second NAT device, and the second NAT device is located in the branch node.

Optionally, the step of sending the first external network IP address information to the CPE specifically includes:

sending the first external network IP address information to the CPE through the second NAT device.

To achieve the above purpose, the present invention also provides an apparatus for establishing a VPN tunnel. The apparatus is applied to the control platform of an SD-WAN and includes:

a receiving module, configured to receive a connection establishment request message sent by a customer premises equipment (CPE), wherein the CPE is located in a branch node of the SD-WAN and the connection establishment request message includes the identification information of the CPE;

a configuration module, configured to perform networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE, wherein the connection establishment object is a virtual customer premises equipment (vCPE) located in a cloud service node of the SD-WAN, the cloud service node further includes a first network address translation (NAT) device, and the vCPE connects to the control platform through the first NAT device;

a sending module, configured to send the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel with the vCPE through the first NAT device.

Optionally, the receiving module is further configured to:

receive a configuration parameter message forwarded by the first NAT device, wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;

The configuration module is further configured to:

parse the identification information and the external network IP address information of the vCPE out of the configuration parameter message;

The sending module is further configured to establish the correspondence between the identification information and the external network IP address information.

To achieve the above purpose, the present invention also provides a computer device that specifically includes a memory, a processor, and a computer program stored in the memory and executable on the processor. When the processor executes the computer program, the steps of the method for establishing a VPN tunnel described above are implemented.

To achieve the above purpose, the present invention also provides a computer-readable storage medium on which a computer program is stored. When the computer program is executed by a processor, the steps of the method for establishing a VPN tunnel described above are implemented.

In the method, apparatus, device and storage medium for establishing a VPN tunnel provided by the present invention, the control platform acts as a transit server. Both the CPE and the vCPE initiate connections to the control platform, so that the control platform obtains the external network IP address information of the CPE and the vCPE. Networking configuration is then performed on the control platform, and a tunnel configuration file containing the external network IP address information of the peer is sent to the CPE and to the vCPE. The CPE and the vCPE then each hold the external network IP address information of the peer and can send tunnel negotiation packets, which establishes a VPN tunnel between the CPE and the vCPE.

Description of the drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings serve only to illustrate the preferred embodiments and are not to be considered limiting of the invention. Throughout the drawings, the same reference symbols denote the same components. In the drawings:

FIG. 1 is a schematic diagram of the structure of the SD-WAN framework provided by Embodiment 1;

FIG. 2 is an optional schematic flowchart of the method for establishing a VPN tunnel provided by Embodiment 1;

FIG. 3 is an optional schematic flowchart of the method for establishing a VPN tunnel provided by Embodiment 2;

FIG. 4 is an optional schematic diagram of the structure of the apparatus for establishing a VPN tunnel provided by Embodiment 3;

FIG. 5 is an optional schematic diagram of the hardware architecture of the computer device provided by Embodiment 4.

Detailed description

To make the purposes, technical solutions and advantages of the present invention clearer, the present invention is described in further detail below with reference to the drawings and embodiments. It should be understood that the specific embodiments described here serve only to explain the present invention and do not limit it. All other embodiments obtained by those of ordinary skill in the art on the basis of the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.

The method, apparatus, device and storage medium for establishing a VPN tunnel provided by the present invention are described below with reference to the drawings.

Embodiment 1

An embodiment of the present invention provides a method for establishing a VPN tunnel. The method is applied to the control platform in the SD-WAN framework shown in FIG. 1. The SD-WAN framework includes a control platform, multiple cloud service nodes and multiple branch nodes; each cloud service node is provided with a NAT device and a vCPE, and each branch node is provided with a CPE. FIG. 2 is an optional schematic flowchart of the method for establishing a VPN tunnel provided by Embodiment 1 of the present invention. As shown in FIG. 2, the method specifically includes the following steps:

Step S201: receive a connection establishment request message sent by the customer premises equipment (CPE), wherein the CPE is located in a branch node of the SD-WAN and the connection establishment request message includes the identification information of the CPE.

Specifically, if no second NAT device is set in the branch node, that is, the CPE is in an external network environment, the CPE sends the connection establishment request message directly to the control platform;

if a second NAT device is set in the branch node, that is, the CPE is in an internal network environment and must connect to the Internet through the second NAT device, step S201 specifically includes:

receiving a connection establishment request message forwarded by the second NAT device, wherein the connection establishment request message is a message sent by the CPE to the second NAT device, the second NAT device is located in the branch node, and the CPE connects to the control platform through the second NAT device.

The connection establishment request message is used to request the establishment of a VPN tunnel with the vCPE.

In this embodiment, regardless of whether the CPE is in an internal network environment or an external network environment, it can establish, through the management and control platform, a VPN tunnel with the vCPE located behind the NAT device in the cloud service node.

Step S202: perform networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE, wherein the connection establishment object is a virtual customer premises equipment (vCPE) located in a cloud service node of the SD-WAN, the cloud service node further includes a first network address translation (NAT) device, and the vCPE connects to the control platform through the first NAT device.

Specifically, before step S202, the method further includes:

Step A1: receive a configuration parameter message forwarded by the first NAT device, wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;

In this embodiment, because the first NAT device is set in the cloud service node, the vCPE is in an internal network environment. When the vCPE needs to connect to the Internet, it must go through the first NAT device, which converts the internal network IP address information and internal network port information of the vCPE into external network IP address information and external network port information according to the session table entries set in the first NAT device.

Step A2: parse the identification information and the external network IP address information of the vCPE out of the configuration parameter message;

Further, step A2 includes:

obtaining the identification information of the vCPE contained in the configuration parameter message, and obtaining the external network IP address information of the vCPE by reading the source IP address information of the configuration parameter message.

Step A3: establish the correspondence between the identification information and the external network IP address information.

In this embodiment, the management and control platform can obtain in advance the identification information and external network IP address information of the vCPE in each cloud service node of the SD-WAN framework and store the identification information and external network IP address information of each vCPE separately, so that when a CPE later needs to establish a connection with any vCPE, the management and control platform returns the external network IP address information of the corresponding vCPE to the CPE. It should also be noted that the step of performing networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE can be implemented in several ways: the identification information of the connection establishment object corresponding to the identification information of the CPE can be determined from a preset configuration table; or the identification information of the connection establishment object can be added to the connection establishment request message; or an administrator can perform the networking configuration manually on the control platform.

It should also be noted that this embodiment applies to non-symmetric NAT (also called Cone NAT) scenarios. Cone NAT is further subdivided into three types: Full Cone, Restricted Cone and Restricted Port Cone. Preferably, the NAT in this embodiment is Full Cone NAT.

Step S203: send the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network (VPN) tunnel with the vCPE through the first NAT device.

Because the SD-WAN framework contains multiple cloud service nodes, and the vCPE in each cloud service node sends a configuration parameter message to the control platform, the control platform stores the correspondence between the identification information of multiple vCPEs and their external network IP address information. In step S203 it is therefore necessary to determine the first external network IP address information corresponding to the identification information of the connection establishment object and to send that first external network IP address information to the CPE.

Specifically, if no second NAT device is set in the branch node, that is, the CPE is in an external network environment, the control platform sends the first external network IP address information directly to the CPE;

if a second NAT device is set in the branch node, that is, the CPE is in an internal network environment and must connect to the Internet through the second NAT device, step S203 specifically includes:

sending the first external network IP address information to the CPE through the second NAT device.

It should also be noted that, along with the first external network IP address information, the control platform also sends the CPE the other tunnel configuration information used to establish the VPN tunnel.

In this embodiment, because a NAT device is set in the cloud service node and the vCPE must connect to the Internet through it, the vCPE is in an internal network environment, and both the external network IP address and the external network port information of the vCPE are dynamically assigned by the NAT device. The CPE in the branch node therefore cannot obtain the real-time external network IP address of the vCPE, that is, the CPE cannot communicate with the vCPE directly. To solve this problem, in this embodiment the control platform acts as a transit server: both the CPE and the vCPE initiate connections to the control platform, so that the control platform obtains the external network IP address information and external network port information of the CPE and the vCPE. Networking configuration is then performed on the control platform, and a tunnel configuration file containing the external network IP address information of the vCPE is sent to the CPE. The CPE then holds the external network IP address information of the vCPE and can send tunnel negotiation packets, which establishes a VPN tunnel between the CPE and the vCPE.

Further, once a VPN tunnel has been established between the CPE and the vCPE, the method further includes:

Step B1: receive a probe message forwarded by the first NAT device, wherein the probe message is a message sent by the vCPE to the first NAT device;

In this embodiment, once a VPN tunnel has been established between the CPE and the vCPE, the vCPE periodically sends probe messages to the control platform at a set time interval; the probe message includes the identification information of the vCPE.

Step B2: parse the second external network IP address information out of the probe message;

Specifically, step B2 includes:

obtaining the identification information contained in the probe message and, according to that identification information, looking up the corresponding first external network IP address information;

determining the second external network IP address information from the source external network IP address information of the probe message, wherein the second external network IP address information is the external network IP address that the first NAT device currently allocates to the vCPE.

In practice, the address pool of the first NAT device changes, so the external network address and external network port that the first NAT device allocates to the vCPE change as well, which interrupts the VPN tunnel. In this embodiment, therefore, the vCPE periodically sends probe packets to the control platform through the first NAT device in order to report its real-time external network IP address information to the control platform.

Step B3: determine whether the first external network IP address information is consistent with the second external network IP address information;

Step B4: if they are inconsistent, send the second external network IP address information to the CPE, so that the CPE uses the second external network IP address information to re-establish the VPN tunnel with the vCPE through the first NAT device.

In this embodiment, after the CPE and the vCPE have established a VPN tunnel, the real-time external network IP address information of the vCPE is still obtained periodically through probe messages. When the external network IP address information of the vCPE is found to have changed, the changed external network IP address information is sent to the CPE, so that the CPE re-establishes the VPN tunnel with the vCPE according to it. In the prior art, after the CPE and the vCPE have established a VPN tunnel, the first NAT device will re-allocate external network IP address information to the vCPE, which disconnects the VPN tunnel. In this embodiment, probe packets report the current external network IP address information of the vCPE to the management and control platform in real time; when the management and control platform finds that the external network IP address information of the vCPE has changed, it sends the changed external network IP address information to the CPE so that the CPE re-establishes the tunnel connection with the vCPE, preventing the VPN tunnel from being disconnected.

Further, the method also includes:

Step C1: parse the third external network IP address information of the CPE out of the connection establishment request message;

Step C2: send the third external network IP address information to the vCPE through the first NAT device, so that the vCPE uses the third external network IP address information to establish the VPN tunnel with the CPE through the first NAT device.

In this embodiment, the control platform acts as a transit server: both the CPE and the vCPE initiate connections to the control platform, so that the control platform obtains the external network IP address information of both, performs networking configuration, and sends a tunnel configuration file containing the peer's external network IP address information to the CPE and to the vCPE. Each side then has the peer's external network IP address information and can send tunnel negotiation packets, so that a VPN tunnel can be established between the CPE and the vCPE.

Embodiment 2

An embodiment of the present invention provides a method for establishing a VPN tunnel. The method is applied in the SD-WAN framework shown in FIG. 1, which includes a control platform, multiple cloud service nodes and multiple branch nodes; each cloud service node contains a NAT device and a vCPE, and each branch node contains a CPE. FIG. 3 is an optional schematic flowchart of the method for establishing a VPN tunnel provided by Embodiment 1 of the present invention. As shown in FIG. 3, the method includes the following steps:

Step S301: the vCPE sends a configuration parameter message to the control platform through the NAT device; wherein the configuration parameter message includes the identification information of the vCPE, the vCPE and the NAT device are located in the same cloud service node of the SD-WAN, and the vCPE connects to the Internet through the NAT device.

Specifically, step S301 includes:

The vCPE obtains its own internal network IP address information and internal network port information; the session table entry in the NAT device converts these into first external network IP address information and first external network port information, and the configuration parameter message is sent to the control platform on the basis of the first external network IP address information and first external network port information.

Step S302: the control platform parses the identification information of the vCPE and the first external network IP address information out of the configuration parameter message, and locally establishes the correspondence between the identification information of the vCPE and the first external network IP address information.

Specifically, the control platform parsing the identification information of the vCPE and the first external network IP address information out of the configuration parameter message includes:

obtaining the identification information contained in the configuration parameter message;

determining the first external network IP address information from the source address information of the configuration parameter message.

Step S303: the CPE sends a connection establishment request message to the control platform; wherein the connection establishment request message includes the identification information of the CPE.

Step S304: the controller parses the second external network IP address information of the CPE out of the connection establishment request message.

Specifically, step S304 includes:

determining the second external network IP address information from the source address information of the connection establishment request message.

Step S305: the control platform performs networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE.

The connection establishment object is a vCPE located in a cloud service node of the SD-WAN.

Step S306: the controller platform looks up locally the first external network IP address information corresponding to the identification information of the connection establishment object.

Step S307: the control platform sends the first external network IP address information to the CPE, and sends the second external network IP address information to the vCPE through the NAT device.

Specifically, step S307 includes:

After obtaining the external network IP address information of the CPE and the vCPE, the control platform performs networking configuration to obtain a tunnel configuration file; wherein the tunnel configuration file includes the external network IP address information of the CPE, the external network IP address information of the vCPE, and tunnel configuration information;

The control platform sends the tunnel configuration file to the CPE and to the vCPE.

Step S308: the CPE establishes the VPN tunnel with the vCPE through the NAT device according to the first external network IP address information.

Specifically, step S308 includes:

After obtaining the tunnel configuration file, the CPE obtains the first external network IP address information in it and sends a tunnel negotiation packet containing the first external network IP address information to the NAT device;

The NAT device receives the tunnel negotiation packet, converts the first external network IP address information into the corresponding internal network IP address information through the session table entry, and forwards the tunnel negotiation packet to the vCPE on the basis of that internal network IP address information.

Further, the method also includes:

Step S309: after the CPE and the vCPE have established the VPN tunnel, the vCPE periodically sends a probe packet to the control platform through the NAT device at a set time interval; wherein the probe packet includes the identification information of the vCPE;

Step S310: the control platform parses the third external network IP address information of the vCPE out of the probe packet;

The third external network IP address information is what the NAT device currently allocates to the vCPE.

Step S311: the control platform looks up locally the first external network IP address corresponding to the identification information in the probe packet, and compares the first external network IP address information with the third external network IP address information;

Step S312: if they are inconsistent, the control platform sends the third external network IP address information to the CPE;

Specifically, step S312 includes:

If they are inconsistent, the management and control platform locally updates the external network IP address information corresponding to the identification information of the vCPE, updates the corresponding tunnel negotiation packet, and delivers the updated tunnel negotiation packet to the CPE and to the vCPE.

Step S313: the CPE re-establishes the VPN tunnel with the vCPE through the NAT device according to the third external network IP address information.
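
The control-platform side of steps S301 to S313 (and of steps B1 to B4 in Embodiment 1), as an added Python example that is not part of the patent text. The message fields, the `ControlPlatform` class, and the HMAC tag with a per-device key and counter are assumptions of this example: the page defines no message format and does not say how messages are authenticated, and the tag is included here because the platform derives tunnel endpoints from an identity string plus the packet's source address.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def sign(key: bytes, kind: str, device_id: str, counter: int) -> str:
    """Tag a device attaches to each message (assumed scheme, not from the page)."""
    data = f"{kind}|{device_id}|{counter}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


@dataclass
class ControlPlatform:
    keys: dict    # device identity -> pre-shared key (assumption)
    peers: dict   # networking configuration: CPE identity -> vCPE identity
    vcpe_addr: dict = field(default_factory=dict)     # vCPE identity -> (ip, port)
    cpe_addr: dict = field(default_factory=dict)      # CPE identity -> (ip, port)
    last_counter: dict = field(default_factory=dict)  # replay guard per device
    outbox: list = field(default_factory=list)        # (recipient, tunnel config)

    def _accept(self, msg: dict, kind: str) -> bool:
        """Reject unknown devices, bad tags and stale counters."""
        key = self.keys.get(msg["id"])
        if key is None or msg["counter"] <= self.last_counter.get(msg["id"], -1):
            return False
        expected = sign(key, kind, msg["id"], msg["counter"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False
        self.last_counter[msg["id"]] = msg["counter"]
        return True

    def _push_config(self, cpe_id: str, vcpe_id: str) -> None:
        """S307 / S312: send each side the peer's current external address."""
        self.outbox.append((cpe_id, {"peer": self.vcpe_addr[vcpe_id]}))
        if cpe_id in self.cpe_addr:
            self.outbox.append((vcpe_id, {"peer": self.cpe_addr[cpe_id]}))

    def on_config(self, msg: dict, src: tuple) -> bool:
        """S301-S302: map the vCPE identity to the address the NAT device assigned."""
        if not self._accept(msg, "config"):
            return False
        self.vcpe_addr[msg["id"]] = src  # taken from the packet source, not the payload
        return True

    def on_connect(self, msg: dict, src: tuple) -> bool:
        """S303-S307: record the CPE address, find its peer, send both configs."""
        if not self._accept(msg, "connect"):
            return False
        vcpe_id = self.peers.get(msg["id"])
        if vcpe_id is None or vcpe_id not in self.vcpe_addr:
            return False
        self.cpe_addr[msg["id"]] = src
        self._push_config(msg["id"], vcpe_id)
        return True

    def on_probe(self, msg: dict, src: tuple) -> bool:
        """S309-S312: True when the NAT mapping changed and config was re-sent."""
        if not self._accept(msg, "probe"):
            return False
        vcpe_id = msg["id"]
        if self.vcpe_addr.get(vcpe_id) in (None, src):
            return False  # not registered, or address unchanged
        self.vcpe_addr[vcpe_id] = src
        for cpe_id, peer in self.peers.items():
            if peer == vcpe_id and cpe_id in self.cpe_addr:
                self._push_config(cpe_id, vcpe_id)
        return True


def demo() -> list:
    """Constructed run: identities, keys and addresses are sample values."""
    keys = {"vcpe-1": b"sample-key-a", "cpe-1": b"sample-key-b"}
    cp = ControlPlatform(keys=keys, peers={"cpe-1": "vcpe-1"})

    def msg(kind, dev, ctr):
        return {"id": dev, "counter": ctr, "tag": sign(keys[dev], kind, dev, ctr)}

    cp.on_config(msg("config", "vcpe-1", 1), ("203.0.113.10", 40001))
    cp.on_connect(msg("connect", "cpe-1", 1), ("198.51.100.7", 50000))
    # The NAT device re-allocates the vCPE's external port; the probe reveals it.
    cp.on_probe(msg("probe", "vcpe-1", 2), ("203.0.113.10", 40777))
    return cp.outbox


if __name__ == "__main__":
    for recipient, config in demo():
        print(recipient, config)
```
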

Embodiment 3

An embodiment of the present invention provides an apparatus for establishing a VPN tunnel, applied to the control platform in the SD-WAN framework shown in FIG. 1. FIG. 4 is an optional schematic structural diagram of the apparatus for establishing a VPN tunnel provided by Embodiment 3 of the present invention. As shown in FIG. 4, the apparatus includes the following components:

The receiving module 401 is configured to receive a connection establishment request message sent by the customer terminal equipment CPE; wherein the CPE is located in a branch node of the SD-WAN, and the connection establishment request message includes the identification information of the CPE;

The configuration module 402 is configured to perform networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE; wherein the connection establishment object is a virtual client device vCPE located in a cloud service node of the SD-WAN, the cloud service node further includes a first network address interaction NAT device, and the vCPE is connected to the control platform through the first NAT device;

The sending module 403 is configured to send the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network VPN tunnel with the vCPE through the first NAT device.

Specifically, the receiving module 401 is further configured to:

before the step of receiving the connection establishment request message sent by the customer terminal equipment CPE, receive a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vCPE to the first NAT device;

The configuration module 402 is further configured to:

parse the identification information and the external network IP address information of the vCPE out of the configuration parameter message;

The sending module 403 is further configured to establish the correspondence between the identification information and the external network IP address information.

Further, the receiving module 401 is also configured to:

when a VPN tunnel has been established between the CPE and the vCPE, receive a probe message forwarded by the first NAT device; wherein the probe message is a message sent by the vCPE to the first NAT device.

The configuration module 402 is further configured to:

parse the second external network IP address information out of the probe message.

The apparatus also includes:

a judging module, configured to judge whether the first external network IP address information is consistent with the second external network IP address information and, if they are inconsistent, to send the second external network IP address information to the CPE, so that the CPE uses the second external network IP address information to re-establish the VPN tunnel with the vCPE through the first NAT device.

Further, the configuration module 402 is also configured to:

parse the third external network IP address information of the CPE out of the connection establishment request message.

The sending module 403 is further configured to:

send the third external network IP address information to the vCPE through the first NAT device, so that the vCPE uses the third external network IP address information to establish the VPN tunnel with the CPE through the first NAT device.

Further, when implementing the step of receiving the connection establishment request message sent by the customer terminal equipment CPE, the receiving module 401 is specifically configured to:

receive a connection establishment request message forwarded by a second NAT device; wherein the connection establishment request message is a message sent by the CPE to the second NAT device, and the second NAT device is located in the branch node.

When implementing the step of sending the first external network IP address information and the first external network port information to the CPE, the sending module 403 is specifically configured to:

send the first external network IP address information to the CPE through the second NAT device.

Embodiment 4

This embodiment also provides a computer device capable of executing programs, such as a smartphone, tablet computer, notebook computer, desktop computer, rack server, blade server, tower server or cabinet server (including a stand-alone server or a server cluster composed of multiple servers). As shown in FIG. 5, the computer device 50 of this embodiment includes at least, but is not limited to, a memory 501 and a processor 502 that can be communicatively connected to each other through a system bus. Note that FIG. 5 shows only the computer device 50 with components 501-502; it should be understood that not all of the illustrated components are required, and more or fewer components may be implemented instead.

In this embodiment, the memory 501 (that is, a readable storage medium) includes flash memory, a hard disk, a multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disk, and so on. In some embodiments, the memory 501 may be an internal storage unit of the computer device 50, such as its hard disk or memory. In other embodiments, the memory 501 may be an external storage device of the computer device 50, such as a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card or a flash card fitted to the computer device 50. The memory 501 may also include both the internal storage unit of the computer device 50 and its external storage device. In this embodiment, the memory 501 is generally used to store the operating system and the various application software installed on the computer device 50. In addition, the memory 501 can be used to temporarily store various types of data that have been output or are to be output.

In some embodiments, the processor 502 may be a central processing unit (CPU), a controller, a microcontroller, a microprocessor or another data processing chip. The processor 502 is generally used to control the overall operation of the computer device 50.

Specifically, in this embodiment, the processor 502 is configured to execute the program of the method for establishing a VPN tunnel stored in the processor 502; when that program is executed, the following steps can be implemented:

receiving a connection establishment request message sent by the customer terminal equipment CPE; wherein the CPE is located in a branch node of the SD-WAN, and the connection establishment request message includes the identification information of the CPE;

performing networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE; wherein the connection establishment object is a virtual client device vCPE located in a cloud service node of the SD-WAN, the cloud service node further includes a first network address interaction NAT device, and the vCPE is connected to the control platform through the first NAT device;

sending the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network VPN tunnel with the vCPE through the first NAT device.

For the specific implementation of the above method steps, refer to the first embodiment; it is not repeated here.

Embodiment 5

This embodiment also provides a computer-readable storage medium, such as flash memory, a hard disk, a multimedia card, card-type memory (for example, SD or DX memory), random access memory (RAM), static random access memory (SRAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), programmable read-only memory (PROM), magnetic memory, a magnetic disk, an optical disk, a server, an app store, and so on, on which a computer program is stored; when the computer program is executed by a processor, the following method steps can be implemented:

receiving a connection establishment request message sent by the customer terminal equipment CPE; wherein the CPE is located in a branch node of the SD-WAN, and the connection establishment request message includes the identification information of the CPE;

performing networking configuration to determine the identification information of the connection establishment object corresponding to the identification information of the CPE; wherein the connection establishment object is a virtual client device vCPE located in a cloud service node of the SD-WAN, the cloud service node further includes a first network address interaction NAT device, and the vCPE is connected to the control platform through the first NAT device;

sending the first external network IP address information corresponding to the identification information of the connection establishment object to the CPE, so that the CPE uses the first external network IP address information to establish a virtual private network VPN tunnel with the vCPE through the first NAT device.

For the specific implementation of the above method steps, refer to the first embodiment; it is not repeated here.

It should be noted that, herein, the terms "comprise", "include" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or apparatus comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or apparatus. Without further limitation, an element qualified by the phrase "comprising a..." does not preclude the presence of additional identical elements in the process, method, article or apparatus that includes the element.

The serial numbers of the above embodiments of the present invention are for description only and do not indicate that one embodiment is better or worse than another.

From the description of the above embodiments, those skilled in the art can clearly understand that the methods of the above embodiments can be implemented by software plus the necessary general-purpose hardware platform, and can of course also be implemented by hardware, but in many cases the former is the better implementation.

The above are only preferred embodiments of the present invention and do not limit its patent scope. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, or applied directly or indirectly in other related technical fields, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. A method for establishing a VPN tunnel, which is applied to a control platform of an SD-WAN, and comprises the following steps:
receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
networking configuration is carried out to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; the connection object is virtual client equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises first network address interaction NAT equipment, and the vCPE is connected with the control platform through the first NAT equipment;
and sending first external network IP address information corresponding to the identification information of the connection object to the CPE so that the CPE utilizes the first external network IP address information and establishes a virtual private network VPN tunnel between the CPE and the VPN through the first NAT equipment.
2. Method for establishing a VPN tunnel according to claim 1, characterised in that before said step of receiving a connection request message sent by a customer premises equipment, CPE, the method further comprises:
receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vcCPE to the first NAT device;
analyzing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
and establishing a corresponding relation between the identity identification information and the external network IP address information.
3. Method for establishing a VPN tunnel according to claim 1, characterised in that when a VPN tunnel is established between the CPE and the vCPE, the method further comprises:
receiving a probe message forwarded by the first NAT device; wherein the probe message is a message sent by the vcCPE to the first NAT device;
analyzing second external network IP address information from the detection message;
judging whether the first external network IP address information is consistent with the second external network IP address information;
and if the two pieces of external network IP address information are not consistent, the second external network IP address information is sent to the CPE so that the CPE can reestablish a VPN tunnel between the CPE and the second external network IP address information through the first NAT equipment.
4. The method of establishing a VPN tunnel according to claim 1, further comprising:
analyzing third external network IP address information of the CPE from the connection establishing request message;
and sending the third external network IP address information to the vCPE through the first NAT equipment so that the vCPE utilizes the third external network IP address information and establishes a VPN tunnel between the vCPE and the first NAT equipment.
5. The method according to claim 1, wherein the step of receiving the connection establishment request message sent by the customer premises equipment CPE specifically comprises:
receiving a connection establishment request message forwarded by the second NAT equipment; wherein the connection establishment request message is a message sent by the CPE to the second NAT device, and the second NAT device is located in the branch node.
6. The method according to claim 5, wherein the step of sending the first extranet IP address information to the CPE specifically includes:
and sending the first external network IP address information to the CPE through the second NAT equipment.
7. An apparatus for establishing a VPN tunnel, applied to a control platform of an SD-WAN, the apparatus comprising:
the receiving module is used for receiving a connection establishment request message sent by Customer Premises Equipment (CPE); wherein the CPE is located in a branch node of the SD-WAN, and the connection request message comprises: identification information of the CPE;
the configuration module is used for carrying out networking configuration so as to determine the identity identification information of the connection object corresponding to the identity identification information of the CPE; the connection object is virtual client equipment vCPE located in a cloud service node of the SD-WAN, the cloud service node further comprises first network address interaction NAT equipment, and the vCPE is connected with the control platform through the first NAT equipment;
and the sending module is used for sending the first external network IP address information corresponding to the identity identification information of the connection object to the CPE so that the CPE utilizes the first external network IP address information and establishes a virtual private network VPN tunnel between the CPE and the VPN through the first NAT equipment.
8. The apparatus for establishing a VPN tunnel according to claim 7, wherein said receiving module is further configured to:
receiving a configuration parameter message forwarded by the first NAT device; wherein the configuration parameter message is a message sent by the vcCPE to the first NAT device;
the configuration module is further configured to:
analyzing the identity identification information and the external network IP address information of the vCPE from the configuration parameter message;
the sending module is further configured to establish a corresponding relationship between the identification information and the external network IP address information.
9. A computer device, the computer device comprising: memory, processor and computer program stored on the memory and executable on the processor, characterized in that the processor implements the steps of the method of any of claims 1 to 6 when executing the computer program.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method of any one of claims 1 to 6.
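The control-platform behaviour recited in claims 7 and 8, as an added Python sketch that is not code from the patent or its applicants. The JSON encoding, the field names `id` and `external_ip`, the sample identities, the private-range check and the rejection responses are all assumptions made for illustration.

```python
import ipaddress
import json

# Assumed sanity check: ranges that cannot serve as an "external network" address
# (RFC 1918 private space, loopback, link-local).
NON_EXTERNAL = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]


class ControlPlatform:
    def __init__(self, topology):
        # Networking configuration: CPE identity -> identity of its connection object (vCPE).
        self.topology = dict(topology)
        # Correspondence built per claim 8: vCPE identity -> external network IP.
        self.external_ip = {}

    def register_vcpe(self, raw):
        """Parse identity and external IP from a configuration parameter message."""
        msg = json.loads(raw)
        ip = ipaddress.ip_address(msg["external_ip"])  # ValueError if malformed
        if any(ip in net for net in NON_EXTERNAL):
            raise ValueError(f"{ip} is not an external network address")
        self.external_ip[msg["id"]] = str(ip)
        return msg["id"]

    def handle_connect_request(self, raw):
        """Resolve the requesting CPE's connection object and return its address."""
        cpe_id = json.loads(raw)["id"]
        peer_id = self.topology.get(cpe_id)
        if peer_id is None:
            return {"status": "rejected", "reason": "unknown CPE"}
        if peer_id not in self.external_ip:
            return {"status": "rejected", "reason": "peer not registered"}
        return {"status": "ok", "peer_id": peer_id,
                "peer_external_ip": self.external_ip[peer_id]}


# Constructed sample messages (documentation address range, made-up identities).
VCPE_CONFIG = json.dumps({"id": "vcpe-cloud-1", "external_ip": "203.0.113.10"})
CPE_REQUEST = json.dumps({"id": "cpe-branch-7"})

if __name__ == "__main__":
    cp = ControlPlatform({"cpe-branch-7": "vcpe-cloud-1"})
    print(cp.handle_connect_request(CPE_REQUEST))   # before the vCPE registers
    cp.register_vcpe(VCPE_CONFIG)
    print(cp.handle_connect_request(CPE_REQUEST))   # after registration
```

The claims do not say how the control platform authenticates the identity carried in either message; a deployment would need to verify it before recording or returning an address.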
CN202010022644.6A 2020-01-09 2020-01-09 A method, apparatus, device and storage medium for establishing a VPN tunnel Active CN111277481B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010022644.6A CN111277481B (en) 2020-01-09 2020-01-09 A method, apparatus, device and storage medium for establishing a VPN tunnel

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010022644.6A CN111277481B (en) 2020-01-09 2020-01-09 A method, apparatus, device and storage medium for establishing a VPN tunnel

Publications (2)

Publication Number Publication Date
CN111277481A true CN111277481A (en) 2020-06-12
CN111277481B CN111277481B (en) 2021-09-24

Family

ID=71001571

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010022644.6A Active CN111277481B (en) 2020-01-09 2020-01-09 A method, apparatus, device and storage medium for establishing a VPN tunnel

Country Status (1)

Country Link
CN (1) CN111277481B (en)

Also Published As

Publication number Publication date
CN111277481B (en) 2021-09-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CP01 Change in the name or title of a patent holder

Address after: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee after: QAX Technology Group Inc.

Patentee after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Address before: Room 332, 3 / F, Building 102, 28 xinjiekouwei street, Xicheng District, Beijing 100088

Patentee before: QAX Technology Group Inc.

Patentee before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.