
CN113067910A - A NAT traversal method, device, electronic device and storage medium - Google Patents


Info

Publication number: CN113067910A
Application number: CN202010003261.4A
Authority: CN (China)
Prior art keywords: nat, cpe, address information, type, network address
Prior art date:
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Granted
Other languages: Chinese (zh)
Other versions: CN113067910B (en)
Inventors: 韩瑞波, 李振强, 李晗
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.): China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Original Assignee: China Mobile Communications Group Co Ltd; Research Institute of China Mobile Communication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.):
Filing date:
Publication date:
Events: application filed by China Mobile Communications Group Co Ltd and Research Institute of China Mobile Communication Co Ltd; priority to CN202010003261.4A; publication of CN113067910A; application granted; publication of CN113067910B; legal status: Active; anticipated expiration.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0485 Networking architectures for enhanced packet encryption processing, e.g. offloading of IPsec packet processing or efficient security association look-up

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computing Systems (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a NAT (Network Address Translation) traversal method, a NAT traversal device, an electronic device and a storage medium. The method comprises the following steps: determining the type of a first NAT device, the type of a second NAT device, and the NATed public network address information corresponding to a second CPE, where the first NAT device is connected to a first CPE and the second NAT device is connected to the second CPE; and configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the NATed public network address information corresponding to the second CPE.

Description

A NAT traversal method, device, electronic device and storage medium

Technical field

The present invention relates to mobile communication technology, and in particular to a network address translation (NAT, Network Address Translation) traversal method, device, electronic device and storage medium.

Background

An Internet Protocol Security (IPSEC) tunnel is used in an end-to-end security model to establish trust and security between a source address and a destination address. For an IPSEC tunnel running over the public network, at least one of the two ends must have a public network address; otherwise the IPSEC tunnel cannot be established.

Summary of the invention

In view of this, the main purpose of the present invention is to provide a NAT traversal method, device, electronic device and storage medium.

To achieve the above purpose, the technical solution of the present invention is implemented as follows:

An embodiment of the present invention provides a NAT traversal method, applied to a first customer premises equipment (CPE, Customer Premise Equipment), the method comprising:

determining the type of a first NAT device, the type of a second NAT device, and the NATed public network address information corresponding to a second CPE; the first NAT device is connected to the first CPE and the second NAT device is connected to the second CPE;

configuring an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the NATed public network address information corresponding to the second CPE.

In the above solution, determining the type of the second NAT device comprises:

receiving the type of the second NAT device sent by the server.

In the above solution, the method further comprises:

sending a first test message to the server; the first test message is used to request the server to send a first result message;

receiving the first result message sent by the server, determining the type of the NAT device to which the first CPE itself is connected based on the first result message, and sending the determined type of that NAT device to the server.

In the above solution, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, determining the NATed public network address information corresponding to the second CPE comprises:

receiving a message sent by the second CPE;

determining the NATed public network address information corresponding to the second CPE based on the received message.

In the above solution, the method further comprises:

sending a second test message to the server; the second test message is used by the server to determine the NATed public network address information corresponding to the first CPE.

In the above solution, the method further comprises:

sending, over the configured IPSEC tunnel, a message whose destination is an arbitrary address; the message with an arbitrary destination address is used to punch a hole in the first NAT device.

In the above solution, configuring the IPSEC tunnel and tunnel address information comprises:

configuring the encapsulation mode of the IPSEC tunnel as tunnel mode, and configuring the use of NAT-T mode;

configuring the source address in the tunnel address information based on the first CPE's own private network address information;

configuring the destination address in the tunnel address information based on the NATed public network address information corresponding to the second CPE.

In the above solution, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, determining the NATed public network address information corresponding to the second CPE comprises:

receiving the NATed public network address information corresponding to the second CPE sent by the server.

In the above solution, the method further comprises:

sending a message to the second CPE; the sent message is used by the second CPE to determine the NATed public network address information corresponding to the first CPE.

In the above solution, configuring the IPSEC tunnel and tunnel address information comprises:

configuring the encapsulation mode of the IPSEC tunnel as tunnel mode, and configuring the use of NAT-T mode;

configuring the source address in the tunnel address information based on the first CPE's own private network address information;

configuring the destination address in the tunnel address information based on the NATed public network address information corresponding to the second CPE.

In the above solution, when the type of the first NAT device is full cone NAT and the type of the second NAT device is network address port translation (NAPT, Network Address Port Translation), or when the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, determining the NATed public network address information corresponding to the second CPE comprises:

receiving the NATed public network address information corresponding to the second CPE sent by the server.

In the above solution, configuring the IPSEC tunnel and tunnel address information comprises:

configuring the encapsulation mode of the IPSEC tunnel as tunnel mode, and configuring the use of NAT-T mode;

configuring the source address in the tunnel address information based on the first CPE's own private network address information;

configuring the destination address in the tunnel address information based on the NATed public network address information corresponding to the second CPE.

In the above solution, the method further comprises:

sending a message based on the configured IPSEC tunnel and tunnel address information; the sent message is used to punch a hole in the first NAT device.

In the above solution, the NAPT includes at least one of the following: symmetric NAT, full cone NAT, address restricted cone NAT, port restricted cone NAT.

In the above solution, the tunnel address information includes at least one of the following:

the first CPE's own private network address information, and the NATed public network address information corresponding to the second CPE.

In the above solution, the public network address information comprises a public network address and a port number.

In the above solution, the message comprises: an Internet Protocol (IP, Internet Protocol) header, a User Datagram Protocol (UDP) header, an authentication part, and Encapsulating Security Payload (ESP) authentication;

wherein the authentication part comprises an ESP header and an encrypted part; the encrypted part comprises the original IP header, Transmission Control Protocol (TCP, Transmission Control Protocol), data (DATA) and the ESP trailer.
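The message layout just described (outer IP header, UDP header, an authentication part made of the ESP header plus the encrypted part, then the ESP authentication value) is the ESP-in-UDP encapsulation that NAT-T mode uses. The Python below is an added illustration, not code from the patent or its assignee: it frames such a packet, passes it through a simulated NAPT that rewrites the outer source address and UDP port, and verifies the integrity check value (ICV) on the far side. The key, addresses and payload are constructed; the ICV algorithm (HMAC-SHA-256 truncated to 128 bits) is an assumption; and the "encrypted part" is left in plaintext as a placeholder for the security association's real cipher. The point it makes is why NAT rewriting does not break the tunnel: the ICV covers only the ESP header and the encrypted part, never the outer IP and UDP headers that the NAT changes.

```python
# Added illustration of the NAT-T message layout; not code from the patent.
# Key, addresses and payload are constructed; the ICV algorithm is assumed.
import hashlib
import hmac
import socket
import struct

ESP_HDR = struct.Struct("!II")   # SPI, sequence number
ICV_LEN = 16                     # HMAC-SHA-256 truncated to 128 bits (assumption)
NAT_T_PORT = 4500                # UDP port used for ESP-in-UDP (RFC 3948)


def esp_trailer(plain_len: int, next_header: int = 4, block: int = 4) -> bytes:
    """ESP trailer: padding bytes 1,2,3..., Pad Length, Next Header.
    Next Header 4 means the protected payload is an inner IPv4 packet (tunnel mode)."""
    pad_len = (-(plain_len + 2)) % block
    return bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])


def build_esp(spi: int, seq: int, encrypted_part: bytes, auth_key: bytes) -> bytes:
    """ESP header + encrypted part + ICV.  The ICV covers the header and the
    encrypted part (the 'authentication part'), never the outer IP/UDP headers."""
    hdr = ESP_HDR.pack(spi, seq)
    icv = hmac.new(auth_key, hdr + encrypted_part, hashlib.sha256).digest()[:ICV_LEN]
    return hdr + encrypted_part + icv


def parse_esp(esp: bytes, auth_key: bytes):
    """Verify the ICV and split the packet; raises ValueError on tampering."""
    if len(esp) < ESP_HDR.size + ICV_LEN:
        raise ValueError("ESP packet too short")
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP ICV mismatch")
    spi, seq = ESP_HDR.unpack_from(body)
    return spi, seq, body[ESP_HDR.size:]


def icv_valid(esp: bytes, auth_key: bytes) -> bool:
    try:
        parse_esp(esp, auth_key)
        return True
    except ValueError:
        return False


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def wrap_udp(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Outer IPv4 + UDP headers around the ESP packet (UDP checksum 0 is legal on IPv4)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    return ipv4_header(src, dst, 17, 20 + len(udp)) + udp


def nat_rewrite(packet: bytes, new_src: str, new_sport: int) -> bytes:
    """What a NAPT does on the way out: new outer source IP and UDP source port."""
    total_len = struct.unpack("!H", packet[2:4])[0]
    dst = socket.inet_ntoa(packet[16:20])
    udp = struct.pack("!H", new_sport) + packet[22:]
    return ipv4_header(new_src, dst, packet[9], total_len) + udp


def udp_payload(packet: bytes) -> bytes:
    return packet[28:]            # skip 20-byte IPv4 header + 8-byte UDP header


def demo():
    """Build a tunnel-mode packet, push it through a NAT, verify on the far side."""
    auth_key = b"constructed-example-key"            # constructed, not a real key
    data = b"GET / HTTP/1.1\r\n"
    tcp = struct.pack("!HHIIBBHHH", 51234, 443, 1, 0, 0x50, 0x02, 65535, 0, 0)
    inner = ipv4_header("192.168.1.10", "192.168.2.20", 6, 40 + len(data)) + tcp + data
    plain = inner + esp_trailer(len(inner))        # original IP | TCP | DATA | ESP trailer
    encrypted_part = plain   # placeholder: a real SA encrypts this with its cipher
    esp = build_esp(0x1001, 1, encrypted_part, auth_key)
    sent = wrap_udp("10.0.0.2", "203.0.113.9", NAT_T_PORT, NAT_T_PORT, esp)
    natted = nat_rewrite(sent, "198.51.100.7", 41000)   # outer headers change
    spi, seq, got = parse_esp(udp_payload(natted), auth_key)
    return spi, seq, got == encrypted_part
```

`demo()` returns the SPI, the sequence number and whether the authenticated part arrived intact after the NAT rewrote the outer headers; flipping any byte inside the ESP header or the encrypted part makes `parse_esp` raise, which is the property that lets the receiver trust the tunnel contents regardless of what the NAT did to the outer addressing.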

An embodiment of the present invention further provides a NAT traversal method, applied to a server, the method comprising:

determining the type of a first NAT device and the type of a second NAT device; the first NAT device is connected to a first CPE and the second NAT device is connected to a second CPE;

sending the type of the second NAT device to the first CPE; sending the type of the first NAT device to the second CPE;

when the type of the first NAT device and the type of the second NAT device satisfy a preset condition, determining the NATed public network address information corresponding to the first CPE and sending it to the second CPE; and/or determining the NATed public network address information corresponding to the second CPE and sending it to the first CPE;

wherein the public network address information is used to configure the IPSEC tunnel and tunnel address information.

In the above solution, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, the NATed public network address information corresponding to the first CPE is determined and sent to the second CPE.

In the above solution, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, the NATed public network address information corresponding to the second CPE is determined and sent to the first CPE.

In the above solution, when the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, or when the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, the NATed public network address information corresponding to the first CPE is determined and sent to the second CPE, and the NATed public network address information corresponding to the second CPE is determined and sent to the first CPE.

In the above solution, the NAPT includes at least one of the following:

symmetric NAT, full cone NAT, address restricted cone NAT, port restricted cone NAT.

In the above solution, the public network address information comprises a public network address and a port number.

In the above solution, determining the type of the first NAT device and the type of the second NAT device comprises:

receiving a first test message sent by the first CPE and sending a first result message based on the first test message; the first result message is used by the first CPE to determine the type of the first NAT device to which it is connected; and receiving from the first CPE the type of the first NAT device to which it is connected;

receiving a third test message sent by the second CPE and sending a second result message based on the third test message; the second result message is used by the second CPE to determine the type of the second NAT device to which it is connected; and receiving from the second CPE the type of the second NAT device to which it is connected.

In the above solution, determining the NATed public network address information corresponding to the first CPE comprises:

receiving a second test message sent by the first CPE, and determining the NATed public network address information corresponding to the first CPE based on the second test message sent by the first CPE;

and determining the NATed public network address information corresponding to the second CPE comprises:

receiving a fourth test message sent by the second CPE, and determining the NATed public network address information corresponding to the second CPE based on the fourth test message sent by the second CPE.
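The first-CPE method and the server method above are two halves of one procedure: each CPE classifies its own NAT from the server's result message and reports it, the server relays the peer's NAT type and, depending on the pair, one or both NATed public addresses, and each CPE then configures a tunnel-mode, NAT-T IPSEC tunnel whose source is its own private address and whose destination is the peer's NATed public address. The Python below is an added illustration of that decision logic, not the patent's or the assignee's code; the type, function and field names are assumptions, and it models only the three NAT pairings the description covers, rejecting any other pair rather than guessing.

```python
# Added illustration of the scheme's decision logic; not code from the patent.
# All names are assumptions; only the three described NAT pairings are handled.
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class NatType(Enum):
    BASIC = "basic NAT"                  # rewrites addresses only
    FULL_CONE = "full cone NAT"
    ADDR_RESTRICTED = "address restricted cone NAT"
    PORT_RESTRICTED = "port restricted cone NAT"
    SYMMETRIC = "symmetric NAT"


# The description lists these four variants under NAPT.
NAPT = {NatType.FULL_CONE, NatType.ADDR_RESTRICTED,
        NatType.PORT_RESTRICTED, NatType.SYMMETRIC}


@dataclass(frozen=True)
class Endpoint:
    ip: str
    port: int


def server_plan(first: NatType, second: NatType) -> dict:
    """Server side: the 'preset condition' decides which CPE is told the
    peer's NATed public address by the server.  Pairs outside the three
    described cases raise instead of guessing."""
    if first is NatType.FULL_CONE and second is NatType.BASIC:
        return {"tell_first": False, "tell_second": True}
    if first is NatType.BASIC and second is NatType.FULL_CONE:
        return {"tell_first": True, "tell_second": False}
    if (first is NatType.FULL_CONE and second in NAPT) or \
       (first in NAPT and second is NatType.FULL_CONE):
        return {"tell_first": True, "tell_second": True}
    raise ValueError(f"NAT pair not covered: {first.value} / {second.value}")


def is_supported(first: NatType, second: NatType) -> bool:
    try:
        server_plan(first, second)
        return True
    except ValueError:
        return False


def tunnel_config(own_private: Endpoint, peer_public: Endpoint) -> dict:
    """CPE side: tunnel-mode ESP with NAT-T, source = own private address,
    destination = the peer's NATed public address (address + port)."""
    return {"encapsulation": "tunnel", "nat_t": True,
            "src": own_private, "dst": peer_public}


def first_cpe_punch_target(first: NatType, second: NatType,
                           second_public: Endpoint) -> Optional[Endpoint]:
    """Where the first CPE sends its hole-punching message.  None stands for
    'an arbitrary address': a full-cone mapping, once created, accepts traffic
    from any external host, so the destination does not matter."""
    if first is NatType.FULL_CONE and second is NatType.BASIC:
        return None
    return second_public


def run_exchange(first: NatType, second: NatType,
                 first_private: Endpoint, first_public: Endpoint,
                 second_private: Endpoint, second_public: Endpoint) -> dict:
    """Simulate both sides.  The server learns each CPE's NATed address from
    that CPE's test message; whichever address the server does not relay is
    learned by the peer directly from a packet that crossed the NAT."""
    plan = server_plan(first, second)
    first_learns_from = "server" if plan["tell_first"] else "packet from second CPE"
    second_learns_from = "server" if plan["tell_second"] else "packet from first CPE"
    return {
        "first_cfg": tunnel_config(first_private, second_public),
        "second_cfg": tunnel_config(second_private, first_public),
        "first_learns_from": first_learns_from,
        "second_learns_from": second_learns_from,
        "first_punch": first_cpe_punch_target(first, second, second_public),
    }
```

Because the description places full cone NAT inside its NAPT set, a full cone / full cone pair falls under the third case and both CPEs are told the peer's address by the server; basic / basic and pairs of non-full-cone NAPTs are not covered and `server_plan` refuses them. The hole punched in a full cone NAT is reachable from any host, so the NAT mapping itself provides no access control; the IPSEC peer authentication on the tunnel is what decides who may use it.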

本发明实施例还提供了一种NAT穿越装置,所述装置应用于第一CPE,所述装置包括:第一处理模块和第二处理模块;An embodiment of the present invention further provides a NAT traversal device, the device is applied to the first CPE, and the device includes: a first processing module and a second processing module;

所述第一处理模块,用于确定第一NAT设备的类型、第二NAT设备的类型和相应于第二CPE的经NAT后的公网地址信息;所述第一NAT设备连接所述第一CPE,所述第二NAT设备连接第二CPE;The first processing module is used to determine the type of the first NAT device, the type of the second NAT device and the NATed public network address information corresponding to the second CPE; the first NAT device is connected to the first CPE, the second NAT device is connected to the second CPE;

所述第二处理模块,用于基于所述第一NAT设备的类型、所述第二NAT设备的类型和所述相应于第二CPE的经NAT后的公网地址信息,配置IPSEC隧道和隧道地址信息。The second processing module is configured to configure IPSEC tunnels and tunnels based on the type of the first NAT device, the type of the second NAT device, and the NATed public network address information corresponding to the second CPE Address information.

上述方案中,所述第一处理模块,用于接收服务器发送的第二NAT设备的类型。In the above solution, the first processing module is configured to receive the type of the second NAT device sent by the server.

上述方案中,所述第一处理模块,还用于向服务器发送第一测试报文;所述第一测试报文用于请求所述服务器发送第一结果报文;In the above solution, the first processing module is further configured to send a first test message to the server; the first test message is used to request the server to send a first result message;

接收所述服务器发送的第一结果报文,基于所述第一结果报文确定自身连接的NAT设备的类型,将确定的自身连接的NAT设备的类型发送给所述服务器。Receive the first result message sent by the server, determine the type of the NAT device connected to itself based on the first result message, and send the determined type of the NAT device connected to itself to the server.

在一实施例中,在所述第一NAT设备的类型为完全圆锥型NAT,且所述第二NAT设备的类型为基本NAT的情况下;所述第一处理模块,具体用于接收第二CPE发送的报文;In one embodiment, when the type of the first NAT device is a complete cone NAT, and the type of the second NAT device is a basic NAT; the first processing module is specifically configured to receive the second NAT device. The message sent by the CPE;

基于接收的所述报文确定相应于第二CPE的经NAT后的公网地址信息。The NATed public network address information corresponding to the second CPE is determined based on the received message.

上述方案中,所述第一处理模块,还用于向服务器发送第二测试报文;所述第二测试报文用于所述服务器确定相应于第一CPE的经NAT后的公网地址信息。In the above solution, the first processing module is further configured to send a second test message to the server; the second test message is used for the server to determine the NATed public network address information corresponding to the first CPE .

具体地,所述第一处理模块,还用于基于配置的IPSEC隧道,发送目标地址为任意地址的报文;所述目标地址为任意地址的报文用于在第一NAT设备打洞。Specifically, the first processing module is further configured to, based on the configured IPSEC tunnel, send a message with a destination address of any address; the message with an arbitrary address as a destination address is used to punch holes in the first NAT device.

具体地,所述第二处理模块,用于配置IPSEC隧道的封装方式为隧道模式,以及配置采用NAT-T模式;Specifically, the second processing module is used to configure the encapsulation mode of the IPSEC tunnel as tunnel mode, and the configuration adopts NAT-T mode;

基于所述第一CPE自身的私网地址信息配置所述隧道地址信息中的源地址;Configure the source address in the tunnel address information based on the private network address information of the first CPE itself;

基于所述相应于第二CPE的经NAT后的公网地址信息配置所述隧道地址信息中的目的地址。The destination address in the tunnel address information is configured based on the NATed public network address information corresponding to the second CPE.

上述方案中,在所述第一NAT设备的类型为基本NAT,且所述第二NAT设备的类型为完全圆锥型NAT的情况下;所述第一处理模块,具体用于接收服务器发送的相应于第二CPE的经NAT后的公网地址信息。In the above scheme, in the case where the type of the first NAT device is a basic NAT, and the type of the second NAT device is a complete cone NAT; the first processing module is specifically configured to receive the corresponding data sent by the server. The NATed public network address information of the second CPE.

上述方案中,所述第一处理模块,还用于向第二CPE发送报文;发送的所述报文用于第二CPE确定相应于第一CPE的经NAT后的公网地址信息。In the above solution, the first processing module is further configured to send a message to the second CPE; the sent message is used by the second CPE to determine the NATed public network address information corresponding to the first CPE.

所述第二处理模块,用于配置IPSEC隧道的封装方式为隧道模式,以及配置采用NAT-T模式;The second processing module is used for configuring the encapsulation mode of the IPSEC tunnel to be a tunnel mode, and the configuration adopts a NAT-T mode;

基于所述第一CPE自身的私网地址信息配置所述隧道地址信息中的源地址;Configure the source address in the tunnel address information based on the private network address information of the first CPE itself;

基于所述相应于第二CPE的经NAT后的公网地址信息配置所述隧道地址信息中的目的地址。The destination address in the tunnel address information is configured based on the NATed public network address information corresponding to the second CPE.

上述方案中,在所述第一NAT设备的类型为完全圆锥型NAT,且所述第二NAT设备的类型为NAPT的情况下,或者,在所述第一NAT设备的类型为NAPT,且所述第二NAT设备的类型为完全圆锥型NAT的情况下;所述第一处理模块,具体用于接收服务器发送的相应于第二CPE的经NAT后的公网地址信息。In the above solution, when the type of the first NAT device is a complete cone NAT, and the type of the second NAT device is NAPT, or, when the type of the first NAT device is NAPT, and all When the type of the second NAT device is a complete cone NAT; the first processing module is specifically configured to receive the NATed public network address information corresponding to the second CPE sent by the server.

上述方案中,所述第二处理模块,用于配置IPSEC隧道的封装方式为隧道模式,以及配置采用NAT-T模式;In the above scheme, the second processing module is used to configure the encapsulation mode of the IPSEC tunnel as the tunnel mode, and the configuration adopts the NAT-T mode;

基于所述第一CPE自身的私网地址信息配置所述隧道地址信息中的源地址;Configure the source address in the tunnel address information based on the private network address information of the first CPE itself;

基于所述相应于第二CPE的经NAT后的公网地址信息配置所述隧道地址信息中的目的地址。The destination address in the tunnel address information is configured based on the NATed public network address information corresponding to the second CPE.

上述方案中,所述第一处理模块,还用于基于配置的IPSEC隧道和隧道地址信息发送报文,发送的报文用于在第一NAT设备打洞。In the above solution, the first processing module is further configured to send a message based on the configured IPSEC tunnel and tunnel address information, and the sent message is used for punching a hole in the first NAT device.

上述方案中,所述NAPT,包括以下至少之一:对称型NAT、完全圆锥型NAT、地址限制圆锥型NAT、端口限制圆锥型NAT。In the above solution, the NAPT includes at least one of the following: symmetric NAT, full cone NAT, address restricted cone NAT, and port restricted cone NAT.

上述方案中,所述隧道地址信息,包括以下至少之一:In the above solution, the tunnel address information includes at least one of the following:

第一CPE自身的私网地址信息、相应于第二CPE的经NAT后的公网地址信息。The private network address information of the first CPE itself corresponds to the NATed public network address information of the second CPE.

上述方案中,所述公网地址信息,包括:公网地址和端口号。In the above solution, the public network address information includes: a public network address and a port number.

上述方案中,所述报文包括:IP头、UDP头、认证部分、ESP认证;In the above solution, the packet includes: an IP header, a UDP header, an authentication part, and an ESP authentication;

其中,所述认证部分包括:ESP头和加密部分;所述加密部分包括:原始IP头、TCP、DATA、ESP尾。Wherein, the authentication part includes: ESP header and encryption part; and the encryption part includes: original IP header, TCP, DATA, and ESP tail.

本发明实施例还提供了一种NAT穿越装置,所述装置应用于服务器,所述装置包括:第三处理模块、第四处理模块和第五处理模块;其中,An embodiment of the present invention further provides a NAT traversal device, the device is applied to a server, and the device includes: a third processing module, a fourth processing module, and a fifth processing module; wherein,

所述第三处理模块,用于确定第一NAT设备的类型和第二NAT设备的类型;所述第一NAT设备连接第一CPE,所述第二NAT设备连接第二CPE;The third processing module is used to determine the type of the first NAT device and the type of the second NAT device; the first NAT device is connected to the first CPE, and the second NAT device is connected to the second CPE;

所述第四处理模块,用于向所述第一CPE发送所述第二NAT设备的类型;向所述第二CPE发送所述第一NAT设备的类型;The fourth processing module is configured to send the type of the second NAT device to the first CPE; send the type of the first NAT device to the second CPE;

所述第五处理模块,用于在所述第一NAT设备的类型和所述第二NAT的设备满足预设条件的情况下,确定相应于第一CPE的经NAT后的公网地址信息,向第二CPE发送所述相应于第一CPE的经NAT后的公网地址信息;和/或,确定相应于第二CPE的经NAT后的公网地址信息,向第一CPE发送所述相应于第二CPE的经NAT后的公网地址信息;The fifth processing module is configured to determine the NATed public network address information corresponding to the first CPE when the type of the first NAT device and the second NAT device meet preset conditions, Sending the NATed public network address information corresponding to the first CPE to the second CPE; and/or, determining the NATed public network address information corresponding to the second CPE, and sending the corresponding public network address information to the first CPE The NATed public network address information of the second CPE;

其中,所述公网地址信息用于配置IPSEC隧道和隧道地址信息。The public network address information is used to configure IPSEC tunnels and tunnel address information.

上述方案中,所述第五处理模块,用于在所述第一NAT设备的类型为完全圆锥型NAT,且所述第二NAT设备的类型为基本NAT的情况下,确定相应于第一CPE的经NAT后的公网地址信息,向第二CPE发送所述相应于第一CPE的经NAT后的公网地址信息。In the above solution, the fifth processing module is configured to determine the corresponding first CPE when the type of the first NAT device is a complete cone NAT and the type of the second NAT device is a basic NAT and send the NATed public network address information corresponding to the first CPE to the second CPE.

上述方案中,所述第五处理模块,用于在所述第一NAT设备的类型为基本NAT,且所述第二NAT设备的类型为完全圆锥型NAT的情况下,确定相应于第二CPE的经NAT后的公网地址信息,向第一CPE发送所述相应于第二CPE的经NAT后的公网地址信息。In the above solution, the fifth processing module is configured to determine the corresponding second CPE when the type of the first NAT device is a basic NAT and the type of the second NAT device is a complete cone NAT The NATed public network address information, and the NATed public network address information corresponding to the second CPE is sent to the first CPE.

上述方案中,所述第五处理模块,用于在所述第一NAT设备的类型为完全圆锥型NAT且所述第二NAT设备的类型为NAPT的情况下,或者,在所述第一NAT设备的类型为NAPT且所述第二NAT设备的类型为完全圆锥型NAT的情况下,确定相应于第一CPE的经NAT后的公网地址信息,向第二CPE发送所述相应于第一CPE的经NAT后的公网地址信息;以及,确定相应于第二CPE的经NAT后的公网地址信息,向第一CPE发送所述相应于第二CPE的经NAT后的公网地址信息。In the above solution, the fifth processing module is used for the case that the type of the first NAT device is a complete cone NAT and the type of the second NAT device is NAPT, or, in the case of the first NAT When the type of the device is NAPT and the type of the second NAT device is full cone NAT, determine the NATed public network address information corresponding to the first CPE, and send the information corresponding to the first CPE to the second CPE. The NATed public network address information of the CPE; and determining the NATed public network address information corresponding to the second CPE, and sending the NATed public network address information corresponding to the second CPE to the first CPE .

上述方案中,所述NAPT,包括以下至少之一:In the above scheme, the NAPT includes at least one of the following:

对称型NAT、完全圆锥型NAT、地址限制圆锥型NAT、端口限制圆锥型NAT。Symmetric NAT, Full Cone NAT, Address Restriction Cone NAT, Port Restriction Cone NAT.

上述方案中,所述公网地址信息,包括:公网地址和端口号。In the above solution, the public network address information includes: a public network address and a port number.

In the above solution, the third processing module is configured to: receive a first test packet sent by the first CPE and send a first result packet based on the first test packet, the first result packet being used by the first CPE to determine the type of the first NAT device to which it is connected; and receive, from the first CPE, the type of the first NAT device to which it is connected;

receive a third test packet sent by the second CPE and send a second result packet based on the third test packet, the second result packet being used by the second CPE to determine the type of the second NAT device to which it is connected; and receive, from the second CPE, the type of the second NAT device to which it is connected.

In the above solution, the third processing module is further configured to receive a second test packet sent by the first CPE, and to determine, based on the second test packet, the post-NAT public network address information corresponding to the first CPE;

the third processing module is further configured to receive a fourth test packet sent by the second CPE, and to determine, based on the fourth test packet, the post-NAT public network address information corresponding to the second CPE.

An embodiment of the present invention further provides an electronic device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor, when executing the program, implements the steps of any of the first-CPE-side NAT traversal methods described above; or,

the processor, when executing the program, implements the steps of any of the server-side NAT traversal methods described above.

An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the first-CPE-side NAT traversal methods described above; or,

which, when executed by the processor, implements the steps of any of the server-side NAT traversal methods described above.

The NAT traversal method, device, electronic device and storage medium provided by the embodiments of the present invention determine the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE, where the first NAT device is connected to the first CPE and the second NAT device is connected to the second CPE; and configure an IPSEC tunnel and its tunnel address information based on the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE. With the technical solution of the embodiments, an IPSEC tunnel can be established even when both ends are connected to NAT devices, that is, when neither end has a public network address.

Description of drawings

Fig. 1 is an architecture diagram of existing IPSEC tunnel establishment;

Fig. 2 is another architecture diagram of existing IPSEC tunnel establishment;

Fig. 3 is a schematic flowchart of a NAT traversal method provided by an embodiment of the present invention;

Fig. 4 is a schematic flowchart of another NAT traversal method provided by an embodiment of the present invention;

Fig. 5 is a schematic diagram of a scenario in which one end traverses a NAT, provided by an embodiment of the present invention;

Fig. 6 is a schematic flowchart of yet another NAT traversal method provided by an embodiment of the present invention;

Fig. 7 is a schematic structural diagram of a second packet provided by an embodiment of the present invention;

Fig. 8 is a schematic structural diagram of a third packet provided by an embodiment of the present invention;

Fig. 9 is a schematic structural diagram of a NAT traversal device provided by an embodiment of the present invention;

Fig. 10 is a schematic structural diagram of another NAT traversal device provided by an embodiment of the present invention;

Fig. 11 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention.

Detailed description

Before the present invention is described in further detail with reference to the embodiments, the technology related to IPSEC tunnels is explained first.

For an IPSEC tunnel running over the public network, at least one of the two ends must have a public network address; otherwise the IPSEC tunnel cannot be established. Fig. 1 is an architecture diagram of existing IPSEC tunnel establishment; in both tunnels shown in Fig. 1 at least one end has a public network address (no NAT device is attached to it), so an IPSEC tunnel can be established.

Fig. 2 is another architecture diagram of existing IPSEC tunnel establishment; as shown in Fig. 2, neither end has a public network address (both ends are behind NAT devices), and in practice an IPSEC tunnel cannot be established.

The present invention is described in further detail below with reference to the embodiments.

Fig. 3 is a schematic flowchart of a NAT traversal method provided by an embodiment of the present invention; as shown in Fig. 3, the NAT traversal method is applied to a first CPE and includes:

Step 301: determine the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE; the first NAT device is connected to the first CPE and the second NAT device is connected to the second CPE;

Step 302: based on the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE, configure an IPSEC tunnel and tunnel address information.

Specifically, determining the type of the second NAT device includes:

receiving the type of the second NAT device sent by the server.

Here, the second CPE determines the type of the NAT device it is connected to through the NAT-type detection exchange with the server and sends the result to the server, so that the server can send the type of the second NAT device to the first CPE based on the result it received.

Specifically, the method further includes:

sending a first test packet to the server; the first test packet requests the server to send a first result packet;

receiving the first result packet sent by the server, determining the type of the NAT device it is connected to based on the first result packet, and sending the determined type of the NAT device it is connected to to the server.

Here, the first CPE determines the type of the NAT device it is connected to (that is, the first NAT device) through the NAT-type detection exchange with the server (sending the first test packet and receiving the first result packet).

Specifically, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, determining the post-NAT public network address information corresponding to the second CPE includes:

receiving a packet sent by the second CPE;

determining, based on the received packet, the post-NAT public network address information corresponding to the second CPE.

Here, the received packet includes or carries the post-NAT public network address information corresponding to the second CPE.

This can be understood as follows: the second CPE sends a packet that includes or carries an address; the packet passes through the NAT and is received by the first CPE, and the address it shows on arrival is the post-NAT public network address information corresponding to the second CPE. That is, the first CPE can determine the post-NAT public network address information corresponding to the second CPE from the received packet.

Specifically, the method further includes:

sending a second test packet to the server; the second test packet is used by the server to determine the post-NAT public network address information corresponding to the first CPE.

This can be understood as follows: the first CPE sends a packet that includes or carries an address; the packet passes through the NAT and is received by the server, and the address it shows on arrival is the post-NAT public network address information corresponding to the first CPE. That is, the server can determine the post-NAT public network address information corresponding to the first CPE from the received packet.

Specifically, the method further includes:

sending, over the configured IPSEC tunnel, a packet whose destination is an arbitrary address; that packet is used to punch a hole in (open a mapping on) the first NAT device.

Specifically, configuring the IPSEC tunnel and tunnel address information includes:

configuring the encapsulation of the IPSEC tunnel as tunnel mode, and configuring NAT-T mode;

configuring the source address in the tunnel address information based on the first CPE's own private network address information;

configuring the destination address in the tunnel address information based on the post-NAT public network address information corresponding to the second CPE.

Here, the operating modes of an IPSEC tunnel include tunnel mode, in which the entire IP packet sent by the CPE is used to compute the Authentication Header (AH) or Encapsulating Security Payload (ESP) header; the AH or ESP header together with the ESP-encrypted data is then encapsulated in a new IP packet. Tunnel mode is typically used for communication between two gateways.

NAT-T mode encapsulates ESP packets in User Datagram Protocol (UDP) packets (a new IP header and a UDP header are added outside the IP header of the original ESP packet), so that a NAT device treats the packet like an ordinary UDP packet; ESP traffic can thereby coexist with a one-to-many NAT.

Specifically, in NAT-T mode a sent packet consists of: an Internet Protocol (IP) header, a User Datagram Protocol (UDP) header, an authenticated part, and the Encapsulating Security Payload (ESP) authentication data;

where the authenticated part consists of the ESP header and the encrypted part, and the encrypted part consists of the original IP header, the Transmission Control Protocol (TCP) header, the data (DATA), and the ESP trailer.
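As an added example (not code from the patent), the following Python builds and parses the NAT-T framing just described: an outer IP header, a UDP header on port 4500, the ESP header, the inner packet with its ESP trailer, and the ESP authentication data. It also handles the other traffic that shares port 4500, IKE, which RFC 3948 distinguishes from ESP by a four-zero-byte non-ESP marker in the position where the SPI would be. Assumptions: ESP NULL encryption (RFC 2410) with HMAC-SHA-256-128 integrity (RFC 4868), so that the "encrypted part" stays readable in the example; a deployed tunnel would use an AEAD such as AES-GCM in its place, and IKE would negotiate the SPI and keys. All addresses, the key and the inner packet are constructed.

```python
"""NAT-T (RFC 3948) framing: outer IPv4 | UDP 4500 | ESP header | inner packet + trailer | ICV.
Constructed example, not the patent's code. ESP uses NULL encryption and
HMAC-SHA-256-128 here so the inner packet stays readable (assumption)."""
import hashlib
import hmac
import socket
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # IKE over 4500 starts with 4 zero bytes; an ESP SPI is never 0
IPPROTO_UDP, IPPROTO_TCP = 17, 6
NEXT_HEADER_IPV4 = 4                    # tunnel mode: the ESP payload is a whole IPv4 packet
ICV_LEN = 16                            # HMAC-SHA-256-128 truncates the tag to 128 bits


def ip_checksum(data):
    """Standard one's-complement checksum over the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header with a correct checksum."""
    fields = [0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0,
              socket.inet_aton(src), socket.inet_aton(dst)]
    fields[7] = ip_checksum(struct.pack("!BBHHHBBH4s4s", *fields))
    return struct.pack("!BBHHHBBH4s4s", *fields)


def udp_header(length):
    # UDP checksum 0 (none) is permitted for IPv4 and common for NAT-T traffic
    return struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, length, 0)


def build_nat_t_esp(src, dst, spi, seq, inner_packet, auth_key):
    """The layout from the text: IP | UDP | [ESP header | inner packet + trailer] | ICV.
    The bracketed span is what the ICV covers; inner_packet is the CPE's original
    IP packet (original IP header, TCP, DATA), followed by the ESP trailer."""
    if spi == 0:
        raise ValueError("SPI 0 would collide with the non-ESP marker")
    pad_len = (-(len(inner_packet) + 2)) % 4               # trailer ends on a 4-byte boundary
    padding = bytes(range(1, pad_len + 1))                   # RFC 4303 default monotonic padding
    authed = struct.pack("!II", spi, seq) + inner_packet + padding + bytes([pad_len, NEXT_HEADER_IPV4])
    icv = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    udp_len = 8 + len(authed) + ICV_LEN
    return ipv4_header(src, dst, IPPROTO_UDP, udp_len) + udp_header(udp_len) + authed + icv


def build_nat_t_ike(src, dst, ike_message):
    """IKE on port 4500 carries the non-ESP marker so the receiver can demultiplex it."""
    udp_len = 8 + 4 + len(ike_message)
    return ipv4_header(src, dst, IPPROTO_UDP, udp_len) + udp_header(udp_len) + NON_ESP_MARKER + ike_message


def parse_nat_t(packet, auth_key):
    """Receiver side: strip IP and UDP, demultiplex IKE vs ESP, verify the ICV and
    return ('ike', payload) or ('esp', spi, seq, inner_packet). Raises on a bad ICV."""
    ihl = (packet[0] & 0x0F) * 4
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != NAT_T_PORT:
        raise ValueError("not a NAT-T packet")
    payload = packet[ihl + 8:ihl + udp_len]
    if payload[:4] == NON_ESP_MARKER:
        return ("ike", payload[4:])
    authed, icv = payload[:-ICV_LEN], payload[-ICV_LEN:]
    expected = hmac.new(auth_key, authed, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(expected, icv):           # check integrity before touching the contents
        raise ValueError("ESP ICV mismatch")
    spi, seq = struct.unpack("!II", authed[:8])
    pad_len, next_header = authed[-2], authed[-1]
    if next_header != NEXT_HEADER_IPV4:
        raise ValueError("unexpected next header %d" % next_header)
    return ("esp", spi, seq, authed[8:len(authed) - 2 - pad_len])


def demo():
    """CPEA (private 10.0.0.1) sends an inner TCP packet towards CPEB's post-NAT
    address; returns True if the receiver recovers the inner packet unchanged."""
    key = bytes(range(32))                                                     # constructed key
    inner = ipv4_header("10.0.0.2", "10.1.0.2", IPPROTO_TCP, 20) + bytes(20)   # stand-in TCP header
    packet = build_nat_t_esp("10.0.0.1", "198.51.100.2", 0x1234, 1, inner, key)
    return parse_nat_t(packet, key) == ("esp", 0x1234, 1, inner)
```

The outer source address is the CPE's private address, exactly as the tunnel is configured in the text; the NAT rewrites it (and, for NAPT, the UDP source port) on the way out, while the ICV still verifies because it covers only the ESP part and not the outer headers. That separation is what lets NAT-T work where plain ESP or AH would fail.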

Specifically, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, determining the post-NAT public network address information corresponding to the second CPE includes:

receiving the post-NAT public network address information corresponding to the second CPE sent by the server.

Here, once the server has determined the post-NAT public network address information corresponding to the second CPE, it can send that information to the first CPE.

Specifically, the method further includes:

sending a packet to the second CPE; the sent packet is used by the second CPE to determine the post-NAT public network address information corresponding to the first CPE.

Here, the first CPE sends a packet carrying the corresponding address information to the second CPE; after passing through the NAT the packet is received by the second CPE, and the address the second CPE determines from the packet is the post-NAT public network address information corresponding to the first CPE.

Specifically, configuring the IPSEC tunnel and tunnel address information includes:

configuring the encapsulation of the IPSEC tunnel as tunnel mode, and configuring NAT-T mode;

configuring the source address in the tunnel address information based on the first CPE's own private network address information;

configuring the destination address in the tunnel address information based on the post-NAT public network address information corresponding to the second CPE.

It should be noted that the first CPE in the case where the first NAT device is a full cone NAT and the second NAT device is a basic NAT is the second CPE in the case where the first NAT device is a basic NAT and the second NAT device is a full cone NAT;

and the second CPE in the case where the first NAT device is a full cone NAT and the second NAT device is a basic NAT is the first CPE in the case where the first NAT device is a basic NAT and the second NAT device is a full cone NAT.

The two cases are described above in order to show the operations performed by each of the two CPEs.

Specifically, when the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, or when the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, determining the post-NAT public network address information corresponding to the second CPE includes:

receiving the post-NAT public network address information corresponding to the second CPE sent by the server.

Specifically, configuring the IPSEC tunnel and tunnel address information includes:

configuring the encapsulation of the IPSEC tunnel as tunnel mode, and configuring NAT-T mode;

configuring the source address in the tunnel address information based on the first CPE's own private network address information;

configuring the destination address in the tunnel address information based on the post-NAT public network address information corresponding to the second CPE.

Specifically, the method further includes:

sending a packet based on the configured IPSEC tunnel and tunnel address information; the sent packet is used to punch a hole in the first NAT device.

Specifically, the NAPT includes at least one of: symmetric NAT, full cone NAT, address-restricted cone NAT, port-restricted cone NAT.

It should be noted that the first CPE in the case where the first NAT device is a full cone NAT and the second NAT device is a NAPT is the second CPE in the case where the first NAT device is a NAPT and the second NAT device is a full cone NAT; conversely, the second CPE in the case where the first NAT device is a full cone NAT and the second NAT device is a NAPT is the first CPE in the case where the first NAT device is a NAPT and the second NAT device is a full cone NAT.

In the case where the first NAT device is a full cone NAT and the second NAT device is a NAPT, or the first NAT device is a NAPT and the second NAT device is a full cone NAT, the first CPE and the second CPE perform the same operations.

Specifically, the tunnel address information includes at least one of the following:

the first CPE's own private network address information, and the post-NAT public network address information corresponding to the second CPE.

Specifically, the public network address information includes a public network address and a port number.

Specifically, the packet consists of: an Internet Protocol (IP) header, a User Datagram Protocol (UDP) header, an authenticated part, and the Encapsulating Security Payload (ESP) authentication data;

where the authenticated part consists of the ESP header and the encrypted part, and the encrypted part consists of the original IP header, TCP, DATA, and the ESP trailer.

Fig. 4 is a schematic flowchart of a NAT traversal method provided by an embodiment of the present invention; as shown in Fig. 4, the NAT traversal method is applied to a server and includes:

Step 401: determine the type of the first NAT device and the type of the second NAT device; the first NAT device is connected to the first CPE and the second NAT device is connected to the second CPE;

Step 402: send the type of the second NAT device to the first CPE; send the type of the first NAT device to the second CPE;

Step 403: when the type of the first NAT device and the type of the second NAT device satisfy a preset condition, determine the post-NAT public network address information corresponding to the first CPE and send it to the second CPE; and/or determine the post-NAT public network address information corresponding to the second CPE and send it to the first CPE;

where the public network address information is used to configure the IPSEC tunnel and tunnel address information.

Specifically, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT (that is, when the types of the first NAT device and the second NAT device satisfy one preset condition), the server determines the post-NAT public network address information corresponding to the first CPE and sends it to the second CPE.

Specifically, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT (that is, when the types satisfy another preset condition), the server determines the post-NAT public network address information corresponding to the second CPE and sends it to the first CPE.

Specifically, when the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, or the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT (that is, when the types satisfy a further preset condition), the server determines the post-NAT public network address information corresponding to the first CPE and sends it to the second CPE, and determines the post-NAT public network address information corresponding to the second CPE and sends it to the first CPE.

Specifically, the NAPT includes at least one of the following:

symmetric NAT, full cone NAT, address-restricted cone NAT, port-restricted cone NAT.

Specifically, the public network address information includes a public network address and a port number.

Specifically, determining the type of the first NAT device and the type of the second NAT device includes:

receiving a first test packet sent by the first CPE and sending a first result packet based on the first test packet; the first result packet is used by the first CPE to determine the type of the first NAT device to which it is connected; receiving, from the first CPE, the type of the first NAT device to which it is connected;

receiving a third test packet sent by the second CPE and sending a second result packet based on the third test packet; the second result packet is used by the second CPE to determine the type of the second NAT device to which it is connected; receiving, from the second CPE, the type of the second NAT device to which it is connected.

Specifically, determining the post-NAT public network address information of the corresponding CPE includes:

receiving a second test packet sent by the first CPE, and determining, based on the second test packet, the post-NAT public network address information corresponding to the first CPE;

and determining the post-NAT public network address information corresponding to the second CPE includes:

receiving a fourth test packet sent by the second CPE, and determining, based on the fourth test packet, the post-NAT public network address information corresponding to the second CPE.

The second test packet and the fourth test packet serve the same function: from the second test packet sent by the first CPE the post-NAT public network address information corresponding to the first CPE can be determined, and from the fourth test packet sent by the second CPE the post-NAT public network address information corresponding to the second CPE can be determined.

NAT traversal at both ends is described in detail below with reference to the methods shown in Fig. 3 and Fig. 4.

In one embodiment, the two ends are CPEA and CPEB; CPEA is connected to a first NAT device whose type is full cone NAT, and CPEB is connected to a second NAT device whose type is basic NAT. The NAT traversal method for the two ends includes:

Step 01: CPEA exchanges packets with the server (specifically, it sends the first test packet) to determine the type of the first NAT device and sends the result to the server; and CPEB exchanges packets with the server (specifically, it sends the third test packet) to determine the type of the second NAT device and sends the result to the server;

Step 02: the server sends the type of the second NAT device to CPEA, and sends the type of the first NAT device to CPEB;

Step 03: the server determines, based on the second test packet, the post-NAT public network address information corresponding to CPEA and sends it to CPEB;

Step 04: CPEA configures the IPSEC tunnel with tunnel-mode encapsulation and NAT-T mode enabled, with the source address being its own private network address and the Internet Key Exchange (IKE) port number 4500; based on this configuration it sends a packet to an arbitrary destination address, which punches a hole in the first NAT device;

Step 05: CPEB configures the IPSEC tunnel with tunnel-mode encapsulation and NAT-T mode enabled, with the source address being its own private network address and port number AAA (after passing through a NAT device of type basic NAT the port number is still AAA); based on this configuration it sends packets to CPEA;

Step 06: after receiving the packet sent by CPEB, CPEA determines the post-NAT public network address information corresponding to CPEB;

Step 07: CPEA and CPEB exchange regular packets over the IPSEC tunnel.

In another embodiment, the two ends are CPEA and CPEB; CPEA is connected to a first NAT device whose type is full cone NAT, and CPEB is connected to a second NAT device whose type is NAPT. The NAT traversal method for the two ends includes:

Step 11: CPEA exchanges packets with the server (specifically, it sends the first test packet) to determine the type of the first NAT device and sends the result to the server; and CPEB exchanges packets with the server (specifically, it sends the third test packet) to determine the type of the second NAT device and sends the result to the server;

Step 12: the server sends the type of the second NAT device to CPEA, and sends the type of the first NAT device to CPEB;

Step 13: the server determines, based on the second test packet (the first test packet may also be used directly), the post-NAT public network address information corresponding to CPEA and sends it to CPEB;

Step 14: the server determines, based on the fourth test packet (the third test packet may also be used directly), the post-NAT public network address information corresponding to CPEB and sends it to CPEA;

Step 15: the server sends CPEA a packet informing it of CPEB's post-NAT public network address information, and sends CPEB a packet informing it of CPEA's post-NAT public network address information;

Here, the post-NAT public network address information corresponding to CPEB consists of the public network address and port number BBB (the port number before NAT translation is AAA).

Here, the post-NAT public network address information corresponding to CPEA consists of the public network address and port number CCC (the port number before NAT translation is the IKE port number 4500);

Step 16: CPEA configures IPSEC with tunnel-mode encapsulation and NAT-T mode enabled; based on this configuration it sends a packet whose source address is its own private network address and IKE port number 4500 and whose destination address is the post-NAT public network address and port number BBB corresponding to CPEB; the sent packet punches a hole in the NAT device connected to CPEA;

Step 17: CPEB configures IPSEC with tunnel-mode encapsulation and NAT-T mode enabled; based on this configuration it sends a packet whose source address is its own private network address and port number AAA and whose destination address is the post-NAT public network address and port number CCC corresponding to CPEA (the port number before NAT is the IKE port number 4500); the sent packet punches a hole in the NAT device connected to CPEB;

Step 18: with the above configuration an IPSEC tunnel is established between CPEA and CPEB, and regular packets are forwarded between CPEA and CPEB over the IPSEC tunnel.
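As an added example (not the patent's own code) covering the NAT-type detection exchange with the server, the NAT behaviours described below, and the two exchanges above, the following Python models the five NAT behaviours in memory, classifies a NAT from the test/result packets the way an RFC 3489 STUN client does, and then runs the hole-punching exchange with CPEA behind the full cone NAT. It goes one step beyond the steps above in one respect: when CPEB's NAPT is symmetric, the port the server reports for CPEB (BBB) is not the port CPEB's NAT allocates for the flow towards CPEA, so CPEA replies to the source address it actually observed, as in step 06 of the first embodiment, rather than to the server-reported one. Assumptions: the server endpoints, public addresses and port numbers are constructed placeholders, and "basic NAT" is recognised by a preserved port plus unrestricted inbound, which a real probe cannot tell apart from a full cone NAPT that happens to preserve ports.

```python
"""In-memory model of the five NAT behaviours, the CPE-side type probe against
the server, and the CPEA/CPEB hole-punching exchange. Constructed example, not
the patent's code; all addresses and ports are placeholders."""
import itertools

# Constructed server endpoints: two public IPs let the server answer from a
# different IP and/or a different port than the one the test packet went to.
SERVER_A = ("203.0.113.10", 3478)
SERVER_A_ALT_PORT = ("203.0.113.10", 3479)
SERVER_B = ("203.0.113.11", 3479)


class Nat:
    """One NAT device. kind is basic, full_cone, address_restricted,
    port_restricted or symmetric. Only UDP flows from one CPE are modelled."""

    def __init__(self, kind, public_ip):
        self.kind, self.public_ip = kind, public_ip
        self.mappings = {}   # src_port (or (src_port, dst) if symmetric) -> external port
        self.contacted = {}  # external port -> set of destinations sent to through it
        self.ports = itertools.count(40000)

    def outbound(self, src_port, dst):
        """Translate a packet from internal src_port to dst; returns the post-NAT (ip, port)."""
        key = (src_port, dst) if self.kind == "symmetric" else src_port
        if key not in self.mappings:
            # basic NAT translates the address only, so the port survives unchanged
            self.mappings[key] = src_port if self.kind == "basic" else next(self.ports)
        ext = self.mappings[key]
        self.contacted.setdefault(ext, set()).add(dst)
        return (self.public_ip, ext)

    def inbound(self, ext_port, src):
        """A packet from src to external ext_port: returns the internal port it is
        delivered to, or None if no mapping exists or the filter drops it."""
        peers = self.contacted.get(ext_port)
        if peers is None:
            return None
        if self.kind == "address_restricted":
            allowed = any(ip == src[0] for ip, _ in peers)
        elif self.kind in ("port_restricted", "symmetric"):
            allowed = src in peers
        else:  # basic NAT and full cone NAT accept any external source
            allowed = True
        if not allowed:
            return None
        key = next(k for k, v in self.mappings.items() if v == ext_port)
        return key[0] if isinstance(key, tuple) else key


def probe(nat, port, send_to, reply_from):
    """CPE sends a test packet to send_to; the server answers from reply_from.
    Returns (post-NAT address the server saw, whether the result packet came back)."""
    seen = nat.outbound(port, send_to)
    return seen, nat.inbound(seen[1], reply_from) == port


def detect_nat_type(nat, port=4500):
    """CPE-side classification from the test/result packets (RFC 3489 style).
    Assumption: preserved port plus unrestricted inbound is reported as basic NAT."""
    seen, _ = probe(nat, port, SERVER_A, SERVER_A)
    if probe(nat, port, SERVER_A, SERVER_B)[1]:                 # reply from other IP and port arrives
        return "basic" if seen[1] == port else "full_cone"
    if probe(nat, port, SERVER_B, SERVER_B)[0][1] != seen[1]:   # mapping depends on destination
        return "symmetric"
    if probe(nat, port, SERVER_A, SERVER_A_ALT_PORT)[1]:        # same IP, other port arrives
        return "address_restricted"
    return "port_restricted"


def traverse(nat_a, nat_b, port_a=4500, port_b=4500):
    """Hole punching with CPEA behind the full cone NAT (nat_a). Returns a summary,
    or None if CPEB's packet never reaches CPEA's IKE port."""
    type_a, type_b = detect_nat_type(nat_a, port_a), detect_nat_type(nat_b, port_b)
    if type_a != "full_cone":
        return None
    # the server learned each side's post-NAT address from the test packets above
    pub_a, pub_b = nat_a.outbound(port_a, SERVER_A), nat_b.outbound(port_b, SERVER_A)
    # step 04 / 16: CPEA opens its own mapping; against basic NAT any destination will do
    nat_a.outbound(port_a, ("192.0.2.1", 4500) if type_b == "basic" else pub_b)
    # step 05 / 17: CPEB sends to CPEA's server-reported address; full cone lets it in
    observed_b = nat_b.outbound(port_b, pub_a)
    if nat_a.inbound(pub_a[1], observed_b) != port_a:
        return None
    # step 06: CPEA replies to the address it actually received from; it differs
    # from the server-reported one when CPEB's NAT is symmetric
    nat_a.outbound(port_a, observed_b)
    return {"types": (type_a, type_b), "server_reported_b": pub_b, "observed_b": observed_b,
            "reply_reaches_b": nat_b.inbound(observed_b[1], pub_a) == port_b}
```

Running `traverse` with a symmetric CPEB shows the practical caveat: the server-reported port is the one CPEB's NAT used towards the server, while the packet that reaches CPEA arrives from a fresh port, so the tunnel's destination address on CPEA must be taken from the received packet, not from the server's report. With a port-restricted or basic CPEB the two addresses coincide and the steps above work as written.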

Here, the NAT types involved in the methods shown in FIG. 3 and FIG. 4 are described in turn.

NAT can be divided into two main categories: basic NAT and NAPT (Network Address Port Translation), where:

Basic NAT generally applies where the NAT device holds multiple public Internet Protocol (IP) addresses (hereinafter "public addresses") and statically binds a public address to an internal host; NAT devices of this type are relatively rare.

NAPT is the commonly used NAT type. A NAPT-type NAT device maps internal addresses onto a single IP address in the external network and additionally assigns to that address a port number selected by the NAT device. According to the mapping method, NAPT can be divided into symmetric NAT and cone NAT, where cone NAT includes full cone NAT, address restricted cone NAT and port restricted cone NAT.

Specifically, NAPT is the most common kind of NAT on the public network and falls into the following four types:

1. Symmetric NAT

Symmetric NAT maps all requests from the same internal address and port to the same destination address and port onto the same public address and port. If the same internal host sends packets from the same internal address and port to a different destination address, a different mapping is used. This differs from port restricted NAT: port restricted NAT maps all requests to the same public IP address and port, whereas symmetric NAT uses different mappings for different requests.

2. Full Cone NAT

Full cone NAT maps all requests from one internal IP address and port to the same external IP address and port. Moreover, any external host can communicate with the internal host by sending packets to the mapped external address. This is a relatively permissive policy: once the mapping between the internal IP address and port and the public IP address and port has been established, every host on the Internet can reach the host behind the NAT device.

3. Address Restricted Cone NAT

Address restricted cone NAT likewise maps all requests from the same internal IP address and port to the same public IP address and port. Unlike full cone NAT, however, a public host address can send packets to the internal host if and only if the internal host has previously sent a packet to that public host address.

4. Port Restricted Cone NAT

Port restricted cone NAT is similar to address restricted cone NAT but stricter. It adds a restriction on the port number: a public host address and port number can communicate with the internal host only if the internal host has previously sent a packet to that public host address and port number.

The following describes the two working modes of an IPSec tunnel:

1. Transport mode: only the transport-layer data is used to compute the AH or ESP header; the AH or ESP header and the ESP-encrypted user data are placed after the original IP header. Transport mode is typically used for communication between two hosts, or between a host and a gateway.

2. Tunnel mode: the user's entire IP packet is used to compute the AH or ESP header; the AH or ESP header and the ESP-encrypted user data are encapsulated in a new IP packet. Tunnel mode is typically used for communication between two gateways (this is the mode adopted herein).

In the conventional tunnel mode of ESP, because NAT modifies the outer IP without modifying the encrypted original IP, ESP can coexist with NAT only in this case, and then only in a one-to-one fashion.

NAT-T encapsulates the ESP packet in a UDP packet (adding a new IP header and a UDP header outside the IP header of the original ESP packet), so that the NAT treats it like an ordinary UDP packet; this allows ESP transport mode to coexist with NAT in a one-to-many fashion. The final data-forwarding packet format is shown in FIG. 5.
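The UDP encapsulation described in this paragraph (and the packet layout of IP header, UDP header, ESP header, encrypted part and ESP auth listed with the apparatus further down), as an added example that is not part of the patent text: it builds the outer IPv4/UDP headers around an opaque ESP payload, applies the NAPT rewrite to the outer header only, and demultiplexes UDP/4500 traffic into keepalive, IKE (non-ESP marker) and ESP as RFC 3948 specifies. All addresses, the SPI and the ciphertext bytes are constructed.

```python
import struct
from dataclasses import dataclass
from socket import inet_aton, inet_ntoa

NAT_T_PORT = 4500                      # IKE/ESP-over-UDP port named in the text
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # RFC 3948: prefixes IKE messages on UDP/4500
NAT_KEEPALIVE = b"\xff"                # RFC 3948: one-octet NAT-keepalive payload


@dataclass
class OuterHeaders:
    """The fields a NAT device rewrites (outer IP addresses, UDP ports); payload is opaque to it."""
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum used for the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_udp_frame(h: OuterHeaders) -> bytes:
    """Outer IPv4 header + UDP header + payload (UDP checksum zero, which IPv4 permits)."""
    udp_len = 8 + len(h.payload)
    fields = [0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0, inet_aton(h.src_ip), inet_aton(h.dst_ip)]
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _checksum(ip_hdr)                     # fill in the header checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    udp_hdr = struct.pack("!HHHH", h.src_port, h.dst_port, udp_len, 0)
    return ip_hdr + udp_hdr + h.payload


def parse_udp_frame(frame: bytes) -> OuterHeaders:
    """Recover the outer headers and the UDP payload from a frame built above."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    src_port, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[ihl:ihl + 8])
    return OuterHeaders(inet_ntoa(frame[12:16]), inet_ntoa(frame[16:20]),
                        src_port, dst_port, frame[ihl + 8:ihl + udp_len])


def nat_rewrite(frame: bytes, public_ip: str, public_port: int) -> bytes:
    """What a NAPT device does on the way out: new source IP/port, payload untouched."""
    h = parse_udp_frame(frame)
    return build_udp_frame(OuterHeaders(public_ip, h.dst_ip, public_port, h.dst_port, h.payload))


def classify_nat_t_payload(payload: bytes) -> str:
    """Demultiplex UDP/4500 traffic as RFC 3948 describes: keepalive, IKE, or ESP (an SPI is never zero)."""
    if payload == NAT_KEEPALIVE:
        return "nat-keepalive"
    if len(payload) < 8:
        return "malformed"
    if payload[:4] == NON_ESP_MARKER:
        return "ike"
    return "esp"


def esp_spi_seq(payload: bytes):
    """ESP header (RFC 4303): 4-byte SPI and 4-byte sequence number precede the encrypted part."""
    return struct.unpack("!II", payload[:8])


def demo() -> dict:
    # Constructed ESP payload: SPI 0x1000abcd, seq 7, then opaque bytes standing in for the
    # encrypted original IP header/TCP/DATA/ESP trailer followed by the ESP auth (ICV).
    esp = struct.pack("!II", 0x1000ABCD, 7) + bytes(range(32)) + b"\x11" * 12
    inner = OuterHeaders("192.168.1.20", "203.0.113.40", NAT_T_PORT, NAT_T_PORT, esp)
    before = build_udp_frame(inner)
    after = nat_rewrite(before, "198.51.100.7", 40001)   # constructed public mapping
    a = parse_udp_frame(after)
    return {
        "outer_changed": (a.src_ip, a.src_port) != (inner.src_ip, inner.src_port),
        "esp_unchanged": a.payload == esp,
        "kind": classify_nat_t_payload(a.payload),
        "spi_seq": esp_spi_seq(a.payload),
    }
```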

FIG. 6 is a schematic flowchart of yet another NAT traversal method provided by an embodiment of the present invention. As shown in FIG. 6, to enable both ends of an IPSEC tunnel to traverse NAT, the NAT traversal method provided by the embodiment includes: detecting the type of the NAT device; and, after the type of the NAT device has been determined, configuring the IPSEC tunnel and the related address information of the CPE according to the type of the NAT device.

Detecting the type of the NAT device includes: in combination with other protocols (i.e. the protocols involved in interacting with the NAT detection server, such as IP), the customer-side gateway CPEA and the customer-side gateway CPEB each exchange packets through a server used for NAT detection (equivalent to the server in the methods shown in FIG. 3 and FIG. 4; a free public-network server may be used, or the controller may take on this role) to detect the type of NAT device each must traverse, that is, the type of the NAT device connected to CPEA and the type of the NAT device connected to CPEB.

Configuring the IPSEC tunnel and the related address information includes:

configuring IPSEC to use tunnel mode;

configuring the tunnel address information; for each CPE, the tunnel address information includes the local private-network address and the peer's NATed public-network address.

The method of the above embodiments of the present invention is described below for different types of NAT devices.

Embodiment 1: After exchanging packets with the NAT detection server, it is determined that the NAT device connected to CPEA is of the basic NAT type and the NAT device connected to CPEB is of the basic NAT type.

The NAT traversal method includes:

Step 111. The NAT detection server sends a first packet to CPEB to notify it of the NATed public-network address information corresponding to CPEA recorded by the NAT detection server (including the public address and port number CCC; the port number before translation is IKE port number 4500);

Step 112. CPEA configures IPSEC with "tunnel mode" encapsulation, enables NAT-T mode, and configures and sends a second packet; the source address information of the second packet includes the local private-network address and IKE port number 4500, and the destination address is an arbitrary address. Here, the packet configured with an arbitrary destination address is used to punch a hole in the NAT device connected to CPEA;

Step 113. CPEB configures IPSEC with "tunnel mode" encapsulation, enables NAT-T mode, and configures a third packet; the source address information of the third packet includes the local private-network address and port number AAA, and the destination address is the NATed public-network address and port number CCC corresponding to CPEA (the port number before NAT is the above IKE port number 4500). CPEB sends the third packet to CPEA, so that after receiving it CPEA obtains from the third packet the NATed public-network address and port corresponding to CPEB.

Step 114. After the above configuration, an IPSEC tunnel is established between CPEA and CPEB, and regular packets are forwarded between CPEA and CPEB through the IPSEC tunnel.

Embodiment 2: After exchanging packets with the NAT detection server, it is determined that the NAT device connected to CPEA is a full cone NAT and the NAT device connected to CPEB is a full cone NAT. The NAT traversal method includes:

Step 211. The NAT detection server sends a first packet to CPEA to notify it of the NATed public-network address information corresponding to CPEB recorded by the NAT detection server, specifically the public address and port number BBB (the port number before NAT translation is AAA).

Step 212. The NAT detection server sends a packet to CPEB to notify it of the NATed public-network address information corresponding to CPEA recorded by the NAT detection server, specifically the public address and port number CCC (the port number before NAT translation is IKE port number 4500);

Step 213. CPEA configures IPSEC with "tunnel mode" encapsulation and enables NAT-T mode, with the source address being the local private-network address and IKE port 4500 and the destination address being the NATed public-network address and port BBB corresponding to CPEB; based on this configuration it sends a second packet, which is used to punch a hole in the NAT device connected to CPEA;

FIG. 7 is a schematic structural diagram of a second packet provided by an embodiment of the present invention. As shown in FIG. 7, the source address of the second packet is the local private-network address and IKE port 4500, and the destination address is the NATed public-network address and port BBB corresponding to CPEB (the port number before NAT is AAA).

Step 214. CPEB configures IPSEC with "tunnel mode" encapsulation and enables NAT-T mode, with the source address being the local private-network address and port number AAA and the destination address being the NATed public-network address and port CCC corresponding to CPEA (the port number before NAT is IKE port number 4500); based on this configuration it sends a third packet, which is used to punch a hole in the NAT device connected to CPEB;

FIG. 8 is a schematic structural diagram of a third packet provided by an embodiment of the present invention. As shown in FIG. 8, the source address of the third packet is the local private-network address and port number AAA (the port number after NAT translation is BBB), and the port number of the destination address is port CCC (the port number before NAT is IKE port number 4500).

Step 215. After the above configuration, an IPSEC tunnel is established between CPEA and CPEB, and regular packets are forwarded between CPEA and CPEB through the IPSEC tunnel.

Embodiment 3: After exchanging packets with the NAT detection server, it is determined that the NAT device connected to CPEA is a full cone NAT and the NAT device connected to CPEB is an address restricted cone NAT.

Here, an address restricted cone NAT gives IP packets with the same source address and port the same NAT mapping (that is, all requests from the same internal IP address and port are mapped to the same public IP address and port); unlike a full cone NAT, however, a public host can send packets to the internal host if and only if the internal host has previously sent a packet to that public host address.

For the scenario where the NAT device connected to CPEB is an address restricted cone NAT, the same method as in Embodiment 2 above may be used.

Embodiment 4: After exchanging packets with the NAT detection server, it is determined that the NAT device connected to CPEA is a full cone NAT and the NAT device connected to CPEB is a port restricted cone NAT.

Here, a port restricted cone NAT also gives IP packets with the same source address and port the same NAT mapping (that is, all requests from the same internal IP address and port are mapped to the same public IP address and port); however, the port restricted cone NAT adds a restriction on the port number: a public host can communicate with this internal host if and only if the internal host has previously sent a packet to that public host's address and port number.

For the scenario where the NAT device connected to CPEB is a port restricted cone NAT, the same method as in Embodiment 2 above may be used.

Embodiment 5: After exchanging packets with the NAT detection server, it is determined that the NAT device connected to CPEA is a full cone NAT and the NAT device connected to CPEB is a symmetric NAT.

Here, a symmetric NAT maps all requests from the same internal IP address and port to the same public IP address and port. If the same internal host sends packets from the same internal address and port to a different destination address, a different mapping is used.

The NAT device connected to CPEA is a full cone NAT, which is a relatively permissive policy: once the mapping between the internal IP address and port and the public IP address and port has been established (that is, once the hole has been punched successfully in the NAT device connected to CPEA), every host on the Internet can reach the host behind that NAT (that is, CPEA);

that is, the destination address used by CPEB is always the NATed public-network address and port number CCC corresponding to CPEA. Therefore, for the scenario where the NAT device connected to CPEB is a symmetric NAT, the same method as in Embodiment 2 above may be used.

The detection of the NAT device type is further described below.

Taking the NAT device connected to CPEA as an example (the detection method for the NAT device connected to CPEB is the same, so only one is described here), the NAT detection server receives a first test packet sent by CPEA; the first test packet includes the address information (IP address and port) of CPEA, and after determining that the first test packet has been received the NAT detection server performs the following steps.

Step 1: detect whether the CPE is behind a NAT;

The client on CPEA creates a UDP socket and uses it to send a packet (the first test packet above) to the server's (IP-1, Port-1), asking the server to return the CPE's address information (IP and Port). Immediately after sending the request the client begins receiving; a socket timeout (300 ms) can be set to prevent indefinite blocking. This process is repeated several times. If every attempt times out and no response from the server is received, CPEA cannot perform UDP communication, possibly because a firewall or NAT device is blocking UDP.

When the client on CPEA does receive the server's response, it compares the (IP, Port) returned by the server with the (LocalIP, LocalPort) of the CPE's socket. If they are identical, CPEA is determined not to be behind a NAT device; if they differ, CPEA is determined to be behind a NAT device and the type of the NAT device must be detected further.

Step 2: detect whether the NAT is a full cone NAT;

The client on CPEA creates a UDP socket and uses it to send a packet to the server's (IP-1, Port-1), asking the server to respond from its other pair (IP-2, Port-2). The server responds with a packet; the client begins receiving immediately after sending, with a socket timeout (300 ms) to prevent indefinite blocking, and the process is repeated several times. If the response UDP packet returned by the server from (IP-2, Port-2) is received, the NAT is a full cone NAT; if every attempt times out and no response is received, the NAT device connected to CPEA is not a full cone NAT, its specific type remains to be determined, and the procedure proceeds to the next step.

Step 3: detect whether the NAT device is a symmetric NAT;

The client on CPEA creates a UDP socket and uses it to send a packet to the server's (IP-1, Port-1), asking the server to return the client's IP and Port; the client begins receiving immediately after sending, with a socket timeout (300 ms) to prevent indefinite blocking; this is repeated until a response is received;

In the same way, another socket is used to send a packet to the server's (IP-2, Port-2), asking the server to return the IP and Port.

The (IP, Port) pairs returned by the server in the two procedures above are compared. If the two returned (IP, Port) pairs differ, the NAT is a symmetric NAT; otherwise it is a restricted cone NAT, and whether it is a port restricted cone NAT is determined in the next step;

Step 4: detect whether the NAT is an address restricted cone NAT or a port restricted cone NAT;

The client on CPEA creates a UDP socket and uses it to send a packet to the server's (IP-1, Port-1), asking the server to respond with a UDP packet sent from IP-1 and a port different from Port-1; the client begins receiving immediately after sending, with a socket timeout (300 ms) to prevent indefinite blocking, and the process is repeated several times. If every attempt times out and no response is received, the NAT is a port restricted cone NAT; if a response from the server is received, it is an address restricted cone NAT.
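The four probing steps above and the NAPT types defined earlier, as a self-contained simulation added here (not part of the patent text): a stateful model of each NAT behaviour and a classifier that runs the probes against it, so the outcome of each step can be traced for every type. The private address, server addresses and public IP are constructed; the timeout is modelled as a dropped reply; and the two probes of step 3 are sent from one local socket, since comparing mappings is only meaningful for a single source address and port.

```python
from typing import Dict, Optional, Set, Tuple

Addr = Tuple[str, int]  # (ip, port)

# Constructed addresses for the walk-through (documentation ranges, not real hosts).
LOCAL: Addr = ("192.168.1.20", 50000)   # CPEA's private socket (LocalIP, LocalPort)
S1: Addr = ("203.0.113.10", 3478)       # detection server (IP-1, Port-1)
S2: Addr = ("203.0.113.20", 3479)       # detection server (IP-2, Port-2)


class SimNAT:
    """Stateful model of the NAT behaviours the text describes.

    kind is one of "none", "blocked", "full_cone", "address_restricted",
    "port_restricted", "symmetric".  The mapping key is the internal (ip, port)
    for cone NATs and (internal, destination) for a symmetric NAT.
    """

    def __init__(self, kind: str, public_ip: str, first_port: int = 40000) -> None:
        self.kind = kind
        self.public_ip = public_ip
        self.next_port = first_port
        self.mappings: Dict[tuple, int] = {}        # key -> external port
        self.contacted: Dict[int, Set[Addr]] = {}   # external port -> destinations contacted

    def outbound(self, src: Addr, dst: Addr) -> Optional[Addr]:
        """Translate an outgoing packet; returns the external (ip, port), or None if UDP is blocked."""
        if self.kind == "blocked":
            return None
        if self.kind == "none":
            return src
        key = (src, dst) if self.kind == "symmetric" else src
        if key not in self.mappings:
            self.mappings[key] = self.next_port   # a new binding gets the next free public port
            self.next_port += 1
        port = self.mappings[key]
        self.contacted.setdefault(port, set()).add(dst)
        return (self.public_ip, port)

    def inbound(self, to: Addr, sender: Addr) -> Optional[Addr]:
        """Filter an incoming packet; returns the internal address it reaches, or None if dropped."""
        if self.kind == "none":
            return to
        for key, port in self.mappings.items():
            if (self.public_ip, port) != to:
                continue
            seen = self.contacted[port]
            if self.kind == "full_cone":
                admitted = True                                      # anyone may use the mapping
            elif self.kind == "address_restricted":
                admitted = any(d[0] == sender[0] for d in seen)      # sender IP was contacted before
            else:                                                    # port_restricted, symmetric
                admitted = sender in seen                            # exact (ip, port) contacted before
            if admitted:
                return key[0] if self.kind == "symmetric" else key
        return None


def probe(nat: SimNAT, local: Addr, send_to: Addr, reply_from: Addr) -> Optional[Addr]:
    """One request/response round: the client sends to send_to, the server answers from
    reply_from carrying the mapped address it observed.  None stands for the 300 ms timeout."""
    mapped = nat.outbound(local, send_to)
    if mapped is None or nat.inbound(mapped, reply_from) != local:
        return None
    return mapped


def classify(nat: SimNAT, local: Addr = LOCAL, s1: Addr = S1, s2: Addr = S2) -> str:
    """The four-step procedure from the text, run against a simulated NAT."""
    # Step 1: does the server see the local (IP, Port) unchanged?
    mapped = probe(nat, local, s1, s1)
    if mapped is None:
        return "udp blocked"
    if mapped == local:
        return "no nat"
    # Step 2: a reply from (IP-2, Port-2) gets through only a full cone NAT.
    if probe(nat, local, s1, s2) is not None:
        return "full cone"
    # Step 3: one socket contacts (IP-1, Port-1) and (IP-2, Port-2); differing mappings mean symmetric.
    if probe(nat, local, s1, s1) != probe(nat, local, s2, s2):
        return "symmetric"
    # Step 4: a reply from IP-1 on another port passes an address restricted NAT but not a port restricted one.
    if probe(nat, local, s1, (s1[0], s1[1] + 1)) is not None:
        return "address restricted cone"
    return "port restricted cone"


def classify_all() -> Dict[str, str]:
    """Run the procedure against every modelled NAT kind (constructed public IP)."""
    kinds = ["none", "blocked", "full_cone", "address_restricted", "port_restricted", "symmetric"]
    return {k: classify(SimNAT(k, "198.51.100.1")) for k in kinds}


if __name__ == "__main__":
    for kind, result in classify_all().items():
        print(f"{kind:20s} -> {result}")
```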

The packets sent by the client on CPEA described above may be the first test packet in FIG. 3 and FIG. 4, and correspondingly the packets sent by the server are the first result packet fed back.

The server to which the NAT traversal method of the embodiments of the present invention is applied may be a free public-network server, or the public-network controller may take on this role; that is, the free public-network server or the public-network controller is functionally extended to implement the above scheme.

It should be noted that the above method for detecting the type of NAT device is only one embodiment; other detection methods may also be used in the embodiments of the present invention. After detection, once the type of the connected NAT device has been determined, the result is sent to the server, which forwards it to the peer CPE. For example, after CPEA determines the type of its connected NAT device by interacting with the server, it sends the result to the server, and the server may send the result to CPEB; and vice versa.

FIG. 9 is a schematic structural diagram of a NAT traversal apparatus provided by an embodiment of the present invention. As shown in FIG. 9, the NAT traversal apparatus is applied to a first CPE and includes a first processing module and a second processing module;

the first processing module is configured to determine the type of a first NAT device, the type of a second NAT device, and the NATed public-network address information corresponding to a second CPE; the first NAT device is connected to the first CPE, and the second NAT device is connected to the second CPE;

the second processing module is configured to configure the IPSEC tunnel and the tunnel address information based on the type of the first NAT device, the type of the second NAT device, and the NATed public-network address information corresponding to the second CPE.

Specifically, the first processing module is configured to receive the type of the second NAT device sent by a server.

Specifically, the first processing module is further configured to send a first test packet to the server; the first test packet is used to request the server to send a first result packet;

and to receive the first result packet sent by the server, determine the type of the NAT device to which it is connected based on the first result packet, and send the determined type of the NAT device to which it is connected to the server.

In an embodiment, where the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, the first processing module is specifically configured to receive a packet sent by the second CPE;

and to determine, based on the received packet, the NATed public-network address information corresponding to the second CPE.

Specifically, the first processing module is further configured to send a second test packet to the server; the second test packet is used by the server to determine the NATed public-network address information corresponding to the first CPE.

Specifically, the first processing module is further configured to send, based on the configured IPSEC tunnel, a packet whose destination address is an arbitrary address; the packet with an arbitrary destination address is used to punch a hole in the first NAT device.

Specifically, the second processing module is configured to configure the encapsulation mode of the IPSEC tunnel as tunnel mode and to configure NAT-T mode;

to configure the source address in the tunnel address information based on the first CPE's own private-network address information;

and to configure the destination address in the tunnel address information based on the NATed public-network address information corresponding to the second CPE.

In an embodiment, where the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, the first processing module is specifically configured to receive the NATed public-network address information corresponding to the second CPE sent by the server.

Specifically, the first processing module is further configured to send a packet to the second CPE; the sent packet is used by the second CPE to determine the NATed public-network address information corresponding to the first CPE.

The second processing module is configured to configure the encapsulation mode of the IPSEC tunnel as tunnel mode and to configure NAT-T mode;

to configure the source address in the tunnel address information based on the first CPE's own private-network address information;

and to configure the destination address in the tunnel address information based on the NATed public-network address information corresponding to the second CPE.

In an embodiment, where the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, or where the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, the first processing module is specifically configured to receive the NATed public-network address information corresponding to the second CPE sent by the server.

The second processing module is configured to configure the encapsulation mode of the IPSEC tunnel as tunnel mode and to configure NAT-T mode;

to configure the source address in the tunnel address information based on the first CPE's own private-network address information;

and to configure the destination address in the tunnel address information based on the NATed public-network address information corresponding to the second CPE.

The first processing module is further configured to send a packet based on the configured IPSEC tunnel and tunnel address information; the sent packet is used to punch a hole in the first NAT device.

Specifically, the NAPT includes at least one of the following: symmetric NAT, full cone NAT, address restricted cone NAT, port restricted cone NAT.

The tunnel address information includes at least one of the following:

the first CPE's own private-network address information, and the NATed public-network address information corresponding to the second CPE.

The public-network address information includes a public address and a port number.

The packet includes an IP header, a UDP header, an authenticated part, and ESP authentication;

where the authenticated part includes an ESP header and an encrypted part, and the encrypted part includes the original IP header, TCP, DATA, and an ESP trailer.

FIG. 10 is a schematic structural diagram of another NAT traversal apparatus provided by an embodiment of the present invention. As shown in FIG. 10, this NAT traversal apparatus is applied to a server and comprises a third processing module, a fourth processing module and a fifth processing module, where:

the third processing module is configured to determine the type of a first NAT device and the type of a second NAT device, the first NAT device being connected to a first CPE and the second NAT device being connected to a second CPE;

the fourth processing module is configured to send the type of the second NAT device to the first CPE and to send the type of the first NAT device to the second CPE;

the fifth processing module is configured, when the types of the first NAT device and the second NAT device satisfy a preset condition, to determine the post-NAT public network address information corresponding to the first CPE and send it to the second CPE, and/or to determine the post-NAT public network address information corresponding to the second CPE and send it to the first CPE;

where the public network address information is used to configure the IPSEC tunnel and the tunnel address information.

Specifically, the fifth processing module is configured, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, to determine the post-NAT public network address information corresponding to the first CPE and send it to the second CPE.

Specifically, the fifth processing module is configured, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, to determine the post-NAT public network address information corresponding to the second CPE and send it to the first CPE.

Specifically, the fifth processing module is configured, when the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, or when the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, to determine the post-NAT public network address information corresponding to the first CPE and send it to the second CPE, and to determine the post-NAT public network address information corresponding to the second CPE and send it to the first CPE.

Specifically, the NAPT comprises at least one of:

symmetric NAT, full cone NAT, address restricted cone NAT, and port restricted cone NAT.

Specifically, the public network address information comprises a public network address and a port number.

Specifically, the third processing module is configured to receive a first test message sent by the first CPE and to send a first result message based on the first test message, the first result message being used by the first CPE to determine the type of the first NAT device to which it is connected; and to receive from the first CPE the type of the first NAT device so determined;

and to receive a third test message sent by the second CPE and to send a second result message based on the third test message, the second result message being used by the second CPE to determine the type of the second NAT device to which it is connected; and to receive from the second CPE the type of the second NAT device so determined.

Specifically, the third processing module is further configured to receive a second test message sent by the first CPE and to determine, based on that second test message, the post-NAT public network address information corresponding to the first CPE;

and the third processing module is further configured to receive a fourth test message sent by the second CPE and to determine, based on that fourth test message, the post-NAT public network address information corresponding to the second CPE.
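The server-side logic of the third to fifth processing modules above, together with the first-CPE-side tunnel configuration the claims describe (tunnel mode, NAT-T, source = the CPE's private address, destination = the peer's post-NAT public address and port), as an added Python example that is not the patent's own code. It goes one step beyond this passage by also choosing the first packet each CPE must send to open its NAT, following the hole-punching steps the claims give for each NAT-type combination. The NatTraversalServer class, the message dictionaries and the action names are assumptions made for illustration; the mapping the server records is simply the outer source address and port it observes on the test message.

```python
from dataclasses import dataclass
from enum import Enum

class NatType(Enum):
    BASIC = "basic NAT"                       # address-only translation, no port rewriting
    FULL_CONE = "full cone NAT"
    ADDRESS_RESTRICTED = "address restricted cone NAT"
    PORT_RESTRICTED = "port restricted cone NAT"
    SYMMETRIC = "symmetric NAT"

# The text defines NAPT as at least one of these four (note that it includes full cone NAT).
NAPT_TYPES = {NatType.FULL_CONE, NatType.ADDRESS_RESTRICTED,
              NatType.PORT_RESTRICTED, NatType.SYMMETRIC}

@dataclass(frozen=True)
class Mapped:
    """Post-NAT public network address information: public address and port number."""
    ip: str
    port: int

def decide_distribution(t1, t2):
    """Preset conditions of the fifth processing module.
    Returns (send CPE1's mapping to CPE2, send CPE2's mapping to CPE1)."""
    if t1 == NatType.FULL_CONE and t2 == NatType.BASIC:
        return True, False
    if t1 == NatType.BASIC and t2 == NatType.FULL_CONE:
        return False, True
    if (t1 == NatType.FULL_CONE and t2 in NAPT_TYPES) or (t1 in NAPT_TYPES and t2 == NatType.FULL_CONE):
        return True, True
    return False, False   # e.g. symmetric/symmetric: the text's conditions give the server nothing to distribute

class NatTraversalServer:
    """Server side (third, fourth and fifth processing modules). Hypothetical class, not the patent's code."""
    def __init__(self):
        self.nat_types = {}   # cpe_id -> NatType reported by the CPE
        self.mappings = {}    # cpe_id -> Mapped observed on the CPE's second/fourth test message

    def on_type_report(self, cpe_id, nat_type):
        """Type the CPE derived from the first/second result message and reported back."""
        self.nat_types[cpe_id] = nat_type

    def on_mapping_probe(self, cpe_id, outer_src_ip, outer_src_port):
        """Second/fourth test message: the post-NAT address is the outer source the server observes."""
        self.mappings[cpe_id] = Mapped(outer_src_ip, outer_src_port)

    def pair(self, cpe1, cpe2):
        """Fourth module: exchange peer NAT types. Fifth module: add the peer mapping when the
        preset condition holds. KeyError if a required mapping probe never arrived."""
        t1, t2 = self.nat_types[cpe1], self.nat_types[cpe2]
        send1to2, send2to1 = decide_distribution(t1, t2)
        to_cpe1 = {"peer_nat_type": t2, "peer_mapping": self.mappings[cpe2] if send2to1 else None}
        to_cpe2 = {"peer_nat_type": t1, "peer_mapping": self.mappings[cpe1] if send1to2 else None}
        return to_cpe1, to_cpe2

def plan_tunnel(local_private_ip, local_nat, server_msg):
    """First-CPE side: IPSEC tunnel configuration (tunnel mode, NAT-T, source = private address,
    destination = peer's post-NAT address) plus the first packet that must go out.
    Returns (config, action); the action names are assumptions made for this example."""
    peer_nat, remote = server_msg["peer_nat_type"], server_msg["peer_mapping"]
    if local_nat == NatType.FULL_CONE and peer_nat == NatType.BASIC:
        # The server does not distribute the basic-NAT peer's address; it is learned from the peer's
        # first packet. A full cone NAT admits any source once a hole exists, so punch with any destination.
        action = "punch_any_destination_then_learn_remote"
    elif local_nat == NatType.BASIC and peer_nat == NatType.FULL_CONE:
        action = "send_to_remote_so_peer_learns_our_address"
    elif decide_distribution(local_nat, peer_nat) == (True, True):
        action = "send_on_tunnel_to_punch_local_nat"
    else:
        raise ValueError(f"no traversal rule for {local_nat.value} <-> {peer_nat.value}")
    if action != "punch_any_destination_then_learn_remote" and remote is None:
        raise ValueError("server message lacks the peer mapping this rule requires")
    config = {"mode": "tunnel", "nat_t": True, "udp_port": 4500,
              "source": local_private_ip, "destination": remote}
    return config, action

def learn_remote(config, outer_src_ip, outer_src_port):
    """Derive the peer's post-NAT address from the outer source of the first packet it sends us."""
    return {**config, "destination": Mapped(outer_src_ip, outer_src_port)}
```

The server only brokers NAT types and observed mappings; nothing here authenticates the peers. That remains the job of the IKE exchange that sets up the tunnel, so a CPE should treat the destination it learns from a received packet as a candidate to be confirmed by IKE, not as a trusted identity.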

FIG. 11 is a schematic structural diagram of an electronic device provided by an embodiment of the present invention. As shown in FIG. 11, the device 110 comprises a processor 1101 and a memory 1102 for storing a computer program executable on the processor; when the electronic device is applied to a first CPE, the processor 1101, when running the computer program, executes the following.

In one embodiment, the processor 1101 is further configured, when running the computer program, to execute: determining the type of a first NAT device, the type of a second NAT device, and the post-NAT public network address information corresponding to a second CPE, the first NAT device being connected to the first CPE and the second NAT device being connected to the second CPE;

and configuring the IPSEC tunnel and the tunnel address information based on the type of the first NAT device, the type of the second NAT device, and the post-NAT public network address information corresponding to the second CPE.

Specifically, the electronic device performs the method shown in FIG. 3 and belongs to the same concept as the NAT traversal method embodiment of FIG. 3; its specific implementation is detailed in the method embodiment and is not repeated here.

As another embodiment, when the electronic device is applied to a server, the processor 1101, when running the computer program, executes: determining the type of a first NAT device and the type of a second NAT device, the first NAT device being connected to a first CPE and the second NAT device being connected to a second CPE;

sending the type of the second NAT device to the first CPE, and sending the type of the first NAT device to the second CPE;

when the types of the first NAT device and the second NAT device satisfy a preset condition, determining the post-NAT public network address information corresponding to the first CPE and sending it to the second CPE, and/or determining the post-NAT public network address information corresponding to the second CPE and sending it to the first CPE;

where the public network address information is used to configure the IPSEC tunnel and the tunnel address information.

Specifically, the electronic device performs the method shown in FIG. 4 and belongs to the same concept as the NAT traversal method embodiment of FIG. 4; its specific implementation is detailed in the method embodiment and is not repeated here.

In practical application, the device 110 may further comprise at least one network interface 1103. The components of the electronic device 110 are coupled together by a bus system 1104. It will be understood that the bus system 1104 implements the connections and communication between these components. Besides a data bus, the bus system 1104 also comprises a power bus, a control bus and a status signal bus; for clarity, all of these buses are labelled as bus system 1104 in FIG. 11. There may be one or more processors 1101. The network interface 1103 is used for wired or wireless communication between the electronic device 110 and other devices.

The memory 1102 in the embodiment of the present invention is used to store various types of data to support the operation of the electronic device 110.

The methods disclosed in the above embodiments of the present invention may be applied to, or implemented by, the processor 1101. The processor 1101 may be an integrated circuit chip with signal processing capability. During implementation, each step of the above methods may be completed by integrated logic circuits of hardware in the processor 1101 or by instructions in the form of software. The processor 1101 may be a general-purpose processor, a digital signal processor (DSP), another programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The processor 1101 may implement or execute the methods, steps and logic block diagrams disclosed in the embodiments of the present invention. A general-purpose processor may be a microprocessor or any conventional processor. The steps of the methods disclosed in connection with the embodiments of the present invention may be embodied directly as being executed by a hardware decoding processor, or executed by a combination of hardware and software modules in a decoding processor. The software module may reside in a storage medium located in the memory 1102; the processor 1101 reads the information in the memory 1102 and completes the steps of the foregoing methods in combination with its hardware.

In an exemplary embodiment, the electronic device 110 may be implemented by one or more application specific integrated circuits (ASIC), DSPs, programmable logic devices (PLD), complex programmable logic devices (CPLD), field-programmable gate arrays (FPGA), general-purpose processors, controllers, microcontroller units (MCU), microprocessors, or other electronic components, for performing the foregoing methods.

An embodiment of the present invention further provides a computer-readable storage medium storing a computer program which, when run by a processor, executes: determining the type of a first NAT device, the type of a second NAT device, and the post-NAT public network address information corresponding to a second CPE, the first NAT device being connected to a first CPE and the second NAT device being connected to the second CPE;

and configuring the IPSEC tunnel and the tunnel address information based on the type of the first NAT device, the type of the second NAT device, and the post-NAT public network address information corresponding to the second CPE. Specifically, when run by the processor, the computer program performs the method shown in FIG. 3, which belongs to the same concept as the NAT traversal method embodiment of FIG. 3; its specific implementation is detailed in the method embodiment and is not repeated here.

As another implementation, an embodiment of the present invention provides a computer-readable storage medium storing a computer program which, when run by a processor, executes: determining the type of a first NAT device and the type of a second NAT device, the first NAT device being connected to a first CPE and the second NAT device being connected to a second CPE;

sending the type of the second NAT device to the first CPE, and sending the type of the first NAT device to the second CPE;

when the types of the first NAT device and the second NAT device satisfy a preset condition, determining the post-NAT public network address information corresponding to the first CPE and sending it to the second CPE, and/or determining the post-NAT public network address information corresponding to the second CPE and sending it to the first CPE;

where the public network address information is used to configure the IPSEC tunnel and the tunnel address information.

Specifically, when run by the processor, the computer program can perform the method shown in FIG. 4, which belongs to the same concept as the NAT traversal method embodiment of FIG. 4; its specific implementation is detailed in the method embodiment and is not repeated here.

In the several embodiments provided in this application, it should be understood that the disclosed apparatus and methods may be implemented in other ways. The device embodiments described above are merely illustrative. For example, the division into units is only a division by logical function; in actual implementation there may be other divisions, e.g. multiple units or components may be combined or integrated into another system, or some features may be omitted or not executed. In addition, the coupling, direct coupling or communication connection between the components shown or discussed may be an indirect coupling or communication connection through interfaces, devices or units, and may be electrical, mechanical or of another form.

The units described above as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.

In addition, the functional units in the embodiments of the present invention may all be integrated in one processing unit, or each unit may stand alone as a unit, or two or more units may be integrated in one unit; the integrated unit may be implemented in the form of hardware or in the form of hardware plus software functional units.

Those of ordinary skill in the art will understand that all or part of the steps of the above method embodiments may be completed by hardware instructed by a program; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes a removable storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, an optical disk, or any other medium that can store program code.

Alternatively, if the above integrated unit of the present invention is implemented in the form of a software functional module and sold or used as an independent product, it may also be stored in a computer-readable storage medium. Based on this understanding, the technical solutions of the embodiments of the present invention, in essence or in the part that contributes to the prior art, may be embodied in the form of a software product stored in a storage medium and comprising instructions that cause a computer device (which may be a personal computer, a server, a network device, or the like) to execute all or part of the methods described in the embodiments of the present invention. The storage medium includes a removable storage device, a ROM, a RAM, a magnetic disk, an optical disk, or any other medium that can store program code.

The above are merely specific embodiments of the present invention, but the scope of protection of the present invention is not limited to them; any person skilled in the art can readily conceive of changes or substitutions within the technical scope disclosed by the present invention, and these should all be covered by the scope of protection of the present invention. Therefore, the scope of protection of the present invention shall be determined by the scope of protection of the claims.

Claims (29)

1. A Network Address Translation (NAT) traversal method, applied to a first Customer Premises Equipment (CPE), characterized in that it comprises:
determining the type of a first NAT device, the type of a second NAT device, and post-NAT public network address information corresponding to a second CPE; the first NAT device being connected to the first CPE, and the second NAT device being connected to the second CPE;
and configuring an Internet Protocol Security (IPSEC) tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE.
2. The method of claim 1, wherein determining the type of the second NAT device comprises:
receiving the type of the second NAT device sent by a server.
3. The method of claim 2, further comprising:
sending a first test message to the server, the first test message being used to request the server to send a first result message;
and receiving the first result message sent by the server, determining based on the first result message the type of the NAT device to which the first CPE is connected, and sending the determined type of that NAT device to the server.
4. The method of claim 1, wherein, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, determining the post-NAT public network address information corresponding to the second CPE comprises:
receiving a message sent by the second CPE;
and determining the post-NAT public network address information corresponding to the second CPE based on the received message.
5. The method of claim 4, further comprising:
sending a second test message to the server, the second test message being used by the server to determine the post-NAT public network address information corresponding to the first CPE.
6. The method of claim 4, further comprising:
sending, based on the configured IPSEC tunnel, a message whose destination address is an arbitrary address, the message being used to punch a hole in the first NAT device.
7. The method of claim 4, wherein configuring the IPSEC tunnel and the tunnel address information comprises:
configuring the IPSEC tunnel in tunnel mode and configuring NAT-T mode;
configuring the source address in the tunnel address information based on the private network address information of the first CPE;
and configuring the destination address in the tunnel address information based on the post-NAT public network address information corresponding to the second CPE.
8. The method of any one of claims 1 to 3, wherein, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, determining the post-NAT public network address information corresponding to the second CPE comprises:
receiving the post-NAT public network address information corresponding to the second CPE sent by the server.
9. The method of claim 8, further comprising:
sending a message to the second CPE, the sent message being used by the second CPE to determine the post-NAT public network address information corresponding to the first CPE.
10. The method of claim 7 or 8, wherein configuring the IPSEC tunnel and the tunnel address information comprises:
configuring the IPSEC tunnel in tunnel mode and configuring NAT-T mode;
configuring the source address in the tunnel address information based on the private network address information of the first CPE;
and configuring the destination address in the tunnel address information based on the post-NAT public network address information corresponding to the second CPE.
11. The method of any one of claims 1 to 3, wherein, when the type of the first NAT device is full cone NAT and the type of the second NAT device is Network Address Port Translation (NAPT), or when the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, determining the post-NAT public network address information corresponding to the second CPE comprises:
receiving the post-NAT public network address information corresponding to the second CPE sent by the server.
12. The method of claim 11, wherein configuring the IPSEC tunnel and the tunnel address information comprises:
configuring the IPSEC tunnel in tunnel mode and configuring NAT-T mode;
configuring the source address in the tunnel address information based on the private network address information of the first CPE;
and configuring the destination address in the tunnel address information based on the post-NAT public network address information corresponding to the second CPE.
13. The method of claim 12, further comprising:
sending a message based on the configured IPSEC tunnel and tunnel address information, the sent message being used to punch a hole in the first NAT device.
14. The method of claim 11, wherein the NAPT comprises at least one of: symmetric NAT, full cone NAT, address restricted cone NAT, port restricted cone NAT.
15. The method of claim 1, wherein the tunnel address information comprises at least one of:
the private network address information of the first CPE, and the post-NAT public network address information corresponding to the second CPE.
16. The method of claim 15, wherein the public network address information comprises a public network address and a port number.
17. The method of claim 4, 9 or 13, wherein the message comprises: an Internet Protocol (IP) header, a User Datagram Protocol (UDP) header, an authenticated part and Encapsulating Security Payload (ESP) authentication data;
wherein the authenticated part comprises an ESP header and an encrypted part, and the encrypted part comprises the original IP header, a Transmission Control Protocol (TCP) header, DATA and an ESP trailer.
18. A NAT traversal method, applied to a server, characterized in that it comprises:
determining the type of a first NAT device and the type of a second NAT device; the first NAT device being connected to a first CPE, and the second NAT device being connected to a second CPE;
sending the type of the second NAT device to the first CPE, and sending the type of the first NAT device to the second CPE;
when the types of the first NAT device and the second NAT device satisfy a preset condition, determining post-NAT public network address information corresponding to the first CPE and sending it to the second CPE, and/or determining post-NAT public network address information corresponding to the second CPE and sending it to the first CPE;
the public network address information being used to configure an IPSEC tunnel and tunnel address information.
19. The method of claim 18, wherein, when the type of the first NAT device is full cone NAT and the type of the second NAT device is basic NAT, the post-NAT public network address information corresponding to the first CPE is determined and sent to the second CPE.
20. The method of claim 18, wherein, when the type of the first NAT device is basic NAT and the type of the second NAT device is full cone NAT, the post-NAT public network address information corresponding to the second CPE is determined and sent to the first CPE.
21. The method of claim 18, wherein, when the type of the first NAT device is full cone NAT and the type of the second NAT device is NAPT, or when the type of the first NAT device is NAPT and the type of the second NAT device is full cone NAT, the post-NAT public network address information corresponding to the first CPE is determined and sent to the second CPE, and the post-NAT public network address information corresponding to the second CPE is determined and sent to the first CPE.
22. The method of claim 21, wherein the NAPT comprises at least one of:
symmetric NAT, full cone NAT, address restricted cone NAT, port restricted cone NAT.
23. The method of claim 18, wherein the public network address information comprises a public network address and a port number.
24. The method of claim 18, wherein determining the type of the first NAT device and the type of the second NAT device comprises:
receiving a first test message sent by the first CPE, and sending a first result message based on the first test message, the first result message being used by the first CPE to determine the type of the first NAT device to which it is connected; and receiving the type of the first NAT device sent by the first CPE;
receiving a third test message sent by the second CPE, and sending a second result message based on the third test message, the second result message being used by the second CPE to determine the type of the second NAT device to which it is connected; and receiving the type of the second NAT device sent by the second CPE.
25. The method of claim 18, wherein determining the post-NAT public network address information corresponding to the first CPE comprises:
receiving a second test message sent by the first CPE, and determining the post-NAT public network address information corresponding to the first CPE based on the second test message;
and determining the post-NAT public network address information corresponding to the second CPE comprises:
receiving a fourth test message sent by the second CPE, and determining the post-NAT public network address information corresponding to the second CPE based on the fourth test message.
26. A NAT traversal apparatus, applied to a first CPE, comprising a first processing module and a second processing module;
the first processing module being configured to determine the type of a first NAT device, the type of a second NAT device and post-NAT public network address information corresponding to a second CPE; the first NAT device being connected to the first CPE, and the second NAT device being connected to the second CPE;
the second processing module being configured to configure an IPSEC tunnel and tunnel address information based on the type of the first NAT device, the type of the second NAT device and the post-NAT public network address information corresponding to the second CPE.
27. A NAT traversal apparatus, applied to a server, comprising a third processing module, a fourth processing module and a fifth processing module; wherein
the third processing module is configured to determine the type of a first NAT device and the type of a second NAT device; the first NAT device being connected to a first CPE, and the second NAT device being connected to a second CPE;
the fourth processing module is configured to send the type of the second NAT device to the first CPE, and to send the type of the first NAT device to the second CPE;
the fifth processing module is configured, when the types of the first NAT device and the second NAT device satisfy a preset condition, to determine post-NAT public network address information corresponding to the first CPE and send it to the second CPE, and/or to determine post-NAT public network address information corresponding to the second CPE and send it to the first CPE;
the public network address information being used to configure an IPSEC tunnel and tunnel address information.
28. An electronic device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method of any one of claims 1 to 17; or
the processor, when executing the program, performs the steps of the method of any one of claims 18 to 25.
29. A computer-readable storage medium on which a computer program is stored, which, when executed by a processor, carries out the steps of the method of any one of claims 1 to 17; or
the processor, when executing the program, performs the steps of the method of any one of claims 18 to 25.
Application CN202010003261.4A, priority date 2020-01-02, filed 2020-01-02: A NAT traversal method, device, electronic device and storage medium. Legal status: Active. Granted as CN113067910B.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010003261.4A CN113067910B (en) 2020-01-02 2020-01-02 A kind of NAT traversal method, device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010003261.4A CN113067910B (en) 2020-01-02 2020-01-02 A kind of NAT traversal method, device, electronic equipment and storage medium

Publications (2)

Publication Number Publication Date
CN113067910A (en) 2021-07-02
CN113067910B (en) 2023-05-09

Family

ID=76558391

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010003261.4A Active CN113067910B (en) 2020-01-02 2020-01-02 A kind of NAT traversal method, device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN113067910B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114640663A (en) * 2022-03-03 2022-06-17 上海联虹技术有限公司 Method for remotely controlling CPE (customer premises equipment) and remote control system
CN115695577A (en) * 2021-07-31 2023-02-03 花瓣云科技有限公司 UDP data transmission method and related equipment

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101800781A (en) * 2009-02-11 2010-08-11 中国科学院计算机网络信息中心 Tunnel transition method and system for passing through NAT
WO2012171379A1 (en) * 2011-06-15 2012-12-20 中兴通讯股份有限公司 Method, device and system for nat traversal of ipsec in ah mode
CN105933198A (en) * 2016-04-21 2016-09-07 浙江宇视科技有限公司 Device for establishing direct connection VPN tunnel
CN109819067A (en) * 2019-03-12 2019-05-28 赛特斯信息科技股份有限公司 The method for realizing the NAT penetration management based on VXLAN tunneling technique using Simple Traversal of UDP Through Network Address Translators

Also Published As

Publication number Publication date
CN113067910B (en) 2023-05-09

Similar Documents

Publication Publication Date Title
CN104270379B (en) HTTPS agency retransmission methods and device based on transmission control protocol
TWI441493B (en) System and method for connection of hosts behind nats
US11888818B2 (en) Multi-access interface for internet protocol security
CN110086798B (en) Method and device for communication based on public virtual interface
CN115189920A (en) Cross-network domain communication method and related device
CN100464540C (en) A method of cross-gateway communication
CN113067910B (en) A kind of NAT traversal method, device, electronic equipment and storage medium
CN102223353A (en) Host identification protocol (HIP) safe channel multiplexing method and device thereof
JP6990647B2 (en) Systems and methods that provide a ReNAT communication environment
CN104506666A (en) Proxy method and system for crossing of massive TCP (Transmission Control Protocol) through symmetrical NAT (Network Address Translation)
CN117439815B (en) Intranet penetration system and method based on reverse transparent bridging
CN100479457C (en) Implementation method for transferring data in virtual private network
CN102984167B (en) Traversal method for universal firewall based on Socks5 protocol
CN105430066A (en) A P2P technology-based interconnection method for tax control equipment
WO2011044810A1 (en) Method, device and system for implementing multiparty communication
CN113067908B (en) NAT (network Address translation) traversing method and device, electronic equipment and storage medium
CN100505754C (en) A Method for Realizing Dynamic 4-in-6 Tunnel Establishment
CN112751816B (en) Tunnel establishment method, device, equipment and computer readable storage medium
CN113067911A (en) A NAT traversal method, device, electronic device and storage medium
CN103167022B (en) A kind of data pack transmission method, relevant device and system
CN112751946B (en) Tunnel establishment method, device, equipment and computer readable storage medium
CN114726824B (en) Wireless broadband router, message processing and domain name resolution method and device
WO2023274146A1 (en) Remote access method, electronic device, and storage medium
CN114584528A (en) Tunnel establishment method, device and equipment
CN101359998A (en) Method and device for establishing network element routing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant