
CN1118171C - On-demand system and method for access repeater applied to virtual private network - Google Patents


Info

Publication number
CN1118171C
Authority
CN
China
Prior art keywords
virtual private
private networks
user
address
service
Prior art date
Legal status
Expired - Lifetime
Application number
CN 99107858
Other languages
Chinese (zh)
Other versions
CN1276666A (en)
Inventor
鲍立国
杜唯源
李逸元
Current Assignee
Institute for Information Industry
Original Assignee
Institute for Information Industry
Priority date
1999-06-03
Filing date
1999-06-03
Publication date
2003-08-13
Application filed by Institute for Information Industry
Priority to CN 99107858
Publication of CN1276666A (2000-12-13)
Application granted
Publication of CN1118171C (2003-08-13)
Legal status: Expired - Lifetime

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention uses a two-stage PPP link to process the user's connection request. The first-stage PPP link negotiates communication between the user and the access concentrator and confirms the user's identity. If the user is legitimate, the user is assigned a new network address. The user can then select a service item from the function menu provided by the on-demand concentrator, which includes VPN services and non-VPN services. If the user selects a non-VPN service, the access concentrator forwards the packets to their destination address; if the user requests the VPN service, the access concentrator establishes a second-stage PPP link with the VPN.

Description

On-demand system and method for an access concentrator applied to a virtual private network

Technical field

The present invention relates to an access concentrator (the "access repeater" of the title) for virtual private networks (VPN), and in particular to an access concentrator that provides on-demand services, so that a user has other service options before connecting to the VPN server.

Background

A virtual private network (hereinafter VPN) is a data network that uses the public telecommunication infrastructure, as shown in Figure 1. A VPN is usually connected in the manner of a leased line and therefore has privacy. Through an authorized Internet service provider (ISP) 13, a company or enterprise 14 can treat the Internet 15 as one large local area network. When data is transmitted from one VPN to the VPN at the other end via the public telephone network 12 and the Internet 15, it usually passes through encryption and decryption procedures to protect its security. To protect the privacy and security of the data, the Internet further applies tunneling 16, which provides a dedicated path for a specific company to transfer information or files across the Internet 15. The protocol that provides this communication is called the Point-to-Point Tunneling Protocol (hereinafter PPTP). With PPTP a company can create a VPN through a tunnel across the Internet and transmit data securely. In this way the company or enterprise 14 does not need its own leased wide-area network lines and can safely use the general network.

The ISP 13 uses an access concentrator 17 and a database 18 to handle VPN communication. The access concentrator 17 has two interfaces: a VPN interface 171 that provides point-to-point access over the public switched telephone network (PSTN) or the integrated services digital network (ISDN), and a general network communication interface 172 that provides the TCP/IP protocol suite for sending packets to the Internet 15 or to other general network services.

PPTP uses an enhanced GRE (Generic Routing Encapsulation) mechanism to provide an encapsulated datagram service with flow and congestion control for carrying packets in Point-to-Point Protocol format (PPP packets). When a user 11 of an enterprise dials in to an ISP 13 using PPTP, the packets are encapsulated and then sent to the access concentrator 17. The encapsulated PPP packets are carried over IP, so the format of an encapsulated PPP packet is as shown in Figure 2: a media header 21, an IP header 22, a GRE header 23 and the PPP packet 24.
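Added example, not code from the patent: a Python parser for the encapsulated PPP packet of Figure 2 as PPTP's enhanced GRE (RFC 2637) carries it (IP header, GRE header with its call ID, then the PPP packet), plus a builder that constructs sample packets. It assumes the media header 21 has already been stripped and rejects malformed length fields; note that the call ID it extracts is a plaintext 16-bit header field, which identifies a call rather than authenticating the user behind it.

```python
"""Constructed example: build and parse IP + enhanced-GRE + PPP packets (RFC 2637
layout).  Not the patent's code; the media (link) header is assumed stripped."""
import struct

IP_PROTO_GRE = 47              # IP protocol number for GRE
GRE_PPTP_PROTO_TYPE = 0x880B   # protocol type of PPTP's enhanced GRE
PPP_PROTOCOLS = {              # PPP protocol field values seen in PPTP payloads
    0x0021: "IP", 0x002B: "IPX", 0xC021: "LCP", 0x8021: "IPCP",
    0xC023: "PAP", 0xC223: "CHAP",
}


def build_pptp_packet(src, dst, call_id, ppp_proto, ppp_payload, seq=None, ack=None):
    """Build a constructed IP + enhanced-GRE + PPP packet (for exercising the parser)."""
    ppp = struct.pack("!H", ppp_proto) + ppp_payload
    b0 = 0x20                  # K bit: key field (payload length + call ID) always present
    b1 = 0x01                  # GRE version 1 = enhanced GRE
    opt = b""
    if seq is not None:
        b0 |= 0x10             # S bit: sequence number follows the key
        opt += struct.pack("!I", seq)
    if ack is not None:
        b1 |= 0x80             # A bit: acknowledgment number follows
        opt += struct.pack("!I", ack)
    gre = struct.pack("!BBHHH", b0, b1, GRE_PPTP_PROTO_TYPE, len(ppp), call_id) + opt
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(ppp), 0, 0x4000,
                     64, IP_PROTO_GRE, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return ip + gre + ppp


def parse_pptp_packet(pkt):
    """Return the header fields of an encapsulated PPP packet; ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len = struct.unpack("!H", pkt[2:4])[0]
    # Length fields must agree with the bytes we actually hold before we index into them
    if ihl < 20 or total_len < ihl + 8 or total_len > len(pkt):
        raise ValueError("bad IP length fields")
    if pkt[9] != IP_PROTO_GRE:
        raise ValueError("IP payload is not GRE")
    gre = pkt[ihl:total_len]
    b0, b1, proto_type, payload_len, call_id = struct.unpack("!BBHHH", gre[:8])
    # Enhanced GRE: C, R, s and Recur clear, K set, Flags clear, version 1, type 0x880B
    if (b0 & 0xCF) or not (b0 & 0x20) or (b1 & 0x7F) != 1 or proto_type != GRE_PPTP_PROTO_TYPE:
        raise ValueError("not a PPTP enhanced GRE header")
    opt_len = (4 if b0 & 0x10 else 0) + (4 if b1 & 0x80 else 0)
    if len(gre) < 8 + opt_len:
        raise ValueError("truncated GRE header")
    off, seq, ack = 8, None, None
    if b0 & 0x10:
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if b1 & 0x80:
        ack = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    ppp = gre[off:]
    if len(ppp) != payload_len or len(ppp) < 2:
        raise ValueError("GRE payload length does not match the PPP packet")
    ppp_proto = struct.unpack("!H", ppp[:2])[0]
    return {
        "src": ".".join(map(str, pkt[12:16])),
        "dst": ".".join(map(str, pkt[16:20])),
        "call_id": call_id,    # plaintext 16-bit call identifier, not an authenticated user
        "seq": seq,
        "ack": ack,
        "ppp_protocol": PPP_PROTOCOLS.get(ppp_proto, hex(ppp_proto)),
        "ppp_data": ppp[2:],
    }
```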

The access concentrator 17 in use today confirms the authenticity of the dial-up user's identity only from the call ID field of the PPP packet, and then assigns a legitimate network address to the dial-up user in place of its source address. The dial-up user can thus access the VPN without the packet having to be decrypted. In other words, the ISP 13 lets the dial-up user 11 run the PPP protocol directly with the server 14. As a result, even if the dial-up user only wants to browse the Internet or use remote login (TELNET), file transfer (FTP), electronic bulletin boards (BBS) or the World Wide Web (WWW), he must still connect to the server 14 located in the VPN 19. This not only wastes connection time but also generates unnecessary traffic.

Moreover, with the current structure of the access concentrator, adding an on-demand service function would have to be done in conjunction with the authentication structure of the Remote Authentication Dial-In User Service (RADIUS). Not only would the existing PPP protocol have to be modified to support the EAP standard (PPP Extensible Authentication Protocol, RFC 2284), but the cost of the RADIUS authentication structure would be added as well, making actual deployment and programming difficult and complex. In addition, with a single PPP link the access concentrator can only wrap the PPP payload packets sent by the remote user in a VPN header and forward them; it cannot at the same time analyze the data inside the packets, such as IP or IPX addresses, as a basis for selecting the link's quality of service, so it is rather inflexible in practice.

Summary of the invention

The object of the present invention is to provide an on-demand service system and method for a VPN access concentrator that lets a user request non-VPN services from the access concentrator before connecting to the VPN server.

Another object of the present invention is to provide an access concentrator system and method offering on-demand services that retains the existing PPP protocol mechanism while adding the concentrator's on-demand function, so as to reduce the cost of program installation and modification.

A further object of the present invention is to provide a method of segmenting the PPTP link for a virtual private network in which only a small part of the VPN program code is modified, so that functions can be added to the concentrator or its program code upgraded while reducing the complexity of equipment and maintenance.

Yet another object of the present invention is to provide a method of segmenting the PPTP link that does not require additional support for the RADIUS mechanism, which saves the expense of building RADIUS proxy servers and server equipment and thereby reduces cost.

The on-demand service method of the present invention for an access concentrator applied to a virtual private network comprises the following steps:

establishing a virtual private network user database to store the VPN users' data;

when a connection request from a dial-up user is received, establishing a first-stage PPP link for the dial-up user;

querying the virtual private network user database to determine the authenticity of the dial-up user's identity;

when the dial-up user's identity is determined to be authentic, assigning a network address to the dial-up user, otherwise rejecting the above first-stage PPP connection request;

providing an on-demand service menu for the dial-up user to choose from, the on-demand services comprising a connection service that uses the virtual private network and general network services that do not use the virtual private network;

when the dial-up user selects the virtual private network connection service, establishing a second-stage PPP link with the server of that virtual private network; and

assigning the dial-up user a legitimate virtual private network address for accessing the virtual private network;

when the dial-up user's identity is determined not to be authentic, rejecting the above first-stage PPP connection request.

The above network address is an IP address.

The above non-virtual private network services comprise remote login, file transfer, the World Wide Web and electronic bulletin boards.

The above legitimate virtual private network address is an IP address.

The above legitimate virtual private network address is an IPX address.

The method further comprises the step: when the above dial-up user selects a non-virtual private network service, forwarding the dial-up user's packets to their destination address.

The above second-stage PPP link is carried out using the user data obtained in the above first-stage PPP link.

The virtual private network access concentrator system of the present invention with on-demand service function is realized as follows. It comprises: an interface device for receiving connection requests from the public telephone network; a first link layer control device for carrying out link layer negotiation with the dial-up user's host; an identity verification device, coupled to a virtual private network user database, for determining the correctness of the dial-up user's identity; a first network layer control device for carrying out network layer negotiation with the dial-up user's host and obtaining a network address; a service providing device for providing an on-demand service menu for the dial-up user to choose from; a second link layer control device for establishing second link layer negotiation with a virtual private network server; and a second network layer control device for assigning the dial-up user a legitimate virtual private network address with which to access the virtual private network server.

The above network address is an IP address.

The above on-demand services comprise virtual private network services and non-virtual private network services.

The above non-virtual private network services comprise remote login, file transfer, the World Wide Web and electronic bulletin boards.

The above legitimate virtual private network address is an IP address.

The above legitimate virtual private network address is an IPX address.

The above service providing device, when the above dial-up user requests a non-virtual private network service, forwards the dial-up user's packets to their destination address.

The present invention mainly uses a two-stage PPP link to handle the user's connection request. The first-stage PPP link serves the negotiation between the user and the access concentrator, during which the user's identity is verified. If the user is legitimate, the user is assigned a new network address. The user can then select a service item from the function menu provided by the on-demand concentrator, which includes virtual private network and non-virtual private network services such as remote login (TELNET), file transfer (FTP), electronic bulletin boards (BBS) and the World Wide Web (WWW). If the user selects a non-virtual private network service, the access concentrator sends the packets to their destination address. If the user requests a virtual network service, the access concentrator establishes a PPP link to the virtual private network. In this way the user can access non-VPN services without having to connect directly to the virtual private network server.

Brief description of the drawings

Figure 1 is a schematic diagram of a virtual private network system currently in use.

Figure 2 is the format of an encapsulated PPP packet.

Figure 3 is a schematic diagram of the operation of the concentrator system with on-demand function of the present invention.

Figure 4 is a flowchart of the method of the present invention.

Detailed description

Assuming that the local area network to which the virtual private network server is connected uses the TCP/IP protocol suite, the method of the present invention divides the PPP link into two stages, as shown in Figure 3. Figure 3 shows the access concentrator with on-demand service function of the present invention. The access concentrator 31 runs on a platform that accepts dial-up access; it controls dial-up telephone access from the public switched telephone network (PSTN) 32 or the integrated services digital network (ISDN), and can also initiate an outgoing circuit-switched connection.

The access concentrator 31 also provides a physical layer interface device 33 to connect to the PSTN 32. When a remote user has dialed in successfully and requests data link layer negotiation with the ISP 30, the link layer control device 361 carries out PPP link layer negotiation for the dial-up user so as to connect with the dial-up user's host 34. During connection, the identity verification device 362 queries a VPN user database to verify the identity, for example checking whether the source address in the user's packets, the access permissions, the user identifier and the password are genuine. If user 34 is determined to be a legitimate VPN user, the PPP protocol proceeds with network layer negotiation. Unlike the prior art, the network layer control device 363 decodes the packet and obtains data such as its network number and service requirements. After PPP negotiation is complete, the remote user 34 is assigned a new network address given by the system, such as an IP address. Because this network address differs from the address of the VPN to which the user originally belongs, the packets sent by the user are not forwarded into that VPN, and the user does not have to connect first to its own VPN server 35 and then reach other network services or resources through that server. The network layer control device 363 can also decide how packets are routed.

Then, after the first PPP negotiation is complete, packets carrying the new network address are passed to the service providing device 37, which offers on-demand services for the dial-up user 34 to choose from. Since the dial-up user now has a new IP address, he can freely select various non-VPN services such as remote login (TELNET), file transfer (FTP), electronic bulletin boards (BBS) and the World Wide Web (WWW). If user 34 selects a non-VPN service, the service providing device 37 sends these packets directly to their destination address without connecting to the VPN server 35 of the user's company. On the other hand, if user 34 selects the VPN service, the access concentrator 31 establishes a second PPP link to the VPN server 35. In this PPP negotiation, the link layer control device 381 can reuse the user data obtained in the link layer negotiation of the first PPP link, so the user's identity need not be verified again, which speeds up the connection. The packets are then passed to the network layer control device 382 to establish network layer communication with the VPN server 35. At this point the user obtains a legitimate VPN address, such as an IP address or an IPX address, from the VPN server 35 and can therefore access the resources of the VPN server 35.

Figure 4 shows the on-demand method of the VPN access concentrator of the present invention, which comprises the following steps:

401: On receiving a connection request, carry out link layer negotiation with the dial-up user.

402: Query a virtual private network user database to determine the identity of the dial-up user. If the dial-up user's identity is correct, go to step 404; otherwise go to step 403.

403: Reject the dial-up user's connection request.

404: Carry out network layer negotiation with the dial-up user, including decrypting the PPP packets to obtain the network address and service requirement data.

405: Assign a new network address to the dial-up user.

406: Provide an on-demand service menu for the dial-up user to choose from. If the user requests a non-VPN service, go to step 407; otherwise go to step 408.

407: If the dial-up user selects a non-VPN service such as TELNET, FTP, BBS or WWW, forward the packets to their destination address.

408: Using the data obtained from the first link layer negotiation, carry out link layer negotiation with the virtual private network server.

409: Carry out network layer negotiation with the virtual private network server.

410: Provide a legitimate virtual private network address, such as an IP address or an IPX address, to the dial-up user.

411: Connect to the virtual private network server.
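Added example, not code from the patent: a Python simulation of steps 401 to 411, in which stage 1 checks the user against a VPN user database (password, source address and rights) and assigns a new address, and the service menu either forwards non-VPN traffic directly (step 407) or opens the second-stage link to the VPN server without re-authenticating (steps 408 to 411). The user database, address pools, password hashing and the VPN server stand-in are constructed assumptions; the page does not specify them.

```python
"""Constructed simulation of the two-stage on-demand flow of Figure 4.
Not the patent's code; database, pools and VPN server are stand-ins."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

NON_VPN_SERVICES = {"TELNET", "FTP", "BBS", "WWW"}   # menu items named in the patent


def _pw_hash(password):
    # Constructed: the page does not say how credentials are stored; never keep them in clear
    return hashlib.sha256(password.encode()).digest()


# Constructed VPN user database: the fields stage 1 checks per the page (password,
# permitted source address, access rights) plus the user's home VPN server.
USER_DB = {
    "alice": {"pw": _pw_hash("correct horse"), "source": "10.0.0.5",
              "rights": {"VPN", "WWW", "FTP"}, "vpn_server": "vpn.example.test"},
    "bob":   {"pw": _pw_hash("hunter2"), "source": "10.0.0.9",
              "rights": {"WWW"}, "vpn_server": "vpn.example.test"},
}


@dataclass
class Session:
    user_id: str
    address: str                         # new address from the concentrator (step 405)
    vpn_address: Optional[str] = None    # legitimate VPN address from the server (step 410)
    stage: int = 1                       # 1 after the first PPP link, 2 after the second


class OnDemandAccessConcentrator:
    def __init__(self, user_db, address_pool, vpn_servers):
        self.user_db = user_db
        self._pool = iter(address_pool)  # concentrator-owned addresses handed out in step 405
        # Stand-in for VPN servers: name -> iterator of addresses they assign in step 410
        self._vpn_servers = {name: iter(addrs) for name, addrs in vpn_servers.items()}

    def stage1_connect(self, user_id, password, source_addr):
        """Steps 401-405: first-stage PPP link.  Returns a Session, or None (step 403)."""
        rec = self.user_db.get(user_id)
        # Step 402: check identity against the VPN user database.  The hash comparison is
        # always performed so an unknown user takes the same path as a wrong password.
        expected = rec["pw"] if rec else _pw_hash("")
        pw_ok = hmac.compare_digest(expected, _pw_hash(password))
        if rec is None or not pw_ok or rec["source"] != source_addr:
            return None                                  # step 403: reject the link request
        # Steps 404-405: network layer negotiation, then a new address from the concentrator
        return Session(user_id=user_id, address=next(self._pool))

    def select_service(self, session, service, destination=None):
        """Step 406: on-demand menu.  Returns what the concentrator does with the packets."""
        if service != "VPN" and service not in NON_VPN_SERVICES:
            raise ValueError(f"unknown service {service}")
        rec = self.user_db[session.user_id]
        if service not in rec["rights"]:
            raise PermissionError(f"{session.user_id} may not use {service}")
        if service in NON_VPN_SERVICES:
            # Step 407: forward straight to the destination; the VPN server is never involved
            return {"action": "forward", "src": session.address, "dst": destination}
        # Steps 408-411: second-stage PPP link to the home VPN server, reusing the user
        # data from stage 1 (no second authentication), then a legitimate VPN address
        server = rec["vpn_server"]
        session.vpn_address = next(self._vpn_servers[server])
        session.stage = 2
        return {"action": "tunnel", "server": server, "vpn_address": session.vpn_address}
```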

The preferred embodiment of the present invention has been described in detail above, but variations of the above embodiment still fall within the patent scope of the present invention. For example, the present invention can be applied generally to any similar protocol that may be used for virtual private network connections in future, and the on-demand service items can be set according to actual conditions and are not limited to the TELNET, FTP, BBS and WWW services described above.

Claims (14)

  1. An on-demand service method for an access concentrator applied to a virtual private network, characterized in that it comprises the following steps:
    establishing a virtual private network user database to store the user data of the virtual private network;
    when a connection request from a dial-up user is received, establishing a first-stage point-to-point protocol (PPP) link for the dial-up user;
    querying the virtual private network user database to determine the authenticity of the dial-up user's identity;
    when the dial-up user's identity is determined to be authentic, assigning a network address to the dial-up user, and otherwise rejecting the above first-stage PPP link request;
    providing an on-demand service menu for the dial-up user to choose from, the on-demand services comprising a connection service that uses the virtual private network and general network services that do not use the virtual private network;
    when the dial-up user selects the connection service of the virtual private network, establishing a second-stage PPP link with the server of that virtual private network; and
    assigning the dial-up user a legitimate virtual private network address with which to access the virtual private network;
    when the dial-up user's identity is determined to be false, rejecting the above first-stage PPP link request.
  2. The on-demand service method of claim 1, characterized in that the above network address is an IP address.
  3. The on-demand service method of claim 1, characterized in that the above non-virtual private network services comprise: remote login (TELNET), file transfer (FTP), the World Wide Web (WWW) and electronic bulletin boards (BBS).
  4. The on-demand service method of claim 1, characterized in that the above legitimate virtual private network address is an IP address.
  5. The on-demand service method of claim 1, characterized in that the above legitimate virtual private network address is an IPX address.
  6. The on-demand service method of claim 1, characterized in that it further comprises the step of:
    when the above dial-up user selects a general network service, forwarding the dial-up user's packets to their destination address.
  7. The on-demand service method of claim 1, characterized in that the above second-stage PPP link is carried out using the user data obtained in the above first-stage PPP link.
  8. A virtual private network access concentrator system capable of providing an on-demand service function, characterized in that it comprises:
    an interface device for receiving connection requests from the public telephone network; a first link layer control device for carrying out link layer negotiation with a dial-up user's host; an identity verification device, coupled to a virtual private network user database, for determining the authenticity of the dial-up user's identity; a first network layer control device for carrying out network layer negotiation with the dial-up user's host and obtaining a network address; a service providing device for providing an on-demand service menu for the dial-up user to choose from; a second link layer control device for establishing second link layer negotiation with a virtual private network server; and a second network layer control device for assigning the dial-up user a legitimate virtual private network address with which to access the virtual private network server.
  9. The virtual private network access concentrator system of claim 8, characterized in that the above network address is an IP address.
  10. The virtual private network access concentrator system of claim 8, characterized in that the above on-demand services comprise: virtual private network services and non-virtual private network services.
  11. The virtual private network access concentrator system of claim 10, characterized in that the above non-virtual private network services comprise: remote login (TELNET), file transfer (FTP), the World Wide Web (WWW) and electronic bulletin boards (BBS).
  12. The virtual private network access concentrator system of claim 8, characterized in that the above legitimate virtual private network address is an IP address.
  13. The virtual private network access concentrator system of claim 8, characterized in that the above legitimate virtual private network address is an IPX address.
  14. The virtual private network access concentrator system of claim 8, characterized in that the above service providing device, when the above dial-up user requests a non-virtual private network service, forwards the dial-up user's packets to their destination address.

Priority Applications (1)

CN 99107858 (CN1118171C), priority date 1999-06-03, filing date 1999-06-03: On-demand system and method for access repeater applied to virtual private network

Applications Claiming Priority (1)

CN 99107858 (CN1118171C), priority date 1999-06-03, filing date 1999-06-03: On-demand system and method for access repeater applied to virtual private network

Publications (2)

CN1276666A (en), published 2000-12-13
CN1118171C (en), granted publication 2003-08-13

Family

ID=5272995

Family Applications (1)

CN 99107858 (CN1118171C, Expired - Lifetime), priority date 1999-06-03, filing date 1999-06-03: On-demand system and method for access repeater applied to virtual private network

Country Status (1)

CN (1): CN1118171C (en)

Families Citing this family (5)

* Cited by examiner, † Cited by third party

CN100372386C * (priority 2002-12-10, published 2008-02-27, 华为技术有限公司): Short and long number corresponding method for mobile exchange
CN100356760C * (priority 2002-12-20, published 2007-12-19, 英华达(南京)科技有限公司): Method for accessing company inside data from network using mobile phone
CN1297105C * (priority 2003-01-06, published 2007-01-24, 华为技术有限公司): Method for implementing multirole main machine based on virtual local network
CN103428062B * (priority 2012-05-25, published 2017-07-14, 杭州瑞高智能设备有限公司): A kind of access method of vpn server and a kind of VPN client computer
CN110691059B * (priority 2018-07-05, published 2021-09-17, 资富电子股份有限公司): Apparatus and method for dynamic virtual private network

Also Published As

CN1276666A (en), published 2000-12-13


Legal Events

C10: Entry into substantive examination
SE01: Entry into force of request for substantive examination
C06: Publication
PB01: Publication
C14: Grant of patent or utility model
GR01: Patent grant
CX01: Expiry of patent term

Granted publication date: 20030813