Data transmission method and device, storage medium and electronic equipment

Document No.: 1711794  Publication date: 2019-12-13  Language: Chinese

Reading note: This technology, "Data transmission method and device, storage medium and electronic equipment" (一种传输数据的方法、装置、存储介质和电子设备), was designed and created by 赵帅鹏, 李金国, 施德军 and 党帆 on 2019-09-30. Its main content is as follows: the embodiments of the present application provide a method, an apparatus, a storage medium and an electronic device for transmitting data, wherein the method comprises the following steps: acquiring the priority of the VPN tunnels in the security policies of at least two virtual private network (VPN) tunnels; selecting the VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels; and transmitting data by using the VPN tunnel with the highest priority. In the embodiments of the present application, the priority of the VPN tunnel in the security policies of the at least two VPN tunnels is obtained, the VPN tunnel with the highest priority is selected from the security policies of the at least two VPN tunnels, and the VPN tunnel with the highest priority is used for transmitting data. Therefore, where two VPN tunnels are established between two subnets, data can be transmitted by selecting the VPN tunnel with the highest priority; since the VPN tunnel with the highest priority has better data transmission performance, the stability of data transmission can be ensured.

1. A method of transmitting data, comprising:

Acquiring the priority of the VPN tunnels in the security policies of at least two virtual private network VPN tunnels;

Selecting a VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels;

And transmitting data by using the VPN tunnel with the highest priority.

2. The method according to claim 1, wherein said at least two VPN tunnels are backup tunnels, and before said obtaining the priority of VPN tunnels in the security policies of the at least two virtual private network VPN tunnels, the method further comprises:

The main tunnel is determined to be broken.

3. The method of claim 1, wherein one of the at least two VPN tunnels is a primary tunnel and the remaining VPN tunnels are backup tunnels.

4. The method according to claim 1, wherein said selecting a VPN tunnel with a highest priority from the security policies of the at least two VPN tunnels comprises:

Determining the priority of any one VPN tunnel in all the VPN tunnels as the temporary highest priority;

Sequentially traversing the security policies of the other VPN tunnels, and updating the temporary highest priority to determine the final temporary highest priority;

And determining the VPN tunnel corresponding to the final temporary highest priority as the VPN tunnel with the highest priority.

5. The method of claim 4, wherein said updating the temporary highest priority to determine a final temporary highest priority comprises:

Under the condition that the priority of the current VPN tunnel is higher than the temporary highest priority, updating the temporary highest priority to the priority of the current VPN tunnel; or,

Keeping the temporary highest priority unchanged when the priority of the current VPN tunnel is equal to or lower than the temporary highest priority.

6. An apparatus for transmitting data, comprising:

An acquisition module, configured to acquire the priority of the VPN tunnel in the security policies of at least two virtual private network VPN tunnels;

A selecting module, configured to select the VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels;

And a transmission module, configured to transmit data by using the VPN tunnel with the highest priority.

7. The apparatus of claim 6, wherein the at least two VPN tunnels are backup tunnels, the apparatus further comprising:

A first determining module, configured to determine that the main tunnel is disconnected before the acquiring of the priority of the VPN tunnel in the security policies of the at least two virtual private network VPN tunnels.

8. The apparatus of claim 6, wherein one of the at least two VPN tunnels is a primary tunnel and the remaining VPN tunnels are backup tunnels.

9. The apparatus of claim 6, wherein the selecting module comprises:

a second determining module, configured to determine that a priority of any one of all VPN tunnels is a temporary highest priority;

A third determining module, configured to sequentially traverse security policies of the remaining VPN tunnels, and update the temporary highest priority to determine a final temporary highest priority;

A fourth determining module, configured to determine the VPN tunnel corresponding to the final temporary highest priority as the VPN tunnel with the highest priority.

10. The apparatus of claim 9, wherein the third determining module is configured to: under the condition that the priority of the current VPN tunnel is higher than the temporary highest priority, updating the temporary highest priority to the priority of the current VPN tunnel; or, in case that the priority of the current VPN tunnel is equal to or lower than the temporary highest priority, keeping the temporary highest priority unchanged.

11. A storage medium, having stored thereon a computer program which, when executed by a processor, performs a method of transmitting data according to any one of claims 1-5.

12. An electronic device, characterized in that the electronic device comprises: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is operating, the machine-readable instructions when executed by the processor performing the method of transmitting data according to any one of claims 1-5.

Technical Field

The present application relates to the field of network security technologies, and in particular, to a method, an apparatus, a storage medium, and an electronic device for transmitting data.

Background

VPN (Virtual Private Network) refers to a technology for establishing a Private Network on a public Network, and supports establishment of a VPN tunnel between two communicating parties, so that a transmission process is encrypted and data security is improved.

At present, in order to ensure stability of data transmission, a plurality of VPN tunnels are generally established between two subnetworks, so as to implement backup of the VPN tunnels.

For example, when multiple IPSEC (Internet Protocol Security) tunnels are established between two subnets and one of the IPSEC tunnels is abnormally disconnected, another IPSEC tunnel may be used for data transmission. IPSEC is a VPN technology that uses the IPSEC protocol to implement remote access.

In the process of implementing the invention, the inventor finds that the following problems exist in the prior art: at present, in the process of selecting a VPN tunnel for transmitting data, the selection of the VPN tunnel has randomness, so that the problem of poor stability of data transmission can be caused. For example, when the VPN main tunnel is abnormally disconnected, the randomly matched first VPN backup tunnel is subsequently used for data transmission. However, since the data transmission performance of the matched first VPN backup tunnel may be much weaker than that of the VPN main tunnel, a problem of poor stability of data transmission may be caused.

Disclosure of the Invention

An object of the embodiments of the present application is to provide a method, an apparatus, a storage medium, and an electronic device for transmitting data, so as to ensure stability of data transmission.

In a first aspect, an embodiment of the present application provides a method for transmitting data, where the method includes: acquiring the priority of the VPN tunnels in the security policies of at least two virtual private network VPN tunnels; selecting a VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels; and transmitting the data by using the VPN tunnel with the highest priority.

Therefore, in the embodiment of the present application, the priority of the VPN tunnel in the security policies of the at least two VPN tunnels is obtained, and the VPN tunnel with the highest priority is selected from the security policies of the at least two VPN tunnels, and the VPN tunnel with the highest priority is used for transmitting data. Therefore, under the condition that two VPN tunnels are established between two subnetworks, data can be transmitted by selecting the VPN tunnel with the highest priority, and the VPN tunnel with the highest priority has better data transmission performance, so that the stability of data transmission can be ensured.

In addition, in the embodiment of the application, the user can configure the priority of the VPN tunnel in the security policy of the VPN tunnel according to the actual situation, so that the VPN tunnel can be selected according to the security policy configured by the user, further, the data transmission is controllable, and the stability of the data transmission is further improved.

In a possible embodiment, the at least two VPN tunnels are backup tunnels, and before obtaining the priorities of the VPN tunnels in the security policies of the at least two virtual private network VPN tunnels, the method further includes: the main tunnel is determined to be broken.

Therefore, the embodiment of the application can be applied to a scene that one backup tunnel with the highest priority is selected from a plurality of backup tunnels when the main tunnel is disconnected.

In one possible embodiment, one of the at least two VPN tunnels is a primary tunnel and the remaining VPN tunnels are backup tunnels.

Therefore, the embodiment of the application can be applied to a scene of selecting a VPN tunnel with the highest priority from a plurality of VPN tunnels between two subnetworks.

In one possible embodiment, selecting the VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels includes: determining the priority of any one VPN tunnel in all the VPN tunnels as the temporary highest priority; sequentially traversing the security policies of the other VPN tunnels, and updating the temporary highest priority to determine the final temporary highest priority; and determining the VPN tunnel corresponding to the final temporary highest priority as the VPN tunnel with the highest priority.

Therefore, in the embodiment of the application, the priority of any one of all the VPN tunnels is determined to be the temporary highest priority, and the security policies of the other VPN tunnels are sequentially traversed to update the temporary highest priority so as to determine the final temporary highest priority, so that the VPN tunnel with the highest priority can be accurately and quickly determined.

In one possible embodiment, updating the temporary highest priority to determine a final temporary highest priority includes: under the condition that the priority of the current VPN tunnel is higher than the temporary highest priority, updating the temporary highest priority to the priority of the current VPN tunnel; or, in case that the priority of the current VPN tunnel is equal to or lower than the temporary highest priority, the temporary highest priority is kept unchanged.

Therefore, compared with a mode of sorting the priorities, the processing efficiency can be improved by updating the temporary highest priority, so that the waiting time of the user is shortened and the experience of the user is improved.

In a second aspect, an embodiment of the present application provides an apparatus for transmitting data, where the apparatus includes: an acquisition module, configured to acquire the priority of the VPN tunnel in the security policies of at least two virtual private network VPN tunnels; a selecting module, configured to select the VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels; and a transmission module, configured to transmit data by using the VPN tunnel with the highest priority.

In one possible embodiment, at least two VPN tunnels are backup tunnels, and the apparatus further includes: the first determining module is used for determining that the main tunnel is disconnected before acquiring the priority of the VPN tunnels in the security policies of the at least two virtual private network VPN tunnels.

In one possible embodiment, one of the at least two VPN tunnels is a primary tunnel and the remaining VPN tunnels are backup tunnels.

In one possible embodiment, the selection module comprises: a second determining module, configured to determine that a priority of any one of all VPN tunnels is a temporary highest priority; a third determining module, configured to sequentially traverse the security policies of the other VPN tunnels and update the temporary highest priority so as to determine the final temporary highest priority; and a fourth determining module, configured to determine the VPN tunnel corresponding to the final temporary highest priority as the VPN tunnel with the highest priority.

In one possible embodiment, the third determination module is to: under the condition that the priority of the current VPN tunnel is higher than the temporary highest priority, updating the temporary highest priority to the priority of the current VPN tunnel; or, in case that the priority of the current VPN tunnel is equal to or lower than the temporary highest priority, the temporary highest priority is kept unchanged.

In a third aspect, an embodiment of the present application provides a storage medium, where a computer program is stored on the storage medium, and when the computer program is executed by a processor, the computer program performs the method according to the first aspect or any optional implementation manner of the first aspect.

In a fourth aspect, an embodiment of the present application provides an electronic device, including: a processor, a memory and a bus, the memory storing machine-readable instructions executable by the processor, the processor and the memory communicating via the bus when the electronic device is running, the machine-readable instructions when executed by the processor performing the method of the first aspect or any of the alternative implementations of the first aspect.

In a fifth aspect, the present application provides a computer program product which, when run on a computer, causes the computer to perform the method of the first aspect or any possible implementation manner of the first aspect.

In order to make the aforementioned and other objects, features and advantages of the present invention comprehensible, preferred embodiments accompanied with figures are described in detail below.

Drawings

In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are required to be used in the embodiments of the present application will be briefly described below. It should be understood that the following drawings only illustrate some embodiments of the present application and therefore should not be considered as limiting the scope, and that those skilled in the art can also obtain other related drawings based on these drawings without inventive effort.

FIG. 1 illustrates a schematic diagram of an application scenario to which embodiments of the present application are applicable;

Fig. 2 is a flowchart illustrating a method for transmitting data according to an embodiment of the present application;

Fig. 3 is a detailed flowchart of a method for transmitting data according to an embodiment of the present application;

Fig. 4 is a block diagram illustrating a structure of an apparatus for transmitting data according to an embodiment of the present disclosure;

Fig. 5 is a block diagram of an electronic device in the embodiment of the present application.

Detailed Description

The technical solutions in the embodiments of the present application will be described below with reference to the drawings in the embodiments of the present application.

It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures. Meanwhile, in the description of the present application, the terms "first", "second", and the like are used only for distinguishing the description, and are not to be construed as indicating or implying relative importance.

At present, when a plurality of VPN tunnels (including a main tunnel and at least one backup tunnel) between two subnets are established by using different IP addresses, when the main tunnel is abnormally disconnected, the backup tunnel may be subsequently used to ensure communication of devices within the subnets.

Because the matched security policy of the data stream has randomness, the data stream will use the backup tunnel corresponding to the matched first security policy as a tunnel for subsequent data transmission. However, the backup tunnel corresponding to the matched first security policy may cause a problem of poor stability of data transmission.

Therefore, the selection of the backup tunnel in the prior art is random, that is, the user cannot control the selection of the backup tunnel, which may cause a problem of poor stability of data transmission.

Based on this, the embodiment of the present application skillfully provides a scheme for transmitting data, by acquiring the priorities of the VPN tunnels in the security policies of the at least two VPN tunnels, selecting the VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels, and transmitting data by using the VPN tunnel with the highest priority. Therefore, under the condition that two VPN tunnels are established between two subnetworks, data can be transmitted by selecting the VPN tunnel with the highest priority, and the VPN tunnel with the highest priority has better data transmission performance, so that the stability of data transmission can be ensured.

To facilitate understanding of the embodiments of the present application, some terms in the embodiments of the present application are first explained herein as follows:

A "subnet" may be a system of devices including clients and routers. For example, a user may configure all clients within a company as a subnet.

It should be understood that a subnet may also be referred to as a protection subnet, and embodiments of the present application are not limited thereto.

A "gateway" is a complex network interconnection device that can be used to interconnect two networks with different higher layer protocols.

A "security policy" may control data transmission between subnets (or between different IP addresses). And, the security policy may decide which data from one subnet to another subnet (or from one IP address to another IP address) may be transmitted and which data may not be transmitted through policy rules. Wherein the policy rules may include filter conditions, etc.

In addition, one security policy may be set corresponding to one VPN tunnel.

"tunnel negotiation" is a process of setting up transmission rules between two network devices. For example, the tunnel negotiation includes encryption rules and the like.

Referring to fig. 1, fig. 1 is a schematic diagram illustrating an application scenario 100 to which an embodiment of the present application is applicable. Specifically, the application scenario 100 includes: a first subnet 110, a first gateway 120, a second gateway 130, and a second subnet 140. The first subnet 110 may include a plurality of clients 111, and the second subnet 140 may include a server 141.

It should be understood that, although fig. 1 shows that the first subnet 110 only includes a plurality of clients 111, those skilled in the art should understand that the first subnet 110 may also include other devices, and the embodiments of the present application are not limited thereto.

Correspondingly, the devices forming the second sub-network 140 are similar to the devices forming the first sub-network 110, and specific reference may be made to the related description of the devices forming the first sub-network 110 in the foregoing.

It should also be understood that, although the first subnet 110 and the first gateway 120 are separately arranged in fig. 1, those skilled in the art should understand that the first gateway 120 may also be arranged in the first subnet 110, and the embodiment of the present application is not limited thereto.

Correspondingly, the setting manner of the second gateway 130 is similar to that of the first gateway 120, and specific reference may be made to the foregoing description of the setting manner of the first gateway 120.

In some possible embodiments, the client 111 may be a mobile phone, a tablet computer, a virtual machine, or a desktop computer. That is, the specific device type of the client 111 may be set according to actual requirements, and the embodiment of the present application is not limited thereto.

In addition, the client 111 further has a communication function, and may run a VPN application, or may run other web pages capable of loading a VPN process, and the embodiment of the present application is not limited to this.

In some possible embodiments, the first gateway 120 may be a transmission gateway or an application gateway. That is, the specific gateway type of the first gateway 120 may also be set according to actual requirements, and the embodiment of the present application is not limited thereto.

The device type of the second gateway 130 is similar to that of the first gateway 120, and will not be described in detail herein, and specific reference may be made to the related description of the device type of the first gateway 120.

In one embodiment, the server 141 may be a single server or a group of servers. The server group may be centralized or distributed (e.g., server 141 may be a distributed system). That is, the type of the server 141 may be set according to actual requirements, and the embodiment of the present application is not limited thereto.

In the embodiment of the present application, when the user holding the client 111 wants to access the server 141, the client 111 may send a data packet including an access request to the first gateway 120. And, in case that the first gateway 120 receives a data packet sent by the client 111, the first gateway 120 may query a security policy matching the data packet by traversing in a security policy repository. One security policy may be set corresponding to one VPN tunnel, and both the configuration file and the security policy of the VPN tunnel may be set with the priority of the VPN tunnel.

After the traversal is completed, the first gateway 120 may acquire the VPN tunnel with the highest priority, and the first gateway 120 may send the data packet to the second gateway 130 through the VPN tunnel with the highest priority. Finally, the second gateway 130 transmits the data packet to the server 141, thereby implementing the access to the remote server.

It should be noted that the scheme for transmitting data provided in the embodiment of the present application may be further extended to other suitable implementation scenarios, and is not limited to the implementation scenario shown in fig. 1. Although a specific number of clients, gateways, and servers are shown in FIG. 1, those skilled in the art will appreciate that the application scenario 100 may include more or fewer devices in the course of an actual application. It should be understood that those skilled in the art may replace the devices in the application scenario 100 according to actual needs, and the embodiments of the present application are not limited thereto.

For example, the user may replace the first gateway 120 in the application scenario 100 with a router, a switch, or other network device. Correspondingly, the user may replace the second gateway 130 with another network device such as a router or a switch.

Referring to fig. 2, fig. 2 is a flowchart illustrating a method for transmitting data according to an embodiment of the present application, where the method shown in fig. 2 includes:

Step S210, the user sets a VPN tunnel and a security policy corresponding to the VPN tunnel through the network device.

It should be understood that the specific type of the network device may be set according to actual requirements, and the embodiments of the present application are not limited thereto.

For example, the network device may be a device that transmits data as shown in fig. 4, an electronic device as shown in fig. 5, a gateway, a router, a switch, or the like.

It should also be understood that the specific tunnel type of the VPN tunnel may also be set according to actual requirements, and the embodiments of the present application are not limited thereto. For example, the VPN tunnel can be an IPSEC tunnel or the like.

It should also be understood that the specific number of VPN tunnels may also be set according to actual requirements, and the embodiments of the present application are not limited thereto.

It should also be understood that the tunnel scenario corresponding to the VPN tunnel may also be set according to actual requirements, and the embodiment of the present application is not limited thereto. For example, VPN tunnels corresponding to different service providers (such as the carriers China Mobile, China Unicom and China Telecom) may be set between two subnetworks, that is, one service provider corresponds to one VPN tunnel. For another example, VPN tunnels corresponding to different IP addresses of the same service provider may also be set between two subnets, that is, one IP address corresponds to one VPN tunnel.

Specifically, a user may set up a VPN tunnel between two subnets through a device (e.g., a computer, etc.) communicatively connected to the network device. The setting of the VPN tunnels comprises adding priority options in tunnel configuration containing configuration information such as tunnel identifiers, IP addresses and the like, and assigning the priority of each VPN tunnel.

It should be understood that the priority of the VPN tunnel may be represented by a preset identifier, and the embodiments of the present application are not limited thereto. For example, the preset identifier may be an arabic numeral, a letter, a roman numeral, or the like.

It should also be understood that the value of the priority of each VPN tunnel may also be set according to actual requirements, and the embodiment of the present application is not limited thereto.

For example, a user may assign a value to the priority of the VPN tunnel according to an application scenario, and the higher the value of the priority is, the higher the priority is. For another example, since an application scenario (e.g., a network environment, etc.) may change at any time, a user may subsequently reset the priorities of one or more VPN tunnels again, so as to achieve controllability of data transmission by controlling the VPN tunnels through which data is transmitted.

It should also be understood that configuration information included in the configuration of the VPN tunnel may also be set according to actual requirements, and the embodiment of the present application is not limited thereto.

Further, after the user sets the VPN tunnel, the user may proceed to set the security policy through the device communicatively connected to the network device. The two network devices can perform tunnel negotiation according to a standard VPN tunnel negotiation method, create a security policy corresponding to the VPN tunnel, and subsequently store the created security policy in a security policy library after the security policy is completed. The security policy corresponding to the VPN tunnel may include a priority of the corresponding VPN tunnel.

It should be understood that the priority of the VPN tunnel recorded in the security policy and the priority in the configuration of the corresponding VPN tunnel may be kept consistent, so that, subsequently, when a matching VPN tunnel is determined by the security policy, the corresponding VPN tunnel can be quickly queried by the priority in the security policy.

It should also be understood that the security policy may include other information besides the priority of the VPN tunnel, and the embodiments of the present application are not limited thereto. For example, the security policy may also include an identification of the corresponding VPN tunnel, etc.

It should be noted that, although step S210 in the embodiment of the present application illustrates a process in which a user sets a VPN tunnel and a security policy, it should be understood by those skilled in the art that the VPN tunnel and the security policy corresponding to the VPN tunnel in the embodiment of the present application may also be set in advance, so that the embodiment of the present application may directly perform step S220, that is, step S210 does not need to be performed, and the embodiment of the present application is not limited thereto.

Step S220, the network device obtains the priority of the VPN tunnel in the security policies of the at least two VPN tunnels.

It should be understood that the tunnel type of each of the at least two VPN tunnels may be set according to actual requirements, and the embodiments of the present application are not limited thereto.

For example, when data transmission is not performed between two subnetworks, one VPN tunnel of the at least two VPN tunnels is a primary tunnel, and the other tunnels are backup tunnels, where the primary tunnel may be a subsequently selected VPN tunnel with the highest priority, that is, the scenario in the embodiment of the present application is to select the primary tunnel from multiple tunnels between the two subnetworks. For another example, before step S220, in a case that the network device determines that the main tunnel between the two subnetworks is disconnected, the at least two VPN tunnels may both be backup tunnels, that is, in the scenario of this embodiment of the application, one backup tunnel capable of transmitting data is selected from the at least two backup tunnels.

Specifically, in a case where communication through a VPN tunnel is required between two subnetworks, the network device may determine the priority of the VPN tunnel in the security policy by querying the security policy repository.

It should be understood that the network device may query all security policies in the security policy repository, or may query only a part of the security policies in the security policy repository, as long as it is ensured that the number of the queried security policies is not less than two, and the embodiment of the present application is not limited thereto.

For example, the network device may traverse all the security policies in the security policy repository to determine the VPN tunnel with the highest priority according to the priority of the VPN tunnel in each security policy.

For another example, when the number of security policies in the security policy repository exceeds a preset number, the network device may randomly select N security policies from the security policy repository, and determine, according to the priority of the VPN tunnel in each of the N security policies, the VPN tunnel with the highest priority among the N VPN tunnels corresponding to the N security policies, where N is a positive integer greater than or equal to 2, and the preset number may also be set according to actual requirements. In this way, the long traversal time caused by a large number of security policies can be avoided: the number of security policies that need to be queried is reduced, the waiting time of the user is reduced accordingly, and the user experience is improved.

In step S230, the network device selects a VPN tunnel with the highest priority from the security policies of the at least two VPN tunnels.

It should be understood that the specific selection manner of the network device selecting the VPN tunnel with the highest priority may be set according to actual requirements, and the embodiment of the present application is not limited to this.

Optionally, the network device determines that the priority of any one of all VPN tunnels is a temporary highest priority; sequentially traversing the security policies of the other VPN tunnels, and updating the temporary highest priority to determine the final temporary highest priority; and determining the VPN tunnel corresponding to the final temporary highest priority as the VPN tunnel with the highest priority.

The network device updates the temporary highest priority to determine a final temporary highest priority, including: under the condition that the priority of the current VPN tunnel is higher than the temporary highest priority, updating the temporary highest priority to the priority of the current VPN tunnel; or, in case that the priority of the current VPN tunnel is equal to or lower than the temporary highest priority, the temporary highest priority is kept unchanged.

For example, in a case that the network device needs to query the security policies of 2 VPN tunnels, the network device may determine the priority of the VPN tunnel in the security policy of the 1st matched VPN tunnel as the temporary highest priority, where the temporary highest priority at this time is the priority corresponding to the security policy of the 1st VPN tunnel. Subsequently, when the network device matches the security policy of the 2nd VPN tunnel, the network device compares the priority corresponding to the security policy of the 2nd VPN tunnel with the temporary highest priority. If the priority corresponding to the security policy of the 2nd VPN tunnel is higher than the temporary highest priority, the temporary highest priority is updated to the priority corresponding to the security policy of the 2nd VPN tunnel, and this priority is also the final temporary highest priority. If the priority of the VPN tunnel in the security policy of the 2nd VPN tunnel is less than or equal to the temporary highest priority, the temporary highest priority remains unchanged, that is, the final temporary highest priority is the priority corresponding to the security policy of the 1st VPN tunnel.

It should be noted that, although the foregoing describes a case where the temporary highest priority may be the same as the priority corresponding to the first matched security policy, it should be understood by those skilled in the art that, when the first security policy is matched, the temporary highest priority may also be set to be the preset priority, that is, the temporary highest priority may also be different from the priority corresponding to the first matched security policy. The preset priority may be any number except the maximum priority in all priorities corresponding to all security policies, and the embodiment of the present application is not limited thereto.

Optionally, the network device may also sequence all priorities corresponding to the security policies of all VPN tunnels, so as to select a VPN tunnel with the highest priority according to the sequencing result.

For example, in a case that the network device needs to query the security policies of 4 VPN tunnels, the network device sorts all the priorities corresponding to the security policies of the 4 VPN tunnels in descending order. Subsequently, the network device may determine the priority of the VPN tunnel in the security policy of the first VPN tunnel at the head in the sorted queue as the highest priority, and set the corresponding tunnel as the VPN tunnel with the highest priority.

In step S240, the network device transmits data by using the VPN tunnel with the highest priority.

In addition, when the network device transmits data by using the current tunnel (for example, the VPN tunnel with the highest current priority), if the application scenario changes, the user may adjust the priorities of other VPN tunnels and security policies corresponding to other VPN tunnels regardless of whether the current tunnel is disconnected. Subsequently, the network device may select a VPN tunnel suitable for the current application scenario by performing steps S220 to S240 again, and transmit data using the selected VPN tunnel (or, the network device may select a VPN tunnel with the highest transmission performance in the current changed scenario and transmit data using the selected VPN tunnel), so that the transmission performance can be ensured.

For example, when the network device transmits data using a mobility-related VPN tunnel, if a problem occurs in the mobile network, the user may adjust the priority of the connectivity-related VPN tunnel and the security policy corresponding to the connectivity-related VPN tunnel. Subsequently, the network device may perform steps S220 to S240 again to select the connectivity-related VPN tunnel and transmit data by using it.

In addition, if the network device needs to tear down the VPN tunnel, the network device also needs to delete the security policy in step S210, that is, when the network device tears down the VPN tunnel, the network device also needs to delete the history setting data related to the VPN tunnel that needs to be torn down.

Therefore, in the embodiment of the present application, the priority of the VPN tunnel in the security policies of the at least two VPN tunnels is obtained, and the VPN tunnel with the highest priority is selected from the security policies of the at least two VPN tunnels, and the VPN tunnel with the highest priority is used for transmitting data. Therefore, under the condition that two VPN tunnels are established between two subnetworks, data can be transmitted by selecting the VPN tunnel with the highest priority, and the VPN tunnel with the highest priority has better data transmission performance, so that the stability of data transmission can be ensured.

In order to facilitate understanding of the embodiments of the present application, the following description will be given by way of specific examples.

Referring to fig. 3, fig. 3 is a specific flowchart illustrating a method for transmitting data according to an embodiment of the present application, where the method shown in fig. 3 includes:

Step S310, sets the priority of the VPN tunnel.

In particular, a priority value $V_p$ is added to the VPN tunnel, and the priority value $V_p$ is assigned. The priority value $V_p$ can be set by the user according to the application scenario.

Step S320, tunnel negotiation is carried out according to the standard tunnel negotiation method, a security policy is established, and the priority value $V_p$ is set in the security policy.

Step S330, when the devices in the two subnetworks need to communicate through the VPN tunnel and the query matches the first security policy, the temporary highest priority $V_h$ records the priority value $V_{p1}$ of the first security policy. That is, the priority of the first security policy is marked with the temporary highest priority $V_h$.

Step S340, when the second security policy is found by traversing the security policy repository, the temporary highest priority $V_h$ is compared with the priority value $V_{p2}$ in the second security policy. If the temporary highest priority $V_h$ is less than the priority value $V_{p2}$, the temporary highest priority $V_h$ is updated to the priority value $V_{p2}$. If the temporary highest priority $V_h$ is greater than or equal to the priority value $V_{p2}$, the temporary highest priority $V_h$ remains unchanged.

Step S350, all the security policies in the security policy repository that match the data stream are traversed in sequence in the manner of step S340, and after the traversal is finished, the VPN tunnel corresponding to the final temporary highest priority $V_h$ is used for communication between the two subnetworks.
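The selection logic of steps S330 to S350, together with the sorting and random-sampling variants discussed under steps S220 and S230 and the primary/backup distinction, as an added worked example; this is illustration code written for this page, not code from the application. The policy fields, tunnel names, subnet values and the flow descriptor (source and destination address) are constructed assumptions, and the tie rule (equal priority leaves $V_h$ unchanged, so the earlier policy wins) follows step S340.

```python
"""Selecting the highest-priority VPN tunnel from a security policy repository.

Constructed illustration of steps S330 to S350 and of the traversal, sorting
and sampling variants described with steps S220 and S230. Policy fields,
tunnel names, subnets and priority values are assumptions for this example.
"""
import random
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """One entry in the security policy repository (constructed fields)."""
    tunnel_id: str         # VPN tunnel the policy was negotiated for (S320)
    priority: int          # priority value V_p copied into the policy (S320)
    src: str               # protected subnet on the local side
    dst: str               # protected subnet on the remote side
    role: str = "primary"  # "primary" or "backup" (step S220 discussion)

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        """A policy matches a data stream when both endpoints fall in its subnets."""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst))


def select_by_traversal(policies: Iterable[SecurityPolicy],
                        src_ip: str, dst_ip: str) -> Optional[str]:
    """Steps S330 to S350: keep a temporary highest priority V_h.

    The first matching policy seeds V_h (S330); every later matching policy
    replaces V_h only when its V_p is strictly greater (S340), so ties keep
    the earlier tunnel. Returns the tunnel id belonging to the final V_h, or
    None when no policy in the repository matches the stream at all.
    """
    v_h: Optional[int] = None
    best: Optional[str] = None
    for pol in policies:
        if not pol.matches(src_ip, dst_ip):
            continue
        if v_h is None or pol.priority > v_h:   # strictly higher: update V_h
            v_h, best = pol.priority, pol.tunnel_id
        # equal or lower: V_h remains unchanged
    return best


def select_by_sorting(policies: Iterable[SecurityPolicy],
                      src_ip: str, dst_ip: str) -> Optional[str]:
    """Alternative from the S230 discussion: sort the matching policies in
    descending priority and take the head of the queue. Python's sort is
    stable, so ties resolve to the earlier policy, as in select_by_traversal."""
    matched: List[SecurityPolicy] = [p for p in policies if p.matches(src_ip, dst_ip)]
    if not matched:
        return None
    matched.sort(key=lambda p: p.priority, reverse=True)
    return matched[0].tunnel_id


def select_with_sampling(policies: List[SecurityPolicy], src_ip: str, dst_ip: str,
                         preset_number: int, n: int, seed: int = 0) -> Optional[str]:
    """Variant from the S220 discussion: when the repository holds more than the
    preset number of policies, query only N randomly chosen ones (N >= 2).
    The answer is then the best tunnel of the sample, not necessarily of the
    whole repository; the seed makes the sample reproducible."""
    if n < 2:
        raise ValueError("N must be a positive integer greater than or equal to 2")
    if len(policies) > preset_number:
        policies = random.Random(seed).sample(policies, n)
    return select_by_traversal(policies, src_ip, dst_ip)


def select_tunnel(policies: List[SecurityPolicy], src_ip: str, dst_ip: str,
                  primary_disconnected: bool = False) -> Optional[str]:
    """Top-level choice per step S220: normally the primary tunnel is the
    highest-priority one; once the network device has determined that the
    primary tunnel is disconnected, only backup tunnels are candidates."""
    if primary_disconnected:
        policies = [p for p in policies if p.role == "backup"]
    return select_by_traversal(policies, src_ip, dst_ip)


# Constructed repository: two subnets joined by three tunnels, plus one
# policy for an unrelated site that must never match the 10.2.0.0/16 stream.
REPOSITORY = [
    SecurityPolicy("tun-mobile", 30, "10.1.0.0/16", "10.2.0.0/16", "primary"),
    SecurityPolicy("tun-fiber", 20, "10.1.0.0/16", "10.2.0.0/16", "backup"),
    SecurityPolicy("tun-satellite", 20, "10.1.0.0/16", "10.2.0.0/16", "backup"),
    SecurityPolicy("tun-other-site", 90, "10.1.0.0/16", "10.3.0.0/16", "primary"),
]

if __name__ == "__main__":
    print(select_tunnel(REPOSITORY, "10.1.5.9", "10.2.7.3"))        # tun-mobile
    print(select_tunnel(REPOSITORY, "10.1.5.9", "10.2.7.3", True))  # tun-fiber
```

Re-running `select_tunnel` after the user has adjusted priorities is exactly the re-selection described for steps S220 to S240: the repository is the only state, so a changed priority value takes effect on the next query. The `None` return covers the case the text leaves implicit, a stream for which no negotiated policy exists, and the caller should treat it as "no tunnel" rather than falling through to an unprotected path.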

Therefore, in the embodiment of the present application, a user may configure the priority of the VPN tunnel in the security policy of the VPN tunnel according to an actual situation, so that when devices in two subnetworks need to communicate through the VPN tunnel, the devices can perform policy matching according to the priority of the security policy configured by the user, so that data transmission has controllability, and stability of data transmission is increased.

It should be understood that the above method for transmitting data is only exemplary, and those skilled in the art can make various changes, modifications or variations according to the above method and also fall within the scope of the present application.

For example, while the operations of the methods of the present application are depicted in the drawings in a particular order, this does not require or imply that the operations must be performed in this particular order, or that all of the illustrated operations must be performed, to achieve desirable results. For example, with the method of transmission shown in fig. 3, in the case where the VPN tunnel and the security policy are set in advance, step S330 may be performed directly. Conversely, the steps depicted in the flowcharts may be executed in a different order. Additionally or alternatively, certain steps may be omitted, multiple steps may be combined into one step, and/or one step may be broken down into multiple steps. For example, for the method of transmission shown in fig. 3, step S310 and step S320 may be combined into one step for execution.

Referring to fig. 4, fig. 4 shows a block diagram of a device 400 for transmitting data according to an embodiment of the present application, it should be understood that the device 400 corresponds to the method embodiment of fig. 2 to fig. 3, and is capable of performing various steps related to the method embodiment, and specific functions of the device 400 may be referred to the description above, and detailed descriptions are appropriately omitted herein to avoid repetition. The device 400 includes at least one software function module that can be stored in a memory in the form of software or firmware (firmware) or solidified in an Operating System (OS) of the device 400. Specifically, the apparatus 400 includes:

An obtaining module 410, configured to obtain priorities of at least two virtual private network VPN tunnels in a security policy of the VPN tunnels; a selecting module 420, configured to select a VPN tunnel with a highest priority from the security policies of the at least two VPN tunnels; and a transmission module 430, configured to transmit data using the VPN tunnel with the highest priority.

In one possible embodiment, at least two VPN tunnels are backup tunnels, and the apparatus 400 further comprises: a first determining module (not shown) for determining that the main tunnel is disconnected before acquiring the priority of the VPN tunnel in the security policies of the at least two virtual private network VPN tunnels.

In one possible embodiment, one of the at least two VPN tunnels is a primary tunnel and the remaining VPN tunnels are backup tunnels.

In one possible embodiment, the selecting module 420 includes: a second determining module (not shown) for determining the priority of any one of all the VPN tunnels as a temporary highest priority; a third determining module (not shown) configured to sequentially traverse the security policies of the remaining VPN tunnels, and update the temporary highest priority to determine a final temporary highest priority; and a fourth determining module (not shown) configured to determine the VPN tunnel corresponding to the final temporary highest priority as the VPN tunnel with the highest priority.

In one possible embodiment, the third determination module is to: under the condition that the priority of the current VPN tunnel is higher than the temporary highest priority, updating the temporary highest priority to the priority of the current VPN tunnel; or, in case that the priority of the current VPN tunnel is equal to or lower than the temporary highest priority, the temporary highest priority is kept unchanged.

It is clear to those skilled in the art that, for convenience and brevity of description, the specific working process of the apparatus described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.

Fig. 5 is a block diagram of an electronic device 500 in an embodiment of the present application. Electronic device 500 may include a processor 510, a communication interface 520, a memory 530, and at least one communication bus 540, where the communication bus 540 is used for realizing direct connection communication among these components. The communication interface 520 in the embodiment of the present application is used for communicating signaling or data with other devices. Processor 510 may be an integrated circuit chip having signal processing capabilities. The Processor 510 may be a general-purpose Processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; but it may also be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, discrete gate or transistor logic, or discrete hardware components, and may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general purpose processor may be a microprocessor, or the processor 510 may be any conventional processor or the like.

The Memory 530 may be, but is not limited to, a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like. The memory 530 stores computer readable instructions, and when the computer readable instructions are executed by the processor 510, the electronic device 500 may perform the steps involved in the method embodiments of fig. 2 to 3.

The electronic device 500 may further include a memory controller, an input-output unit, an audio unit, and a display unit.

The memory 530, the memory controller, the processor 510, the peripheral interface, the input/output unit, the audio unit, and the display unit are electrically connected to each other directly or indirectly to realize data transmission or interaction. For example, these elements may be electrically coupled to each other via one or more communication buses 540. The processor 510 is used to execute executable modules stored in the memory 530. Also, the apparatus 300 is configured to perform the following method: acquiring the priority of the VPN tunnels in the security policies of at least two virtual private network VPN tunnels; selecting a VPN tunnel with the highest priority from the security policies of at least two VPN tunnels; and transmitting the data by using the VPN tunnel with the highest priority.

The input and output unit is used for providing input data for a user to realize the interaction of the user and the server (or the local terminal). The input/output unit may be, but is not limited to, a mouse, a keyboard, and the like.

The audio unit provides an audio interface to the user, which may include one or more microphones, one or more speakers, and audio circuitry.

The display unit provides an interactive interface (e.g. a user interface) between the electronic device and a user or for displaying image data to a user reference. In this embodiment, the display unit may be a liquid crystal display or a touch display. In the case of a touch display, the display can be a capacitive touch screen or a resistive touch screen, which supports single-point and multi-point touch operations. The support of single-point and multi-point touch operations means that the touch display can sense touch operations simultaneously generated from one or more positions on the touch display, and the sensed touch operations are sent to the processor for calculation and processing.

It will be appreciated that the configuration shown in FIG. 5 is merely illustrative and that the electronic device 500 may include more or fewer components than shown in FIG. 5 or may have a different configuration than shown in FIG. 5. The components shown in fig. 5 may be implemented in hardware, software, or a combination thereof.

The present application also provides a storage medium having a computer program stored thereon, which, when executed by a processor, performs the method of the method embodiments.

The present application also provides a computer program product which, when run on a computer, causes the computer to perform the method of the method embodiments.

It can be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the system described above may refer to the corresponding process in the foregoing method, and will not be described in too much detail herein.

It should be noted that, in the present specification, the embodiments are all described in a progressive manner, each embodiment focuses on differences from other embodiments, and the same and similar parts among the embodiments may be referred to each other. For the device-like embodiment, since it is basically similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.

In the embodiments provided in the present application, it should be understood that the disclosed apparatus and method can be implemented in other ways. The apparatus embodiments described above are merely illustrative; for example, the flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of apparatus, methods and computer program products according to various embodiments of the present application. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams and/or flowchart illustration, and combinations of blocks in the block diagrams and/or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or by combinations of special purpose hardware and computer instructions.

In addition, functional modules in the embodiments of the present application may be integrated together to form an independent part, or each module may exist separately, or two or more modules may be integrated to form an independent part.

The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application, or the portions thereof that substantially contribute to the prior art, may be embodied in the form of a software product stored in a storage medium and including instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method according to the embodiments of the present application. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, and other various media capable of storing program code. It is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other identical elements in a process, method, article, or apparatus that comprises the element.

The above description is only a preferred embodiment of the present application and is not intended to limit the present application, and various modifications and changes may be made by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present application shall be included in the protection scope of the present application. It should be noted that: like reference numbers and letters refer to like items in the following figures, and thus, once an item is defined in one figure, it need not be further defined and explained in subsequent figures.

The above description is only for the specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily conceive of the changes or substitutions within the technical scope of the present application, and shall be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
