摘要： 针对大规模虚拟专用网络中安全隧道管理的复杂性，提出了一种基于组策略的管理模型。通信实体按其安全需求聚合为不同的安全组，组策略以抽象方式定义组内成员间通信的安全保护机制，设备之间的隧道连接关系则通过对组策略的扩展自动生成。模型实现了对全网VPN 设备的统一管理，有效减轻了VPN 的管理负担，具有良好的扩展能力。

关键词: 虚拟专用网；安全隧道；组策略；安全组

Abstract: Group policy based management architecture is proposed to solve complexity problem of security tunnel management in large-scale VPN network. In this architecture, communication entities are aggregated into different security groups, and group policy is used to regulate security protection mechanism for communications among group members. For each VPN device, tunnel relationships are computed automatically via extension of corresponding group policy. This architecture is both efficient and scalable, and is supposed to have promising perspective

Key words: VPN; Security tunnel; Group policy; Security group