JP2011239277A - Vpn apparatus, vpn networking method, program, and storage medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a VPN apparatus that can minimize communication delay and/or communication failure with respect to bursty packet generation at the establishment of VPN communication path between a plurality of VPN apparatuses.SOLUTION: There is provided a VPN apparatus such as a VPN apparatus 101. The VPN apparatus 101 communicates with another VPN apparatus 301 over a VPN established between the two apparatuses and between a network 100 and a network 300, and starts transmitting communication data to the VPN 301 through a call control server 202 before the VPN is established. The VPN apparatus 101 specifies, for a priority mode, a TCP mode in which TCP data transmission is made priority or a UDP mode in which UDP data transmission is made priority. The VPN apparatus 101 determines whether a protocol type of communication data to be transmitted is UDP or TCP, and transmits the communication data or restricts the transmission of the communication data depending on whether or not the determined protocol type of the communication data is a protocol type specified for the priority mode.

Description

  The present invention provides a VPN (Virtual Private Network) for connecting between networks using a communication network in which a large number of subscribers share a band instead of a dedicated communication line (dedicated line) to which a communication partner is fixed in network communication. : Virtual private network) VPN device, VPN networking method, program, and storage medium.

  A virtual private network (hereinafter referred to as a VPN) is generally a network segment of a different network segment, such as a local area network (LAN) between two or more bases in a company or the like. Connect to each other via And it is comprised so that the whole may be one private network (private line) virtually by ensuring the secrecy of communication. This enables a communication service similar to that used when a dedicated line is used.

  Such a VPN includes a so-called Internet VPN constructed using a WAN such as the Internet or a public line network, and an IP-VPN constructed using a communication network different from the Internet such as a carrier closed network, It is divided roughly into. In particular, the number of users of the Internet VPN is increasing because it is possible to construct a VPN at a low cost by using a broadband network infrastructure and using the Internet.

  In constructing a VPN, for example, when communication is performed between different bases, there is a risk of communication leakage, wiretapping, tampering and the like because a shared communication network such as the Internet is interposed in the middle of the communication path. Therefore, in the VPN technology, in order to ensure the confidentiality of communication, the basic technical idea is to encrypt and encapsulate data in any layer of the network. Here, wrapping a communication protocol in packets of another communication protocol and sending it is called “encapsulation”.

  Specific examples of encryption protocols used in the VPN technology include IPsec (Security Architecture for Internet Protocol) that performs encryption in the IP (Internet Protocol) layer, TCP (Transmission Control Protocol) layer (particularly HTTP: Hyper Text Transfer Protocol). SSL (Secure Sockets Layer), etc., which performs encryption in a known manner. In addition, as examples of other VPN technologies, SSH, TLS, SoftEther, PPTP, L2TP, L2F, MPLS, and the like are known. The software VPN that constructs the VPN by software uses the tunneling technology using the above-described IPsec or SSL. Here, communicating a certain communication protocol as data of the same or higher layer protocol is referred to as “tunneling”. When constructing a VPN, a virtual tunnel is constructed by encrypting and encapsulating a packet by a VPN device provided in a network relay device or a communication terminal or the like (hereinafter also referred to as “peer”). This establishes a closed communication path connecting the peers.

  For example, as a technology for interconnecting networks, a reverse tunnel technology is used to construct a communication path, transmission of the communication path maintenance data to maintain the communication path, and electronic signatures to prevent communication leakage, etc. And those that perform encryption have been proposed (see, for example, Patent Document 1). In this patent document 1, in order for an external host in an external network to establish a tunnel and communicate with an internal host in an internal network across a firewall, according to the timing required to maintain the tunnel. Transmission means for transmitting communication path maintenance data for maintaining the tunnel and electronic signature means for applying an electronic signature to the communication path maintenance data are provided.

JP 2008-160497 A

  By the way, when establishing a VPN communication path using a plurality of VPN devices, one of the VPN devices transmits a connection request to the desired VPN device. The VPN device that has received the connection request transmits a connection response to the connection request to the source VPN device. If VPN communication is possible between the VPN devices, a VPN communication path is established, and thereafter, communication data can be transmitted and received by VPN.

  Here, as a communication format of VPN communication performed by the VPN apparatus, there are communication using a TCP (Transmission Control Protocol) protocol (hereinafter referred to as TCP communication) and communication using a UDP (User Datagram Protocol) protocol (hereinafter referred to as UDP communication). . TCP communication is a connection-type communication format, which is highly reliable and ensures data communication, but does not require real-time characteristics. On the other hand, UDP communication is a connectionless communication format and is used for communication with high real-time properties, but data communication is not guaranteed and is a communication mode with low reliability.

  In TCP communication, a TCP packet (TCP data) is transmitted and received, and in UDP communication, a UDP packet (UDP data) is transmitted and received. TCP data is mainly used for data that requires high reliability, such as data for data communication and control data, and UDP data is mainly used for data for image communication, data for voice communication, etc. Used for data that requires real-time performance. These data may be transmitted and received at the same time. In general, when data is transmitted and received in bursts when trying to transmit some data, the load on the VPN device or VPN system temporarily increases, resulting in communication delay, communication failure, etc. is there. Therefore, in order to avoid such a failure as much as possible, in the processing mode in which these data are transmitted in bursts, the priority order of the data to be transmitted / received is determined in consideration of the type of data to be transmitted / received. Is preferred.

  Furthermore, in many cases, the TCP communication does not require real-time property. However, for example, when streaming a moving image, it is considered necessary to receive a large amount of TCP data while ensuring the real-time property. In such a case, it is preferable not to determine the priority order of data to be transmitted / received according to only the data type.

  The present invention has been made in view of the above circumstances, and minimizes the occurrence of communication delay and communication failure for bursty packets generated when establishing a VPN communication path between a plurality of VPN devices. An object of the present invention is to provide a VPN device, a VPN networking method, a program, and a storage medium.

  The VPN apparatus according to the present invention is a VPN apparatus that constructs a virtual private network with another VPN apparatus on the network and performs VPN communication, and before the virtual private network is constructed, the VPN apparatus And a communication data transmission unit that transmits communication data to the other VPN device via a call control server that performs call control processing between the communication data transmission unit and the other VPN device, and a communication that is transmitted by the communication data transmission unit A data type determination unit that determines whether the protocol type of data is a first protocol that requires real-time property or a second protocol that performs retransmission control, and a priority is given to transmission of communication data of the first protocol. One of the first priority mode and the second priority mode that prioritizes transmission of communication data of the second protocol is set as the priority mode. If the protocol type determined by the data type determination unit matches the protocol type prioritized in the priority mode set by the priority mode setting unit, the communication data is transmitted. A transmission control unit that controls the communication data transmission unit so as to limit transmission of the communication data if they do not match.

  With this configuration, in order to determine whether to perform transmission or to restrict transmission according to the protocol type to be preferentially transmitted and the protocol type of actual communication data, a transmission request is transmitted in bursts when establishing a VPN communication path. Even if this occurs, transmission of the priority communication data can be started early via the call control server. Further, since transmission of non-prioritized communication data is restricted, it is possible to reduce the load on the call control server.

  In the VPN apparatus according to the present invention, when the protocol of the communication data is determined as the first protocol by the data type determination unit and the second priority mode is set by the priority mode setting unit, the communication data A data amount restriction unit for restricting the data amount of communication data transmitted by the transmission unit is provided.

  With this configuration, even in the second priority mode in which transmission of the first protocol requiring real time is not prioritized, the amount of data is limited when the communication data of the first protocol is transmitted, but a VPN communication path is established. Since transmission can be started before, communication delay of communication data of the first protocol can be minimized.

  In the VPN apparatus of the present invention, when the data type determination unit determines that the protocol of the communication data is the second protocol, and the priority mode setting unit sets the first priority mode, the communication data A transmission timing limiting unit that limits a transmission timing at which communication data is transmitted by the transmission unit is provided.

  With this configuration, even in the first priority mode in which the transmission of the second protocol for performing retransmission control is not prioritized, the transmission timing is limited when the communication data of the second protocol is transmitted, but the VPN communication path is established. Since transmission can be started before, communication delay of communication data of the second protocol can be minimized.

  The VPN apparatus of the present invention includes a communication data storage unit that stores communication data transmitted by the communication data transmission unit, a free capacity detection unit that detects a free capacity of the communication data storage unit, and the data type determination The communication data storage unit detected by the free capacity detection unit when the protocol of the communication data is determined to be the second protocol by the unit and the first priority mode setting unit sets the first priority mode. A communication data storage control unit that controls to store the communication data in the communication data storage unit when the free space is equal to or greater than a predetermined capacity.

  With this configuration, even when the transmission timing of the communication data of the second protocol is limited, the communication data is stored when there is an empty space in the predetermined buffer for storing the communication data. Therefore, most of the communication data of the second protocol can be periodically transmitted or stored in a buffer. Furthermore, even if it is not stored in the buffer, it is possible to avoid the loss of communication data by the retransmission control function of the second protocol.

  The VPN networking method of the present invention is a VPN networking method for a VPN device that constructs a virtual private network with other VPN devices and performs VPN communication on the network, and the virtual private network is constructed. Before transmitting communication data to the other VPN device via a call control server that performs call control processing between the VPN device and the other VPN device, and Determining whether the protocol type is a first protocol that requires real-time property or a second protocol that performs retransmission control; a first priority mode that prioritizes transmission of communication data of the first protocol; Either of the second priority mode that prioritizes transmission of communication data of the second protocol is set to the priority mode. If the protocol type of the determined communication data and the protocol type prioritized in the set priority mode match, the communication data is transmitted, and if not, the communication data is transmitted. Controlling to limit.

  The program of the present invention is a program for executing each step of the VPN networking method.

  The storage medium of the present invention is a computer-readable storage medium storing a program for executing each step of the VPN networking method.

  A VPN communication path is established by such a method, program, and storage medium in order to determine whether to perform transmission or restrict transmission according to the protocol type to be preferentially transmitted and the protocol type of the actual communication data. Even when a transmission request is generated in bursts, transmission of priority communication data can be started early via the call control server. Further, since transmission of non-prioritized communication data is restricted, it is possible to reduce the load on the call control server.

  According to the present invention, it is possible to minimize the occurrence of communication delay and communication failure with respect to bursty packets that occur when establishing a VPN communication path between a plurality of VPN devices.

The figure which shows the structural example of the VPN system which concerns on embodiment of this invention 1 is a block diagram showing a configuration example of a hardware configuration of a VPN apparatus according to an embodiment of this invention The block diagram which shows the functional structural example of the VPN apparatus of embodiment of this invention The flowchart which shows an example of the process sequence at the time of determination of the classification of communication data and priority mode in the VPN system of embodiment of this invention The flowchart which shows an example of the TCP data transmission process (1st transmission process) in TCP priority mode in the VPN apparatus of embodiment of this invention The flowchart which shows an example of UDP data transmission process (2nd transmission process) in TCP priority mode in the VPN apparatus of embodiment of this invention The flowchart which shows an example of the flow volume restriction | limiting process of UDP data in TCP priority mode in the VPN apparatus of embodiment of this invention The flowchart which shows an example of the TCP data transmission process (3rd transmission process) in UDP priority mode in the VPN apparatus of embodiment of this invention Image of periodic transmission of TCP data in the UDP priority mode in the VPN apparatus according to the embodiment of the present invention The flowchart which shows an example of the periodic transmission process and buffering process of TCP data in UDP priority mode in the VPN apparatus of embodiment of this invention The flowchart which shows an example of the buffering control process of TCP data in UDP priority mode in the VPN apparatus of embodiment of this invention The figure which shows an example of the buffer size and transmission / reception timing of TCP data in UDP priority mode in the VPN apparatus of embodiment of this invention The flowchart which shows an example of the UDP data transmission process (4th transmission process) in UDP priority mode in the VPN apparatus of embodiment of this invention The figure which shows the modification of a structure of the VPN system which concerns on embodiment of this invention.

  Hereinafter, a VPN apparatus, a VPN networking method, a program, and an embodiment as an example of a storage medium according to the present invention will be described. Here, a configuration example in the case where a virtual private network (VPN) system is constructed by connecting paths (LAN, local network) of two local area networks via a wide area network (WAN, global network) is shown. A wired LAN or a wireless LAN is used as the LAN. The WAN is used as the WAN.

  FIG. 1 is a diagram showing a configuration example of a VPN system according to an embodiment of the present invention. The VPN system of this embodiment connects a communication path between the LAN 100 provided at one site and the LAN 300 provided at another site via a WAN 200 such as the Internet. Communication between the terminal 103 connected under the LAN 100 and the terminal 303 connected under the LAN 300 ensures communication with VPN (also referred to as “VPN communication”). As specific uses (application programs, etc.) of VPN communication, IP phone (voice call), net meeting (moving image & voice communication), network camera (video transmission), etc. are assumed.

  A router 102 is disposed at the boundary between the LAN 100 and the WAN 200, and a router 302 is disposed at the boundary between the WAN 200 and the LAN 300. In this embodiment, in order to enable the construction of a VPN, the VPN apparatus 101 is connected to the LAN 100 and the VPN apparatus 301 is connected to the LAN 300. A subordinate terminal 103 is connected to the VPN apparatus 101, and a subordinate terminal 303 is connected to the VPN apparatus 301.

  In addition, on the WAN 200, a STUN server 201 and a call control server 202 are connected to enable a VPN connection (hereinafter referred to as “VPN connection”) between the VPN apparatus 101 and the VPN apparatus 301. ing. The STUN server 201 is a server used to execute a STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators (NATs)) protocol. The call control server 202 is a server used for making and receiving calls between peers such as VPN devices and terminals.

  In FIG. 1, a broken line indicates a flow of external address / port information including external address (global IP address) and port information. A one-dot chain line indicates a flow of a call control signal related to control of outgoing and incoming calls. A solid line indicates a flow of communication between peers (P2P communication) regarding communication data transmitted between peers. Further, a communication path connected by VPN for P2P communication is represented in the figure as a virtual tunnel. Although a case where direct communication is performed between peers is shown here as a VPN-connected communication path, VPN connection may be performed via the relay server 203.

  When each device communicates via the WAN 200, global address information that can be specified in the WAN is used on the WAN 200 as address information for specifying the source and destination of a packet to be transmitted. Since an IP network is generally used, a global IP address and a port number are used. However, in communication within each LAN 100, 300, local address information that can be specified only within the LAN is used as address information for specifying a transmission source and a transmission destination. Since an IP network is generally used, a local IP address and a port number are used. Therefore, in order to enable communication between the LANs 100 and 300 and the WAN 200, each router 102 and 302 has a NAT (Network Address Translation) function for performing mutual conversion between local address information and global address information. Has been. In the case of other than the IP network, global address information other than the global IP address may be used.

  However, each terminal under the LAN 100, 300 does not have global IP address information accessible from the outside. In addition, unless special settings are made, the terminal 103 under the LAN 100 cannot directly communicate with the terminal 303 under the other LAN 300. Further, because of the NAT function of each router 102, 302, it is impossible to access each terminal in each LAN 100, 300 from the WAN 200 side in a normal state.

  Even in such a situation, in this embodiment, VPN devices 101 and 301 are provided in the LANs at the respective bases, so that the LANs are VPN-connected as in the P2P communication path indicated by the solid line in FIG. It becomes possible to communicate directly between the terminal 103 and the terminal 303 through a virtual closed communication path. The configuration, function, and operation of the VPN apparatus according to the present embodiment will be described in order below.

  The STUN server 201 performs a service related to the execution of the STUN protocol, and is an address information server that provides information necessary for performing so-called NAT traversal communication. STUN is a standardized client-server Internet protocol used as one of NAT passing methods in applications that perform bidirectional real-time IP communication such as voice, video, and text. The STUN server 201 includes external address / port information including at least one of global IP address and port information visible from the external network as global address information of the access source accessible from the outside in response to a request from the access source. Reply. As the external address / port information, in the IP network, a global IP address of the IP network layer and a port number of the transport layer are used.

  Each of the VPN apparatuses 101 and 301 executes communication of a predetermined test procedure with the STUN server 201, and receives a response packet including the global IP address and port number of the own apparatus from the STUN server 201. Thereby, each VPN apparatus 101 and 301 can acquire the global IP address and port number of an own apparatus. Further, even when there are a plurality of routers between the LAN where the device is located and the WAN, even when these routers do not have UPnP (Universal Plug and Play) functions. There is also an effect that the global IP address and the port number can be acquired with certainty.

  The call control server 202 is a call management server that performs a service (call control process) related to call control between communication apparatuses for calling a specific destination and establishing a communication path. The call control server 202 holds the identification information of the registered VPN apparatus or terminal. For example, in the case of a communication system having an IP telephone function, a specific destination is called based on the telephone number of the connection partner. It is also possible. In addition, the call control server 202 has a function of relaying signals and data, and forwards packets sent from the caller device to the callee device, or sends packets sent from the callee device. It is also possible to forward to the originating device. However, it is assumed that the call control server 202 mainly performs transmission / reception of data related to call control, and for example, transmission / reception of data that requires a large capacity such as moving image data is often not considered.

  Note that the STUN server 201 and the call control server 202 are shown here as configuration examples using separate servers. However, the functions of the two servers, the address information server and the relay server, are mounted on one server. Alternatively, the same function may be mounted on any other server on the WAN.

  The relay server 203 relays communication between the VPN device 101 and the VPN device 301. In particular, after the call control server 202 performs a call control process, it is suitable for transmitting / receiving data requiring a large capacity such as moving image data. Further, depending on the type of the routers 102 and 302, there is a case where VPN connection by P2P communication cannot be performed. In this case, communication data can be relayed. In the present embodiment, only one relay server is shown, but two or more relay servers may be used.

  Next, the configuration and function of the VPN apparatus of this embodiment will be described. The configurations and functions of the VPN apparatus 101 and the VPN apparatus 301 are the same, and will be described here using the VPN apparatus 101. FIG. 2 is a block diagram showing a configuration example of the hardware configuration of the VPN apparatus according to the present embodiment.

  The VPN apparatus 101 includes a central processing unit (CPU) 111, a nonvolatile memory 112 such as a flash RAM, a memory 113 such as an SD RAM, a network interface 114, a network interface 115, a LAN side network control unit 116, and a WAN side network control unit. 117, a communication relay unit 118, a display control unit 119, and a display unit 120.

  The CPU 111 controls the entire VPN apparatus 101 by executing a predetermined program. The non-volatile memory 112 holds a program executed by the CPU 111. This program includes an external address / port acquisition program for the VPN apparatus 101 to acquire external address / port information.

The program executed by the CPU 111 can be acquired from an external server online via an arbitrary communication path, or can be acquired by reading from a recording medium such as a memory card or a CD-ROM. it can. In other words, the VPN apparatus and the VPN networking method can be realized by reading a program for realizing the function of the VPN apparatus from a recording medium into a general-purpose computer.
Note that when the CPU 111 executes the program, a part of the program on the nonvolatile memory 112 may be expanded on the memory 113 and the program on the memory 113 may be executed.

  The memory 113 is for temporarily storing data management during operation of the VPN apparatus 101 and various setting information. The setting information includes destination address information necessary for communication, such as external address / port information included in a response to the external address / port acquisition request of the terminal itself.

  The network interface 114 is an interface for connecting the VPN apparatus 101 and the subordinate terminal 103 managed by the own apparatus in a communicable state. The network interface 115 is an interface for connecting the VPN apparatus 101 and the LAN 100 in a communicable state. The LAN-side network control unit 116 performs communication control related to the LAN-side network interface 114. The WAN-side network control unit 117 performs communication control related to the WAN-side network interface 115.

  The communication relay unit 118, on the contrary, transmits packet data sent from the subordinate terminal 103 connected to the LAN side to the external VPN connection destination (the terminal 303 subordinate to the VPN device 301), and external VPN connection destination (the VPN device 301). The packet data arriving from the subordinate terminal 303) to the subordinate terminal 103 is relayed.

  The display unit 120 is configured by a display that displays the operation state of the VPN apparatus 101 and notifies the user or administrator of various states. The display unit 120 includes a plurality of light emitting diodes (LEDs), a liquid crystal display (LCD), and the like. The display control unit 119 performs display control of the display unit 120, and controls contents to be displayed on the display unit 120 according to a display signal from the CPU 111.

  FIG. 3 is a block diagram showing a functional configuration example of the VPN apparatus according to the present embodiment.

  The VPN apparatus 101 includes a system control unit 130, a subordinate terminal management unit 131, a memory unit 132, a data relay unit 133, a setting interface unit 134, and a communication control unit 140 as functional configurations. The memory unit 132 includes an external address / port information storage unit 135 and a buffer 136. The communication control unit 140 includes an external address / port acquisition unit 141, a VPN function unit 142, a call control function unit 143, a priority control unit 144, a TCP buffering control unit 145, and a UDP flow rate control unit 146. The VPN function unit 142 includes an encryption processing unit 147. Each of these functions is realized by the hardware operation of each block shown in FIG. 2 or when the CPU 111 executes a predetermined program.

  The network interface 114 on the LAN side of the VPN apparatus 101 is connected to the subordinate terminal 103, and the network interface 115 on the WAN side is connected to the WAN 200 via the LAN 100 and the router 102.

  The system control unit 130 performs overall control of the VPN apparatus 101. The subordinate terminal management unit 131 manages the terminals 103 subordinate to the VPN apparatus 101. In the external address / port information storage unit 135, the memory unit 132 stores external address / port information including information on an external address (global IP address on the WAN 200) and a port (port number of the IP network). As the external address / port information, information on the global IP address and port number assigned to the subordinate terminal 103 that is the connection source, information on the global IP address and port number assigned to the terminal 303 of the connection destination, and the like are stored. To do. In addition, the memory unit 132 includes a buffer 136 that temporarily stores TCP data as necessary.

  The data relay unit 133 relays a packet transferred from the connection source terminal 103 to the connection destination terminal 303, and conversely, a packet transferred from the connection destination terminal 303 to the connection source terminal 103, respectively ( Receive / send). That is, the data relay unit 133 receives communication data from the subordinate terminal or the VPN device 301 or transmits the communication data to the subordinate terminal or the VPN device 301. The setting interface unit 134 is a user interface for the user or administrator to perform various operations such as a setting operation on the VPN apparatus 101. As a specific example of this user interface, a Web page displayed by a browser operating on a terminal is used.

  The external address / port acquisition unit 141 of the communication control unit 140 acquires the external address / port information assigned to the terminal 103 under the control of the VPN apparatus 101 from the STUN server 201. In addition, a packet including the external address / port information of the connection destination terminal 303 is received via the call control server 202, and the external address / port information assigned to the connection destination terminal 303 is acquired. The information acquired by the external address / port acquisition unit 141 is held in the external address / port information storage unit 135 of the memory unit 132.

  The VPN function unit 142 of the communication control unit 140 performs encryption processing necessary for VPN communication in the encryption processing unit 147. That is, the encryption processing unit 147 encapsulates and encrypts a packet to be transmitted, or unencapsulates and decrypts a received packet to extract an original packet. Note that the VPN communication is not the P2P communication as shown in FIG. 1, but the relay server 203 provided on the WAN 200 relays the packet, and the VPN communication can be performed by the client / server method. In this case, encryption processing may be performed on the server side. Further, the VPN function unit 142 determines whether VPN communication is possible by any method. The encapsulated packet includes information for specifying the calling terminal 103 and information for specifying the called terminal 303. Based on this specific information, communication data is relayed by the data relay unit 133 between the VPN device and the terminals under the VPN device.

  The call control function unit 143 of the communication control unit 140 transmits a connection request for connecting to a target connection destination to the call control server 202, and receives a connection response from the connection destination via the call control server 202. For example, a process related to call control (call control process) is performed.

  The priority control unit 144 of the communication control unit 140 determines the type of communication data to be transmitted to the VPN apparatus 301 by the data relay unit 133. Specifically, it is identified whether the communication data to be transmitted is communication data (UDP data) of the UDP protocol as the first protocol or communication data (TCP data) of the TCP protocol as the second protocol. That is, the protocol type of communication data is identified.

  The priority control unit 144 sets a priority mode. The priority mode indicates specific communication data that is preferentially transmitted by the data relay unit 133. The priority mode includes a UDP priority mode as a first priority mode that prioritizes transmission of UDP data and a TCP priority mode as a second priority mode that prioritizes transmission of TCP data. Note that when the priority mode is set by the priority control unit 144, a hardware switch associated with the VPN apparatus 101, a software setting screen via the setting interface unit 134, definition information defined by the VPN system, Either may be used.

  The priority control unit 144 also transmits a communication data based on the protocol type and priority mode of the communication data to be transmitted (any one of a first transmission process to a fourth transmission process to be described later). To decide. Specifically, if the protocol type of the communication data determined by the priority control unit 144 matches the set priority mode, transmission of the communication data is permitted, and if they do not match, transmission of the communication data is permitted. The data relay unit 133 is controlled so as to be limited. Examples of transmission data transmission restrictions include a transmission data amount restriction and a transmission timing restriction. Thereby, transmission of communication data with high priority can be started as early as possible, and the processing load on the call control server 202 can be reduced.

  Note that the UDP protocol is a protocol that requires real-time performance, but has low reliability and does not perform retransmission control. The TCP protocol often does not require real-time performance, but is highly reliable and performs retransmission control.

  The TCP buffering control unit 145 of the communication control unit 140 controls to store the TCP data in the memory unit 132 as necessary. In particular, before determining whether or not VPN communication is possible, that is, before the VPN communication path is established, when the UDP priority mode and the communication data are TCP data, a free capacity of a predetermined capacity or more is stored in the memory unit 132. If it exists, control is performed so that the TCP data is stored in the buffer 136 of the memory unit 132.

  Further, the TCP buffering control unit 145 controls the timing for transmitting TCP data as necessary. In particular, before the VPN communication path is established, when the UDP priority mode and the communication data are TCP data, TCP data transmission timing is controlled such that TCP data is periodically transmitted at a predetermined interval.

  The UDP flow rate control unit 146 of the communication control unit 140 controls the data amount (flow rate) when transmitting UDP data as necessary. In particular, the amount of UDP data is controlled when the TCP priority mode and the communication data are UDP data before the VPN communication path is established.

Next, the operation at the time of VPN construction by the VPN apparatus 101 of this embodiment will be described.
FIG. 4 is a flowchart illustrating an example of a processing procedure when determining the type of communication data and the priority mode in the VPN system of the present embodiment. It is assumed that the priority control unit 144 sets in advance whether the UDP priority mode or the TCP priority mode before the processing of FIG. 4 is started.

  First, when the priority control unit 144 detects reception of communication data (communication packet) from the terminal 103 under the VPN apparatus 101 (step S101), the priority control unit 144 determines whether the set priority mode is a TCP priority mode or a UDP priority mode. (Step S102). Further, the priority control unit 144 determines whether the detected communication data is UDP data or TCP data (steps S103 and S104).

  As a result of the determination in steps S102 to S104, when the set priority mode is the TCP priority mode and the detected communication data is TCP data, the priority control unit 144 causes the VPN apparatus 101 to perform the first transmission process. Control is performed (step S105). Also, when the set priority mode is the TCP priority mode and the detected communication data is UDP data, the priority control unit 144 controls the VPN apparatus 101 to perform the second transmission process (step S106). . In addition, when the set priority mode is the UDP priority mode and the detected communication data is TCP data, the priority control unit 144 controls the VPN apparatus 101 to perform the third transmission process (step S107). . If the set priority mode is the UDP priority mode and the detected communication data is UDP data, the priority control unit 144 controls the VPN apparatus 101 to perform the fourth transmission process (step S108). . Details of the first transmission process are shown in FIG. 5, details of the second transmission process are shown in FIG. 6, details of the third transmission process are shown in FIG. 8, and details of the fourth transmission process are shown in FIG. .

  According to the processing of FIG. 4 as described above, communication delays and communication failures are minimized with respect to burst packets generated when a VPN communication path is established between a plurality of VPN apparatuses 101 and 301. It is possible. That is, a suitable transmission processing method can be determined from a plurality of transmission processes according to the priority mode (TCP priority mode or UDP priority mode) and the type of communication data to be transmitted (TCP data or UDP data). . As a result, communication data to be prioritized can be transmitted early while minimizing the data communication delay time, and data communication other than call control processing (especially data communication with a large amount of data) should be performed. It is possible to reduce the load on the call control server 202 that is not assumed to be.

  Hereinafter, details of the first transmission process to the fourth transmission process will be described.

(First transmission process)
Next, an example of transmission processing (first transmission processing) when the priority mode is the TCP priority mode and the communication data is TCP data will be described with reference to FIG.
FIG. 5 shows processing when the VPN system shown in FIG. 1 tries to connect from the terminal 103 under the VPN apparatus 101 to the terminal 303 under the other VPN apparatus 301 via the WAN 200. .

  First, prior to the processing shown in FIG. 5, the VPN apparatus 101 logs in to the call control server 202 to receive user authentication. When the VPN apparatus 101 succeeds in user authentication, the call control server 202 registers and sets identification information (MAC address, user ID, telephone number, etc.) of the VPN apparatus 101, location information on the network (global IP address), etc. Is done. Thereafter, communication between the VPN apparatus 101 and the call control server 202 becomes possible. Although the VPN apparatus 101 is the calling party, the VPN apparatus 301 that is the called party also logs in to the call control server 202 and receives user authentication, and the call control server 202 identifies the identification information of the VPN apparatus 301. Etc. are registered and set.

  Upon receiving a VPN connection request from the subordinate terminal 103, the VPN apparatus 101 establishes a VPN communication path to the call control server 202 to the VPN apparatus 301 subordinate to the connection destination terminal 303. A connection request is made (step S201). This connection request includes identification information of the calling party (VPN device 101) and identification information of the called party (VPN device 301). The call control server 202 relays this connection request and transmits it to the VPN apparatus 301 that is the connection destination of the VPN connection. In response to this connection request, the call control server 202 notifies the callee, which is the connection destination, of a request that the VPN apparatus 101 wants to establish a VPN connection for establishing a VPN communication path to the VPN apparatus 301.

  Further, the VPN apparatus 101 performs an external address / port acquisition procedure with the STUN server 201 by the function of the external address / port acquisition unit 141 (step S202). At this time, the VPN apparatus 101 acquires external address / port information (global IP address and port number as seen from the WAN 200 side) assigned to the self apparatus, so that the STUN server 201 receives an external address / port acquisition request. A binding request (Binding Request, refer to RFC3489; the same applies hereinafter) packet is transmitted. On the other hand, the STUN server 201 responds to the external address / port acquisition request, and includes a binding response (Binding Response, refer to RFC3489; the same applies hereinafter) packet including the external address / port information as a reply to the external address / port information to the VPN apparatus 101. Will be returned. The VPN apparatus 101 stores the external address / port information obtained by returning the external address / port information.

  Upon receiving the connection request from the call control server 202 (step S203), the called-side VPN device 301 sends a connection response to the connection request to the call control server 202 (step S204). This connection response includes identification information of the calling party (VPN device 101) and identification information of the called party (VPN device 301). The call control server 202 relays this connection response and transmits it to the VPN apparatus 101 that is the connection request source of the VPN connection. With this connection response, the call control server 202 notifies the caller serving as the connection request source of a response from the VPN apparatus 301 to the VPN apparatus 101 in response to the connection request. Then, the called-side VPN apparatus 301 starts transmission of communication data via the call control server 202 (step S205).

  The VPN apparatus 301 performs an external address / port acquisition procedure with the STUN server 201 (step S206). At this time, the VPN apparatus 301 acquires the external address / port information (global IP address and port number as seen from the WAN 200 side) assigned to the own apparatus in the STUN server 201 in the same manner as the calling VPN apparatus 101. On the other hand, a binding request packet is transmitted as an external address / port acquisition request. On the other hand, the STUN server 201 responds to the external address / port acquisition request, and returns a binding response packet including the external address / port information to the VPN apparatus 301 as a reply to the external address / port information. The VPN device 301 stores the external address / port information obtained by returning the external address / port information.

  After acquiring the external address / port information, the VPN apparatus 101 waits to receive a connection response to the connection request from the VPN apparatus 301, and confirms whether the connection response has been received at a predetermined timing. (Step S207). After the VPN apparatus 101 receives the connection response from the VPN apparatus 301 in step S207, the VPN apparatus 301 acquires the external address / port information in step S206 and then communicates with each other via the call control server 202. Transmission / reception is started (steps S208 and S209).

  That is, the VPN apparatuses 101 and 301 can start communication data communication via the call control server 202 at an early stage before establishing the VPN communication path.

  After starting data communication via the call control server 202, the VPN apparatus 101 transmits the external address / port information of the VPN apparatus 101 acquired from the STUN server 201 to the VPN apparatus 301 via the call control server 202 ( Step 210). The VPN apparatus 301 receives and stores the external address / port information of the VPN apparatus 101 as the calling side address / port information (step S211). Similarly, the VPN apparatus 301 transmits the external address / port information of the VPN apparatus 301 acquired from the STUN server 201 to the VPN apparatus 101 via the call control server 202 (step 212). The VPN apparatus 101 receives and stores the external address / port information of the VPN apparatus 301 as called address / port information (step S213).

  At this stage, the calling-side VPN device 101 and the called-side VPN device 301 acquire the external address / port information of the other party. Therefore, the VPN apparatus 101 and the VPN apparatus 301 set the other party's external address / port information (global IP address and port number) as the transmission destination and transmit the packet via the WAN 200, and the VPN function unit 142 It is confirmed whether or not VPN communication is possible (step S214). For example, when the VPN apparatus 101 transmits arbitrary data to the VPN apparatus 301 and receives a response indicating that the data has been received from the VPN apparatus 301 within a predetermined period from this transmission, the VPN communication is possible. It is determined that

  When the VPN communication is possible, the VPN apparatus 101 and the VPN apparatus 301 start transmission / reception of communication data via the VPN communication path. Specifically, the VPN apparatus 101 transmits communication data to the VPN apparatus 301 using the external address / port information (called party address / port information) of the VPN apparatus 301 through the VPN communication path (step S215). ). Then, the VPN device 301 receives the communication data from the VPN device 101 (step S216). Similarly, the VPN apparatus 301 transmits communication data to the VPN apparatus 101 using the external address / port information (calling side address / port information) of the VPN apparatus 101 through the VPN communication path (step S217). The VPN apparatus 101 receives communication data from the VPN apparatus 301 (step S218).

  According to such a first transmission process, the VPN devices 101 and 301 can preferentially transmit TCP data. Therefore, when a TCP data transmission request is generated, call control is performed before the VPN communication path is established. TCP data can be transmitted at an early stage via the server 202. Therefore, for example, when transmitting communication data that requires real-time characteristics, such as streaming data, such as streaming data, data communication can be performed while minimizing data delay. Similarly, in video communication such as a TV conference, data loss is large and the video is affected. Therefore, communication quality and communication speed are emphasized, but such communication can be suitably performed. Similarly, when communication using RTSP (Real Time Streaming Protocol), which is a kind of TCP (for example, video distribution by streaming), and UDP communication (for example, communication only for IP phone audio) are used in combination, Even if data is lost to some extent, the sound quality is not affected so much, so communication quality of UDP communication is not important, communication quality and communication speed for RTSP communication are important, but such communication is also suitable It can be carried out.

(Second transmission process)
Next, an example of a transmission process (second transmission process) when the priority mode is the TCP priority mode and the communication data is UDP data will be described with reference to FIG.
FIG. 6 shows processing when the VPN system shown in FIG. 1 tries to connect from the terminal 103 under the VPN apparatus 101 to the terminal 303 under the other VPN apparatus 301 via the WAN 200. . Here, since the functions of the VPN apparatus 101 and the VPN apparatus 301 are the same, the VPN apparatus 101 will be described.

  The second transmission process is basically similar to the first transmission process described above, but in the data communication performed via the call control server 202 before the establishment of the VPN communication path, The difference is that the amount of data permitted to transmit UDP data, which is communication data, is limited. In other words, the VPN apparatus 101 uses the UDP flow rate control unit 146 to limit the amount of data when communication data is transmitted via the call control server 202 in steps S205B, 208B, and 209B. In addition, after the VPN communication path is established, the UDP flow rate control unit 146 releases the restriction on the data amount (steps S215B and S217B). Therefore, after the VPN communication path is established, the VPN apparatus 101 can transmit and receive communication data without limitation on the data amount.

  FIG. 7 is a flowchart illustrating an example of a UDP data flow rate limiting process performed by the UDP flow rate control unit 146. The process of FIG. 7 is periodically performed until the establishment of the VPN communication path is confirmed in step S214 after the transmission of communication data is started in steps S205B, 208B, and 209B.

  First, when the UDP flow control unit 146 detects reception of communication data (communication packet) from the terminal 103 under the VPN apparatus 101 (step S301), the UDP data transmission count is larger than a specified number (for example, 9 times). Whether or not (step S302).

  If the number of UDP data transmissions (for example, 10 times) is greater than the specified number, the UDP flow rate control unit 146 discards the received UDP data (that is, to be transmitted to the called VPN device 301) (step S303). . Then, the UDP flow rate control unit 146 initializes the number of UDP data transmissions (step S304).

  On the other hand, when the number of UDP data transmissions (for example, 8 times) is smaller than the prescribed number, the UDP flow rate control unit 146 transmits the received UDP data to the VPN device 301 on the called side (step S305). Then, the UDP flow rate control unit 146 increments the current number of UDP data transmissions by one (step S306).

  For example, if the specified number of comparisons with the number of UDP data transmissions is “9”, the UDP data is discarded once for every 10 consecutive UDP data transmissions. In this case, UDP data can be thinned out by 10%. As a result, the load on the call control server 202 that relays UDP data can be reduced, and more TCP data can be transmitted instead. For example, when the application to be used is an IP phone and voice data is transmitted as UDP data, there is no problem even if about 40% of UDP data is discarded. Further, by setting the specified number of times to “0”, it is possible to stop the transmission of UDP data until the VPN communication path is determined.

  In addition, the specified number of times may be a fixed value as described above, or based on the amount of TCP data and the processing capacity of the call control server 202, the ability to process UDP data in the TCP priority mode. It may be calculated and set by dynamically changing the specified number of times so as to perform communication within the capacity.

  According to such a second transmission process, even when UDP data that is not prioritized in the priority mode is transmitted, UDP data that requires real-time characteristics is transmitted at an early stage by limiting the data transmission amount of the UDP data. It is possible to reduce the load on the call control server 202 until the establishment of the VPN communication path.

(Third transmission process)
Next, an example of a transmission process (third transmission process) when the priority mode is the UDP priority mode and the communication data is TCP data will be described with reference to FIG.
FIG. 8 shows processing when the VPN system shown in FIG. 1 tries to connect from the terminal 103 under the VPN apparatus 101 to the terminal 303 under the other VPN apparatus 301 via the WAN 200. . Here, since the functions of the VPN apparatus 101 and the VPN apparatus 301 are the same, the VPN apparatus 101 will be described.

  The third transmission process is basically similar to the first transmission process described above, but in the data communication performed via the call control server 202 before the establishment of the VPN communication path, The difference is that the timing for transmitting TCP data, which is communication data, is limited. That is, the VPN apparatus 101 controls the TCP buffering control unit 145 so that the data relay unit 133 periodically transmits communication data via the call control server 202 in steps S205C, 208C, and 209C, for example. In the third transmission process, since the UDP priority mode is set, TCP data not prioritized by the priority mode is stored in the buffer 136 of the memory unit 132 except for a predetermined transmission timing until the VPN communication path is established. It is temporarily stored or discarded. After the VPN communication path is established, the TCP buffering control unit 145 releases the restriction on the transmission timing and performs transmission when a transmission request is generated. When the restriction on the transmission timing is released, the VPN apparatus 101 transmits all the TCP data stored in the buffer 136 before establishing the VPN communication path on the VPN communication path (steps S215C and S217C).

  FIG. 9 is an image diagram of periodic transmission of TCP data. Periodic transmission is an example of a limitation on transmission timing. The TCP buffering control unit 145 has a timer inside, and this timer measures a predetermined time (timeout time) from the initial time point or the reset time point. As shown in FIG. 9, each time point from t1 to t4 indicates a timing at which the time measurement by the timer times out. This timer is reset in the initial state or when timed out, and starts counting time. Transmission of TCP data is permitted only at times t1 to t4, and transmission of TCP data is restricted at other timings and only transmission of UDP data is permitted.

  FIG. 10 is a flowchart illustrating an example of an operation when the VPN apparatus 101 periodically transmits TCP data. The processing in FIG. 10 is performed when the periodic timer times out after the transmission of communication data is started in steps S205C, 208C, and 209C until the establishment of the VPN communication path is confirmed in step S214.

  When the timer times out, it is time to send TCP data. In this case, the TCP buffering control unit 145 determines whether there is TCP data stored in the buffer 136 at the time of timeout (step S401). When the TCP data is stored in the buffer 136, the TCP buffering control unit 145 instructs the data relay unit 133 to transmit the TCP data, and the data relay unit 133 has a predetermined data amount stored in the buffer 136. The TCP data is transmitted (step S402).

  Here, a predetermined amount of data is transmitted because when all buffered TCP data is transmitted, transmission occurs in bursts, and the load on the call control server 202 increases instantaneously. It is because it ends. Therefore, TCP data is transmitted to the call control server 202 so as not to be loaded in order to prioritize UDP communication. If the load can be predicted, the TCP buffering control unit 145 may calculate in advance a data amount that does not hinder the operation of the call control server 202 as the above-described load is not applied. The TCP buffering control unit 145 may obtain the data amount as a fixed value, or may dynamically obtain the data amount based on the data amount including UDP data and the processing capability of the call control server 202.

  According to the processing of FIG. 10 described above, if there is a space exceeding the predetermined capacity in the buffer 136, the TCP data is not discarded but temporarily buffered in the VPN apparatus 101. Thus, by considering the free capacity of the buffer 136, the buffer 136 having a finite capacity can be used efficiently.

  FIG. 11 is a flowchart showing an example of an operation when the VPN apparatus 101 buffers TCP data. The processing in FIG. 11 is performed when the received communication data is TCP data until the establishment of the VPN communication path is confirmed in step S214 after transmission of communication data is started in steps S205C, 208C, and 209C.

  First, when the TCP buffering control unit 145 detects reception of TCP data (step S501), the TCP buffering control unit 145 determines whether or not the free capacity of the buffer 136 of the memory unit 132 is equal to or greater than a specified value (step S502). With respect to the prescribed value of the free capacity of the buffer 136, the size is specified so that there is no problem even if the received TCP data to be transmitted is buffered (for example, the free capacity of 20% or more of the memory capacity to be buffered). Is set.

  If the free capacity of the buffer 136 is greater than or equal to the specified value, the TCP buffering control unit 145 stores the received TCP data to be transmitted in the buffer 136 (step S503). On the other hand, if the free capacity of the buffer 136 is less than the specified value, the TCP buffering control unit 145 discards the received TCP data to be transmitted (step S504).

  According to such processing in FIG. 11, by periodically transmitting, it is possible to advance the communication start timing of TCP data that is non-priority data in the UDP priority mode. Furthermore, since the amount of TCP data transmitted after the start of VPN communication can be reduced, the amount of data transmitted by retransmission control using the TCP protocol can be reduced, reducing the load on the VPN apparatus 101 and the network load in the VPN system. can do.

  FIG. 12 is a diagram illustrating an example of the buffer size and transmission / reception timing of the TCP data stored in the buffer 136. As shown in FIG. 12, TCP data is periodically transmitted from the buffer 136. At this timing, the data amount (buffer size) of the TCP data stored in the buffer 136 decreases (time t1 to t4). At this time, the free capacity of the buffer 136 increases. Further, when the buffer size is less than the specified value (buffer size specified value), that is, when there is room for storing other TCP data in the buffer 136, the received TCP data to be transmitted is stored in the buffer 136 (time t11). , T21, t41). However, since the capacity of the buffer 136 is also limited, when the buffer size exceeds a specified value (for example, when the buffer capacity exceeds 80%, that is, when the buffer free capacity becomes less than 20%). Discards the TCP data without storing it in the buffer 136 (time t22, t23). When the VPN communication path is established, all the TCP data stored in the buffer 136 is transmitted.

  According to such third transmission processing, TCP data can be periodically transmitted even in the UDP priority mode in which UDP data is preferentially transmitted. Therefore, TCP data can be transmitted as early as possible. it can. This is suitable for transmitting communication data (for example, streaming data) that requires real-time characteristics even for TCP data.

  In addition, the VPN apparatus 101 performs TCP data buffering control and periodic transmission, thereby reducing retransmission processing by the TCP protocol as much as possible, and establishing each apparatus (particularly the call control server 202) in the VPN system until the establishment of the VPN communication path. The load on the network can be reduced.

  Further, even when the TCP data is discarded, the TCP protocol retransmission control function periodically generates a retransmission request for the discarded TCP packet, and after establishing the VPN communication path, Data having the same content can be automatically transmitted to the VPN apparatus 301. Therefore, no TCP packet is lost. Thus, even in the UDP priority mode, TCP communication between the plurality of VPN apparatuses 101 and 301 is guaranteed.

(4th transmission process)
Next, an example of a transmission process (fourth transmission process) when the priority mode is the UDP priority mode and the communication data is UDP data will be described with reference to FIG.
FIG. 13 shows processing when the VPN system shown in FIG. 1 tries to connect from the terminal 103 under the VPN apparatus 101 to the terminal 303 under the other VPN apparatus 301 via the WAN 200. . The detailed operation in each step is the same as that described above, and thus the description thereof is omitted.

  The calling-side VPN device 101 obtains the calling-side external address / port information (step S202), then issues a connection request (step S201), and makes a call with the called-side VPN device 301. Transmission of communication data via the control server 202 is started (step S601).

  On the other hand, when receiving the connection request from the VPN apparatus 101 (step S203), the called-side VPN apparatus 301 starts transmission / reception of communication data via the call control server 202 with the calling-side VPN apparatus 101. (Step S602).

  After starting transmission of communication data via the call control server 202, the VPN apparatus 301 acquires the external address / port information of the called party (step S206) and makes a connection response (step S204). When the VPN apparatus 101 receives the connection response from the VPN apparatus 301, the VPN apparatus 101 continues to transmit communication data via the call control server 202 (step S603).

  The VPN apparatuses 101 and 301 perform the processes of steps S210 to S218 in the same manner as the first transmission process after the processes of steps S603 and S204.

  According to such a fourth transmission process, the VPN apparatuses 101 and 301 can preferentially transmit UDP data. Therefore, when a UDP data transmission request requiring real-time performance occurs, before the VPN communication path is established. In addition, UDP data can be transmitted at an early stage via the call control server 202. Therefore, data communication can be performed while minimizing data delay. In particular, as shown in FIG. 13, since the VPN apparatus 101 can transmit UDP data together with a connection request, data communication can be further speeded up.

(Modification)
In the above description, the VPN device having the VPN function is arranged as an independent device, and the terminal is arranged under the VPN device. However, as shown in FIG. 14, only the VPN device 104 (terminal having the VPN function) is provided. May be arranged.

  The present invention relates to a VPN apparatus and a VPN networking method capable of minimizing the occurrence of communication delay and communication failure with respect to bursty packets generated when a VPN communication path is established between a plurality of VPN apparatuses. , Programs, and storage media.

100, 300 LAN
101, 301 VPN device 102, 302 Router 103, 303 Terminal 104, 304 VPN device (terminal)
111 Microcomputer (CPU)
112 Non-volatile memory 113 Memory 114, 115 Network interface 116 LAN side network control unit 117 WAN side network control unit 118 Communication relay unit 119 Display control unit 120 Display unit 130 System control unit 131 Subordinate terminal management unit 132 Memory unit 133 Data relay unit 134 Setting interface unit 135 External address / port information storage unit 136 Buffer 140 Communication control unit 141 External address / port acquisition unit 142 VPN function unit 143 Call control function unit 144 Priority control unit 145 TCP buffering control unit 146 UDP flow rate control unit 147 Cryptographic processing unit 200 WAN
201 STUN server 202 Call control server 203 Relay server

Claims (7)

A VPN device that constructs a virtual private network with other VPN devices on the network and performs VPN communication,
Communication data for transmitting communication data to the other VPN device via a call control server that performs call control processing between the VPN device and the other VPN device before the virtual private network is constructed A transmission unit;
A data type determination unit that determines whether the protocol type of the communication data transmitted by the communication data transmission unit is a first protocol that requires real-time property or a second protocol that performs retransmission control;
A priority mode setting unit that sets, as a priority mode, either a first priority mode that prioritizes transmission of communication data of the first protocol or a second priority mode that prioritizes transmission of communication data of the second protocol;
When the protocol type of the communication data determined by the data type determination unit and the protocol type prioritized in the priority mode set by the priority mode setting unit match, the communication data is transmitted. A transmission control unit for controlling the communication data transmission unit to limit transmission of the communication data;
VPN device comprising: The VPN device according to claim 1, further comprising:
When the data type determination unit determines that the protocol of the communication data is the first protocol, and the priority mode setting unit sets the second priority mode, the communication data transmitted by the communication data transmission unit A VPN apparatus including a data amount limiting unit that limits the data amount. The VPN device according to claim 1, further comprising:
When the data type determination unit determines that the protocol of the communication data is the second protocol and the priority mode setting unit sets the first priority mode, the communication data transmission unit transmits the communication data. A VPN apparatus including a transmission timing limiting unit that limits transmission timing. The VPN device according to claim 1 or 3, further comprising:
A communication data storage unit for storing communication data transmitted by the communication data transmission unit;
A free capacity detection unit for detecting a free capacity of the communication data storage unit;
When the protocol of the communication data is determined as the second protocol by the data type determination unit and the first priority mode is set by the priority mode setting unit, and the free capacity detection unit detects the A communication data storage control unit for controlling the communication data to be stored in the communication data storage unit when a free capacity of the communication data storage unit is equal to or greater than a predetermined capacity;
VPN device comprising: A VPN networking method for a VPN device that establishes a virtual private network with another VPN device on the network and performs VPN communication,
Transmitting communication data to the other VPN device via a call control server that performs call control processing between the VPN device and the other VPN device before the virtual private network is constructed; ,
Determining whether the protocol type of the communication data to be transmitted is a first protocol that requires real-time property or a second protocol that performs retransmission control;
Setting one of a first priority mode that prioritizes transmission of communication data of the first protocol and a second priority mode that prioritizes transmission of communication data of the second protocol as a priority mode;
Control is performed to transmit the communication data when the determined protocol type of the communication data and the protocol type prioritized in the set priority mode match, and to limit the transmission of the communication data when they do not match And steps to
VPN networking method comprising:   The program for performing each step of the VPN networking method of Claim 5.   A computer-readable storage medium having recorded thereon a program for executing each step of the VPN networking method according to claim 5.

Images