JP5273078B2 - VPN router, server and communication system - Google Patents

Description

  The present invention relates to a VPN router, a server, and a communication system. Specifically, the present invention relates to a VPN router, a server, and a communication system for establishing a VPN session between a plurality of terminal devices.

  Conventionally, VPN (Virtual Private Network) is known as a kind of network service. In VPN, a part of the public network is used as a virtual dedicated line. Communication with high security is performed between the terminal devices in which the VPN session is established. In recent years, it has been proposed to construct a VPN on the Internet. For example, a plurality of terminal devices are connected to the Internet via routers (hereinafter referred to as VPN routers) each having a VPN function. A VPN router connected to each terminal device performs encrypted communication using a predetermined protocol, so that VPN is realized on the Internet.

  An on-demand VPN router is known as a kind of VPN router. In the on-demand type VPN router, an IP address that identifies the end node of the VPN session is registered in advance. When the VPN router receives an IP packet from a locally connected terminal device, the VPN router determines whether the destination address of the IP packet matches the registered IP address. When the destination address matches the registered IP address, the VPN router automatically establishes a VPN session connecting the terminal device and the terminal node.

  In VPN, in order to improve security, an encryption key used for encrypted communication may be periodically updated. Therefore, one VPN router generates a common key and transmits the common key to the other VPN router via the mobile phone network. As a result, a VPN communication device that realizes high security while simplifying data communication necessary for the exchange of the common key is known (see, for example, Patent Document 1).

JP 2006-217275 A

  In recent years, there are cases where a user connects to an in-house network using a mobile terminal (for example, a mobile phone or a notebook PC) on the go. At this time, in order to ensure security during communication, a user may connect to an in-house network via a VPN via a VPN router installed on the go. It is also conceivable that the user can carry the VPN router by reducing the size and weight of the on-demand VPN router. In this case, the mobile terminal and the in-house network may be connected by VPN via a VPN router carried by the user on the go.

  In such a case, any terminal device that has been set for communication to establish a VPN session with the internal network can access the internal network. In other words, there is a possibility that a third party may illegally access an in-house network from an external environment via a VPN router using an unspecified terminal device. In addition, the mobile terminal in which the above communication settings remain may be lost by the user or stolen by a third party. In this case as well, there is a possibility that a mobile terminal illegally acquired by a third party may illegally access an in-house network from the external environment via the VPN router.

  The present invention has been made to solve the above-described problems, and can easily access a local network from an external environment with a VPN, and limit the VPN connection target to a regular terminal device. An object of the present invention is to provide a VPN router, a server, and a communication system.

  A VPN router according to a first aspect of the present invention is a VPN router that is locally connected to one terminal device and connected to another terminal device and a server that manages a VPN session via a network, An authentication request relay unit that relays an authentication request that is transmitted from one terminal device to the server and that is an instruction for requesting authentication as to whether or not the one terminal device is an establishment target of the VPN session; Authentication information relay means for relaying authentication information unique to the one terminal device transmitted from the server to the one terminal device, and a connection request from the one terminal device to the other terminal device When the connection request including the authentication information is received, an information request that is an instruction to request the authentication information unique to the one terminal device is transmitted to the server. An information request transmitting means; and a session authentication means for determining whether the authentication information included in the connection request matches the authentication information received from the server when the authentication information is received from the server. And a session establishing means for establishing the VPN session for connecting the one terminal device and the other terminal device on the network when the authentication information is judged to match by the session authentication means. .

  According to the first aspect, when an authentication request is transmitted from one terminal device, the authentication request is relayed to the server by the VPN router. When the authentication information is transmitted from the server, the authentication information is relayed toward the terminal device by the VPN router. When a connection request including authentication information is transmitted from one terminal device to the VPN router, the information request is transmitted from the VPN router to the server. When the authentication information is transmitted from the server to the VPN router, the VPN router determines whether or not the authentication information received from the server matches the authentication information included in the connection request. If the authentication information matches, a VPN session connecting one terminal device and another terminal device is established. Thereby, it is possible to easily access the local network from the external environment with the VPN, and it is possible to limit the VPN connection target to a regular terminal device.

  In the first aspect, the information request transmitting means may include identification information unique to the one terminal device in the information request and transmit it to the server. According to this, the server can identify the terminal device connected to the VPN router by the identification information of one terminal device included in the information request.

  In the first aspect, the connection request includes information indicating a service to be provided by the one terminal device, and the information request transmitting unit includes information indicating the service included in the connection request in the information request. Including the address receiving means for receiving the address of the other terminal device capable of providing the service from the server, and the session establishing means is configured to receive the address received by the address receiving means. The VPN session may be established based on According to this, since the connection destination address of the VPN session is specified by the server, it is not necessary for the VPN router to manage the connection destination address.

  A server according to a second aspect of the present invention is a server that is connected to a VPN router locally connected to one terminal device via a network and manages a VPN session, and from the one terminal device, the one terminal device Authentication information generating means for generating first authentication information unique to the one terminal device when receiving an authentication request that is an instruction for requesting authentication as to whether or not the terminal device is an establishment target of the VPN session; A first authentication information transmitting means for transmitting the first authentication information generated by the authentication information generating means to the one terminal device; and a first authentication information generated by the authentication information generating means. 1 authentication information storage means and an information request that is an instruction to request the first authentication information from the VPN router, the information stored in the first authentication information storage means The first authentication information, and a second authentication information transmitting means for transmitting to the VPN router.

  According to the second aspect, when an authentication request is transmitted from one terminal device to the server, the first authentication information is generated and stored in the server, and the first authentication information is transmitted from the server to the one terminal device. The When an information request is transmitted from the VPN router to the server, the first authentication information stored in the server is transmitted to the VPN router. Accordingly, it is possible to determine whether or not the VPN router should establish a VPN session based on whether or not the authentication information acquired from the server matches the authentication information acquired from one terminal device. Therefore, it is possible to easily access the local network from the external environment with the VPN, and it is possible to limit the VPN connection target to a regular terminal device.

  2nd aspect WHEREIN: About the said 1st authentication information memorize | stored in the said 1st authentication information memory | storage means, the elapsed time measurement means to measure the elapsed time from the time produced | generated by the said authentication information generation means, The said VPN session Status information storage means for storing status information indicating the status of the one terminal device, and status setting means for setting the status information to the first state when the authentication information is generated by the authentication information generating means; A status changing unit that changes the status information from the first state to the second state when the elapsed time is equal to or longer than a predetermined time, and the second authentication information transmitting unit sends the information request from the server. When the status information is in the first state at the time of reception, the first authentication information is transmitted while the status information is in the first state. If the scan information is the second state may cancel the transmission of the first authentication information.

  According to this, when the elapsed time from when the first authentication information is generated until the information request is received is equal to or longer than a predetermined time, the status information is changed from the first state to the second state. Transmission of authentication information is canceled. Therefore, the delay of the process performed by the server can be suppressed, and the possibility of an unauthorized operation by a third party intervening can be reduced.

  In the second aspect, the information request includes information indicating a service to be provided by the one terminal device, an address storage means for storing an address of the other terminal device that can provide the service, and the information request The one terminal device specifies the service that the one terminal device seeks to provide based on the information indicating the service included in the address, and the address of the other terminal device that can provide the specified service is stored in the address storage Address specifying means for specifying with reference to the means, and address transmitting means for transmitting the address specified by the address specifying means to the VPN router may be provided. According to this, the server can specify the connection destination address of the VPN session according to the service received from the other terminal device, and can notify the VPN router.

  In the second aspect, the authentication request includes second authentication information set in the one terminal device, and stores the second authentication information registered in advance in association with the one terminal device. When the authentication request is received from the authentication information storage means and the one terminal device, the second authentication information included in the authentication request and the second authentication information stored in the second authentication information storage means Terminal authentication means for determining whether or not and the authentication information generating means generates the first authentication information when the terminal authentication means determines that the second authentication information matches. On the other hand, if the terminal authentication means determines that the second authentication information does not match, the generation of the first authentication information may be stopped.

  According to this, an authentication process using the first authentication information is executed in the VPN router, and an authentication process using the second authentication information is executed in the server. That is, since the authentication process using different authentication information is executed by different devices, security is improved. When the authentication process using the second authentication information fails, the generation of the first authentication information is stopped, so that the delay of the process executed on the server can be suppressed.

  In the second aspect, the first identification information may be an authentication key that is randomly generated each time the authentication request is received. Accordingly, it is possible to make the VPN router specify whether or not the authentication request source terminal device and the terminal device connected to the VPN router are the same.

  A server according to a third aspect of the present invention includes a server that manages a VPN session, and a VPN router that is locally connected to one terminal device and that is connected to another terminal device and the server via a network. In the communication system, the VPN router sends an instruction requesting whether or not the one terminal device is an establishment target of the VPN session transmitted from the one terminal device to the server. Authentication request relaying means for relaying an authentication request; authentication information relaying means for relaying authentication information transmitted from the server toward the one terminal device; and unique to the one terminal device; and the one terminal When receiving a connection request including the authentication information from a device, the authentication information is specific to the one terminal device. An information request transmitting means for transmitting an information request as an instruction to request to the server, and when receiving the authentication information from the server, the authentication information included in the connection request and the authentication information received from the server A session authentication unit that determines whether or not and the session authentication unit determines that the authentication information matches, and connects the one terminal device and the other terminal device on the network. Session establishment means for establishing the VPN session, and when the server receives the authentication request from the one terminal device, the server generates authentication information generation means for generating the authentication information and generated by the authentication information generation means The first authentication information transmitting means for transmitting the authentication information to the one terminal device, and the authentication information generating means Authentication information storage means for storing the generated authentication information; and when the information request is received from the VPN router, the authentication information stored in the authentication information storage means is transmitted to the VPN router. Authentication information transmission means.

  According to the third aspect, when an authentication request is transmitted from one terminal device, the authentication request is relayed to the server by the VPN router. When the authentication information is transmitted from the server, the authentication information is relayed toward the terminal device by the VPN router. When a connection request is transmitted from one terminal device to the VPN router, an information request is transmitted from the VPN router to the server. When the authentication information is transmitted from the server to the VPN router, the VPN router determines whether or not the authentication information received from the server matches the authentication information included in the connection request. If the authentication information matches, a VPN session connecting one terminal device and another terminal device is established. Thereby, it is possible to easily access the local network from the external environment with the VPN, and it is possible to limit the VPN connection target to a regular terminal device.

1 is a diagram illustrating an overall configuration of a communication system 1. FIG. 2 is a block diagram showing an electrical configuration of a VPN router 8. FIG. 3 is a block diagram showing an electrical configuration of a server 3. FIG. It is a figure which shows the data structure of the session management table. 4 is a diagram showing a data configuration of a connection destination management table 120. FIG. 3 is a timing chart showing the flow of various data in the communication system 1. 7 is a flowchart of main processing executed by the VPN router 8. It is a flowchart of a VPN connection process. 4 is a flowchart of main processing executed by the server 3. It is a flowchart of a center authentication process. It is a continuation of the flowchart shown in FIG. It is another figure which shows the data structure of the session management table 110. It is another figure which shows the data structure of the session management table 110.

  Embodiments of the present invention will be described with reference to the drawings. The drawings to be referred to are used to explain technical features that can be adopted by the present invention, and are merely illustrative examples.

  With reference to FIG. 1, an overall configuration of a communication system 1 according to the present embodiment will be described. The communication system 1 has a configuration in which an external terminal device can be connected to a specific local network via a VPN. A communication system 1 illustrated in FIG. 1 includes a PC (Personal Computer) 2, a server 3, a LAN (Local Area Network) 4, a VPN router 5, the Internet 6, a portable terminal 7, a VPN router 8, and the like.

  The PC 2 is installed at the head office of the company to which the user belongs. The LAN 4 is a local network of the head office to which devices such as the PC 2, a server (not shown), and a printer (not shown) are connected. The VPN router 5 is a known VPN router installed at the head office, and relays data communication between the LAN 4 and an external network. The PC 2 can access the Internet 6 via the VPN router 5.

  The portable terminal 7 is a small and lightweight terminal device, such as a notebook PC, a PDA (Personal Digital Assistant), an electronic paper terminal, or the like. The VPN router 8 is a small and lightweight VPN router and has the same function as a known VPN router. The user can carry the portable terminal 7 and the VPN router 8 and use them on the go.

  For example, when the destination is an environment that can connect to the Internet 6, the user connects the mobile terminal 7 and the VPN router 8, and connects the VPN router 8 and the Internet 6. The VPN router 8 relays data communication between the mobile terminal 7 and an external network (that is, the Internet 6). As a result, the mobile terminal 7 can access the Internet 6 via the VPN router 8.

  In the present embodiment, a case where a user who is away from home accesses the LAN 4 of the head office using the mobile terminal 7 and refers to a file stored in the PC 2 is illustrated. The VPN router 5 at the head office permits access to the device connected to the LAN 4 only to an external terminal for which a VPN session has been established by a known security function. That is, only when a VPN session is established between the mobile terminal 7 and the PC 2, the mobile terminal 7 and the PC 2 can communicate with each other through the VPN, and the user can refer to a file stored in the PC 2.

  The server 3 is a known server connected to the Internet 6. The server 3 determines whether or not establishment of a VPN session should be permitted for an external terminal that requests access to the LAN 4 (that is, whether or not access to the LAN 4 should be permitted). Processing related to establishment of a VPN session (that is, VPN connection processing and center authentication processing described later) will be described later.

  The electrical configuration of the VPN router 8 will be described with reference to FIG. Although not described, the electrical configuration of the VPN router 5 is the same as that of the VPN router 8.

  The VPN router 8 includes a CPU 81 that controls the VPN router 8. A ROM 82, a RAM 83, a flash memory 84, a LAN interface 85, a wireless LAN interface 86, a WAN interface 87, a USB interface 88, and an LED display unit 89 are connected to the CPU 81 via a bus 80. Although not shown, the VPN router 8 includes a battery for supplying power. The ROM 82 stores a program that causes the CPU 80 to execute main processing (see FIG. 7).

  The LAN interface 85 includes a port to which a LAN cable (not shown) is connected, and transmits / receives data to / from an external device via the LAN cable. The wireless LAN interface 86 includes an antenna (not shown) and transmits / receives data to / from an external device by wireless communication. The WAN interface 87 includes a port to which a WAN cable (not shown) is connected, and transmits / receives data to / from the wide area network via the WAN cable. The USB interface 88 includes a port to which a USB cable (not shown) is connected, and transmits / receives data to / from an external device via the USB cable. The LED display unit 89 notifies the operation state of the VPN router 8 by the light emission pattern and light emission color of the LED (not shown).

  In the present embodiment, when the user connects the portable terminal 7 to the VPN router 8, the user can make a wired connection using a LAN cable or a USB cable, or a wireless connection using a wireless LAN. For example, the mobile terminal 7 and the VPN router 8 may be connected in a suitable manner according to the function and structure of the mobile terminal 7. When the user connects the VPN router 8 to the Internet 6, the user may make a wired connection using a WAN cable or a LAN cable, a connection via an access point using a wireless LAN, or a wireless connection via a 3G line. it can. For example, the VPN router 8 and the Internet 6 may be connected in a suitable manner according to the connection environment of the place where the user is away.

  The electrical configuration of the server 3 will be described with reference to FIG. The server 3 includes a CPU 31 that controls the server 3. A ROM 32, a RAM 33, an HDD (Hard Disk Drive) 34, a LAN interface 35, and an input / output unit 36 are connected to the CPU 31 via a bus 30. An input device 37 exemplified by a mouse and a keyboard and a display 38 are connected to the input / output unit 36. The server 3 is connected to the Internet 6 via a LAN cable connected to the LAN interface 35. The HDD 34 stores a program for causing the CPU 30 to execute main processing (see FIG. 9), a session management table 110, a connection destination management table 120, and the like.

  The data configuration of the session management table 110 will be described with reference to FIG. In the session management table 110, a record including a data item related to a VPN session is registered for each legitimate terminal device. A legitimate terminal device is a terminal device that is permitted to connect to the VPN router 8. Hereinafter, the record registered in the session management table 110 is referred to as a session management record. In the present embodiment, a plurality of session management records are registered in the session management table 110 in response to a plurality of legitimate terminal devices.

  In the example shown in FIG. 4, the session management record of the mobile terminal 7 is registered in the session management table 110. This session management record includes, as data items, the MAC address and IP address of the mobile terminal 7, the terminal ID and password set in the mobile terminal 7, the session state, the authentication key, the key generation date and time, and the like. .

  The session state indicates a processing state related to the VPN session (that is, a progress status of a center authentication process described later) by any of “idle”, “waiting for authentication”, “during VPN communication”, and “lock”. Specifically, “idle” indicates a state in which the center authentication process (see FIGS. 10 and 11) can be started in response to a request from the mobile terminal 7. “Waiting for authentication” indicates a state of waiting for completion of local authentication related to the mobile terminal 7. “VPN communication in progress” indicates a state in which a VPN session for the mobile terminal 7 is established. “Lock” indicates a state in which the VPN session for the mobile terminal 7 is restricted. The local authentication is an authentication process using an authentication key executed by the VPN router 8, and details will be described later.

  The authentication key is authentication information that is randomly generated every time the center authentication process (see FIGS. 10 and 11) is executed. The key generation date / time indicates the date / time when the authentication key was generated. As shown in FIG. 4, when the session state is “idle”, since the center authentication process (see FIGS. 10 and 11) has not started, the authentication key and the key generation date and time are not set.

  The data configuration of the connection destination management table 120 will be described with reference to FIG. In the connection destination management table 120, a record including a data item related to the connection destination of the VPN session is registered for each legitimate terminal device. Hereinafter, the record registered in the connection destination management table 120 is referred to as a connection destination management record. In the example shown in FIG. 5, the connection destination management record of the mobile terminal 7 is registered in the connection destination management table 120. This connection destination management record includes, as data items, the MAC address and IP address of the mobile terminal 7, service information, and the like.

  The service information is information related to a service provided by the service providing device, and includes a service ID, a provider address, and a certificate as data items. The service providing device is a device that provides various services to a legitimate terminal device through VPN communication. The service ID is an ID that identifies a service provided by the service providing device. The source address is the IP address of the service providing device. The certificate is authentication information necessary for receiving the provision of the service.

  In the present embodiment, a plurality of connection destination management records are registered in the connection destination management table 120 in response to the presence of a plurality of regular terminal devices. A plurality of service information is set in each connection destination management record corresponding to a plurality of services that can be provided by a legitimate terminal device. Although not shown, each service information includes a communication protocol and setting information for receiving service provision.

  For example, in response to the user browsing the file on the PC 2 using the mobile terminal 7, information related to the file providing service of the PC 2 is set in the first service information included in the connection destination management record of the mobile terminal 7. Has been. Specifically, the service ID of the first service information is an ID that specifies the file providing service of the PC 2. The source address of the first service information is the IP address of PC2. The certificate of the first service information is authentication information necessary for receiving the file providing service of the PC 2.

  With reference to FIG. 6, the outline of the overall processing of the communication system 1 will be described. In the following description, a terminal device that requests establishment of a VPN session is referred to as a target terminal. The VPN router to which the target terminal is connected is called the target router. In this embodiment, the portable terminal 7 is a target terminal, and the VPN router 8 is a target router.

  For example, when the user browses a file on the PC 2 using the mobile terminal 7, the mobile terminal 7 transmits a center authentication request to the server 3 (T1). The center authentication request is a signal that requests the server to execute center authentication regarding the target terminal. The VPN router 8 relays the center authentication request transmitted from the mobile terminal 7 toward the server 3.

  When the server 3 receives the center authentication request, the server 3 executes device authentication for determining whether or not the mobile terminal 7 is a legitimate terminal device. When the device authentication is successful, the server 3 generates and stores an authentication key for the mobile terminal 7. The server 3 transmits an authentication success notification to the mobile terminal 7 (T2). The authentication success notification is a signal for notifying the target terminal that the device authentication of the server 3 has been successful, and includes at least an authentication key generated by the server 3. The VPN router 8 relays the authentication success notification transmitted from the server 3 toward the mobile terminal 7.

  When the mobile terminal 7 receives the authentication success notification, the mobile terminal 7 transmits a VPN connection request to the VPN router 8 (T3). The VPN connection request is a signal for requesting the target router to establish a VPN session for connecting the target terminal and the service providing device, and includes at least the authentication key received from the server 3. When receiving the VPN connection request, the VPN router 8 transmits an authentication key request to the server 3 (T4). The authentication key request is a signal that requests the server 3 for the authentication key of the target terminal. When receiving the authentication key request, the server 3 transmits the authentication key stored in the server 3 to the VPN router 8 (T5).

  The VPN router 8 collates the authentication key received from the server 3 with the authentication key received from the mobile terminal 7. If the authentication keys match, the VPN router 8 transmits a connection destination request to the server 3 (T6). The connection destination request is a signal that requests the server 3 for the address of the service providing device connected to the target terminal through the VPN. When receiving the connection destination request, the server 3 transmits a connection destination instruction to the VPN router 8 (T7). The connection destination instruction is a signal that indicates to the target router the address of the service providing device connected to the target terminal via the VPN.

  When receiving the connection destination instruction, the VPN router 8 transmits a VPN permission notice to the portable terminal 7 (T8). The VPN permission notification is a signal that notifies the target terminal that the establishment of a VPN session that connects the target terminal and the service providing device is permitted. The VPN router 8 establishes a VPN session for connecting the mobile terminal 7 and the PC 2 (T9). VPN communication is executed between the portable terminal 7 and the PC 2 by a known tunneling process executed by the VPN router 5 and the VPN router 8 (T10). Thereby, the portable terminal 7 can access PC2 by VPN communication, and the user can browse the file of PC2 from an external environment.

  With reference to FIGS. 7-13, the detail of the process respectively performed by the VPN router 8 and the server 3 among the whole processes of the communication system 1 mentioned above is demonstrated. Below, in order to make an understanding easy, it demonstrates, referring suitably the timing chart shown in FIG.

  With reference to FIG. 7, the main process executed by the VPN router 8 will be described. The main process (see FIG. 7) is continuously executed by the CPU 81 based on the program stored in the ROM 82 until the VPN router 8 is turned off.

  In the main process of the VPN router 8, it is first determined whether or not a packet addressed to itself is received (S1). Specifically, when the VPN router 8 receives the packet and the destination address included in the received packet matches the IP address of the VPN router 8, it is determined that the packet addressed to itself is received (S1: YES) In this case, it is determined whether the received packet is a VPN connection request (S3). When the received packet is a VPN connection request (S3: YES), a VPN connection process (S5) described later is called and executed. If the received packet is not a VPN connection request (S3: NO), other processing is executed according to the received packet (S7).

  If the VPN router 8 has not received the packet, or if the destination address included in the received packet does not match the IP address of the VPN router 8, it is determined that the packet addressed to itself has not been received (S1: NO). ). In this case, the process proceeds to step S9. Even after execution of step S5 or step S7, the process proceeds to step S9.

  In step S9, it is determined whether a packet addressed to another device has been received. Specifically, when the VPN router 8 receives the packet and the destination address included in the received packet does not match the IP address of the VPN router 8, it is determined that the packet addressed to another device has been received (S9: YES) In this case, it is determined whether VPN communication is being executed between the packet transmission source and the packet transmission destination (S11). The VPN router 8 grasps the target device of the VPN session when performing VPN communication with other VPN routers. For example, whether or not VPN communication is being performed can be determined based on whether or not the target device of the VPN session matches the packet transmission source and the packet transmission destination.

  When VPN communication is being executed (S11: YES), a known tunneling process is executed (S13). That is, the received packet is transferred via the VPN. On the other hand, when VPN communication is not being executed (S11: NO), a known packet relay process is executed (S15). That is, the received packet is transferred by the same routing control as a known router.

  If the VPN router 8 has not received a packet, or if the destination address included in the received packet matches the IP address of the VPN router 8, it is determined that a packet addressed to another device has not been received (S9: NO). ). In this case, the process returns to step S1. Even after execution of step S13 or step S15, the process returns to step S1.

  With reference to FIG. 9, the main process executed by the server 3 will be described. The main process (see FIG. 9) is continuously executed by the CPU 31 based on the program stored in the HDD 34 until the server 3 is turned off.

  In the main process of the server 3, it is first determined whether or not a packet has been received (S101). When the packet is received (S101: YES), it is determined whether or not the received packet is a center authentication request (S103). When the received packet is a center authentication request (S103: YES), a center authentication process (S105) described later is called and executed. If the received packet is not a center authentication request (S103: NO), other processing is executed according to the received packet (S7). For example, when the received packet is an update instruction for the session management table 110, the session management record is updated according to the update instruction. When the received packet is an instruction to update the connection destination management table 120, the connection destination management record is updated according to the update instruction. After execution of step S105 or step S107, the process returns to step S101.

  In this embodiment, in order to receive the file providing service of the PC 2, the user operates the portable terminal 7 to input an instruction to execute center authentication. At this time, the user inputs the terminal ID “000001” and the password “******” of the mobile terminal 7. The portable terminal 7 transmits a center authentication request including information input by the user and the address of the portable terminal 7 to the server 3 (see T1 in FIG. 6). The address of the mobile terminal 7 is, for example, the IP address “202.213.xxx.xxx” or the MAC address “00-11-22-33-44-55”.

  When the VPN router 8 receives the center authentication request from the portable terminal 7, the VPN router 8 transfers the center authentication request to the server 3 by packet relay processing (S9: YES, S11: NO, S15). When the server 3 receives the center authentication request transferred by the VPN router 8, the server 3 starts the following center authentication processing (S101: YES, S103: YES, S105).

  The center authentication process (S105) will be described with reference to FIGS. In the center authentication process, it is first determined whether or not the target terminal is registered in the server 3 (S111). Specifically, it is determined whether or not a record in which an address included in the center authentication request is set (that is, a session management record of the target terminal) is registered in session management table 110. When the session management record of the target terminal is registered (S111: YES), it is determined whether or not the session state included in the session management record of the target terminal is “idle” (S113). When the session state is “idle” (S113: YES), device authentication processing is executed (S115).

  In the device authentication process (S115), the terminal ID and password included in the center authentication request are collated with the terminal ID and password included in the session management record of the target terminal. Based on the comparison result, it is determined whether or not the device authentication is successful (S117). If the device authentication is successful (S117: YES), a random authentication key is generated by a known method (S119). The authentication key generated in step S119 is stored in the HDD 34 as an authentication key included in the session management record of the target terminal (S121). An authentication success notification including the authentication key generated in step S119 is transmitted to the target terminal (S123). The session state included in the session management record of the target terminal is set to “waiting for authentication” (S125). The elapsed time counted from the time of transmission of the authentication success notification is started by a timer not shown (S127).

  When the session management record of the target terminal is not registered (S111: NO), or when the session state is not “idle” (S113: NO), an error is transmitted to the target terminal (S131). When the device authentication fails (S117: NO), the session state included in the session management record of the target terminal is set to “lock” (S129), and an error is transmitted to the target terminal (S131). After execution of step S131, the center authentication process is terminated. The target terminal that has received the error in step S131 is notified of the center authentication failure.

  In the present embodiment, the session management record of the mobile terminal 7 is registered in the session management table 110, and the session state is “idle” (see FIG. 4). The terminal ID and password included in the center authentication request match the terminal ID “000001” and password “******” included in the session management record of the mobile terminal 7. Therefore, the server 3 that has received the center authentication request generates an authentication key “qececsz”. As shown in FIG. 12, in the session management record of the portable terminal 7, the authentication key “qegecsz” is set, and the session state is updated from “idle” to “waiting for authentication”. The server 3 transmits an authentication success notification including the authentication key “qegecsz” to the mobile terminal 7 (see T2 in FIG. 6). When the VPN router 8 receives the authentication success notification from the server 3, the VPN router 8 transfers the authentication success notification to the mobile terminal 7 by packet relay processing (S9: YES, S11: NO, S15).

  The target terminal that has received the authentication success notification notifies the center authentication success. In this case, the user operates the portable terminal 7 to input a VPN connection to the PC 2 and inputs a service ID “S001” indicating the file providing service of the PC 2. The portable terminal 7 transmits a VPN connection request including the authentication key received from the server 3, the service ID input by the user, and the address of the portable terminal 7 to the VPN router 8 (see T3 in FIG. 6). When the VPN router 8 receives a VPN connection request from the mobile terminal 7, it starts the following VPN connection processing (S1: YES, S3: YES, S5).

  The VPN connection process (S5) will be described with reference to FIG. In the VPN connection process, first, the authentication key included in the VPN connection request is stored in the flash memory 84 (S31). An authentication key request including the address received from the target terminal is transmitted to the server 3 (S33). The elapsed time calculated from the time of transmitting the authentication key request is started by a timer not shown (S35). In the present embodiment, the VPN router 8 that has received the VPN connection request transmits an authentication key request including the address of the mobile terminal 7 to the server 3 (see T4 in FIG. 6).

  As shown in FIGS. 10 and 11, in the center authentication process, it is determined whether or not the authentication key request of the target terminal has been received after the execution of step S127 (S133). Whether or not it is an authentication key request of the target terminal can be determined based on an address included in the authentication key request. If the authentication key request of the target terminal has not been received (S133: NO), it is determined whether or not a timeout has occurred (S135). Specifically, it is determined whether or not the elapsed time at which the counting is started in step S127 has passed a predetermined time (for example, 60 seconds). If the elapsed time has passed the predetermined time (S135: YES), the session state included in the session management record of the target terminal is set to “lock” (S137). If it is not a timeout (S135: NO), the process returns to step S133.

  When the authentication key request of the target terminal is received (S133: YES), or after execution of step S137, it is determined whether the session state included in the session management record of the target terminal is “waiting for authentication” (S139). ). When the session state is “waiting for authentication” (S139: YES), the authentication key included in the session management record of the target terminal is read from the HDD 84 (S141). The authentication key read in step S141 is transmitted to the VPN router 8 (S143).

  If the session state is set to “locked” in step S137, it is determined that the session state is not “waiting for authentication” (S139: NO), and the center authentication process is terminated. In the present embodiment, the server 3 that has received the authentication key request transmits the authentication key “qegecsz” to the VPN router 8 (see T5 in FIG. 6).

  As shown in FIG. 8, in the VPN connection process, it is determined whether or not a timeout has occurred after the execution of step S35 (S37). Specifically, it is determined whether or not the elapsed time at which the counting is started in step S35 has passed a predetermined time (for example, 10 seconds). If the elapsed time has not passed the predetermined time (S37: NO), it is determined whether or not an authentication key has been received (S39). When the authentication key is received (S39: YES), local authentication using the authentication key is executed. That is, it is determined whether or not the authentication key received in step 39 matches the authentication key stored in step S31 (S41). If the authentication keys match (S41: YES), a connection destination request including the service ID and address received from the target terminal is transmitted to the server 3 (S43). The elapsed time counted from the time of transmission of the connection destination request is started by a timer not shown (S45).

  If the authentication key has not been received (S39: NO), the process returns to step S37. If the elapsed time has passed the predetermined time (S37: YES), or if the authentication keys do not match (S41: NO), an error is transmitted to the target terminal and the server 3 (S63). The target terminal that has received the error in step S63 is notified of the failure to establish the VPN session. After the execution of step S63, the VPN connection process is terminated.

  In the present embodiment, the authentication key included in the session management record of the mobile terminal 7 and the authentication key received from the server 3 both match with “qececsz”. Therefore, the VPN router 8 that has received the authentication key transmits a connection destination request including the service ID “S001” and the address of the mobile terminal 7 to the server 3 (see T6 in FIG. 6).

  As shown in FIGS. 10 and 11, in the center authentication process, it is determined whether or not an error has been received after the execution of step S143 (S145). If no error has been received (S145: NO), it is determined whether a connection destination request for the target terminal has been received (S147). Whether or not the request is a connection destination request for the target terminal can be determined based on an address included in the connection destination request. When the connection destination request of the target terminal is received (S147: YES), the VPN connection destination of the target terminal is specified (S149). Specifically, from the record including the address of the target terminal registered in the connection destination management table 120 (that is, the connection destination management record of the target terminal), the source address corresponding to the service ID included in the connection destination request, and A certificate is identified. A connection destination instruction including the source address and certificate specified in S149 is transmitted to the target router (S151).

  If the connection destination request for the target terminal has not been received (S147: NO), the process returns to step S145. When an error is received (S145: YES), it indicates that the local authentication has failed in the target router or a timeout has occurred. Therefore, the session state included in the session management record of the target terminal is set to “lock” (S163), and the center authentication process is terminated.

  In this embodiment, the connection destination management record of the portable terminal 7 is registered in the connection destination management table 120, and includes service information related to the file providing service of the PC 2 (see FIG. 5). Therefore, the server 3 that has received the connection destination request connects the provision destination address “155.98.xxx.xxx” and the certificate “****” corresponding to the service ID “S001” to the VPN router 8. It is transmitted as a previous instruction (see T7 in FIG. 6).

  As shown in FIG. 8, in the VPN connection process, it is determined whether or not a timeout has occurred after the execution of step S45 (S47). Specifically, it is determined whether or not the elapsed time when the counting is started in step S45 has passed a predetermined time (for example, 10 seconds). If the elapsed time has not passed the predetermined time (S47: NO), it is determined whether a connection destination instruction has been received (S49). When the connection destination instruction is received (S49: YES), a VPN permission notification is transmitted to the target terminal (S51). A VPN session for connecting the target terminal and the service providing device is established by a known VPN session establishment process (S53). In step S53, a VPN session is established based on the providing source address indicated by the connection destination instruction received from the server 3. When the service providing device requests a certificate, a VPN session is established based on the certificate included in the connection destination instruction.

  When the VPN session is established, a VPN start notification is transmitted to the server 3 (S55). The VPN start notification is a signal indicating that VPN communication has been started between the target terminal and the service providing device. After execution of step S55, it is determined whether a VPN end instruction has been received (S57). The VPN end instruction is a signal transmitted from the target terminal to the target router when the user instructs the end of VPN communication at the target terminal.

  When the VPN end instruction is received (S57: YES), the VPN session connecting the target terminal and the service providing device is disconnected by a known VPN session disconnection process (S59). When the VPN session is disconnected, a VPN end notification is transmitted to the server 3 (S61). The VPN end notification is a signal indicating that VPN communication has ended between the target terminal and the service providing device.

  If the VPN end instruction has not been received (S57: NO), the process returns to step S57. When the elapsed time has passed the predetermined time (S47: YES), an error is transmitted to the target terminal and the server 3 (S63), and the VPN connection process is terminated. Even after the execution of step S61, the VPN connection process is terminated.

  In the present embodiment, the VPN router 8 that has received the connection destination instruction transmits a VPN permission notification to the mobile terminal 7 (see T8 in FIG. 6). The VPN router 8 establishes a session for connecting the portable terminal 7 and the PC 2 by communication control performed with the VPN router 5 (see T9 in FIG. 6). Thereby, the portable terminal 7 and the PC 2 can execute VPN communication via the VPN router 5 and the VPN router 8 (see T10 in FIG. 7). That is, the portable terminal 7 can receive the file providing service of the PC 2 via the VPN.

  As shown in FIGS. 10 and 11, in the center authentication process, it is determined whether or not an error has been received after the execution of step S151 (S153). If no error has been received (S153: NO), it is determined whether a VPN start notification has been received (S155). When the VPN start notification is received (S155: YES), the session state included in the session management record of the target terminal is set to “VPN communication in progress” (S157). After execution of step S157, it is determined whether a VPN end notification has been received (S159). When the VPN end notification is received (S159: YES), the session state included in the session management record of the target terminal is set to “idle” (S161).

  If the VPN end notification has not been received (S159: NO), the process returns to step S159. If the VPN start notification has not been received (S155: NO), the process returns to step S153. If an error is received (S153: YES), it indicates that a timeout has occurred in the VPN router 8. Therefore, the session state included in the session management record of the target terminal is set to “lock” (S163), and the center authentication process is terminated. Even after the execution of step S161, the VPN connection process is terminated.

  In this embodiment, when the server 3 receives the VPN start notification, the session state included in the session management record of the mobile terminal 7 is updated from “Waiting for authentication” to “VPN communication in progress” as shown in FIG. . When the server 3 receives the VPN end notification, the session state included in the session management record of the mobile terminal 7 is updated from “waiting for authentication” to “idle” (see FIG. 4). As described above, the session management table 110 manages the progress status of the center authentication process for each target terminal (that is, the progress status regarding establishment of a VPN session).

  As described above, according to the present embodiment, the server 3 that has received the center authentication request from the mobile terminal 7 via the VPN router 8 generates and stores the authentication key. The server 3 transmits an authentication success notification including the authentication key to the mobile terminal 7 via the VPN router 8. The mobile terminal 7 that has received the authentication success notification transmits a VPN connection request including the authentication key to the VPN router 8. The VPN router 8 that has received the VPN connection request transmits an authentication key request to the server 3 and acquires the authentication key stored in the server 3. When the authentication key received from the mobile terminal 7 and the authentication key acquired from the VPN router 8 match, the VPN router 8 transmits a connection destination request to the server 3 and acquires the providing source address of the PC 2. The VPN router 8 establishes a VPN session that connects the mobile terminal 7 and the PC 2 based on the provider address acquired from the server 3. Thereby, the user of the portable terminal 7 can easily access the PC 2 from the external environment via the VPN, and can limit the VPN connection target to a regular terminal device.

  Specifically, in the server 3, regular terminal devices are managed by the session management table 110. When the server 3 receives the VPN connection request from the unauthorized terminal device, the server 3 rejects the establishment of the VPN session (S111: NO). Therefore, the VPN connection target to the LAN 4 at the head office can be limited to a regular terminal device. For example, it is possible to prevent a VPN session from being established in an unauthorized terminal device connected to the VPN router 8.

  The VPN router 8 determines whether or not the authentication key received from the server 3 matches the authentication key received from the target terminal (S41). Thereby, the VPN router 8 can specify correctly whether the object terminal and the terminal device connected to the VPN router 8 are the same. During the execution of the process related to the establishment of the VPN session, for example, even when a third party performs a replacement or unauthorized operation of the mobile terminal 7 or the VPN router 8, the establishment of the VPN session can be restricted.

  In the VPN router 8, if the authentication keys do not match (S41: NO), an error is transmitted to the server 3 (S63). In the server 3, when the device authentication fails (S117: NO) or an error is received from the target router (S145: YES), the session state is set to “locked” (S129, S163). When the server 3 receives a center authentication request from the target terminal whose session state is set to “locked”, the center authentication process is terminated (S113: NO, S131), and thus the VPN session is not established. This can reduce the risk of establishing a VPN session for an unauthorized terminal device that has failed authentication.

  In the VPN router 8, when a timeout occurs (S37: YES, S47: YES), an error is transmitted to the server 3 (S63). In the server 3, when a timeout occurs (S135: YES) or when an error is received from the target router (S145: YES, S153: YES), the session state is set to “locked” (S137, S163). A VPN session is not established. For example, when a third party replaces the portable terminal 7 or the VPN router 8 or performs an illegal operation, a process relating to the establishment of the VPN session is delayed, and the timeout may occur as described above. Therefore, the possibility that a VPN session is established for an unauthorized terminal device that has timed out can be reduced.

  In the VPN router 8, when a timeout occurs (S37: YES, S47: YES), the VPN connection process is terminated. In the server 3, when the timeout occurs (S135: YES) or when an error is received from the target router (S145: YES, S153: YES), the center authentication process is terminated. That is, when a timeout occurs, the process ends without establishing a VPN session. Therefore, it is possible to suppress a delay in processing related to establishment of a VPN session, and it is possible to reduce a possibility that an unauthorized operation by a third party intervenes.

  The server 3 executes device authentication (S115) using the terminal ID and password. The VPN router 8 executes local authentication (S41) using an authentication key. That is, since authentication processing using different authentication information is executed by different devices, security can be improved. Furthermore, when the device authentication fails (S117: NO), the process ends without generating an authentication key, so that the process related to the establishment of the VPN session can be speeded up.

  In the server 3, service providing devices are managed by the connection destination management table 120. When the server 3 receives the connection destination request including the service ID (S147: NO), the server 3 transmits the source address corresponding to the service ID to the target router (S149, S151). According to this, since the service providing device that can provide the service required by the target terminal is connected to the target terminal through the VPN, various services can be provided to the user. Furthermore, since it is not necessary to manage the address of the service providing device by the target router, a VPN session can be established using a general-purpose VPN router.

  For example, when establishing a VPN session for connecting the portable terminal 7 and the PC 2, the user only needs to set a terminal ID and a password on the portable terminal 7. Therefore, the user can easily access the LAN 4 of the head office by VPN from the external environment. Moreover, if it is a legitimate terminal device, it is possible to access the LAN 4 at the headquarters by VPN using any VPN router. Therefore, since the user does not need to carry a regular VPN router, the convenience for the user can be improved.

  In the above embodiment, the portable terminal 7 corresponds to “one terminal device” of the present invention. The PC 2 corresponds to “another terminal device” of the present invention. The CPU 81 executing step S15 corresponds to the “authentication request relay unit” and the “authentication information relay unit” of the present invention. The CPU 81 executing step S33 corresponds to the “information request transmitting unit” of the present invention. The CPU 81 executing step S41 corresponds to the “session authentication means” of the present invention. The CPU 81 executing step S53 corresponds to the “session establishment means” of the present invention. The CPU 81 executing step S49 corresponds to the “address receiving means” of the present invention.

  The CPU 31 executing step S119 corresponds to the “authentication information generating unit” of the present invention. The CPU 31 executing step S123 corresponds to the “first authentication information transmitting unit” of the present invention. The HDD 34 corresponds to “authentication information storage means” and “first authentication information storage means” of the present invention. The CPU 31 executing step S143 corresponds to the “second authentication information transmitting unit” of the present invention. The CPU 31 executing step S127 corresponds to “elapsed time measuring means” of the present invention. The session management table 110 corresponds to “second authentication information storage unit” and “status information storage unit” of the present invention. The CPU 31 executing step S125 corresponds to “state setting means” of the present invention. The CPU 31 executing step S137 corresponds to “state changing means” of the present invention. The connection destination management table 120 corresponds to the “address storage unit” of the present invention. The CPU 31 executing step S149 corresponds to “address specifying means” of the present invention. The CPU 31 that executes step S151 corresponds to the “address transmission means” of the present invention. The CPU 31 executing step S115 corresponds to “terminal authentication means” of the present invention.

  In addition, this invention is not limited to the said embodiment, The change in the range which does not change the summary of invention is possible. In the above embodiment, the user inputs the terminal ID and the password with the mobile terminal 7. Instead, at least one of the terminal ID and the password may be registered in the mobile terminal 7 in advance. In this case, for example, the terminal ID can be automatically set in the center authentication request transmitted from the mobile terminal 7.

  In the above embodiment, only the mobile terminal 7 is connected to the VPN router 8, but a plurality of terminal devices may be connected to the VPN router 8. In this case, the VPN connection process (see FIG. 8) and the center authentication process (see FIGS. 10 and 11) are executed for each terminal device, so that a VPN session can be established for each terminal device. .

  In the above embodiment, the user inputs the service ID on the mobile terminal 7. Instead, a service ID registered in advance in the mobile terminal 7 may be automatically set in the VPN connection request transmitted from the mobile terminal 7. In this case, the mobile terminal 7 may automatically transmit a VPN connection request when receiving a notification of successful authentication. When there is one service information set in the connection management table of the portable terminal 7, the service ID may not be included in the VPN connection request.

1 Communication system 2 PC
3 Server 4 LAN
5 VPN router 6 Internet 7 Mobile terminal 8 VPN router 31 CPU
32 ROM
33 RAM
34 HDD
81 CPU
82 ROM
83 RAM
84 Flash memory 85 LAN interface 86 Wireless LAN interface 87 WAN interface 88 USB interface 89 LED display unit 110 Session management table 120 Connection destination management table

Claims (9)

A VPN router that is locally connected to one terminal device and connected to a server that manages a VPN session with another terminal device via a network,
An authentication request relay unit that relays an authentication request that is transmitted from the one terminal device to the server and that is an instruction for requesting whether or not the one terminal device is an establishment target of the VPN session ,
Authentication information relay means for relaying authentication information transmitted from the server to the one terminal device and unique to the one terminal device;
An instruction to request a connection to the other terminal apparatus from the one terminal apparatus, and an instruction to request the authentication information specific to the one terminal apparatus when a connection request including the authentication information is received. An information request transmitting means for transmitting an information request to the server;
When the authentication information is received from the server, session authentication means for determining whether or not the authentication information included in the connection request matches the authentication information received from the server;
Session establishment means for establishing the VPN session for connecting the one terminal device and the other terminal device on the network when the session authentication means determines that the authentication information matches. A featured VPN router.   The VPN router according to claim 1, wherein the information request transmission unit includes identification information unique to the one terminal device and transmits the identification information to the server. The connection request includes information indicating a service that the one terminal device requests to provide,
The information request transmission means includes information indicating the service included in the connection request and transmits the information request to the server,
An address receiving means for receiving an address of the other terminal device capable of providing the service from the server;
The VPN router according to claim 1 or 2, wherein the session establishing means establishes the VPN session based on the address received by the address receiving means. A server that is connected to a locally connected VPN router via a network and manages a VPN session;
When receiving from the one terminal device an authentication request that is an instruction for requesting authentication as to whether or not the one terminal device is the subject of establishment of the VPN session, the first authentication unique to the one terminal device Authentication information generating means for generating information;
First authentication information transmitting means for transmitting the first authentication information generated by the authentication information generating means to the one terminal device;
First authentication information storage means for storing the first authentication information generated by the authentication information generation means;
When receiving an information request that is an instruction to request the first authentication information from the VPN router, the second authentication that transmits the first authentication information stored in the first authentication information storage means to the VPN router. A server comprising: an information transmission unit. For the first authentication information stored in the first authentication information storage means, an elapsed time measuring means for measuring an elapsed time from the time point generated by the authentication information generating means;
Status information storage means for storing status information indicating the state of the one terminal device related to the VPN session;
State setting means for setting the status information to a first state when the authentication information is generated by the authentication information generating means;
When the elapsed time is equal to or longer than a predetermined time, the status information includes a status change unit that changes the status information from the first status to the second status,
When the status information is in the first state at the time when the information request is received from the server, the second authentication information transmitting means executes transmission of the first authentication information, while the status information is The server according to claim 4, wherein in the second state, transmission of the first authentication information is stopped. The information request includes information indicating a service that the one terminal device requests to provide,
Address storage means for storing an address of the other terminal device capable of providing the service;
Based on information indicating the service included in the information request, the one terminal device specifies the service to be provided, and the address of the other terminal device capable of providing the specified service is determined. Address specifying means for specifying with reference to the address storage means;
The server according to claim 4, further comprising: an address transmitting unit that transmits the address specified by the address specifying unit to the VPN router. The authentication request includes second authentication information set in the one terminal device,
Second authentication information storage means for storing the second authentication information registered in advance in association with the one terminal device;
If the authentication request is received from the one terminal device, whether or not the second authentication information included in the authentication request matches the second authentication information stored in the second authentication information storage unit Terminal authentication means for determining whether or not
The authentication information generating unit generates the first authentication information when the terminal authentication unit determines that the second authentication information matches, while the terminal authentication unit does not match the second authentication information. The server according to claim 4, wherein the generation of the first authentication information is stopped when it is determined.   The server according to claim 4, wherein the first identification information is an authentication key that is randomly generated each time the authentication request is received. A communication system including a server for managing a VPN session, a local connection with one terminal device, and a VPN router connected to another terminal device and the server via a network,
The VPN router
An authentication request relay unit that relays an authentication request that is transmitted from the one terminal device to the server and that is an instruction for requesting whether or not the one terminal device is an establishment target of the VPN session; ,
Authentication information relay means for relaying authentication information transmitted from the server to the one terminal device and unique to the one terminal device;
An instruction to request a connection to the other terminal apparatus from the one terminal apparatus, and an instruction to request the authentication information specific to the one terminal apparatus when a connection request including the authentication information is received. An information request transmitting means for transmitting an information request to the server;
When the authentication information is received from the server, session authentication means for determining whether or not the authentication information included in the connection request matches the authentication information received from the server;
Session establishment means for establishing the VPN session for connecting the one terminal device and the other terminal device on the network when the authentication information is judged to be coincident by the session authentication means;
The server
If the authentication request is received from the one terminal device, authentication information generating means for generating the authentication information;
First authentication information transmitting means for transmitting the authentication information generated by the authentication information generating means to the one terminal device;
Authentication information storage means for storing the authentication information generated by the authentication information generation means;
And a second authentication information transmitting means for transmitting the authentication information stored in the authentication information storage means to the VPN router when the information request is received from the VPN router. .

Images