JP2002335273A - Method, system and program for performing remote maintenance and recording medium for recording the remote maintenance performance program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a method, program and system for performing remote maintenance capable of remote maintenance on a plurality of Internet gateway terminals and their extension terminals to the utmost at the same time by way of a VPN(Virtual Private Network) on the Internet from a maintenance center while permitting duplicate local network addresses under the control, and to provide a recording medium for recording the remote maintenance execution program. SOLUTION: The method, program and system for executing remote maintenance adopts a characteristic configuration method realized such that a NAT(network address translation) 110 leading to a local network 7 is provided in a router section 11 in the Internet gateway terminal 1 to convert a global address into a local IP address for VPN NAT thereby allowing the maintenance center 9 to provide/release it.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a maintenance center connected to the Internet, and an Internet gateway terminal itself and an extension terminal such as a personal computer connected to a local network under the Internet gateway terminal using a VPN via the Internet. A remote maintenance implementation method for performing remote maintenance, a remote maintenance system directly used for the implementation,
It relates to a program and the recording medium.

[0002]

2. Description of the Related Art Conventionally, a maintenance center connected to the Internet transmits an Internet gateway terminal (hereinafter referred to as a GW terminal) itself and a personal computer (hereinafter referred to as an extension terminal) on a local network connected to the GW terminal. Maintenance method for performing remote maintenance using VPN via
PN remote maintenance).
There is a method proposed in 00-000496.

However, in the VPN remote maintenance proposed by the method of Japanese Patent Application No. 2000-000496, when remote maintenance is simultaneously performed on a plurality of information GW terminals, a local network under the target information GW terminal is required. If the address is duplicated, the flow of the remote maintenance target G from the maintenance center via VPN
When sending a packet to the W terminal and its extension terminals,
Since the target local IP address is batted, the VPN gateway on the maintenance center side cannot determine which local network to send the packet to, and simultaneously performs maintenance on a plurality of information GWs having the same local network address. It was impossible.

Therefore, as a method of simultaneously performing maintenance from a local network of a maintenance center to a plurality of information GWs having the same local network address under the maintenance center, when the internal network of each information GW is viewed from the Internet side. A method for making the local network address unique can be considered.

[0005] Specifically, a processing unit (hereinafter, referred to as "IP address for VPNNAT") for fixedly linking a local network address with a temporary network address for VPN communication with the maintenance center side (hereinafter referred to as "IP address for VPNNAT") is provided inside the information flow GW. , NATBOX). The operation will be described with reference to FIG.

In FIG. 32, a client PC (a)
In order to indicate a change in the address of a packet when IP communication is performed from VPN to the server PC (b) via VPNNAT,
First, the connection form of each node will be described. Client P
C (a) is connected to the private network (c) and has a private IP address of 192.168.2.103. The VPN gateway (d) is connected to the private network (c) and has 211.0.0.1 as a global IP address on the Internet (e) side.

[0007] The VPN router (f) is connected to the private network (g) and has 210.0.0.1 as a global IP address on the Internet side. The server PC (b) is connected to the private network (c) and has a private IP address of 192.168.1.1 to 192.168.1.254.

Further, the VPN gateway (d) and the information stream G
W (hereinafter also referred to as a VPN router) constructs a VPN tunnel (h). In the VPN gateway (d), 10.0.0.0/24 is set as a VPN target packet for the VPN tunnel (h) to the VPN router (b). In the VPN router (b), the VPN gateway (d) connects to the VPN gateway (d). 192.168.2.0/24 is set as a VPN target packet for the VPN tunnel (h).

The NATBOX (f10) is provided on the Internet (e) side as an IP address for VPNNAT.
Has addresses 10.0.0.1 to 10.0.0.254, 10.0.0.1 and 19
2.168.1.1, 10.0.0.2 and 192.168.1.2,… (omitted),…,
Static NAT is set at 10.0.0.254 and 192.168.1.254.

Here, the server PC (b) of 192.168.1.1
Focusing on, the source address 192.16 from the private network (g) side of the NATBOX (f10)
When the packet of 8.1.1 is sent, the source address is 10.
The packet is rewritten to 0.0.1 and sent to the Internet side of NATBOX (f10). When a packet addressed to the destination 10.0.0.1 arrives from the Internet (e) side of NATBOX (f10), the destination address is rewritten to 192.168.1.1. It is sent to the private network (c) side of the NATBOX (f10).

Hereinafter, the client PC (a) and the server P
It shows an address change of a packet when performing communication between C (b). Here, from the client PC (a) to the server PC
The original packet addressed to (b) is “source 192.168.
2.103: Transmission destination 10.0.0.1 "and arrives at VPN gateway (d).

Since the VPN gateway (d) receives the packet of 10.0.0.1, the VPN gateway (d) sends the VPN to the VPN router (f).
It determines that the packet is a VPN target packet for the tunnel (h), adds a new IP header of “source 211.0.0.1: destination 210.0.0.1”, and performs encapsulation. The original packet enters the data section after being encrypted. This packet is VP
VPN processing unit (f
11) is reached.

In the VPN processing unit (f11) of the VPN router, the original packet is decrypted, and the "source 192.16
8.2.103: NATBOX (f1
0). In NATBOX (f10), outside 1
Since static NAT is set at 0.0.0.1 and inside 192.168.1.1, and the destination address matches 10.0.0.1, address conversion is performed and "source 192.168.2.103: destination 19"
2.168.1.1 ", and the private network (c)
To the network. Therefore, this packet can arrive at the server PC (b).

The response original packet from the server PC (b) to the client PC (a) is transmitted as "source 192.168.1.1: destination 192.168.2.103".
Arrive at the VPN router (f). Since the VPN router (f) has received the packet of 192.168.2.0/24, it determines that the packet is a VPN target packet for the VPN tunnel (h) to the VPN gateway (d).
The packet is sent to 0).

[0015] In the NATBOX (f10), the outside 10.0.
Static NAT is set at 0.1 and inside 192.168.1.1,
Since the source address matches 192.168.1.1, the address is translated and “Source 10.0.0.1: Destination 192.168.2.
103 "and is sent to the VPN processing unit (b11).

In the VPN processing unit (f11), "the transmission source 210.
0.0.1: Destination 211.0.0.1 "and a new IP header is added to perform encapsulation. The response original packet enters the data portion after being encrypted. This packet is VP
VPN gateway (d) via N tunnel (h)
To reach. In the VPN gateway (d), the response original packet is decrypted, and the “source 10.0.0.
1: destination 192.168.2.103 "and transmitted to the private network (c). Therefore, this packet can arrive at the client PC (a).

As described above, in the case where one information flow GW (f) is provided from the maintenance center and there is one local network under the control, the private network (g) of the maintenance information center and the information flow GW are provided.
(F) A private network (c) under the
The outline of the operation when communication is performed by applying the PNNAT function has been described. (F1) in the figure is NATBOX
(F10) and a router unit composed of a VPN processing unit (f11).

Next, the information GW (f ') is sent from the maintenance center.
(F ″) When there are two subordinate private networks (g ′) and (g ″) and their private network addresses are duplicated, each flow G from the private network (c) of the maintenance center
An outline of the operation when performing communication by applying the static VPN NAT function to the private network (g ′) (g ″) under W (f ′) (f ″) will be described.

In FIG. 33, in the case where the two private networks GW (f ′) and (f ″) have the same private network network address, two static networks GW (f ′) are sent from the maintenance center using the static VPN NAT function. (F ″) shows a method of simultaneously accessing the server PCs (b1) to (b4) of the subordinate addresses.

Here, in order to show a change in the address of a packet when performing IP communication from the client PC (a) to the server PCs (b1) to (b4) via VPNNAT, first, the connection form of each node is described. explain. Client PC (a) is a private network (g ')
(G ″) and has a private IP address of 192.168.2.103.
Connected to the private network (c), and as a global IP address on the Internet (e) side
With 211.0.0.1.

The VPN router (f ') is connected to the private network (g') and has a global IP address of 210.0.0.1 on the Internet (e) side. The server PCs (b1) and (b2) are connected to the internal local network 192.168.1.0/24 of the VPN router (f ') and have private IP addresses of 192.168.1.1 to 192.168.1.254. The VPN gateway (d) and the VPN router (f ') form a VPN tunnel (h').

In the VPN gateway (d), the VP for the VPN tunnel (h ') to the VPN router (f')
10.0.0.0/24 is set as N target packet,
In the VPN router (f '), 192.168.2.0/24 is set as a VPN target packet for the VPN tunnel (h') to the VPN gateway (d).

The NATBOX (f10 ') has an IP address for VPNNAT of 10.0.0.1 to 10.0.0.254 on the Internet (e) side.
192.168.1.1, 10.0.0.2 and 192.168.1.2,…, (omitted),
..., static NAT is set at 10.0.0.254 and 192.168.1.254.

Here, the server PC of 192.168.1.1 (b
1) and (b2), NATBOX (f1
When a packet with a source address of 192.168.1.1 is sent from the private network (g ') side of (0), the source address is rewritten to 10.0.0.1 and NATBOX
(F10 ') sent to the Internet side, NATB
Destination from the Internet (e) side of OX (f10 ')
When a packet addressed to 10.0.0.1 arrives, the destination address is rewritten to 192.168.1.1 and NATBOX (f ')
To the private network side.

The VPN router (f ″) is connected to the private network (g ″) and has 210.0.1.1 as a global IP address on the Internet (e) side. The server PCs (b3) and (b4) are connected to the internal local network 192.168.1.0/24 of the VPN router (f ″) and have private IP addresses of 192.168.1.1 to 192.168.1.254.

The VPN gateway (d) and the VPN
The router (f ″) is constructing a VPN tunnel (h ″). In the VPN gateway (d), the VPN for the VPN tunnel (h ″) to the VPN router (f ″)
10.0.1.0/24 is set as the target packet, and V
In the PN router (f ″), 192.168.2, 0/24 is set as a VPN target packet for the VPN tunnel (h ″) to the VPN gateway (d).

The NATBOX (f10 ″) has an IP address for VPNNAT of 10.0.1.1 to 10.0.1.254 on the Internet (e) side.
192.168.1.1, 10.0.1.2 and 192.168.1.2,…, (omitted),
.., 10.0.1.254 and 192.168.1.254 have static NAT set.

Here, paying attention to the server PCB of 192.168.1.1, the source address 192.168.1. From the private network (g ″) side of the NATBOX (f ″).
When the packet of 1 is sent, the source address is 10.0.1.
1 is sent to the Internet (e) side of the NATBOX (f ″), and when a packet addressed to the destination 10.0.1.1 arrives from the Internet (e) side of the NATBOX (f ″), the destination address is 192.168. It is rewritten to 1.1 and sent to the private network (g ") side of NATBOX (f").

As described above, the information GW (f ') is sent from the maintenance center.
(F ″) When there are two subordinate private networks (g ′) and (g ″) and their private network addresses are duplicated, each flow G from the private network (c) of the maintenance center
The operation outline in the case of performing communication by applying the static VPN NAT function to the private network (g ′) (g ″) under W (f ′) (f ″) has been described.

Needless to say, the above-mentioned "Jiyu GW"
In the case where there are two subordinate private networks and their private network addresses are duplicated, the operation is as follows: "Now, there are N private networks under the control of GWN (N is an arbitrary natural number). When private network addresses are duplicated ".

Therefore, in the method shown in FIG.
When remote maintenance is simultaneously performed on a plurality of information GW terminals (VPN routers) by accessing the maintenance center after constructing a NAT, the private network addresses under the target information GW terminals are duplicated. Even when the maintenance center sends a packet from the maintenance center to the remote maintenance target information GW terminal via VPN and the extension terminal (server PC) under the GW terminal, the target private IP address is assigned on the Internet side of the NATBOX assigned with the static VPN NAT. By sending the packet to the address, the VPN gateway on the maintenance center side can determine which private network the packet can be sent to, and simultaneously perform maintenance on a plurality of GW terminals having the same private network address. But The ability. Hereinafter, this is referred to as “static VP
NNAT method ".

Further, in the VPN remote maintenance proposed in Japanese Patent Application No. 2000-000496, it is essential that the global GW terminal knows the global IP address of the VPN gateway of the maintenance center in advance, and a countermeasure for that. In this regard, a method has been adopted in which the global IP address of the VPN gateway is embedded in the information gateway GW terminal before shipping.

[0033]

However, in the case where the private network of the maintenance center accesses all the private networks under the information GW terminal by the above-described "static VPN NAT" method, the information GW terminal and the information GW terminal must be connected to each other. When a VPN is constructed between VPN gateways, it is necessary to assign a VPNNAT IP address and a real network IP address of a private network in the information gateway GW terminal in advance using a static VPNNAT.

In this case, it is necessary to allocate in advance the VPN NAT IP address resources (private IP addresses) uniquely managed by the maintenance center by the number of terminals of the private network under the information processing GW terminal to be maintained. A very large number of IP address resources for VPNNAT are required for the number of target terminals for performing the above. That is, in the static VPN NAT method, when private IP addresses of the same class are used, only the extension terminals under the control of approximately 16.7 million current GW terminals are remote maintenance target terminals.

For example, using a private address of the same class as an IP address resource for VPNNAT,
If the subnet mask of the private network under the GW terminal is 24 bits, the maximum is about 65,000
When the subnet mask of the private network under the 1000 subscribed GW terminal is all 16 bits, there is a restriction that only terminals under the subscribed GW terminal with a maximum of about 256 subscriptions can be targeted for maintenance.

[0036] In addition, using the static VPN NAT method, the V method proposed by Japanese Patent Application No. 2000-000496 is proposed.
When performing PN remote maintenance, there has been a problem that all the extension terminal resources under the information GW terminal requesting the remote maintenance can be accessed from the maintenance center.

When the number of installation notices of VPN remote maintenance increases and the number of simultaneous users of the VPN remote maintenance service exceeds the number of permissible VPN sessions of the VPN gateway, it is necessary to add and install a VPN gateway on the maintenance center side. Yes, in that case, there is no means for setting the terminal to the global IP address of the VPN gateway. Also, the method of notifying the Internet gateway administrator of the VPN gateway address of the maintenance center by some means and manually setting the VPN gateway address is not applicable to VPN remote maintenance because remote maintenance requires manual labor. There was a point.

Here, the main objects to be solved by the present invention are as follows.

A first object of the present invention is to simultaneously perform remote maintenance of a plurality of information GW terminals and their extension terminals from a maintenance center via a VPN of the Internet, which allow duplication of subordinate private (local) network addresses. The maintenance center manages the restriction on the number of GW terminals and extension terminals that are subject to remote maintenance.
A remote maintenance method, system, program, and recording medium that allow the upper limit of the P address resource and allow remote maintenance of as many GW terminals as possible and extension terminals under the GW terminal at the same time are provided. Is what you do.

A second object of the present invention is to implement remote maintenance which does not require prior allocation of VPNNAT required IP address resources uniquely managed by the maintenance center by the number of private networks under the information processing GW terminal to be maintained. It is intended to provide a method, a system, a program, and a recording medium.

A third object of the present invention is to provide a remote control system in which, when VPN remote maintenance is performed, access to all extension terminal resources under the GW terminal requesting remote maintenance from the maintenance center does not occur. It is intended to provide a maintenance execution method, a system, a program, and a recording medium.

A fourth object of the present invention is to increase the number of notices of installation of VPN remote maintenance, and to allow simultaneous users of VPN remote maintenance to use the allowable VP of the VPN gateway.
If the number of sessions exceeds N, it is necessary to add and install a VPN gateway on the maintenance center side. In that case, a remote maintenance execution method in which the global IP address of the VPN gateway is set in the terminal,
It is intended to provide systems, programs and recording media.

Other objects of the present invention will become apparent from the description of the specification, the drawings, and particularly from the claims.

[0044]

SUMMARY OF THE INVENTION In order to solve the above-mentioned problems, the method of the present invention provides an IP connection with an arbitrary number of extension terminals by each local network to be controlled by respective Internet gateway terminals, while the respective Internet networks are controlled. IPse for realizing a VPN session at the network layer of the OSI reference model between a gateway terminal and a VPN gateway via the Internet
is a method of performing remote maintenance from a single maintenance center including the VPN gateway by establishing the local network and the VP in the router unit of the Internet gateway terminal.
A characteristic configuration method in which a VPNNAT is provided between the N processing unit and a global address is assigned and released from the maintenance center as a VPNNAT local IP address, a plurality of Internet gateways connected to the Internet The terminal itself and the extension terminal IP-connected to the local network under the terminal,
A method for performing remote maintenance from a single maintenance server under the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the Internet gateway terminal and the VPN gateway connected to the Internet Before constructing a VPN, the maintenance center, which has received a VPN construction request from the Internet gateway terminal, dynamically selects a VPN gateway having a free VPN resource from a plurality of VPN gateways under the maintenance center. Then, the Internet gateway terminal notifies the global IP address of the selected VPN gateway to the Internet gateway terminal, and the Internet gateway terminal transmits the notified global IP address to the VPN pair. By setting as a host, implementing the remote maintenance, take the characteristic construction technique.

In order to solve the above-mentioned problems, the system of the present invention makes an IP connection with an arbitrary number of extension terminals via each local network to be controlled by each Internet gateway terminal, and at the same time, via each Internet gateway terminal and the Internet. A remote maintenance from a single maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the VPN gateways. A VPN NAT unit is provided between the local network and the VPN processing unit in the unit, and a global address is assigned as a VPN NAT local IP address from the maintenance center. Configuration means, a plurality of Internet gateway terminals connected to the Internet, and extension terminals connected to the local network under the system by IP connection to the Internet gateway terminal and the Internet. OSI between configured VPN gateways
By establishing IPsec for realizing a VPN session in the network layer of the reference model,
A system for performing remote maintenance from a single maintenance server under the N gateway, wherein when a request for VPN construction is received from the Internet gateway terminal,
A VPN gateway having a free VPN resource is dynamically selected from a plurality of VPN gateways under its own, and a global I of the selected VPN gateway is selected.
The maintenance center for notifying the P-address to the Internet gateway terminal that made the request, and making a request for the VPN construction to the maintenance center, and the selected center notified to the request from the maintenance center. A characteristic configuration means is provided which includes the Internet gateway terminal which sets a global IP address of a VPN gateway as a host opposite to the VPN.

In order to solve the above-mentioned problems, the program according to the present invention makes an IP connection with an arbitrary number of extension terminals via each local network to be controlled by each Internet gateway terminal, and at the same time, via each Internet gateway terminal and the Internet. VPN
By establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the gateways, a system for performing remote maintenance from a maintenance center including the VPN gateway is used by the Internet gateway terminal and the maintenance center. VPN address on global side by program
A characteristic configuration procedure in which various processing procedures for giving and releasing from the maintenance center as a NAT local IP address were executed, and a plurality of Internet gateway terminals connected to the Internet and a local network under the IP connection were connected. An IPsec that implements a VPN session between the Internet gateway terminal and a VPN gateway connected to the Internet at the network layer of the OSI reference model between the Internet gateway terminal and the VPN gateway connected to the Internet
In a system that performs remote maintenance from a single maintenance server under the VPN gateway, the Internet gateway terminal makes a VPNGW address request using a program used in the maintenance center. And the VPN gateway address notified from the maintenance server in response to the VPNGW address request.
As a remote host of N, a processing procedure to be set in its own router unit, and when the VPNGW address request is received, VPs are transmitted from a plurality of VPN gateways under its own control.
A characteristic configuration procedure of dynamically selecting a VPN gateway having N free resources and notifying the global IP address of the VPN gateway to the Internet gateway terminal that has made the request for the VPN gateway address is taken. .

In order to solve the above problems, the recording medium of the present invention takes a characteristic configuration procedure in which a series of completion procedures are actually recorded by the program of the present invention.

More specifically, in order to solve the problem, the present invention provides the following novel characteristic configuration methods,
By taking measures, procedures or procedures, the above objectives are achieved.

A first feature of the method of the present invention is that each local network is IP-connected to an arbitrary number of extension terminals under the control of the respective Internet gateway terminals, while being connected to the respective Internet gateway terminals via the Internet. OS between VPN gateways
By establishing IPsec for realizing a VPN session in the network layer of the I reference model,
A method for performing remote maintenance from a maintenance center including a PN gateway, wherein a VP is provided between the local network and a VPN processing unit in a router unit of each of the Internet gateway terminals.
NNAT is provided and the global address is VPNNA
The present invention resides in adopting a configuration of a remote maintenance execution method for performing the remote maintenance by giving and releasing a local IP address for T from the maintenance server of the maintenance center.

According to a second feature of the method of the present invention, the request for the remote maintenance in the method of the first feature of the method of the present invention is such that the Internet gateway terminal making the request is an extension whose remote maintenance is to be performed. When the terminal name and the global IP address of the Internet gateway terminal are notified to the maintenance server as a remote maintenance request command,
The VPN assigned to the extension terminal to be notified of the remote maintenance by the maintenance server having received the notification.
The NAT local IP address and the extension terminal name are returned to the Internet gateway terminal that sent the notification as a remote maintenance request response, and the IPsec shared with the Internet gateway terminal's global IP address at the time of the installation notification. VP using IPsec using authentication key
N VPN is set to its own VPN gateway, and a packet addressed to the local IP address for VPNNAT is sent to the VPN gateway.
Perform the setting to be the target packet for VPN processing of the tunnel,
The Internet gateway terminal that has received the response obtains the real local IP address corresponding to the extension terminal name, and sets the real local IP address and the VPNNAT local IP address corresponding to the extension terminal name as static NAT, and The present invention resides in adoption of a configuration of a remote maintenance execution method that sequentially performs the above series of processes for setting a router unit.

According to a third feature of the method of the present invention, the execution of the remote maintenance in the second feature of the method of the present invention is performed by using the VPNNAT local IP address to the extension terminal to be subjected to the remote maintenance. The present invention resides in adopting a configuration of a remote maintenance execution method performed from the maintenance center via the established VPN tunnel.

According to a fourth feature of the method of the present invention, the end of the remote maintenance in the second or third feature of the method of the present invention is performed by first setting the local IP address for VPNNAT.
Via the established VPN tunnel with the address,
A remote maintenance end command is transmitted to the server unit of the Internet gateway terminal that has established the VPN tunnel, and the server unit that has received the transmission performs a process related to the remote maintenance end command, The maintenance server that has transmitted the maintenance end response, and thereafter receives the remote maintenance end response, makes a first determination as to whether all the maintenance for the extension terminal has been completed, and if the first determination is affirmative, The terminated extension terminal makes a second determination as to whether the terminal unit is one of the server unit and the router unit of the Internet gateway terminal. If the determination is negative, the determination process ends, and the second determination determines negative. In the case of, the process shifts to VPNNAT release processing, while in the case of affirmative, A third determination is made as to whether or not all remote maintenance for the Internet gateway terminal has been completed. If the third determination is affirmative, the process proceeds to a VPN termination process, and if the third determination is negative, the determination process ends. The present invention resides in adopting a configuration of a remote maintenance execution method that sequentially executes the above series of processes.

A fifth feature of the method of the present invention is that the VPNNAT release processing in the fourth feature of the method of the present invention is as follows.
First, the maintenance server releases the local IP address for VPNNAT for the extension terminal name of the remote maintenance target set at the time of the remote maintenance request from the VPN processing target packet to the established VPN tunnel, After notifying the Internet gateway terminal of the name of the extension terminal to be subjected to the remote maintenance, the Internet gateway terminal having received the notification obtains a real local IP address corresponding to the received extension terminal name, and
Release of static NAT with the local address for PNNAT, and subsequently, the maintenance server makes the third determination, and according to the result of the determination, sequentially executes the above series of processing. It is in.

According to a sixth feature of the method of the present invention, the VPN termination processing in the fourth or fifth feature of the method of the present invention is characterized in that the maintenance server uses the Internet gateway as a VPN termination command to terminate an IPsec session. Notifying the terminal, the Internet gateway terminal having received the notification transmits a response to the VPN termination command to the maintenance server as a VPN termination response, and the maintenance server responds to the VPN gateway with the remote maintenance request. The configuration of the remote maintenance execution method which sequentially executes the above series of processes, which releases the VPN tunnel set at the time of the termination and terminates the VPN tunnel process established between the VPN gateway and the Internet gateway terminal, is adopted. It is in.

A seventh feature of the method of the present invention resides in that the installation notice in the second, third, fourth, fifth or sixth feature of the method of the present invention is such that the installation notice of the newly installed Internet gateway terminal is provided. From the server unit, the installation server notifies the maintenance server of the installation notification command for the installation, and the maintenance server having received the installation notification command generates an IPsec authentication key that is common information for the remote maintenance. The Internet gateway terminal that has responded to the Internet gateway terminal that has notified the installation notification command, and that has received the response, sets an IPsec authentication key in its own router unit. The present invention resides in adopting a configuration of a remote maintenance implementation method that is implemented.

According to an eighth feature of the method of the present invention, the method of the second, third, fourth, fifth, sixth or seventh feature of the present invention is characterized in that: In one of the setting notifications, a configuration of a remote maintenance execution method in which VPNNAT setting processing is performed on the server unit and the router unit of the Internet gateway terminal.

A ninth feature of the method of the present invention is that the method of the second, third, fourth, fifth, sixth, seventh or eighth feature of the method of the present invention is the same as that of the Internet gateway terminal. When the occurrence of a failure is detected, first, the Internet gateway terminal transmits information on the failure to the maintenance server as a failure notification command, and then, when the maintenance server receives the failure notification command, Processing the information pertaining to the above, transmitting as a failure notification response to the Internet gateway terminal that transmitted the failure notification command, and further, the Internet gateway terminal that has received the failure notification response shifts to the remote maintenance request, Configuration adoption of a remote maintenance implementation method that sequentially performs the above series of processes A.

The tenth feature of the method of the present invention resides in that a plurality of Internet gateway terminals connected to the Internet and an extension terminal IP-connected to a local network under the Internet gateway terminal are connected to the Internet gateway terminal and the Internet. VP at the network layer of the OSI reference model between VPN gateways
A method for performing remote maintenance from a single maintenance server under the VPN gateway by establishing IPsec realizing N sessions, comprising:
Before constructing the N, the maintenance center, which has received the VPN construction request from the Internet gateway terminal, dynamically selects a VPN gateway having an available VPN resource from a plurality of VPN gateways under the maintenance center, and performs the selection. Notify the Internet gateway terminal of the global IP address of the VPN gateway,
The Internet gateway terminal is configured to adopt the configuration of a remote maintenance execution method for performing the remote maintenance by setting the notified global IP address as a host opposite to the VPN. (Corresponding to claim 21)

The first feature of the system of the present invention is that each local network is connected to an arbitrary number of extension terminals by IP and is controlled by each Internet gateway terminal, while the respective Internet gateway terminals are connected to the Internet via the Internet. By establishing IPsec for realizing a VPN session at the network layer of the OSI reference model between VPN gateways,
A system for performing remote maintenance from a maintenance center including a PN gateway, wherein a NAT is provided between a local network and a VPN processing unit in a router unit of the Internet gateway terminal, and a global address is used as a VPNNAT local IP address. The present invention resides in adopting a configuration of a remote maintenance execution system constructed by constructing a system with a functional configuration for giving and releasing from the maintenance center.

A second feature of the system of the present invention is that the maintenance center according to the first feature of the above-mentioned system of the present invention receives the notification of the name of the extension terminal to be remotely maintained from the Internet gateway terminal, and A maintenance server for assigning a VPNNAT local address for VPN access corresponding to the extension terminal name, a remote maintenance device for performing the remote maintenance, and a remote maintenance target extension terminal name from the remote maintenance device. The present invention resides in adoption of a configuration of a remote maintenance execution system in which a network is constructed in a maintenance center local network with a VPN gateway via access to a local IP address for VPNNAT.

A third feature of the system of the present invention is that the internet gateway terminal in the first or second feature of the above-mentioned system of the present invention is a server unit that notifies the maintenance center of the name of an extension terminal to be remotely maintained,
As a result of the notification, the local IP address for VPNNAT for VPN access and the IP of the extension terminal name of the remote maintenance target given from the maintenance center
A VPN NAT for allocating an address, a VPN gateway of the maintenance center and a router of a VPN processing unit for establishing a VPN tunnel, and a local IP address for a VPN NAT for a remote maintenance target terminal name via the VPN gateway. In this case, the remote maintenance device that performs the remote maintenance enables a packet to be transferred to the extension terminal from the remote maintenance device.

A fourth feature of the system of the present invention is that a plurality of Internet gateway terminals connected to the Internet and an extension terminal IP-connected to a local network under the Internet gateway terminal are connected to the Internet gateway terminal and the Internet. V at the network layer of the OSI reference model between VPN gateways
A system for performing remote maintenance from a single maintenance server under the VPN gateway by establishing IPsec for realizing a PN session. When a request for VPN construction is received from the Internet gateway terminal, a plurality of VPNs under the VPN gateway are received. A maintenance center for dynamically selecting a VPN gateway having a free VPN resource from the VPN gateway, and notifying the Internet gateway terminal of the request of the global IP address of the selected VPN gateway; and the maintenance center. To the VPN construction request, and the global IP address of the selected VPN gateway notified from the maintenance center in response to the request.
The present invention resides in adoption of a configuration of a remote maintenance execution system including the Internet gateway terminal for setting an address as a host opposite to the VPN.
(Corresponding to claim 22)

The first feature of the program of the present invention is that each local network is connected to an arbitrary number of extension terminals by IP and controlled by each Internet gateway terminal, while the respective Internet gateway terminals are connected to the Internet via the Internet. A program used in the Internet gateway terminal in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the VPN gateways, After the Internet gateway terminal is installed,
When the remote maintenance service is used, the Internet gateway terminal performs an installation notification process for notifying the maintenance center that the installation has been performed, thereby executing the installation notification to the maintenance server of the maintenance center regarding the installation. After notifying the command,
Upon receiving a response to the installation notification command from the maintenance server, the IP received as the response
The present invention resides in adoption of a configuration of a remote maintenance execution program which takes a series of steps to set an authentication key for sec in its own router unit.

A second feature of the program of the present invention is that each local network is connected to an arbitrary number of extension terminals by IP and is controlled by each Internet gateway terminal, while the respective Internet gateway terminals are connected to each other via the Internet. A program used in the Internet gateway terminal in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the VPN gateways. ,
The program for causing the Internet gateway terminal to perform a remote maintenance request process for requesting remote maintenance by one of WEB access to the Internet gateway terminal from the internal terminal and a button operation by an operator of the Internet gateway terminal. By executing, after notifying the extension server being a remote maintenance target and the global IP address of the Internet gateway terminal to the maintenance server as a remote maintenance request command, receiving a response to the remote maintenance request command, Received,
The real local IP address corresponding to the extension terminal name is obtained, and the real local IP address corresponding to the extension terminal name and the VPNNAT local I received as the response are obtained.
The present invention resides in adoption of a configuration of a remote maintenance execution program that performs the above series of steps for setting a P address and a static NAT.

A third feature of the program of the present invention is that each local network is connected to an arbitrary number of extension terminals by IP and is controlled by each Internet gateway terminal, while the respective Internet gateway terminals are connected to each other via the Internet. A program used in the Internet gateway terminal in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the VPN gateways. ,
By executing the program that causes the interface gateway terminal that has received the notification to perform a remote maintenance end process related to the notification that the remote maintenance work performed by the maintenance center has ended, the remote control from the maintenance center is performed. When the maintenance end command is received, the remote maintenance end command is processed, a remote maintenance end response is transmitted, and the remote maintenance target extension terminal name is notified from the maintenance center as a VPN release command. Obtains the real local IP address corresponding to the received extension terminal name, and obtains the obtained real local IP address.
The present invention resides in adopting a configuration of a remote maintenance execution program which performs a series of the above-described procedures for releasing a static NAT between a P address and a VPN NAT local address.

A fourth feature of the program according to the present invention is that each local network is connected to an arbitrary number of extension terminals by IP and is controlled by each Internet gateway terminal, while the respective Internet gateway terminals are connected to the Internet via the Internet. A program used in the maintenance center in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the VPN gateways, By executing the program for causing the maintenance server to execute a remote maintenance request process corresponding to the remote maintenance request, the request is received, and the remote server corresponding to the remote maintenance request is received. A local IP address for VPNNAT and the name of the extension terminal to be assigned to the extension terminal to be maintained are transmitted as a remote maintenance request response to the Internet gateway terminal that has made the request, and between the local IP address and the global IP address of the Internet gateway terminal. I shared in
Instructs its own VPN gateway to establish a VPN tunnel by IPsec using a Psec authentication key, and transmits a packet addressed to the local IP address for VPN NAT to the VPN gateway itself by the VPN tunnel established by the instruction. The configuration of the remote maintenance execution program is performed by performing the above series of procedures for setting the packet to be subjected to the VPN processing.

A fifth feature of the program of the present invention is that each local network is connected to an arbitrary number of extension terminals by IP and is controlled by each Internet gateway terminal, while the respective Internet gateway terminals are connected to the Internet via the Internet. A program used by the maintenance center in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the VPN gateways. By executing the program that causes the maintenance center to perform a setting notification command process for processing an installation notification command from the newly installed Internet gateway terminal, according to the installation notification command, A configuration of a remote maintenance implementation program that generates an IPsec authentication key that is common information for remote maintenance and responds to the Internet gateway terminal that has notified the installation notification command by performing the above series of procedures. It is in.

A sixth feature of the program of the present invention is that each local network is IP-connected to an arbitrary number of extension terminals under the control of the respective Internet gateway terminals, while the respective Internet gateway terminals and the respective Internet gateway terminals are controlled via the Internet. By establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between VPN gateways, a program used in the maintenance center in a system that performs remote maintenance from a single maintenance center including the VPN gateway. The program causing the maintenance server to execute a remote maintenance end process for notifying that the remote maintenance work has been completed when an end button in the maintenance center is pressed. By executing the command, a remote maintenance end command is transmitted to the server unit of the Internet gateway terminal that has established the VPN tunnel via the VPN tunnel established with the VPNNAT local IP address, and then the remote maintenance end is performed. Is received, a first determination is made as to whether all the maintenance for the extension terminal has been completed, and if the first determination is affirmative, the completed extension terminal is the server unit of the Internet gateway terminal. Or a router unit, while if not, this program is terminated.
If the second determination is negative, the process shifts to VPNNAT release processing, while if affirmative, a third determination is made as to whether all remote maintenance for the corresponding Internet gateway terminal has been completed. If the determination is affirmative, the process shifts to the VPN termination process, while if the determination is negative, the program is terminated.

A seventh feature of the program of the present invention is the VPNNAT according to the sixth feature of the program of the present invention.
Release processing is performed for the remote maintenance target extension terminal name set in response to the remote maintenance request.
The VP that has established the local IP address for NNAT
A series of steps is performed to the VPN gateway so as to release the packet from the VPN processing target to the N tunnel, to the Internet gateway terminal of the extension terminal name of the remote maintenance target, and thereafter returning to the third judgment. The VPN termination processing transmits the termination of the IPsec session as a VPN termination command to the Internet gateway terminal, and sends the VPN gateway the VPN tunnel set at the time of the remote maintenance execution request to the VPN gateway. The present invention lies in the configuration of a remote maintenance execution program, which is a series of processes for canceling the VPN tunnel and establishing the VPN tunnel process established between the VPN gateway and the Internet gateway terminal.

The eighth feature of the program of the present invention resides in that a plurality of Internet gateway terminals connected to the Internet and local networks under the Internet gateway terminals have IP addresses.
By establishing IPsec for realizing a VPN session in the network layer of the OSI reference model between the Internet gateway terminal and the VPN gateway connected to the Internet, the connected extension terminal can perform a single maintenance under the VPN gateway. In a system that performs remote maintenance from a server,
A program used in the Internet gateway terminal, the VPN requesting a VPN gateway address by either registering a remote maintenance request from the extension terminal or operating a button of the Internet gateway terminal body by an Internet gateway terminal administrator. By executing the program for causing the Internet gateway terminal to perform the gateway address request processing, the V
When a request for a PN gateway address is made and a VPN gateway address request response to the request is received from the maintenance center, the VPN gateway global IP address received as the VPN gateway address request response is used as the opposite host of the VPN and its own router. The present invention is configured to adopt a configuration of a remote maintenance execution program which is set in a unit and performs the above-described series of procedures for processing the remote maintenance request. (Corresponding to claim 23)

A ninth feature of the program of the present invention resides in that a plurality of Internet gateway terminals connected to the Internet and a local network under the Internet gateway terminals have IP addresses.
The connected extension terminal is transferred between the Internet gateway terminal and the VPN gateway connected to the Internet in the network layer of the OSI reference model.
A program used in the maintenance center in a system for performing remote maintenance from a single maintenance server under the VPN gateway by establishing IPsec for realizing N sessions, wherein the program is a VPN gateway from the Internet gateway terminal. V, which is a process in the maintenance center accompanying the address request
When the VPN gateway address request is received from the Internet gateway terminal by executing the program for causing the maintenance center to perform the PN gateway address request processing, the VPN gateway having the VPN free resource is transmitted from the plurality of VPN gateways under its control. The present invention resides in adopting a configuration of a remote maintenance execution program which dynamically selects and notifies a global IP address of the VPN gateway to an Internet gateway terminal which has made a request for the VPN gateway address, and which performs the above series of procedures. (Corresponding to claim 24)

A first feature of the recording medium of the present invention is that a series of procedures by the program according to the first, second, third, fourth, fifth, sixth or seventh feature of the program of the present invention are actually recorded. The present invention resides in the adoption of a configuration of a recording medium on which a remote maintenance execution program is recorded.

A second feature of the recording medium of the present invention is that the configuration of the recording medium which records a remote maintenance execution program in which a series of procedures by the program according to the seventh or ninth feature of the present invention program is recorded. It is in. (Corresponding to claim 25)

[0074]

DESCRIPTION OF THE PREFERRED EMBODIMENTS Embodiments of the present invention will be described below in detail with reference to the accompanying drawings with respect to examples of systems, methods, recording media, and programs.

(Example of System) FIG. 1 shows a configuration diagram of an example of a remote maintenance execution system according to an embodiment of the present invention. The remote maintenance system includes an Internet gateway terminal 1 (hereinafter referred to as a GW terminal), extension terminals 2a to 2n (n represents an arbitrary natural number), a maintenance server 3, a remote maintenance device 4, and a VPN gateway 5 (5a to 5n). The system is constructed from five nodes.

It is assumed that the information GW terminal 1 normally communicates with both the Internet 6 (WAN) and the local network extension (LAN) 7 by TCP / IP. In addition, it is necessary to have a function of establishing a VPN with the VPN gateway 5 (5a to 5n) on the LAN 8 on the maintenance server 3 side.

An object called a conventional router f or application gateway is an object. Objects that do not perform TCP / IP communication by themselves, such as the conventional ISDN-Minar adapter, are not targeted. In the following description, the term “terminal” simply refers to the information GW terminal 1.

The extension terminals 2a to 2n communicate with the information GW
PC (PC) connected to extension LAN 7 under terminal 1
And the like (terminal). The server unit 10 and the router unit 11 included in the mainstream GW terminal 1 connected to the extension LAN 7 are also treated as extension terminals 2a to 2n. The maintenance center 9 includes a maintenance server 3, a remote maintenance device 4,
It is a general term for centers that perform remote maintenance with the PN gateway 5 (5a to 5n) as a component.

The maintenance server 3 is a server on the Internet 6 for managing information relating to remote maintenance of the information GW terminal 1 and the extension terminals 2a to 2n. The LA on which the Internet 6 and the remote maintenance device 4 exist is located.
Each N8 has a LAN interface.

The remote maintenance device 4 is an operating device for performing remote maintenance of the information GW terminal 1 and the extension terminals 2a to 2n, and is assumed to have a WEB browser function. The VPN gateway 5a
5 to 5n are VPN gateway devices for constructing a VPN connecting the information GW terminal 1 and the maintenance center 9 via the Internet 6.

The information GW terminal 1 includes an http server unit 100 for performing http server processing, a CGI processing unit 101 called from the http server for internal processing, and a router setting for issuing a control command to the router unit 11. It comprises a processing unit 102, a server unit 10 including a command transmission processing unit 103 for transmitting a command to the maintenance server 3, and a router unit 11 for controlling IP router processing including IPsec.

The maintenance server 3 sends the http from the terminal 1
http server unit 30 for receiving the p command, http
It comprises a CGI processing unit 31 that is called from the p server unit 30 and performs internal processing, and a VPN gateway setting processing unit 32 that issues a telnet command to the VPN gateway 1. The VPN gateways 5a to 5n include a VPN processing unit 50 for performing a VPN session with the router unit 11 of the terminal 1, and a setting command reception processing unit 51 for receiving a telnet command from the maintenance server 3.

The remote maintenance device 4 comprises a maintenance command processing unit 40 for sending a command to the server unit 10 of the terminal 1 using the http protocol or the like. Using the maintenance server 3, the VPN gateways 5a to 5n, and the remote maintenance device 4 described above, a plurality of information GW terminals 1 and their extension terminals 2a are transmitted from the maintenance center 9 via the VPN tunnel 12 of the Internet 6. When remote maintenance is performed on the remote maintenance of .about.2n, VPN remote maintenance is realized at the same time, regardless of the local network address under the information GW terminal 1.

(Method Example) VPN remote maintenance in this method example applied to the system example includes installation notification processing, VPNGW address request, remote maintenance request processing, remote maintenance end processing, V
The seven “notification commands and responses” of the PNNAT release processing, the VPN termination processing, and the failure notification processing, and “remote maintenance execution” actually performed by the operator of the maintenance center 9 (in this remote maintenance protocol, the actual maintenance is performed). The protocol of the work is not particularly defined, and may be a general-purpose application or a unique protocol as long as TCP / IP is used.)

Here, the seven communication protocols other than the remote maintenance implementation are merely techniques for performing the actual maintenance work (hereinafter, remote maintenance implementation), and the gist is as follows.

That is, the first point is that the extension terminals 2a to 2n to be maintained from the remote maintenance device 4
To the TCP / I using the VPN tunnel 12
At this time, an IP connection from the remote maintenance device 4 of the maintenance center 9 to the extension terminals 2a to 2n to be maintained is performed in the router unit 11 using the local IP address for VPNNAT. By performing the above-described VPNNAT 110, the above-described access to the plurality of information GW terminals 1 can be reliably performed even when the IP addresses under the same are duplicated. However, it is a restriction that an application that cannot be executed via the NAT cannot be executed.

The second purpose is that the remote maintenance device 4 uses the VPN tunnel 12 to perform an application using the TCP / IP protocol to the extension terminals 2a to 2n to be maintained. Even if the VPN gateways 5a to 5n of the center 9 have their addresses changed due to expansion or the like, any VPN gateway 5a can be sent from the remote maintenance device 4.
Through 5n and the Internet gateway, the IP connection to the extension terminal to be maintained is reliably executed.

Hereinafter, in order to achieve the first gist,
An example of the method will be described below with reference to the drawings. The present method example is to dynamically assign a VPNNAT local IP address to the VPNNAT 110 functioning in the router unit 11. An outline of a function of dynamically assigning a VPNNAT local IP address to the VPNNAT 110 will be described with reference to FIG.

First, the maintenance center 9 is notified of the extension terminals 2a to 2n of the remote maintenance target terminals.
Then, the maintenance center 9 sends the information G to the information GW terminal 1.
A local IP address (10.0.0.1) for VPN access for VPN access corresponding to the remote maintenance target extension terminals 2a to 2n is assigned via the server unit 10 of the W terminal 1. This is basically done at the time of the remote maintenance request.

Next, the VPNNAT local IP address and the remote maintenance extension terminals 2a to 2n
Is assigned by the static NAT 110. This is also performed upon a remote maintenance request. Next, the local IP address for VPNNAT is accessed through the VPN tunnel 12 when remote maintenance is performed. Then, as shown in (1), the packet is transferred to the remote maintenance target extension terminals 2a to 2n and becomes accessible.

As described above, even if the local IP address for the VPNNAT is not statically assigned in advance, the VPNN
By assigning the local IP address for AT, access to a plurality of information GW terminals 1 can be performed simultaneously even when the IP addresses under the same are duplicated.

Hereinafter, as an example of a method for achieving the second purpose, prior to VPN construction, the maintenance center 9 dynamically sends a VPN gateway 5i having an empty VPN resource from a plurality of VPN gateways 5a to 5n under its control. Selected,
By notifying the router unit 11 of the information gateway device, the global IP address of the VPN gateway installed in the router unit 11 is dynamically set as the opposite host of the VPN.

Hereinafter, the outline of six protocols for realizing the present method example will be described. The installation notification process notifies the maintenance server 3 that the information GW terminal 1 has been installed, and the maintenance server 3 sends shared information for remote maintenance (IPsec Preshared Key, terminal authentication password (hereinafter, Secret (ID2) The main purpose is to receive)) etc. encrypted.

In order to realize the above-mentioned purpose, it is also a big object in the present method example to construct a VPN NAT 110 for the server unit 10 and the router unit 11 of the information GW terminal 1 even in the installation notification processing. .

In the VPN GW address request processing, the maintenance server 3 sends a VPN with a free VPN resource from a plurality of VPN gateways 5a to 5n under the maintenance center 9.
The gateway 5i is dynamically selected, and the global IP address of the VPN gateway 5i is notified to the information gateway GW terminal 1 as a VPN gateway notification response, and the information gateway terminal unit 11 sends the global IP address of the notified VPN gateway 5i. Setting the address as the opposite host of the VPN is also a major purpose in the present method.

The remote maintenance request processing is performed by I
The main purpose is to request the maintenance server 3 to perform remote maintenance by Psec. The maintenance target terminal corresponding to the remote maintenance request processing is
The W terminal 1 and the extension terminals 2a to 2n. Also, in order to realize the gist, the VPNNAT 1 is sent to the extension terminals 2a to 2n other than the server unit 10 and the router unit 11 of the information GW terminal 1 even in the remote maintenance request processing.
Constructing 10 is also a big gist in this example method.

The main purpose of the remote maintenance ending process is to notify the remote GW terminal 1 of the fact that the remote maintenance has actually been completed using the remote maintenance device 4.

The VPN NAT 110 release processing is intended to release the VPN NAT 110 for the extension terminals 2a to 2n other than the server unit 10 and the router unit 11 of the information GW terminal 1 for which the remote maintenance has been completed. As a result, the local IP address resources for VPNNAT can be effectively used, as will be described later. The purpose of the VPN termination process is to terminate the IPsec session.

(Example of Program and Example of Recording Medium) An example of a program and an example of a recording medium for implementing the present method will be described with reference to the drawings. Overall Processing Flow of Remote Maintenance The flow of each communication data will be described with reference to FIGS. “→” in each drawing indicates command transmission and reception in a communication sequence during installation notification processing, VPNGW address request processing, remote maintenance request processing, remote maintenance end processing, VPNNAT release processing, VPN end processing, and failure notification processing. These are the procedures and the flow of procedures.

The processing is performed only once when the emotional GW terminal 1 is installed, and triggered by the operation of the emotional GW terminal 1 installer, as shown in FIG.
The installation notification command (terminal ID,
Public key, original text, MAC) → Installation notification response (encrypted Preshared Key, encrypted Secret ID2, encryption maintainer password, local I for VPNNAT for encryption server unit)
P address, local IP address for VPNNAT for encryption router unit, local IP address for VPNNAT for encryption router unit) → router setting (VPNNAT11)
0, encrypted Preshared Key).

Thereafter, each time a user of the extension terminals 2a to 2n (hereinafter referred to as a user) thinks that a request for remote maintenance of the extension terminals 2a to 2n is made from the information GW terminal 1 to the maintenance center 9 (hereinafter referred to as a center). Each time the operation of the extension terminal user is triggered, a VPN GW address request command (terminal ID, public key, original text, MAC) of the VPN GW address request shown in FIG. 4 → VPN GW selection processing → VPN GW address request response (VPN gateway global IP address) ) → Router setting (VP
N gateway global IP address).

Next, when the processing of the VPNGW address request ends, the remote maintenance request command (terminal ID, extension terminals 2a to 2n name, information flow GW terminal global address,
Requester level, urgency, requester name, telephone number, request contents) → VPNNAT local IP address allocation processing → Routing setting for VPNNAT local IP address → IPsec setting processing → Remote maintenance request response (extension terminals 2a to 2n names) , VP
(Local IP address for NNAT, reception number) → VP
VPNNAT110 of local IP address for NNAT
The settings are made.

At the center 9, the operator confirms reception of a remote maintenance request from the remote maintenance device 4 as needed. Every time the operator decides to perform the remote maintenance for each remote maintenance request process, the remote maintenance shown in FIG. 6 is performed by the operation of the operator.

In the center 9, every time the remote maintenance for each remote maintenance request processing is completed, the operator operates the remote maintenance end command (reception number) → remote maintenance end response of the remote maintenance end processing shown in FIG. Is performed.

After the remote maintenance end processing, a VPNNAT 110 release command (extension terminals 2a to 2n names) of the VPNNAT release processing shown in FIG. Release VPNNAT setting → VPN
NAT110 release response → VPNNAT local IP address conversion processing → VPNNAT local I
The P address routing setting is released.

After the VPN NAT 110 is released, the maintenance server 3 automatically determines, if necessary, a VPN termination command for VPN termination shown in FIG. 9 → VPNNAT local IP address initialization setting → VPN termination response → VPNNAT local. IP address routing initialization → IPsec setting release is performed.

The above is the outline of the entire flow. In addition,
FIGS. 10 and 11 show the processing flows of the emotional GW terminal 1 and the maintenance center 9 when focusing on one emotional GW terminal.

That is, according to the information flow GW terminal 1 side flowchart shown in FIG. 10, the installation notification STc is STa → ST
b, the remote maintenance end processing STh is performed from the installation notification STc from STd to STe, the VPNNAT release processing STi is performed from the installation notification STc from STd to STe to STf, and the VPN end processing ST is performed.
j is STd → STe → STf → ST from installation notification STc
g, the failure notification STn is changed from the installation notification STc to ST.
d → STk → STl, the VPNGW address request STo is stepped from the installation notification STc to STd → STk or directly connected to the failure notification STn, and the remote maintenance request STm is set from the installation notification STc to STd → STk → S
Step on To or STd → STk → STl → STn → STo
, Each of which is practiced, during which time repetitions are entered as necessary.

The flowchart of the center 9 (flow GWID = N) shown in FIG.
ST1 → ST2 → ST3, VPNGW address request processing ST16: ST1 → ST2 → ST3 → ST15,
The remote maintenance request processing ST7 is from ST1 to ST2.
→ ST3 → ST15 → ST4, and failure notification processing ST8 is ST1 → ST2 → ST3 → ST15 → ST4 → ST5.
Is practiced step by step.

End of remote maintenance ST9 is ST1
→ Step ST2, VPNNAT release ST12 ends remote maintenance from ST9, ST10 → ST11, VPN end ST14, VPNNAT release ST12
From step to step ST13, each is practiced, and during that time, repetition is entered as necessary. The failure notification shown in FIG. 26 is notified when a failure occurs, but is not described here in detail because it is a process independent of the overall flow.

[Prerequisites for Performing Remote Maintenance] The following prerequisites are required to execute the present embodiment. (1) The maintenance server 3 and the terminal 1 share in advance shared secret information (hereinafter, Secret (ID)). Secret
(ID) is handled by embedding it in a ROM or the like in the terminal 1 at the time of shipment and sharing it with the maintenance server 3. Secret (ID)
Is common to all terminals 1 on which the maintenance server 3 performs remote maintenance.

(2) The router unit 11 of the terminal 1
Having an IP level VPN function such as c. Also, VP
For the N sessions, the setting of the session waiting side must be performed in advance (in the case of IPsec, it should be set as a responder). In addition, dummy data must be set for the preshared key. (3) The VPN gateway 5 of the maintenance center 9
The session establishment side must be set in advance for the session (in the case of IPsec, it must be set as an initiator).

(4) The VPN gateway 5 has a VPN function that is compatible with the router unit 11 of the terminal 1. (5) The router unit 11 of the terminal 1 must know the published global IP address (or Internet host name) of the maintenance server 3 before the installation notification. Also, the connection setting to the Internet 6 has been completed.

(6) Various settings from the router setting processing unit 102 to the router unit 11 are transmitted to a remote console (hereinafter referred to as te).
lnet) or inter-process communication (socket communication, etc.)
What you can do with (7) VPN gateway setting processing unit 3 of maintenance server 3
2. Various settings to the setting command reception processing unit 51 of the VPN gateway 5 can be performed by telnet or inter-process communication (socket communication or the like).

(8) On the maintenance server 3, VPNNAT
Has 110DB. The table is composed of a plurality of records using the VPNNAT local IP address as a key, and has an assigned information GW terminal ID / terminal name as a field. (9) The GW terminal 1 has a host table. The table is composed of a plurality of records using the extension terminals 2a to 2n as keys, and has a real IP address and a local IP address for VPNNAT as fields. In the initial state, the host table is empty.

(10) VPN GW 5 on maintenance server 3
(5a to 5n) allow a plurality of entities. One VP
NGW5 includes a plurality of VPNs permitted by the VPNGW5.
The tunnel 12 can be configured. (11) The maintenance server 3 has a VPNGW tunnel table. The table is composed of a plurality of records using the IP address of the VPN gateway 5 and the VPN tunnel number as keys, and has an assignment information GWID as a field value.

[Explanation of Processing Sequence] The procedure of each processing will be described below in detail with reference to FIGS. 3 to 9 and FIGS. 12 to 25. The numbers nn (n is an arbitrary natural number) assigned to the left in the book correspond to the step processing numbers in the figure.

<Installation Notification Processing> FIGS. 3, 12, and 13
As shown in (1), the installation notification notifies the maintenance server 3 that the terminal 1 has been installed, and the maintenance server 3 sends the shared information (Preshared Key of IPsec,
The purpose is to encrypt and receive the terminal 1 authentication password (hereinafter, Secret (ID2)) and the maintenance person password, and to set it.

[0119] Secret is used for terminal authentication processing after the installation notification processing.
Terminal 1 uses Secret (ID2) instead of (ID).
Secret (ID2) rather than Secret (ID) that is common to all
This is because the security is strengthened by using.
Also, when constructing a VPN, it is conceivable that the private IP addresses under the control of each information GW terminal 1 are duplicated. To avoid this, VPNNAT processing is performed. For that purpose, a dummy private IP address for VPN (hereinafter, referred to as
Maintenance server 3 with the VPNNAT local IP address)
Is the second purpose.

Installation notification command (terminal server unit 10 →
(Maintenance center 9) ((communication opportunity)) 1-1 After the installation of the terminal 1, when the router unit 11 completes the connection setting to the Internet 6, the operation is performed by button operation on the server unit 10. The installation notification needs to be given only once.

((Terminal Pre-Processing)) 1-2 The command transmission processing unit 103 of the server unit 10
Generate private and public keys. The algorithm uses public key cryptography such as RSA. 1-3 "Unique ID of terminal 1 + time stamp"
Create the original text for authentication from. 1-4 Generate a message authenticator (MAC) using Secret (ID) for the original text (ISO9797-1, ISO9797
-2 is desirable).

((Command transmission processing)) 1-5 Terminal 1 (server 10 / command transmission processor 1) using terminal ID, public key, original text, and MAC as parameters
03) to the maintenance server 3 (http server section 30), transmits an installation notification command as an <non-IPsec session> by an http command.

Installation notification response (maintenance server 3 → terminal server unit 10) ((maintenance server processing)) 1-6 The http server unit 30 of the maintenance server 3 passes the received command name and parameters to the CGI processing unit 31, The CGI processing unit 31 sends a Secret (ID)
Is generated (operation similar to that of the terminal 1) to confirm that it matches the received MAC (terminal authentication).

1-7 The CGI processing section 31 performs the IPsec
Randomly generates an authentication key (Preshared Key) and Secret (ID2), obtains a maintainer password from the setting file, and newly creates a record corresponding to the terminal ID in the terminal 1DB (if it already exists, Overwrite), and hold in each field of the record.

1-8 CGI processing section 31
Two local IP addresses for a free VPN NAT are selected from the TDB 91 for the server unit 10 and the router unit 11, and the current GW terminal I is set in the assignment status field of the record.
While holding the D / terminal name, the local IP address for the VPNNAT is stored in the local IP address for the VPNNAT and the local IP address for the VPNNAT in the server unit 10 of the terminal 1DB.

1-9 The CGI processing unit 31 performs IPsec
Authentication key (Preshared Key), Secret (ID2), maintenance person password, VPNNA for server unit 10 and router unit 11
The local IP address for T is encrypted with the public key of the information GW terminal 1.

((Response Transmission Processing)) 1-10 The http server unit 30 of the maintenance server 3 stores the status (normal or error status (authentication abnormality, etc.)), the IPsec authentication key (encrypted with the public key of the terminal 1). Preshared Key), Secret encrypted with the public key of terminal 1.
t (ID2), the maintenance person password encrypted with the terminal 1 public key, the server unit VPNNA encrypted with the terminal 1 public key
The CGI processing unit 31 receives data using the local IP address for T and the local IP address for VPNNAT for the router encrypted with the public key of the terminal 1 as parameters.
Http from the maintenance server 3 (http server unit 30) to the terminal 1 (server unit 10 / command transmission processing unit 103)
A response is transmitted as a response <non-IPsec session>.

The VPNN of the server unit 10 and the router unit 11
AT110 setting (terminal server unit 10 → terminal router unit 1)
1) ((terminal post-processing)) 1-11 The terminal server unit 10 uses the secret key of the terminal 1
Psec authentication key (Preshared Key), Secret (ID2),
Maintainer password, local IP address for VPNNAT for server, local I for VPNNAT for router
Decrypt and retain the P address.

1-12. The terminal server unit 10 uses the VPN gateway 5 as a pre-shared host for IPsec.
A setting command for the Key, a local IP address for the VPNNAT for the server unit, and a local IP address for the VPNNAT for the router unit (depending on the implementation of the telnet command of the router unit 11) is created. At this time, the address of the VPN gateway is set as a dummy.

((Command Transmission Processing)) 1-13 As a telnet command <local network session> from the terminal (router setting processing unit 102) to terminal 1 (router unit 11) using the command created in the previous processing as a parameter , Send a command. ((Terminal router processing)) 1-14 Setting of Preshared Key and VPNN
The setting of the AT 110 is written in the router unit 11.

((Response Transmission Processing)) 1-15 From terminal 1 (router unit 11) to terminal 1 (server unit 10 / command transmission processing unit 103), using status (normal or error status (command error etc.)) as a parameter Telnet response <non-IPse
The response is transmitted as <c session>. ((Terminal router setting section post-processing)) None The installation notification processing is completed.

<Failure Notification Processing> As shown in the sequence diagram of FIG. 26 and the procedure diagram of the processing flow of FIG. 27, the failure notification processing detects that the terminal 1 has failed and notifies the maintenance server 3 of the failure. The terminal 1 (server unit 10) constantly monitors the occurrence and recovery of the failure of the server unit 10 and the router unit 11 of the terminal 1, and activates a failure notification process when a failure occurs. That is, a failure notification command (terminal ID, original text, MAC, failure code) of the failure notification processing → failure notification response →
Activation of a remote maintenance request is performed.

((Communication Trigger)) 7-1 When a failure is detected in the terminal 1, the terminal 1 performs the operation autonomously. ((Terminal preprocessing)) 7-2 “Unique ID of terminal 1 + time stamp”
Create the original text for authentication from. 7-3 Generate a message authenticator (MAC) using Secret (ID2) for the original text (ISO9797-1, ISO979
It is desirable to comply with 7-2).

((Command Transmission Processing)) 7-4 The terminal 1 (server unit 10 / command transmission processing unit 103) sends the maintenance server 3 (http server unit 3) using the terminal ID, original text, MAC, and failure code as parameters.
The failure notification command is transmitted as <non-IPsec session> by the http command to 0).

((Maintenance Server Processing)) 7-5 The http server unit 30 of the maintenance server 3 passes the received command name and parameters to the CGI processing unit 31. The CGI processing unit 31 sends a Secret (ID
A message authenticator (MAC) using 2) is generated (operation similar to that of the terminal 1), and it is confirmed that the MAC matches the received MAC (terminal authentication). 7-6 The CGI processing unit 31 holds the received failure code.

((Response Transmission Processing)) 7-7 The http server unit 30 of the maintenance server 3 receives data using the status (normal or error status (authentication abnormality or the like)) as a parameter from the CGI processing unit 31 and performs maintenance. Server 3 (http server section 31) to terminal 1
Ht to (server unit 10 / command transmission processing unit 103)
A response is transmitted as a tp response <non-IPsec session>.

((Terminal post-processing)) 7-8 Activate VPNGW address request processing. It is desirable that the failure code held by the failure notification processing can be referred to from the remote maintenance device 4 via an http access or the like (failure confirmation processing).

<VPNGW Address Request Processing> As shown in the sequence diagram of FIG. 4 and the processing flow procedures of FIGS. 14 and 15, the VPNGW address request includes the address of the VPN gateway 5 i of the maintenance center 9 selected by the maintenance server 3. The main purpose is to notify the flow GW terminal 1. Basically, when a remote maintenance request is registered from the extension terminals 2a to 2n to the information flow GW terminal 1, a VPN GW address request is notified.
It is also possible to notify a VPNGW address request by operating a button on the terminal 1 body.

VPNGW Address Request Command (Terminal Server Unit 10 → Maintenance Server 3) (Opportunity for Communication) 9-1 W from extension terminals 2a to 2n to information GW terminal 1
It depends on the action to the GW terminal 1 due to the EB access or the button operation of the terminal manager.

(Terminal Pre-Processing) 9-2 When activated by a browser access from the extension terminals 2a to 2n, "requester name, requester level, extension terminal name (plural The setting is possible), the degree of urgency, the telephone number, and the content of the request are input from the browser, and are acquired and stored as remote maintenance information. The screen image is as shown in the browser screen. When activated by the button operation of the information GW terminal 1, "requester name, requester level, terminal name, urgency, telephone number, request content" is acquired from a table registered in advance and held. The requester level can be set to general or administrator. The extension terminal name is the name of the extension terminal that is to be a target of remote maintenance, and the other information is that the operator of the maintenance center 9 executes the remote maintenance by the user who has started the remote maintenance request to the operator of the center 9. This information is used to indicate your intention.

9-3 The command transmission processing unit 103 of the server unit 10 generates a secret key and a public key. The algorithm uses public key cryptography such as RSA. 9-4 Generate original text for authentication from “unique ID of terminal + time stamp”. 9-5 Generate a message authenticator (MAC) using Secret (id2) for the original text. (ISO9
It is desirable to conform to 797-1, ISO9797-2). )

(Command Transmission Processing) 9-6 The terminal 1 (server unit 10 / command transmission processing unit 1) receives the terminal ID, original text, MAC, and public key as parameters.
03) to the maintenance server 3 (http server section 30) by using an http command to transmit a remote maintenance request command as <non-Ipsec session>.

VPNGW Selection Process (Maintenance Server Processing Unit) 9-7 The http server unit 30 of the maintenance server 3 passes the received command name and parameters to the CGI processing unit 31. The CGI processing unit 31 performs a Secret
A message authenticator (MAC) using (id2) is generated (operation similar to that of the terminal 1), and it is confirmed that the MAC matches the received MAC. (Terminal authentication)

9-8 The maintenance server 3 reads out the VPNGW tunnel DB, searches the tunnel of the allocation status of the VPNGW tunnel DB from the top, and acquires a tunnel number whose field value is “unused”. Also, the field corresponding to the obtained tunnel number is rewritten from “unused” to “terminal ID”, and the corresponding VPNGW global IP address is obtained. Hereafter, this global I
The VPN GW corresponding to the P address is “5i”. The selection processing of the VPN gateways 5a to 5n shown here is one of the features of the present invention.

9-9 The response parameter "VPNGW global IP address" is encrypted with the received public key.

VPNGW Address Request Response (Maintenance Server 3 → Terminal Server Unit 10) (Response Transmission Processing) 9-10 The http server unit 30 of the maintenance server 3 has the status (normal or error status (authentication abnormality etc.)), the terminal 1 Receives data from the CGI processing unit 31 using the VPNGW global IP address as a parameter, which is encrypted with the public key of the server 1, from the maintenance server 3 (http server unit 30) to the terminal 1 (server unit 10 / command transmission processing unit 103). A response is transmitted as an http response <non-session>.

Processing after Receiving VPNNG Address Request Response (Terminal Server Unit 10 → Terminal Router Unit 11) (Terminal Pre-Processing) 9-11 The terminal server unit 10
Decrypt and retain the PNGW global IP address.

9-12. The terminal server unit 10
A command for setting the W global IP address as a VPN opposite host (it differs depending on the implementation of the telnet command of the router unit 11) is created. 9-13 From terminal 1 (router setting processing unit 102) to terminal 1
A command is transmitted as a telnet command <local network session> to the (router unit 11).

(Terminal Router Unit Processing) 9-14 Write the setting in which the VPNGW global address is set as the VPN opposite host to the router unit 11. (Response Transmission Processing) 9-15 The telnet response from the terminal 1 (the router unit 11) to the terminal 1 (the server unit 10 / the command transmission processing unit 103) using the status (normal or error status (command abnormality or the like)) as a parameter < Non-Ipsec
Session>.

(Terminal router setting section post-processing) 9-16 Activate remote maintenance request processing. Thus, the VPNGW address request processing is completed.
This processing is one of the points of the invention.

<Remote Maintenance Request Processing> As shown in the sequence diagram of FIG. 5 and the flow chart of the processing flow of FIGS.
ec to perform remote maintenance on maintenance server 3
The main purpose is to request

In the remote maintenance request processing, one of the main purposes is to notify the center 9 of the IP address of the information GW terminal 1 for constructing a VPN. The remote maintenance request is made by the http protocol, and the maintenance server 3 sends the remote GW terminal 1
To obtain the received IP address. A VPN key and a terminal IP address are set for the VPN gateway 5i of the maintenance center 9 based on the IP address.

Further, at the time of constructing a VPN, in order to enable IP-level communication to the extension terminals 2a to 2n under the respective information GW terminals 1, the center 9 sets extension terminals 2a to 2n to be subjected to remote maintenance. VPNNA for
A local IP address for T is acquired, and VPN NAT processing is performed.

By performing VPN NAT processing, even when maintenance is performed on a plurality of GW terminals 1 having the same local LAN address under the GW terminal 1 (for example, the GW terminal 1 to be maintained is In the case where there are two information flow GW terminals 1 each having a local network of 192.168.0.0/24), the information flow GW terminal 1 and the extension terminals 2a to 2n under its control are sent from the operator terminal of the maintenance center 9. , An IP rechargeable environment can be constructed.

Remote Maintenance Request Command (Terminal Server Unit 10 → Maintenance Server 3) ((Communication Trigger)) 2-1 Activated after processing of a VPNGW address request is completed.

((Terminal Preprocessing)) 2-2 The remote maintenance information held by the VPNGW address request is acquired.

2-3 The command transmission processing unit 103 of the server unit 10 generates a secret key and a public key. The algorithm uses public key cryptography such as RSA. 2-4 "Unique ID of terminal 1 + time stamp"
Create the original text for authentication from.

2-5 A message authenticator (MAC) using Secret (ID2) is generated for the original text (ISO 979).
It is desirable to comply with 7-1 and ISO9797-2). 2-6 Among the parameters for notifying the maintenance center 9, "requester name, extension terminal name, telephone number, request contents" are encrypted by Secret (ID2) held in the information GW terminal 1.

((Command Transmission Processing)) 2-7 Terminal ID, Original Text, MAC, Public Key, Requester Level, Urgency, Encryption Requester Name, Encrypted Extension Terminal Name (s), Encrypted Telephone Number The terminal 1 (server unit 10 / command transmission processing unit 10)
3) h to maintenance server 3 (http server unit 30)
The remote maintenance request command is transmitted as a <non-IPsec session> by the ttp command.

2-8 Local IP Address Assignment Processing for VPNNAT ((Maintenance Server Processing)) 2-8 The http server section 30 of the maintenance server 3 passes the received command name and parameters to the CGI processing section 31. The CGI processing unit 31 sends a Secret (ID
A message authenticator (MAC) using 2) is generated (operation similar to that of the terminal), and it is confirmed that the MAC matches the received MAC (terminal authentication).

2-9 The CGI processing unit 31 generates a reception number, newly creates a record in the remote maintenance request DB 92, and stores the reception number, the reception time, and the maintenance status (at this time, always waiting for correspondence) at the maintenance terminal. It is stored in the browser terminal DB 90. When the requester level is an administrator, the table name is held as "administrator". When the requester level is general, the extension terminal 2a is used.
~ 2n names are retained. FIG. 26 shows the records in the terminal DB 90.

2-10 CGI processing unit 31
The global IP address of the GW terminal 1 is acquired from REMOTE_ADDR, and the remote maintenance request DB 92 is acquired.
Of records. 2-11 The CGI processing unit 31 holds the terminal ID, the requester level, and the urgency in the record of the remote maintenance request DB 92.

2-12 The CGI processing unit 31 decrypts the encrypted extension terminal name, the encryption requester name, the encrypted telephone number, and the content of the encryption request with Secret (ID2), and holds the decrypted information in the record of the remote maintenance request DB 92. I do. FIG. 27 shows the records of the remote maintenance request DB 92.

2-13. The CGI processing unit 31 uses the notified terminal ID / extension terminal name (for a plurality of terminal names,
By searching the NATDB 91, it is determined whether a local IP address for VPN NAT is assigned to the terminal 1.

If the local IP address for VPNNAT has been assigned, the local IP address for VPNNAT that has been assigned is assigned to the remote maintenance request D.
B92 record, and the local I for VPNNAT
If no P address is assigned, VPNNAT
A free VPNNAT local IP address is selected from the DB 91.

The information GW terminal ID / extension terminal name is held in the assignment status field of the record, and the held VPNNAT local IP address is also held in the record of the remote maintenance request DB 92. FIG. 30 shows records of the VPNNAT DB 91.

2-14 The CGI processing section 31 creates a page on the WEB browser of the remote maintenance device 4 so as to display that the remote maintenance request has been received. The display contents include the reception number, terminal ID, global IP address, requester name, requester level, telephone number, urgency, request contents, reception time, local IP address for VPNNAT, table name, and maintenance status (FIG. 29).

Remote Maintenance Request Response Process (Maintenance Server 3 → Terminal Server Unit 10) (Maintenance Server Unit) 2-26 Among the response processes, “set of extension terminal name and dummy IP address” is encrypted with the received public key. I do. (Response Transmission Process) 2-27 The http server unit 30 of the maintenance server 3 stores the status (normal or error status (authentication error or the like)), the reception number, the extension terminal name encrypted with the public key of the terminal 1, and the local address for VPNNAT. Data using the IP address set (plurality) as a parameter is received from the CGI processing unit 31, and the http response from the maintenance server 3 (http server unit 30) to the terminal 1 (server unit 10 / command transmission processing unit 103) < Non-Ipsec session>.

IPsec processing target packet setting (maintenance center 9 → VPN gateway 5i) (command transmission processing) 2-15 The VPN gateway setting processing section 32 reads the terminal I from the corresponding record of the remote maintenance request DB.
Local I for VPNNAT held in the processing of D and
Acquire a packet for the P address. 2-16 The VPN gateway setting processing unit 32
The packet for the local IP address for NNAT is transmitted to terminal I.
The setting for assigning to the VPN tunnel 12 corresponding to D (depending on the implementation of the telnet command of the VPN gateway 5i) is used as a parameter from the maintenance server 3 (VPN gateway setting processing unit 32) to the VPN gateway 5i (setting command reception processing unit). T to 51)
The command is transmitted as an elnet command <local network session>.

(VPN Gateway Processing) 2-17 The setting for setting the received local IP address for VPNNAT as a host to be subjected to IPsec processing is set in the VP.
Write to N gateway 5i. (Response Transmission Processing) 2-18 Using the status (normal or error status (command error or the like)) as a parameter, a te from the VPN gateway 5i (setting command reception processing unit 51) to the maintenance server 3 (VPN gateway setting processing unit 32) is performed.
A response is transmitted as an lnet response <local network session>.

(Post-Processing of VPN Gateway Setting Processing Unit) 2-19 The VPN gateway setting processing unit 32
Terminal I received by "Remote maintenance request command"
It obtains from the VPN gateway 5i whether a VPN has been established with the information GW terminal 1 having D. 2-20 If the VPN is established based on the VPN establishment status of the VPN gateway 5i, the process ends. If a VPN has not been established, an IPsec setting process is started.

IPsec setting processing (maintenance center 9 → V
PN gateway 5i) (Pre-processing of VPN gateway setting processing unit) 2-21 Maintenance server 3 / IPs from CGI processing unit 31
The authentication key (PresharedKey) of ec and the global IP address of the terminal router unit 11 are obtained, and a command is generated.

(Command transmission processing) 2-22 Preshared key with the global IP address of the terminal router 11 as a host subject to IPsec
y and the setting for establishing the VPN tunnel 12 corresponding to the terminal ID (the tel of the VPN gateway 5i)
It depends on the implementation of the net command. ) As a parameter, the maintenance server 3 (the VPN gateway setting processing unit 3).
2) A command is transmitted as a telnet command <local network session> to the VPN gateway 5i (setting command reception processing unit 51).

(VPN Gateway Processing) 2-23 Received Preshared Key and VP
The setting for establishing the N tunnel 12 is written in the VPN gateway 5i. (Response Transmission Processing) 2-24 Using the status (normal or error status (command error, etc.)) as a parameter, a te from the VPN gateway 5i (setting command reception processing unit 51) to the maintenance server 3 (VPN gateway setting processing unit 32).
A response is transmitted as an lnet response <local network session>.

(Maintenance Server Post-Processing) 2-25 The VPN gateway setting processing unit 32
Terminal I received by "Remote maintenance request command"
It obtains from the VPN gateway 5i whether the establishment of the VPN with the information GW terminal 1 having D has been completed. If the establishment has not been completed, the same acquisition process is repeated at intervals of several seconds until the completion of the VPN establishment is confirmed. When the completion of the establishment of the VPN is confirmed, the remote maintenance request response process is started. It is desirable that the status can be confirmed from the remote maintenance device 4 when the VPN setting is completed. The reason is that it is more efficient for the maintenance person to perform the remote maintenance start instruction after confirming that the VPN setting is completed.

VPNN of server unit 10 and router unit 11
AT Setting (Terminal Server Unit 10 → Terminal Router Unit 11) (Terminal Processing Unit) 2-28 The terminal server unit 10 that has received the remote maintenance request response holds the reception number. 2-29 The terminal server unit 10 decrypts the set (in some cases) of the extension terminal name and the local IP address for VPNNAT using the secret key of the terminal 1, and stores the pair in the host table.

2-30 Using the extension terminal name as a key, the terminal server section 10 corresponds to a terminal name from a table (refer to DNS or the like) of a set of extension terminal name and real IP address which the terminal server section 10 has. A setting command (in some cases) for acquiring a real IP address and associating the VPNNAT 110 with the local IP address for the VPN NAT corresponding to the terminal name (there may be a plurality of commands) (teln of the router unit 11)
Depends on the implementation of the et command. ) To create. (Command transmission processing) 2-31 The terminal 1 (router setting processing unit 102) transmits the command created in 2-30 as a parameter to the terminal 1
A command is transmitted as a telnet command <local network session> to the (router unit 11).

(Terminal Router Unit Processing) 2-32 The settings of the VPN NAT 110 are written in the router unit 11. (Response Transmission Process) 2-33 The telnet response from the terminal 1 (the router unit 11) to the terminal 1 (the server unit 10 / the command transmission processing unit 102) using the status (normal or error status (command error or the like)) as a parameter < Non-Ipsec
Session>. (Terminal router setting section post-processing) None Above, the remote maintenance request processing is completed.

<Remote Maintenance Processing> (Remote Maintenance Device 4 → Extension Terminals 2a to 2n)
As shown in the sequence diagram of FIG. 6 and the procedure flow diagram of FIG. 19, the remote maintenance execution process receives the remote maintenance request process and receives a VPN such as IPsec.
GW terminal 1 and its extension terminals 2a to 2 from remote maintenance device 4 via tunnel 12
n for secure remote maintenance (V
Since the transmission is performed via the PN, the transmission path can be encrypted.)
The main purpose is to recover from the failure of the PC, and to remotely install the application on the personal computer.

The remote maintenance device 4 is not special, and is connected to the extension terminal 2a on the local network 8.
By transmitting a command to the extension terminals 2a to 2n, the device can be diverted as long as the device can maintain the extension terminals 2a to 2n. As a function, for a failure (for example, a Proxy failure), a recovery operation (activation of a proxy, restart of the terminal 1) is performed to recover the failure. In addition, a log of the terminal 1 can be displayed and a setting of the router unit 11 can be confirmed. Tools include http client (Web browser) and te
lnet tool and the like.

The remote installation on the personal computer is performed by remote control software such as VNC.
Therefore, this process is a general-purpose process that depends on the communication protocol from the remote maintenance device 4 to the extension terminals 2a to 2n that perform maintenance, and thus will not be described in detail.

Again, the point of this embodiment is that the connection from the center 9 to the extension terminals 2a to 2n is made to the VPNNAT local IP address given at the time of the remote maintenance request.

Remote Maintenance Start Process (Remote Maintenance Device 4 → Maintenance Server 3) ((Communication Trigger)) When the VPN tunnel 12 is established, the remote maintenance device 4 (maintenance terminal in the figure)
It is started from the above WEB browser at an arbitrary opportunity of the remote maintenance maintainer (even when a failure is detected in the above-described failure confirmation processing, it is desirable to start in synchronization therewith).

((Remote Maintenance Start Processing)) 3-1 The remote maintenance request confirmation screen of the maintenance server 3 is accessed, and it is determined that the remote maintenance has been started for the target remote maintenance request.
The I processing unit 31 notifies the maintenance server 3.

((Server Processing)) 3-2 When the remote maintenance start is started by the CGI processing unit 31, the maintenance state of the corresponding table of the remote maintenance request DB 92 becomes “under service”.

Remote maintenance execution processing (remote maintenance device 4 → extension terminals 2a to 2n) ((remote maintenance execution)) 3-3 Remote maintenance is executed. In remote maintenance, V
An IP connection is made to the PNNAT local IP address via VPN. During remote maintenance,
It is strongly recommended that a user interface on the server side be designed so that work can be performed while referring to the remote maintenance request DB 92.

<Remote Maintenance Termination Processing> As shown in the sequence diagram of FIG. 7 and the procedure flow chart of FIG. 20, the remote maintenance termination processing indicates that the remote maintenance work requested by the remote maintenance request has been completed. The main purpose is to inform the GW terminal 1 of the information.

Remote Maintenance End Command Transmission Process (Maintenance Server 3 → Terminal Server Unit 10) ((Communication Opportunity)) 4-1 In the state where the VPN tunnel 12 is established, when the requested remote maintenance work is completed The CGI processing unit 31 is started by the remote maintenance maintainer kicking the maintenance server 3 from the web browser on the remote maintenance device 4.

((Server Pre-Processing)) 4-2 When the remote maintenance end is started by the CGI processing unit 31, the maintenance state of the corresponding table of the remote maintenance request DB 92 becomes “end”. FIG. 31 shows a table record of the remote maintenance request DB 92.

4-3 When the maintenance server 3 detects that the maintenance state of the corresponding table of the remote maintenance request DB 92 has become “finished”, the maintenance server 3 acquires the reception number of the corresponding table using the reception number as a parameter, and To create a remote maintenance end command using This reception number is a VPN described later.
It is also referred to in NAT 110 release processing and VPN termination processing.

((Command Transmission Processing)) 4-4 The maintenance server 3 sends the command created in the previous processing as a parameter to the terminal 1 (http server section 100).
A remote maintenance end command is transmitted as an <IPsec session> by the http command to

Remote Maintenance End Command Reception Processing (Terminal Server Unit 10 → Maintenance Server 3) ((Terminal Server Unit Processing)) 4-5 When the remote maintenance end is received, the reception number is extracted from the parameter and the received reception The state of the number ends.

((Response Transmission Processing)) 4-6 The http server unit 100 of the terminal 1 uses the status (normal or error status) as a parameter,
The terminal 1 (http server section 100) transmits a response to the maintenance center 9 as an http response <IPsec session>.

Processing after receiving the remote maintenance end response (maintenance server 3) ((server post-processing)) 4-7 After receiving the response, it is determined whether or not maintenance has been completed for all of the extension terminals 2a to 2n. If all of the maintenance for .about.2n has not been completed, the processing is terminated. Applicable extension terminals 2a to 2n
If the maintenance for all the terminals has been completed, it is further determined whether the completed extension terminal is the server unit 10 or the router unit 11 of the information GW terminal 1. If the terminal is not the server unit 10 or the router unit 11 of the terminal 1, the VPNNAT release processing is performed. Start

In the case of the server unit 10 or the router unit 11 of the terminal 1, it is determined whether or not all the remote maintenance for the corresponding information GW terminal 1 has been completed. If not, the process ends. This completes the remote maintenance end processing.

<VPNNAT Release Processing> As shown in the sequence diagram of FIG. 8 and the procedure flow charts of FIG. 21 and FIG.
The PNNAT 110 release processing is intended to release the VPNNAT local IP address for the VPNNAT allocated to the information GW terminal 1 from the maintenance center 9 at the time of the remote maintenance request.

VPNNAT 110 Release Command Transmission Processing (Maintenance Server 3 → Terminal Server Unit 10) ((Communication Trigger)) 5-1 In the state where the VPN tunnel 12 is established, after the remote maintenance is completed, the corresponding extension terminal 2a to
The maintenance for the 2n is completed, and the extension terminals 2a to 2n are activated when the extension terminals 2a to 2n are other than the server unit 10 or the router unit 11 of the information GW terminal 1.

((Server Pre-Processing)) 5-2 A VPNNAT 110 release command is created.
The table record of the remote maintenance request DB 92 is the same as that in FIG. ((Command transmission process)) 5-3 The maintenance server 3 sends the terminal 1 (http server 10
<IPsec session> by http command to 0)
And sends a VPNNAT release command.

VPNNAT Release Command Receiving Process (Terminal Server Unit 10 → Terminal Router Unit 11) ((Terminal Preprocessing)) 5-4 The terminal server unit 10 receives the VPNNNAT110 release command and sets the extension terminals 2a to 2n of the parameters.
Using the name as a key, a real IP address corresponding to the terminal name is obtained from a table (refer to DNS or the like) of a set of the terminal name and the real IP address held by the terminal server unit 10.

Then, the VPNNAT local IP address corresponding to the terminal name and the VPNNAT of the real IP address
A command (a plurality of commands) for releasing 110 (depending on the implementation of the telnet command of the router unit 11) is created.

((Command Transmission Processing)) 5-5 A telnet command from the terminal 1 (the router setting processing unit 102) to the terminal 1 (the router unit 11) using the command created in the previous processing as a parameter <local network session> As a command. ((Terminal router processing)) 5-6 Setting of VPNNAT 110 release is performed by the router 11
Write to.

((Response Transmission Processing)) 5-7 Using the status (normal or error status (command error, etc.)) as a parameter from the terminal 1 (router unit 11) to the terminal 1 (server unit 10 / command transmission processing unit 103) Is transmitted as a telnet response <non-IPsec session>. ((Terminal router setting section post-processing)) 5-8 Delete the record corresponding to the terminal name in the host table.

VPNNAT 110 Release Response Transmission Process (Terminal Server Unit 10 → Maintenance Server 3) ((Response Transmission Process)) 5-9 The http server unit 100 of the terminal 1 uses the status (normal or error status) as a parameter,
Http from terminal 1 (server unit 10) to maintenance center 9
A response is transmitted as a response <IPsec session>.

Local I for VPNNAT on maintenance server side
P address conversion processing (maintenance server 3) ((VPNNAT local IP address conversion processing)) 5-10 Local IP for VPNNAT corresponding to extension terminals 2a to 2n corresponding to the reception number being processed on the server side
The address is acquired from the remote maintenance request DB 92 and held, and the corresponding V
Release the local IP address for PNNAT.

IPsec processing target packet release setting (maintenance server 3 → VPN gateway 5) ((command transmission processing)) 5-11 VPN gateway setting processing section 32 records the remote maintenance request DB 92 corresponding to the reception number being processed. , The terminal ID and the VPNNAT local IP address are obtained.

5-12 The VPN gateway setting processing unit 32 cancels the setting for allocating the packet for the VPNNAT local IP address to the VPN tunnel 12 corresponding to the terminal ID (implementation of the telnet command of the VPN gateway 5). The command is transmitted as a telnet command <local network session> from the maintenance server 3 (the VPN gateway setting processing unit 32) to the VPN gateway 5 (the setting command reception processing unit 51) using the parameter as a parameter.

((VPN Gateway Processing)) 5-13 Cancels the received routing setting for the VPNNAT local IP address from the VPN gateway 5.

(Response Transmission Processing) 5-14 Using the status (normal or error status (command error or the like)) as a parameter from the VPN gateway 5 (setting command reception processing unit 51) to the maintenance server 3 (VPN gateway setting processing unit 32) Tel to
net response <local network session>
And send the response.

((Post-processing of VPN Gateway Setting Processing Unit)) 5-15 It is determined whether or not all the remote maintenance for the corresponding information GW terminal 1 has been completed. If not, the process ends.

<VPN Termination Processing> As shown in the sequence diagram of FIG. 9 and the procedure flow charts of FIG. 23 to FIG.
The termination processing is intended to terminate the VPN constructed from the maintenance center 9 at the time of a remote maintenance request.

VPN End Command Transmission Processing (Maintenance Server 3 → Terminal Server Unit 10) ((Opportunity for Communication)) 6-1 In the state where the VPN tunnel 12 is established, after the remote maintenance ends, the corresponding information GW terminal 1 It is started when all maintenance for is completed.

((Server Preprocessing)) 6-2 Create a VPN end command. The table record of the remote maintenance request DB 92 is shown in FIG.
Same as 9. (Command transmission processing) 6-3 The maintenance server 3 sends the terminal 1 (h
<IP with the http command to the http server unit 100)
Then, a VPN termination command is transmitted as “sec session>”.

VPN End Command Reception Processing (Terminal Server Unit 10 → Terminal Router Unit 11) ((Terminal Preprocessing)) 6-4 The terminal server unit 10 receives the VPN end command and releases all VPNNATs 110 ( (There may be multiple cases) (depending on the implementation of the telnet command of the router unit 11).

((Command transmission processing)) 6-5 A telnet command from the terminal 1 (the router setting processing unit 102) to the terminal 1 (the router unit 11) using the command created in the previous processing as a parameter <local network session> As a command. Reception and processing of VPNNAT setting initialization command (router 11) ((terminal router processing)) 6-6 Setting of VPNNAT 110 release is performed by router 11
Write to.

((Response Transmission Processing)) 6-7 Using the status (normal or error status (command error, etc.)) as a parameter from the terminal 1 (router unit 11) to the terminal 1 (server unit 10 / command transmission processing unit 103) Is transmitted as a telnet response <local session>. ((Terminal router setting section post-processing)) 6-8 Delete all host tables.

VPN end response transmission processing (terminal server section 10 → maintenance server 11) ((response transmission processing)) 6-9 The http server section 100 of the terminal 1 uses the status (normal or error status) as a parameter,
The terminal 1 (http server section 100) transmits a response to the maintenance center 9 as an http response <IPsec session>.

Local I for VPNNAT on maintenance server side
P address conversion processing (maintenance server 3) ((VPNNAT local IP address conversion processing)) 6-10 VP corresponding to reception number being processed on server side
All the local IP addresses for NNAT are acquired from the remote maintenance request DB 92, held, and
Local IP for VPNNAT corresponding to PNNATDB91
Release the address.

IPSec processing target packet release setting (maintenance server 3 → VPN gateway 5) ((command transmission processing)) 6-11 VPN gateway setting processing section 32 corresponds to the terminal ID from the corresponding record of remote maintenance request DB 92. Acquire all terminal IDs and local IP addresses for VPNNAT.

6-12. The VPN gateway setting processing unit 32 cancels the setting for allocating the packet for the VPNNAT local IP address to the VPN tunnel 12 corresponding to the terminal ID (implementation of the telnet command of the VPN gateway 5). The command is transmitted as a telnet command <local network session> from the maintenance server 3 (the VPN gateway setting processing unit 32) to the VPN gateway 5 (the setting command reception processing unit 51) using the parameter as a parameter.

((VPN Gateway Processing)) 6-13 Cancels the received routing setting for the VPNNAT local IP address from the VPN gateway 5i.

((Response Transmission Processing)) 6-14 Using the status (normal or error status (command error etc.)) as a parameter from the VPN gateway 5 (setting command reception processing unit 51) to the maintenance server 3 (VPN gateway setting processing unit) Tel to 32)
net response <local network session>
And send the response.

IPsec setting release command transmission processing (maintenance server 3 → VPN gateway 5) ((command transmission processing)) 6-15 VPN gateway setting processing section 32 executes remote maintenance request DB corresponding to the reception number being processed.
The terminal ID is obtained from the 92 records.

6-16 The VPN gateway setting processing section 32 performs a setting for releasing the VPN tunnel 12 corresponding to the terminal ID (the telnet of the VPN gateway 5).
(Depending on the command implementation) as a parameter from the maintenance server 3 (VPN gateway setting processing unit 32) to the VPN gateway 5 (setting command reception processing unit 51).
Telnet command <local network session>.

Receiving and Processing IPsec Setting Release Command (VPN Gateway 5) ((VPN Gateway Processing)) 6-17 Releases the VPN setting corresponding to the received terminal ID from the VPN gateway 5.

((Response Transmission Processing)) 6-18 Using the status (normal or error status (command error, etc.)) as a parameter from the VPN gateway 5 (setting command reception processing unit 51) to the maintenance server 3 (VPN gateway setting processing unit) Tel to 32)
net response <local network session>
And send the response.

((Post-processing of VPN Gateway Setting Processing Unit)) 6-19 In the VPN GW address request processing, the field in which the “terminal ID” is obtained and held from the VPN gateway tunnel DB and the “terminal ID” is written is rewritten to “unused”, and the VPN tunnel resource is changed. release. Above, the remote maintenance end processing is completed. The remote maintenance processing procedure has been described based on the sequence diagrams 3 to 9 and the procedure flow diagrams 13 to 25.

This recording medium example is a computer-readable record of a series of completion procedures of the remote maintenance processing program procedure.

In the present embodiment, the VPNNAT 110 is sent to the server unit 10 and the router unit 11 of the mainstream GW terminal 1.
Is set at the time of installation notification, but this is a function for enabling VPN access to the information GW terminal 1 from the maintenance center 9 at an arbitrary opportunity without a remote maintenance request. Therefore, the setting of the VPN NAT 110 in the server unit 10 and the router unit 11 of the mainstream GW terminal 1 is not specially treated, and the VP is set when the remote maintenance is requested.
It goes without saying that a procedure for setting the NNAT 110 and releasing it when the VPNNAT 110 is released may be used.

In the present embodiment, the IPsec
, The present invention is based on the layer 3 level V
It goes without saying that PN can be applied to other than IPsec.

[0230]

As described above, according to the present invention, the VPNNA
A limited local IP address resource for VPNNAT used for T is allocated only to the remote maintenance requesting terminal, and VPNNA
By releasing in the T release process, IP address resources can be saved, and more terminals can be remotely maintained at the same time as compared with the static VPN NAT system.

In other words, the conventional "VPNNAT"
By using the present invention, the extension terminals for the "local IP address resource for VPNNAT" are simultaneously set as the terminals for the remote maintenance, while the extension terminals for the "local IP address resource for the VPNNAT" are the terminals for the remote maintenance. This makes it possible to greatly increase the number of subscribers of the terminal to be subjected to the remote maintenance service.

Further, the finite VP used for VPNNAT
The local IP address resource for NNAT is allocated only to the remote maintenance requesting terminal, and is released by the VPNNAT release process at the end of the remote nonce. A remote maintenance method that allows access can be realized.

For the remote maintenance service provider, when the maintenance center installs the VPN gateway equipment, the VPN gateway equipment can be added and installed according to the number of accesses of the VPN remote maintenance. Equipment cost can be optimized.

From the above effects, the maintenance center and the VP are required for the customer who enjoys the remote maintenance service.
When building N, the shortage of VPN resources is reduced, and the number of cases in which remote maintenance cannot be performed due to VPN construction failure decreases.

[Brief description of the drawings]

FIG. 1 is a system configuration diagram of an example system showing an embodiment of the present invention.

FIG. 2 is a diagram showing a configuration in which a VPNNAT is dynamically added to a VPNNAT.
FIG. 4 is a diagram illustrating a function of assigning an AT local IP address.

FIG. 3 is a sequence diagram of an installation notification process in a method example showing the embodiment of the present invention.

FIG. 4 is a sequence diagram of a VPN GW address request process in the embodiment.

FIG. 5 is a sequence diagram of a remote maintenance request process in the embodiment.

FIG. 6 is a sequence diagram of a remote maintenance execution process in the embodiment.

FIG. 7 is a sequence diagram of a remote maintenance end process in the above.

FIG. 8 is a sequence diagram of VPNNAT release processing in the above.

FIG. 9 is a sequence diagram of a VPN termination process in the embodiment.

FIG. 10 is an information GW terminal-side general flowchart in an example of a program and an example of a recording medium showing an embodiment of the present invention.

FIG. 11 is a general flowchart of the maintenance center on the above.

FIG. 12 is a flowchart illustrating a first half of an installation notification process according to the first embodiment;

FIG. 13 is a flowchart showing the latter half of the installation notification process of the above.

FIG. 14 is a flowchart illustrating a first half of a VPNGW address request process according to the first embodiment;

FIG. 15 is a flowchart showing the latter half of the VPNGW address request process in the above embodiment.

FIG. 16 is a flowchart showing an initial stage flow of a remote maintenance request process in the embodiment.

FIG. 17 is a second-stage flow procedure of the remote maintenance request process in the above energy management system;

FIG. 18 is a flowchart showing a final stage flow of remote maintenance request processing in the above energy management system;

FIG. 19 is a flowchart showing the flow of a remote maintenance execution process in the embodiment.

FIG. 20 is a flowchart of a remote maintenance end process in the above embodiment.

FIG. 21 is a flowchart showing the first half of VPNNAT release processing in the first embodiment;

FIG. 22 is a flowchart showing the latter half of the VPNNAT release process in the above.

FIG. 23 is an initial flow procedure diagram of a VPN termination process in the above.

FIG. 24 is a diagram showing an intermediate flow of VPN termination processing in the above.

FIG. 25 is a flowchart showing the final flow of VPN termination processing in the above embodiment.

FIG. 26 is a sequence diagram of a failure notification process in a method example showing an embodiment of the present invention.

FIG. 27 is a flowchart of a failure notification process in an example of a program and an example of a recording medium showing an embodiment of the present invention.

FIG. 28 is a table showing record contents of a terminal DB 90 in FIG.

FIG. 29 is a remote maintenance request DB 9 in FIG.
2 is a table showing the contents of the record of FIG.

FIG. 30 is a table showing record contents of a VPNNAT DB 91 in FIG.

FIG. 31 shows a remote maintenance request DB 9 in FIG.
2 is a table showing the contents of the record of FIG.

FIG. 32 is a diagram illustrating the function of VPNNAT in a conventional system.

FIG. 33: VPNNAT of the same point-to-point connection
FIG. 3 is an explanatory diagram of the function of FIG.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... Internet gateway terminal (terminal information GW terminal) 2a-2n ... Extension terminal 3 ... Maintenance server 4 ... Remote maintenance device 5, 5a, 5i, 5n ... VPN gateway (VPN)
W) 6 Internet 7 and 8 Local network (LAN) 9 Maintenance center (center) 10 Server part (terminal server part) 11 Router part (terminal router part and VPN router part) 12 VPN tunnel 30, 100 ... http server units 31, 101 CGI processing unit 32 VPN gateway setting processing unit 40 maintenance command processing unit 50 VPN processing unit 51 setting command reception processing unit 102 router setting processing unit 103 command transmission processing unit 110 NAT (VPNNAT)

Claims (25)

[Claims] 1. An Internet connection with an arbitrary number of extension terminals by each local network under the control of a respective Internet gateway terminal, and a connection between the respective Internet gateway terminals and the V via the Internet.
A method for performing remote maintenance from a maintenance center including a VPN gateway by establishing IPsec for realizing a VPN session in a network layer of an OSI reference model between PN gateways, wherein the router is provided in each of the Internet gateway terminals. Performing a remote maintenance by providing a VPNNAT between the local network and the VPN processing unit, and assigning and releasing a global address as a VPNNAT local IP address from the maintenance server of the maintenance center. A method for performing remote maintenance. 2. The remote maintenance request according to the method, wherein the Internet gateway terminal making the request uses the extension terminal name of the remote maintenance target and the global IP address of the Internet gateway terminal as a remote maintenance request command. When the maintenance server is notified, the maintenance server having received the notification provides a VPN assigned to the extension terminal to be notified of the remote maintenance.
The NAT local IP address and the extension terminal name are returned to the Internet gateway terminal that sent the notification as a remote maintenance request response, and the IPsec shared with the Internet gateway terminal's global IP address at the time of the installation notification. VP using IPsec using authentication key
N VPN is set to its own VPN gateway, and a packet addressed to the local IP address for VPNNAT is sent to the VPN gateway.
The Internet gateway terminal that has received the response acquires the real local IP address corresponding to the extension terminal name received, and sets the real local IP address corresponding to the extension terminal name and the VPNNAT. The method according to claim 1, wherein a series of the above-described processes is sequentially performed by setting a local IP address for use as a static NAT and setting the router's own router unit. 3. The remote maintenance is performed from the maintenance center to the extension terminal to be subjected to the remote maintenance via the established VPN tunnel with the VPNNAT local IP address. The method according to claim 2, wherein the remote maintenance is performed. 4. Terminating the remote maintenance, first, via the established VPN tunnel with the VPNNAT local IP address, to the server unit of the Internet gateway terminal which has established the VPN tunnel. The server that has transmitted the remote maintenance end command, performs processing related to the remote maintenance end command in the server unit that has received the transmission, transmits a remote maintenance end response, and then receives the remote maintenance end response. The server makes a first determination as to whether all maintenance for the extension terminal has been completed, and if the first determination is affirmative, the completed extension terminal is the server unit and the router unit of the Internet gateway terminal. Is one of 2) On the other hand, if the judgment is negative, the judgment processing is terminated. If the judgment is negative in the second judgment, the processing shifts to VPNNAT release processing. A third judgment as to whether all have been completed,
4. The process according to claim 2, wherein if the third determination is affirmative, the process proceeds to a VPN termination process, and if the determination is negative, the determination process is terminated. The method for performing remote maintenance described in the above. 5. The VPNNAT release processing is as follows: first, the maintenance server sends a VPNNAT local IP address for the remote maintenance target extension terminal name set at the time of the remote maintenance request to the established VPN tunnel. While notifying the Internet gateway terminal of the name of the extension terminal to be remote-maintained, while receiving the notification, the Internet gateway terminal receiving the notification transmits the actual local name corresponding to the received extension terminal name. Obtain an IP address and set the V
5. The method according to claim 4, wherein the maintenance server releases the static NAT with the PNNAT local address, and subsequently performs the above-described series of processes sequentially, wherein the maintenance server performs the third determination and follows the determination result. The described remote maintenance implementation method. 6. The VPN termination processing is performed in such a manner that the maintenance server determines that the IPsec session has been terminated by a VP.
N as an end command, the internet gateway terminal notifies the internet gateway terminal, and the internet gateway terminal that has received the notification sends a response to the VPN end command to the maintenance server as a VPN end response, Release the VPN tunnel set at the time of the remote maintenance request, and establish a VPN established between the VPN gateway and the Internet gateway terminal.
The remote maintenance execution method according to claim 4, wherein the tunnel processing is terminated, and the above series of processing is sequentially performed. 7. The installation notice is transmitted from the server unit of the newly installed Internet gateway terminal to the maintenance server with respect to the installation, by the maintenance server receiving the installation notification command. ,
IP that is common information for the remote maintenance
The Internet gateway terminal generates an authentication key of sec, and responds to the Internet gateway terminal that has notified the installation notification command. The Internet gateway terminal that has received the response sets the IPsec authentication key in its own router unit. The method according to claim 2, 3, 4, 5, or 6, wherein the series of processes described above are sequentially performed. 8. The method according to claim 1, wherein, in one of the remote maintenance request and the setting notification, a VPN NAT setting process is performed on the server unit and the router unit of the Internet gateway terminal. The remote maintenance execution method according to claim 2, 3, 4, 5, 6, or 7. 9. The method according to claim 1, wherein when the occurrence of a failure is detected in the Internet gateway terminal, the Internet gateway terminal first transmits information on the failure to the maintenance server as a failure notification command. When the maintenance server receives the failure notification command, it processes information related to the failure, transmits the information as a failure notification response to the Internet gateway terminal that transmitted the failure notification command, and further receives the failure notification response. The said Internet gateway terminal shifts to the request of the said remote maintenance, and performs the above-mentioned series of processes sequentially, The claim 2, 3, 4, 5, 6, 7, or 8 characterized by the above-mentioned.
The method for performing remote maintenance described in the above. 10. An OSI reference model between each VPN gateway and each Internet gateway terminal via the Internet by making an IP connection with an arbitrary number of extension terminals via each local network. A system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in a network layer, wherein a local network and a VPN processing unit are provided in a router unit of the Internet gateway terminal. NAT on the global side and VPNNAT
A remote maintenance execution system, wherein the system is constructed to have a functional configuration for giving and releasing from the maintenance center as a local IP address for use. 11. The maintenance center receives a notification of an extension terminal name of a remote maintenance target from the Internet gateway terminal, and assigns a VPNNAT local address for VPN access corresponding to the extension terminal name of the remote maintenance target. A maintenance server, a remote maintenance device for performing the remote maintenance, and a VPN gateway via the access from the remote maintenance device to a VPNNAT local IP address corresponding to the extension terminal name of the remote maintenance target. The remote maintenance execution system according to claim 10, wherein a network is constructed by a network. 12. The Internet gateway terminal, a server for notifying the maintenance center of the name of the extension terminal to be remotely maintained, and a VPNNAT local IP address for VPN access given by the maintenance center in response to the notification. And the IP of the extension terminal name of the remote maintenance target
A VPN NAT for allocating an address, a VPN gateway of the maintenance center and a router of a VPN processing unit for establishing a VPN tunnel, and a VPN NAT local IP address for a remote maintenance target terminal name via the VPN gateway. 12. The remote maintenance execution system according to claim 10, wherein a function of enabling a packet transfer from the remote maintenance device performing the remote maintenance to the extension terminal by accessing the remote maintenance device is established. 13. 13. Each of the local networks is connected to an arbitrary number of extension terminals by IP, under the control of the respective Internet gateway terminals, while the respective Internet gateway terminals and the VPN gateway via the Internet establish an OSI reference model. A program used in the Internet gateway terminal in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer, wherein the Internet gateway terminal is installed. Later, when using the remote maintenance service,
By executing the program that causes the Internet gateway terminal to perform an installation notification process for notifying the maintenance center that the installation has been performed, after notifying an installation notification command to the maintenance server of the maintenance center regarding the installation, the maintenance server And receiving the response to the installation notification command from the server, and setting the IPsec authentication key received as the response in its own router unit. 14. Each of the local networks is connected to an arbitrary number of extension terminals by IP and controlled by respective Internet gateway terminals, while the respective Internet gateway terminals and the VPN gateway via the Internet establish an OSI reference model. A program used in the Internet gateway terminal in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer, Remote maintenance requesting remote maintenance by either web access from the internal terminal or button operation by the operator of the Internet gateway terminal Execution of the program that causes the Internet gateway terminal to perform a service request process, after notifying the extension server being a remote maintenance target and the global IP address of the Internet gateway terminal to the maintenance server as a remote maintenance request command, In response to the response to the remote maintenance request command, a real local IP address for the extension terminal name received as the response is obtained, and a real local IP address for the extension terminal name and a VPNNAT local IP address received as the response A remote maintenance execution program, wherein the program is set as a static NAT. 15. An OSI reference model between each VPN gateway via each Internet gateway terminal and the Internet while each local network is IP-connected to an arbitrary number of extension terminals under the control of each Internet gateway terminal. A program used in the Internet gateway terminal in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in a network layer, wherein the program is executed by the maintenance center. By executing the program that causes the interface gateway terminal that has received the notification to perform remote maintenance end processing related to the notification that the work of the remote maintenance has ended, Upon receiving the remote maintenance end command from the maintenance center, the remote maintenance end command is processed, a remote maintenance end response is transmitted, and the remote maintenance target extension terminal name is sent from the maintenance center as a VPN release command. Is received, the real local IP address corresponding to the received extension terminal name is obtained, and the static NAT with the VPNNAT local address corresponding to the obtained real local IP address is released. Step on a remote maintenance program. 16. An OSI reference model between each VPN gateway via each Internet gateway terminal and the Internet, while each local network makes IP connection with an arbitrary number of extension terminals under the control of each Internet gateway terminal. A program used in the maintenance center in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in the network layer, the program corresponding to the remote maintenance request. By executing the program that causes the maintenance server to perform remote maintenance request processing, the extension terminal to be subjected to the remote maintenance in response to the request in response to the request The grant local IP address and the extension terminal name for VPNNAT be, transmits a remote maintenance request response to the Internet gateway terminal performing the request, IPs shared between the global IP address of the Internet gateway device
Instructs its own VPN gateway to establish a VPN tunnel by IPsec using the authentication key of ec, and sends a packet addressed to the local IP address for VPNNAT to the VPN gateway itself, by the VPN tunnel established by the instruction. A remote maintenance execution program characterized by performing the above series of steps for setting a packet to be subjected to VPN processing. 17. Each of the local networks is IP-connected to an arbitrary number of extension terminals under the control of the respective Internet gateway terminals, while the respective Internet gateway terminals and the VPN gateway via the Internet use the OSI reference model. A program used in the maintenance center in a system for performing remote maintenance from a maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in a network layer, the program being used in the newly installed Internet. By executing the program for causing the maintenance center to perform a setting notification command processing for processing an installation notification command from a gateway terminal, the remote maintenance is performed in response to the installation notification command. Generates the IPsec authentication key is passing information, the remote maintenance execution program response to the Internet gateway terminal that has notified the installation notification command, go through a series of steps described above, characterized in that. 18. Each of the local networks is connected to an arbitrary number of extension terminals by IP and is controlled by the respective Internet gateway terminals, while the respective Internet gateway terminals and the VPN gateway via the Internet use the OSI reference model. A program used in the maintenance center in a system for performing remote maintenance from a single maintenance center including the VPN gateway by establishing IPsec for realizing a VPN session in a network layer, wherein the program is terminated in the maintenance center. When the button is pressed, the remote maintenance end processing for notifying that the remote maintenance work has been completed is executed by the maintenance server to execute the remote maintenance end processing. VP that has been established in Karu IP address
After transmitting a remote maintenance end command to the server unit of the Internet gateway terminal that has established the VPN tunnel via the N tunnel, and receiving a response of the remote maintenance end, maintenance of the extension terminal is performed. A first determination is made as to whether or not all of the extensions have been completed. If the first determination is affirmative, a determination is made as to whether the terminated extension terminal is either the server unit or the router unit of the Internet gateway terminal. If the second judgment is made, the program is terminated if the judgment is negative, and the processing shifts to VPNNAT release processing if the judgment is negative in the second judgment. A third judgment whether all the steps have been completed, and the third judgment A remote maintenance execution program characterized by performing a series of steps described above, in which the processing shifts to the VPN termination processing if affirmative in the above, while terminating the program if negative. 19. The VPNNAT release processing is to release a local IP address for VPNNAT for a remote maintenance target extension terminal name set in response to a remote maintenance request from an established VPN processing target packet to the VPN tunnel. The VPN
This is a series of processes performed for the gateway, notifying the Internet gateway terminal of the name of the extension terminal to be remotely maintained, and thereafter returning to the third determination. The VPN termination process is to terminate the IPsec session. As a VPN end command to the Internet gateway terminal to cause the VPN gateway to release the VPN tunnel set at the time of the remote maintenance execution request, and establish the connection between the VPN gateway and the Internet gateway terminal. The remote maintenance execution program according to claim 18, wherein the series of processing is a series of processing for terminating the existing VPN tunnel processing. 20. The method of claim 13, 14, 15, 16, 17,
20. A recording medium recording a remote maintenance execution program, wherein a series of procedures according to the remote maintenance execution program according to 18 or 19 is actually recorded. 21. A plurality of Internet gateway terminals connected to the Internet and an extension terminal IP-connected to a local network under the Internet gateway terminal are connected between the Internet gateway terminal and the VPN gateway connected to the Internet by an OSI reference model. IP realizing a VPN session at the network layer
a remote maintenance from a single maintenance server under the VPN gateway by establishing a security center, the maintenance center receiving a VPN construction request from the Internet gateway terminal before constructing a VPN. Dynamically selects a VPN gateway having a free VPN resource from a plurality of VPN gateways under the VPN gateway, and selects a global I of the selected VPN gateway.
A P-address to the Internet gateway terminal, and the Internet gateway terminal performs the remote maintenance by setting the notified global IP address as the opposite host of the VPN. Implementation method. 22. A plurality of Internet gateway terminals connected to the Internet and an extension terminal IP-connected to a local network under the plurality of Internet gateway terminals are connected between the Internet gateway terminal and the VPN gateway connected to the Internet according to the OSI reference model. IP realizing a VPN session at the network layer
is a system that performs remote maintenance from a single maintenance server under the VPN gateway by establishing a second security request. When a request for VPN construction is received from the Internet gateway terminal, a VPN is transmitted from a plurality of VPN gateways under the VPN gateway. A maintenance center for dynamically selecting a VPN gateway having a free resource and notifying a global IP address of the selected VPN gateway to the Internet gateway terminal which made the request; and a VPN for the maintenance center. A request for construction, and a global I of the selected VPN gateway notified from the maintenance center in response to the request.
A remote maintenance execution system, comprising: an Internet gateway terminal that sets a P address as an opposite host of the VPN. 23. A plurality of Internet gateway terminals connected to the Internet and an extension terminal IP-connected to a local network under the plurality of Internet gateway terminals are connected between the Internet gateway terminal and the VPN gateway connected to the Internet by an OSI reference model. IP realizing a VPN session at the network layer
is a program used by the Internet gateway terminal in a system for performing remote maintenance from a single maintenance server under the VPN gateway by establishing a remote maintenance request from the extension terminal. VP requesting a VPN gateway address by any one of button operations on the Internet gateway terminal body by the gateway terminal administrator
By executing the program for causing the Internet gateway terminal to perform the N gateway address request processing, the server requests the maintenance center for the VPN gateway address, and receives a VPN gateway address request response to the request from the maintenance center. , The VP received as the VPN gateway address request response
A remote maintenance execution program, comprising setting the N gateway global IP address as a remote host of a VPN in its own router unit and performing the remote maintenance request process. 24. An OSI reference model network between a plurality of Internet gateway terminals themselves connected to the Internet and extension terminals IP-connected to a local network under the plurality of Internet gateway terminals, between the Internet gateway terminal and a VPN gateway connected to the Internet. That realizes a VPN session at the layer
(c) is a program used in the maintenance center in a system for performing remote maintenance from a single maintenance server under the VPN gateway by establishing a c, wherein the program is associated with a VPN gateway address request from the Internet gateway terminal. Upon receiving the VPN gateway address request from the Internet gateway terminal by executing the program that causes the maintenance center to perform a VPN gateway address request process that is a process in the maintenance center, the VPN gateway requests a plurality of VPN gateways under its own control. An Internet gateway terminal that dynamically selects a VPN gateway having a free resource and changes the global IP address of the VPN gateway to the VPN gateway address request Notifying, go through a series of steps described above, the remote maintenance execution program characterized by. 25. A recording medium recording a remote maintenance execution program, wherein a series of procedures according to the remote maintenance execution program according to claim 23 or 24 are actually recorded.