JP2005311507A - Vpn communication method and vpn system - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To solve the problem about the security of the conventional VPN system that VPN connection requests cause some services to be disabled in the system and the problem about the serviceability for users. <P>SOLUTION: A GK 100 on the internet authenticates an originating terminal and a terminating terminal, executes a VPN connection between the originating and terminating terminals, based on the authentication result, thus making a direct communication between the originating and terminating terminals during the VPN connection. Upon originating of a VPN connection request from the originating terminal to the terminated terminal, both the GK 100 and the terminated terminal decide whether the VPN connection is enabled or not (S006, S008). <P>COPYRIGHT: (C)2006,JPO&NCIPI

Description

  In the present invention, in an Internet VPN (Virtual Private Network) connection (hereinafter referred to as VPN connection) between a source and a destination, a mediation server recognizes a PC terminal and a router, and performs VPN connection between users based on the recognition result. The present invention relates to a VPN communication method and a VPN system that perform direct communication between users during VPN connection, and more particularly to a VPN communication method and a VPN system that determine whether or not a VPN connection request from a source is acceptable.

There are two forms of VPN connection between any two parties (source and destination): remote access VPN and LAN-to-LAN VPN.
A network configuration example of the remote access VPN is shown in FIG. The remote access VPN refers to a special form in which a VPN connection is established with the PC terminal 104 as the source and the router 102 as the destination. At the time of remote access VPN connection, an IP address in the address space of the destination user network 107 is assigned to the source before connection, and connection is started after address setting is performed at the source.
The source can be used as if the source PC terminal 104 is in the destination user network 107. A common use case of remote access VPN is to remotely access a mail server or Web server on the company LAN from a terminal on the go.

On the other hand, FIG. 18 shows a network configuration example of a VPN connection between LANs. The LAN-to-LAN VPN is a form in which the source and destination are connected by all combinations of PC terminals (108 to 110, 111 to 113) and routers (101, 102). At the time of LAN-to-LAN VPN connection, it is necessary to set different address spaces in advance in order to avoid address space collision between the source user network 106 and the destination user network 107. For example, a range of 10.0.0.1 to 10.0.254 is set as the source address space, and a range of 192.168.1.1 to 192.168.1.254 is set as the destination address space. By setting this, address spaces that do not collide with each other are connected.
Common examples of LAN-to-LAN VPN connections include file exchange between companies and P2P connections represented by VoIP.
Conventional VPN connections use either remote access VPN or LAN-to-LAN VPN.

The VPN connection procedure will be described using an example of a common VPN connection, IPsec connection using the shared key authentication method.
First, the caller sends a VPN connection request to the callee. At the receiver, the identity of the sender is authenticated based on a shared key set in advance between the two parties, the sender is authenticated, and if the VPN connection from the sender is permitted, a response is sent to the sender To do.
Here, the sender authenticates the identity of the called party based on the shared key, and exchanges VPN connection information necessary for VPN connection when they authenticate each other. VPN connection information is exchanged by temporarily generating a VPN tunnel (ISAKMP SA) for control communication and encrypting it.

  After exchanging VPN connection information, you can start a VPN connection from within the user network by creating a new VPN tunnel (IPsec SA) for data communication and setting the exchanged VPN connection information. Here, the address space information of each user network needs to be set in advance, and exchange through ISAKMP SA is not defined. Note that IPsec is described in Non-Patent Document 1.

As explained above, in the VPN connection between the sender and the receiver, before starting the VPN connection, the VPN connection request is passed, each other's identity authentication, the VPN connection possibility determination at the receiver, and the VPN connection. It is necessary to exchange necessary VPN connection information.
In addition, the shared key and address space information for identity authentication must be set in advance for each connection destination. Among these pre-processing, there is a method to install a gatekeeper (hereinafter referred to as GK), which is an intermediary server, between the source and destination as a method for efficiently passing VPN connection requests and authenticating each other's identity. .

GK mediates a VPN connection request from the caller to the callee by signaling, authenticates the identity of the caller, and passes the VPN connection request to the callee. As a result, a sender that cannot be authenticated by GK cannot issue a VPN connection request to the called party, which is effective in avoiding impersonation.
Necessary for direct VPN connection between the caller and the callee after passing the VPN connection request to the callee and determining whether or not the callee actually accepts the VPN connection. Exchange VPN connection information and start VPN connection. In this way, a VPN system based on user authentication can be realized by a VPN system in which an intermediary server is installed.

However, the VPN system via an intermediary server has the following problems because it goes through the above process.
In other words, in the conventional VPN system via the mediation server, there is no GK that determines whether or not VPN connection is possible. That is, none of the GKs has a function for determining whether or not to permit VPN connection in response to a VPN connection request from the sender.
In the VPN connection system so far, after GK authenticates the caller, all VPN connection requests are passed to the callee. As a result, when VPN connection requests from an unspecified number of sources are generated at the same time for the destination, all VPN connection requests are passed to the destination via the GK in the conventional method. Compared to a destination that has a lower processing capacity, a large number of VPN connection requests cannot be processed at the same time.

Also, when issuing a VPN connection request from the caller to the callee, there is a problem in user convenience in that it is not possible to select whether to use remote access VPN connection or VPN connection between LANs. there were.
Also, when the VPN connection between the caller and the callee is using a shared key that was set in advance by both parties, it is necessary to set a different shared key between all VPN connections, There was a problem in user convenience in that the setting of VPN connection was complicated.
In addition, in order to avoid address space collision in the VPN connection between the source and destination user networks, the address space information assigned to each other must be set in advance for each connection destination. There was a problem with convenience.

In addition, the conventional VPN system has a problem in the security of the system in that the information of all PC terminals in each user network is exchanged in the VPN connection between the source and destination user networks. It was.
In addition, there is a problem in user convenience in that there is no way for the caller to know in advance online whether the connection is possible from the caller to which destination.

In addition, the VPN connection is started from the source, and the VPN connection is terminated from either the source or the destination. As a trigger, there was a problem in user convenience in that the start or end of VPN connection could not be controlled.
Tomoaki Kobayakawa, “Introduction to IPsec”, Shosuisha

  The present invention has been made in consideration of the above circumstances, and its purpose is to solve problems related to system safety and problems related to user convenience that would cause service inability due to a VPN connection request of a conventional VPN system. There is to solve.

In the first aspect of the invention, the intermediary server on the Internet authenticates the source terminal and the destination terminal, and performs VPN connection between the source terminal and the destination terminal based on the authentication result. In a VPN communication method in which direct communication is performed between a source terminal and a destination terminal, when a VPN connection request from the source terminal to the destination terminal occurs, both the mediation server and the destination terminal It is characterized by determining whether or not VPN connection is possible.
If the intermediary server rejects the VPN connection, it does not pass the VPN connection request to the destination terminal, but responds to the source terminal as it is. Only the VPN connection request that is permitted by the intermediary server VPN connection determination is passed to the destination terminal.

The invention according to claim 2 is characterized in that, in the invention according to claim 1, the source terminal can select whether it is a remote access VPN connection or a LAN-to-LAN VPN connection to the destination terminal.
When starting a VPN connection, the source terminal can select whether to make a remote access VPN connection or a LAN-to-LAN VPN connection to the destination terminal.

A third aspect of the present invention provides the shared key for VPN connection in the destination terminal every time in response to a VPN connection request from the source terminal to the destination terminal in the invention of the first aspect. Is generated and delivered to the source terminal via the mediation server.
When the connection request from the source terminal is permitted by the determination of whether or not the destination terminal can be connected, the VPN connection between the source terminal and the destination terminal is performed at the destination terminal or source terminal or intermediary server each time. By generating a shared key and exchanging it via a mediation server, it is not necessary to set a shared key with the destination terminal in advance before starting the VPN connection.

According to a fourth aspect of the present invention, in the first aspect of the present invention, network information exchange for avoiding an address collision at the time of VPN connection between user networks of the source terminal and the destination terminal is performed as described above. It is characterized by being superimposed on the signaling via the mediation server.
The VPN connection information of the source terminal and the destination terminal and the address space information assigned to each other's user network are set in advance before starting the VPN connection by exchanging them with signaling via the mediation server. There is no need.

According to a fifth aspect of the present invention, in the first aspect of the present invention, a terminal that exchanges information with a partner among terminal information in each other's user network when the source terminal and the destination terminal are connected by VPN. It can be restricted or selected.
In the exchange of terminal information of the user network between the source terminal and the destination terminal, information on the destination terminal that is desired to be concealed by restricting and selecting the information on the destination terminal disclosed to the source terminal Need not be notified to the caller terminal.

The invention according to claim 6 is the invention according to claim 1, wherein the intermediary server generates a list of destination terminals to which the source terminal permits VPN connection from the source terminal. And displaying it online.
A list of destination terminals that are permitted to connect to the VPN from the source terminal is generated from the information on whether or not the VPN connection is registered in the mediation server, and is displayed online to the source terminal.

The invention according to claim 7 is the invention according to claim 1, wherein the source terminal and the destination terminal are triggered by an operation from the terminal other than the source terminal or the destination terminal to the mediation server. Or a VPN connection between the source terminal and the destination terminal is terminated.
By allowing the mediation server to operate from a third party other than the source terminal and the destination terminal, the third party can control the VPN connection between the source terminal and the destination terminal.

  The invention according to claim 8 is an VPN system comprising a source terminal connected to the Internet, a mediation server, and a destination terminal, wherein the source terminal notifies the mediation server of authentication information. An identity notifying means for authenticating the identity based on the authentication information notified from the source terminal, and the identity is authenticated by the identity authenticating means. In the case where the connection is permitted by the first connection permission determination means for determining whether the VPN connection is possible between the source terminal and the destination terminal, and the first connection permission determination means, VPN connection request notification means for notifying the destination terminal of a VPN connection request, and the destination terminal is based on the VPN connection request notified from the VPN connection request notification means. And said wearing And a second connection permission / non-permission determining unit for determining whether or not a VPN connection is possible between the destination terminals, and both the first connection permission / non-permission determining unit and the second connection permission / non-permission determining unit permit the connection. In this case, a VPN connection is performed between the source terminal and the destination terminal.

The present invention is different from the conventional method in that the VPN connection feasibility determination, which was performed only at the destination terminal in the conventional method, is also performed in the mediation server, and the remote access VPN and the LAN-to-LAN VPN can be selected. to differ greatly.
In addition, each time a VPN connection is established, a shared key is generated between the source terminal and the destination terminal, VPN connection information and address space information are superposed on the signaling via the intermediary server, and exchanged. This is greatly different from the conventional method in that terminal information in the user network to be exchanged can be limited.
Furthermore, the destination terminal that can be connected to the VPN is displayed on the source terminal online, and the VPN connection between the source terminal and the destination terminal can be controlled by a third party other than the source terminal and the destination terminal. Is significantly different from the conventional method.

According to the first aspect of the present invention, when a VPN connection request from the source terminal to the destination terminal is generated, the VPN connection availability determination is performed in both the mediation server and the destination terminal. Therefore, by determining whether or not the intermediary server and the destination are connected to the VPN in two stages, when an unspecified number of VPN connection requests are received at the same time, the intermediary server can block to some extent, and the system safety is improved.
In addition, because the intermediary server can determine whether a VPN connection is static and the destination terminal performs a dynamic VPN connection determination, the VPN connection determination can be made extensible, so that Improved convenience for VPN users.

  According to the invention described in claim 2, the source terminal can select whether to perform remote access VPN connection or LAN-to-LAN VPN connection to the destination terminal. Improved convenience for VPN users.

  According to the third aspect of the present invention, in response to a VPN connection request from the caller terminal to the callee terminal, a shared key for VPN connection is generated at the callee terminal each time via the mediation server. Thus, since it is transferred to the source terminal, it is not necessary to manage the shared key individually, and the convenience for the user is improved.

  According to the invention described in claim 4, since the VPN connection information, the address space information, the terminal information, etc. necessary for the VPN connection are exchanged superimposed on the signaling via the mediation server, Pre-configuration processing for VPN connection between the terminal and the called terminal is no longer necessary, reducing the VPN connection processing and improving the convenience for VPN users.

  According to the fifth aspect of the present invention, it is possible to limit and select information on the destination terminal that is disclosed in accordance with the connection destination regarding the terminal information exchanged between the source terminal and the destination terminal. As a result, VPN connection is possible without unnecessarily disclosing information in the user network, which improves system safety.

  According to the invention described in claim 6, since the intermediary server can display the information of the destination terminal that can be connected to the VPN online to the source terminal, it is convenient for the user of the source terminal. Can be improved.

  According to the seventh aspect of the invention, the VPN connection between the caller terminal and the callee terminal can be controlled by the operation of the mediation server by a third party. Therefore, it is possible to provide extensibility for the control of starting and disconnecting the VPN connection, and the convenience of the VPN user can be improved.

  According to the invention described in claim 8, since the intermediary server and the destination terminal determine whether or not the VPN connection is possible in two stages, when an unspecified number of VPN connection requests are received at the same time, the intermediary server Can be cut off to some extent, and the safety of the system can be improved.

FIG. 1 is a schematic diagram showing the configuration of a VPN system according to the first embodiment of the present invention.
The VPN system according to this embodiment includes a source router 101, a destination router 102, a source PC terminal 104, a destination PC terminal 105, and a GK 100 installed on the Internet 103.

FIG. 2 is a block diagram showing the configuration of the source router 101 and the destination router 102 of the VPN system according to the present embodiment.
The source router 101 and the destination router 102 are respectively set with a setting unit (301, 311), a connection possibility determination unit (302, 312), authentication information (303, 313) indicating identity, a signaling unit (304, 314), It consists of shared key generation units (305, 315), VPN connection units (306, 316), and subordinate NW control units (307, 317).
One or more PC terminals (108 to 110, 111 to 113) are connected to the source user network 106 and the destination user network 107, which are subordinate to the source router 101 and the destination router 102, respectively.

FIG. 3 is a block diagram showing the configuration of the transmission source PC terminal 104 and the call destination PC terminal 105.
The source PC terminal 104 and the destination PC terminal 105 are respectively set with a setting unit (401, 411), a connection possibility determination unit (402, 412), authentication information (403, 413) indicating identity, and a signaling unit (404, 414). ), A shared key generation unit (405, 415), and a VPN connection unit (406, 416).

FIG. 4 is a block diagram showing the configuration of GK 100. As shown in FIG.
The GK 100 includes an authentication unit 201, a connection availability determination unit 202, a signaling mediation unit 203, a customer control unit 204, and a DB 205. The DB 205 records authentication information of each router, VPN connection information, VPN connection availability information, and the like. As shown in FIG. 5, the DB 205 stores an access list 500 that records a list of destinations that are permitted to connect to the caller.

FIG. 6 is a flowchart showing VPN connection processing according to the present embodiment.
In step S001, when a VPN connection request to the destination router 102 is generated from the PC terminal (108 to 110) of the source user network 106 (FIG. 2), the subordinate NW control unit 307 of the source router 101 sends a VPN connection request. Is transferred to the signaling unit 304.
Here, the VPN connection request is generated by a method in which the source router 101 automatically generates a VPN connection request by specifying a connection destination from the PC terminal, and a user manually generates a VPN connection request by a dedicated application on the PC terminal. There is a way to make it.

In this case, information indicating whether it is a remote access VPN or a LAN-to-LAN VPN is superimposed on the VPN connection request, and this setting is made by the VPN connection set in the setting unit 301 by the administrator of the source router 101 in advance. It can be determined based on the form, or can be specified sequentially when the user issues a VPN connection request with a dedicated application on the PC terminal.
The signaling unit 304 in the source router 101 that has passed the processing starts communication with the GK 100.

  In step S002, in the GK 100, the authentication unit 201 first performs identity authentication of the source router 101 for communication from the signaling unit 304 in the source router 101. The authentication is performed based on the authentication information in the source router 101. If the identity of the source router 101 is authenticated, YES is determined in step S003, and the connection possibility determination unit 202 in the GK 100 is determined. Hand over the process. If not authenticated, NO is determined in step S003, and the process proceeds to step S004. In step S004, an authentication failure response is returned to the signaling unit 304 in the source router 101, and the process proceeds to step 005. In step S005, the entire process ends.

In step S006, the connection permission / non-permission determination unit 202 in the GK 100 that has passed the processing determines whether or not the VPN connection request of the source router 101 is permitted to the destination router 102 for VPN connection. Whether or not VPN connection is possible is determined based on an access list 500 as shown in FIG. 5 set in advance in the DB 205 in the GK 100 by the administrator of the destination router 102.
As a result of referring to the access list 500, if the VPN connection from the caller to the callee is permitted, “YES” is determined in the step S006, and the process is transferred to the signaling mediation unit 203 in the GK 100.
If the VPN connection is rejected, NO is determined in step S006, and the process proceeds to step S004. In step S004, a connection rejection response is returned to the signaling unit 304 in the source router 101, and the process proceeds to step S005. In step S005, the entire process ends.

In step S <b> 007, the signaling mediation unit 203 in the GK 100 that has passed the process delivers the VPN connection request of the source router 101 to the signaling unit 314 in the destination router 102. The signaling unit 314 in the destination router 102 passes the VPN connection request from the source router 101 to the connection availability determination unit 312 in the destination router 102.
In step S008, the connection possibility determination unit 312 in the destination router 102 determines whether to accept the VPN connection request of the source router 101. This determination is made based on an access list as shown in FIG. 5 that is set in advance in the setting unit 311 of the destination router 102 by the administrator of the destination router 102.

  If the connection is permitted as a result of referring to the access list 500, YES is determined in step S008, the process is transferred to the signaling unit 314 in the destination router 102, and the process proceeds to step S009. On the other hand, if the connection possibility determination unit 312 of the destination router 102 rejects the connection, NO is determined in step S008, and the process proceeds to step S004 via the signaling mediation unit 203 of the GK 100. In step S004, a connection rejection response is returned to the source router 101 by signaling. Then, it progresses to step S005 and complete | finishes the whole process.

In step S 009, a connection permission response is returned to the signaling unit 304 in the source router 101 by signaling via the signaling mediation unit 203 of the GK 100. In step S014, the caller receives a response from the callee.
In step S010, before starting the VPN connection process between the VPN connection units, a shared key is generated by the shared key generation unit 315 of the destination router 102, and is superimposed on the signaling in the same manner as the VPN connection information and the address space information. Replace.
In steps S011 and S015, VPN connection information and address space information necessary for VPN connection are exchanged between the signaling units (304, 314) of each router by superimposing on the VPN connection request signaling.

The address space information exchanged here is set in advance by the administrator of the source router 101 in the setting unit 301 of the source router 101 and in the setting unit 311 of the destination router 102 by the administrator of the destination router 102, respectively. Based on the public terminal information list 700 for each VPN connection destination as shown in FIG. 7, the terminal information list 800 to be disclosed to the other party to be connected to the VPN shown in FIG. 8 is generated.
Note that if there is no information on the other party connected to the VPN in the public terminal information list 700 for each VPN connection destination, all terminal information is disclosed, and default settings are followed. After information necessary for VPN can be exchanged between the source router 101 and the destination router 102, the VPN connection units (306, 316) between the source router 101 and the destination router 102 are exchanged in steps S012 and S016. Direct VPN connection processing with. Thereafter, in steps S013 and S017, a VPN connection is started between the caller and the callee.

Note that the connection possibility determination unit 312 in the destination router 102 does not make a determination based on the preset access list 500, but the VPN connection request from the source router 101 is sent to the signaling unit 314 in the destination router 102. It is also possible to dynamically determine whether or not connection is possible at the intention of the administrator of the destination router 102 at the time when it is transferred to the connection determination unit 312.
In addition, when the GK 100 and the called party perform the two-stage connection permission / inhibition determination, each determination can be performed based on different connection permission lists. As the connection permission list, as shown in FIG. 9, an access list 501 designated by a connectable time can be used in addition to the connection destination name. In this case, the connection is permitted when the connection destination name and the time when the connection request is transmitted are permitted.

  If the destination is not the destination router 102 but the destination PC terminal 105 (FIG. 3), the connection possibility judgment unit 412 of the destination PC terminal 105 judges whether or not the VPN connection is possible. The configurations of the destination router 102 and the destination PC terminal 105 are largely different in that the subordinate NW control unit 317 does not exist. The destination PC terminal 105 serving as the destination is operated while being connected to the destination router 102 or directly connected to the Internet 103. Similarly to the incoming call destination, the transmission source is not the transmission source router 101 but the transmission source PC terminal 104.

With the above structure, it is possible to determine whether a VPN connection request from the source can be made in two stages, GK 100 and the destination, and the VPN connection type is remote access VPN or LAN-to-LAN VPN. You will be able to choose one of these.
In addition, a shared key between the source and destination can be generated and exchanged for each VPN connection, and the address space information of the user network connected to the VPN can be exchanged by superimposing on the signaling. The terminal information in the user network to be exchanged with can be restricted. In addition, information on a connection destination that can be connected to a VPN can be easily obtained online by the transmission source user.

A method for solving the problem of the address space of the source user network 106 and the destination user network 107 colliding when a LAN-to-LAN VPN connection is established between two user networks will be described with reference to FIG.
In the figure, the source address space (1) and the destination address space (3) are both 192.168.1.1 to 192.168.1.254, which are in conflict.
Therefore, when initiating a VPN connection, it is proposed that the address space (192.168.3.1 to 192.168.3.254) of (2) is assigned to the destination from the source. It is proposed to allocate the address space (4. 168.4.1 to 192.168.4.454) of (4) to the source. Even if the address spaces ((1), (3)) of the user networks are equal, if (1) and (2) and (3) and (4) are different, the address spaces do not collide. Can communicate with each other.
In an actual VPN connection, (1) is used when the source specifies an address in the source user network 106, and (2) is used when the address of the destination user network 107 is specified. The address of (2) is converted into (3) by the destination router 102, and communication with the terminals (111 to 113) in the destination user network 107 becomes possible.
Similarly, when the destination designates an address in the destination network 107, (3) is used, and when the destination user network 106 is designated, (4) is used. The address of (4) is converted to (1) by the source router 101, and communication with a terminal in the source user network 106 becomes possible.

Next, a VPN connection processing sequence according to the present embodiment will be described with reference to FIG.
In step S <b> 101, the transmission source delivers a VPN connection request to GK 100. In step S102, in response to a VPN connection request from the source, the GK 100 requests authentication information from the source. In step S103, the transmission source notifies the GK 100 of authentication information.
In step S104, GK 100 authenticates the identity of the sender. Thereafter, in step S105, a determination is made as to whether or not the caller can connect to the callee. If connection to the callee destination is accepted, in step S106, the GK 100 passes a VPN connection request to the callee.

In step S107, it is determined whether or not connection is possible at the destination. If connection to the callee destination is accepted, a response request is passed from the callee to the caller in step S108. In response to the response request from the destination to the source, in step S109, a response is returned from the source to the destination. Thereafter, in steps S110 and S111, a public terminal list is generated at both the transmission source and the reception destination. In step S112,
VPN connection information and address space information are exchanged between the source and destination.
In step S113, a shared key is generated at the destination. Thereafter, in step S114, the shared key generated at the destination is delivered to the source.
In step 115, a VPN connection is started between the caller and the callee.

FIG. 12 is a sequence diagram showing VPN connection destination display processing according to the present embodiment.
In step S <b> 201, the incoming call destination requests the customer control unit 204 of the GK 100 to register a connection destination that permits VPN connection.
In step S202, the customer control unit 204 of the GK 100 passes the processing to the authentication unit 201, and the authentication unit 201 authenticates the identity of the destination.
In step S <b> 203, when identity verification of the destination is performed, the process is transferred to the customer control unit 204. The customer control unit 204 registers a connection destination that permits VPN connection to the destination in the access list 500 shown in FIG.

In step S <b> 204, the transmission source requests the GK 100 for a connection destination list capable of VPN connection. It is triggered by accessing the customer control unit 204 of the GK 100 through a Web browser or the like.
In step S <b> 205, the customer control unit 204 that has received the request passes the processing to the authentication unit 201. The authentication unit 201 of the GK 100 requests authentication information for identity authentication in response to a request from the sender.
In step S206, the transmission source notifies the GK 100 of authentication information.

In step S207, the authentication unit 201 of the GK 100 authenticates the identity of the sender. If the authentication unit 201 can authenticate the identity, the process is transferred to the customer control unit 204.
In step S208, the customer control unit 204 searches the access list 500 (FIG. 5) of each connection destination stored in the DB 205 for destinations that allow the VPN connection from the source in the DB 205, and FIG. A connection destination list 600 capable of VPN connection as shown in FIG.
In step S209, the connection destination list 600 (FIG. 13) capable of VPN connection is displayed on the source web browser or the like.

Next, a VPN system according to the second embodiment of the present invention will be described.
FIG. 14 is a sequence diagram showing VPN connection start processing in the VPN system according to the second embodiment of the present invention.
In steps S301 and S302, both the caller and callee request the customer control unit 204 of the GK 100 to register a third party who permits control of the VPN connection.
The customer control unit 204 of the GK 100 passes the processing to the authentication unit 201, and the authentication unit 201 authenticates the identity of the transmission source and destination.
In step S <b> 303, when the identity authentication of the caller and the callee is performed, the process is transferred to the customer control unit 204. The customer control unit 204 registers a third party who is permitted to control the source and destination VPN connections in the VPN connection control permission list 900 shown in FIG.

In step S304, a third party requests a VPN connection between any two parties (source and destination) to the customer control unit 204 of the GK 100 through a Web browser or the like. The customer control unit 204 of the GK 100 passes the processing to the authentication unit 201.
In step S305, the authentication unit 201 requests authentication information for identity authentication from the third party in response to the request from the third party.
In step S306, a third party notifies the GK 100 of authentication information.
In step S307, the authentication unit 201 of the GK 100 authenticates the identity of a third party. If the authentication unit 201 can authenticate the identity, the process is passed to the connection determination unit 202.

In step S308, the connection permission / non-permission determination unit 202 determines from the DB 205 whether the caller and the callee are permitted to control VPN connection by a third party. If the control of the VPN connection is permitted, the process is passed to the signaling unit 203, and in steps S309 and S310, the signaling unit 304 of the source router 101, and the signaling unit 314 of the destination router 102 from the GK 100 to the signaling unit 314, respectively. Pass the VPN connection request.
In other cases, the process is transferred to the customer control unit 204, and in step S311, the fact that the process has failed is notified to a third party through a Web browser or the like, and the entire process is terminated.

In steps S312 and S313, the signaling units (304, 314) of the source router 101 and the destination router 102 that have received the processing from the GK 100 determine whether the VPN connection is possible or not in the connection availability judgment unit (302, 312), respectively. Do. Thereafter, the result is returned to the GK 100 in steps S314 and S315.
In the case where the source and the destination have permitted VPN connection, in step S316, the VPN connection information superimposed on the signaling in the signaling units (304, 314) of the source router 101 and the destination router 102, Exchange address space information and terminal information list. Thereafter, in step S317, a direct VPN connection is started between the VPN connection units between the caller and the callee.
The customer control unit 204 notifies the third party of the VPN connection start information through a Web browser or the like.

FIG. 16 is a sequence diagram showing VPN connection disconnection processing in the VPN system according to the second embodiment of the present invention.
In steps S401 and S402, both the transmission source and the reception destination request the GK 100 to register a third party who permits control of the VPN connection.
In step S403, a third party who permits control of the VPN connection of the transmission source and the reception destination is registered in the DB 205 of the GK 100.
In step S404, the third party requests the customer control unit 204 of the GK 100 to disconnect the VPN connection between any two parties (source and destination) through a Web browser or the like. The customer control unit 204 of the GK 100 passes the processing to the authentication unit 201.

In step S405, the authentication unit 201 requests authentication information for identity authentication from a third party in response to a request from the third party. In response to this, in step S406, the third party notifies the GK 100 of the authentication information.
In step S407, third-party identity authentication is performed. The authentication unit 201 of the GK 100 passes the process to the connection possibility determination unit 202 when the identity of the third party can be authenticated.
In step S <b> 408, the connection possibility determination unit 202 determines from the DB 205 whether the transmission source and the reception destination permit control of VPN connection by a third party. When the transmission source and the reception destination permit the third party to control the VPN connection, the processing is transferred to the signaling unit 203. Thereafter, in step S409, the GK 100 delivers a VPN connection disconnection request to the signaling unit 314 of the destination router 102, and a response is returned from the destination to the GK 100 in step S411.
In other cases, in step S410, the process is transferred to the customer control unit 204, the third party is notified of the process failure through a Web browser or the like, and the entire process is terminated.

The signaling units (304, 314) of the source router 101 and the destination router 102 that have received the processing from the GK 100 deliver a disconnection request to the signaling unit 304 of the source router 101 in step S412. In response to this, in step S413, the disconnection request is transferred from the signaling unit 304 of the source router 101 to the signaling unit 314 of the destination router 102. Thereafter, in steps S414 and S415, the VPN connection between the caller and the callee is disconnected.
The customer control unit 204 notifies the third party of the VPN connection disconnection information through a Web browser or the like.

In addition, it is assumed that this embodiment also includes passing a VPN connection disconnection request from the GK 100 to the signaling unit 304 of the source router 101.
In addition, it is assumed that this embodiment includes controlling the VPN connection through the GK 100 as described above, with the sender itself and the receiver itself as a third party.
Since it has the above-described structure, it is possible to control the VPN connection from the caller to the callee, triggered by an operation on the GK 100 by a third party.

According to the VPN system according to the embodiment of the present invention described above, in the VPN connection between two parties connected to the Internet (source and destination), in particular, a mediation server is installed, and the mediation server is the source and destination. With regard to a VPN system that authenticates the system and provides a VPN connection based on the result, it is possible to achieve system security and improved user convenience, which had problems with the conventional method.
In addition, since the determination as to whether or not the VPN connection from the caller to the callee is permitted is performed at two locations, the mediation server and the callee, the system security can be ensured by the VPN connection availability determination method.
In addition, a method for selecting a connection form in advance, a method for sequentially generating a shared key between two parties, a method for exchanging connection information and network information superimposed on signaling, and limiting terminals to be disclosed in the user network during VPN connection User convenience can be improved by using a method, an online display method of connection destination information, or a connection control method by a third party.

1 is a configuration diagram of a VPN system according to an embodiment of the present invention. 2 is a configuration diagram of a source router 101 and a destination router 102 according to an embodiment of the present invention. FIG. It is a block diagram of the transmission origin PC terminal 104 and the call destination PC terminal 105 by embodiment of this invention. 1 is a configuration diagram of a GK 100 according to an embodiment of the present invention. It is an example of the access list 500 which is VPN connection availability information. It is a flowchart of the VPN connection process by the 1st Embodiment of this invention. It is an example of the public terminal information list 700 for each VPN connection destination. It is an example of a public terminal list 800 that is disclosed to a VPN-connected partner. It is an example of the access list 501 which is VPN connection availability information. It is the schematic which shows the method of avoiding the collision of address space. It is a sequence diagram of the VPN connection process by the 1st Embodiment of this invention. FIG. 6 is a sequence diagram of VPN connection destination display processing according to the first embodiment of the present invention. It is an example of a connection destination list 600 capable of VPN connection. It is a sequence diagram of the VPN connection start process by the 2nd Embodiment of this invention. It is an example of the list | wrist of the third party who permits VPN connection control. It is a sequence diagram of the VPN connection end process by the 2nd Embodiment of this invention. It is a network block diagram of the conventional remote access VPN. It is a network block diagram of the conventional VPN connection between LAN.

Explanation of symbols

100 ... GK
101 ... Source router 102 ... Destination router 103 ... Internet 104 ... Source PC terminal 105 ... Destination PC terminal 106 ... Source user network 107 ... Destination user Network 108 to 113... PC terminal 201 under the router 201... Authentication unit 202... Connection determination unit 203 .. signaling mediation unit 204 .. customer control unit 205.
301, 311 ... setting units 302, 312 ... connectability determination unit 303, 313 ... authentication information 304, 314 ... signaling unit 305, 315 ... shared key generation unit 306, 316 ... Connection unit 307, 317 ... Subordinate NW control unit 401, 411 ... Setting unit 402, 412 ... Connection availability determination unit 403, 413 ... Authentication information 404, 414 ... Signaling unit 405, 415 ··· Shared key generation unit 406, 416 ··· Connection unit 500, 501 ··· Access list 600 ··· List of connection destinations 700 capable of VPN connection ··· Public terminal information list 800 for each VPN connection destination ..Public terminal list 900 ... List of third parties that allow VPN connection control

Claims (8)

An intermediary server on the Internet authenticates the source terminal and the destination terminal, and makes a VPN connection between the source terminal and the destination terminal based on the authentication result. During the VPN connection, between the source terminal and the destination terminal In the VPN communication method for direct communication,
A VPN communication method characterized in that, when a VPN connection request from the source terminal to the destination terminal is generated, a VPN connection possibility determination is performed in both the mediation server and the destination terminal.   The VPN communication method according to claim 1, wherein the source terminal can select a remote access VPN connection or a LAN-to-LAN VPN connection to the destination terminal.   In response to a VPN connection request from the source terminal to the destination terminal, a shared key for VPN connection is generated at the destination terminal each time and is passed to the source terminal via the mediation server The VPN communication method according to claim 1, wherein:   The network information exchange for avoiding address collision at the time of VPN connection between user networks of the source terminal and the destination terminal is performed by superimposing on signaling via the mediation server. The VPN communication method according to 1.   2. The VPN communication method according to claim 1, wherein, when the VPN connection is established between the source terminal and the destination terminal, a terminal for exchanging information with the other party can be restricted or selected among terminal information in each user network.   2. The VPN according to claim 1, wherein the mediation server generates a list of destination terminals that are permitted to connect to the source terminal from the source terminal and displays the list on-line. Communication method.   In response to an operation from the source terminal or a terminal other than the destination terminal to the mediation server, a VPN connection is started between the source terminal and the destination terminal, or the source terminal and the destination The VPN communication method according to claim 1, wherein the VPN connection between terminals is terminated. In a VPN system consisting of a source terminal connected to the Internet, a mediation server, and a destination terminal,
The source terminal is
Authentication information notifying means for notifying authentication information to the mediation server,
The mediation server is
Identity authentication means for authenticating the identity based on the authentication information notified from the source terminal;
First identity determination means for determining whether a VPN connection is possible between the source terminal and the destination terminal when the identity is authenticated by the identity authentication means;
VPN connection request notification means for notifying the destination terminal of a VPN connection request when a connection is permitted by the first connection permission determination means;
The destination terminal is
Based on a VPN connection request notified from the VPN connection request notification means, second connection availability determination means for determining whether or not a VPN connection is possible between the source terminal and the destination terminal;
VPN connection is performed between the source terminal and the destination terminal when connection is permitted in both the first connection permission determination unit and the second connection permission determination unit. system.

Images