JP2011166312A - Virtual private network system, communication method and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To reduce the generation of a bottleneck in VPN communication. <P>SOLUTION: In the virtual private network system, a virtual private network server includes a notification part for acquiring the load situation of the present device and notifying a relay server of the load situation, and the relay server includes a storage part for storing the load situation for each virtual private network server, an updating part for updating the load situation stored in the storage part when receiving the notice of the load situation, and a connection part for selecting the virtual private network server according to a predetermined reference indicating that the load is small corresponding to the load situation stored in the storage part and establishing a communication path between the selected virtual private network server and a virtual private network client when receiving a connection request from the virtual private network client. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a VPN (Virtual Private Network) system.

  An example of a VPN system using a relay server is described in Patent Document 1. FIG. 18 is a configuration diagram of a VPN system related to the system disclosed in Patent Document 1. As shown in FIG. 18, the networks included in this VPN system are the Internet R1, the first network R2, and the second network R4. A router R5 (with NAT function) is installed between the second network and the Internet R1, and a firewall R3 (with NAT function) is installed between the Internet R1 and the first network R2. The first network R2 includes a VPN server R21 having an authentication function for VPN connection to the Internet R1 side, a business server R23, and a mail server R29, which are connected via a firewall R3 and a hub R24 (HUB). The Internet R1 includes a mail server R10 and a relay server R11. The second network R4 includes a communication terminal R41.

  The VPN system of FIG. 18 having such a configuration operates as follows. First, the communication terminal R41 transmits a connection information request to the relay server R11. The relay server R11 transmits information (identification information) for uniquely identifying the connection to the communication terminal R41. Then, the communication terminal R41 establishes a TCP connection to the relay server R11. Next, the communication terminal R41 transmits a control mail to a mail address set in advance to the VPN server R21. The control mail is first transmitted to the mail server R10 and transferred from the mail server R10 to the mail server R29. The control mail includes the identification information of the VPN connection request. For example, the communication terminal R41 may embed identification information of the VPN connection request in the header portion of the control mail. By including the identification information in this way, it becomes possible to distinguish between the control mail and the normal electronic mail. Further, information necessary for establishing a VPN connection from the first network R2 side to the communication terminal R41, such as the IP address of the relay server R11 and information for uniquely identifying the connection acquired from the relay server R11, is a control mail. To be added.

  The VPN server R21 periodically accesses the mail server R29 and inquires whether the self-addressed e-mail has arrived. When the self-addressed e-mail has arrived, the VPN server R21 takes in the e-mail and determines whether it is a control mail. When the self-addressed e-mail is a control mail, the control mail receiving application of the VPN server R21 instructs the mail server R29 to delete the control mail. Further, the control mail receiving application establishes a TCP connection to the relay server R11 and transmits a connection completion message including information for uniquely identifying. The relay server R11 connects the TCP connections from both sides based on the identification information included in the connection completion message from the VPN server R21 and the identification information between the communication terminal R41. Then, the relay server R11 transmits a connection completion message to the communication terminal R41. The communication terminal R41 exchanges encryption information with the VPN server R21 via the relay server R11. Then, the communication terminal R41 encrypts the user ID and password using this encryption information and transmits it to the VPN server R21. With the above processing, a VPN connection is established between the communication terminal R41 and the VPN server R21. When the VPN connection is established, the communication terminal R41 in the second network R4 can access the business server R23 in the first network R1 via the VPN server R21.

  The advantage of the above scheme is that a VPN connection is established in the direction from the VPN server R21 in the first network R2 to the relay server R11 in the Internet R1. That is, since the VPN connection is established in this way, the VPN system can be introduced without changing the setting of the existing firewall R3. However, although the mail server R10 and the mail server R29 can use existing ones because they can be used, there is an advantage that transmission of control mail may be delayed. For this reason, it may take time to complete the VPN connection. Therefore, a system has been devised and commercialized that uses a relay server R11 for transferring connection requests, not using means using mail.

  FIG. 19 is a configuration diagram of a VPN system for establishing a VPN connection using the relay server R11. The networks included in the VPN system shown in FIG. 19 are the Internet R1, the first network R2, and the second network R4. A router R5 (with NAT function) is installed between the second network R4 and the Internet R1, and a firewall R3 (with NAT function) is installed between the Internet R1 and the first network R2. The first network R2 includes a VPN server R21 having an authentication function for VPN connection to the Internet R1 side, and a business server R23, which are connected via a firewall R3 and a hub R24 (HUB). The Internet R1 includes a relay server R11. The second network R4 includes a communication terminal R41.

  Hereinafter, the operation of the VPN system of FIG. 19 will be described. FIG. 20 is a diagram showing an outline of communication between the VPN server R21 and the relay server R11 in the VPN system of FIG. In order to send a connection request from outside the first network R2 to the VPN server R21 in the first network R2, it is usually necessary to change the setting of the firewall R3. In order to make this setting change unnecessary, in the VPN system in FIG. 19, a connection (permanent connection in FIG. 20) is established from the VPN server R21 in the first network R2 to the relay server R11 in the Internet R1. That is, this permanent connection is a connection for transferring a connection request. Then, the relay server R11 transfers the connection request from the communication terminal R41 to the VPN server R21 through the permanent connection.

  The relay server R11 waits for connection at the port 443. In the VPN server R21, the IP address of the relay server R11 is set in advance. When the VPN server R21 is activated, it establishes a connection (permanent connection) to the relay server R11 with a TCP connection to the port 443. When the permanent connection is established, the VPN server R21 periodically transmits a survival confirmation message to the relay server R11 through the permanent connection in order to confirm whether communication is possible. When the relay server R11 receives the survival confirmation message, the relay server R11 transmits a survival confirmation response to the transmission source VPN server R21 through the permanent connection. The VPN server R21 is permanently installed in the relay server R11 when the transmission of the survival confirmation message fails continuously or when the transmission is successful but the response (survival confirmation response) from the relay server R11 is not received. Re-establish the connection.

  FIG. 21 is a diagram showing an outline of a VPN connection (VPN connection) establishment process in the VPN system of FIG. First, the communication terminal R41 establishes a first TCP connection for transmitting a connection request message to the relay server R11. The communication terminal R41 creates a connection request message including information (for example, client identification information) necessary for establishing a VPN connection from the VPN server R21. Then, the communication terminal R41 transmits a connection request message to the relay server R11 through the first TCP connection. This first TCP connection is an alternative to the conventional mail. The communication terminal R41 also establishes a second TCP connection for VPN connection to the relay server R11. When the relay server R11 receives the connection request message through the first TCP connection, the relay server R11 transfers the received connection request message to the VPN server R21 through the permanent connection. When the VPN server R21 receives the connection request message, the VPN server R21 establishes an individual connection to the relay server R11. Then, the relay server R11 establishes a VPN connection from the communication terminal R41 to the VPN server R21 using the second TCP connection and the individual connection.

  FIG. 22 is a configuration diagram of another VPN system related to the VPN system of FIG. In the VPN system of FIG. 22, a plurality of communication terminals R41 (R41-1 and R41-2) are connected to the second network R4, and each is connected to the VPN server R21. In the VPN, all data communicated between the VPN server / client is encrypted / decrypted. When data is transmitted from the communication terminal R41 to the business server R28 (R28-1 or R28-2), the VPN application installed in the communication terminal R41 encrypts and transmits the data. The transmitted data is decrypted by the VPN server R21 and then transmitted to the destination business server R28 in the first network R2. Conversely, when data is transmitted from the business server R28 in the first network R2 to the communication terminal R41, the business server R28 first transmits data to the VPN server R21. The VPN server R21 encrypts the data and then transmits it to the communication terminal R41. Then, the VPN application installed in the communication terminal R41 decrypts the data.

JP 2008-028996 A

  At the same time, when the number of communication terminals R41 that are simultaneously connected by VPN increases, the VPN server R21 is subjected to a heavy load for communication encryption / decryption processing. Therefore, there is a problem that the encryption / decryption process in the VPN server R21 becomes a bottleneck of VPN communication. In addition, since the capacity of the LAN connected to the VPN server R21 is shared by many VPN clients (communication terminal R41), there is a problem that the communication capacity per communication terminal R41 is suppressed. It was.

  In view of the above circumstances, an object of the present invention is to provide a technique capable of reducing the occurrence of bottlenecks in the VPN communication as described above.

  One aspect of the present invention includes a plurality of virtual private network servers and a relay server that establishes a communication path between the virtual private network server and the virtual private network client in response to a connection request from a virtual private network client. The virtual private network server includes a notification unit that acquires a load status of the device itself and notifies the relay server of the load status, and the relay server includes the load A storage unit that stores the status for each virtual private network server, an update unit that updates the load status stored in the storage unit upon receiving the notification of the load status, and a connection request received from the virtual private network client Then According to the load status stored in the storage unit, the virtual private network server is selected according to a predetermined criterion indicating that the load is small, and between the selected virtual private network server and the virtual private network client And a connection unit for establishing the communication path.

  According to one aspect of the present invention, a plurality of virtual private network servers, a management device that manages the plurality of virtual private network servers, and the virtual private network server and the virtual in response to a connection request from a virtual private network client A virtual private network system comprising a relay server that establishes a communication path with a private network client, wherein the virtual private network server acquires a load status of the own device and sends the load status to the management device A notification unit for notifying, and the management device updates the load status stored in the storage unit upon receiving the notification of the load status, and a storage unit for storing the load status for each virtual private network server Updating part to A selection unit that selects the virtual private network server according to a predetermined criterion indicating that the load is small according to a load situation stored in the storage unit when receiving a connection request from the server, and the relay server When a connection request is received from the virtual private network client, the connection request is transferred to the management device, and a communication path between the virtual private network server selected by the management device and the virtual private network client is established. And a connecting portion.

  One aspect of the present invention includes a plurality of virtual private network servers and a relay server that establishes a communication path between the virtual private network server and the virtual private network client in response to a connection request from a virtual private network client. A virtual private network system comprising: a notification step in which the virtual private network server acquires a load status of its own device and notifies the relay server of the load status; and When the relay server having a storage device for storing each virtual private network server receives the load status notification, the relay server updates the load status stored in the storage device, and the relay server includes the virtual private network server. Net When receiving a connection request from a work client, the virtual private network server is selected according to a predetermined criterion indicating that the load is small according to the load status stored in the storage device, and the selected virtual private network server And a connection step of establishing a communication path between the client and the virtual private network client.

  According to one aspect of the present invention, a plurality of virtual private network servers, a management device that manages the plurality of virtual private network servers, and the virtual private network server and the virtual in response to a connection request from a virtual private network client A communication method performed by a virtual private network system comprising a relay server that establishes a communication path with a private network client, wherein the virtual private network server acquires a load status of the own device, and A notification step of notifying the management device; and a load status stored in the storage device when the management device comprising the storage device storing the load status for each virtual private network server receives the notification of the load status More And when the management device receives a connection request from the relay server, the virtual private network server is set in accordance with a predetermined criterion indicating that the load is small according to the load status stored in the storage device. A selecting step for selecting, and when the relay server receives a connection request from the virtual private network client, the connection request is transferred to the management device, and the virtual private network server and the virtual private network selected by the management device And a connection step for establishing a communication path with the client.

  One aspect of the present invention includes a plurality of first computers, a second computer that establishes a communication path between the first computer and the virtual private network client in response to a connection request from the virtual private network client, In the virtual private network system comprising: the first computer is caused to execute a notification step of acquiring a load status of the own device and notifying the relay server of the load status; When receiving the load status notification to the second computer comprising the storage device stored in the storage device, an update step for updating the load status stored in the storage device and a connection request received from the virtual private network client , Load stored in the storage device Selecting a first computer according to a predetermined criterion indicating a low load according to a situation, and establishing a communication path between the selected first computer and the virtual private network client; Is a computer program for executing

  One aspect of the present invention includes a plurality of first computers, a third computer that manages the plurality of first computers, and the first computer and the virtual private network in response to a connection request from a virtual private network client. In a virtual private network system comprising a second computer that establishes a communication path with a client, a notification for acquiring the load status of the own device and notifying the management device of the load status to the first computer The load status stored in the storage device is updated when the third computer is provided with a storage device that stores the load status for each of the first computers. Update step and receiving a connection request from the second computer Selecting the first computer according to a predetermined criterion indicating that the load is small according to a load situation stored in the storage device, and causing the second computer to execute the virtual private A connection step of receiving a connection request from the network client, transferring the connection request to the third computer, and establishing a communication path between the first computer selected by the third computer and the virtual private network client; , Is a computer program for executing.

  According to the present invention, it is possible to reduce the occurrence of bottlenecks in VPN communication.

It is a figure showing the system configuration | structure of the VPN system of 1st embodiment. It is a schematic block diagram showing the system configuration | structure of a relay server. A specific example of a group setting file is shown. It is a figure showing the specific example of a permanent connection management table. It is a schematic block diagram showing the system configuration | structure of a VPN server. It is a schematic block diagram showing the system configuration | structure of a communication terminal. It is a figure showing the outline of the communication performed between a relay server and a VPN server. It is a sequence diagram showing the flow of a process of the VPN system of 1st embodiment. It is a figure showing the system configuration | structure of the VPN system of 2nd embodiment. It is a schematic block diagram showing the system configuration | structure of a relay server. The example of the group setting file of 2nd embodiment is represented. It is a figure showing the specific example of the permanent connection management table of 2nd embodiment. It is a schematic block diagram showing the system configuration | structure of a VPN server manager. It is a figure showing the specific example of the permanent connection management table for managers. It is a schematic block diagram showing the system configuration | structure of a VPN server. It is a figure showing the outline of each of the communication performed between a relay server and a VPN server manager, and the communication performed between a VPN server manager and a VPN server. It is a sequence diagram showing the flow of a process of the VPN system of 2nd embodiment. 1 is a configuration diagram of a VPN system related to the system disclosed in Patent Document 1. FIG. It is a block diagram of the VPN system for establishing a VPN connection using a relay server. It is a figure which shows the outline of the communication between the VPN server and relay server in the VPN system of FIG. It is a figure which shows the outline of the establishment process of the VPN connection (VPN connection) in the VPN system of FIG. It is a block diagram of the other VPN system relevant to the VPN system of FIG.

[First embodiment]
FIG. 1 is a diagram illustrating a system configuration of a VPN (Virtual Private Network) system according to the first embodiment. The VPN system of the first embodiment includes an Internet 1, a first network 2, and a second network 4 as networks. A router 5 is installed between the second network 4 and the Internet 1. A firewall 3 is installed between the Internet 1 and the first network 2. The firewall 3 and the router 5 have a NAT (Network Address Translation) function. A relay server 11 is connected to the Internet 1. In the first network 2, a HUB 24 (hub 24), three VPN servers 21 (21-1, 21-2, 21-3), an authentication server 22, and a business server 23 are connected. A communication terminal 41 is connected in the second network 4. The first network 2 and the second network 4 are communicably connected via the Internet 1. In the VPN system of the first embodiment, a plurality of first networks 2 may be connected to one relay server 11.

  The authentication server 22 authenticates a user who makes a VPN connection to the first network 2. The business server 23 is a server device to which a user of the communication terminal 41 is connected in order to perform a predetermined business. The HUB 24 is a communication device that connects the VPN servers 21-1 to 21-3, the authentication server 22, the business server 23, and the firewall 3. The communication terminal 41 is an information processing apparatus that operates as a VPN client in the VPN system.

  FIG. 2 is a schematic block diagram showing the system configuration of the relay server 11. The relay server 11 includes a CPU (Central Processing Unit) connected via a bus, a memory, an auxiliary storage device, and the like. By executing a relay program, the transmission / reception unit 111, the setting file storage unit 112, the management table storage unit 113, It functions as a device including the permanent connection management unit 114 and the connection connection unit 115. Note that all or part of the functions of the relay server 11 may be realized by using hardware such as an application specific integrated circuit (ASIC), a programmable logic device (PLD), or a field programmable gate array (FPGA).

  The transmission / reception unit 111 is configured using a network interface such as a NIC (Network Interface Card). The transmission / reception unit 111 transmits / receives data to / from other communication devices via the Internet 1.

  The setting file storage unit 112 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device, and stores a group setting file. FIG. 3 shows a specific example of the group setting file. In the group setting file, authentication server information and the IP address and host name of the VPN server 21 included in the VPN group are recorded for each VPN group set in advance. FIG. 3 shows information regarding Group 1 and Group 2 as the VPN group. Information set in the group setting file will be described using Group 1 as an example. The number “192.168.1.10” described after “auth-server =” represents the IP address of the authentication server. In addition, the numbers “192.168.1.11”, “192.168.1.12”, “192.168.1.13” in three lines described below the character string “IP Address” Each represents the IP address of the VPN server 21 included in the VPN group. Further, the three-line character string described below the character string “hostname” represents the host name of the VPN server 21 of each IP address. The group setting file may be configured as a separate file for each group, for example, using the group name as the file name. In the group setting file, information on each group may be described in one file.

  The management table storage unit 113 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device, and stores a permanent connection management file. In the permanent connection management file, a permanent connection management table is described. FIG. 4 is a diagram illustrating a specific example of the permanent connection management table. The permanent connection management table stores the name, IP address, host name, and load status of the VPN group to which each VPN server 21 connected to the relay server 11 belongs. The load status is information related to the load generated in the VPN server 21, for example, information such as CPU load (CPU usage rate (%)), the number of connected VPN clients, network usage bandwidth information (Mbps), and the like. is there.

  The permanent connection management unit 114 manages the permanent connection established for the own apparatus (relay server 11). When a permanent connection is newly established from the VPN server 21 to the own apparatus, the permanent connection management unit 114 stores information regarding the VPN server 21 located on the opposite side of the new permanent connection, in the management table storage unit 113. Is newly registered in the permanent connection management table. Further, when the permanent connection management unit 114 receives the survival confirmation message from the VPN server 21, it uses the load status information included in the survival confirmation message to load the permanent connection management table load status stored in the management table storage unit 113. Update the information. In addition, the permanent connection management unit 114 transmits a survival confirmation response message to the VPN server 21 that is the transmission source of the survival confirmation message.

  The connection connection unit 115 selects the VPN server 21 that is the connection destination of the VPN connection according to the contents of the permanent connection management table stored in the management table storage unit 113. Specifically, the connection connection unit 115 selects the VPN server 21 having the lowest load. Then, the connection connection unit 115 performs a process of establishing a VPN connection between the selected VPN server 21 and the VPN client (communication terminal 41).

  The VPN server 21 having the lowest load may be determined based on all the load status values registered in the permanent connection management table, or may be determined based on a part of the load status values. Further, how to specifically determine how the load is low is appropriately designed by a designer or an administrator. For example, the connection connection unit 115 divides the value of the network usage band information by the number of connected VPN clients. Then, the connection connection unit 115 may select the VPN server 21 having the smallest calculated value (the network use bandwidth (Mbps) per VPN client) as the VPN server 21 having the lowest load.

  FIG. 5 is a schematic block diagram showing the system configuration of the VPN server 21. The VPN server 21 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus. By executing a VPN server program, the transmission / reception unit 211, the permanent connection establishment unit 212, the survival confirmation management unit 213, and the individual connection establishment The unit 214 and the VPN control unit 215 function as a device. All or some of the functions of the VPN server 21 may be realized using hardware such as an ASIC, PLD, or FPGA.

The transmission / reception unit 211 is configured using a network interface such as a NIC. The transmission / reception unit 211 transmits / receives data to / from other communication devices via the first network 2.
The permanent connection establishment unit 212 stores the IP address of the relay server 11 in advance, and establishes a permanent connection with the relay server 11.

  The survival confirmation management unit 213 generates a survival confirmation message at a predetermined timing and transmits it to the relay server 11. The existence confirmation message includes a message requesting the relay server 11 to return the existence confirmation response message, and a message indicating the load status of the own apparatus (VPN server 21). In addition, the survival confirmation management unit 213 receives a survival confirmation response message for the survival confirmation message from the relay server 11.

  When the connection request message is received from the VPN client (communication terminal 41), the individual connection establishment unit 214 establishes a TCP connection with the relay server 11. The TCP connection established by the individual connection establishment unit 214 is a connection used as a part of the VPN connection with the communication terminal 41 that is the transmission source of the connection request message. Hereinafter, this TCP connection is referred to as “individual connection”.

  The VPN control unit 215 performs processing as a so-called conventional VPN server. Specifically, the VPN control unit 215 provides a VPN service to the VPN client through a VPN connection established with the VPN client (communication terminal 41). For example, the VPN control unit 215 enables a VPN client to access the business server 23 in the first network 2 by VPN and transmit / receive data.

  FIG. 6 is a schematic block diagram showing the system configuration of the communication terminal 41. The communication terminal 41 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus. By executing a VPN client program, the transmission / reception unit 411, the first connection establishment unit 412, the second connection establishment unit 413, the authentication It functions as a device including a request unit 414 and a VPN control unit 415. All or some of the functions of the communication terminal 41 may be realized using hardware such as an ASIC, PLD, or FPGA.

The transmission / reception unit 411 is configured using a network interface such as a NIC. The transmission / reception unit 411 transmits / receives data to / from other communication devices via the second network 4.
The first connection establishment unit 412 stores the IP address of the relay server 11 in advance, and establishes a first TCP connection with the relay server 11. The first TCP connection is a connection used when transmitting a connection request message from the communication terminal 41 to the relay server 11. The first connection establishment unit 412 transmits a connection request message to the relay device 11 through the first TCP connection. The connection request message includes information necessary for the VPN server 21 to establish a VPN connection to the VPN client. Specifically, the connection request message includes identification information (for example, group name) of the VPN group that the communication terminal 41 desires to connect, identification information of the communication terminal 41, and the like.

  The second connection establishment unit 413 stores the IP address of the relay server 11 in advance, and establishes a second TCP connection with the relay server 11. The second TCP connection is a connection used as a part of the VPN connection between the communication terminal 41 and the VPN server 21.

  The authentication request unit 414 creates an authentication request message. The authentication request message includes a user name and a password necessary for receiving authentication in the authentication server 22. The authentication request unit 414 stores the IP address of the relay server 11 in advance, and transmits an authentication request message to the relay server 11.

  The VPN control unit 415 performs processing as a so-called conventional VPN client. Specifically, the VPN control unit 415 accesses a communication device in the first network 2 through a VPN connection established with the VPN server (VPN server 21). For example, the VPN control unit 415 transmits / receives data by accessing the business server 23 in the first network 2 via the VPN server 21 via the VPN.

  FIG. 7 is a diagram illustrating an outline of communication performed between the relay server 11 and the VPN server 21. The permanent connection establishment unit 212 of the VPN server 21 establishes a permanent connection to a predetermined port with a TCP connection to the relay server 11. The predetermined port is a port set in advance, for example, port 443. The establishment of the permanent connection may be performed immediately after the VPN server 21 is turned on and started, or may be performed when an establishment instruction is input by the administrator, or at another timing. May be. Through this permanent connection, the survival confirmation management unit 213 of the VPN server 21 transmits a survival confirmation message to the relay server 11. In addition, when the permanent connection management unit 114 of the relay server 11 receives the survival confirmation message from the VPN server 21, it transmits a survival confirmation response message to the VPN server 21 through the permanent connection.

  FIG. 8 is a sequence diagram illustrating a processing flow of the VPN system according to the first embodiment. First, the relay server 11 waits for a connection from the VPN servers 21-1 to 21-3 at a predetermined port (the 443th port). The permanent connection establishment unit 212 of each VPN server 21-1 to 21-3 stores the IP address of the relay server 11 in advance. The permanent connection establishment unit 212 of each of the VPN servers 21-1 to 21-3 establishes a permanent connection to the relay server 11 (Steps S101-1 to S101-3).

  When the permanent connection management unit 114 of the relay server 11 accepts the connection of the permanent connection from each of the VPN servers 21-1 to 21-3, the IP address and host name of the VPN server 21-1 to 21-3 of the connection source are obtained. Register in the permanent connection management table. Note that the permanent connection management unit 114 of the relay server 11 may be configured to authenticate each of the VPN servers 21-1 to 21-3 when the permanent connection is established. With this configuration, it is possible to prevent a device such as a VPN server from being illegally connected to the relay server 11.

  Next, the survival confirmation management unit 213 of each of the VPN servers 21-1 to 21-3 transmits a survival confirmation message to the relay server 11 at a predetermined timing in order to confirm that communication is possible (step S102-). 1-S102-3). At this time, each survival confirmation management unit 213 transmits a survival confirmation message through the permanent connection. When the permanent connection management unit 114 of the relay server 11 receives the survival confirmation message, it transmits a survival confirmation response message to the source VPN servers 21-1 to 21-3 (steps S103-1 to S103-3). At this time, the permanent connection management unit 114 transmits a survival confirmation response message through the permanent connection. Further, the permanent connection management unit 114 updates the permanent connection management table using the load status information included in the received survival confirmation message.

  The survival confirmation management unit 213 of each of the VPN servers 21-1 to 21-3 receives the survival confirmation response message from the relay server 11 within a predetermined time when the transmission of the survival confirmation message fails continuously or when the transmission is successful. If it cannot be received, an error notification is sent to the permanent connection establishment unit 212. The permanent connection establishment unit 212 reestablishes the permanent connection to the relay server 11 when receiving an error notification from the survival confirmation management unit 213.

  Next, processing for establishing a VPN connection by the communication terminal 41 serving as a VPN client will be described. First, the first connection establishment unit 412 of the communication terminal 41 establishes a first TCP connection with the relay server 11. Then, the first connection establishment unit creates a connection request message and transmits it to the relay server 11 through the first TCP connection (step S104).

  Further, the second connection establishment unit 413 of the communication terminal 41 establishes a second TCP connection to the relay server 11 after or in parallel with the process of step S104 (step S105).

  When the connection connection unit 115 of the relay server 11 receives the connection request message through the first TCP connection, the connection connection unit 115 refers to the permanent connection management table of the management table storage unit 113. Then, the connection connection unit 115 determines whether or not the name of the VPN group included in the received connection request message is registered in the permanent connection management table. When the name of the VPN group is registered, the connection connection unit 115 selects the VPN server 21 with the lowest load from the VPN servers 21 belonging to the VPN group. The connection connection unit 115 transfers a connection request message to the selected VPN server 21 (21-1) through a permanent connection (step S106).

  When receiving the connection request message from the relay server 11, the individual connection establishing unit 214 of the VPN server 21-1 acquires information necessary for establishing a VPN connection to the communication terminal 41 from the received connection request message. Then, the individual connection establishment unit 214 establishes an individual connection with the relay server 11 by transmitting a connection request message to the relay server 11 (step S107).

  The connection connection unit 115 of the relay server 11 refers to the information included in the connection request message received from the communication terminal 41 and the connection request message received from the VPN server 21-1, respectively. Connect individual connections. Through this process, the connection connection unit 115 establishes a communication path between the communication terminal 41 and the VPN server 21-1. When the establishment of the communication path is completed, the connection connection unit 115 transmits a connection completion message to the communication terminal 41 through the second TCP connection (step S108).

  When receiving the connection completion message from the relay server 11, the VPN control unit 415 of the communication terminal 41 instructs the authentication request unit 414 to start authentication processing. The authentication request unit 414 creates an authentication request message in response to an instruction from the VPN control unit 415 and transmits it to the relay server 11 (step S109).

  When receiving the authentication request message from the communication terminal 41, the connection connection unit 115 of the relay server 11 refers to the group setting file and searches for the IP address of the authentication server 22 of the corresponding VPN group. Then, the connection connection unit 115 transfers the authentication request message to the authentication server 22 via the VPN server 21-1 (Step S110). At this time, the authentication request message is transmitted and received through the individual connection between the relay server 11 and the VPN server 21-1.

  Upon receiving the authentication request message, the authentication server 22 performs an authentication process based on the user name and password included in the authentication request message. Then, the authentication server 22 creates an authentication result notification message representing the authentication result, and transmits it to the relay server 11 (step S111). The relay server 11 transfers the authentication result notification message to the VPN server 21-1 (step S112). The VPN control unit 215 of the VPN server 21-1 determines whether access from the communication terminal 41 is permitted based on the content of the authentication result represented by the received authentication result notification message. Specifically, when the content of the authentication result indicates that the user of the communication terminal 41 is a valid user, the VPN control unit 215 establishes a VPN connection with the communication terminal 41. At this time, the VPN control unit 215 establishes a VPN connection using the second TCP connection and the individual connection already connected by the relay server 11. Then, the VPN control unit 215 of the VPN server 21-1 relays communication between the communication terminal 41 and the business server 23 in the first network 2 (step S113). On the other hand, when the content of the authentication result indicates that the user of the communication terminal 41 is not a valid user, the VPN control unit 215 does not establish the VPN connection, and the business in the communication terminal 41 and the first network 2 is not established. Communication with the server 23 is not relayed.

  In the VPN system of the first embodiment, the load status of the VPN server 21 is notified to the relay server 11 at a predetermined timing. The relay server 11 establishes a VPN connection between the VPN server 21 having the lowest load and the VPN client (communication terminal 41) when a connection request for a new VPN connection is made. Therefore, it is possible to prevent the load from being concentrated on the specific VPN server 21. Therefore, it is possible to prevent a VPN communication bottleneck from occurring in the VPN server 21.

  In addition, the user of the communication terminal 41 can use more network bandwidth. The reason is as follows. The network bandwidth that can be used by the user of the communication terminal 41 is shared by the communication terminals 41 connected to the VPN server 21 with the maximum capacity of the LAN cable connected to the VPN server 21 as the maximum value. Therefore, the network bandwidth allocated to each communication terminal 41 increases by preventing the load from being concentrated on the specific VPN server 21 as described above.

[Second Embodiment]
FIG. 9 is a diagram illustrating a system configuration of the VPN system according to the second embodiment. Hereinafter, the difference between the VPN system of the second embodiment and the VPN system of the first embodiment will be mainly described.

  The VPN system according to the second embodiment includes a relay server 12 in place of the relay server 11, a point in which the VPN server manager 20 is provided in the first network 2, and a VPN server in place of the VPN servers 21-1 to 21-3. It differs from the VPN system of the first embodiment in that it includes 25-1 to 25-3 and does not include the authentication server 22 in the first network 2. In the VPN system of the second embodiment, a plurality of first networks 2 may be connected to one relay server 12.

  FIG. 10 is a schematic block diagram showing the system configuration of the relay server 12. The relay server 12 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus, and by executing a relay program, the transmission / reception unit 121, the setting file storage unit 122, the management table storage unit 123, and the permanent connection management unit 124. , Function as a device including the connection connection unit 125. All or some of the functions of the relay server 12 may be realized using hardware such as an ASIC, PLD, or FPGA.

The transmission / reception unit 121 is configured using a network interface such as a NIC. The transmission / reception unit 121 transmits / receives data to / from other communication devices via the Internet 1.
The setting file storage unit 122 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device, and stores a group setting file. FIG. 11 shows a specific example of the group setting file of the second embodiment. In the group setting file of the second embodiment, VPN server manager information is recorded for each preset VPN group. FIG. 11 shows information regarding Group 1 and Group 2 as the VPN group. Information set in the group setting file will be described using Group 1 as an example. The number “192.168.1.1” described after “manager =” represents the IP address of the VPN server manager. The group setting file may be configured as a separate file for each group, for example, using the group name as the file name. In the group setting file, information on each group may be described in one file.

  The management table storage unit 123 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device, and stores a permanent connection management file. In the permanent connection management file, a permanent connection management table is described. FIG. 12 is a diagram illustrating a specific example of the permanent connection management table of the second embodiment. The permanent connection management table of the second embodiment stores an IP address and a host name for each VPN server manager 20 connected to the relay server 12.

  The permanent connection management unit 124 manages the permanent connection established for the own apparatus (relay server 12). When a permanent connection is newly established from the VPN server manager 20 to the own device, the permanent connection management unit 124 stores information on the VPN server manager 20 located on the opposite side of the new permanent connection in the management table. Is newly registered in the permanent connection management table of the unit 123. In addition, the permanent connection management unit 124 transmits a survival confirmation response message to the VPN server manager 20 that is the transmission source of the survival confirmation message.

The connection connection unit 125 performs processing for establishing a VPN connection between the VPN server 25 and the VPN client (communication terminal 41).
FIG. 13 is a schematic block diagram showing the system configuration of the VPN server manager 20. The VPN server manager 20 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus. By executing the VPN server manager program, the transmission / reception unit 201, the management table storage unit 202, the permanent connection management unit 203, and the connection connection It functions as a device including a unit 204, a permanent connection establishment unit 205, a survival confirmation management unit 206, and an authentication unit 207. All or some of the functions of the VPN server manager 20 may be realized using hardware such as an ASIC, PLD, or FPGA.

The transmission / reception unit 201 is configured using a network interface such as a NIC. The transmission / reception unit 201 transmits / receives data to / from other communication devices via the first network 2.
The management table storage unit 202 is configured using a storage device such as a magnetic hard disk device or a semiconductor storage device, and stores a permanent connection management file for managers. The manager permanent connection management file describes a manager permanent connection management table. FIG. 14 is a diagram illustrating a specific example of the manager permanent connection management table. The manager permanent connection management table stores the IP address, host name, and load status for each VPN server 25 connected to the VPN server manager 20. The content of the load situation is the same as the load situation of the first embodiment.

  The permanent connection management unit 203 manages a permanent connection established for the own device (VPN server manager 20). When a permanent connection is newly established from the VPN server 25 to the own device, the permanent connection management unit 203 stores information related to the VPN server 25 located on the opposite side of the new permanent connection with the management table storage unit 202. Is newly registered in the permanent connection management table for managers. Further, when the permanent connection management unit 203 receives the survival confirmation message from the VPN server 25, the permanent connection management unit 203 uses the load status information included in the survival confirmation message to store the manager permanent connection management table in the management table storage unit 202. Update the load status information. In addition, the permanent connection management unit 203 transmits a survival confirmation response message to the VPN server 25 that is the transmission source of the survival confirmation message.

  The connection connection unit 204 selects the VPN server 25 as a connection destination of the VPN connection according to the contents of the manager permanent connection management table stored in the management table storage unit 202. Specifically, the connection connection unit 204 selects the VPN server 25 with the lowest load. Then, the connection connection unit 204 performs processing for establishing a VPN connection between the selected VPN server 25 and the VPN client (communication terminal 41).

The permanent connection establishment unit 205 stores the IP address of the relay server 12 in advance, and establishes a permanent connection with the relay server 12.
The survival confirmation management unit 206 generates a survival confirmation message at a predetermined timing and transmits it to the relay server 12. The survival confirmation message includes a message requesting the relay server 12 to return a survival confirmation response message. In addition, the survival confirmation management unit 206 receives a survival confirmation response message for the survival confirmation message from the relay server 12.

  The authentication unit 207 performs the same processing as the authentication server 22 in the first embodiment. Specifically, the authentication unit 207 receives an authentication request message from the VPN client, performs authentication processing, and outputs an authentication result.

  FIG. 15 is a schematic block diagram showing the system configuration of the VPN server 25. The VPN server 25 includes a CPU, a memory, an auxiliary storage device, and the like connected by a bus. By executing a VPN server program, the transmission / reception unit 251, the permanent connection establishment unit 252, the survival confirmation management unit 253, and the individual connection establishment The unit 254 and the VPN control unit 255 function as an apparatus. Note that all or some of the functions of the VPN server 25 may be realized using hardware such as an ASIC, PLD, or FPGA.

The transmission / reception unit 251 is configured using a network interface such as a NIC. The transmission / reception unit 251 transmits / receives data to / from other communication devices via the first network 2.
The permanent connection establishing unit 252 stores the IP address of the VPN server manager 20 in advance, and establishes a permanent connection with the VPN server manager 20.

  The survival confirmation management unit 253 generates a survival confirmation message at a predetermined timing and transmits it to the VPN server manager 20. The existence confirmation message includes a message requesting the VPN server manager 20 to return an existence confirmation response message, and a message indicating the load status of the own apparatus (VPN server 25). In addition, the survival confirmation management unit 253 receives a survival confirmation response message for the survival confirmation message from the VPN server manager 20.

  The individual connection establishment unit 254 establishes a TCP connection with the relay server 12 when receiving the connection request message from the VPN client (communication terminal 41). The TCP connection established by the individual connection establishment unit 254 is a connection used as a part of the VPN connection with the communication terminal 41 that is the transmission source of the connection request message.

  The VPN control unit 255 performs processing as a so-called conventional VPN server. Specifically, the VPN control unit 255 provides a VPN service to the VPN client through a VPN connection established with the VPN client (communication terminal 41).

  FIG. 16 is a diagram illustrating the outline of each of the communication performed between the relay server 12 and the VPN server manager 20 and the communication performed between the VPN server manager 20 and the VPN server 25.

  The permanent connection establishment unit 203 of the VPN server manager 20 establishes a permanent connection to a predetermined port by TCP connection to the relay server 12. The predetermined port is a port set in advance, for example, port 443. The permanent connection may be established, for example, immediately after the VPN server manager 20 is turned on and started, or may be established when an establishment instruction is input by the administrator, or may be performed at another timing. It may be broken. Through this permanent connection, the survival confirmation management unit 206 of the VPN server manager 20 transmits a survival confirmation message to the relay server 12. In addition, when the permanent connection management unit 124 of the relay server 12 receives the survival confirmation message from the VPN server manager 20, it transmits a survival confirmation response message to the VPN server manager 20 through the permanent connection.

  The permanent connection establishment unit 252 of the VPN server 25 establishes a permanent connection to a predetermined port by TCP connection to the VPN server manager 20. The predetermined port is a port set in advance, for example, 443 port. The establishment of the permanent connection may be performed immediately after the VPN server 25 is turned on and started, or may be performed when an establishment instruction is input by the administrator, or at another timing. May be. Through this permanent connection, the survival confirmation management unit 253 of the VPN server 25 transmits a survival confirmation message to the VPN server manager 20. In addition, when the permanent connection management unit 203 of the VPN server manager 20 receives the survival confirmation message from the VPN server 25, it transmits a survival confirmation response message to the VPN server 25 through the permanent connection.

  FIG. 17 is a sequence diagram illustrating a processing flow of the VPN system according to the second embodiment. First, the VPN server manager 20 waits for a connection from the VPN servers 25-1 to 25-3 at a predetermined port (port 443). The permanent connection establishment unit 212 of each of the VPN servers 25-1 to 25-3 stores the IP address of the VPN server manager 20 in advance. The permanent connection establishment unit 252 of each VPN server 25-1 to 25-3 establishes a permanent connection 25-20 to the VPN server manager 20 (steps S201-1 to S201-3). When the permanent connection management unit 204 of the VPN server manager 20 receives the connection of the permanent connection 25-20 from each of the VPN servers 25-1 to 25-3, the IP address of the VPN server 25-1 to 25-3 as the connection source And the host name are registered in the permanent connection management table.

  The relay server 12 waits for a connection from the VPN server manager 20 at a predetermined port (port 443). The permanent connection establishment unit 205 of the VPN server manager 20 stores the IP address of the relay server 12 in advance. The permanent connection establishment unit 205 of the VPN server manager 20 establishes the permanent connection 20-12 to the relay server 12 when the permanent connection 25-20 is established from one or more VPN servers 25-1 to 25-3. (Step S201-2). When the permanent connection management unit 124 of the relay server 12 receives the connection of the permanent connection 20-12 from the VPN server manager 20, the permanent connection management unit 124 registers the IP address and host name of the connection source VPN server manager 20 in the permanent connection management table. Note that the permanent connection establishment unit 124 of the relay server 12 may be configured to authenticate the VPN server manager 20 when establishing the permanent connection.

  Next, the survival confirmation management unit 253 of each of the VPN servers 25-1 to 25-3 transmits a survival confirmation message to the VPN server manager 20 at a predetermined timing in order to confirm whether communication is possible (step S203). -1 to S203-3). At this time, each survival confirmation management unit 253 transmits a survival confirmation message through the permanent connection 25-20. When the permanent connection management unit 203 of the VPN server manager 20 receives the survival confirmation message, it transmits a survival confirmation response message to the source VPN servers 25-1 to 25-3 (steps S204-1 to S204-3). . At this time, the permanent connection management unit 203 transmits a survival confirmation response message through the permanent connection 25-20. In addition, the permanent connection management unit 203 updates the permanent connection management table using the load status information included in the received survival confirmation message.

  The survival confirmation management unit 253 of each of the VPN servers 25-1 to 25-3 sends a survival confirmation response message from the VPN server manager 20 within a predetermined time when the transmission of the survival confirmation message fails continuously or when the transmission is successful. If the connection cannot be received, an error notification is sent to the permanent connection establishment unit 252. The permanent connection establishing unit 252 reestablishes the permanent connection 25-20 to the VPN server manager 20 when receiving an error notification from the survival confirmation managing unit 253.

  Further, the survival confirmation management unit 206 of the VPN server manager 20 transmits a survival confirmation message to the relay server 12 at a predetermined timing in order to confirm whether communication is possible. At this time, the survival confirmation management unit 206 transmits a survival confirmation message through the permanent connection 20-12. When the permanent connection management unit 124 of the relay server 12 receives the survival confirmation message, it transmits a survival confirmation response message to the source VPN server manager 20. At this time, the permanent connection management unit 124 transmits a survival confirmation response message through the permanent connection 20-12.

  The survival confirmation management unit 206 of the VPN server manager 20 has failed to transmit the survival confirmation message continuously, or when transmission has succeeded but the survival confirmation response message has not been received from the relay server 12 within a predetermined time. Sends an error notification to the permanent connection establishment unit 205. The permanent connection establishing unit 205 reestablishes the permanent connection 20-12 to the relay server 12 when receiving an error notification from the survival confirmation managing unit 206.

  Next, processing for establishing a VPN connection by the communication terminal 41 serving as a VPN client will be described. First, the first connection establishment unit 412 of the communication terminal 41 establishes a first TCP connection with the relay server 12. Then, the first connection establishment unit creates a connection request message and transmits it to the relay server 12 through the first TCP connection (step S205). At this time, the information included in the connection request message may be identification information (for example, a group name) of the VPN group that is the connection destination, as in the first embodiment, or the VPN server manager 20 that is the connection destination. It may be an IP address or a host name. If the communication terminal 41 succeeds in transmitting the connection request message, the communication terminal 41 disconnects the first TCP connection. Further, the second connection establishment unit 413 of the communication terminal 41 establishes a second TCP connection to the relay server 12 after the process of step S205 or in parallel (step S207).

  When receiving the connection request message, the connection connection unit 125 of the relay server 12 refers to the setting file, the permanent connection management table, etc., and searches for the IP address of the VPN server manager 20 corresponding to the connection destination of the connection request message. Then, it is searched whether or not the IP address included in the connection request message is registered in the permanent connection management table. If not registered, the connection connection unit 125 notifies the communication terminal 41 that is the transmission source of the connection request message of an error. On the other hand, if registered, the connection connection unit 125 transfers the connection request message to the VPN server manager 20 through the permanent connection 20-12 (step S206).

  When the connection connection unit 204 of the VPN server manager 20 receives the connection request message through the permanent connection 20-12, the connection connection unit 204 refers to the permanent connection management table of the management table storage unit 202. Then, the connection connection unit 204 selects the VPN server 25 having the lowest load from the VPN servers 25 registered in the permanent connection management table. The connection connection unit 204 transfers a connection request message to the selected VPN server 25 (25-1) through the permanent connection 25-20 (step S208).

  When receiving the connection request message from the VPN server manager 20, the individual connection establishment unit 254 of the VPN server 25-1 acquires information necessary for establishing a VPN connection to the communication terminal 41 from the received connection request message. . Then, the individual connection establishment unit 254 establishes an individual connection with the relay server 12 by transmitting a connection request message to the relay server 12 (step S209).

  The connection connection unit 125 of the relay server 12 refers to the information included in the connection request message received from the communication terminal 41 and the connection request message received from the VPN server 25-1, respectively. Connect individual connections. By this processing, the connection connection unit 125 establishes a communication path (VPN connection) between the communication terminal 41 and the VPN server 25-1. When the establishment of the VPN connection is completed, the connection connection unit 125 transmits a connection completion message to the communication terminal 41 through the second TCP connection (step S210).

  When receiving the connection completion message from the relay server 12, the VPN control unit 415 of the communication terminal 41 instructs the authentication request unit 414 to start the authentication process. In response to an instruction from the VPN control unit 415, the authentication request unit 414 creates an authentication request message and transmits it to the relay server 12 (step S211).

  When receiving the authentication request message from the communication terminal 41, the connection connection unit 125 of the relay server 12 transmits the authentication request message to the VPN server manager 20 (step S212).

  Upon receiving the authentication request message, the authentication unit 207 of the VPN server manager 20 performs an authentication process based on the user name and password included in the authentication request message. Then, the authentication unit 207 creates an authentication result notification message representing the authentication result, and transmits it to the relay server 12 (step S213). The relay server 12 transfers the authentication result notification message to the VPN server 25-1 (step S214). The VPN control unit 255 of the VPN server 25-1 determines whether or not access from the communication terminal 41 is permitted based on the content of the authentication result represented by the received authentication result notification message. Specifically, when the content of the authentication result indicates that the user of the communication terminal 41 is a valid user, the VPN control unit 255 establishes a VPN connection with the communication terminal 41. At this time, the VPN control unit 255 establishes the VPN connection using the second TCP connection and the individual connection already connected by the relay server 12. Then, the VPN control unit 255 of the VPN server 25-1 relays communication between the communication terminal 41 and the business server 23 in the first network 2 (step S215). On the other hand, when the content of the authentication result indicates that the user of the communication terminal 41 is not a valid user, the VPN control unit 255 does not establish the VPN connection, and the business in the communication terminal 41 and the first network 2 is not established. Communication with the server 23 is not relayed.

  In the VPN system of the first embodiment, when load distribution of VPN servers is performed at a plurality of bases (each first network), the amount of communication to the relay server for performing load distribution increases. In addition, the CPU usage rate of the relay server increases. Therefore, there is a possibility that the bandwidth that can be used for VPN communication is reduced. On the other hand, in the VPN system of the second embodiment, a VPN server manager 20 that collectively manages a plurality of VPN servers 25 is installed in each first network, and the VPN server 25 and the VPN server manager 20 store load information. Communicate. With such a process, it is possible to prevent the load from being increased in a specific VPN server 25 by performing the load distribution process of the VPN server 25. Furthermore, it is possible to prevent the processing from being concentrated on the relay server 12.

  In the second embodiment, it is necessary to newly introduce the VPN server manager 20. However, by implementing an authentication function in the VPN server manager 20, no authentication server is required. Therefore, power consumption, management man-hours, etc. are almost the same as in the first embodiment.

  The VPN system of the first embodiment or the second embodiment described above can be applied when a large amount of VPN such as a data center needs to be processed at high speed. Similarly, it can be applied to the cloud computing field that handles a large number of servers such as a data center.

  The embodiment of the present invention has been described in detail with reference to the drawings. However, the specific configuration is not limited to this embodiment, and includes designs and the like that do not depart from the gist of the present invention.

DESCRIPTION OF SYMBOLS 11, 12 ... Relay server (2nd computer), 20 ... VPN server manager (management apparatus, 3rd computer), 21 (21-1 to 21-3), 25 (25-1 to 25-3) ... VPN server (First computer), 22 ... authentication server, 23 ... business server, 41 ... communication terminal, 111, 121 ... transmission / reception unit, 112, 122 ... setting file storage unit, 113, 123 ... management table storage unit (storage unit), 114, 124 ... Permanent connection management unit (update unit), 115, 125 ... Connection connection unit (connection unit), 201 Transmission / reception unit, 202 ... Management table storage unit (storage unit), 203 ... Permanent connection management unit (update unit) , 204 ... Connection connection unit (selection unit), 205 ... Permanent connection establishment unit, 206 ... Survival confirmation management unit, 20 7: Authentication unit, 211, 251 ... Transmission / reception unit, 212, 252 ... Permanent connection establishment unit (first communication path establishment unit), 213, 253 ... Survival confirmation management unit (notification unit), 214, 254 ... Individual connection establishment unit (Second communication path establishment unit), 215, 255 ... VPN control unit, 411 ... transmission / reception unit, 412 ... first connection establishment unit, 413 ... second connection establishment unit, 414 ... authentication request unit, 415 ... VPN control unit

Claims (10)

A virtual private network system comprising: a plurality of virtual private network servers; and a relay server that establishes a communication path between the virtual private network server and the virtual private network client in response to a connection request from the virtual private network client Because
The virtual private network server is
A notification unit for acquiring the load status of the own device and notifying the relay server of the load status;
With
The relay server is
A storage unit for storing the load status for each virtual private network server;
Upon receiving the notification of the load status, an update unit that updates the load status stored in the storage unit;
Upon receiving a connection request from the virtual private network client, the virtual private network server is selected according to a predetermined criterion indicating that the load is small according to the load status stored in the storage unit, and the selected virtual A connection for establishing a communication path between a private network server and the virtual private network client;
A virtual private network system comprising: The virtual private network server is
A first communication path establishment unit that establishes a first communication path between the own device and the relay server;
When a connection request is received from the relay server using the first communication path, a second communication path establishment unit that establishes a second communication path between the own apparatus and the relay server;
Further comprising
The notification unit notifies the relay server of the load status using the first communication path,
When the connection unit of the relay server receives a connection request from the virtual private network client, the connection unit transmits the connection request to the selected virtual private network server using the first communication path, and the virtual private network server Establishing the communication path using the second communication path between and
The virtual private network system according to claim 1. The notification unit further transmits a survival confirmation message to the relay server,
The first communication path establishment unit establishes the first communication path when the notification unit cannot transmit the survival confirmation message to the relay server or when it cannot receive a response to the survival confirmation message from the relay server. Rework,
The virtual private network system according to claim 1, wherein the virtual private network system is a virtual private network system. A plurality of virtual private network servers, a management device that manages the plurality of virtual private network servers, and between the virtual private network server and the virtual private network client in response to a connection request from a virtual private network client A virtual private network system comprising a relay server for establishing a communication path,
The virtual private network server is
A notification unit for acquiring a load status of the own device and notifying the management device of the load status;
With
The management device
A storage unit for storing the load status for each virtual private network server;
Upon receiving the notification of the load status, an update unit that updates the load status stored in the storage unit;
When receiving a connection request from the relay server, a selection unit that selects the virtual private network server according to a predetermined criterion indicating that the load is small according to a load situation stored in the storage unit;
With
The relay server is
A connection that, upon receiving a connection request from the virtual private network client, transfers the connection request to the management apparatus and establishes a communication path between the virtual private network server selected by the management apparatus and the virtual private network client And
A virtual private network system comprising: The virtual private network server is
A first communication path establishment unit for establishing a first communication path between the own apparatus and the management apparatus;
When receiving a connection request from the management apparatus using the first communication path, a second communication path establishment unit that establishes a second communication path between the own apparatus and the relay server;
Further comprising
The notification unit uses the first communication path to notify the load status to the management device,
The selection unit of the management device, upon receiving a connection request from the virtual private network client, transmits the connection request to the virtual private network server using the first communication path,
The connection unit establishes the communication path using the second communication path with the selected virtual private network server;
The virtual private network system according to claim 4. The notification unit further transmits a survival confirmation message to the management device,
The first communication path establishment unit establishes the first communication path when the notification unit cannot transmit the survival confirmation message to the management apparatus or when it cannot receive a response to the survival confirmation message from the management apparatus. Rework,
The virtual private network system according to claim 4 or 5, characterized in that A virtual private network system comprising: a plurality of virtual private network servers; and a relay server that establishes a communication path between the virtual private network server and the virtual private network client in response to a connection request from the virtual private network client Is a communication method performed by
The virtual private network server obtains the load status of its own device and notifies the relay server of the load status;
When the relay server including a storage device that stores the load status for each virtual private network server receives the notification of the load status, an update step of updating the load status stored in the storage device;
When the relay server receives a connection request from the virtual private network client, the relay server selects the virtual private network server according to a predetermined criterion indicating that the load is small according to the load status stored in the storage device, A connection step for establishing a communication path between the selected virtual private network server and the virtual private network client;
A communication method comprising: A plurality of virtual private network servers, a management device that manages the plurality of virtual private network servers, and between the virtual private network server and the virtual private network client in response to a connection request from a virtual private network client A communication method performed by a virtual private network system comprising a relay server for establishing a communication path,
The virtual private network server obtains the load status of its own device and notifies the management device of the load status;
When the management device including a storage device that stores the load status for each virtual private network server receives the notification of the load status, an update step of updating the load status stored in the storage device;
When the management device receives a connection request from the relay server, a selection step of selecting the virtual private network server according to a predetermined criterion indicating that the load is small according to a load situation stored in the storage device; ,
When the relay server receives a connection request from the virtual private network client, the connection request is transferred to the management device, and communication between the virtual private network server selected by the management device and the virtual private network client is performed. A connection step for establishing a path;
A communication method comprising: In a virtual private network system comprising a plurality of first computers and a second computer that establishes a communication path between the first computer and the virtual private network client in response to a connection request from the virtual private network client ,
For the first computer,
A notification step of acquiring a load status of the own device and notifying the second computer of the load status;
And execute
For the second computer comprising a storage device for storing the load status for each first computer,
When receiving the notification of the load status, an update step of updating the load status stored in the storage device;
When a connection request is received from the virtual private network client, the first computer is selected according to a predetermined criterion indicating that the load is small according to the load status stored in the storage device, and the selected first Establishing a communication path between a computer and the virtual private network client;
A computer program for running. A plurality of first computers, a third computer managing the plurality of first computers, and a communication path between the first computer and the virtual private network client in response to a connection request from the virtual private network client A virtual private network system comprising a second computer for establishing
For the first computer,
A notification step of acquiring the load status of the device itself and notifying the management device of the load status;
And execute
For the third computer comprising a storage device for storing the load status for each first computer,
When receiving the notification of the load status, an update step of updating the load status stored in the storage device;
Upon receiving a connection request from the second computer, a selection step of selecting the first computer according to a predetermined criterion indicating that the load is small according to the load status stored in the storage device;
And execute
For the second computer,
When a connection request is received from the virtual private network client, the connection request is transferred to the third computer, and a communication path is established between the first computer selected by the third computer and the virtual private network client. A connection step;
A computer program for running.

Images