JP2011182070A - System and method for virtual communication route connection - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To quickly process respective connection requests even when a large amount of the VPN (Virtual Private Network) connection requests are received. <P>SOLUTION: When SIP (Session Initiation Protocol) connection requests including terminal side connection information showing information used for connection of virtual communication routes are received from a plurality of terminals, a load distribution device distributes the terminal side connection information included in the SIP connection requests to either one of the plurality of the virtual communication route connection devices following a predetermined condition. When the terminal side connection information is received from the load distribution device, the plurality of the virtual communication route connection devices discriminate whether the connection of the virtual communication route is permitted or not. When the connection of the virtual communication route is discriminated to be permitted, the plurality of the virtual communication route connection devices transmit own device side connection information showing information used for connection of the virtual communication route by the own device, to the terminal of the SIP connection request source. Afterward, the plurality of the virtual communication route connection devices establish a virtual communication route between the terminal of the SIP connection request source and the own device using the terminal side connection information and the own device side connection information. <P>COPYRIGHT: (C)2011,JPO&INPIT

Description

  The present invention relates to a virtual channel connection system and a virtual channel connection method.

  2. Description of the Related Art Conventionally, high-speed networks and network-compatible information home appliances have become widespread, and individuals exchange data using secure communication. For example, a secure communication path is established by connecting a VPN (Virtual Private Network) between home LANs (Local Area Networks). Data is exchanged over the established VPN connection.

  However, a general VPN connection requires specialized knowledge such as installing and setting dedicated software on a computer or the like. Therefore, it is difficult for a general user who does not have high IT literacy to establish a VPN connection to a home LAN or his / her personal computer.

  For this reason, even for a general user who does not have high IT literacy, as a method for easily establishing a VPN connection, for example, a SIP (Session Initiation Protocol) used in an Internet telephone or the like applying VoIP (Voice over Internet Protocol) A method of connecting a VPN at a telephone interval is disclosed.

  Specifically, the user A inputs the telephone number of the user B's home that is the VPN connection destination to a SIP phone or the like that is a telephone that can use SIP, and transmits the call. Then, when the SIP phone of user B, which is the other party, responds, the SIP phone of user home A connects the SIP communication between the SIP fonts of user home B that has responded, and establishes a VPN connection. As a result, the home LAN of user home A and the home LAN of user home B are VPN-connected. In this way, the user can easily establish a VPN connection by simply operating the familiar telephone.

  For example, an in-house system in which a company employee connects to a server in the company from the outside will be described as an example. The in-house system has a VPN server device under the control of a plurality of data centers, and an employee terminal in which a SIP phone function and VPN software are installed in advance and used by employees outside the company. The VPN server device stores a telephone number that permits VPN connection.

  In such a state, the employee inputs the telephone number of the VPN server device to be connected to the employee terminal, and transmits to the VPN server device. Upon receiving this, the VPN server device determines whether or not the telephone number of the employee terminal that is the caller is a telephone number for which VPN connection is permitted. When the VPN server device permits the connection, the VPN server device transmits VPN connection information necessary for VPN connection to the source employee terminal, and between the source employee terminal and the connection request destination data center. Establish a VPN connection to

JP 2006-274301 A

  However, the conventional technique has a problem that when a large number of VPN connection requests are received, each connection request cannot be processed.

  For example, when the VPN server apparatus receives VPN connection requests from a large number of client terminals in a short time, the VPN server apparatus performs “authentication processing using a telephone number”, “VPN connection information transmission processing”, “VPN” for each request. It is necessary to execute processing such as “connection establishment processing”. For this reason, the processing load of the VPN server device increases, and the above processing cannot be performed or is delayed. As a result, a terminal that does not receive a VPN connection request, a terminal that receives a request but does not establish a VPN connection, and the like are generated.

  The present invention has been made in view of the above, and even when a large number of VPN connection requests are received, a virtual communication path connection system and a virtual communication path connection capable of quickly processing each connection request It aims to provide a method.

  In order to solve the above-described problems and achieve the object, the present invention includes a load distribution device and a plurality of virtual communication path connection devices, and distributes the load between the plurality of terminals and the plurality of virtual communication path connection devices. A virtual communication path connection system for establishing a virtual communication path via a device, wherein the load distribution apparatus includes a SIP connection request including terminal side connection information indicating information used by the plurality of terminals for connection of a virtual communication path A connection distribution unit that distributes terminal-side connection information included in the SIP connection request to any one of the plurality of virtual communication path connection devices according to a predetermined condition when the plurality of terminals are received from the plurality of terminals. Each of the virtual communication path connection devices, when receiving terminal-side connection information from the load balancing device, determines whether to permit connection of the virtual communication path, and performs virtual communication by the connection determination unit. Road When it is determined that the connection is permitted, the local device side connection information indicating the information used by the local device to connect to the virtual communication path is transmitted to the SIP connection request source terminal, and the local connection response unit Communication path establishment that establishes a virtual communication path between the SIP connection request source terminal and the local apparatus using the terminal side connection information and the local apparatus side connection information when the apparatus side connection information is transmitted Part.

  The virtual channel connection system and the virtual channel connection method according to the present invention have an effect that each connection request can be quickly processed even when a large number of VPN connection requests are received.

FIG. 1 is a diagram illustrating an overall configuration of a VPN connection system according to the first embodiment. FIG. 2 is a block diagram illustrating the configuration of the load distribution apparatus according to the first embodiment. FIG. 3 is a diagram illustrating an example of information stored in the VPN-GW information DB. FIG. 4 is a diagram illustrating an example of information stored in the priority connection destination DB. FIG. 5 is a diagram illustrating an example of information stored in the connection status DB. FIG. 6 is a block diagram illustrating the configuration of the VPN-GW apparatus according to the first embodiment. FIG. 7 is a diagram illustrating an example of information stored in the resource DB. FIG. 8 is a diagram illustrating an example of information stored in the connection status DB. FIG. 9 is a sequence diagram illustrating the flow of processing by the VPN connection system according to the first embodiment. FIG. 10 is a flowchart illustrating the flow of the VPN connection process in the load balancer according to the first embodiment. FIG. 11 is a flowchart illustrating the flow of the VPN disconnection process in the load balancer according to the first embodiment. FIG. 12 is a flowchart illustrating a process flow in the VPN-GW apparatus according to the first embodiment. FIG. 13 is a sequence diagram showing the flow of processing when switching VPN connections.

  Embodiments of a virtual channel connection system and a virtual channel connection method according to the present invention will be described below in detail with reference to the drawings. Although a case where a VPN (Virtual Private Network) is connected as a virtual communication path will be described here, the present invention is not limited to this embodiment.

[overall structure]
FIG. 1 is a diagram illustrating an overall configuration of a VPN connection system according to the first embodiment. As shown in FIG. 1, this VPN connection system is communicably connected to a plurality of client apparatuses via a SIP (Session Initiation Protocol) network.

  The client device is a general computer device having a SIP phone function that enables telephone connection by SIP, a browser function that enables Web access by a Web browser, a document creation function such as document creation and spreadsheet, and the like.

  The VPN connection system includes a load distribution device and a plurality of VPN-GW devices, and is connected to an in-company network configured by a VLAN (Virtual Local Area Network). The load balancer is a load balancer that balances access from client devices. The VPN-GW device is a device that establishes a VPN connection with a client device and controls connection between the client device and a server device or other client devices connected to the VLAN.

  In such a state, the load distribution apparatus receives SIP connection requests including client-side VPN connection information indicating information used by the plurality of client apparatuses for VPN connection from the plurality of client apparatuses. Then, the load balancer distributes the client-side VPN connection information included in the SIP connection request to one of the plurality of VPN-GW apparatuses according to a predetermined condition.

  Subsequently, when a plurality of VPN-GW apparatuses receive VPN connection information on the terminal side from the load distribution apparatus, the plurality of VPN-GW apparatuses determine whether to permit VPN connection. When it is determined that the VPN connection is permitted, the VPN-GW apparatus transmits GW-side VPN connection information indicating information used for the VPN connection of the self apparatus to the SIP connection request source client apparatus. Thereafter, when the GW side VPN connection information is transmitted, the VPN-GW apparatus uses the client side VPN connection information and the own GW side VPN connection information to establish a connection between the client apparatus of the SIP connection request source and the own apparatus. Establish a VPN.

  Next, the process in the VPN connection system described above will be described with a specific example. When a client device receives a predetermined operation such as a dial number indicating an operation for requesting a VPN connection or a command from a user, the client device load balances the SIP connection request to which the IP address and port number used by the client device are added. Send to device. When receiving a SIP connection request from the client device, the load balancer determines the load status of each VPN-GW device, the current number of connected devices, etc., and the VPN-GW device with the least load, that is, the processing performance at the present time A VPN-GW device that can fully exhibit the above is specified. Subsequently, the load balancer transmits the IP address and port number used by the client device included in the SIP connection request received from the client device to the specified VPN-GW device.

  The VPN-GW apparatus that has received the IP address and port number used by the client apparatus determines the resource status of the own apparatus and determines whether to permit VPN connection. The VPN-GW device that has determined that the VPN connection is permitted transmits the IP address and port number used by the device to the client device that is the SIP connection request source. Thereafter, the VPN-GW apparatus performs IKE (Internet Key Exchange) negotiation and the like with the client apparatus to exchange a common key necessary for VPN. The VPN-GW apparatus establishes a VPN connection using the IP address and port number of the client apparatus, and performs packet communication using IPsec (Security Architecture for Internet Protocol) using a common key.

  As described above, in the VPN connection system according to the first embodiment, the VPN connection performed by the VPN-GW apparatus can be load-balanced. As a result, even when a large number of VPN connection requests are received, it is possible to process each connection request quickly.

[Configuration of load balancer]
Next, the configuration of the load distribution apparatus shown in FIG. 1 will be described with reference to FIGS. FIG. 2 is a block diagram illustrating a configuration of the load distribution apparatus according to the first embodiment, FIG. 3 is a diagram illustrating an example of information stored in the VPN-GW information DB, and FIG. 4 is a priority connection destination. FIG. 5 is a diagram illustrating an example of information stored in the DB, and FIG. 5 is a diagram illustrating an example of information stored in the connection status DB. Note that the information including various data and parameters stored in FIGS. 3 to 5 can be arbitrarily changed unless otherwise specified.

  As illustrated in FIG. 2, the load distribution apparatus 10 includes an external I / F unit 11, an internal I / F unit 12, a storage unit 13, and a control unit 14. The external I / F unit 11 is an interface having at least one port, and controls communication with a client device connected via the SIP network. For example, the external I / F unit 11 receives a SIP connection request such as INVITE from the client device, or transmits a SIP response such as 200 OK to the client device.

  The internal I / F unit 12 is an interface having at least one port, and controls communication with a plurality of VPN-GW apparatuses 20 connected via an Ethernet (registered trademark) network or the like. For example, the internal I / F unit 12 transmits client-side VPN connection information indicating the IP address and port number of the client device to the plurality of VPN-GW devices 20. The internal I / F unit 12 transmits GW-side VPN connection information indicating the IP address and port number of the VPN-GW apparatus 20 to the client apparatus.

  The storage unit 13 is a storage device such as a semiconductor memory element, a hard disk, or an optical disk that stores data and programs necessary for various processes by the control unit 14, and includes a VPN-GW information DB 13a, a priority connection destination DB 13b, and a connection status DB 13c. And have. Each of the VPN-GW information DB 13a, the priority connection destination DB 13b, and the connection status DB 13c is also a storage device such as a semiconductor memory element, a hard disk, or an optical disk.

  The VPN-GW information DB 13a stores information on each of a plurality of VPN-GW devices connected to the internal I / F unit 12. For example, as shown in FIG. 3, the VPN-GW information DB 13a includes “1, IP1, 2, high, 1” as “GW-ID, IP address, maximum number of connections, GW quality, current number of connections, update time”. , 9:23:15 ”,“ 2, IP2, 5, medium, 3, 9:31:16 ”,“ 3, IP3, 5, low, 0, − ”, and the like.

  The “GW-ID” stored here is an identifier for identifying the VPN-GW apparatus. The “IP address” is an IP address assigned to the VPN-GW apparatus, and the VPN-GW apparatus performs various communications using this address. The “maximum number of connections” is the number of VPN connections to which the VPN-GW apparatus can be connected, and the VPN-GW apparatus performs VPN connection within the range of the maximum number of connections. “GW quality” is the quality of VPN provided by the VPN-GW apparatus, and three levels of high, medium, and low are exemplified here, but the present invention is not limited to this. The “current number of connections” is the number of VPNs that are currently probable for the VPN-GW apparatus, and the “update time” is the time when the VPN connection is established. Information stored in the VPN-GW information DB 13a may be periodically updated by, for example, the maximum number of connections, IP address, VPN quality, etc. by an administrator, etc. Updated at any time by the unit 14d and the like.

  The above "1, IP1, 2, high, 1, 9:23:15" will be described. In this example, the VPN-GW device having “GW-ID” “1” is assigned “IP1” as the IP address, enabling “high” quality VPN connection, and the maximum number of VPN connections. Is “2”. The VPN-GW apparatus with “GW-ID = 1” has established one VPN connection at the present time, indicating that a VPN connection has been established at “9:23:15”.

  In the case of “2, IP2, 5, medium, 3, 9:31:16”, “IP2” is assigned as the IP address to the VPN-GW device having “GW-ID” “2”. The “medium” quality VPN connection is possible, and the maximum number of VPN connections is “5”. This VPN-GW apparatus with “GW-ID = 2” has established three VPN connections at this time, indicating that a VPN connection has been established at “9:31:16”.

  In the case of “3, IP3, 5, low, 0, −”, a VPN-GW device having “GW-ID” “3” is assigned “IP3” as an IP address. A “low” quality VPN connection is possible, and the maximum number of VPN connections is “5”. This indicates that the VPN-GW device with “GW-ID = 3” has not established a VPN connection at this time.

  The priority connection destination DB 13b stores the VPN connection contract determined by the prior contract for each client device. For example, as shown in FIG. 4, the priority connection destination DB 13b has “1111, 1, −, high,” as “telephone number, connection destination 1 (GW-ID), connection destination 2 (GW-ID), contract VPN quality”. "," 2222,-,-, medium "," 3333, 2, 3, medium ", etc. are stored.

  The “telephone number” stored here is a telephone number of a user indicated in a SIP-URI (SIP-Uniform Resource Identifier) or the like for which a VPN connection contract has been concluded in advance offline or online. “Connection 1” is the GW-ID of the VPN-GW apparatus contracted as the highest priority connection destination, and “Connection 2” was contracted as the connection destination with the second highest priority after the connection destination 1. This is the GW-ID of the VPN-GW apparatus. “Contract VPN quality” is the quality of the VPN contracted for use by the user when a VPN connection contract is concluded.

  The “1111, 1,-, high” will be described. In this example, the user of the telephone number “1111” confirms that the contract with the VPN connection destination of the VPN-GW device with the “contract VPN quality” “high” and the GW-ID = “1” is concluded. Show. In the case of “2222, −, −, medium”, the user with the telephone number “2222” has no contract with the VPN-GW apparatus to be preferentially connected, and the contract with “contract VPN quality” is “medium”. Indicates that has been concluded. In the case of “3333, 2, 3, low”, the user of the telephone number “3333” has “medium” as the “contract VPN quality” and the VPN-GW device with the GW-ID = “2” has the highest priority. The VPN connection destination and the VPN-GW apparatus with GW-ID = "3" indicate that a contract has been concluded that the VPN connection destination has the next highest priority.

  The connection status DB 13c stores the current connection status for each of the plurality of VPN-GW devices connected to the internal I / F unit 12. For example, as shown in FIG. 5, the connection status DB 13c stores “111, IP111, 1” and the like as “telephone number, IP address, connection destination (GW-ID)”. The “telephone number” stored here is the telephone number used by the user currently connected via VPN, and the “IP address” is the IP address used by the user currently connected via VPN. It is. The “connection destination” is information indicating a VPN-GW apparatus that is VPN-connected to the user terminal registered in “telephone number” or “IP address”. For example, when the connection status DB 13c stores “111, IP111, 1”, a user terminal that uses the telephone number “111” and the IP address “IP111”, and a VPN-GW device with “GW-ID = 1” Are currently connected by VPN.

  The control unit 14 is an integrated circuit or a CPU (Central Process Unit) or MPU (Micro Process) having an internal memory for storing a control program such as an OS (Operating System), a program defining various processing procedures, and necessary data. Unit). The control unit 14 includes a request reception unit 14a, a request determination unit 14b, a request distribution unit 14c, and a response transfer unit 14d, and executes various processes.

  The request receiving unit 14a receives SIP connection requests including client-side VPN connection information indicating information used by a plurality of client devices for VPN connection from the plurality of client devices. For example, the request receiving unit 14a receives SIP INVITE including “port number, IP address” as client side VPN connection information from the client device. Then, the request reception unit 14a transfers the received SIP INVITE to the request determination unit 14b described later.

  Further, when receiving a VPN disconnection request from the client device, the request receiving unit 14a transmits the VPN disconnection request to the VPN-GW device that is a VPN connection destination. For example, when receiving a SIP BYE as a VPN disconnection request from the client device, the request receiving unit 14a acquires a “telephone number” or “IP address” from the SIP BYE. Subsequently, the request reception unit 14a specifies “GW-ID” associated with the acquired “phone number” or “IP address” from the connection status DB 13c. Then, the request receiving unit 14a specifies the “IP address” of the specified “GW-ID” from the VPN-GW information DB 13a, and transmits a VPN disconnection request to the specified “IP address”. Further, the request receiving unit 14a transfers the acquired “phone number” and “IP address” of the client device together with the VPN disconnection request to a response transfer unit 14d described later.

  The request determination unit 14b determines whether to permit the SIP connection request received by the request reception unit 14a. For example, when receiving a SIP INVITE from the request receiving unit 14a, the request determining unit 14b acquires a telephone number or an IP address from the INVITE. Then, the request determination unit 14b determines whether or not the acquired telephone number or IP address or a combination of the telephone number and the IP address is stored in the priority connection destination DB 13b. That is, the request determination unit 14b determines whether or not the source of the received INVITE is a user under contract.

  Then, when the telephone number or IP address is stored in the priority connection destination DB 13b, in other words, when the source of INVITE is INVITE from a user under contract, the request determination unit 14b The received SIP INVITE is transferred to the dividing unit 14c. On the other hand, when the telephone number or IP address is not stored in the priority connection destination DB 13b, in other words, the request determination unit 14b, when the INVITE source is an INVITE from a user who is not under contract, the INVITE source A connection rejection response such as SIP BYE is transmitted.

  When receiving a SIP connection request from the request determination unit 14b, the request distribution unit 14c distributes the client-side VPN connection information included in the SIP connection request to one of a plurality of VPN-GW apparatuses according to a predetermined condition. Then, the request distribution unit 14c transfers the SIP connection request received from the request determination unit 14b to a response transfer unit 14d described later.

  For example, the request distribution unit 14c acquires a telephone number from the SIP connection request received from the request determination unit 14b, and prioritizes the contract information “connection destination 1, connection destination 2, contract VPN quality” corresponding to the acquired telephone number. Obtained from the connection destination DB 13b. Subsequently, the request distribution unit 14c acquires the current number of connections and the maximum number of connections corresponding to “connection destination 1” acquired from the priority connection destination DB 13b from the VPN-GW information DB 13a, and the current number of connections is the maximum connection. It is determined whether it is less than the number. Then, when the current connection number of “connection destination 1” is smaller than the maximum connection number, the request distribution unit 14c identifies the VPN-GW device stored in “connection destination 1” as the distribution destination. . Thereafter, the request distribution unit 14 c transmits the client-side VPN connection information included in the SIP connection request to the identified VPN-GW device of “connection destination 1”.

  On the other hand, when the current number of connections of “connection destination 1” is larger than the maximum number of connections, the request distribution unit 14c determines that the processing load of “connection destination 1” is large, and “connection destination 2” Processing similar to that of “connection destination 1” is performed. Then, when the current number of connections of “connection destination 2” is smaller than the maximum number of connections, the request distribution unit 14c identifies the VPN-GW device stored in “connection destination 2” as the distribution destination. . Thereafter, the request distribution unit 14 c transmits the client-side VPN connection information included in the SIP connection request to the identified “connection destination 2” VPN-GW apparatus.

  Further, when the current connection number of “connection destination 2” is larger than the maximum connection number, the request distribution unit 14c determines that the processing load of “connection destination 2” is large. In this case, the request distribution unit 14c acquires “contract VPN quality” corresponding to the telephone number acquired from the SIP connection request from the priority connection destination DB 13b. For example, when the acquired “contract VPN quality” is “medium”, the request distribution unit 14c sets “GW quality” stored in the VPN-GW information DB 13a to “medium” and “current connection” The “GW-ID” whose “number” is smaller than the “maximum number of connections” is specified as the distribution destination. Then, the request distribution unit 14c transmits the client-side VPN connection information included in the SIP connection request to the VPN-GW apparatus corresponding to the specified “GW-ID”.

  Further, the request distribution unit 14c has a “GW-ID” in which the “GW quality” stored in the VPN-GW information DB 13a is “medium” and the “current number of connections” is smaller than the “maximum number of connections”. If it does not exist, a connection rejection response or a connection hold response is transmitted to the INVITE transmission source client terminal.

  When the response transfer unit 14d receives the GW side VPN connection information from the VPN-GW device to which the client side VPN connection information is distributed by the request distribution unit 14c, the response transfer unit 14d transmits the GW side VPN connection information to the client device that is the INVITE transmission source. Send to.

  For example, the response transfer unit 14d receives “port number, IP address” as the GW side VPN connection information from the VPN-GW apparatus to which the client side VPN connection information is distributed. Subsequently, the response transfer unit 14d specifies the “phone number” and “IP address” of the transmission source client device from the SIP connection request (INVITE) received from the request distribution unit 14c. Then, the response transfer unit 14d sends the GW side VPN connection information “port number, IP address” from the VPN-GW device to the connection permission response (200 OK) to the “phone number” or “IP address” of the specified client device. Add and send.

  Then, the response transfer unit 14d associates the “telephone number” and “IP address” of the client apparatus that transmitted the connection permission response with the “GW-ID” of the VPN-GW apparatus, and stores them in the connection status DB 13c. In addition, the response transfer unit 14d updates the VPN-GW information DB 13a so that the "current number of connections" of "GW-ID" stored in the connection status DB 13c is increased by one with respect to the VPN-GW information DB 13a. .

  In addition, when the response transfer unit 14d receives a connection rejection response from the VPN-GW device to which the client-side VPN connection information is distributed, the response transfer unit 14d specifies the transmission source specified from the SIP connection request (INVITE) received from the request distribution unit 14c. A connection rejection response (SIP BYE) is transmitted to the “phone number” and “IP address” of the client device.

  Further, it is assumed that the response transfer unit 14d receives a disconnection permission response from the VPN-GW apparatus. In this case, the response transfer unit 14d specifies “GW-ID” corresponding to the transmission source IP address of the disconnection permission response from the VPN-GW information DB 13a. Then, the response transfer unit 14d identifies the association between the “telephone number” or “IP address” received together with the VPN disconnection request from the request reception unit 14a and the identified “GW-ID” from the connection status DB 13c. Thereafter, the response transfer unit 14d transmits a disconnection permission response (200 OK) to the identified “phone number” or “IP address”, and identifies the identified “phone number”, “IP address”, “GW-ID”. Is deleted from the connection status DB 13c. Furthermore, the response transfer unit 14d updates the VPN-GW information DB 13a so that the “current number of connections” corresponding to the identified “GW-ID” is decreased by one.

[Configuration of VPN-GW device]
Next, the configuration of the VPN-GW apparatus shown in FIG. 1 will be described with reference to FIGS. Since each of the plurality of VPN-GW apparatuses has the same configuration, only one unit will be described here. FIG. 6 is a block diagram illustrating the configuration of the VPN-GW apparatus according to the first embodiment, FIG. 7 is a diagram illustrating an example of information stored in the resource DB, and FIG. 8 is stored in the connection status DB. It is a figure which shows the example of the information performed. The information including various data and parameters stored in FIGS. 7 and 8 can be arbitrarily changed unless otherwise specified.

  As illustrated in FIG. 6, the VPN-GW apparatus 20 includes a communication I / F unit 21, an internal I / F unit 22, a storage unit 23, and a control unit 24. The communication I / F unit 21 is an interface having at least one port, and controls communication with the load balancer 10 connected via an Ethernet (registered trademark) network or the like. For example, the communication I / F unit 21 receives client side VPN connection information that is a port number or IP address of a client terminal from the load balancer 10, or receives a port number or IP address on the GW side from the load balancer 10. GW side VPN connection information is transmitted.

  The internal I / F unit 22 is an interface having at least one port, and is a device that controls communication with a server device and other client devices connected to the VLAN. For example, the internal I / F unit 22 performs packet communication between the client device connected through the VPN and the server device belonging to the VLAN connected to the VPN-GW device 20 using IPsec or the like using a common key. To do.

  The storage unit 23 is a storage device such as a semiconductor memory element, a hard disk, or an optical disk that stores data and programs necessary for various processes performed by the control unit 24, and includes a resource DB 23a and a connection status DB 23b. Each of the resource DB 23a and the connection status DB 23b is also a storage device such as a semiconductor memory element, a hard disk, or an optical disk.

  The resource DB 23 a stores the resource status of the VPN-GW apparatus 20. For example, as shown in FIG. 7, the resource DB 23 a has “CPU usage rate, network usage rate, memory usage rate, CPU usage rate threshold value, network usage rate threshold value, memory usage rate threshold value” as “30%, 60%, 40”. %, 80%, 70%, 70% ", etc.

  The “CPU usage rate” stored here indicates the usage status of the CPU mounted on the VPN-GW apparatus 20, and the “network usage rate” indicates that the VPN-GW apparatus 20 communicates with other apparatuses. The “memory usage rate” indicates the status of the memory used by the CPU or the like installed in the VPN-GW apparatus 20. The “CPU usage rate threshold” indicates the limit of the processing load of the CPU, and the “network usage rate threshold” indicates the limit of the network bandwidth or the like in which the VPN-GW device 20 communicates with other devices. The “memory usage rate” indicates the usage limit of the memory mounted on the VPN-GW apparatus 20. The information stored here is stored by the resource collection unit 24a described later.

  The connection status DB 23b stores the VPN connection status to which the VPN-GW apparatus 20 is connected. For example, as shown in FIG. 8, the connection status DB 23 b stores “2, 2”, etc. as “the number of connectable units, the current number of connections”. The “number of connectable units” stored here indicates the maximum number that can be connected to the VPN-GW apparatus 20 and is set by an administrator or the like. The “current number of connections” indicates the number of VPNs to which the VPN-GW apparatus 20 is currently connected, and is stored by the VPN establishment unit 24e described later. Further, the “current number of connections” is updated by the VPN disconnection unit 24 f described later when the VPN is disconnected.

  The control unit 24 is an integrated circuit having an internal memory for storing a control program such as an OS, a program that defines various processing procedures, and required data, or an electronic circuit such as a CPU or MPU. The control unit 24 includes a resource collection unit 24a, an information reception unit 24b, a connection determination unit 24c, a connection response unit 24d, a VPN establishment unit 24e, and a VPN disconnection unit 24f, and executes various processes.

  The resource collection unit 24a periodically collects the resource status of the VPN-GW apparatus 20 and stores it in the resource DB 23a. For example, the resource collection unit 24a collects the CPU usage rate, the network usage rate, and the memory usage rate every hour and stores them in the resource DB 23a. The resource collection unit 24a can collect the resources by using a command prepared in advance by an OS or the like installed in the VPN-GW apparatus 20.

  The information receiving unit 24 b receives client-side VPN connection information that is VPN connection information of the client device from the load balancer 10 via the communication I / F unit 21. For example, the information receiving unit 24b receives the “port number, IP address” of the client device as the client-side VPN connection information. Subsequently, the information receiving unit 24b transfers the received client side VPN connection information to the connection determining unit 24c described later. Further, the information receiving unit 24b receives a VPN disconnection request from the load balancer 10 via the communication I / F unit 21, and transfers it to the VPN disconnecting unit 24f described later.

  The connection determination unit 24c determines whether or not to permit VPN connection when the client-side VPN connection information is received from the information reception unit 24b. If the connection determination unit 24c determines that the VPN connection is permitted, the connection determination unit 24c transfers the client-side VPN connection information to the connection response unit 24d described later. On the other hand, if the connection determination unit 24 c determines to reject the VPN connection, the connection determination unit 24 c transmits a connection rejection response to the load distribution apparatus 10.

  For example, the connection determination unit 24c refers to the connection status DB 23b and determines that the connection is permitted when the “current number of connections” is smaller than the “number of connectable units”. The connection determination unit 24c refers to the connection status DB 23b, and determines that the connection is rejected when the “current number of connections” matches the “number of connectable units”.

  Further, the connection determination unit 24c refers to the resource DB 23a and determines that the connection is rejected when any of the “CPU usage rate”, “network usage rate”, and “memory usage rate” exceeds the “threshold value”. . In addition, the number of resources that exceed a threshold that is a basis for determining that the connection determination unit 24c rejects the connection can be arbitrarily set. Further, the connection determination unit 24c may permit the connection when both the connection status and the resource status described above satisfy the conditions.

  When the connection determination unit 24c determines that the VPN connection is permitted, the connection response unit 24d transmits GW side connection information indicating information used for the VPN connection to the SIP connection request source client device. For example, when the connection response unit 24d determines that the VPN connection is permitted by the connection determination unit 24c, the connection response unit 24d acquires the port number and IP address of the own device stored in the storage unit 23 and the like, and the GW side connection information To the client device of the SIP connection request source via the load balancer 10.

  When the GW side connection information is transmitted by the connection response unit 24d, the VPN establishment unit 24e uses the client side VPN connection information and the GW side connection information between the SIP connection request source terminal and the own device. Establish a VPN. For example, when the GW side connection information is transmitted by the connection response unit 24d, the VPN establishment unit 24e acquires the IP address of the destination client device from the load balancer 10 or the like. Then, the VPN establishment unit 24e performs IKE negotiation (IKE authentication) with the acquired IP address of the client device as a destination, and exchanges a common key necessary for VPN.

  Subsequently, the VPN establishment unit 24e establishes a VPN connection using the IP address and port number of the client device acquired by the information reception unit 24b, and performs packet communication using IPsec or the like using a common key. Then, the VPN establishment unit 24e increments the “current number of connections” in the connection status DB 23b.

  The VPN disconnection unit 24f disconnects the VPN when the information reception unit 24b receives the VPN disconnection request and updates the “current number of connections” in the connection status DB 23b. For example, when the VPN disconnection unit 24f receives the “telephone number” or “IP address” of the client terminal that requests VPN disconnection from the load balancer 10, the client corresponding to the “telephone number” or “IP address” A response permitting disconnection of the VPN connected to the device is transmitted to the client device that is the disconnect request source via the load balancer 10. Thereafter, the VPN disconnection unit 24f decrements the “current number of connections” in the connection status DB 23b.

[Process by VPN connection system]
Next, the flow of processing by the VPN connection system according to the first embodiment will be described with reference to FIGS. FIG. 9 is a sequence diagram illustrating a flow of processing by the VPN connection system according to the first embodiment, and FIG. 10 is a flowchart illustrating a flow of VPN connection processing in the load distribution apparatus according to the first embodiment. FIG. 11 is a flowchart illustrating a flow of VPN disconnection processing in the load distribution apparatus according to the first embodiment, and FIG. 12 is a flowchart illustrating a flow of processing in the VPN-GW apparatus according to the first embodiment.

(Sequence Diagram)
First, a sequence showing a processing flow by the VPN connection system according to the first embodiment will be described with reference to FIG. FIG. 9 illustrates an example in which a SIP server is provided between a client device and a load balancer. However, the present invention is not limited to this. For example, the SIP server is realized by the same housing as the load balancer. Etc.

  As illustrated in FIG. 9, the client device 30 transmits a SIP connection request including client-side VPN connection information to the load distribution device 10 to the SIP server 40 (step S <b> 101), and the SIP server 40 receives the SIP connection request. The SIP connection request is transferred to the destination load balancer 10 (step S102).

  When receiving the SIP connection request, the request distribution unit 14c of the load distribution apparatus 10 specifies the VPN-GW apparatus 20 that distributes the client-side VPN connection information included in the SIP connection request according to a predetermined condition (step S103). The client-side VPN connection information is transmitted to the specified VPN-GW apparatus 20 (step S104).

  The connection determination unit 24c of the VPN-GW apparatus 20 determines whether or not to permit VPN connection when the client-side VPN connection information is received from the information reception unit 24b (step S105). If the connection determination unit 24c determines that the VPN connection is permitted, the connection response unit 24d transmits the GW side VPN connection information to the load balancer 10 (step S106).

  When the response transfer unit 14d of the load distribution apparatus 10 receives the GW side VPN connection information from the VPN-GW apparatus 20 to which the client side VPN connection information is distributed by the request distribution unit 14c, the response transfer unit 14d of the SIP connection request source The GW side VPN connection information is transmitted to the SIP server 40 with the client device 30 as the destination (step S107). The SIP server 40 transfers the GW-side VPN connection information received from the load distribution apparatus 10 to the client apparatus 30 that is the SIP connection request source (step S108).

  Subsequently, the VPN establishment unit 24e of the VPN-GW apparatus 20 performs IKE negotiation (IKE authentication) with the client apparatus 30 that is the transmission source of the client-side VPN connection information, and a common key necessary for VPN Are exchanged (step S109). Then, the VPN establishment unit 24e establishes a VPN connection using the IP address and port number of the client device 30, and performs packet communication using IPsec or the like using a common key (step S110).

  Thereafter, the client device 30 transmits a VPN disconnection request to the load distribution device 10 to the SIP server (step S111), and the SIP server 40 transfers the received VPN disconnection request to the destination load distribution device 10. (Step S112).

  When receiving the VPN disconnection request from the client device 30, the request receiving unit 14 a of the load distribution apparatus 10 acquires the “telephone number” or “IP address” from the VPN disconnection request, and connects to the VPN-GW of the connection destination. The device 20 is specified (step S113). Subsequently, the request reception unit 14a transmits the received VPN disconnection request to the specified VPN-GW apparatus 20 (step S114).

  Thereafter, the VPN disconnection unit 24f of the VPN-GW apparatus 20 transmits a VPN disconnection permission to the load balancer 10 when the information reception unit 24b receives the VPN disconnection request (step S115). Then, the response transfer unit 14d of the load distribution apparatus 10 transmits 100 Trying or the like (for example, waiting for 100 seconds) to the client apparatus 30 via the SIP server 40 (Step S116 and Step S117).

  Then, the VPN disconnecting unit 24f of the VPN-GW apparatus 20 performs IKE negotiation with the client apparatus 30 to disconnect the IKE (step S118) and disconnect the VPN (step S119). Then, the VPN disconnection unit 24f transmits a disconnection completion notification indicating that the disconnection has been completed to the client device 30 via the load balancer 10 and the SIP server 40 (steps S120 to S122).

(Flow of VPN connection processing in the load balancer)
Next, a flowchart illustrating a flow of VPN connection processing in the load distribution apparatus according to the first embodiment will be described with reference to FIG. As illustrated in FIG. 10, the request reception unit 14 a receives SIP connection requests (incoming calls) including client-side VPN connection information from a plurality of client devices (Yes in step S <b> 201), and the request determination unit 14 b It is determined whether to permit the SIP connection request received by 14a (step S202).

  When the request determination unit 14b determines that the SIP connection request is permitted (Yes at Step S202), the request distribution unit 14c distributes VPN-side VPN connection information included in the SIP connection request according to a predetermined condition. The GW apparatus 20 is specified (step S203), and the client side VPN connection information is distributed to the specified VPN-GW apparatus 20 (step S204).

  Thereafter, when the response transfer unit 14d receives a response from the VPN-GW apparatus 20 to which the client-side VPN connection information is distributed by the request distribution unit 14c (Yes in step S205), the response transfer unit 14d determines whether the response is connection permission. (Step S206). Then, when the response is connection permission (Yes at Step S206), the response transfer unit 14d transmits the GW side VPN connection information to the client device 30 that is the SIP connection request source (Step S207).

  On the other hand, when the request determination unit 14b determines to reject the SIP connection request received by the request reception unit 14a (No at Step S202), the request determination unit 14b transmits a connection rejection response (SIP BYE) to the client device 30 (Step S208). ). Moreover, the response transfer part 14d transmits a connection rejection response (SIP BYE) to the client apparatus 30, when the response received from the VPN-GW apparatus 20 is connection rejection (step S206 negative) (step S208).

(Processing flow of load balancer)
Next, a flowchart illustrating a flow of VPN disconnection processing in the load distribution apparatus according to the first embodiment will be described with reference to FIG. As illustrated in FIG. 11, when receiving a VPN disconnection request from the client device 30 (Yes in step S301), the request reception unit 14a identifies the VPN-GW device 20 that is the VPN connection destination as the VPN disconnection request. (Step S302).

  Then, the request reception unit 14a transmits the VPN disconnection request received from the client device 30 to the specified VPN-GW device 20 (step S303). Thereafter, when the response transfer unit 14d receives a disconnection completion notification from the VPN-GW apparatus 20 (Yes at Step S304), the response transfer unit 14d transmits the disconnection completion to the client apparatus 30 (Step S305).

(Processing flow of VPN-GW device)
Next, a flowchart illustrating a processing flow in the VPN-GW apparatus according to the first embodiment will be described with reference to FIG. As illustrated in FIG. 12, when the information determination unit 24c receives client side VPN connection information that is VPN connection information of the client device 30 from the load distribution device 10 by the information reception unit 24b (Yes in step S401), the VPN It is determined whether or not the connection is permitted (step S402).

  When the connection determination unit 24c determines that the VPN connection is permitted (Yes at Step S402), the connection response unit 24d sends the GW side connection information to the SIP connection request via the load balancer 10 and the SIP server 40. It transmits to the original client device 30 (step S403).

  Thereafter, the VPN establishment unit 24e acquires the IP address of the destination client device 30 from the load balancer 10 or the like, and performs IKE negotiation (IKE authentication) with the acquired IP address of the client device 30 as the destination. A common key necessary for VPN is exchanged (step S404). Subsequently, the VPN establishment unit 24e establishes a VPN connection using the client-side VPN connection information acquired by the information reception unit 24b, and performs packet communication using IPsec or the like using a common key (step S405).

  Thereafter, when the information disconnecting unit 24b receives the VPN disconnection request (Yes at Step S406), the VPN disconnecting unit 24f sends a connection permission response to the VPN disconnecting request source client via the load balancer 10 and the SIP server 40. It transmits to the apparatus 30 (step S407).

  Then, when waiting for a predetermined time such as 100 seconds (Yes at Step S408), the VPN disconnecting unit 24f disconnects the IKE from the client device 30 (Step S409), and then disconnects the VPN (Step S410).

  On the other hand, if the connection determination unit 24c determines that VPN connection is not permitted (No at Step S402), the connection determination unit 24c transmits a connection rejection response to the connection request source client device 30 via the load balancer 10 and the SIP server 40. (Step S411).

[Effects of Example 1]
As described above, according to the first embodiment, it is possible to distribute the load on the VPN connection performed by the VPN-GW apparatus 20. When it is determined that the load is high due to resources or the like on the VPN-GW 20 side, the VPN connection can be rejected. Reliability is also improved.

  By the way, the VPN connection system which this application discloses can also perform connection switching with respect to the VPN once connected. For example, in the VPN connection system disclosed in the present application, after establishing a VPN connection between the client apparatus and the VPN-GW apparatus A, the VPN connection may be switched between the client apparatus and the VPN-GW apparatus B. it can.

  Therefore, in the second embodiment, a sequence diagram in the case of changing the VPN connection will be described with reference to FIG. FIG. 13 is a sequence diagram showing the flow of processing when switching VPN connections. Here, an example will be described in which a VPN connection is established between the client apparatus and the VPN-GW apparatus A, and then the VPN connection is switched between the client apparatus and the VPN-GW apparatus B.

  As shown in FIG. 13, the processing from step S501 to step S510, which is processing until the VPN connection is established between the client device and the VPN-GW device A, is performed from step S101 to step S110 described in FIG. Since this is the same as the above processing, it is omitted here.

  The VPN establishment unit 24e of the VPN-GW apparatus A 20a connecting the VPN with the client apparatus 30 transmits a reconnection request to the load distribution apparatus 10 when a reconnection desired situation occurs (step S511) (step S511). S512). For example, if the resource threshold has been exceeded for a predetermined number of times, if all resources have exceeded the threshold, if the number of connectable devices has changed and connection has failed, server maintenance, etc. This is the case when the connection cannot be continued. VPN-GW apparatus A20a When a specific connection is switched in a situation where a plurality of VPNs are connected, the telephone number of the connection destination is also transmitted to the load distribution apparatus 10.

  Then, the request distribution unit 14c of the load distribution apparatus 10 identifies the VPN-GW apparatus B 20b that can be reconnected by the same method as the distribution destination specification at the time of the connection request such as step S503 (step S513), and specifies The client side VPN connection information of the client device 30 to be reconnected to the VPN-GW device B 20b is transmitted (step S514). The load balancer 10 stores client-side VPN connection information of the client device 30 as a connection status.

  Thereafter, the connection determination unit 24c of the VPN-GW apparatus B 20b determines whether or not to permit VPN connection when the client-side VPN connection information is received from the load distribution apparatus 10 (step S515). Then, when the connection determination unit 24c determines that the VPN connection is permitted, the connection response unit 24d transmits the VPN connection information of the own device (VPN connection information of the VPN-GWB 20b) to the load distribution device 10 (step) S516).

  Subsequently, the response transfer unit 14d of the load distribution apparatus 10 transmits a reconnection OK response to the reconnection source VPN-GW apparatus A 20a (step S517). Then, the response transfer unit 14d of the load distribution apparatus 10 transmits re-INVITE including the VPN connection information of the VPN-GWB 20b to the client apparatus 30 to which the VPN is switched via the SIP server 40 (Step S518). And step S519).

  Then, the VPN disconnecting unit 24f of the VPN-GW apparatus A 20a disconnects the IKE from the client apparatus 30 (step S520). Subsequently, the VPN establishing unit 24e of the VPN-GW apparatus B 20b acquires the IP address of the destination client apparatus 30 from the load distribution apparatus 10 or the like, and uses the acquired IP address of the client apparatus as a destination as an IKE negotiation (IKE authentication). ) To exchange a common key necessary for VPN (step S521). Subsequently, the VPN establishment unit 24e establishes a VPN connection using the client-side VPN connection information acquired by the information reception unit 24b, and performs packet communication using IPsec or the like using a common key (step S522).

  As described above, according to the second embodiment, when the load on the resources of the VPN-GW apparatus A 20a to which the VPN is already connected becomes large and there is a concern about a reduction in processing, the processing before the reduction in processing occurs. A VPN can be connected to a VPN-GW apparatus in which there is no concern about a decrease or the like. As a result, the reliability of the VPN connection system is improved, and a safe system operation is possible.

  Although the embodiments of the present invention have been described so far, the present invention may be implemented in various different forms other than the embodiments described above. Therefore, different embodiments will be described below.

(IKE certification)
For example, a certificate based on IKE authentication may be exchanged during the IKE negotiation described in the first and second embodiments. By doing so, it can be determined whether or not it is from a legitimate client device certified by a legitimate institution.

(Switch back)
In the second embodiment, the VPN connection is established between the client apparatus and the VPN-GW apparatus A after the VPN connection is established between the client apparatus and the VPN-GW apparatus A. It is not limited to this. For example, a VPN-GW device that reconnects a VPN connection because the resource status has deteriorated can request reconnection again when the resource is stable. In other words, when the resource of the VPN-GW device that is the switching source is stable, the switched VPN can be switched back. In this case as well, the same processing as in the second embodiment may be performed.

(blacklist)
For example, in the first embodiment, an example has been described in which a telephone number for which a VPN connection contract is previously concluded offline or online is stored in the priority connection destination DB 13b or the like. However, the present invention is not limited to this. For example, the load balancer disclosed in the present application may store a telephone number that does not permit VPN connection. In this case, when receiving the SIP connection request from the client terminal, the load distribution apparatus determines whether or not the telephone number included in the SIP connection request is stored as a telephone number that does not permit VPN connection. When the telephone number included in the received SIP connection request is stored as a telephone number that does not permit VPN connection, the load distribution apparatus rejects the connection and transmits a connection rejection response to the client terminal. .

(VPN connection information transmission method)
For example, in the first and second embodiments, the example in which the VPN-GW apparatus transmits the VPN connection information of the own apparatus to the client apparatus via the load distribution apparatus has been described, but the present invention is not limited to this. For example, when the VPN-GW apparatus recognizes the IP address and telephone number of the client apparatus in advance or obtains it from the load distribution apparatus, the VPN-GW apparatus transmits the VPN connection information of its own apparatus to the client without going through the load distribution apparatus. It can also be sent directly to the device.

(System configuration etc.)
In addition, among the processes described in the present embodiment, all or a part of the processes described as being automatically performed can be manually performed. In addition, processing procedures, control procedures, and specific names shown in the above documents and drawings, for example, information including various data and parameters such as FIGS. It can be changed arbitrarily except for.

  Further, each component of each illustrated apparatus is functionally conceptual, and does not necessarily need to be physically configured as illustrated. In other words, the specific form of distribution / integration of each device is not limited to the one shown in the figure, and all or a part thereof may be, for example, a VPN establishment unit 24e and a VPN disconnection unit 24f according to various loads and usage conditions. Can be configured to be functionally or physically distributed / integrated in arbitrary units, such as integrating them. Further, all or any part of each processing function performed in each device may be realized by a CPU and a program analyzed and executed by the CPU, or may be realized as hardware by wired logic.

(program)
The VPN connection method described in this embodiment can be realized by executing a program prepared in advance on a computer such as a personal computer or a workstation. This program can be distributed via a network such as the Internet. The program can also be executed by being recorded on a computer-readable recording medium such as a hard disk, a flexible disk (FD), a CD-ROM, an MO, and a DVD and being read from the recording medium by the computer.

  As described above, the virtual communication path connection system and the virtual communication path connection method according to the present invention include the load distribution apparatus and the virtual communication path connection apparatus, and a plurality of terminals are connected between the virtual communication path connection apparatus. This is useful for establishing a virtual communication path, and is particularly suitable for quickly processing each connection request even when a large number of VPN connection requests are received.

DESCRIPTION OF SYMBOLS 10 Load distribution apparatus 11 External I / F part 12 Internal I / F part 13 Memory | storage part 13a VPN-GW information DB
13b Preferential connection destination DB
13c Connection status DB
DESCRIPTION OF SYMBOLS 14 Control part 14a Request receiving part 14b Request determination part 14c Request distribution part 14d Response transfer part 20 VPN-GW apparatus 21 Communication I / F part 22 Internal I / F part 23 Storage part 23a Resource DB
23b Connection status DB
24 control unit 24a resource collection unit 24b information reception unit 24c connection determination unit 24d connection response unit 24e VPN establishment unit 24f VPN disconnection unit 30 client device 40 SIP server

Claims (8)

A virtual communication path connection system having a load distribution apparatus and a plurality of virtual communication path connection apparatuses, and establishing a virtual communication path via a load distribution apparatus between a plurality of terminals and a plurality of virtual communication path connection apparatuses. ,
The load balancer is:
The terminal side included in the SIP connection request according to a predetermined condition when receiving a SIP connection request including terminal side connection information indicating information used for connection of the virtual communication path by the plurality of terminals from the plurality of terminals. A connection distribution unit that distributes connection information to any one of the plurality of virtual communication path connection devices;
Each of the plurality of virtual communication path connection devices is
A connection determination unit that determines whether to permit connection of the virtual communication path when receiving terminal-side connection information from the load balancer;
A connection response for transmitting own device side connection information indicating information used by the own device for connection of the virtual communication path to the terminal of the SIP connection request source when it is determined by the connection determining unit to permit connection of the virtual communication path And
When the local device side connection information is transmitted by the connection response unit, a virtual communication path is established between the SIP connection request source terminal and the local device using the terminal side connection information and the local device side connection information. A virtual channel connection system, comprising: a communication channel establishment unit that establishes The load balancer further includes terminal information storage means for storing a telephone number of the terminal,
The connection distribution unit, when the telephone number acquired from the received SIP connection request is stored in the terminal information storage unit as a telephone number that permits connection of the virtual communication path, according to a predetermined condition, 2. The virtual communication path connection system according to claim 1, wherein terminal side connection information is distributed to any of the plurality of virtual communication path connection devices.   The communication path establishment unit of each of the plurality of virtual communication path connection apparatuses performs authentication by IKE between the SIP connection request source terminal and the own apparatus, and the SIP connection request source terminal is a valid terminal. The virtual communication path connection system according to claim 1 or 2, wherein the virtual communication path is established.   When the connection distribution unit of the load distribution apparatus receives a reconnection request for requesting reconnection of the virtual communication path from a virtual communication path connection apparatus in which the virtual communication path has already been established, according to a predetermined condition , Identifying the virtual communication path connection device that is the switching destination of the virtual communication path, and the terminal-side connection information used to connect the virtual communication path to the specified virtual communication path connection device that is the switching destination The virtual communication path connection system according to claim 1, wherein the virtual communication path connection system is distributed. A virtual communication path connection method including a load distribution apparatus and a plurality of virtual communication path connection apparatuses, and establishing a virtual communication path via a load distribution apparatus between a plurality of terminals and a plurality of virtual communication path connection apparatuses. ,
The load balancer is:
The terminal side included in the SIP connection request according to a predetermined condition when receiving a SIP connection request including terminal side connection information indicating information used for connection of the virtual communication path by the plurality of terminals from the plurality of terminals. A connection distribution step of distributing connection information to any of the plurality of virtual communication path connection devices;
Each of the plurality of virtual communication path connection devices is
A connection determination step of determining whether to permit connection of the virtual communication path when receiving terminal-side connection information from the load balancer;
A connection response for transmitting own device side connection information indicating information used by the own device for connection of the virtual communication path to the terminal of the SIP connection request source when it is determined in the connection determining step that the connection of the virtual communication path is permitted. Process,
When the local device side connection information is transmitted by the connection response step, a virtual communication path is established between the SIP connection request source terminal and the local device using the terminal side connection information and the local device side connection information. A virtual channel connection method comprising: a channel establishment step for establishing a network. The load balancer further includes a terminal information storage unit that stores a telephone number of the terminal,
In the connection distribution step, when the telephone number acquired from the received SIP connection request is stored in the terminal information storage unit as a telephone number that permits connection of the virtual communication path, according to a predetermined condition, 6. The virtual communication path connection method according to claim 5, wherein the terminal side connection information is distributed to any of the plurality of virtual communication path connection devices.   In the communication path establishment process of each of the plurality of virtual communication path connection devices, IKE authentication is performed between the SIP connection request source terminal and the own device, and the SIP connection request source terminal is a valid terminal. The virtual communication path connection method according to claim 5 or 6, wherein the virtual communication path is established.   The connection distribution step of the load balancer is performed according to a predetermined condition when a reconnection request for requesting reconnection of the virtual communication path is received from a virtual communication path connection apparatus in which the virtual communication path is already established. , Identifying the virtual communication path connection device that is the switching destination of the virtual communication path, and the terminal-side connection information used to connect the virtual communication path to the specified virtual communication path connection device that is the switching destination The virtual communication path connection method according to claim 5, wherein the virtual communication path connection method is assigned.

Images