JP2011211490A - Vpn device, ip communication apparatus, and server device - Google Patents

Abstract

PROBLEM TO BE SOLVED: To establish stable and continuous communication even if a communication failure occurs during P2P communication.SOLUTION: A communication control section 140 finds a communication failure which is a cause for difficulty in the continuity of P2P communication based on the condition that Keep-alive packet is not received for a time longer than or equal to a predetermined time period from a device on the other side and an error occurrence rate of a specified value or higher continues for a predetermined period or longer by using a communication failure detecting section 147 while P2P communication conducted by the device on the other side. Upon the detection of the communication failure, the communication control section 140 carries out shifting processing to communication via a server that uses a relay server provided in an IP network to switch the P2P communication to communication via a server.

Description

  The present invention relates to a VPN (Virtual Private Network) device, an IP (Internet Protocol) communication device, and a server device that establish a path between a plurality of networks and communicate with each other.

  An IP communication device such as a VPN device that constructs a virtual private network (VPN: hereinafter referred to as VPN) or an IP telephone device that makes a call using an IP phone is an environment between communication partners in the IP network. A communication path is constructed according to the communication. Here, the case where a VPN apparatus is used will be described. In a VPN, for example, different network segments are generally connected to each other via a wide area network (WAN) or the like, such as between two or more local area networks (LANs) in a company. And it is comprised so that the whole may be one private network virtually by ensuring the secrecy of communication between networks. This enables a communication service similar to that used when a dedicated line is used.

  When constructing a VPN, a virtual tunnel is constructed by encrypting and encapsulating a packet by a VPN device provided in a network relay device or a communication terminal or the like (hereinafter also referred to as “peer”). Thus, a closed virtual direct communication (hereinafter also referred to as P2P (Peer to Peer) communication) line connecting the peers is established on a network via the Internet or the like. It is also conceivable to set a communication path for performing communication between a plurality of communication devices by a method other than P2P communication via a virtual direct communication line on the network. For example, a relay server that relays data communication may be provided on the network, and communication may be performed via the relay server.

  As described above, when there are a plurality of communication paths for performing communication between a plurality of communication apparatuses, a response is sent to the earliest after sending a transmission request as the shortest path (a communication path that enables data transmission in the shortest time). A technique for selecting a returned communication path is known (see, for example, Patent Document 1). In addition, a technique for setting a communication path to the shortest distance when performing communication between two communication devices using a known Dijkstra method is known (for example, see Patent Document 2).

JP-A-8-228192 Japanese National Patent Publication No. 11-508754

  When a plurality of communication devices perform communication on a network, as described above, a case where P2P communication is performed and a case where communication via a relay server or the like is performed are roughly divided. At this time, since P2P communication is desirable from the viewpoint of communication efficiency and the like, a conventional IP communication apparatus such as a VPN apparatus performs P2P communication if possible.

  However, in P2P communication, when a communication uses a specific line (for example, when it is aggregated within an intranet), unlike a general line, a recovery process (such as a bypass connection) is performed when a communication failure occurs. Therefore, communication quality may deteriorate or communication may become impossible. On the other hand, when a communication failure occurs and the communication status deteriorates, recovery processing (bypass communication avoiding the location of the communication failure) can be normally performed once through the public line, and communication is stabilized. May be possible.

  The present invention has been made in view of the above circumstances, and an object thereof is to provide a VPN device, an IP communication device, and a server device capable of continuing stable communication even when a communication failure occurs during P2P communication. It is to provide.

The present invention is a VPN apparatus that establishes a virtual private network and communicates with a partner apparatus in an IP network. When P2P communication is performed with the partner apparatus, the P2P communication is performed. A communication failure detection unit that detects a communication failure that is difficult to continue, and a communication control that performs a transition process to communication via a server that is communication via a relay server provided in the IP network when the communication failure is detected And a VPN device comprising:
With the above configuration, when a communication failure occurs during P2P communication, stable communication can be continued by shifting to communication via a server using a relay server.

Further, the present invention is the above VPN device, wherein the communication failure detection unit receives the Keep-alive packet from the partner device during the P2P communication and receives the Keep-alive packet for a predetermined period or more. Includes those that determine that a communication failure has occurred when there is no reception.
With the above configuration, it is possible to detect the occurrence of a communication failure depending on whether or not a keep-alive packet is received, and to execute processing (communication path switching processing) when the communication failure occurs.

Further, the present invention is the above VPN device, wherein the communication failure detection unit has exceeded a predetermined value based on an error occurrence rate of communication with the counterpart device during the P2P communication. This includes determining that a communication failure has occurred when the state continues for a predetermined time or longer.
With the above configuration, it is possible to detect the occurrence of a communication failure based on the high error rate and its duration, and to execute processing (communication path switching processing) when a communication failure occurs.

Further, the present invention is the above VPN apparatus, wherein the communication control unit performs the above-described call control server that controls connection with the counterpart apparatus when performing the transition process to the communication via the server. When a use request of a relay server that performs communication via a server is transmitted and a response to use of the relay server is received from the call control server, the relay server is connected to the specified destination relay server and connected to the partner device Including those that start communication via.
With the above configuration, when a communication failure occurs, it is possible to shift to communication via a server using a relay server, and stable communication can be continued.

  Further, the present invention is an IP communication device that performs communication with a partner device in an IP network, and when P2P communication is performed with the partner device, it is difficult to continue this P2P communication. A communication failure detection unit that detects a communication failure; and a communication control unit that performs a transition process to communication via a server that is communication via a relay server provided in the IP network when the communication failure is detected, An IP communication apparatus is provided.

Further, the present invention is a server device having a function of a call control server for controlling connection between a plurality of communication devices in an IP network, and when the plurality of communication devices perform P2P communication, When a use request for a relay server provided in the IP network is received from the communication device, it is determined whether or not the relay server can be used, and a use response of the relay server including connection destination information to the relay server is used. A server apparatus is provided that includes a communication transition control unit that performs a transition control from P2P communication to communication via a server by sending a reply to the requested communication apparatus and connecting the communication apparatus to the relay server.
With the above configuration, when there is a use request of a relay server from a communication device, it is possible to connect the communication device to the relay server and shift from P2P communication to communication via the server.

Further, the present invention is the server device described above, wherein the communication transition control unit receives a relay request for the specified communication when receiving the use request of the relay server, or relays In the case where there is a server assignment, this includes a reply to the communication apparatus that has requested use of the relay server.
With the above configuration, even if both of the communication devices that are performing communication simultaneously transfer to the server via communication, even if relay server usage requests are duplicated, one of them is suppressed, and communication via the relay server is consistent. It is possible to migrate.

Further, the present invention is a communication method in a VPN apparatus that establishes a virtual private network and communicates with a partner apparatus in an IP network, and performs P2P communication with the partner apparatus. The step of detecting a communication failure that makes it difficult to continue the P2P communication, and when the communication failure is detected, a transition process to a communication via a server that is a communication via a relay server provided in the IP network is performed. And providing a communication method.
According to the above procedure, when a communication failure occurs during P2P communication, stable communication can be continued by shifting to communication via a server using a relay server.

  According to the present invention, it is possible to provide a VPN device, an IP communication device, and a server device capable of continuing stable communication even when a communication failure occurs during P2P communication.

The figure which shows the structural example of the network at the time of constructing | assembling a VPN system using the IP communication apparatus which concerns on embodiment of this invention. 1 is a block diagram showing a configuration example of a hardware configuration of an IP communication apparatus (VPN apparatus) according to the present embodiment 1 is a block diagram showing an example of a functional configuration of an IP communication apparatus (VPN apparatus) according to the present embodiment Schematic diagram showing a state in which communication via a server and P2P communication are simultaneously performed by a relay server The sequence diagram which shows the communication processing procedure between each apparatus until it performs P2P communication in the VPN system using the IP communication apparatus (VPN apparatus) which concerns on this embodiment. The flowchart which shows the operation | movement algorithm of the communication failure detection process in the IP communication apparatus (VPN apparatus) of this embodiment. The flowchart which shows the operation | movement algorithm of the communication transition process via a server in the IP communication apparatus (VPN apparatus) of this embodiment. The sequence diagram which shows the communication processing procedure between each apparatus at the time of transfer from P2P communication to communication via a server in the VPN system using the IP communication apparatus (VPN apparatus) which concerns on 1st Embodiment. The sequence diagram which shows the communication processing procedure between each apparatus at the time of transfer from P2P communication to communication via a server in the VPN system using the IP communication apparatus (VPN apparatus) which concerns on 2nd Embodiment. The sequence diagram which shows the communication processing procedure between each apparatus at the time of transfer from P2P communication to communication via a server in the VPN system using the IP communication apparatus (VPN apparatus) which concerns on 3rd Embodiment.

  Hereinafter, an embodiment as an example of a VPN apparatus and an IP communication apparatus according to the present invention will be described. Here, a configuration example in the case where a virtual private network (VPN) system is constructed by connecting paths (LAN, local network) of two local area networks via a wide area network (WAN, global network) is shown. A wired LAN or a wireless LAN is used as the LAN. The WAN is used as the WAN.

  FIG. 1 is a diagram showing a configuration example of a network when a VPN system is constructed using an IP communication apparatus according to an embodiment of the present invention. The VPN system of this embodiment connects a communication path between the LAN 100 provided at one site and the LAN 300 provided at another site via a WAN 200 such as the Internet. Communication between the terminal 103 connected under the LAN 100 and the terminal 303 connected under the LAN 300 ensures communication with VPN (also referred to as “VPN communication”). As specific uses (application programs, etc.) of VPN communication, IP phone (voice call), net meeting (moving image & voice communication), network camera (video transmission), etc. are assumed.

  A router 102 as a relay device is disposed at the boundary between the LAN 100 and the WAN 200, and a router 302 as a relay device is disposed at the boundary between the WAN 200 and the LAN 300. In this embodiment, in order to enable the construction of a VPN, the VPN apparatus 101 is connected to the LAN 100 and the VPN apparatus 301 is connected to the LAN 300. A subordinate terminal 103 is connected to the VPN apparatus 101, and a subordinate terminal 303 is connected to the VPN apparatus 301. Here, the VPN apparatuses 101 and 301 correspond to the “IP communication apparatus” of the present invention. Note that the VPN apparatuses 101 and 301 as an example of the IP communication apparatus according to the present embodiment show an example of the configuration of independent apparatuses configured in a communication apparatus or a relay apparatus, but It is also possible to configure as a device having a VPN function in a communication device or a terminal.

  On the WAN 200, a STUN server 201 and a call control server 202 are provided as server devices for enabling a VPN connection between the VPN device 101 and the VPN device 301 (hereinafter referred to as “VPN connection”). Is connected. The STUN server 201 is a server used to execute a STUN (Simple Traversal of User Datagram Protocol (UDP) through Network Address Translators (NATs)) protocol. The call control server 202 is a server used for making and receiving calls between peers such as VPN devices or terminals.

  In FIG. 1, a broken line indicates a flow of external address / port information including external address (global IP address) and port information. A one-dot chain line indicates a flow of a call control signal related to control of calling and called. A solid line indicates a flow of communication between peers (P2P (peer-to-peer) communication) related to communication data transmitted between peers. Further, a communication path connected by VPN for P2P communication is represented in the figure as a virtual tunnel.

  When each device communicates via the WAN 200, global address information that can be specified in the WAN is used on the WAN 200 as address information for specifying the calling side or called side of a packet to be transmitted. Since an IP network is generally used, a global IP address and a port number are used. However, in communication within each LAN 100, 300, local address information that can be specified only within the LAN is used as address information for specifying the calling party or called party. Since an IP network is generally used, a local IP address and a port number are used. Therefore, in order to enable communication between each of the LANs 100 and 300 and the WAN 200, as an example of the address translation function, there is a NAT (Network Address Translation) function that performs mutual conversion between local address information and global address information. The routers 102 and 302 as relay devices for connecting a plurality of networks are mounted. That is, the address conversion function performs mutual conversion corresponding to so-called NAPT (Network Address Port Translation) including the IP address of the IP network layer and the port of the transport layer. Hereinafter, in the description of the present invention, the NAT function refers to a NAT function in a broad sense including a NAPT function in a narrow sense.

  However, the terminals 103 and 303 under the LANs 100 and 300 do not have global address information accessible from the outside. In addition, unless special settings are made, the terminal 103 under the LAN 100 cannot directly communicate with the terminal 303 under the other LAN 300. Further, because of the NAT function of each router 102, 302, it is impossible to access each terminal in each LAN 100, 300 from the WAN 200 side in a normal state. That is, the “external address / port information” is address / port information necessary for connecting to the WAN 200, and the VPN device 101 functioning with the local address / port information specified in the LANs 100, 300, From the viewpoint of 301, the global network WAN 200 is externally referred to as “external address / port information”. Note that “address / port” means only an address, or an address and a port.

  Even in such a situation, in this embodiment, VPN devices 101 and 301 are provided in the LANs at the respective bases, so that the LANs are VPN-connected as in the P2P communication path indicated by the solid line in FIG. It becomes possible to communicate directly between the terminal 103 and the terminal 303 through a virtual closed communication path. The configuration, function, and operation of the VPN apparatus as the IP communication apparatus according to the present embodiment will be described in order below.

  The STUN server 201 performs a service related to the execution of the STUN protocol, and is an address information server that provides information necessary for performing communication that passes through the NAT (so-called communication beyond NAT). STUN is a standardized client-server Internet protocol used as one of NAT transparent methods in applications that perform bidirectional real-time IP communication such as voice, video, and text. In response to a request from the access source, the STUN server 201 has external address / port information including information on an external address and a port visible from the external network as global address information assigned to the access source accessible from the outside. Reply. As the external address / port information, in the IP network, a global IP address of the IP network layer and a port number of the transport layer are used.

  Each of the VPN apparatuses 101 and 301 performs communication of a predetermined test procedure with the STUN server 201, and a response packet including a global IP address and a port number assigned for communication of the own apparatus from the STUN server 201 Receive. Thereby, each VPN apparatus 101 and 301 can acquire the global IP address and port number of an own apparatus. Further, even when there are a plurality of routers between the LAN where the device is located and the WAN, or when these routers do not have a UPnP (Universal Plug and Play) function. However, there is also an effect that the global IP address and the port number assigned for reliably communicating with the WAN 200 side can be acquired.

  The call control server 202 is a call management server that performs a service related to call control between communication apparatuses for calling a specific destination and establishing a communication path. The call control server 202 holds the identification information of each registered user's VPN device or terminal. For example, in the case of a communication system having an IP telephone function, a specific partner is determined based on the telephone number of the connection partner. You can call the destination.

  A relay server 203 is connected on the WAN 200 as a server device for relaying communication between the VPN device 101 and the VPN device 301. The relay server 203 has a function of relaying a signal or data when performing VPN communication via the server, such as before the start of P2P communication or when P2P communication is not possible. The relay server 203 transfers a packet sent from the calling device to the called device, and transfers a packet sent from the called device to the calling device. In this case, a VPN-connected communication path is established between the VPN device 101, the VPN device 301, and the relay server 203, and a function equivalent to the VPN connection established by the P2P communication is realized. The call control server 202 also has a function of relaying communication between VPN apparatuses at the start of VPN connection.

  Note that the STUN server 201, the call control server 202, and the relay server 203 are shown here as configuration examples using separate server devices, but these address information servers, call management servers, and relay servers are included in one server device. The function of each server may be mounted and configured, or the same function may be mounted and configured in any other server device on the WAN.

  Next, the configuration and function of the VPN apparatus as the IP communication apparatus according to the present embodiment will be described. The configurations and functions of the VPN apparatus 101 and the VPN apparatus 301 are the same, and will be described here using the VPN apparatus 101. FIG. 2 is a block diagram showing a configuration example of the hardware configuration of the IP communication apparatus (VPN apparatus) according to the present embodiment.

  The VPN apparatus 101 includes a central processing unit (CPU) 111 such as a microcomputer, a non-volatile memory 112 such as a flash RAM, a memory 113 such as an SD RAM, a network interface 114, a network interface 115, a LAN side network control unit 116, and a WAN. Side network control unit 117, communication relay unit 118, display control unit 119, and display unit 120.

  The CPU 111 controls the entire VPN apparatus 101 by executing a predetermined program. The non-volatile memory 112 holds a program executed by the CPU 111. This program also includes a communication abnormality control program for the VPN apparatus 101 to detect an abnormality during communication with another communication apparatus and perform communication control.

  The program executed by the CPU 111 can be acquired from an external server online via an arbitrary communication path, or can be acquired by reading from a recording medium such as a memory card or a CD-ROM. it can. In other words, the VPN apparatus and the VPN networking method can be realized by reading a program for realizing the function of the VPN apparatus from a recording medium into a general-purpose computer.

  Note that when the CPU 111 executes the program, a part of the program on the nonvolatile memory 112 may be expanded on the memory 113 and the program on the memory 113 may be executed.

  The memory 113 is for temporarily storing data management during operation of the VPN apparatus 101, various setting information, and the like. The setting information includes destination address information necessary for communication, such as external address / port information included in a response to the external address / port acquisition request of the device itself.

  The network interface 114 is an interface for connecting the VPN apparatus 101 and the subordinate terminal 103 managed by the own apparatus in a communicable state. The network interface 115 is an interface for connecting the VPN apparatus 101 and the LAN 100 in a communicable state. The LAN-side network control unit 116 performs communication control related to the LAN-side network interface 114. The WAN-side network control unit 117 performs communication control related to the WAN-side network interface 115.

  The communication relay unit 118, on the contrary, transmits packet data sent from the subordinate terminal 103 connected to the LAN side to the external called party (terminal 303 subordinate to the VPN apparatus 301), and on the other hand, the external called party (VPN apparatus 301). The packet data arriving from the subordinate terminal 303) to the subordinate terminal 103 is relayed.

  The display unit 120 is configured by a display that displays the operation state of the VPN apparatus 101 and notifies the user or administrator of various states. The display unit 120 includes a plurality of light emitting diodes (LEDs) or a liquid crystal display (LCD). The display control unit 119 performs display control of the display unit 120, and controls contents to be displayed on the display unit 120 according to a display signal from the CPU 111.

  FIG. 3 is a block diagram showing a functional configuration example of the IP communication apparatus (VPN apparatus) according to the present embodiment.

  The VPN apparatus 101 includes a system control unit 130, a subordinate terminal management unit 131, a memory unit 132, a data relay unit 133, a setting interface unit 134, and a communication control unit 140 as functional configurations. The memory unit 132 includes an external address / port information storage unit 135. The communication control unit 140 includes an external address / port acquisition unit 141, a VPN function unit 142, a call control function unit 143, and a communication failure detection unit 147. The VPN function unit 142 includes an encryption processing unit 145. Each of these functions is realized by the hardware operation of each block shown in FIG. 2 or when the CPU 111 executes a predetermined program.

  The network interface 114 on the LAN side of the VPN apparatus 101 is connected to the subordinate terminal 103, and the network interface 115 on the WAN side is connected to the WAN 200 via the LAN 100 and the router 102.

  The system control unit 130 performs overall control of the VPN apparatus 101. The subordinate terminal management unit 131 manages the terminals 103 subordinate to the VPN apparatus 101. In the external address / port information storage unit 135, the memory unit 132 stores external address / port information including information on an external address (global IP address on the WAN 200) and a port (port number of the IP network). As the external address / port information, information on the global IP address and port number assigned to the terminal 103 on the calling side, information on the global IP address and port number assigned to the terminal 303 on the called side, etc. Remember. The external address / port information storage unit 135 may store NAT type information between the own device and the external network.

  The data relay unit 133 transfers the packet transferred from the calling terminal 103 to the called terminal 303, or conversely, transfers the packet from the called terminal 303 to the calling terminal 103. Each packet is relayed (transmitted / received). The setting interface unit 134 is a user interface for the user or administrator to perform various operations such as a setting operation on the VPN apparatus 101. As a specific example of this user interface, a Web page displayed by a browser operating on a terminal is used.

  The external address / port acquisition unit 141 of the communication control unit 140 acquires the external address / port information assigned to the terminal 103 under the control of the VPN apparatus 101 from the STUN server 201. Further, a packet including the external address / port information of the called terminal 303 is received via the call control server 202, and the external address / port information assigned to the called terminal 303 is acquired. The information acquired by the external address / port acquisition unit 141 is held in the external address / port information storage unit 135 of the memory unit 132.

  The VPN function unit 142 of the communication control unit 140 performs encryption processing necessary for VPN communication in the encryption processing unit 145. That is, the encryption processing unit 145 encapsulates and encrypts a packet to be transmitted, or unencapsulates and decrypts a received packet to extract an original packet. Note that VPN communication is not P2P communication that directly connects VPN devices as shown in FIG. 1, but relays packets by the relay server 203 provided on the WAN 200 and performs VPN communication by the client / server method. Is also possible. In this case, encryption / decryption processing may be performed on the server side. Also, the encapsulated packet includes information for specifying the terminal 103 under its own device and information for specifying the terminal 303 under its partner device. Based on this specific information, communication data is relayed by the data relay unit 133 between the VPN device and the terminals under the VPN device.

  The call control function unit 143 of the communication control unit 140 transmits a connection request for connection to the target called party to the call control server 202, and sends a connection response from the called party via the call control server 202. Perform processing to receive.

  The communication failure detection unit 147 of the communication control unit 140 has a function of detecting a communication failure during P2P communication. For example, the communication failure detection unit 147 detects a communication failure using a Keep-alive packet that is communication periodically performed to confirm that the connection on the network is valid. Here, the reception of the Keep-alive packet from the communication partner and the communication quality (communication error occurrence rate) are measured from the start of the P2P communication, and the Keep-alive packet from the partner cannot be received for a predetermined period or a predetermined time As described above, when the communication error occurrence rate is very high (eg, the error occurrence rate of 60% or more continues), it is determined that the environment of P2P communication is not normal. Details of the operation of the communication failure detection process by the communication failure detection unit 147 and the communication control process by the call control function unit 143 will be described later.

  The communication control unit 140 according to the present embodiment can perform communication via a server that performs communication via a relay server such as the relay server 203 and P2P communication with a partner apparatus. The call control function unit 143 has a function of performing a transition process to communication via a server when a communication failure is detected by the communication failure detection unit 147 and it is determined that P2P communication is difficult to continue. .

  Next, operations of a communication failure detection process and a server-routed communication transition process performed by the IP communication apparatus according to the present embodiment will be described.

(First embodiment)
In the IP communication apparatus according to the present invention, when performing P2P communication with a partner apparatus, communication failure detection processing is performed to determine whether a communication failure that makes it difficult to continue P2P communication has occurred. Here, when a communication failure occurs during P2P communication, a stable communication environment is provided by changing the current communication from P2P communication to communication via a server using the relay server 203 or the like. As the duration for determining a communication failure, temporary communication deterioration is an event that should normally be considered on the network. Is determined to have occurred. For example, if an abnormality occurs continuously in such a time that the Keep-alive packet cannot be received three times continuously, it is determined that the communication failure state is difficult for P2P communication to continue. If a communication failure is detected, a server-routed communication transition process is executed to switch from P2P communication to server-routed communication. As a result, when a communication failure occurs and the communication status deteriorates, the recovery process can be executed normally and communication can be continued stably.

  Here, an example of operation in the case where the relay server performs the server communication and the P2P communication at the same time will be described. FIG. 4 is a schematic diagram showing a state in which communication via a server and P2P communication are simultaneously performed by a relay server. In the example of FIG. 4, a NAT router 521 of a first LAN and a NAT router 522 of a second LAN are connected to a WAN 500 such as the Internet network. The VPN device 511 and the communication device 531 are connected in order via the NAT router 521, and the VPN device 512 and the communication device 532 are connected in order via the NAT router 522. A relay server 503 is connected to the WAN 500. When the VPN apparatus 511 and the VPN apparatus 512 are VPN-connected to ensure a confidential communication path, VPN communication can be realized by communication via the server and P2P communication. In the case of communication via a server, a packet including a signal or data transmitted from a calling-side communication device is once relayed via the relay server 503 and transferred to the called-side communication device. In the case of P2P communication, the packet transmitted from the calling communication device is directly transferred to the called communication device.

  As an example of using the communication via the server and the P2P communication together, for example, it is conceivable that the VPN communication is first started by the communication via the server, and then the P2P communication is performed after the P2P communication path can be secured. By using such a VPN communication procedure, VPN communication can be started in a shorter time, and communication efficiency can be increased by executing P2P communication. Further, as described above, when a communication failure occurs during P2P communication, it is possible to switch to communication via a server and maintain a stable communication environment.

  Here, as the ports used for communication, for example, different ports are used as a port for communication via a server and a port for P2P communication. Note that when the protocol for server-routed communication and P2P communication are different, even if the port number is the same, there is no effect, so the same port can be used. In this specification, for the sake of convenience, description will be made on the premise of communication using the same protocol. For this reason, it is assumed that P2P communication is performed using a port different from the communication via the server.

  In the first embodiment, a communication failure is detected in one IP communication device (VPN device) during P2P communication. Here, when it is determined that a communication abnormal state has continued for a predetermined time or more and a communication failure has occurred, the P2P communication is shifted to the communication via the server.

  First, processing from the start of connection by the VPN device to P2P communication will be described. FIG. 5 is a sequence diagram showing a communication processing procedure between apparatuses until P2P communication is performed in the VPN system using the IP communication apparatus (VPN apparatus) according to the present embodiment. Here, in the network configuration of FIG. 1, processing is shown in the case where it is attempted to connect from the terminal 103 under the VPN apparatus 101 to the terminal 303 under the other VPN apparatus 301 via the WAN 200.

  First, the VPN apparatus 101 logs in to the call control server 202 and receives user authentication (S101). When the VPN apparatus 101 succeeds in user authentication, the call control server 202 registers and sets identification information (MAC address, user ID, telephone number, etc.) of the VPN apparatus 101, location information on the network (global IP address), etc. Is done. Thereafter, communication between the VPN apparatus 101 and the call control server 202 becomes possible. Although the VPN apparatus 101 is the calling party, the VPN apparatus 301 that is the called party also logs in to the call control server 202 and receives user authentication, and the call control server 202 identifies the identification information of the VPN apparatus 301. Are registered and set (S102).

  When the VPN apparatus 101 receives a VPN connection request from the subordinate terminal 103, the VPN apparatus 101 sends a VPN to the VPN apparatus 301 subordinate to the connection destination terminal 303 to the call control server 202 via the router 102. A connection request for constructing the communication path is transmitted (S103). The call control server 202 relays this connection request and transmits it to the VPN apparatus 301 that is the connection destination of the VPN connection via the router 302 (S104).

  When the connection destination VPN apparatus 301 receives a connection request from the call control server 202, it returns a connection response (S105). The call control server 202 relays the connection response from the VPN apparatus 301 and transmits it to the connection source VPN apparatus 101 (S106).

  When the VPN apparatus 101 receives a connection response from the call control server 202, the VPN apparatus 101 establishes a communication path for P2P communication with the connection destination VPN apparatus 301, and performs data communication between the VPN apparatuses 101 and 301 by P2P communication. Start (S107). At this time, direct data communication is performed between the VPN apparatus 101 and the VPN apparatus 301 via the WAN 200 using the P2P communication port. At this time, the connection source VPN apparatus 101 and the connection destination VPN apparatus 301 notify the partner apparatus of the external address / port information of the own apparatus for P2P communication. As a result, the external address / port information (global IP address and port number) for the peer P2P communication with each other is acquired, and the VPN connection can be made directly. In order to acquire the external address / port information of the own apparatus, an external address / port acquisition request is transmitted to the STUN server 201 and the external address / port information returned from the STUN server 201 is received.

  In addition, before performing the P2P communication, the communication may be once started via the call control server 202, or the communication via the server using the relay server 203 may be performed. In this case, the VPN communication with the communication partner can be performed in a shorter time. Can start.

  Next, communication failure detection processing in this embodiment will be described. FIG. 6 is a flowchart showing an operation algorithm of communication failure detection processing in the IP communication apparatus (VPN apparatus) of this embodiment. Here, as communication failure detection processing, the state of communication is periodically monitored during P2P communication to determine whether or not a communication failure has occurred. The processing example of FIG. 6 shows an example applied to a communication method for performing a keep-alive confirmation operation (confirmation of keep-alive packets) with a communication partner, but there is a communication form in which this operation is not performed. In this case, it is possible to omit this process, but here, the description will be made on the assumption that a keep-alive confirmation operation with the communication partner is performed. This communication failure detection process is periodically executed by a predetermined timer as a periodic diagnosis during P2P communication.

  First, the communication failure detection unit 147 acquires the time when the Keep-alive packet was last received (step S11). The keep-alive packet transmission / reception process is executed by a routine different from this process. Keep-alive transmission is performed for the purpose of notifying the communication partner that the communication port of the NAT is maintained and the communication path exists at regular time intervals, and a Keep-alive message is transmitted to the communication partner. Keep-alive reception is for confirming that a communication path with a communication partner has been established. When a Keep-alive message is received, the reception time information is stored in the storage unit. Then, the communication failure detection unit 147 extracts the reception time information of the Keep-alive message from the storage unit, and acquires the final reception time.

  Next, the communication failure detection unit 147 calculates the non-reception time of the keep-alive packet from the last reception time of the acquired keep-alive packet to the current time, and whether the non-reception time has exceeded a predetermined specified value. It is determined whether or not (step S12). This default value corresponds to the communication route guarantee time, and here, it is determined whether or not the time for which the communication route is guaranteed has elapsed since the last reception of the Keep-alive packet.

  If the non-reception time of the keep-alive packet has exceeded the communication path guarantee time, the communication failure detection unit 147 has not received the keep-alive packet for a certain time in the communication path, and the communication path is not valid. Judged as stable (or non-existent). That is, the communication failure detection unit 147 determines that a communication failure on the current communication path has been detected by determining that the non-reception time of this Keep-alive packet has passed the communication path guarantee time. When a communication failure is detected by the communication failure detection unit 147, the call control function unit 143 executes a server-routed communication transfer process for transferring the current communication path to the relay server (step S13). The server-routed communication transition process will be described later.

  If the non-reception time of the keep-alive packet has not passed the communication path guarantee time, the communication failure detection unit 147 determines that the current communication path is valid, and then checks the communication state. . As an operation for confirming the communication state, first, an error occurrence rate (communication error occurrence rate) of a packet during communication is acquired (step S14). The communication error occurrence rate here is the rate at which a communication error has occurred after confirming the legitimacy of received packets, and it is assumed that statistical information is acquired by an independent control method separately from this processing. Then, the communication failure detection unit 147 determines whether or not the communication error occurrence rate has exceeded a predetermined specified value (step S15). As the specified value, for example, a predetermined error rate such as 60% is appropriately used to determine the occurrence of a communication error state.

  When the communication error occurrence rate exceeds the specified value, 1 is added to the number of times of error occurrence measurement (the number of times the communication error occurrence rate exceeds the specified value continuously) (step S16). Comparison with the specified value (step S17). The specified value for the number of error occurrence measurements is sent via the server when the determination of the communication error status (exceeding the specified value for the communication error occurrence rate) occurs for the periodic activation time of this algorithm (interval of P2P communication periodic diagnosis) It is a value that determines whether or not to perform the transition process to communication. In a normal network, an instantaneous communication error occurrence is an event that can occur sufficiently, so it is desirable to set the specified value to “1” or more. However, when a stable network environment is provided and no communication error occurs, it is allowed to set “0” as the specified value. The communication failure detection unit 147 compares the network environment and the specified value determined from the interval of this P2P communication periodic diagnosis with the error occurrence measurement count, and if the error occurrence measurement count exceeds the specified value, It is determined that a communication failure on the current communication path has been detected. When a communication failure is detected by the communication failure detection unit 147, the call control function unit 143 executes a server-routed communication transition process in step S13.

  If the error occurrence measurement count is equal to or less than the specified value in step S17, the communication failure detection unit 147 sets a timer for re-executing the P2P communication periodic diagnosis (step S18). If the communication error occurrence rate is equal to or less than the specified value in step S15, the communication failure detection unit 147 initializes the number of error occurrence measurements (step S19), and again executes the regular P2P communication periodic diagnosis in step S18. Set the timer.

  After the timer setting for performing the P2P communication periodic diagnosis, the process returns to step S11 due to the timeout of this timer and the same processing is repeated.

  In the above processing example, a method for detecting a communication failure due to successive occurrences of communication errors has been described. However, other methods, for example, a method for collecting communication state statistical information on a network and detecting a communication failure are similar. It is possible to get a function.

  Next, the server-routed communication migration process in this embodiment will be described. FIG. 7 is a flowchart showing an operation algorithm of server-routed communication transition processing in the IP communication apparatus (VPN apparatus) of this embodiment.

  The call control function unit 143 performs call control on the relay server use request for the P2P communication with the communication partner currently being performed when the communication failure detection unit 147 requests the server-to-server communication transition process by the communication failure detection process of FIG. It transmits to the server 202 (step S21). In response to this, the call control server 202 issues a relay instruction to the relay server 203, acquires the relay response from the relay server 203, and returns the relay server use response to the communication apparatus that has received the relay server use request. . Then, the call control function unit 143 receives the relay server use response from the call control server 202 (step S22), and determines whether or not the relay server can be used (step S23). If the relay server cannot be used, the process is terminated.

  When the relay server is available, the call control function unit 143 executes a transition process from the current P2P communication to the communication via the relay server (step S24). And the communication information from the relay server 203 is received (step S25).

  FIG. 8 is a sequence diagram showing a communication processing procedure between the devices at the time of transition from P2P communication to server-routed communication in the VPN system using the IP communication device (VPN device) according to the first embodiment. The server-routed communication transition process in the first embodiment will be described using this sequence diagram. Here, similarly to FIG. 5, processing in the case where the terminal 103 under the VPN apparatus 101 and the terminal 303 under the other VPN apparatus 301 communicate with each other via the WAN 200 in the network configuration in FIG. 1 is shown. .

  It is assumed that the VPN apparatus 101 and the VPN apparatus 301 are performing P2P communication by the process shown in FIG. 5 (S201). At this time, the VPN apparatus 101 performs P2P communication periodic diagnosis at predetermined intervals by the above-described communication failure detection process. Here, when an abnormality occurs in data communication and an abnormality (communication failure) in P2P communication is detected (S202), the VPN apparatus 101 transmits a relay server use request to the call control server 202 (S203). . When receiving the relay server use request from the VPN apparatus 101, the call control server 202 selects a relay server to be used and issues a relay instruction to the selected relay server 203 (S204). This relay instruction includes connection device information such as the external address / port information of the VPN device 101 that issued the relay server use request. The connection device information may include external address / port information of the VPN device 301 of the communication partner.

  When the relay server 203 receives the relay instruction from the call control server 202, the relay server 203 determines whether data communication can be relayed in its own device, and returns a relay response to the call control server 202 if possible (S205). When the call control server 202 receives the relay response from the relay server 203, the call control server 202 transmits a relay server use response message to the VPN apparatus 101 that has made the relay server use request (S206). In this relay server use response, external address / port information of the relay server 203 to be used is set as connection destination information. Further, when there is no relay server that can be used in the relay server selection process, the call control server 202 sets the relay server use NG information in the relay server use response, and the VPN server 101 that has made the request to use the relay server. Send to. As described above, the call control server 202 has a function of a communication transition control unit that determines whether or not a relay server can be used when a relay server use request is made, and performs transition control from P2P communication to communication via the server. Yes.

  The VPN apparatus 101 waits for reception of a relay server utilization response, and when receiving the relay server utilization response, confirms information set in the relay server utilization response message. Here, when the relay server usage NG information is set and there is no relay server that can be used, the transition processing to the relay server cannot be performed, so the server-routed communication transition processing is terminated as it is. Here, if a communication failure is detected at the timing of the next P2P communication periodic diagnosis, there is a high possibility that the communication transition process via the server will be performed again at that time, so the retry process is not performed.

  In addition, when the connection destination information is set in the relay server use response and the relay server can be used, the VPN apparatus 101 performs a process of transferring communication via the server to the relay server 203 selected by the call control server 202. Start. As a transition process to the relay server, a login process to the relay server 203 is performed (S207). When the login is successful and the login is completed (S208), the VPN apparatus 301 of the communication partner is communicated via the call control server 202. A relay server connection instruction message is transmitted (S209, S210). This relay server connection instruction includes external address / port information of the relay server 203 as connection destination information.

  Upon receiving the relay server connection instruction from the VPN apparatus 101 via the call control server 202, the communication partner VPN apparatus 301 performs login processing to the relay server 203 specified by the connection destination information (S211). When the login is completed (S212), the VPN apparatus 301 transmits a relay server connection response message to the VPN apparatus 101 that is the relay server connection instruction transmission source via the call control server 202 (S213, S214).

  When the VPN apparatus 101 receives the relay server connection response from the VPN apparatus 301 of the communication partner, the VPN apparatus 101 establishes a communication path for communication via the server with the relay server 203, and passes through the relay server 203, the VPN apparatus 301. Data communication is started by communication via a server (S215, S216). At this time, data communication is performed in the VPN apparatus 101 -the relay server 203 -the VPN apparatus 301 using a port for server communication. When a packet (data) is received from the communication partner VPN apparatus 301 via the relay server 203, the existing P2P communication session (communication) is terminated (S217). In this way, when a communication failure occurs during P2P communication, it is possible to automatically change from the P2P communication path to the server-routed communication path using the relay server, and to perform more stable communication.

(Second Embodiment)
The second embodiment shows an example of processing when a communication failure is detected in both IP communication devices (VPN devices) during P2P communication. The periodic diagnosis of the P2P communication shown in FIG. 6 can be performed by both apparatuses that perform communication. Here, a processing procedure when a communication failure is detected in both apparatuses is shown. In addition, it demonstrates centering on a different part from 1st Embodiment, and abbreviate | omits description about the same operation | movement.

  When the P2P communication periodic diagnosis is performed by both of the communicating devices, the communication failure process is started from the device that has detected the communication failure early to the relay server, so that the state of the communication failure is shortened. is there. However, when P2P communication is regularly diagnosed on both sides, there is a possibility that a communication failure will be detected at the same time, and a collision of processing that attempts to perform server-routed communication transition processing to the relay server on both sides may occur. Therefore, in the second embodiment, the processing state is managed in the call control server so as to avoid the collision of the processing in both apparatuses.

  FIG. 9 is a sequence diagram showing a communication processing procedure between the devices at the time of transition from P2P communication to server-routed communication in the VPN system using the IP communication device (VPN device) according to the second embodiment. With reference to this sequence diagram, a server-routed communication transition process in the second embodiment will be described.

  It is assumed that the VPN apparatus 101 and the VPN apparatus 301 are performing P2P communication by the process shown in FIG. 5 (S301). At this time, the VPN apparatus 101 performs P2P communication periodic diagnosis at predetermined intervals by the communication failure detection process described above. Here, when an abnormality occurs in data communication and an abnormality (communication failure) in P2P communication is detected (S302), the VPN apparatus 101 transmits a relay server use request to the call control server 202 (S303). . When receiving the relay server use request from the VPN apparatus 101, the call control server 202 selects a relay server to be used, and transmits a relay instruction including connection apparatus information to the selected relay server 203 (S304).

  Similarly, the VPN apparatus 301 of the communication partner performs P2P communication periodic diagnosis at predetermined intervals by the communication failure detection process described above. Here, when an abnormality occurs in data communication and an abnormality (communication failure) in P2P communication is detected (S305), the VPN apparatus 301 transmits a relay server use request to the call control server 202 (S306). . When the call control server 202 receives the relay server use request, the call control server 202 has already selected the relay server in the specified session (specified communication), that is, the target communication that has received the request to shift from the P2P communication to the communication via the server. Determine whether relay instructions are being issued. If the specified session is already instructed to be relayed, a response indicating that the relay server cannot be used is returned. In the case of the illustrated example, when receiving the relay server use request from the VPN apparatus 301, the call control server 202 determines whether a relay instruction in the designated session is being instructed (S307). In this case, since the relay instruction is in progress, the call control server 202 sets the relay server use NG information in the relay server use response, and transmits it to the VPN apparatus 301 that has made the relay server use request later (S308).

  When the relay server 203 receives the relay instruction from the call control server 202, the relay server 203 determines whether data communication can be relayed in its own device, and if possible, returns a relay response to the call control server 202 (S309). When the call control server 202 receives the relay response from the relay server 203, the call control server 202 transmits a relay server use response message including the connection destination information to the VPN apparatus 101 that has made the relay server use request (S310).

  The subsequent processing procedure from the login process (S311) of the VPN apparatus 101 to the relay server 203, the transition process to the server communication via the relay server 203, and the P2P communication end process (S321) is described above. This is the same as the processing of S207 to S217 in FIG.

  In this way, by managing the processing state on the call control server, even if both devices that are performing communication simultaneously transition to server-directed communication using a relay server, one of them is suppressed and a contradiction occurs. It is possible to shift to communication via a relay server.

(Third embodiment)
The third embodiment is a modification of the second embodiment, and shows another example of processing when a communication failure is detected in both IP communication devices (VPN devices) during P2P communication. Is. Here, similarly to the second embodiment, a processing procedure when a communication failure is detected in both apparatuses will be described. In addition, it demonstrates centering on a different part from 1st and 2nd embodiment, and abbreviate | omits description about the same operation | movement.

  FIG. 10 is a sequence diagram showing a communication processing procedure between the devices at the time of shifting from P2P communication to server-routed communication in the VPN system using the IP communication device (VPN device) according to the third embodiment. With reference to this sequence diagram, a server-routed communication transition process in the third embodiment will be described.

  It is assumed that the VPN apparatus 101 and the VPN apparatus 301 are performing P2P communication by the process shown in FIG. 5 (S401). At this time, the VPN apparatus 101 performs P2P communication periodic diagnosis at predetermined intervals by the communication failure detection process described above. Here, when an abnormality occurs in data communication and an abnormality (communication failure) in P2P communication is detected (S402), the VPN apparatus 101 transmits a relay server use request to the call control server 202 (S403). . When receiving the relay server use request from the VPN apparatus 101, the call control server 202 selects a relay server to be used, and transmits a relay instruction including connection apparatus information to the selected relay server 203 (S404).

  When the relay server 203 receives the relay instruction from the call control server 202, the relay server 203 determines whether data communication can be relayed in its own device, and if possible, returns a relay response to the call control server 202 (S405). When the call control server 202 receives the relay response from the relay server 203, the call control server 202 transmits a relay server use response message including the connection destination information to the VPN apparatus 101 that has made the relay server use request (S406).

  Similarly, the VPN apparatus 301 of the communication partner performs P2P communication periodic diagnosis at predetermined intervals by the communication failure detection process described above. Here, when an abnormality occurs in data communication and an abnormality (communication failure) in P2P communication is detected (S407), the VPN device 301 transmits a relay server use request to the call control server 202 (S408). . When the call control server 202 receives the relay server use request, the call control server 202 determines whether or not the relay server has already been assigned in the designated session, and if there is a relay server assignment, returns a response indicating that the relay server cannot be used. In the case of the illustrated example, when receiving the relay server use request from the VPN apparatus 301, the call control server 202 determines whether there is a relay server assignment in the designated session (S409). In this case, since there is a relay server assignment, the call control server 202 sets the relay server use NG information in the relay server use response, and transmits it to the VPN apparatus 301 that has made a relay server use request later (S410). .

  The subsequent processing procedure from the login process (S411) of the VPN apparatus 101 to the relay server 203, the transition process to the server-routed communication via the relay server 203, and the P2P communication end process (S421) is described above. This is the same as the processing in S207 to S217 in FIG. 8 and S311 to S321 in FIG.

  As described above, when the processing state is managed by the call control server, the transition processing to the server-directed communication using the relay server occurs simultaneously in both apparatuses performing communication as in the second embodiment. However, it is possible to suppress one of them and shift to communication via a relay server without contradiction.

  In the case where the VPN device recognizes the calling side and the called side, it is possible to perform the process of performing the P2P communication periodic diagnosis shown in FIG. In this case, the processing is the same as that of the first embodiment shown in FIG. When the P2P communication periodic diagnosis is performed with only one of the devices, the event that the relay server use request collides as shown in FIGS. 9 and 10 does not occur, and it is not necessary to consider complicated processing. This has the effect of simplifying the server-routed communication migration process.

  As described above, in this embodiment, when P2P communication is performed with a partner device, a keep-alive packet from the partner device is not received for a predetermined time or more, and an error occurrence rate of a specified value or more continues for a predetermined time or more. Thus, a communication failure that makes it difficult to continue P2P communication is detected. When a communication failure is detected, the process shifts from P2P communication to communication via a server using a relay server. As a result, when any failure occurs during P2P communication, the communication path can be automatically switched to a stable communication path via the relay server, and a stable communication service can be provided. Therefore, according to the present embodiment, recovery processing when a communication failure occurs can be normally executed, and stable communication can be continued.

  The present invention is intended to be variously modified and applied by those skilled in the art based on the description in the specification and well-known techniques without departing from the spirit and scope of the present invention. Included in the scope for protection. Moreover, you may combine each component in the said embodiment arbitrarily in the range which does not deviate from the meaning of invention.

  INDUSTRIAL APPLICABILITY The present invention has an effect that it is possible to continue stable communication even when a communication failure occurs during P2P communication, and a VPN device that establishes a route between a plurality of networks and communicates with each other, IP communication It is useful as a device.

100, 300 LAN
101, 301, 511, 512 VPN device 102, 302 Router 103, 303 Terminal 111 Microcomputer (CPU)
112 Non-volatile memory 113 Memory 114, 115 Network interface 116 LAN side network control unit 117 WAN side network control unit 118 Communication relay unit 119 Display control unit 120 Display unit 130 System control unit 131 Subordinate terminal management unit 132 Memory unit 133 Data relay unit 134 Setting Interface Unit 135 External Address / Port Information Storage Unit 140 Communication Control Unit 141 External Address / Port Acquisition Unit 142 VPN Function Unit 143 Call Control Function Unit 145 Cryptographic Processing Unit 147 Communication Failure Detection Unit 200, 500 WAN
201 STUN Server 202 Call Control Server 203, 503 Relay Server 521, 522 NAT Router 531, 532 Communication Device

Claims (8)

In an IP network, a VPN device that establishes a virtual private network and communicates with a partner device,
A communication failure detection unit that detects a communication failure that makes it difficult to continue P2P communication when performing P2P communication with the counterpart device;
A communication control unit that performs a transition process to communication via a server that is communication via a relay server provided in the IP network when the communication failure is detected;
VPN device comprising: The VPN device according to claim 1,
The communication failure detection unit determines that a communication failure has occurred when no Keep-alive packet has been received for a predetermined period of time based on reception of the Keep-alive packet from the counterpart device during the P2P communication. apparatus. The VPN device according to claim 1,
The communication failure detection unit generates a communication failure when a state in which the error occurrence rate exceeds a predetermined value continues for a predetermined time or more based on an error occurrence rate of communication with the counterpart device during the P2P communication. VPN device that determines that. The VPN device according to claim 1,
The communication control unit transmits a request for using a relay server that performs communication via the server to a call control server that controls connection with the counterpart device when performing the transition process to communication via the server, A VPN device that connects to a specified destination relay server and starts communication with the counterpart device via the relay server when a response to use of the relay server is received from the call control server. An IP communication device that communicates with a partner device in an IP network,
A communication failure detection unit that detects a communication failure that makes it difficult to continue P2P communication when performing P2P communication with the counterpart device;
A communication control unit that performs a transition process to communication via a server that is communication via a relay server provided in the IP network when the communication failure is detected;
An IP communication apparatus comprising: A server device having a function of a call control server for controlling connection between a plurality of communication devices in an IP network,
When the plurality of communication apparatuses are performing P2P communication, if a request for using a relay server provided in the IP network is received from any one of the communication apparatuses, it is determined whether or not the relay server can be used, and the relay A response to the use of the relay server including connection destination information to the server is returned to the communication device that has made the use request, and the communication device is connected to the relay server, so that the communication from the P2P communication to the communication via the server is performed. A server device including a communication transition control unit that performs transition control. The server device according to claim 6,
When the communication transition control unit receives a request to use the relay server, if the relay is already instructed for the specified communication, or if there is a relay server assignment, the relay server cannot be used. A server device that returns a response to the communication device that has made the use request. In an IP network, a communication method in a VPN device that performs communication by constructing a virtual private network with a partner device,
Detecting a communication failure that makes it difficult to continue the P2P communication when performing the P2P communication with the counterpart device;
Performing a transition process to communication via a server, which is communication via a relay server provided in the IP network when the communication failure is detected;
A communication method comprising:

Images