JP2000228674A - Address assignment method for communication between multiple sites, communication method between multiple sites, and connection device thereof - Google Patents

Abstract

(57) [Summary] [PROBLEMS] To provide a communication method and a connection device between a plurality of locations without overlapping private addresses between the locations and without consuming a large amount of global address addresses. SOLUTION: In a network connecting a plurality of bases, for communication data on a communication path between one base to which a terminal as a connection destination candidate belongs and a connection source, the connection destination address is set to the connection destination terminal. By converting the address into an address, the connection destination of communication data having the same connection destination address is allocated.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a multi-site VPN.
Method and apparatus for supporting connection. More specifically, the present invention relates to a method and an apparatus for coping with a case where addresses used by a plurality of bases in a VPN connection apparatus may be duplicated.

[0002]

2. Description of the Related Art In recent years, as a means for connecting a plurality of bases divided by a global network, a VPN (Virtual
Private Network (virtual private network) is used. V
The PN is realized by a technique such as VPN tunneling described later. In the communication using the VPN, communication data is encrypted as necessary. As a result, communication via a network such as the Internet where there is a possibility of eavesdropping or tampering can be performed with security as if it were a communication when a dedicated line is connected.

[0003] VPN tunneling is a technique in which a VPN connection device that functions as a relay device attaches a new destination address and a source address to the entire communication data, and transmits the new data to the destination VPN connection device. At this time, the original data is encrypted as necessary. The newly added connection destination address and connection source address are the VPN of each base.
This is the address of the connection device. The data transmitted from the VPN connection device is restored to data having the original transmission source address and transmission destination address at the VPN connection device at the connection destination. As a result, this VPN tunneling can be used as long as the VPN connection device at each site has a global address.

There are various methods for implementing VPN tunneling. As one of the methods, a virtual interface connected to the same virtual network (referred to as a VPN tunnel) is added to the VPN connection devices at both bases using the VPN, and communication data passing through the VPN tunnel is added to the VPN interface. There is a method of performing VPN tunneling. That is, communication data that enters the VPN tunnel through the virtual interface added to the VPN connection device is V
Encryption is performed as necessary by the PN connection device, and VP
After being reconfigured as communication data addressed to the VPN connection device at the VPN connection destination from the N connection device, the data is delivered. Here, the reconstructed data is transmitted not through the virtual interface but through the real interface of the VPN connection device.
Arrives at the real interface of the PN connection device. The VPN connection device that has received this data decrypts the data using the encryption key for the transmission source VPN connection device as necessary, and restores the original data. Here, the restored data has an initial source address and destination address. This data is handled as data that has entered the VPN connection device via the virtual interface of the restored VPN connection device.

[0005] When this method is used, the specification of the encrypted communication can be treated as the specification of the routing, so that the application does not need to perform the control for the encrypted communication. Note that a VPN in which one side of the VPN tunnel is directly connected to a client machine (client terminal) is referred to as an end-to-station type VPN.
And is distinguished from a station-to-station type VPN which is an ordinary system.

However, when a plurality of locations are interconnected by a VPN or the like, private addresses used at the locations may be duplicated. In this case, the connection cannot be made as it is. This is called a private address duplication problem. Also, even if the private addresses used by the connecting bases do not overlap,
If a certain base has a higher-level base that includes the higher-level base, it occurs even if the private addresses used including the higher-level base are duplicated. For example, a certain base A
Recognizes the private address used by the higher-level base B that includes it as the connection destination, the base A
If the site C uses the address used by the higher site B when connecting to the other site C, the machine in the site A cannot identify the machine indicated by the address. Therefore, the problem of duplicate private addresses is
Among the sites recognized as the connection destination, the site must be considered based on whether or not it occurs at the highest site including the site.

[0007] The "global address" is a machine identifier uniquely prepared in a global network such as the Internet. In order to use a global address, an application for the appropriate authority is required. The number of global addresses currently used on the Internet is becoming increasingly short, and it is difficult to secure a large number of new global addresses. This problem is called the global address exhaustion problem.

[0008] A "private address" is an address that can be arbitrarily assigned and used by a user. Generally, communication data using a private address as a source address or a destination address
It is forbidden to flow directly to global networks such as the Internet. However, VPN described later
If the private address is concealed by adding a new global address as a source or destination address by a technique such as tunneling, such data is allowed to leak to the global network.

[0009] The term "base" refers to a network or sub-network or a single terminal to which a plurality of terminals are connected. LANs and intranets are examples. In some cases, each base independently manages terminals and host machines using an address system based on private addresses.

Conventionally, as described above, the problem of duplication of private addresses that occurs at the time of VPN connection, etc.
The following methods have been adopted.

(A) Abandonment of External Connectivity During the VPN connection, the machine in the own site is prevented from being connected to any machine other than the machine in the connection destination site.

(B) Address Replacement Addresses of at least one site are re-assigned so as not to be duplicated between sites.

(C) Replacement of Global Address In the case of the above (B), a global address is used as a relocation address. According to this method, the problem of address collision does not occur when a base to which a global address has been assigned once makes a multiplex VPN connection thereafter. In this respect, this method can be said to be superior to (A). Here, “a certain location (hereinafter, referred to as a location A) makes multiple VPN connections” means that the location A makes a VPN connection simultaneously with a plurality of locations B to Z. At this time, it is not necessary that machines belonging to the partner site can be connected between the different sites B to Z that are VPN-connected to the site A.

(D) Use of non-common alias address by address translation device An address translation device is installed at a connection boundary point between bases, and an alias address is used. The alias address is prepared by the manager of each site in the address system at each site with respect to the address of the machine at the partner site and registered in the address translator. An alias address is used as the address of the other party in the base, and the alias address used as the transmission destination address of the communication data is converted into an actual address by the address conversion device when the communication data enters the base of the other party. At the same time, the source address is replaced with the alias address at the destination base.

(E) Use of a common alias address by the address translator An address that is not duplicated between the sites to be connected is confirmed and operated as a common alias in the same manner as in (D) above. (D)
There is an advantage that management becomes easier than in the case of.

(F) Use of a Common Alias Address Without an Address Translator In the case of (D), the machine in the connection base can directly handle the alias address.
Unlike the above (D), no address translation device is used. Use the alias address when connecting to the machine at the other site.

(G) Use of Global Address as Alias Address In the cases of (C), (D) and (E), a global address that is properly obtained is used as an alias address. It is characterized in that it is not necessary to refer to the address information of each base when preparing for connection.

[0018]

SUMMARY OF THE INVENTION An object of the present invention is to solve all the following problems. The following issues are:
In some cases, the method is partially solved by a conventional method, but there is no method that solves all of the problems except the present invention.

Problem 1. Secure connectivity All machines in two sites that perform VPN connection can communicate with each other before VPN connection (including machines outside the site)
And means for maintaining connection after the VPN connection. The method (A) does not satisfy this condition.

Problem 2. Avoidance of Address Replacement In the above methods (B) and (C), address replacement work generally requires a great deal of trouble. In addition, in the case of a network that has already been operated, it is often not possible to make a change, so this is not a practical method. In view of the above, there is provided means capable of continuing to use the address used conventionally.

Problem 3. Non-use of management information at one site In the above methods (D), (E), and (F), the operation of preparing an alias address within the range of a private address does not conflict with the management policy at the site. There is a need. For this reason, it is desirable that a person having the authority of the administrator makes the determination, but this is generally troublesome. Therefore, a means is provided that does not require reference to the management policy in at least one site.

Problem 4. Avoidance of Address Negotiation In the above methods (E) and (F), prior to VPN connection, it is necessary to specify a non-overlapping range in the address system of a plurality of sites to be connected. The negotiations that take place for this identification are generally time-consuming. Therefore, means for establishing a connection without such negotiation work is provided.

Problem 5 Avoidance of resetting at the time of multiple connection In the above methods (B), (E), and (F), when another site is connected, an address that has not been duplicated at the previous two sites may newly be duplicated. . In this case, it is necessary to prepare a new non-overlapping address and prepare an alias address of the connection host again. This operation is generally troublesome. In view of this, there is provided means capable of performing a new VPN connection without resetting the conventional VPN connection environment.

Problem 6. Non-Disclosure of Address Information In the methods (B), (D), (E), and (F), it is necessary to provide address information of each other's base when performing a VPN connection. This is undesirable for security.
In view of this, there is provided means capable of VPN connection without providing address information of each other.

Problem 7 Simplification of setting of one-side base In the methods (B), (D), (E), (F), and (G), the VP
Procedures related to addresses required for VPN connection at both sites that perform N connection (addressing to a virtual interface added to the VPN connection device within the own site, preparation of an alias address of the machine at the other site) is necessary. In view of the above, a means capable of VPN connection is provided if one of the sites performing the VPN connection performs a procedure regarding an address required for the VPN connection. This means that the burden on the user is reduced when one side is considered to be the user. This also includes the problem 6.

Problem 8. Avoidance of Global Address Mass Consumption In the cases of (C) and (G), global addresses are required for the number of machines connected via VPN. Therefore, when the number of machines is large, it is difficult to realize this method because it is difficult to obtain a large number of global addresses in the current Internet address system (IPv4). Therefore, a means is provided that enables VPN connection by using a small number of global addresses.

Problem 9 Avoiding an increase in global address consumption when the number of connection points increases In the above-mentioned problem 8, when the point S performs multiple VPN connections to a plurality of points, the number of connection destination points viewed from the point S increases. To provide a means by which the number of global addresses used does not increase.

[0028]

The present invention is based on and extends the conventional method (D) based on the "non-common alias addressing method using an address translator". By adopting the conventional method (D) as a basis, problem 1 (ensure connectivity), problem 2 (avoid address reassignment), problem 4 (avoid address negotiation), problem 5 (reset of multiple connection) Avoidance) is achieved. In the method (D), the problem 8 (avoidance of the large consumption of global addresses) and the problem 9 (the avoidance of the consumption of the global addresses when the number of connection bases is increased) are not directly related. Consideration is required because a global address is used as described later.

The reason why the present invention raises the problems of the other method in the present application, although it is based on the method (D), is that when the method (D) is extended, the other method is used. This is to specify that no problems will be introduced.

The VPN system used in the present invention is as follows.
The second base and the first base are connected in an end-to-station type. Therefore, that is, among the machines (terminals) on the client site side, which is the second site, the VPN
Only one device connects via a tunnel per VPN tunnel. The machine is the client machine itself to which the virtual interface of the VPN tunnel is added. Since the address used as the source of the communication data is the address of the interface from which the data is output, of the communication data passing through the inside of the VPN tunnel, the address used to represent the client machine is: Only the address of the virtual interface. Further, the server-side base, which is the first base, is a LAN to which a plurality of machines are connected.

In the present invention, in addition to the above-mentioned method (D), two further measures are taken. These two ideas are the essence of the present invention. Hereinafter, the contents will be described.

The first idea is to use a global address as an address newly recognized by the client at the time of VPN connection. When a VPN connection is made, the VPN
The connecting machine recognizes the new address in addition to the address used before the connection. They are the two addresses of the virtual interface at both ends of the VPN tunnel and the addresses of the machines in the server site, which is the first site to which the client connects. When the method (D) is used, an address newly recognized on the client side is different from an address recognized on the server base side. Of these, the global address is used only for the address recognized by the client side, and the server side allocates the private address on the server base side in the same manner as in the above method (D). The global address used here is not used for routing in the global network, but is an address used only inside the VPN.

The above-mentioned problems 3, 6, and 7 are solved by the first device. The reason will be described below.

First, the reason why Problem 3 (non-use of management information at one site) is solved will be described. In this ingenuity, the second
Only the global address will be newly recognized by the client base that is the base. The global address does not overlap with the private address used in the client site. Therefore, when the user at the client site sets the operation of the address translator, the user inputs information of a private address not used on the client side, and performs communication via a VPN among the machines at the client site. You do not need to enter the machine address (private address). This solves the problem 3.

Next, the reason why Problem 6 (non-disclosure of address information) is solved will be described. The address information that should not be disclosed is information of a private address used in each site. If this method is used, the second
The settings required at the client site, which is the base, need only be for establishing the VPN connection between the VPN connection device of the client and the VPN connection device at the server site, which is the first base. The address used on the client side at this time is the address used on the firewall at the client site, and is the address of the VPN server on the firewall at the server site. This address is used as an address added after being encapsulated by VPN tunneling. At the time of the setting, the information of the private address in the client site is not required, so that the leakage of this information can be avoided. Here, the access from the server site to the client machine via the VPN tunnel uses not the private address of the client machine but the address of the virtual interface on the client side. Also, at the server site, a private address used at the server site is assigned to each client instead of being aware of the global address as the address of the client. However, this assignment only needs to be set to the device installed at the server site. Therefore, the information is not notified to the client base, and the address information does not leak.

In order to achieve the task 7 (simplification of setting of one site), in this method, a global address as an address recognized by the client is prepared in advance at the server site. And the end-to-station type VP
As a feature of N, the address assignment of the virtual interface on the client side, which is the second base, can be performed from the server base, which is the first base, and this is used.

A second contrivance is to use the same global address to indicate a plurality of machines.
In other words, the same set of addresses is used as addresses recognized by a plurality of client sites, even if the addresses indicate different machines.

By the second contrivance, the problem 8 (avoidance of global address mass consumption) and the problem 9 (avoidance of global address consumption increase when the number of connection bases is increased) are solved.

[0039]

DESCRIPTION OF THE PREFERRED EMBODIMENTS (First Embodiment) Hereinafter, communication between a plurality of locations according to a first embodiment of the present invention will be described with reference to FIG. FIG. 1 is a network configuration diagram. In the figure, "<>" is attached to the real address, and "()" is attached to the alias address to distinguish between them. In the figure, the solid line arrow indicates a group in which a connection request exists, and the dotted line indicates a VPN tunnel.

As shown in FIG. 1, the first base 100 and the second bases 200-1 to 200-n are connected via a network 1 based on a global address such as the Internet. Therefore, in the present embodiment, a VPN is provided between the first base 100 and the plurality of second bases 200-1 to 200-n using the network 1.
And construct the first base 100 and the second bases 200-1 to 200-1.
The communication is performed between 200-n. Note that the second bases 200-1 to 200-n are respectively connected to the third base 30.
0-1 to 300-n. For example, there is a case where the relation between the third base and the second base is a relation of one network and its sub-network.

Here, the VPN connection is established by the end
It is a to-station type. That is, the second base 2
Client machines 201 in 00-1 to 200-n
Only one (client terminal) is installed (201-1 to 201-n in FIG. 1). In addition, each base 2
00-1 to 200-n client machines 201-1
To 201-n are VPN connection function units 202-1 to 201-n, respectively.
202-n are implemented. Each client machine 2
01-1 to 201-n have their own private addresses PAC1 to PACn. Also, each of the client machines 201-1 to 201-n has a global address GAC1 to GACn in addition to the private address.
have. Each of the second bases 200 has an address conversion unit (not shown) such as a PROXY server or a firewall for converting a private address of the client machine 201 into a global address. As a result, the second base 200 can directly communicate with the network 1 and establish a VPN. In addition,
Each client's private address is
May be duplicated between the bases 200.

At the first base 100, one VPN connection function unit 111 is provided in the main device 110. This VPN connection function unit 111 has its own private address PAS0. Also, the VPN connection function unit 111
Has a global address GAS0 in addition to the private address PAS0. This allows direct communication with the network 1 and construction of a VPN. The main device 110 is provided with an address conversion function unit 112.

The first base 100 has a main unit 11
0 are connected to a plurality of machines 101-1 through 101-n via a LAN. Each machine 101-1 to 101-n
Are the private addresses PAS11-PAS, respectively.
1n. These private addresses PA
S11 to PAS1n may overlap with the private addresses PAC1 to PACn of the client machines 201-1 to 201-n of the second base 200.

Hereinafter, the first base 100 and the second base 20
The basic procedure of communication between 0 will be described. In addition,
In the following description, a symbol starting with PA as a symbol representing an address represents a private address, and a symbol beginning with GA represents a global address.

(1) Preparation for VPN Connection First, as preparation for VPN connection, the second base 200-1
To 200-n VPN connection function units 202-1 to 202-
n is registered in advance as a target that the connection function unit 111 of the first base 100 receives a connection request. Hereinafter, the machine 101-1 in the first base 100 and the second base 200-1
The following describes an example of communication between the machines 201-1 in the inside.

The first base 100 is provided with an alias address PAS31 to be allocated to the virtual interface of the client machine 201-1 after the VPN connection and the VPS of the first base 100.
A real address PAS21 of a virtual interface to be added to the PN connection function unit 111 is prepared. These are both private addresses in the first base 100.

Here, there are two methods of address allocation: a method of static allocation at the time of registration and a method of dynamic allocation at the time of establishing a VPN connection, and the present invention does not limit which one is used. Here, the former is statically allocated.
At this time, if necessary, an encryption key is prepared. The data encrypted with the encryption key prepared on one side can be decrypted with the encryption key prepared on the other side. The method does not limit whether the encryption key is common or non-common.

In the present invention, each client machine 2
The global addresses for the alias addresses of the machines 101-1 to 101-n in the first base 100 are actually assigned to the machines 101 in the first base 100 for each of 01-1 to 201-n.
-1 to 101-n. Here, since the client machine 201-1 has a connection request to the machine 101-1, the global address GA1 is changed to the real address PAS of the machine 101-1.
11 is set. This setting is reflected in the operation of the address conversion function unit 112.

Further, global addresses GA2 and GA3 to be used at the time of address assignment described later are prepared in advance. The global address GA1, the global address GA2, and the global address GA3 are preferably used within the range that has been applied to a predetermined authority (for example, NIC if the global network is the Internet). Thus, when the client machine 201 connects to a location other than the first location 100 at the second location 200, the global address does not overlap with the other connection destination.

(2) Issuing a connection request After that, the client machine 2 in the second base 200-1
The flow of processing when connecting from 01-1 to the machine 101-1 in the first base 100 will be described. First, the VPN connection function unit 202 of the client machine 201-1
-1 issues a connection request to the VPN connection function unit 111 of the first base 100.

(3) Authentication of Client The VPN connection function unit 111 is connected to the client machine 201-
Authentication is performed to confirm that 1 is a registered client machine.

(4) Establishment of VPN Connection VPN Connection Function Unit 202-1 and VPN Connection Function Unit 11
1 is the client machine 201-1 and the first base 100
Establish a VPN connection between This refers to making the virtual interface and the VPN tunnel available.

The address required at this time is the first base 1
The one registered in advance in the VPN connection function unit 111 on the 00 side is used. This address is the PAS 21 as the real address for the virtual interface added to the VPN connection function unit 111 on the first base 100 side, GA2 as its alias address, and the VP on the client machine 201-1 side.
There are a total of four addresses, GA3 as the real address for the virtual interface added to the N-connection function unit 202-1 and PAS31 as its alias address. Thus, in this method,
The real address of the virtual interface added to the client uses a common global address GA3 for each first base 100, and the address added to the virtual interface of the VPN connection function unit 111 of the first base 100 is Use the one registered in advance in (1) above.

As described above, the first base 100 and the second base 2
A VPN was established between 00-1. Hereinafter, a process in which the client machine 201-1 communicates with the machine in the first base 100 via the VPN tunnel will be described.

(5) Transmission of communication data from the client machine to the machine in the first base 100 Communication is performed from the client machine 201-1 to the machine 101-1 in the first base 100. At this time, the communication data goes to the machine in the first base 100 via the VPN tunnel. The address GA3 of the virtual interface is added as a source address to data generated by the client machine 201-1 and first output to the VPN tunnel. This address is, as shown above, the first
The base 100 has a fixed global address regardless of the client machine. The global address GA1 which is the alias address of the machine 101-1 is used as the destination address of this data. Here, this address is the global address associated with the machine 101-1 in the above (1).

(6) Distribution of Connection Destinations The address conversion function unit 112 in the main device 110 at the first base 100 transmits the transmission destination address and the transmission destination of the communication data entered from the virtual interface via the VPN tunnel. The original address is converted to a private address used in the first base 100. The address conversion function unit 112 manages the addresses of the machines to which each client machine connects, and sorts the connection destinations by changing the addresses to appropriate transmission destinations. At this time, since an individual VPN tunnel is to be used for each client machine, it is recognized from which client the data comes from a virtual interface through which the data passes. In the case of communication data from the client machine 201-1, the destination address GA1 is set to PAS1
Convert to 1. If there are a plurality of machines connected to the client machine in the first base 100, the connection destination is specified according to the destination address before the conversion. Further, the source address is changed to the alias address of the client used in the first base 100 prepared at the time of the client registration in (1). Client machine 201-
In the case of communication data from 1, the source address is converted from GA3 to PAS31.

(7) Communication to Client Machine For communication from a machine in the first base 100 to a client machine in the second base 100, the reverse of the address conversion shown in the above (6) is performed. To do. At this time, communication data having an address in the first base 100 attached to the client machine as a destination address must pass through a VPN tunnel connected to the client machine. This may be realized by a data delivery control mechanism in the first base 100.

(Second Embodiment) Next, communication between a plurality of locations according to a second embodiment of the present invention will be described with reference to FIG.
This will be described with reference to FIG. FIG. 2 is a conceptual diagram illustrating a network connection request, and FIG. 3 is a network configuration diagram. The same elements as those in the first embodiment are denoted by the same reference numerals.

In the present embodiment, as shown in FIG. 2, a plurality of client machines 20 in the second base 200-0 are
A case where there is a request that 1-01 to 201-0m want to connect to the machine 101-1 in the first base 100 via VPN will be described.

Even in such a connection form, if the network configuration is changed as shown in FIG. 3 by the following procedure, the number of machines in the base on the client machine side is reduced to one, and the basic configuration shown in FIG. Can be applied to This solves the aforementioned problem 8. (1) Client machines 201-01 to 201-0m
Of all the VPN connection function units 202-01 to 202-
0 m is built in. (2) Client machines 201-01 to 201-0m
It is assumed that there are partial bases 210-01 to 210-0m each including only one machine as a component. (3) An individual VPN is constructed from the partial bases 210-01 to 210-0m to the first base 100.

(Third Embodiment) Next, communication between a plurality of locations according to a third embodiment of the present invention will be described with reference to FIG.
This will be described with reference to FIG. FIG. 4 is a network configuration diagram. The same components as those in the first and second embodiments are denoted by the same reference numerals.

In this embodiment, as in the second embodiment, a plurality of client machines 201-01 to 201-0m in the second base 200-0 are connected to the first base 100 via the VPN. The case where there is a request to connect to the machine 101-1 in the server will be described.

As shown in FIG. 4, the second base 200-0
A VPN connection device 202-0 is installed in the main site 110 of the first base 100.
Make a PN connection. Here, it is assumed that the VPN connection device 202-0 has a built-in conversion unit 220 having a function of replacing the source address of communication data from the client machines 201-01 to 201-0m with its own address. In the Internet world, this technology is called "IP masquerade" or "NAPT". This makes the first
From the base 100 of the client machine 201
All communications from -01 to 201-0m appear to be from VPN connection device 202-0. Each of the client machines 201-01 to 201-0m has a private address PA of the third base 300-0.
Assuming that C01 to PAC0m are attached, first, communication data having this address as a source address is
When passing through the PN connection device 202-0, the address GA3 of the VPN connection device 202-0 is replaced as the source address. Further, this address is replaced with the alias address PAS30 when passing through the address conversion function section 112 of the main device 110, similarly to the address shown in FIG.
The PAS 30 is a private address of the first base 100. As described above, the configuration shown in FIG. 1 can be replaced by considering the site 200-00 including only the VPN connection device 202-0 as the second site.
Problem 8 can be solved by this method. The same method can be used not only at the second base on the client side but also at the first base on the server side, but is omitted here.

(Fourth Embodiment) Next, communication between a plurality of locations according to a fourth embodiment of the present invention will be described with reference to FIG.
This will be described with reference to FIG. FIG. 5 is a network configuration diagram. Note that the same components as those in the above-described embodiments are denoted by the same reference numerals.

In the present embodiment, the second base 200-1
Are a plurality of machines 201-1 and 2 in the first base 100.
The case where connection is made to 01-2 is shown. In this case, VPN
Global addresses (two of GA11 and GA12) are required for the number of machines connected via the tunnel.
The total number of global addresses used as alias addresses of the machines in the first base 100 is
Among the second bases 200-1 to 200-n connected to
This is the maximum value of the total number of machines in the first site 100 that are simultaneously connected. Here, this number is not affected by the number of the first bases 200 as client bases. Therefore, the problem 9 is still solved.
That is, for example, as shown in FIG.
-2 connects to the machine 100-2 in the first base 100, the global address GA11 can be used as an alias address assigned to the machine 100-2. That is, the same address as the alias address used for the connection between the second base 200-1 and the first base 100 can be used when the second base 200-2 and the first base 100 are connected. .

(Fifth Embodiment) Next, communication between a plurality of bases according to a fifth embodiment of the present invention will be described with reference to FIG.
This will be described with reference to FIG. FIG. 6 is a network configuration diagram. Note that the same components as those in the above-described embodiments are denoted by the same reference numerals.

In the present embodiment, a case is shown where the second base 200-1 and the second base 200-2 connected to the first base 100 communicate with each other. In this case, when viewed from the second base 200-1, the client machine 201-2 in the second base 200-2 appears to exist in the first base 100. Conversely, when viewed from the second base 200-2, it looks as if the client machine 201-1 in the second base 200-1 exists at the first base 100. In this case, each other is aware of the same address GA1 as the address of the other party.

Further, by preparing a plurality of main devices 100 corresponding to different VPN systems, it becomes possible to perform VPN communication between different models.

[0069]

According to the present Internet address system (IPv4), the problem of global address shortage is considered to be serious. Further studies are underway on a new address system (IPv6) with sufficient global addresses, but it is believed that it will take some time before this new address system becomes mainstream. I have. Moreover, it is said that the currently used address system will not be used on the Internet, and that the coexistence environment will continue in the future.

On the other hand, in an environment where a large number of addresses can be used, the method of using the computer network will change. For example, technology that makes one host machine virtually appear as a plurality of machines makes it possible to handle a large number of small environments. In this case, a large amount of addresses are consumed. It is also conceivable to construct an extranet in such a way that one machine is virtually connected to a plurality of networks. The present invention takes such an extranet construction into consideration. In this case, a single machine uses a plurality of addresses, so that a large number of addresses are required for the entire network. Thus, in realizing these, the problem of global address exhaustion is a major obstacle.

As a countermeasure against the global address exhaustion problem, private addresses are being widely used in each base. However, with the development of the extranet in recent years, the situation where a plurality of bases are connected by VPN has been increasing, and the problem of duplication of private addresses occurring at this time has become serious. Conventionally, a great deal of setting work has been required to solve this problem.

As described above, in the present invention, the role of the connection base in relation to the VPN connection is divided into the first base on the server side and the second base on the client side. By installing the device, it is possible to reduce the setting load on the second base in the case of a VPN connection that may cause duplication of private addresses.

This is achieved by using a global address as an alias address to avoid address duplication and by using a limited and small number of global addresses for connection to a large number of client bases without restriction. Is achieved.

Also, by providing addresses under the IPv6 address system instead of using private addresses at the first site on the server side, a coexistence relationship between the current address system and the new address system can be realized. Therefore, in the server rental service shown in the embodiment, I
A coexistence environment of Pv4 and IPv6 can be constructed by this method. The present invention can be said to be useful as long as the service target supports the base of the current address system.

In the present invention, the following application examples can be considered.

Example 1 Server rental service Provides various servers, electronic bulletin boards, file sharing environments, etc. over a network. The security of the communication path is ensured by the VPN. By connecting machines belonging to multiple companies as clients, an extranet can be easily realized.

The advantage is that the initial investment cost can be reduced by taking the form of rental.
It can be used immediately when needed, can be operated in a short period of time, and can be outsourced to a service provider for server management. In addition, since the connection from the inside to the outside is often permitted in the setting of the corporate firewall, it can be a means for easily constructing the extranet environment.

When performing this service on a large scale, it becomes necessary to solve the problem of global address exhaustion and the problem of duplication of private addresses. According to the present invention, this problem can be solved in a form in which the burden of setting on the client side is small.

Example 2 In-house server central management center Using this method, a centralized application management center is built in the company. The advantage of building a centralized management center is that by centrally managing application environments that have been dispersed in the enterprise, the total cost of ownership
p: total cost of ownership). For example, reduce the cost of upgrading software, reduce the cost of enhancing equipment installation environment to protect important information, and reduce the human cost by concentrating human resources with system management skills There are things.

In a company, information that is desired to be prevented from being leaked to other departments may be handled. Therefore, it is possible to use a VPN using encrypted communication for each department, so the use of a VPN is useful. The centralized management center shown here is also useful for providing a network environment for forming a group spanning departments.

By utilizing the present invention, centralized management becomes possible even when the private addresses are used in different departments.

Example 3 Application Server Rental Service The conventional distribution form of an application is that the application is sold as a package and the customer installs and uses it on his or her own machine. It is considered that the present invention is utilized to enable a customer to access a server device in a service center via a network. Advantages of this service include that it is possible to provide a variety of fee collection methods such as pay-as-you-go billing according to the number of usages, and that equipment changes on the client side can be minimized. The present invention is characterized in that there is little restriction on the protocol to be used because a VPN is used for ensuring secure communication. Note that this service also has the same problems as those in Example 1, and these are solved by the present invention.

Example 4 VPN Connection Relay System Consider a case where a plurality of bases that have a request for VPN connection perform connection via a relay system. The first base which is the server base in the present invention functions as the relay system referred to here, and the V of the second base which is the client base is used.
Relays PN connection. When the relay center is useful, this relay system is used as a means for solving the problem of duplication of private addresses, or even one of the connection points is a VPN due to a firewall traversal problem.
There are cases where the connection cannot be awaited, and cases where the connection is made without disclosing the network information of each site.

However, since this method assumes that there is only one client machine at the second base, access to a machine at a higher base to which the client machine belongs is considered instead of one client machine as a connection destination. In some cases, as shown in FIG. 4, an IP masquerade function or the like that makes another machine appear to be a client is required.

Example 5 Heterogeneous Cryptographic System Relay System In the embodiment shown in the above Example 4, by installing a plurality of main devices based on different VPN systems at the first site which is a server side site, VPN connection devices of different systems can be installed. It can be a relay system for connecting the bases that have them.

[Brief description of the drawings]

FIG. 1 is a network configuration diagram

FIG. 2 is a conceptual diagram illustrating a network connection request.

FIG. 3 is a network configuration diagram.

FIG. 4 is a network configuration diagram.

FIG. 5 is a network configuration diagram.

FIG. 6 is a network configuration diagram.

[Explanation of symbols]

DESCRIPTION OF SYMBOLS 1 ... Network, 100 ... 1st base, 101 ... Machine, 110 ... Main apparatus, 111 ... VPN connection function part, 11
2 ... Address conversion function unit, 200 ... Second base, 201
… Client machine, 202… VPN connection function part

 ──────────────────────────────────────────────────続 き Continued on the front page F term (reference) 5K030 GA15 GA19 HC01 HD09 LB05 LD16 LD17 5K033 AA04 AA08 AA09 CB09 DA06 EC03 9A001 BB02 BB03 BB04 CC03 CC07 CC08 DD12 EE02 EE03 JJ18 JJ27 KK56 LL03

Claims (18)

[Claims] In a communication between a plurality of bases in a network in which a first base and a plurality of second bases are respectively connected via a VPN (Virtual Private Network), only one terminal at the second base has a VPN. When a connection is made and this terminal connects to a specific terminal at the first base, the same address is assigned to the virtual interface added to the VPN tunnel at all the second bases, For the terminal to which the terminal at the second base is connected, the address is different from the address and all the second
Address allocation method in multi-site communication, wherein a common address is allocated between the sites. 2. A method according to claim 1, wherein the first base and the second base are V
In communication between a plurality of bases in a network connected via a PN, an unclaimed global address is not used in a third base including the second base, and one terminal is used in the second base. If only the first base makes a VPN connection to the first base, at the time of the VPN connection, the applied global address to the terminal in the first base newly recognized by the second base is set as the alias address. An address assignment method in communication between a plurality of bases, characterized by assigning. 3. A communication method between a plurality of bases in a network connecting a first base and a second base, wherein communication on a communication path between one base to which a terminal to be a connection destination belongs and a connection source is performed. A communication method between a plurality of bases, wherein, for communication data having the same connection destination address, the connection destination of the communication data is allocated by converting the connection destination address to the address of the connection destination terminal. . 4. A communication method between a plurality of bases in a network connecting a first base and a second base, wherein communication on a communication path between one base to which a terminal to be a connection destination belongs and a connection source is performed. A communication method between a plurality of bases, characterized in that, for communication data having the same connection destination address, connection destinations are allocated based on a communication path of the communication data. 5. A communication method between a plurality of bases in a network connecting a first base and a second base, wherein communication on a communication path between one base to which a terminal as a connection destination belongs and a connection source is performed. For communication data that is data and has the same connection destination address, the connection destination address is
A communication method between a plurality of bases, characterized in that the connection destination of communication data is sorted by converting the communication data into the address of a connection destination terminal corresponding to the communication path of the communication data. 6. A VPN between the first base and the second base.
6. The communication method according to claim 3, wherein the communication path is a VPN tunnel. 7. In the address conversion, a destination address or a source address of communication data passing through a VPN tunnel is converted based on an address assigned by the address assignment method in the multipoint communication according to claim 1 or 2. 7. The communication method between a plurality of locations according to claim 6, wherein 8. The communication method between a plurality of sites according to claim 3, wherein all alias addresses used for the address conversion are prepared in advance at the first site. . 9. The method according to claim 9, wherein the second base is divided into a plurality of partial bases, and each of the partial bases is individually connected to the first base by V
9. A PN connection is made.
Communication method between multiple sites described in section. 10. The communication between a plurality of second sites by passing through the first site.
10. The communication method between a plurality of bases according to any one of claims 9 to 9. 11. A connection device between a plurality of bases in a network connecting the plurality of bases, the communication device being configured to transmit communication data on a communication path between one base to which a terminal as a connection destination candidate belongs and a connection source. A connection device for distributing the connection destination of communication data having the same connection destination address by converting the connection destination address to the address of the connection destination terminal. 12. A connection device for connecting a first base and a global network in a network in which a first base and a second base are respectively connected via a VPN, wherein the communication passes through a VPN tunnel. A connection device between a plurality of locations, comprising an address conversion means for converting a source or destination address of data for each VPN connection. 13. At the second base, only one terminal has V
When performing a PN connection and connecting this terminal to a specific terminal at the first base, the same address is assigned to the virtual interface added to the VPN tunnel at all the second bases, For the terminal to be connected to the terminal at the second base, the address is different from the address and all the second
13. The connection apparatus according to claim 12, wherein a common address is assigned between the bases, and the address conversion means converts the address of the communication data based on the address. 14. A connection device for connecting a first base and a global network in a network in which a first base and a plurality of second bases are respectively connected via VPNs, wherein the second base Then, only one terminal makes a VPN connection, and if this terminal connects to a specific terminal at the first base, the same is applied to the virtual interface added to the VPN tunnel at all the second bases. And a terminal different from the above-mentioned address for the terminal to which the terminal at the second base is connected.
A connection address between a plurality of locations, wherein a common address is allocated between the locations, and the address is used as a destination address or a source address of communication data passing through a VPN tunnel. 15. An apparatus according to claim 14, further comprising address conversion means for converting a source or destination address of communication data passing through a VPN tunnel based on the address for each VPN connection. Connection device. 16. The connection apparatus according to claim 13, further comprising a connection destination allocating means for allocating a connection destination based on the address converted by the address conversion means. 17. An unapplied global address is not used in a third base including the second base, and only one terminal is connected to the first base by a VPN connection in the second base. In the case of performing a VPN connection, at the time of VPN connection, the second base assigns the applied global address as an alias address to a terminal in the first base which is newly conscious, and the address conversion means communicates based on this address. 13. The method according to claim 12, wherein a data address is converted.
16. The connection device between a plurality of bases according to any one of 16. 18. The connection device between a plurality of bases according to claim 12, wherein all alias addresses used in the address conversion are provided in advance.