JP2011176395A - IPsec COMMUNICATION METHOD AND IPsec COMMUNICATION SYSTEM - Google Patents

Abstract

An IPsec communication method and an IPsec communication system that can easily manage an IPsec policy and reduce packet loss and communication delay.
A MOBIKE tunnel capable of changing a termination address between a client A (20A) that does not share an IPsec policy with a client B (20B) and a gateway processing unit 10 that shares the IPsec policy with both clients T3 is established, and the gateway processing unit 10 notifies the client B (20B) of the SA information, and changes the termination address of the MOBIKE tunnel T3 with the client A (20A), whereby the MOBIKE tunnel T3 is changed to the client. It can be used as an IPsec tunnel between A (20A) and Client B (20B).
[Selection] Figure 1

Description

  The present invention relates to an IPsec communication method and an IPsec communication system that perform encrypted communication using an IPsec (Security Architecture for Internet Protocol) tunnel, and more particularly, to a communication partner that does not have shared information necessary to establish an IPsec tunnel. It is related with the technique which establishes an IPsec tunnel between.

  In encrypted communication using an IPsec tunnel (hereinafter also referred to as “tunnel” as appropriate), security association information (hereinafter, “encryption method”, encryption key, etc.) is started between the two devices performing communication before starting the encrypted communication. By negotiating and sharing "SA information"), an IPsec tunnel, which is a virtual encrypted communication path, is established. This SA information negotiation is performed using IKEv2 (Internet Key Exchange Version 2), which is a key exchange protocol defined in RFC4306 (Non-Patent Document 1). Therefore, mutual IP (Internet Protocol) addresses, shared keys, key generation algorithms, etc., called IPsec policies (hereinafter also referred to as “policies” where appropriate) must be shared in advance.

  RFC4555 (Non-patent Document 2) maintains a tunnel by notifying the other device of the change destination address when one terminal address of the device that established the tunnel changes due to handover or the like. For this purpose, MOBIKE (IKEv2 Mobility and Multihoming Protocol) is defined.

IETF, "Internet Key Exchange (IKEv2) Protocol", RFC4306, December 2005. IETF, "IKEv2 Mobility and Multihoming Protocol (MOBIKE)", RFC4555, June 2006.

  When constructing a VPN (Virtual Private Network) (hereinafter referred to as “IPSecVPN”), which is a virtual closed communication network using an IPsec tunnel, and communicating with a plurality of devices in the network, In order to individually establish a tunnel for each device, a policy corresponding to the number of communication destination devices needs to be set in advance for each device, which makes management complicated. Therefore, a hub-spoke model is generally used in which a gateway device that aggregates policies is provided, all devices establish a tunnel only with the gateway device, and the gateway device relays IPsec encrypted packets.

  However, in this hub-spoke model, all traffic in the network is concentrated on the gateway device, and the decryption and re-encryption processing load of the encrypted packet to be relayed is large. There has been a problem that a loss occurs and a large delay occurs in communication. To avoid this problem, the communicating devices need only establish a tunnel directly. However, in the hub-spoke model, the policies necessary for establishing a new tunnel are not shared between the devices. A new tunnel cannot be established directly between them.

  The present invention has been made in order to overcome the above-described problems, and provides an IPsec communication method and an IPsec communication system that can easily manage an IPsec policy and can reduce packet loss and communication delay. The issue is to provide.

  In order to solve the above-mentioned problem, the present invention establishes a new IPsec tunnel between a first device and a second device that do not share an IPsec policy, so that the first device and the second device are connected. An IPsec communication method for performing encrypted communication using IPsec, wherein the second IPsec is connected to the first device and the second device, and is shared with the first device and the second device. The gateway device that holds the IPsec policy in the storage unit communicates with the first device via the first IPsec tunnel established by using the first IPsec policy. Necessary to establish a third IPsec tunnel whose end address can be changed, and for the gateway device to perform encrypted communication through the third IPsec tunnel. SA (Security Association) information is notified to the second device via the second IPsec tunnel established using the second IPsec policy, and the second device uses the notified SA information. To instruct the first device to change the destination address of the communication destination of the third IPsec tunnel to the IP address of the second device, and the first device transmits the destination address of the third IPsec tunnel. Utilizing the third IPsec tunnel as the new IPsec tunnel between the first device and the second device by changing the termination address to the instructed IP address of the second device. It is characterized by.

  As a result, each device only needs to share one IPsec policy with the gateway device, and establishes a new IPsec tunnel with other devices that do not share the IPsec policy as necessary, and directly encrypts it. Communication can be performed.

  In the IPsec communication method according to the present invention, the gateway device transmits the third IPsec tunnel to the first device or the second device via the first IPsec tunnel or the second IPsec tunnel. The first device or the second device requested to delete the third IPsec tunnel discards the SA information necessary for performing cryptographic communication through the third IPsec tunnel. It is characterized by that.

  As a result, when the third IPsec tunnel established by the gateway device is used illegally, the gateway device can stop the use.

  Further, in the IPsec communication method according to the present invention, when the traffic volume between the first device and the second device is a predetermined value or less, the gateway device connects the first IPsec tunnel and the second IPsec. The encrypted packet is relayed between the first device and the second device, and when the communication amount between the first device and the second device exceeds the predetermined value, the first device and the second device The new IPsec tunnel is established between the first device and the second device, and encrypted packets are directly exchanged between the first device and the second device.

  As a result, the gateway device relays encrypted packets between IPsec tunnels between devices with a small amount of communication, and establishes a new IPsec tunnel between the devices with a large amount of communication to directly perform encrypted communication. Therefore, it is possible to reduce packet loss and communication delay due to insufficient performance of the gateway device.

  According to the present invention, it is possible to provide an IPsec communication method and an IPsec communication system that can easily manage an IPsec policy and can reduce occurrence of packet loss and communication delay.

It is explanatory drawing which shows the establishment procedure of a new IPsec tunnel. It is a block diagram which shows the hardware structural example of an IPsec gateway apparatus. It is a connection block diagram of the communication system provided with the IPsec gateway apparatus. It is a sequence chart which shows the establishment procedure of a new IPsec tunnel. It is explanatory drawing of the structural example and operation | movement of VPN by a hub spoke model. It is explanatory drawing about the establishment of the MOBIKE tunnel in VPN. It is explanatory drawing about the MOBIKE execution request in VPN. It is explanatory drawing about the termination address change request in VPN. It is explanatory drawing about the termination address change result in VPN. It is explanatory drawing about the MOBIKE tunnel deletion request | requirement in VPN. 1 is a configuration example of a communication system that provides a plurality of cloud services. It is explanatory drawing which shows the state which established the new IPsec tunnel between the terminal and the cloud server.

  Hereinafter, modes for carrying out the present invention (hereinafter referred to as “the present embodiment”) will be described with reference to the drawings. First, a procedure for establishing a new IPsec tunnel according to the present embodiment will be described, and then, an application example (embodiment 1) in the case of performing cryptographic communication between a plurality of devices accommodated in a VPN, and a cloud service An application example (Embodiment 2) in the case where encrypted communication is performed between a plurality of cloud servers that provide a single device and a single device will be sequentially described.

  FIG. 1 is an explanatory diagram showing a procedure for establishing a new tunnel between two IPsec clients (hereinafter, abbreviated as “clients” where appropriate) that do not share a policy with each other. In FIG. 1, a client A (20A) and a client B (20B) are mounted on two apparatuses that communicate with each other through a new tunnel, and a gateway processing unit 10 is connected to these two apparatuses via an IP network. Installed in the gateway device.

  The client A (20A) establishes a policy including the shared key A for establishing a tunnel with the gateway processing unit 10, and the client B (20B) establishes a tunnel with the gateway processing unit 10. Each policy including the shared key B is held. The gateway processing unit 10 includes an IPsec tunnel control unit 11 that controls the IPsec tunnel, and an IPsec packet relay unit 12 that relays the encrypted packet of the IPsec, and establishes a tunnel between the client A (20A). A policy including the shared key A for establishing and a policy including the shared key B for establishing a tunnel with the client B (20B) are held.

  Here, as an example, from the state in which the AG tunnel T1 and the BG tunnel T2 are established between the clients A (20A) and B (20B) and the gateway processing unit 10, respectively, the client A (20A) Although a procedure for establishing a new tunnel with B (20B) will be described, the AG tunnel T1 or the BG tunnel T2 may not be established in advance. The IPsec tunnel is composed of SA information including one control encryption key called IKE SA and SA information including one or more data communication encryption keys called CHILD SA. The “encryption key” in FIG. 4 means a control encryption key included in IKE SA unless otherwise specified.

  For example, it is assumed that a request for establishing a new tunnel between the client A (20A) and B (20B) is transmitted from the client A (20A) to the gateway processing unit 10. Then, the IPsec tunnel control unit 11 of the gateway processing unit 10 generates a MOBIKE tunnel (encryption key: ext-tunnel) T3 with the client A (20A) as shown by a broken line in FIG. The “MOBIKE tunnel” is a convenient name representing an IPsec tunnel whose end address can be changed by the MOBIKE technology.

  Next, the IPsec tunnel control unit 11 uses the already established BG tunnel (encryption key: BG-tunnel) T2 to generate the encryption key: ext-tunnel of the generated MOBIKE tunnel T3 and the client A (20A). SA information including the end address is transmitted to the client B (20B) to request execution of change of the end address.

  Next, the client B (20B) that has received this execution request notifies the client A (20A) of its own IP address using the notified termination address and encryption key: ext-tunnel, and the MOBIKE tunnel T3 Request to change the end address of. Then, the client A (20A) receives this change request and changes the terminal address of the communication destination of the MOBIKE tunnel T3 to the IP address of the client B (20B) notified from the address of the gateway processing unit 10, thereby finally Specifically, as shown by the thick line in FIG. 1, a new MOBIKE tunnel (encryption key: ext-tunnel) T3 between the clients A (20A) and B (20B) is established.

  By the way, the conventional MOBIKE specified in RFC4555 assumes only the case where the end address of the same client changes. Therefore, when the change of the end address is requested (at the time of MOBIKE request), the MOBIKE tunnel The SA information itself was not transmitted. On the other hand, in this embodiment, when the MOBIKE request is made, the SA information related to the generated MOBIKE tunnel T3 is also transmitted, so that the right to use the MOBIKE tunnel T3 can be transferred to another client.

  For the MOBIKE tunnel T3 to which the usage right has been transferred, SA information for the gateway processing unit 10 to perform cryptographic communication with the client A (20A) is also retained in the client B (20B) as the transfer destination. It is desirable that the SA information can be invalidated to prevent unauthorized use. Therefore, for the MOBIKE tunnel T3 to which the usage right has been transferred, the gateway processing unit 10 that has generated the request requests the client A (20A) that performs encrypted communication with the transfer destination client B (20B) to delete the tunnel. The SA information was discarded. The tunnel deletion request may also be notified to the transfer destination client B (20B).

  FIG. 2 is a block diagram showing an example of a hardware configuration of an IPsec gateway apparatus in which the gateway processing unit 10 is mounted. As shown in FIG. 2, the IPsec gateway apparatus 1 includes a CPU 13, a memory 14, a hard disk 15, an input unit 17 and a display unit 18 controlled by an input / output control unit 16, a communication control unit 19, and the like. Various functions as the gateway processing unit 10 are realized by the CPU 13 loading a predetermined program into the memory 14 and executing it. Further, the policy and SA information necessary for encryption communication are held in a storage unit such as the memory 14 or the hard disk 15.

  The communication control unit 19 is connected to the IP network 4 by, for example, a LAN cable, and the IPsec gateway apparatus 1 exchanges IP packets with other devices connected to the IP network 4 via the communication control unit 19. .

  FIG. 3 shows an example of a communication system in which a terminal A (2A) and a terminal B (2B), which are two apparatuses equipped with an IPsec client, are connected to the IPsec gateway apparatus 1 via the IP network 4. It is a connection block diagram. Hereinafter, in the communication system shown in FIG. 3, when a new IPsec tunnel is established between the terminal A (2A) and the terminal B (2B), message exchange between these devices is performed using a sequence chart. I will explain.

  FIG. 4 shows a new connection between terminal A (2A) (hereinafter abbreviated as “A” where appropriate) and terminal B (2B) (hereinafter abbreviated as “B” where appropriate) that do not share policies. 6 is a sequence chart showing message exchange between devices including the IPsec gateway device 1 (hereinafter, abbreviated as “G” as appropriate) when establishing a tunnel.

  First, in the initial state, it is assumed that A and G share the first policy and a tunnel can be established but the tunnel has not yet been established. Further, it is assumed that B and G share the second policy, and the BG tunnel (encryption key: BG-tunnel) T2 has already been established using the second policy.

  Here, it is assumed that some trigger for generating a tunnel directly between A and B occurs (S10). Such triggers include, for example, a session establishment request that is a request to G for A to communicate with B, a data transfer request, or the upper limit of the amount of data that G relays between A and B, etc. There is an opportunity led by A, such as an opportunity led by G or a tunnel establishment request from A to B required by G by a newly defined IKEv2 message.

  Based on the occurrence of the trigger as described above, first, IKE_SA_INIT exchange and IKE_AUTH which are IKEv2 / MOBIKE message exchange (a pair of request and corresponding response) for establishing a new MOBIKE tunnel between A and G Exchange is performed between A and G (S11). At this time, by notifying the MOBIKE SUPPORTED parameter, an inter-AG MOBIKE tunnel (encryption key: ext-tunnel) T3AG that can change the termination address later is established.

  Next, G sends an INFORMATIONAL request including the newly defined Do Mobike with this SA parameter to B via the established inter-BG tunnel T2 (using the encryption key: BG-tunnel) ( S12). In this message, SA information (IKE SA and CHILD SA) including the encryption key: ext-tunnel necessary for use of the previously established inter-AG MOBIKE tunnel T3AG and the termination address of A is notified to B.

  Next, B uses the IKE SA included in the notified SA information to A (using the inter-AG MOBIKE tunnel T3AG encryption key: ext-tunnel), and the end address to its own IP address Perform an INFORMATIONAL exchange that includes the UPDATE_SA_ADDRESSES parameter requesting the change. Then, A that has received this request changes the communication destination termination address of the inter-AG MOBIKE tunnel T3AG to the IP address of B notified from the G address, so that the inter-AG MOBIKE tunnel T3AG Is switched to the inter-AB MOBIKE tunnel T3AB (S13).

  The completion of switching to the inter-AB MOBIKE tunnel T3AB is notified to G by an INFORMATIONAL response including the MOBIKE DONE parameter from B to G (S14).

  In addition, when the inter-AB MOBIKE tunnel T3AB, which was the old inter-MOB MOBIKE tunnel T3AG from which the usage rights have been transferred from G to B, is illegally used by B, a newly defined Delete requesting deletion of the tunnel is made. An INFORMATIONAL request including the Mobiked SA parameter can be transmitted from G to A, which is a communication destination of B (S15). In FIG. 4, the sequence for establishing a tunnel between AGs is omitted.

  After receiving this deletion request, A performs an informational exchange with B to delete the AB AB MOBIKE tunnel T3AB (S16), and then newly defined Mobiked SA indicating that the deletion of the tunnel has been completed. An INFORMATIONAL response including the Deleted parameter is transmitted to G (S17). As a result, the AB ABOBIKE tunnel T3AB is in a deletion completion state (T3D) indicated by a broken line.

[Embodiment 1]
Next, an application example in the case where cryptographic communication is performed between a plurality of devices accommodated in the IPsec VPN constructed by the hub spoke model will be described. As shown in FIG. 5, the base A, the base B, and the base C configuring the VPN X are connected to a carrier IP network 4a provided by a communication carrier. The carrier IP network 4a is connected to a gateway device G (1a) (hereinafter abbreviated as “G” as appropriate) provided in a communication carrier as a gateway device according to the present embodiment, and a hub-spoke model IPsec VPN is constructed. ing.

  The bases A, B, and C each have a terminal A (2A) (hereinafter abbreviated as “A” where appropriate) and a terminal B (2B) (hereinafter abbreviated as “B” as appropriate) each equipped with the above-described IPsec client. ), Terminal C (2C) (hereinafter abbreviated as “C” as appropriate), and an IPsec tunnel is established between G and A, B, and C, respectively, or is in an established state. . Each terminal can participate in VPN X by establishing an IPsec tunnel with G.

  For example, as shown in FIG. 5, a BG tunnel (encryption key: BG-tunnel) T2 is established between A and G, which has established an AG-to-AG tunnel (encryption key: AG-tunnel) T1 with G. When communicating with the established B, when there is little traffic to be relayed by the G, the IPsec packet relay unit 12 (see FIG. 1) provided in the G relays encrypted packets exchanged between both terminals. For example, the encrypted packet transmitted from A to B is once decrypted by the IPsec packet relay unit 12 with the encryption key for data communication of the AG tunnel T1, and then encrypted for data communication of the BG tunnel T2. Re-encrypt with key and send to B.

  However, when the traffic relayed by G increases, the load of decryption and re-encryption processing of the encrypted packet to be relayed increases, which may cause packet loss and increase the delay time.

  Therefore, for example, a communication traffic reference value for switching the communication between the terminals from the G relay method to the direct communication method between the terminals is determined, and the communication amount per unit time between the terminals is If this reference value is exceeded, a direct IPsec tunnel is established between the two terminals for direct communication, thereby preventing packet loss and delay time from increasing.

  Here, in the VPN X shown in FIG. 5, it is assumed that the communication amount between A and B exceeds the reference value. The IPsec packet relay unit 12 (see FIG. 1) included in the G monitors whether or not the data amount per unit time of the encrypted packet relayed between the terminals exceeds a predetermined reference value. Thus, it is detected that the communication amount between A and B exceeds the reference value.

  Therefore, as shown in FIG. 6, the IPsec tunnel control unit 11 (see FIG. 1) provided in G first exchanges IKEv2 / MOBIKE messages with A, so that between G and A, A new inter-AG MOBIKE tunnel (encryption key: ext-tunnel) T3AG is established. This inter-AG MOBIKE tunnel T3AG capable of changing the end address can be established by sending A IKEv2 / MOBIKE MOBIKE SUPPORTED parameter notification to A.

  Next, as shown in FIG. 7, the IPsec tunnel control unit 11 uses the existing BG tunnel (encryption key: BG-tunnel) T2 as the SA information generated when the inter-AG MOBIKE tunnel T3AG is established. Use it to request B to implement MOBIKE while notifying B. This MOBIKE execution request is made by notifying B of the newly defined Do Mobike parameter. Here, the SA information notified to B includes the encryption key: ext-tunnel of the inter-AG MOBIKE tunnel T3AG and the end address of A. Therefore, B can directly transmit an encrypted packet for control corresponding to the inter-AG MOBIKE tunnel T3AG to A by using such information. At this point in time, the AB AB MOBIKE tunnel T3AB is still open in only one direction (B → A).

  Next, as shown in FIG. 8, B, which has been notified of the Do Mobike parameter, uses the inter-AB MOBIKE tunnel (encryption key: ext-tunnel) T3AB opened in only one direction (B → A). A is requested to update the G termination address included in the SA information of the MOBIKE tunnel T3AG to its own IP address (for example, the B termination address of the inter-BG tunnel T2). This end address update request is made by notifying A of the IKEv2 / MOBIKE UPDATE_SA_ADDRESSES parameter.

  Finally, A notified of the UPDATE_SA_ADDRESSES parameter changes the G end address contained in the SA information of the inter-AG MOBIKE tunnel T3AG held by itself to the specified B IP address, and then Send a completion notification to As a result, the G termination address of the inter-AG MOBIKE tunnel T3AG is changed to the IP address of B as indicated by the two-dot chain line arrow in FIG. 9, and the tunnel that was previously the inter-AG MOBIKE tunnel T3AG is referred to as A And B are switched to the MOBIKE tunnel between ABs (between the old AGs) T3AB for direct cryptographic communication.

  In addition, as shown in FIG. 10, the IPsec tunnel control unit 11 provided in G, as needed, uses the inter-AB MOBIKE tunnel [the old AG ] A deletion of T3AB can be requested from A and / or B. This deletion request is made by notifying the terminal of the newly defined Delete Mobiked SA parameter. The terminal that is notified of this Delete Mobiked SA parameter deletes the corresponding inter-AB MOBIKE tunnel [between the old AGs] T3AB.

  As described above, according to the first embodiment, in the IPsec VPN configured by the hub-spoke model, it is possible to reduce the occurrence of packet loss and communication delay due to insufficient performance of the gateway device. Further, since an IPsec tunnel can be freely established and deleted between arbitrary devices, it is possible to realize a dynamic VPN that dynamically connects user bases of IPsec VPN provided by a communication carrier.

[Embodiment 2]
Next, an application example in the case where cryptographic communication is performed between a plurality of cloud servers that provide a cloud service using a hub-spoke model and one client device will be described. As shown in FIG. 11, as a plurality of servers that provide different cloud services, a server X (5X) that provides the cloud service X (hereinafter abbreviated as “X” as appropriate) and a server that provides the cloud service Y Y (5Y) (hereinafter abbreviated as “Y” where appropriate) and a server Z (5Z) (hereinafter abbreviated as “Z” where appropriate) that provides the cloud service Z are connected to the IP network 4. Further, a gateway device G (1b) (hereinafter abbreviated as “G” as appropriate) provided in a communication carrier or a service provider as a gateway device according to the present embodiment is connected to the cloud aggregation base of the IP network 4. .

  Between terminal A (2A) (hereinafter referred to as “A” where appropriate) which is a client device of user A who uses the plurality of cloud services and G, and between G and X, Y, Z Are assumed to be in the state where the IPsec tunnel is established or can be established.

  In this way, even when using a plurality of cloud services from A, it is possible for G to relay A by relaying encrypted packets between A and each server X, Y, Z. Only one policy to be shared with G is preset. Also, the cloud service does not need to set a policy in advance for each user who uses the service, and only one policy to be set in advance is shared with G.

  However, when the traffic relayed by G increases, as in the first embodiment, the load of decryption and re-encryption of the encrypted packet to be relayed increases, resulting in packet loss and increased delay time. There is a possibility.

  Therefore, for example, a communication traffic reference value for switching the communication between the servers X, Y, Z, and A from the relay method using G to the direct communication method between the two is determined, and each server X, When the amount of communication per unit time between Y, Z and A exceeds this reference value, a packet loss occurs or delay time is established by establishing a direct IPsec tunnel between the two and making them communicate directly. To prevent the increase.

  For example, in FIG. 11, it is assumed that the traffic between X and A exceeds the reference value. G monitors whether or not the data amount per unit time of the encrypted packet relayed between each server and each user terminal exceeds a predetermined reference value, whereby X and A Detects that the amount of communication between and exceeds the reference value.

  Therefore, as shown in FIG. 12, G performs a new inter-AG MOBIKE tunnel (encryption key: ext-tunnel) T3AG between G and A by the same procedure as in the first embodiment. AX for direct encryption communication between A and X by notifying X using the existing XG tunnel T2XG and transferring the right to use the MOBIKE tunnel Establish MOBIKE tunnel [between old AGs] T3AX.

  In addition, as a trigger for establishing a MOBIKE tunnel for performing such direct encryption communication, for example, a new notification notifying that a direct tunnel is to be established between A and X at the start of use of the cloud service X, etc. An IKEv2 message may be defined and communicated to G.

  As described above, according to the second embodiment, in a communication system in which a plurality of cloud services are provided by the hub-and-spoke model, it is possible to reduce packet loss and communication delay due to insufficient performance of the gateway device. Further, it is possible to realize an aggregation base that provides a high-speed and high-speed communication service without individually sharing a policy between an unspecified number of users and an unspecified number of service providers.

  Although the description of the mode for carrying out the present invention has been described above, the embodiment of the present invention is not limited to these, and various modifications and changes can be made without departing from the spirit of the present invention. Is possible.

1,1a, 1b IPsec gateway device (gateway device)
2A, 2B, 2C terminal (first device / second device)
4, 4a IP network 5X, 5Y, 5Z Server (first device / second device)
10 Gateway processing unit (processing unit)
11 IPsec tunnel control unit 12 IPsec packet relay unit 13 CPU
14 Memory (storage unit)
15 Hard disk (storage unit)
16 Input / output control unit 17 Input unit 18 Display unit 19 Communication control unit 20A, 20B IPsec client T1 AG tunnel (first IPsec tunnel)
T2 BG tunnel (second IPsec tunnel)
T2xy xy tunnel (second IPsec tunnel)
T3 MOBIKE tunnel (third IPsec tunnel)
MOBIKE tunnel between T3xy and xy (third IPsec tunnel)

Claims (6)

An IPsec communication method for establishing a new IPsec tunnel between a first device and a second device that do not share an IPsec policy, and performing encrypted communication by IPsec between the first device and the second device. ,
A gateway device connected to the first device and the second device and holding a first IPsec policy shared with the first device and a second IPsec policy shared with the second device in a storage unit, Establishing a third IPsec tunnel whose end address can be changed with the first device by communicating with the first device via a first IPsec tunnel established using a first IPsec policy And
SA (Security Association) information necessary for the gateway device to perform cryptographic communication through the third IPsec tunnel is transmitted through the second IPsec tunnel established using the second IPsec policy. 2 Notify the device,
The second device instructs the first device to change the destination address of the communication destination of the third IPsec tunnel to the IP address of the second device using the notified SA information,
The first device changes the end address of the communication destination of the third IPsec tunnel to the IP address of the instructed second device, whereby the third IPsec tunnel is changed with the first device. An IPsec communication method, wherein the IPsec communication method is used as the new IPsec tunnel with a second device. The IPsec communication method according to claim 1,
The gateway device requests the first device or the second device to delete the third IPsec tunnel via the first IPsec tunnel or the second IPsec tunnel;
The IPsec, wherein the first device or the second device requested to delete the third IPsec tunnel discards the SA information necessary for performing cryptographic communication through the third IPsec tunnel. Communication method. In the IPsec communication method according to claim 1 or 2,
When the traffic between the first device and the second device is less than or equal to a predetermined value, the gateway device relays encrypted packets between the first IPsec tunnel and the second IPsec tunnel. Done
When the traffic between the first device and the second device exceeds the predetermined value, the new IPsec tunnel is established between the first device and the second device, and the first device An IPsec communication method, wherein encrypted packets are directly exchanged between one device and the second device. An IPsec communication system that establishes a new IPsec tunnel between a first device and a second device that do not share an IPsec policy, and performs cryptographic communication by IPsec between the first device and the second device. ,
A gateway device connected to the first device and the second device and having a storage unit and a processing unit;
The gateway device is
The storage unit holds a first IPsec policy shared with the first device and a second IPsec policy shared with the second device,
The processor is
By communicating with the first device via a first IPsec tunnel established using the first IPsec policy, a third IPsec tunnel whose end address can be changed with the first device. After establishing
Notifying the second device of SA information necessary for performing cryptographic communication through the third IPsec tunnel via the second IPsec tunnel established using the second IPsec policy;
The second device instructs the first device to change the destination address of the communication destination of the third IPsec tunnel to the IP address of the second device using the notified SA information,
The first device changes the termination address of the communication destination of the third IPsec tunnel to the IP address of the instructed second device, thereby changing the third IPsec tunnel to the first device and the first device. An IPsec communication system, which is used as the new IPsec tunnel with a second device. The IPsec communication system according to claim 4,
The processing unit of the gateway device requests the first device or the second device to delete the third IPsec tunnel via the first IPsec tunnel or the second IPsec tunnel,
The first device or the second device requested to delete the third IPsec tunnel discards the SA information necessary for performing cryptographic communication through the third IPsec tunnel. Communications system. In the IPsec communication system according to claim 4 or 5,
The processing unit of the gateway device includes:
When the traffic between the first device and the second device is a predetermined value or less, the encrypted packet is relayed between the first IPsec tunnel and the second IPsec tunnel,
When the traffic between the first device and the second device exceeds the predetermined value, the first IPsec tunnel is established between the first device and the second device to establish the first An IPsec communication system, wherein encrypted packets are directly exchanged between a device and the second device.

Images