JP5773205B2 - Relay server and relay communication system - Google Patents

Description

  The present invention mainly relates to a relay server that enables communication between devices connected to different LANs (Local Area Networks).

  2. Description of the Related Art Conventionally, a communication technique called a virtual private network (VPN) that performs communication between LANs installed at physically separated locations is known. In the example shown in Patent Document 1, a relay server, a communication terminal, and the like are connected to each of a plurality of LANs installed at physically separated positions. A communication terminal can transmit a packet to a communication terminal connected to another LAN using this VPN. Specifically, a packet transmitted by a communication terminal is first sent to a relay server in the same LAN. This relay server transmits (transfers) the packet to the relay server in the same LAN as the destination communication terminal via the Internet. The relay server that receives this packet transmits (transfers) the packet to the destination communication terminal.

  By using this VPN, other remote LANs can be used as if they were directly connected networks.

JP 2010-268312 A

  By the way, in this type of system, the terminals communicate with each other using the IP address (private IP address) of the terminal connected to the LAN. IP addresses are assigned so as not to overlap in the same LAN, but may overlap between terminals connected to different LANs. In this case, two or more identical IP addresses exist in the VPN, and appropriate communication cannot be performed.

  As a method for coping with duplication of IP addresses, a method of assigning a virtual address to the IP address of the terminal and performing communication using this virtual address is conceivable. However, when communicating using a virtual address, some applications may not function properly. As this application, for example, there are some file sharing systems, some applications that use FTP communication, and some applications that generate IDs based on IP addresses.

  Therefore, when the virtual address is always used, the above application cannot be used. On the other hand, if no virtual address is used, communication cannot be performed when IP addresses are duplicated. Therefore, this method alone cannot flexibly cope with changes in the communication environment. In addition, when a virtual address is used only when address duplication is detected, the user may be confused because the application cannot be used suddenly.

  The present invention has been made in view of the above circumstances, and its main purpose is to perform relay server notification when a predetermined application becomes unavailable when communication is performed using a virtual address. Is to provide.

Means and effects for solving the problems

  The problems to be solved by the present invention are as described above. Next, means for solving the problems and the effects thereof will be described.

  According to a first aspect of the present invention, a relay server having the following configuration is provided. That is, the relay server includes an address filter information storage unit, a virtual address allocation information storage unit, and a control unit. The address filter information storage unit is located in the first LAN (the relay server) is capable of transferring packets, and the first routing target address that is the address of the first routing target device and the second relay server located in the second LAN Stores the second routing target address that is the address of the second routing target device that can transfer the packet. The virtual address assignment information storage unit stores a second routing target address and a virtual address assigned to the second routing target address in association with each other. The control unit performs a reception process for receiving an instruction to permit or prohibit communication using the virtual address from a user. The control unit transmits the first routing target address to the second relay server, receives the second routing target address from the second relay server, and establishes a routing session with the second relay server. The control unit performs a determination process for determining whether there is an overlap between the first routing target address and the second routing target address. The control unit notifies the fact that communication is not possible when it is determined that there is duplication in the determination process and when an instruction to prohibit communication using the virtual address is received. When receiving an instruction for permitting communication using the virtual address, the control unit stores the virtual address assignment information when receiving a packet addressed to the virtual address from the first routing target device. The packet destination address is converted to the second routing target address assigned to the virtual address, and the packet is transferred to the routing session. When the control unit receives a packet destined for the first routing target address from the routing session and refers to the virtual address allocation information storage unit and the virtual address is allocated, The packet source address is converted into the virtual address assigned to the second routing target address, and the packet is transferred to the destination first routing target device.

  That is, when the first routing target address and the second routing target address overlap, communication is possible by assigning a virtual address to the second routing target address. However, some applications may not function properly with a virtual address assigned. In this regard, the above configuration can set permission / prohibition of communication using a virtual address. Therefore, as a user, when the above application is not used, by allowing communication using a virtual address, it is possible to perform normal communication even when the routing target addresses overlap. On the other hand, when using the above application, by prohibiting communication using virtual addresses, when the routing target addresses do not overlap, the application can be used without any problem, while the routing target addresses overlap It is possible to immediately grasp the situation and respond appropriately.

  According to a second aspect of the present invention, a relay server having the following configuration is provided. That is, the relay server includes an address filter information storage unit, a virtual address allocation information storage unit, and a control unit. The address filter information storage unit is located in the first LAN (the relay server) is capable of transferring packets, and the first routing target address that is the address of the first routing target device and the second relay server located in the second LAN Stores the second routing target address that is the address of the second routing target device that can transfer the packet. The virtual address assignment information storage unit stores a second routing target address and a virtual address assigned to the second routing target address in association with each other. The control unit transmits the first routing target address to the second relay server, receives the second routing target address from the second relay server, and establishes a routing session with the second relay server. The control unit performs a determination process for determining whether there is an overlap between the first routing target address and the second routing target address. The control unit notifies the fact that communication is not possible when it is determined that there is duplication in the determination process and when an instruction to prohibit communication using the virtual address is received. The control unit performs a reception process for receiving an instruction to permit or prohibit communication using the virtual address from a user. When the control unit receives an instruction to permit communication using the virtual address and receives a packet addressed to the virtual address from the first routing target device, the virtual address allocation information storage unit The packet destination address is converted to the second routing target address assigned to the virtual address, and the packet is transferred to the routing session. When the control unit receives a packet destined for the first routing target address from the routing session and refers to the virtual address allocation information storage unit and the virtual address is allocated, The packet source address is converted into the virtual address assigned to the second routing target address, and the packet is transferred to the destination first routing target device.

  Thus, after the user is notified that communication cannot be performed, the user can select whether to permit or prohibit communication using the virtual address. Therefore, it is possible to flexibly cope with the case where the presence / absence of the use of the application frequently changes.

  In the relay server, it is preferable that the control unit notifies the user that communication is not possible and inquires of the user whether to permit or prohibit communication using the virtual address.

  Thereby, for example, when priority is given to communication over the above-mentioned application, the user can give an instruction to permit communication immediately. Therefore, a user-friendly operation feeling can be realized.

  In the relay server, the accepting process is preferably a process of presenting an application whose function is restricted when the virtual address is assigned and accepting designation of the possibility of using the application. .

  This makes it possible to notify the user which application is affected by using the virtual address. Therefore, even when the user does not fully understand the communication using the virtual address, the user can make an appropriate setting according to his / her usage mode.

  In the relay server, the control unit preferably accepts addition and deletion of an application presented in the acceptance process.

  Thereby, the relay server can present the application newly installed in the routing target device and perform the reception process. In addition, the relay server can prevent an application that is rarely used, for example, from being presented during the reception process. Accordingly, the relay server can perform reception processing by presenting only the applications necessary for the user.

  The relay server preferably has the following configuration. That is, the second routing target address is received from the second relay server, and the third routing target address is received from the third relay server. The determination process determines whether there is an overlap between the first routing target address, the second routing target address, and the third routing target address.

  Accordingly, even when communication is performed with three or more relay servers, it is possible to detect duplication of routing target addresses and assign virtual addresses.

  According to the 3rd viewpoint of this invention, the following structures are provided in the relay communication system comprised including a 1st relay server and a 2nd relay server. That is, the first relay server located in the first LAN includes an address filter information storage unit, a virtual address allocation information storage unit, and a control unit. The address filter information storage unit includes a first routing target address that is an address of a first routing target device to which the first relay server can transfer a packet, and the second relay server located in a second LAN transfers the packet. And a second routing target address that is an address of a possible second routing target device. The virtual address assignment information storage unit stores a second routing target address and a virtual address assigned to the second routing target address in association with each other. The control unit transmits the first routing target address to the second relay server, receives the second routing target address from the second relay server, and establishes a routing session with the second relay server. The control unit performs a determination process for determining whether there is an overlap between the first routing target address and the second routing target address. The control unit notifies the fact that communication is not possible when it is determined that there is duplication in the determination process and when an instruction to prohibit communication using the virtual address is received. When receiving an instruction for permitting communication using the virtual address, the control unit stores the virtual address assignment information when receiving a packet addressed to the virtual address from the first routing target device. The packet destination address is converted to the second routing target address assigned to the virtual address, and the packet is transferred to the routing session. When the control unit receives a packet destined for the first routing target address from the routing session and refers to the virtual address allocation information storage unit and the virtual address is allocated, The packet source address is converted into the virtual address assigned to the second routing target address, and the packet is transferred to the destination first routing target device.

  Thereby, in this relay communication system, it is possible to set the availability of communication using a virtual address. Therefore, as a user, when the above application is not used, by allowing communication using a virtual address, it is possible to perform normal communication even when the routing target addresses overlap. On the other hand, when using the above application, by prohibiting communication using virtual addresses, when the routing target addresses do not overlap, the application can be used without any problem, while the routing target addresses overlap It is possible to immediately grasp the situation and respond appropriately.

BRIEF DESCRIPTION OF THE DRAWINGS Explanatory drawing which shows the whole structure of the relay communication system which concerns on one Embodiment of this invention. The functional block diagram of a relay server. The figure which shows the content of relay group information. The figure which shows the content of relay server information. The figure which shows the content of client terminal information. The figure which shows the content of VPN group information. The figure which shows the content of the address filter information registered beforehand in each relay server. The figure which shows the content which an address filter information storage part memorize | stores after VPN construction. The figure which shows the content of virtual address registration information. The figure which shows the content of virtual address allocation information. The figure which shows the content of the virtual address communication availability information. The figure which shows the content of the designation | designated application list. The flowchart which shows the setting performed to a relay server beforehand. The flowchart which shows the process which produces a VPN group. The figure which shows the content which the relay server 3 displays. The flowchart which shows the process which builds VPN. The flowchart which shows the process which builds VPN. The flowchart which shows the routing control which a relay server performs when a packet is received from LAN. The flowchart which shows the routing control which a relay server performs when a packet is received from a routing session. Explanatory drawing which shows the routing control using a virtual address.

  Next, embodiments of the present invention will be described with reference to the drawings. First, an overview of the relay communication system 100 of the present embodiment will be described with reference to FIG. FIG. 1 is an explanatory diagram showing the overall configuration of the relay communication system 100 according to the present embodiment.

  As shown in FIG. 1, this relay communication system 100 includes a plurality of LANs 10, 20, and 30 connected to a wide area network (WAN) 80. Each of the LANs 10, 20, and 30 is a relatively small network constructed in a limited place. Further, the LANs 10, 20, and 30 are arranged at locations that are physically separated from each other. In the present embodiment, the Internet is used as the WAN 80.

  Each LAN will be specifically described below. As shown in FIG. 1, a relay server (second relay server) 1, operation PCs 11 and 12 as second routing target devices, and a client terminal 13 are connected to a LAN (second LAN) 10. . A relay server 2, an operation PC 21, and a client terminal 22 are connected to the LAN 20. Connected to the LAN (first LAN) 30 are a relay server (first relay server) 3, target terminals 31, 32 and 33 as first routing target devices, and a client terminal 34.

  Since each of the relay servers 1, 2, and 3 is connected not only to the LANs 10, 20, and 30 but also to the WAN 80, it can communicate with devices connected to the same LAN and is also arranged in another LAN. It is also possible to communicate with the relay server. The operation PCs 11, 12, and 21 are personal computers that are operated by an operator, for example. The target terminals 31, 32, and 33 are personal computers or file servers. For example, the operator operates the operation PC 11 or the like to request predetermined data from the target terminal 31 or the like, and the target terminal 31 It is assumed that the stored content of is updated. The client terminals 13, 22, and 34 are configured by, for example, a personal computer, and can communicate with each other via the relay servers 1, 2, and 3 to which the client terminals 13, 22, and 34 belong.

  Next, a detailed configuration of the relay servers 1, 2, and 3 will be described with reference to FIG. FIG. 2 is a functional block diagram of the relay server 3. Since the relay server 3 has substantially the same configuration as the relay servers 1 and 2, the relay server 3 will be mainly described below.

  As illustrated in FIG. 2, the relay server 3 includes a storage unit 50, a control unit 60, and an interface unit 70.

  The interface unit 70 performs communication with terminals in the LAN 10. The interface unit 70 performs communication with the WAN 80. The interface unit 70 performs an appropriate process on the packet received from the LAN 30 or the WAN 80 and outputs the packet to the control unit 60.

  The control unit 60 is a CPU having control and calculation functions, for example, and can execute various processes by a program read from the storage unit 50. The control unit 60 can control various communications according to protocols such as TCP / IP, UDP, and SIP. Specifically, the control unit 60 determines a destination of the received packet based on information indicated by the packet and information stored in the storage unit 50, and transmits the packet to the determined destination. Moreover, the control part 60 can update the memory content of the memory | storage part 50 based on the information received from the other terminal.

  The storage unit 50 is composed of, for example, a hard disk or a nonvolatile RAM, and can store various data. The storage unit 50 includes a relay group information storage unit 51, a relay server information storage unit 52, a client terminal information storage unit 53, a VPN group information storage unit 54, an address filter information storage unit 55, and a virtual address registration information storage. Unit 56, virtual address allocation information storage unit 57, virtual address communication availability information storage unit 58, and designated application list storage unit 59. Hereinafter, the contents stored in the storage unit 50 will be described with reference to FIGS. 3 to 12 are diagrams mainly showing the storage contents of the storage unit 50 of the relay server 3.

  The relay group information storage unit 51 stores relay group information indicating a relay group and a relay server that constitutes the relay group.

  As shown in FIG. 3, in the relay group information, a group tag and a site tag of a child element whose parent element is the group tag are described. In the group tag, group information 511 related to the relay group is described. As the group information 511, relay group identification information (“id”), last update time (“lastmod”), and relay group name (“name”) are described. In the site tag, group configuration information 512 related to the relay server that configures the relay group is described. In this group configuration information 512, identification information (“id”) of the relay server is described. Further, additional relay groups can be created. In this case, unique identification information different from other relay groups is given to the new relay group. As a result, settings such as data exchange only within a specific relay group are possible.

  This relay group information is shared between the relay servers 1, 2, and 3 that constitute the relay group. When a process for changing a relay group is performed in a certain relay server, the fact is transmitted to the other relay server and the relay group information is updated. In this way, relay group information is dynamically shared.

  The relay server information storage unit 52 stores relay server information indicating an outline of a relay server that performs relay communication and a client terminal that belongs to the relay server.

  In the relay server information shown in FIG. 4, a site tag described for each relay server and a node tag of a child element whose parent element is the site tag are described. In the site tag, server information 521 regarding the relay server 1 is described. As the server information 521, relay server identification information (“id”), a relay server name (“name”), and activation information (“stat”) are described. When the content of “stat” is “active”, it indicates that the relay server is logged in to the relay communication system 100, and when stat is blank, it indicates that the log-off is being performed. In a node tag that is a child element of the site tag, affiliation information 522 indicating a client terminal belonging to the relay server is described. The belonging information 522 includes the name of the relay group to which it belongs (“group”), the identification information of the client terminal (“id”), the name of the client terminal (“name”), and the identification information of the relay server to which it belongs. ("Site"). When the client terminal is not logged in to the relay communication system 100, “site” is blank.

  Note that the communication by the relay group is performed as follows based on the relay group information and the relay server information. For example, when a packet is transmitted from the client terminal 13 to the client terminal 22, the client terminal 13 first transmits the packet to the relay server 1 that is a relay server to which the client terminal 13 is connected. The relay server capable of exchanging packets can be grasped based on the above relay group information, and the identification information of the client terminal belonging to the relay server and the connection possibility can be determined based on the above relay server information. I can grasp it. Based on these pieces of information, the relay server 1 transfers the packet to the relay server 2 that is a relay server to which the client terminal 22 is connected. The relay server 2 that has received this packet transfers the packet to the client terminal 22. Thus, relay communication can be performed between the client terminals 13 and 22.

  As with the relay group information, the relay server information is shared between the relay servers 1, 2, and 3 that constitute the relay group. When a process for changing the relay server information is performed in a certain relay server, the fact is transmitted to the other relay server and the relay server information is updated. In this way, the relay server information is dynamically shared.

  The client terminal information storage unit 53 stores client terminal information that is detailed information about the client terminal. Note that the relay servers 1, 2, and 3 store only client terminal information related to client terminals belonging to the relay server. Since the client terminal 34 belongs to the relay server 3, only the client terminal information about the client terminal 34 is stored in the client terminal information storage unit 53 provided in the relay server 3.

  The client terminal information stored in the client terminal information storage unit 53 of the relay server 3 is shown in FIG. Similarly, the client terminal information stored in the relay server 1 is shown in FIG. 5A, and the client terminal information stored in the relay server 2 is shown in FIG. 5B.

  In the client terminal information shown in FIG. 5, a node tag is described. The node tag includes a private IP address (“addr”) of the client terminal, a name of the relay group to which the client terminal belongs (“group”), identification information (“id”), a name (“name”), a relay A password for logging in to the server (“pass”) and port information (“port”) are described.

  The VPN group information storage unit 54 stores VPN group information, which is information related to a VPN group configured by a relay server and a device selected as a routing point from the client terminal (hereinafter referred to as a routing device). ing. By establishing a routing session between routing devices belonging to the same VPN group, communication using VPN can be started.

  In the VPN group information shown in FIG. 6, a vnet tag is described. In this vnet tag, VPN group basic information 541, routing point information 542, and routing session information 543 are described. The VPN group basic information 541 includes a relay group name (“group”) to which the VPN group belongs, a VPN group identification information (“id”), a last update time (“lastmod”), and a VPN group name. ("Name"). The routing point information 542 describes identification information of a routing device that performs routing when communication is performed between VPN groups. In the example of FIG. 6, a relay server 1 and a relay server 3 are described as routing devices. The routing session information 543 describes routing devices connected to each other in the VPN group. In the routing session information 543, the routing device first performs communication control (“sp (start point)”) in the routing session establishment process for establishing the VPN in the VPN group and starting communication, and its communication. It is determined separately for the side to be controlled “ep (end point)”. In the following description, a routing device that first performs communication control for establishing a routing session may be referred to as a “start point”, and a routing device that receives the communication control may be referred to as a “end point”.

  It can be seen from the VPN group information shown in FIG. 6 that the VPN group (VPN-GROUP 1) is composed of the relay server 1 and the relay server 3. It can also be seen that at the start of this VPN group, communication control for establishing a routing session from the relay server 3 to the relay server 1 is performed.

  This VPN group information is also shared between the relay servers 1 and 3 belonging to the same VPN group, like the relay server information and the relay group information. When a process for changing VPN group information is performed in a certain relay server, the fact is transmitted to other relay servers belonging to the same VPN group, and the VPN group information is updated. In this way, VPN group information is dynamically shared. The process for creating this VPN group will be described later.

  The address filter information storage unit 55 stores address filter information that is information used when performing routing control using VPN. The address filter information storage unit 55 stores information (address filter information of the relay server 3) indicating a device (routing target device) to which the relay server 3 itself can directly transmit a packet before the VPN is constructed. The address filter information includes the address of the routing target device (routing target address) and the name of the routing target device.

  FIG. 7C shows an example of address filter information registered in advance in the relay server 3 itself. In this example, it is described that devices to which the relay server 3 can directly transmit packets are the target terminals 31, 32, and 33. 7A shows the address filter information registered in advance in the relay server 1, and FIG. 7B shows the address filter information registered in advance in the relay server 2.

  As described above, the address filter information storage unit 55 of the relay server 3 stores only the address filter information shown in FIG. 7C before constructing the VPN. When the relay server 3 establishes a routing session with the relay server 1, for example, the relay server 3 transmits address filter information (FIG. 7C) registered in advance to the relay server 1 and addresses from the relay server 1. The filter information (FIG. 7A) is received. Then, the relay server 3 stores the address filter information of the relay server 1 in the address filter information storage unit 55 in association with the identification information of the relay server 1.

  As a result, the contents shown in FIG. 9A are stored in the address filter information storage unit 55 of the relay server 3. Similarly, the content shown in FIG. 8A (the same content as FIG. 9A) is also stored in the address filter information storage unit 55 of the relay server 1. Then, the relay servers 1 and 3 perform routing control based on the acquired address (detailed control will be described later). Hereinafter, a routing target address (addresses of target terminals 31, 32, and 33) included in the address filter information of the relay server 3 is referred to as a first routing target address, and the routing target included in the address filter information of the relay server 1 The address (the address of the operation PCs 11 and 12) may be referred to as a second routing target address.

  In the present embodiment, when there is an overlap between the first routing target address and the second routing target address, in the communication between the relay server 3 and the target terminals 31, 32, 33, the actual operation of the operation PCs 11, 12 Communication can be performed using a virtual address without using an address. As a virtual address, an address that does not overlap in the LAN 30 (an address that is not assigned to a device in the LAN 30 and that is not reserved) is registered in advance in the virtual address registration information storage unit 56 of the relay server 3. It is remembered. In the present embodiment, the addresses shown in FIG. 10B are registered as virtual addresses.

  Similarly, when there is an overlap between the first routing target address and the second routing target address, in the communication between the relay server 1 and the operation PCs 11 and 12, the actual addresses of the target terminals 31, 32, and 33 are set. Without using it, communication can be performed using a virtual address. As this virtual address, an address that does not overlap within the LAN 10 is registered in advance and stored in the virtual address registration information storage unit 56 of the relay server 1 as described above. In the present embodiment, the addresses shown in FIG. 10A are registered as virtual addresses.

  When the relay server 3 obtains the second routing target address by exchanging the address filter information as described above and detects that there is an overlap between the routing target addresses, The virtual address is assigned to (address). As shown in FIG. 9B, the virtual address assignment information storage unit 57 stores the assignment relationship between the second routing target address and the virtual address. Similarly, the virtual address assignment information storage unit 57 of the relay server 1 stores the assignment relationship between the first routing target address and the virtual address, as shown in FIG. 8B.

  In the present embodiment, the user can set whether to permit or prohibit communication using the virtual address. The contents registered by the user (setting contents) are stored in the virtual address communication availability information storage unit 58. As shown in FIG. 11, the virtual address communication availability information storage unit 58 stores whether communication using a virtual address is permitted or prohibited.

  As shown in FIG. 12, the designated application list storage unit 59 stores a list of applications that do not function normally when virtual addresses are used. As this type of application, as described above, there are some applications that share files, some applications that use FTP communication, and some applications that generate IDs based on IP addresses. .

  Among the applications preinstalled in the target terminals 31, 32, 33, etc., the corresponding application is registered in the designated application list storage unit 59 in advance. Note that when a user newly installs this type of application in the target terminals 31, 32, 33, the user can register the application in the designated application list storage unit 59. In addition, the user can designate one or a plurality of applications registered in the designated application list storage unit 59 and delete them from the list. As described above, the contents (list) of the designated application list storage unit 59 can be edited by the user. Hereinafter, an application registered in the designated application list storage unit 59 may be referred to as a designated application.

  Next, preparation for performing communication using VPN will be described. First, setting performed in advance in the relay server will be described with reference to FIG. 13, and next, a flow when creating a VPN group will be described with reference to FIG. FIG. 13 is a flowchart showing settings to be made to the relay server in advance. FIG. 14 is a flowchart showing processing for creating a VPN group. In the following, the relay server 3 is taken as an example, and the settings performed on the relay server 3 and the processing executed by the relay server 3 will be described. Processing can be executed.

  The setting to be made in advance in the relay server 3 includes registration of address filter information of the relay server 3 (S101). This registration is performed by a user using the relay communication system 100 by inputting an address (first routing target address) of a device or the like designated as a routing target device and a name by a predetermined method. Here, it is assumed that the user has input the addresses and names of the target terminals 31, 32, and 33. The registered address filter information is stored in the address filter information storage unit 55.

  Next, when performing communication using a virtual address, the user registers an address that does not overlap within the LAN 30 to which the relay server 3 is connected as a virtual address (S102). The virtual address registered here is stored in the virtual address registration information storage unit 56.

  Hereinafter, the flow when creating a VPN group will be described. First, the user can display a VPN group setting screen by operating the client terminals 13, 22, 34, and the like. Here, a case where setting is performed using the client terminal 34 will be described. On the setting screen displayed on the client terminal 34, a plurality of relay groups to which the client terminal 34 belongs are displayed. The user selects a relay group for which a VPN group is to be constructed from the plurality of relay groups (S201).

  When a relay group is selected, a list of identification information of relay servers and client terminals that belong to the selected relay group and that can function as a routing point is displayed on the screen of the client terminal 34 (S202). Then, the user selects a relay server and a client terminal that function as a routing point in the VPN group to be constructed (S203). In this description, it is assumed that the relay server 1 and the relay server 3 are selected by the user.

  Then, based on the identification information of the selected relay server, the identification information of the routing point and the routing session information are created (S204). The VPN group information shown in FIG. 6 is created by adding VPN group identification information or the like to these pieces of information. The client terminal 34 transmits this VPN group information to the relay servers 1 and 3 belonging to the same VPN group (S205). Then, the relay servers 1 and 3 store the received VPN group information in the VPN group information storage unit 54. Thus, the VPN group construction process is completed.

  Next, a flow until communication using VPN is started in the constructed VPN group will be described with reference to FIGS. 15 to 17. FIG. 16 and FIG. 17 are flowcharts showing processing performed until communication using VPN is started.

  The user can display the constructed VPN group on the screen by operating the client terminal 13 or the operation PC 11 or the like. Then, by selecting an appropriate VPN group from the displayed VPN groups (S301), a process for constructing the VPN can be performed. In this description, an example will be described in which the relay server 3 performs the start process of the VPN group created above (a VPN group composed of the relay servers 1 and 3).

  Next, the relay server 3 accepts an instruction to permit or prohibit communication using the virtual address (S302, accepting process). Specifically, the relay server 3 displays a box (dialog) shown in FIG. 15A on the display of the client terminal 34 or the like. In FIG. 15A, a list of designated applications registered in the designated application list storage unit 59, a question asking whether or not there is a possibility of using the application, and “Yes” and “Yes” that allow the user to select as an answer to the question. “No” button is displayed. When the relay server 3 accepts the selection of “Yes” from the user, the relay server 3 determines that an instruction to prohibit communication using the virtual address has been issued, and registers “prohibited” in the virtual address communication availability information storage unit 58. To do. On the other hand, when the relay server 3 accepts the selection of “No” from the user, the relay server 3 determines that an instruction to permit communication using the virtual address has been issued, and registers “permitted” in the virtual address communication availability information storage unit 58. To do.

  As described above, in this embodiment, the user is not allowed to directly select permission or prohibition of communication using the virtual address, but the user is allowed to select the possibility of using the designated application. Accordingly, even if the user's knowledge is not sufficient for communication using a virtual address, it is possible to make an appropriate setting according to the user's own usage mode. Further, as described above, the designated application can be added and deleted by the user. Therefore, it is possible to cope with a case where a user newly installs an application whose function is restricted when using a virtual address. Further, by excluding this type of application that is rarely used by the user from the designated application, the list of designated applications can be prevented from becoming complicated. Accordingly, the relay server 3 can make a selection by presenting only the application necessary for the user.

  Next, the relay server 3 reads the address filter information associated with itself (S303). The information read here is the content registered in S101 (the content shown in FIG. 7C).

  Then, the relay server 3 reads the routing points belonging to the VPN group selected in S301 (S304). Thereby, the relay server 1 is read based on the content of the VPN group information shown in FIG.

  Based on the relay server information, the relay server 3 first determines whether or not the relay server 1 is logged in (“stat” is active or blank) (S305). According to the relay server information shown in FIG. 4, since the relay server 1 is logged in, the relay server 3 transmits a VPN group start command together with the VPN group identification information to the relay server 1 (S306).

  When the relay server 3 receives a response from the relay server 1 in response to the start command (S307), the relay server 1 registers the relay server 1 as a routing point that is ready to construct a VPN (S308).

  Next, the relay server 3 determines whether there is another device belonging to the same VPN group (S309). Since the currently created VPN group is composed of only the relay server 1 and the relay server 3, there is no other device. If there is another device, the relay server 3 performs the processing of S305 to S308 this time for the device.

  Next, the relay server 3 extracts routing session information from the contents stored in the VPN group information storage unit 54 (S310 in FIG. 17). Then, the relay server 3 refers to the extracted routing session information and determines whether or not a routing session starting from itself is described (S311). In the routing session information of FIG. 6, it is described that in the routing session to be established between the relay server 1 and the relay server 3, itself (the relay server 3) is the starting point.

  Therefore, the relay server 3 establishes a routing session by performing predetermined communication control on the relay server 1 (S312). When this communication control is performed, the address filter information is exchanged as described above (S313). As a result, the contents shown in FIG. 9A are stored in the address filter information storage unit 55 of the relay server 3. Similarly, the content shown in FIG. 8A is stored in the address filter information storage unit 55 of the relay server 1.

  Next, the relay server 3 determines whether there is an overlap between the routing target addresses of the address filter information based on the storage contents of the address filter information storage unit 55 (S314, determination processing). In this determination processing, it is determined that there is an overlap when, for example, the network addresses match between the routing target addresses. This determination process is performed not only at the start of the VPN but also at an appropriate timing (such as a timing when the address filter information is updated) after the start of the VPN.

  In this description, since the VPN is composed of two routing points, the relay server 3 determines the overlap between the two routing target addresses. On the other hand, when the VPN is composed of three routing points (for example, when the relay servers 1, 2, and 3 are routing points), the relay server 3 detects duplication between the three routing target addresses.

  When it is determined that there is an overlap between the routing target addresses, the relay server 3 refers to the contents of the virtual address communication availability information storage unit 58 to determine whether communication using the virtual address is permitted or prohibited. (S315).

  When the communication using the virtual address is permitted, the relay server 3 allocates a virtual address to the second routing target address (S316), and stores the allocation relationship in the virtual address allocation information storage unit 57 (S317). In addition, as a virtual address assigned in S314, any address can be assigned as long as it is registered in the virtual address registration information storage unit 56 and is not yet assigned to the second routing target address. it can.

  Next, the relay server 3 performs the process of S311 again. Even when it is determined that there is no duplication between the routing target addresses, the process of S311 is performed again. Since the currently created VPN group is composed of only the relay server 1 and the relay server 3, other routing sessions are not described in the VPN group information. Accordingly, the relay server 3 starts packet routing control (S318). If there is another routing session, the relay server 3 performs the processes of S311 to S315 again.

  On the other hand, when the communication using the virtual address is prohibited, the relay server 3 notifies the error that the communication cannot be performed, and also indicates whether the communication using the virtual address is permitted or prohibited. Is received again (S319, reception processing). Specifically, the relay server 3 displays the box shown in FIG. 15B on the display of the client terminal 34 or the like. FIG. 15B shows that address duplication has been detected, that communication is possible if a virtual address is used, and that a specified application may not be usable if a virtual address is used. And are displayed. In FIG. 15B, “Yes” and “No” buttons for the user to select and a designated application list are displayed.

  Thus, in the present embodiment, in S319 as well as in S302, the user is not allowed to directly select permission or prohibition of communication using the virtual address, but the user is asked whether or not there is a possibility of using the designated application. It is supposed to be selected.

  When the relay server 3 accepts the selection of “Yes” from the user, the relay server 3 allocates the virtual address (S316) and stores the allocation relationship (S317), and then returns to the process of S311. On the other hand, when the relay server 3 receives “No” selection from the user, the relay server 3 stops the routing session with the relay server 1 and returns to the process of S311.

  As described above, in this embodiment, since it is possible to set in advance whether to permit or prohibit communication using a virtual address, a virtual address is automatically assigned, and a designated application can be used without notifying the user. The situation of disappearing can be avoided.

  In this embodiment, when a VPN is constructed, each routing device exchanges (acquires) address filter information with other routing devices, so that the VPN can be constructed using the latest address filter information. Therefore, even if the address filter information is changed in some routing devices at the stage before the VPN start, the VPN can be constructed and communication can be started with the change reflected in all the routing devices. Inconsistency in routing can be prevented, and reliability can be improved.

  Although not described in the flowchart of FIG. 17, even if there is no routing session that is the connection start point in S <b> 311 (the case that it is the routing end point), Under the communication control, routing session establishment processing and address filter information exchange are performed. At the same time, when communication using virtual addresses is performed, virtual addresses are assigned. Therefore, the relay server 1 also assigns a virtual address to the first routing target address and performs control to store it.

  Each routing device does not perform the initial communication control for establishing a routing session unless the routing session information indicates that it is the starting point. The routing session can be established with simple control.

  Next, a process for routing a packet using the established routing session will be described. Hereinafter, the relay server 3 will be described as an example, and processing executed by the relay server 3 will be described. However, it is assumed that the relay servers 1 and 2 can also execute similar processing.

  First, control performed when the relay server 3 receives a packet from the LAN 30 will be described with reference to FIG. FIG. 18 is a flowchart showing the flow of this control.

  When a routing target device in the LAN 30 transmits a packet to another routing target device, the routing target device obtains another routing target address with reference to the information registered in the relay server 3, and sends the routing target address to the destination. Send the packet as When a virtual address is assigned to another routing target address, the routing target device in the LAN 30 acquires the virtual address from the relay server 3 instead of the actual address. Therefore, for example, when a packet is transmitted from the target terminal 31 to the operation PC 11, the target terminal 31 acquires a virtual address (160.90.0.1) as a destination address.

  The relay server 3 stands by until a packet is received from the LAN 30 (S401). When a packet is received from the LAN 30, first, it is determined whether or not the destination of the packet is the own device (relay server 3) (S402).

  The relay server 3 receives the packet when the destination of the packet is its own device (S403). On the other hand, if the destination of the packet is other than its own, the relay server 3 compares the destination address of the received packet with the address filter information (see FIG. 9B), and the destination address is the address. It is determined whether or not it is registered in the filter information (S404). When the destination address is not registered in the address filter information, the relay server 3 discards the packet (S405). On the other hand, when the destination address is registered in the address filter information, the relay server 3 specifies a routing session corresponding to the address filter information (S406).

  Next, the relay server 3 refers to the virtual address assignment information storage unit 57 and determines whether or not the destination address is a virtual address (S407). When the destination address is a virtual address, the relay server 3 converts the destination address into an actual address (S408), and transmits (transfers) the packet to the routing session specified in S406 (S409).

  Next, control performed when the relay server 3 receives a packet from the routing session will be described with reference to FIG. FIG. 19 is a flowchart showing the flow of this control.

  The relay server 3 stands by until a packet is received from the routing session (S501). When receiving the packet, the relay server 3 compares the destination address of the packet with the address filter information (see FIG. 9B), and the destination address of the packet is the address filter information of its own device. It is determined whether it is registered in association with (S502).

  When the destination address of the packet is registered in association with the address filter information of the own device, the virtual address assignment information storage unit 57 is referred to determine whether a virtual address is assigned to the source address. (S503). When a virtual address is assigned to the transmission source address, the relay server 3 converts the transmission source address into a virtual address (S504), and transfers the packet to the device (target terminals 31, 32, 33) indicated by the destination address. (S505). If a virtual address is not assigned to the source address, the relay server 3 transfers the packet to the device indicated by the destination without converting the address (S505).

  Further, when the destination address is not registered in association with the address filter information of the own device, the relay server 3 determines whether or not the destination address is registered in association with the address filter information of another routing device. (S506). When the destination address is registered in association with the address filter information of another routing device, the relay server 3 identifies the corresponding routing session (S507), and transmits (transfers) the packet to this routing session ( S508).

  On the other hand, when the destination address is not registered in the address filter information of another routing device, the relay server 3 discards the packet (S509).

  By performing the above control, the relay server 3 can perform communication using a virtual address.

  Next, a flow when the operation PC 11 and the target terminal 31 exchange packets via the relay servers 1 and 3 that perform the above control will be briefly described with reference to FIG.

  FIG. 20A shows a case where a packet is transmitted from the target terminal 31 to the operation PC 11. In this case, the relay server 1 performs the control shown in FIG. 19 in order to receive a packet from the routing session. On the other hand, the relay server 3 performs the control shown in FIG. 18 in order to receive a packet from the LAN 30.

  The target terminal 31 transmits a packet with the virtual address of the operation PC 11 as the destination address as described above. The relay server 3 that has received this packet recognizes that the relay server 1 is described as a routing device corresponding to the destination address of the packet based on the address filter information (see FIG. 9B) and performs routing. A session is specified (S406). Next, the relay server 3 recognizes that the destination address is a virtual address, and converts the destination address into an actual address (S408). Then, the relay server 3 transmits a packet to the relay server 1 via the routing session (S409).

  The relay server 1 that has received this packet confirms that its own device (relay server 1) is described as a routing device corresponding to the destination address of the packet based on the address filter information (see FIG. 8B). recognize. Next, the relay server 1 recognizes that the virtual address is associated with the transmission source address, and converts the transmission source address into a virtual address (S504). Then, the relay server 1 transmits a packet to the destination operation PC 11 (S505).

  FIG. 20B shows a case where a packet is transmitted from the operation PC 11 to the target terminal 31. In this case, the relay server 1 performs the control shown in FIG. 18 in order to receive a packet from the LAN 10. On the other hand, the relay server 3 performs the control shown in FIG. 19 in order to receive a packet from the routing session.

  The operation PC 11 transmits a packet with the virtual address of the target terminal 31 as a destination. The relay server 1 that has received this packet, like the relay server 3 described above, specifies the routing session (S406), converts the destination address into an actual address (S408), and sends the packet to the relay server 3. A transmission process (S409) is performed.

  The relay server 3 that has received this packet performs the process of converting the source address into a virtual address (S504) and the process of transmitting the packet to the destination target terminal 31 (S505), as with the relay server 1 described above.

  As described above, even when the first routing target address and the second routing target address overlap, communication can be performed using the allocated virtual address.

  As described above, the relay server 3 of this embodiment includes the address filter information storage unit 55, the virtual address allocation information storage unit 57, and the control unit 60. The address filter information storage unit 55 stores the first routing target address and the second routing target address. The virtual address assignment information storage unit 57 stores the second routing target address and the virtual address assigned to the second routing target address in association with each other. The control unit 60 performs reception processing for receiving an instruction to permit or prohibit communication using a virtual address from the user. The control unit 60 transmits the first routing target address to the relay server 1, receives the second routing target address from the relay server 1, and establishes a routing session with the relay server 1. The control unit 60 determines whether there is an overlap between the first routing target address and the second routing target address. When the control unit 60 determines that there is an overlap, the control unit 60 performs the following processing. That is, when the control unit 60 receives an instruction to prohibit communication using a virtual address, the control unit 60 notifies the user that communication is not possible. On the other hand, when the control unit 60 has received an instruction to permit communication using the virtual address, the control unit 60 sets the destination address of the packet when the packet addressed to the virtual address is received from the first routing target device. 2 Convert to a routing target address and transfer the packet to the routing session. Further, when receiving a packet destined for the first routing target address from the routing session, the control unit 60 converts the packet source address to a virtual address and transfers the packet to the destination first routing target device. To do.

  Thereby, in this relay communication system 100, it is possible to set whether communication using a virtual address is possible. Therefore, as a user, when a designated application is not used, by allowing communication using a virtual address, communication can be normally performed even when the routing target addresses overlap. On the other hand, when using a specified application, by prohibiting communication using virtual addresses, if the routing target addresses do not overlap, the specified application can be used without any problem, while the routing target addresses overlap In this case, the user can immediately grasp the situation and take appropriate action.

  In addition, the relay server 3 according to the present embodiment notifies that the communication is impossible and inquires of the user whether to permit or prohibit the communication using the virtual address.

  Thereby, for example, when the user wants to give priority to communication over the designated application, the user can immediately give an instruction to permit communication. Therefore, it is not necessary for the user to call the setting screen or the like to perform the setting for permitting communication, so that a user-friendly operation feeling can be realized.

  In addition, the relay server 3 of the present embodiment presents a designated application and accepts designation of the possibility of using the application.

  This makes it possible to notify the user which application is affected by using the virtual address. Therefore, even when the user does not fully understand the communication using the virtual address, the user can make an appropriate setting according to his / her usage mode.

  In addition, the relay server 3 according to the present embodiment accepts additions and deletions of designated applications.

  Thereby, the relay server can perform reception processing by presenting only the application necessary for the user.

  Moreover, the relay server 3 of this embodiment determines whether there exists duplication between three routing object addresses, when VPN is constructed by the relay servers 1, 2, and 3.

  Accordingly, even when communication is performed with three or more relay servers, it is possible to detect duplication of routing target addresses and assign virtual addresses.

  The preferred embodiment of the present invention has been described above, but the above configuration can be modified as follows, for example.

  The process of accepting an instruction for permitting or prohibiting communication using a virtual address is not limited to after the start of VPN, and may be configured to be performed at the time of initial setting (simultaneously with S102 or the like). Further, when it is detected that there is an overlap between the routing target addresses without setting permission or prohibition of communication using the virtual address in advance, the box shown in FIG. It is also possible to use a configuration in which the user selects whether to use a virtual address each time.

  In the above embodiment, the relay server 3 is configured to assign a virtual address registered in the virtual address registration information storage unit 56. Instead, the relay server 3 may not include the virtual address registration information storage unit 56, and the relay server 3 may generate a virtual address when duplication is detected. At this time, the relay server 3 refers to the contents stored in the address filter information storage unit 55 and uses a virtual address as an address that is not used when performing VPN, thereby ensuring that the virtual server does not overlap with the address in use. An address can be generated.

  A method for determining whether or not there is an overlap between the routing target addresses is arbitrary. For example, a configuration may be adopted in which the overlap is determined only when both the network address and the host address match.

  In the above configuration, the address filter information is exchanged almost simultaneously with the establishment of the routing session. On the other hand, the address filter information may be transmitted together with the transmission of the VPN group start command (S306), and the address filter information may be received together with the response (S307).

  In the above description, the individual devices such as the operation PC 11 are the routing target devices. However, for example, the entire LAN 10 (192.168.0.0/24) may be set as the routing target device of the relay server 1. In this case, a virtual address with a range specified as (160.60.0.0/24) is assigned to the routing target device.

  The timing for assigning the virtual address is arbitrary. For example, in the case of the configuration in which the address filter information is transmitted together with the transmission of the start command, the virtual address can be allocated at an earlier timing.

  In the above, only the relay server functions as a routing point. However, the client terminal may function as a routing point. Further, the number of routing points in the VPN group is not limited to two and may be three or more. One routing device may belong to a plurality of VPN groups.

  The format for storing the relay group information, relay server information, client terminal information, VPN group information, address filter information, etc. is not limited to the XML format, and each information can be stored in an appropriate format.

  Instead of the configuration of the above-described embodiment, an external server used for communication between each relay server may be installed on the Internet, and a communication may be performed by exhibiting a function as a SIP (Session Initiation Protocol) server. .

1 Relay server (second relay server)
3 Relay server (first relay server)
11, 12 Operation PC (second routing target device)
31, 32, 33 Target terminal (first routing target device)
10 LAN (second LAN)
30 LAN (first LAN)
54 VPN group information storage unit 55 Address filter information storage unit 56 Virtual address registration information storage unit 57 Virtual address allocation information storage unit 100 Relay communication system

Claims (7)

A first routing target address that is an address of a first routing target device that is located in the first LAN and can transfer a packet, and an address of a second routing target device that can be transferred by a second relay server located in the second LAN. An address filter information storage unit for storing the second routing target address,
A virtual address assignment information storage unit that stores a second routing target address and a virtual address assigned to the second routing target address in association with each other;
A control unit,
The controller is
A control for performing an acceptance process for accepting an instruction to permit or prohibit communication using the virtual address from a user;
A control for transmitting the first routing target address to the second relay server, receiving the second routing target address from the second relay server, and establishing a routing session with the second relay server;
Control for performing determination processing for determining whether or not there is an overlap between the first routing target address and the second routing target address;
In the case where it is determined that the determination process is duplicated,
Control for notifying that communication is not possible when receiving an instruction to prohibit communication using the virtual address;
When accepting an instruction to permit communication using the virtual address,
When the packet destined for the virtual address is received from the first routing target device, the second routing assigned to the virtual address is made by referring to the virtual address allocation information storage unit. Control to convert the target address and transfer the packet to the routing session;
When a packet addressed to the first routing target address is received from the routing session and the virtual address is assigned with reference to the virtual address assignment information storage unit, the source address of the packet Control to convert the packet to the virtual address assigned to the second routing target address and transfer the packet to the destination first routing target device;
The relay server characterized by performing. A first routing target address that is an address of a first routing target device that is located in the first LAN and can transfer a packet, and an address of a second routing target device that can be transferred by a second relay server located in the second LAN. An address filter information storage unit for storing the second routing target address,
A virtual address assignment information storage unit that stores a second routing target address and a virtual address assigned to the second routing target address in association with each other;
A control unit,
The controller is
A control for transmitting the first routing target address to the second relay server, receiving the second routing target address from the second relay server, and establishing a routing session with the second relay server;
Control for performing determination processing for determining whether or not there is an overlap between the first routing target address and the second routing target address;
When it is determined that the determination process is duplicated,
Control to notify that communication is not possible;
A control for performing an acceptance process for accepting an instruction to permit or prohibit communication using the virtual address from a user;
When receiving an instruction to permit communication using the virtual address,
When the packet destined for the virtual address is received from the first routing target device, the second routing assigned to the virtual address is made by referring to the virtual address allocation information storage unit. Control to convert the target address and transfer the packet to the routing session;
When a packet addressed to the first routing target address is received from the routing session and the virtual address is assigned with reference to the virtual address assignment information storage unit, the source address of the packet Control to convert the packet to the virtual address assigned to the second routing target address and transfer the packet to the destination first routing target device;
The relay server characterized by performing. The relay server according to claim 1,
The said control part notifies that a communication is impossible, and inquires a user whether communication using the said virtual address is permitted or prohibited. A relay server according to any one of claims 1 to 3,
The relay server is a process of presenting an application whose function is restricted in a state in which the virtual address is assigned and receiving designation of the possibility of using the application. The relay server according to claim 4,
The said control part receives the addition and deletion of the application shown by the said reception process, The relay server characterized by the above-mentioned. A relay server according to any one of claims 1 to 5,
The controller is
Receiving the second routing target address from the second relay server and receiving the third routing target address from the third relay server;
The relay server characterized in that the determination process determines whether there is an overlap among the first routing target address, the second routing target address, and the third routing target address. In the relay communication system including the first relay server and the second relay server,
The first relay server located in the first LAN is
A first routing target address which is an address of a first routing target device to which the first relay server can transfer a packet, and a second routing target device to which the second relay server located in the second LAN can transfer a packet. An address filter information storage unit that stores a second routing target address that is an address;
A virtual address assignment information storage unit that stores a second routing target address and a virtual address assigned to the second routing target address in association with each other;
A control unit,
The controller is
A control for performing an acceptance process for accepting an instruction to permit or prohibit communication using the virtual address from a user;
A control for transmitting the first routing target address to the second relay server, receiving the second routing target address from the second relay server, and establishing a routing session with the second relay server;
Control for performing determination processing for determining whether or not there is an overlap between the first routing target address and the second routing target address;
In the case where it is determined that the determination process is duplicated,
Control for notifying that communication is not possible when receiving an instruction to prohibit communication using the virtual address;
When accepting an instruction to permit communication using the virtual address,
When the packet destined for the virtual address is received from the first routing target device, the second routing assigned to the virtual address is made by referring to the virtual address allocation information storage unit. Control to convert the target address and transfer the packet to the routing session;
When a packet addressed to the first routing target address is received from the routing session and the virtual address is assigned with reference to the virtual address assignment information storage unit, the source address of the packet Control to convert the packet to the virtual address assigned to the second routing target address and transfer the packet to the destination first routing target device;
A relay communication system.

Images