JP3658300B2 - Mobile VPN service method and apparatus - Google Patents

Description

[0001]
BACKGROUND OF THE INVENTION
In an IP (Internet Protocol) communication network (communication network that uses IP as a transfer protocol) that connects multiple LANs, a specific LAN connected to the IP communication network is secured with the same security as a dedicated line. As a technique for this, a VPN (Virtual Private Networks) function for setting a virtual private network between specific LANs is known. A communication network is involved in a VPN set between a specific LAN connected to the IP communication network by a device in the IP communication network. Conventionally, a VPN is set for a LAN whose connection position to the IP communication network is fixed. The present invention relates to a network means (function) for automatically setting a VPN for a LAN that moves a connection position to an IP communication network, and a setting method thereof.
[0002]
[Prior art]
For example, as shown in FIG. 4, in the conventional VPN, when setting a VPN 6 between LAN 1 and LAN 2 in an IP communication network (network) 21, a LAN accommodation having a VPN setting function (means) to which the LAN 1 is connected. The network management device 20 is used for the device 3 and the LAN accommodating device 3A having the VPN setting function (means) to which the LAN 2 is connected, and the maintenance person of the IP communication network 21 maintains the formation of the VPN 6 by the VPN setting instruction 20A. Set.
[0003]
In this method (method and apparatus), it is assumed that the connection position of the LAN for setting the VPN 6 to the IP communication network 21 is fixed. Therefore, when the connection positions of the LAN 1 and LAN 2 to the IP communication network 21 are changed. If it is left as it is, the setting position of the VPN 6 deviates from the connection positions of the LAN 1 and the LAN 2, and the VPN setting formed between the LAN 1 and the LAN 2 becomes invalid.
[0004]
FIG. 5 shows a method for dealing with the case where the connection position of the LAN forming the VPN to the IP communication network is changed in this method.
[0005]
In the IP communication network 21, the network management device 20 creates a VPN 6 for the LAN 1 connected to the LAN accommodating device 3 having the VPN setting function (means) and the LAN 2 connected to the LAN accommodating device 3 A having the VPN setting function (means). Although but had been set, when moving to the LAN accommodating device 3B with the VPN function (means) LAN2 is the connection position to the IP network 21 as LAN2 ', from the network management apparatus 20 of the IP network 21 maintenance personnel Then, after the VPN6 setting is canceled by the VPN setting cancellation instruction 20B, the VPN6A is set by the VPN setting instruction 20A.
[0006]
As described above, in this method, when the connection position to the IP communication network 21 of the LAN 2 to which the VPN 6 is set is changed, the VPN 6A can be reset according to the change, but the IP communication network 21 side performs the IP communication. When the maintenance person of the network 21 needs to reset the VPN 6A and the frequency of changing the connection position of the LAN 2 ′ to the IP communication network 21 increases, the maintenance operation on the IP communication network 21 side increases.
[0007]
In addition, when the connection position of the LAN 2 to the IP communication network 21 is repeatedly changed in a short time, the setting change by the maintenance work cannot be expected to be immediate for the new VPN resetting.
[0008]
As for the conventional VPN, there is a service example shown in FIG.
In the IP communication network 21 of FIG. 6, the LAN connection terminal 1A accommodated in the LAN 1 to which the VPN is set moves to the connection position as the LAN connection terminal 2A of the LAN 2 belonging to the same VPN 6.
[0009]
In the example of FIG. 6, when some LAN connection terminals 1A and 2A accommodated in a LAN in which VPN 6 is set move to another LAN, network means (function) for holding the VPN with respect to the LAN connection terminal As for the network function (means) for holding the VPN for the moved LAN when the LAN itself moves, there is no example implemented so far.
[0010]
The network function (means) held by the VPN setting when the LAN itself moves can be expected to be a function provided by the IP communication network with the spread of a local IP network such as an intranet.
[0011]
[Problems to be solved by the invention]
An object of the present invention is to perform maintenance operation by a maintenance person of an IP communication network to re-set a VPN that is necessary with frequent movement of the LAN when a VPN is set between LANs connected to the IP communication network. It is to provide a technology that can be realized without involving the above.
[0012]
The above and other objects and novel features of the present invention will become apparent from the description of this specification and the accompanying drawings.
[0013]
[Means for Solving the Problems]
The outline of the invention disclosed in the present application will be briefly described as follows.
According to a first aspect of the present invention, there are provided a plurality of LAN accommodating devices for setting a VPN (Virtual Private Networks) in an IP communication network, a VPN management device for managing the VPN settings, and an IP (Internet Protocol) via the LAN accommodating device. ) in IP communication network comprising a plurality of LAN that is connected to a communication network, a mobile VPN service apparatus for moving a VPN tunnel set between LAN according to the movement of the LAN, said LAN receiving device, the VPN setting means for setting a VPN tunnel based on the location information of the VPN managed by the VPN management device, and the movement of the LAN accommodated based on the LAN identifier managed by the VPN management device, and setting the VPN A mobile IP means for setting a mobile IP tunnel to the destination LAN accommodating device when the movement of the local LAN is detected; The VPN setting unit and the mobile IP unit cooperate to connect the VPN tunnel and the mobile IP tunnel, and the VPN tunnel identifier and the LAN identifier managed by the VPN management device are provided. This is a mobile VPN service device that forms a new VPN tunnel without changing the correspondence relationship .
[0014]
According to a second aspect of the present invention, there are provided a plurality of LAN accommodating devices for setting a VPN (Virtual Private Networks) in an IP communication network, a VPN management device for managing the VPN settings, and an IP (Internet Protocol) via the LAN accommodating device. ) in IP communication network comprising a plurality of LAN that is connected to a communication network, a mobile VPN service method for moving a VPN tunnel set between LAN according to the movement of the LAN, it is managed in the VPN management device VPN setting step for setting a VPN tunnel based on the location information of the VPN, and the movement of the LAN accommodated based on the LAN identifier managed by the VPN management device, and the movement of the LAN for which the VPN is set If detected, a mobile IP step for setting a mobile IP tunnel to the destination LAN accommodating device, and the VPN setting step A connection step for connecting the VPN tunnel set in step and the mobile IP step and the mobile IP tunnel, and a correspondence relationship between the VPN tunnel identifier managed by the VPN management device and the LAN identifier. This is a mobile VPN service method for forming a new VPN tunnel without change .
[0015]
That is, the point of the present invention is that when a VPN is set between LANs connected to the IP communication network, the VPN is automatically set even when the LAN moves the connection position to the IP communication network. A service method of an IP communication network to be held and an apparatus for implementing the method.
[0016]
In IP network, VPN setting unit to the LAN accommodating device, a mobile IP means, provided connecting means between the VPN tunnel and a Mobile IP tunnel by the Turkey to manage VPN setting conditions of LAN to VPN management apparatus installed VPN , Regarding the LAN for setting the VPN, the VPN management device sets the VPN tunnel identifier and the LAN identifier, which are the VPN setting conditions for the LAN, to the LAN accommodating device that is the home agent (HA) of the mobile IP means of the LAN. The LAN accommodating apparatus sets the VPN tunnel according to the VPN setting condition.
[0017]
Thereafter, the mobile IP means manages the movement of the accommodated LAN based on the LAN identifier managed by the VPN management apparatus, and when the movement of the LAN in which the VPN is set is detected, the mobile to the destination LAN accommodation apparatus An IP tunnel is set up, and the connecting unit cooperates with the VPN setting unit and the mobile IP unit to connect the VPN tunnel and the mobile IP tunnel.
When any of the LANs configured with VPN moves from the place of the LAN accommodating device connected to the IP communication network, the LAN accommodating device connected to the moved LAN is moved by the FA function (means) of the mobile IP means. The location information of the moved LAN is notified to the LAN accommodating device serving as the HA of the mobile IP tunnel between the LAN accommodating device serving as the HA of the moved LAN and the LAN accommodating device serving as the FA (Foreign Agant) of the LAN. Set. Here, the LAN accommodating device serving as the HA connects the original VPN tunnel and the mobile IP tunnel to form a new VPN, so that the setting of the VPN between the LANs is automatically held even after movement.
[0018]
Hereinafter, the present invention will be described in detail with reference to the drawings together with embodiments (examples) according to the present invention.
In all the drawings for explaining the embodiments (examples), those having the same function are given the same reference numerals, and the repeated explanation thereof is omitted.
[0019]
DETAILED DESCRIPTION OF THE INVENTION
(Example 1)
FIG. 1 is a schematic diagram showing a schematic configuration of a mobile VPN service apparatus according to the first embodiment of the present invention. FIG. 2 is a diagram showing VPN setting conditions in the mobile VPN service apparatus according to the first embodiment. In FIG. 1, 1 and 2 are LANs, 4, 5 and 6 are LAN accommodating devices, 8 is a VPN tunnel, 9 is a mobile IP tunnel, 10 is a new VPN, 20 is a VPN management device, and 21 is an IP communication network. . Each of the LAN accommodating devices 4, 5, and 6 has a VPN setting function, a mobile IP function, and a function (means) for connecting the VPN tunnel and the mobile IP tunnel.
[0020]
As shown in FIG. 1, the mobile VPN service apparatus according to the first embodiment is connected between the LAN 1 connected to the LAN accommodating apparatus 4 and the LAN 2 connected to the LAN accommodating apparatus 5 in the IP communication network 21. When setting the VPN, the VPN management device 20 sets VPN setting conditions for the LAN accommodating device 4 and the LAN accommodating device 5 which are the HAs of the respective mobile IP functions (means) for the LAN 1 and the LAN 2.
[0021]
At this time, the VPN setting condition to be set indicates a correspondence relationship between a LAN identifier for distinguishing a LAN for setting a VPN and a VPN tunnel identifier for identifying a VPN tunnel used by the LAN, which are indicated by the components of the MD in FIG. Information.
[0022]
In FIG. 2, VD1, VD2, ··· identifier of the VPN tunnel (VPN Tunnel 8), LD1, LD2, ··· is an identifier of LA N. An identifier VD1 of the VPN tunnel (VPN tunnel 8) and an identifier LD1 of LAN (LAN 1 ) are managed by the LAN accommodating device 4, and an identifier VD2 of the VPN tunnel (VPN tunnel 8) and an identifier LD2 of LAN (LAN2) Are managed by the LAN accommodating device 5. Similarly, identifiers VD3,... And identifiers LD3,.
[0023]
Specifically, the VPN management device 20 sets that the LAN 1 corresponds to the VPN tunnel 8 for the LAN accommodating device 4 and that the LAN 2 corresponds to the VPN tunnel 8 for the LAN accommodating device 5. Further, the LAN accommodating device 4 is a LAN agent 4 that is the home agent (HA) of its own mobile IP function (means), and the LAN 2 is the HA accommodating of its own mobile IP function (means). The device 5 is set.
[0024]
After this setting, the LAN accommodating device 4 and the LAN accommodating device 5 set the VPN tunnel 8 between the LAN 1 and the LAN 2 by the VPN setting function (means).
[0025]
Here, each time the LAN that is managed as the home agent (HA) of the mobile IP function (means) by the LAN accommodating device moves as the home agent (HA) of the mobile IP function (means), It keeps receiving and managing the notification of the IP address of the destination LAN accommodating device as a care-of address, captures the packet addressed to the home address of the moved LAN, and moves to the care-of address (current position) of the LAN via the mobile IP tunnel. Can be transferred.
[0026]
Further, the destination LAN accommodating device can notify the home agent (HA) of the connected LAN as a care-of address to the home agent (HA) of the connected LAN as a mobile IP function (means) FA (Foreign Agant).
[0027]
From this state, when the LAN 2 moves the connection position with the IP communication network 21 to the LAN accommodating device 6, the LAN accommodating device 6 keeps holding the VPN tunnel 8 and indicates that the LAN 2 has moved under its control. The LAN function notifies the LAN accommodating device 5 that is the HA of the LAN 2 by the FA function (specifically, the LAN accommodating device 6 transmits the IP address of the LAN accommodating device 6 to the LAN accommodating device 5 as the care-of address of the LAN 2). The device 5 holds the current position of the LAN 2 with a care-of address, and generates a mobile IP tunnel 9 between the LAN accommodating device 5 and the LAN accommodating device 6.
[0028]
The LAN accommodating device 5 manages that the LAN 2 is currently connected to the mobile IP tunnel 9.
[0029]
Thereafter, the LAN accommodating device 5 connects the VPN tunnel 8 and the mobile IP tunnel 9 based on the VPN setting condition set by the VPN management device 20 (LAN2 communicates with the VPN tunnel 8) (VPN tunnel 8). Can be transferred to the mobile IP tunnel 9 to which the LAN 2 is currently connected), and a new VPN 10 can be generated between the LAN 1 and the LAN 2 to automatically hold the VPN.
[0030]
(Example 2)
FIG. 3 is a schematic diagram showing a schematic configuration of the mobile VPN service apparatus according to the second embodiment of the present invention.
[0031]
The mobile VPN service apparatus according to the second embodiment is an example of a case where the LAN further moves the connection position to the IP communication network from the LAN connection position (the LAN position shown in FIG. 1) of the first embodiment.
[0032]
As shown in FIG. 3, in the IP communication network 21, the LAN 2 shows the connection position to the IP communication network 21 from the state where the VPN is formed between the LAN 1 and the LAN 2 by the VPN tunnel 9 and the mobile IP tunnel 10. In this case, while the VPN tunnel 9 is held, the LAN accommodating device 7 uses the FA function (means) of the mobile IP function (means) to indicate that the LAN 2 has moved under the control of the mobile IP function ( And the LAN accommodation device 5 functioning as a home agent (HA) (specifically, the LAN accommodation device 7 notifies the LAN accommodation device 5 of the IP address of the LAN accommodation device 7), and the LAN accommodation A new mobile IP tunnel 11 is generated between the device 5 and the LAN accommodating device 7.
[0033]
Thereafter, a VPN 12 is newly generated between the LAN 1 and the LAN 2 ′ by connecting the VPN tunnel 9 and the mobile IP tunnel 11 based on the VPN setting condition set by the VPN management device 8, and the LAN of the moved LAN Keep the VPN in between.
[0034]
Although the invention made by the present inventor has been specifically described based on the embodiment (example), the invention is not limited to the embodiment (example), and departs from the gist thereof. Of course, various changes can be made without departing from the scope.
[0035]
【The invention's effect】
The effects obtained by the invention disclosed in the present application will be briefly described as follows.
According to the present invention, when a VPN is set between a specific LAN connected to the IP communication network by the function of the device in the IP communication network, the LAN in which the VPN is set is Even if the connection position to the IP communication network is moved, the function (means) that can maintain the VPN settings and ensure communication security can be used without the maintenance operation on the IP communication network side (means). ) Can be realized automatically and immediately.
[Brief description of the drawings]
FIG. 1 is a schematic diagram showing a schematic configuration of a mobile VPN service apparatus according to a first embodiment of the present invention.
FIG. 2 is a diagram illustrating VPN setting conditions in the mobile VPN service apparatus of the first embodiment.
FIG. 3 is a schematic diagram showing a schematic configuration of a mobile VPN service apparatus according to a second embodiment of the present invention.
FIG. 4 is a schematic diagram for explaining a conventional VPN setting method;
FIG. 5 is a schematic diagram for explaining a method of dealing with a conventional VPN setting method when a LAN in which a conventional VPN is set moves to a connection position to an IP communication network.
FIG. 6 is a schematic diagram for explaining an example of a function in which only a terminal accommodated in an existing LAN moves with a conventional function.
[Explanation of symbols]
DESCRIPTION OF SYMBOLS 1, 2 ... LAN 4, 5, 6, 7 ... LAN accommodating apparatus 8 ... VPN tunnel 9 ... Mobile IP tunnel 10, 12 ... New VPN 11 ... New mobile IP tunnel 20 ... VPN management apparatus 21 ... IP communication network

Claims (2)

Connected to an IP (Internet Protocol) communication network via a plurality of LAN accommodating devices for setting VPN (Virtual Private Networks) in the IP communication network, a VPN management device for managing the VPN settings, and the LAN accommodating device. that a plurality of IP communication network of a LAN, creating a mobile VPN service apparatus for moving a VPN tunnel set between LAN according to the movement of the LAN,
The LAN accommodating device is:
VPN setting means for setting a VPN tunnel based on VPN location information managed by the VPN management device;
Manages the movement of the accommodated LAN based on the LAN identifier managed by the VPN management apparatus, and sets the mobile IP tunnel to the destination LAN accommodation apparatus when the movement of the LAN in which the VPN is set is detected. Mobile IP means;
Connecting means for connecting the VPN tunnel and the mobile IP tunnel in cooperation with the VPN setting means and the mobile IP means;
Wherein the without VPN management device changes the correspondence relationship between the VPN tunnel identifier which manage the LAN identifier, the mobile VPN service apparatus according to claim Rukoto forming form a new VPN tunnel. Connected to an IP (Internet Protocol) communication network via a plurality of LAN accommodating devices for setting VPN (Virtual Private Networks) in the IP communication network, a VPN management device for managing the VPN settings, and the LAN accommodating device. that a plurality of IP communication network of a LAN, creating a mobile VPN service method for moving a VPN tunnel set between LAN according to the movement of the LAN,
A VPN setting step for setting a VPN tunnel based on the location information of the VPN managed by the VPN management device;
Manages the movement of the accommodated LAN based on the LAN identifier managed by the VPN management apparatus, and sets the mobile IP tunnel to the destination LAN accommodation apparatus when the movement of the LAN in which the VPN is set is detected. Mobile IP step;
A connecting step of connecting the VPN tunnel set in the VPN setting step and the mobile IP step and the mobile IP tunnel;
And forming a new VPN tunnel without changing the correspondence between the VPN tunnel identifier managed by the VPN management device and the LAN identifier .

Images