JP2019118156A - Communication system, communication device, and vpn construction method - Google Patents

Abstract

To dynamically generate a virtual tunnel by transmitting global IP address port information after NAT conversion between spokes, in an environment where the spokes are subordinate to a NAT device.SOLUTION: A spoke transmits and receives global IP address port information after NAT conversion obtained from a STUN server, so as to be included in a packet extension field of an NHRP protocol. Each spoke notifies a hub of its global IP address port information, so as to be included in an NHRP registration packet. In generating a virtual tunnel, a transmission source spoke notifies another spoke of its global IP address port information by using an NHRP resolution request packet. Upon receipt of the NHRP resolution request packet, the other spoke transmits its global IP address port information so as to be included in an NHRP resolution response packet. The spoke generates the virtual tunnel with the other spoke on the basis of external address information transmitted to each other.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a communication system, a communication device, and a method of constructing a Virtual Private Network (VPN), and more particularly, to a communication system, a communication device, and a method of constructing a VPN which configure a Dynamic Multipoint Virtual Private Network (DMVPN).

  When building a VPN between a large number of sites such as companies via a wide area network, a mechanism to build a secure network that can exchange data directly between the sites without going through the VPN device at the head office There is DMVPN as a solution to provide. DMVPN is an abbreviation of "Dynamic Multipoint Virtual Private Network", and can construct a hub-and-spoke VPN, and can create a virtual tunnel between spokes on demand when communication between the spokes occurs. That is, DMVPN can provide near full mesh performance while taking a hub-and-spoke configuration. The virtual tunnel is constructed by the original packet being encapsulated by the carrier protocol by the VPN device.

  For example, a VPN device, which is a spoke that is under control of a local area network (LAN) at the base, and a VPN device, which is a hub disposed at the head office, are connected by virtual tunnels via a wide area network such as the Internet. At this time, virtual tunnels are always set between the hub and the spokes, and the spokes are configured to create virtual tunnels only when necessary. As described above, the DMVPN virtual tunnel is a virtual tunnel in which a plurality of destinations are connected by connecting a plurality of spokes to a hub. Therefore, multipoint GRE (Generic Routing Encapsulation) is used to perform routing encapsulation at a multipoint. In addition, IPsec (Internet Protocol Security) is used to encrypt transfer data in order to secure the security of communication in the virtual tunnel.

  That is, the hub and each spoke are connected by a static IPsec virtual tunnel, and between the spokes is configured to establish an IPsec virtual tunnel on demand. By configuring in this way, it is possible to reduce the load on the hub and flexibly construct a network that secures communication security.

  Note that IPsec is defined by the Internet Engineering Task Force (IETF) as a standard protocol of VPN in order to perform highly secure inter-LAN communication between routers via the Internet. IPsec is a technology that encrypts communication performed by routers connecting a LAN to the Internet via the Internet according to a predetermined protocol, and prevents interception or falsification of data transmitted and received between the routers. . That is, the routers connecting the LAN to the Internet encrypt and encapsulate packets transferred in the Internet by using IPsec to construct a secure VPN.

  In addition, there is NHRP (Next Hop Resolution Protocol) as a technology used in DMVPN.

  NHRP is a protocol for performing address resolution in an NBMA (Non Broadcast Multiple Access) environment, which is a multi-access network not supporting broadcast, and is defined in IETF Request For Comments (RFC) 2332. NHRP is used to resolve the Non Broadcast Multiple Access (NBMA) address, which is the physical address on the wide area network side of the destination VPN device, from the destination IP (Internet Protocol) address (private IP address on the virtual network) of the virtual tunnel. It is a protocol.

  In DMVPN, for example, a dynamic virtual tunnel between spokes is generated in the following procedure.

  Each spoke under the hub notifies the hub of the private IP address and NBMA address of its virtual tunnel in advance by NHRP registration. Then, the hub holds mapping information of private IP address and NBMA address of virtual tunnel of each spoke.

  When a terminal A in a private network under a certain spoke A communicates with a terminal B in a private network under another spoke B, the data packet is transmitted along a route of terminal A → spoke A → hub → spoke B → terminal B Be done.

  At this time, when the hub detects that the spoke A of the packet transmission source and the spoke B to which the packet is transmitted can dynamically create a virtual tunnel, it transmits an NHRP traffic notification to the spoke A. In the NHRP traffic notification, the private IP address of the terminal B in the private network under the spoke B is stored.

  Having received the NHRP traffic notification, spoke A transmits an NHRP resolution request to the private IP address of terminal B in the private network under spoke B.

  The NHRP resolution request is received at spoke B via the hub.

  Spoke B returns an NHRP resolution response to Spoke A. The NHRP resolution response contains the private IP address and the NBMA address of the spoke B virtual tunnel.

  In the spoke A that has received the NHRP resolution response, routing information is generated that a packet addressed to the private network under the spoke B is forwarded to the private IP address of the spoke B virtual tunnel. And, in the spoke A, at the same time, the mapping information of the private IP address and the NBMA address of the virtual tunnel of the spoke B is held.

  Spoke A creates a virtual tunnel to Spoke B using the holding Spoke B address information. As a result, data packets from this virtual tunnel creation are sent directly from the spoke A to the spoke B without passing through the hub, and are sent to the terminal B in the private network subordinate to the spoke B.

  In the above description, it is assumed that the hub that has received the NHRP resolution request from the spoke A sends it to the spoke B, and the spoke B returns an NHRP resolution response. However, if the protocol permits the return of the NHRP resolution response based on the mapping information cached at the hub, the hub that has received the NHRP resolution request may return the NHRP resolution response. Here, for simplicity of explanation, it is assumed that the hub that has received the NHRP resolution request from spoke A sends it to spoke B, and spoke B returns an NHRP resolution response.

  Here, as technologies related to VPN, NAT (Network Address Translation) and STUN (Simple Traversal of User Datagram Protocol through NATs) protocols will be outlined.

  NAT is an address conversion performed in a gateway device that connects a private network and the Internet, and a private IP address and a global IP address held by the gateway device are converted. NAT is defined in IETF RFC 2766, 2663, 3022, etc. Here, NAT means NAT in a broad sense including NAPT (Network Address Port Translation) in a narrow sense. And an address port shall mean either an address only, an address and a port.

  The STUN protocol is a global IP address and port necessary for communication across NAT devices when a communication device located behind a device (NAT device) performing NAT performs a UDP (User Datagram Protocol) connection. , Used to obtain the type of NAT. The STUN protocol is defined in RFC 3489 of the IETF.

  The network configuration in which the STUN protocol operates includes a STUN server, a NAT device, and a STUN client.

  The STUN server is a server that performs services related to the execution of the STUN protocol, and is an address information providing device provided on the Internet and providing information necessary for communication across NAT devices.

  The STUN client is a communication device in a private network located behind a NAT device. The STUN client sends a test message to the STUN server on the Internet via the NAT device, and obtains information on how the STUN client looks from the STUN server. That is, the STUN client acquires, from the STUN server, the global IP address and port necessary for communication across the NAT device, and the type of NAT.

  In the STUN protocol, NAT is classified into four types (NAT types) according to the mapping method of NAT address / port conversion performed by the NAT device. There are four NAT types, full cone NAT, address restricted cone NAT, port restricted cone NAT, and symmetric NAT, according to the restriction of the terminal on the Internet side that can access the port assigned by NAT.

  The full cone NAT has no restriction on terminals on the Internet side that can access the port assigned by NAT, and makes the session port once opened accessible by anyone. That is, regardless of the other party of communication, address / port conversion is performed according to the entry of the NAT conversion table, and is made to pass inside the NAT device (private network side).

  The address restriction cone NAT restricts the terminal on the Internet side which can access the port assigned by NAT in an address dependent manner. In other words, it is possible to access only from the terminal having the Internet side address which has been accessed by the terminal under the NAT device, and the address / port conversion according to the entry of the NAT conversion table is performed to pass inside the NAT. The "terminal under the NAT device" means a terminal on the private network side connected to the NAT device.

  Port restriction cone NAT restricts the terminal on the Internet side which can access the port assigned by NAT depending on the address and the port. In other words, the terminal under the NAT device can only access from the terminal with the address and port number on the Internet side that has a history of access, and performs address / port conversion according to the entry of the NAT translation table and passes inside the NAT device. Let

  Symmetric NAT generates, for the communication source terminal, an entry of a NAT translation table having a different port number for each destination on the Internet side of the communication destination. In other words, if the Internet destination changes, NAT's Internet-oriented port number will always change. As a terminal on the Internet side capable of accessing a port assigned by NAT, the terminal on the private network side of the communication source and the terminal on the Internet side of the communication destination are limited only when they correspond one to one.

  The operation until the STUN client knows the global IP address / port after NAT translation is as follows.

  The STUN client sends a STUN request message to the STUN server global IP address / port.

  When the STUN request message passes through the NAT device, a NAT translation table entry is created and the source IP address port is rewritten from the private IP address port to the global IP address port.

  When the STUN server receives the STUN request message, it sends a STUN response message to the global IP address port of the sender address of the STUN request message. At this time, the STUN server includes the global IP address / port in the STUN response message.

  As the STUN response message passes through the NAT device, the destination address / port is rewritten to the private IP address / port based on the NAT translation table entry, and is received by the STUN client.

  The STUN client can know its own global IP address and global port by the information of the global IP address and port contained in the STUN response message.

  Note that the STUN server has two IP addresses and port numbers. Then, when the STUN client sends a STUN request message, it can include an IP address change and port number change request in the request message. Thereby, the transmission source IP address and port number of the response message from the STUN server can be changed. In the STUN protocol, the STUN client can specify the NAT type of the NAT device to which the STUN client is connected by performing communication several times between the STUN client and the STUN server by this mechanism.

  Techniques related to a VPN apparatus, NAT and STUN are disclosed in Patent Documents 1 to 3.

  Patent Document 1 discloses a VPN apparatus capable of transitioning to P2P communication when peer-to-peer (P2P) communication is possible during communication. There are NAT devices whose operating characteristics change depending on conditions, and even when communication can only be performed via a relay server at the start of a call, P2P communication may be possible during the communication. In such a case, the VPN apparatus disclosed in Patent Document 1 can shift to P2P communication.

  This VPN apparatus includes a NAT type determination unit, performs NAT type determination processing while performing communication with a partner apparatus via a relay server, and NAT type that is highly likely to allow P2P communication with the partner apparatus. When it is determined, processing to shift to P2P communication is performed. The VPN apparatus also includes an external address / port acquisition unit that acquires external address / port information used when accessing the apparatus from the outside of the relay apparatus.

  The external address / port acquisition unit executes communication of a predetermined test procedure with the STUN server, and receives from the STUN server a response packet including the global IP address and port assigned for communication of the own device. . Also, the NAT type is determined by STUN. The NAT type determination unit determines the availability of P2P communication based on a combination of NAT types installed on the transmission side and the reception side.

  When transitioning to P2P communication, the calling side and the called side are connected via the call control server using the call control port, and communication port information for performing communication via the relay server is exchanged. Then, in the communication via the relay server, the information of the P2P port that performs P2P communication is exchanged. The call control server is a device that holds identification information of a registered terminal or the like and performs a service related to call control between communication devices for calling a specific destination and establishing a communication path.

  Patent Document 2 determines a NAT type of a relay apparatus between networks in which address conversion is performed, promptly determines the communication possibility with the other apparatus, and can construct a communication path with the other apparatus. Disclose.

  The VPN device sends at least two test packets to the STUN server at different address ports of the STUN server. Then, the NAT type of the relay apparatus is determined based on the external address / port information included in the response packet from different address / port for these test packets, and the communication possibility is determined.

  When it determines that communication is possible and shifts to P2P communication, a connection request including external address and port information is transmitted from the calling side to the called side via the call control server. When the called party receives a connection request via the call control server, the called party acquires the external address / port information of its own device from the STUN server as in the case of the calling party. Then, the connection response including the external address and port information is returned to the calling side via the call control server.

  In this way, when both the calling side and the called side acquire the external address and port information of the other party via the call control server, the external address and port information is subsequently exchanged between the calling side and the called side. Use it to perform P2P communication. The call control server is a device that holds identification information of a registered terminal or the like and performs a service related to call control between communication devices for calling a specific destination and establishing a communication path.

  Patent Document 3 discloses a communication device such as an IP-PBX (Private Branch Exchange) or an IP key telephone system which performs connection between local networks connected by relaying the Internet or the like.

  The IP-PBX acquires the access information (global IP address and port) of its own device from the router or STUN server functioning as a gateway of the local network, and creates an e-mail in which the acquired access information is inserted in the text. Then, the IP-PBX sends the e-mail to a remote IP phone deployed in a different local network as a destination. The remote IP telephone registers with the IP-PBX using the access information described in the e-mail. By this registration, the IP-PBX performs call origination / reception control to the IP telephone at a remote location.

JP, 2011-188358, A JP, 2010-283594, A JP, 2011-041138, A

  In DMVPN, in a network environment in which spokes are located under a NAT device, two spokes attempting to perform inter-spoke communication can not know each other's NAT translated global IP address. Address information notified within the Internet and reachable of transfer data is a global IP address. Therefore, in a network environment in which the spokes are subordinate to the NAT device, both spokes can not know the other party's global IP address, and a virtual tunnel can not be dynamically established between the spokes.

  For example, in a corporate network via the Internet, DMVPN can implement a full mesh VPN by arranging VPN devices at the head office and each location. Usually, it is necessary to select an ISP (Internet Service Provider) for Internet connection. And, in some ISPs, carrier grade NAT has been introduced against the background of IP address exhaustion and the like.

  If the ISP for connecting the VPN device as the spoke to the Internet introduces carrier grade NAT, the IP address port of the spoke under carrier grade NAT is translated by carrier grade NAT. Therefore, even if trying to create a virtual tunnel dynamically between spokes under carrier grade NAT, it is not possible to know the global IP address / port after NAT conversion of each other.

  On the other hand, Patent Literatures 1 to 3 disclose a technique for finding a global IP address / port after NAT conversion using the STUN protocol.

  Then, in the techniques disclosed in Patent Document 1 and Patent Document 2, the calling side and the called side mutually exchange the NAT-converted global IP address port obtained using the STUN protocol via the call control server. It is configured as follows. In the technology disclosed in Patent Document 3, the global IP address / port after NAT conversion acquired using the STUN protocol is configured to be notified to a remote IP telephone using electronic mail.

  The call control server in Patent Document 1 or 2 holds identification information of a registered terminal or the like, and performs a service related to call control between communication devices for calling a specific destination and establishing a communication path. It is an apparatus. In Patent Document 1 and Patent Document 2, an environment in which such a call control server is deployed is premised. Moreover, in patent document 3, it presupposes that the structure which transmits an email is required.

  Therefore, there is a problem that the techniques disclosed in Patent Literatures 1 to 3 can not be used for a system to which such a premise can not be applied.

  In other words, even if the global IP address / port after NAT conversion can be acquired, the spoke on the DMVPN that does not have an environment where a call control server is not deployed or a configuration to send an e-mail does not have that information to the other spoke. There is a problem that it can not be transmitted.

  The present invention is a communication system capable of dynamically generating virtual tunnels by notifying acquired spokes global IP address / port information after NAT conversion between spokes in an environment where spokes on DMVPN are under a NAT device. , A communication device and a method of constructing a VPN.

  In order to achieve the above object, a communication system according to an embodiment of the present invention functions as a spoke that configures a Dynamic Multipoint Virtual Private Network (DMVPN), and NATs packets transmitted and received between networks in different address spaces. Network Address Translation) External address / port information, which is installed under the relay device that performs address translation, and is generated by the NAT address translation and is address information that can be accessed from the address space outside the relay device. The external address / port information is acquired from an address information providing apparatus having a function to reply, and the external address / port information is included in an extension field of a Next Hop Resolution Protocol (NHRP) registration packet used in the DMVPN and transmitted. At least two communication devices, a first communication device and a second And the external address / port information contained in the NHRP registration packet received from each of the subordinate first communication device and the second communication device. And a third communication device registered in mapping information associated with each of the first communication device and the second communication device, wherein the third communication device is connected via the third communication device. In communication between the first communication device, which is the spoke of the packet transmission source, and the second communication device, which is the spoke of the packet transmission destination, between the first communication device and the second communication device When it is detected on the basis of the mapping information that a virtual tunnel can be generated, the first communication device is instructed to generate the virtual tunnel, and from the third communication device The first communication device that has received an instruction to create a virtual tunnel transmits the information including the external address and port information of the first communication device in the extension field of the NHRP resolution request packet used in the DMVPN, The second communication device that has received the NHRP resolution request packet from the first communication device includes the external address / port information of the second communication device in the extension field of the NHRP resolution response packet used in the DMVPN. And the first communication device that receives the NHRP resolution response packet receives the second communication based on the external address / port information of the second communication device included in the NHRP resolution response packet. The virtual tunnel is created between itself and a device.

  A communication apparatus according to another aspect of the present invention is generated by the NAT address translation through a relay apparatus that performs NAT (Network Address Translation) address translation of packets transmitted and received between networks in different address spaces. External address / port information for acquiring the external address / port information from an address information providing apparatus having a function of returning external address / port information which is address information accessible from the address space outside the relay apparatus The external address / port information is included in an extension field of a Next Hop Resolution Protocol (NHRP) registration packet used in acquisition means and a Dynamic Multipoint Virtual Private Network (DMVPN), and the information is transmitted to the DMVPN hub. In the inter-spoke communication via the hub, between the other party spoke When it is notified that the virtual tunnel can be created, the external address / port information is included in the extension field of the NHRP resolution request packet used in the DMVPN, and the information is transmitted to the counterpart spoke, and the NHRP resolution request packet Address resolution means for acquiring the external address / port information of the other party spoke from the extension field of the NHRP resolution response packet used in the DMVPN returned by the other party spoke that has received e. Tunnel generation means for generating the virtual tunnel with the other party spoke based on the foreign address / port information of the other party spoke.

  In addition, a VPN construction method according to another embodiment of the present invention functions as a spoke configuring a Dynamic Multipoint Virtual Private Network (DMVPN), and NAT (Network Address Translation) address of packets transmitted and received between networks of different address spaces. From the address information providing apparatus having the function of returning the external address and port information which is installed under the relay apparatus performing conversion and can access from the address space outside the relay apparatus In the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used by the DMVPN, each of the first communication device and the second communication device, which are at least two communication devices for acquiring port information, the external address / port. As a hub that transmits the information including information and configures the DMVPN. The third communication device functioning as the first communication device includes the external address / port information included in the NHRP registration packet received from each of the first communication device and the second communication device under its control. And the mapping information associated with each of the second communication devices, and the spoke of the packet transmission destination from the first communication device being the spoke of the packet transmission source via the third communication device In the communication with the second communication device, the mapping information indicates that the third communication device can create a virtual tunnel between the first communication device and the second communication device. If it detects based on, it will instruct | indicate the production | generation of the said virtual tunnel with respect to the said 1st communication apparatus, The said 1st communication apparatus which received the instruction | indication of the production | generation of the said virtual tunnel from the said 3rd communication apparatus Transmits the NHRP resolution request packet used in the DMVPN including the external address / port information of the first communication device in the extension field of the NHRP resolution request packet, and the NHRP resolution request packet is received from the first communication device The second communication device sends back the external address / port information of the second communication device in an extension field of the NHRP resolution response packet used in the DMVPN, and the first NHRP resolution response packet is received. The communication device generates the virtual tunnel with the second communication device based on the external address / port information of the second communication device included in the NHRP resolution response packet. Do.

  Furthermore, according to another aspect of the present invention, there is provided a VPN construction method, wherein the NAT is performed via a relay apparatus that performs Network Address Translation (NAT) address translation of packets transmitted and received between networks in different address spaces. The external address / port information is acquired from an address information providing apparatus having a function of returning external address / port information which is address information accessible from the address space outside the relay apparatus generated by address conversion. , Including the external address and port information in an extension field of a Next Hop Resolution Protocol (NHRP) registration packet used in a Dynamic Multipoint Virtual Private Network (DMVPN) and transmitting the information to the DMVPN hub, from the hub via the hub In the inter-spoke communication, a virtual tunnel is created with the other party spoke When notified that it can be configured, the external address / port information is included in the extension field of the NHRP resolution request packet used in the DMVPN and transmitted to the correspondent spoke, and the NHRP resolution request packet is received. The outside address / port information of the outside spoke is obtained from the extension field of the NHRP resolution response packet used by the DMVPN returned by the outside spoke, and based on the outside address / port information of the outside spoke acquired. And generating the virtual tunnel with the other party spoke.

  The present invention can dynamically generate virtual tunnels by notifying acquired global IP address / port information after NAT conversion between spokes in an environment where the spokes on the DMVPN are under a NAT device.

It is a block diagram showing composition of a communication system of a 1st embodiment of the present invention. It is a block diagram which shows the structure of the communication apparatus of the 1st Embodiment of this invention. It is a sequence diagram explaining the operation | movement between the apparatuses in the communication system of the 1st Embodiment of this invention. It is a flowchart explaining operation | movement of the communication apparatus of the 1st Embodiment of this invention. It is a block diagram which shows the structure of the communication system of the 2nd Embodiment of this invention. It is a sequence diagram explaining the operation | movement between the apparatuses in the communication system of the 2nd Embodiment of this invention. It is a block diagram which shows the structure of the communication apparatus of the 2nd Embodiment of this invention. It is a block diagram which shows the extended field of a NHRP protocol packet. FIG. 5 is a flow diagram illustrating the operation of the hub. FIG. 7 is a flow diagram illustrating the operation of the spokes. It is a sequence diagram which shows conversion control of the port number in IPsec packet transmission / reception of NAT traversal. It is a figure which shows the response | compatibility of the production | generation availability of the dynamic virtual tunnel by the combination of NAT type. FIG. 10 is a flowchart showing a control operation in accordance with the NAT type of the own apparatus side and the NAT type of the opposite apparatus side in the spoke. FIG. 7 is a flow diagram showing an operation of updating external address / port information in a spoke.

  An embodiment for carrying out the present invention will be described with reference to the drawings.

  Note that the embodiment is an example, and the disclosed apparatus, system, and method are not limited to the configurations of the following embodiments.

First Embodiment
The communication system of the first embodiment will be described.
FIG. 1 is a block diagram showing the configuration of the communication system of the first exemplary embodiment of the present invention. The communication system 1 according to the present embodiment has a network configuration in which a private network of a company or the like is connected via a wide area network 60 to configure a dynamic multipoint virtual private network (DMVPN).

  The first communication device 10 is a communication device that belongs to the first private network 61 and functions as a spoke of DMVPN. The second communication device 20 is a communication device belonging to the second private network 62 and functioning as a spoke of DMVPN. The third communication device 30 is a communication device that belongs to the third private network 63 and functions as a DMVPN hub. Although only the first communication device 10 and the second communication device 20 are shown as communication devices to be spokes in FIG. 1, this illustrates the minimum configuration, and the number of communication devices to be spokes is It is optional. The first private network 61, the second private network 62, and the third private network 63 are private networks belonging to the same company or the like. In particular, when it is not necessary to distinguish and describe each private network, it will be generically described as "private network".

  The first communication device 10 is installed under the first relay device 40 that performs NAT address conversion in the first private network 61. In addition, the second communication device 20 is installed under the second relay device 50 that performs NAT address conversion in the second private network 62. In addition, when it is not necessary to distinguish and explain each relay device, it is collectively described as a "relay device".

  NAT refers to the function of performing address conversion of packets transmitted and received between networks of different address spaces. That is, the NAT translates the address information used in the private network and the address information used in the wide area network held by the relay device. Also, NAT here means NAT in a broad sense, including NAPT (Network Address Port Translation) in a narrow sense. And an address port shall mean either an address only, an address and a port number.

  Also, “installed in the subordinate” means installed in the private network with the relay device as the boundary. Therefore, “outside” or “outside” means the wide area network side with the relay device as the boundary.

  Further, an address information providing device 70 is connected to the wide area network 60, and sends back external address and port information generated by NAT address conversion to the first communication device 10 and the second communication device 20. Has a function. Here, the external address / port information is address information capable of accessing the first communication device 10 and the second communication device 20 from the wide area network side which is the address space outside each relay device.

  Each of the first communication device 10 and the second communication device 20 acquires external address / port information from the address information providing device 70. Then, the external address / port information is included in the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used in the DMVPN and transmitted.

  The third communication device 30 transmits the external address / port information included in the NHRP registration packet received from each of the subordinate first communication device 10 and the second communication device 20 to the first communication device 10 and the second communication device 20. Are registered in the mapping information associated with each of the communication devices 20 of FIG. Here, "under" means a spoke to a hub in the configuration of DMVPN.

  The first communication device 10, which is a packet transmission source spoke, communicates with the second communication device 20, which is a transmission destination spoke, through a virtual tunnel via the third communication device 30.

  The third communication device 30 communicates with the first communication device 10 and the second communication device 20 in communication between the first communication device 10 and the second communication device 20 via the third communication device. And detect that a virtual tunnel can be created between on the basis of the mapping information. Then, the third communication device 30 instructs the first communication device 10 to generate a virtual tunnel.

  The first communication device 10 receiving the instruction to create a virtual tunnel from the third communication device 30 receives the external address / port information of the first communication device 10 in the extension field of the NHRP resolution request packet used in DMVPN. Include and send.

  The second communication device 20 that has received the NHRP resolution request packet from the first communication device 10 includes the external address / port information of the second communication device 20 in the extension field of the NHRP resolution response packet used in DMVPN. Send back.

  Then, the first communication device 10 having received the NHRP resolution response packet communicates with the second communication device 20 based on the external address / port information of the second communication device 20 included in the NHRP resolution response packet. Create a virtual tunnel on

  A communication apparatus of the first embodiment will be described.

  FIG. 2 is a block diagram showing the configuration of the communication apparatus of the first embodiment of the present invention.

  The communication apparatus 100 according to the first embodiment is configured to include an external address / port information acquisition unit 110, an address resolution unit 120, and a tunnel generation unit 130.

  The external address / port information acquisition unit 110 acquires external address / port information from the address information providing apparatus via a relay apparatus that performs NAT address conversion of packets transmitted and received between networks of different address spaces.

  The external address / port information is address information that can be accessed from the wide area network side which is an address space outside the relay device generated by NAT address conversion. The address information providing apparatus is an apparatus having a function of returning the external address / port information to the communication apparatus 100.

  The address resolution means 120 includes the external address / port information in the extension field of the NHRP registration packet used in DMVPN and transmits it to the DMVPN hub.

  When the address resolution means 120 is notified by the hub that it can create a virtual tunnel with the other party spoke in the inter-spoke communication via the hub, the other side of the NHRP resolution request packet used in DMVPN is Send to destination spokes. The extension field of the NHRP resolution request packet contains external address / port information.

  In addition, the address resolution means 120 acquires the external address / port information of the destination spoke from the extension field of the NHRP resolution response packet used in the DMVPN returned by the destination spoke that received the NHRP resolution request packet.

  The tunnel generation unit 130 generates a virtual tunnel with the opposite spoke based on the foreign address / port information of the opposite spoke acquired by the address resolution unit 120.

  Next, the VPN construction method of the first embodiment will be described with reference to FIGS. 3 and 4.

  FIG. 3 is a sequence diagram for explaining the operation between the devices in the communication system 1 of the first embodiment shown in FIG.

  FIG. 4 is a flow chart showing the operation of the communication apparatus 100 of the first embodiment shown in FIG.

  By the communication system 1 and the communication apparatus 100 operating, the VPN construction method of the first embodiment is implemented.

  First, the operation between devices in the communication system 1 will be described with reference to FIG.

Each of the first communication device 10 and the second communication device 20 functioning as spokes constituting the DMVPN acquires external address / port information from the address information providing device 70 (S101, S102)
The first communication device 10 and the second communication device 20 are subordinate to the first relay device 40 and the second relay device 50 that perform NAT address conversion of packets transmitted and received between networks of different address spaces. Will be installed. The address information providing device 70 has a function of returning the external address / port information generated by NAT address conversion to the first communication device 10 and the second communication device 20. The external address and port information may be accessed from the wide area network side which is the address space outside the first relay device 40 and the second relay device 50 to the first communication device 10 and the second communication device 20, respectively. It is possible address information.

  Each of the first communication device 10 and the second communication device 20 that has acquired the external address / port information includes the external address / port information in the extension field of the NHRP registration packet used in DMVPN and transmits (S103, S104).

  This NHRP registration packet is received by the third communication device 30 functioning as a hub configuring the DMVPN. Then, the third communication device 30 transmits the external address / port information included in the NHRP registration packet received from each of the first communication device 10 and the second communication device 20 to the first communication device 10 and the second communication device 10. It registers in the mapping information matched with each of the communication apparatus 20 (S105).

  Communication is performed from the first communication device 10 that is the spoke of the packet transmission source via the third communication device 30 to the second communication device 20 that is the spoke of the packet transmission destination. In this communication, the third communication device 30 detects that a virtual tunnel can be created between the first communication device 10 and the second communication device 20. The third communication device 30 performs this detection based on the mapping information (S106).

  The generation of a virtual tunnel is instructed to the first communication device 10 (S107).

  The first communication device 10, which has received a virtual tunnel creation instruction from the third communication device 30, uses the external address / port information of the first communication device 10 in the extension field of the NHRP resolution request packet used in DMVPN. It includes and transmits (S108).

  The second communication device 20 that receives this NHRP resolution request packet from the first communication device 10 includes the external address / port information of the second communication device 20 in the extension field of the NHRP resolution response packet used in DMVPN. And reply (S109).

  The first communication device 10 having received the NHRP resolution response packet is virtually connected to the second communication device 20 based on the external address / port information of the second communication device 20 included in the NHRP resolution response packet. A tunnel is generated (S110).

  The subsequent communication between the first communication device 10 and the second communication device 20 is performed by the dynamically generated virtual tunnel without passing through the third communication device 30 which is a hub.

  Next, the operation of the communication apparatus 100 will be described with reference to FIG.

  The external address / port information is acquired from the address information providing apparatus via the relay apparatus that performs NAT address conversion of packets transmitted / received between networks of different address spaces (S201).

  The external address / port information is address information that can be accessed from the wide area network side which is an address space outside the relay device generated by NAT address conversion. The address information providing apparatus is an apparatus having a function of returning the external address / port information to the communication apparatus 100.

  The NHRP registration is performed in which the external address / port information is included in the extension field of the NHRP registration packet used in the DMVPN and transmitted to the DMVPN hub (S202).

  Inter-spoke communication via the hub is performed (S203).

  In the inter-spoke communication via the hub, the hub is notified by the hub that the virtual tunnel can be created with the other-party spoke (S204).

  The external address / port information is included in the extension field of the NHRP resolution request packet used in the DMVPN and transmitted to the other party spoke (S205).

  In response to the NHRP resolution request packet, the NHRP resolution request packet returned by the other party spoke is received, and the external address / port information of the other party spoke is acquired from the extension field of the NHRP resolution response packet (S206).

  Based on the acquired foreign address / port information of the partner spoke, a virtual tunnel is created between the partner spoke and the partner spoke (S207).

  As described above, in this embodiment, the relay address apparatus acquires external address / port information that has been translated by the relay apparatus from the address information providing apparatus. Then, it can be included in the extension field of the NHRP protocol packet and notified between the spokes.

  Therefore, in an environment in which the spokes on the DMVPN are under a NAT device, it is possible to notify the acquired global IP address / port after NAT conversion between the spokes to dynamically create a virtual tunnel.

Second Embodiment
Next, a second embodiment of the present invention will be described.

(Configuration of Communication System of Second Embodiment)
FIG. 5 is a block diagram showing the configuration of the communication system of the second exemplary embodiment of the present invention.

  In the communication system 2 according to the present embodiment, the first VPN device 11 or the second VPN device 21 serving as the spokes of each site and the third VPN device 31 serving as the hub of the head office are connected by virtual tunnels via the Internet 65 It has become a form to build DMVPN. Then, the spokes of the first VPN device 11 and the second VPN device 21 create dynamic virtual tunnels only when necessary. Here, only the first VPN device 11 and the second VPN device 21 are illustrated as the minimum configuration, but the number of VPN devices serving as bases and spokes installed there is arbitrary. In addition, the virtual tunnel is routed by multipoint GRE, encryption of transfer data is performed by IPsec, and security of communication is secured.

  The first VPN apparatus 11 connects the first LAN 12 that is the LAN of the base to the LAN side interface, and connects the first gateway 41 that performs NAT address conversion to the WAN (Wide Area Network) side interface. . That is, the first VPN device 11 is installed under the first gateway 41, and makes the first LAN 12 subordinate. In the path information of the first VPN device 11, the first gateway 41 is set as a default gateway, and the private IP address of the first gateway 41 is set.

  Further, the second VPN apparatus 21 connects the second LAN 22 which is the LAN of the base to the LAN side interface, and connects the second gateway 51 which performs NAT address conversion to the WAN side interface. That is, the second VPN device 21 is installed under the second gateway 51, and makes the second LAN 22 subordinate. In the path information of the second VPN device 21, the second gateway 51 is set as a default gateway, and the private IP address of the second gateway 51 is set.

  The first gateway 41 and the second gateway 51 convert the address information used in the subordinate private network and the address information used in the Internet 65 held by each gateway. In this embodiment, the address information used in the private network is a private IP address port, and the address information used in the Internet 65 is a global IP address port.

  In the following description, "NAT address translation" is simply referred to as "NAT" or "NAT translation". Also, a gateway having a NAT function is also referred to as a "NAT device".

  A STUN server 71 is installed on the Internet 65. The STUN server 71 returns external address / port information generated by NAT implemented by corresponding gateways to the first VPN device 11 and the second VPN device 21 serving as STUN clients according to the STUN protocol. Has a function.

  Here, the external address / port information is address information capable of accessing the first VPN apparatus 11 and the second VPN apparatus 21 from the Internet 65, and means a global IP address / port.

  Also, the external address / port information includes the NAT type classified according to the address / port conversion mapping method implemented by each gateway. That is, there are four types of full cone NAT, address restricted cone NAT, port restricted cone NAT, and symmetric NAT according to the restriction of the terminal on the Internet side which can access the port assigned by NAT.

  The above configuration corresponds to the communication device 1 of the first embodiment shown in FIG. 1 as follows.

  The first VPN device 11, the second VPN device 21, and the third VPN device 31 correspond to the first communication device 10, the second communication device 20, and the third communication device 30, respectively.

  The first gateway 41 and the second gateway 51 correspond to the first relay device 40 and the second relay device 50, respectively.

  The Internet 61 corresponds to the wide area network 60, and the STUN server 71 corresponds to the address information providing device 70.

  Further, as in the first embodiment, in this embodiment also, NAT refers to the function of performing address conversion of packets transmitted and received between networks in different address spaces, and NAT in a broad sense including NAPT in a narrow sense. means. And an address port shall mean either an address only, an address and a port number.

  When the communication system 2 physically configured as described above is viewed from the viewpoint of a virtual network, the route information of DMVPN is distributed by a dynamic routing protocol such as BGP (Border Gateway Protocol), etc. It is set to.

  The first VPN device 11 and the second VPN device 21 serving as spokes on the virtual network constructed by DMVPN and the third VPN device 31 serving as a hub are referred to as stations, and each station has a tunnel IP address. ing. A tunnel IP address is an IP address on a virtual network assigned to a tunnel interface, and is used when transmitting and receiving a packet between stations on the DMVPN.

  In the first VPN device 11, the tunnel IP address of the third VPN device 31 which is a hub is set as the next hop to the second LAN 22 subordinate to the second VPN device 21 which is the other party spoke. Similarly, in the second VPN device 21, the tunnel IP address of the third VPN device 31 as the hub is set as the next hop to the first LAN 12 subordinate to the first VPN device 11 as the other party spoke. ing.

  Further, in the third VPN device 31 which is a hub, the tunnel IP address of the first VPN device 11 is set as the next hop to the first LAN 12 subordinate to the first VPN device 11. Similarly, in the third VPN device 31 which is a hub, the tunnel IP address of the second VPN device 21 is set as the next hop to the second LAN 22 subordinate to the second VPN device 21.

  Also, as an IP address assigned to the physical interface of each station, there are a private IP address and a global IP address. For example, since the first VPN device 11 and the second VPN device 21 belong to a private network, a private IP address is assigned. The third VPN device 31 is disposed on the Internet and has a global IP address.

  When a terminal belonging to the first LAN 12 transmits a data packet to a terminal belonging to the second LAN 22, the packet is routed by the tunnel IP address set as described above and passes through the tunnel constructed with DMVPN. That is, the data packet having the IP header of the tunnel IP address is GRE-encapsulated, and the IP header of the IP address of the physical interface is added and transferred in the Internet 65. Then, in the tunnel between stations, the transferred packet is encrypted by IPsec.

(Operation between devices in the communication system of the second embodiment)
FIG. 6 is a sequence diagram for explaining the operation between the devices in the communication system 2 of the second embodiment shown in FIG.

  Before starting communication between a terminal belonging to the first LAN 12 and a terminal belonging to the second LAN 22 in order to make the DMVPN function, the first VPN device 11 and the second VPN device that are spokes to the hub The registration of the NHRP protocol according to 21 is performed in advance.

  First, each of the first VPN device 11 and the second VPN device 21 acquires information necessary for registration of the NHRP protocol.

  Each of the first VPN device 11 and the second VPN device 21 makes an inquiry to the STUN server 71 deployed on the Internet 65, and acquires its global IP address / port and NAT type after NAT conversion ( S301, S302).

  The operation at this time will be described by taking the first VPN device 11 as an example.

  The first VPN apparatus 11 transmits a STUN request whose destination is the global IP address port of the STUN server 71 with the private IP address / port of its own as the transmission source address. When this STUN request exits the Internet 65 via the first gateway 41, NAT conversion is performed. That is, the source address of the STUN request is rewritten from the private IP address / port of the first VPN device 11 to the global IP address / port assigned by NAT translation, and the entry is generated.

  The STUN server 71 that has received the STUN request transmits a STUN response including the global IP address and port of the transmission source address of the STUN request, with the global IP address and port as the destination.

  This STUN response reaches the first gateway 41 which is the destination global IP address port. In the first gateway 41, NAT conversion in the reverse direction is performed based on the entry generated when the above STUN request passes. That is, the destination of the STUN response is rewritten from the global IP address port to the private IP address port of the first VPN device 11 based on the entry, and is received by the first VPN device 11.

  In this way, the first VPN apparatus 11 acquires a global IP address / port that is NAT-converted when leaving the Internet 65 using the STUN protocol. Also, the NAT type of the first gateway 41 is specified. The first VPN device 11 stores the acquired global IP address / port and NAT type as global IP address / port information in the device itself.

  The second VPN device 21 also acquires the global IP address / port and NAT type to be NAT-converted by the second gateway 51 by the same operation as described above, and stores the same in its own device.

  The above-described acquisition of the NAT-translated global IP address / port by the STUN protocol is performed periodically. And if there is a change in the global IP address / port, it is kept up-to-date. A process for keeping the global IP address / port in the latest state will be described later.

  Each of the first VPN apparatus 11 and the second VPN apparatus 21 that acquired the NAT-converted global IP address / port and NAT type from the STUN server 71 perform NHRP registration with the third VPN apparatus 31 that is a hub. (S303, S304).

  Each of the first VPN device 11 and the second VPN device 21 transmits an NHRP registration request to the third VPN device 31. A later-described NAPT extension is added to the extension part of the NHRP registration request, and the global IP address / port and NAT type acquired from the STUN server 71 are stored.

  The third VPN device 31 that has received the NHRP registration request extracts the global IP address / port type and NAT type of the first VPN device 11 and the second VPN device 21 included in the NAPT extension of the NHRP registration request. Then, the third VPN device 31 registers mapping information in which the tunnel IP address on the virtual network of each spoke, which is the source address of the NHRP registration request, is associated with the global IP address / port and the NAT type S305).

  The third VPN device 31 that has completed NHRP registration returns an NHRP registration response to the first VPN device 11 and the second VPN device 21. At this time, the destination physical IP address of the NHRP registration response and the destination UDP port number used in the NAT traversal of IPsec use the acquired information of the NAPT extension.

  Once NHRP registration is complete, DMVPN is available.

  Communication between hubs and spokes is performed between a terminal belonging to the first LAN 12 and a terminal belonging to the second LAN 22 (S306).

  When a terminal belonging to the first LAN 12 transmits a data packet addressed to a terminal belonging to the second LAN 22, this data packet is transferred to the first VPN device 11 which is a spoke.

  The first VPN device 11 transfers the data packet addressed to the terminal belonging to the second LAN 22 subordinate to the second VPN device 21 to the third VPN device 31 as a hub according to the route information.

  The third VPN device 31 transfers to the second VPN device 21 a data packet addressed to a terminal belonging to the second LAN 22 subordinate to the second VPN device 21.

  The second VPN apparatus 21 transfers the data packet to the terminal belonging to the second LAN 22 because the destination of the data packet is addressed to the terminal belonging to the second LAN 22 subordinate to the second VPN apparatus 21. Data packets are received at the terminal.

  In the above operation, when the third VPN device 31 as a hub transfers a data packet, it is determined whether inter-spoke communication is possible between the first VPN device 11 and the second VPN device 21. (S307).

  This determination is performed based on the NAT type corresponding to both spokes of the mapping information registered in the third VPN device 31. Details will be described later.

  If it is determined that inter-spoke communication is possible between the first VPN device 11 and the second VPN device 21, the third VPN device 31 NHRPs the first VPN device 11 of the data packet transmission source. A traffic notification is sent to instruct the implementation of address resolution (S308).

  The first VPN device 11 that receives the NHRP traffic notification starts NHRP resolution.

  The first VPN apparatus 11 transmits an NHRP resolution request to the private IP address / port of the terminal belonging to the second LAN 22 (S309).

  At that time, the NAPT extension of the first VPN device 11 is added to the extension part of the NHRP resolution request. The global IP address / port and NAT type that the first VPN device 11 has acquired from the STUN server 71 are stored in the NAPT extension.

  The NHRP resolution request is received by the second VPN device 21 via the third VPN device 31 in the same manner as the data packet addressed to the terminal belonging to the second LAN 22 from the terminal belonging to the first LAN 12.

  The second VPN device 21 that has received the NHRP resolution request transmits an NHRP resolution response to the first VPN device 11 (S310).

  To the NHRP resolution response extension, the NAPT extension of the second VPN device 21 is added. The global IP address / port and NAT type that the second VPN device 21 has acquired from the STUN server 71 are stored in the NAPT extension.

  The NHRP resolution response arrives at the first VPN device 11 via the third VPN device 31 according to the route information, and is received by the first VPN device 11.

  In addition to the IP address information (IP address on the physical network and IP address on the virtual network) of the second VPN device 21 as source address information of the NHRP resolution response, the first VPN device 11 is information on the NAPT extension. To get

  The first VPN device 11 that has acquired the global IP address / port of the second VPN device 21 serving as the other-party spoke uses that information to create a dynamic virtual tunnel with the second VPN device 21. To do (S311).

  At this time, the first VPN device 11 adds path information of the virtual network. That is, the next hop to the second LAN 22 under the second VPN device 21 is a tunnel IP address on the virtual network of the second VPN device 21.

  The above operations complete the NHRP resolution.

  After the inter-spoke tunnel of the first VPN device 11 and the second VPN device 21 is generated, routing is performed based on the route information of the second LAN 22 subordinate to the second VPN device 21 generated by the first VPN device 11 Be done. Therefore, the data packet from the terminal of the first LAN 12 to the terminal of the second LAN 22 is directly transferred from the first VPN device 11 to the second VPN device 21.

  This route information is present only while the information of the second VPN device 21 is alive. In the NHRP protocol, the other party spoke information is provided with survival time so as to delete the dynamically created virtual tunnel when not in use.

(Communication Device of Second Embodiment)
Subsequently, a communication apparatus according to the second embodiment will be described with reference to FIG.

  FIG. 7 is a block diagram showing the configuration of the communication apparatus of the second exemplary embodiment of the present invention.

  This communication device 200 shows the configuration of the first VPN device 11 and the second VPN device 21 which are spokes shown in FIG.

  The communication device 200 includes a LAN interface unit 230, a WAN interface unit 240, a communication control unit 210, and an external address / port information storage unit 220.

  The LAN interface unit 230 is a functional unit that connects a LAN subordinate to the communication device 200 and transmits and receives packets to and from terminals belonging to the LAN.

  The WAN interface unit 240 is a functional unit that transmits and receives packets to and from the Internet, and is connected to a gateway having a NAT function.

  The communication control unit 210 has a function of relaying a packet between the LAN interface unit 230 and the WAN interface unit 240, and is a functional unit that controls the VPN construction of this embodiment.

  The external address / port information storage unit 220 stores the global IP address / port and NAT type to be NAT translated by the gateway to which the present communication device is obtained, which is obtained from the STUN server 71. Also, it stores the global IP address / port and NAT type of the communication device to be the other-end spoke acquired by the NHRP resolution response.

  The communication control unit 210 is configured to include an external address / port information acquisition unit 211, an address resolution unit 212, and a tunnel generation unit 213 as a function of controlling the VPN construction of this embodiment.

  The external address / port information acquisition unit 211 includes the STUN application 2111 and performs global IP address / port and NAT type acquisition by accessing the STUN server 71. The acquired information is registered in the external address / port information storage unit 220 and notified to the address resolution unit 212.

  Also, as described later, the external address / port information acquisition unit 211 periodically accesses the STUN server 71 to update and notify the acquired information. Furthermore, conversion processing of the destination UDP port number used in NAT traversal of IPsec is performed. This will also be described later.

  The address resolution unit 212 has a control function of NHRP protocol, and controls NHRP registration, NHRP registration response, NHRP traffic notification, NHRP resolution request, and NHRP resolution response.

  When receiving the notification of acquisition of the global IP address / port and NAT type from the external address / port information acquisition unit 211, the address resolution unit 212 adds the information as a NAPT extension to the NHRP registration extension and notifies the hub .

  The address resolution unit 212, upon receiving an NHRP traffic notification from the hub at the time of inter-spoke communication via a hub, adds information on the global IP address / port and NAT type as an NAPT extension to the extension of the NHRP resolution request to complete NHRP resolution. Plan.

  The address resolution unit 212 acquires global IP address / port and NAT type information contained as a NAPT extension in the expansion unit of the NHRP resolution response, and registers it as information of the other party spoke in the external address / port information storage unit.

  The tunnel generation unit 213 performs control on generation of a dynamic virtual tunnel. Also, the tunnel generation unit 213 includes a tunnel generation control unit 2131 that performs control to be described later according to the NAT type when generating a virtual tunnel.

  The above configuration is the configuration according to the present embodiment, and the illustration and description of the configuration regarding other functions (route information control, BGP, multipoint GRE, IPsec, etc.) for functioning as a spoke of DMVPN are omitted. .

  The communication device 200 has been described as showing the configuration of the first VPN device 11 and the second VPN device 21 which are spokes. On the other hand, as can be understood from the above description, the third VPN device 31 serving as a hub shown in FIG. 5 performs control related to NHRP registration and NHRP traffic notification in the present embodiment. And as a structure required for that, there exists a production | generation of the mapping information based on the information acquired by NHRP registration, and the dynamic virtual tunnel production | generation possibility determination function performed based on it. The “mapping information” and the “tunnel generation determination” of the third VPN device 31 illustrated in FIG. 5 correspond to those functions, and the detailed configuration as an individual communication device is omitted.

(Field configuration of NAPT extension)
Here, the NAPT extension added to the extension part of the NHRP protocol packet used in the present embodiment will be described.

  FIG. 8 is a block diagram showing an extension field of an NHRP protocol packet.

  In the NHRP protocol, packets of the NHRP message are composed of mandatory and extended parts. The extension allows the protocol to add something that you define yourself. In this embodiment, as shown in FIG. 8 as the NAPT extension in the extension unit, the global IP address of the transmission source spoke that transmits the message, the global port number, and the NAT type of the NAT device to which the transmission source spoke is connected The indicated value is added.

  As described above, in the present embodiment, information on each other's NAPT extensions is exchanged via the hub between the spokes installed under the NAT device through the NHRP address resolution. Therefore, the spoke that has sent the NHRP resolution request can know the global IP address, global port number, and NAT type of the correspondent spoke. Furthermore, since each spoke notifies the hub of its NAPT extension information in NHRP registration, the hub holds each spoke's global IP address, global port number, and NAT type in addition to the normal NHRP registration information. be able to.

(Operation of communication device)
Next, with reference to FIGS. 9 and 10, operations of the communication device as the hub and the communication device as the spoke will be described.

  FIG. 9 is a flow chart showing the operation of the hub.

  (1) of FIG. 9 shows the operation at the time of NHRP registration.

  The hub receives an NHRP registration request from each subordinate spoke (S401).

  Then, the hub acquires the global IP address, global port number, and NAT type of each spoke from the NAPT extension added to the received NHRP registration request packet extension, and registers it in the mapping information associated with each spoke. (S402).

  The NHRP registered hub sends an NHRP registration response back to the spoke (S403).

  Further, (2) in FIG. 9 shows the operation of determining whether or not the inter-spoke tunnel can be generated during inter-spoke communication.

  The hub is aware of the occurrence of inter-spoke inter-spoke communication from the source spoke of the packet to the destination spoke (S411).

  The hub identifies the NAT type of the NAT device to which each spoke of the source spoke and the destination spoke is connected based on the mapping information generated by the above-mentioned NHRP registration (S 412). Then, it is determined based on the combination of those NAT types whether creation of a dynamic virtual tunnel is possible (S413).

  The details of the possibility of dynamic virtual tunnel creation based on the combination of NAT types will be described later with reference to FIG. 12. However, if the NAT type corresponding to both the source and destination spokes is symmetric NAT, the dynamic is It determines that a virtual tunnel can not be created. Also, it is determined that a dynamic virtual tunnel can not be created even if the NAT type corresponding to one of the source and destination spokes is symmetric NAT and the other is port restricted cone NAT.

  If it is determined that creation of a dynamic virtual tunnel is possible (S413, Yes), the hub sends an NHRP traffic notification to the spoke of the transmission source, and instructs creation of a virtual tunnel between the spokes (S414). The NHRP traffic notification stores the IP address of the terminal on the private network that is subordinate to the destination spoke. Then, inter-spoke communication via hub is performed (S415). In this case, hub-to-spoke communication continues until the source spoke that receives the NHRP traffic notification creates a dynamic virtual tunnel with the destination spoke.

  Also, when it is determined that creation of a dynamic virtual tunnel is not possible (S413: not possible), the hub performs inter-spoke inter-hub communication without transmitting an NHRP traffic notification (S415).

  FIG. 10 is a flow chart showing the operation of the spokes.

  (1) of FIG. 10 shows an operation of acquiring external address / port information.

  The spoke of this embodiment acquires external address and port information from the STUN server deployed on the Internet (S501). The external address / port information is a global IP address / port and NAT type, which is source address information after NAT conversion attached to a packet transmitted from the spoke to the Internet. This operation is as described in step S301 and step S302 with reference to FIG.

  The spoke that has acquired the external address / port information transmits an NHRP registration request to the hub (S502). At this time, the NAPT extension is added to the extension of the NHRP registration request packet. The NAPT extension is information including the global IP address acquired by the spoke, the global port number, and the NAT type, as described with reference to FIG. At this time, the acquired external address / port information is also registered in the external address / port information storage unit 220 shown in FIG.

  As described with reference to FIG. 9 (1), the NHRP registration request sent by the spoke is received at the hub. Then, mapping information is registered at the hub, and an NHRP registration response is returned. The spoke receives this NHRP registration response and knows the completion of the NHRP registration (S 503).

  Further, (2) of FIG. 10 shows an operation of generating an inter-spoke tunnel.

  First, the spokes request inter-spoke communication via hub (S511).

  This operation is as described in step S306 with reference to FIG. That is, the data packet received by the spoke from the terminal in the subordinate private network is forwarded to the correspondent spoke via the hub according to the predetermined route information.

  In this operation, the hub determines the possibility of direct communication between the spokes as described in step S413 in FIG. 9 (2), and the hub determined that the inter-spoke communication is possible is NHRP for the source spoke. Send traffic notifications. The spoke receives this NHRP traffic notification (S512).

  The spoke that receives the NHRP traffic notification initiates address resolution to create a virtual tunnel with the opposite spoke.

  The spoke transmits an NHRP resolution request to the terminal of the private network under the other party spoke as a destination based on the address information included in the NHRP traffic notification (S513).

  At this time, the NAPT extension of the spoke is added to the extension of the NHRP resolution request packet. The NAPT extension includes the global IP address acquired by the spoke, the global port number, and the NAT type.

  This NHRP resolution request is received at the other party spoke via the hub, and an NHRP resolution response is sent from the other party spoke.

  The extension of the packet of the NHRP resolution response is added with the NAPT extension of the opposite spoke. This NAPT extension includes the global IP address acquired by the correspondent spoke, the global port number, and the NAT type.

  The spoke receives this NHRP resolution response (S514).

  The spoke acquires the information of the NAPT extension including the global IP address acquired by the correspondent spoke, the global port number, and the NAT type in addition to the IP address information of the correspondent spoke as source address information of the NHRP resolution response. The acquired external address / port information of the destination spoke is also registered in the external address / port information storage unit 220 shown in FIG.

  The spoke creates a dynamic virtual tunnel with the correspondent spoke based on the acquired correspondent spoke global IP address / port (S515).

  At this time, the spoke adds the route information of the virtual network, and the next hop to the private network subordinate to the other party spoke is the tunnel IP address on the other party spoke's virtual network.

  Hereinafter, characteristic functions of the communication apparatus according to the present embodiment will be described with reference to FIGS.

  The following four functions will be sequentially described as this characteristic function.

  Conversion control of port number in sending and receiving of NAT traversal IPsec packet, possibility of creation of dynamic virtual tunnel by combination of NAT type, control operation according to NAT type of own device / other device, and update of external address / port information Operation.

(Translation control of port number in sending and receiving NAT traversal IPsec packet)
FIG. 11 is a sequence diagram showing conversion control of port numbers in transmission and reception of IPsec packets in NAT traversal.

  This function is executed by the STUN application 2111 of the external address / port information acquisition unit 211 described with reference to FIG.

  NAT traversal is a technology for passing packets encrypted by IPsec through NAT. In the packet encrypted by IPsec, the data of the portion encapsulated in the ESP (Encapsulating Security Payload) header is encrypted, so NAT can not read the port number from the packet encrypted by IPsec. Therefore, as NAT traversal, the packet encapsulated in the ESP header is encapsulated with a UDP dummy header, and a packet added with an IP header for transfer is generated and transferred. The port number 4500 is used for the IPsec packet that uses this NAT traversal.

  As described above, since port numbers of IPsec packets using NAT traversal are defined, port number conversion processing is required when acquiring external address / port information by the STUN protocol.

  What is desired to be acquired by the STUN protocol is the global IP address and global port number of the entry of the NAT device, which is used when an IPsec packet using NAT traversal passes through the NAT device.

  When using NAT traversal, the source port number is 4500.

  In order to obtain the global IP address and port number used in DMVPN, the STUN application 2111 needs to inquire the STUN server with the source port number 4500. However, port 4500 is not defined for NAT traversal and can not be used with the STUN protocol.

  Therefore, the STUN application 2111 makes an inquiry to the STUN server using an arbitrary port number for which the application is not defined as a dummy port number.

  This function will be described with reference to FIG.

  The STUN application 2111 sets the dummy port number as the transmission source port number (S601), and transmits a STUN request message to the STUN server (S602).

  At this time, in the gateway (NAT apparatus), the private IP address of the spoke, which is the source address of the message, and the dummy port number are NAT translated into a global IP address and a global port number. That is, an entry is created that associates the spoke's private IP address and dummy port number with the NAT-translated global IP address and global port number (S603).

  The STUN server sends a STUN response message including the NAT-converted global IP address and global port number as the destination, the NAT-converted global IP address and global port number. This STUN response message is received at the gateway. The gateway converts the destination into the spoke's private IP address and dummy port number based on the entry generated when the STUN request message passes, and transfers the STUN response message (S604).

  This STUN response message is received by the STUN application 2111 of the spoke.

  Further, in the case of transmitting and receiving an NAT traversal IPsec packet, the following processing is performed.

  When the spoke transmits an NAT traversal IPsec packet, the transmission packet is passed to the STUN application 2111 once. Then, the STUN application 2111 converts the transmission source port number of the transmission packet into a dummy port number and then transmits it (S605, S606).

  When passing through the gateway, an IPsec packet of this NAT traversal is NAT-translated from the private IP address of the spoke and the dummy port number to the global IP address and the global port number.

  On the other hand, when the NAT traversal IPsec packet is received, the destination is NAT-translated to the spoke private IP address and dummy port number at the gateway (S 607). That is, the NAT traversal IPsec packet is temporarily received by the STUN application 2111.

  The STUN application 2111 confirms that the source IP address of the received NAT traversal IPsec packet is not that of the STUN server, converts the destination port number to 4500 and outputs it (S 608).

  An IPsec packet of NAT traversal in which the destination port number is set to 4500 is received (S609).

  As described above, the port number conversion process is performed on the NAT traversal IPsec packet.

(Whether or not a dynamic virtual tunnel can be created by combining NAT types)
When dynamically creating virtual tunnels between spokes, the combination of NAT types corresponding to the respective spokes may make it impossible to create tunnels or may be limited.

  FIG. 12 is a diagram showing the correspondence between the possibility of creation of a dynamic virtual tunnel and the combination of NAT types.

  In FIG. 12, whether or not to create a tunnel is indicated by a matrix corresponding to the NAT type corresponding to each of the source spoke and the opposite spoke.

  In the case where both the source spoke and the other party spoke are full cone NATs, "o" is displayed, and creation of a dynamic virtual tunnel is possible without limitation.

  If either the source spoke or the destination spoke is a full cone NAT, and the other spoke is an address restricted cone NAT or a port restricted cone NAT, it is necessary to carry out control to create a communication result with "△ 1". . This will be described later with reference to FIG.

  Even when the combination of the source spoke and the destination spoke NAT type is an address restricted cone NAT and a port restricted cone NAT, it is necessary to perform control for creating a communication result by the “Δ1” display.

  If the source spoke or the destination spoke is symmetric NAT, and the other spoke is full cone NAT or address restricted cone NAT, "△ 2" is displayed, and control for creating communication results and symmetric NAT side Control of global port number acquisition is required. This will also be described later with reference to FIG.

  If either the source spoke or the opposite spoke is a symmetric NAT, and the other spoke is a port restricted cone NAT or a symmetric NAT, it is not possible to create a dynamic virtual tunnel with an “x” indication.

  In symmetric NAT, when the destination outside the NAT is different, the NAT device generates an entry of global port numbers that differ by the number of destinations. Therefore, the spokes under the port restriction cone NAT device can not acquire the global port number on the symmetric NAT side, and can not create communication results to the global IP address and port number of the symmetric NAT device.

  As described above, the hub recognizes which NAT type of NAT device the subordinate spoke is behind with the NAPT extension added to the NHRP registration request notified from each spoke in NHRP registration. Then, when forwarding the data packet from spoke to spoke, the hub refers to the NAT type corresponding to each spoke to determine whether it is a combination of NAT types that can be generated by the dynamic virtual tunnel. Thus, the hub does not send NHRP traffic notification if it is a combination of NAT types that can not create dynamic virtual tunnels.

  Also, in each spoke, the NAT type corresponding to the other-end spoke is acquired through NHRP resolution.

(Control operation according to the NAT type of the own device side / the other party device side)
As described with reference to FIG. 12, it is necessary to perform control for creating communication results and control for acquiring the global port number on the symmetric NAT side according to the combination of the NAT type on the source spoke side and the other party spoke side. It becomes.

  FIG. 13 is a flow chart showing a control operation according to the NAT type of the own apparatus side and the NAT type of the opposite apparatus side in the spoke. This control is executed by the tunnel generation control unit 2131 of the communication device 200 shown in FIG. The tunnel generation control unit 2131 refers to the external address and port information of the own device registered in the external address and port information storage unit 220 and the external address and port information of the opposite device acquired through NHRP resolution. The external address / port information includes the NAT type.

  FIG. 13A is a control for creating communication results, and is an operation flow in the case of “Δ1” display in FIG.

  First, the NAT type on the self apparatus side is identified (S701).

  It is determined whether or not the NAT type on the local apparatus side is full cone NAT (S702).

  When the NAT type on the local apparatus side is full cone NAT (S702, Yes), it is not necessary to perform special preparation to create a dynamic virtual tunnel between spokes.

  When the NAT type on the own device side is not full cone NAT (S702, No), before creating a dynamic virtual tunnel between spokes, control is performed to create a communication record for the NAT device to which the own device is connected . The case of not being full cone NAT is the case where the NAT type is any of address restricted cone NAT, port restricted cone NAT, and symmetric NAT.

  In the case of a NAT type other than full cone NAT, the NAT device only allows packets from the other device with a communication history to pass inside the NAT device. “There is a communication record” means that the destination of the global IP address / port that has transmitted a packet on the Internet beyond the NAT device remains as an entry.

  Therefore, a dummy UDP packet is transmitted to create the communication result (S703).

  The dummy UDP packet is a UDP packet without a payload in which the global IP address / port of the other device acquired by NHRP resolution is set as the destination.

  That is, after the transmitting spoke that has transmitted the NHRP resolution request receives the NHRP resolution response, it transmits this dummy UDP packet when the NAT type on the side of the own apparatus is other than full cone NAT. Also, after receiving the NHRP resolution request, the receiving spoke that has received the NHRP resolution request transmits this dummy UDP packet when the NAT type of the own apparatus side is other than full cone NAT.

  This dummy UDP packet is transmitted a plurality of times until a similar dummy UDP packet from the opposite device is received. When the spoke under the NAT device of the full cone NAT receives this dummy UDP packet, the same dummy UDP packet is sent to the other party spoke in order to notify that the dummy UDP packet has been received.

  As described above, the NAT apparatus to which both spokes are connected has a record of communication with the other spoke.

  After the dummy UDP packet is received from the correspondent spoke, communication for dynamic virtual tunnel creation is performed between the spokes.

  Next, control in the case where the NAT type on the opposite device side is symmetric NAT will be described.

  FIG. 13 (2) is control of acquisition of the global port number of the partner apparatus, and is an operation flow related to “acquisition of global port number on symmetric NAT side” of “Δ2” display in FIG.

  First, the NAT type on the opposite device side is identified (S711). Note that the NAT type on the partner device side is obtained through NHRP resolution.

  It is determined whether or not the NAT type on the opposite device side is symmetric NAT (S 712).

  If the NAT type on the partner device side is not symmetric NAT (S712, No), the NAT type on the host device side is any of full cone NAT, address restricted cone NAT, port restricted near NAT, and symmetric NAT. Then, the control described in FIG. 13 (1) is performed.

  Furthermore, in this case, the external address port obtained through the NHRP resolution is used as the external address port of the other party (S714). That is, the transmitting spoke that sent the NHRP resolution request uses the external address port included in the received NHRP resolution response, and the receiving spoke that received the NHRP resolution request receives the external address port included in the received NHRP resolution request. Use

  On the other hand, when the NAT type on the opposite device side is symmetric NAT (S712, Yes), the following processing is performed.

  In this case, if the NAT type on the local apparatus side is symmetric NAT or port restricted cone NAT, NHRP traffic notification from the hub is not received, and this control is not performed. That is, this case is applicable only when the NAT type of the local apparatus is full cone NAT or address restricted cone NAT.

  The information of the NAPT extension added to the packet of the NHRP message transmitted by the spoke is global IP address / port information acquired by communicating with the STUN server, even if it is a spoke under the NAT device of symmetric NAT. However, the spoke (for example, spoke B) to which the spoke under the NAT device of symmetric NAT (for example, spoke A) (for example, spoke B) has a global IP address used when the spoke A communicates with spoke B. You need to use a port.

  That is, when the NAT type on the opposite side is symmetric NAT, the external address / port information acquired through NHRP resolution can not be used.

  As described in FIG. 13 (1), even if the NAT type on the apparatus side is symmetric NAT, the above-described dummy UDP packet is transmitted. Therefore, in FIG. 13B, in the case of “Yes” in step S 712, the transmission source address of the dummy UDP packet transmitted by the other device under control of the NAT device of symmetric NAT may be used. That is, the transmission source address of this dummy UDP packet is set to a global IP address / port having a communication result NAT-translated by the NAT device of symmetric NAT.

  Therefore, in step S713, processing is performed using the transmission source address / port information of the dummy UDP packet received from the other device as the other party's external address / port information.

  The NAT type on the side of the own apparatus is the address restriction cone NAT, and when transmitting the above-described dummy UDP packet, the following processing is performed. First, an external address / port acquired through NHRP resolution is set as a destination of a dummy UDP packet to be transmitted by the own apparatus until a dummy UDP packet is received from a partner apparatus side under a NAT apparatus of symmetric NAT. Then, when the dummy UDP packet transmitted by the other device is received, the destination of the dummy UDP packet transmitted by the own device is changed to the port number set as the transmission source address of the received dummy UDP packet and transmitted.

(Operation to update external address / port information)
Since the NAT translation rule entry generated by the NAT device is not unique, it has a function of detecting a NAT device entry change.

  That is, in the tunnel between the spokes and the hub or in the tunnel between the spokes, it is necessary to keep the information on the global IP address / port of the NAT device to which the spokes are connected always up-to-date.

  FIG. 14 is a flow chart showing the operation of updating external address / port information in the spoke.

  This operation is an operation performed by the communication control unit 210 of the communication apparatus 200 in FIG. 7, and the external address / port information acquisition unit 211, the address resolution unit 212, and the tunnel generation unit 213 cooperate and execute.

  First, the external address / port information acquisition unit 211 accesses the STUN server at a predetermined timing, and periodically acquires external address / port information from the STUN server (S801). Then, it is determined whether the acquired external address / port information has been changed (S802).

  If there is no change in the external address / port information in this determination operation (S802, No), the process returns to step S801, and the STUN server is accessed again at the next timing.

  On the other hand, when there is a change in the acquired external address / port information (S802, Yes), the external address / port information acquisition unit 211 acquires the external address of the own device registered in the external address / port information storage unit 220. Update port information. At the same time, the external address / port information acquisition unit 211 notifies the address resolution unit 212 and the tunnel generation unit 213 that the external address / port information has been updated.

  The address resolution unit 212, upon knowing the update of the external address / port information, transmits an NHRP registration request to which the updated external address / port information is added as a NAPT extension immediately to the hub (S804).

  Further, when the tunnel generation unit 213 knows that the external address / port information has been updated, it transmits a dummy UDP packet having the updated external address / port as a transmission source address to the spoke of the other party (S805). Note that this dummy UDP packet is the same as the packet transmitted to create the communication result in NAT as described above, and is a UDP packet without a payload. The dummy UDP packet is periodically transmitted while the other party's spoke information is alive.

  By the above operation, the hub updates the source spoke's external address / port information based on the NAPT extension added to the newly received NHRP registration request. Also, the spoke at the other end that receives the dummy UDP packet whose source address has been changed updates the external address port of the source spoke based on the information of the source address.

  As described above, in the present embodiment, the spoke acquires the information of the global IP address / port NATed by the gateway which is the NAT device from the STUN server. Then, a global IP address, a global port number, and a NAT type can be added as an NAPT extension to the packet extension of the NHRP protocol, and notification can be made between the spokes.

  Therefore, in an environment in which the spokes on the DMVPN are under a NAT device, it is possible to notify the acquired global IP address / port after NAT conversion between the spokes to dynamically create a virtual tunnel.

In addition, although a part or all of the above-mentioned embodiment may be described also as the following additional notes, it is not limited to the following.
(Additional remark 1) It functions as a spoke which constitutes Dynamic Multipoint Virtual Private Network (DMVPN), and is installed under the relay apparatus which performs Network Address Translation (NAT) address translation of packets transmitted and received between networks of different address spaces. From the address information providing apparatus having the function of returning external address / port information which is address information that can be accessed from the address space outside the relay apparatus generated by the NAT address conversion, to the external address / port information The second communication device, the first communication device being at least two communication devices, which acquires the external address / port information in the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used in the DMVPN A communication device,
The external address / port information included in the NHRP registration packet, which functions as a hub configuring the DMVPN and is received from each of the subordinate first communication device and the second communication device, corresponds to the first communication device And a third communication device registered in mapping information associated with each of the second communication devices,
The third communication device communicates with the second communication device, which is the spoke of the packet transmission destination from the first communication device, which is the spoke of the packet transmission source via the third communication device. Generating a virtual tunnel for the first communication device when detecting that a virtual tunnel can be generated between the first communication device and the second communication device based on the mapping information; And the first communication device that has received the generation instruction of the virtual tunnel from the third communication device receives the instruction of the first communication device in the extension field of the NHRP resolution request packet used in the DMVPN. The second communication device that transmits including the external address / port information and receives the NHRP resolution request packet from the first communication device is an NHR used in the DMVPN. The first communication device that has sent back the NHRP resolution response packet including the external address / port information of the second communication device in the extension field of the resolution response packet is included in the NHRP resolution response packet A communication system characterized by creating the virtual tunnel with the second communication device based on the external address / port information of the second communication device.
(Supplementary Note 2) The external address / port information includes the NAT type of the relay device, and the third communication device includes the NAT type of the relay device to which the first communication device is connected and the second communication. It is determined whether or not the virtual tunnel can be generated between the first communication device and the second communication device according to a combination of NAT types of the relay devices connected by the device. The communication system described in.
(Supplementary Note 3) The NAT type includes full cone NAT, address restriction cone NAT, which is a type according to the access restriction from the address space outside the relay apparatus to the external address / port generated by the NAT address conversion. The third communication apparatus includes a port restricted cone NAT and a symmetric NAT, and the third communication apparatus is an NAT type of the relay apparatus to which the first communication apparatus is connected and an NAT type of the relay apparatus to which the second communication apparatus is connected. The communication system according to appendix 2, wherein it is determined that the generation of the virtual tunnel is not possible when the combination of the symmetric NAT and the port restricted cone NAT is both the case of the symmetric NAT and the symmetric NAT. .
(Supplementary Note 4) The NAT type includes a full cone NAT, an address restriction cone NAT, which is a type according to the access restriction from the address space outside the relay apparatus to the external address / port generated by the NAT address conversion. Each of the first communication device and the second communication device includes a port restricted cone NAT and a symmetric NAT, wherein the NAT type of the relay device to which the own device is connected is the address restricted cone NAT, the port restriction In the case of either of the cone NAT and the symmetric NAT, before creating the virtual tunnel, a dummy UDP (User Datagram Protocol) packet addressed to the external address / port of the communication destination device is transmitted to transmit the dummy UDP packet. Make an entry for the NAT address translation for the destination device Communication system according to Note 2, wherein the generating troduction.
(Supplementary Note 5) Each of the first communication device and the second communication device is received from the communication destination device when the NAT type of the relay device to which the communication destination device is connected is the symmetric NAT. The communication system according to claim 4, wherein a transmission source address port of the dummy UDP packet is used as an external address port of the communication partner apparatus.
(Supplementary Note 6) Each of the first communication device and the second communication device acquires the external address / port information from the address information providing device at a predetermined timing, and the acquired external address / port information is When updated, the updated external address / port information is included in the extension field of the NHRP registration packet and notified to the third communication apparatus, as described in any one of the additional notes Communication system.
(Supplementary Note 7) Each of the first communication device and the second communication device is updated when the external address / port information acquired at a predetermined timing from the address information providing device is updated. A dummy UDP (User Datagram Protocol) packet in which an address / port is set as a transmission source address / port is transmitted to the communication partner apparatus to notify a change of the external address / port of the own apparatus. Communication system.
(Supplementary Note 8) Access is made from an address space outside the relay device generated by the NAT address conversion via the relay device that performs NAT (Network Address Translation) address conversion of packets transmitted and received between networks of different address spaces External address / port information acquisition means for acquiring the external address / port information from an address information providing apparatus having a function of returning external address / port information which is address information that can be performed;
The external address / port information is included in the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used in Dynamic Multipoint Virtual Private Network (DMVPN) and transmitted to the DMVPN hub, and from the hub via the hub In the inter-spoke communication, when notified that it is possible to create a virtual tunnel with the other party spoke, the foreign address / port information is included in the extension field of the NHRP resolution request packet used in the DMVPN, and the other party is said Address resolution for acquiring the external address / port information of the destination spoke from the extension field of the NHRP resolution response packet used in the DMVPN which is sent to the destination spoke and the destination spoke receives the NHRP resolution request packet and is returned Means,
A communication apparatus, comprising: tunnel generation means for generating the virtual tunnel between the other party spoke and the other party spoke based on the external address / port information of the other party spoke acquired by the address resolution means.
(Supplementary Note 9) The external address / port information includes the NAT type of the relay apparatus, and the address resolution means uses the external address / port information of the partner spoke included in the extension field of the NHRP resolution response packet. Acquiring the NAT type of the relay device to which the destination spoke is connected;
The tunnel generation means includes a tunnel generation control unit for performing preparation control for tunnel generation according to the NAT type of the relay apparatus to which the own apparatus is connected and the NAT type of the relay apparatus to which the destination spoke is connected. The communication device according to appendix 8.
(Supplementary Note 10) The NAT type includes a full cone NAT, an address restriction cone NAT, which is a type according to the access restriction from the external address space of the relay apparatus to the external address / port generated by the NAT address conversion. The tunnel generation control unit includes a port restriction cone NAT and a symmetry NAT, wherein the type of NAT of the relay device to which the device is connected is any of the address restriction cone NAT, the port restriction cone NAT, and the symmetry NAT. In some cases, before creating the virtual tunnel, a dummy UDP (User Datagram Protocol) packet addressed to the external address / port of the other party spoke is transmitted to make an entry of the NAT address conversion for the other party spoke. It is characterized by generating in advance Communication device according to Note 9 that.
(Supplementary Note 11) If the NAT type of the relay apparatus to which the destination spoke is connected is the symmetric NAT, the tunnel generation control unit uses the source address / port of the dummy UDP packet received from the destination spoke. The communication device according to claim 10, wherein said communication device is used as an external address / port of said partner spoke.
(Supplementary Note 12) The external address / port information acquisition unit acquires the external address / port information from the address information providing apparatus at a predetermined timing, and when the acquired external address / port information is updated, the external 15. The communication apparatus according to any one of appendices 8 to 11, which outputs an update notification of address / port information.
(Supplementary Note 13) The address resolution means includes the updated external address / port information in the expansion field of the NHRP registration packet based on the update notification outputted by the external address / port information acquisition means. 15. The communication apparatus according to appendix 12, wherein the communication apparatus is notified.
(Supplementary Note 14) The dummy UDP (User Datagram) in which the tunnel generation control unit sets the updated external address / port as a transmission source address / port based on the update notification output from the external address / port information acquisition unit. 12. The communication apparatus according to claim 12, wherein a packet is transmitted to the other party's spoke to notify the change of the external address / port of the own apparatus.
(Supplementary Note 15) The external address / port information acquisition means generates a NAT address translation entry using a dummy port number as an arbitrary port number for which the application is not defined, and generates NAT Traversal Internet Protocol security (IPsec) packets. At the time of transmission, the source of the IPsec packet is converted from the port number specified in the IPsec packet to the dummy port number and transmitted, and when the IPsec packet having the dummy port number as the destination is received, the received IPsec is received. The communication apparatus according to any one of appendices 8 to 14, further comprising a port number conversion unit which converts a destination port number of a packet into a port number defined in the IPsec packet and outputs the port number.
(Supplementary note 16) A relay device that functions as a spoke that configures a Dynamic Multipoint Virtual Private Network (DMVPN), and is installed under a relay device that performs Network Address Translation (NAT) address translation of packets transmitted and received between networks in different address spaces. At least two communication devices for acquiring the external address / port information from an address information providing device having a function of returning external address / port information which is address information accessible from an address space outside the relay device Each of the first communication device and the second communication device transmits the information including the external address / port information in the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used in the DMVPN;
The external address / port information included in the NHRP registration packet received by the third communication device functioning as a hub constituting the DMVPN from each of the first communication device and the second communication device under control Register in mapping information associated with each of the first communication device and the second communication device,
In communication with the second communication device which is the spoke of the packet transmission destination from the first communication device which is the spoke of the packet transmission source via the third communication device, the third communication device is When it is detected based on the mapping information that a virtual tunnel can be generated between the first communication device and the second communication device, generation of the virtual tunnel with respect to the first communication device And
The external address / port of the first communication device in the extension field of the NHRP resolution request packet used in the DMVPN by the first communication device that has received the instruction to create the virtual tunnel from the third communication device. Send including information
The second communication device that has received the NHRP resolution request packet from the first communication device uses the external address / port information of the second communication device in the extension field of the NHRP resolution response packet used in the DMVPN. Reply including,
The first communication device that has received the NHRP resolution response packet communicates with the second communication device based on the external address / port information of the second communication device included in the NHRP resolution response packet. A method for constructing a VPN, characterized in that the virtual tunnel is created in
(Supplementary Note 17) The external address / port information includes the NAT type of the relay apparatus, and the third communication apparatus is the NAT type of the relay apparatus to which the first communication apparatus is connected and the second communication apparatus. It is determined whether or not the virtual tunnel can be generated between the first communication device and the second communication device according to the combination of the NAT types of the relay devices to which is connected. How to build a VPN.
(Supplementary Note 18) A full cone NAT, an address restriction cone NAT, which is a type according to the access restriction from the external address space of the relay apparatus to the external address / port generated by the NAT address conversion, in the NAT type. The third communication apparatus includes a port limited cone NAT and a symmetric NAT, and the third communication apparatus is a combination of the NAT type of the relay apparatus to which the first communication apparatus is connected and the NAT type of the relay apparatus to which the second communication apparatus is connected. 22. The VPN construction method according to appendix 17, wherein it is determined that the generation of the virtual tunnel is not possible when S is symmetric NAT and port restricted cone NAT, and in the case of both symmetric NAT.
(Supplementary Note 19) The NAT type includes a full cone NAT, an address restriction cone NAT, which is a type according to the access restriction from the address space outside the relay apparatus to the external address / port generated by the NAT address conversion. Each of the first communication device and the second communication device includes a port restricted cone NAT and a symmetric NAT, wherein the NAT type of the relay device to which the own device is connected is the address restricted cone NAT, the port restriction In the case of either of the cone NAT and the symmetric NAT, before creating the virtual tunnel, a dummy UDP (User Datagram Protocol) packet addressed to the external address / port of the communication destination device is transmitted to transmit the dummy UDP packet. The NAT address translation entry for the destination device is VPN construction method of statement 17, wherein the generating beforehand.
(Supplementary Note 20) Each of the first communication apparatus and the second communication apparatus is received from the communication partner apparatus when the NAT type of the relay apparatus to which the communication partner apparatus is connected is the symmetric NAT. The VPN construction method according to appendix 19, wherein a transmission source address / port of the dummy UDP packet is used as an external address / port of the communication partner apparatus.
(Supplementary Note 21) Each of the first communication device and the second communication device acquires the external address / port information from the address information providing device at a predetermined timing, and the acquired external address / port information is In the case of being added, the updated external address / port information is included in the extension field of the NHRP registration packet, and notified to the third communication device. VPN construction method described.
(Supplementary Note 22) Each of the first communication device and the second communication device is updated external when the external address / port information acquired at a predetermined timing from the address information providing device is updated. A dummy UDP (User Datagram Protocol) packet in which an address / port is set as a transmission source address / port is transmitted to the communication partner apparatus to notify a change of the external address / port of the own apparatus. How to build a VPN.
(Supplementary note 23) Access from an address space outside the relay device generated by the NAT address conversion, through the relay device that performs NAT (Network Address Translation) address conversion of packets transmitted and received between networks of different address spaces The external address / port information is acquired from an address information providing apparatus having a function of returning external address / port information which is address information that can be
The information is transmitted to the DMVPN hub by including the external address / port information in an extension field of a Next Hop Resolution Protocol (NHRP) registration packet used in Dynamic Multipoint Virtual Private Network (DMVPN).
When notified by the hub that it is possible to create a virtual tunnel with the other party spoke in the inter-spoke communication via the hub, the external field is included in the extension field of the NHRP resolution request packet used in the DMVPN. Send to the other party spoke including address and port information,
The external address / port information of the destination spoke is acquired from an extension field of an NHRP resolution response packet used in the DMVPN returned by the destination spoke that received the NHRP resolution request packet,
A VPN construction method, characterized in that the virtual tunnel is created between itself and the other party spoke based on the acquired foreign address / port information of the other party spoke.
(Supplementary Note 24) The external address / port information includes the NAT type of the relay device,
The NAT type of the relay apparatus to which the partner spoke is connected is acquired from the external address / port information of the partner spoke included in the extension field of the NHRP resolution response packet returned by the partner spoke.
24. The VPN construction method according to claim 23, characterized in that tunnel generation preparation control is performed according to the NAT type of the relay apparatus to which the own apparatus is connected and the NAT type of the relay apparatus to which the other party spoke is connected.
(Supplementary Note 25) A full cone NAT, an address restriction cone NAT, which is a type according to the access restriction from the address space outside the relay apparatus to the external address / port generated by the NAT address conversion, in the NAT type. Includes port restricted cone NAT and symmetric NAT,
If the NAT type of the relay apparatus to which the apparatus is connected is any one of the address restricted cone NAT, the port restricted cone NAT, and the symmetric NAT, the external side of the partner spoke before creating the virtual tunnel 24. The VPN construction method according to appendix 24, wherein a dummy UDP (User Datagram Protocol) packet having an address / port as a destination is transmitted, and an entry of the NAT address conversion related to the other party spoke is generated in advance.
(Supplementary note 26) If the NAT type of the relay apparatus to which the destination spoke is connected is the symmetric NAT, the source address / port of the dummy UDP packet received from the destination spoke is the external address of the destination spoke The VPN construction method according to appendix 25, characterized in that it is used as a port.
(Supplementary Note 27) The external address / port information is acquired from the address information providing apparatus at a predetermined timing, and when the acquired external address / port information is updated, an update notification of the external address / port information is output. 24. The VPN construction method according to any one of appendices 23 to 26, characterized in that:
(Supplementary Note 28) The VPN establishment method according to Supplementary note 27, including notifying the hub of the NHRP registration packet including the updated external address and port information based on the update notification.
(Supplementary note 29) Based on the update notification, a dummy UDP (User Datagram Protocol) packet in which the updated external address and port are set as the source address and port is transmitted to the partner spoke to transmit the external address of the own apparatus. 28. The VPN construction method according to appendix 27 or appendix 28, characterized by notifying a change of a port.
(Supplementary note 30) A NAT address translation entry is generated using a dummy port number as an arbitrary port number for which the application is not defined, and when transmitting an NAT (Internet Protocol security) packet of NAT traversal, a transmission source of the IPsec packet. Is converted from the port number specified in the IPsec packet to the dummy port number and transmitted, and when the IPsec packet having the dummy port number as the destination is received, the destination port number of the received IPsec packet is added to the IPsec packet The VPN construction method according to any one of appendices 23 to 29, characterized by converting into a defined port number and outputting.

1, 2 communication system 10 first communication device 11 first VPN device 12 first LAN
20 second communication device 21 second VPN device 22 second LAN
30 third communication device 31 third VPN device 40 first relay device 41 first gateway 50 second relay device 51 second gateway 60 wide area network 61 first private network 62 second private network 63 third Private network 65 Internet 70 Address information provider 71 STUN server 100, 200 Communication device 110 External address / port information acquisition means 120 Address resolution means 130 Tunnel generation means 210 Communication control section 211 External address / port information acquisition section 2111 STUN application 212 address Solution unit 213 tunnel generation unit 2131 tunnel generation control unit 220 external address / port information storage unit 230 LAN interface unit 240 WAN interface unit

Claims (10)

It functions as a spoke that configures Dynamic Multipoint Virtual Private Network (DMVPN), and is installed under a relay device that performs Network Address Translation (NAT) address translation of packets transmitted and received between networks in different address spaces, said NAT address translation Acquiring the external address / port information from an address information providing apparatus having a function of returning external address / port information which is address information that can be accessed from the address space outside the relay apparatus, generated in At least two communication devices, a first communication device and a second communication device, which transmit the external address / port information included in an extension field of a Next Hop Resolution Protocol (NHRP) registration packet used in the DMVPN;
The external address / port information included in the NHRP registration packet, which functions as a hub configuring the DMVPN and is received from each of the subordinate first communication device and the second communication device, corresponds to the first communication device And a third communication device registered in mapping information associated with each of the second communication devices,
Equipped with
The third communication device communicates with the second communication device, which is the spoke of the packet transmission destination from the first communication device, which is the spoke of the packet transmission source via the third communication device. Generating a virtual tunnel for the first communication device when detecting that a virtual tunnel can be generated between the first communication device and the second communication device based on the mapping information; And
The first communication device, which has received the instruction to create the virtual tunnel from the third communication device, uses the external address / port of the first communication device in the extension field of the NHRP resolution request packet used in the DMVPN. Send including information
The second communication device, which has received the NHRP resolution request packet from the first communication device, uses the external address / port information of the second communication device in the extension field of the NHRP resolution response packet used in the DMVPN. Reply including,
The first communication device having received the NHRP resolution response packet communicates with the second communication device based on the external address / port information of the second communication device included in the NHRP resolution response packet. Creating a virtual tunnel on the network. The external address / port information includes the NAT type of the relay apparatus, and the third communication apparatus connects the NAT type of the relay apparatus to which the first communication apparatus is connected and the second communication apparatus. It is determined whether or not the virtual tunnel can be generated between the first communication device and the second communication device according to a combination of NAT types of the relay devices. Communications system. The NAT type is a type according to the access restriction from the address space outside the relay apparatus for the external address / port generated by the NAT address conversion, full cone NAT, address restriction cone NAT, port restriction cone NAT And the third communication device includes a combination of a NAT type of the relay device to which the first communication device is connected and a NAT type of the relay device to which the second communication device is connected. 3. The communication system according to claim 2, wherein it is determined that the creation of the virtual tunnel is not possible in the case of a symmetric NAT and the port restricted cone NAT, and in the case of both of the symmetric NAT. The NAT type is a type according to the access restriction from the address space outside the relay apparatus for the external address / port generated by the NAT address conversion, full cone NAT, address restriction cone NAT, port restriction cone NAT And each of the first communication device and the second communication device includes the address restriction cone NAT, the port restriction cone NAT, and the NAT type of the relay device to which the first communication device is connected. In the case of any one of symmetric NAT, before creating the virtual tunnel, a dummy UDP (User Datagram Protocol) packet addressed to the external address / port of the communication destination device is transmitted, and the communication destination device is generated. Create an entry for the NAT address translation in advance The communication system according to claim 2, characterized in that: Each of the first communication apparatus and the second communication apparatus receives the dummy UDP packet received from the communication destination apparatus when the NAT type of the relay apparatus to which the communication destination apparatus is connected is the symmetric NAT. 5. The communication system according to claim 4, wherein the source address port of is used as an external address port of the communication destination apparatus. Each of the first communication device and the second communication device acquires the external address / port information from the address information providing device at a predetermined timing, and the acquired external address / port information is updated. The communication system according to any one of claims 1 to 5, wherein the third communication device is notified of the updated external address / port information by including it in the extension field of the NHRP registration packet. . When each of the first communication device and the second communication device has updated the external address / port information acquired at a predetermined timing from the address information providing device, the updated external address / port is used. 7. The communication system according to claim 6, wherein a dummy UDP (User Datagram Protocol) packet set to a transmission source address / port is transmitted to the communication destination apparatus to notify a change of the external address / port of the own apparatus. . It is possible to access from the outside address space of the relay device generated by the NAT address conversion via the relay device that performs NAT (Network Address Translation) address conversion of packets transmitted and received between networks of different address spaces External address / port information acquisition means for acquiring the external address / port information from an address information providing apparatus having a function of returning external address / port information which is unique address information;
The external address / port information is included in the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used in Dynamic Multipoint Virtual Private Network (DMVPN) and transmitted to the DMVPN hub, and from the hub via the hub In the inter-spoke communication, when notified that it is possible to create a virtual tunnel with the other party spoke, the foreign address / port information is included in the extension field of the NHRP resolution request packet used in the DMVPN, and the other party is said Address resolution for acquiring the external address / port information of the destination spoke from the extension field of the NHRP resolution response packet used in the DMVPN which is sent to the destination spoke and the destination spoke receives the NHRP resolution request packet and is returned Means,
A communication apparatus, comprising: tunnel generation means for generating the virtual tunnel between the other party spoke and the other party spoke based on the external address / port information of the other party spoke acquired by the address resolution means. It functions as a spoke that configures a Dynamic Multipoint Virtual Private Network (DMVPN), and is installed under a relay device that performs Network Address Translation (NAT) address translation of packets transmitted and received between networks in different address spaces. First of at least two communication devices for acquiring the external address / port information from an address information providing device having a function of returning external address / port information which is address information accessible from an external address space Each of the communication device and the second communication device transmits the information including the external address / port information in the extension field of the Next Hop Resolution Protocol (NHRP) registration packet used in the DMVPN, and
The external address / port information included in the NHRP registration packet received by the third communication device functioning as a hub constituting the DMVPN from each of the first communication device and the second communication device under control Register in mapping information associated with each of the first communication device and the second communication device,
In communication with the second communication device which is the spoke of the packet transmission destination from the first communication device which is the spoke of the packet transmission source via the third communication device, the third communication device is When it is detected based on the mapping information that a virtual tunnel can be generated between the first communication device and the second communication device, generation of the virtual tunnel with respect to the first communication device And
The external address / port of the first communication device in the extension field of the NHRP resolution request packet used in the DMVPN by the first communication device that has received the instruction to create the virtual tunnel from the third communication device. Send including information
The second communication device that has received the NHRP resolution request packet from the first communication device uses the external address / port information of the second communication device in the extension field of the NHRP resolution response packet used in the DMVPN. Reply including,
The first communication device that has received the NHRP resolution response packet communicates with the second communication device based on the external address / port information of the second communication device included in the NHRP resolution response packet. A method for constructing a VPN, characterized in that the virtual tunnel is created in It is possible to access from the outside address space of the relay device generated by the NAT address conversion via the relay device that performs NAT (Network Address Translation) address conversion of packets transmitted and received between networks of different address spaces The external address / port information is acquired from an address information providing apparatus having a function of returning external address / port information which is unique address information,
The information is transmitted to the DMVPN hub by including the external address / port information in an extension field of a Next Hop Resolution Protocol (NHRP) registration packet used in Dynamic Multipoint Virtual Private Network (DMVPN).
When notified by the hub that it is possible to create a virtual tunnel with the other party spoke in the inter-spoke communication via the hub, the external field is included in the extension field of the NHRP resolution request packet used in the DMVPN. Send to the other party spoke including address and port information,
The external address / port information of the destination spoke is acquired from an extension field of an NHRP resolution response packet used in the DMVPN returned by the destination spoke that received the NHRP resolution request packet,
A VPN construction method, characterized in that the virtual tunnel is created between itself and the other party spoke based on the acquired foreign address / port information of the other party spoke.

Images