1. Field of the Invention
The present invention relates to an apparatus, such as a client apparatus or a gateway apparatus, which is equipped with an IPSec (IP Security) function and remotely accesses a remote network in a secure manner under various network environments.
2. Description of the Related Art
As an example of a key exchange protocol used with IPSec, there is IKE (Internet Key Exchange). IKE negotiates with the communication counterpart the parameters required to set up an IPSec SA (IPSec security association), and then installs the negotiated values in the system.
The IKE protocol is divided into two phases, namely "phase 1" and "phase 2". In phase 1, an SA (Security Association) called the ISAKMP (Internet Security Association and Key Management Protocol) SA is established; it provides a secure communication path through which the messages of IKE itself are transmitted and received. In phase 1, the keys used to encrypt the IKE messages are generated and the IKE peers themselves are authenticated. In phase 2, the authentication and encryption parameters used in IPSec communication are exchanged over the ISAKMP SA (IKE SA) established in phase 1, and finally the IPSec SA is established.
Phase 1 has two modes, a "main mode" and an "aggressive mode", one of which is used. In the main mode, the ISAKMP SA is established by exchanging six messages in total. In contrast, in the aggressive mode the ISAKMP SA is established by exchanging only three messages, fewer than in the main mode.
When remote access is made from a client to a gateway with IPSec, the aggressive mode is generally employed. In the aggressive mode, identification information (an ID, i.e. an authentication ID such as an electronic mail address or an FQDN (Fully Qualified Domain Name)) is registered beforehand in both the gateway and the client and is employed in the IKE authentication. Because the ID payload of the aggressive mode is carried in the first two messages, before any shared key exists, this ID is transmitted and received between the gateway and the client, at the time the ID is authenticated, in plain text (unencrypted). As a result, there has been a risk of the ID being leaked to a third party.
For instance, there have been cases where the ID and the fixed gateway address corresponding to it were intercepted by a third party within the coverage area of a wireless LAN (Local Area Network), such as a public hot spot or a hotel, that does not require a WEP (Wired Equivalent Privacy) key to be set. In such a case, there has been a risk of the third party attacking the gateway and the client from outside, for example by a replay attack or a scan attack.
Where the gateway has an administrator, the administrator may detect the scan attack or the like and take countermeasures against the attacks. However, for remote access to a home network, where no administrator with expert knowledge is present, there has been a risk of attacks from a third party exploiting weaknesses of the system.
On the other hand, in the main mode the ID is encrypted, at the time it is authenticated, with the common key produced in phase 1. As a result, the problem of ID leakage that arises in the aggressive mode does not occur. However, in the main mode, unlike the aggressive mode, the client is authenticated using a fixed IP address as its ID, since with pre-shared key authentication the responder must select the key from the peer's IP address before the encrypted ID payload can be read. As a consequence, the main mode is mainly employed for point-to-point connections, for example communication between nodes having global IP addresses on the Internet, where the IP addresses do not change.
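The difference between the two modes described above, as an added illustration that does not form part of this specification or of any cited document: the following Python script parses ISAKMP message headers and payload chains (RFC 2408) and recovers the Identification payload from an aggressive-mode message, where it is sent in the clear, while reporting it as unavailable for a main-mode message whose payloads are protected by the phase-1 key. The two messages, the cookie values, the identity alice@example.com and the stand-in ciphertext are constructed in the script for demonstration and are not captured traffic; the SA, KE and nonce payload contents are placeholders, not valid proposals or Diffie-Hellman values.

```python
"""Inspect IKEv1 (ISAKMP) phase-1 messages for an exposed Identification payload.

Added illustrative code; not part of the patent text. Sample messages are
constructed below and are not captured traffic. Only the ISAKMP header and
the generic payload headers (RFC 2408) are parsed, which is all a passive
observer on an open wireless LAN needs to read a plaintext ID.
"""
import struct

# ISAKMP exchange types (RFC 2408 section 3.1)
EXCH_IDENTITY_PROTECTION = 2   # IKE phase 1 main mode
EXCH_AGGRESSIVE = 4            # IKE phase 1 aggressive mode
FLAG_ENCRYPTION = 0x01         # header flag: payloads after the header are encrypted

# Payload types (RFC 2408 section 3.1)
PL_NONE, PL_SA, PL_KE, PL_ID, PL_NONCE = 0, 1, 4, 5, 10

# Identification types (RFC 2407 section 4.6.2.1)
ID_TYPE_NAMES = {1: "ID_IPV4_ADDR", 2: "ID_FQDN", 3: "ID_USER_FQDN",
                 9: "ID_DER_ASN1_DN", 11: "ID_KEY_ID"}

# Header: initiator cookie, responder cookie, next payload, version,
# exchange type, flags, message ID, total length (28 bytes)
HDR = struct.Struct("!8s8sBBBBII")


def build_message(exch_type, flags, payloads):
    """Assemble an ISAKMP message from an ordered list of (payload type, body)."""
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PL_NONE
        # generic payload header: next payload, reserved, length incl. header
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody
    first = payloads[0][0] if payloads else PL_NONE
    return HDR.pack(b"\x11" * 8, b"\x00" * 8, first, 0x10, exch_type, flags,
                    0, HDR.size + len(body)) + body


def id_payload(id_type, data):
    """Identification payload body: ID type, protocol ID, port, identity data."""
    return struct.pack("!BBH", id_type, 0, 0) + data


def extract_identity(msg):
    """Return (exchange name, ID type name, identity bytes) if an ID payload is
    readable in the clear; (exchange name, None, None) if none is readable."""
    if len(msg) < HDR.size:
        raise ValueError("truncated ISAKMP header")
    _, _, nxt, _, exch, flags, _, length = HDR.unpack_from(msg)
    if length != len(msg):
        raise ValueError("length field does not match message size")
    exch_name = {EXCH_IDENTITY_PROTECTION: "main mode",
                 EXCH_AGGRESSIVE: "aggressive mode"}.get(exch, f"exchange {exch}")
    if flags & FLAG_ENCRYPTION:
        # Payloads are protected by the phase-1 key: the ID cannot be read.
        return (exch_name, None, None)
    off = HDR.size
    while nxt != PL_NONE:
        if off + 4 > len(msg):
            raise ValueError("truncated payload header")
        nxt_next, _, plen = struct.unpack_from("!BBH", msg, off)
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        if nxt == PL_ID:
            id_type, _proto, _port = struct.unpack_from("!BBH", msg, off + 4)
            ident = msg[off + 8: off + plen]
            return (exch_name, ID_TYPE_NAMES.get(id_type, f"type {id_type}"), ident)
        nxt, off = nxt_next, off + plen
    return (exch_name, None, None)


# Constructed aggressive-mode message 1: SA, KE, NONCE and ID, nothing encrypted.
AGGRESSIVE_MSG1 = build_message(EXCH_AGGRESSIVE, 0, [
    (PL_SA, b"\x00\x00\x00\x01" + b"\x00" * 4),    # DOI + situation; proposals omitted
    (PL_KE, b"\xab" * 16),                          # stand-in for a DH public value
    (PL_NONCE, b"\xcd" * 8),                        # stand-in nonce
    (PL_ID, id_payload(3, b"alice@example.com")),   # ID_USER_FQDN, in the clear
])

# Constructed main-mode message 5: encryption flag set, body is stand-in ciphertext.
ENCRYPTED_BLOB = bytes(range(0x20, 0x40))
MAIN_MSG5 = HDR.pack(b"\x11" * 8, b"\x22" * 8, PL_ID, 0x10,
                     EXCH_IDENTITY_PROTECTION, FLAG_ENCRYPTION, 0,
                     HDR.size + len(ENCRYPTED_BLOB)) + ENCRYPTED_BLOB

if __name__ == "__main__":
    for name, m in (("aggressive mode msg 1", AGGRESSIVE_MSG1),
                    ("main mode msg 5", MAIN_MSG5)):
        exch, id_type, ident = extract_identity(m)
        print(f"{name}: {exch}, ID type={id_type}, identity={ident}")
```

The aggressive-mode message yields the user FQDN directly from the payload chain; the main-mode message is rejected at the header because the encryption flag indicates that everything after the 28-byte header, including the Identification payload, is protected by the key derived in phase 1.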
Also, as prior art related to the present invention, a method has been proposed in which terminal management information held in the management servers used in Mobile IP is combined with VPN (Virtual Private Network) path information on the networks, and the VPN paths through which the management servers transmit data to the clients are switched seamlessly in accordance with the movement of the clients (for example, Patent document 1).
[Patent document 1] JP 2002-111732 A
[Patent document 2] JP 2002-44141 A