In recent years, the widespread proliferation of Internet access has brought many PCs into businesses and even individual households, and such PCs often communicate with each other over a local area network (LAN) for more effective use. When a LAN made up of such PCs is connected to the Internet, a gateway apparatus that connects the LAN to a WAN is required.
To access a terminal on a LAN from a PC outside the LAN, the PC first needs to establish a dialup connection with the provider it subscribes to, and then to access the terminal, for example a PC on the LAN, via the WAN.
However, packets transmitted over a WAN are basically not safeguarded. If such packets were intercepted by an eavesdropper, sensitive information could be misused.
A security gateway apparatus connecting the WAN and the LAN needs to be used to protect such information from unauthorized access and to provide data security. It is also required that the PC, which has a dialup connection to the WAN, be equipped with a communication protocol stack for data security. In this way, a virtual private line environment can be realized on the WAN by establishing VPN communication between the PC located outside the LAN and the security gateway apparatus.
Currently, the communication protocol typically used for VPN communication is Security Architecture for the Internet Protocol (IPsec).
An overview of VPN communication employing IPsec will now be described with reference to FIG. 5. FIG. 5 is a block diagram of a typical network system including a WAN.
As shown in FIG. 5, the network system comprises PC 101, which is located outside the LAN and establishes a dialup connection to the provider; WAN 102; and security gateway 103, which connects WAN 102 and LAN 104 and performs line connection and conversion processing.
LAN 104, which lies behind security gateway 103, includes server terminal 105 and client PCs 106 and 107.
In addition, in order to perform IPsec communication, VPN 108 is established between PC 101 and security gateway 103.
When PC 101 establishes a dialup connection to the provider and accesses a terminal on LAN 104, VPN 108 is established between PC 101 and security gateway 103, providing a virtual private line environment on WAN 102. This environment protects the information exchanged on WAN 102 from interception or alteration, ensuring safe communication between PC 101 and the terminal on LAN 104.
An outline of the information required for performing IPsec communication will now be described with reference to FIG. 6. FIG. 6 illustrates a state of WAN connection.
PC 101, WAN 102, and security gateway 103 are the same as those described with reference to FIG. 5.
In order to perform IPsec communication between PC 101 and security gateway 103, the following have to be shared by both sides prior to IPsec communication:
1) data security;
2) countermeasures against alteration of transmitted data, by avoiding the use of a fixed logical communication path;
3) an encryption algorithm that protects the data to be transmitted from alteration;
4) key information used for the authentication algorithm.
There are two methods of sharing key information between the two communication partners: (1) setting the key information manually on both sides prior to communication, and (2) setting the key information automatically with the Internet Key Exchange (IKE) protocol when communication is initiated.
Hereinafter, the description focuses on the latter method, which is the one used in actual communication.
IPsec communication will be described with reference to FIG. 7. FIG. 7 is a flow diagram that illustrates the operation of security gateway 103 when starting IPsec communication.
To perform IPsec communication, it is necessary to establish a Security Association (SA), which is a two-way logical connection between the two sides. For that reason, IKE communication has two phases.
Phase 1 establishes an IKE-SA for performing IKE communication safely (S11, S12). Once this connection is established successfully, phase 2 becomes active to exchange security information, including key information, for IPsec communication (S13).
When the IPsec-SA is successfully established (S14) in phase 2, IKE communication ends and IPsec communication begins (S15).
The table below shows the information exchanged between the two sides in phase 2 of IKE communication (S13 in the description above).
TABLE 1
Item                        Detail
Security protocol           Encapsulating Security Payload (ESP) / Authentication Header (AH)
IPsec communication mode    Tunnel mode / Transport mode
Encryption algorithm        Must in ESP
Encryption key              —
Authentication algorithm    Must in AH; may be selected in ESP
Authentication key          —
SA lifetime format          Data amount (bytes) / hours
SA lifetime                 —
As for the operating mode (IPsec communication mode), security gateway 103 operates in tunnel mode (encapsulating whole IP packets) only. In the explanation below, the IPsec operating mode is assumed to be tunnel mode.
FIG. 8 schematically illustrates IPsec communication in tunnel mode. In FIG. 8, PC 101, security gateway 103, LAN 104, client PC 106, and VPN 108 are the same as those illustrated in FIG. 5. IP packet 100 is the packet handled in this system.
In FIG. 8, suppose that IP addresses “A”, “B”, and “C” are assigned to PC 101, security gateway 103, and client PC 106, respectively. IP address “A” assigned to PC 101 is provided by the provider.
When client PC 106 on LAN 104 transmits an IP packet to PC 101, which has established a connection with PC 106 via VPN 108:
1) client PC 106 generates IP packet 100, in which the sender's IP address is “C” and the receiver's IP address is “A”, and sends it to security gateway 103;
2) on receiving packet 100, gateway 103 identifies it as a packet to be sent to PC 101, with which VPN 108 has been established;
3) gateway 103 encapsulates IP packet 100 according to the information exchanged during IKE communication;
4) an IP header containing the sender's IP address “B” and the receiver's IP address “A” is added outside the original IP header;
5) authentication information is added to the encapsulated IP packet based on the exchanged information, and the IP packet is then encrypted;
6) on receiving the encapsulated packet via VPN 108, PC 101 retrieves the original IP packet 100 from the received packet according to the exchanged information, and then processes it.
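The tunnel-mode encapsulation in steps 1) to 6) above, as an added illustration that is not part of the original description and not real IPsec/ESP: the whole inner packet C -> A is kept intact, an HMAC tag is appended so PC 101 can detect alteration, and an outer header B -> A is prepended. The encryption of step 5) is omitted; the addresses, the key and the payload are constructed stand-ins for “A”, “B”, “C” and the key negotiated in IKE phase 2.

```python
import hashlib, hmac, socket, struct

ESP_PROTO = 50          # IP protocol number carried in the outer header for ESP
UDP_PROTO = 17
AUTH_KEY = b"constructed-key-from-ike-phase-2"  # stand-in for the negotiated authentication key

def _checksum(data: bytes) -> int:
    """Ones'-complement IPv4 header checksum (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal 20-byte IPv4 header (no options, TTL 64) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]
    return hdr + payload

def addresses(packet: bytes) -> tuple:
    """(sender, receiver) addresses of the outermost IP header."""
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])

def encapsulate(inner: bytes, gateway_ip: str, peer_ip: str, key: bytes) -> bytes:
    """Gateway side (steps 3 to 5, encryption omitted): keep the inner packet whole,
    append an HMAC tag over it, then prepend the outer header B -> A."""
    tag = hmac.new(key, inner, hashlib.sha256).digest()
    return ipv4_packet(gateway_ip, peer_ip, ESP_PROTO, inner + tag)

def decapsulate(outer: bytes, key: bytes) -> bytes:
    """PC side (step 6): accept only tunnel packets, verify the tag in constant
    time, and return the original inner packet for normal processing."""
    if outer[9] != ESP_PROTO:
        raise ValueError("outer header does not carry a tunnel payload")
    inner, tag = outer[20:-32], outer[-32:]
    if not hmac.compare_digest(hmac.new(key, inner, hashlib.sha256).digest(), tag):
        raise ValueError("authentication failed: packet was altered in transit")
    return inner

if __name__ == "__main__":
    # Constructed addresses standing in for "C" (client PC 106), "B" (gateway 103), "A" (PC 101).
    inner = ipv4_packet("192.0.2.3", "198.51.100.1", UDP_PROTO, b"hello from LAN")
    outer = encapsulate(inner, "203.0.113.2", "198.51.100.1", AUTH_KEY)
    print("outer:", addresses(outer), "inner:", addresses(decapsulate(outer, AUTH_KEY)))
```

Only the outer B -> A pair is visible on WAN 102; the C -> A pair and the payload travel inside the tunnel, and any change to them fails the tag check on PC 101.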
The VPN communication method of the prior-art security gateway apparatus assures the safety of data exchanged on WAN 102. However, an access from outside the LAN is treated as an access from an outside network.
This fact has brought about the inconveniences and security problems described below when a terminal outside the LAN establishes a dialup connection to the WAN and accesses client PC 106 on LAN 104:
1) security policy settings indicating acceptable and unacceptable accesses are required on PC 106. For example, PC 106 needs information settings from which it can determine which IP addresses are acceptable or which protocol services are unacceptable.
2) the settings described above have to be made each time an outside terminal accesses a terminal on the LAN. Unless the setting procedures are carried out completely, the security level may be degraded.
3) when the outside terminal accesses a server on the LAN, even after the terminal has successfully established IPsec communication with the gateway apparatus, the server needs further setting procedures to identify the outside terminal and grant it permission to communicate with a terminal on the LAN. As with the security policy settings described above, the security level may be degraded unless the setting procedures are carried out completely.
Moreover, if LAN 104 is a network configured with private IP addresses, the setting procedures become extremely complicated.