Method and system of establishing a virtual private network in a cloud service for branch networking

US 10,135,789 B2
Filed: 04/12/2016
Issued: 11/20/2018
Est. Priority Date: 04/13/2015
Status: Active Grant

First Claim

Patent Images

1. A computerized system useful for implementing a virtual private network (VPN), the system comprising:

an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in a public cloud in preparation for a transmission of a secure traffic communication, wherein the edge device has a list of local subnets, and wherein the edge device sends the list of local subnets to the gateway device during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device, wherein each local subnet includes an indication of whether the local subnet is reachable over the VPN;

the gateway device automatically establishing the IP sec tunnel alongside the unsecure MP tunnel with the edge device; and

an orchestrator module operating on an enterprise datacenter server that receives a toggle-the-VPN command and enables the VPN on the orchestrator module, and wherein the orchestrator module informs the edge device that the list of local subnets is accessible over the VPN, causing the edge device to update the gateway device with a new list of local subnets of the edge device that are accessible over the VPN.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator. The orchestrator informs the edge device the list of subnets is accessible over the VPN causing the edge device to update the gateway device with a new list of subnets of the edge device that accessible over the VPN.

128 Citations

View as Search Results

20 Claims

1. A computerized system useful for implementing a virtual private network (VPN), the system comprising:
- an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in a public cloud in preparation for a transmission of a secure traffic communication, wherein the edge device has a list of local subnets, and wherein the edge device sends the list of local subnets to the gateway device during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device, wherein each local subnet includes an indication of whether the local subnet is reachable over the VPN;
  
  the gateway device automatically establishing the IP sec tunnel alongside the unsecure MP tunnel with the edge device; and
  
  an orchestrator module operating on an enterprise datacenter server that receives a toggle-the-VPN command and enables the VPN on the orchestrator module, and wherein the orchestrator module informs the edge device that the list of local subnets is accessible over the VPN, causing the edge device to update the gateway device with a new list of local subnets of the edge device that are accessible over the VPN.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computerized system of claim 1, wherein the VPN is disabled on the orchestrator module and the orchestrator module informs the edge device that the local subnets of the new list of local subnets of the edge device accessible over the VPN are no longer reachable over VPN.
  - 3. The computerized system of claim 2, wherein the edge device updates the gateway device that the local subnets of the new list of local subnets are no longer reachable over VPN.
  - 4. The computerized system of claim 1, wherein a routing protocol is implemented between the edge device and the gateway device.
  - 5. The computerized system of claim 4, wherein the routing protocol relays state information of the edge device to a plurality of other gateway peers that are one hop away from the gateway device, and wherein the gateway peers of the plurality of gateway peers are listed in a virtual routing and forwarding (VRF) table.
  - 6. The computerized system of claim 5, wherein the edge device is a first edge device, the system further comprisinga second edge device that establishes a separate IPsec tunnel alongside a separate unsecure MP tunnel with the gateway device in preparation for a separate transmission of a secure traffic communication, wherein the second edge device has a second list of local subnets accessible over the VPN, wherein the second edge device informs the gateway device of the second list of local subnets of the second edge device accessible over the VPN.
  - 7. The computerized system of claim 6, wherein the gateway device informs the plurality of gateway peers of the new list of local subnets of the first edge device accessible over the VPN and the second list of local subnets of the second edge device accessible over the VPN.
  - 8. The computerized system of claim 6, wherein the first edge device comprises an entry point into an enterprise core network and the second edge device comprises a virtual machine located in a customer premises.
  - 9. The computerized system of claim 1, wherein the gateway device automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device irrespective of whether the VPN has been enabled on the edge device.
  - 10. The computerized system of claim 1, wherein the gateway device is implemented in a cloud-computing platform.

11. A method for an edge device for implementing a virtual private network (VPN), the method comprising:
- establishing an unsecure Multipath Protocol (MP) tunnel with a gateway device in a public cloud, wherein establishing the MP tunnel comprises an establishment handshake message exchange comprising sending a list of local subnets of the edge device to the gateway device, wherein each local subnet includes an indication of whether the local subnet is reachable over the VPN;
  
  automatically establishing an Internet Protocol Security (IPsec) tunnel with the gateway device alongside the MP tunnel in preparation for a transmission of a secure traffic communication;
  
  receiving an update that the list of local subnets is accessible over the VPN from an orchestrator module executing on an enterprise datacenter, wherein the orchestrator module sends the update in response to receiving a toggle-the-VPN command, and in response to the toggle-the-VPN command the orchestrator module also enables the VPN on the orchestrator module; and
  
  transmitting to the gateway device a new list of local subnets of the edge device that are accessible over the VPN.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The method of claim 11, wherein the VPN is disabled on the orchestrator module and the orchestrator module informs the edge device that the local subnets of the new list of local subnets are no longer reachable over VPN.
  - 13. The method of claim 12, wherein the edge device updates the gateway device that the local subnets of the new list of local subnets are no longer reachable over VPN.
  - 14. The method of claim 11, wherein a routing protocol is implemented between the edge device and the gateway device.
  - 15. The method of claim 14, wherein the routing protocol relays state information of the edge device to a plurality of other gateway peers that are one hop away from the gateway device, and wherein the gateway peers of the plurality of other gateway peers are listed in a virtual routing and forwarding (VRF) table.
  - 16. The method of claim 15, wherein the edge device is a first edge device, the method further comprising, at a second edge device, establishing a separate IPsec tunnel alongside a separate unsecure MP tunnel with the gateway device in preparation for a separate transmission of a secure traffic communication, wherein the second edge device has a second list of local subnets accessible over the VPN, wherein the second edge device informs the gateway device of the second list of local subnets of the second edge device accessible over the VPN.
  - 17. The method of claim 16, wherein the gateway device informs the plurality of gateway peers of the new list of local subnets of the first edge device accessible over the VPN and the second list of local subnets of the second edge device accessible over the VPN.
  - 18. The method of claim 17 further comprising the second edge device transmitting a secure traffic communication over the VPN to the gateway device, wherein the gateway device transmits the secure traffic communication over the internet through the VPN to the first edge device.
  - 19. The method of claim 16, wherein the first edge device comprises an entry point into an enterprise core network and the second edge device comprises a virtual machine located in a customer premises.
  - 20. The method of claim 11, wherein the gateway device automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device irrespective of whether or not the VPN has been enabled on the edge device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Mayya, Ajit Ramachandra, Thakore, Parag Pritam, Connors, Stephen Craig, Woo, Steven Michael, Mukundan, Sunil, Speeter, Thomas Harold
Primary Examiner(s)
Hirl, Joseph P
Assistant Examiner(s)
Murphy, J. Brant

Application Number

US15/097,282
Publication Number

US 20160315912A1
Time in Patent Office

952 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/66   Arrangements for connecting...

H04L 45/42   Centralised routing

H04L 49/35   Switches specially adapted ...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 67/10   in which an application is ...

Method and system of establishing a virtual private network in a cloud service for branch networking

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system of establishing a virtual private network in a cloud service for branch networking

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links