Virtual private network and tunnel gateway with multiple overlapping, remote subnets
Abstract
Local gateway support for multiple overlapping remote networks. The local gateway includes a pool of unique, internally routable system-wide addresses, an address bind table, a filter rules table, and a collection of security association databases. A plurality of overlapping connections are received at the local gateway from remote networks, each including an inbound packet having a source IP address. For each connection, the source IP address is bound with an address from the address pool in a bind table. Outbound packets are processed through the bind table to determine the destination IP address corresponding to a correct one of the plurality of overlapping connections.
78 Citations
28 Claims
1. A method for providing local gateway support for multiple overlapping remote networks, comprising the steps of:
- loading a plurality of overlapping connections, each including an inbound packet having a source IP address;
- for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and
- network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.
Dependent claims: 2.

3. A local gateway system, comprising:
- an address pool for storing a plurality of internally routable and system wide, nonconflicting network addresses;
- an address bind table for binding a conflicting source address from an inbound packet from a remote network to a connection name and to a unique network address from said address pool;
- a filter rules table responsive to an outbound packet for determining a first connection indicia;
- said address bind table further responsive to said outbound packet for determining a second connection indicia; and
- said local gateway system being responsive to said first and second connection indicia comparing equal for processing said outbound packet to a communications tunnel using a first security association determined by said first connection indicia, and responsive to said first and second connection indicia comparing not equal for processing said outbound packet to a communications tunnel using a second security association determined by said second connection indicia.

4. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- loading a plurality of overlapping connections, each including an inbound packet having a source IP address;
- for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and
- network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.
Dependent claims: 5.

6. A computer program product or computer program element for providing local gateway support for multiple overlapping remote networks, according to method steps comprising:
- loading a plurality of overlapping connections, each including an inbound packet having a source IP address;
- for each said connection, binding said source IP address in a bind table with an internally routable and system-wide unique source IP address from an internal address pool; and
- network address translating outbound packets, each said outbound packet having a destination IP address, to determine a virtual private network connection for receiving said outbound packet.

7. A local gateway system for processing inbound and outbound packets with respect to a local network and a plurality of remote nodes having potentially overlapping addresses, comprising:
- an address pool component;
- an address bind table component;
- a filter rules table component;
- a security association component;
- an entry in said address bind table component including a left hand side (LHS) address field, a right hand side (RHS) address field, and first connection name field;
- an entry in said filter rules table component including source IP address (sip), destination IP address (dip), source port, destination port, second connection name, and action field;
- said address pool component including a pool of sip addresses administratively reserved and uniquely routable within said local network;
- a security association in said security association component including third connection name and security association data;
- first logic responsive to an inbound packet for dynamically binding in said address bind table component the inbound packet sip with a local sip selected from said address pool component and first connection indicia;
- second logic responsive to an outbound packet for accessing said filter rules table component to determine filter derived connection indicia;
- third logic responsive to said outbound packet for accessing said address bind table component to determine corresponding bind table derived connection indicia; and
- fourth logic responsive to said filter derived connection indicia and said bind table derived connection indicia comparing equal for accessing said security association component to select security association data corresponding to said filter derived connection data for processing said outbound packet, and responsive to said filter derived connection indicia and said bind table derived connection indicia comparing not equal for accessing said security association component to select security association data corresponding to said bind table derived connection indicia for processing said outbound packet.
Dependent claims: 8.

9. A method for operating a local gateway, comprising the steps of:
- receiving an inbound packet on a network connection from a remote node; and
- applying source-in network address translation to establish dynamic binding of the source IP address of said inbound packet with an internally routable and system wide unique source-in IP address and a connection name.
Dependent claims: 10, 11, 12.

13. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- receiving an inbound packet on a network connection from a remote node; and
- applying source-in network address translation to establish dynamic binding of the source IP address of said inbound packet with an internally routable and system wide unique source-in IP address and a connection name.
Dependent claims: 14, 15, 16.

17. A communication method, comprising the steps of:
- operating a remote gateway to initiate a connection with a local gateway;
- sending from a remote node at said remote gateway an inbound packet addressed by a destination address to a local node at said local gateway and a remote node source address identifying said remote node;
- operating said local gateway to decapsulate said inbound packet;
- operating said local gateway to determine that said inbound packet requires source-in network address translation and that no existing address bind exists for said inbound packet;
- operating said local gateway to choose a pool address and create a binding table entry binding said remote node source address to said pool address and a unique connection name;
- replacing said remote node source address with said pool address and forwarding said inbound packet to said local node;
- receiving at said local gateway an outbound packet having as its destination address said pool address;
- filtering said outbound packet to identify corresponding connection indicia;
- finding in said binding table an entry corresponding to said outbound packet, converting said destination address to said remote node source address, and returning said unique connection name;
- responsive to said unique connection name, selecting security association data; and
- responsive to said security association data, tunneling said outbound packet to said remote node.
Dependent claims: 18, 19.

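The mechanism the claims describe (source-in NAT into a bind table on the way in; reverse lookup, connection-name recovery and security-association choice on the way out, with the bind table prevailing when it disagrees with the filter rules, as in claims 3, 7 and 17), as an added Python model that is not the patent's own code. The pool addresses, host addresses, connection names and SA labels are constructed sample values; a packet's `conn` field stands in for the tunnel it arrived on.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    conn: Optional[str] = None   # tunnel (connection name) the packet arrived on / leaves by

class Gateway:
    """Local gateway with the patent's four components (simplified model)."""
    def __init__(self, pool: List[str], sa_db: Dict[str, str]):
        self.pool = list(pool)        # internally routable, system-wide unique addresses
        self.bind: Dict[str, Tuple[str, str]] = {}  # LHS pool addr -> (RHS remote src, conn name)
        self.sa_db = dict(sa_db)      # connection name -> security association data
        self.filter_rules: Dict[Tuple[str, str], str] = {}  # (sip, dip) -> conn name

    def inbound(self, pkt: Packet) -> Packet:
        """Source-in NAT: map the (possibly conflicting) remote src to a pool address."""
        for lhs, (rhs, conn) in self.bind.items():
            if rhs == pkt.src and conn == pkt.conn:     # existing bind: reuse it
                return Packet(lhs, pkt.dst)
        if not self.pool:
            raise RuntimeError("address pool exhausted")
        lhs = self.pool.pop(0)
        self.bind[lhs] = (pkt.src, pkt.conn)
        return Packet(lhs, pkt.dst)

    def outbound(self, pkt: Packet) -> Tuple[Packet, str]:
        """Undo the translation and pick the security association (claims 3, 7, 17)."""
        if pkt.dst not in self.bind:
            raise KeyError(f"no binding for {pkt.dst}")
        rhs, bind_conn = self.bind[pkt.dst]
        filter_conn = self.filter_rules.get((pkt.src, pkt.dst))
        if filter_conn == bind_conn:
            conn = filter_conn          # indicia agree: filter-derived SA
        else:
            conn = bind_conn            # indicia differ: the dynamic bind is authoritative
        return Packet(pkt.src, rhs, conn), self.sa_db[conn]

def demo() -> Tuple[str, str, str, str, str]:
    gw = Gateway(pool=["192.168.250.1", "192.168.250.2"], sa_db={"vpnA": "SA-A", "vpnB": "SA-B"})
    # Constructed sample: two remote sites both number a host 10.1.1.7 (overlapping subnets).
    a = gw.inbound(Packet("10.1.1.7", "172.16.0.10", conn="vpnA"))
    b = gw.inbound(Packet("10.1.1.7", "172.16.0.10", conn="vpnB"))
    # A stale static filter rule points the reply at vpnA; the bind table overrides it.
    gw.filter_rules[("172.16.0.10", b.src)] = "vpnA"
    reply, sa = gw.outbound(Packet("172.16.0.10", b.src))
    return a.src, b.src, reply.dst, reply.conn, sa
```

Without the per-connection binding, the two 10.1.1.7 hosts would be indistinguishable to the local node and the reply to site B could be tunneled to site A.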
20. A method for operating a local gateway for controlling communication between a local node and a remote node, comprising the steps of:
- receiving an inbound packet on a network connection from a remote node, said inbound packet characterized by a first source address identifying said remote node and a first destination address identifying said local node; and
- applying source-in network address translation to establish dynamic binding of said first source address with an internally routable and system wide unique second source address and a first connection name.
Dependent claims: 21, 22, 23.

24. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- operating a remote gateway to initiate a connection with a local gateway;
- sending from a remote node at said remote gateway an inbound packet addressed by a destination address to said local node at said local gateway and a remote node source address identifying said remote node;
- operating said local gateway to decapsulate said inbound packet;
- operating said local gateway to determine that said inbound packet requires source-in network address translation and that no existing address bind exists for said inbound packet;
- operating said local gateway to choose a pool address and create a binding table entry binding said remote node source address to said pool address and a unique connection name;
- replacing said remote node source address with said pool address and forwarding said inbound packet to said local node;
- receiving at said local gateway an outbound packet having as its destination address said pool address;
- filtering said outbound packet to identify corresponding connection indicia;
- finding in said binding table an entry corresponding to said outbound packet, converting said destination address to said remote node source address, and returning said unique connection name;
- responsive to said unique connection name, selecting security association data; and
- responsive to said security association data, tunneling said outbound packet to said remote node.

25. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for providing local gateway support for multiple overlapping remote networks, said method steps comprising:
- receiving an inbound packet on a network connection from a remote node, said inbound packet characterized by a first source address identifying said remote node and a first destination address identifying said local node; and
- applying source-in network address translation to establish dynamic binding of said first source address with an internally routable and system wide unique second source address and a first connection name.
Dependent claims: 26, 27, 28.

Specification