System and method for network address translation integration with IP security
Abstract
IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the three types of VPN NAT, including VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations, before beginning IP security that uses the Security Associations. Then, as IP Sec is performed on outbound and inbound datagrams, the NAT function is also performed.
79 Citations
21 Claims
1. A method of operating a virtual private network (VPN) based on IP Sec that integrates network address translation (NAT) with IP Sec processing, comprising the steps of:
    configuring a NAT IP address pool;
    configuring a VPN connection to utilize said NAT IP address pool;
    obtaining a specific IP address from said NAT IP address pool, and allocating said specific IP address for said VPN connection;
    starting said VPN connection;
    loading to an operating system kernel the security associations and connection filters for said VPN connection;
    processing an IP datagram for said VPN connection; and
    applying VPN NAT to said IP datagram.
    Dependent claims: 2, 3, 4, 5, 6, 7

8. A method for allowing the definition and configuration of NAT directly with definition and configuration of VPN connections and VPN policy, comprising the steps of:
    configuring the requirement for VPN NAT by a yes/no decision in a policy database for each of the three types of VPN NAT, said three types being VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT; and
    configuring a remote IP address pool or a server IP address pool selectively responsive to said yes/no decision for each said VPN NAT type.
    Dependent claims: 9, 10

11. A method of providing customer tracking of VPN NAT activities as they occur in an operating system kernel, comprising the steps of:
    responsive to VPN connection configuration, generating journal records;
    updating said journal records with new records for each datagram processed through a VPN connection; and
    enabling a customer to manage said journal records.

12. A method of allowing a VPN NAT address pool to be associated with a gateway, thereby allowing server load-balancing, comprising the steps of:
    configuring a server NAT IP address pool for a system being configured;
    storing specific IP addresses that are globally routable in said server NAT IP address pool;
    configuring a VPN connection to utilize said server NAT IP address pool; and
    managing total volume of concurrent VPN connections responsive to the number of addresses in said server NAT IP address pool.

13. A method of controlling the total number of VPN connections for a system based on availability of NAT addresses, comprising the steps of:
    configuring the totality of remote IP address pools with a common set of IP addresses; and
    limiting the successful start of concurrently active VPN connections responsive to the number of said IP addresses configured across the totality of said remote address pools.

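The claims describe a procedure rather than code. The following Python model is an added illustration written for this page, not the patent's own implementation or any product's code. It walks the steps of claim 1 (configure a pool, tie a connection to it, allocate an address when the connection starts, then translate each datagram), applies the per-type yes/no policy of claim 8, journals every event as claim 11 requires, and refuses a connection start when a pool is exhausted, which is the limiting mechanism of claims 12 and 13. Everything not stated in the claims is an assumption: the mapping from NAT type to pool (POOL_FOR_TYPE), the reverse translations for reply traffic, the rollback of a partial allocation, and all addresses and connection identifiers; the kernel load of security associations and filters is omitted.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address

@dataclass(frozen=True)
class Datagram:
    direction: str     # "outbound" (leaving the protected network) or "inbound"
    src: IPv4Address
    dst: IPv4Address

class PoolExhausted(Exception):
    """A VPN connection start needs an address its pool cannot supply."""

class NatPool:
    """A NAT IP address pool: each address is lent to one connection at a time."""
    def __init__(self, addresses):
        self.free = [IPv4Address(a) for a in addresses]

    def allocate(self):
        if not self.free:
            raise PoolExhausted("pool exhausted")
        return self.free.pop(0)

    def release(self, addr):
        self.free.append(addr)

@dataclass
class VpnConnection:
    conn_id: str
    local: IPv4Address       # protected host or server behind this gateway
    remote: IPv4Address      # peer host address as carried inside the tunnel
    nat_types: frozenset     # subset of {"a", "c", "d"}: the per-type yes/no policy
    nat_addr: dict = field(default_factory=dict)   # NAT type -> allocated pool address

# Assumed (not stated in the claims): which pool supplies each VPN NAT type.
POOL_FOR_TYPE = {"a": "remote", "c": "remote", "d": "server"}

class VpnNatGateway:
    def __init__(self, remote_pool, server_pool):
        self.pools = {"remote": remote_pool, "server": server_pool}
        self.connections = {}
        self.journal = []    # one record per VPN NAT event, for customer tracking

    def start(self, conn):
        # Allocate first: an exhausted pool refuses the start, which caps concurrency.
        allocated = []
        try:
            for t in sorted(conn.nat_types):
                allocated.append((t, self.pools[POOL_FOR_TYPE[t]].allocate()))
        except PoolExhausted:
            for t, addr in allocated:        # roll back a partial allocation
                self.pools[POOL_FOR_TYPE[t]].release(addr)
            self.journal.append(("refused", conn.conn_id, {}))
            raise
        conn.nat_addr = dict(allocated)
        self.connections[conn.conn_id] = conn
        self.journal.append(("start", conn.conn_id, {t: str(a) for t, a in allocated}))

    def stop(self, conn_id):
        conn = self.connections.pop(conn_id)
        for t, addr in conn.nat_addr.items():
            self.pools[POOL_FOR_TYPE[t]].release(addr)
        self.journal.append(("stop", conn_id, {}))

    def apply_vpn_nat(self, conn_id, dg):
        # Forward translations are the three claimed types; reverse mappings serve replies.
        conn, src, dst = self.connections[conn_id], dg.src, dg.dst
        if dg.direction == "outbound":
            if "a" in conn.nat_types and src == conn.local:
                src = conn.nat_addr["a"]          # type a: outbound source IP NAT
                self._log("a", conn_id, dg.src, src)
            if "c" in conn.nat_types and dst == conn.nat_addr["c"]:
                dst = conn.remote                 # reply to type-c-translated traffic
        else:
            if "c" in conn.nat_types and src == conn.remote:
                src = conn.nat_addr["c"]          # type c: inbound source IP NAT
                self._log("c", conn_id, dg.src, src)
            if "d" in conn.nat_types and dst == conn.nat_addr["d"]:
                dst = conn.local                  # type d: inbound destination IP NAT
                self._log("d", conn_id, dg.dst, dst)
            elif "a" in conn.nat_types and dst == conn.nat_addr["a"]:
                dst = conn.local                  # reply to type-a-translated traffic
        return Datagram(dg.direction, src, dst)

    def _log(self, t, conn_id, before, after):
        self.journal.append(("nat_" + t, conn_id, {"from": str(before), "to": str(after)}))

def demo():
    # Constructed scenario: c1 enables all three types; c2 is refused because the remote
    # pool cannot supply both addresses it needs, and its partial allocation is returned.
    gw = VpnNatGateway(NatPool(["192.0.2.10", "192.0.2.11", "192.0.2.12"]), NatPool(["198.51.100.5"]))
    gw.start(VpnConnection("c1", IPv4Address("10.1.1.5"), IPv4Address("10.9.9.7"), frozenset("acd")))
    out = gw.apply_vpn_nat("c1", Datagram("outbound", IPv4Address("10.1.1.5"), IPv4Address("10.9.9.7")))
    inb = gw.apply_vpn_nat("c1", Datagram("inbound", IPv4Address("10.9.9.7"), IPv4Address("198.51.100.5")))
    try:
        gw.start(VpnConnection("c2", IPv4Address("10.1.1.6"), IPv4Address("10.9.9.8"), frozenset("ac")))
        refused = False
    except PoolExhausted:
        refused = True
    gw.stop("c1")
    return {"out": (str(out.src), str(out.dst)), "inb": (str(inb.src), str(inb.dst)), "refused": refused,
            "remote_free": sorted(str(a) for a in gw.pools["remote"].free), "journal": [e[0] for e in gw.journal]}
```

Running demo() shows the outbound datagram leaving with the pool address as its source (type a), the inbound datagram arriving with its source rewritten to a pool address (type c) and its destination rewritten from the globally routable server-pool address to the internal server (type d), the second connection refused with its address returned to the pool, and a journal of every event. Allocating before anything else is what makes the pool size an enforceable limit: a design that allocated lazily on the first datagram would admit connections it cannot serve.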
14. A method of performing network address translation on selected ICMP datagrams, comprising the steps of:
    detecting selected types of ICMP type packets; and
    responsive to said selected types, performing network address translation functions on the entire datagram including ICMP data.

15. A method of performing network address translation on selected FTP datagrams, comprising the steps of:
    detecting the occurrence of FTP PORT or PASV FTP commands; and
    responsive to said command, performing network address translation on the FTP data and the header.

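Claims 14 and 15 exist because a NAT that rewrites only the IP header is not enough for two protocols: an ICMP error message quotes the IP header of the datagram that caused it, and an FTP PORT command or 227 (PASV) reply carries an address in its text, so the untranslated copy would either expose the real internal address or direct the peer to an unreachable one. The Python below is an added example written for this page, not the patent's code: it translates the outer header and, for ICMP error types, the quoted inner header, restoring both checksums, and rewrites the address in FTP control lines. The packets, addresses, mapping format, and the set of ICMP types treated as errors are constructed assumptions; IPv4 without options is assumed throughout.

```python
import re
import struct
from ipaddress import IPv4Address

ICMP_PROTO = 1
# ICMP types that quote the offending datagram's IP header plus 8 bytes of its payload:
# Destination Unreachable, Source Quench, Redirect, Time Exceeded, Parameter Problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by IPv4 and ICMP headers (0 when a header verifies)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def _translate_ipv4_header(hdr: bytes, mapping: dict) -> bytes:
    """Rewrite source/destination of one 20-byte header per mapping and fix its checksum."""
    src, dst = str(IPv4Address(hdr[12:16])), str(IPv4Address(hdr[16:20]))
    src, dst = mapping.get(src, src), mapping.get(dst, dst)
    new = hdr[:10] + b"\x00\x00" + IPv4Address(src).packed + IPv4Address(dst).packed
    return new[:10] + struct.pack("!H", inet_checksum(new)) + new[12:]

def translate_datagram(pkt: bytes, mapping: dict) -> bytes:
    """Apply the mapping to the outer header and, for an ICMP error message,
    to the copy of the original datagram carried inside the ICMP data."""
    if pkt[0] != 0x45:
        raise ValueError("example handles IPv4 without options only")
    out = _translate_ipv4_header(pkt[:20], mapping) + pkt[20:]
    if out[9] == ICMP_PROTO and out[20] in ICMP_ERROR_TYPES and len(out) >= 48:
        inner = _translate_ipv4_header(out[28:48], mapping)
        icmp = out[20:22] + b"\x00\x00" + out[24:28] + inner + out[48:]
        icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
        out = out[:20] + icmp
    return out

def build_icmp_unreachable(router: str, victim: str, orig_src: str, orig_dst: str) -> bytes:
    """Constructed ICMP Destination Unreachable (type 3, code 1) quoting a UDP datagram."""
    quoted = ipv4_header(orig_src, orig_dst, 17, 28) + b"\x04\xd2\x00\x35\x00\x08\x00\x00"
    icmp = struct.pack("!BBHI", 3, 1, 0, 0) + quoted
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return ipv4_header(router, victim, ICMP_PROTO, 20 + len(icmp)) + icmp

def addresses(pkt: bytes) -> tuple:
    """(outer src, outer dst, quoted src, quoted dst) of an ICMP error datagram."""
    at = lambda o: str(IPv4Address(pkt[o:o + 4]))
    return at(12), at(16), at(40), at(44)

# FTP carries addresses in text: "PORT h1,h2,h3,h4,p1,p2" and "227 ... (h1,h2,h3,h4,p1,p2)".
FTP_ADDR_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def translate_ftp_control(line: str, mapping: dict) -> tuple:
    """Rewrite the address in a PORT command or 227 (PASV) reply; returns (line, changed)."""
    if not (line.startswith("PORT ") or line.startswith("227 ")):
        return line, False
    def swap(m):
        addr = ".".join(m.group(i) for i in range(1, 5))
        return mapping.get(addr, addr).replace(".", ",") + "," + m.group(5) + "," + m.group(6)
    new_line = FTP_ADDR_RE.sub(swap, line, count=1)
    return new_line, new_line != line
```

With a mapping of {"192.0.2.10": "10.1.1.5"} (an inbound reverse mapping for a host whose outbound source was translated to 192.0.2.10), translate_datagram rewrites both the outer destination and the quoted inner source of an ICMP unreachable, so the internal host can match the error to its own socket. Two caveats a practitioner should keep in mind: the quoted datagram contains only 8 bytes of its transport header, so its transport checksum cannot be recomputed and is left as received; and rewriting an FTP control line can change its length, in which case a real translator must also adjust the TCP sequence and acknowledgement numbers and the TCP checksum for the rest of that connection, which this address-only example does not do.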
16. A system for operating a virtual private network (VPN) based on IP Sec that integrates network address translation (NAT) with IP Sec processing, comprising:
    means for configuring a NAT IP address pool;
    means for configuring a VPN connection to utilize said NAT IP address pool;
    means for obtaining a specific IP address from said NAT IP address pool, and allocating said specific IP address for said VPN connection;
    means for starting said VPN connection;
    means for loading to an operating system kernel the security associations and connection filters for said VPN connection;
    means for processing an IP datagram for said VPN connection; and
    means for applying VPN NAT to said IP datagram.

17. A system for definition and configuration of NAT directly with definition and configuration of VPN connections and VPN policy, comprising:
    a policy database for configuring the requirement for VPN NAT by a yes/no decision for each of the three types of VPN NAT, said three types being VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT; and
    a remote IP address pool or a server IP address pool selectively configured responsive to said yes/no decision for each said VPN NAT type.

18. A system for allowing a VPN NAT address pool to be associated with a gateway, thereby allowing server load-balancing, comprising:
    a server NAT IP address pool configured for a given system being configured;
    said server NAT IP address pool storing specific IP addresses that are globally routable;
    a VPN connection configured to utilize said server NAT IP address pool; and
    a connection controller for managing total volume of concurrent VPN connections responsive to the number of addresses in said server NAT IP address pool.

19. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a virtual private network (VPN) based on IP Sec that integrates network address translation (NAT) with IP Sec processing, said method steps comprising:
    configuring a NAT IP address pool;
    configuring a VPN connection to utilize said NAT IP address pool;
    obtaining a specific IP address from said NAT IP address pool, and allocating said specific IP address for said VPN connection;
    starting said VPN connection;
    loading to an operating system kernel the security associations and connection filters for said VPN connection;
    processing an IP datagram for said VPN connection; and
    applying VPN NAT to said IP datagram.

20. An article of manufacture comprising:
    a computer useable medium having computer readable program code means embodied therein for operating a virtual private network (VPN) based on IP Sec that integrates network address translation (NAT) with IP Sec processing, the computer readable program means in said article of manufacture comprising:
    computer readable program code means for causing a computer to effect configuring a NAT IP address pool;
    computer readable program code means for causing a computer to effect configuring a VPN connection to utilize said NAT IP address pool;
    computer readable program code means for causing a computer to effect obtaining a specific IP address from said NAT IP address pool, and allocating said specific IP address for said VPN connection;
    computer readable program code means for causing a computer to effect starting said VPN connection;
    computer readable program code means for causing a computer to effect loading to an operating system kernel the security associations and connection filters for said VPN connection;
    computer readable program code means for causing a computer to effect processing an IP datagram for said VPN connection; and
    computer readable program code means for causing a computer to effect applying VPN NAT to said IP datagram.

21. Method for providing IP security in a virtual private network using network address translation (NAT), comprising the steps of:
    dynamically generating NAT rules and associating them with manual or dynamically generated (IKE) Security Associations;
    thereafter beginning IP security that uses the Security Associations; and
    then, as IP Sec is performed on outbound and inbound datagrams, selectively performing one or more of VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT.