Method and apparatus for traversing a translation device with a security protocol
Abstract
The invention uses a three phase IKE protocol main mode negotiation to implement a port float algorithm that permits UDP encapsulated ESP traffic to traverse an IPSec-aware NAT. The NAT is connected to a plurality of client computers on a private network and provides an interface between the client computers and a server connected to a public network. In a first phase, a client and the server determine whether both are capable of sending UDP encapsulated ESP packets. In a second phase, the client and server conduct NAT discovery and determine whether the client, server, or both operate behind a NAT. In a third phase, the client and server initiate a port float algorithm, moving a destination UDP port specified in IKE packets from a first port value to a second port value. The server maintains a data structure that allows the server to identify the client sending IKE packets after exiting the second phase and entering the third phase.
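The three-phase exchange described in the abstract, as an added Python simulation that is not code from the patent or any product: the first and second ports (500 and 4500, the RFC 3947 convention), the vendor ID value, the NAT-discovery digest construction and keying the server's session table on the initiator SPI are all assumptions; the page names none of them.

```python
import hashlib
from dataclasses import dataclass

IKE_PORT, FLOAT_PORT = 500, 4500          # assumed first/second ports (RFC 3947 convention, not on the page)
UDP_ESP_VID = b"constructed-vendor-id"    # constructed capability marker, not a real vendor ID

def nat_d(spi: bytes, addr: str, port: int) -> bytes:
    """NAT-discovery digest over (initiator SPI, address, port); construction assumed."""
    return hashlib.sha256(spi + addr.encode() + port.to_bytes(2, "big")).digest()

@dataclass
class Packet:
    spi: bytes                 # initiator SPI/cookie, unchanged across the port float
    src: tuple                 # (addr, port) as the sender believes it to be
    dst: tuple
    vids: tuple = ()
    nat_d_src: bytes = b""     # sender's own digest of its source endpoint

class Nat:
    """Rewrites the private source endpoint; the digest carried in the payload is untouched."""
    def __init__(self, public_addr):
        self.public, self.map, self.next_port = public_addr, {}, 40000
    def forward(self, p):
        port = self.map.setdefault(p.src, self.next_port + len(self.map))
        return Packet(p.spi, (self.public, port), p.dst, p.vids, p.nat_d_src)

class Server:
    def __init__(self):
        self.sessions = {}     # keyed by SPI so the client is still recognised after the float
    def receive(self, p):
        s = self.sessions.setdefault(p.spi, {"capable": False, "behind_nat": False, "floated": False})
        if p.dst[1] == IKE_PORT:               # phases 1 and 2 arrive on the first port
            s["capable"] = UDP_ESP_VID in p.vids
            # phase 2: a mismatch between the observed source and the client's digest reveals a NAT
            s["behind_nat"] = s["capable"] and nat_d(p.spi, *p.src) != p.nat_d_src
        elif p.dst[1] == FLOAT_PORT and s["behind_nat"]:   # phase 3: float accepted for a known SPI
            s["floated"] = True
        return s

def run_negotiation(behind_nat: bool):
    """Drive one client through the exchange; returns the server's final view of the session."""
    spi, client, server = b"\x01" * 8, ("10.0.0.7", IKE_PORT), ("203.0.113.5", IKE_PORT)
    path = Nat("198.51.100.1").forward if behind_nat else (lambda p: p)
    srv = Server()
    first = Packet(spi, client, server, (UDP_ESP_VID,), nat_d(spi, *client))
    state = srv.receive(path(first))
    if state["behind_nat"]:    # client floats both ports; only the SPI ties the packet to the session
        state = srv.receive(path(Packet(spi, (client[0], FLOAT_PORT), (server[0], FLOAT_PORT))))
    return dict(state)
```

Behind the NAT the floated packet arrives from a different translated source port, which is why the server's lookup must be keyed on something other than the (address, port) pair.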
27 Claims
1. A method for sending UDP encapsulated ESP packets through a NAT on a private network from a client on the private network to a server on a public network, using an IKE negotiation, comprising:
determining whether both the client and server are capable of sending the UDP encapsulated ESP packets, wherein the client sends a first IKE packet to the server and receives a second IKE packet from the server, the first and second IKE packets using first source and destination UDP port addresses;
determining whether at least one of the client or the server operates behind the NAT;
changing the first source and destination port addresses to second source and destination port addresses, the second source and destination port addresses being distinct from the first source and destination port addresses;
sending UDP encapsulated ESP packets using the second source and destination port addresses.

11. A method for sending UDP encapsulated ESP packets through a NAT on a private network from a client on the private network to a server on a public network, whereby the NAT interprets UDP encapsulated ESP packets using a first destination port address as IKE packets, comprising:
conducting an IKE negotiation by sending IKE packets designating a second destination port, the second destination port being distinct from the first destination port; and
sending the UDP encapsulated ESP packets using the second destination port.

12. A method for receiving UDP encapsulated ESP packets at a server on a public network, the UDP encapsulated ESP packets being sent from a client operating behind a NAT on a private network, comprising:
receiving a first IKE packet and sending a second IKE packet, the first and second IKE packets designating a first destination port and including a vendor identification value indicating a capability to send the UDP encapsulated ESP packets;
determining that at least the client operates behind the NAT;
receiving a third IKE packet designating a second destination port, the second destination port being distinct from the first destination port;
determining that the third IKE packet is sent by the client;
receiving UDP encapsulated ESP packets, the UDP encapsulated ESP packets designating the second destination port.

17. A computer-readable medium having computer executable instructions for sending UDP encapsulated ESP packets through a NAT on a private network from a client on the private network to a server on a public network, using an IKE negotiation, comprising:
determining whether both the client and server are capable of sending the UDP encapsulated ESP packets, wherein the client sends a first IKE packet to the server and receives a second IKE packet from the server, the first and second IKE packets using first source and destination UDP port addresses;
determining whether at least one of the client or the server operates behind the NAT;
changing the first source and destination port addresses to second source and destination port addresses, the second source and destination port addresses being distinct from the first source and destination port addresses;
sending UDP encapsulated ESP packets using the second source and destination port addresses.

23. A computer-readable medium having computer executable instructions for sending UDP encapsulated ESP packets through a NAT on a private network from a client on the private network to a server on a public network, whereby the NAT interprets UDP encapsulated ESP packets using a first destination port address as IKE packets, comprising:
conducting an IKE negotiation by sending IKE packets designating a second destination port, the second destination port being distinct from the first destination port; and
sending the UDP encapsulated ESP packets using the second destination port.

24. A computer-readable medium having computer executable instructions for receiving UDP encapsulated ESP packets at a server on a public network, the UDP encapsulated ESP packets being sent from a client operating behind a NAT on a private network, comprising:
receiving a first IKE packet and sending a second IKE packet, the first and second IKE packets designating a first destination port and including a vendor identification value indicating a capability to send the UDP encapsulated ESP packets;
determining that at least the client operates behind the NAT;
receiving a third IKE packet designating a second destination port, the second destination port being distinct from the first destination port;
determining that the third IKE packet is sent by the client;
receiving UDP encapsulated ESP packets, the UDP encapsulated ESP packets designating the second destination port.