Method and apparatus for learning endpoint addresses of IPSec VPN tunnels
First Claim
1. A method of communicating an endpoint address of an Internet Protocol Security (IPSec) Virtual Private Network (VPN) tunnel, the method comprising the steps of:
- formatting a Multiprotocol Border Gateway Protocol (MPBGP) route advertisement to include a route distinguisher, IP-prefix, an endpoint address of an IPSec VPN tunnel, and a route target; and
- transmitting the MPBGP route advertisement.
23 Assignments
0 Petitions
Abstract
Customer Edge (CE) network elements can automatically learn IPSec tunnel endpoints for other CEs connected to sites in a Virtual Private Network (VPN) so that manual configuration of IPSec tunnel endpoints is not required and so that a centralized database of IPSec tunnel endpoints is not required to be separately maintained. According to an embodiment of the invention, a BGP export route policy is set on all CEs, so that when they announce their VPN routes in the standard format, the application of this export route policy changes the announcement to replace the BGP peering point address that would ordinarily be advertised with the IPSec tunnel endpoint address. When any given site receives a VPN route update formatted in this manner, it processes the VPN route update and learns from the update the IPSec tunnel endpoint as well as the associated VPN routes.
179 Citations
15 Claims
1. A method of communicating an endpoint address of an Internet Protocol Security (IPSec) Virtual Private Network (VPN) tunnel, the method comprising the steps of:
- formatting a Multiprotocol Border Gateway Protocol (MPBGP) route advertisement to include a route distinguisher, IP-prefix, an endpoint address of an IPSec VPN tunnel, and a route target; and
- transmitting the MPBGP route advertisement.
Dependent claims: 2, 3, 4, 5

6. A Multiprotocol Border Gateway Protocol (MPBGP) route advertisement, comprising:
- a route distinguisher;
- IP-prefix;
- an Internet Protocol Security (IPSec) Virtual Private Network (VPN) tunnel endpoint address; and
- a route target.
Dependent claims: 7, 8, 9

10. A network, comprising:
- a Group Controller Key Server (GCKS);
- a plurality of Customer Edge (CE) network elements, each of the CE network elements having an established secure control channel between a routing peering endpoint address on the CE and the GCKS, each of the CE network elements also having at least one established secure data channel having a secure data channel endpoint address other than the routing peering endpoint address;
- wherein each of the CE network elements includes a routing table containing routing information correlating routes with the secure data channel endpoint addresses of the other CE network elements; and
- wherein each of the CE network elements is configured to transmit route advertisements containing both route information and the secure data channel endpoint address of that CE network element.
Dependent claims: 11, 12, 13, 14, 15
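The following Python simulation is an added illustration of the scheme described in the abstract and in claims 1 and 10; it is not code from the patent or from any vendor's implementation. Each CE builds the standard VPN route announcement, its export policy swaps the BGP peering address for the IPsec tunnel endpoint, and a receiving CE imports the update only when the route target matches one of its VPNs, recording the learned endpoint against the prefix in a routing table it can then consult per destination. The dataclass layout, the CE names and the addresses (documentation ranges) are constructed assumptions; the actual MP-BGP VPNv4 NLRI encoding is not modelled.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional


# Constructed model of the four fields named in the claims: route distinguisher,
# IP prefix, the endpoint address carried where the next hop ordinarily goes,
# and route target. Not the on-the-wire MP-BGP encoding.
@dataclass(frozen=True)
class VpnRouteUpdate:
    route_distinguisher: str
    prefix: str
    endpoint: str
    route_target: str


def apply_export_policy(update: VpnRouteUpdate, tunnel_endpoint: str) -> VpnRouteUpdate:
    """The export route policy from the abstract: replace the BGP peering
    address that would ordinarily be advertised with the IPsec tunnel endpoint."""
    return VpnRouteUpdate(update.route_distinguisher, update.prefix,
                          tunnel_endpoint, update.route_target)


@dataclass
class CustomerEdge:
    name: str
    peering_address: str      # address used for the BGP session (control plane)
    tunnel_endpoint: str      # address used for the IPsec data channel
    route_distinguisher: str
    route_target: str         # one VPN membership per CE, for simplicity
    local_prefixes: List[str]
    # Learned table (claim 10): prefix -> remote IPsec tunnel endpoint.
    tunnel_table: Dict[ipaddress.IPv4Network, str] = field(default_factory=dict)

    def announce(self) -> List[VpnRouteUpdate]:
        """Build the standard announcement for each local prefix, then apply
        the export policy before transmitting."""
        updates = []
        for prefix in self.local_prefixes:
            standard = VpnRouteUpdate(self.route_distinguisher, prefix,
                                      self.peering_address, self.route_target)
            updates.append(apply_export_policy(standard, self.tunnel_endpoint))
        return updates

    def receive(self, update: VpnRouteUpdate) -> bool:
        """Import decision: accept only updates whose route target matches a VPN
        this CE belongs to, and ignore our own announcements."""
        if update.route_target != self.route_target:
            return False
        if update.endpoint == self.tunnel_endpoint:
            return False
        self.tunnel_table[ipaddress.ip_network(update.prefix)] = update.endpoint
        return True

    def tunnel_endpoint_for(self, dst: str) -> Optional[str]:
        """Longest-prefix match over learned routes; returns the IPsec endpoint
        traffic for dst should be tunnelled to, or None if no VPN route covers it."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, endpoint in self.tunnel_table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, endpoint)
        return best[1] if best else None


def build_topology() -> Dict[str, CustomerEdge]:
    """Constructed sample: ce-a and ce-b are members of VPN 65000:100,
    ce-c of VPN 65000:200. Addresses are from documentation ranges."""
    ces = [
        CustomerEdge("ce-a", "192.0.2.1", "203.0.113.1", "65000:1", "65000:100",
                     ["10.1.0.0/24"]),
        CustomerEdge("ce-b", "192.0.2.2", "203.0.113.2", "65000:2", "65000:100",
                     ["10.2.0.0/24", "10.2.1.0/24"]),
        CustomerEdge("ce-c", "192.0.2.3", "203.0.113.3", "65000:3", "65000:200",
                     ["10.3.0.0/24"]),
    ]
    # Every CE's announcements reach every CE (as a route reflector would
    # distribute them); each CE then applies its own import decision.
    all_updates = [u for ce in ces for u in ce.announce()]
    for ce in ces:
        for update in all_updates:
            ce.receive(update)
    return {ce.name: ce for ce in ces}


if __name__ == "__main__":
    topo = build_topology()
    for ce in topo.values():
        print(ce.name, {str(k): v for k, v in ce.tunnel_table.items()})
    print("ce-a tunnels 10.2.1.7 to", topo["ce-a"].tunnel_endpoint_for("10.2.1.7"))
```

The route-target check is what keeps a member of VPN 65000:200 from learning the tunnel endpoints of VPN 65000:100 at all, and the learned table holds the tunnel endpoints (203.0.113.x) rather than the peering addresses (192.0.2.x); inspecting a live CE for exactly that property is the natural sanity check on a deployment of this scheme.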
Specification