Dynamic system and method for virtual private network (VPN) packet level routing using dual-NAT method

US 20080201486A1
Filed: 02/21/2007
Published: 08/21/2008
Est. Priority Date: 02/21/2007
Status: Active Grant

First Claim

Patent Images

1. A method for virtual private network packet level routing using a dual-NAT (network address translation) mechanism comprising:

providing at least one client on a client virtual private network node a list of available resources hosted on a resource virtual private network node;

assigning the at least one resource on the resource virtual private network node a local (virtual) IP address on the client virtual private network node;

initiating a request by the at least one client for the at least one resource from the list of available resources hosted on the resource virtual private network node as though the at least one resource is local to the at least one client without exposing the actual IP addresses of the list of available resources on the resource virtual private network node, wherein a client dynamic virtual private network (DVPN) gateway associated with the client virtual private network node translates the local (actual) client IP address and the local (virtual) resource IP address into a client DVPN address and a resource DVPN address;

routing the request packet with the client DVPN address and the resource DVPN address through a secure connection to a resource dynamic virtual private network (DVPN) gateway associated with the resource virtual private network node;

translating the client DVPN address and the resource DVPN address to a local (virtual) client IP address and the local (actual) resource IP address on the resource virtual private network node, and wherein the translation is performed by the resource DVPN gateway;

responding to the request by the at least one resource on the resource virtual private network node as though the request is initiated locally on the resource virtual private network node without exposing the actual IP address of the at least one client on the client virtual private network node;

routing the response packet from the at least one resource on the resource virtual private network node back to the at least one client on the client virtual private network node through the secure connection, wherein the resource DVPN gateway translates the local (actual) resource IP address and the local (virtual) client IP address on the resource virtual private network node to the resource DVPN address and the client DVPN address for routing through the secure tunnel to the client DVPN gateway; and

forwarding the response packet to the at least one client, wherein the client DVPN gateway translates the resource DVPN address and the client DVPN address to the local (virtual) resource IP address and the local (actual) client IP address on the client virtual private network node.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for virtual private network (VPN) packet level routing using a Dual-NAT architecture to provide a bidirectional secure connection between applications, hosts, or networks at any two end sites without exposing each other'"'"'s actual IP addresses and network topologies. The method includes providing a client a list of available resources on a remote network; initiating a request by the client for at least one resource from the list of available remote resources as though the at least one resource is local to the client; NATting the source and destination IP addresses to a pair of client and resource Dynamic VPN (DVPN) addresses; routing the request to the remote network; NATting the client and resource DVPN addresses to local IP addresses on the remote network; issuing the request to the at least resource; and NATting/routing the response using the reverse process.

163 Citations

17 Claims

1. A method for virtual private network packet level routing using a dual-NAT (network address translation) mechanism comprising:
- providing at least one client on a client virtual private network node a list of available resources hosted on a resource virtual private network node;
  
  assigning the at least one resource on the resource virtual private network node a local (virtual) IP address on the client virtual private network node;
  
  initiating a request by the at least one client for the at least one resource from the list of available resources hosted on the resource virtual private network node as though the at least one resource is local to the at least one client without exposing the actual IP addresses of the list of available resources on the resource virtual private network node, wherein a client dynamic virtual private network (DVPN) gateway associated with the client virtual private network node translates the local (actual) client IP address and the local (virtual) resource IP address into a client DVPN address and a resource DVPN address;
  
  routing the request packet with the client DVPN address and the resource DVPN address through a secure connection to a resource dynamic virtual private network (DVPN) gateway associated with the resource virtual private network node;
  
  translating the client DVPN address and the resource DVPN address to a local (virtual) client IP address and the local (actual) resource IP address on the resource virtual private network node, and wherein the translation is performed by the resource DVPN gateway;
  
  responding to the request by the at least one resource on the resource virtual private network node as though the request is initiated locally on the resource virtual private network node without exposing the actual IP address of the at least one client on the client virtual private network node;
  
  routing the response packet from the at least one resource on the resource virtual private network node back to the at least one client on the client virtual private network node through the secure connection, wherein the resource DVPN gateway translates the local (actual) resource IP address and the local (virtual) client IP address on the resource virtual private network node to the resource DVPN address and the client DVPN address for routing through the secure tunnel to the client DVPN gateway; and
  
  forwarding the response packet to the at least one client, wherein the client DVPN gateway translates the resource DVPN address and the client DVPN address to the local (virtual) resource IP address and the local (actual) client IP address on the client virtual private network node.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein the client DVPN gateway and the resource DVPN gateway maintain a range of DVPN addresses, which are assigned as the resource DVPN address and the client DVPN address.
  - 3. The method of claim 2, wherein the resource DVPN address and the client DVPN address are different from the local IP addresses used on the resource and client virtual private network nodes such that the range of DVPN addresses are only meaningful and used among the client and resource DVPN gateways for routing a packet through the secure connection between the resource virtual private network node and the client virtual private network node.
  - 4. The method of claim 2, wherein the DVPN addresses ranges are assigned manually and/or dynamically from a server with DHCP similar functions to each DVPN gateway.
  - 5. The method of claim 1, wherein the resource DVPN gateway assigns the resource DVPN address to the at least one resource from its pool of DVPN addresses upon publishing the at least one resource to a client virtual private network node.
  - 6. The method of claim 5, wherein the resource DVPN address of the at least one resource will be published to all client DVPN gateways for accessing the at least one resource by any client.
  - 7. The method of claim 1, wherein the client DVPN gateway assigns the client DVPN address to the at least one client upon initiation of the request to access the at least one resource from its pool of DVPN addresses.
  - 8. The method of claim 7, wherein the client DVPN address will be used by the client DVPN gateway for all remote resources accessed by the at least one client.
  - 9. The method of claim 1, wherein the client IP addresses and the resource IP address further include a port number.
  - 10. The method of claim 9, wherein a plurality of local (virtual) client IP addresses on the resource virtual private network node can share the same IP address with different port numbers, and further wherein the resource DVPN gateway translates the client DVPN addresses and port numbers.
  - 11. The method of claim 9, wherein a plurality of local (virtual) resource IP addresses on the client virtual private network node can share the same IP address with different port numbers, and further wherein the client DVPN gateway translates the resource DVPN addresses and port numbers.
  - 12. The method of claim 1, wherein the client and the resource DVPN gateways perform packet content rewrite to translate embedded IP addresses and port numbers to support certain application protocols such as File Transfer Protocol (FTP).
  - 13. The method of claim 1, wherein the at least one client accesses the at least one resource through a plurality of intermediate virtual private network nodes with a DVPN gateway associated with each of the plurality of intermediate virtual private network nodes.
  - 14. The method of claim 1, wherein the at least one client comprises a plurality of clients on the resource virtual private network node, and wherein the plurality of clients access a plurality of resources on the client virtual private network node.
  - 15. The method of claim 1, wherein packets with DVPN addresses are routed among a plurality of DVPN gateways using an IP routing protocol, such as OSPF or BGP.
  - 16. The method of claim 1, wherein the local client IP address on the client virtual private network node is used as the client DVPN address.
  - 17. The method of claim 16, wherein the local client IP address is used only among DVPN gateways, such that the local client IP address is not exposed to other virtual private network nodes.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Array Networks Incorporated (Hitachi, Ltd.)
Original Assignee
Array Networks Incorporated (Hitachi, Ltd.)
Inventors
Yen, Leemay, Zhang, Junzheng, Hsu, Pu-Chau, Chai, Zhuoyuan, Hsu, Nai-Ting

Granted Patent

US 7,840,701 B2
Time in Patent Office

Days
Field of Search
US Class Current

709/238
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 61/2517   using port numbers

H04L 61/2535   Multiple local networks, e....

H04L 61/2539   Hiding addresses; Keeping a...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

H04L 67/06   specially adapted for file ...

H04L 9/40   Network security protocols

Dynamic system and method for virtual private network (VPN) packet level routing using dual-NAT method

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

163 Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic system and method for virtual private network (VPN) packet level routing using dual-NAT method

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

163 Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links