Method and apparatus for processing communications in a virtual private network
Abstract
One embodiment of the present invention provides a computer system for processing communications in a virtual private network. The computer system operates in a selective mode, in which only communications transiting the virtual private network are processed according to specified virtual private network parameters, such as encryption, compression and authentication algorithms. Virtual private network communications passing between a public network and a private network are thus received and processed according to the algorithms, while other communications bypass the computer system. Multiple private networks may be served by a single computer system.
33 Claims

1. A method of operating a virtual private network unit to facilitate secure communications between virtual private network members over a public network, comprising:
coupling the virtual private network unit to a first local network via a first data channel;
coupling the virtual private network unit to a first public network via the first data channel;
maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the first local network;
receiving a first data packet over the first data channel from a first member of the virtual private network in the first local network, wherein the first data packet is addressed to a second member of the virtual private network with a first address from the set of addresses;
replacing the first address with a remote address corresponding to the second member;
transforming the first data packet in accordance with pre-determined rules for transforming data packets sent between members of the virtual private network; and
forwarding the transformed first data packet over the first data channel to the public network for delivery to the remote address.

2. The method of claim 1, further comprising:
receiving a secure data packet over the first data channel from the public network;
processing the secure data packet in accordance with pre-determined rules for processing secure data packets sent between members of the virtual private network; and
forwarding the processed data packet over the first data channel to the first local network.

3. The method of claim 2, wherein processing the secure data packet comprises:
disassembling the secure data packet; and
recovering a second data packet.

4. The method of claim 3, wherein processing the secure data packet further comprises decrypting the second data packet.

5. The method of claim 2, wherein processing the secure data packet comprises translating the secure data packet from a tunnel mode.

6. The method of claim 1, wherein transforming the first data packet comprises encapsulating the first data packet within a secure data packet.

7. The method of claim 6, wherein transforming the first data packet further comprises encrypting the first data packet.

8. The method of claim 6, wherein encapsulating the first data packet comprises:
coupling a source address to the first data packet, the source address corresponding to the virtual private network unit; and
coupling a destination address to the first data packet, the destination address corresponding to a second virtual private network unit.

9. The method of claim 1, wherein transforming the first data packet comprises translating the first data packet into a tunnel mode.

10. The method of claim 1, further comprising:
coupling the virtual private network unit to a second local network via a second data channel;
receiving a second data packet from a third member of the virtual private network in the second local network over the second data channel, wherein the second data packet is addressed to a fourth member of the virtual private network;
transforming the second data packet in accordance with said pre-determined rules for transforming data packets sent between members of the virtual private network; and
transmitting the transformed second data packet toward the fourth member of the virtual private network;
wherein the first and second data channels comprise separate and distinct signal conductors.

11. The method of claim 10, wherein transmitting the transformed second data packet comprises forwarding the transformed second data packet to the public network over the first data channel.

12. The method of claim 10, further comprising coupling the virtual private network unit to a second public network via the second data channel, wherein transmitting the transformed second data packet comprises forwarding the transformed second data packet to the second public network via the second data channel.

13. The method of claim 12, wherein the first public network comprises the second public network.

14. The method of claim 1, further comprising:
operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network.

15. An apparatus for facilitating secure communications between members of a virtual private network, comprising:
a first communication port coupled to a first local network and a public network;
a first storage area containing a first series of instructions for transforming a communication packet received from the public network;
a processor for processing a received communication packet according to said first series of executable instructions; and
a set of local addresses not assigned to virtual private network members coupled to said first local network;
wherein a first communication packet directed from a remote member of the virtual private network to a first member of the virtual private network in said first local network is received at the apparatus with a remote source address corresponding to the remote member; and
wherein the remote source address is replaced with a local address from the set of local addresses before the first communication packet is forwarded to said first local network.

16. The apparatus of claim 15, further comprising:
a second storage area containing a second series of instructions for transforming a communication packet received from said first local network;
wherein a second communication packet received through said first communication port from said first local network is processed in accordance with said second series of instructions and then forwarded through said first communication port toward a member of the virtual private network not in said first local network.

17. The apparatus of claim 16, wherein said processor is configured in accordance with said second series of instructions to modify an address portion of said second communication packet and to encrypt a data portion of said second communication packet.

18. The apparatus of claim 16, wherein said processor is configured in accordance with said second series of instructions to translate said second communication packet into a tunnel mode.

19. The apparatus of claim 15, wherein said processor is configured in accordance with said first series of instructions to modify an address portion of said first communication packet and to decrypt a data portion of said first communication packet.

20. The apparatus of claim 15, wherein said processor is configured in accordance with said first series of instructions to translate said first communication packet from a tunnel mode.

21. The apparatus of claim 15, further comprising:
a second communication port coupled to a second local network;
wherein a second communication packet received through said second communication port from said second local network is processed in accordance with a second series of instructions.

22. The apparatus of claim 21, wherein said second communication port is further coupled to a second public network.

23. The apparatus of claim 22, wherein said second communication packet is forwarded through said second communication port to said second public network.

24. The apparatus of claim 23, wherein said first public network comprises said second public network.

25. The apparatus of claim 15, wherein the apparatus is operable in a selective mode in which the apparatus only receives communications from members of the virtual private network.

26. A method of operating a virtual private network unit in a virtual private network to selectively process communications across a public network between members of the virtual private network, comprising:
operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network;
receiving a virtual private network communication at the virtual private network unit, wherein the communication comprises a source address corresponding to a remote client and a destination address corresponding to a member of the virtual private network connected to a local network;
maintaining a set of local addresses not assigned to virtual private network members connected to the local network;
processing the communication to replace the source address with a local address from the set of local addresses; and
forwarding the communication to the local network for delivery to the virtual private network member;
wherein the virtual private network unit is coupled to the public network and the local network through a single communication port.

27. The method of claim 26, further comprising:
receiving a response from the local network sent from the virtual private network member, the response being directed to the local address;
processing the response to replace the local address with the source address; and
forwarding the response to the public network for delivery to the remote client.

28. A method of operating a virtual private network unit within a virtual private network to facilitate the exchange of secure communications across a public network, comprising:
coupling the virtual private network unit to a first local network via a first data channel;
coupling the virtual private network unit to the public network via the first data channel;
maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the local network;
receiving a first communication over the first data channel, the first communication being directed between a local member of the virtual private network within the first local network and a remote member of the virtual private network;
if the first communication is directed from the remote member to the local member, in the communication, replacing a remote address corresponding to the remote member with a first address from the set of addresses;
if the first communication is directed from the local member to the remote member, in the communication, replacing a first address from the set of addresses with a remote address corresponding to the remote member; and
forwarding the communication over the first data channel.

29. The method of claim 28, further comprising:
operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network.

30. A communication system for facilitating secure communications over a public network between members of a virtual private network, comprising:
a local network comprising a first member of the virtual private network;
a virtual private network unit operating in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network;
a pool of addresses in the local network that are not assigned to members of the virtual private network residing in the local network;
a first communication link coupling the local network and the public network; and
a second communication link coupling the virtual private network unit to the first communication link;
wherein a communication directed between the first member of the virtual private network and a second member of the virtual private network is received by the virtual private network unit over the second communication link with a first address from the pool of addresses, modified in accordance with a pre-determined series of rules, and forwarded by the virtual private network unit over the second communication link; and
wherein the virtual private network unit replaces the first address from the pool of addresses with a remote address corresponding to the second member.

31. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of operating a virtual private network unit in a virtual private network to selectively process communications across a public network between members of the virtual private network, the method comprising:
operating the virtual private network unit in a selective mode, in which the virtual private network unit only receives communications from members of the virtual private network;
receiving a virtual private network communication at the virtual private network unit, wherein the communication comprises a source address corresponding to a remote client and a destination address corresponding to a member of the virtual private network connected to a local network;
maintaining a set of local addresses not assigned to virtual private network members connected to the local network;
processing the communication to replace the source address with a local address from the set of local addresses; and
forwarding the communication to the local network for delivery to the virtual private network member;
wherein the virtual private network unit is coupled to the public network and the local network through a single communication port.

32. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of operating a virtual private network unit to facilitate secure communications between virtual private network members over a public network, the method comprising:
coupling the virtual private network unit to a first local network via a first data channel;
coupling the virtual private network unit to a first public network via the first data channel;
maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the first local network;
receiving a first data packet over the first data channel from a first member of the virtual private network in the first local network, wherein the first data packet is addressed to a second member of the virtual private network with a first address from the set of addresses;
replacing the first address with a remote address corresponding to the second member;
forwarding the first data packet over the first data channel to the public network.

33. A computer readable storage medium storing instructions that, when executed by a computer, cause the computer to perform a method of operating a virtual private network unit within a virtual private network to facilitate the exchange of secure communications across a public network, the method comprising:
coupling the virtual private network unit to a first local network via a first data channel;
coupling the virtual private network unit to the public network via the first data channel;
maintaining a set of addresses in the first local network that are not assigned to members of the virtual private network residing in the local network;
receiving a first communication over the first data channel, the first communication being directed between a local member of the virtual private network within the first local network and a remote member of the virtual private network;
if the first communication is directed from the remote member to the local member, in the communication, replacing a remote address corresponding to the remote member with a first address from the set of addresses;
if the first communication is directed from the local member to the remote member, in the communication, replacing a first address from the set of addresses with a remote address corresponding to the remote member; and
forwarding the communication over the first data channel.
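The forwarding path the claims describe, modelled as an added example (not the patent's own design or code): a one-armed VPN unit keeps a pool of local addresses that no member uses, swaps a pool address for the remote member's real address on the way out (claim 1) and the remote address for a pool address on the way in (claims 2 and 26), and in the selective mode of the abstract ignores traffic that is not from a local member or a peer unit. The HMAC-based transform standing in for the unspecified "pre-determined rules", the address values and the member/peer tables are all constructed for this example.

```python
import hashlib, hmac, json
from dataclasses import dataclass, field

KEY = b"constructed-demo-key"  # constructed shared secret of the two VPN units

def transform(inner):
    """Stand-in for the claims' 'pre-determined rules': serialize, then authenticate with HMAC."""
    body = json.dumps(inner, sort_keys=True).encode()
    return hmac.new(KEY, body, hashlib.sha256).digest() + body
def untransform(secure):
    """Reverse of transform(); None when the tag fails, so a tampered packet never reaches a member."""
    tag, body = secure[:32], secure[32:]
    ok = hmac.compare_digest(tag, hmac.new(KEY, body, hashlib.sha256).digest())
    return json.loads(body) if ok else None
@dataclass
class VpnUnit:
    own_addr: str  # the unit's address on the single shared data channel
    members: set   # local VPN members; selective mode handles traffic only from/to these
    pool: list     # local addresses NOT assigned to any member (the claims' address set)
    peers: dict    # remote member address -> address of the VPN unit in front of it
    alias: dict = field(default_factory=dict)  # pool address -> remote member address

    def alias_for(self, remote):
        """Pool address standing in for a remote member, allocated on first use."""
        local = next((loc for loc, r in self.alias.items() if r == remote), None)
        if local is None:
            local = self.pool.pop(0)  # IndexError here means the pool is exhausted
            self.alias[local] = remote
        return local

    def outbound(self, pkt):
        """Claim 1: local member -> remote member. Returns the secure packet, or None to bypass."""
        remote = self.alias.get(pkt["dst"])
        if pkt["src"] not in self.members or remote is None:
            return None  # selective mode: not VPN traffic, so the unit leaves it alone
        inner = dict(pkt, dst=remote)  # replace the pool address with the real remote address
        return {"src": self.own_addr, "dst": self.peers[remote], "payload": transform(inner)}

    def inbound(self, secure):
        """Claims 2 and 26: remote unit -> local member. Returns the plain packet, or None."""
        if secure["src"] not in self.peers.values():
            return None  # selective mode: not from a known VPN unit
        inner = untransform(secure["payload"])
        if inner is None or inner["dst"] not in self.members:
            return None  # failed authentication, or not addressed to a member
        return dict(inner, src=self.alias_for(inner["src"]))  # remote address -> pool address

def demo():
    """Round trip between member 10.0.0.5 (behind unit A) and 10.9.0.7 (behind unit B)."""
    a = VpnUnit("10.0.0.1", {"10.0.0.5"}, ["10.0.0.200", "10.0.0.201"], {"10.9.0.7": "203.0.113.2"})
    b = VpnUnit("203.0.113.2", {"10.9.0.7"}, ["10.9.0.200"], {"10.0.0.5": "10.0.0.1"})
    secure = a.outbound({"src": "10.0.0.5", "dst": a.alias_for("10.9.0.7"), "data": "hello"})
    delivered = b.inbound(secure)
    reply = b.outbound({"src": "10.9.0.7", "dst": delivered["src"], "data": "hi"})
    return a.alias, secure, delivered, a.inbound(reply)
```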
Specification