Virtual private network with multiple tunnels associated with one group name
Abstract
A method, network system and computer program product for establishing a server node in a virtual private network with a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name. In one embodiment, a method comprises the step of configuring a group database in the server node. The group database in the server node comprises the group name and a list of members associated with the group name. The method further comprises configuring a rules database in the server node. The rules database associates the group name with a particular security policy. The method further comprises configuring a tunnel definition database in the server node. In the tunnel definition database, the remote ID is defined as the group name. In another embodiment of the present invention, the list of members associated with the group name comprises a non-contiguous list of ID types. In another embodiment of the present invention, the members associated with the group name are identified by any specified name.
117 Citations
66 Claims
1. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprising the steps of:
configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy; and
associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group.
Dependent claims: 2 to 16.

2. The method as recited in claim 1, further comprising the step of:
configuring a tunnel definition database in said server node, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name.
3. The method as recited in claim 1, wherein said list of members associated with said group name comprises an ID type and an ID of each member associated with said group name.

4. The method as recited in claim 3, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.

5. The method as recited in claim 3, wherein said ID is a login ID.

6. The method as recited in claim 3, wherein said ID is a specified name.

7. The method as recited in claim 2, wherein configuring said tunnel definition database in said server node comprises establishing said server node and said client node as the two end points of said tunnel.

8. The method as recited in claim 7, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.

9. The method as recited in claim 7, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.

10. The method as recited in claim 1, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.

11. The method as recited in claim 10, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.

12. The method as recited in claim 10, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.

13. The method as recited in claim 10, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.

14. The method as recited in claim 1, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.

15. The method as recited in claim 14, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a GUI.

16. The method as recited in claim 14, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a command line interface.

17. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprising the steps of:
configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
activating said tunnel, wherein activating said tunnel comprises the steps of:
sending a security policy stored in a policy database of said client node by said client node to said server node;
sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;
sending a first nonce by said client node to said server node;
sending a second nonce by said server node to said client node;
sending a first ID by said client node to said server node; and
sending a second ID by said server node to said client node.
Dependent claims: 18 to 21 (not reproduced on this page).

22. A method for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name comprising the steps of:
configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
activating said tunnel, wherein activating said tunnel comprises the steps of:
sending a security policy stored in a policy database of said client node by said client node to said server node;
sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;
sending a first nonce by said client node to said server node;
sending a second nonce by said server node to said client node;
sending a first ID by said client node to said server node; and
sending a second ID by said server node to said client node.
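The three server-side databases and the activation exchange of claims 1, 2, 17 and 22, modelled as an added example; this is not code from the patent or its assignee. The IKE ID-type names are the RFC 2407 identifiers the claims refer to; the group name, member IDs, policy names, protection-suite labels and the demo's exchange are constructed. The claims leave open how the server selects a policy before the client's ID has arrived, so the model accepts any rule that matches and, after the ID exchange, re-checks that the member belongs to a group whose rule was the one negotiated. That re-check is an assumption of the model, and it is the step a reviewer would look for: without it, any peer able to match a group's policy could obtain that group's tunnel.

```python
"""Model of the group-name tunnel scheme described in claims 1, 2, 17 and 22.

Added illustration, not code from the patent or its assignee.  ID-type names
follow the IKE identifiers of RFC 2407 (ID_FQDN, ID_USER_FQDN, ID_IPV4_ADDR);
the group name, member IDs, policy names and suite labels are constructed.
"""
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class MemberID:
    id_type: str    # an IKE-defined ID type (claim 4), e.g. "ID_USER_FQDN"
    id_value: str   # the member's ID: a login ID or any name (claims 5, 6)


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    suites: tuple   # accepted protection suites, most preferred first


@dataclass(frozen=True)
class TunnelDefinition:
    local_id: MemberID
    remote_id: MemberID   # id_type "GROUP", id_value = the group name (claim 2)


class ServerNode:
    def __init__(self, local_id):
        self.local_id = local_id
        self.group_db = {}    # group name -> frozenset of MemberID (claim 10)
        self.rules_db = {}    # group name -> SecurityPolicy (claim 14)
        self.tunnel_db = {}   # group name -> TunnelDefinition (claim 2)
        self.tunnels = []     # activated tunnels as (MemberID, group, suite)
        self.last_transcript = []

    def configure_group(self, group, members):
        """One group entry and one tunnel definition whose remote ID is the
        group name, however many members the group has (claims 2, 10)."""
        self.group_db[group] = frozenset(members)
        self.tunnel_db[group] = TunnelDefinition(self.local_id,
                                                 MemberID("GROUP", group))

    def configure_rule(self, group, policy):
        """Rules database: one policy per group name (claim 14)."""
        self.rules_db[group] = policy

    def group_for(self, member):
        """Last step of claim 1: find the group a member name belongs to."""
        for group, members in self.group_db.items():
            if member in members:
                return group
        return None

    def activate(self, client_id, client_policy, exact_match=True):
        """Activation per claim 17 (exact_match=True) or claim 22 (False: the
        policies agree on at least one suite).  Returns (group, suite) or None.

        Assumption: the claims do not say how the server picks a policy before
        the client's ID has arrived, so any matching rule is accepted here and
        the group binding is re-checked once the ID is known.
        """
        t = self.last_transcript = []
        t.append(("client->server", "policy", client_policy.suites))
        offered = set(client_policy.suites)
        candidates = [g for g, p in self.rules_db.items()
                      if (set(p.suites) == offered if exact_match
                          else bool(set(p.suites) & offered))]
        if not candidates:
            return None          # server sends no policy; no tunnel
        t.append(("server->client", "policy",
                  self.rules_db[candidates[0]].suites))
        t.append(("client->server", "nonce", secrets.token_hex(16)))
        t.append(("server->client", "nonce", secrets.token_hex(16)))
        t.append(("client->server", "id", client_id))
        t.append(("server->client", "id", self.local_id))
        # Bind the tunnel to a group by member name; refuse any ID that is not
        # a member of a group whose policy is the one just negotiated.
        group = self.group_for(client_id)
        if group not in candidates:
            return None
        suite = next(s for s in self.rules_db[group].suites if s in offered)
        self.tunnels.append((client_id, group, suite))
        return group, suite


def demo():
    """Two members with different ID types share one tunnel definition and one
    policy; a non-member offering the same policy is refused at the ID step."""
    server = ServerNode(MemberID("ID_FQDN", "vpn.example.com"))
    alice = MemberID("ID_USER_FQDN", "alice@example.com")
    bob = MemberID("ID_IPV4_ADDR", "192.0.2.10")    # mixed ID types (claim 4)
    mallory = MemberID("ID_USER_FQDN", "mallory@example.net")
    server.configure_group("field-staff", [alice, bob])
    server.configure_rule("field-staff", SecurityPolicy(
        "field-policy", ("ESP-AES128-SHA1", "ESP-3DES-SHA1")))
    full = SecurityPolicy("client-full", ("ESP-AES128-SHA1", "ESP-3DES-SHA1"))
    aes_only = SecurityPolicy("client-aes", ("ESP-AES128-SHA1",))
    return {
        "alice_exact": server.activate(alice, full),
        "bob_exact": server.activate(bob, full),
        "bob_subset_exact": server.activate(bob, aes_only),           # claim 17
        "bob_subset_overlap": server.activate(bob, aes_only, False),  # claim 22
        "mallory": server.activate(mallory, full),                    # non-member
        "tunnel_definitions": len(server.tunnel_db),
        "active_tunnels": len(server.tunnels),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the point of the claims: two members with different IKE ID types are served from a single tunnel definition and a single rules entry, the exact-match variant of claim 17 refuses a client proposal that is only a subset of the server's policy, the overlap variant of claim 22 accepts it, and a peer whose ID is in no group is refused even though its proposal matched.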
23. A virtual private network system comprising:
a plurality of tunnels associated with a group name, wherein each of said plurality of tunnels associated with said group name comprises a plurality of nodes, wherein each of said plurality of nodes comprises a communication adapter to interconnect with said virtual private network, wherein one of said plurality of nodes is a server node, wherein one of said plurality of nodes is a client node, wherein said server node comprises:
a group database, wherein said group database comprises said group name and a list of members associated with said group name; and
a rules database, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single copy of a security policy for each of the plurality of tunnels associated with said group name.
Dependent claims: 24 to 38 (not reproduced on this page).

39. A virtual private network system comprising:
a plurality of tunnels associated with a group name, wherein each of said plurality of tunnels associated with said group name comprises a plurality of nodes, wherein each of said plurality of nodes comprises a communication adapter to interconnect with said virtual private network, wherein one of said plurality of nodes is a server node, wherein one of said plurality of nodes is a client node, wherein said server node comprises:
a group database, wherein said group database comprises said group name and a list of members associated with said group name; and
a rules database, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single copy of a security policy for each of the plurality of tunnels associated with said group name;
wherein the server node further comprises:
a tunnel definition database, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name;
wherein a particular tunnel of said plurality of tunnels associated with said group name is activated, wherein said particular tunnel is associated with a particular member of said group name;
wherein activating said particular tunnel comprises the steps of:
sending a security policy stored in a policy database of said client node by said client node to said server node;
sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;
sending a first nonce by said client node to said server node;
sending a second nonce by said server node to said client node;
sending a first ID by said client node to said server node; and
sending a second ID by said server node to said client node.
Dependent claims: 40 to 43 (not reproduced on this page).

44. A virtual private network system comprising:
a plurality of tunnels associated with a group name, wherein each of said plurality of tunnels associated with said group name comprises a plurality of nodes, wherein each of said plurality of nodes comprises a communication adapter to interconnect with said virtual private network, wherein one of said plurality of nodes is a server node, wherein one of said plurality of nodes is a client node, wherein said server node comprises:
a group database, wherein said group database comprises said group name and a list of members associated with said group name; and
a rules database, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single copy of a security policy for each of the plurality of tunnels associated with said group name;
wherein the server node further comprises:
a tunnel definition database, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name;
wherein a particular tunnel of said plurality of tunnels associated with said group name is activated, wherein said particular tunnel is associated with a particular member of said group name;
wherein activating said particular tunnel comprises the steps of:
sending a security policy stored in a policy database of said client node by said client node to said server node;
sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;
sending a first nonce by said client node to said server node;
sending a second nonce by said server node to said client node;
sending a first ID by said client node to said server node; and
sending a second ID by said server node to said client node.

45. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:
programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
programming operable for establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy; and
programming operable for associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group.
Dependent claims: 46 to 60.

46. The computer program product as recited in claim 45, further comprising:
programming operable for configuring a tunnel definition database in said server node, wherein a remote ID in said tunnel definition is defined as said group name, wherein said server node has a single tunnel definition for each of the plurality of tunnels associated with said group name.

47. The computer program product as recited in claim 45, wherein said list of members associated with said group name comprises an ID type and an ID of each member associated with said group name.

48. The computer program product as recited in claim 47, wherein said ID type is an Internet Key Exchange (IKE) defined ID type, wherein said list of members is a non-contiguous list of IKE defined ID types.

49. The computer program product as recited in claim 47, wherein said ID is a login ID.

50. The computer program product as recited in claim 47, wherein said ID is a specified name.

51. The computer program product as recited in claim 46, wherein configuring said tunnel definition database in said server node comprises:
programming operable for establishing said server node and said client node as the two end points of said tunnel.

52. The computer program product as recited in claim 51, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a GUI.

53. The computer program product as recited in claim 51, wherein said tunnel definition database in said server node is configured by a user entering a local ID, a local ID type, said remote ID and a remote ID type through a command line interface.

54. The computer program product as recited in claim 45, wherein said group database in said server node comprises said group name and an ID type of each member of said group name and an ID of each member of said group name.

55. The computer program product as recited in claim 54, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a GUI.

56. The computer program product as recited in claim 54, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through a command line interface.

57. The computer program product as recited in claim 54, wherein configuring said group database in said server node is accomplished by entering said group name, said ID type of each member of said group name and said ID of each member of said group name through configuration files.

58. The computer program product as recited in claim 45, wherein said rules database in said server node comprises said group name, a group name ID type and a security policy pointer.

59. The computer program product as recited in claim 58, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a GUI.

60. The computer program product as recited in claim 58, wherein configuring said rules database in said server node is accomplished by entering said group name, said group name ID type and said security policy pointer through a command line interface.

61. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:
programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
programming operable for establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
programming operable for associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
programming operable for activating said tunnel, wherein said programming operable for activating said tunnel comprises:
programming operable for sending a security policy stored in a policy database of said client node by said client node to said server node;
programming operable for sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node matches said security policy stored in said policy database of said client node;
programming operable for sending a first nonce by said client node to said server node;
programming operable for sending a second nonce by said server node to said client node;
programming operable for sending a first ID by said client node to said server node; and
programming operable for sending a second ID by said server node to said client node.
Dependent claims: 62 to 65 (not reproduced on this page).

66. A computer program product having a computer readable medium having computer program logic recorded thereon for allowing a server node in a virtual private network to have a single tunnel definition and a single security policy for a plurality of tunnels associated with a group name, comprising:
programming operable for configuring a group database in said server node, wherein said group database in said server node comprises said group name and a list of members associated with said group name;
programming operable for configuring a rules database in said server node, wherein said rules database associates said group name with a particular security policy, wherein said server node has a single security policy for each of the plurality of tunnels associated with said group name;
programming operable for establishing a tunnel having a tunnel definition between a client node having a member name and said server node by negotiating a common security policy;
programming operable for associating said tunnel with a group in said group database based on said member name such that only one copy of said tunnel definition and associated security policy is maintained on said server node regardless of the number of client nodes to server node tunnels associated with said group; and
programming operable for activating said tunnel, wherein said programming operable for activating said tunnel comprises:
programming operable for sending a security policy stored in a policy database of said client node by said client node to said server node;
programming operable for sending a security policy stored in a policy database of said server node by said server node to said client node if said security policy stored in said policy database of said server node agrees on the same set of protection suites at any point in time with said security policy stored in said policy database of said client node;
programming operable for sending a first nonce by said client node to said server node;
programming operable for sending a second nonce by said server node to said client node;
programming operable for sending a first ID by said client node to said server node; and
programming operable for sending a second ID by said server node to said client node.

Specification