Computer systems, in particular virtual private networks
First Claim
1. A method of operating a computer system comprising a first node connectable to a second node by way of any of a plurality of gateway nodes, wherein:
- (a) the first node initially establishes a first virtual private network (VPN) connection with the second node by way of one of the gateway nodes, using a session key which is held in a cache store in the first node to encrypt communications between the first node and said one of the gateway nodes;
(b) the first node monitors said one of the gateway nodes for failure;
(c) in the event of failure of said one of the gateway nodes, the first node deletes the session key from the cache store and searches the cache store to determine whether another session key has been cached allowing a new VPN connection to be established with the second node by way of another of the gateway nodes;
(d) in the event that another session key has not been cached, the first node initiates a key establishment protocol exchange with a selected one of the gateway nodes, other than the failed node, to establish a new session key allowing a new VPN connection to be established with the second node by way of said selected one of the gateway nodes, the new session key being saved in the cache store.
2 Assignments
0 Petitions
Accused Products
Abstract
A first node (client) (1) is in communication with one of a plurality of second nodes (5, 6, 7) connected to a local area network (LAN) (4) via a virtual private network including a link (3), such as the Internet, and a selected one of a plurality of third nodes (gateway servers) (21, 22, 23). Communication between the first node (1) and the third nodes (21, 22, 23) is encrypted, whereas communication between the third nodes and the second nodes (5, 6, 7) is unencrypted. Communication from the first node (1) to one of the second nodes (5, 6, 7) is initially set up via a selected one of the third nodes after suitable authentication. If that third node should subsequently fail, an alternative third node can be used. To detect the failure of a third node, the first node (1) sends a “heartbeat” packet (failure detection signal) to it. An operational third node responds with an answer, indicating that all is well. If no answer is received within a predetermined time interval, the first node sends another “heartbeat” packet. If there is still no answer, another third node is selected for use. This other third node can be one that was previously authenticated, or alternatively one that must be authenticated at this time. In order to reduce workload heartbeat messages may only be sent at selected times.
-
Citations
7 Claims
-
1. A method of operating a computer system comprising a first node connectable to a second node by way of any of a plurality of gateway nodes, wherein:
-
(a) the first node initially establishes a first virtual private network (VPN) connection with the second node by way of one of the gateway nodes, using a session key which is held in a cache store in the first node to encrypt communications between the first node and said one of the gateway nodes;
(b) the first node monitors said one of the gateway nodes for failure;
(c) in the event of failure of said one of the gateway nodes, the first node deletes the session key from the cache store and searches the cache store to determine whether another session key has been cached allowing a new VPN connection to be established with the second node by way of another of the gateway nodes;
(d) in the event that another session key has not been cached, the first node initiates a key establishment protocol exchange with a selected one of the gateway nodes, other than the failed node, to establish a new session key allowing a new VPN connection to be established with the second node by way of said selected one of the gateway nodes, the new session key being saved in the cache store. - View Dependent Claims (2, 3, 4, 5, 6)
-
-
7. A computer system comprising a first node connectable to a second node by way of any of a plurality of gateway nodes, wherein the first node comprises:
-
(a) a cache store for storing session keys;
(b) means for establishing a first virtual private network (VPN) connection with the second node by way of one of the gateway nodes, using a session key held in the cache store to encrypt communications between the first node and said one of the gateway nodes;
(c) means for monitoring said one of the gateway nodes for failure;
(d) means operative in the event of failure of said one of the gateway nodes, for deleting the session key from the cache store and searching the cache store to determine whether another session key has been cached allowing a new VPN connection to be established with the second node by way of another of the gateway nodes;
(e) means operative in the event that another session key has not been cached, for initiating a key establishment protocol exchange with a selected one of the gateway nodes, other than the failed node, to establish a new session key allowing a new VPN connection to be established with the second node by way of said selected one of the gateway nodes, and for saving the new session key in the cache store.
-
Specification
-
- Resources
-
Current AssigneeFujitsu Services Limited (Fujitsu Limited)
-
Original AssigneeFujitsu Services Limited (Fujitsu Limited)
-
InventorsJarosz, Mark Joseph Stefan
-
Primary Examiner(s)JUNG, DAVID YIUK
-
Application NumberUS09/862,860Publication NumberTime in Patent Office1,729 DaysField of Search713200-202, 713150-153, 713168-172, 709/225, 709/229, 709/226US Class Current726/15CPC Class CodesH04L 43/10 Active monitoring, e.g. hea...H04L 63/0272 Virtual private networksH04L 63/0428 wherein the data content is...H04L 63/06 for supporting key manageme...
