System and method for network address translation integration with IP security
First Claim
1. A method of operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing, comprising the steps executed at one end of a VPN connection of:
configuring a VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine;
configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool;
obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection;
starting said VPN connection;
loading to an operating system kernel at said one end of said VPN connection the security associations and connection filters for said VPN connection;
processing at said one end of said VPN connection an IP datagram for said VPN connection;
applying VPN NAT at one end of said VPN connection to said IP datagram with source and destination port values after the application of VPN NAT being the same as before application of VPN NAT; and
further for integrating NAT with IPsec for dynamically-keyed internet key exchange protocol (IKE) IPsec connections, comprising the further step of:
configuring the VPN connections to obtain their keys automatically.
Abstract
IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the four types of VPN NAT: VPN NAT type 'a' (source-outbound IP NAT), VPN NAT type 'b' (destination-outbound IP NAT), VPN NAT type 'c' (inbound-source IP NAT), and VPN NAT type 'd' (inbound-destination IP NAT). This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations before beginning IP security that uses the Security Associations. Then, as IPsec is performed on outbound and inbound datagrams, the NAT function is also performed.
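The mechanism the abstract describes, as an added illustration that is not the patent's own code: a gateway-local address pool, NAT rules generated per VPN connection from yes/no policy decisions for types a, c and d, the rules bound to the connection's security association (keyed by SPI here) before IPsec starts, and the translation applied while datagrams are processed with ports left unchanged. The pool contents, SPI values, and the NAT-then-encapsulate / decapsulate-then-NAT ordering are assumptions.

```python
# Added illustration, not the patent's own code. NAT rules are generated per VPN
# connection and bound to its SA by SPI; pools, SPIs and ordering are assumed.
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Datagram:
    src: str
    dst: str
    sport: int
    dport: int

class AddressPool:
    def __init__(self, addresses):  # built only from addresses known on this gateway
        self.free = list(addresses)

    def allocate(self):
        if not self.free:  # claims 10/13: concurrent connections bounded by pool size
            raise RuntimeError("VPN NAT pool exhausted")
        return self.free.pop(0)

class VpnNatGateway:
    def __init__(self, remote_pool, server_pool):
        self.remote_pool, self.server_pool = remote_pool, server_pool
        self.rules = {}  # SPI -> NAT rule, loaded to the kernel together with the SA

    def start_connection(self, spi, policy, local_client=None, real_server=None):
        rule = {}  # policy holds the yes/no decision for VPN NAT types a, c and d
        if policy.get("a"):  # type a, outbound source NAT: client hidden behind pool addr
            rule["a"] = (local_client, self.remote_pool.allocate())
        if policy.get("c"):  # type c, inbound source NAT: remote source mapped locally
            rule["c"] = self.remote_pool.allocate()
        if policy.get("d"):  # type d, inbound destination NAT: routable pool addr -> server
            rule["d"] = (self.server_pool.allocate(), real_server)
        self.rules[spi] = rule
        return rule

    def outbound(self, spi, dg):
        rule = self.rules[spi]
        if "a" in rule and dg.src == rule["a"][0]:
            dg = replace(dg, src=rule["a"][1])  # only the address changes, ports untouched
        return ("ESP", spi, dg)  # VPN NAT done, then IPsec encapsulation under this SA

    def inbound(self, spi, dg):
        rule = self.rules[spi]  # runs after IPsec decapsulation of the inner datagram
        if "c" in rule:
            dg = replace(dg, src=rule["c"])
        if "d" in rule and dg.dst == rule["d"][0]:
            dg = replace(dg, dst=rule["d"][1])
        return dg
```

Because the server pool is the only source of routable inbound addresses, a second connection that requests type d NAT fails once the pool is empty, which is the load-balancing cap claims 10 and 13 describe.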
17 Claims
1. A method of operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing, comprising the steps executed at one end of a VPN connection of:
configuring a VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine; configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool; obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection; starting said VPN connection; loading to an operating system kernel at said one end of said VPN connection the security associations and connection filters for said VPN connection; processing at said one end of said VPN connection an IP datagram for said VPN connection; applying VPN NAT at one end of said VPN connection to said IP datagram with source and destination port values after the application of VPN NAT being the same as before application of VPN NAT; and further for integrating NAT with IPsec for dynamically-keyed internet key exchange protocol (IKE) IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically. (Dependent claims: 2, 3, 4, 5, 6, 17)

7. A computer implemented method for allowing the definition and configuration of NAT directly with definition and configuration of IPsec-based VPN connections and VPN policy, comprising the steps executed by a digital processor at one end of a VPN connection of:
configuring at one end of said VPN connection the requirement for VPN NAT by a yes/no decision in a policy database for each of the three types of VPN NAT, said three types being VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT; configuring at said one end of said VPN connection on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine a remote IP address pool or a server IP address pool selectively responsive to said yes/no decision for each said VPN NAT type; and upon subsequent start of said VPN connection, processing inbound and outbound packets at said one end of said VPN connection responsive to configuration of said VPN NAT in said policy database and configuration of said remote IP address pool; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically. (Dependent claims: 8, 9)

10. A computer implemented method of allowing a VPN NAT address pool to be associated with a gateway, thereby allowing server load-balancing, comprising the steps executed by a digital processor at one end of a VPN connection of:
configuring at said one end of said VPN connection a server VPN NAT IP address pool for a system being configured; storing at said one end of said VPN connection specific IP addresses that are globally routable in said server VPN NAT IP address pool; configuring at said one end of said VPN connection a VPN connection to utilize said server VPN NAT IP address pool; and managing at said one end of said VPN connection total volume of concurrent VPN connections responsive to the number of addresses in said server VPN NAT IP address pool with source and destination port values before and after application of VPN NAT being the same; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically.

11. A computer system for operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing executed by a digital processor at one end of a VPN connection, comprising:
means for configuring on a VPN gateway machine at said one end of a VPN connection a VPN NAT IP address pool employing only IP address data available at said VPN gateway machine; means for configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool; means for obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection; means for starting said VPN connection at said one end of said VPN connection; means for loading at said one end of said VPN connection to an operating system kernel the security associations and connection filters for said VPN connection; means for processing at said one end of said VPN connection an IP datagram for said VPN connection; means for applying at said one end of said VPN connection VPN NAT to said IP datagram with source and destination port values after application of VPN NAT being the same as before application of VPN NAT; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically.

12. A system for definition and configuration of NAT directly with definition and configuration of VPN connections and VPN policy executed by a digital processor at one end of a VPN connection, comprising:
a computer-readable medium embodying a policy database for configuring at said one end of said VPN connection the requirement for VPN NAT by a yes/no decision for each of the three types of VPN NAT, said three types being VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT; and
a remote IP address pool or a server IP address pool at said one end of said VPN connection selectively configured on a VPN gateway machine at said one end of a VPN connection responsive to said yes/no decision for each said VPN NAT type employing only IP address data available at said VPN gateway machine; upon subsequent start of said VPN connection, processing inbound and outbound packets at said one end of said VPN connection responsive to configuration of said VPN NAT in said policy database and configuration of said remote IP address pool; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically.

13. A system implemented at one end of a VPN connection for allowing a VPN NAT address pool to be associated with a gateway, thereby allowing server load-balancing, comprising:
a server VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection configured for a given system being configured for containing multiple addresses configured as a range, as a list of single addresses, or any combination of multiple ranges and single addresses employing only IP address data available at said VPN gateway machine; said server VPN NAT IP address pool storing specific IP addresses that are globally routable; a VPN connection at said one end of said VPN connection configured to utilize said server VPN NAT IP address pool; and a connection controller for managing at said one end of said VPN connection total volume of concurrent VPN connections responsive to the number of addresses in said server VPN NAT IP address pool with source and destination port values after application of VPN NAT being the same as before application of VPN NAT; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically.

14. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps executed at one end of a VPN connection for operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing, said method steps comprising:
configuring on a VPN gateway machine at said one end of a VPN connection a NAT IP address pool employing only IP address data available at said VPN gateway machine; configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool; obtaining a specific IP address from said VPN NAT IP address pool, and allocating at said one end of said VPN connection said specific IP address for said VPN connection; starting said VPN connection at said one end of said VPN connection; loading to an operating system kernel at said one end of said VPN connection the security associations and connection filters for said VPN connection; processing at said one end of said VPN connection an IP datagram for said VPN connection; and applying at said one end of said VPN connection VPN NAT to said IP datagram with source and destination port values after application of VPN NAT being the same as before application of VPN NAT; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically.

15. An article of manufacture comprising:
a computer-useable medium having computer-readable program code means embodied therein for operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing executed at one end of a VPN connection, the computer-readable program means in said article of manufacture comprising: computer-readable program code means for causing a computer to effect configuring a VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine; computer-readable program code means for causing a computer to effect configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool; computer-readable program code means for causing a computer to effect obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection; computer-readable program code means for causing a computer to effect starting at said one end of said VPN connection said VPN connection; computer-readable program code means for causing a computer to effect loading at said one end of said VPN connection to an operating system kernel the security associations and connection filters for said VPN connection; computer-readable program code means for causing a computer to effect processing at said one end of said VPN connection an IP datagram for said VPN connection; and computer-readable program code means for causing a computer to effect applying at said one end of said VPN connection VPN NAT to said IP datagram with source and destination port values after the application of VPN NAT being the same as before application of VPN NAT; and further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of: configuring the VPN connections to obtain their keys automatically.

16. A computer implemented method for providing IP security in a virtual private network using network address translation (NAT), comprising the steps executed by a digital processor at one end of a VPN connection of:
dynamically generating at said one end of said VPN connection NAT rules and associating them selectively with manual and dynamically generated, internet key exchange protocol (IKE), Security Associations, comprising the further step of: configuring the VPN connections to obtain their keys automatically;
thereafter beginning at said one end of said VPN connection IP security that uses the Security Associations; and
then, as IP security is performed on outbound and inbound datagrams, selectively performing at said one end of said VPN connection one or more of VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT on said outbound and inbound datagrams, so as to provide said IPsec for communication conducted in said VPN.

Specification