System and method for network address translation integration with IP security

US 7,107,614 B1
Filed: 05/23/2000
Issued: 09/12/2006
Est. Priority Date: 01/29/1999
Status: Expired due to Term

First Claim

Patent Images

1. A method of operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing, comprising the steps executed at one end of a VPN connection of:

configuring a VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine;

configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool;

obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection;

starting said VPN connection;

loading to an operating system kernel at said one end of said VPN connection the security associations and connection filters for said VPN connection;

processing at said one end of said VPN connection a IP datagram for said VPN connection;

applying VPN NAT at one end of said VPN connection to said IP datagram with source and destination port values after the application of VPN NAT being the same as before application of VPN NAT; and

further for integrating NAT with IPsec for dynamically-keyed internet key exchange protocol (IKE) IPsec connections, comprising the further step of;

configuring the VPN connections to obtain their keys automatically.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the four types of VPN NAT, including VPN NAT type ‘a source-outbound’ IP NAT, VPN NAT type ‘b destination-outbound, VPN NAT type ‘c inbound-source’ IP NAT, and VPN NAT type ‘d inbound-destination’ IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations, before beginning IP security that uses the Security Associations. Then, as IP Sec is performed on outbound and inbound datagrams, the NAT function is also performed.

Citations

17 Claims

1. A method of operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing, comprising the steps executed at one end of a VPN connection of:
- configuring a VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine;
  
  configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool;
  
  obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection;
  
  starting said VPN connection;
  
  loading to an operating system kernel at said one end of said VPN connection the security associations and connection filters for said VPN connection;
  
  processing at said one end of said VPN connection a IP datagram for said VPN connection;
  
  applying VPN NAT at one end of said VPN connection to said IP datagram with source and destination port values after the application of VPN NAT being the same as before application of VPN NAT; and
  
  further for integrating NAT with IPsec for dynamically-keyed internet key exchange protocol (IKE) IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.
- View Dependent Claims (2, 3, 4, 5, 6, 17)
- - 2. The method of claim 1, wherein said VPN connection is configured for outbound processing, and said applying step comprises outbound source IP Nating.
  - 3. The method of claim 1, wherein said VPN connection is configured for some combination of inbound processing, and said applying step selectively comprises inbound source IP NATing or inbound destination IP NATing.
  - 4. The method of claim 1, further for integration of NAT with IP Sec for manually-keyed IPsec connections, comprising the further step of manually configuring connection keys.
  - 5. The method of claim 1, further for integrating NAT with IPsec Security Associations, negotiated dynamically by internet key exchange Protocol (IKE), wherein said starting step further comprises creating a message for IKE containing said IP address from said NAT pool;
    - and further comprising the step of operating IKE to obtain dynamically negotiated keys.
  - 6. The method of claim 5, further comprising the step of combining the dynamically obtained keys with said NAT pool IP address and wherein said loading step loads the result as security associations into said operating system kernel.
  - 17. The method of claim 1, said VPN NAT IP address pool containing multiple addresses configured as a range, as a list of single address, or any combination of multiple ranges and single addresses.

7. A computer implemented method for allowing the definition and configuration of NAT directly with definition and configuration of IPsec-based VPN connections and VPN policy, comprising the steps executed by a digital processor at one end of a VPN connection of:
- configuring at one end of said VPN connection the requirement for VPN NAT by a yes/no decision in a policy database for each of the three types of VPN NAT, said three types being VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT;
  
  configuring at said one end of said VPN connection on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine a remote IP address pool or a server IP address pool selectively responsive to said yes/no decision for each said VPN NAT type; and
  
  upon subsequent start of said VPN connection, processing inbound and outbound packets at said one end of said VPN connection responsive to configuration of said VPN NAT in said policy database and configuration of said remote IP address pool; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.
- View Dependent Claims (8, 9)
- - 8. The computer implemented method of claim 7, further comprising the step of configuring a unique said remote IP address pool for each remote address to which a VPN connection will be required, whereby said remote IP address pool is keyed by a remote ID.
  - 9. The computer implemented method of claim 7, further comprising the step of configuring said server IP address pool once for a system being configured.

10. A computer implemented method of allowing a VPN NAT address pool to be associated with a gateway, thereby allowing server load-balancing, comprising the steps executed by a digital processor at one end of a VPN connection of:
- configuring at said one end of said VPN connection a server VPN NAT IP address pool for a system being configured;
  
  storing at said one end of said VPN connection specific IP addresses that are globally routable in said server VPN NAT IP address pool;
  
  configuring at said one end of said VPN connection a VPN connection to utilize said server VPN NAT IP address pool; and
  
  managing at said one end of said VPN connection total volume of concurrent VPN connections responsive to the number of addresses in said server VPN NAT IP address pool with source and destination port values before and after application of VPN NAT being the same; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.

11. A computer system for operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing executed by a digital processor at one end of a VPN connection, comprising:
- means for configuring on a VPN gateway machine at said one end of a VPN connection a VPN NAT IP address pool employing only IP address data available at said VPN gateway machine;
  
  means for configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool;
  
  means for obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection;
  
  means for starting said VPN connection at said one end of said VPN connection;
  
  means for loading at said one end of said VPN connection to an operating system kernel the security associations and connection filters for said VPN connection;
  
  means for processing at said one end of said VPN connection a IP datagram for said VPN connection;
  
  means for applying at said one end of said VPN connection VPN NAT to said IP datagram with source and destination port values after application of VPN NAT being the same as before application of VPN NAT; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.

12. A system for definition and configuration of NAT directly with definition and configuration of VPN connections and VPN policy executed by a digital processor at one end of a VPN connection, comprising:
- Computer readable-medium embodying a policy database for configuring at said one end of said VPN connection the requirement for VPN NAT by a yes/no decision for each of the three types of VPN NAT, said three types being VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT; and
  
  a remote IP address pool or a server IP address pool at said one end of said VPN connection selectively configured on a VPN gateway machine at said one end of a VPN connection responsive to said yes/no decision for each said VPN NAT type employing only IP address data available at said VPN gateway machine;
  
  upon subsequent start of said VPN connection, processing inbound and outbound packets at said one end of said VPN connection responsive to configuration of said VPN NAT in said policy database and configuration of said remote IP address pool; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.

13. A system implemented at one end of a VPN connection for allowing a VPN NAT address pool to be associated with a gateway, thereby allowing server load-balancing, comprising:
- a server VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection configured for a given system being configured for containing multiple addresses configured as a range, as a list of single addresses, or any combination of multiple ranges and single addresses employing only IP address data available at said VPN gateway machine;
  
  said server VPN NAT IP address pool storing specific IP addresses that are globally routable;
  
  a VPN connection at said one end of said VPN connection configured to utilize said server VPN NAT IP address pool; and
  
  a connection controller for managing at said one end of said VPN connection total volume of concurrent VPN connections responsive to the number of addresses in said server VPN NAT IP address pool with source and destination port values after application of VPN NAT being the same as before application of VPN NAT; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.

14. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps executed at one end of a VPN connection for operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing, said method steps comprising:
- configuring on a VPN gateway machine at said one end of a VPN connection a NAT IP address pool employing only IP address data available at said VPN gateway machine;
  
  configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool;
  
  obtaining a specific IP address from said VPN NAT IP address pool, and allocating at said one end of said VPN connection said specific IP address for said VPN connection;
  
  starting said VPN connection at said one end of said VPN connection;
  
  loading to an operating system kernel at said one end of said VPN connection the security associations and connection filters for said VPN connection;
  
  processing at said one end of said VPN connection a IP datagram for said VPN connection; and
  
  applying at said one end of said VPN connection VPN NAT to said IP datagram with source and destination port values after application of VPN NAT being the same as before application of VPN NAT; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.

15. An article of manufacture comprising:
- a computer useable medium having computer readable program code means embodied therein for operating a virtual private network (VPN) based on IPsec that integrates network address translation (NAT) with IPsec processing executed at one end of a VPN connection, the computer readable program means in said article of manufacture comprising;
  
  computer readable program code means for causing a computer to effect configuring a VPN NAT IP address pool on a VPN gateway machine at said one end of a VPN connection employing only IP address data available at said VPN gateway machine;
  
  computer readable program code means for causing a computer to effect configuring at said one end of said VPN connection a VPN connection to utilize said VPN NAT IP address pool;
  
  computer readable program code means for causing a computer to effect obtaining at said one end of said VPN connection a specific IP address from said VPN NAT IP address pool, and allocating said specific IP address for said VPN connection;
  
  computer readable program code means for causing a computer to effect starting at said one end of said VPN connection said VPN connection;
  
  computer readable program code means for causing a computer to effect loading at said one end of said VPN connection to an operating system kernel the security associations and connection filters for said VPN connection;
  
  computer readable program code means for causing a computer to effect processing at said one end of said VPN connection a IP datagram for said VPN connection; and
  
  computer readable program code means for causing a computer to effect applying at said one end of said VPN connection VPN NAT to said IP datagram with source and destination port values after the application of VPN NAT being the same as before application of VPN NAT; and
  
  further for integrating NAT with IPsec for dynamically-keyed, internet key exchange protocol (IKE), IPsec connections, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically.

16. A computer implemented method for providing IP security in a virtual private network using network address translation (NAT), comprising the steps executed by a digital processor at one end of a VPN connection of:
- dynamically generating at said one end of said VPN connection NAT rules and associating them selectively with manual and dynamically generated, internet key exchange protocol (IKE), Security Associations, comprising the further step of;
  
  configuring the VPN connections to obtain their keys automatically;
  
  thereafter beginning at said one end of said VPN connection IP security that uses the Security Associations; and
  
  thenas IP security is performed on outbound and inbound datagrams, selectively performing at said one end of said VPN connection one or more of VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT on said outbound and inbound datagrams, so as to provided said IPsec for communication conducted in said VPN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
International Business Machines Corporation
Inventors
Boden, Edward B., Melville, Mark J., Monroe, Tod A., Paxhia, Frank V.
Primary Examiner(s)
Song, Hosuk
Assistant Examiner(s)
Son, Linh LD

Application Number

US09/578,215
Time in Patent Office

2,303 Days
Field of Search

713/201, 713/160, 713/151, 709244-245, 726/15
US Class Current

726/15
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 63/0272   Virtual private networks

H04L 63/061   for key exchange, e.g. in p...

System and method for network address translation integration with IP security

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

17 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network address translation integration with IP security

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

17 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links