System and method for network address translation integration with IP Security

US 7,401,354 B2
Filed: 03/12/2003
Issued: 07/15/2008
Est. Priority Date: 01/29/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method of operating a virtual private network (VPN) based On IP Sec that integrates network address translation (NAT) with IPSec processing, to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, comprising the steps of:

operating said two hosts in AH or ESP, and in tunnel or transport, modes;

configuring a plurality of NAT IP address pools and a VPN connection to utilize one of said plurality of NAT IP address pools;

obtaining a specific IP address from a correct one of said NAT IP address pools, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Execution (IKE) protocol;

a correct pool being determined by type of VPN connection that is starting;

responsive to said allocating step, starting said VPN connection, including executing said IKE protocol to generate two local IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;

loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;

responsive to loading said IPSec security associations and connection filters for said VPN connection, processing an IP datagram for said VPN connection and applying VPN NAT to said IP datagram.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the three types of VPN NAT, including VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations, before beginning IP security that uses the Security Associations. Then, as IP Sec is performed on outbound and inbound datagrams, the NAT function is also performed.

Citations

11 Claims

1. A method of operating a virtual private network (VPN) based On IP Sec that integrates network address translation (NAT) with IPSec processing, to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, comprising the steps of:
- operating said two hosts in AH or ESP, and in tunnel or transport, modes;
  
  configuring a plurality of NAT IP address pools and a VPN connection to utilize one of said plurality of NAT IP address pools;
  
  obtaining a specific IP address from a correct one of said NAT IP address pools, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Execution (IKE) protocol;
  
  a correct pool being determined by type of VPN connection that is starting;
  
  responsive to said allocating step, starting said VPN connection, including executing said IKE protocol to generate two local IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
  
  loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;
  
  responsive to loading said IPSec security associations and connection filters for said VPN connection, processing an IP datagram for said VPN connection and applying VPN NAT to said IP datagram.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein said VPN connection is configured for outbound processing, and said applying step comprises outbound source IP NATing.
  - 3. The method of claim 1, wherein said VPN connection is configured for some combination of inbound processing, and said applying step selectively comprises inbound source IP NATing or inbound destination IP NATing.
  - 4. The method of claim 1, farther comprising integration of NAT with IPSec for manually-keyed IPSec connections, including further step of manually configuring connection keys.
  - 5. The method of claim 1, further comprising integrating NAT with IPSec for dynamically-keyed IPSec connections, including a further step of configuring the VPN Connections to obtain their keys automatically.
  - 6. The method of claim 1, further comprising integrating NAT with IPSec Security Associations, negotiated dynamically by IKE, wherein said starting step including a further step of creating a message for IKE containing said IP address from said NAT pool;
    - and operating IKE to obtain dynamically negotiated keys.
  - 7. The method of claim 6, further comprising the step of combining the dynamically obtained keys with said NAT pool IP address and wherein said loading step loads the result as security associations into said operating system kernel.

8. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a virtual private network (VPN) based on IPSec that integrates network address translation (NAT) with IPSec processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, said method steps comprising:
- operating said two hosts in AH or ESP, and in tunnel or transport, modes;
  
  configuring a plurality of NAT IP address pools and a VPN connection to utilize one of said NAT IP address pools;
  
  obtaining a specific IP address from a selected correct one of said NAT IP address, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Execution (IKE) protocol;
  
  a correct pool being determined by type of VPN connection that is starting;
  
  responsive to said allocating step, starting said VPN connection, including executing said IKE protocol to generate two local IPSec Security Associations security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
  
  loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;
  
  responsive to said loading step, processing an IP datagram for said VPN connection and applying VPN NAT to said IP datagram.

9. An article of manufacture comprising:
- a computer useable medium having computer readable program code means embodied therein for operating a virtual private network (VPN) based on IPSec that integrates network address translation (NAT) with IPSec processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, the computer readable program means in said article of manufacture comprising;
  
  computer readable program code means for operating said two hosts in AH or ESP, and in tunnel or transport, modes;
  
  computer readable program code means for causing a computer to effect configuring a plurality of NAT IP address pools;
  
  computer readable program code means for causing a computer to effect configuring plurality of NAT IP address pools and a VPN connection to utilize one of said NAT IP address pools;
  
  computer readable program code means for causing a computer to effect obtaining a specific IP address from a selected one of said NAT IP address pool, and pools, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Execution (IKE) protocol, a selected address pool determined by type of VPN connection being started;
  
  computer readable program code means, responsive to said allocating, for causing a computer to effect starting said VPN connection, including executing said IKE protocol to generate two local IPSec Security Associations security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
  
  computer readable program code means for causing a computer to effect loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;
  
  computer readable program code means, responsive to said loading, for causing a computer to effect processing an IP datagram for said VPN connection;
  
  computer readable program code means for causing a computer to effect applying VPN NAT to said IP datagram.

10. A method of operating a virtual private network based on Internet protocol (IP) security that integrates network address translation (NAT) with IP security processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, comprising the steps of:
- operating said two hosts to execute IPSec in AH or ESP, and in tunnel or transport, modes;
  
  configuring a plurality of NAT IP address pools and a virtual private network connection to utilize one of said NAT IP address pools;
  
  obtaining a specific IP address from a selected one of NAT IP address pools, and allocating said specific IP address for said virtual private network connection prior to execution of an Internet Key Execution (IKE) protocol, said one of said NAT IP address pools being selected responsive to a VPN connection that is starting;
  
  responsive to said allocating, starting said virtual private network connection, including executing said IKE protocol to generate two IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
  
  loading to an operating system kernel said IPSec security associations and connection filters for said virtual private network connection; and
  
  responsive to said loading, processing an IP datagram for said virtual private network connection and applying NAT to said IP datagram.

11. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a virtual private network based on IPSec that integrates network address translation (NAT) with IPSec processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system said method steps comprising:
- operating said two hosts in AH or ESP, and in tunnel or transport, modes;
  
  configuring a plurality of NAT IP address pools and a Virtual private network connection to utilize one of said NAT IP address pools;
  
  obtaining a specific IP address from a selected NAT IP address pool, and allocating said specific IP address for said virtual private network connection prior to execution of an Internet Key Execution (IKE) protocol said selected NAT IP address pool determined by type of VPN connection being started;
  
  responsive to said allocating, starting said virtual private network connection, including executing said IKE protocol to generate two local IPSec security associations required for saidVPN Connection and creating a message for IKE containing said IP address from said NAT pool;
  
  loading to an operating system kernel said IPSec security associations and connection filters for said virtual private network connection;
  
  responsive to loading said IPSec security associations and connection filters, processing a an IP datagram for said virtual private network connection and applying NAT to said IP datagram.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Boden, Edward B., Gruber, Franklin A.
Primary Examiner(s)
Moise; Emmanuel L
Assistant Examiner(s)
Gergiso; Techane J

Application Number

US10/386,989
Publication Number

US 20030149899A1
Time in Patent Office

1,952 Days
Field of Search

726/11, 726/15, 713/151, 713/150, 380/277
US Class Current

726/11
CPC Class Codes

H04L 61/25   of the same type

H04L 61/255   Maintenance or indexing of ...

H04L 61/2557   Translation policies or rules

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

System and method for network address translation integration with IP Security

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

11 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for network address translation integration with IP Security

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

11 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links