System and method for network address translation integration with IP Security
Abstract
IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the three types of VPN NAT: VPN NAT type a (outbound source IP NAT), VPN NAT type c (inbound source IP NAT), and VPN NAT type d (inbound destination IP NAT). This involves dynamically generating NAT rules and associating them with the manually configured or dynamically generated (IKE) Security Associations before beginning the IP security processing that uses those Security Associations. Then, as IPSec is performed on outbound and inbound datagrams, the NAT function is also performed.
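The abstract and claim 1 describe a control flow rather than code: choose a NAT pool by the type of connection that is starting, take an address from it before IKE runs, build the two local security associations with that address (and send it to the peer in the IKE message), load SAs and connection filters into the kernel together, and then translate inside IPSec processing. The following is an added model of that flow written for this page; it is not code from the patent or from any IBM implementation. IKE itself is not modelled, "ESP" is an integrity-only stand-in (HMAC-SHA256 over the SPI and the inner datagram, no encryption), and the pool names, the responder/initiator pool mapping, the SPI values and all addresses are constructed assumptions. It exercises VPN NAT types a and d (outbound source and inbound destination NAT) for a local host hidden behind a pool address; type c is not modelled. It also shows the failure the integration avoids: a NAT performed outside IPSec rewrites a header the integrity check already covers, and the receiver rejects the datagram.

```python
# Added model (not the patent's own code) of VPN NAT bound to IPsec SAs. "ESP" is an
# integrity-only stand-in (HMAC-SHA256 over SPI + inner datagram, no encryption);
# all addresses, pool names and the connection-type-to-pool map are assumed.
import hashlib, hmac, os
from collections import namedtuple
from dataclasses import dataclass

Datagram = namedtuple("Datagram", "src dst payload")

@dataclass
class SecurityAssociation:
    spi: int
    direction: str    # "out" or "in"
    key: bytes
    nat_type: str     # "a": outbound source NAT, "d": inbound destination NAT
    nat_match: str    # address the rule looks for
    nat_rewrite: str  # address it substitutes

def esp_encapsulate(sa, dg):
    spi = sa.spi.to_bytes(4, "big")
    body = f"{dg.src}>{dg.dst}|".encode() + dg.payload
    return spi + body + hmac.new(sa.key, spi + body, hashlib.sha256).digest()

def esp_decapsulate(sa, packet):
    spi, body, icv = packet[:4], packet[4:-32], packet[-32:]
    expect = hmac.new(sa.key, spi + body, hashlib.sha256).digest()
    if int.from_bytes(spi, "big") != sa.spi or not hmac.compare_digest(icv, expect):
        raise ValueError("ESP integrity check failed")
    hdr, payload = body.split(b"|", 1)
    src, dst = hdr.decode().split(">")
    return Datagram(src, dst, payload)

class VpnNatGateway:
    POOL_FOR_CONN_TYPE = {"responder": "server-hide", "initiator": "client-hide"}  # assumed
    def __init__(self, pools):
        self.pools = pools  # pool name -> list of free addresses
        self.sadb = {}      # spi -> SA; stands in for the kernel SADB
        self._spi = 0x1000
    def start_connection(self, conn_type, local_host):
        # 1. NAT address comes from the pool chosen by connection type, before IKE;
        #    an exhausted pool fails the connection while no SA exists yet.
        pool = self.pools[self.POOL_FOR_CONN_TYPE[conn_type]]
        if not pool:
            raise RuntimeError("NAT pool exhausted")
        nat_addr = pool.pop(0)
        # 2. "IKE" (not modelled): the identity offered to the peer is the pool
        #    address, and both SAs are created with their NAT rule attached.
        key = os.urandom(32)
        sa_out = SecurityAssociation(self._spi + 1, "out", key, "a", local_host, nat_addr)
        sa_in = SecurityAssociation(self._spi + 2, "in", key, "d", nat_addr, local_host)
        self._spi += 2
        # 3. SAs and their NAT rules are loaded into the kernel together.
        self.sadb[sa_out.spi], self.sadb[sa_in.spi] = sa_out, sa_in
        return nat_addr, sa_out.spi, sa_in.spi
    def send(self, spi, dg):
        sa = self.sadb[spi]
        if sa.nat_type == "a" and dg.src == sa.nat_match:  # before ESP: ICV covers NATed header
            dg = Datagram(sa.nat_rewrite, dg.dst, dg.payload)
        return esp_encapsulate(sa, dg)
    def receive(self, spi, packet):
        sa = self.sadb[spi]
        dg = esp_decapsulate(sa, packet)  # integrity verified before any translation
        if sa.nat_type == "d" and dg.dst == sa.nat_match:  # after ESP
            dg = Datagram(dg.src, sa.nat_rewrite, dg.payload)
        return dg

def external_nat_is_rejected(gw, spi_out, dg):
    # A NAT box outside IPsec rewriting an already-authenticated header gets rejected.
    sa = gw.sadb[spi_out]
    tampered = esp_encapsulate(sa, dg).replace(dg.src.encode(), b"203.0.113.9", 1)
    try:
        esp_decapsulate(sa, tampered)
        return False
    except ValueError:
        return True

def demo():
    gw = VpnNatGateway({"server-hide": ["198.51.100.1"], "client-hide": ["198.51.100.50"]})
    nat_addr, spi_out, spi_in = gw.start_connection("responder", "10.1.1.5")
    sa_out, sa_in = gw.sadb[spi_out], gw.sadb[spi_in]  # peer side reuses what "IKE" shared
    inbound = gw.receive(spi_in, esp_encapsulate(sa_in, Datagram("192.0.2.10", nat_addr, b"hello")))
    wire = gw.send(spi_out, Datagram("10.1.1.5", "192.0.2.10", b"reply"))
    return {"nat_addr": nat_addr,
            "inbound_dst": inbound.dst,                      # real server address
            "reply_src": esp_decapsulate(sa_out, wire).src,  # peer sees only the pool address
            "private_on_wire": b"10.1.1.5" in wire,
            "external_nat_rejected": external_nat_is_rejected(
                gw, spi_out, Datagram("10.1.1.5", "192.0.2.10", b"x"))}

def pool_exhaustion_leaves_no_sa():
    gw = VpnNatGateway({"server-hide": ["198.51.100.1"], "client-hide": []})
    gw.start_connection("responder", "10.1.1.5")
    try:
        gw.start_connection("responder", "10.1.1.6")
    except RuntimeError:
        return len(gw.sadb) == 2  # the failed attempt loaded nothing
    return False

if __name__ == "__main__":
    print(demo(), pool_exhaustion_leaves_no_sa())
```

The two orderings are the thing to check in any real stack that does this: outbound translation must run before the AH/ESP integrity value is computed, inbound translation only after it has been verified, otherwise the peer sees exactly the rejection that external_nat_is_rejected reproduces. Reserving the pool address before IKE also means an exhausted pool fails the connection while the kernel holds no half-configured SA or filter.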
11 Claims
1. A method of operating a virtual private network (VPN) based on IPSec that integrates network address translation (NAT) with IPSec processing, to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, comprising the steps of:
operating said two hosts in AH or ESP, and in tunnel or transport, modes;
configuring a plurality of NAT IP address pools and a VPN connection to utilize one of said plurality of NAT IP address pools;
obtaining a specific IP address from a correct one of said NAT IP address pools, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Exchange (IKE) protocol, a correct pool being determined by type of VPN connection that is starting;
responsive to said allocating step, starting said VPN connection, including executing said IKE protocol to generate two local IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;
responsive to loading said IPSec security associations and connection filters for said VPN connection, processing an IP datagram for said VPN connection and applying VPN NAT to said IP datagram.
(Dependent claims 2, 3, 4, 5, 6 and 7 are not reproduced here.)
8. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a virtual private network (VPN) based on IPSec that integrates network address translation (NAT) with IPSec processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, said method steps comprising:
operating said two hosts in AH or ESP, and in tunnel or transport, modes;
configuring a plurality of NAT IP address pools and a VPN connection to utilize one of said NAT IP address pools;
obtaining a specific IP address from a selected correct one of said NAT IP address pools, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Exchange (IKE) protocol, a correct pool being determined by type of VPN connection that is starting;
responsive to said allocating step, starting said VPN connection, including executing said IKE protocol to generate two local IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;
responsive to said loading step, processing an IP datagram for said VPN connection and applying VPN NAT to said IP datagram.
9. An article of manufacture comprising:
a computer useable medium having computer readable program code means embodied therein for operating a virtual private network (VPN) based on IPSec that integrates network address translation (NAT) with IPSec processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, the computer readable program code means in said article of manufacture comprising:
computer readable program code means for operating said two hosts in AH or ESP, and in tunnel or transport, modes;
computer readable program code means for causing a computer to effect configuring a plurality of NAT IP address pools and a VPN connection to utilize one of said NAT IP address pools;
computer readable program code means for causing a computer to effect obtaining a specific IP address from a selected one of said NAT IP address pools, and allocating said specific IP address for said VPN connection prior to execution of an Internet Key Exchange (IKE) protocol, a selected address pool determined by type of VPN connection being started;
computer readable program code means, responsive to said allocating, for causing a computer to effect starting said VPN connection, including executing said IKE protocol to generate two local IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
computer readable program code means for causing a computer to effect loading to an operating system kernel said IPSec security associations and connection filters for said VPN connection;
computer readable program code means, responsive to said loading, for causing a computer to effect processing an IP datagram for said VPN connection; and
computer readable program code means for causing a computer to effect applying VPN NAT to said IP datagram.
10. A method of operating a virtual private network based on Internet protocol (IP) security that integrates network address translation (NAT) with IP security processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, comprising the steps of:
operating said two hosts to execute IPSec in AH or ESP, and in tunnel or transport, modes;
configuring a plurality of NAT IP address pools and a virtual private network connection to utilize one of said NAT IP address pools;
obtaining a specific IP address from a selected one of said NAT IP address pools, and allocating said specific IP address for said virtual private network connection prior to execution of an Internet Key Exchange (IKE) protocol, said one of said NAT IP address pools being selected responsive to a VPN connection that is starting;
responsive to said allocating, starting said virtual private network connection, including executing said IKE protocol to generate two IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
loading to an operating system kernel said IPSec security associations and connection filters for said virtual private network connection; and
responsive to said loading, processing an IP datagram for said virtual private network connection and applying NAT to said IP datagram.
11. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating a virtual private network based on IPSec that integrates network address translation (NAT) with IPSec processing to enable two hosts operating in AH or ESP, and in tunnel or transport, modes to establish an IPSec connection across a NAT system, said method steps comprising:
operating said two hosts in AH or ESP, and in tunnel or transport, modes;
configuring a plurality of NAT IP address pools and a virtual private network connection to utilize one of said NAT IP address pools;
obtaining a specific IP address from a selected NAT IP address pool, and allocating said specific IP address for said virtual private network connection prior to execution of an Internet Key Exchange (IKE) protocol, said selected NAT IP address pool determined by type of VPN connection being started;
responsive to said allocating, starting said virtual private network connection, including executing said IKE protocol to generate two local IPSec security associations required for said VPN connection and creating a message for IKE containing said IP address from said NAT pool;
loading to an operating system kernel said IPSec security associations and connection filters for said virtual private network connection;
responsive to loading said IPSec security associations and connection filters, processing an IP datagram for said virtual private network connection and applying NAT to said IP datagram.