Method and apparatus for providing adaptive VPN to enable different security levels in virtual private networks (VPNs)

US 7,478,427 B2
Filed: 05/05/2003
Issued: 01/13/2009
Est. Priority Date: 05/05/2003
Status: Active Grant

First Claim

Patent Images

1. A method of providing at least two virtual private network (VPN) tunnels from a client device in a VPN network comprising an enterprise VPN gateway and a network VPN gateway, said method comprising:

establishing said at least two tunnels using an encryption key exchange protocol;

downloading respective enterprise security policies for each of said at least two tunnels, wherein a first tunnel is an end-to-end VPN tunnel to said enterprise VPN gateway, and a second tunnel is a network-based tunnel to said network VPN gateway; and

routing packets over one of said at least two tunnels selected based on said downloaded policies.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for providing at least two virtual private network VPN tunnels from a client device in a VPN network having an enterprise gateway and a network VPN gateway. The method and apparatus includes a client device having an Internet Key Exchange (IKE) module for establishing the at least two tunnels using an IKE protocol wherein a first tunnel is an end-to-end VPN tunnel to the enterprise gateway, and a second tunnel is a network-based tunnel to the network VPN gateway. An IPsec Network Driver Interface interfaces with the IKE module, which includes a security authentication database (SADB) that stores downloaded enterprise security policies respectively for each of the at least two tunnels. A routing table stores IP addresses of local presences and hosts respectively associated with the at least two tunnels, whereby packets are routed over the at least two tunnels based on the downloaded policies.

124 Citations

27 Claims

1. A method of providing at least two virtual private network (VPN) tunnels from a client device in a VPN network comprising an enterprise VPN gateway and a network VPN gateway, said method comprising:
- establishing said at least two tunnels using an encryption key exchange protocol;
  
  downloading respective enterprise security policies for each of said at least two tunnels, wherein a first tunnel is an end-to-end VPN tunnel to said enterprise VPN gateway, and a second tunnel is a network-based tunnel to said network VPN gateway; and
  
  routing packets over one of said at least two tunnels selected based on said downloaded policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 further comprising downloading IP addresses of local presences and IP addresses of hosts and destination TCP ports within said hosts respectively associated with said at least two tunnels.
  - 3. The method of claim 2, further comprising storing said IP addresses of said local presence and said hosts respectively associated with said at least two tunnels in a routing table of said client device.
  - 4. The method of claim 1, wherein said packets are routed over one of said first and second tunnels based on user identification.
  - 5. The method of claim 4, wherein said user identification comprises at least one of a user network access identifier (NAI) and a destination IP address.
  - 6. The method of claim 1, wherein said packets are routed over one of said first and second tunnels based on user application programs.
  - 7. The method of claim 6, wherein said user application programs are selected from the group consisting of e-mail and Internet access.
  - 8. The method of claim 6, further comprising routing packets over one of said first and second tunnels based on said IP addresses of said hosts and destination TCP ports within said hosts respectively associated with said at least two tunnels.
  - 9. The method of claim 6, further comprising, for each of said packets, identifying source and destination TCP/UDP port values provided in a TCP header of said packet.
  - 10. The method of claim 1, wherein said first and second tunnels are IPsec tunnels.
  - 11. The method of claim 1, further comprising storing said downloaded policies for each tunnel in a security association database (SADB).
  - 12. The method of claim 11, wherein for a packet generated locally at said client device, said method further comprises querying said SADB for values matching header information of said packet.
  - 13. The method of claim 12, wherein said header information of said packet comprises a source IP address, a destination IP address, a source port address, a destination port address, and a protocol type.
  - 14. The method of claim 13, wherein in an instance where said packet header information does not match said SADB values, said method further comprises performing conventional IP processing.
  - 15. The method of claim 13, wherein in an instance where said packet header information matches said SADB values, said method further comprises:
    - retrieving tunnel destination IP address and an encryption key from said SADB;
      
      encrypting said packet;
      
      attaching an IPsec header; and
      
      performing conventional IP processing.
  - 16. The method of claim 14, wherein after retrieving said tunnel destination IP address and said encryption key from said SADB, said method further comprises applying source network address translation (NAT).
  - 17. The method of claim 16, wherein said source NAT comprises:
    - selecting a primary tunnel for every subnet that is specified as a host subnet behind a tunnel;
      
      identifying a packet port number in a TCP header of said packet;
      
      identifying packet port number from a packet sent over said primary tunnel or a secondary tunnel;
      
      changing said source IP address in said packet header to correspond with a local presence IP address in instances where said port number is sent over a secondary tunnel; and
      
      otherwise, retaining said source IP address in said packet header in instances where said port number is sent over said primary tunnel.
  - 18. The method of claim 11, wherein for a packet received over an Internet connection at said client device, said method further comprises:
    - querying said SADB for a decryption key;
      
      decrypting said received packet; and
      
      performing conventional IP processing.
  - 19. The method of claim 18 wherein said querying comprises using a security parameter index (SPI) of said received packet to identify a proper SADB entry.
  - 20. The method of claim 1 wherein while establishing said at least two tunnels said network-based tunnel fails to establish, packets originally destined for forwarding over said failed network-based tunnel are forwarded over said end-to-end VPN tunnel.

21. A client apparatus for providing at least two virtual private network (VPN) tunnels, comprising:
- an Internet key exchange (IKE) module;
  
  an IPsec Network Driver Interface Specification (NDIS) driver interfacing with said IKE module, said IPsec NDIS driver comprising a security authentication database (SADB) that stores policy information for each of said at least two tunnels; and
  
  a routing table for respectively storing IP addresses of local presences and hosts respectively associated with said at least two tunnels, said routing table for use in routing packets over one of said at least two tunnels selected based on said downloaded policies.
- View Dependent Claims (22, 23, 24, 25)
- - 22. The apparatus of claim 21, wherein a first VPN tunnel is formed end-to-end between said client apparatus and an Enterprise VPN gateway, and a second VPN tunnel is formed between said client apparatus and an IP service switch (IPSS).
  - 23. The apparatus of claim 21, wherein said SADB receives said policy information for each tunnel from an Enterprise VPN gateway via said IKE module.
  - 24. The apparatus of claim 21, wherein said routing table receives said IP addresses from an Enterprise VPN gateway via said IKE module.
  - 25. The apparatus of claim 21, wherein said IPsec NDIS driver further comprises an IPsec engine for prefixing a packet with an IPsec header and an outer IP header.

26. A client apparatus for providing at least two virtual private network (VPN) tunnels, comprising:
- means for establishing said at least two tunnels using an encryption key exchange protocol;
  
  means for downloading respective enterprise security policies for each of said at least two tunnels, wherein a first tunnel is an end-to-end VPN tunnel to said enterprise gateway, and a second tunnel is a network-based tunnel to said network VPN gateway; and
  
  means for routing packets over one of said at least two tunnels selected based on said downloaded policies.
- View Dependent Claims (27)
- - 27. The apparatus of claim 26, further comprising:
    - means for downloading IP addresses of local presences and hosts respectively associated with said at least two tunnels.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Original Assignee
Alcatel-Lucent USA, Inc. (Nokia Corporation)
Inventors
Takkallapalli, Anil, Paul, Sanjoy, Rangarajan, Sampath, Mukherjee, Sarit
Primary Examiner(s)
Revak; Christopher A

Application Number

US10/429,815
Publication Number

US 20040225895A1
Time in Patent Office

2,080 Days
Field of Search

726/12
US Class Current

726/15
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 63/0272   Virtual private networks

H04L 63/164   at the network layer

Method and apparatus for providing adaptive VPN to enable different security levels in virtual private networks (VPNs)

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

124 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for providing adaptive VPN to enable different security levels in virtual private networks (VPNs)

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

124 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links