Remote access VPN mediation method and mediation device

US 7,665,132 B2
Filed: 07/02/2004
Issued: 02/16/2010
Est. Priority Date: 07/04/2003
Status: Expired due to Fees

First Claim

Patent Images

1. A remote-access VPN mediating method in a system wherein;

VPN client units and a VPN gateway unit are connected to an IP network;

communication units are connected to a local area network placed under the management of the VPN gateway unit; and

a remote-access VPN by a tunneling protocol is implemented between an arbitrary one of the VPN client units and the VPN gateway unit connected to said IP network and an arbitrary one of the communication units connected to the local area network placed under the management of the VPN gateway unit, where VPN represents virtual private network, said method comprising the steps of;

(a) sending an access control list containing information indicative of a private IP address assigned to said communication unit to a mediating apparatus on said IP network from said VPN gateway unit, said mediating apparatus being a separate and distinct apparatus from the VPN gateway unit;

(b) storing said access control list in said mediating apparatus in correspondence to said VPN gateway unit;

(c) retrieving, by said mediating apparatus, an IP address of said VPN gateway unit in response to a request from said VPN client unit, acquiring the private IP address of the corresponding communication unit from said access control list, sending the acquired IP address of said VPN gateway unit and the acquired private IP address to said VPN client unit, sending an IP address of said VPN client unit to said VPN gateway unit, generating mutual authentication information for setting up an authenticated encrypted tunnel between said VPN client unit and said VPN gateway unit, and sending said mutual authentication information to both of said VPN client unit and said VPN gateway unit; and

(d) setting up said authentication encrypted tunnel between said VPN client unit and said VPN gateway unit by use of said mutual authentication information, and implementing remote access through said encrypted tunnel by use of the private IP address of said communication unit.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit. The mediating apparatus: receives a retrieval request from a VPN client unit; acquires a private IP address of a communication unit by reference to ACL; searches DNS to acquire therefrom an IP address of the VPN gateway unit; generates a common key that is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween; sends the IP address of the VPN gateway unit, the private IP address of the communication unit, and the common key to the VPN client unit; and sends the IP address of the VPN client unit and the common key to the VPN gateway unit.

53 Citations

View as Search Results

15 Claims

1. A remote-access VPN mediating method in a system wherein;
- VPN client units and a VPN gateway unit are connected to an IP network;
  
  communication units are connected to a local area network placed under the management of the VPN gateway unit; and
  
  a remote-access VPN by a tunneling protocol is implemented between an arbitrary one of the VPN client units and the VPN gateway unit connected to said IP network and an arbitrary one of the communication units connected to the local area network placed under the management of the VPN gateway unit, where VPN represents virtual private network, said method comprising the steps of;
  
  (a) sending an access control list containing information indicative of a private IP address assigned to said communication unit to a mediating apparatus on said IP network from said VPN gateway unit, said mediating apparatus being a separate and distinct apparatus from the VPN gateway unit;
  
  (b) storing said access control list in said mediating apparatus in correspondence to said VPN gateway unit;
  
  (c) retrieving, by said mediating apparatus, an IP address of said VPN gateway unit in response to a request from said VPN client unit, acquiring the private IP address of the corresponding communication unit from said access control list, sending the acquired IP address of said VPN gateway unit and the acquired private IP address to said VPN client unit, sending an IP address of said VPN client unit to said VPN gateway unit, generating mutual authentication information for setting up an authenticated encrypted tunnel between said VPN client unit and said VPN gateway unit, and sending said mutual authentication information to both of said VPN client unit and said VPN gateway unit; and
  
  (d) setting up said authentication encrypted tunnel between said VPN client unit and said VPN gateway unit by use of said mutual authentication information, and implementing remote access through said encrypted tunnel by use of the private IP address of said communication unit.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The remote-access mediating method of claim 1, wherein said access control list contains attribute information about VPN client unit.
  - 3. The remote-access VPN mediating method of claim 2, wherein said step (a) includes a step of encrypting a communication channel between said mediating apparatus and said VPN gateway unit or a VPN gateway management unit having an authority of its management, and sending said access control list from said VPN gateway unit to said mediating apparatus.
  - 4. The remote-access VPN mediating method of claim 2 or 3, wherein said step (b) includes steps of:
    - authenticating said VPN gateway unit by said mediating apparatus; and
      
      storing an access control list for said VPN client unit sent from said VPN gateway unit when the authentication is successful.
  - 5. The remote-access VPN mediating method of claim 2 or 3, wherein said step (c) includes the steps of:
    - (c-0) on receiving a request for retrieval of an IP address assigned to said VPN gateway unit from said VPN client unit, verifying whether said VPN client unit has an authority of access to said VPN gateway unit; and
      
      only when said VPN client unit has said access authority,(c-1) referring to an access control list, and acquiring the private IP address assigned to said communication unit;
      
      (c-2) searching a domain name server to acquire the IP address assigned to said VPN gateway unit;
      
      (c-3generating said mutual authentication information for authentication between said VPN client unit and said VPN gateway unit;
      
      (c-4) encrypting a first communication channel between said mediating apparatus and said VPN client unit, and sending said mutual authentication information, the IP address of said VPN gateway unit and the private IP address of said communication unit to said VPN client unit;
      
      (c-5) encrypting a second communication channel between said mediating apparatus and said VPN gateway unit, and sending to said VPN gateway unit said mutual authentication information, an IP address of said VPN client unit and said attribute information about said VPN client unit described in said access control list.
  - 6. The remote-access VPN mediating method of claim 5, comprising the steps:
    - wherein, at the time of setting up the encrypted tunnel between said VPN client unit and said VPN gateway unit, said VPN gateway unit performs at least one of;
      
      a function of determining the private IP address to be given to said VPN client unit on the basis of said attribute information on said VPN client unit sent from said mediating apparatus, and giving the determined private IP address to said VPN client unit;
      
      a function of determining a VLAN to be accommodated on the basis of said attribute information about said VPN client unit, a gateway address, an internal DNS address, a WINS server address, etc.; and
      
      a function of changing packet filtering setting of said VPN gateway unit on the basis of said attribute information; and
      
      wherein when the tunnel established between said VPN gateway unit and said VPN client unit is disconnected or no communication has been conducted via said tunnel for a predetermined period of time, said VPN gateway unit performs tunnel cleanup processing, processing for returning the private IP address assigned to said VPN client unit, and restoring the setting of the packet filtering of said VPN gateway unit used for said VPN client unit concerned.
  - 7. The remote-access VPN mediating method of claim 2 or 3, wherein:
    - letting a domain name server be denoted by DNS, said step (c) includes a step wherein said VPN client unit captures a DNS query transferred from an in-unit application or another VPN client unit, then collates the source address and contents of said query with filtering conditions, and, if they match the conditions, converts said query to a query to said mediating apparatus;
      
      said step (d) includes a step of setting/updating tunneling protocol configuration management information on the basis of an answer to said query; and
      
      said step (e) includes a step of initializing the tunnel as required, passing the private IP address of the communication unit specified by said mediating unit, as the result of said DNS query, to the application of the query source.
  - 8. The remote-access VPN mediating method of claim 5, wherein, letting simple public key infrastructure be denoted by SPKI, said step (c) includes a step wherein said VPN client unit issues a certificate by an SPKI scheme, and another VPN client unit having received said certificate sends to said mediating apparatus a request for retrieval of the IP address assigned to said VPN gateway unit.

9. A remote-access VPN mediating apparatus which is built on an IP network to implement a remote-access VPN representing virtual private network in a system wherein:
- VPN client units and a VPN gateway unit are connected to the IP network;
  
  communication units are connected to a local area network placed under the management of the VPN gateway unit; and
  
  a remote-access VPN by a tunneling protocol is implemented between an arbitrary one of said VPN client units and said VPN gateway unit connected to said IP network and an arbitrary one of said communication units connected to said local area network placed under the management of said VPN gateway unit, said mediating apparatus being a separate and distinct apparatus from the gateway unit and comprising;
  
  ACL storage means for storing an access control list, hereinafter referred to as ACL, sent from said VPN gateway unit and containing information indicative of a private IP address assigned to said communication unit;
  
  authentication/access authorization control means for authenticating said VPN client unit and said VPN gateway unit, and for executing access authorization control;
  
  IP address acquiring means for referring to said access control list to acquire the private IP address assigned to said communication unit, and for searching a domain name server to acquire an IP address assigned to said VPN gateway unit;
  
  authentication information generating means for generating mutual authentication information for setting up an authenticated encrypted tunnel between said VPN client unit and said VPN gateway unit; and
  
  communication means for sending the IP address of said VPN gateway unit, the private IP address of said communication unit and said mutual authentication information to said VPN client unit, and for sending the IP address of said VPN client unit and said mutual authentication information to said VPN gateway unit.
- View Dependent Claims (10, 11, 12, 13, 14, 15)
- - 10. The mediating apparatus of claim 9, wherein said communication means includes encryption means for encrypting communications between said mediating apparatus and said VPN client unit, and communications between said mediating apparatus and said VPN gateway unit.
  - 11. The mediating apparatus of claim 9, wherein said authentication/access authorization control means is configured to:
    - authenticate said VPN client unit; and
      
      only when the authentication is successful, cause said IP address acquiring means to query the domain name server about the IP address assigned to said VPN gateway unit and acquire said IP address;
      
      cause said mutual authentication information generating means to generate said mutual authentication information; and
      
      cause said communication means to send the acquired IP address, the private IP address assigned to said communication unit, and said generated mutual authentication information to said VPN client unit.
  - 12. The mediating apparatus of claim 9, wherein said authentication/access authorization control means is configured to:
    - decide whether said VPN client unit has the authority to retrieve the IP address assigned to said VPN gateway unit; and
      
      only when the VPN client unit has said authority, cause said IP address acquiring means to query the domain name server about the IP address assigned to said VPN gateway unit and acquire said IP address;
      
      cause said mutual authentication information generating means to generate said mutual authentication information; and
      
      cause said communication means to send the acquired IP address, the private IP address assigned to said communication unit, and said generated mutual authentication information to said VPN client unit.
  - 13. The mediating apparatus of claim 11 or 12, wherein said authentication/access authority control means is configured to:
    - authenticate said VPN gateway unit; and
      
      only when the authentication is successful, causes said communication means to send the IP address assigned to said VPN client unit and said mutual authentication information to said VPN gateway unit.
  - 14. The mediating apparatus of claim 9, wherein said authentication/access authorization control means is configured to authenticate said VPN client unit and said VPN gateway unit by an SPKI (Simple Public Key Infrastructure) scheme, and/or executes access authorization control.
  - 15. The mediating apparatus of claim 9, wherein said authentication/access authorization control means authenticates said VPN client unit and said VPN gateway unit by a PKI (Public Key Infrastructure) scheme.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nippon Telegraph and Telephone Corporation
Original Assignee
Nippon Telegraph and Telephone Corporation
Inventors
Ono, Satoshi, Hisada, Yusuke, Tsuruoka, Yukio
Primary Examiner(s)
Korzuch; William R
Assistant Examiner(s)
Su; Sarah

Application Number

US10/526,935
Publication Number

US 20060143702A1
Time in Patent Office

2,055 Days
Field of Search

726/15, 726/27, 726/11, 709/227, 709/229
US Class Current

726/15
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 9/006   involving public key infras...

Remote access VPN mediation method and mediation device

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

53 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

Remote access VPN mediation method and mediation device

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links