Virtual private network and tunnel gateway with multiple overlapping, remote subnets
Abstract
Local gateway support for multiple overlapping remote networks. The local gateway includes a pool of unique, internally routable system-wide addresses, an address bind table, a filter rules table, and a collection of security association databases. A plurality of overlapping connections are received at the local gateway from remote networks, each including an inbound packet having a source IP address. For each connection, the source IP address is bound with an address from the address pool in a bind table. Outbound packets are processed through the bind table to determine the destination IP address corresponding to a correct one of the plurality of overlapping connections.
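The mechanism in the abstract, as an added illustration that is not code from the patent or any product implementing it: a gateway object keeps a bind table keyed by (VPN connection name, remote source IP) and hands each new binding a unique address from an internal pool, so two remote sites that both use 192.168.1.0/24 can talk to the same local node without ambiguity. Outbound replies are resolved through the reverse of that table, which yields both the tunnel to use and the original remote address to restore. The class and function names, the pool prefix 10.200.0.0/29, the connection names and every IP address below are constructed for the example; the pool-exhaustion and unknown-destination cases are handled explicitly because a real gateway must drop rather than guess a tunnel there.

```python
"""Simulation of source-in VPN NAT for overlapping remote subnets (added example)."""
from dataclasses import dataclass
import ipaddress
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    connection: Optional[str] = None  # VPN connection it arrived on / must leave on


class PoolExhausted(Exception):
    """Raised when the internal address pool has no free address left."""


class SourceInNatGateway:
    """Constructed model of the bind table described in the abstract."""

    def __init__(self, pool_cidr: str):
        # Internal pool (constructed, e.g. 10.200.0.0/29); it must be unique
        # system-wide, i.e. overlap neither local nor any remote subnet.
        net = ipaddress.ip_network(pool_cidr)
        self._free = [str(h) for h in net.hosts()]
        # bind table: (connection name, remote source IP) -> internal address
        self.bind: Dict[Tuple[str, str], str] = {}
        # reverse index used for outbound lookups: internal address -> key
        self.reverse: Dict[str, Tuple[str, str]] = {}

    def inbound(self, pkt: Packet) -> Packet:
        """Translate the (possibly conflicting) source of an inbound packet."""
        if pkt.connection is None:
            raise ValueError("inbound packet must carry its VPN connection name")
        key = (pkt.connection, pkt.src)
        internal = self.bind.get(key)
        if internal is None:
            if not self._free:
                raise PoolExhausted(f"no free address for {key}")
            internal = self._free.pop(0)
            self.bind[key] = internal
            self.reverse[internal] = key
        # Forward to the local node with the unique address as the source.
        return Packet(src=internal, dst=pkt.dst)

    def outbound(self, pkt: Packet) -> Packet:
        """Pick the tunnel and restore the remote address for a local reply."""
        key = self.reverse.get(pkt.dst)
        if key is None:
            # Unknown translated destination: drop instead of guessing a tunnel.
            raise LookupError(f"no binding for destination {pkt.dst}")
        connection, remote_ip = key
        return Packet(src=pkt.src, dst=remote_ip, connection=connection)

    def release(self, connection: str) -> int:
        """Tear down a connection: unbind its addresses, return them to the pool."""
        keys = [k for k in self.bind if k[0] == connection]
        for k in keys:
            internal = self.bind.pop(k)
            del self.reverse[internal]
            self._free.append(internal)
        return len(keys)


def demo() -> dict:
    """Two overlapping remote sites, both numbered 192.168.1.0/24 (constructed)."""
    gw = SourceInNatGateway("10.200.0.0/29")
    a = gw.inbound(Packet("192.168.1.10", "172.16.0.5", "vpn-siteA"))
    b = gw.inbound(Packet("192.168.1.10", "172.16.0.5", "vpn-siteB"))
    # The local node 172.16.0.5 replies to the translated addresses; the bind
    # table resolves each reply to the right tunnel and original remote IP.
    reply_a = gw.outbound(Packet("172.16.0.5", a.src))
    reply_b = gw.outbound(Packet("172.16.0.5", b.src))
    # A later packet on the same (connection, source) reuses its binding.
    a_again = gw.inbound(Packet("192.168.1.10", "172.16.0.5", "vpn-siteA"))
    return {
        "internal_a": a.src,
        "internal_b": b.src,
        "reply_a_tunnel": reply_a.connection,
        "reply_b_tunnel": reply_b.connection,
        "reply_a_dst": reply_a.dst,
        "binding_reused": a_again.src == a.src,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The reverse index is what makes the outbound step a single lookup: the gateway never has to inspect the outbound packet's source or guess between tunnels, because the unique internal address it handed out on the inbound path already encodes which connection the peer lives behind.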
7 Claims
1. A method for providing local gateway support for multiple overlapping remote networks using source-in virtual private network address translation (VPN NAT), comprising the steps of:
loading a plurality of overlapping connections in a local gateway of a virtual private network (VPN), each connection with a respective remote node, each connection being established responsive to receiving a respective inbound packet having a respective conflicting source IP address from the corresponding remote node destined for a respective local node serviced by said local gateway; for each said connection, binding at least one of the respective source IP address and a respective VPN connection name in a bind table of said local gateway with an internally routable and system-wide unique source IP address from an internal address pool; and using said bind table to VPN network address translate outbound packets, each said outbound packet being associated with a respective said connection and being sent from a respective local node serviced by said local gateway to a respective remote node, each said outbound packet having a respective destination IP address, to determine a respective virtual private network connection for receiving each said outbound packet.
2. A method for operating a local gateway of a virtual private network (VPN) using source-in VPN network address translation (NAT), comprising the steps of:
receiving an inbound packet having a conflicting source-in IP address on a network connection from a remote node, said inbound data packet being destined for a local node serviced by said local gateway; applying source-in network address translation to establish dynamic binding of the source IP address of said inbound packet with an internally routable and system wide unique source-in IP address and a connection name; and using said dynamic binding to route, from said local gateway, one or more outbound data packets associated with said network connection and being sent from said local node serviced by said local gateway to said remote node, each said outbound packet having a respective destination IP address corresponding to said internally routable and system wide unique source-in IP address dynamically bound with said source IP address of said inbound packet.
3. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for providing local gateway support in a virtual private network (VPN) for multiple overlapping remote networks using source-in VPN network address translation (NAT), said method steps comprising:
receiving an inbound packet having a conflicting source-in IP address on a network connection from a remote node, said inbound data packet being destined for a local node of said VPN serviced by a local gateway of said VPN; applying VPN source-in network address translation to establish dynamic binding of the source IP address of said inbound packet with an internally routable and system wide unique source-in IP address and a connection name; and using said dynamic binding to route, from said local gateway, one or more outbound data packets associated with said network connection and being sent from said local node serviced by said local gateway to said remote node, each said outbound packet having a respective destination IP address corresponding to said internally routable and system wide unique source-in IP address dynamically bound with said source IP address of said inbound packet.
4. A method for operating a local gateway of a virtual private network (VPN) for controlling communication between a local node and a remote node using source-in VPN network address translation (NAT), comprising the steps of:
receiving an inbound packet in said local gateway on a network connection from a remote node, said inbound packet characterized by a conflicting first source address identifying said remote node and a first destination address identifying said local node; applying VPN source-in network address translation to establish dynamic binding of said first source address with an internally routable and system wide unique second source address and a first connection name; and using said dynamic binding to route, from said local gateway, one or more outbound data packets associated with said network connection and being sent from said local node to said remote node, each said outbound packet having a respective destination address corresponding to said internally routable and system wide unique second source address dynamically bound with said first source address of said inbound packet.
5. A program storage device readable by a machine, tangibly embodying a program of instructions executable by the machine to perform method steps for providing local gateway support in a virtual private network (VPN) for multiple overlapping remote networks using source-in VPN network address translation (NAT), said method steps comprising:
receiving an inbound packet in a local gateway of said VPN on a network connection from a remote node, said inbound packet characterized by a conflicting first source address identifying said remote node and a first destination address identifying said local node; applying VPN source-in network address translation to establish dynamic binding of said first source address with an internally routable and system wide unique second source address and a first connection name; and using said dynamic binding to route, from said local gateway, one or more outbound data packets associated with said network connection and being sent from said local node to said remote node, each said outbound packet having a respective destination address corresponding to said internally routable and system wide unique second source address dynamically bound with said first source address of said inbound packet.
6. A method for operating a local gateway for a virtual private network (VPN), comprising the steps of:
receiving a plurality of inbound packets on a network connection, each packet from a respective remote node, each inbound packet having a respective first source IP address associated with the respective remote node from which the inbound packet is received, each inbound packet being destined for a respective local node serviced by said local gateway of said VPN, wherein at least some inbound packets have conflicting first source IP addresses; with respect to a plurality of inbound packets each having a conflicting first source IP address, dynamically associating a respective second source IP address and connection with each first source IP address in said local gateway, each said second source IP address being an internally routable and system wide unique IP address; forwarding each said inbound packet having conflicting first source IP address from said gateway to the respective local node for which it is destined using the respective second source IP address to identify the source remote node; receiving a plurality of outbound packets in said local gateway, each outbound packet from a respective local node serviced by said local gateway and destined for a respective remote node, each outbound packet containing a respective destination IP address, of at least some of said outbound packets containing a respective destination IP address corresponding to a respective said second source IP address; and with respect to each said outbound packet containing a respective destination IP address corresponding to a respective said second source IP address, determining a connection and first source IP address associated with the second source IP address from said destination IP address, and using said corresponding connection and first source IP address to route the outgoing data packet from said local gateway to a respective remote node.