Method of network communication
First Claim
1. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is IPsec (IP Security), and in which initiator and responder cookies in an ISAKMP (Internet Security Association and Key Management Protocol) header of a packet are used to identify a packet as part of an established session, wherein the remote clients share a common source address on the intermediate transport network;
and wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address.
Abstract
A method of network communication and a network gateway are disclosed. The method and gateway operate between a secure network and remote clients by way of an intermediate transport network, such as the Internet. The remote clients connect through a NAT router and so share a common source address on the intermediate transport network. In the secure network, the method analyses packets received from a remote client to identify packets that start a new secure communication session. The method then assigns a session-unique address and port to the new secure communication session. Subsequent packets in the secure communication session are translated by exchanging their source address with the local session address. Thus, the secure network perceives each session as originating from a distinct address and port, so that several such sessions can coexist simultaneously.
9 Claims
1. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is IPsec (IP Security), and in which initiator and responder cookies in an ISAKMP (Internet Security Association and Key Management Protocol) header of a packet are used to identify a packet as part of an established session, wherein the remote clients share a common source address on the intermediate transport network;
and wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address.
Dependent claims: 2, 3, 4.
5. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session between the secure network and remote clients is IPsec (IP Security) transport mode ESP (Encapsulating Security Payload), wherein the remote clients share a common source address on the intermediate transport network;
and wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address.
6. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is IPsec (IP Security) and in which the type of session between peers is L2TP (Layer 2 Tunneling Protocol) over IPsec transport mode ESP (Encapsulating Security Payload), wherein the remote clients share a common source address on the intermediate transport network;
and wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address.
7. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, and the remote clients share a common source address on the intermediate transport network;
wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address, and wherein sessions are maintained and terminated on a variable time basis.
8. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, and the remote clients share a common source address on the intermediate transport network;
wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address, and wherein sessions are located using a multitude of strategies to deliver session resilience in the event of client IP address and port changes.
9. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, and the remote clients share a common source address on the intermediate transport network;
wherein in the NAT-T proxy, the method comprises:
a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
d) routing the translated packets to the security gateway whereby packets received by the security gateway have, for each established session, a unique IP address, and wherein a state machine is associated with a new session in order to monitor the state of the session.
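As an added example (not the patent's text or any implementer's code), the following Python models steps a) to d) of the claims together with the variations of claims 7 to 9: a new session is recognised by an all-zero responder cookie in the ISAKMP header, a session-unique address is taken from a pool, later IKE and UDP-encapsulated ESP packets from the same client are rewritten to that address, a client whose public address or port has changed is found again by its initiator cookie, and idle sessions expire. The `10.200.0.x` pool, the 120 s idle timeout, and the use of the RFC 3948 Non-ESP Marker to tell IKE from ESP on UDP/4500 are my assumptions, not details stated on this page.

```python
import struct
from ipaddress import IPv4Address

NATT_PORT = 4500          # RFC 3948: IKE and UDP-encapsulated ESP share UDP/4500
ZERO_COOKIE = b"\0" * 8   # responder cookie is all-zero in the first IKE message of a session
class Session:            # claim 9: a small state machine per session
    def __init__(self, local_ip, icookie, now):
        self.local_ip, self.icookie, self.last_seen, self.state = local_ip, icookie, now, "NEGOTIATING"

class NatTProxy:
    """Toy model of the claimed NAT-T proxy (constructed for illustration, not vendor code)."""
    def __init__(self, pool_base="10.200.0.1", pool_size=8, idle_timeout=120):
        self.free = [str(IPv4Address(pool_base) + i) for i in range(pool_size)]  # assumed pool
        self.idle_timeout = idle_timeout
        self.by_addr, self.by_cookie = {}, {}  # (ip, port) -> Session; initiator cookie -> Session

    @staticmethod
    def isakmp_cookies(dport, payload):
        """(initiator, responder) cookies if the payload is IKE, else None (ESP or junk)."""
        if dport == NATT_PORT:
            if payload[:4] != b"\0\0\0\0":   # no Non-ESP Marker: UDP-encapsulated ESP
                return None
            payload = payload[4:]
        return struct.unpack("!8s8s", payload[:16]) if len(payload) >= 28 else None

    def translate(self, src_ip, src_port, dport, payload, now):
        self.expire(now)
        key, cookies = (src_ip, src_port), self.isakmp_cookies(dport, payload)   # step a
        sess = self.by_addr.get(key)
        if sess is None and cookies and cookies[1] == ZERO_COOKIE and cookies[0] not in self.by_cookie:
            if not self.free:
                return None                  # pool exhausted: drop rather than let sessions collide
            sess = Session(self.free.pop(0), cookies[0], now)    # step b
            self.by_cookie[cookies[0]] = sess
        elif sess is None and cookies and cookies[0] in self.by_cookie:
            sess = self.by_cookie[cookies[0]]                    # claim 8: known cookie, new address/port
            self.by_addr = {k: v for k, v in self.by_addr.items() if v is not sess}
        if sess is None:
            return None                      # e.g. ESP from an address with no IKE session: drop
        self.by_addr[key] = sess
        if cookies and cookies[1] != ZERO_COOKIE:
            sess.state = "ESTABLISHED"       # client now echoes the responder's cookie
        sess.last_seen = now
        return sess.local_ip                 # steps c-d: forward to the gateway from this address

    def expire(self, now):                   # claim 7: idle sessions end on a time basis
        for key, s in [kv for kv in self.by_addr.items() if now - kv[1].last_seen > self.idle_timeout]:
            del self.by_addr[key]
            self.by_cookie.pop(s.icookie, None)
            self.free.append(s.local_ip)     # address returns to the pool
```

Two clients behind one public address each receive their own pool address, so the gateway sees two distinct peers; an ESP packet from an address that never completed the IKE classification is dropped rather than forwarded.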
Specification