Optimizing connections over virtual private networks

US 9,942,199 B2
Filed: 12/31/2013
Issued: 04/10/2018
Est. Priority Date: 12/31/2013
Status: Active Grant

First Claim

Patent Images

1. A system for providing a virtual private network (VPN), the system comprising:

a routing apparatus on a public network, the routing apparatus configured to accept a first connection with a client on the VPN and a second connection with a VPN gateway behind a firewall in a private network extended by the VPN; and

the VPN gateway configured to establish the second connection with the routing apparatus, receive a set of packets from a host device of the private network, encrypt the set of packets using a shared secret between the client on the public network and the VPN gateway behind the firewall on the private network, insert a destination identifier of the client on the public network, and route the encrypted set of packets having the destination identifier of the client to the routing apparatus via the second connection;

wherein secure access to private resources of the host device behind the firewall of the private network is extended from behind the firewall to the client on the public network and beyond the firewall by the VPN that includes the VPN gateway behind the firewall on the private network and the routing apparatus on the public network;

wherein the VPN is extended to the client by the routing apparatus via the public network without requiring the client to install VPN software;

wherein the transmission of the packets is associated with at least one of;

omitting a three-way handshake between the client and the host device;

bypassing checksums on the sets of packets;

setting a maximum transmission unit (MTU) associated with transmission of the set of packets; and

setting a receive window associated with transmission of the set of packets.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed embodiments provide a system that provides a virtual private network (VPN). The system includes a routing apparatus on a public network. The routing apparatus accepts a first connection with a client on the VPN and a second connection with a gateway in a private network extended by the VPN. Next, the routing apparatus receives a first set of packets from the client over the first connection, wherein the first set of packets is encrypted. The routing apparatus then routes the first set of packets to the gateway. The system also includes the gateway, which establishes the second connection with the routing apparatus. Next, the gateway decrypts the first set of packets and routes the decrypted first set of packets to a host in the private network.

Citations

16 Claims

1. A system for providing a virtual private network (VPN), the system comprising:
- a routing apparatus on a public network, the routing apparatus configured to accept a first connection with a client on the VPN and a second connection with a VPN gateway behind a firewall in a private network extended by the VPN; and
  
  the VPN gateway configured to establish the second connection with the routing apparatus, receive a set of packets from a host device of the private network, encrypt the set of packets using a shared secret between the client on the public network and the VPN gateway behind the firewall on the private network, insert a destination identifier of the client on the public network, and route the encrypted set of packets having the destination identifier of the client to the routing apparatus via the second connection;
  
  wherein secure access to private resources of the host device behind the firewall of the private network is extended from behind the firewall to the client on the public network and beyond the firewall by the VPN that includes the VPN gateway behind the firewall on the private network and the routing apparatus on the public network;
  
  wherein the VPN is extended to the client by the routing apparatus via the public network without requiring the client to install VPN software;
  
  wherein the transmission of the packets is associated with at least one of;
  
  omitting a three-way handshake between the client and the host device;
  
  bypassing checksums on the sets of packets;
  
  setting a maximum transmission unit (MTU) associated with transmission of the set of packets; and
  
  setting a receive window associated with transmission of the set of packets.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, further comprising:
    - the client configured to establish the first connection with the routing apparatus, encrypt another set of packets, and transmit the other set of packets over the first connection to the routing apparatus.
  - 3. The system of claim 1,wherein the routing apparatus is further configured to route the set of packets from the VPN gateway to the client based on the destination identifier added by the VPN gateway.
  - 4. The system of claim 3, wherein the client is further configured to receive the set of packets over the first connection from the routing apparatus and decrypt the set of packets.
  - 5. The system of claim 2, wherein the client is further configured to exchange a third set of packets with another client on the VPN through the routing apparatus or a direct connection with the other client.
  - 6. The system of claim 2, wherein the VPN gateway and the client are further configured to maintain the first and second connections with the routing apparatus by periodically transmitting keep-alive packets to the routing apparatus.
  - 7. The system of claim 1, wherein each packet from the set of packets comprises destination identifier added by the VPN gateway, a cryptographic header added by the VPN gateway, and a payload.
  - 8. The system of claim 1, wherein the routing apparatus stores and distributes public keys for the client and the VPN gateway, and the public keys are used to generate the shared secret along with a private key that is not known to the routing apparatus.

9. A computer-implemented method for facilitating use of a virtual private network (VPN), the computer-implemented method comprising:
- establishing a connection between a routing apparatus on a public network and a VPN gateway behind a firewall in a private network extended by the VPN;
  
  receiving, by the VPN gateway, a set of packets from a host device of the private network, encrypting, by the VPN gateway, the set of packets using a shared secret that is unknown to the routing apparatus and shared between a client on the public network and the VPN gateway that is behind the firewall of the private network, and inserting, by the VPN gateway, a destination identifier of the client on the public network; and
  
  transmitting, by the VPN gateway, the set of packets having the destination identifier of the client to the routing apparatus;
  
  wherein secure access to private resources of the host device behind the firewall of the private network is extended from behind the firewall to the client on the public network and beyond the firewall by the VPN that includes the VPN gateway behind the firewall on the private network and the routing apparatus on the public network;
  
  wherein the VPN is extended to the client by the routing apparatus via the public network without requiring the client to install VPN software;
  
  wherein the transmission of the set of packets is associated with at least one of;
  
  omitting a three-way handshake between the client and the host device;
  
  bypassing checksums on the sets of packets;
  
  setting a maximum transmission unit (MTU) associated with transmission of the set of packets; and
  
  setting a receive window associated with transmission of the set of packets.
- View Dependent Claims (10, 11, 12, 13)
- - 10. The computer-implemented method of claim 9, further comprising:
    - receiving, at the routing apparatus, a second set of packets over the connection, wherein the second set of packets are encrypted by and transmitted from the client; and
      
      decrypting the second set of packets at the first node using the shared secret.
  - 11. The computer-implemented method of claim 10, further comprising:
    - using, by the routing apparatus, the shared secret to verify the second set of packets after receiving the second set of packets from the client.
  - 12. The computer-implemented method of claim 9, wherein omitting the three-way handshake comprises at least one of:
    - omitting the transmission of one or more packets associated with the three-way handshake; and
      
      performing, at the routing apparatus, the three-way handshake with an endpoint associated with the three-way handshake in lieu of transmitting the one or more packets to the VPN gateway.
  - 13. The computer-implemented method of claim 9, wherein the MTU and the receive window are associated with a previous connection of the routing apparatus with the VPN.

14. A non-transitory computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for facilitating use of a virtual private network (VPN), the method comprising:
- establishing a connection between a routing apparatus on a public network and a VPN gateway behind a firewall in a private network extended by the VPN;
  
  receiving, by the VPN gateway, a set of packets from a host device of the private network, encrypting, by the VPN gateway, the set of packets using a shared secret that is unknown to the routing apparatus and shared between a client on the public network and the VPN gateway that is behind the firewall of the private network, and inserting, by the VPN gateway, a destination identifier of the client on the public network; and
  
  transmitting, by the VPN gateway, the set of packets having the destination identifier of the client to the routing apparatus;
  
  wherein secure access to private resources of the host device behind the firewall of the private network is extended from behind the firewall to the client on the public network and beyond the firewall by the VPN that includes the VPN gateway behind the firewall on the private network and the routing apparatus on the public network;
  
  wherein the VPN is extended to the client by the routing apparatus via the public network without requiring the client to install VPN software;
  
  wherein the transmission of the set of packets is associated with at least one of;
  
  omitting a three-way handshake between the client and the host device;
  
  bypassing checksums on the sets of packets;
  
  setting a maximum transmission unit (MTU) associated with transmission of the set of packets; and
  
  setting a receive window associated with transmission of the set of packets.
- View Dependent Claims (15, 16)
- - 15. The non-transitory computer-readable storage medium of claim 14, wherein the method further comprises:
    - using, by the routing apparatus, the shared secret to verify the set of packets after receiving the second set of packets from the client.
  - 16. The non-transitory computer-readable storage medium of claim 14, wherein omitting the three-way handshake comprises at least one of:
    - omitting the transmission of one or more packets associated with the three-way handshake; and
      
      performing, at the routing apparatus, the three-way handshake with an endpoint associated with the three-way handshake in lieu of transmitting the one or more packets to the VPN gateway.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Open Invention Network LLC
Original Assignee
Open Invention Network LLC
Inventors
Thomas, Geoffrey G., Whaley, John
Primary Examiner(s)
King, John B

Application Number

US14/145,586
Publication Number

US 20150188887A1
Time in Patent Office

1,561 Days
Field of Search

713153
US Class Current
CPC Class Codes

H04L 12/4641 Virtual LANs, VLANs, e.g. v...

H04L 63/0272 Virtual private networks

Optimizing connections over virtual private networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Optimizing connections over virtual private networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links