Method and system of establishing a virtual private network in a cloud service for branch networking

US 10,805,272 B2
Filed: 11/02/2018
Issued: 10/13/2020
Est. Priority Date: 04/13/2015
Status: Active Grant

First Claim

Patent Images

1. A method for implementing a virtual private network (VPN) between a cloud gateway node and a network comprising a plurality of subnets, the method comprising:

at an edge device connecting the network to at least one external network;

receiving a plurality of subnet VPN statuses for the plurality of subnets, each subnet VPN status specifying whether a particular subnet of the network is accessible over the VPN;

forwarding the plurality of subnet VPN statuses to the cloud gateway node in a public cloud connected to the edge device through an external network, wherein the cloud gateway node uses the plurality of subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN; and

receiving, over the VPN, traffic from the cloud gateway node for subnets determined to be VPN-accessible.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In one aspect, a computerized system useful for implementing a virtual private network (VPN) including an edge device that automatically establishes an Internet Protocol Security (IPsec) tunnel alongside an unsecure Multipath Protocol (MP) tunnel with a gateway device in preparation for a transmission of a secure traffic communication. The edge device has a list of local subnets. The edge device sends the list of local subnets to the gateway during an initial MP tunnel establishment handshake message exchange between the edge device and the gateway device. Each subnet includes an indication of whether the subnet is reachable over the VPN. A gateway device that automatically establishes the IPsec tunnel alongside the unsecure MP tunnel with the edge device. An enterprise datacenter server that comprises an orchestrator module that receives a toggle the VPN command and enables the VPN on the orchestrator. The orchestrator informs the edge device the list of subnets is accessible over the VPN causing the edge device to update the gateway device with a new list of subnets of the edge device that accessible over the VPN.

335 Citations

20 Claims

1. A method for implementing a virtual private network (VPN) between a cloud gateway node and a network comprising a plurality of subnets, the method comprising:
- at an edge device connecting the network to at least one external network;
  
  receiving a plurality of subnet VPN statuses for the plurality of subnets, each subnet VPN status specifying whether a particular subnet of the network is accessible over the VPN;
  
  forwarding the plurality of subnet VPN statuses to the cloud gateway node in a public cloud connected to the edge device through an external network, wherein the cloud gateway node uses the plurality of subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN; and
  
  receiving, over the VPN, traffic from the cloud gateway node for subnets determined to be VPN-accessible.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, wherein receiving the traffic over the VPN comprises, when a subnet VPN status indicates that a particular subnet is accessible over the VPN, receiving traffic for the particular subnet using at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node.
  - 3. The method of claim 1 further comprising:
    - when a subnet VPN status indicates that a particular subnet is not accessible over the VPN, receiving, at the edge device, traffic for the particular subnet from the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  - 4. The method of claim 3, wherein edge device is connected to the cloud gateway node by a plurality of multipath protocol tunnels which comprise the set of unsecure tunnels.
  - 5. The method of claim 4, wherein the plurality of multipath protocol tunnels spans a plurality of network links, the plurality of network links comprising at least two of a DSL link, a fiber link, a broadband cable link, and a cellular network link.
  - 6. The method of claim 1 further comprising:
    - when a subnet VPN status indicates that a particular subnet is accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node over the VPN through at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node; and
      
      when a subnet VPN status indicates that a particular subnet is not accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  - 7. The method of claim 1, wherein the network is a first network, the edge device is a first edge device, and the particular subnet is a first subnet, wherein:
    - receiving traffic for the particular subnet over the VPN comprises receiving traffic from a second network comprising a second edge device connecting the second network to an external network; and
      
      the second edge device sends traffic from the second network to one of the same cloud gateway node and another cloud gateway node through at least one IPSec tunnel implementing the VPN.
  - 8. The method of claim 7, wherein the first network is an enterprise datacenter of a particular enterprise and the second network is one of a client of the particular enterprise and a branch office belonging to the particular enterprise.
  - 9. The method of claim 1, wherein:
    - receiving the plurality of subnet VPN statuses comprises receiving a set of gateway configuration data;
      
      forwarding the plurality of subnet VPN statuses comprises forwarding the set of gateway configuration data to the cloud gateway node; and
      
      the edge device and the cloud gateway node use the gateway configuration data to configure between the edge device and the cloud gateway node a plurality of multipath protocol tunnels and at least one secure Internet Protocol Security (IPSec) tunnel for implementing the VPN.
  - 10. The method of claim 9, wherein the edge device and cloud gateway node maintain the IPSec tunnel even when none of the subnets of the network are available over the VPN.
  - 11. The method of claim 9, wherein:
    - the cloud gateway node uses the gateway configuration data to configure a virtual routing and forwarding (VRF) table comprising an entry for each subnet of the network and stores the forwarded subnet VPN statuses in their corresponding subnet entries in the VRF table; and
      
      using the subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN comprises searching the VRF table for a subnet VPN status.
  - 12. The method of claim 1, wherein the cloud gateway node comprises a virtual routing and forwarding (VRF) table comprising an entry for each subnet of the network and stores the forwarded subnet VPN statuses in their corresponding subnet entries in the VRF table.

13. A non-transitory machine readable medium storing a program that when executed by a set of processing units at an edge device implements a virtual private network (VPN) between a cloud gateway node and a network of the edge device which comprises a plurality of subnets, the program comprising sets of instructions for:
- at the edge device connecting the network to at least one external network;
  
  receiving a plurality of subnet VPN statuses for the plurality of subnets, each subnet VPN status specifying whether a particular subnet of the network is accessible over the VPN;
  
  forwarding the plurality of subnet VPN statuses to the cloud gateway node in a public cloud connected to the edge device through an external network, wherein the cloud gateway node uses the plurality of subnet VPN statuses to determine whether received traffic for a subnet should be sent over the VPN; and
  
  receiving, over the VPN, traffic from the cloud gateway node for subnets determined to be VPN-accessible.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20)
- - 14. The non-transitory machine readable medium of claim 13, wherein the set of instructions for receiving the traffic over the VPN comprises a set of instructions for, when a subnet VPN status indicates that a particular subnet is accessible over the VPN, receiving traffic for the particular subnet using at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node.
  - 15. The non-transitory machine readable medium of claim 13, wherein the program further comprises sets of instructions for:
    - when a subnet VPN status indicates that a particular subnet is not accessible over the VPN, receiving traffic for the particular subnet from the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  - 16. The non-transitory machine readable medium of claim 15, wherein edge device is connected to the cloud gateway node by a plurality of multipath protocol tunnels which comprise the set of unsecure tunnels.
  - 17. The non-transitory machine readable medium of claim 16, wherein the plurality of multipath protocol tunnels spans a plurality of network links, the plurality of network links comprising at least two of a DSL link, a fiber link, a broadband cable link, and a cellular network link.
  - 18. The non-transitory machine readable medium of claim 13, wherein the program further comprises sets of instructions for:
    - when a subnet VPN status indicates that a particular subnet is accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node over the VPN through at least one secure Internet Protocol Security (IPSec) tunnel between the edge device and the cloud gateway node; and
      
      when a subnet VPN status indicates that a particular subnet is not accessible over the VPN, forwarding traffic from the particular subnet to the cloud gateway node through a set of unsecure tunnels between the edge device and the cloud gateway node.
  - 19. The non-transitory machine readable medium of claim 13, wherein:
    - the set of instruction for receiving the plurality of subnet VPN statuses comprises a set of instructions for receiving a set of gateway configuration data;
      
      the set of instructions for forwarding the plurality of subnet VPN statuses comprises a set of instructions for forwarding the set of gateway configuration data to the cloud gateway node; and
      
      the program further comprises sets of instructions for, with the cloud gateway node, using the gateway configuration data to configure between the edge device and the cloud gateway node a plurality of multipath protocol tunnels and at least one secure Internet Protocol Security (IPSec) tunnel for implementing the VPN.
  - 20. The non-transitory machine readable medium of claim 19, wherein the program further comprises sets of instructions for maintaining the IPSec tunnel with the cloud gateway node even when none of the subnets of the network are available over the VPN.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nicira Incorporated (Broadcom, Inc.)
Original Assignee
Nicira Incorporated (Broadcom, Inc.)
Inventors
Mayya, Ajit Ramachandra, Thakore, Parag Pritam, Connors, Stephen Craig, Woo, Steven Michael, Mukundan, Sunil, Speeter, Thomas Harold
Primary Examiner(s)
Murphy, J. Brant

Application Number

US16/179,675
Publication Number

US 20190075083A1
Time in Patent Office

711 Days
Field of Search
US Class Current
CPC Class Codes

G06N 20/00   Machine learning

H04L 12/4633   Interconnection of networks...

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 12/66   Arrangements for connecting...

H04L 45/42   Centralised routing

H04L 49/35   Switches specially adapted ...

H04L 63/0272   Virtual private networks

H04L 63/0281   Proxies

H04L 63/029   Firewall traversal, e.g. tu...

H04L 67/10   in which an application is ...

Method and system of establishing a virtual private network in a cloud service for branch networking

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

335 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system of establishing a virtual private network in a cloud service for branch networking

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

335 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links