WO2002017558A2 - Method and apparatus for data communication between a plurality of parties - Google Patents
- Publication number
- WO2002017558A2 (PCT/CA2001/001157)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- nodes
- vpn
- server
- establishing
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Ceased
Classifications
- H—ELECTRICITY › H04—ELECTRIC COMMUNICATION TECHNIQUE › H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION › H04L63/00—Network architectures or network communication protocols for network security:
  - H04L63/02—for separating internal from external traffic, e.g. firewalls › H04L63/0272—Virtual private networks
  - H04L63/06—for supporting key management in a packet data network › H04L63/061—for key exchange, e.g. in peer-to-peer networks
  - H04L63/06—for supporting key management in a packet data network › H04L63/065—for group communications
  - H04L63/08—for authentication of entities
  - H04L63/12—Applying verification of the received information › H04L63/126—the source of the received data
  - H04L63/16—Implementing security features at a particular protocol layer › H04L63/164—at the network layer
Definitions
- the present invention relates to a system and method of providing secure communications over an open network, and more specifically to establishing a virtual private network (VPN), which runs across a diverse set of operating systems and hardware platforms and facilitates ease of use.
- VPN: virtual private network
- a virtual private network is a logical entity consisting of multiple nodes having secure communications over an open and typically insecure network such as the Internet.
- Data security is commonly achieved through the use of cryptography, which requires the data traffic to be encrypted at the sender's end and decrypted at the receiver's end, so that other users of the public network may intercept the data traffic but cannot read it.
- Data encryption also allows the receiver to verify the integrity of the data received and therefore detect third-party data tampering.
- a typical VPN connects one or more private networks together through the Internet.
- the network on either side of the Internet has a gateway and a single-access connection to the Internet. To create the VPN, a secure communications path between the two gateways is formed such that the two private networks may communicate with one another.
- each node obtains by some means information ("configuration") including but not limited to:
- a VPN does not allow for automatic configuration of nodes for VPN participation, as nodes change their network addresses on being dynamically added to or removed from a VPN.
- in the majority of implementations each node may only be a member of one VPN at a time, which limits the ultimate efficiency of the user at each node.
- NAT: Network Address Translation
- a NAT device modifies the data packet to allow for proper routing both inside a private LAN and in the outside world.
- any change to the packet is treated by tunnel terminators as tampering, thus packets undergoing NAT processing are discarded as damaged.
- one aspect of the present invention provides a system for facilitating the secure communication between nodes in a workgroup by the creation of an "n"-tiered virtual private network (VPN).
- Each node preferably has the ability to transmit and receive secured data over a public network such as the Internet.
- the system comprises at least a pair of nodes, a server, a datastore linked to the server (where the datastore may be in the form of memory, a disk, a database, etc.), and a client application capable of communicating with the VPN server and securing IP-level connections towards other VPN nodes by utilizing a suite of protocols, for example the IPSec protocol suite, in particular the ESP protocol.
- the datastore further includes information pertaining to the configuration of VPNs, VPN relationships (e.g.
- the system further includes a means to intercept both incoming and outgoing data from a node so as to create a secure tunnel between an open network and a node by encrypting and decrypting data.
- the system includes a means for verification of node credentials against authentication servers. The tunnel enables data to be securely shared to VPN(s).
- the present invention is designed to facilitate the aspects of VPN functionality including but not limited to: securing communication within the VPN and VPN configuration for the exchange of secure information between VPN nodes.
- on start-up of a node within the system, the client forms a connection with the VPN server. Authentication credentials are transmitted to the VPN server, where they are validated and a connection is established. Following the creation of a secure connection between the VPN server and a node, the client application is synchronized with the VPN server by receiving and processing initial configuration information. This information includes a list of VPNs of which this particular node is a member, their respective attributes, a listing of other nodes which are members of the same VPNs as the client computer, the current status of each node in each respective VPN, and other related details.
- once a node is logged onto and synchronized with the VPN server, its client application runs in a loop so as to keep the node in sync with the rest of the VPN by sending and receiving status and configuration updates to/from the VPN server.
- the central management of the system enables the server to be informed of any change to a VPN, e.g. a node logging off, in a timely manner, where the time frame is elected by the node.
- the VPN server then relays this information to each node within the VPN, which in turn brings itself into sync with the VPN server and the rest of the system.
- This system is global by the nature of the server such that it facilitates the central management of any VPN.
- the server facilitates the ability to make changes to a VPN without having to effect changes manually at each node of a virtual private network.
- a change made to the datastore linked to the server is transmitted in a timely manner to all client computers affected by the change.
- to change the password of a VPN for each node in a network requires making that change to the datastore and, in turn, that change is transmitted to each node on the virtual private network.
- changing a password is a relatively simple task
- the ability to effect more detailed changes to a VPN requires updating only a single point in a VPN and then transmitting that data to the remaining nodes in the workgroup via the secure connection.
- the network includes the ability to automatically and securely provision security associations between nodes.
- once nodes are logged onto a VPN, they may exchange information. Outgoing data packets are intercepted and those destined to a specific VPN node are selected for further processing. When outgoing data packets are intercepted, the VPN indicates the presence of a NAT or PAT device, a firewall, gateway, or proxy server in front of the intended receiving node.
- the data packet header is modified.
- the data packet itself is encrypted as a whole and a new header is prepended to the now encrypted data packet.
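The logon, initial synchronization and change-relay behaviour described in the points above, as an added Python example that is not the patent's own code or any real product's: the server class, node names, VPN names, passwords, the update message format and the per-pair security-association secret are constructed for illustration, and an in-memory dictionary stands in for the datastore linked to the server.

```python
"""Added example (not the patent's code): an in-memory model of the centrally managed
VPN server: credential check on logon, initial sync payload, and relay of status and
configuration changes to every affected online node. All names are constructed."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """PBKDF2-SHA256 credential hash; the datastore keeps only salt and digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Node:
    name: str
    salt: bytes
    pw_hash: bytes
    status: str = "offline"
    inbox: list = field(default_factory=list)  # updates relayed to this node by the server


class VpnServer:
    def __init__(self):
        self.nodes = {}     # datastore: node name -> Node (credentials and state)
        self.vpns = {}      # datastore: VPN name -> {"members": set, "attributes": dict}
        self.sa_keys = {}   # (node, node) -> secret the server provisions for that pair

    def register(self, name: str, password: str) -> None:
        salt, digest = hash_password(password)
        self.nodes[name] = Node(name, salt, digest)

    def add_member(self, vpn: str, name: str) -> None:
        self.vpns.setdefault(vpn, {"members": set(), "attributes": {}})["members"].add(name)

    def _authenticate(self, name: str, password: str) -> bool:
        node = self.nodes.get(name)
        if node is None:
            return False
        _, digest = hash_password(password, node.salt)
        return hmac.compare_digest(digest, node.pw_hash)  # constant-time comparison

    def _peers(self, name: str) -> set:
        """Every node sharing at least one VPN with `name`."""
        peers = set()
        for vpn in self.vpns.values():
            if name in vpn["members"]:
                peers |= vpn["members"]
        return peers - {name}

    def _relay(self, origin: str, update: dict) -> None:
        """The server relays a change to each online node affected by it."""
        for peer in self._peers(origin):
            if self.nodes[peer].status == "online":
                self.nodes[peer].inbox.append(update)

    def _sa_key(self, a: str, b: str) -> bytes:
        """Security association secret, created once per pair and handed to both sides."""
        pair = tuple(sorted((a, b)))
        if pair not in self.sa_keys:
            self.sa_keys[pair] = os.urandom(32)
        return self.sa_keys[pair]

    def logon(self, name: str, password: str) -> Optional[dict]:
        """Authentication phase, then initial synchronization; None when logon fails."""
        if not self._authenticate(name, password):
            return None
        self.nodes[name].status = "online"
        self._relay(name, {"event": "status", "node": name, "status": "online"})
        memberships = {v: sorted(d["members"]) for v, d in self.vpns.items()
                       if name in d["members"]}
        peers = self._peers(name)
        return {
            "vpns": memberships,
            "peer_status": {p: self.nodes[p].status for p in peers},
            "security_associations": {p: self._sa_key(name, p) for p in peers},
        }

    def logoff(self, name: str) -> None:
        self.nodes[name].status = "offline"
        self._relay(name, {"event": "status", "node": name, "status": "offline"})

    def set_vpn_attribute(self, vpn: str, key: str, value) -> None:
        """One change to the datastore (e.g. a VPN password) relayed to every online member."""
        self.vpns[vpn]["attributes"][key] = value
        update = {"event": "config", "vpn": vpn, "attribute": key, "value": value}
        for member in self.vpns[vpn]["members"]:
            if self.nodes[member].status == "online":
                self.nodes[member].inbox.append(update)
```

The relay in `logon`, `logoff` and `set_vpn_attribute` is the single-point-of-change property the text describes: the administrator edits the datastore once, and each affected online node receives the update through its already-authenticated connection rather than being reconfigured by hand.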
- Source and destination node information is added to the prepended header and is determined by the VPN.
- the new header is referred to as an "external header" and the original packet header is referred to as the "internal header".
- the external header contains a masquerade bit which allows the receiving node to recognize the modified data packet as having a prepended external header.
- Figure 1 is a schematic diagram of an overview of a computer system
- Figure 2 is a functional block diagram detailing the method for establishing secure communication between nodes, in the computer system of figure 1;
- Figure 3 is a schematic of the computer system incorporating a plurality of types of nodes;
- Figure 4 is a schematic diagram of an overview of a computer system incorporating LAN's, a gateway, and a firewall;
- Figure 5 is a functional block diagram detailing the method for sending data over a VPN having secure communication in the computer system of figure 1;
- Figure 6 is a functional block diagram detailing the method for receiving data over a VPN having secure communication in the computer system of figure 1;
- Figure 7 is a schematic of the data packets transferred between a plurality of types of nodes on a VPN;
- Figure 8 is a schematic diagram of an overview of another embodiment of the computer system of Figure 1.
- Work Group a group of two or more individual nodes working collaboratively on a group of tasks
- each node 12 includes a client application 14 capable of communicating with server 18.
- the system 10 is arranged to enable the establishment of a secure path for communication between nodes 12 over a public network such as the Internet 22.
- the server 18 collects and distributes data collected by the client application 14 at each node 12, so as to maintain state information for each node 12.
- the server 18 tracks changes made to the datastore 20 and subsequently updates each of the nodes 12.
- the client application 14 is responsible for transmitting information to and receiving information from a second client application 14 of a node 12 and server 18.
- the server 18 also serves to generate specific node cues based on those events, such as the availability of upgrades for client application.
- the datastore 20 is linked to the server 18, and is managed so as to enable the automatic provisioning of security relationships with nodes 12 in a network.
- a network having secure communication between these nodes 12 is typically known as, and is herein referred to as, "a virtual private network" (VPN).
- the centrally managed system 10 allows for arbitrary additions, modifications, and alterations to the datastore 20 and, in turn, deploys that information through the server 18 to nodes 12 located within a virtual private network.
- the method of establishing secure communication between nodes in a work group is detailed in Figure 2.
- the client application 14 instructs the node 12 to form a connection with the server 18.
- a socket connection is formed between that same node 12 and server 18 (generally using secure socket links such as SSL/3DES socket security).
- the authentication phase 106 begins.
- the client application transmits credentials to the server 18.
- the server 18 authenticates the validity of these credentials and returns data stating the success 108 or failure 109 of the logon to the server. If the credentials are found to be invalid the process fails and ends.
- the computer system 10 allows arbitrary grouping of nodes 12 on the Internet 22 into VPNs across, for instance, network, organisational and geographical boundaries.
- the computer system 10 enables an extranet connection for example between two offices of a company 12D and 12E, each of which includes its own Intranet, to be included in a work group.
- a corporation typically will have at least one localized server 17B, 19B, which will act as server for that Intranet.
- Each node 12 within that corporation will be connected to that localized server.
- the gateway 24 includes a set of rules called security associations that are designed to control access to the VPN such that the gateway protects a plurality of nodes.
- the node 12A selects the key pair associated with the gateway 24 to provide encryption and decryption of the data. The decryption then occurs at the gateway as opposed to at the node to which the message is directed.
- decryption traditionally occurs at the device.
- the IP address of the home computer 12A is not in the range of IP addresses specified by the gateway 24.
- if the IP address falls outside the range of addresses known to the gateway 24, access may be denied to the company network.
- a virtual IP (VIP) address is typically assigned to the home user 12A.
- VIP: virtual IP
- the system memorizes the external IP header of the data packet prior to stripping it, and then adjusts the internal IP header based on the network setup. For example, a data packet traversing a NAT device arrives at the NAT device, and at this point the system is prompted to copy the destination IP address from the external header.
- a data packet traversing a PAT has both its IP header modified as well as its transport layer header translated.
- Commonly supported transport protocols are TCP and UDP.
- ICMP, while not a true transport protocol, is also generally given limited support for its ECHO messages. These three protocols are referred to as 'post-IP protocols' below.
- the masquerade allows the recipient to differentiate between masqueraded and 'true' UDP packets with a high degree of accuracy.
- the data packet's UDP header is associated with the tunnel through which it arrived, in other words with the node from which the data packet originated.
- the packet is then stripped of the UDP masquerade header to reveal the original header, and inbound ESP processing and the RNAT transformation are performed as previously outlined.
- the ESP code links plain text post-IP information to the tunnel through which it was delivered.
- a data packet leaving node B destined for node A is first subject to a regular ESP processing with compulsory Tunnel selection based on its IP and post-IP information stored during inbound processing. Once encryption of the data packet is completed, the data packet is masqueraded based on masquerading information also stored during inbound processing. Upon arrival at node A, the data packet is subject to demasquerading, regular ESP processing and RNAT transformation.
- the system provides a means to resolve a potential post-IP information ambiguity developing on node B after packet decryption.
- two nodes A1, A2 may reside behind the same PAT device and use the same source port to access the same node B port. In this case, after RNAT is applied, data packets originating from nodes A1 and A2 are indistinguishable and a reply from node B could not be routed back to the appropriate node.
- the system applies a post-IP layer overloading (similar to the PAT) to each data packet traversing the same PAT device arriving through different tunnels.
- a PAT transformation is applied to all inbound data packets to resolve ambiguities, and the reverse mapping to the originating node is performed on the outbound data packet in order to restore the post-IP headers to the peer's expectations.
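The post-IP layer overloading described in the four points above, as an added Python example that is not the patent's code: the tunnel identifiers, addresses, ports, the local port range and the table layout are constructed assumptions, and post-IP headers are represented as plain values rather than parsed packets. It models node B's side: every inbound flow gets a locally unique source port keyed by the tunnel it arrived through, so two peers with identical post-IP information after RNAT no longer collide, and replies are mapped back to the right tunnel and the port the peer expects.

```python
"""Added example (not the patent's code): post-IP overloading on the receiving node,
so that flows arriving through different tunnels with identical post-IP tuples stay
distinguishable and replies can be routed back. All values are constructed."""
from typing import Optional


class PostIpOverloader:
    """Per-node table assigning each (tunnel, post-IP tuple) a unique local source port."""

    def __init__(self, low: int = 40000, high: int = 60000):
        self.low, self.high = low, high
        self.next_port = low
        self.forward = {}   # (tunnel, proto, src_ip, src_port, dst_port) -> local port
        self.reverse = {}   # (proto, src_ip, local port, dst_port) -> (tunnel, original src_port)

    def inbound(self, tunnel: str, proto: str, src_ip: str, src_port: int, dst_port: int) -> int:
        """Applied to every inbound packet after RNAT: returns the rewritten source port."""
        key = (tunnel, proto, src_ip, src_port, dst_port)
        if key in self.forward:
            return self.forward[key]           # same flow through the same tunnel: same mapping
        if self.next_port > self.high:
            raise RuntimeError("overload port range exhausted")
        local = self.next_port
        self.next_port += 1
        self.forward[key] = local
        self.reverse[(proto, src_ip, local, dst_port)] = (tunnel, src_port)
        return local

    def outbound(self, proto: str, dst_ip: str, dst_port: int, src_port: int) -> Optional[tuple]:
        """Reverse mapping for a reply leaving node B: (tunnel, port the peer expects),
        or None when the reply does not belong to any overloaded flow."""
        return self.reverse.get((proto, dst_ip, dst_port, src_port))


if __name__ == "__main__":
    table = PostIpOverloader()
    # Two nodes behind the same PAT device (public address 203.0.113.5), both using
    # source port 5000 towards node B port 443, arriving through different tunnels.
    p1 = table.inbound("tunnel-A1", "tcp", "203.0.113.5", 5000, 443)
    p2 = table.inbound("tunnel-A2", "tcp", "203.0.113.5", 5000, 443)
    print(p1, p2, table.outbound("tcp", "203.0.113.5", p2, 443))
```

The reverse table is keyed on the reply's five-tuple as node B's stack will emit it, so the lookup on the outbound path needs nothing beyond the packet itself; the tunnel identifier recovered there is what selects the ESP tunnel and masquerade state before the reply is encrypted.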
- when a node is the intended recipient and is logged on to the VPN, the node receives a data packet 252 as shown in Figure 6.
- the interception mechanism 253 analyses the packet header 254 for the presence of a masquerade bit. If a masquerade bit is not detected, the data packet is received by the intended node 262 and is processed. When a masquerade bit is detected 256, it indicates to the system that further processing is required.
- when the receiving node is located behind a NAT/PAT box, it is the box that receives the data packet, analyzes the header, and detects the presence of a masquerade bit. Where there is no NAT/PAT box, the node itself performs the analysis and detects the masquerade bit. Once the masquerade bit is found, the external header is removed 258 to reveal the original header. This original header is examined, the packet is routed to the intended receiving node, and return data can be sent.
- Figure 7 shows the transformation of a regular data packet 70, illustrated in Figure 7a, into a modified data packet 90, illustrated in Figure 7b.
- the originating data packet 70 includes an IP header 72, a TCP header 4, and a data portion 76.
- the data packet is modified/re-written, as described in Figures 5 and 6.
- the modified data packet 90 comprises a new header 91 and a data payload 96.
- the header 91 of the modified packet 90 comprises an IP header 72b, an ESP header 93 and a masquerade bit 94.
- the data payload 96 of the modified packet 90 encapsulates the original data packet 70.
- the new header 91 is removed and the packet is processed to reveal the original data packet 70.
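The outgoing transformation (whole packet encrypted, ESP header and external IP header with masquerade bit prepended) and the incoming reversal (masquerade bit detected, external header memorized and stripped, integrity verified, original packet recovered) described for Figures 5 to 7, as an added Python example that is not the patent's code. The byte layout of the headers, the position of the masquerade bit, the truncated tag length and the cipher (an HMAC-SHA256 counter-mode keystream standing in for ESP's real transform, so the block needs only the standard library) are constructed assumptions; the addresses are documentation ranges.

```python
"""Added example (not the patent's code): outgoing and incoming packet transformations
modelled on Figures 5 to 7. Header layout, masquerade-bit position and the cipher
(HMAC-SHA256 counter-mode keystream standing in for ESP's transform) are constructed."""
import hashlib
import hmac
import os
import socket
import struct

MASQ_BIT = 0x80                         # constructed flag for masquerade bit 94
EXT_HDR = struct.Struct("!4s4sB")       # external IP header 72b: src, dst, flags
ESP_HDR = struct.Struct("!I8s")         # ESP header 93: SPI + 8-byte nonce (IV)
INNER_HDR = struct.Struct("!4s4sHH")    # IP header 72 (src, dst) + TCP header (ports)
TAG_LEN = 16                            # truncated HMAC-SHA256 integrity tag


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a stand-in, not a production cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def build_inner_packet(src_ip: str, dst_ip: str, src_port: int, dst_port: int, data: bytes) -> bytes:
    """Regular data packet 70: IP header + TCP header + data portion 76."""
    return INNER_HDR.pack(socket.inet_aton(src_ip), socket.inet_aton(dst_ip), src_port, dst_port) + data


def parse_inner_packet(pkt: bytes) -> dict:
    src, dst, sport, dport = INNER_HDR.unpack_from(pkt)
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
            "src_port": sport, "dst_port": dport, "data": pkt[INNER_HDR.size:]}


def encapsulate(inner: bytes, enc_key: bytes, mac_key: bytes,
                ext_src: str, ext_dst: str, spi: int) -> bytes:
    """Outgoing path (Figure 5): encrypt the whole packet, prepend ESP and external headers."""
    nonce = os.urandom(8)
    ciphertext = _xor(inner, _keystream(enc_key, nonce, len(inner)))
    esp = ESP_HDR.pack(spi, nonce)
    # The tag covers the ESP header and ciphertext only. The external header is left
    # out on purpose: a NAT device may legitimately rewrite its addresses in transit.
    tag = hmac.new(mac_key, esp + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    external = EXT_HDR.pack(socket.inet_aton(ext_src), socket.inet_aton(ext_dst), MASQ_BIT)
    return external + esp + ciphertext + tag


def nat_rewrite_destination(pkt: bytes, new_dst: str) -> bytes:
    """What a NAT device in front of the receiver does: rewrite the external destination."""
    src, _, flags = EXT_HDR.unpack_from(pkt)
    return EXT_HDR.pack(src, socket.inet_aton(new_dst), flags) + pkt[EXT_HDR.size:]


def receive(pkt: bytes, enc_key: bytes, mac_key: bytes) -> dict:
    """Incoming path (Figure 6): masquerade-bit check, external header memorized and
    stripped, integrity verified, original packet 70 recovered."""
    if len(pkt) < EXT_HDR.size or not pkt[EXT_HDR.size - 1] & MASQ_BIT:
        return {"masqueraded": False, "packet": pkt}      # regular packet, delivered as-is
    src, dst, _ = EXT_HDR.unpack_from(pkt)
    external = {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}  # kept for RNAT
    body = pkt[EXT_HDR.size:]
    esp, ciphertext, tag = body[:ESP_HDR.size], body[ESP_HDR.size:-TAG_LEN], body[-TAG_LEN:]
    expected = hmac.new(mac_key, esp + ciphertext, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed: packet discarded as damaged")
    spi, nonce = ESP_HDR.unpack(esp)
    inner = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    return {"masqueraded": True, "spi": spi, "external": external, "inner": parse_inner_packet(inner)}


if __name__ == "__main__":
    k_enc, k_mac = os.urandom(32), os.urandom(32)
    original = build_inner_packet("10.0.0.5", "10.0.0.9", 5000, 443, b"hello")
    wire = encapsulate(original, k_enc, k_mac, "203.0.113.5", "198.51.100.7", 0x1001)
    print(receive(nat_rewrite_destination(wire, "192.168.1.20"), k_enc, k_mac))
```

Two design points are worth checking against the text. The integrity tag deliberately excludes the external header, so the destination rewrite that `nat_rewrite_destination` simulates does not make the receiver discard the packet as damaged, which is exactly the failure of conventional tunnel terminators described in the NAT point earlier; any change to the encrypted original packet, however, still fails verification. And `receive` records the external header before stripping it, which is the information a subsequent RNAT step would use to adjust the internal header.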
- secure IP communication using end-to-end security between any two nodes 12 over the Internet 22 is established with only minimal assumptions about any particular node's connectivity privileges. This is accomplished by applying IPSec transformations to incoming and outgoing IP packets at the transport layer and then transforming these processed packets so they appear to be an SSL protocol session until received by the destination node.
- the node (base configuration) preferably includes:
- an IP address, which may be non-unique, and a connection to the Internet
- the optimal configuration for a node (recommended configuration) is defined as follows:
- At least one node in each pair supports at least the recommended configuration, and the other node supports at least the minimum configuration.
- the system requires that only one of a pair of nodes may be located behind a firewall.
- the recommended encryption level for data in transit is 3DES.
- the system in the preferred embodiment, accesses both:
- the computer system 10 may be run on a diverse set of operating systems and hardware platforms such as OpenBSD, UNIX, Windows NT, Windows 95/98, Linux, and Solaris.
- a system 50 comprises VPN servers 44, which function as central policy management for establishing and facilitating VPN operation.
- the system 50 further comprises at least a pair of database servers 40 and a Round-Robin Domain Name Server (DNS) 42 in a distributed, fully integrated environment.
- DNS: Round-Robin Domain Name Server
- the DNS server 42 assures homogeneous distribution of the data load across the VPN servers 44.
- Connectivity between VPN servers 44 and the database servers 40 is implemented so as to support several modes of communication including but not limited to open database connectivity (ODBC), Java Database Connectivity (JDBC) or any other database connectivity interface.
- the database servers 40 are mutually synchronized to keep the data contents current and up-to-date.
- the content of each database server 40 is identical such that, should one database server 40 crash, each of the VPN servers 44 connected to that failed database server 40 may automatically reconnect to another available non-failed database server.
- the VPN server 44 may operate in either a standalone or a distributed environment.
- the nodes 12 participating in a VPN may be connected to the same VPN server 44; as the VPN servers 44 are synchronized, a node may log onto any VPN server 44 and participate in a VPN of which it is a member. As the system 50 is fully synchronized, forwarding from one VPN server 44 to another is not necessary. Each event or revised attribute of a node 12 or server 44 is distributed to the entire system 50 directly by the original sender. Synchronization enables VPN nodes to see one another as if they were physically connected to the same VPN server 44.
- the system 50 employs a variety of communication protocols utilized within the VPN environment so as to facilitate communication between the VPN server 44 and its nodes 12 across the open network environment.
- communication within the system 50 occurs at a "secure sockets layer" (SSL) underneath any security attributes.
- SSL: secure sockets layer
- the system, however, further enables communication at the application layer in one embodiment.
- Such communication may be in the form of the following:
- when a VPN node 12 goes online, the node 12 submits its authentication credentials, which are validated on the server side. The node 12 may enter another state of communication once the authentication credentials have been approved.
- the system 50 supports two ways of authentication, using either a user name and password or client-side certificates; however, authentication is not limited to these two types. b) Proxy authentication of users:
- the credential(s) are validated against an external data repository, for example Lightweight Directory Access Protocol (LDAP), Radius, or a Windows NT/2000 domain.
- LDAP: Lightweight Directory Access Protocol
- Each VPN node 12 generally possesses a common secret such as a private key which is passed to the IPSec layer and is used to protect the respective data traffic.
- This secret may be created by the VPN server 44 and distributed to the appropriate VPN node or the secret may be created locally at the node 12 and submitted to a second node in a secure and private manner through the VPN server 44.
- the common secret for example may be a symmetric key, "Internet key exchange” (IKE) so as to allow secured node-to-node communication.
- IKE: Internet key exchange
Landscapes
- Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
- Telephonic Communication Services (AREA)
Abstract
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| AU2001281622A AU2001281622A1 (en) | 2000-08-18 | 2001-08-20 | Method and apparatus for data communication between a plurality of parties |
Applications Claiming Priority (4)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US64079500A | 2000-08-18 | 2000-08-18 | |
| US09/640,795 | 2000-08-18 | | |
| US66024500A | 2000-09-12 | 2000-09-12 | |
| US09/660,245 | 2000-09-12 | | |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| WO2002017558A2 (fr) | 2002-02-28 |
| WO2002017558A3 (fr) | 2003-05-01 |
Family
ID=27093631
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| PCT/CA2001/001157 Ceased WO2002017558A2 (fr) | 2000-08-18 | 2001-08-20 | Method and apparatus for data communication between a plurality of parties |
Country Status (2)
| Country | Link |
|---|---|
| AU (1) | AU2001281622A1 (fr) |
| WO (1) | WO2002017558A2 (fr) |
Cited By (15)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2003007561A1 (fr) * | 2001-07-13 | 2003-01-23 | Ssh Communications Security Corp | Method for obtaining a secure network |
| US6631416B2 (en) | 2000-04-12 | 2003-10-07 | Openreach Inc. | Methods and systems for enabling a tunnel between two computers on a network |
| WO2005117392A1 (fr) * | 2004-05-17 | 2005-12-08 | Thomson Licensing | Methods and apparatus for managing access to a virtual private network for portable devices without a VPN client |
| US6996628B2 (en) | 2000-04-12 | 2006-02-07 | Corente, Inc. | Methods and systems for managing virtual addresses for virtual networks |
| US7028333B2 (en) | 2000-04-12 | 2006-04-11 | Corente, Inc. | Methods and systems for partners in virtual networks |
| US7028334B2 (en) | 2000-04-12 | 2006-04-11 | Corente, Inc. | Methods and systems for using names in virtual networks |
| US7047424B2 (en) | 2000-04-12 | 2006-05-16 | Corente, Inc. | Methods and systems for hairpins in virtual networks |
| US7085854B2 (en) | 2000-04-12 | 2006-08-01 | Corente, Inc. | Methods and systems for enabling communication between a processor and a network operations center |
| WO2006106434A1 (fr) * | 2005-04-04 | 2006-10-12 | Nokia Corporation | Management device in a communication system |
| US7181766B2 (en) | 2000-04-12 | 2007-02-20 | Corente, Inc. | Methods and system for providing network services using at least one processor interfacing a base network |
| US7181542B2 (en) | 2000-04-12 | 2007-02-20 | Corente, Inc. | Method and system for managing and configuring virtual private networks |
| US7395354B2 (en) | 2002-02-21 | 2008-07-01 | Corente, Inc. | Methods and systems for resolving addressing conflicts based on tunnel information |
| US7533409B2 (en) | 2001-03-22 | 2009-05-12 | Corente, Inc. | Methods and systems for firewalling virtual private networks |
| US20120096540A1 (en) * | 2010-10-15 | 2012-04-19 | Phoenix Contact Gmbh & Co. Kg | Process for establishing a vpn connection between two networks |
| US20220360566A1 (en) * | 2015-07-31 | 2022-11-10 | Nicira, Inc. | Distributed tunneling for vpn |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US6092200A (en) * | 1997-08-01 | 2000-07-18 | Novell, Inc. | Method and apparatus for providing a virtual private network |
2001
- 2001-08-20 WO PCT/CA2001/001157 patent/WO2002017558A2/fr not_active Ceased
- 2001-08-20 AU AU2001281622A patent/AU2001281622A1/en not_active Abandoned
Cited By (19)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7181766B2 (en) | 2000-04-12 | 2007-02-20 | Corente, Inc. | Methods and system for providing network services using at least one processor interfacing a base network |
| US6631416B2 (en) | 2000-04-12 | 2003-10-07 | Openreach Inc. | Methods and systems for enabling a tunnel between two computers on a network |
| US7181542B2 (en) | 2000-04-12 | 2007-02-20 | Corente, Inc. | Method and system for managing and configuring virtual private networks |
| US6996628B2 (en) | 2000-04-12 | 2006-02-07 | Corente, Inc. | Methods and systems for managing virtual addresses for virtual networks |
| US7028333B2 (en) | 2000-04-12 | 2006-04-11 | Corente, Inc. | Methods and systems for partners in virtual networks |
| US7028334B2 (en) | 2000-04-12 | 2006-04-11 | Corente, Inc. | Methods and systems for using names in virtual networks |
| US7047424B2 (en) | 2000-04-12 | 2006-05-16 | Corente, Inc. | Methods and systems for hairpins in virtual networks |
| US7085854B2 (en) | 2000-04-12 | 2006-08-01 | Corente, Inc. | Methods and systems for enabling communication between a processor and a network operations center |
| US7533409B2 (en) | 2001-03-22 | 2009-05-12 | Corente, Inc. | Methods and systems for firewalling virtual private networks |
| WO2003007561A1 (fr) * | 2001-07-13 | 2003-01-23 | Ssh Communications Security Corp | Method for obtaining a secure network |
| US7395354B2 (en) | 2002-02-21 | 2008-07-01 | Corente, Inc. | Methods and systems for resolving addressing conflicts based on tunnel information |
| WO2005117392A1 (fr) * | 2004-05-17 | 2005-12-08 | Thomson Licensing | Methods and apparatus for managing access to a virtual private network for portable devices without a VPN client |
| WO2006106434A1 (fr) * | 2005-04-04 | 2006-10-12 | Nokia Corporation | Management device in a communication system |
| US20120096540A1 (en) * | 2010-10-15 | 2012-04-19 | Phoenix Contact Gmbh & Co. Kg | Process for establishing a vpn connection between two networks |
| CN102457421A (zh) * | 2010-10-15 | 2012-05-16 | Phoenix Contact GmbH & Co. KG | Method for establishing a VPN connection between two networks |
| EP2442527A3 (fr) * | 2010-10-15 | 2013-03-20 | Phoenix Contact GmbH & Co. KG | Method for creating a VPN connection between two networks |
| US8918859B2 (en) * | 2010-10-15 | 2014-12-23 | Phoenix Contact Gmbh & Co. Kg | Process for establishing a VPN connection between two networks |
| CN102457421B (zh) * | 2010-10-15 | 2015-04-22 | Phoenix Contact GmbH & Co. KG | Method for establishing a VPN connection between two networks |
| US20220360566A1 (en) * | 2015-07-31 | 2022-11-10 | Nicira, Inc. | Distributed tunneling for vpn |
Also Published As
| Publication number | Publication date |
|---|---|
| WO2002017558A3 (fr) | 2003-05-01 |
| AU2001281622A1 (en) | 2002-03-04 |
Similar Documents
| Publication | Title |
|---|---|
| US20020124090A1 (en) | Method and apparatus for data communication between a plurality of parties |
| US11283772B2 (en) | Method and system for sending a message through a secure connection |
| US10805113B2 (en) | Application transmission control protocol tunneling over the public internet |
| US7086086B2 (en) | System and method for maintaining N number of simultaneous cryptographic sessions using a distributed computing environment |
| US7949785B2 (en) | Secure virtual community network system |
| US6484257B1 (en) | System and method for maintaining N number of simultaneous cryptographic sessions using a distributed computing environment |
| EP1304830B1 (fr) | Virtual private network management |
| US7509491B1 (en) | System and method for dynamic secured group communication |
| US7231664B2 (en) | System and method for transmitting and receiving secure data in a virtual private group |
| US6092200A (en) | Method and apparatus for providing a virtual private network |
| US7774837B2 (en) | Securing network traffic by distributing policies in a hierarchy over secure tunnels |
| US20040249974A1 (en) | Secure virtual address realm |
| US20040249973A1 (en) | Group agent |
| EP3923540B1 (fr) | Improved privacy-preserving access to a VPN service through multiple network address changes |
| WO2003062992A1 (fr) | Automatic configuration of devices for secure network communication |
| EP4323898B1 (fr) | Computer-implemented methods and systems for establishing and/or controlling network connectivity |
| US7716724B2 (en) | Extensible authentication protocol (EAP) state server |
| WO2002017558A2 (fr) | Method and apparatus for data communication between a plurality of parties |
| US20040243837A1 (en) | Process and communication equipment for encrypting e-mail traffic between mail domains of the internet |
| US8104082B2 (en) | Virtual security interface |
| JP2008508573A (ja) | Improvements relating to secure communications |
| US20050086533A1 (en) | Method and apparatus for providing secure communication |
| US20080222693A1 (en) | Multiple security groups with common keys on distributed networks |
| CA2323221A1 (fr) | Method and apparatus for transmitting data between a number of correspondents |
| CA2316428A1 (fr) | System and method for providing a virtual private network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | AK | Designated states | Kind code of ref document: A2. Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PH PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
| | AL | Designated countries for regional patents | Kind code of ref document: A2. Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG |
| | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
| | DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
| | REG | Reference to national code | Ref country code: DE. Ref legal event code: 8642 |
| | 122 | Ep: pct application non-entry in european phase | |
| | NENP | Non-entry into the national phase | Ref country code: JP |