1. Technical Field of the Invention
This invention pertains to network communications. More particularly, it relates to network address translation (NAT) propagation over nested virtual private network (VPN) tunnels, or connections, with coincident local endpoints.
2. Background Art
An important use of virtual private networking (VPN) is to allow a remote user or small branch office to connect to an enterprise via the Internet. The basic scenario for so doing is illustrated in FIG. 1. Personal computer (PC) 10 represents a remote user, or client, connecting through an Internet Service Provider (ISP, such as SprintNet, AT&T, AOL, or the like) 12 via Internet 14 to a VPN gateway 16 (also referred to as an enterprise gateway) for the enterprise. Typically in this scenario the user at PC 10 desires to connect to some server, such as a Lotus Notes server, within the internal network 18 of a company or enterprise.
A typical configuration for connecting PC 10 to a server within internal network 18 uses two VPN connections (also referred to as tunnels), t1 20 and t2 22. Connection t1 20 begins at ISP 12 and ends at gateway 16.
Connection t2 22 begins at PC 10, is nested within connection t1 20, and then continues on to the company server internal to network 18. (By “Internet”, reference is made to a specific internet, the one usually referred to today. This “Internet” is implemented by a well-defined set of system routers, available from many vendors. By “internet”, reference is usually made to any network that has its own well-defined domain, routing, and other properties. These networks are usually TCP/IP based.) ISPs 12 are generally located outside of Internet 14, but not always. IBM, for example, connects directly to an AT&T ISP which is inside the Internet.
If PC 10 has a dedicated, or permanent, Internet Protocol (IP) address, this all works fine. However, it is much more likely that PC 10 has an IP address which is dynamically assigned by ISP 12 and which may, in general, come from one of several designated private IP address ranges. This raises the possibility, if not the likelihood, that the same IP address will be assigned to a plurality of clients 10 seeking access through gateway 16. To support such remote users 10, the company gateway 16 needs some way to handle the dynamically assigned and possibly overlapping IP addresses assigned to these remote systems, and to allow their traffic through to its internal network 18.
Network address translation (NAT) is a widely deployed approach by which an enterprise can support remote users while avoiding address collisions within its own internal network. However, NAT is incompatible with VPN for architectural reasons. U.S. patent application Ser. No. 09/240,720, now U.S. Pat. No. 6,615,357, issued 2 Sep. 2003, and other applications therein referenced, provide a solution that integrates NAT with VPN.
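The following is an added illustration, not code from the patent or its cited applications, of the address-collision problem described above: two remote clients arrive at the enterprise gateway over separate tunnels with the same ISP-assigned private address, and the gateway keeps them distinct by keying its translation table on the tunnel as well as the client address. The class name, the pool range and the tunnel identifiers are hypothetical values chosen for the example.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network


@dataclass
class VpnNatGateway:
    """Hypothetical gateway-side NAT keyed by (tunnel, client address).

    A plain NAT keyed only on the client's source address cannot tell two
    remote clients apart once both have been assigned the same private IP;
    including the tunnel in the key restores the distinction.
    """
    pool: IPv4Network                       # internal addresses handed to remote clients
    _free: list = field(init=False)
    _fwd: dict = field(default_factory=dict)   # (tunnel_id, client_ip) -> pool address
    _rev: dict = field(default_factory=dict)   # pool address -> (tunnel_id, client_ip)

    def __post_init__(self) -> None:
        self._free = list(self.pool.hosts())

    def inbound(self, tunnel_id: str, src: str) -> str:
        """Packet from a remote client over tunnel_id; returns the address the internal net sees."""
        key = (tunnel_id, IPv4Address(src))
        if key not in self._fwd:
            if not self._free:
                raise RuntimeError("NAT pool exhausted")
            mapped = self._free.pop(0)
            self._fwd[key] = mapped
            self._rev[mapped] = key
        return str(self._fwd[key])

    def outbound(self, dst: str) -> tuple:
        """Reply from the internal network to dst; returns (tunnel_id, client_ip) to deliver it on."""
        tunnel_id, client_ip = self._rev[IPv4Address(dst)]
        return tunnel_id, str(client_ip)

    def release(self, tunnel_id: str) -> int:
        """Drop every mapping for a closed tunnel and return its addresses to the pool."""
        gone = [k for k in self._fwd if k[0] == tunnel_id]
        for k in gone:
            mapped = self._fwd.pop(k)
            del self._rev[mapped]
            self._free.append(mapped)
        return len(gone)


def demo() -> tuple:
    gw = VpnNatGateway(IPv4Network("192.168.200.0/29"))   # constructed pool
    # Constructed scenario: both clients were dynamically assigned 10.0.0.5 by their ISPs.
    a = gw.inbound("t2-clientA", "10.0.0.5")
    b = gw.inbound("t2-clientB", "10.0.0.5")
    return a, b, gw.outbound(a), gw.outbound(b)
```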
It is an object of the invention to provide an improved method and system for managing connections within a communications system.
It is a further object of the invention to provide an improved method and system for connecting a remote client to an enterprise network through a local gateway.
It is a further object of the invention to provide a method and system for enabling an enterprise gateway to handle dynamically assigned IP addresses from remote clients.
It is a further object of the invention to provide an improved method and system for supporting nested connections with coincident endpoints.
It is a further object of the invention to provide a method and system for supporting automatically nested connections with coincident endpoints (without requiring customer configuration).
It is a further object of the invention to provide a method and system for implementing nested connections by automatically detecting and establishing connections so as to achieve a nested implementation.
It is a further object of the invention to provide a system and method which extends VPN NAT to include support for nested connections with coincident endpoints, without requiring any special configuration for the inner (nested) VPN connection, with respect to VPN NAT.
It is a further object of the invention to provide a method and system for providing, without customer configuration, tunnel or transport mode IP security (IPsec) at a remote endpoint, with the VPN role of the remote endpoint being host or gateway, with L2TP supported within the internal connection, and with an arbitrary level of connection nesting.