1. Field of the Invention
The present invention relates to network technology. More particularly, the present invention relates to establishing virtual private network (“VPN”) tunnels for a user whose IP address is not known in advance, known in the art and referred to herein as a “road warrior.”
2. Description of the Related Art
Increasingly, users desire to access a private network securely via the Internet. The private network may be, for example, a home network, the private network of a business or other entity, etc. One commonly used method for accomplishing this goal is to establish a VPN tunnel, which to a user seems like a point-to-point connection between the user and the private network, but which does not allow an unauthorized third party to “snoop” the communications on the VPN tunnel. There are several methods and protocols known in the art for setting up VPN tunnels. One such well-known protocol is known as Internet Protocol Security (“IPSec”).
An overview of one method for establishing a VPN tunnel between known IP addresses will now be described with reference to FIG. 1. Here, private network 101 includes user PC 105. In this example, the user wants to establish a VPN tunnel between PC 105 and server 125 in private network 121.
Security gateways 110 and 120 control communications between Internet 115 and private networks 101 and 121, respectively. Accordingly, security gateways 110 and 120 provide firewall and network address translation functions for private networks 101 and 121. Moreover, security gateways 110 and 120 will negotiate the parameters of a desired VPN tunnel, e.g., the types of authentication and encryption. Security gateway 110 will detect packets destined for a VPN tunnel (for example, because the destination is the address of server 125 within private network 121), encrypt the packets and encapsulate them with a header indicating security gateways 110 and 120 as the IP source and destination. Security gateway 120 receives the packet, strips off the encapsulation and decrypts the contents of the packet. Then, security gateway 120 reads the destination address and forwards the packet to server 125.
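The gateway-to-gateway exchange just described, as an added illustration that is not part of the patent and not an implementation of IPSec: each gateway decides by destination subnet whether a packet belongs to the tunnel, encrypts the whole inner packet (its own header included) and wraps it in an outer packet addressed from one gateway to the other; the peer checks the outer header, strips it, authenticates and decrypts, and forwards by the inner destination. AES-GCM stands in for the negotiated cipher and integrity check, the tunnel key is assumed to have been agreed beforehand (key negotiation is out of scope here), and the addresses and key are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"net"
)

// Packet is a simplified IPv4 packet carrying only what this example needs.
type Packet struct {
	Src, Dst net.IP
	Payload  []byte
}

// Tunnel is one gateway's view of a negotiated tunnel. The key is assumed to have
// been negotiated already; how that happens is not shown here.
type Tunnel struct {
	LocalGW   net.IP      // this gateway's public address (outer source when sending)
	RemoteGW  net.IP      // peer gateway's public address (outer destination when sending)
	RemoteNet *net.IPNet  // private subnet behind the peer; traffic for it is tunneled
	aead      cipher.AEAD // AES-GCM keyed with the per-tunnel key
}

// NewTunnel builds tunnel state from the negotiated parameters and a 16/24/32-byte AES key.
func NewTunnel(localGW, remoteGW net.IP, remoteNet *net.IPNet, key []byte) (*Tunnel, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Tunnel{LocalGW: localGW, RemoteGW: remoteGW, RemoteNet: remoteNet, aead: aead}, nil
}

// marshal flattens the inner packet: 4-byte src, 4-byte dst, then the payload.
func marshal(p Packet) []byte {
	out := make([]byte, 0, 8+len(p.Payload))
	out = append(out, p.Src.To4()...)
	out = append(out, p.Dst.To4()...)
	return append(out, p.Payload...)
}

// unmarshal reverses marshal, rejecting buffers too short to hold the header.
func unmarshal(b []byte) (Packet, error) {
	if len(b) < 8 {
		return Packet{}, errors.New("inner packet too short")
	}
	return Packet{
		Src:     net.IPv4(b[0], b[1], b[2], b[3]),
		Dst:     net.IPv4(b[4], b[5], b[6], b[7]),
		Payload: append([]byte(nil), b[8:]...),
	}, nil
}

// outerAAD binds the outer source and destination into the authentication tag, so a
// ciphertext captured on one gateway pair is not accepted by another.
func outerAAD(src, dst net.IP) []byte {
	return append(append([]byte(nil), src.To4()...), dst.To4()...)
}

// Encapsulate is the sending gateway's job: traffic for the peer's private network is
// encrypted whole and wrapped in an outer packet from LocalGW to RemoteGW. Anything
// else is returned unchanged with tunneled=false so the caller routes it normally.
func (t *Tunnel) Encapsulate(p Packet) (outer Packet, tunneled bool, err error) {
	if !t.RemoteNet.Contains(p.Dst) {
		return p, false, nil
	}
	if p.Src.To4() == nil || p.Dst.To4() == nil {
		return Packet{}, false, errors.New("only IPv4 inner packets are supported in this example")
	}
	nonce := make([]byte, t.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Packet{}, false, err
	}
	// Outer payload = nonce || AES-GCM(inner packet, aad = outer addresses).
	ct := t.aead.Seal(nil, nonce, marshal(p), outerAAD(t.LocalGW, t.RemoteGW))
	return Packet{Src: t.LocalGW, Dst: t.RemoteGW, Payload: append(nonce, ct...)}, true, nil
}

// Decapsulate is the receiving gateway's job: verify the outer header names the peer
// gateway, strip it, authenticate and decrypt, and return the inner packet, whose own
// destination the gateway then uses for forwarding. Any failure drops the packet.
func (t *Tunnel) Decapsulate(outer Packet) (Packet, error) {
	if !outer.Src.Equal(t.RemoteGW) || !outer.Dst.Equal(t.LocalGW) {
		return Packet{}, errors.New("outer header does not match this tunnel's gateways")
	}
	ns := t.aead.NonceSize()
	if len(outer.Payload) < ns+t.aead.Overhead() {
		return Packet{}, errors.New("outer payload too short")
	}
	nonce, ct := outer.Payload[:ns], outer.Payload[ns:]
	// From the receiver's side the peer is the outer source and we are the destination.
	plain, err := t.aead.Open(nil, nonce, ct, outerAAD(t.RemoteGW, t.LocalGW))
	if err != nil {
		return Packet{}, fmt.Errorf("authentication failed, packet dropped: %w", err)
	}
	return unmarshal(plain)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed demo key, not a negotiated one
	_, netA, _ := net.ParseCIDR("10.0.0.0/16") // constructed private network behind gateway A
	_, netB, _ := net.ParseCIDR("10.1.0.0/16") // constructed private network behind gateway B
	gwA, _ := NewTunnel(net.ParseIP("203.0.113.10"), net.ParseIP("198.51.100.20"), netB, key)
	gwB, _ := NewTunnel(net.ParseIP("198.51.100.20"), net.ParseIP("203.0.113.10"), netA, key)

	inner := Packet{Src: net.ParseIP("10.0.0.5"), Dst: net.ParseIP("10.1.0.25"), Payload: []byte("hello server")}
	outer, tunneled, err := gwA.Encapsulate(inner)
	if err != nil || !tunneled {
		panic("expected the packet to be tunneled")
	}
	fmt.Printf("outer %s -> %s carrying %d opaque bytes\n", outer.Src, outer.Dst, len(outer.Payload))
	got, err := gwB.Decapsulate(outer)
	if err != nil {
		panic(err)
	}
	fmt.Printf("gateway B forwards %q to %s\n", got.Payload, got.Dst)
}
```

Two points worth noticing when running it: a packet whose destination is outside the peer's subnet is never encrypted, which is the "detect packets destined for a VPN tunnel" step, and any modification of the outer payload, or a peer holding a different key, makes Decapsulate return an error rather than a partially decrypted packet.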
Establishing a VPN tunnel between a private network and a road warrior is more problematic, primarily because the IP address of the road warrior is not known in advance. Some methods solve the problem by using digital certificates for authentication. A digital certificate is a one-way hash, which is a way of encoding information that only the road warrior's PC knows. The hash is then “signed” by a reputable certification authority, such as a third-party authentication server controlled by, for example, VeriSign™. On the other end, a public key of the certification authority is used to view the contents and determine whether the packet includes an authorized IP address.
Using digital certificates is an effective, but somewhat cumbersome, method of establishing a VPN tunnel between a private network and a road warrior. Digital certificates require a substantial amount of infrastructure, including the involvement of a third-party certification authority. The complexity and expense of this involvement make the use of digital certificates less than optimal for, e.g., forming a VPN tunnel to a home network.
Other methods enable any IP address to establish a VPN tunnel (for example, an IPSec tunnel) using a particular widely shared secret. However, it is well known that such widely shared secrets can easily be discovered and used by unauthorized persons. These “shared secrets” are shared by everyone involved and are not separate secrets for each client.
It would be desirable to implement improved methods for forming a VPN tunnel between a road warrior and a private network, particularly when the private network is a home network.