1. Field of the Invention
The present invention relates to wireless communications and, more particularly, to a method and system for initiating a virtual private network over a shared network on behalf of a wireless terminal.
2. Description of Related Art
In a wireless network, a wireless terminal such as a cellular telephone or a computer with wireless modem may exchange signals with a radio access network. The radio access network may have a base transceiver station (BTS), which, in turn, communicates with a base station controller (BSC). The BSC may be coupled to a packet data serving node (PDSN) and/or a mobile switching center (MSC) and interworking function (IWF). The PDSN and the IWF may provide connectivity with a shared network, such as the Internet. The wireless terminal may communicate with a resource, such as a computer, on the shared network via the BTS, BSC, and PDSN or the BTS, BSC, MSC and IWF.
The radio access network and the shared network typically carry packets. Each of the packets is defined by a payload and a header. The payload has data, e.g., voice, video, or web content, to be transported over the radio access network and the shared network. The header has control information used by network elements on the radio access network and the shared network. The control information may include a source address and a destination address of the packet. The network elements may use the source address and the destination address to route the packet to a destination, e.g., the wireless terminal or the resource.
The wireless terminal typically initiates a virtual private network (VPN) over the radio access network and the shared network to securely transport the packets between the wireless terminal and the resource. The VPN securely transports the packets either by encrypting each packet as a whole, header and payload, and carrying it inside a new packet (tunnel mode) or, alternatively, by encrypting only the payload of each packet while leaving its header in the clear (transport mode).
IPSec is a framework of open standards published by the Internet Engineering Task Force (IETF) for initiating the VPN. IPSec provides confidentiality and integrity of data communications. IPSec provides methods for exchanging encryption/decryption keys with the endpoints of the VPN (e.g., via the Internet Key Exchange, IKE), using the keys to encrypt and decrypt the payload of the packet, verifying that the packet has not been altered in transit, and adding headers to the packets. As a result, the packets can be securely transported over both the radio access network and the shared network.
The wireless terminal typically initiates the VPN so that the VPN spans both the radio access network and the shared network. The wireless terminal initiates the VPN by exchanging the encryption/decryption keys with the resource. Using the encryption key, the wireless terminal encrypts the payload of the packet. Alternatively, the wireless terminal may encrypt both the header and the payload of the packet. Then, the wireless terminal may insert the packet, as encrypted, into another packet having a source address of the wireless terminal and a destination address of the resource.
The wireless terminal sends the packet over both the radio access network and the shared network to the resource. Network elements route the packet over both the radio access network and the shared network using the source and destination addresses in the outer header of the packet; they cannot read the encrypted contents. Upon receiving the packet, the resource uses the decryption key to decrypt the payload of the packet and, if the header was encrypted as well, the header of the packet. The decryption key allows for recovering the payload of the packet as the payload existed prior to encryption.
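The two encapsulations described above, payload-only encryption and whole-packet encryption inside a new outer packet, as an added example that is not part of the original description and not IPSec itself. The packet header is a constructed eight-byte layout (IPv4 source, IPv4 destination); the cipher is a stand-in built from the Python standard library (an HMAC-SHA256 keystream with an encrypt-then-MAC tag) because the standard library ships no block cipher, and the addresses and key are constructed test values. The example shows what a network element on the route can read from each form and that a modified packet is rejected rather than decrypted.

```python
"""Toy model of payload-only ("transport") and whole-packet ("tunnel")
VPN encapsulation.  Added example; not IPSec and not the method of the
description above.  Header layout, addresses and key are constructed."""
import hashlib
import hmac
import os
import socket
import struct

HDR_FMT = ">4s4s"               # constructed header: IPv4 source, IPv4 destination
HDR_LEN = struct.calcsize(HDR_FMT)
NONCE_LEN = 12
TAG_LEN = 16


def build_packet(src: str, dst: str, payload: bytes) -> bytes:
    """Header (source, destination) followed by the payload."""
    return struct.pack(HDR_FMT, socket.inet_aton(src), socket.inet_aton(dst)) + payload


def parse_packet(pkt: bytes):
    """What a network element reads: both addresses, then an opaque body."""
    src, dst = struct.unpack(HDR_FMT, pkt[:HDR_LEN])
    return socket.inet_ntoa(src), socket.inet_ntoa(dst), pkt[HDR_LEN:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 over (nonce || counter).
    # Not an IPSec cipher; used only because the stdlib has no AES.
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag (confidentiality and integrity)."""
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Check the tag before decrypting; any alteration is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated packet")
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# Payload-only encryption: the original header stays readable for routing.
def transport_encap(key: bytes, pkt: bytes) -> bytes:
    return pkt[:HDR_LEN] + seal(key, pkt[HDR_LEN:])


def transport_decap(key: bytes, pkt: bytes) -> bytes:
    return pkt[:HDR_LEN] + unseal(key, pkt[HDR_LEN:])


# Whole-packet encryption: the encrypted packet (header and payload) becomes
# the payload of a new packet addressed from the terminal to the resource.
def tunnel_encap(key: bytes, inner_pkt: bytes, outer_src: str, outer_dst: str) -> bytes:
    return build_packet(outer_src, outer_dst, seal(key, inner_pkt))


def tunnel_decap(key: bytes, outer_pkt: bytes) -> bytes:
    _, _, sealed = parse_packet(outer_pkt)
    return unseal(key, sealed)


if __name__ == "__main__":
    key = hashlib.sha256(b"constructed shared key").digest()
    inner = build_packet("10.0.0.5", "10.0.0.9", b"GET /status")   # constructed
    outer = tunnel_encap(key, inner, "203.0.113.7", "198.51.100.1")
    print("router sees (tunnel):   ", parse_packet(outer)[:2])
    print("router sees (transport):", parse_packet(transport_encap(key, inner))[:2])
    print("resource recovers:      ", parse_packet(tunnel_decap(key, outer)))
```

In the whole-packet form the only addresses visible on the radio access network and the shared network are those of the VPN endpoints; the inner addresses and payload are recovered only after the tag verifies. The stand-in cipher is for illustration and should be replaced by a standard authenticated cipher in any real deployment.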
Thus, the VPN allows the wireless terminal to exchange packets with the resource over both the radio access network and the shared network without loss of confidentiality or integrity of the data in the payload. The source and destination addresses in the outer header, which the network elements need for routing, necessarily remain readable along the route.