Mobile wireless devices with connectivity to wireless networks such as cellular networks and IEEE 802.11x (WiFi) networks are increasing in popularity. Ideally, mobile devices allow users to connect to their target network from anywhere, at anytime. The virtual private network (VPN) approach has been the dominant choice for secure connectivity between mobile wireless devices and networks.
Unlike stationary devices, mobile devices move from one network to another network. As such, a mobile device's network attachment is not fixed. Depending on the location of the mobile device and the available wireless networks in its vicinity, a mobile device can attach to different networks at different times.
In the Internet Protocol version 4 (IPv4) network infrastructure, each time a mobile device attaches to a network, the mobile device receives a different network address. Such mobility, however, breaks the VPN connection because a VPN connection assumes that the VPN endpoints (i.e., the VPN client and the VPN server) have persistent IP addresses. For a mobile wireless device, the VPN client IP address changes during network handoff from one wireless network to another.
To overcome this problem, a conventional approach has been to use Internet Protocol Security (IPSec) over a Mobile IP tunnel, which assumes that the mobile wireless device has a mobile IP address as opposed to a regular IP address. The mobile IP address does not change when a mobile wireless device moves from one network to another network, and therefore, the mobile wireless device has a persistent IP address. This approach uses IPSec VPN technology to establish a VPN over the mobile IP.
Such an approach, however, has several disadvantages. The first disadvantage is that it is tied to a specific IP technology, namely, the mobile IP. With the slow adoption of mobile IP, a large number of the mobile wireless devices will not have mobile IP in the foreseeable future. The second disadvantage is that such an approach requires a particular VPN technology, namely, the IPSec VPN. IPSec VPN requires each mobile wireless device to have the IPSec in the operating system kernel, which is difficult to configure. The third disadvantage of such an approach is that using tunnels is inefficient and difficult to manage.
A technical trend in the VPN technology has been to use Secure Socket Layer/Transport Layer Security (SSL/TLS) as the base for the VPN connection. A SSL/TLS VPN establishes a VPN over a SSL/TLS connection. The current SSL/TLS VPN connection breaks when a mobile device moves from one network to another, because the SSL/TLS connection is lost when a mobile wireless device moves out of a network, and therefore, a new SSL/TLS connection must be established when the mobile wireless device moves into another network.
A conventional approach for maintaining a connection between a VPN server and a mobile device is to use a migratable socket. A migratable socket maintains an open socket regardless of the mobile device's network attaching point. Once the socket is maintained, upper layer protocols, such as SSL/TLS can be maintained as well.
However, this approach requires the additional functionalities of a network router, as illustrated by an example herein. Assume that a mobile wireless device in a wireless network A establishes a VPN connection to its home network (e.g., network C), and at a later time, the mobile device moves from the wireless network A to another wireless network B while keeping the VPN open. To accomplish this, a router in the wireless network A must forward packets from the network C to the router in the wireless network B such that from the socket's point of view, the connection is still open. This approach requires the additional functionalities of the network router. There is, therefore, a need for a method and system for secure connection of mobile devices to VPN wireless networks.