1. Field of the Invention
The present invention relates generally to the field of data communications and, more specifically, the present invention relates to data communications through the Internet.
2. Background Information
The traditional workplace is generally thought of as a single location to which all employees commuted and worked during the day. With the explosion of technology, the definition of the workplace is expanding to include telecommuters as well as employees that work while traveling. In addition, employees may often need the ability to login remotely from their home or laptop computer systems to their employer's corporate networks for any number of reasons including accessing or transferring files or simply checking their electronic mail.
FIG. 1 shows a computer system 101 remotely connected to a local area network (LAN) 131. As shown in FIG. 1, computer system 101 is coupled to LAN 131 through a modem 103. Modem 103 is connected to modem 105 through a connection 127. Modem 105 is connected to a LAN bus 107, to which a plurality of other network resources are attached. For example, FIG. 1 shows that computer systems 113 and 117 are coupled to LAN bus 107 through network interfaces 111 and 115, respectively.
A disadvantage with the setup described above for remotely coupling computer system 101 to corporate LAN 131 through the modems 103 and 105 is that connection 127 is typically a telephone connection through a public switched telephone network. Thus, if computer system 101 is located a great physical distance away from LAN 131, connection 127 may be a long distance telephone call, which could be quite expensive if used often or for long periods of time.
FIG. 1 also shows that in the alternative, computer system 101 may be coupled to LAN 131 through the Internet 119. As shown in FIG. 1, computer system 101 connects to an Internet service provider (ISP) 121 through connection 133. Typically, connection 133 is a local telephone call, which is more cost-effective in comparison with connection 127 in the event that connection 127 is a long distance telephone call. FIG. 1 shows that ISP 121 is connected to a gateway system 109 through a connection 129 through the Internet 119. Gateway system 109 is connected to LAN 131 through LAN bus 107.
There are a variety of different protocols that may be used for connection 129 between ISP 121 and gateway system 109. One such example protocol is the Point-to-Point Tunnel Protocol (PPTP). A shortcoming of this protocol is that it does not provide complete security in connection 129. As is known to those skilled in the art, the control channel of a PPTP connection is not encrypted. Consequently, it would be relatively easy for an intruder 125 to intercept the non-protected communications in connection 129 between ISP 121 and gateway system 109 and conceivably eavesdrop on communications, disrupt communications, or possibly even masquerade as one of the two parties.
One known protocol providing secured communications through the Internet 119 is the Internet Security Association and Key Management Protocol (ISAKMP)/Oakley protocol combined with Internet Protocol Security (IPSec). ISAKMP/Oakley is used for key management and IPSec is used for transferring encrypted data. As is known to those skilled in the art, the ISAKMP/Oakley protocol was designed to be used primarily for providing secured static host to host communications through the Internet 119 between networks that are not shut down often. For example, a pair of networks such as LAN 131 could communicate securely through the Internet 119 using the ISAKMP/Oakley protocol with IPSec. When designing the ISAKMP/Oakley protocol, it was assumed that the secured host to host (e.g. firewall to firewall) communications through the Internet 119 between networks would be relatively static. That is, the connections between the networks would remain active for relatively long periods of time and therefore would not be dropped frequently.
One disadvantage of using the ISAKMP/Oakley protocol with IPSec in the example illustrated in FIG. 1 is that computer system 101 accesses the Internet 119 through modem 103. As is known to those skilled in the art, modem connections to the Internet 119 may drop often. For example, if connection 133 is on a noisy telephone line, or if connection 133 includes the call waiting service, connection 133 could be dropped unexpectedly. As is known to those skilled in the art, the ISAKMP/Oakley protocol does not provide a keepalive feature. Consequently, LAN 131 would not be aware that computer system 101 was no longer reachable until the connection between computer system 101 and LAN 131 times out. Generally, ISAKMP/Oakley connections time out only after attempts to renegotiate the policy and keys used to secure the communications link have failed. It is appreciated that the attempts to renegotiate the policy and keys to secure communications under the ISAKMP/Oakley protocol are computationally intensive operations and are therefore not performed at a high enough frequency to detect quickly and reliably that computer system 101 is no longer reachable through Internet 119.
A method of verifying the reachability of a remote box from a local box is disclosed. In one embodiment, the method includes the steps of establishing a protected Internet communications link between the local box and the remote box. A protected keepalive message is transmitted to the remote box from the local box. The protected Internet communications link is terminated if the remote box fails to transmit to the local box a protected acknowledgement message in response to the protected keepalive message. Additional features and benefits of the present invention will become apparent from the detailed description, figures and claims set forth below.
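The following is an added illustration, not part of the patent text or of any implementation it describes, of the exchange summarised above and of the detection problem described in the preceding paragraph. The local box sends a protected keepalive at a fixed interval, the remote box answers with a protected acknowledgement carrying the same sequence number, and the local box tears down the protected link after a run of missed acknowledgements. The "protection" is modelled as an HMAC-SHA256 tag over each message under a key assumed to have been negotiated when the link was established; the message layout, the timer values, the constant names and the comparison with a rekey-only timeout are all constructed for this example and are not taken from ISAKMP/Oakley, IPSec or any standard.

```python
"""Protected keepalive/acknowledgement between a local box and a remote box.

Deterministic simulation: time is a simulated counter, the remote box can be
made unreachable at a chosen instant, and every message is authenticated
with an HMAC so that a forged or replayed keepalive is discarded.  All
values below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional, Tuple

KEEPALIVE = 1  # constructed message type codes
ACK = 2
TAG_LEN = 32   # HMAC-SHA256 output length


def protect(key: bytes, msg_type: int, seq: int) -> bytes:
    """Build a protected message: type(1 byte) | seq(4 bytes) | HMAC tag."""
    body = struct.pack("!BI", msg_type, seq)
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


def verify(key: bytes, wire: bytes) -> Optional[Tuple[int, int]]:
    """Return (type, seq) when the tag is valid, otherwise None."""
    if len(wire) != 5 + TAG_LEN:
        return None
    body, tag = wire[:5], wire[5:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return struct.unpack("!BI", body)


@dataclass
class RemoteBox:
    key: bytes
    reachable: bool = True
    last_seq: int = -1  # highest keepalive sequence number accepted so far

    def receive(self, wire: bytes) -> Optional[bytes]:
        """Answer a valid, fresh keepalive with a protected ACK; else stay silent."""
        if not self.reachable:
            return None                      # link is down: nothing comes back
        parsed = verify(self.key, wire)
        if parsed is None:
            return None                      # forged or corrupted: discard
        msg_type, seq = parsed
        if msg_type != KEEPALIVE or seq <= self.last_seq:
            return None                      # wrong type or replayed keepalive
        self.last_seq = seq
        return protect(self.key, ACK, seq)


def run_link(remote: RemoteBox, key: bytes, interval: int, max_misses: int,
             drop_at: int, horizon: int) -> Optional[int]:
    """Simulate the local box.

    Sends one keepalive every `interval` time units and returns the simulated
    time at which the protected link is terminated, or None if the link is
    still considered up when `horizon` is reached.  The remote box becomes
    unreachable at `drop_at`.
    """
    seq = 0
    misses = 0
    for now in range(0, horizon, interval):
        if now >= drop_at:
            remote.reachable = False
        seq += 1
        reply = remote.receive(protect(key, KEEPALIVE, seq))
        parsed = verify(key, reply) if reply is not None else None
        if parsed == (ACK, seq):             # fresh ACK for *this* keepalive
            misses = 0
        else:
            misses += 1
            if misses >= max_misses:
                return now                   # terminate the protected link
    return None


def rekey_only_detection(drop_at: int, rekey_interval: int) -> int:
    """Without a keepalive, loss is noticed only at the next failed rekey."""
    return (drop_at // rekey_interval + 1) * rekey_interval


if __name__ == "__main__":
    key = b"constructed-session-key"          # assumed negotiated at link setup
    torn_down = run_link(RemoteBox(key), key, interval=10, max_misses=3,
                         drop_at=35, horizon=600)
    print("keepalive: link dropped at t=35, terminated at t=%s" % torn_down)
    print("rekey only: noticed at t=%d" % rekey_only_detection(35, 480))
```

With a 10-unit keepalive interval and three tolerated misses, the link dropped at t=35 is torn down at t=60, whereas a link that relies on a (constructed) 480-unit rekey cycle would not notice until t=480. The sequence number carried back in the acknowledgement is what ties each ACK to the keepalive that prompted it, so a captured acknowledgement cannot be used to keep a dead link looking alive.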