Conventionally, companies have interconnected geographically dispersed corporate networks using private (leased) lines. This approach produces a network that is isolated from external networks and therefore offers some assurance of security, although that assurance rests on the physical isolation and the line provider rather than on any cryptographic protection. When intra-corporation communication is instead carried over the Internet, to take advantage of the low cost of such connectivity, the enterprise communication is done through a Virtual Private Network (VPN). A VPN builds a virtually private network across the Internet by using the Internet Protocol (IP) facilities of IP networks and the facilities of the protocols below IP: the traffic is tunneled and, in most deployments, encrypted and authenticated. This technique makes it possible to build a network that is isolated from external networks and that can offer any required level of quality-of-service assurance, even across the Internet.
Today the workforce continues to migrate towards mobility, and the resulting requirement for employees to have remote data access generates an increasing need for communication through Mobile VPNs (MVPNs) that span both wireline networks and wireless data networks. An MVPN may use a combination of data packets and radio protocols on the mobile (dynamic) side and tunneling protocols on the fixed (static) side. A static tunnel between the wireless operator's premises and the intranet of a corporation, connected through an Internet Service Provider (ISP), is called a Network Based Tunnel (NBT). An exemplary NBT is a "Compulsory Tunnel" (CT). Throughout this description, the terms Network Based Tunnel and Compulsory Tunnel may be used interchangeably and/or have the same meaning. An exemplary protocol for packet communication over wireless data networks is the General Packet Radio Service (GPRS). Other wireless protocols may include, but are not limited to, HDR (High Data Rate), CDPD (Cellular Digital Packet Data), etc., as well as others not listed.
An NBT may be shared by multiple peers of the same corporation and may remain established even when no traffic is currently being carried. NBTs are based on protocols such as, but not limited to, IPSec, LSP/IPSec, L2TP, GRE, IEEE 802.1Q (VLAN Tagging, or VLAN TAG; both terms are used interchangeably herein), IP-over-IP protocols, and other protocols not listed. The wireless operator has an Access Gateway (AGW), which converts NBT traffic arriving via a Border Gateway (BGW), either through the Internet or over a direct connection from the corporation's intranet, into the appropriate wireless protocol, and vice versa. One example of an Access Gateway is the Gateway GPRS Support Node (GGSN). Another example of an Access Gateway is the Packet Data Serving Node (PDSN) used in a CDMA2000 Radio Access Network (RAN).
In intra-corporation networks, private IP addresses are often used. IP addresses are divided into public IP addresses and private IP addresses. Public IP addresses are globally unique, whereas private IP addresses (the RFC 1918 ranges in IPv4) can be freely assigned by each corporation. Thus it is natural for private IP addresses to be used when corporations use a VPN service. If a plurality of VPNs is carried over the wireless operator's network and private IP addresses are used over the VPNs, the same private IP address may be in use in two different VPNs at the same time. Any equipment in the operator's network that looks inside the tunnels therefore cannot identify a peer or a flow by the inner IP address alone; the identity of the tunnel the packet arrived on must be part of the key.
To improve services, an operator may want to add Manipulation Equipment (MEq) that intercepts the communication between a remote client and its final destination and performs some manipulation on the data. An exemplary MEq may be a personalization server that adds personal banners to the communication directed towards the remote client. Another exemplary MEq may be a front-end content server such as the MS Exchange Server. Other MEq may operate to improve the speed of the communication and reduce the volume of data over the wireless links. Generally, the MEq is located between the Access Gateway and the Border Gateway or Router. An MEq may manipulate the data at inner layers: the transport layer (TCP), the application layer (HTTP, MAPI, etc.) and the content itself (HTML, GIF, etc.). Within the context of this description, the terms manipulation, optimization and acceleration may be used interchangeably and at times may have the same meaning.
When a VPN is used, the communication between the Access Gateway and the Border Gateway is carried inside an NBT. Therefore the NBT must be broken at the input to the MEq and reconstructed (re-tunneled) at the output of the MEq. Moreover, the tunnel between the operator's network and the corporation's intranet(s) may carry a plurality of connections from a plurality of mobile peers, some of which use the MEq and some of which do not. Furthermore, the communication to or from a client that does use the MEq may contain traffic that the MEq does not handle. These are some of the difficulties that a system which splits the NBT must overcome when re-constructing, or re-tunneling, the tunnel. In addition, the data returned by the MEq may differ from the data that was sent to it, in content and in length, so the lengths and checksums of every enclosing header must be recomputed when the tunnel is rebuilt.
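The two problems described above, the address collision between VPNs that reuse private addresses and the split/bypass/re-tunnel cycle around the MEq, are illustrated by the following added example. It is not the patent's system and not code from any operator or vendor; it assumes GRE-over-IPv4 tunnels distinguished by the RFC 2890 key field (the patent lists GRE among several possible NBT protocols), a hypothetical `banner_meq` callback standing in for the personalization server, a hypothetical `select` policy that sends only TCP port 80 flows to the MEq, and constructed sample addresses from the documentation ranges. The splitter keys every flow by the tunnel it arrived on in addition to the inner 5-tuple, passes non-tunnel, non-TCP and unselected packets through untouched, and after manipulation recomputes the TCP checksum, the inner IPv4 length and checksum, and the outer IPv4 length and checksum.

```python
"""Toy NBT splitter (added example, not the patent's system): decapsulates keyed GRE tunnels,
keys flows by tunnel, pushes selected TCP payloads through a manipulation callback and
re-tunnels with every length and checksum recomputed."""
import socket
import struct

GRE_PROTO, TCP_PROTO, ETHERTYPE_IPV4, GRE_KEY_FLAG = 47, 6, 0x0800, 0x2000

def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement checksum; data that carries a valid checksum sums to 0."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def patch_ipv4(hdr: bytes, payload: bytes) -> bytes:
    """Reattach a possibly resized payload: fix total length and header checksum only."""
    hdr = bytearray(hdr)
    struct.pack_into("!H", hdr, 2, len(hdr) + len(payload))
    hdr[10:12] = struct.pack("!H", checksum(bytes(hdr[:10]) + b"\x00\x00" + bytes(hdr[12:])))
    return bytes(hdr) + payload

def ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return patch_ipv4(hdr, payload)

def parse_ipv4(pkt: bytes):
    """Returns (src, dst, proto, raw header, payload); rejects truncation and bad checksums."""
    ihl, total = (pkt[0] & 0x0F) * 4, struct.unpack_from("!H", pkt, 2)[0]
    if len(pkt) < total or checksum(pkt[:ihl]) != 0:
        raise ValueError("truncated packet or bad IPv4 header checksum")
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], pkt[:ihl], pkt[ihl:total]

def gre(payload: bytes, key=None) -> bytes:
    """GRE (RFC 2784) with the optional RFC 2890 key; the key tells tunnels apart."""
    if key is None:
        return struct.pack("!HH", 0, ETHERTYPE_IPV4) + payload
    return struct.pack("!HHI", GRE_KEY_FLAG, ETHERTYPE_IPV4, key) + payload

def parse_gre(buf: bytes):
    flags, ethertype = struct.unpack_from("!HH", buf)
    if ethertype != ETHERTYPE_IPV4 or flags & ~GRE_KEY_FLAG:
        raise ValueError("only plain or keyed GRE carrying IPv4 is handled here")
    return (struct.unpack_from("!I", buf, 4)[0], buf[8:]) if flags & GRE_KEY_FLAG else (None, buf[4:])

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    return checksum(pseudo + segment)

def patch_tcp(src: str, dst: str, tcp_hdr: bytes, data: bytes) -> bytes:
    hdr = bytearray(tcp_hdr)
    hdr[16:18] = b"\x00\x00"
    hdr[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(hdr) + data))
    return bytes(hdr) + data

def tcp(src: str, dst: str, sport: int, dport: int, data: bytes) -> bytes:
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return patch_tcp(src, dst, hdr, data)

class TunnelSplitter:
    """Sits between Access Gateway and Border Gateway. select(sport, dport) picks the TCP
    flows the MEq sees; non-tunnel, non-TCP and unselected traffic passes through untouched."""
    def __init__(self, meq, select):
        self.meq, self.select, self.flows = meq, select, {}

    def process(self, outer: bytes) -> bytes:
        o_src, o_dst, o_proto, o_hdr, o_payload = parse_ipv4(outer)
        if o_proto != GRE_PROTO:
            return outer
        key, inner = parse_gre(o_payload)
        i_src, i_dst, i_proto, i_hdr, seg = parse_ipv4(inner)
        if i_proto != TCP_PROTO:
            return outer
        sport, dport = struct.unpack_from("!HH", seg)
        # Tunnel identity is part of the flow key: 10.0.0.5 inside one corporation's VPN and
        # 10.0.0.5 inside another's are different hosts that merely share a private address.
        flow = ((o_src, o_dst, key), i_src, sport, i_dst, dport)
        self.flows[flow] = self.flows.get(flow, 0) + 1
        if not self.select(sport, dport):
            return outer
        hlen = (seg[12] >> 4) * 4
        new_seg = patch_tcp(i_src, i_dst, seg[:hlen], self.meq(seg[hlen:]))
        return patch_ipv4(o_hdr, gre(patch_ipv4(i_hdr, new_seg), key))

def banner_meq(data: bytes) -> bytes:
    """Hypothetical personalization server: prepend a banner to HTML bodies, pass the rest."""
    return b"<!-- operator banner -->" + data if data.startswith(b"<html") else data

def demo():
    """Constructed sample: two corporations' NBTs whose inner hosts both use 10.0.0.0/8."""
    splitter = TunnelSplitter(banner_meq, lambda sport, dport: 80 in (sport, dport))
    out = []
    for corp_gw, key in (("203.0.113.20", 1), ("203.0.113.30", 2)):  # AGW side is 198.51.100.10
        inner = ipv4("10.0.0.1", "10.0.0.5", TCP_PROTO,
                     tcp("10.0.0.1", "10.0.0.5", 80, 40000, b"<html>hi</html>"))
        out.append(splitter.process(ipv4(corp_gw, "198.51.100.10", GRE_PROTO, gre(inner, key))))
    return splitter, out
```

Running `demo()` yields two flow-table entries that differ only in the tunnel identity, and two re-tunneled packets whose inner payload now carries the banner and whose outer, inner and TCP checksums all verify. Two caveats a real splitter must handle that this example does not: when the MEq changes payload length, later segments of the same TCP connection need their sequence and acknowledgement numbers rewritten, and the parsers above accept only the GRE options shown (no checksum, routing or sequence fields) and no IPv4 options.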
The traffic over the VPN may be protected by mechanisms such as Remote Authentication Dial In User Service (RADIUS) on the fixed side, which authenticates and authorizes the remote peer before it is admitted to the tunnel. Another mechanism is to encrypt the data flow, which protects the confidentiality of the connection (and, with IPSec, its integrity). The splitter system, which reads, processes and manipulates the traffic, must inter-operate with these mechanisms: it cannot manipulate data it cannot decrypt, so it must either terminate the encrypted tunnel itself or hold the keys needed to decrypt and re-encrypt the flow.
Therefore there is a need for a system and a method for splitting a plurality of VPN tunnels between the Access Gateway in the operator's network and a plurality of corporate intranets over a data network (such as the Internet or a private connection): decrypting the data, redirecting it to a manipulation server, manipulating it, receiving the manipulated data, encrypting it again and reconstructing the appropriate tunnels (re-tunneling).