1. Technical Field of the Invention
This invention pertains to network communications. More particularly, it relates to the nesting of virtual private network (VPN) tunnels, or connections, with coincident local endpoints.
2. Background Art
An important use of virtual private networking (VPN) is to allow a remote user or small branch office to connect to an enterprise via the Internet. The basic scenario for so doing is illustrated in FIG. 1. Personal computer (PC) 10 represents a remote user, or client, connecting through an Internet Service Provider (ISP, such as SprintNet, AT&T, AOL, or the like) 12 via Internet 14 to a VPN gateway 16 (also referred to as an enterprise gateway) for the enterprise. Typically in this scenario the user at PC 10 desires to connect to some server, such as a Lotus Notes server, within the internal network 18 of a company or enterprise.
A typical configuration for doing this connection of PC 10 to a server within internal network 18 uses two VPN connections (also referred to as tunnels) t1 20 and t2 22. Tunnel t1 20 begins at ISP 12 and ends at gateway 16. Tunnel t2 begins at PC 10, is nested within tunnel t1 20, then continues on to the company server internal to network 18. (By “Internet”, reference is made to a specific internet—the one usually referred to today. This “Internet” is implemented by a well defined set of system routers, available from many vendors. By “internet”, reference is usually made to any network that has its own well defined domain, routing, and other properties. These networks are usually TCP/IP based.) ISP's 12 are generally located outside of Internet 14, but not always. IBM, for example, connects directly to an AT&T ISP which is inside the Internet.
If PC 10 has a dedicated, or permanent, Internet Protocol (IP) address, this all works fine. However, it much more likely that PC 10 has an IP address which is dynamically assigned by ISP 12 and which may be, in general, from one of several designated private IP address ranges. This raises the possibility, if not likelihood, of the same IP address being assigned to a plurality of clients 10 seeking access through gateway 16. To support such remote users 10, the company gateway 16 needs some way to handle the dynamically assigned IP address and allow it through to its internal network 18.
It is an object of the invention to provide an improved method and system for managing connections within a communications system.
It is a further object of the invention to provide an improved method and system for connecting a remote client to an enterprise network through a local gateway.
It is a further object of the invention to provide a method and system for enabling an enterprise gateway to handle dynamically assigned IP addresses from remote clients.
It is a further object of the invention to provide an improved method and system for supporting nested tunnels with coincident endpoints.
It is a further object of the invention to provide a method and system for supporting automatic nested tunnels with coincident endpoints.
It is a further object of the invention to provide a method and system for implementing nested tunnels by automatically detecting and establishing tunnels so as to achieve a nested implementation.
It is a further object of the invention to provide a method and system for providing, without customer configuration, tunnel or transport mode IP security (IPsec) at a remote endpoint, with the VPN role of the remote endpoint being host or gateway, with L2TP supported within the internal tunnel, and with an arbitrary level of tunnel nesting.