A virtual private network (VPN) enables secure communication over an external/untrusted IP network such as the Internet. A VPN provides a relatively secure way to connect nodes on internal trusted networks that are remote from each other, such as clients, servers, and host computers. Encryption and other security mechanisms are typically employed to create secure point to point “tunnels” for plain text messages/packets between authorized users over an untrusted external network. Typically, “plain text” packets are encrypted and inserted into an outer packet. The inner “plain text” packet is subsequently “tunneled” (forwarded) over the untrusted external IP network from one VPN gateway to another VPN gateway where the outer packet is decrypted and the inner “plain text” packet is forwarded towards its destination on the internal network. The other packet serves as a protective shell or encapsulation for the “plain text” packet as it is tunneled from one node to another node over the external untrusted network.
Typically, a gateway in a VPN also operates as a router for IP traffic on their internal networks. For example, upon receiving a “plain text” packet from a node on a trusted internal network, the VPN gateway looks up the destination in a selector list to see whether or not the packet was directed to a destination outside the locally attached internal network and if it should be encrypted for tunneling to the destination. If true, the VPN gateway securely tunnels the “plain text” packet to a particular VPN gateway peer associated with the destination over an external untrusted network. The particular VPN gateway peer determines if the destination of this tunneled packet is on their own selector list. And if so, decrypts the encrypted packet and forwards it to a node on its locally attached internal network. Additionally, if the destination of the “plain text” packet had not been on the selector list but had been an entry in a routing table, the VPN gateway would have forwarded the unencrypted plain text packet to the destination.
As more and more gateways are added to a VPN, a mesh topology may be developed where all of the gateways were aware of every other gateway in the VPN. Also, tunnels may be established between each gateway in the VPN. However, since each tunnel can be associated with a selector in a list kept at each gateway, an administrator may have to update this list at each gateway whenever a new gateway was added to the VPN, or a route was dynamically changed. Thus, as the number of gateways in a VPN grows, the effort required to update each list of selectors on each gateway can become burdensome. Moreover, encryption services employed on the VPN gateway may be unaware of dynamic routing changes.