1. Field of the Invention
The present invention relates to software, computer network communications, and VPN gateway components. More specifically, it relates to how the Internet Key Exchange (IKE) process in a VPN gateway appliance establishes the security associations under which cryptographic functions are applied to data packets.
2. Description of the Related Art
There is an increasing need for mobile security in enterprises whose users rely on mobile devices and mobile apps for work or to reach services behind the enterprise firewall. Conventional software can establish a VPN from a mobile device to a VPN gateway, but the level of security is often insufficient, and it gives the enterprise little information about how enterprise-enabled apps are being used. In the conventional arrangement, a single VPN carries the data of every enterprise app on the device to the VPN gateway; that is, the VPN exists at the device level. As more users run work-related apps on personal mobile devices and reach enterprise services through a secure tunnel, a single VPN pipe shared by all traffic between a mobile device and an enterprise VPN gateway does not provide the level of security needed to prevent attackers from stealing or manipulating that data, or from planting malware on the mobile device that could eventually harm the enterprise.
A higher level of security is obtained by not having multiple apps (let alone an entire device) share one VPN, in other words, by not using a device-level tunnel. Each app would instead have its own dedicated VPN to a gateway: a tunnel that transports data only for that app, or at least only for a federation of related apps. In one scenario, each enterprise app on a personal mobile device has its own VPN connection to the enterprise gateway (operated by the user's employer, client, supplier, or the like). The enterprise VPN gateway must therefore be able to create and manage a very high number of VPN connections (e.g., hundreds of thousands), bearing in mind that each VPN connection may require its own private, unique IP address. The gateway must also terminate this high number of VPN connections and manage the traffic flowing between them and internal enterprise servers.
Conventionally, the IKE process in the gateway must know about the datapaths and the IPsec instances within them. It must also know which datapath is responsible for each tunneled flow, that is, the security associations and security policies of that flow, so that IPsec can determine which packets to encrypt, which to decrypt, and which to allow through the tunnel. This bookkeeping adds processing and complexity to IKE and has made it infeasible to scale the number of datapaths served by each IKE process. It would be desirable to remove this complexity from IKE: a process in which IKE needs no inherent knowledge of datapaths, IPsec instances, or their respective security policy and security association mappings and tunnels.
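As an added illustration, not part of the patent text, of the conventional coupling described above, the following Python sketch models an IKE process that keeps, for each datapath, the security policy entries (SPD) and security associations (SAD) of the per-app tunnels that datapath owns, and that has to answer "which datapath, which SA" for every packet. The class and field names, the two datapaths, the sample tunnels, the peer address and the 10.200.0.0/16 inner addresses are all constructed assumptions; the selector matching follows the ordered first-match SPD lookup and discard-on-no-match rule of RFC 4301.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    PROTECT = "protect"   # apply the SA (ESP encrypt/decrypt)
    BYPASS = "bypass"     # pass in the clear
    DISCARD = "discard"   # drop


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: int
    dport: int


@dataclass(frozen=True)
class Selector:
    """Traffic selector of an SPD entry; None for proto/dport means 'any'."""
    remote_net: ipaddress.IPv4Network
    proto: int | None = None
    dport: int | None = None

    def matches(self, pkt: Packet) -> bool:
        return (pkt.dst in self.remote_net
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


@dataclass(frozen=True)
class SecurityAssociation:
    spi: int
    peer: str                         # outer address of the app's VPN client
    inner_ip: ipaddress.IPv4Address   # private address assigned to this tunnel
    key: bytes                        # ESP key derived by IKE (constructed here)


@dataclass
class Datapath:
    """One IPsec instance with its own ordered SPD and its own SAD."""
    name: str
    spd: list[tuple[Selector, Action, int | None]] = field(default_factory=list)
    sad: dict[int, SecurityAssociation] = field(default_factory=dict)


class ConventionalIke:
    """IKE that must track every datapath and which tunnels each one owns."""

    def __init__(self, datapaths: list[Datapath]) -> None:
        self.datapaths = {d.name: d for d in datapaths}
        self.tunnel_owner: dict[int, str] = {}            # SPI -> datapath name
        self.inner_ips: set[ipaddress.IPv4Address] = set()

    def install_tunnel(self, dp_name: str, spi: int, peer: str,
                       inner_ip: str, key: bytes) -> None:
        """Install the SA and a /32 PROTECT policy for one per-app tunnel."""
        addr = ipaddress.IPv4Address(inner_ip)
        if spi in self.tunnel_owner:
            raise ValueError(f"SPI {spi:#x} already installed")
        if addr in self.inner_ips:
            raise ValueError(f"inner address {addr} already assigned to another tunnel")
        dp = self.datapaths[dp_name]
        dp.sad[spi] = SecurityAssociation(spi, peer, addr, key)
        dp.spd.append((Selector(ipaddress.IPv4Network(f"{addr}/32")), Action.PROTECT, spi))
        self.tunnel_owner[spi] = dp_name
        self.inner_ips.add(addr)

    def lookup(self, dp_name: str, pkt: Packet) -> tuple[Action, SecurityAssociation | None]:
        """Outbound SPD lookup on one datapath: first match wins, no match -> DISCARD."""
        dp = self.datapaths[dp_name]
        for selector, action, spi in dp.spd:
            if selector.matches(pkt):
                sa = dp.sad[spi] if action is Action.PROTECT and spi is not None else None
                return action, sa
        return Action.DISCARD, None

    def datapath_for(self, spi: int) -> str:
        """The per-tunnel ownership IKE has to remember in the conventional design."""
        return self.tunnel_owner[spi]

    def state_entries(self) -> int:
        """Entries IKE maintains: SPD + SAD rows per datapath plus the owner map."""
        return sum(len(d.spd) + len(d.sad) for d in self.datapaths.values()) + len(self.tunnel_owner)


def mk_packet(dst: str, proto: int = 6, dport: int = 443) -> Packet:
    """Constructed outbound packet from an internal server toward a tunnel's inner address."""
    return Packet(ipaddress.IPv4Address("192.168.10.5"), ipaddress.IPv4Address(dst), proto, dport)


def build_demo() -> ConventionalIke:
    """Two datapaths; two apps on the same phone (same outer peer), one tunnel each."""
    ike = ConventionalIke([Datapath("dp0"), Datapath("dp1")])
    ike.install_tunnel("dp0", 0x1001, "203.0.113.10", "10.200.0.1", b"\x01" * 32)
    ike.install_tunnel("dp1", 0x1002, "203.0.113.10", "10.200.0.2", b"\x02" * 32)
    return ike


def rejects_duplicate_inner_ip(ike: ConventionalIke) -> bool:
    """A second tunnel may not reuse an inner address already handed out."""
    try:
        ike.install_tunnel("dp0", 0x1003, "203.0.113.11", "10.200.0.1", b"\x03" * 32)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    ike = build_demo()
    for dp in ("dp0", "dp1"):
        action, sa = ike.lookup(dp, mk_packet("10.200.0.2"))
        print(dp, action.value, hex(sa.spi) if sa else None)
    print("IKE state entries:", ike.state_entries())
```

Run stand-alone, the sketch shows the two effects the text objects to: the same packet is protected on dp1 but discarded on dp0, because only the datapath that owns the tunnel has the matching SPD and SAD rows, so IKE must remember the owner of every SPI; and the state IKE has to maintain grows with every tunnel installed in every datapath, which is the bookkeeping the text wants removed from IKE.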