1. Field of the Invention
The present invention relates to communication networks and, more particularly, to a method and apparatus for establishing Virtual Private Network (VPN) tunnels in a wireless network.
2. Description of the Related Art
Data communication networks may include various computers, servers, nodes, routers, switches, hubs, proxies, and other devices coupled to and configured to pass data to one another. These devices will be referred to herein as “network devices.” Data is communicated through the data communication network by passing data packets (or data cells or segments) between the network devices by utilizing one or more communication links. A particular packet may be handled by multiple network devices and cross multiple communication links as it travels between its source and its destination over the network.
The various network devices on the communication network communicate with each other using predefined sets of rules, referred to herein as protocols. Different protocols are used to govern different aspects of the communication, such as how signals should be formed for transmission between network devices, various aspects of what the data packets should look like, and how packets should be handled or routed through the network by the network devices.
A Virtual Private Network may be formed by connecting two or more networks or network devices over a public network using encryption or other means, such as by attaching a unique label to traffic in a Multiprotocol Label Switching (MPLS) network, to secure the transmissions between the two or more networks or network devices. Using VPN tunnels over a public network such as the Internet enables a network having geographically separated components to be set up as a single autonomous network without requiring the network participants to lease dedicated lines through the network. As used herein, “VPN site” will be used to refer to a network or portion of a network that is to be connected to a VPN tunnel.
When a person seeks to establish or join a VPN tunnel on a wireless network, such as a network operating under one of the IEEE 802.11 family of protocols, the user must first log onto the wireless network and only then be connected to the VPN tunnel. This requires the user to have or establish an account on the wireless network as well as an account with the network associated with the VPN site.
FIG. 1 illustrates a conventional system in which a wireless user 10 is able to obtain VPN services over a wireless network 12 through a wireless access point 14. As shown in FIG. 1, a wireless user 10 in a conventional wireless network 12 uses a two-step log-on process: it first establishes its identity with the wireless network, and then establishes its identity with the VPN host network. Specifically, upon reaching the wireless network through the access point 14, the wireless user seeks admittance to the wireless network by engaging an Authentication, Authorization, and Accounting (AAA) server 16 associated with the wireless network. Engaging the AAA server enables the wireless network to verify the user's identity and authorization to access the network, and to establish accounting entries so that the wireless network can invoice the wireless user for admittance. If the wireless user is successful, a Dynamic Host Configuration Protocol (DHCP) server associated with the wireless network assigns the wireless user an IP address on the wireless network and otherwise enables communication to take place on the wireless network.
Once the wireless user has been granted admittance to the wireless network, if the wireless user desires to participate on a VPN tunnel with a VPN host network 18, the wireless user initiates a protocol exchange with the VPN host network. The VPN host network may be a corporate network to which the wireless user would like to obtain access or another network or network device. The wireless user provides the VPN host network with authentication and authorization information, such as a corporate ID and password, which is used to authenticate the user and ascertain whether the user has authorization to access the network and/or participate in VPN communications with the VPN host network. Typically, the VPN host network will utilize an AAA server 20 to perform authorization and authentication services on behalf of the VPN host network. If the authorization and authentication procedures are successful, the VPN host network grants admittance to the wireless user and assigns a VPN host network private IP address to the wireless network user using its DHCP server. The VPN host network private IP address is then used by the wireless network device as the end point for a VPN tunnel 22 between the wireless user 10 and the VPN host network 18. The VPN tunnel 22 may extend through the Internet 24 or other network.
Requiring the wireless user to log onto the wireless network as well as onto the VPN host network thus results in a duplication of services. Specifically, both the wireless network and the VPN host network must authenticate and authorize the user before the user can establish a VPN tunnel to the VPN host network. This duplication adds set-up time as well as expense.
Additionally, communications over the wireless portion of the VPN tunnel may be doubly encrypted. Specifically, in the conventional scenario discussed above in connection with FIG. 1, the VPN tunnel extends from the wireless user all the way to the VPN host network, so communications between the VPN host network and the wireless user are typically encrypted end to end using a protocol such as IPsec. Additionally, to prevent other wireless users from intercepting communications on the wireless link, communications on that link are typically encrypted again using Wired Equivalent Privacy (WEP), Temporal Key Integrity Protocol (TKIP), or another protocol used to secure 802.11 wireless LANs. The double encryption between the user and the wireless access point (WEP/TKIP layered over IPsec) increases the latency of transmissions between the VPN host network and the wireless user. It also consumes additional resources on the wireless device, which may reduce the time a battery-powered wireless device is able to participate in wireless communications.
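The two-step log-on of FIG. 1 and the layered encryption over the wireless hop can be modelled together. The following is an added illustration written for this page, not code from the patent or from any product it describes. The networks, account names, keys and addresses are constructed for the example, and the hash-counter stream cipher stands in for both WEP/TKIP on the wireless link and IPsec on the tunnel; it is not an implementation of either protocol. It shows the conventional client authenticating twice (two AAA accounting entries, two DHCP leases) and encrypting each packet twice, with the access point able to strip only the link layer.

```python
"""Model of the conventional two-step wireless VPN log-on (FIG. 1).

Illustrative example added to this page; names, credentials and keys are
constructed. keystream_xor() is a toy stand-in for WEP/TKIP and IPsec ESP.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy counter-mode stream cipher: XOR data with SHA-256(key|nonce|ctr).

    Symmetric, so the same call decrypts. Stand-in only, not WEP/TKIP/ESP.
    """
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + nonce + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


class AAAServer:
    """Authenticates a user and records an accounting entry (servers 16 and 20)."""

    def __init__(self, realm: str, accounts: dict):
        self.realm = realm
        self._accounts = accounts          # user -> sha256 hex of password
        self.accounting = []               # one entry per successful log-on

    def authenticate(self, user: str, password: str) -> bool:
        expected = self._accounts.get(user)
        given = hashlib.sha256(password.encode()).hexdigest()
        if expected is None or not hmac.compare_digest(expected, given):
            return False
        self.accounting.append((self.realm, user))
        return True


class DHCPServer:
    """Hands out the next free host address from a constructed pool."""

    def __init__(self, pool: str):
        self._hosts = ipaddress.ip_network(pool).hosts()

    def lease(self) -> str:
        return str(next(self._hosts))


@dataclass
class Network:
    name: str
    aaa: AAAServer
    dhcp: DHCPServer
    key: bytes        # WEP/TKIP key for the wireless net, IPsec SA key for the VPN host


def two_step_logon(wireless: Network, vpn_host: Network, wifi_cred, corp_cred) -> dict:
    """Conventional flow: wireless AAA + DHCP, then VPN host AAA + DHCP."""
    if not wireless.aaa.authenticate(*wifi_cred):
        raise PermissionError("wireless AAA rejected user")
    wifi_addr = wireless.dhcp.lease()
    if not vpn_host.aaa.authenticate(*corp_cred):
        raise PermissionError("VPN host AAA rejected user")
    vpn_addr = vpn_host.dhcp.lease()
    return {
        "wifi_addr": wifi_addr,
        "vpn_addr": vpn_addr,
        "authentications": len(wireless.aaa.accounting) + len(vpn_host.aaa.accounting),
    }


def send_over_wireless(plaintext: bytes, vpn_key: bytes, link_key: bytes) -> dict:
    """Client encrypts twice; the access point removes only the link layer."""
    tunnel_nonce, link_nonce = b"spi-0001", b"iv-00001"
    inner = keystream_xor(vpn_key, tunnel_nonce, plaintext)   # IPsec layer (end to end)
    frame = keystream_xor(link_key, link_nonce, inner)        # WEP/TKIP layer (wireless hop)
    at_access_point = keystream_xor(link_key, link_nonce, frame)   # AP strips link layer only
    at_vpn_host = keystream_xor(vpn_key, tunnel_nonce, at_access_point)
    return {"client_encryptions": 2, "ap_sees": at_access_point, "host_sees": at_vpn_host}


def demo() -> dict:
    """Run the constructed scenario and return the observable results."""
    h = lambda p: hashlib.sha256(p.encode()).hexdigest()
    wireless = Network("hotspot", AAAServer("hotspot", {"alice": h("wifi-pass")}),
                       DHCPServer("10.1.0.0/24"), b"link-key-constructed")
    vpn_host = Network("corp", AAAServer("corp", {"alice": h("corp-pass")}),
                       DHCPServer("192.168.50.0/24"), b"sa-key-constructed")
    logon = two_step_logon(wireless, vpn_host, ("alice", "wifi-pass"), ("alice", "corp-pass"))
    traffic = send_over_wireless(b"GET /payroll HTTP/1.1", vpn_host.key, wireless.key)
    return {**logon, **traffic, "plaintext": b"GET /payroll HTTP/1.1"}


if __name__ == "__main__":
    r = demo()
    print(r["wifi_addr"], r["vpn_addr"], r["authentications"], r["client_encryptions"])
```

The point the model makes explicit is that the access point, after removing WEP/TKIP, still holds only IPsec ciphertext, so the link-layer encryption protects nothing the tunnel layer was not already protecting on that hop, while the client has paid for both encryptions and both log-ons.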
Because the wireless access point does not participate in establishing the VPN tunnel between the VPN host network and the wireless user, the wireless user must have VPN software, such as a VPN client, loaded on the wireless access device. Where the wireless access device is a small computing device, such as a personal digital assistant (PDA) or telephone handset, it may be unreasonable to expect it to support a VPN client or to engage in an IPsec protocol exchange.