A computer network is a collection of interconnected computing devices that exchange data and share resources. In a packet-based network, such as the Internet, the computing devices communicate data by dividing the data into small blocks called packets. The packets are individually routed across the network from a source device to a destination device. The destination device extracts the data from the packets and assembles the data into its original form. Dividing the data into packets enables the source device to resend only those individual packets that may be lost during transmission.
A private network may include a number of devices, such as computers, owned or administered by a single enterprise. These devices may be grouped into a number of site networks, which in turn may be geographically distributed over a wide area. Each site network may include one or more local area networks (LANs). With the advent of Virtual Private Network (VPN) technology, enterprises can now securely share data between site networks over a public network, such as the Internet.
A VPN may be configured in a “hub-and-spokes” topology. In a hub-and-spokes network, one site network is the hub, while the other site networks are the spokes. This configuration passes all data through the central hub site network, isolating the spoke site networks from one another and allowing communication between devices in different spoke site networks only through the hub site network. For example, the hub site network may be the network at the headquarters of the enterprise, while the spoke site networks are typically networks at geographically distributed branch offices, sales offices, manufacturing or distribution facilities, or other remote sites of the enterprise.
In some instances the remote sites may establish a spoke-to-spoke VPN tunnel to allow computing devices within the remote sites to securely handle time-sensitive communications, such as Voice over Internet Protocol (VoIP) or video conferencing, between the sites through the Internet or another public network infrastructure. A number of communication protocols have been developed for establishing a VPN tunnel. In general, these protocols allow network devices to establish the VPN tunnel as one or more secure data flows across the public network infrastructure. For example, Internet Protocol Security (IPSec) protocols and Secure Sockets Layer (SSL) protocols make use of cryptographic technology to establish network “tunnels.” These tunnels allow packets conforming to other network protocols, such as Internet Protocol (IP) packets, to be encapsulated within encrypted packet streams flowing between the sites.
One approach to spoke-to-spoke VPN communications is to maintain a permanent full-mesh VPN connection. However, the cost of this approach may be prohibitive. Another option is to establish a spoke-to-spoke VPN tunnel manually whenever a VPN tunnel is needed. However, this option may consume many resources and may induce lengthy delays before the spoke-to-spoke VPN tunnel is established. One approach to automatically setting up a VPN tunnel on demand, known as dynamic VPN, first runs a routing protocol, such as Open Shortest Path First (OSPF) or Enhanced Interior Gateway Routing Protocol (EIGRP), on all gateway routers so that an originating gateway can learn the private IP address of the destination gateway to which it is trying to connect dynamically. Routing tables are updated with the VPN route, and packets are sent over this route. Next, the originating gateway queries a Next Hop Resolution Protocol (NHRP) server to obtain the destination gateway's public IP address using NHRP's private/public IP mapping functionality. Only after both the public and private IP addresses are obtained does the originating gateway router use IPSec to set up the VPN tunnel between the spokes. In the meantime, packets are dropped until the VPN tunnel is set up between the spokes, making this method less desirable for time-sensitive communications. Moreover, this method requires three distinct steps, and it also requires running routing protocols on the gateway routers of the remote sites to learn the private IP addresses.
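The three-step dynamic VPN sequence described above (routing lookup for the destination gateway's private IP, NHRP query for its public IP, then IPsec tunnel negotiation) and the packet loss it causes before the tunnel is usable can be seen in a small simulation. The following Python model is an added example, not code from the original text or from any particular vendor's implementation; the routing table, the NHRP mapping, the addresses and the number of clock ticks that IPsec negotiation is assumed to take are all constructed values chosen for illustration.

```python
"""Simulation of on-demand (dynamic) spoke-to-spoke VPN setup.

Models an originating spoke gateway that, for a packet to a new
destination, (1) resolves the destination gateway's private IP from
its routing table, (2) asks an NHRP server for that gateway's public
IP, and (3) starts IPsec negotiation.  Packets arriving before the
tunnel is usable are dropped, which is the behaviour the text
identifies as a problem for time-sensitive traffic.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed routing table (assumed): the routing protocol has populated
# destination private prefix -> private IP of the gateway serving it.
ROUTING_TABLE = {
    ipaddress.ip_network("10.2.0.0/16"): "10.2.0.1",
    ipaddress.ip_network("10.3.0.0/16"): "10.3.0.1",
}

# Constructed NHRP server mapping (assumed): gateway private IP -> public IP.
NHRP_SERVER = {
    "10.2.0.1": "198.51.100.2",
    "10.3.0.1": "198.51.100.3",
}

# Assumed number of clock ticks IPsec negotiation takes before the tunnel
# carries traffic; a real value depends on IKE round trips and latency.
IPSEC_SETUP_TICKS = 3


@dataclass
class TunnelState:
    public_ip: str
    ready_at: int  # tick at which the tunnel becomes usable


@dataclass
class SpokeGateway:
    routing_table: dict
    nhrp_server: dict
    tunnels: dict = field(default_factory=dict)  # dest gw private IP -> TunnelState
    log: list = field(default_factory=list)

    def lookup_route(self, dst_ip):
        """Step 1: longest-prefix match -> destination gateway private IP."""
        addr = ipaddress.ip_address(dst_ip)
        best = None
        for net, gw in self.routing_table.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None

    def resolve_public(self, gw_private_ip):
        """Step 2: NHRP private -> public IP query."""
        return self.nhrp_server.get(gw_private_ip)

    def forward(self, dst_ip, tick):
        """Handle one packet; returns 'forwarded', 'dropped' or 'unroutable'."""
        gw = self.lookup_route(dst_ip)
        if gw is None:
            return "unroutable"
        tunnel = self.tunnels.get(gw)
        if tunnel is None:
            public = self.resolve_public(gw)
            if public is None:
                return "unroutable"  # NHRP has no mapping for this gateway
            # Step 3: start IPsec negotiation; no data path until ready_at.
            self.tunnels[gw] = TunnelState(public, tick + IPSEC_SETUP_TICKS)
            self.log.append(f"tick {tick}: negotiating IPsec to {gw} via {public}")
            return "dropped"
        if tick < tunnel.ready_at:
            return "dropped"  # tunnel still being negotiated
        return "forwarded"


def simulate(dst_ip, packets, start_tick=0, gateway=None):
    """Send `packets` consecutive packets to dst_ip and tally the outcome."""
    gw = gateway or SpokeGateway(ROUTING_TABLE, NHRP_SERVER)
    results = [gw.forward(dst_ip, start_tick + i) for i in range(packets)]
    return {
        "dropped": results.count("dropped"),
        "forwarded": results.count("forwarded"),
        "unroutable": results.count("unroutable"),
        "results": results,
        "gateway": gw,
    }


if __name__ == "__main__":
    out = simulate("10.2.5.7", 10)
    print(out["results"], out["gateway"].log)
```

With the assumed three-tick negotiation, the first three packets of a flow to a new spoke are dropped and only the fourth onwards is forwarded; once the tunnel exists, later packets to the same spoke go straight through, and a destination with no route or no NHRP mapping is reported as unroutable rather than silently queued.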