In the creation of Virtual Private Networks (VPNs), multiple tunnels connecting multiple client computers to a hub often have to be created in a short time period. This may occur following certain system failure scenarios, such as a power outage or a connectivity problem, which typically result in multiple devices simultaneously trying to reconnect to the hub. As the creation of VPN tunnels is computationally intensive, the hub cannot process all the connection requests.
Current methods for creation of tunnels connecting client computers to a Virtual Private Network are described, for example, in the RFC 4306 standard, entitled “Internet Key Exchange (IKEv2) Protocol”, which is incorporated herein by reference. Section 1.2 of this standard describes the current initial exchange between the hub and a client computer requesting connection to the hub.
According to the RFC 4306 standard, when the hub cannot process a connection request, the client computer waits until a timeout duration expires, and retransmits the request. In the situation described above, this results in multiple client computers retransmitting connection requests to the hub and in delayed session creation, while maintaining a high traffic volume on the network.
One current solution to the problem described hereinabove is limiting the number of sessions the hub can create simultaneously. This allows necessary resources to be allocated to successfully respond to some of the connection requests. This solution is described, for example, in Cisco's IOS Software Release 12.3T, first published on May 17, 2004 and entitled “Call Admission Control for IKE”, which is incorporated herein by reference.
One disadvantage of this solution is that the connection requests of all the client computers are given the same priority by the hub, and thus all client computers have the same probability for creation of a connection.
Additionally, under the solution described above, the most aggressive client computer, which retransmits the connection request most frequently, has the highest probability of connecting to the hub. Under ideal conditions, in which each client computer uses an exponentially increasing delay time for retransmission of the connection request, the time duration for establishing all the requested VPN tunnels is greatly increased.
Furthermore, the load on the network and on the device may stay high for a very long time, which may adversely affect the function of the device or of other applications using the network.
Applicant's U.S. Pat. No. 7,376,743, filed on Oct. 29, 2002 and entitled METHOD AND APPARATUS FOR LOAD BALANCING IN A VIRTUAL PRIVATE NETWORK”, which is hereby incorporated by reference, describes a network including a plurality of hubs, one of which is designated as the master hub. All connection requests from client computers are directed to the master hub, which then responds to the requesting client computer with a redirection message, which indicates a specific hub to which the connection request should be resent.
The present invention will be more fully understood from the following detailed description of embodiments thereof, taken together with the drawings in which: