DE10128493A1 - Integration of network address translation and IP security protocol within virtual private network, involves providing allocation table containing NAT rules in VPN gateway - Google Patents

Abstract

An internal network host is configured to transmit selected data to a proxy network address. An allocation table containing network address translation (NAT) rules is provided in a virtual private network (VPN) gateway. Connection through VPN is initiated based on the NAT rules. Independent claims are also included for the following: (a) Method and system for operation of domain name server; (b) System for integration of network address translation within secured VPN; (c) Computer readable program storage unit for integration of NAT within secured VPN; (d) Article of manufacture comprising computer readable program for integration of NAT within secured VPN

Description

Background of the Invention Cross-references to related applications

This application is Continuation-In-Part (CIP) from Serial number 09/240 720, filed on January 29, 1999, with the Title "System and Method for Network Address Translation Integration With IP Security ".

U.S. Patent Application Serial No. 09/239 693, filed on 29/01/99, entitled "System and Method for Managing Security Objects "; serial number 09/240 718, on January 29, 1999, with entitled "System and Method for Dynamic Macro Placement of IP Connection Filters "; S / N 09/239 694, filed on 29/01/99, entitled "System and Method for Dynamic Micro Placement of IP Connection Filters "; S / N 09/240 483, filed on January 29, 1999, entitled "System and Method for Central Management of Connections in a Virtual Private Network, and serial number 09 / 578,215, filed on May 23, 1999, entitled "System and Method for Network Address Translation Integration with IP Security " assigned to the same legal successor and contained in certain topics of the present application. The above-mentioned patent applications are by reference included here.

Technical field of the invention

This invention relates to connection security virtual private networks connections) (VPN) and refers in particular to VPN  NAT or the simultaneous use of network addresses Network address translation (NAT) and Internet Protocol (IP) security (IPSec) protocols.

State of the art

Virtual private networks (VPNs) represent an active area of technical development of the entire Internet and the computer industry. This is because it works for most forms of electronic trading is a basic requirement represent. VPNs use protocol tunneling as well Encryption and decryption technology (IP Security protocols) to clients and servers, Branches or independent organizations use of the Internet is too essential for your TCP / IP traffic lower costs than buying Leased lines are incurred without the main benefit of Losing dedicated lines: privacy.

The tunneling that VPN uses has a side effect that causes a problem: two subnets or companies or other users who are not directly connected to each other in the beginning communicated now do what the probability of IP address conflicts significantly increased Network Address Translation (NAT) is used on the Internet and in companies that deal with the Connect to the Internet, often used to address conflicts to overcome. These conflicts usually happen between specified "private" address spaces (i.e. 10. *. *. *)

However, NAT and IP security (IP-Sec) are architectural  in conflict with each other. In fact, IP-Sec is supported by NAT impaired. That is, "NAT" is the function that ultimately the semantic overload of the IP address both as a localizer and as the endpoint Identifier breaks up "(see" Architectural Implications of NAT ", draft-iab-nat-implications-00.txt, March 1998. IPSec is described in Kent, S., and Atkinson, "Security Architecture for the Internet Protocol ", RFC2401, November 1998; Kent, S., and Atkinson, "IP Authentication Protocol", RFC 2402 November 1998; and Kent, 5th, and Atkinson, "IP Encapsulation Security Payload ", RFC 2406, November 1998.) As a result, two hosts cannot establish an IP-Sec connection, if there is a NAT system in between. Therefore there is two reasons: for the IP traffic between the two hosts (for the IP-Sec connection) is the authorization protocol (AH) or encapsulation of the safety information (encapsulation security payload) (ESP) applied. (Please refer RFCs 2402 and 2406, above.)

First, regarding tunnel mode, the IP address is that needs to be translated, in the ESP tunnel, and it is encrypted. For this reason, it is not for NAT available. Regarding the authorization protocol (AH) in Transport or tunnel mode, is the IP address that must be translated, visible in NAT, but the AH- It contains authorization recognition. Therefore authorization recognition becomes by changing the IP address interrupted at the far end of the IP-Sec connection. In terms of of the ESP in transport mode is the IP address for NAT available even if ESP with authorization recognition is used. However, if the IP address is changed, the IP-Sec connection is interrupted due to the interruption of the Authorization recognition at the far end of the IP-Sec connection interrupted.  

Second, even if the IP traffic could be translated for the IP-Sec connection, it would fail because the IP-Sec connection is based on security associations that link the two host IP addresses ) contain. These are fundamental to the security association architecture (see RFC 2401, above), insofar as the incoming IP-Sec on the host on which the decryption (or authorization recognition) has to take place must be uniquely determined in three ways:
{Destination IP addr, SPI, IP Sec protocol}.
where SPI is the security protocol index (see RFC 2401, above). Assuming given hosts A and W, NAT is applied to an IP datagram (a generic term for bytes that are sent on the line), whereby ESP in Transport mode, which ranges from A to W. As a result, the IP source address is changed. When the packet arrives at W, it is likely to be decrypted successfully because it does not depend on the source IP address (which was strictly unencrypted, so it was not tunneled). If executed correctly, the incoming SPD check that should follow the decryption will fail due to the changed IP source address (since it was not the address used when negotiating the security association). Therefore, even the case of the transport mode ESP fails.

Simply excluding NAT and IP-Sec is not one State-of-the-art solution. NAT will be very often used because it solves many problems  for example: it masks global address changes, reduces address usage, decreases Support burden of Internet service providers (ISP) and enables sharing of loads as virtual Hosts.

Still, NAT is considered the biggest single threat to that Considered security integration, which is used on the internet today. This "NAT- Problem "as it is still called architecturally fundamental. Even old applications and -services (for example, those for IP version 4 their coexistence will still exist continue for a long time while applications and services for IP Version 6 will be further developed. Consequently, there is a State of the art a strong need for that Provision of a coexistence of NAT and IP Sec, at least in selected situations, without that therefore serious configuration problems arise. (IP Version 4 is published in "Internet Protocol", RFC791, September 1981. IP version 6 is in Deering, S., Hinden, R., "Internet Protocol, Version 6 (IPv6) Specification", RFC2460, December 1998.)

A VPN connection between two address domains (address domains) can cause two domains to be linked directly connected, though most likely not was planned. Therefore, through the increased use of VPNs address conflicts probably enlarged. It will also be understood that VPNs new network visibility define and the likelihood of address collision Increase (address collision) when traversing NATs. Address management hidden behind NATs becomes one considerable burden. Therefore, the status of  Technology the need to reduce this burden.

In U.S. patent application serial number 09/240 720 a solution to this general problem of integration presented by IP-Sec and NAT. In a virtual private Network, the network address translation (network address translation) (NAT) is used, IP security is by means of Carrying out one or a combination of four types of VPN-NAT (VPN NAT) provided. (The description of three VPN NAT types from the legal successor file END9 1999 0129 US1 is included here from now on, and the fourth type is Subject of this application.) This includes dynamically generated NAT rules and their connection with the manually or dynamically generated security associations (security associations) for the exchange of Internet keys (Internet key exchange) (IKE) before the start of IP security, which the security associations used. (See Harkins, D., Carrel, D., "The Internet Key Exchange (IKE) "RFC2409, November 1998. The term 'Security Associations' is defined in RFC201, above.) If then IP-Sec for incoming and outgoing datagrams is also carried out NAT function performed. "Perform IP-Sec" means that the steps that the outgoing or incoming IP Sec processing involves executing as above the three IP-Sec RFCs (and others) defined. "NAT perform "means that the steps are performed that include VPN NAT processing, as described below in described in this application.

In U.S. patent application serial number 09/240 720, the Customer each individual VPN NAT rule as a separate VPN Configure connection. This is time consuming and error prone, and VPN connections are actually for that thought to protect traffic and should not be from  depend on special VPN NAT rules. That is, the rules have been implemented one-to-one so far, so NAT Number of required VPN connections increased.

It is an object of the invention to provide an improved and highly simplified system and procedure for the simultaneous execution of network address translation (NAT) and IP security (IP-Sec).

Furthermore, it is an object of the invention, a system and a method of reducing the elevated Probability of IP address conflicts to provide a virtual private network (VPN) brings with it.

Furthermore, it is an object of the invention, a system and to provide a method for using VPNs without that a reallocation of a domain (an expensive one Alternative) is required.

Furthermore, it is an object of the invention, a system and to provide a method for VPN-NAT without required changes in domain hosts completely in the IP Sec gateway can be brought about.

Furthermore, it is an object of the invention, a system and to provide a procedure for VPN-NAT that does not or only minor changes to the routing in each connected Domain requires.

Furthermore, it is an object of the invention, a system and to provide a procedure for VPN NAT that is easy to do is to configure.

Furthermore, it is an object of the invention to provide a solution for  address collision problems provide that are caused by VPNs.

Furthermore, it is an object of the invention to simplified solution for configuring VPN Providing connections through customers.

Furthermore, it is an object of the invention, an individual VPN connection to support multiple VPN NAT rules enable.

Furthermore, it is an object of the invention, a system and to provide a process to resolve conflicts among the implicitly or dynamically assigned VPN NAT rules avoids cross-system.

Furthermore, it is an object of the invention, a system and to provide a procedure that takes system administration time for dynamic NAT rules by eliminating the Need to manage numerous individual VPN Connections reduced for each NAT rule.

It is also an object of the invention to provide a VPN NAT To provide the system and method that the Network monitoring and the Traffic analysis simplified.

Summary of the invention

According to the invention, a system and a method for Integration of network address translation within one secured virtual private network. An internal network host is configured to selected traffic to a proxy network address send. A gateway of a virtual private network becomes  with an assignment table with translation rules for Network addresses translation rules configured. In response to the translation rules for Network addresses will then become a virtual private one Network connection started.

Other features and advantages of this invention will become apparent the following detailed description of the present preferred embodiment of the invention in connection with the accompanying drawings clearly.

Brief description of the drawings

Fig. 1 is a flow diagram of the VPN NAT method is the preferred embodiment of the invention.

Figure 2 illustrates destination outbound NAT used with source outbound NAT to allow two subnets with identical subnets to communicate in accordance with the preferred embodiment of the invention.

Fig. 3 illustrates static NAT, the simplest conventional NAT to show the relationship.

Figure 4 illustrates masquerade NAT, a type of conventional NAT to illustrate the relationship.

Figure 5 is an overview flow diagram illustrating the relationships between various program and data elements that the system and method of the invention employ.

Fig. 6 illustrates VPN NAT, type b (known as the "destination") (destination-out), according to the preferred embodiment of the invention.

Figure 7 is a diagram illustrating the intersection of address domains and the conditions under which destination-out and source-out network address translation is required.

Preferred embodiment of the invention

According to the preferred embodiment of the invention, the NAT problem is addressed by functions which, instead of a single NAT translation rule, contain VPN-NAT with several NAT translation rules which are valid for a single VPN connection. This considerably simplifies the configuration by the customer. Previously, each address that required NAT and VPN had to be configured separately. Regarding the previous US patent application, serial number 09/240 720, "Type a source-off" and "Type d target-on" -VPN-NAT is also in pending patent application serial number 09 / 578,215 and in the present application for "Type b Target-out "additional function provided. In order to avoid non-functioning IP-Sec connections with the inadvertent use of HIDE and ASSIGN NAT rules (known as "conventional NAT"), AH or ESP is checked during conventional NAT. HIDE and ASSIGN NAT rules are two basic forms of conventional NAT that are described below in connection with FIGS. 3 and 4. If a given NAT rule is valid for the IP packet (IP packet), except for the AH or ESP header, no address translation is carried out. This applies to incoming and outgoing NAT. Therefore, IP-Sec is preferred for conventional NAT (compared to VPN-NAT for IP-Sec or IP-Sec-NAT). IP-Sec takes precedence over conventional NAT.

Because at the time the NAT rules are loaded, not it is known whether there are any IP-Sec connections with each other could be in conflict (e.g. dynamic IP), the Checking such problems only with the actual NAT Processing takes place in the operating system kernel. If the Journaling for the rule is enabled (on) User visibility for these actions granted by displaying in a journal entry that a NAT rule fits into the datagram, but because of IP-Sec has not been carried out. In addition, a Log operating system kernel information of these actions for a limited number of occurrences per conventional NAT rule are provided. Similar can also have one message per connection instead of per occurrence in the job log of a connection manager or in a Connection journal will be provided.

"Journaling" and "Journal Entry" are terms that also refer to what is usually called "Logging" or "log entry" is known.

To enable that according to the in the parent application described invention, referred to as VPN-NAT NAT is used on the IP-Sec gateway with IP-Sec, customers retain private internal IP addresses. Increased Address collision is avoided by IP-Sec Connections on the IP-Sec gateway begin and end. An IP Sec gateway is a term defined in RFC2401, above is. The term "VPN connection" is another term which refers to what is usually associated with "IP-Sec-Tunnel" ("IP-Sec tunnel") is referred to, the latter in RFC2401, above.

Furthermore, according to the master registration, virtual private networks (VPN) are provided both in initiator and answering mode with an integrated NAT function. Security associations are negotiated using the correct external (NAT-rts) IP addresses, and the network address translation of corresponding internal (NAT lks) IP addresses is carried out by generated NAT rules in synchronism with the connection load for IPsec and IPSec -Processing in the operating system kernel. Incoming source IP addresses are translated just like the usual source IP address NAT on output (with a corresponding translation of the target IP address on input). A "VPN NAT rule" is represented in FIG. 3 by blocks 72 and 76 ; that is, the two lks and rts address sets include a VPN NAT rule.

According to the present invention, a single one supports VPN connection multiple VFN NAT rules by the customer allows you to specify a class of NAT rules that use a VPN connection, and allows that System, a special NAT binding (rule) from this class generate dynamically. Conflicts between the implicitly or dynamically assigned VPN NAT rules by linking customer-configured NAT address pools with system-wide local IP addresses avoided if the VPN NAT Type is incoming. The four VPN NAT types are in Table 1, below, defined.

Referring to Fig. 1, the method of the preferred embodiment of the invention for performing VPN NAT includes configuring connections that require NAT in step 20 , defining IPsec NAT address pools in step 22 , starting in step 24 of connections in initiator mode, in step 26 the start of answering mode connections (these are started at the other end of the connection), in step 28 the processing of SA pair updates and in step 30 the termination of the connections. (A NAT pool consists of a number of IP addresses.) Each of these steps is explained in more detail below.

In step 20 , the user decides on the connections that NAT requires and configures these connections. This is logically equivalent to writing NAT rules. The four cases where this should be considered are shown in Table 1.

TABLE 1

TYPES OF VPN NAT

in which
IDci = "Identifier of the client initiator"
IDcr = "Identifier of the client answering machine".

A VPN connection has four endpoints by definition:
two "connection endpoints" and two "data endpoints". (Transport mode then means that the connection endpoint is equal to the data endpoint at each end of the connection.) The terms IDci and IDcr refer in particular to the two data endpoints by indicating which is the initiator and which is the answerer (see RFC2409, above. ) These identifiers can take one of about six different forms that are part of the IDci, IDcr definitions. Identifier types are less relevant for this registration.

When specifying a special case of NAT, for example in an IP-Sec strategy database the user makes a yes / no decision, e.g. B. in one Check box. As used here, an IP refers Sec strategy on the full number of configured IP-Sec information about a system. This information are stored in a database that is stored as IP-Sec Database or IP-Sec strategy database is called. Answering mode NAT flags IDci and IDcr can be part of the Connection definition. The initiator mode flag can be part of the user-client pair that (only) with one "local client identifier" is linked. The answering machine NAT Flags IDci and IDcr can be set independently of each other become. Both are only relevant if the Connection definition an external initialization mode having.

In all cases in which the NAT flag has been "set" was, it was required that the appropriate Granularity value in the connection definition "s" (scalar) was. According to the present invention, this exists Limitation with dynamic VPN NAT no longer. This means, the granularities "s" (scalar), "f" (filter) and "c" (Client) all are supported. "Granularity" is used in RF02401, described above, on pages 15-16. According to one exemplary embodiment of the invention, for example the IBM AS / 400, "granularity" is as follows implemented: each VPN connection has five voters (selectors) (fields in a datagram that may checked to see if in the VPN connection  Traffic should be available; these are: source IP, target IP, source connection, destination connection and protocol. According to In this exemplary embodiment, each voter receives (selector) its value when starting a VPN connection either (1) from the strategy filter for this VPN connection (for voter granularity "f"), (2) individual values from IKE (for voter granularity "s") or (3) one contiguous range of values from IKE (for voter Granularity "c").

In reference to FIG. 2, the system illustrates an exemplary embodiment of the present invention, a possible customer configuration, contains the type "b destination of". Networks 462 and 466 are connected by VPN gateway A 470 and VPN gateway B 472 via network 460 . VPN gateway A 470 in this embodiment includes a domain name server (DNS) 468 and table 480 , which gateway 470 uses to provide the same aliases for external addresses as those on their own subnet 462 . (DNS 468 may reside within gateway 470 or on a host 474 elsewhere within network 462 behind the gateway 470 with respect to tunnel 482nd) The alias (for example, 10.90.5.37) is carried gateway 470 immediately prior to IP sec in its correct address used at the other end of tunnel 482 by gateway 472 . The addresses that are used for the VPN NAT originating from the destination are obtained in a different way than for the other three VPN NAT types. That is, according to the present invention, in conjunction with any remote VPN gateway 472 with which a given network 462 must communicate, a customer can configure a template or translation rule of a VPN NAT originating from the destination. For example, the rule shown in Table 480 could be expressed as follows: 10.5. *. *, Which means that all addresses in the displayed subnet are translated. The destination-from-NAT rule can specify a single IP address or multiple IP addresses in different forms as a range, a subnet, a list, or a combination of these.

Domain name server (DNS) 468 is configured to avoid redundant copies of information contained in DNS server 468 (configured). This use of DNS also simply solves the problem of how both the host 474 and VPN gateway 470 can share information (using the existing DNS protocol). DNS server 468 is configured for external hosts on intranets (such as network B 466) where IP addresses conflict or could conflict with network A 462. The logical information in Table 469 is configured in DNS 468 : a host name and two IP addresses. The first IP address 467 is returned by the DNS 468 for a normal "gethostbyname ()" query (type A entry). The second IP address 471 is returned by another query, perhaps using text entries from the DNS. (Table 480 in Fig. 2 is logically the same as Table 410 in Fig. 6.) The relationship between Table 469 in Fig. 2 and Table 410 , 480 is as follows: IP-Adr1 467 in Table 469 together form the left of Table 410 , 480 , and IP-Adr2 471 together form the rts of tables 410 , 480 .

Gateway 470 and all hosts 474 behind the gateway all access table 469 through normal DNS lookups. Hosts do a normal A-entry lookup (for example, using gethostbyname ()) and get IPaddr1 467 . VPN gateway 470 performs a query for IPaddr2 471 , which can be in the DNS text entry, for example.

In order to configure the DNS server 468 with corresponding information, a user can be provided with a graphical user interface in which logically organized information in table 469 can be provided directly by the user. This information can then be used in the graphical user interface (GUI) to update the corresponding DNS entries. In general, an entry would be made for each host with the following characteristics: it is outside of network A 462 , it is outside of intranet 466 , the addresses in 462 and 466 could conflict with one another, between networks 462 and 466 a VPN Connection used, for business reasons, hosts on network 462 must communicate with a particular host on network 466 . Thus, the DNS server 468 is used in a new and advantageous manner in accordance with the preferred embodiment of the invention, but which is supported by its current functionality. This means that this new use of DNS 458 solves the problem, as Tables 410 , 480 (especially the left column) is consistent across all hosts in network 462 and VPN gateway 470 . This problem must be solved because each host, e.g. B. 474 who wants to communicate with one of the external hosts, e.g. B. with 476 , the lks address of the external host must know. And the VPN gateway 470 must also know the same lks address for a given host 476 . DNS 468 is used to solve the problem of distributing general information without multiple copies and without the problems associated with maintaining multiple copies in circulation.

The way in which VPN-NAT-IP pools are related to network scenarios for the other three types - "a source-off", "c source-on" and "d destination-on" is serial number in the pending patent application 09 / 578,215, shown on May 23, 1999. For type "b target-out", the set of IPaddrl 467 (the entire column in table 469 ) is the logical equivalent for the NAT pools of the other three types. As configured in Table 469 , the pool is statically mapped to the rts. In the other three types, the pool is dynamically allocated when there is traffic. In other words, the binding time of an lk with an rts is for type "b target-out" the time in which a pair is configured in the DNS, this binding remaining until a reconfiguration. The link time of a link with an rts for the other types of NAT is the time during which traffic takes place that requires NAT to be performed, the link remaining for the duration of the traffic.

Referring back to FIG. 1, in step 22 the user defines a number of IP addresses that are available for the exclusive use of the VPN NAT function. Each pool can preferably be defined as a range of the IP address, but could also consist of a list of related addresses and is, of course, also with the units of the strategy database and local identifier IP-Sec (remote ID and local ID IP Sec Policy database entities) linked.

Referring back to FIG. 1, the connections are started in initiator mode in step 24 . As will be described in more detail below in connection with FIG. 5, the connection manager 300 ( FIG. 5) checks the do 313 flag in the VPN strategy database 304 when starting a connection in initiator mode in order to determine whether the local client ID needs to be translated. With continued reference to FIG. 5, the connection manager 300 generates the runtime allocation table 480 in FIG. 2 when target-out NAT is to be applied to a locally started VPN connection. This is done as follows: for each IP address that is defined (as a range, list, subnet or a combination) as a destination address for the VPN connection, the connection manager 300 carries out a DNS search (for example for the text entry) for this destination address to get the rts address. The destination address corresponds to IPaddr1 467 and the address returned by the DNS query corresponds to IPaddr2 471 in table 469 ( Fig. 2). IPaddr2 471 can be a globally routable address or a private (e.g. 10. *. *. *) Address. For a locally started VPN connection, connection manager 300 requests that IKE 330 ( FIG. 5) negotiate security associations or SA pairs (SAs) using the rts address. After IKE has completed the SAs, they are passed on to the connection manager in the start message 332 . For a remote connection, the SAs are passed on in the same way.

The NAT-rts IP address is assigned to the security association (security association) (SA) couple added by the SAs returned by the IKE is completed. The Connection manager then loads the connection to IPSec. On SA pair consists of two security associations (security associations) (defined by RFC2401, above), a incoming and an outgoing.

IPSec creates NAT rules for the two SAs. On output, NAT takes place after filtering and before IPSec; on input, NAT takes place after IPSec (and before filtering, if at all). In this sense, NAT "wraps" the local connection endpoint of the IPSec connection. In reference to FIGS. 3 and 4 conventional NAT functions are illustrated as background and contrast for subsequent figures, the VPN NAT type according to the invention.

In reference to FIG. 3, the simplest form of NAT is static. The two conventional NAT types are explicitly configured by the user by writing the corresponding NAT rule instructions via the OpNat GUI. This is in contrast to IPSec-NAT, in which the actual NAT rules or instructions are generated by the system. The ASSIGN instruction <ORDNE LEFT ZU rts ZU <of FIG. 3 and the HIDE instruction <HIDE IP-adr sentence BEHIND rts <of FIG. 4 are such NAT rule instructions.

Referring back to FIG. 3, if the outbound processing in step <1 <the source IP 70 matches lks 72 in the instruction "ORDNE lks ZU rts ZU", in step <2 <source ip 70 in rts 76 translated. If the incoming processing in step <3 <target ip 74 coincides with rts 76 , in step <4 <target ip 74 it is translated into links 72 . (Steps <1 <, <2 <... Refer to the circled numbers 1, 2... In the figures.)

Referring to Figure 4, Masquerade NAT (also called Network Address and Port Translation (NAPT)) uses the HIDE statement above and provides many to one address translation using its own port pools 118 (UDP, TCP) to be reminded how to translate the incoming traffic. In contrast to static NAT ( FIG. 3), masquerade NAT conversations <CONVERSATION source ip, source connection, rts ip, rts connection,. , . <can only be started by internal (left) addresses. Some VPN NAT types also use port assignment to allow multiple local hosts to communicate with the external system at the same time over the same VPN connection.

If it is determined again in reference to Fig. 4, in the processing of outgoing datagrams in step <1 <that the source IP address to be 90 in the IP address set 92 of the HIDE statement, in step <2 <is the CONVERSATION by copying source ip90 to CONVERSATION field 94 , in step <3 <by copying source port 98 to field 96 , in step <4 <by copying rts 104 in field 100 and in step <5 < Copy the rts port into field 102 from the correct pool of port pool 118 set up.

Then in step <6 <source IP 90 is translated to rts 104 , and in step <7 <source port 98 is changed to rts port 102 . If the processing of incoming datagrams in step <8 <destination IP address 106 and destination port 108 corresponds to the CONVERSATION fields rtsip 100 and rts port 102 , in step <9 <destination IP address 106 in CONVERSATION source -IP address 94 and translated in step <10 <destination port 108 to CONVERSATION source port 96 .

Some special situations are also caused by NAT overcome. This includes coping more specifically Situations created by FTP or ICMP that both contain the IP addresses that are translated. (FTP refers to the File Transfer Protocol Transfer files on the Internet) and is in RFC959 Are defined. ICMP refers to Internet Control Message Protocol (Internet Control Message Protocol) and is in RFC792 defined). The checksum will be recalculated carried out. As soon as a conversation in the masquerade NAT takes place instead of the original HIDE (retiring) rule later on datagrams The connection pools are checked for compliance managed, the duration of the conversations is measured, the conversations themselves are ended and the connections  assigned. It is a particular advantage of the invention that ICMP and FTP (including the famous FTP CONNECTION and PASV commands and accompanying problems) by VPN NAT are supported.

According to the present invention, dynamics are determined VPN NAT rules implemented as follows. The customer gives over one graphical user interface (GUI) that VPN-NAT to be carried out. Multiple IP addresses are for that Source IP address of locally started connections allowed. These multiple IP addresses are over a (contiguous) area or via address and mask or an address list or a combination of these Address representations specified. These form the Left-hand (lks) address set of the VPN NAT rule.

In Fig. 6 VPN NAT destination is illustrated. Since a destination-from-NAT is requested, the implicit ASSIGN rule 428 is created for a locally started conversation in step <-2 <by a number of DNS queries. For each lks - <- 2 <address, a query is carried out to retrieve the corresponding rts - <- 1 <address. There are important properties that all of these addresses have in common: (a) they are routable to in the internal network 462 ( Fig. 2) of the VPN gateway and to the VPN gateway, and (b) they become within the internal network not needed for any other purpose. Step <0 <is part of the start of the VPN connection and takes place during steps 24 and 26 ( FIG. 1). After the IKE negotiation using rts 424 is complete, the implicit ASSIGN rule is loaded into the operating system kernel in step <0 <. This step <0 <comprises the following steps; Load the connection SAs and connection filters and create an empty version of table 410 . For outbound processing, the destination IP address 434 of the outbound datagram is compared to the lks entry 436 in the local binding table 410 in step <1 <. If no match is found, no destination from NAT is necessary. If a match is found in step <2 <, the datagram destination IP address 434 is replaced by rts 438 of the entry (line, pair, rule are equivalent terms) that contains the matching lks 436 . Outgoing NAT processing is complete and the datagram moves to the next step in outgoing processing, ie to IP-Sec. After processing incoming IP-Sec, in step <3 <for incoming processing, the source IP address 442 is compared to rts entry 438 in the local binding table 410 . If no match is found, NAT is not necessary. If a match is found in step <4 <, the source IP address 442 is replaced with the lks 436 of the entry containing the matching rts 438 . Incoming NAT processing is complete and the datagram moves to the next step, which is usually TCP / IP protocol stake processing.

"Incoming" is the abbreviation for "incoming datagram". Datagrams flow out of the VPN gateway (known as "outbound traffic") and into the VPN gateway (known as "incoming traffic"). These two directions or Terms are in almost all communications, if not in basic in all cases, including discrete protocol-based communications such as TCP / IP and consequently in all functions connected with VPN-NAT.

The next step is to download to IPSec. When processing of remote connection traffic can be used for each incoming and outgoing packet (source and destination) two  Address translations are done.

Referring to FIG. 5, the connection manager server 300 looks at the connection definition 306 in the database 304 upon receipt of the start message (msg) 332 from the IKE server 330 and checks the NAT flags 314 . Before the start message 332 from the IKE server 330 to the connection manager 300 , a start message 332 goes from the connection manager 300 to the IKE 330 for locally started connections and not for remotely started messages. In both cases, start message 332 from IKE 330 to connection manager 300 is the same message. If one or more NAT remote flags source-out (qa) 308 , source-in (qe) 310 , destination-in (ze) 312 or destination-out (za) 313 is set, one or more IP addresses received from the corresponding NAT pool or from the DNS 468 ( FIG. 2).

If the connection manager 300 with respect to Fig. 5 in connection with Fig. 1 in step 28 SA-pair 302 receives updates, it copies the new SA-pair information in the SA pair table 322 in the bonding process memory 320.

In step 30 , connection manager 300 releases (makes available) any NAT IP address 52 , 54 that is associated with the connection upon termination of a connection 34 , 36 . NAT IP addresses are deleted from the corresponding list 316 maintained by the connection manager 300 .

Figure 7 shows the relationship between address domains and host addresses and shows whether destination-from-NAT and source-from-NAT are required. Each circle represents an address domain - A represents the address of a host 474 behind gateway 470 and B represents the address of an external host 476. In case I, neither the address of host A nor that of host B is within the join of their respective Address domains so that no network address translation (NAT) is required. In case II only the address of remote host B is within the link of the address domains; therefore, target-from-NAT is required and source-from-NAT is not. In case III the address of host A is within the join (join) of the address domains, but not the address of host B; therefore, source-from-NAT is required and destination-from-NAT is not. In case IV, the addresses of hosts A and B are within the join (join) of the address domains, whereby both source-from-NAT and destination-from-NAT are required.

Advantages over the state of the art

It is an advantage of the invention, an improved and strong simplified system and procedure for simultaneous Execution of network address translation (NAT) and IP To provide security (IP-Sec).

Furthermore, it is an advantage of the invention, a system and a method of reducing the elevated Probability of IP address conflicts to provide a virtual private network (VPN) brings with it.

Furthermore, it is an advantage of the invention, a system and to provide a method for using VPNs without that a reallocation of a domain (an expensive one Alternative) is required.

Furthermore, it is an advantage of the invention, a system and to provide a procedure for VPN NAT that is complete is achieved in the IP-Sec gateway without changes in Domain hosts are required.  

Furthermore, it is an advantage of the invention, a system and to provide a procedure for VPN-NAT that does not or only minor changes to the routing in each connected Domain requires.

Furthermore, it is an advantage of the invention, a system and to provide a procedure for VPN NAT that is easy to do is to configure.

It is also an advantage of the invention to provide a solution for to provide the address collision problems posed by VPNs caused.

It is also an advantage of the invention, a simplified solution for configuring VPN Providing connections through customers.

Furthermore, it is an advantage of the invention, a system and to provide a process that a single VPN Connection allows multiple VPN NAT rules support.

Furthermore, it is an advantage of the invention, a system and to provide a process to resolve conflicts among the implicitly or dynamically assigned VPN NAT rules avoids cross-system.

Furthermore, it is an advantage of the invention, a system and to provide a procedure that takes system administration time in systems for dynamic NAT rules by eliminating the Need to manage numerous individual VPN Connections reduced for each NAT rule.

It is also an advantage of the invention to use a VPN NAT To provide the system and method that the  Network monitoring and traffic analysis simplified.

It is also an advantage of the invention to use a VPN NAT To provide the system and method that the Network monitoring and traffic analysis simplified.

It is also an advantage of the invention to have an entire VPN To provide a NAT solution package that meets the needs of customers equivalent.

Furthermore, it is an advantage of the invention to provide a non-redundant method to Address connections for certain VPN NAT types configure and maintain.

Furthermore, it is an advantage of the invention that for everyone VPN NAT types Several VPN NAT rules per VPN connection can be specified.

Alternative embodiments

It is clear that, although specific embodiments of the Invention described here for the purpose of illustration various changes have been made can without departing from the spirit and scope of the invention. In particular, it is within the scope of the invention Computer program product or program element or one Program memory - the storage unit, such as a solid or liquid transmission medium, magnetic or optical wire, a tape or a plate or Something similar for storing machine-readable signals for Control the operation of a computer according to the procedure of the invention and / or for structuring its components according to the system of the invention.  

Furthermore, each step of the process can be done on any ordinary computers are running, for example on an IBM system 390, AS / 400, PC or the like and according to one or more or part of one or more Program elements, modules or objects created by a any programming language, such as for example C ++, Java, P1 / i, Fortran or the like. And furthermore, each step or file or one Object or the like each step executes, by special hardware or by one for this Circuit module designed for the purpose.

Accordingly, the scope of protection of this invention is limited only by the following claims and their equivalents.

Claims (19)

1. A method for integrating network address translation within a secured virtual private network, comprising the following steps:
Configuring an internal network host to send selected traffic to a proxy network address;
Configuring a virtual private network gateway with a mapping table of network address translation rules; and
Start a virtual private network connection according to the network address translation rules. 2. The method of claim 1, further comprising the step of Configuration of each rule includes a destination and include a replacement address. 3. The method of claim 2, further comprising using the virtual private network connection according to the following steps:
Generating a datagram at the internal network host;
Forwarding the datagram to the gateway;
Forwarding the datagram at the gateway through filter rules that define a virtual private network tunnel;
Process a destination address in the datagram accessing the assignment table in the virtual private network tunnel according to the following steps:
Searching the table for a match of the destination address with a left address of a left / right address pair;
Performing address translation by replacing the target address with the right address of the address pair if a match is found; and
Perform security processing. 4. The method of claim 3, further comprising the steps of:
Receipt of an incoming datagram at the gateway from an external host including a security note;
in response to the security notice, determining a connection address of the network source;
Process the network connection address according to the following steps:
Searching the table for a match of the source link address with a right address;
if a match is found, performing an address translation by replacing the source link address with the left entry of the address pair; and
Perform security processing. 5. The method of claim 4, wherein the step of Determining the receipt of a locally routable host Alias address for the external host from one Domain name server behind the gateway included. 6. A method of operating domain names, which includes:
Configure a domain name server behind a gateway to store locally routable host alias addresses for external hosts;
Structure of an allocation table by:
Displaying to a user a list of host names making up the left address entries;
Prompting the user to enter a corresponding right-hand alias address entry in response to a user's selection of an entry in the list;
Repeating the two steps of displaying and prompting for a plurality of mapping table entries;
Serve the alias address in response to a request from a gateway or host behind the gateway for a right-hand address. 7. System for integrating network address translation within a secured virtual private network, comprising:
an internal network host for sending selected traffic to a proxy network address;
an assignment table with translation rules of network addresses; and
a gateway that responds to the translation rules of network addresses to start a virtual private network connection. 8. The system of claim 7, wherein the translation rules for Network addresses a destination address and a replacement address include. 9. The system of claim 8, wherein the gateway is capable is in response to a datagram from the host Forward the datagram through filter rules that define a virtual private network tunnel, perform. 10. The system of claim 9, further comprising:
Means for processing a destination address in the datagram in the virtual private network tunnel, which can access the assignment table. 11. The system of claim 10, further comprising:
Means for searching the table for a match of the destination address with a left address of a left / right address pair;
Means capable of finding a match for performing address translation by replacing the destination address with the right address of the address pair; and
Means for performing security processing. 12. The system of claim 9, further comprising:
Receiving, including a security note;
Means responsive to the security notice received at the gateway in an incoming datagram from an external host to determine the connection address of a network source;
Means for processing the network link address by searching the table for a match of the source link address with a right address, and if a match is found, performing address translation by replacing the source link address with the left entry of the address pair; and
Perform security processing. 13. The system of claim 12, further comprising a Domain server behind the gateway includes both the Gateway as well as the local host with local routable host alias addresses for the external host to use. 14. Domain name service system comprising:
a domain name server behind a gateway for storing local routable host alias addresses for external hosts;
Means for generating a mapping table, wherein a user is presented with a list of host names that form the left-hand address entries and, in response to a user's selection of an entry in the list, receives repeated requests to enter a corresponding right-hand alias address entry; and
Means that responds to a request from a gateway or a host behind the gateway for a right-hand address to operate the alias address. 15. Process for performing VPN NAT destination, which includes the following steps:
Create a local binding table with rules that contain right-hand and left-hand rule entry pairs;
in response to a locally started conversation, requesting a network address translation, creating an implicit ASSIGN rule that contains left and right entries, by copying a local client ID into the left entry and receiving the right entry from an address pool created;
Performing security processing on the right entry;
Start a VPN connection and load a first implicit rule;
for outbound processing, comparing the destination address with the left rule entry in the local binding table and, if a match is found, replacing the destination address with the right rule entry; and
for inbound processing, comparing the source address with the right rule entry in the local binding table and, if a match is found, replacing the source address with the left rule entry. 16. Program storage unit readable by a machine that contains a real program with instructions that can be executed by a machine to carry out the method steps for integrating the network address translation within a secure virtual private network, the method comprising the following steps:
Configuring an internal network host to send selected traffic to a proxy network address;
Configuring a virtual private network gateway with a mapping table that includes network address translation rules;
Start a virtual private network connection according to the network address translation rules. 17. A machine readable program storage unit that contains a real program with instructions that can be executed by a machine to perform method steps for operating domain names, the method comprising the following steps:
Configure a domain name server behind a gateway to store locally routable host alias addresses for external hosts;
Structure of an allocation table by:
Displaying to a user a list of host names making up the left address entries;
in response to a user's selection of an entry in the list, prompting the user for a corresponding right-hand alias address entry;
Repeating the two steps of displaying and prompting for a plurality of mapping table entries;
in response to a request from a gateway or a host behind the gateway for a right hand address, serving the alias address. 18. A machine-readable program storage unit that contains a real program with instructions that can be executed by a machine in order to carry out procedural steps for performing VPN-NAT target-out, the method comprising the following steps:
Creating a local binding rule table that contains right-hand and left-hand rule entry pairs;
in response to a locally started conversation, requesting a network address translation, creating an implicit ASSIGN rule that contains left and right entries, by copying a local client ID into the left entry and receiving the right entry from an address pool created;
Performing security processing on the right entry;
Start a VPN connection including loading a first implicit rule;
for outbound processing, comparing the destination address with the left rule entry in the local binding table and, if a match is found, replacing the destination address with the right rule entry; and
for inbound processing, comparing the source address with the right rule entry in the local binding table and, if a match is found, replacing the source address with the left rule entry. 19. An article of manufacture comprising: a computer usable medium containing computer readable program code means for serving domain names, the computer readable program means in the article of manufacture comprising:
computer readable program code means for causing a computer to store locally routable host alias addresses for external hosts;
computer readable program code means for generating a mapping table, displaying to a user a list of host names making up the left address entries and in response to a user's selection of an entry in the list, recurring prompts by the user to enter a corresponding right alias address entry ; and
computer-readable program code means which responds to a request from a gateway or a host behind the gateway for a right-hand address for the operation of the alias address.