CA2548341A1 - Establishing a virtual private network for a road warrior
- Publication number: CA2548341A1
- Authority: CA (Canada)
- Prior art keywords
- shared secret
- user
- request
- address
- private network
- Prior art date
- Legal status: Granted
Classifications (all under H—ELECTRICITY > H04—ELECTRIC COMMUNICATION TECHNIQUE > H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION)
- H04L63/00—Network architectures or network communication protocols for network security
  - H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    - H04L63/0272—Virtual private networks
  - H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    - H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
  - H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
    - H04L63/061—Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
  - H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
    - H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
  - H04L63/16—Implementing security features at a particular protocol layer
    - H04L63/164—Implementing security features at a particular protocol layer at the network layer
- H04L67/00—Network arrangements or protocols for supporting network services or applications
  - H04L67/14—Session management
Abstract
Methods and devices are provided for establishing a VPN tunnel for a user whose IP address is not known in advance (a "road warrior"). The road warrior first initiates a secure authentication session with a security gateway. In some such implementations, the road warrior provides a username/password pair that the security gateway compares to a database of usernames that have been authorized to initiate a VPN tunnel. After authenticating the road warrior, the security gateway determines the road warrior's IP address and records a correlation between that IP address, the user, and a shared secret allocated to the road warrior. If the road warrior then uses the proper shared secret in a request to establish a VPN tunnel, the security gateway establishes the VPN tunnel.
Claims (21)
1. A method of establishing a virtual private network tunnel, the method comprising:
receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
forming the encrypted tunnel;
authenticating the user;
determining an IP address of the user;
establishing a correspondence between the IP address and a first shared secret authorized for the user;
receiving a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
determining whether the first shared secret matches the second shared secret; and forming the virtual private network tunnel when the first shared secret matches the second shared secret.
2. The method of claim 1, wherein the first request comprises a request to form a Hypertext Transfer Protocol over Secure Socket Layer session.
3. The method of claim 1, wherein the authenticating step comprises receiving and verifying a username/password pair from the user.
4. The method of claim 1, wherein the second request comprises a request to form an IPSec tunnel.
5. The method of claim 1, wherein the establishing step comprises comparing a username and password provided by the user with a database of usernames, passwords and shared secrets.
6. The method of claim 1, wherein the second request incorporates a hashing function based on the second shared secret.
7. The method of claim 1, wherein the step of determining whether the first shared secret matches the second shared secret comprises attempting to decrypt at least a portion of the second request.
8. The method of claim 1, wherein the establishing step comprises making an entry in an IPSec table, the entry comprising the IP address and the first shared secret.
9. The method of claim 8, wherein the entry is a temporary entry that is deleted after the occurrence of a predetermined event.
10. The method of claim 9, wherein the predetermined event comprises a passage of a predetermined time.
11. The method of claim 9, further comprising the step of tearing down the virtual private network tunnel when the temporary entry is deleted.
12. A computer program embodied in a machine-readable medium, the computer program comprising instructions for controlling a security gateway to perform the following steps:
receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
forming the encrypted tunnel;
authenticating the user;
determining an IP address of the user;
establishing a correspondence between the IP address and a first shared secret authorized for the user;
receiving a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
determining whether the first shared secret matches the second shared secret; and forming the virtual private network tunnel when the first shared secret matches the second shared secret.
13. The computer program of claim 12, wherein the first request comprises a request to form a Hypertext Transfer Protocol over Secure Socket Layer session.
14. The computer program of claim 12, wherein the authenticating step comprises receiving and verifying a username/password pair from the user.
15. The computer program of claim 12, wherein the second request comprises a request to form an IPSec tunnel.
16. The computer program of claim 12, wherein the establishing step comprises comparing a username and password provided by the user with a database of usernames, passwords and shared secrets.
17. The computer program of claim 12, wherein the second request incorporates a hashing function based on the second shared secret.
18. The computer program of claim 12, wherein the step of determining whether the first shared secret matches the second shared secret comprises attempting to decrypt at least a portion of the second request.
19. A security gateway, comprising:
means for receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
means for forming the encrypted tunnel;
means for authenticating the user;
means for determining an IP address of the user;
means for establishing a correspondence between the IP address and a first shared secret authorized for the user;
means for receiving a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
means for determining whether the first shared secret matches the second shared secret; and means for forming the virtual private network tunnel when the first shared secret matches the second shared secret.
20. A security gateway, comprising:
a first port configured for communication with the Internet;
a second port configured for communication with a private network; and at least one processor configured to:
receive, via the first port, a first request to form an encrypted tunnel with a security gateway from a user whose IP address is not known in advance;
form the encrypted tunnel;
authenticate the user;
determine an IP address of the user;
establish a correspondence between the IP address and a first shared secret authorized for the user;
receive a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
determine whether the first shared secret matches the second shared secret; and form the virtual private network tunnel when the first shared secret matches the second shared secret.
21. A method of establishing a virtual private network tunnel, the method comprising:
receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
forming the encrypted tunnel;
authenticating the user;
determining an IP address of the user;
establishing a correspondence between the IP address and a subject of a digital certificate;
receiving a second request from the user to form a virtual private network tunnel, the request incorporating the digital certificate;
determining that the subject of the digital certificate is an expected subject; and forming the virtual private network tunnel when the subject of the digital certificate is the expected subject.
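The two-phase check that claims 1-11 describe, as an added example written for this page (it is not code from the patent or from any product implementing it): phase 1 authenticates the user inside an already-encrypted session and writes a temporary IPsec-table entry binding the observed source IP to that user's shared secret; phase 2 accepts an IPsec request only if it arrives from an IP with a live entry and carries a keyed hash computed with the same secret, and entries (and their tunnels) lapse after a fixed time. The user-record layout, the use of HMAC-SHA256 over a client nonce as the "hashing function based on the shared secret", and the entry lifetime are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PBKDF2_ROUNDS = 100_000  # cost of the username/password check (claim 3)


@dataclass
class IpsecEntry:
    """Temporary IPsec-table entry tying an observed IP to a user's secret (claim 8)."""
    user: str
    secret: bytes
    expires_at: float
    tunnel_up: bool = False


def make_user_record(password, shared_secret):
    """Constructed stand-in for the gateway's username/password/secret database (claim 5)."""
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, pw_hash, shared_secret


def client_tunnel_request(shared_secret, nonce):
    """Road warrior's side of the second request: a keyed hash over a nonce, i.e. a
    'hashing function based on the second shared secret' (claim 6); the secret itself
    never leaves the client.  (Assumed construction, not specified by the patent.)"""
    return hmac.new(shared_secret, nonce, hashlib.sha256).digest()


class SecurityGateway:
    def __init__(self, users, entry_ttl=300.0, clock=time.monotonic):
        self._users = users    # username -> (salt, pw_hash, shared_secret)
        self._table = {}       # IPsec table: source IP -> IpsecEntry
        self._ttl = entry_ttl  # predetermined lifetime of an entry (claim 10)
        self._clock = clock    # injectable so expiry is testable

    def authenticate(self, src_ip, username, password):
        """Phase 1: credentials arrive inside the already-encrypted session (claims
        2-3); on success, record the IP <-> shared-secret correspondence."""
        record = self._users.get(username)
        if record is None:
            return False
        salt, pw_hash, shared_secret = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        if not hmac.compare_digest(candidate, pw_hash):
            return False
        self._table[src_ip] = IpsecEntry(username, shared_secret, self._clock() + self._ttl)
        return True

    def request_tunnel(self, src_ip, nonce, mac):
        """Phase 2: accept the IPsec request only from an IP with a live entry AND
        only if it proves possession of that entry's secret (claims 1, 6, 7).  The
        IP merely selects the entry; the keyed hash is what authenticates."""
        self.expire_entries()
        entry = self._table.get(src_ip)
        if entry is None:
            return False
        expected = hmac.new(entry.secret, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        entry.tunnel_up = True
        return True

    def expire_entries(self):
        """Delete entries past their lifetime; the tunnel goes with the entry (claims 9-11)."""
        now = self._clock()
        for ip in [ip for ip, e in self._table.items() if now >= e.expires_at]:
            del self._table[ip]

    def tunnel_is_up(self, src_ip):
        entry = self._table.get(src_ip)
        return entry is not None and entry.tunnel_up
```

Because the table is keyed by source IP, a request from any other address is refused before the hash is even checked, and a request from the right address with the wrong secret is refused by the constant-time comparison; injecting a clock lets the lapse-and-teardown path be exercised without waiting.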
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US10/758,757 US7305706B2 (en) | 2004-01-15 | 2004-01-15 | Establishing a virtual private network for a road warrior |
PCT/US2005/001235 WO2005069864A2 (en) | 2004-01-15 | 2005-01-13 | Establishing a virtual private network for a road warrior |
Publications (2)
Publication Number | Publication Date |
---|---|
CA2548341A1 (en) | 2005-08-04 |
CA2548341C CA2548341C (en) | 2010-01-12 |
Family
ID=34749571
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CA002548341A Expired - Fee Related CA2548341C (en) | 2004-01-15 | 2005-01-13 | Establishing a virtual private network for a road warrior |
Country Status (6)
Country | Link |
---|---|
US (1) | US7305706B2 (en) |
EP (1) | EP1730651B1 (en) |
CN (1) | CN101076796B (en) |
AU (1) | AU2005206904B2 (en) |
CA (1) | CA2548341C (en) |
WO (1) | WO2005069864A2 (en) |
Families Citing this family (26)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7391865B2 (en) * | 1999-09-20 | 2008-06-24 | Security First Corporation | Secure data parser method and system |
US20060041741A1 (en) * | 2004-08-23 | 2006-02-23 | Nokia Corporation | Systems and methods for IP level decryption |
CA2922172A1 (en) | 2004-10-25 | 2006-05-04 | Security First Corp. | Secure data parser method and system |
JP2006148661A (en) * | 2004-11-22 | 2006-06-08 | Toshiba Corp | Remote control system for information terminal, remote access terminal therefor, gateway server therefor, information terminal controller therefor, information terminal apparatus, and remote control method therefor |
US8547874B2 (en) * | 2005-06-30 | 2013-10-01 | Cisco Technology, Inc. | Method and system for learning network information |
US8621577B2 (en) * | 2005-08-19 | 2013-12-31 | Samsung Electronics Co., Ltd. | Method for performing multiple pre-shared key based authentication at once and system for executing the method |
US7962743B2 (en) * | 2006-05-22 | 2011-06-14 | Cisco Technology, Inc. | System and method for protected spoke to spoke communication using an unprotected computer network |
US20070283430A1 (en) * | 2006-06-02 | 2007-12-06 | Research In Motion Limited | Negotiating vpn tunnel establishment parameters on user's interaction |
US8417868B2 (en) * | 2006-06-30 | 2013-04-09 | Intel Corporation | Method, apparatus and system for offloading encryption on partitioned platforms |
US20080137859A1 (en) * | 2006-12-06 | 2008-06-12 | Ramanathan Jagadeesan | Public key passing |
JP5138359B2 (en) * | 2007-12-27 | 2013-02-06 | エヌ・ティ・ティ アイティ株式会社 | Remote access method |
US8312147B2 (en) * | 2008-05-13 | 2012-11-13 | Adobe Systems Incorporated | Many-to-one mapping of host identities |
WO2010127610A1 (en) * | 2009-05-04 | 2010-11-11 | 成都市华为赛门铁克科技有限公司 | Method, equipment and system for processing visual private network node information |
JP5650238B2 (en) | 2009-11-25 | 2015-01-07 | セキュリティー ファースト コープ. | System and method for securing data in motion |
CA2795206C (en) | 2010-03-31 | 2014-12-23 | Rick L. Orsini | Systems and methods for securing data in motion |
WO2011150346A2 (en) | 2010-05-28 | 2011-12-01 | Laurich Lawrence A | Accelerator system for use with secure data storage |
EP2619939A2 (en) | 2010-09-20 | 2013-07-31 | Rick L. Orsini | Systems and methods for secure data sharing |
CN102281179A (en) * | 2011-06-27 | 2011-12-14 | 上海安达通信息安全技术股份有限公司 | VPN tunnel relay acceleration technology |
US10140049B2 (en) | 2012-02-24 | 2018-11-27 | Missing Link Electronics, Inc. | Partitioning systems operating in multiple domains |
CN102882859B (en) * | 2012-09-13 | 2015-08-05 | 广东电网公司电力科学研究院 | A kind of safety protecting method based on public network data transmission information system |
CN103259736A (en) * | 2013-05-24 | 2013-08-21 | 杭州华三通信技术有限公司 | Tunnel building method and network equipment |
US9942200B1 (en) * | 2014-12-02 | 2018-04-10 | Trend Micro Inc. | End user authentication using a virtual private network |
US20170310655A1 (en) * | 2014-12-04 | 2017-10-26 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure connections establishment |
US10051000B2 (en) * | 2015-07-28 | 2018-08-14 | Citrix Systems, Inc. | Efficient use of IPsec tunnels in multi-path environment |
US10231151B2 (en) | 2016-08-24 | 2019-03-12 | Parallel Wireless, Inc. | Optimized train solution |
US10868803B2 (en) * | 2017-01-13 | 2020-12-15 | Parallel Wireless, Inc. | Multi-stage secure network element certificate provisioning in a distributed mobile access network |
Family Cites Families (31)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1997040610A2 (en) | 1996-04-24 | 1997-10-30 | Northern Telecom Limited | Internet protocol filter |
US6061346A (en) * | 1997-01-17 | 2000-05-09 | Telefonaktiebolaget Lm Ericsson (Publ) | Secure access method, and associated apparatus, for accessing a private IP network |
US6275941B1 (en) | 1997-03-28 | 2001-08-14 | Hitachi, Ltd. | Security management method for network system |
US6229894B1 (en) | 1997-07-14 | 2001-05-08 | Entrust Technologies, Ltd. | Method and apparatus for access to user-specific encryption information |
US6202156B1 (en) | 1997-09-12 | 2001-03-13 | Sun Microsystems, Inc. | Remote access-controlled communication |
US6064736A (en) | 1997-09-15 | 2000-05-16 | International Business Machines Corporation | Systems, methods and computer program products that use an encrypted session for additional password verification |
US6631402B1 (en) | 1997-09-26 | 2003-10-07 | Worldcom, Inc. | Integrated proxy interface for web based report requester tool set |
US6070244A (en) | 1997-11-10 | 2000-05-30 | The Chase Manhattan Bank | Computer network security management system |
US6339595B1 (en) | 1997-12-23 | 2002-01-15 | Cisco Technology, Inc. | Peer-model support for virtual private networks with potentially overlapping addresses |
JPH11338798A (en) | 1998-05-27 | 1999-12-10 | Ntt Communication Ware Kk | Network system and computer readable recording medium recording program |
US6470453B1 (en) | 1998-09-17 | 2002-10-22 | Cisco Technology, Inc. | Validating connections to a network system |
US6154543A (en) | 1998-11-25 | 2000-11-28 | Hush Communications Anguilla, Inc. | Public key cryptosystem with roaming user capability |
US6678283B1 (en) | 1999-03-10 | 2004-01-13 | Lucent Technologies Inc. | System and method for distributing packet processing in an internetworking device |
US6081900A (en) * | 1999-03-16 | 2000-06-27 | Novell, Inc. | Secure intranet access |
US6678827B1 (en) | 1999-05-06 | 2004-01-13 | Watchguard Technologies, Inc. | Managing multiple network security devices from a manager device |
GB2364477B (en) | 2000-01-18 | 2003-11-05 | Ericsson Telefon Ab L M | Virtual private networks |
GB2366631B (en) | 2000-03-04 | 2004-10-20 | Ericsson Telefon Ab L M | Communication node, communication network and method of recovering from a temporary failure of a node |
JP2002077274A (en) | 2000-08-31 | 2002-03-15 | Toshiba Corp | Home gateway device, access server and communication method |
US20020042883A1 (en) | 2000-10-04 | 2002-04-11 | Soundvoice Limited | Method and system for controlling access by clients to servers over an internet protocol network |
US20030041268A1 (en) | 2000-10-18 | 2003-02-27 | Noriaki Hashimoto | Method and system for preventing unauthorized access to the internet |
KR100416541B1 (en) | 2000-11-30 | 2004-02-05 | 삼성전자주식회사 | Method for accessing to home-network using home-gateway and home-portal sever and apparatus thereof |
US6983381B2 (en) | 2001-01-17 | 2006-01-03 | Arcot Systems, Inc. | Methods for pre-authentication of users using one-time passwords |
US20020129271A1 (en) | 2001-03-12 | 2002-09-12 | Lucent Technologies Inc. | Method and apparatus for order independent processing of virtual private network protocols |
GB2378009B (en) | 2001-07-27 | 2005-08-31 | Hewlett Packard Co | Method of establishing a secure data connection |
US20030204752A1 (en) | 2001-08-13 | 2003-10-30 | Garrison Greg B. | System and method for securely accessing a database from a remote location |
JP2003091503A (en) | 2001-09-14 | 2003-03-28 | Toshiba Corp | Authentication method using port access and server equipment to which the same is applied |
JP3864743B2 (en) | 2001-10-04 | 2007-01-10 | 株式会社日立製作所 | Firewall device, information device, and information device communication method |
KR100470915B1 (en) | 2001-12-28 | 2005-03-08 | 한국전자통신연구원 | Method for controlling internet information security system in ip packet level |
JP2003304268A (en) | 2002-04-12 | 2003-10-24 | Nec Corp | Server, user restriction type home server access system having the server and access control method |
US7159242B2 (en) | 2002-05-09 | 2007-01-02 | International Business Machines Corporation | Secure IPsec tunnels with a background system accessible via a gateway implementing NAT |
US7596629B2 (en) | 2002-11-21 | 2009-09-29 | Cisco Technology, Inc. | System and method for interconnecting heterogeneous layer 2 VPN applications |
2004
- 2004-01-15 US US10/758,757 patent/US7305706B2/en active Active
2005
- 2005-01-13 CN CN2005800013848A patent/CN101076796B/en active Active
- 2005-01-13 EP EP05705710.1A patent/EP1730651B1/en active Active
- 2005-01-13 CA CA002548341A patent/CA2548341C/en not_active Expired - Fee Related
- 2005-01-13 AU AU2005206904A patent/AU2005206904B2/en not_active Ceased
- 2005-01-13 WO PCT/US2005/001235 patent/WO2005069864A2/en active Application Filing
Also Published As
Publication number | Publication date |
---|---|
US7305706B2 (en) | 2007-12-04 |
CN101076796A (en) | 2007-11-21 |
AU2005206904A1 (en) | 2005-08-04 |
US20050160290A1 (en) | 2005-07-21 |
CN101076796B (en) | 2010-12-15 |
AU2005206904B2 (en) | 2010-02-11 |
WO2005069864A2 (en) | 2005-08-04 |
EP1730651A4 (en) | 2013-12-25 |
CA2548341C (en) | 2010-01-12 |
EP1730651B1 (en) | 2018-10-31 |
EP1730651A2 (en) | 2006-12-13 |
WO2005069864A3 (en) | 2006-10-26 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CA2548341A1 (en) | Establishing a virtual private network for a road warrior | |
US9819666B2 (en) | Pass-thru for client authentication | |
US7587598B2 (en) | Interlayer fast authentication or re-authentication for network communication | |
KR100883648B1 (en) | Method of access control in wireless environment and recording medium in which the method is recorded | |
US7913080B2 (en) | Setting information distribution apparatus, method, program, and medium, authentication setting transfer apparatus, method, program, and medium, and setting information reception program | |
US6971005B1 (en) | Mobile host using a virtual single account client and server system for network access and management | |
US8893240B2 (en) | Mobile host using a virtual single account client and server system for network access and management | |
WO2005006703A3 (en) | System and method for authenticating clients in a client-server environment | |
US11451959B2 (en) | Authenticating client devices in a wireless communication network with client-specific pre-shared keys | |
EP1540878A1 (en) | Linked authentication protocols | |
WO2005065132B1 (en) | System, method, and devices for authentication in a wireless local area network (wlan) | |
CA2540590A1 (en) | System and method for secure access | |
US20060021036A1 (en) | Method and system for network security management | |
CN114553430B (en) | SDP-based safety access system for power service terminal | |
CA2571814A1 (en) | System and method for secure access | |
CN101212465B (en) | Method for authenticating validity of IKE V2 certificate | |
CN113645115B (en) | Virtual private network access method and system | |
Kâafar et al. | A Kerberos-based authentication architecture for Wireless Lans | |
CN116506199A (en) | Service hiding method based on dynamic seed SPA single packet detection | |
CN114189855A (en) | DSA algorithm-based Portal authentication method |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| EEER | Examination request | |
| MKLA | Lapsed | Effective date: 20180115 |