CA2548341A1 - Establishing a virtual private network for a road warrior - Google Patents


Info

Publication number: CA2548341A1
Authority: CA (Canada)
Prior art keywords: shared secret, user, request, address, private network
Legal status: Granted (current status: Expired - Fee Related)
Application number: CA002548341A
Other languages: French (fr)
Other versions: CA2548341C (en)
Inventors: Bruce Moon, Mark Enright
Current assignee: Cisco Technology Inc
Original assignee: Cisco Technology, Inc.; Bruce Moon; Mark Enright
Priority date: 2004-01-15
Filing date: 2005-01-13
Publication date: 2005-08-04

Events
Application filed by Cisco Technology, Inc., Bruce Moon, Mark Enright
Publication of CA2548341A1
Application granted
Publication of CA2548341C
Expired - Fee Related
Anticipated expiration

Classifications

All classifications fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:

    • H04L63/00 Network architectures or network communication protocols for network security
        • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
            • H04L63/0272 Virtual private networks
        • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
            • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
        • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
            • H04L63/061 Network architectures or network communication protocols for network security for supporting key management in a packet data network for key exchange, e.g. in peer-to-peer networks
        • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
            • H04L63/0823 Network architectures or network communication protocols for network security for authentication of entities using certificates
        • H04L63/16 Implementing security features at a particular protocol layer
            • H04L63/164 Implementing security features at a particular protocol layer at the network layer
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
        • H04L67/14 Session management

Abstract

Methods and devices are provided for establishing a VPN tunnel for a user whose IP address is not known in advance (a "road warrior"). The road warrior first initiates a secure authentication session with a security gateway. In some such implementations, the road warrior provides a username/password pair that the security gateway compares to a database of usernames that have been authorized to initiate a VPN tunnel. After authenticating the road warrior, the security gateway then determines the IP address of the road warrior, then makes a correlation between the IP address, user, and a shared secret allocated to the road warrior. If the road warrior uses the proper shared secret in connection with a request to establish a VPN tunnel, the security gateway will establish the VPN tunnel.

Claims (21)

1. A method of establishing a virtual private network tunnel, the method comprising:
receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
forming the encrypted tunnel;
authenticating the user;
determining an IP address of the user;
establishing a correspondence between the IP address and a first shared secret authorized for the user;
receiving a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
determining whether the first shared secret matches the second shared secret; and forming the virtual private network tunnel when the first shared secret matches the second shared secret.
2. The method of claim 1, wherein the first request comprises a request to form a Hypertext Transfer Protocol over Secure Socket Layer session.
3. The method of claim 1, wherein the authenticating step comprises receiving and verifying a username/password pair from the user.
4. The method of claim 1, wherein the second request comprises a request to form an IPSec tunnel.
5. The method of claim 1, wherein the establishing step comprises comparing a username and password provided by the user with a database of usernames, passwords and shared secrets.
6. The method of claim 1, wherein the second request incorporates a hashing function based on the second shared secret.
7. The method of claim 1, wherein the step of determining whether the first shared secret matches the second shared secret comprises attempting to decrypt at least a portion of the second request.
8. The method of claim 1, wherein the establishing step comprises making an entry in an IPSec table, the entry comprising the IP address and the first shared secret.
9. The method of claim 8, wherein the entry is a temporary entry that is deleted after the occurrence of a predetermined event.
10. The method of claim 9, wherein the predetermined event comprises a passage of a predetermined time.
11. The method of claim 9, further comprising the step of tearing down the virtual private network tunnel when the temporary entry is deleted.
12. A computer program embodied in a machine-readable medium, the computer program comprising instructions for controlling a security gateway to perform the following steps:
receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
forming the encrypted tunnel;
authenticating the user;
determining an IP address of the user;
establishing a correspondence between the IP address and a first shared secret authorized for the user;
receiving a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
determining whether the first shared secret matches the second shared secret; and forming the virtual private network tunnel when the first shared secret matches the second shared secret.
13. The computer program of claim 12, wherein the first request comprises a request to form a Hypertext Transfer Protocol over Secure Socket Layer session.
14. The computer program of claim 12, wherein the authenticating step comprises receiving and verifying a username/password pair from the user.
15. The computer program of claim 12, wherein the second request comprises a request to form an IPSec tunnel.
16. The computer program of claim 12, wherein the establishing step comprises comparing a username and password provided by the user with a database of usernames, passwords and shared secrets.
17. The computer program of claim 12, wherein the second request incorporates a hashing function based on the second shared secret.
18. The computer program of claim 12, wherein the step of determining whether the first shared secret matches the second shared secret comprises attempting to decrypt at least a portion of the second request.
19. A security gateway, comprising:
means for receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
means for forming the encrypted tunnel;
means for authenticating the user;
means for determining an IP address of the user;
means for establishing a correspondence between the IP address and a first shared secret authorized for the user;
means for receiving a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
means for determining whether the first shared secret matches the second shared secret; and means for forming the virtual private network tunnel when the first shared secret matches the second shared secret.
20. A security gateway, comprising:
a first port configured for communication with the Internet;
a second port configured for communication with a private network; and at least one processor configured to:
receive, via the first port, a first request to form an encrypted tunnel with a security gateway from a user whose IP address is not known in advance;
form the encrypted tunnel;
authenticate the user;
determine an IP address of the user;
establish a correspondence between the IP address and a first shared secret authorized for the user;
receive a second request from the user to form a virtual private network tunnel, the request incorporating a second shared secret;
determine whether the first shared secret matches the second shared secret; and form the virtual private network tunnel when the first shared secret matches the second shared secret.
21. A method of establishing a virtual private network tunnel, the method comprising:
receiving, from a user whose IP address is not known in advance, a first request to form an encrypted tunnel with a security gateway;
forming the encrypted tunnel;
authenticating the user;
determining an IP address of the user;
establishing a correspondence between the IP address and a subject of a digital certificate;
receiving a second request from the user to form a virtual private network tunnel, the request incorporating the digital certificate;
determining that the subject of the digital certificate is an expected subject; and forming the virtual private network tunnel when the subject of the digital certificate is the expected subject.
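The two-phase admission described in claims 1 and 4-11, worked through as a small gateway simulation. This is an added example, not the patent's or Cisco's code: the user database, IP addresses, nonce, HMAC-SHA256 keyed hash and 300-second lifetime are all constructed assumptions standing in for the HTTPS login, the IPsec table entry and the "hashing function based on the second shared secret" the claims describe.

```python
"""Added example (not the patent's or Cisco's code): two-phase 'road warrior'
admission from claims 1 and 4-11.  All names, formats and values are assumed."""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed database (claim 5): username -> (password, shared secret
# authorized for that user).  A real gateway would store a password hash.
USER_DB = {"alice": ("correct horse", b"alice-psk-0001")}
ENTRY_TTL = 300.0  # seconds; claim 10: the entry lapses after a fixed time


@dataclass
class IPsecEntry:  # claim 8: the table entry pairs the IP with the secret
    user: str
    psk: bytes
    expires_at: float


class SecurityGateway:
    def __init__(self):
        self.ipsec_table: dict[str, IPsecEntry] = {}
        self.tunnels: set[str] = set()

    def https_login(self, src_ip, username, password, now):
        """Phase 1 (claims 1-3): authenticate inside the encrypted HTTPS
        session and bind the observed source IP to the user's secret."""
        rec = USER_DB.get(username)
        if rec is None or not hmac.compare_digest(rec[0], password):
            return False
        self.ipsec_table[src_ip] = IPsecEntry(username, rec[1], now + ENTRY_TTL)
        return True

    def ipsec_request(self, src_ip, nonce, auth_tag, now):
        """Phase 2 (claims 4, 6, 7): accept the tunnel request only if the
        secret bound to this IP reproduces the keyed hash the client sent."""
        self._expire(now)
        entry = self.ipsec_table.get(src_ip)
        if entry is None:
            return False  # no live HTTPS authentication from this address
        expected = hmac.new(entry.psk, nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, auth_tag):
            return False  # second shared secret does not match the first
        self.tunnels.add(src_ip)
        return True

    def _expire(self, now):
        """Claims 9-11: delete lapsed entries and tear down their tunnels."""
        for ip in [ip for ip, e in self.ipsec_table.items() if e.expires_at <= now]:
            del self.ipsec_table[ip]
            self.tunnels.discard(ip)


def client_auth_tag(psk, nonce):
    """What the road warrior places in the second request (claim 6)."""
    return hmac.new(psk, nonce, hashlib.sha256).digest()


def scenario():
    """Run one road warrior through both phases; returns each step's outcome."""
    gw, ip, nonce = SecurityGateway(), "203.0.113.7", b"constructed-nonce"
    good = client_auth_tag(b"alice-psk-0001", nonce)
    steps = {
        "ipsec_before_https": gw.ipsec_request(ip, nonce, good, 0.0),
        "https_bad_password": gw.https_login(ip, "alice", "wrong", 1.0),
        "https_ok": gw.https_login(ip, "alice", "correct horse", 2.0),
        "ipsec_from_other_ip": gw.ipsec_request("198.51.100.9", nonce, good, 3.0),
        "ipsec_wrong_psk": gw.ipsec_request(ip, nonce, client_auth_tag(b"x", nonce), 4.0),
        "ipsec_ok": gw.ipsec_request(ip, nonce, good, 5.0),
        "ipsec_after_ttl": gw.ipsec_request(ip, nonce, good, 2.0 + ENTRY_TTL + 1.0),
    }
    steps["tunnel_torn_down"] = ip not in gw.tunnels and ip not in gw.ipsec_table
    return steps
```

Only the `ipsec_ok` step is accepted: the request from an unbound address, the request with the wrong secret, and the request after the entry's lifetime are all refused, and the expiry also removes the tunnel that was established at step `ipsec_ok`.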

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US10/758,757 US7305706B2 (en) 2004-01-15 2004-01-15 Establishing a virtual private network for a road warrior
PCT/US2005/001235 WO2005069864A2 (en) 2004-01-15 2005-01-13 Establishing a virtual private network for a road warrior

Publications (2)

Publication Number Publication Date
CA2548341A1 (en) 2005-08-04
CA2548341C CA2548341C (en) 2010-01-12

Family

ID: 34749571

Family Applications (1)

Application Number Title Priority Date Filing Date
CA002548341A Expired - Fee Related CA2548341C (en) 2004-01-15 2005-01-13 Establishing a virtual private network for a road warrior

Country Status (6)

Country Link
US (1) US7305706B2 (en)
EP (1) EP1730651B1 (en)
CN (1) CN101076796B (en)
AU (1) AU2005206904B2 (en)
CA (1) CA2548341C (en)
WO (1) WO2005069864A2 (en)

Also Published As

Publication number Publication date
US7305706B2 (en) 2007-12-04
CN101076796A (en) 2007-11-21
AU2005206904A1 (en) 2005-08-04
US20050160290A1 (en) 2005-07-21
CN101076796B (en) 2010-12-15
AU2005206904B2 (en) 2010-02-11
WO2005069864A2 (en) 2005-08-04
EP1730651A4 (en) 2013-12-25
CA2548341C (en) 2010-01-12
EP1730651B1 (en) 2018-10-31
EP1730651A2 (en) 2006-12-13
WO2005069864A3 (en) 2006-10-26

Legal Events

Code Title Description
EEER Examination request
MKLA Lapsed (Effective date: 20180115)