Flexible automated connection to virtual private networks
Abstract
A network interface unit is provided for use intermediate a LAN and a public or private network, or a combination of both, for establishing secure links to a VPN gateway. Login by a LAN client with the network interface unit, addressing, authentication, and other configuration operations achieved using a web page-based GUI are applied in establishing tunnels from LAN clients to desired VPN destinations. Illustrative network interface units include a DHCP server and provide encryption-decryption and encapsulation-decapsulation of data packets for communication with VPN nodes. Configuration and connection of a client are further enhanced by a built-in DNS server and other functional servers to provide a high degree of autonomy in establishing connections to a desired VPN gateway via an ISP or other public and/or private network links to. The interface unit then performs required authentication exchanges, and required encryption key exchanges.
Claims
exact text as granted — not AI-modified1 . A method performed at a network interface unit (NIU) for communicating data packets over a non-secure network between client devices on a local area network (LAN) and an access node for a secure virtual private network (VPN) comprising
authenticating at least one of said client devices seeking to access said VPN, thereby establishing at least one authenticated client device, sending configuration information from a configuration server at said NIU to said authenticated client devices, sending at least one menu from a GUI server at said NIU to authenticated client devices, receiving at least a first message reflecting at least one selection at at least one of said authenticated client devices from said at least one menu, and means for accessing said non-secure network using information in said at least a first message, and establishing a secure connection between said non-secure network and said access node using a security server at said NIU.
2 . The method of claim 1 wherein said configuration information for each authenticated client device comprises information received on behalf of each of said client devices upon an initial authenticating of respective ones of said client devices.
3 . The method of claim 1 wherein said authenticating comprises
sending a GUI page to each client device seeking access to said VPN, said GUI page soliciting authentication information, and receiving authentication information from client devices seeking access to said VPN, and authenticating said at least one client device seeking access to said VPN when received authentication information bears a predetermined relationship to information stored at said NIU for respective ones of said client devices.
4 . The method of claim 1 further comprising storing a plurality of web pages for use by said GUI server.
5 . The method of claim 1 wherein said at least one menu comprises a main menu comprising selections corresponding to predefined access connections to said non-secure network.
6 . The method of claim 5 wherein said first message comprises information indicating a selection of a predefined access connection to said non-secure network.
7 . The method of claim 6 wherein said predefined access connection is a dial-up connection and said accessing of said non-secure network is accomplished using configuration information corresponding to said dial-up connection.
8 . The method of claim 5 wherein said first message comprises information indicating a selection of a predefined type of access connection to said non-secure network.
9 . The method of claim 8 further comprising sending a second menu from said GUI server to a client device seeking access to said VPN in response to said first message, said second menu including information regarding at least one connection to said non-secure network, said second menu including only information for connections of only said predefined type.
10 . The method of claim 9 wherein said predefined type of connection is a dial-up connection.
11 . The method of claim 9 wherein said predefined type of connection is a network connection employing a fixed IP address.
12 . The method of claim 9 wherein said predefined type of connection is a network connection employing a temporary IP address.
13 . The method of claim 12 further comprising accessing a DHCP server at said NIU to obtain said temporary IP address.
14 . The method of claim 12 further comprising accessing a DHCP server in said non-secure network to obtain said temporary IP address, said accessing of said DHCP server comprising employing a DHCP client at said NIU to access said DHCP server in said non-secure network.
15 . The method of claim 9 wherein said predefined type of connection is a network connection employing a fixed point-to-point over Ethernet (PPPOE) address.
16 . The method of claim 5 wherein said first message comprises information indicating a request for a new connection to said non-secure network.
17 . The method of claim 16 further comprising sending a form from said GUI server to a client device seeking access to said VPN in response to said first message, said form soliciting information regarding said new connection.
18 . The method of claim 17 wherein said new connection is a dial-up connection, and said information solicited by said form comprises dial-up information relating to said new connection.
19 . The method of claim 18 wherein said new connection is a network connection, and said information solicited by said form comprises network information relating to said new connection.
20 . The method of claim 16 further comprising storing information received from a client device responding to said form, said information being stored as configuration information associated with said responding client device relating to a connection of an indicated type.
21 . The method of claim 20 wherein said storing configuration information comprises storing configuration information in a removable memory module.
22 . A method practiced at a network interface unit (NIU) for communicating data packets over a non-secure network between client devices on at least one local area networl (LAN) and at least one access node of a secure virtual private network (VPN), the method comprising
receiving data packets from said devices by way of said LANs, multiplexing said data packets into at least one packet data stream, modifying said packet data streams in a security server in accordance with a secure communications protocol by encrypting packets in said data streams and encapsulating resulting encrypted packets, providing network destination address information from a DNS server for at least selected ones of said data streams.
23 . The method of claim 22 wherein said modifying said packet data streams ona security server comprises modifying said packet streams in an IPsec server.
24 . The method of claim 23 further comprising
receiving at least one stream of data packets from said non-secure network, filtering out packets in said streams received packets that are not from said VPN network, said filtering being performed by a firewall in said security server, modifying said packets in said at least one stream by decrypting said packets in said at least one received data stream and decapsulating resulting decrypted packets, said decrypting and decapsulating being performed by said security server, demultiplexing said at least one stream of received data packets to form at least one demultiplexed stream of data packets for delivery to said at least one LAN.
25 . The method of claim 24 further comprising
authenticating client devices on said at least one LAN, and wherein packets from authenticated client devices on said at least one LAN that are received at said network interface device are processed as packets received from said VPN.
26 . A method for securely communicating data packets over a non-secure network between client devices on a local area network (LAN) and a secure network, the method performed at a network interface unit (NIU) appearing as a device on said LAN, the method comprising
(1) authenticating at least one of said client devices seeking to access said secure network, thereby establishing at least one authenticated client device, (2) sending configuration information from a configuration server in said NIU to at least one of said at least one authenticated client device, thereby establishing at least one configured client device, (3) in response to a request from at least one configured client device to connect to said secure network, providing destination address resolution information from a Domain Name System (DNS) server in said NIU, (4) establishing a secure VPN connection between said at least one configured client device and an access node at an address provided by said DNS server, said secure VPN connection using a security server in said NIU.
27 . The method of claim 26 wherein said NIU is a portable unit and said method further comprises connecting said NIU as a device on said LAN.
28 . The method of claim 26 wherein said NIU comprises a memory for storing programs for controlling said NIU and data comprising data for configuring at least said client devices on said LAN.
29 . The method of claim 26 wherein said NIU includes at least one removable memory device for storing programs for controlling said NIU.
30 . The method of claim 26 wherein said NIU includes at least one removable memory device for storing configuration information for at least said client devices on said LAN.
31 . The method of claim 28 wherein said memory stores data comprising translation data for providing said destination address resolution information from said DNS server.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.