Abstract: IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of the four types of VPN NAT, including VPN NAT type ‘a source-outbound’ IP NAT, VPN NAT type ‘b destination-outbound, VPN NAT type ‘c inbound-source’ IP NAT, and VPN NAT type ‘d inbound-destination’ IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations, before beginning IP security that uses the Security Associations. Then, as IP Sec is performed on outbound and inbound datagrams, the NAT function is also performed.

Abstract: Virtual Private Networking (VPN) is an emerging technology area enabling e-business on the Internet. A key underlying VPN technology is IP Security (IPsec), a means of providing private (encrypted and authenticated) secure data transmission over public (Internet) networks. The definition of what data to protect ultimately results in IP filter rules, loaded to the operating system kernel. These are used to select the correct IP datagrams and cause each to be processed by the correct IPsec Security Associations. Along with other attributes, a VPN connection can be started, stopped, and monitored. Connection filters which are used to implement VPN connections are dynamic, and must be inserted and deleted within the currently installed set of IP filters (non-VPN related). Since IP filter order is crucial to proper functioning, the basic problem is, where to place these dynamic filters. This filter placement problem has a macro and a micro part.

Abstract: A single point of control is provided for all IPSec tunnels and also for VPN connections at a node within a virtual private network. The control of the connections include the ability to start and stop manual and dynamic VPN connections, to delete connections that might have had errors associated with them, to query VPN connection status information on these connections, to manage such things as connection lifetimes, and the refresh of keying material, that is the re-negotiation of dynamic Security Associations (SAs), and to create VPN connections when this system is acting in a responder role, that is the opposite endpoint of an initiated connection.

Abstract: A data model for abstracting customer-defined VPN security policy information. By employing this model, a VPN node (computer system existing in a Virtual Private Network) can gather policy configuration information for itself through a GUY, or some distributed policy source, store this information in a system-defined database, and use this information to dynamically negotiate, create, delete, and maintain secure connections at the IP level with other VPN nodes.