METHOD TO HOST MULTIPLE VPN GATEWAYS WITH DIFFERENT SECURITY POLICIES ON SINGLE IP ADDRESS

IP.com Disclosure Number: IPCOM000246344D
Publication Date: 2016-Jun-01
Document File: 4 page(s) / 87K

Publishing Venue

The IP.com Prior Art Database

Related People

Graham Bartlett: AUTHOR

Abstract

Presented herein is a method to separate multiple cryptographic policies for groups of users on an Internet Protocol Security (IPsec) virtual private network (VPN) gateway that has a single IP address. The ability to differentiate cryptographic algorithms prior to authentication allows a single hardware device to serve users or groups that fall under different accredited cryptographic policies. This minimizes the risk of connecting with the weakest set of cryptographic algorithms (the lowest common denominator). Moreover, it allows service providers to host VPNs for separate entities on the same hardware without being constrained to allocate multiple IP addresses.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 52% of the total text.

Page 01 of 4

AUTHORS:

Graham Bartlett

CISCO SYSTEMS, INC.

DETAILED DESCRIPTION

    The Internet Key Exchange protocol, version 2 (IKEv2), has a number of stages. The first stage is SA_INIT, where an IKEv2 Security Association (SA) is created; it is followed by IKE_AUTH, where the peers authenticate themselves. Because SA_INIT occurs before a device has authenticated itself, a VPN gateway configured to be used by multiple clients cannot yet tell those clients apart, so every client must be offered the same set of cryptographic algorithms. If clients require different cryptographic algorithms (due to policy or client implementation), a method is needed to differentiate clients, such as having each group of clients connect to a different local Internet Protocol (IP) address.

    Having to use a separate IP address for every client type adds complexity to the virtual private network (VPN) architecture. Internet Service Providers (ISPs) charge additional fees for multiple IP addresses, and in some instances IPv4 addresses are so scarce that they are simply not available. For compliance, clients must use only the algorithms defined in the cryptographic profile; if there is any chance that clients can connect using other algorithms, accreditation will not be obtained.

Copyright 2016 Cisco Systems, Inc.

    Figure 1 below shows the SA_INIT message exchange used today, according to IETF RFC 7296.

Figure 1

    Presented herein is a method that includes a hint as to the user or group in the initial handshake of the SA_INIT exchange. The hint lets the client indicate to the IPsec VPN gateway which IKEv2 proposal (that is, which cryptographic policy) should be used for it, before any authentication has taken place. This hint can be constructed as a Vendor ID payload that contains some form of identification.
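The following is an added example, not code from this disclosure or from Cisco, that illustrates both the SA_INIT-before-IKE_AUTH ordering described earlier and the Vendor ID hint described above. It builds a simplified IKE_SA_INIT request using the real RFC 7296 layouts for the IKE header, generic payload header, proposal and transform substructures (one proposal, no KE or Nonce payloads), carries an assumed "GRP:<name>" hint in a Vendor ID payload, and shows a toy responder selecting that group's cryptographic profile, and refusing anything outside it, before the peer has authenticated. The group names, the hint format, the profiles and the strict "no hint, no proposal" rule are constructed assumptions.

```python
"""Toy IKEv2 responder that selects a cryptographic profile from a group hint.

Added example, not the disclosure's or Cisco's code. RFC 7296 code points and
byte layouts are real; the group names, "GRP:" hint format, per-group profiles
and the strict rejection of un-hinted requests are assumptions for illustration.
"""
import struct

# Real RFC 7296 code points.
IKE_SA_INIT = 34
PAYLOAD_NONE, PAYLOAD_SA, PAYLOAD_VID = 0, 33, 43
T_ENCR, T_PRF, T_INTEG, T_DH = 1, 2, 3, 4
ENCR_AES_CBC, ENCR_AES_GCM_16 = 12, 20
PRF_HMAC_SHA1, PRF_HMAC_SHA2_256 = 2, 5
AUTH_HMAC_SHA1_96 = 2
DH_MODP_1024, DH_ECP_256 = 2, 19
ATTR_KEY_LENGTH = 14

HINT_TAG = b"GRP:"  # assumed hint format carried inside the Vendor ID payload

# Constructed per-group policies as (transform type, transform id, key length).
LEGACY_OFFER = [(T_ENCR, ENCR_AES_CBC, 128), (T_PRF, PRF_HMAC_SHA1, None),
                (T_INTEG, AUTH_HMAC_SHA1_96, None), (T_DH, DH_MODP_1024, None)]
STRONG_OFFER = [(T_ENCR, ENCR_AES_GCM_16, 256), (T_PRF, PRF_HMAC_SHA2_256, None),
                (T_DH, DH_ECP_256, None)]
GROUP_PROFILES = {"legacy": set(LEGACY_OFFER), "strong": set(STRONG_OFFER)}


def transform(ttype, tid, keylen, last):
    """Transform substructure: 8-byte header plus optional Key Length attribute (TV form)."""
    attrs = struct.pack("!HH", 0x8000 | ATTR_KEY_LENGTH, keylen) if keylen else b""
    return struct.pack("!BBHBBH", 0 if last else 3, 0, 8 + len(attrs), ttype, 0, tid) + attrs


def sa_payload(transforms):
    """SA payload body holding a single IKE proposal (protocol ID 1, no SPI)."""
    tb = b"".join(transform(*t, last=(i == len(transforms) - 1)) for i, t in enumerate(transforms))
    return struct.pack("!BBHBBBB", 0, 0, 8 + len(tb), 1, 1, 0, len(transforms)) + tb


def build_sa_init(transforms, group=None):
    """Initiator's IKE_SA_INIT: 28-byte IKE header followed by the chained payloads."""
    payloads = [(PAYLOAD_SA, sa_payload(transforms))]
    if group is not None:
        payloads.append((PAYLOAD_VID, HINT_TAG + group.encode("ascii")))
    body = b""
    for i, (_ptype, pbody) in enumerate(payloads):
        nxt = payloads[i + 1][0] if i + 1 < len(payloads) else PAYLOAD_NONE
        body += struct.pack("!BBH", nxt, 0, 4 + len(pbody)) + pbody  # generic payload header
    hdr = struct.pack("!8s8sBBBBII", b"\x01" * 8, b"\x00" * 8, payloads[0][0],
                      0x20, IKE_SA_INIT, 0x08, 0, 28 + len(body))  # version 2.0, Initiator flag
    return hdr + body


def parse_payloads(msg):
    """Walk the payload chain and return [(payload type, body bytes)], with length checks."""
    hdr = struct.unpack("!8s8sBBBBII", msg[:28])
    nxt, exch, length = hdr[2], hdr[4], hdr[7]
    if exch != IKE_SA_INIT or length != len(msg):
        raise ValueError("not a well-formed IKE_SA_INIT message")
    out, off = [], 28
    while nxt != PAYLOAD_NONE:
        ptype = nxt
        nxt, _crit, plen = struct.unpack("!BBH", msg[off:off + 4])
        if plen < 4 or off + plen > len(msg):
            raise ValueError("bad payload length")
        out.append((ptype, msg[off + 4:off + plen]))
        off += plen
    return out


def parse_transforms(sa_body):
    """Return the set of (type, id, key length) transforms in the first proposal."""
    _last, _r, _plen, _num, _proto, spi_size, ntrans = struct.unpack("!BBHBBBB", sa_body[:8])
    off, found = 8 + spi_size, set()
    for _ in range(ntrans):
        _more, _r, tlen, ttype, _r2, tid = struct.unpack("!BBHBBH", sa_body[off:off + 8])
        keylen, a = None, off + 8
        while a < off + tlen:  # attributes: TV (AF=1, 4 bytes) or TLV (AF=0, 4 + length)
            atype, aval = struct.unpack("!HH", sa_body[a:a + 4])
            if atype & 0x7FFF == ATTR_KEY_LENGTH:
                keylen = aval
            a += 4 if atype & 0x8000 else 4 + aval
        found.add((ttype, tid, keylen))
        off += tlen
    return found


def select_profile(msg):
    """Responder decision taken in SA_INIT, before IKE_AUTH: returns (group, status).

    Only transforms from the hinted group's own profile are ever chosen, so a client
    cannot negotiate outside its accredited policy; no recognised hint means rejection.
    """
    payloads = parse_payloads(msg)
    hint = next((b for t, b in payloads if t == PAYLOAD_VID and b.startswith(HINT_TAG)), None)
    if hint is None:
        return None, "NO_PROPOSAL_CHOSEN"
    group = hint[len(HINT_TAG):].decode("ascii", "replace")
    profile = GROUP_PROFILES.get(group)
    sa_body = next((b for t, b in payloads if t == PAYLOAD_SA), b"")
    if profile is None or not sa_body:
        return group, "NO_PROPOSAL_CHOSEN"
    offered = parse_transforms(sa_body)
    return group, ("OK" if profile <= offered else "NO_PROPOSAL_CHOSEN")
```

Calling `select_profile(build_sa_init(LEGACY_OFFER, "strong"))` returns `("strong", "NO_PROPOSAL_CHOSEN")`: a client that hints the strong group but offers only the legacy algorithms is refused, and a client that offers both suites with a "legacy" hint gets only the legacy profile. The subset check is the point of the design: the responder never falls back to the weakest algorithms common to all clients, because the hint binds each request to one profile before any negotiation happens.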

    Figure 2 below illustrates the message exchange for this method, which is a modification of the message exchange used by IETF RFC 7296.

Figure 2