Monday, March 12, 2012

adaptiveVPN, modifications

IPSec client modifications. To support adaptiveVPN, modifications have been made to both the Lucent IKE module and the IPSec NDIS driver. The Lucent IKE module has been modified so that it can negotiate IKE sessions with two or more external endpoints at the same time. (To support adaptiveVPN, the ability to negotiate with two endpoints is sufficient.) The modified Lucent IKE module is capable of pushing SA information and keys for multiple IPSec tunnels to the IPSec NDIS driver. The SA database has been modified so that it can maintain information about multiple IPSec tunnels, including the host subnet IP addresses and TCP port numbers for which packets should be sent through that tunnel. In addition, the IPSec engine has been modified so that, based on the SA database information, it can add the appropriate (outer) IP headers and de-multiplex the packet through the appropriate tunnel.

Let us consider an example to illustrate the effect of these modifications. Figure 10 shows an example of a network architecture. The client with physical IP address 135.180.144.174 has two tunnels, one to an enterprise gateway at IP address 135.180.144.254 and the other to a network VPN gateway (or an IPSS that supports VPN) at IP address 135.180.244.150. The local presence IP addresses of the two tunnels are 192.168.5.10 and 192.168.1.10, respectively. The hosts behind the enterprise tunnel are in the subnet 192.168.5.0/24 and the hosts behind the network tunnel are in subnets 192.168.1.0/24 and 192.168.3.0/24. With the modifications we have made, the Lucent IKE module is able to negotiate IPSec parameters for both the tunnels with the two VPN gateways and to keep both tunnels active at the same time.

The SA database keeps information about both the tunnels to enable the modified IPSec engine to de-multiplex packets through the tunnels; packets destined to subnet 192.168.5.0/24 are sent through the enterprise tunnel, and packets destined to subnets 192.168.1.0/24 and 192.168.3.0/24 are sent through the network tunnel. Based on local presence IP address information and information about the hosts behind each of the tunnels, the Lucent IKE process modifies the routing table. The modified routing table is shown in Figure 11. Let us examine how IPSec processing will take place, based on the routing table shown in the figure.
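The following is an added illustration of the multi-tunnel SA database and selector-based de-multiplexing described above; it is not Lucent's IKE or NDIS driver code. It uses the addresses from the Figure 10 walk-through, but the class names, the first-match selector lookup, the optional TCP port selector, and the shape of the derived routing table are assumptions made for this example (Figure 11 itself is not reproduced on this page).

```python
"""
Toy model of a multi-tunnel IPSec SA database (added example, not Lucent code).

Each TunnelSA records, for one IPSec tunnel, the outer destination (the VPN
gateway), the local presence address used as the inner source, and the
selectors (host subnets, optionally TCP ports) whose traffic belongs to it.
The engine picks the tunnel whose selectors match the inner destination and
returns the outer/inner header addresses it would put on the packet.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class TunnelSA:
    name: str
    gateway: str                    # outer IP destination (VPN gateway)
    local_presence: str             # inner IP source assigned for this tunnel
    protected: List[str]            # host subnets reachable behind the tunnel
    tcp_ports: Optional[Set[int]] = None  # None means any port (assumed selector form)

    def matches(self, dst_ip: str, dst_port: Optional[int] = None) -> bool:
        """True if the (inner) destination falls inside this tunnel's selectors."""
        ip = ipaddress.ip_address(dst_ip)
        if not any(ip in ipaddress.ip_network(n) for n in self.protected):
            return False
        if self.tcp_ports is not None and dst_port not in self.tcp_ports:
            return False
        return True


class SADatabase:
    """Holds every active tunnel SA and de-multiplexes outbound packets."""

    def __init__(self, physical_ip: str):
        self.physical_ip = physical_ip      # outer IP source on every tunnel
        self.tunnels: List[TunnelSA] = []

    def add(self, sa: TunnelSA) -> None:
        self.tunnels.append(sa)

    def select(self, dst_ip: str, dst_port: Optional[int] = None) -> Optional[TunnelSA]:
        """First tunnel whose selectors match; None if the packet is not tunnelled."""
        for sa in self.tunnels:
            if sa.matches(dst_ip, dst_port):
                return sa
        return None

    def encapsulate(self, dst_ip: str, dst_port: Optional[int] = None
                    ) -> Optional[Tuple[str, str, str, str]]:
        """Return (outer_src, outer_dst, inner_src, inner_dst) for a tunnelled packet."""
        sa = self.select(dst_ip, dst_port)
        if sa is None:
            return None
        return (self.physical_ip, sa.gateway, sa.local_presence, dst_ip)

    def routing_table(self) -> List[Tuple[str, str, str]]:
        """Routes the IKE process would install: (subnet, via local presence, tunnel).
        The layout is an assumption; Figure 11 is not shown on the page."""
        return [(n, sa.local_presence, sa.name)
                for sa in self.tunnels for n in sa.protected]


def build_example_sadb() -> SADatabase:
    """The two-tunnel setup from the Figure 10 description."""
    sadb = SADatabase("135.180.144.174")
    sadb.add(TunnelSA("enterprise", "135.180.144.254", "192.168.5.10",
                      ["192.168.5.0/24"]))
    sadb.add(TunnelSA("network", "135.180.244.150", "192.168.1.10",
                      ["192.168.1.0/24", "192.168.3.0/24"]))
    return sadb


if __name__ == "__main__":
    db = build_example_sadb()
    for dst in ("192.168.5.77", "192.168.3.4", "192.168.9.1"):
        print(dst, "->", db.encapsulate(dst))
    for route in db.routing_table():
        print("route", route)
```

A packet to 192.168.5.77 is wrapped with outer destination 135.180.144.254 and inner source 192.168.5.10; a packet to 192.168.3.4 goes out through the network tunnel; a destination matching neither tunnel's selectors is returned as None, i.e. it would leave the host in the clear over the physical interface.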
