Secure Overlay-Based Auto-configuration of Complex IPsec VPNs

However, growing VPN sizes and a dynamic behavior of VPN gateways and clients, e.g., for mobility reasons or perhaps reactions due to denial-of-service (DoS) attacks, make a manual configuration of large, dynamic VPN complicated and expensive. First, the administrative overhead is subject to a quadratic growth with the number of VPN devices, if each VPN device shall be able to communicate with every other VPN device. This will not only lead to higher expenses, but also to more errors introduced by human failure. Second, the robustness of the VPN is not as high as it could be, e.g., in case of partial failures of the transport network some VPN devices could redirect traffic for other devices that cannot reach each other directly anymore. Even though IPsec could support such a resilient behavior by utilizing nested security associations, manual reconfiguration prohibits a timely reaction. Third, manually configured security associations cannot be adopted with sufficient flexibility to support mobile VPNs appropriately. It is impossible to configure security associations between two mobile devices as both regularly change the IP addresses that they are reachable over.