Remarks
Claims 1 and 3-20 are pending.  

Notice of Pre-AIA  or AIA  Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .

Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant's submission filed on 2/22/2021 has been entered.
 
Response to Arguments
Applicant's arguments filed 2/22/2021 have been fully considered but they are not persuasive.  
It is noted that what Applicant is claiming and arguing is simply network address translation with the NAT device using a port per connection/device when devices connect to the outside.  Applicant does include a NAT at each side, but this is within the prior art and is an inevitability when using NAT devices on multiple networks that may communicate with each other.  Since Applicant is claiming such a well-known 
Tumuluru (U.S. Patent Application Publication 2018/0063077)
Kozakai (U.S. Patent Application Publication 2007/0110054)
Jakubik (U.S. Patent Application Publication 2006/0227807)
Nix (U.S. Patent 8,165,091)
The Examiner suggests Applicant review these publications prior to the next response in order to determine how to best amend the claims.  
Applicant alleges “Kivinen merely discloses using network address translation (NAT) to translate a source port and/or destination port of an IPSec packet.  (Sections 3 and 4).  Kivinen does not disclose at least:” the 2 determining limitations.  However, Applicant provides no reasons as to why Applicant believes this to be the case.  Applicant's arguments fail to comply with 37 CFR 1.111(b) because they amount to a general allegation that the claims define a patentable invention without specifically pointing out how the language of the claims patentably distinguishes them from the references.  Kivinen discloses the following with respect to these limitations:
Determining a first identifier for the first tunnel packets, the first identifier comprising a first from port number indicating that the first tunnel packets correspond to the IPSec gateway B1 (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; from port, where each connection will have a unique from port at any given time, for example);
Determining a second identifier for the second tunnel packets, the second identifier comprising a second from port number indicating that the 
Therefore, Kivinen discloses the argued subject matter.  
Applicant then alleges “Kivinen does not provide an enabling disclosure of the method of amended claim 1.”  Applicant then appears to cite the MPEP and alleges “NAT alone, as disclosed by Kivinen, does not allow for end-to-end connectivity between two IPSec gateways each in multiplexed networks.  (See, e.g., Applicant’s Paragraphs [0018] and [0019]).  For example, Kivinen contains no disclosure that the source port number can encode a local destination address for the IPSec tunnel packet, where the local destination address is behind a multiplexed destination network.”  Applicant fails to cite any claim language or even allege that this subject matter from the specification is part of the claims.  In response to applicant's argument that the references fail to show certain features of applicant’s invention, it is noted that the features upon which applicant relies (i.e., end-to-end connectivity between two IPSec gateways each in multiplexed networks.  (See, e.g., Applicant’s Paragraphs [0018] and [0019]).  For example, Kivinen contains no disclosure that the source port number can encode a local destination address for the IPSec tunnel packet, where the local destination address is behind a multiplexed destination network) are not recited in the rejected claim(s).  Although the claims are interpreted in light of the specification, limitations from the specification are not read into the claims.  See In re Van Geuns, 988 
Applicant continues by alleging “Without a disclosure enabling one skilled in the art to use a from-port number as at least part of an identifier indicating that one or more tunnel packets correspond to a specific destination IPSec gateway, Kivinen would not be applicable as prior art.”  Kivinen discloses having specific ports for each gateway/host.  For example, section 3 states “for the first IPsec host, the NAT can keep the port 500, and the NAT will only change the port number for later connections”.  Section 4 is titled “Changing to New Ports”.  The changing of ports for each gateway/host behind each NA(P)T (e.g., multiplexors) clearly discloses determining identifiers for the packets, where the identifiers comprise from port numbers, such as 500, 4500, X, Y, and the like, as seen throughout Kivinen.  Therefore, Kivinen discloses the claimed subject matter, despite Applicant not arguing any claim language.  
Applicant also alleges that Kaufman does not disclose subject matter in claim 1.  Kaufman is not cited in the rejection of claim 1.  Therefore, Applicant’s allegations are moot.  

Claim Interpretation
The claims are replete with subject matter that is not a part of the methods claimed therein.  For example, claim 1 includes the following language that is not part of the method, does not affect the scope of the claim, and cannot be part of the claim:
wherein the cloud A comprises an IPSec gateway A1, an IPSec gateway A2, and a first multiplexor MA, wherein the cloud B comprises an IPSec gateway 
transmitted by the IPSec gateway A1 and addressed to the multiplexor MB, the first tunnel packets corresponding to a first IPSec tunnel terminating at the IPSec gateway A1 and the IPSec gateway B1
transmitted by the IPSec gateway A2 and addressed to the multiplexor MB, the second tunnel packets corresponding to a second IPSec tunnel terminating at the IPSec gateway A2 and the IPSec gateway B2
Many claims have these issues, including the majority of each independent claim.  Any language that is not actually part of the method described by the claim cannot be part of the claim, since it is not performed thereby.  None of this subject matter has patentable weight, since it not actually part of the claimed method(s).  

Claim Rejections - 35 USC § 112
The following is a quotation of the first paragraph of 35 U.S.C. 112(a):
(a) IN GENERAL.—The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly connected, to make and use the same, and shall set forth the best mode contemplated by the inventor or joint inventor of carrying out the invention.

The following is a quotation of the first paragraph of pre-AIA  35 U.S.C. 112:
The specification shall contain a written description of the invention, and of the manner and process of making and using it, in such full, clear, concise, and exact terms as to enable any person skilled in the art to which it pertains, or with which it is most nearly 

Claim 10 is rejected under 35 U.S.C. 112(a) or 35 U.S.C. 112 (pre-AIA ), first paragraph, as failing to comply with the written description requirement. The claim(s) contains subject matter which was not described in the specification in such a way as to reasonably convey to one skilled in the relevant art that the inventor or a joint inventor, or for applications subject to pre-AIA  35 U.S.C. 112, the inventor(s), at the time the application was filed, had possession of the claimed invention.
Claim 10 states that “for at least a first portion of the first tunnel packets, the first identifier further identifies a first tunnel” and “for at least a second portion of the first tunnel packets, the first identifier further identifies a third tunnel”.  The application as originally filed does not have basis for this subject matter.  

The following is a quotation of 35 U.S.C. 112(b):
(b)  CONCLUSION.—The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the inventor or a joint inventor regards as the invention.


The following is a quotation of 35 U.S.C. 112 (pre-AIA ), second paragraph:
The specification shall conclude with one or more claims particularly pointing out and distinctly claiming the subject matter which the applicant regards as his invention.


Claim 10 is rejected under 35 U.S.C. 112(b) or 35 U.S.C. 112 (pre-AIA ), second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which the inventor or a joint inventor (or for applications subject to pre-AIA  35 U.S.C. 112, the applicant), regards as the invention.  
Claim 10 states that “for at least a first portion of the first tunnel packets, the first identifier further identifies a first tunnel” and “for at least a second portion of the first 

Claim Rejections - 35 USC § 102
In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the statutory basis for the rejection will not be considered a new ground of rejection if the prior art relied upon, and the rationale supporting the rejection, would be the same under either status.  
The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the basis for the rejections under this section made in this Office action:
A person shall be entitled to a patent unless –

(a)(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.


(a)(2) the claimed invention was described in a patent issued under section 151, or in an application for patent published or deemed published under section 122(b), in which the patent or application, as the case may be, names another inventor and was effectively filed before the effective filing date of the claimed invention.

Claims 1, 3-15, and 20 are rejected under 35 U.S.C. 102(a)(1) and/or 102(a)(2) as being anticipated by Kivinen (Kivinen et al., “Negotiation of NAT-Traversal in the IKE”, RFC 3947, January 2005, 16 pages).
Regarding Claim 1,
Kivinen discloses a method of transmitting IPSec tunnel packets between a cloud A and a cloud B, wherein the cloud A comprises an IPSec gateway A1, an IPSec gateway A2, and a first multiplexor MA, 
Receiving, by the multiplexor MA, first tunnel packets transmitted by the IPSec gateway A1 and addressed to the multiplexor MB, the first tunnel packets corresponding to a first IPSec tunnel terminating at the IPSec gateway A1 and the IPSec gateway B1 (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; receiving IPSec packets at a NA(P)T, for example.  It is noted that both ends may be behind NA(P)Ts (e.g., as shown in section 1));
Receiving, by the multiplexor MA, second tunnel packets transmitted by the IPSec gateway A2 and addressed to the multiplexor MB, the second tunnel packets corresponding to a second IPSec tunnel terminating at the IPSec gateway A2 and the IPSec gateway B2 (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; receiving IPSec packets at a NA(P)T for another IPSec connection, for example);
Determining a first identifier for the first tunnel packets, the first identifier comprising a first from port number indicating that the first tunnel packets correspond to the IPSec gateway B1 (Exemplary Citations: for 
Determining a second identifier for the second tunnel packets, the second identifier comprising a second from port number indicating that the second tunnel packets correspond to the IPSec gateway B2 (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; from port, where each connection will have a unique from port at any given time, for example);
Before transmitting the received first tunnel packets over the common network to the multiplexor MB, modifying, by the multiplexor MA, first headers of the first tunnel packets to include the first identifier and to include a routable from address comprising the first address on the common network (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; translating the packets, for example, by changing the from port, where each connection will have a unique from port at any given time, for example); and
Before transmitting the received second tunnel packets over the common network to the multiplexor MB, modifying, by the multiplexor MA, second headers of the second tunnel packets to include the second identifier and to include the routable from address comprising the first address on the common network (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; translating the packets, for example, by 
Regarding Claim 3,
Kivinen discloses that the modifying comprises changing original from port numbers of the first headers to the first identifier and changing original from port numbers of the second headers to the second identifier (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  
Regarding Claim 4,
Kivinen discloses that the headers of the first and second tunnel packets comprise a standard to port number of an IPSec protocol when they are transmitted over the common network (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; port 500 or 4500, as examples).  
Regarding Claim 5,
Kivinen discloses that the first identifier comprises a first static identifier preconfigured at cloud A and cloud B prior to transmitting any packets related to the first IPSec tunnel, and wherein the second identifier comprises a second static identifier preconfigured at the cloud A and the cloud B prior to transmitting any packets related to the second IPSec tunnel (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; ports 500 and 4500, for example).  
Regarding Claim 6,
Kivinen discloses that the first identifier comprises a first dynamic value configured during negotiation of a first SA for the first tunnel, and 
Regarding Claim 7,
Kivinen discloses, at the cloud B:
Receiving the first and second tunnel packets from the common network (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2);
Based on the first identifier in the first tunnel packets, addressing, by the multiplexor MB, the first tunnel packets to a first cloud B address of the IPSec gateway B1, the first cloud B address not routable on the common network (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; NA(P)T changes IP addresses and/or ports, for example); and
Based on the second identifier in the second tunnel packets, addressing, by the multiplexor MB, the second tunnel packets to a second cloud B address of the IPSec gateway B2, the second cloud B address not routable on the common network (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  
Regarding Claim 8,
Kivinen discloses that the addressing the first tunnel packets comprises translating the second address of the multiplexor MB on the common network to the first cloud B address of the gateway B1 and translating the second address of the multiplexor MB to the second cloud 
Regarding Claim 9,
Kivinen discloses a method performed at a cloud B communicatively coupled with a cloud A, wherein the cloud A comprises an IPSec gateway A1, an IPSec gateway A2, and a multiplexor MA, wherein the cloud B comprises an IPSec gateway B1, an IPSec gateway B2, and a multiplexor MB, wherein a common network connects the multiplexor MA with the multiplexor MB, wherein the multiplexor MA comprises a first address on the common network and the multiplexor MB comprises a second address on the common network, and wherein the IPSec gateways do not have addresses on the common network, the method comprising:
Receiving, by the multiplexor MB, first tunnel packets of a first IPSec tunnel terminating at the IPSec gateway A1 and the IPSec gateway B1 and second tunnel packets of a second IPSec tunnel terminating at the IPSec gateway A2 and the IPSec gateway B2, the first and second tunnel packets sent by the multiplexor MA and received therefrom via the common network, wherein the first tunnel packets comprise a first identifier identifying IPSec gateway B1 and the second tunnel packets comprise a second identifier identifying IPSec gateway B2, the first identifier comprising a first from port number indicating that the first tunnel 
Determining, by multiplexor MB, to address the first tunnel packets to a first cloud B address of gateway B1 based on the first identifier in the first tunnel packets, and determining, by multiplexor MB, to address the second tunnel packets to a second cloud B address based on the second identifier in the second tunnel packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  
Regarding Claim 10,
Kivinen discloses that, for at least a first portion of the first tunnel packets, the first identifier further identifies a first tunnel and for at least a second portion of the firs tunnel packets, the first identifier further identifies a third tunnel, the first and third tunnels terminating at gateway B1 (Sections 1, 3, 3.2, 4, 5.2, and 7; a different connection later on, for example.  This could be after the NA(P)T removes mappings due to slow keepalives or a normal connection to the same entity later on, as examples).  
Regarding Claim 11,
Kivinen discloses that the first identifier comprises a port number and wherein the addressing the first tunnel packets is based on the port number (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  

Kivinen discloses that the first and second tunnel packets comprise IKE packets or ESP packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  
Regarding Claim 13,
Kivinen discloses that when the first and second tunnel packets are received by multiplexor MB they are addressed as being from the first address of multiplexor MA (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  
Regarding Claim 14,
Kivinen discloses that the first identifier comprises a first hash of fields of headers of the first tunnel packets and wherein the second identifier comprises a second hash of fields of headers of the second tunnel packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; IP address and port numbers being sent in hashed form, for example).  
`	Regarding Claim 15,
Kivinen discloses a method for enabling a multiplexor device in a cloud to multiplex inbound IPSec packets to IPSec gateways of the cloud and to demultiplex outbound IPSec packets sent from the IPSec gateways, the multiplexor device connecting the cloud with a common network, the multiplexor device comprising an address routable in the 
Receiving the inbound IPSec packets from the common network, the inbound IPSec packets routed through the common network to the multiplexor device according to their respective headers having the address as their to address (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2);
Determining, according to first identifiers in the inbound IPSec packets, which tunnels and/or gateways the inbound IPSec packets are associated with and, according thereto, addressing each inbound IPSec packet to whichever tunnel and/or gateway was determined to correspond thereto, the first identifiers comprising a first from port number indicating a destination IPSec gateway for the inbound IPSec packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2);
Receiving the outbound IPSec packets from the IPSec gateways, and adding second identifiers to the outbound IPSec packets, the second identifiers identifying which tunnels and/or IPSec gateways the outbound IPSec packets correspond to, the second identifiers comprising a second from port number indicating a destination IPSec gateway for the outbound IPSec packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2); and
Sending the outbound IPSec packets with the second identifiers to the common network, each sent outbound IPSec packet comprising a 
Regarding Claim 20,
Kivinen discloses that the multiplexor device performs the method by modifying network and transport headers of the inbound and outbound IPSec packets, and wherein the multiplexor device does not modify IPSec headers of the inbound and outbound IPSec packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2; NA(P)T cannot modify IPSec headers, only direct routing headers at the network and/or transport layers, for example).  

Claim Rejections - 35 USC § 103
The following is a quotation of 35 U.S.C. 103 which forms the basis for all obviousness rejections set forth in this Office action:
A patent for a claimed invention may not be obtained, notwithstanding that the claimed invention is not identically disclosed as set forth in section 102, if the differences between the claimed invention and the prior art are such that the claimed invention as a whole would have been obvious before the effective filing date of the claimed invention to a person having ordinary skill in the art to which the claimed invention pertains. Patentability shall not be negated by the manner in which the invention was made.

Claims 16-19 are rejected under 35 U.S.C. 103 as being unpatentable over Kivinen in view of Kaufman (Kaufman et al., “Internet Key Exchange Protocol Version 2 (IKEv2)”, RFC 7296, October 2014, 142 pages).
Regarding Claim 16,

But does not explicitly disclose that the message is an IKE_SA_AUTH message.  
Kaufman, however, discloses sending at least part of a tunnel identifier in an initiator or responder ID payload of an IKE_SA_AUTH message (Exemplary Citations: for example, Sections 1, 1.2, 2.1, 2.2, 2.4, 2.16, 2.17, 2.19, 2.21.2, 4, C.2, and C3).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the IKE protocol of Kaufman into the NAT traversal negotiation system of Kivinen because Kivinen is directed to NAT traversal in the IKE protocol, in order to ensure that the IKE for which NAT traversal is being negotiated complies with protocol standards, to increase the modes in which IKE can be implemented, and/or to increase security in the system.  
Regarding Claim 17,
Kivinen discloses maintaining a first association between the first identifier and a first security policy, and applying the first security policy to the inbound IPSec packets based on the first identifier in the inbound IPSec packets and based on the first association between the first identifier and the first security policy (Exemplary Citations: for example, 
Maintaining a second association between the second identifier and a second security policy, and applying the second security policy to the outbound IPSec packets based on the second identifier in the outbound IPSec packets and based on the second association between the second identifier and the second security policy (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2).  
Kaufman also discloses maintaining a first association between the first identifier and a first security policy, and applying the first security policy to the inbound IPSec packets based on the first identifier in the inbound IPSec packets and based on the first association between the first identifier and the first security policy (Exemplary Citations: for example, Sections 2.8, 2.8.1, 2.9, 2.9.1, 2.9.2, 2.16, 2.21, 3.3.4, 3.5, 3.13, 3.15.2, and 5); and
Maintaining a second association between the second identifier and a second security policy, and applying the second security policy to the outbound IPSec packets based on the second identifier in the outbound IPSec packets and based on the second association between the second identifier and the second security policy (Exemplary Citations: for example, Sections 2.8, 2.8.1, 2.9, 2.9.1, 2.9.2, 2.16, 2.21, 3.3.4, 3.5, 3.13, 3.15.2, and 5).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing 
Regarding Claim 18,
Kivinen as modified by Kaufman discloses the method of claim 17, in addition, Kivinen discloses selecting the first security policy to apply to the inbound IPSec packets according to either presence of the first identifier in the inbound IPSec packets or according to one or more fields of the inbound IPSec packets (Exemplary Citations: for example, Sections 1, 3, 3.2, 4, and 5.2); and
Kaufman discloses selecting the first security policy to apply to the inbound IPSec packets according to either presence of the first identifier in the inbound IPSec packets or according to one or more fields of the inbound IPSec packets (Exemplary Citations: for example, Sections 2.8, 2.8.1, 2.9, 2.9.1, 2.9.2, 2.16, 2.21, 3.3.4, 3.5, 3.13, 3.15.2, and 5).  
Regarding Claim 19,
Kivinen discloses that an initiator of an IPSec tunnel terminating at one of the IPSec gateways selects an IKE policy to be used by the multiplexor device when processing IPSec packets of the IPSec tunnel 
Kaufman also discloses that the initiator of an IPSec tunnel terminating at one of the IPSec gateways selects an IKE policy to be used when processing IPSec packets of the IPSec tunnel (Exemplary Citations: for example, Sections 2.8, 2.8.1, 2.9, 2.9.1, 2.9.2, 2.16, 2.21, 3.3.4, 3.5, 3.13, 3.15.2, and 5).  It would have been obvious to one of ordinary skill in the art at the time of applicant’s invention, which is before any effective filing date of the claimed invention, to incorporate the IKE protocol of Kaufman into the NAT traversal negotiation system of Kivinen because Kivinen is directed to NAT traversal in the IKE protocol, in order to ensure that the IKE for which NAT traversal is being negotiated complies with protocol standards, to increase the modes in which IKE can be implemented, and/or to increase security in the system.  

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to Jeffrey D Popham whose telephone number is (571)272-7215.  The examiner can normally be reached on Monday through Friday 9:00-5:30.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an 
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Jeffrey Nickerson can be reached on (469) 295-9235.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/Jeffrey D. Popham/Primary Examiner, Art Unit 2432