DETAILED ACTION
Notice of Pre-AIA  or AIA  Status
The present application is being examined under the pre-AIA  first to invent provisions. 
Double Patenting
The nonstatutory double patenting rejection is based on a judicially created doctrine grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or improper timewise extension of the “right to exclude” granted by a patent and to prevent possible harassment by multiple assignees.  A nonstatutory double patenting rejection is appropriate where the claims at issue are not identical, but at least one examined application claim is not patentably distinct from the reference claim(s) because the examined application claim is either anticipated by, or would have been obvious over, the reference claim(s). See, e.g., In re Berg, 140 F.3d 1428, 46 USPQ2d 1226 (Fed. Cir. 1998); In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed. Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686 F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); and In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969).
A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) or 1.321(d) may be used to overcome an actual or provisional rejection based on a nonstatutory double patenting ground provided the reference application or patent either is shown to be commonly owned with this application, or claims an invention made as a result of activities undertaken within the scope of a joint research agreement. A terminal disclaimer must be signed in compliance with 37 CFR 1.321(b).
The USPTO internet Web site contains terminal disclaimer forms which may be used.  Please visit http://www.uspto.gov/forms/.  The filing date of the application will determine what 
Claims 22-36 are rejected on the ground of nonstatutory obviousness-type double patenting as being unpatentable over claims 1-5, 7, and 9-17 respectively, of U.S. Patent 10432587. Although the conflicting claims are not identical, they are not patentably distinct from each other because the claims of the instant application are broader in scope than the claims 1-5, 7, and 9-17 respectively, of U.S. Patent 10432587. Therefore, claims 22-36 of the instant application are anticipated by claims 1-5, 7, and 9-17 respectively, of U.S. Patent 10432587.

Information Disclosure Statement
The information disclosure statement (IDS) submitted on 3/18/2021 is in compliance with the provisions of 37 CFR 1.97.  Accordingly, the information disclosure statement is being considered by the examiner.
Claim Rejections - 35 USC § 103
The following is a quotation of pre-AIA  35 U.S.C. 103(a) which forms the basis for all obviousness rejections set forth in this Office action:
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in section 102, if the differences between the subject matter sought to be patented and the prior art are such that the subject matter as a whole would have been obvious at the time the invention was made to a person having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the manner in which the invention was made.

In the event the determination of the status of the application as subject to AIA  35 U.S.C. 102 and 103 (or as subject to pre-AIA  35 U.S.C. 102 and 103) is incorrect, any correction of the 
Claims 22, 25-29, and 32-36 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Larson (US 20130014246) and further in view of Riordan (US 20120096548).
As per claims 22, 29, and 36, Larson discloses a method for securing a computer network, the method comprising:
 receiving a list at a gateway device, the list including device address information associated with a rule specifying application-level information associated with allowing a virtual private network (VPN) session to be established in association with the device address information (Larson, Para. 0065, The VPN device can also optionally publish to the repository a list of entity names to which the central repository should respond, thereby limiting the number of entities that have access to the IP address and certificate of the entity controlling the VPN device; Also, Para. 0067, Information contained in VPNbyName table and SecurityPolicy table is used by VPN device for instantiating a VPN link. Preferably, VPNbyName table contains a list of VPN connection rules by name. The rules are preferably specified by a source/destination designation, referred to herein as a VPN name pair. The type of VPN connection is also specified for each name rule, such as whether a standing VPN link should be maintained or whether an on-demand VPN link should be established in response to a connection request. ); 
allowing the VPN session to be established based on the identified application-level information in accordance with the rule (Larson, Para. 0067, Information contained in VPNbyName table and SecurityPolicy table is used by VPN device for instantiating a VPN link. Preferably, VPNbyName table contains a list of VPN connection rules by name. The rules are preferably specified by a source/destination designation, referred to herein as a VPN name pair. The type of VPN connection is also specified for each name rule, such as whether a standing VPN link should be maintained or whether an on-demand VPN link should be established in response to a connection request.);
Larson does not disclose; however, Riordan discloses receiving a packet at the gateway device, the packet sent over a communication network from an originating device (Riordan, Para. 0039-0041, A mechanism is provided to capture the ICMP message at the router 430 local to the originating user system. The routers open the IP packets of data to read the destination address, calculate the best route, and then send the packet toward its final destination. If the destination is on the same network as the sending computer, the router sends the packet directly to the destination computer.); 
identifying that the packet does not correspond to an existing session (Riordan, Para. 0040-0041, If the packet is going to a destination outside the local network (does not correspond to an existing session), the router instead sends the packet to another router closer to the destination. When an input port receives a packet, a software routine called a routing process is run. This process looks inside the header information in the IP packet and finds the address to which the data is being sent. It then compares this address against an internal database, called a routing table, which has detailed information about the ports to which packets with various IP addresses should be sent; Also, Para. 0043, An originating user system 420 with an originating IP address 410 sends a message 501 to a destination address. If a return message 511 is identified by the mechanism 460 as being an ICMP message indicating an unreachable destination, the mechanism 460 sets up a temporary route 541 to direct traffic addressed to the unreachable destination from the originating IP address 410 to an IDS 160 local to the router 430. The mechanism 460 can herefor comprise a message checker that is able to analyze the nature of the intercepted return message 511 and identify those that are of a specified nature.); and
identifying the application-level information of the originating device by spoofing a protocol exchange with the originating device (Riordan, Para. 0011, The intrusion detection sensor may spoof an exchange with the originating user system. In this way, an intrusion detection sensor local to an originating user system of a message sent to an inaccessible address can determine the nature of the originating user system's intent. ). 
Therefore, it would have been obvious to a person having ordinary skill in the art at the time the invention was made to incorporate the teachings of Riordan with Larson given the benefit of detecting network attacks on a data communication network locally to the attack originating user system.
As per claims 25 and 32, Larson discloses the method of claim 22, wherein the device address information in the list corresponds to a port, and further comprising sending a communication associated with the VPN session via the port in accordance with the port address information (Larson, Para. 0044, The request for establishing the VPN is sent in response to a request received from a client device that is associated with the first VPN device. The request received from the client device includes a destination designation, and preferably includes a source/destination designation. Also, Para. 0067, Information contained in VPNbyName table and SecurityPolicy table is used by VPN device for instantiating a VPN link. Preferably, VPNbyName table contains a list of VPN connection rules by name. The rules are preferably specified by a source/destination designation, referred to herein as a VPN name pair. The type of VPN connection is also specified for each name rule, such as whether a standing VPN link should be maintained or whether an on-demand VPN link should be established in response to a connection request.). 
As per claims 26 and 33, Larson discloses the method of claim 22, wherein the device address information in the list includes a wildcard corresponding to a plurality of ports over which communications associated with the VPN session are sent (Larson, Para. 0068-0069, An exemplary policy can be defined so that a VPN device will accept an input from a DNS proxy or a modified DNS server and/or will automatically attempt to instantiate a VPN link based on a destination name. Moreover, the VPN name pair rules in VPNbyName table can be specified using wildcard flags. The wildcard flag for specifying a VPN name pair can be extended to a wildcard that includes all names in which VPN's of opportunity are automatically established with all VPN devices that are registered with the central certificate server. When the VPN device receives a request for establishing a VPN to another site, VPN device looks in VPNbyName table for the local name that is to be used by VPN device for representing VPN device to the other site.). 
As per claims 27 and 34, Larson discloses the method of claim 22, wherein allowing the VPN session including identifying a proxy server to receive communications associated with the VPN session (Larson, Para. 0068, An exemplary policy can be defined so that a VPN device will accept an input from a DNS proxy or a modified DNS server and/or will automatically attempt to instantiate a VPN link based on a destination name. A VPN device having a local name of can have a remote name entry for either maintaining a standing VPN with every VPN device or for allowing a VPN of opportunity connection with from any VPN device. ). 
As per claims 28 and 35, Larson discloses the method of claim 27, further comprising passing to the proxy server an identifier that allows the proxy server to provide policy server requests (Larson, Para. 0068, An exemplary policy can be defined so that a VPN device will accept an input from a DNS proxy or a modified DNS server and/or will automatically attempt to instantiate a VPN link based on a destination name. A VPN device having a local name of can have a remote name entry for either maintaining a standing VPN with every VPN device or for allowing a VPN of opportunity connection with from any VPN device. A VPN connection that is created on demand or in response to a request to a VPN device that is registered with a central certificate server (repository).).
Claims 23-24, and 30-31 are rejected under pre-AIA  35 U.S.C. 103(a) as being unpatentable over Larson (US 20130014246) in view of Riordan (US 20120096548) and further in view of Yoshimoto (US 20060120374).
As per claims 23 and 30,  Larson and Riordan do not disclose; however, Yoshimoto discloses the method of claim 22, further comprising: 
receiving a connection request associated with a user identifier and a hardware identifier (Yoshimoto, Para. 0016, Upon receiving a request for connection to the Internet from a user terminal TE (TE-1, TE-2, . . . ) connected to a LAN, each LAC 10 communicates with the LAC management server 11 and sends a query asking for an identifier of LNS which is the egress of the L2TP tunnel corresponding to the user ID; Also, Para. 0077, Upon the completion of setting up the L2TP session (eL1), the L2TP packet forwarding apparatus 30 requests the gateway Re-1 for user authentication information via the LAC 10-1 and receives the user name “user1” and password as the user authentication information from the gateway Re-1 (SQ6). Then, the L2TP packet forwarding apparatus 30 transmits an authentication request including the above authentication information to the forwarding apparatus management server 31 (SQ7).); and
 identifying that the user identifier and the hardware identifier match authentication information, wherein allowing the VPN session is further based on the user identifier and the hardware identifier matching the authentication information (Yoshimoto, Para. 0017, when receiving the connection request from the user, the LNS 20 (20-1, 20-2) communicates with its affiliated LNS management server 21 (21-1, 21-2) in order to carry out user authentication by the LNS management server. The LNS management server 21 notifies the LNS 20 of a result of the user authentication; Also, Para. 0078-0079, The forwarding apparatus management server searches the user management table for an entry having the user name “user1” specified in the above authentication request, compares the password specified in the above authentication request with the password registered in that entry, and notifies the L2TP packet forwarding apparatus of a result of the user authentication). 
Therefore, it would have been obvious to a person having ordinary skill in the art at the time the invention was made to incorporate the teachings of Yoshimoto with Larson and Riordan given the benefit of specifying a VPN-ID from the lookup table based on the tunnel ID and the session ID of a received packet.
As per claims 24 and 31, Larson and Riordan do not disclose; however, Yoshimoto discloses the method of claim 23, further comprising accessing the authentication information from an authentication data store (Yoshimoto, Para. 0078, The forwarding apparatus management server 31 searches the user management table 310 for an entry having the user name “user1” specified in the above authentication request, compares the password specified in the above authentication request with the password 312 registered in that entry, and notifies the L2TP packet forwarding apparatus 30 of a result of the user authentication (SQ8)). 
Therefore, it would have been obvious to a person having ordinary skill in the art at the time the invention was made to incorporate the teachings of Yoshimoto with Larson and Riordan given the benefit of specifying a VPN-ID from the lookup table based on the tunnel ID and the session ID of a received packet.
Conclusion
The prior art made of record and not relied upon is considered pertinent to applicant's disclosure. 
McGrew (20100223458): A method for generating and distributing keys retains the scalability of a group VPN, but also provides true pair-wise keying such that an attacker who compromises one of the devices in a VPN cannot use the keys gained by that compromise to decrypt the packets from the other gateways in the VPN, or spoof one of the communicating gateways. The method is resistant to collusion when co-operating attackers overtake several VPN gateways and observe the keys stored in those gateways.
Yan (US 20120173694): The implementation of the VPN is based on the Location/ID separation network, and the corresponding VPN attribute is added to the mapping relation between the ID identifier and the location identifier. 
Any inquiry concerning this communication or earlier communications from the examiner should be directed to ANGELA R HOLMES whose telephone number is (571)270-3357.  The examiner can normally be reached on Monday-Friday 8:00AM-4:00PM.

If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Yin-Chen Shaw can be reached on 571-272-8878.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/ANGELA R HOLMES/Examiner, Art Unit 2498                                                                                                                                                                                                        
/THANHNGA B TRUONG/Primary Examiner, Art Unit 2498