The IPSEC Daemon is responsible for providing all the protocol and operating
system interfaces required by the client. When the VPN Client is installed, the
IPSEC Daemon is registered as an application service and can be managed using
the Service Control Manager.
Kernel Driver Interface
The IPSEC Daemon relies on two NDIS kernel drivers: one that gives it access to
a subset of the Ethernet frame traffic on the host, and one that lets it manage
any number of virtual Ethernet adapters. These drivers are named the Shrew Soft
Virtual Protocol Driver (VProt) and the Shrew Soft Virtual Network Driver (VNet).
Both were deliberately kept simple so that they remain reliable; the protocol
logic lives in the user-mode daemon, not in the kernel.
Application Interface
The VPN Access Manager application is used to prepare site configuration data
and store it for future use. The VPN Connect application forwards this site
configuration data to the IPSEC Daemon and provides a user interface for the
lifetime of a connection. The VPN Trace application provides a user interface
for examining the raw IPSEC Daemon log output. All three applications are
lightweight and each serves a single, specific purpose.
Connection Setup
The VPN Connect application attaches to the Daemon, uploads a site
configuration and requests that communication be initiated. After the
configuration is verified, the Daemon initiates IKE communications with the
remote Client Gateway. If the phase 1 negotiation succeeds, the Daemon then
processes an Extended Authentication (XAuth) request if the gateway requires
one.
At this point both ends of the connection should be authenticated. The Daemon
then uses the Configuration Transaction Exchange to request any configuration
information it may require. Once a virtual adapter has been created and
configured, routes are added so that traffic for the remote networks is sourced
from the virtual network adapter. Any traffic transmitted on the virtual adapter
is read directly by the IPSEC Daemon and processed.
At this point the Client is ready to send and receive traffic on the virtual
network adapter, negotiate any phase 2 security policies required, and protect
traffic between the Client and the remote Client Gateway using the ESP protocol.
Connection Lifetime
The IPSEC Daemon treats the ISAKMP SA lifetime as the lifetime of the
connection. During this lifetime any number of IPsec SAs can be negotiated,
expire and be re-negotiated. Once the ISAKMP SA expires, the site configuration
is removed, all SAs are deleted and the VPN Connect application is detached.
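The following is an added illustration, not Shrew Soft code: a small Python model of the connection setup sequence and the lifetime rule described in the two sections above. It orders the steps the text lists (attach and upload, phase 1, optional XAuth, configuration exchange, adapter routes, phase 2) and enforces that IPsec SAs may expire and be re-negotiated under a live ISAKMP SA, while ISAKMP SA expiry tears everything down. The site dictionary, the lifetimes and the `Connection` class are all constructed for the example.

```python
"""Constructed model of the IPSEC Daemon connection lifecycle (not Shrew Soft code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class IPsecSA:
    policy: str          # traffic selector this phase 2 SA protects
    expires_at: int      # simulated time at which the SA expires
    generation: int = 0  # how many times this policy has been re-negotiated


@dataclass
class Connection:
    isakmp_lifetime: int
    ipsec_lifetime: int
    xauth_required: bool = True
    state: str = "detached"
    site_config: Optional[dict] = None
    isakmp_expires_at: Optional[int] = None
    sas: Dict[str, IPsecSA] = field(default_factory=dict)
    routes: List[str] = field(default_factory=list)
    rekeys: int = 0
    log: List[str] = field(default_factory=list)

    def connect(self, site: dict, now: int) -> str:
        """Walk the setup steps in the order the text describes."""
        self.site_config = site                       # VPN Connect attaches and uploads the site
        self.log.append("attach: site configuration uploaded")
        self.isakmp_expires_at = now + self.isakmp_lifetime   # phase 1: ISAKMP SA bounds the connection
        self.log.append("phase1: ISAKMP SA established")
        if self.xauth_required:                       # XAuth only if the gateway asks for it
            self.log.append("xauth: extended authentication completed")
        self.log.append("modecfg: virtual adapter address received")  # configuration transaction exchange
        self.routes = list(site["remote_networks"])   # routes push remote traffic onto the virtual adapter
        self.log.append(f"routes: {len(self.routes)} route(s) added")
        self.state = "connected"
        return self.state

    def negotiate(self, policy: str, now: int) -> IPsecSA:
        """Phase 2: negotiate (or re-negotiate) the IPsec SA for one policy."""
        if self.state != "connected":
            raise RuntimeError("phase 2 requires an established ISAKMP SA")
        prev = self.sas.get(policy)
        sa = IPsecSA(policy, now + self.ipsec_lifetime,
                     generation=0 if prev is None else prev.generation + 1)
        self.sas[policy] = sa
        return sa

    def tick(self, now: int) -> str:
        """Advance simulated time, expiring and rekeying as the daemon would."""
        if self.state != "connected":
            return self.state
        if now >= self.isakmp_expires_at:
            # ISAKMP SA expiry ends the connection: SAs deleted, config removed, client detached
            self.sas.clear()
            self.routes.clear()
            self.site_config = None
            self.state = "detached"
            self.log.append("isakmp expired: SAs deleted, config removed, client detached")
            return self.state
        for policy, sa in list(self.sas.items()):
            if now >= sa.expires_at:
                self.negotiate(policy, now)           # expired IPsec SA re-negotiated under the same ISAKMP SA
                self.rekeys += 1
        return self.state


def run_simulation(isakmp_lifetime: int = 100, ipsec_lifetime: int = 30,
                   until: Optional[int] = None) -> Connection:
    """Drive one connection from setup until `until` (default: ISAKMP expiry)."""
    site = {"gateway": "vpn.example.test",            # constructed sample site configuration
            "remote_networks": ["10.1.0.0/16", "10.2.0.0/16"]}
    conn = Connection(isakmp_lifetime, ipsec_lifetime)
    conn.connect(site, now=0)
    conn.negotiate("10.1.0.0/16", now=0)              # first phase 2 SA for one remote network
    for t in range(1, (isakmp_lifetime if until is None else until) + 1):
        conn.tick(t)
    return conn


if __name__ == "__main__":
    for line in run_simulation().log:
        print(line)
```

With the default lifetimes the IPsec SA is rekeyed at 30, 60 and 90 while the ISAKMP SA is still valid, and at 100 the whole connection is torn down in one step regardless of how much life the current IPsec SA has left.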