Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files] Options: --gateway <ip/hostname> IP/name of your IPSec gateway conf-variable: IPSec gateway <ip/hostname> --id <ASCII string> your group name conf-variable: IPSec ID <ASCII string> (configfile only option) your group password (cleartext) conf-variable: IPSec secret <ASCII string> (configfile only option) your group password (obfuscated) conf-variable: IPSec obfuscated secret <hex string> --username <ASCII string> your username conf-variable: Xauth username <ASCII string> (configfile only option) your password (cleartext) conf-variable: Xauth password <ASCII string> (configfile only option) your password (obfuscated) conf-variable: Xauth obfuscated password <hex string> --domain <ASCII string> (NT-) Domain name for authentication conf-variable: Domain <ASCII string> --xauth-inter enable interactive extended authentication (for challenge response auth) conf-variable: Xauth interactive --vendor <cisco/netscreen> vendor of your IPSec gateway Default: cisco conf-variable: Vendor <cisco/netscreen> --natt-mode <natt/none/force-natt/cisco-udp> Which NAT-Traversal Method to use: * natt -- NAT-T as defined in RFC3947 * none -- disable use of any NAT-T method * force-natt -- always use NAT-T encapsulation even without presence of a NAT device (useful if the OS captures all ESP traffic) * cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000 Note: cisco-tcp encapsulation is not yet supported Default: natt conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp> --script <command> command is executed using system() to configure the interface, routing and so on. Device name, IP, etc. are passed using enviroment variables, see README. This script is executed right after ISAKMP is done, but before tunneling is enabled. It is called when vpnc terminates, too Default: /etc/vpnc/vpnc-script conf-variable: Script <command> --dh <dh1/dh2/dh5> name of the IKE DH Group Default: dh2 conf-variable: IKE DH Group <dh1/dh2/dh5> --pfs <nopfs/dh1/dh2/dh5/server> Diffie-Hellman group to use for PFS Default: server conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server> --enable-1des enables weak single DES encryption conf-variable: Enable Single DES --enable-no-encryption enables using no encryption for data traffic (key exchanged must be encrypted) conf-variable: Enable no encryption --application-version <ASCII string> Application Version to report. Note: Default string is generated at runtime. Default: Cisco Systems VPN Client 0.5.1:Linux conf-variable: Application version <ASCII string> --ifname <ASCII string> visible name of the TUN/TAP interface conf-variable: Interface name <ASCII string> --ifmode <tun/tap> mode of TUN/TAP interface: * tun: virtual point to point interface (default) * tap: virtual ethernet interface Default: tun conf-variable: Interface mode <tun/tap> --debug <0/1/2/3/99> Show verbose debug messages * 0: Do not print debug information. * 1: Print minimal debug information. * 2: Show statemachine and packet/payload type information. * 3: Dump everything exluding authentication data. * 99: Dump everything including authentication data (e.g. passwords). conf-variable: Debug <0/1/2/3/99> --no-detach Don't detach from the console after login conf-variable: No Detach --pid-file <filename> store the pid of background process in <filename> Default: /var/run/vpnc/pid conf-variable: Pidfile <filename> --local-addr <ip/hostname> local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically assign) Default: 0.0.0.0 conf-variable: Local Addr <ip/hostname> --local-port <0-65535> local ISAKMP port number to use (0 == use random port) Default: 500 conf-variable: Local Port <0-65535> --udp-port <0-65535> Local UDP port number to use (0 == use random port). This is only relevant if cisco-udp nat-traversal is used. This is the _local_ port, the remote udp port is discovered automatically. It is especially not the cisco-tcp port. Default: 10000 conf-variable: Cisco UDP Encapsulation Port <0-65535> --dpd-idle <0,10-86400> Send DPD packet after not receiving anything for <idle> seconds. Use 0 to disable DPD completely (both ways). Default: 300 conf-variable: DPD idle timeout (our side) <0,10-86400> --non-inter Don't ask anything, exit on missing options conf-variable: Noninteractive --auth-mode <psk/cert/hybrid> Authentication mode: * psk: pre-shared key (default) * cert: server + client certificate (not implemented yet) * hybrid: server certificate + xauth (if built with openssl support) Default: psk conf-variable: IKE Authmode <psk/cert/hybrid> --ca-file <filename> filename and path to the CA-PEM-File conf-variable: CA-File <filename> --ca-dir <directory> path of the trusted CA-Directory Default: /etc/ssl/certs conf-variable: CA-Dir <directory> --dns-update DEPRECATED extension, see README.Debian for details Default: Yes conf-variable: DNSUpdate --target-networks DEPRECATED extension, see README.Debian for details Default: conf-variable: Target Networks Report bugs to vpnc@unix-ag.uni-kl.de