1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
|
Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]
Options:
--gateway <ip/hostname>
IP/name of your IPSec gateway
conf-variable: IPSec gateway <ip/hostname>
--id <ASCII string>
your group name
conf-variable: IPSec ID <ASCII string>
(configfile only option)
your group password (cleartext)
conf-variable: IPSec secret <ASCII string>
(configfile only option)
your group password (obfuscated)
conf-variable: IPSec obfuscated secret <hex string>
--username <ASCII string>
your username
conf-variable: Xauth username <ASCII string>
(configfile only option)
your password (cleartext)
conf-variable: Xauth password <ASCII string>
(configfile only option)
your password (obfuscated)
conf-variable: Xauth obfuscated password <hex string>
--domain <ASCII string>
(NT-) Domain name for authentication
conf-variable: Domain <ASCII string>
--xauth-inter
enable interactive extended authentication (for challenge response auth)
conf-variable: Xauth interactive
--vendor <cisco/netscreen>
vendor of your IPSec gateway
Default: cisco
conf-variable: Vendor <cisco/netscreen>
--natt-mode <natt/none/force-natt/cisco-udp>
Which NAT-Traversal Method to use:
* natt -- NAT-T as defined in RFC3947
* none -- disable use of any NAT-T method
* force-natt -- always use NAT-T encapsulation even
without presence of a NAT device
(useful if the OS captures all ESP traffic)
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
Note: cisco-tcp encapsulation is not yet supported
Default: natt
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>
--script <command>
command is executed using system() to configure the interface,
routing and so on. Device name, IP, etc. are passed using enviroment
variables, see README. This script is executed right after ISAKMP is
done, but before tunneling is enabled. It is called when vpnc
terminates, too
Default: /etc/vpnc/vpnc-script
conf-variable: Script <command>
--dh <dh1/dh2/dh5>
name of the IKE DH Group
Default: dh2
conf-variable: IKE DH Group <dh1/dh2/dh5>
--pfs <nopfs/dh1/dh2/dh5/server>
Diffie-Hellman group to use for PFS
Default: server
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>
--enable-1des
enables weak single DES encryption
conf-variable: Enable Single DES
--enable-no-encryption
enables using no encryption for data traffic (key exchanged must be encrypted)
conf-variable: Enable no encryption
--application-version <ASCII string>
Application Version to report. Note: Default string is generated at runtime.
Default: Cisco Systems VPN Client 0.5.1:Linux
conf-variable: Application version <ASCII string>
--ifname <ASCII string>
visible name of the TUN/TAP interface
conf-variable: Interface name <ASCII string>
--ifmode <tun/tap>
mode of TUN/TAP interface:
* tun: virtual point to point interface (default)
* tap: virtual ethernet interface
Default: tun
conf-variable: Interface mode <tun/tap>
--debug <0/1/2/3/99>
Show verbose debug messages
* 0: Do not print debug information.
* 1: Print minimal debug information.
* 2: Show statemachine and packet/payload type information.
* 3: Dump everything exluding authentication data.
* 99: Dump everything including authentication data (e.g. passwords).
conf-variable: Debug <0/1/2/3/99>
--no-detach
Don't detach from the console after login
conf-variable: No Detach
--pid-file <filename>
store the pid of background process in <filename>
Default: /var/run/vpnc/pid
conf-variable: Pidfile <filename>
--local-addr <ip/hostname>
local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically assign)
Default: 0.0.0.0
conf-variable: Local Addr <ip/hostname>
--local-port <0-65535>
local ISAKMP port number to use (0 == use random port)
Default: 500
conf-variable: Local Port <0-65535>
--udp-port <0-65535>
Local UDP port number to use (0 == use random port).
This is only relevant if cisco-udp nat-traversal is used.
This is the _local_ port, the remote udp port is discovered automatically.
It is especially not the cisco-tcp port.
Default: 10000
conf-variable: Cisco UDP Encapsulation Port <0-65535>
--dpd-idle <0,10-86400>
Send DPD packet after not receiving anything for <idle> seconds.
Use 0 to disable DPD completely (both ways).
Default: 300
conf-variable: DPD idle timeout (our side) <0,10-86400>
--non-inter
Don't ask anything, exit on missing options
conf-variable: Noninteractive
--auth-mode <psk/cert/hybrid>
Authentication mode:
* psk: pre-shared key (default)
* cert: server + client certificate (not implemented yet)
* hybrid: server certificate + xauth (if built with openssl support)
Default: psk
conf-variable: IKE Authmode <psk/cert/hybrid>
--ca-file <filename>
filename and path to the CA-PEM-File
conf-variable: CA-File <filename>
--ca-dir <directory>
path of the trusted CA-Directory
Default: /etc/ssl/certs
conf-variable: CA-Dir <directory>
--dns-update
DEPRECATED extension, see README.Debian for details
Default: Yes
conf-variable: DNSUpdate
--target-networks
DEPRECATED extension, see README.Debian for details
Default:
conf-variable: Target Networks
Report bugs to vpnc@unix-ag.uni-kl.de
|
