VPNC(8)                System Administration Utilities               VPNC(8)

NAME
       vpnc - client for Cisco VPN3000 Concentrator, IOS and PIX

SYNOPSIS
       vpnc [--version] [--print-config] [--help] [--long-help] [options]
            [config files]

DESCRIPTION
       This manual page documents briefly the vpnc and vpnc-disconnect
       commands.

       vpnc is a VPN client for the Cisco 3000 VPN Concentrator, creating an
       IPSec-like connection as a tunneling network device for the local
       system. It uses the TUN/TAP driver in Linux kernel 2.4 and above and
       device tun(4) on BSD. The created connection is presented as a
       tunneling network device to the local system.

       OBLIGATORY WARNING: the most used configuration (XAUTH authentication
       with pre-shared keys and password authentication) is insecure by
       design, be aware of this fact when you use vpnc to exchange sensitive
       data like passwords!

       The vpnc daemon by itself does not set any routes, but it calls
       vpnc-script to do this job. vpnc-script displays a connect banner. If
       the concentrator supplies a network list for split-tunneling, these
       networks are added to the routing table. Otherwise the default route
       will be modified to point to the tunnel. Further, a host route to the
       concentrator is added in the latter case. If the client host needs
       DHCP, care must be taken to add another host route to the DHCP server
       around the tunnel.

       The vpnc-disconnect command is used to terminate the connection
       previously created by vpnc and restore the previous routing
       configuration.

CONFIGURATION
       The daemon reads configuration data from the following places:
       · command line options
       · config file(s) specified on the command line
       · /etc/vpnc/default.conf
       · /etc/vpnc.conf
       · prompting the user if not found above

       vpnc can parse options and configuration files in any order. However,
       the first place to set an option wins. Configuration filenames which
       do not contain a / will be searched for at /etc/vpnc/<filename> and
       /etc/vpnc/<filename>.conf. Otherwise <filename> and <filename>.conf
       will be used. If no configuration file is specified on the command
       line at all, both /etc/vpnc/default.conf and /etc/vpnc.conf will be
       loaded.

OPTIONS
       The program options can be either given as arguments (but not all of
       them, for security reasons) or be stored in a configuration file.

       --gateway <ip/hostname>
              IP/name of your IPSec gateway
              conf-variable: IPSec gateway <ip/hostname>

       --id <ASCII string>
              your group name
              conf-variable: IPSec ID <ASCII string>

       (configfile only option)
              your group password (cleartext)
              conf-variable: IPSec secret <ASCII string>

       (configfile only option)
              your group password (obfuscated)
              conf-variable: IPSec obfuscated secret <hex string>

       --username <ASCII string>
              your username
              conf-variable: Xauth username <ASCII string>

       (configfile only option)
              your password (cleartext)
              conf-variable: Xauth password <ASCII string>

       (configfile only option)
              your password (obfuscated)
              conf-variable: Xauth obfuscated password <hex string>

       --domain <ASCII string>
              (NT-) Domain name for authentication
              conf-variable: Domain <ASCII string>

       --xauth-inter
              enable interactive extended authentication (for challenge
              response auth)
              conf-variable: Xauth interactive

       --vendor <cisco/netscreen>
              vendor of your IPSec gateway
              Default: cisco
              conf-variable: Vendor <cisco/netscreen>

       --natt-mode <natt/none/force-natt/cisco-udp>
              Which NAT-Traversal Method to use:
              · natt -- NAT-T as defined in RFC3947
              · none -- disable use of any NAT-T method
              · force-natt -- always use NAT-T encapsulation even without
                presence of a NAT device (useful if the OS captures all
                ESP traffic)
              · cisco-udp -- Cisco proprietary UDP encapsulation, commonly
                over Port 10000
              Note: cisco-tcp encapsulation is not yet supported
              Default: natt
              conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

       --script <command>
              command is executed using system() to configure the interface,
              routing and so on. Device name, IP, etc. are passed using
              environment variables, see README. This script is executed
              right after ISAKMP is done, but before tunneling is enabled. It
              is called when vpnc terminates, too.
              Default: /etc/vpnc/vpnc-script
              conf-variable: Script <command>

       --dh <dh1/dh2/dh5>
              name of the IKE DH Group
              Default: dh2
              conf-variable: IKE DH Group <dh1/dh2/dh5>

       --pfs <nopfs/dh1/dh2/dh5/server>
              Diffie-Hellman group to use for PFS
              Default: server
              conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

       --enable-1des
              enables weak single DES encryption
              conf-variable: Enable Single DES

       --enable-no-encryption
              enables using no encryption for data traffic (the key exchange
              must still be encrypted)
              conf-variable: Enable no encryption

       --application-version <ASCII string>
              Application Version to report. Note: Default string is generated
              at runtime.
              Default: Cisco Systems VPN Client 0.5.3:Linux
              conf-variable: Application version <ASCII string>

       --ifname <ASCII string>
              visible name of the TUN/TAP interface
              conf-variable: Interface name <ASCII string>

       --ifmode <tun/tap>
              mode of TUN/TAP interface:
              · tun: virtual point to point interface (default)
              · tap: virtual ethernet interface
              Default: tun
              conf-variable: Interface mode <tun/tap>

       --debug <0/1/2/3/99>
              Show verbose debug messages
              · 0: Do not print debug information.
              · 1: Print minimal debug information.
              · 2: Show state machine and packet/payload type information.
              · 3: Dump everything excluding authentication data.
              · 99: Dump everything INCLUDING AUTHENTICATION data (e.g.
                PASSWORDS).
              conf-variable: Debug <0/1/2/3/99>

       --no-detach
              Don't detach from the console after login
              conf-variable: No Detach

       --pid-file <filename>
              store the pid of the background process in <filename>
              Default: /var/run/vpnc/pid
              conf-variable: Pidfile <filename>

       --local-addr <ip/hostname>
              local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically
              assign)
              Default: 0.0.0.0
              conf-variable: Local Addr <ip/hostname>

       --local-port <0-65535>
              local ISAKMP port number to use (0 == use random port)
              Default: 500
              conf-variable: Local Port <0-65535>

       --udp-port <0-65535>
              Local UDP port number to use (0 == use random port). This is
              only relevant if cisco-udp nat-traversal is used. This is the
              _local_ port; the remote udp port is discovered automatically.
              In particular, it is not the cisco-tcp port.
              Default: 10000
              conf-variable: Cisco UDP Encapsulation Port <0-65535>

       --dpd-idle <0,10-86400>
              Send DPD packet after not receiving anything for <idle> seconds.
              Use 0 to disable DPD completely (both ways).
              Default: 600
              conf-variable: DPD idle timeout (our side) <0,10-86400>

       --non-inter
              Don't ask anything, exit on missing options
              conf-variable: Noninteractive

       --auth-mode <psk/cert/hybrid>
              Authentication mode:
              · psk: pre-shared key (default)
              · cert: server + client certificate (not implemented yet)
              · hybrid: server certificate + xauth (if built with openssl
                support)
              Default: psk
              conf-variable: IKE Authmode <psk/cert/hybrid>

       --ca-file <filename>
              filename and path to the CA-PEM-File
              conf-variable: CA-File <filename>

       --ca-dir <directory>
              path of the trusted CA-Directory
              Default: /etc/ssl/certs
              conf-variable: CA-Dir <directory>

       --target-network <target network/netmask>
              Target network in dotted decimal or CIDR notation
              Default: 0.0.0.0/0.0.0.0
              conf-variable: IPSEC target network <target network/netmask>

       --print-config
              Prints your configuration; output can be used as vpnc.conf

FILES
       /etc/vpnc.conf /etc/vpnc/default.conf
              The default configuration file. You can specify the same config
              directives as with command line options and additionally IPSec
              secret and Xauth password, both supplying a cleartext password.
              Scrambled passwords from the Cisco configuration profiles can
              be used with IPSec obfuscated secret and Xauth obfuscated
              password.

              See EXAMPLES for further details.

       /etc/vpnc/*.conf
              vpnc will read configuration files in this directory when the
              config filename (with or without .conf) is specified on the
              command line.

EXAMPLES
       This is an example vpnc.conf with pre-shared keys:

              IPSec gateway vpn.example.com
              IPSec ID ExampleVpnPSK
              IKE Authmode psk
              IPSec secret PskS3cret!
              Xauth username user@example.com
              Xauth password USecr3t

       And another one with hybrid authentication (requires that vpnc was
       built with openssl support):

              IPSec gateway vpn.example.com
              IPSec ID ExampleVpnHybrid
              IKE Authmode hybrid
              CA-Dir /etc/vpnc
                or
              CA-File /etc/vpnc/vpn-example-com.pem
              IPSec secret HybS3cret?
              Xauth username user@example.com
              Xauth password 123456

       The lines begin with a keyword (no leading spaces!). The values start
       exactly one space after the keywords, and run to the end of line. This
       lets you put any kind of weird character (except CR, LF and NUL) in
       your strings, but it does mean you can't add comments after a string,
       or spaces before them.

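       The following Python is an added example written for this page, not
       vpnc's own parser. It models the rules in CONFIGURATION and in the
       paragraph above: how a config name from the command line is resolved,
       which files load when none is named, the keyword-then-one-space line
       format (no leading spaces, no trailing comments), and the
       first-setting-wins precedence. The keyword list is the set of
       conf-variable names from OPTIONS; the matching is a simplified model
       of vpnc's behaviour, and the permission check on files holding
       cleartext secrets is an added practice that the man page itself does
       not state.

```python
"""Model of the lookup, parsing and precedence rules this man page gives for
vpnc configuration: names without a '/' are looked up under /etc/vpnc/ (with
and without .conf), both default files load when no file is named, and the
first place an option is set wins.  Added example, not vpnc's own parser;
keywords are the conf-variable names from OPTIONS."""
import os
from typing import Callable, Dict, Iterable, List, Optional, Tuple

VALUE_KEYWORDS = (
    "IPSec gateway", "IPSec ID", "IPSec secret", "IPSec obfuscated secret",
    "Xauth username", "Xauth password", "Xauth obfuscated password", "Domain",
    "Vendor", "NAT Traversal Mode", "Script", "IKE DH Group",
    "Perfect Forward Secrecy", "Application version", "Interface name",
    "Interface mode", "Debug", "Pidfile", "Local Addr", "Local Port",
    "Cisco UDP Encapsulation Port", "DPD idle timeout (our side)",
    "IKE Authmode", "CA-File", "CA-Dir", "IPSEC target network",
)
# keywords without a value: the whole line is the keyword
FLAG_KEYWORDS = ("Xauth interactive", "Enable Single DES",
                 "Enable no encryption", "No Detach", "Noninteractive")
DEFAULT_FILES = ("/etc/vpnc/default.conf", "/etc/vpnc.conf")
CONF_DIR = "/etc/vpnc"
Conf = Dict[str, Optional[str]]


def candidate_paths(name: str) -> List[str]:
    """Where a config name from the command line is looked for, in order."""
    if "/" in name:
        return [name, name + ".conf"]
    return [os.path.join(CONF_DIR, name), os.path.join(CONF_DIR, name + ".conf")]


def resolve_files(names: List[str],
                  exists: Callable[[str], bool] = os.path.exists) -> List[str]:
    """Files to load for the given names; the default files when none is given."""
    if not names:
        return [p for p in DEFAULT_FILES if exists(p)]
    found = []
    for name in names:
        for path in candidate_paths(name):
            if exists(path):
                found.append(path)
                break
    return found


def parse_line(line: str) -> Optional[Tuple[str, Optional[str]]]:
    """(keyword, value) for one line, None if not recognised.  The keyword must
    start in column 0; the value begins exactly one space after it and runs to
    the end of the line, so a trailing '# comment' is part of the value and a
    second space becomes a leading space of the value."""
    line = line.rstrip("\r\n")
    for kw in sorted(VALUE_KEYWORDS, key=len, reverse=True):
        if line.startswith(kw + " "):
            return kw, line[len(kw) + 1:]
    if line in FLAG_KEYWORDS:
        return line, None
    return None


def parse_conf(text: str) -> Tuple[Conf, List[str]]:
    """Settings from one file body plus the non-empty lines not understood.
    Within a file, too, the first occurrence of a keyword wins."""
    conf: Conf = {}
    unknown: List[str] = []
    for line in text.splitlines():
        if not line:
            continue
        parsed = parse_line(line)
        if parsed is None:
            unknown.append(line)
        elif parsed[0] not in conf:
            conf[parsed[0]] = parsed[1]
    return conf, unknown


def merge_first_wins(layers: Iterable[Conf]) -> Conf:
    """Command line first, then files in the order named: an option keeps
    the first value it was given."""
    merged: Conf = {}
    for layer in layers:
        for key, value in layer.items():
            merged.setdefault(key, value)
    return merged


def is_private(mode: int) -> bool:
    """True when group/other have no permission bits (e.g. 0600), which is
    what a file holding IPSec secret or Xauth password should look like."""
    return (mode & 0o077) == 0


def load(cli: Conf, names: List[str]) -> Conf:
    """End to end: command-line settings, then each resolved file."""
    layers = [cli]
    for path in resolve_files(names):
        if not is_private(os.stat(path).st_mode):
            print(f"warning: {path} is readable by group or other users")
        with open(path, encoding="utf-8") as fh:
            layers.append(parse_conf(fh.read())[0])
    return merge_first_wins(layers)
```

       Calling load({"Xauth username": "cli-user"}, ["work"]) resolves
       "work" to /etc/vpnc/work or /etc/vpnc/work.conf, parses it, and keeps
       the command-line username because it was set first; parse_conf's
       second return value shows which lines vpnc would not understand (for
       instance an indented line or a comment line), which is the usual cause
       of a setting silently not taking effect.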
       In case the CA-Dir option is used, your certificate needs to be named
       something like 722d15bd.X, where X is a manually assigned number to
       make sure that files with colliding hashes have different names. The
       hash part of the name can be derived from the certificate file itself:

              openssl x509 -subject_hash -noout -in /etc/vpnc/vpn-example-com.pem

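       As an added illustration (not part of the man page or of vpnc), the
       following Python chooses the CA-Dir file name: the hash comes from the
       openssl command above, and X is picked as the first number not already
       used for that hash in the directory, so certificates whose subject
       names hash to the same value get distinct names. The helper names and
       the eight-hex-digit pattern check are assumptions of this example.

```python
"""Pick the file name a CA certificate needs inside a CA-Dir: the OpenSSL
subject hash plus a suffix X that is unique per hash, so two CA certificates
whose subject names hash to the same value can coexist.  Added example for
this man page, not vpnc's own code; the hash comes from the openssl command
the page gives, the helper names are assumptions."""
import os
import re
import shutil
import subprocess
from typing import List, Optional

HASHED_NAME = re.compile(r"^([0-9a-f]{8})\.(\d+)$")


def is_subject_hash(text: str) -> bool:
    """openssl x509 -subject_hash prints eight lowercase hex digits."""
    return re.fullmatch(r"[0-9a-f]{8}", text) is not None


def next_suffix(entries: List[str], subject_hash: str) -> int:
    """Smallest X such that <subject_hash>.X is not already among entries."""
    used = set()
    for name in entries:
        m = HASHED_NAME.match(name)
        if m and m.group(1) == subject_hash:
            used.add(int(m.group(2)))
    x = 0
    while x in used:
        x += 1
    return x


def hashed_name(ca_dir: str, subject_hash: str,
                entries: Optional[List[str]] = None) -> str:
    """Path of the next free <hash>.X in ca_dir (entries defaults to a listing)."""
    if entries is None:
        entries = os.listdir(ca_dir)
    return os.path.join(ca_dir, f"{subject_hash}.{next_suffix(entries, subject_hash)}")


def subject_hash_of(pem_path: str) -> str:
    """Run the openssl command from the man page and validate its output."""
    out = subprocess.run(
        ["openssl", "x509", "-subject_hash", "-noout", "-in", pem_path],
        check=True, capture_output=True, text=True).stdout.strip()
    if not is_subject_hash(out):
        raise ValueError(f"unexpected openssl output: {out!r}")
    return out


def install_ca_cert(pem_path: str, ca_dir: str) -> str:
    """Copy pem_path into ca_dir under its hashed name; returns the new path."""
    dest = hashed_name(ca_dir, subject_hash_of(pem_path))
    shutil.copyfile(pem_path, dest)
    return dest


if __name__ == "__main__":
    # constructed sample listing: two certificates already share this hash
    print(hashed_name("/etc/vpnc", "722d15bd", ["722d15bd.0", "722d15bd.1", "README"]))
```

       The same naming scheme is what OpenSSL's c_rehash (and, in newer
       releases, openssl rehash) applies to a whole directory; note that
       OpenSSL releases before 1.0.0 used a different subject hash, available
       from current versions as -subject_hash_old, so a directory shared with
       very old software may need both names.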
       See also the --print-config option to generate a config file, and the
       example file in the package documentation directory where more
       advanced usage is demonstrated.

       Advanced features like manual setting of multiple target routes and
       disabling /etc/resolv.conf rewriting are documented in the README of
       the vpnc package.

TODO
       Certificate support (Pre-Shared-Key + XAUTH is known to be insecure).
       Further points can be found in the TODO file.

AUTHOR
       This man-page has been written by Eduard Bloch <blade(at)debian.org>
       and Christian Lackas <delta(at)lackas.net>, based on vpnc README by
       Maurice Massar <vpnc(at)unix-ag.uni-kl.de>. Permission is granted to
       copy, distribute and/or modify this document under the terms of the
       GNU General Public License, Version 2 or any later version published
       by the Free Software Foundation.

       On Debian systems, the complete text of the GNU General Public License
       can be found in /usr/share/common-licenses/GPL.

SEE ALSO
       pcf2vpnc(1), cisco-decrypt(1), ip(8), ifconfig(8), route(1),
       http://www.unix-ag.uni-kl.de/~massar/vpnc/

vpnc version 0.5.3               December 2009                       VPNC(8)