VPNC(8)                  System Administration Utilities                 VPNC(8)

NAME
       vpnc - client for Cisco VPN3000 Concentrator, IOS and PIX

SYNOPSIS
       vpnc [--version] [--print-config] [--help] [--long-help] [options]
       [config files]

DESCRIPTION
       This manual page documents briefly the vpnc and vpnc-disconnect
       commands.

       vpnc is a VPN client for the Cisco 3000 VPN Concentrator, creating an
       IPSec-like connection that is presented to the local system as a
       tunneling network device. It uses the TUN/TAP driver in Linux kernel
       2.4 and above and device tun(4) on BSD.

       OBLIGATORY WARNING: the most used configuration (XAUTH authentication
       with pre-shared keys and password authentication) is insecure by
       design, be aware of this fact when you use vpnc to exchange sensitive
       data like passwords!

       The vpnc daemon by itself does not set any routes, but it calls
       vpnc-script to do this job. vpnc-script displays a connect banner. If
       the concentrator supplies a network list for split-tunneling, these
       networks are added to the routing table. Otherwise the default route
       will be modified to point to the tunnel, and in that case a host
       route to the concentrator is added as well. If the client host needs
       DHCP, care must be taken to add another host route to the DHCP server
       around the tunnel.

       The vpnc-disconnect command is used to terminate the connection
       previously created by vpnc and restore the previous routing
       configuration.

CONFIGURATION
       The daemon reads configuration data from the following places:
       · command line options
       · config file(s) specified on the command line
       · /etc/vpnc/default.conf
       · /etc/vpnc.conf
       · prompting the user if not found above

       vpnc can parse options and configuration files in any order. However,
       the first place to set an option wins. Configuration filenames which
       do not contain a / will be searched for at /etc/vpnc/<filename> and
       /etc/vpnc/<filename>.conf. Otherwise <filename> and <filename>.conf
       will be used. If no configuration file is specified on the command
       line at all, both /etc/vpnc/default.conf and /etc/vpnc.conf will be
       loaded.

       Additionally, if the configuration file "-" is specified on the
       command line, vpnc will read configuration from stdin. The
       configuration is parsed and the connection proceeds when stdin is
       closed or the special character CEOT (CTRL-D) is read.

OPTIONS
       The program options can be either given as arguments (but not all of
       them, for security reasons) or be stored in a configuration file.

       --gateway <ip/hostname>
              IP/name of your IPSec gateway
              conf-variable: IPSec gateway <ip/hostname>

       --id <ASCII string>
              your group name
              conf-variable: IPSec ID <ASCII string>

       (configfile only option)
              your group password (cleartext)
              conf-variable: IPSec secret <ASCII string>

       (configfile only option)
              your group password (obfuscated)
              conf-variable: IPSec obfuscated secret <hex string>

       --username <ASCII string>
              your username
              conf-variable: Xauth username <ASCII string>

       (configfile only option)
              your password (cleartext)
              conf-variable: Xauth password <ASCII string>

       (configfile only option)
              your password (obfuscated)
              conf-variable: Xauth obfuscated password <hex string>

       --domain <ASCII string>
              (NT-) Domain name for authentication
              conf-variable: Domain <ASCII string>

       --xauth-inter
              enable interactive extended authentication (for challenge
              response auth)
              conf-variable: Xauth interactive

       --vendor <cisco/netscreen>
              vendor of your IPSec gateway
              Default: cisco
              conf-variable: Vendor <cisco/netscreen>

       --natt-mode <natt/none/force-natt/cisco-udp>
              Which NAT-Traversal method to use:
              · natt -- NAT-T as defined in RFC3947
              · none -- disable use of any NAT-T method
              · force-natt -- always use NAT-T encapsulation even without
                presence of a NAT device (useful if the OS captures all
                ESP traffic)
              · cisco-udp -- Cisco proprietary UDP encapsulation, commonly
                over port 10000
              Note: cisco-tcp encapsulation is not yet supported
              Default: natt
              conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

       --script <command>
              command is executed using system() to configure the interface,
              routing and so on. Device name, IP, etc. are passed using
              environment variables, see README. This script is executed
              right after ISAKMP is done, but before tunneling is enabled. It
              is called when vpnc terminates, too.
              Default: /etc/vpnc/vpnc-script
              conf-variable: Script <command>

       --dh <dh1/dh2/dh5>
              name of the IKE DH Group
              Default: dh2
              conf-variable: IKE DH Group <dh1/dh2/dh5>

       --pfs <nopfs/dh1/dh2/dh5/server>
              Diffie-Hellman group to use for PFS
              Default: server
              conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

       --enable-1des
              enables weak single DES encryption
              conf-variable: Enable Single DES

       --enable-no-encryption
              enables using no encryption for data traffic (the key exchange
              must still be encrypted)
              conf-variable: Enable no encryption

       --application-version <ASCII string>
              Application Version to report. Note: the default string is
              generated at runtime.
              Default: Cisco Systems VPN Client 0.5.3:Linux
              conf-variable: Application version <ASCII string>

       --ifname <ASCII string>
              visible name of the TUN/TAP interface
              conf-variable: Interface name <ASCII string>

       --ifmode <tun/tap>
              mode of TUN/TAP interface:
              · tun: virtual point to point interface (default)
              · tap: virtual ethernet interface
              Default: tun
              conf-variable: Interface mode <tun/tap>

       --ifmtu <0-65535>
              Set MTU for TUN/TAP interface (default 0 == automatic detect)
              conf-variable: Interface MTU <0-65535>

       --debug <0/1/2/3/99>
              Show verbose debug messages
              · 0: Do not print debug information.
              · 1: Print minimal debug information.
              · 2: Show statemachine and packet/payload type information.
              · 3: Dump everything excluding authentication data.
              · 99: Dump everything INCLUDING AUTHENTICATION data (e.g.
                PASSWORDS).
              conf-variable: Debug <0/1/2/3/99>

       --no-detach
              Don't detach from the console after login
              conf-variable: No Detach

       --pid-file <filename>
              store the pid of the background process in <filename>
              Default: /var/run/vpnc.pid
              conf-variable: Pidfile <filename>

       --local-addr <ip/hostname>
              local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically
              assign)
              Default: 0.0.0.0
              conf-variable: Local Addr <ip/hostname>

       --local-port <0-65535>
              local ISAKMP port number to use (0 == use random port)
              Default: 500
              conf-variable: Local Port <0-65535>

       --udp-port <0-65535>
              Local UDP port number to use (0 == use random port). This is
              only relevant if cisco-udp nat-traversal is used. This is the
              _local_ port; the remote UDP port is discovered automatically.
              It is in particular not the cisco-tcp port.
              Default: 10000
              conf-variable: Cisco UDP Encapsulation Port <0-65535>

       --dpd-idle <0,10-86400>
              Send DPD packet after not receiving anything for <idle> seconds.
              Use 0 to disable DPD completely (both ways).
              Default: 600
              conf-variable: DPD idle timeout (our side) <0,10-86400>

       --non-inter
              Don't ask anything, exit on missing options
              conf-variable: Noninteractive

       --auth-mode <psk/cert/hybrid>
              Authentication mode:
              · psk: pre-shared key (default)
              · cert: server + client certificate (not implemented yet)
              · hybrid: server certificate + xauth (if built with openssl
                support)
              Default: psk
              conf-variable: IKE Authmode <psk/cert/hybrid>

       --ca-file <filename>
              filename and path to the CA PEM file
              conf-variable: CA-File <filename>

       --ca-dir <directory>
              path of the trusted CA directory
              Default: /etc/ssl/certs
              conf-variable: CA-Dir <directory>

       --target-network <target network/netmask>
              Target network in dotted decimal or CIDR notation
              Default: 0.0.0.0/0.0.0.0
              conf-variable: IPSEC target network <target network/netmask>

       --password-helper <executable>
              path to password program or helper name
              conf-variable: Password helper <executable>

       --print-config
              Prints your configuration; output can be used as vpnc.conf

FILES
       /etc/vpnc.conf /etc/vpnc/default.conf
              The default configuration file. You can specify the same config
              directives as with command line options and additionally IPSec
              secret and Xauth password, both supplying a cleartext password.
              Scrambled passwords from the Cisco configuration profiles can
              be used with IPSec obfuscated secret and Xauth obfuscated
              password.

              See EXAMPLES for further details.

       /etc/vpnc/*.conf
              vpnc will read configuration files in this directory when the
              config filename (with or without .conf) is specified on the
              command line.

EXAMPLES
       This is an example vpnc.conf with pre-shared keys:

              IPSec gateway vpn.example.com
              IPSec ID ExampleVpnPSK
              IKE Authmode psk
              IPSec secret PskS3cret!
              Xauth username user@example.com
              Xauth password USecr3t

       And another one with hybrid authentication (requires that vpnc was
       built with openssl support):

              IPSec gateway vpn.example.com
              IPSec ID ExampleVpnHybrid
              IKE Authmode hybrid
              CA-Dir /etc/vpnc
              or
              CA-File /etc/vpnc/vpn-example-com.pem
              IPSec secret HybS3cret?
              Xauth username user@example.com
              Xauth password 123456

       The lines begin with a keyword (no leading spaces!). The values start
       exactly one space after the keywords, and run to the end of line. This
       lets you put any kind of weird character (except CR, LF and NUL) in
       your strings, but it does mean you can't add comments after a string,
       or spaces before them.
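       The line format just described, together with the "first place to set
       an option wins" rule from CONFIGURATION, as an added Python example
       (not vpnc's own code). KEYWORDS is a subset of the conf-variables on
       this page, and audit() flags only settings the page itself calls weak
       or credential-exposing.

```python
# Added example, not vpnc's own parser. KEYWORDS: subset of the man page's
# conf-variables; True marks a bare flag that takes no value.
KEYWORDS = {
    "IPSec gateway": False, "IPSec ID": False, "IPSec secret": False,
    "IPSec obfuscated secret": False, "Xauth username": False,
    "Xauth password": False, "Xauth obfuscated password": False,
    "Xauth interactive": True, "IKE Authmode": False, "Debug": False,
    "Enable Single DES": True, "Enable no encryption": True,
    "CA-File": False, "CA-Dir": False,
}

def parse_vpnc_conf(text):
    """keyword -> value (True for flags): keyword flush left, exactly one
    separator space, value runs to end of line (no comment syntax)."""
    conf = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line:
            continue
        if line[0] == " ":
            raise ValueError(f"line {lineno}: leading space before keyword")
        # Longest keyword first, so "IPSec obfuscated secret" is not read as
        # some shorter keyword followed by an odd-looking value.
        for kw in sorted(KEYWORDS, key=len, reverse=True):
            if KEYWORDS[kw] and line == kw:
                conf.setdefault(kw, True)          # first occurrence wins
                break
            if not KEYWORDS[kw] and line.startswith(kw + " "):
                conf.setdefault(kw, line[len(kw) + 1:])  # extra spaces are value
                break
        else:
            raise ValueError(f"line {lineno}: unknown keyword or bad separator: {line!r}")
    return conf

def merge_sources(*sources):
    """Lookup order: command line, named files, default.conf, vpnc.conf."""
    merged = {}
    for src in sources:
        for key, value in src.items():
            merged.setdefault(key, value)          # first place wins
    return merged

def audit(conf):
    """Settings the man page marks as weak or as exposing credentials."""
    findings = [f"{k} stored in cleartext" for k in ("IPSec secret", "Xauth password") if k in conf]
    if "Enable Single DES" in conf: findings.append("single DES enabled")
    if "Enable no encryption" in conf: findings.append("data traffic unencrypted")
    if conf.get("Debug") == "99": findings.append("Debug 99 dumps passwords")
    return findings

# Constructed sample input, taken from the PSK example in this man page.
SAMPLE_CONF = ("IPSec gateway vpn.example.com\nIPSec ID ExampleVpnPSK\n"
               "IKE Authmode psk\nIPSec secret PskS3cret!\n"
               "Xauth username user@example.com\nXauth password USecr3t\n")
```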

       In case the CA-Dir option is used, your certificate needs to be named
       something like 722d15bd.X, where X is a manually assigned number to
       make sure that files with colliding hashes have different names. The
       hash part of the name (722d15bd in this example) can be derived from
       the certificate file itself:

              openssl x509 -subject_hash -noout -in /etc/vpnc/vpn-example-com.pem

       See also the --print-config option to generate a config file, and the
       example file in the package documentation directory where more
       advanced usage is demonstrated.

       Advanced features like manual setting of multiple target routes and
       disabling /etc/resolv.conf rewriting are documented in the README of
       the vpnc package.


AUTHOR
       This man-page has been written by Eduard Bloch <blade(at)debian.org>
       and Christian Lackas <delta(at)lackas.net>, based on the vpnc README by
       Maurice Massar <vpnc(at)unix-ag.uni-kl.de>. Permission is granted to
       copy, distribute and/or modify this document under the terms of the GNU
       General Public License, Version 2 or any later version published by
       the Free Software Foundation.

       On Debian systems, the complete text of the GNU General Public License
       can be found in /usr/share/common-licenses/GPL.

SEE ALSO
       pcf2vpnc(1), cisco-decrypt(1), ip(8), ifconfig(8), route(1),
       http://www.unix-ag.uni-kl.de/~massar/vpnc/



vpnc version 0.5.3                February 2014                        VPNC(8)