VPNC(8)                 System Administration Utilities                VPNC(8)



NAME

       vpnc - client for Cisco VPN3000 Concentrator, IOS and PIX


SYNOPSIS

       vpnc [--version] [--print-config] [--help] [--long-help] [options]
       [config files]


DESCRIPTION

       This manual page documents briefly the vpnc and vpnc-disconnect
       commands.

       vpnc is a VPN client for the Cisco 3000 VPN Concentrator, creating an
       IPSec-like connection as a tunneling network device for the local
       system. It uses the TUN/TAP driver in Linux kernel 2.4 and above and
       the tun(4) device on BSD. The created connection is presented as a
       tunneling network device to the local system.

       OBLIGATORY WARNING: the most used configuration (XAUTH authentication
       with pre-shared keys and password authentication) is insecure by
       design; be aware of this fact when you use vpnc to exchange sensitive
       data like passwords!

       The vpnc daemon by itself does not set any routes, but it calls
       vpnc-script to do this job. vpnc-script displays a connect banner. If
       the concentrator supplies a network list for split-tunneling, these
       networks are added to the routing table. Otherwise the default route
       will be modified to point to the tunnel, and in that case a host route
       to the concentrator is added as well. If the client host needs DHCP,
       care must be taken to add another host route to the DHCP server around
       the tunnel.

       The vpnc-disconnect command is used to terminate the connection
       previously created by vpnc and restore the previous routing
       configuration.



CONFIGURATION

       The daemon reads configuration data from the following places:
       ·      command line options
       ·      config file(s) specified on the command line
       ·      /etc/vpnc/default.conf
       ·      /etc/vpnc.conf
       ·      prompting the user if not found above

       vpnc can parse options and configuration files in any order. However,
       the first place to set an option wins. Configuration filenames which do
       not contain a / will be searched for at /etc/vpnc/<filename> and
       /etc/vpnc/<filename>.conf. Otherwise <filename> and <filename>.conf
       will be used. If no configuration file is specified on the command
       line at all, both /etc/vpnc/default.conf and /etc/vpnc.conf will be
       loaded.

       Additionally, if the configuration file "-" is specified on the
       command line, vpnc will read its configuration from stdin. The
       configuration is parsed and the connection proceeds when stdin is
       closed or the special character CEOT (CTRL-D) is read.


OPTIONS

       The program options can be either given as arguments (but not all of
       them, for security reasons) or be stored in a configuration file.

       --gateway <ip/hostname>
              IP/name of your IPSec gateway
       conf-variable: IPSec gateway <ip/hostname>

       --id <ASCII string>
              your group name
       conf-variable: IPSec ID <ASCII string>

       (configfile only option)
              your group password (cleartext)
       conf-variable: IPSec secret <ASCII string>

       (configfile only option)
              your group password (obfuscated)
       conf-variable: IPSec obfuscated secret <hex string>

       --username <ASCII string>
              your username
       conf-variable: Xauth username <ASCII string>

       (configfile only option)
              your password (cleartext)
       conf-variable: Xauth password <ASCII string>

       (configfile only option)
              your password (obfuscated)
       conf-variable: Xauth obfuscated password <hex string>

       --domain <ASCII string>
              (NT-) Domain name for authentication
       conf-variable: Domain <ASCII string>

       --xauth-inter
              enable interactive extended authentication (for challenge
              response auth)
       conf-variable: Xauth interactive

       --vendor <cisco/netscreen>
              vendor of your IPSec gateway
              Default: cisco
       conf-variable: Vendor <cisco/netscreen>

       --natt-mode <natt/none/force-natt/cisco-udp>
              Which NAT-Traversal method to use:
              ·      natt -- NAT-T as defined in RFC3947
              ·      none -- disable use of any NAT-T method
              ·      force-natt -- always use NAT-T encapsulation even without
                     presence of a NAT device (useful if the OS captures all
                     ESP traffic)
              ·      cisco-udp -- Cisco proprietary UDP encapsulation,
                     commonly over port 10000
              Note: cisco-tcp encapsulation is not yet supported
              Default: natt
       conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

       --script <command>
              command is executed using system() to configure the interface,
              routing and so on. Device name, IP, etc. are passed using
              environment variables, see README. This script is executed right
              after ISAKMP is done, but before tunneling is enabled. It is
              called when vpnc terminates, too.
              Default: /etc/vpnc/vpnc-script
       conf-variable: Script <command>
128
       --dh <dh1/dh2/dh5>
              name of the IKE DH Group
              Default: dh2
       conf-variable: IKE DH Group <dh1/dh2/dh5>

       --pfs <nopfs/dh1/dh2/dh5/server>
              Diffie-Hellman group to use for PFS
              Default: server
       conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

       --enable-1des
              enables weak single DES encryption
       conf-variable: Enable Single DES

       --enable-no-encryption
              enables using no encryption for data traffic (the key exchange
              must still be encrypted)
       conf-variable: Enable no encryption

       --application-version <ASCII string>
              Application Version to report. Note: Default string is generated
              at runtime.
              Default: Cisco Systems VPN Client 0.5.3:Linux
       conf-variable: Application version <ASCII string>

       --ifname <ASCII string>
              visible name of the TUN/TAP interface
       conf-variable: Interface name <ASCII string>

       --ifmode <tun/tap>
              mode of TUN/TAP interface:
              ·      tun: virtual point to point interface (default)
              ·      tap: virtual ethernet interface
              Default: tun
       conf-variable: Interface mode <tun/tap>

       --ifmtu <0-65535>
              Set MTU for TUN/TAP interface (default 0 == automatic detect)
       conf-variable: Interface MTU <0-65535>

       --debug <0/1/2/3/99>
              Show verbose debug messages
              ·      0: Do not print debug information.
              ·      1: Print minimal debug information.
              ·      2: Show statemachine and packet/payload type information.
              ·      3: Dump everything excluding authentication data.
              ·      99: Dump everything INCLUDING AUTHENTICATION data (e.g.
                     PASSWORDS).
       conf-variable: Debug <0/1/2/3/99>
183
       --no-detach
              Don't detach from the console after login
       conf-variable: No Detach

       --pid-file <filename>
              store the pid of the background process in <filename>
              Default: /var/run/vpnc.pid
       conf-variable: Pidfile <filename>

       --local-addr <ip/hostname>
              local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically
              assign)
              Default: 0.0.0.0
       conf-variable: Local Addr <ip/hostname>

       --local-port <0-65535>
              local ISAKMP port number to use (0 == use random port)
              Default: 500
       conf-variable: Local Port <0-65535>

       --udp-port <0-65535>
              Local UDP port number to use (0 == use random port). This is
              only relevant if cisco-udp NAT traversal is used. This is the
              _local_ port; the remote UDP port is discovered automatically.
              In particular, it is not the cisco-tcp port.
              Default: 10000
       conf-variable: Cisco UDP Encapsulation Port <0-65535>

       --dpd-idle <0,10-86400>
              Send DPD packet after not receiving anything for <idle> seconds.
              Use 0 to disable DPD completely (both ways).
              Default: 600
       conf-variable: DPD idle timeout (our side) <0,10-86400>

       --non-inter
              Don't ask anything, exit on missing options
       conf-variable: Noninteractive

       --auth-mode <psk/cert/hybrid>
              Authentication mode:
              ·      psk:    pre-shared key (default)
              ·      cert:   server + client certificate (not implemented yet)
              ·      hybrid: server certificate + xauth (if built with openssl
                     support)
              Default: psk
       conf-variable: IKE Authmode <psk/cert/hybrid>

       --ca-file <filename>
              filename and path to the CA PEM file
       conf-variable: CA-File <filename>

       --ca-dir <directory>
              path of the trusted CA directory
              Default: /etc/ssl/certs
       conf-variable: CA-Dir <directory>

       --target-network <target network/netmask>
              Target network in dotted decimal or CIDR notation
              Default: 0.0.0.0/0.0.0.0
       conf-variable: IPSEC target network <target network/netmask>

       --password-helper <executable>
              path to password program or helper name
       conf-variable: Password helper <executable>

       --print-config
              Prints your configuration; output can be used as vpnc.conf


FILES

       /etc/vpnc.conf /etc/vpnc/default.conf
              The default configuration file. You can specify the same config
              directives as with command line options and additionally IPSec
              secret and Xauth password, both supplying a cleartext password.
              Scrambled passwords from the Cisco configuration profiles can be
              used with IPSec obfuscated secret and Xauth obfuscated password.

              See EXAMPLES for further details.

       /etc/vpnc/*.conf
              vpnc will read configuration files in this directory when the
              config filename (with or without .conf) is specified on the
              command line.



EXAMPLES

       This is an example vpnc.conf with pre-shared keys:

              IPSec gateway vpn.example.com
              IPSec ID ExampleVpnPSK
              IKE Authmode psk
              IPSec secret PskS3cret!
              Xauth username user@example.com
              Xauth password USecr3t

       And another one with hybrid authentication (requires that vpnc was
       built with openssl support); use either CA-Dir or CA-File:

              IPSec gateway vpn.example.com
              IPSec ID ExampleVpnHybrid
              IKE Authmode hybrid
              CA-Dir /etc/vpnc
              or
              CA-File /etc/vpnc/vpn-example-com.pem
              IPSec secret HybS3cret?
              Xauth username user@example.com
              Xauth password 123456

       The lines begin with a keyword (no leading spaces!). The values start
       exactly one space after the keywords, and run to the end of line. This
       lets you put any kind of weird character (except CR, LF and NUL) in
       your strings, but it does mean you can't add comments after a string,
       or spaces before them.
296
       In case the CA-Dir option is used, your certificate needs to be named
       something like 722d15bd.X, where X is a manually assigned number to
       make sure that files with colliding hashes have different names. The
       hash part of the name can be derived from the certificate file itself:

       openssl x509 -subject_hash -noout -in /etc/vpnc/vpn-example-com.pem

       See also the --print-config option to generate a config file, and the
       example file in the package documentation directory where more advanced
       usage is demonstrated.

       Advanced features like manual setting of multiple target routes and
       disabling /etc/resolv.conf rewriting are documented in the README of
       the vpnc package.




AUTHOR

       This man page has been written by Eduard Bloch <blade(at)debian.org>
       and Christian Lackas <delta(at)lackas.net>, based on the vpnc README by
       Maurice Massar <vpnc(at)unix-ag.uni-kl.de>. Permission is granted to
       copy, distribute and/or modify this document under the terms of the GNU
       General Public License, Version 2 or any later version published by the
       Free Software Foundation.

       On Debian systems, the complete text of the GNU General Public License
       can be found in /usr/share/common-licenses/GPL.


SEE ALSO

       pcf2vpnc(1), cisco-decrypt(1), ip(8), ifconfig(8), route(1),
       http://www.unix-ag.uni-kl.de/~massar/vpnc/



vpnc version 0.5.3               February 2014                         VPNC(8)