Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]
|
|
Options:
|
--gateway <ip/hostname>
|
IP/name of your IPSec gateway
|
conf-variable: IPSec gateway <ip/hostname>
|
|
--id <ASCII string>
|
your group name
|
conf-variable: IPSec ID <ASCII string>
|
|
(configfile only option)
|
your group password (cleartext)
|
conf-variable: IPSec secret <ASCII string>
|
|
(configfile only option)
|
your group password (obfuscated)
|
conf-variable: IPSec obfuscated secret <hex string>
|
|
--username <ASCII string>
|
your username
|
conf-variable: Xauth username <ASCII string>
|
|
(configfile only option)
|
your password (cleartext)
|
conf-variable: Xauth password <ASCII string>
|
|
(configfile only option)
|
your password (obfuscated)
|
conf-variable: Xauth obfuscated password <hex string>
|
|
--domain <ASCII string>
|
(NT-) Domain name for authentication
|
conf-variable: Domain <ASCII string>
|
|
--xauth-inter
|
enable interactive extended authentication (for challenge response auth)
|
conf-variable: Xauth interactive
|
|
--vendor <cisco/netscreen>
|
vendor of your IPSec gateway
|
Default: cisco
|
conf-variable: Vendor <cisco/netscreen>
|
|
--natt-mode <natt/none/force-natt/cisco-udp>
|
Which NAT-Traversal Method to use:
|
* natt -- NAT-T as defined in RFC3947
|
* none -- disable use of any NAT-T method
|
* force-natt -- always use NAT-T encapsulation even
|
without presence of a NAT device
|
(useful if the OS captures all ESP traffic)
|
* cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
|
Note: cisco-tcp encapsulation is not yet supported
|
Default: natt
|
conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>
|
|
--script <command>
|
command is executed using system() to configure the interface,
|
routing and so on. Device name, IP, etc. are passed using enviroment
|
variables, see README. This script is executed right after ISAKMP is
|
done, but before tunneling is enabled. It is called when vpnc
|
terminates, too
|
Default: /etc/vpnc/vpnc-script
|
conf-variable: Script <command>
|
|
--dh <dh1/dh2/dh5>
|
name of the IKE DH Group
|
Default: dh2
|
conf-variable: IKE DH Group <dh1/dh2/dh5>
|
|
--pfs <nopfs/dh1/dh2/dh5/server>
|
Diffie-Hellman group to use for PFS
|
Default: server
|
conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>
|
|
--enable-1des
|
enables weak single DES encryption
|
conf-variable: Enable Single DES
|
|
--enable-no-encryption
|
enables using no encryption for data traffic (key exchanged must be encrypted)
|
conf-variable: Enable no encryption
|
|
--application-version <ASCII string>
|
Application Version to report. Note: Default string is generated at runtime.
|
Default: Cisco Systems VPN Client 0.5.3-394:Linux
|
conf-variable: Application version <ASCII string>
|
|
--ifname <ASCII string>
|
visible name of the TUN/TAP interface
|
conf-variable: Interface name <ASCII string>
|
|
--ifmode <tun/tap>
|
mode of TUN/TAP interface:
|
* tun: virtual point to point interface (default)
|
* tap: virtual ethernet interface
|
Default: tun
|
conf-variable: Interface mode <tun/tap>
|
|
--debug <0/1/2/3/99>
|
Show verbose debug messages
|
* 0: Do not print debug information.
|
* 1: Print minimal debug information.
|
* 2: Show statemachine and packet/payload type information.
|
* 3: Dump everything exluding authentication data.
|
* 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
|
conf-variable: Debug <0/1/2/3/99>
|
|
--no-detach
|
Don't detach from the console after login
|
conf-variable: No Detach
|
|
--pid-file <filename>
|
store the pid of background process in <filename>
|
Default: /var/run/vpnc/pid
|
conf-variable: Pidfile <filename>
|
|
--local-addr <ip/hostname>
|
local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically assign)
|
Default: 0.0.0.0
|
conf-variable: Local Addr <ip/hostname>
|
|
--local-port <0-65535>
|
local ISAKMP port number to use (0 == use random port)
|
Default: 500
|
conf-variable: Local Port <0-65535>
|
|
--udp-port <0-65535>
|
Local UDP port number to use (0 == use random port).
|
This is only relevant if cisco-udp nat-traversal is used.
|
This is the _local_ port, the remote udp port is discovered automatically.
|
It is especially not the cisco-tcp port.
|
Default: 10000
|
conf-variable: Cisco UDP Encapsulation Port <0-65535>
|
|
--dpd-idle <0,10-86400>
|
Send DPD packet after not receiving anything for <idle> seconds.
|
Use 0 to disable DPD completely (both ways).
|
Default: 300
|
conf-variable: DPD idle timeout (our side) <0,10-86400>
|
|
--non-inter
|
Don't ask anything, exit on missing options
|
conf-variable: Noninteractive
|
|
--auth-mode <psk/cert/hybrid>
|
Authentication mode:
|
* psk: pre-shared key (default)
|
* cert: server + client certificate (not implemented yet)
|
* hybrid: server certificate + xauth (if built with openssl support)
|
Default: psk
|
conf-variable: IKE Authmode <psk/cert/hybrid>
|
|
--ca-file <filename>
|
filename and path to the CA-PEM-File
|
conf-variable: CA-File <filename>
|
|
--ca-dir <directory>
|
path of the trusted CA-Directory
|
Default: /etc/ssl/certs
|
conf-variable: CA-Dir <directory>
|
|
--target-network <target network/netmask>
|
Target network in dotted decimal or CIDR notation
|
Default: 0.0.0.0/0.0.0.0
|
conf-variable: IPSEC target network <target network/netmask>
|
|
Report bugs to vpnc@unix-ag.uni-kl.de
|
