Patrick Williams | b48b7b4 | 2016-08-17 15:04:38 -0500

Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]

Options:
  --gateway <ip/hostname>
      IP/name of your IPSec gateway
  conf-variable: IPSec gateway <ip/hostname>

  --id <ASCII string>
      your group name
  conf-variable: IPSec ID <ASCII string>

  (configfile only option)
      your group password (cleartext)
  conf-variable: IPSec secret <ASCII string>

  (configfile only option)
      your group password (obfuscated)
  conf-variable: IPSec obfuscated secret <hex string>

  --username <ASCII string>
      your username
  conf-variable: Xauth username <ASCII string>

  (configfile only option)
      your password (cleartext)
  conf-variable: Xauth password <ASCII string>

  (configfile only option)
      your password (obfuscated)
  conf-variable: Xauth obfuscated password <hex string>

  --domain <ASCII string>
      (NT-) Domain name for authentication
  conf-variable: Domain <ASCII string>

  --xauth-inter
      enable interactive extended authentication (for challenge response auth)
  conf-variable: Xauth interactive

  --vendor <cisco/netscreen>
      vendor of your IPSec gateway
    Default: cisco
  conf-variable: Vendor <cisco/netscreen>

  --natt-mode <natt/none/force-natt/cisco-udp>
      Which NAT-Traversal Method to use:
       * natt -- NAT-T as defined in RFC3947
       * none -- disable use of any NAT-T method
       * force-natt -- always use NAT-T encapsulation even
                       without presence of a NAT device
                       (useful if the OS captures all ESP traffic)
       * cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
      Note: cisco-tcp encapsulation is not yet supported
    Default: natt
  conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

  --script <command>
      command is executed using system() to configure the interface,
      routing and so on. Device name, IP, etc. are passed using environment
      variables, see README. This script is executed right after ISAKMP is
      done, but before tunneling is enabled. It is called when vpnc
      terminates, too
    Default: /etc/vpnc/vpnc-script
  conf-variable: Script <command>

  --dh <dh1/dh2/dh5>
      name of the IKE DH Group
    Default: dh2
  conf-variable: IKE DH Group <dh1/dh2/dh5>

  --pfs <nopfs/dh1/dh2/dh5/server>
      Diffie-Hellman group to use for PFS
    Default: server
  conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

  --enable-1des
      enables weak single DES encryption
  conf-variable: Enable Single DES

  --enable-no-encryption
      enables using no encryption for data traffic (key exchange must be encrypted)
  conf-variable: Enable no encryption

  --application-version <ASCII string>
      Application Version to report. Note: Default string is generated at runtime.
    Default: Cisco Systems VPN Client 0.5.3-394:Linux
  conf-variable: Application version <ASCII string>

  --ifname <ASCII string>
      visible name of the TUN/TAP interface
  conf-variable: Interface name <ASCII string>

  --ifmode <tun/tap>
      mode of TUN/TAP interface:
       * tun: virtual point to point interface (default)
       * tap: virtual ethernet interface
    Default: tun
  conf-variable: Interface mode <tun/tap>

  --debug <0/1/2/3/99>
      Show verbose debug messages
       * 0: Do not print debug information.
       * 1: Print minimal debug information.
       * 2: Show state machine and packet/payload type information.
       * 3: Dump everything excluding authentication data.
       * 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
  conf-variable: Debug <0/1/2/3/99>

  --no-detach
      Don't detach from the console after login
  conf-variable: No Detach

  --pid-file <filename>
      store the pid of background process in <filename>
    Default: /var/run/vpnc/pid
  conf-variable: Pidfile <filename>

  --local-addr <ip/hostname>
      local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically assign)
    Default: 0.0.0.0
  conf-variable: Local Addr <ip/hostname>

  --local-port <0-65535>
      local ISAKMP port number to use (0 == use random port)
    Default: 500
  conf-variable: Local Port <0-65535>

  --udp-port <0-65535>
      Local UDP port number to use (0 == use random port).
      This is only relevant if cisco-udp nat-traversal is used.
      This is the _local_ port, the remote udp port is discovered automatically.
      It is especially not the cisco-tcp port.
    Default: 10000
  conf-variable: Cisco UDP Encapsulation Port <0-65535>

  --dpd-idle <0,10-86400>
      Send DPD packet after not receiving anything for <idle> seconds.
      Use 0 to disable DPD completely (both ways).
    Default: 300
  conf-variable: DPD idle timeout (our side) <0,10-86400>

  --non-inter
      Don't ask anything, exit on missing options
  conf-variable: Noninteractive

  --auth-mode <psk/cert/hybrid>
      Authentication mode:
       * psk: pre-shared key (default)
       * cert: server + client certificate (not implemented yet)
       * hybrid: server certificate + xauth (if built with openssl support)
    Default: psk
  conf-variable: IKE Authmode <psk/cert/hybrid>

  --ca-file <filename>
      filename and path to the CA-PEM-File
  conf-variable: CA-File <filename>

  --ca-dir <directory>
      path of the trusted CA-Directory
    Default: /etc/ssl/certs
  conf-variable: CA-Dir <directory>

  --target-network <target network/netmask>
      Target network in dotted decimal or CIDR notation
    Default: 0.0.0.0/0.0.0.0
  conf-variable: IPSEC target network <target network/netmask>

Report bugs to vpnc@unix-ag.uni-kl.de
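
An added example, not part of vpnc or this repository: a small Python linter that flags the risky conf-variables listed above (cleartext or obfuscated credentials, Enable Single DES, Enable no encryption, Debug 99, dh1, nopfs, a non-default Script). It assumes each config line is the conf-variable name followed by its value and that `#` starts a comment; `RULES`, `SAMPLE` and `audit` are hypothetical names.

```python
# Added example: lint a vpnc config for the risky settings in the help text.
# Assumption: each line is "<conf-variable> <value>"; '#' starts a comment.

# (conf-variable name, predicate on the value, finding text)
RULES = [
    ("IPSec secret", lambda v: True, "group password stored in cleartext"),
    ("Xauth password", lambda v: True, "user password stored in cleartext"),
    ("IPSec obfuscated secret", lambda v: True, "group password obfuscated, not encrypted"),
    ("Xauth obfuscated password", lambda v: True, "user password obfuscated, not encrypted"),
    ("Enable Single DES", lambda v: True, "weak single DES allowed"),
    ("Enable no encryption", lambda v: True, "unencrypted data traffic allowed"),
    ("Debug", lambda v: v == "99", "debug level 99 dumps authentication data"),
    ("IKE DH Group", lambda v: v.lower() == "dh1", "dh1 (768-bit MODP group) selected"),
    ("Perfect Forward Secrecy", lambda v: v.lower() == "nopfs", "PFS disabled"),
    ("Script", lambda v: v != "/etc/vpnc/vpnc-script", "non-default script run via system()"),
]

# Constructed sample config, not taken from a real deployment.
SAMPLE = """\
# constructed sample
IPSec gateway vpn.example.test
IPSec ID examplegroup
IPSec secret not-a-real-secret
Xauth username alice
IKE DH Group dh1
Perfect Forward Secrecy server
Enable Single DES
Debug 99
"""

def audit(text):
    """Return (line number, conf-variable, finding); values are never echoed."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        for name, is_risky, msg in RULES:
            rest = line[len(name):]
            # Require a whole-name match: end of line or whitespace after the name.
            if line.lower().startswith(name.lower()) and (not rest or rest[0].isspace()):
                if is_risky(rest.strip()):
                    findings.append((lineno, name, msg))
                break
    return findings

if __name__ == "__main__":
    for lineno, name, msg in audit(SAMPLE):
        print(f"line {lineno}: {name}: {msg}")
```

Findings carry only the line number and variable name, so the report itself can be logged without exposing the secrets it points at.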