
FreeBSD Manual Pages


VPNC(8)			System Administration Utilities		       VPNC(8)

NAME
       vpnc - client for Cisco VPN3000 Concentrator, IOS and PIX

SYNOPSIS
       vpnc [--version] [--print-config] [--help] [--long-help] [options]
       [config files]

DESCRIPTION
       This manual page documents briefly the vpnc and vpnc-disconnect commands.

       vpnc is a VPN client for the Cisco 3000 VPN Concentrator. It creates an
       IPsec-like connection that is presented to the local system as a
       tunneling network device, using the TUN/TAP driver in Linux kernel 2.4
       and above and the tun(4) device on BSD.

       OBLIGATORY WARNING: the most used configuration (XAUTH authentication
       with pre-shared keys and password authentication) is insecure by
       design: the group pre-shared key is shared by every user of the group,
       so anyone who knows it can impersonate the gateway and capture the
       XAUTH username and password. Be aware of this fact when you use vpnc
       to exchange sensitive data like passwords!

       The vpnc daemon by itself does not set any routes, but it calls
       vpnc-script to do this job. vpnc-script displays a connect banner. If
       the concentrator supplies a network list for split-tunneling, these
       networks are added to the routing table. Otherwise the default route
       is modified to point to the tunnel, and in that case a host route to
       the concentrator is added so that the tunnel's own traffic is not sent
       into the tunnel. If the client host needs DHCP, care must be taken to
       add another host route to the DHCP server that bypasses the tunnel.

       The  vpnc-disconnect command is used to terminate the connection	previ-
       ously created by	vpnc and restore the previous routing configuration.

CONFIGURATION
       The daemon reads configuration data from the following places:
       o      command line options
       o      config file(s) specified on the command line
       o      /usr/local/etc/vpnc/default.conf
       o      /usr/local/etc/vpnc.conf
       o      prompting	the user if not	found above

       vpnc can parse options and configuration files in any order. However,
       the first place to set an option wins. Configuration filenames which
       do not contain a / will be searched at /usr/local/etc/vpnc/<filename>
       and /usr/local/etc/vpnc/<filename>.conf. Otherwise <filename> and
       <filename>.conf will be used. If no configuration file is specified on
       the command line at all, both /usr/local/etc/vpnc/default.conf and
       /usr/local/etc/vpnc.conf will be loaded.

OPTIONS
       The program options can be either given as arguments or be stored in a
       configuration file. The secrets (IPSec secret and Xauth password, in
       cleartext or obfuscated form) can only be set in a configuration file,
       because command-line arguments are visible to every user on the system
       via ps(1).

       --gateway _ip/hostname_
	      IP/name of your IPSec gateway
       conf-variable: IPSec gateway _ip/hostname_

       --id _ASCII string_
	      your group name
       conf-variable: IPSec ID _ASCII string_

       (configfile only	option)
	      your group password (cleartext)
       conf-variable: IPSec secret _ASCII string_

       (configfile only	option)
	      your group password (obfuscated)
       conf-variable: IPSec obfuscated secret _hex string_

       --username _ASCII string_
	      your username
       conf-variable: Xauth username _ASCII string_

       (configfile only	option)
	      your password (cleartext)
       conf-variable: Xauth password _ASCII string_

       (configfile only	option)
	      your password (obfuscated)
       conf-variable: Xauth obfuscated password	_hex string_

       --domain	_ASCII string_
	      (NT-) Domain name	for authentication
       conf-variable: Domain _ASCII string_

	      enable interactive extended authentication (for challenge-
	      response authentication)
       conf-variable: Xauth interactive

       --vendor	_cisco/netscreen_
	      vendor of	your IPSec gateway
	      Default: cisco
       conf-variable: Vendor _cisco/netscreen_

       --natt-mode _natt/none/force-natt/cisco-udp_
	      Which NAT-Traversal Method to use:
	      o	     natt -- NAT-T as defined in RFC3947
	      o	     none -- disable use of any	NAT-T method
	      o	     force-natt	-- always use NAT-T encapsulation even without
		     presence  of  a NAT device	(useful	if the OS captures all
		     ESP traffic)
	      o	     cisco-udp -- Cisco	proprietary  UDP  encapsulation,  com-
		     monly over	Port 10000
	      Note: cisco-tcp encapsulation is not yet supported
	      Default: natt
       conf-variable: NAT Traversal Mode _natt/none/force-natt/cisco-udp_

       --script	_command_
	      command is executed using system() to configure the interface,
	      routing and so on. Device name, IP, etc. are passed using
	      environment variables, see README. This script is executed right
	      after ISAKMP is done, but before tunneling is enabled. It is
	      called when vpnc terminates, too.
	      Default: /usr/local/sbin/vpnc-script
       conf-variable: Script _command_

       --dh _dh1/dh2/dh5_
	      name of the IKE DH Group. dh1 is the 768-bit MODP group and
	      should be avoided; dh5 (1536-bit) is the strongest group this
	      client offers.
	      Default: dh2
       conf-variable: IKE DH Group _dh1/dh2/dh5_

       --pfs _nopfs/dh1/dh2/dh5/server_
	      Diffie-Hellman group to use for PFS. nopfs disables perfect
	      forward secrecy, so a later compromise of the IKE keys exposes
	      previously captured traffic.
	      Default: server
       conf-variable: Perfect Forward Secrecy _nopfs/dh1/dh2/dh5/server_

	      enables weak single DES encryption (56-bit key, brute-forceable
	      with modest resources; avoid unless the gateway offers nothing
	      else)
       conf-variable: Enable Single DES

	      enables using no encryption for data traffic (the key exchange
	      itself must still be encrypted); the tunnel then provides no
	      confidentiality for the traffic it carries
       conf-variable: Enable no	encryption

       --application-version _ASCII string_
	      Application Version to report. Note: Default string is generated
	      at runtime.
	      Default: Cisco Systems VPN Client	0.5.3:FreeBSD
       conf-variable: Application version _ASCII string_

       --ifname	_ASCII string_
	      visible name of the TUN/TAP interface
       conf-variable: Interface	name _ASCII string_

       --ifmode	_tun/tap_
	      mode of TUN/TAP interface:
	      o	     tun: virtual point	to point interface (default)
	      o	     tap: virtual ethernet interface
	      Default: tun
       conf-variable: Interface	mode _tun/tap_

       --debug _0/1/2/3/99_
	      Show verbose debug messages
	      o	     0: Do not print debug information.
	      o	     1: Print minimal debug information.
	      o	     2: Show statemachine and packet/payload type information.
	      o	     3: Dump everything excluding authentication data.
	      o	     99: Dump everything INCLUDING AUTHENTICATION data (e.g.
	      Treat level 99 output as sensitive as the credentials themselves
	      and redact it before sharing or storing it.
       conf-variable: Debug _0/1/2/3/99_

	      Don't detach from	the console after login
       conf-variable: No Detach

       --pid-file _filename_
	      store the	pid of background process in <filename>
	      Default: /var/run/vpnc/pid
       conf-variable: Pidfile _filename_

       --local-addr _ip/hostname_
	      local IP to use for ISAKMP / ESP / ... ( == automatically
       conf-variable: Local Addr _ip/hostname_

       --local-port _0-65535_
	      local ISAKMP port	number to use (0 == use	random port)
	      Default: 500
       conf-variable: Local Port _0-65535_

       --udp-port _0-65535_
	      Local UDP port number to use (0 == use random port). This is
	      only relevant if cisco-udp NAT traversal is used. This is the
	      _local_ port; the remote UDP port is discovered automatically.
	      In particular, it is not the cisco-tcp port.
	      Default: 10000
       conf-variable: Cisco UDP	Encapsulation Port _0-65535_

       --dpd-idle _0,10-86400_
	      Send DPD packet after not	receiving anything for <idle> seconds.
	      Use 0 to disable DPD completely (both ways).
	      Default: 300
       conf-variable: DPD idle timeout (our side) _0,10-86400_

	      Don't ask	anything, exit on missing options
       conf-variable: Noninteractive

       --auth-mode _psk/cert/hybrid_
	      Authentication mode:
	      o	     psk:    pre-shared key (default)
	      o	     cert:   server + client certificate (not implemented yet)
	      o	     hybrid: server certificate + xauth (if built with openssl
		     support)
	      Default: psk
       conf-variable: IKE Authmode _psk/cert/hybrid_

       --ca-file _filename_
	      filename and path	to the CA-PEM-File
       conf-variable: CA-File _filename_

       --ca-dir	_directory_
	      path of the trusted CA-Directory
	      Default: /etc/ssl/certs
       conf-variable: CA-Dir _directory_

       --target-network	_target	network/netmask_
	      Target network in	dotted decimal or CIDR notation
       conf-variable: IPSEC target network _target network/netmask_

       --print-config
	      Prints your configuration; output can be used as vpnc.conf.

FILES
       /usr/local/etc/vpnc.conf	/usr/local/etc/vpnc/default.conf
	      The default configuration file. You can specify the same config
	      directives as with command line options and additionally IPSec
	      secret and Xauth password, both supplying a cleartext password.
	      Scrambled passwords from the Cisco configuration profiles can be
	      used with IPSec obfuscated secret and Xauth obfuscated password.
	      Note that this is obfuscation, not encryption (see
	      cisco-decrypt(1)), so the file must still be protected with
	      restrictive permissions.

	      See EXAMPLES for further details.

       /usr/local/etc/vpnc/
	      vpnc will read configuration files in this directory when the
	      config filename (with or without .conf) is specified on the
	      command line without a / in it.

EXAMPLES
       This is an example vpnc.conf with pre-shared keys:

	      IPSec gateway
	      IPSec ID ExampleVpnPSK
	      IKE Authmode psk
	      IPSec secret PskS3cret!
	      Xauth username
	      Xauth password USecr3t

       And  another  one  with	hybrid	authentication (requires that vpnc was
       built with openssl support):

	      IPSec gateway
	      IPSec ID ExampleVpnHybrid
	      IKE Authmode hybrid
	      CA-Dir /usr/local/etc/vpnc
	      CA-File /usr/local/etc/vpnc/vpn-example-com.pem
	      IPSec secret HybS3cret?
	      Xauth username
	      Xauth password 123456

       The lines begin with a keyword (no leading spaces!).  The values	 start
       exactly	one space after	the keywords, and run to the end of line. This
       lets you	put any	kind of	weird character	(except	CR,  LF	 and  NUL)  in
       your  strings,  but it does mean	you can't add comments after a string,
       or spaces before	them.
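       The following is an added example, not part of this man page or of the
       vpnc project: a small Python parser that applies the format rules just
       described (keyword at column 0, value starting exactly one space after
       the keyword and running to the end of the line) together with the
       first-wins merge order from CONFIGURATION, then flags the settings this
       page marks as weak (group PSK + XAUTH, cleartext or merely obfuscated
       secrets, single DES, no encryption, Debug 99, dh1, nopfs). Keyword names
       are the conf-variables listed above; the sample configuration, its
       hostname and username are constructed for the example. Skipping blank
       lines is an assumption, as the page does not say how vpnc treats them.

```python
"""Parse vpnc.conf-style files as vpnc(8) describes them, merge sources with
first-wins semantics, and flag insecure settings.
Added example for this page, not code from the vpnc project."""
import os
from typing import Dict, List

# conf-variable names as listed on the man page. Some contain spaces, so a
# line is matched against the longest keyword first.
KEYWORDS = [
    "IPSec gateway", "IPSec ID", "IPSec secret", "IPSec obfuscated secret",
    "Xauth username", "Xauth password", "Xauth obfuscated password", "Domain",
    "Xauth interactive", "Vendor", "NAT Traversal Mode", "Script",
    "IKE DH Group", "Perfect Forward Secrecy", "Enable Single DES",
    "Enable no encryption", "Application version", "Interface name",
    "Interface mode", "Debug", "No Detach", "Pidfile", "Local Addr",
    "Local Port", "Cisco UDP Encapsulation Port", "DPD idle timeout (our side)",
    "Noninteractive", "IKE Authmode", "CA-File", "CA-Dir", "IPSEC target network",
]
# Switches that take no value at all.
FLAG_KEYWORDS = {"Xauth interactive", "Enable Single DES", "Enable no encryption",
                 "No Detach", "Noninteractive"}
_BY_LENGTH = sorted(KEYWORDS, key=len, reverse=True)


def parse_vpnc_conf(text: str) -> Dict[str, str]:
    """Return {keyword: value} for one file, using the man page's rules:
    keyword at column 0, value begins exactly one space after it and runs to
    end of line ('#' and trailing spaces belong to the value). Within a file
    the first setting of a keyword wins. Unknown lines are rejected."""
    conf: Dict[str, str] = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if line == "":  # assumption: blank lines are ignored
            continue
        for kw in _BY_LENGTH:
            if kw in FLAG_KEYWORDS:
                if line == kw:
                    conf.setdefault(kw, "")
                    break
            elif line.startswith(kw + " "):
                conf.setdefault(kw, line[len(kw) + 1:])
                break
        else:
            raise ValueError(f"line {lineno}: not a vpnc.conf directive: {line!r}")
    return conf


def candidate_paths(name: str, confdir: str = "/usr/local/etc/vpnc") -> List[str]:
    """Locations vpnc consults for a config name given on the command line:
    names without a '/' are looked up under confdir, with and without .conf."""
    if "/" in name:
        return [name, name + ".conf"]
    return [os.path.join(confdir, name), os.path.join(confdir, name + ".conf")]


def merge_sources(sources: List[Dict[str, str]]) -> Dict[str, str]:
    """Combine parsed sources in priority order (command line first, then the
    files in the order given, then default.conf and vpnc.conf); the first
    source that sets a keyword wins."""
    merged: Dict[str, str] = {}
    for src in sources:
        for key, value in src.items():
            merged.setdefault(key, value)
    return merged


def audit(conf: Dict[str, str]) -> List[str]:
    """Warnings for the settings the man page calls weak or insecure."""
    w: List[str] = []
    if conf.get("IKE Authmode", "psk") == "psk":
        w.append("IKE Authmode psk (the default): group PSK + XAUTH is insecure by design")
    for kw in ("IPSec secret", "Xauth password"):
        if kw in conf:
            w.append(f"{kw}: cleartext credential stored in the config file")
    for kw in ("IPSec obfuscated secret", "Xauth obfuscated password"):
        if kw in conf:
            w.append(f"{kw}: obfuscated, not encrypted; cisco-decrypt(1) recovers it")
    if "Enable Single DES" in conf:
        w.append("Enable Single DES: 56-bit DES is brute-forceable")
    if "Enable no encryption" in conf:
        w.append("Enable no encryption: data traffic is sent in the clear")
    if conf.get("Debug") == "99":
        w.append("Debug 99: log output includes authentication data")
    if conf.get("IKE DH Group") == "dh1":
        w.append("IKE DH Group dh1: 768-bit MODP group is too weak")
    if conf.get("Perfect Forward Secrecy") == "nopfs":
        w.append("Perfect Forward Secrecy nopfs: data keys have no forward secrecy")
    return w


# Constructed sample; hostname and username are made up for this example.
# The '#' is part of the password, and the second Debug line is ignored.
SAMPLE_CONF = (
    "IPSec gateway vpn.example.com\n"
    "IPSec ID ExampleVpnPSK\n"
    "IKE Authmode psk\n"
    "IPSec secret PskS3cret!\n"
    "Xauth username alice\n"
    "Xauth password USecr3t # not a comment\n"
    "Enable Single DES\n"
    "Debug 99\n"
    "Debug 0\n"
)

if __name__ == "__main__":
    for warning in audit(parse_vpnc_conf(SAMPLE_CONF)):
        print("WARNING:", warning)
```

       Run against a real file with parse_vpnc_conf(open(path).read());
       because values run to end of line, a trailing comment or space in a
       password line silently becomes part of the password, which is the
       usual cause of an otherwise inexplicable authentication failure.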

       In case the CA-Dir option is used, your certificate needs to be named
       something like 722d15bd.X, where X is a manually assigned number
       (conventionally starting at 0) to make sure that files with colliding
       hashes have different names. The hash part of the name is derived from
       the certificate file itself:

       openssl	x509 -subject_hash -noout -in /usr/local/etc/vpnc/vpn-example-

       See also	the --print-config option to generate a	config file,  and  the
       example file in the package documentation directory where more advanced
       usage is	demonstrated.

       Advanced features like manual setting of multiple target routes and
       disabling /etc/resolv.conf rewriting are documented in the README of
       the vpnc package.

TODO
       Certificate support (Pre-Shared-Key + XAUTH is known to be insecure).
       Further points can be found in the TODO file.

AUTHOR
       This man-page has been written by Eduard Bloch <blade(at)>
       and Christian Lackas <delta(at)>, based on vpnc README by
       Maurice Massar <vpnc(at)>. Permission is granted to
       copy, distribute and/or modify this document under the terms of the GNU
       General Public License, Version 2 or any later version published by the
       Free Software Foundation.

       On  Debian systems, the complete	text of	the GNU	General	Public License
       can be found in /usr/share/common-licenses/GPL.

SEE ALSO
       pcf2vpnc(1), cisco-decrypt(1), ip(8), ifconfig(8), route(1),

vpnc version 0.5.3		  August 2021			       VPNC(8)

