updated todo list

[vpnc.git] / vpnc.8

.TH "VPNC" "8" "13 Mai 2004" "Debian" "vpnc"

.SH NAME
vpnc \- client for cisco3000 VPN Concentrator
.SH SYNOPSIS

.B vpnc  [ \-\-gateway 
.I <IP or hostname>
.B ] [ \-\-id
.I <IPSec group Id>
.B ] [ \-\-username
.I <user name>
.B ] [ \-\-script 
.I <command>
.B ] [ \-\-domain
.I <domain name>
.B ] [ \-\-dh
.I <dh1/dh2/dh5>
.B ] [ \-\-pfs
.I <nopfs/dh1/dh2/dh5/server>
.B ] [ \-\-enable-1des 
.B ] [ \-\-application-version 
.I <version string>
.B ] [ \-\-ifname 
.I <interface>
.B ] [ \-\-debug
.I <0/1/2/3/99>
.B ] [ \-\-no-detach 
.B ] [ \-\-pid-file 
.I <filename>
.B ] [ \-\-local-port
.I <0-65535>
.B ] [ \-\-non-inter 
.B ] 


.SH "DESCRIPTION"
.PP
This manual page documents briefly the
\fBvpnc\fR, \fBvpnc\-connect\fR and
\fBvpnc\-disconnect\fR commands.
.PP
\fBvpnc\fR is a 
VPN client for the Cisco 3000 VPN  Concentrator,  creating  a IPSec-like
connection as a tunneling network device for the local system. It uses
the TUN/TAP driver in  Linux  kernel  2.4  and  above  and device tun(4)
on BSD. The created connection is presented as a tunneling network
device to the local system.
.PP
The vpnc daemon by it self does not set any routes, the user (or
the connect script, see below) has to do it on its own, e.g. for a full
tunnel with IP routing under Linux. Further, the user must care about
setting a minimal route to the gateway to not cut the essential
connection.
.PP
However, when connection has been established, vpnc will run a simple
command (see \-\-script) to configure the interface and care about the
route setup. By default, only a simple ifconfig command is executed.
.PP
The command \fBvpnc\-connect\fR is a helper script that will assist on
connection invocation and routing configuration. It can also be used to manage configuration files
for multiple VPN connections. The script can be started by the user or
from the daemon (see \-\-script) when the connection is established. In
the first case, it will simply run the daemon after some environment
checks. When executed by the daemon later, it will create a minimalistic
host route to the gateway and configures the default gateway
configuration of Linux to run over the VPN tunnel.
.PP
The \fBvpnc\-disconnect\fR command is used to terminate
the connection previously created by \fBvpnc\-connect\fR
and restore the previous routing configuration.

.SH CONFIGURATION
The daemon reads configuration data from the following places:
.PD 0
.IP "- command line options"
.IP "- config file(s) specified on the command line"
.IP "- /etc/vpnc/default.conf"
.IP "- /etc/vpnc.conf"
.IP "- prompting the user if not found above"

.PP

The vpnc-connect script expects the 
.B configuration file
as the first parameter. This
can either be an absolute path or the name
of a config file located in 
.B /etc/vpnc/<filename>.conf.
If no config is specified, 
.B vpnc\-connect
will try
to load 
.B /etc/vpnc/default.conf
or as a last resort
.B /etc/vpnc.conf.

.SH OPTIONS
The program options can be either given as argument (but not all of them
for security reasons) or be stored in a configuration file.


.IP "\-\-gateway <ip/hostname>"
IP or host name of your IPSec gateway

.IP "\-\-id <ASCII string>"
 Your group name in <ASCII string>
      
.IP "\-\-username <ASCII string>"
  Your username

.IP "\-\-script <command>"
  The <command> specified here is executed when the connection has been
  established, in order to configure the interface, routing and so on.
  Device name, IP, etc. are passed using enviroment variables, see
  README. This script is executed right after ISAKMP is done, but befor
  tunneling is enabled. Some environment variables are set and can be
  used for the detail configuration. Default command: ifconfig $TUNDEV
  inet $INTERNAL_IP4_ADDRESS pointopoint $INTERNAL_IP4_ADDRESS netmask
  255.255.255.255 mtu 1412 up

.IP "\-\-domain <ASCII string>"
  Domain name for authentication, sometimes needed for authentification
  against Windows NT domains.

.IP "\-\-dh <dh1/dh2/dh5>"
  Name of the IKE DH Group (default: dh2)

.IP "\-\-pfs <nopfs/dh1/dh2/dh5/server>"
  Diffie-Hellman group to use for PFS, one of nopfs, dh1, dh2, dh5 or
  server (default: server).

.IP "\-\-enable\-1des"
 Enables weak Single DES encryption

.IP "\-\-application\-version <ASCII string>"
 Application Version to report to the server when identifying ourself
 (default: Cisco Systems VPN Client <vpnc-version>)

.IP "\-\-ifname <ASCII string>"
 The virtual name of the Linux network interface assigned to the tunnel
 endpoint

.IP "\-\-debug <0/1/2/3/99>"
  Show verbose debug messages with different verbosity levels

.IP "\-\-no\-detach"
 Don't detach from the console (go to background) after login

.IP "\-\-pid\-file <filename>"
 Store the pid of background process in a file

.IP "\-\-local-port <0-65535>"
  Local ISAKMP port number to use (0 == use random port, 500 is default)

.IP "\-\-non-inter"
 Don't ask anything, exit on missing options

.IP "\-\-print\-config"
 Prints your configuration; output can be used as vpnc.conf

.SH FILES
.I /etc/vpnc.conf
.RS
The default configuration file. You can specify the same config
directives as with command line options and additionaly
.B IPSec secret
and
.B Xauth password
both supplying a cleartext password. Scrambled passwords from the Cisco
configuration profiles are not supported.

See
.BR EXAMPLES
for further details.
.RE

.I /etc/vpnc/*.conf
.RS
The vpnc\-connect will read configuration files in this directory when
the config script name (without .conf) is specified on the command line.
.RE


.SH EXAMPLES
This is an example vpnc.conf:

.RS
.PD 0
IPSec gateway vpn.rwth\-aachen.de
.P
IPSec ID MoPS
.P
IPSec secret mopsWLAN
.P
Xauth username abcdef
.P
Xauth password 123456
.PD
.RE

The lines begin with a keyword (no leading spaces!).
The values start exactly one space after the keywords, and run to the end of
line. This lets you put any kind of weird character (except EOL and NUL) in
your strings, but it does mean you can't add comments after a string, or spaces
before them.

See also the
.B \-\-print\-config
option to generate a config file, and the example file in the package
documentation directory where more advanced usage is demonstrated.

Advanced features like manual setting of multiple target routes is
documented in the example files of the vpnc package.

.SH TODO
.PD 0
Re-keying is not implemented yet (default rekey-intervall is 8 hours).
.P
Certificate support (Pre-Shared-Key + XAUTH is known to be insecure).
.P
IPSec over UDP
.PD

.SH AUTHOR
This man-page has been written by Eduard Bloch <blade(at)debian.org> and
Christian Lackas <delta(at)lackas.net>, based on vpnc README by
Maurice Massar <vpnc(at)unix\-ag.uni\-kl.de>.
Permission is
granted to copy, distribute and/or modify this document under
the terms of the GNU General Public License, Version 2 any 
later version published by the Free Software Foundation.
.PP
On Debian systems, the complete text of the GNU General Public
License can be found in /usr/share/common\-licenses/GPL.
.SH "SEE ALSO"
.BR ip (8),
.BR ifconfig (8),
.BR route (1),
.BR http://www.unix\-ag.uni\-kl.de/~massar/vpnc/