.\" connman-vpn-provider.config(5) manual page
.\" Copyright (C) 2015 Intel Corporation
.TH "connection_name.config" "5" "2015-10-15" ""
connection_name.config \- ConnMan vpn connection provisioning file
.B @vpn_storagedir@/\fIconnection-name\fB.config
\fIConnMan\fP's vpn connections are configured with so-called
"\fBprovisioning files\fP" which reside under \fI@vpn_storagedir@/\fP.
The files can be named anything, as long as they contain only printable
ASCII characters, for example letters, numbers and underscores. The file
name must end with \fB.config\fP. Each VPN connection requires a provisioning
file, but multiple connections can be specified in the same file.
The configuration file format is key file format.
It consists of sections (groups) of key-value pairs.
Lines beginning with a '#' and blank lines are considered comments.
Sections are started by a header line containing the section enclosed
in '[' and ']', and ended implicitly by the start of the next section
or the end of the file. Each key-value pair must be contained in a section.
Description of sections and available keys follows:
This section is optional, and can be used to describe the actual file. The
two allowed fields for this section are:
.BI Description= description
Description of the network.
Each provisioned connection must start with a [provider_*] tag,
with * replaced by a unique name within the file.
The following fields are mandatory:
.B Type=OpenConnect \fR|\fB OpenVPN \fR|\fB VPNC \fR|\fB L2TP \fR|\fB PPTP
Specifies the VPN type.
VPN server IP address.
Domain name for the VPN service.
The following field is optional:
.BI Networks= network / netmask / gateway [,...]
Networks behind the VPN. If all traffic should go through the VPN, this
field can be left out. The gateway can be left out. For IPv6 addresses,
only the prefix length is accepted as the netmask.
The following keys can be used for \fBopenconnect\fP(8) networks:
.BI OpenConnect.ServerCert= cert
SHA1 fingerprint of the VPN server's certificate.
.BI OpenConnect.CACert= cert
File containing additional CA certificates in addition to the system
trusted certificate authorities.
.BI OpenConnect.ClientCert= cert
Client certificate, if needed by web authentication.
.BI OpenConnect.MTU= mtu
Request \fImtu\fP from the server as the MTU of the tunnel.
.BI OpenConnect.Cookie= cookie
The resulting cookie of the authentication process. As the cookie lifetime
can be very limited, it does not usually make sense to add it into the
.BI OpenConnect.VPNHost= host
The final VPN server to use after completing the web authentication. Only
usable for extremely simple VPN configurations and should normally be set
only via the VPN Agent API.
If \fBOpenConnect.Cookie\fP, \fBOpenConnect.VPNHost\fP or
\fBOpenConnect.ServerCert\fP are missing, the VPN Agent will be contacted
to supply the information.
The following keys are mandatory for \fBopenvpn\fP(8) networks:
.BI OpenVPN.CACert= cert
Certificate authority file.
.BI OpenVPN.Cert= cert
Local peer's signed certificate.
Local peer's private key.
The following keys are optional for \fBopenvpn\fP(8) networks:
.B OpenVPN.NSCertType=client \fR|\fB server
Peer certificate type, either \fBclient\fP or \fBserver\fP.
.BI OpenVPN.Protocol= protocol
.BI OpenVPN.Port= port
.B OpenVPN.AuthUserPass=true \fR|\fB false
Authenticate on the server using username/password.
.BI OpenVPN.AskPass= file
Get certificate password from \fIfile\fP.
.B OpenVPN.AuthNoCache=true \fR|\fB false
Don't cache AskPass or AuthUserPass value.
.BI OpenVPN.TLSRemote= name
Accept connections only from a host with X509 name or common
name equal to \fIname\fP.
.BI OpenVPN.TLSAuth= file
Use \fIfile\fP for HMAC authentication.
.BI OpenVPN.TLSAuthDir= direction
Use \fIdirection\fP for HMAC authentication direction.
.BI OpenVPN.Cipher= cipher
Use \fIcipher\fP as the cipher.
.B OpenVPN.Auth=true \fR|\fB false
Use HMAC authentication.
.B OpenVPN.CompLZO=yes \fR|\fB no \fR|\fB adaptive
Use fast LZO compression.
.B OpenVPN.RemoteCertTls=client \fR|\fB server
Require that remote certificate is signed based on RFC3280 TLS rules.
.BI OpenVPN.ConfigFile= file
OpenVPN config file for extra options not supported by the OpenVPN plugin.
.BI OpenVPN.DeviceType= tun \fR|\fB tap
Whether the VPN should use a tun (OSI layer 3) or tap (OSI layer 2) device.
Defaults to tun if omitted.
The following key is mandatory for \fBvpnc\fP(8) networks:
.BI VPNC.IPSec.ID= id
The following keys are optional for \fBvpnc\fP(8) networks:
.BI VPNC.IPSec.Secret= secret
.BI VPNC.XAuth.Username= username
.BI VPNC.XAuth.Password= password
.BI VPNC.IKE.Authmode= mode
IKE authentication mode.
.BI VPNC.IKE.DHGroup= group
Diffie-Hellman group for perfect forward secrecy.
.BI VPNC.Domain= domain
Domain name for authentication.
.BI VPNC.Vendor= vendor
Vendor of the IPSec gateway.
.BI VPNC.LocalPort= port
Local ISAKMP port number to use.
.BI VPNC.CiscoPort= port
Cisco UDP Encapsulation Port.
.BI VPNC.AppVersion= version
Application version to report.
.BI VPNC.NATTMode= mode
NAT-Traversal Method to use.
.BI VPNC.DPDTimeout= timeout
.B VPNC.SingleDES=true \fR|\fB false
Enable single DES encryption.
.B VPNC.NoEncryption=true \fR|\fB false
Enable usage of no encryption for data traffic.
.BI VPNC.DeviceType= tun \fR|\fB tap
Whether the VPN should use a tun (OSI layer 3) or tap (OSI layer 2) device.
Defaults to tun if omitted.
The following keys are optional for l2tp (\fBxl2tp.conf\fP(5), \fBpppd\fP(8))
.BI L2TP.Password= password
Max bandwidth to use.
Max transmit bandwidth to use.
Max receive bandwidth to use.
.B L2TP.LengthBit=yes \fR|\fB no
.B L2TP.Challenge=yes \fR|\fB no
Use challenge authentication.
.BI L2TP.DefaultRoute= route
Add \fIroute\fP to the routing tables.
.B L2TP.FlowBit=yes \fR|\fB no
.BI L2TP.TunnelRWS= size
.B L2TP.Exclusive=yes \fR|\fB no
Use only one control channel.
.B L2TP.Redial=yes \fR|\fB no
Redial if disconnected.
.BI L2TP.RedialTimeout= timeout
.BI L2TP.MaxRedials= count
Maximum amount of redial tries.
.B L2TP.RequirePAP=yes \fR|\fB no
.B L2TP.RequireCHAP=yes \fR|\fB no
.B L2TP.ReqAuth=yes \fR|\fB no
Require authentication.
.B L2TP.AccessControl=yes \fR|\fB no
.BI L2TP.AuthFile= file
Authentication file location.
.BI L2TP.ListenAddr= address
.B L2TP.IPSecSaref=yes \fR|\fB no
.BI PPPD.EchoFailure= count
Dead peer check count.
.BI PPPD.EchoInterval= interval
Dead peer check interval.
.BI PPPD.Debug= level
.B PPPD.RefuseEAP=true \fR|\fB false
Refuse EAP authentication.
.B PPPD.RefusePAP=true \fR|\fB false
Refuse PAP authentication.
.B PPPD.RefuseCHAP=true \fR|\fB false
Refuse CHAP authentication.
.B PPPD.RefuseMSCHAP=true \fR|\fB false
Refuse MSCHAP authentication.
.B PPPD.RefuseMSCHAP2=true \fR|\fB false
Refuse MSCHAPv2 authentication.
.B PPPD.NoBSDComp=true \fR|\fB false
Disable BSD compression.
.B PPPD.NoPcomp=true \fR|\fB false
Disable protocol compression.
.B PPPD.UseAccomp=true \fR|\fB false
Disable Access/Control compression.
.B PPPD.NoDeflate=true \fR|\fB false
Disable deflate compression.
.B PPPD.ReqMPPE=true \fR|\fB false
Require the use of MPPE.
.B PPPD.ReqMPPE40=true \fR|\fB false
Require the use of MPPE 40 bit.
.B PPPD.ReqMPPE128=true \fR|\fB false
Require the use of MPPE 128 bit.
.B PPPD.ReqMPPEStateful=true \fR|\fB false
Allow MPPE to use stateful mode.
.B PPPD.NoVJ=true \fR|\fB false
No Van Jacobson compression.
The following keys are optional for \fBpptp\fP(8) (see also \fBpppd\fP(8))
.BI PPTP.User= username
.BI PPTP.Password= password
.BI PPPD.EchoFailure= count
Dead peer check count.
.BI PPPD.EchoInterval= interval
Dead peer check interval.
.BI PPPD.Debug= level
.B PPPD.RefuseEAP=true \fR|\fB false
Refuse EAP authentication.
.B PPPD.RefusePAP=true \fR|\fB false
Refuse PAP authentication.
.B PPPD.RefuseCHAP=true \fR|\fB false
Refuse CHAP authentication.
.B PPPD.RefuseMSCHAP=true \fR|\fB false
Refuse MSCHAP authentication.
.B PPPD.RefuseMSCHAP2=true \fR|\fB false
Refuse MSCHAPv2 authentication.
.B PPPD.NoBSDComp=true \fR|\fB false
Disable BSD compression.
.B PPPD.NoPcomp=true \fR|\fB false
Disable protocol compression.
.B PPPD.UseAccomp=true \fR|\fB false
Disable Access/Control compression.
.B PPPD.NoDeflate=true \fR|\fB false
Disable deflate compression.
.B PPPD.ReqMPPE=true \fR|\fB false
Require the use of MPPE.
.B PPPD.ReqMPPE40=true \fR|\fB false
Require the use of MPPE 40 bit.
.B PPPD.ReqMPPE128=true \fR|\fB false
Require the use of MPPE 128 bit.
.B PPPD.ReqMPPEStateful=true \fR|\fB false
Allow MPPE to use stateful mode.
.B PPPD.NoVJ=true \fR|\fB false
No Van Jacobson compression.
This is a configuration file for a VPN providing L2TP, OpenVPN and
OpenConnect services. It could, for example, be in the file
.B @vpn_storagedir@/example.config\fR.
Description = Example VPN configuration
Name = Connection to corporate network
Domain = corporate.com
Networks = 10.10.30.0/24
[provider_openconnect]
Name = Connection to corporate network using Cisco VPN
Domain = corporate.com
Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
OpenConnect.CACert = /etc/certs/certificate.p12
Name = Connection to corporate network using OpenVPN
Domain = my.home.network
OpenVPN.CACert = /etc/certs/cacert.pem
OpenVPN.Cert = /etc/certs/cert.pem
OpenVPN.Key = /etc/certs/cert.key
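A defensive lint for the provisioning files described above, as an added example that is not part of ConnMan or of this manual page. It checks each [provider_*] section for the mandatory keys, for credentials stored in cleartext, for VPNC.SingleDES or VPNC.NoEncryption set to true, and for an OpenVPN profile that sets neither OpenVPN.RemoteCertTls nor OpenVPN.TLSRemote. Assumptions: the function name lint_provisioning and the selection of checks are illustrative, Host is taken as the key that carries the VPN server address, and Python's configparser stands in for the key file parser.

```python
import configparser

# Keys from this page: cleartext credentials, then encryption-weakening flags.
SECRETS = {"vpnc.ipsec.secret", "vpnc.xauth.password", "l2tp.password",
           "pptp.password", "openconnect.cookie"}
WEAKENING = {"vpnc.singledes", "vpnc.noencryption"}
# Type-specific mandatory keys, as listed on this page.
MANDATORY = {"openvpn": ["OpenVPN.CACert", "OpenVPN.Cert", "OpenVPN.Key"],
             "vpnc": ["VPNC.IPSec.ID"]}

def lint_provisioning(text):
    """Return (section, finding) pairs for every [provider_*] section."""
    cp = configparser.ConfigParser(delimiters=("=",), comment_prefixes=("#",),
                                   interpolation=None, strict=False)
    cp.read_string(text)
    out = []
    for name in cp.sections():
        if not name.startswith("provider_"):
            continue  # [global] only describes the file
        sec = cp[name]
        vpn = sec.get("Type", "").lower()
        for key in ["Type", "Host", "Domain"] + MANDATORY.get(vpn, []):
            if key not in sec:
                out.append((name, f"missing mandatory key {key}"))
        for key in sec:  # configparser lower-cases option names
            if key in SECRETS:
                out.append((name, f"cleartext secret in {key}"))
            if key in WEAKENING and sec[key].lower() == "true":
                out.append((name, f"{key} weakens encryption"))
        pinned = ("OpenVPN.RemoteCertTls", "OpenVPN.TLSRemote")
        if vpn == "openvpn" and not any(k in sec for k in pinned):
            out.append((name, "server certificate role/name not checked"))
    return out

# Constructed sample input (not from the page).
SAMPLE = """\
[global]
[provider_a]
Type = VPNC
Host = 192.0.2.10
Domain = example.test
VPNC.XAuth.Password = example-password
VPNC.SingleDES = true
[provider_b]
Type = OpenVPN
Host = 192.0.2.11
OpenVPN.CACert = /etc/certs/cacert.pem
"""
print(*lint_provisioning(SAMPLE), sep="\n")
```

A file that carries any of the flagged secret keys should be readable only by the account that runs the VPN daemon.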
.BR connmanctl (1),\ connman (8),\ connman-vpn (8)