summaryrefslogtreecommitdiff
path: root/doc/vpn-config-format.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/vpn-config-format.txt')
-rw-r--r--doc/vpn-config-format.txt215
1 files changed, 0 insertions, 215 deletions
diff --git a/doc/vpn-config-format.txt b/doc/vpn-config-format.txt
deleted file mode 100644
index f3c4569..0000000
--- a/doc/vpn-config-format.txt
+++ /dev/null
@@ -1,215 +0,0 @@
-Connman configuration file format for VPN
-*****************************************
-
-Connman VPN uses configuration files to provision existing providers.
-vpnd will be looking for its configuration files at VPN_STORAGEDIR
-which by default points to /var/lib/connman-vpn. Configuration file names
-must not include other characters than letters or numbers and must have
-a .config suffix. Those configuration files are text files with a simple
-format and we typically have one file per provisioned network.
-
-If the config file is removed, then vpnd tries to remove the
-provisioned service. If individual service entry inside config is removed,
-then the corresponding provisioned service is removed. If service
-entry is changed, then corresponding service is removed and then
-immediately re-provisioned.
-
-
-Global entry [global]
-=====================
-
-These files can have an optional global entry describing the actual file.
-The 2 allowed fields for that entry are:
-- Name: Name of the network.
-- Description: Description of the network.
-
-
-Provider entry [provider_*]
-===========================
-
-Each provisioned provider must start with the [provider_*] tag.
-Replace * with an identifier unique to the config file.
-
-Allowed fields:
-- Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP or PPTP
-
-VPN related parameters (M = mandatory, O = optional):
-- Name: A user defined name for the VPN (M)
-- Host: VPN server IP address (M)
-- Domain: Domain name for the VPN service (M)
-- Networks: The networks behind the VPN link can be defined here. This can
- be missing if all traffic should go via VPN tunnel. If there are more
- than one network, then separate them by comma. Format of the entry
- is network/netmask/gateway. The gateway can be left out. (O)
- Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
- For IPv6 addresses only prefix length is accepted like this 2001:db8::1/64
-
-OpenConnect VPN supports following options (see openconnect(8) for details):
- Option name OpenConnect option Description
- OpenConnect.ServerCert --servercert Accept server's SSL certificate
- only if its fingerprint matches
- this value (SHA1) (M)
- OpenConnect.CACert --cafile Cert file for server
- verification (M)
- VPN.MTU --mtu Request MTU from server as the
- MTU of the tunnel (O)
-
-OpenVPN VPN supports following options (see openvpn(8) for details):
- Option name OpenVPN option Description
- OpenVPN.CACert --ca Certificate authority file (M)
- OpenVPN.Cert --cert Local peer's signed certificate (M)
- OpenVPN.Key --key Local peer's private key (M)
- OpenVPN.MTU --mtu MTU of the tunnel (O)
- OpenVPN.NSCertType --ns-cert-type Peer certificate type, value of
- either server or client (O)
- OpenVPN.Proto --proto Use protocol (O)
- OpenVPN.Port --port TCP/UDP port number (O)
- OpenVPN.AuthUserPass --auth-user-pass Authenticate with server using
- username/password (O)
- OpenVPN.AskPass --askpass Get certificate password from file (O)
- OpenVPN.AuthNoCache --auth-nocache Don't cache --askpass or
- --auth-user-pass value (O)
- OpenVPN.TLSRemote --tls-remote Accept connections only from a host
- with X509 name or common name equal
- to name parameter (O)
- OpenVPN.TLSAuth sub-option of --tls-remote (O)
- OpenVPN.TLSAuthDir sub-option of --tls-remote (O)
- OpenVPN.Cipher --cipher Encrypt packets with cipher algorithm
- given as parameter (O)
- OpenVPN.Auth --auth Authenticate packets with HMAC using
- message digest algorithm alg (O)
- OpenVPN.CompLZO --comp-lzo Use fast LZO compression. Value can
- be "yes", "no", or "adaptive". Default
- is adaptive (O)
- OpenVPN.RemoteCertTls --remote-cert-tls Require that peer certificate was
- signed based on RFC3280 TLS rules.
- Value is "client" or "server" (O)
-
-VPNC VPN supports following options (see vpnc(8) for details):
- Option name VPNC config value Description
- VPNC.IPSec.ID IPSec ID your group username (M)
- VPNC.IPSec.Secret IPSec secret your group password (cleartext) (O)
- VPNC.Xauth.Username Xauth username your username (O)
- VPNC.Xauth.Password Xauth password your password (cleartext) (O)
- VPNC.IKE.Authmode IKE Authmode IKE Authentication mode (O)
- VPNC.IKE.DHGroup IKE DH Group name of the IKE DH Group (O)
- VPNC.PFS Perfect Forward Secrecy Diffie-Hellman group to use for PFS (O)
- VPNC.Domain Domain Domain name for authentication (O)
- VPNC.Vendor Vendor vendor of your IPSec gateway (O)
- VPNC.LocalPort Local Port local ISAKMP port number to use
- VPNC.CiscoPort Cisco UDP Encapsulation Port Local UDP port number to use (O)
- VPNC.AppVersion Application Version Application Version to report (O)
- VPNC.NATTMode NAT Traversal Mode Which NAT-Traversal Method to use (O)
- VPNC.DPDTimeout DPD idle timeout (our side) Send DPD packet after timeout (O)
- VPNC.SingleDES Enable Single DES enables single DES encryption (O)
- VPNC.NoEncryption Enable no encryption enables using no encryption for data traffic (O)
-
-L2TP VPN supports following options (see xl2tpd.conf(5) and pppd(8) for details)
- Option name xl2tpd config value Description
- L2TP.User - L2TP user name, asked from the user
- if not set here (O)
- L2TP.Password - L2TP password, asked from the user
- if not set here (O)
- L2TP.BPS bps Max bandwith to use (O)
- L2TP.TXBPS tx bps Max transmit bandwith to use (O)
- L2TP.RXBPS rx bps Max receive bandwith to use (O)
- L2TP.LengthBit length bit Use length bit (O)
- L2TP.Challenge challenge Use challenge authentication (O)
- L2TP.DefaultRoute defaultroute Default route (O)
- L2TP.FlowBit flow bit Use seq numbers (O)
- L2TP.TunnelRWS tunnel rws Window size (O)
- L2TP.Exclusive exclusive Use only one control channel (O)
- L2TP.Redial redial Redial if disconnected (O)
- L2TP.RedialTimeout redial timeout Redial timeout (O)
- L2TP.MaxRedials max redials How many times to try redial (O)
- L2TP.RequirePAP require pap Need pap (O)
- L2TP.RequireCHAP require chap Need chap (O)
- L2TP.ReqAuth require authentication Need auth (O)
- L2TP.AccessControl access control Accept only these peers (O)
- L2TP.AuthFile auth file Authentication file location (O)
- L2TP.ListenAddr listen-addr Listen address (O)
- L2TP.IPsecSaref ipsec saref Use IPSec SA (O)
- L2TP.Port port What UDP port is used (O)
-
- Option name pppd config value Description
- PPPD.EchoFailure lcp-echo-failure Dead peer check count (O)
- PPPD.EchoInterval lcp-echo-interval Dead peer check interval (O)
- PPPD.Debug debug Debug level (O)
- PPPD.RefuseEAP refuse-eap Deny eap auth (O)
- PPPD.RefusePAP refuse-pap Deny pap auth (O)
- PPPD.RefuseCHAP refuse-chap Deny chap auth (O)
- PPPD.RefuseMSCHAP refuse-mschap Deny mschap auth (O)
- PPPD.RefuseMSCHAP2 refuse-mschapv2 Deny mschapv2 auth (O)
- PPPD.NoBSDComp nobsdcomp Disables BSD compression (O)
- PPPD.NoPcomp nopcomp Disable protocol compression (O)
- PPPD.UseAccomp accomp Disable address/control compression (O)
- PPPD.NoDeflate nodeflate Disable deflate compression (O)
- PPPD.ReqMPPE require-mppe Require the use of MPPE (O)
- PPPD.ReqMPPE40 require-mppe-40 Require the use of MPPE 40 bit (O)
- PPPD.ReqMPPE128 require-mppe-128 Require the use of MPPE 128 bit (O)
- PPPD.ReqMPPEStateful mppe-stateful Allow MPPE to use stateful mode (O)
- PPPD.NoVJ no-vj-comp No Van Jacobson compression (O)
-
-
-PPTP VPN supports following options (see pptp(8) and pppd(8) for details)
- Option name pptp config value Description
- PPTP.User - PPTP user name, asked from the user
- if not set here (O)
- PPTP.Password - PPTP password, asked from the user
- if not set here (O)
-
- Option name pppd config value Description
- PPPD.EchoFailure lcp-echo-failure Dead peer check count (O)
- PPPD.EchoInterval lcp-echo-interval Dead peer check interval (O)
- PPPD.Debug debug Debug level (O)
- PPPD.RefuseEAP refuse-eap Deny eap auth (O)
- PPPD.RefusePAP refuse-pap Deny pap auth (O)
- PPPD.RefuseCHAP refuse-chap Deny chap auth (O)
- PPPD.RefuseMSCHAP refuse-mschap Deny mschap auth (O)
- PPPD.RefuseMSCHAP2 refuse-mschapv2 Deny mschapv2 auth (O)
- PPPD.NoBSDComp nobsdcomp Disables BSD compression (O)
- PPPD.NoDeflate nodeflate Disable deflate compression (O)
- PPPD.RequirMPPE require-mppe Require the use of MPPE (O)
- PPPD.RequirMPPE40 require-mppe-40 Require the use of MPPE 40 bit (O)
- PPPD.RequirMPPE128 require-mppe-128 Require the use of MPPE 128 bit (O)
- PPPD.RequirMPPEStateful mppe-stateful Allow MPPE to use stateful mode (O)
- PPPD.NoVJ no-vj-comp No Van Jacobson compression (O)
-
-
-Example
-=======
-
-This is a configuration file for a VPN providing L2TP, OpenVPN and
-OpenConnect services.
-
-
-example@example:[~]$ cat /var/lib/connman/vpn/example.config
-[global]
-Name = Example
-Description = Example VPN configuration
-
-[provider_l2tp]
-Type = L2TP
-Name = Connection to corporate network
-Host = 1.2.3.4
-Domain = corporate.com
-Networks = 10.10.30.0/24
-L2TP.User = username
-
-[provider_openconnect]
-Type = OpenConnect
-Name = Connection to corporate network using Cisco VPN
-Host = 7.6.5.4
-Domain = corporate.com
-Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
-OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
-OpenConnect.CACert = /etc/certs/certificate.p12
-
-[provider_openvpn]
-Type = OpenVPN
-Name = Connection to corporate network using OpenVPN
-Host = 3.2.5.6
-Domain = my.home.network
-OpenVPN.CACert = /etc/certs/cacert.pem
-OpenVPN.Cert = /etc/certs/cert.pem
-OpenVPN.Key = /etc/certs/cert.key