Usage: vpnc [--version] [--print-config] [--help] [--long-help] [options] [config files]

Options:
  --gateway <ip/hostname>
      IP/name of your IPSec gateway
  conf-variable: IPSec gateway <ip/hostname>

  --id <ASCII string>
      your group name
  conf-variable: IPSec ID <ASCII string>

  (configfile only option) 
      your group password (cleartext)
  conf-variable: IPSec secret <ASCII string>

  (configfile only option) 
      your group password (obfuscated)
  conf-variable: IPSec obfuscated secret <hex string>

  --username <ASCII string>
      your username
  conf-variable: Xauth username <ASCII string>

  (configfile only option) 
      your password (cleartext)
  conf-variable: Xauth password <ASCII string>

  (configfile only option) 
      your password (obfuscated)
  conf-variable: Xauth obfuscated password <hex string>

  --domain <ASCII string>
      (NT-) Domain name for authentication
  conf-variable: Domain <ASCII string>

  --xauth-inter 
      enable interactive extended authentication (for challenge response auth)
  conf-variable: Xauth interactive

  --vendor <cisco/netscreen>
      vendor of your IPSec gateway
    Default: cisco
  conf-variable: Vendor <cisco/netscreen>

  --natt-mode <natt/none/force-natt/cisco-udp>
      Which NAT-Traversal Method to use:
       * natt -- NAT-T as defined in RFC3947
       * none -- disable use of any NAT-T method
       * force-natt -- always use NAT-T encapsulation even
                       without presence of a NAT device
                       (useful if the OS captures all ESP traffic)
       * cisco-udp -- Cisco proprietary UDP encapsulation, commonly over Port 10000
      Note: cisco-tcp encapsulation is not yet supported
    Default: natt
  conf-variable: NAT Traversal Mode <natt/none/force-natt/cisco-udp>

  --script <command>
      command is executed using system() to configure the interface,
      routing and so on. Device name, IP, etc. are passed using enviroment
      variables, see README. This script is executed right after ISAKMP is
      done, but before tunneling is enabled. It is called when vpnc
      terminates, too
    Default: /etc/vpnc/vpnc-script
  conf-variable: Script <command>

  --dh <dh1/dh2/dh5>
      name of the IKE DH Group
    Default: dh2
  conf-variable: IKE DH Group <dh1/dh2/dh5>

  --pfs <nopfs/dh1/dh2/dh5/server>
      Diffie-Hellman group to use for PFS
    Default: server
  conf-variable: Perfect Forward Secrecy <nopfs/dh1/dh2/dh5/server>

  --enable-1des 
      enables weak single DES encryption
  conf-variable: Enable Single DES

  --enable-no-encryption 
      enables using no encryption for data traffic (key exchanged must be encrypted)
  conf-variable: Enable no encryption

  --application-version <ASCII string>
      Application Version to report. Note: Default string is generated at runtime.
    Default: Cisco Systems VPN Client 0.5.3-394:Linux
  conf-variable: Application version <ASCII string>

  --ifname <ASCII string>
      visible name of the TUN/TAP interface
  conf-variable: Interface name <ASCII string>

  --ifmode <tun/tap>
      mode of TUN/TAP interface:
       * tun: virtual point to point interface (default)
       * tap: virtual ethernet interface
    Default: tun
  conf-variable: Interface mode <tun/tap>

  --debug <0/1/2/3/99>
      Show verbose debug messages
       *  0: Do not print debug information.
       *  1: Print minimal debug information.
       *  2: Show statemachine and packet/payload type information.
       *  3: Dump everything exluding authentication data.
       * 99: Dump everything INCLUDING AUTHENTICATION data (e.g. PASSWORDS).
  conf-variable: Debug <0/1/2/3/99>

  --no-detach 
      Don't detach from the console after login
  conf-variable: No Detach

  --pid-file <filename>
      store the pid of background process in <filename>
    Default: /var/run/vpnc/pid
  conf-variable: Pidfile <filename>

  --local-addr <ip/hostname>
      local IP to use for ISAKMP / ESP / ... (0.0.0.0 == automatically assign)
    Default: 0.0.0.0
  conf-variable: Local Addr <ip/hostname>

  --local-port <0-65535>
      local ISAKMP port number to use (0 == use random port)
    Default: 500
  conf-variable: Local Port <0-65535>

  --udp-port <0-65535>
      Local UDP port number to use (0 == use random port).
      This is only relevant if cisco-udp nat-traversal is used.
      This is the _local_ port, the remote udp port is discovered automatically.
      It is especially not the cisco-tcp port.
    Default: 10000
  conf-variable: Cisco UDP Encapsulation Port <0-65535>

  --dpd-idle <0,10-86400>
      Send DPD packet after not receiving anything for <idle> seconds.
      Use 0 to disable DPD completely (both ways).
    Default: 300
  conf-variable: DPD idle timeout (our side) <0,10-86400>

  --non-inter 
      Don't ask anything, exit on missing options
  conf-variable: Noninteractive

  --auth-mode <psk/cert/hybrid>
      Authentication mode:
       * psk:    pre-shared key (default)
       * cert:   server + client certificate (not implemented yet)
       * hybrid: server certificate + xauth (if built with openssl support)
    Default: psk
  conf-variable: IKE Authmode <psk/cert/hybrid>

  --ca-file <filename>
      filename and path to the CA-PEM-File
  conf-variable: CA-File <filename>

  --ca-dir <directory>
      path of the trusted CA-Directory
    Default: /etc/ssl/certs
  conf-variable: CA-Dir <directory>

  --target-network <target network/netmask>
      Target network in dotted decimal or CIDR notation
    Default: 0.0.0.0/0.0.0.0
  conf-variable: IPSEC target network <target network/netmask>

Report bugs to vpnc@unix-ag.uni-kl.de