linuxOS_AP05/debian/base-linaro/binary/usr/share/doc/vpnc/README.Debian

2025-09-26 01:40:02 +00:00
vpnc for Debian
===============

The Debian-specific extensions "Target networks" and "DNSupdate" were
deprecated in wheezy and have been removed in jessie. Please use the
upstream configuration mechanism instead. See /usr/share/doc/vpnc/README.gz
for details on replacing the routes vpnc-script installs with custom ones by
presetting its variables. You can either wrap /etc/vpnc/vpnc-script in a
custom script which presets those variables (as documented in the example in
README.gz) or use the newer connect and disconnect hooks of vpnc-script to set
them separately (see below).

NETWORK MANAGER AND VPNC
========================
NetworkManager does not play well with other programs that modify routes and
interfaces outside of its framework. This means your VPN will go down as soon
as NetworkManager decides to reconfigure your internet connection, possibly in
response to discovering the newly-established VPN. Please install the
network-manager-vpnc package for proper NetworkManager integration.
CONFIGURATION
=============

/etc/vpnc/default.conf contains a sample config for vpnc/vpnc-connect. You can
uncomment and adjust the settings, or create a different configuration by
copying it to, say, myvpn.conf and then select that by calling

    vpnc myvpn

Or use the pcf2vpnc script to convert existing pcf files (Cisco client
configuration) by running the following command:

    /usr/share/vpnc/pcf2vpnc myvpn.pcf > /etc/vpnc/myvpn.conf

You may edit the resulting file to add the remote username ("Xauth username")
and, if you do not want to be prompted on every connect, the password ("Xauth
password"). The file holds the group secret and possibly your password, so
keep it readable by root only (mode 0600).

In order to use the DNS server reported by the VPN server, please install the
resolvconf package.

vpnc-script, which handles routing and DNS updates, can be customized by adding
hook scripts that are sourced on initialisation as well as before and after
connecting and disconnecting. The scripts are sourced, not executed, so they
run as root inside vpnc-script and can read and preset its variables; only
root-writable files belong in these directories:

    /etc/vpnc/pre-init.d/         before the tun device is set up
    /etc/vpnc/connect.d/          before routes and DNS are installed
    /etc/vpnc/post-connect.d/     after routes and DNS are installed
    /etc/vpnc/disconnect.d/       before routes and DNS are restored
    /etc/vpnc/post-disconnect.d/  after routes and DNS are restored
    /etc/vpnc/reconnect.d/        (not currently used by vpnc)

See the comments at the top of vpnc-script for the environment variables you
have access to (for example VPNGATEWAY, TUNDEV, INTERNAL_IP4_ADDRESS,
INTERNAL_IP4_DNS and the CISCO_SPLIT_INC* variables).
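The following connect.d hook is an added example, not a file shipped by the vpnc package. It shows the "custom routes" use case from above: instead of letting vpnc-script install a default route through the tunnel, it presets the CISCO_SPLIT_INC and CISCO_SPLIT_INC_<n>_ADDR/_MASK/_MASKLEN variables that vpnc-script reads for a gateway-supplied split-tunnel list, so only the networks in VPN_NETWORKS are routed via the VPN. The file name, the VPN_NETWORKS list and its default networks are this example's own assumptions; the variable names are those vpnc-script documents in its header.

```shell
#!/bin/sh
# /etc/vpnc/connect.d/split-tunnel (hypothetical name; added example, not
# part of the Debian package). Sourced by vpnc-script before it installs
# routes. When the gateway sends no split-tunnel list, vpnc-script installs
# a default route through the tunnel; presetting CISCO_SPLIT_INC* here makes
# it route only the listed networks through the VPN instead.

# Networks that should go through the tunnel, CIDR notation (constructed
# example values; adjust for your site). A bare address means a /32.
VPN_NETWORKS="${VPN_NETWORKS:-10.0.0.0/8 192.168.100.0/24}"

# Convert a prefix length (0..32) into a dotted-quad netmask.
# Needs 64-bit shell arithmetic, which dash and bash provide.
prefix_to_mask() {
    p2m_len=$1
    if [ "$p2m_len" -le 0 ]; then
        p2m_bits=0
    else
        p2m_bits=$(( (0xFFFFFFFF << (32 - p2m_len)) & 0xFFFFFFFF ))
    fi
    printf '%d.%d.%d.%d\n' \
        $(( (p2m_bits >> 24) & 255 )) $(( (p2m_bits >> 16) & 255 )) \
        $(( (p2m_bits >> 8) & 255 ))  $(( p2m_bits & 255 ))
}

# Fill CISCO_SPLIT_INC and CISCO_SPLIT_INC_<n>_ADDR/_MASK/_MASKLEN from
# VPN_NETWORKS; vpnc-script loops over 0 .. CISCO_SPLIT_INC-1.
set_split_routes() {
    ssr_n=0
    for ssr_cidr in $VPN_NETWORKS; do
        ssr_addr=${ssr_cidr%/*}
        ssr_len=${ssr_cidr#*/}
        # no "/" present: host route
        [ "$ssr_addr" != "$ssr_cidr" ] || ssr_len=32
        ssr_mask=$(prefix_to_mask "$ssr_len")
        eval "CISCO_SPLIT_INC_${ssr_n}_ADDR=\$ssr_addr"
        eval "CISCO_SPLIT_INC_${ssr_n}_MASK=\$ssr_mask"
        eval "CISCO_SPLIT_INC_${ssr_n}_MASKLEN=\$ssr_len"
        ssr_n=$((ssr_n + 1))
    done
    CISCO_SPLIT_INC=$ssr_n
}

# Only act when vpnc-script sources this file for the "connect" reason
# ($reason is set by vpnc); stay a no-op if sourced anywhere else.
case "${reason:-}" in
    connect) set_split_routes ;;
esac
```

Because the hook is sourced, the variables it sets are visible to vpnc-script's own do_connect without any export. Put a copy in /etc/vpnc/connect.d/, owned and writable by root only, and check the result with `ip route` after connecting: you should see one route per listed network via the tun device and your original default route untouched.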

(IN)SECURITY WARNING
====================

As described at this URL:
<http://www.cisco.com/warp/public/707/cisco-sn-20040415-grppass.shtml>,
which references a Bugtraq thread starting at:
<http://www.securityfocus.com/archive/1/347351> ("ISSUE 2")
simple XAUTH relying only on pre-shared keys (the "group password" method)
is not a secure way to set up a trusted connection: the group secret is
shared by every user of the gateway, so anyone who holds it can impersonate
the gateway and the client has no way to notice. In addition to giving away
the confidentiality of the VPN session (man-in-the-middle attack), this
configuration may disclose the user's XAUTH password to the impostor and
thus enable the attacker to establish future VPN connections on their own
and/or access other services protected by that password (identity theft).

Cisco has implemented a different authentication mechanism in which the
client verifies a certificate presented by the VPN server before sending
any XAUTH credentials, so the server's identity is established securely
("Hybrid Auth", "Mutual Group Authentication"). This mechanism is not known
to be vulnerable.

In short: if a simple configuration file with a group key and your password
is enough to establish a VPN connection (auth-mode psk, i.e. "IKE Authmode
psk", which is also vpnc's default when the line is absent), you are
vulnerable. Don't use a password that can also be used in other places, and
don't assume your connection to be confidential. If, however, establishing a
VPN connection requires a certificate identifying the server in addition to
a group key and your password (auth-mode hybrid, i.e. "IKE Authmode hybrid"
together with a CA-File or CA-Dir naming the gateway's issuing CA), you
should be safe.
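As an added example (not part of the vpnc package), here is a small audit script that applies the warning above to configuration files such as those produced by pcf2vpnc in the CONFIGURATION section: it reports the effective "IKE Authmode" (psk when the line is absent), whether a CA is named for hybrid/cert mode, and whether the file, which contains the group secret and possibly the Xauth password, is readable by anyone but its owner. The vpnc.conf(5) keys used are real; the function names, messages, sample file contents and the exit-code convention are this example's own choices.

```shell
#!/bin/sh
# vpnc-audit.sh (hypothetical name; added example, not part of vpnc).
# Checks vpnc configuration files for the group-password weakness.
#
# A minimal psk configuration, as pcf2vpnc produces it, looks like
# (constructed sample):
#   IPSec gateway vpn.example.com
#   IPSec ID engineering
#   IPSec secret <group password>
#   Xauth username alice
# Switching the gateway to hybrid authentication adds:
#   IKE Authmode hybrid
#   CA-File /etc/ssl/certs/corp-ca.pem

# Print the effective IKE authentication mode of config file $1.
# vpnc defaults to psk when no "IKE Authmode" line is present.
vpnc_authmode() {
    va_mode=$(sed -n 's/^IKE Authmode[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${va_mode:-psk}"
}

# True when the file names the CA used to verify the gateway certificate.
vpnc_has_ca() {
    grep -Eq '^CA-(File|Dir)[[:space:]]' "$1"
}

# True when group or others can read the file (ls columns 5-10 are the
# group and other permission bits; portable across GNU and BSD ls).
vpnc_secrets_exposed() {
    case $(ls -ld "$1" | cut -c5-10) in
        ------) return 1 ;;
        *)      return 0 ;;
    esac
}

# Audit one file. Returns 0 for hybrid (or cert) mode in a private file,
# 1 for psk, an unknown mode, or a file readable by group/others.
vpnc_audit() {
    aud_conf=$1
    aud_rc=0
    aud_mode=$(vpnc_authmode "$aud_conf")
    case $aud_mode in
        psk)
            echo "$aud_conf: IKE Authmode psk: gateway is not authenticated;" \
                 "anyone holding the group secret can impersonate it and" \
                 "capture the Xauth password" >&2
            aud_rc=1 ;;
        hybrid|cert)
            if vpnc_has_ca "$aud_conf"; then
                echo "$aud_conf: IKE Authmode $aud_mode with explicit CA: ok"
            else
                echo "$aud_conf: IKE Authmode $aud_mode without CA-File/CA-Dir:" \
                     "check how the gateway certificate is verified" >&2
            fi ;;
        *)
            echo "$aud_conf: unknown IKE Authmode '$aud_mode'" >&2
            aud_rc=1 ;;
    esac
    if vpnc_secrets_exposed "$aud_conf"; then
        echo "$aud_conf: readable by group/others; chmod 600 it" >&2
        aud_rc=1
    fi
    return $aud_rc
}

# Usage: sh vpnc-audit.sh /etc/vpnc/*.conf
# Exit status is non-zero if any file fails.
if [ $# -gt 0 ]; then
    all_ok=0
    for f; do vpnc_audit "$f" || all_ok=1; done
    exit $all_ok
fi
```

Run it against every file in /etc/vpnc/ after converting a pcf: a psk verdict means the gateway administrator has to enable hybrid authentication on the concentrator side; nothing you change in the client file alone removes the weakness, apart from not reusing the password elsewhere.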