[PATCH v2 07/15] doc: VPN config file specification

Jukka Rissanen jukka.rissanen at linux.intel.com
Tue Nov 27 06:10:17 PST 2012


---
 doc/vpn-config-format.txt | 215 ++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 215 insertions(+)
 create mode 100644 doc/vpn-config-format.txt

diff --git a/doc/vpn-config-format.txt b/doc/vpn-config-format.txt
new file mode 100644
index 0000000..d6afcb5
--- /dev/null
+++ b/doc/vpn-config-format.txt
@@ -0,0 +1,215 @@
+Connman configuration file format for VPN
+*****************************************
+
+Connman VPN uses configuration files to provision existing providers.
+vpnd will be looking for its configuration files at STORAGEDIR/vpn
+which by default points to /var/lib/connman/vpn. Configuration file names
+must not include other characters than letters or numbers and must have
+a .config suffix. Those configuration files are text files with a simple
+format and we typically have one file per provisioned network.
+
+If the config file is removed, then vpnd tries to remove the
+provisioned service. If individual service entry inside config is removed,
+then the corresponding provisioned service is removed. If service
+entry is changed, then corresponding service is removed and then
+immediately re-provisioned.
+
+
+Global entry [global]
+=====================
+
+These files can have an optional global entry describing the actual file.
+The 2 allowed fields for that entry are:
+- Name: Name of the network.
+- Description: Description of the network.
+
+
+Provider entry [provider_*]
+===========================
+
+Each provisioned provider must start with the [provider_*] tag.
+Replace * with an identifier unique to the config file.
+
+Allowed fields:
+- Type: Provider type. Value of OpenConnect, OpenVPN, VPNC, L2TP or PPTP
+
+VPN related parameters (M = mandatory, O = optional):
+- Name: A user defined name for the VPN (M)
+- Host: VPN server IP address (M)
+- Domain: Domain name for the VPN service (M)
+- Networks: The networks behind the VPN link can be defined here. This can
+  be missing if all traffic should go via VPN tunnel. If there are more
+  than one network, then separate them by comma. Format of the entry
+  is network/netmask/gateway. The gateway can be left out. (O)
+  Example: 192.168.100.0/24/10.1.0.1,192.168.200.0/255.255.255.0/10.1.0.2
+  For IPv6 addresses only prefix length is accepted like this 2001:db8::1/64
+
+OpenConnect VPN supports following options (see openconnect(8) for details):
+ Option name            OpenConnect option   Description
+ OpenConnect.ServerCert --servercert         Accept server's SSL certificate
+                                             only if its fingerprint matches
+                                             this value (SHA1) (M)
+ OpenConnect.CACert     --cafile             Cert file for server
+                                             verification (M)
+ VPN.MTU                --mtu                Request MTU from server as the
+                                             MTU of the tunnel (O)
+
+OpenVPN VPN supports following options (see openvpn(8) for details):
+ Option name            OpenVPN option   Description
+ OpenVPN.CACert         --ca             Certificate authority file (M)
+ OpenVPN.Cert           --cert           Local peer's signed certificate (M)
+ OpenVPN.Key            --key            Local peer's private key (M)
+ OpenVPN.MTU            --mtu            MTU of the tunnel (O)
+ OpenVPN.NSCertType     --ns-cert-type   Peer certificate type, value of
+                                         either server or client (O)
+ OpenVPN.Proto          --proto          Use protocol (O)
+ OpenVPN.Port           --port           TCP/UDP port number (O)
+ OpenVPN.AuthUserPass   --auth-user-pass Authenticate with server using
+                                         username/password (O)
+ OpenVPN.AskPass        --askpass        Get certificate password from file (O)
+ OpenVPN.AuthNoCache    --auth-nocache   Don't cache --askpass or
+                                         --auth-user-pass value (O)
+ OpenVPN.TLSRemote      --tls-remote     Accept connections only from a host
+                                         with X509 name or common name equal
+                                         to name parameter (O)
+ OpenVPN.TLSAuth        sub-option of --tls-remote (O)
+ OpenVPN.TLSAuthDir     sub-option of --tls-remote (O)
+ OpenVPN.Cipher         --cipher         Encrypt packets with cipher algorithm
+                                         given as parameter (O)
+ OpenVPN.Auth           --auth           Authenticate  packets with HMAC using
+                                         message digest algorithm alg (O)
+ OpenVPN.CompLZO        --comp-lzo       Use  fast  LZO compression. Value can
+                                         be "yes", "no", or "adaptive". Default
+                                         is adaptive (O)
+ OpenVPN.RemoteCertTls  --remote-cert-tls Require that peer certificate was
+                                          signed based on RFC3280 TLS rules.
+                                          Value is "client" or "server" (O)
+
+VPNC VPN supports following options (see vpnc(8) for details):
+ Option name         VPNC config value     Description
+ VPNC.IPSec.ID       IPSec ID              your group username (M)
+ VPNC.IPSec.Secret   IPSec secret          your group password (cleartext) (O)
+ VPNC.Xauth.Username Xauth username        your username (O)
+ VPNC.Xauth.Password Xauth password        your password (cleartext) (O)
+ VPNC.IKE.Authmode   IKE Authmode          IKE Authentication mode (O)
+ VPNC.IKE.DHGroup    IKE DH Group          name of the IKE DH Group (O)
+ VPNC.PFS Perfect    Forward Secrecy       Diffie-Hellman group to use for PFS (O)
+ VPNC.Domain         Domain                Domain name for authentication (O)
+ VPNC.Vendor         Vendor                vendor of your IPSec gateway (O)
+ VPNC.LocalPort      Local Port            local ISAKMP port number to use
+ VPNC.CiscoPort      Cisco UDP Encapsulation Port  Local UDP port number to use (O)
+ VPNC.AppVersion     Application Version   Application Version to report (O)
+ VPNC.NATTMode       NAT Traversal Mode    Which NAT-Traversal Method to use (O)
+ VPNC.DPDTimeout     DPD idle timeout (our side)  Send DPD packet after timeout (O)
+ VPNC.SingleDES      Enable Single DES     enables single DES encryption (O)
+ VPNC.NoEncryption   Enable no encryption  enables using no encryption for data traffic (O)
+
+L2TP VPN supports following options (see xl2tpd.conf(5) and pppd(8) for details)
+ Option name         xl2tpd config value    Description
+ L2TP.User           -                      L2TP user name, asked from the user
+                                            if not set here (O)
+ L2TP.Password       -                      L2TP password, asked from the user
+                                            if not set here (O)
+ L2TP.BPS            bps                    Max bandwith to use (O)
+ L2TP.TXBPS          tx bps                 Max transmit bandwith to use (O)
+ L2TP.RXBPS          rx bps                 Max receive bandwith to use (O)
+ L2TP.LengthBit      length bit             Use length bit (O)
+ L2TP.Challenge      challenge              Use challenge authentication (O)
+ L2TP.DefaultRoute   defaultroute           Default route (O)
+ L2TP.FlowBit        flow bit               Use seq numbers (O)
+ L2TP.TunnelRWS      tunnel rws             Window size (O)
+ L2TP.Exclusive      exclusive              Use only one control channel (O)
+ L2TP.Redial         redial                 Redial if disconnected (O)
+ L2TP.RedialTimeout  redial timeout         Redial timeout (O)
+ L2TP.MaxRedials     max redials            How many times to try redial (O)
+ L2TP.RequirePAP     require pap            Need pap (O)
+ L2TP.RequireCHAP    require chap           Need chap (O)
+ L2TP.ReqAuth        require authentication Need auth (O)
+ L2TP.AccessControl  access control         Accept only these peers (O)
+ L2TP.AuthFile       auth file              Authentication file location (O)
+ L2TP.ListenAddr     listen-addr            Listen address (O)
+ L2TP.IPsecSaref     ipsec saref            Use IPSec SA (O)
+ L2TP.Port           port                   What UDP port is used (O)
+
+ Option name         pppd config value      Description
+ PPPD.EchoFailure    lcp-echo-failure       Dead peer check count (O)
+ PPPD.EchoInterval   lcp-echo-interval      Dead peer check interval (O)
+ PPPD.Debug          debug                  Debug level (O)
+ PPPD.RefuseEAP      refuse-eap             Deny eap auth (O)
+ PPPD.RefusePAP      refuse-pap             Deny pap auth (O)
+ PPPD.RefuseCHAP     refuse-chap            Deny chap auth (O)
+ PPPD.RefuseMSCHAP   refuse-mschap          Deny mschap auth (O)
+ PPPD.RefuseMSCHAP2  refuse-mschapv2        Deny mschapv2 auth (O)
+ PPPD.NoBSDComp      nobsdcomp              Disables BSD compression (O)
+ PPPD.NoPcomp        nopcomp                Disable protocol compression (O)
+ PPPD.UseAccomp      accomp                 Disable address/control compression (O)
+ PPPD.NoDeflate      nodeflate              Disable deflate compression (O)
+ PPPD.ReqMPPE        require-mppe           Require the use of MPPE (O)
+ PPPD.ReqMPPE40      require-mppe-40        Require the use of MPPE 40 bit (O)
+ PPPD.ReqMPPE128     require-mppe-128       Require the use of MPPE 128 bit (O)
+ PPPD.ReqMPPEStateful mppe-stateful         Allow MPPE to use stateful mode (O)
+ PPPD.NoVJ           no-vj-comp             No Van Jacobson compression (O)
+
+
+PPTP VPN supports following options (see pptp(8) and pppd(8) for details)
+ Option name         pptp config value    Description
+ PPTP.User           -                    PPTP user name, asked from the user
+                                          if not set here (O)
+ PPTP.Password       -                    PPTP password, asked from the user
+                                          if not set here (O)
+
+ Option name         pppd config value    Description
+ PPPD.EchoFailure    lcp-echo-failure     Dead peer check count (O)
+ PPPD.EchoInterval   lcp-echo-interval    Dead peer check interval (O)
+ PPPD.Debug          debug                Debug level (O)
+ PPPD.RefuseEAP      refuse-eap           Deny eap auth (O)
+ PPPD.RefusePAP      refuse-pap           Deny pap auth (O)
+ PPPD.RefuseCHAP     refuse-chap          Deny chap auth (O)
+ PPPD.RefuseMSCHAP   refuse-mschap        Deny mschap auth (O)
+ PPPD.RefuseMSCHAP2  refuse-mschapv2      Deny mschapv2 auth (O)
+ PPPD.NoBSDComp      nobsdcomp            Disables BSD compression (O)
+ PPPD.NoDeflate      nodeflate            Disable deflate compression (O)
+ PPPD.RequirMPPE     require-mppe         Require the use of MPPE (O)
+ PPPD.RequirMPPE40   require-mppe-40      Require the use of MPPE 40 bit (O)
+ PPPD.RequirMPPE128  require-mppe-128     Require the use of MPPE 128 bit (O)
+ PPPD.RequirMPPEStateful mppe-stateful    Allow MPPE to use stateful mode (O)
+ PPPD.NoVJ           no-vj-comp           No Van Jacobson compression (O)
+
+
+Example
+=======
+
+This is a configuration file for a VPN providing L2TP, OpenVPN and
+OpenConnect services.
+
+
+example at example:[~]$ cat /var/lib/connman/vpn/example.config
+[global]
+Name = Example
+Description = Example VPN configuration
+
+[provider_l2tp]
+Type = L2TP
+Name = Connection to corporate network
+Host = 1.2.3.4
+Domain = corporate.com
+Networks = 10.10.30.0/24
+L2TP.User = username
+
+[provider_openconnect]
+Type = OpenConnect
+Name = Connection to corporate network using Cisco VPN
+Host = 7.6.5.4
+Domain = corporate.com
+Networks = 10.10.20.0/255.255.255.0/10.20.1.5,192.168.99.1/24,2001:db8::1/64
+OpenConnect.ServerCert = 263AFAB4CB2E6621D12E90182008AEF44AEFA031
+OpenConnect.CACert = /etc/certs/certificate.p12
+
+[provider_openvpn]
+Type = OpenVPN
+Name = Connection to corporate network using OpenVPN
+Host = 3.2.5.6
+Domain = my.home.network
+OpenVPN.CACert = /etc/certs/cacert.pem
+OpenVPN.Cert = /etc/certs/cert.pem
+OpenVPN.Key = /etc/certs/cert.key
-- 
1.7.11.4




More information about the connman mailing list