Source code VPNC

IPsec (Cisco/Juniper) VPN concentrator client


VPNC is a VPN client compatible with Cisco's EasyVPN equipment. It supports IPSec (ESP) with Mode Configuration and Xauth. Supports only shared-secret IPSec authentication with Xauth, AES (256, 192, 128), 3DES, 1DES, MD5, SHA1, DH1/2/5 and IP tunneling. It runs entirely in userspace. Only "Universal TUN/TAP device driver support" is needed in kernel.

Development status

This repository has been forked to follow the work started originally by Maurice Massar. For more information about that, please, point to VPNC original web page.

As stated in vpnc-devel mailing-list (vpnc-devel@2017-November), this repository hasn't been started to start working actively on this project, but to passively merge security patches, fixes and features additions explicitly requested by the community.

This means I won't even consider issues such as "Please, implement this", or "Look at that, maybe you can find ideas and fixes", but I will if requested via explicit PRs and/or issues pointing to a (or many) specific patch.


git clone https://github.com/streambinder/vpnc.git
cd vpnc
sudo make install

General configuration

Few libraries are required to let VPNC work properly:

Configuration data gets read from:

Essential configuration information (both with key name for specifying option via command line or config file) it currently needs are:

Input optionFile option
--gatewayIPSec gateway
--idIPSec ID
--secretIPSec secret
--usernameXauth username
--passwordXauth password

A sample configuration file is:

IPSec gateway
IPSec ID sample-vpn
IPSec secret s4mpl3
Xauth username johndoe

Note that all strings start exactly one space after the keyword string, and run to the end of the line. This lets you put any kind of weird character (except CR, LF and NUL) in your strings, but it does mean you can't add comments after a string, or spaces before them.

It may be easier to use the --print-config option to generate the config file, and then delete any lines (like a password) that you want to be prompted for.

If you don't know the Group ID and Secret string, ask your administrator. If they decline and refer to the configuration files provided for the vpnclient program, tell them that the contents of that files are (though scrambled) not really protected. If you have a working configuration file (.pcf file) for the Cisco client then you can use the pcf2vpnc utility instead, which will extract most/all of the required information and convert it into a vpnc configuration file.

Using a modified script

Please note that VPNC itself does not setup routing. You need to do this yourself, or use --script script.sh/Script script.sh (the first one to pass it as input parameters, the other one as config file value). The default script is /etc/vpnc/vpnc-script which sets a default route to the remote network, or if the Concentrator provided split-network settings, these are used to setup routes.

This option is passed to system(), so you can use any shell-specials you like. This script gets called tree times:

  1. $reason == pre-init: this is before VPNC opens the tun device, so you can do what is necessary to ensure that it is available. Note that none of the variables mentioned below is available.
  2. $reason == connect: this is what used to be "Config Script". The connection is established, but vpnc will not begin forwarding packets until the script finishes.
  3. $reason == disconnect: This is called just after vpnc received a signal. Note that VPNC will not forward packets anymore while the script is running or thereafter.

Information is passed from VPNC via environment variables:

Currently vpnc-script is not directly configurable from config files. However, a workaround is to use a wrapper-script like this, to disable /etc/resolv.conf rewriting and setup a custom split-routing:


# this effectively disables changes to /etc/resolv.conf

# This sets up split networking regardless
# of the concentrators specifications.
# You can add as many routes as you want,
# but you must set the counter $CISCO_SPLIT_INC
# accordingly

Store this example script, for example in /etc/vpnc/custom-script, do a chmod +x /etc/vpnc/custom-script and add Script /etc/vpnc/custom-script to your configuration.

Additional steps to configure hybrid authentication

Input optionFile option
--hybridUse Hybrid Auth
--ca-file <ca.pem>CA-File <ca.pem>
--ca-dir <ca/dir>CA-Dir <ca/dir>

Default CA-Dir is /etc/ssl. A link can also be used like in /etc/ssl/certs/.

As the trusted certificate is referenced by the hash of the subject name, the directory has to contain the certificate named like that hash value. As an example, the hash value can be calculated using the following command: openssl x509 -in <ca_certfile.pem> -noout -hash


Use the client with Nortel Contivity

Matt Chapman (matthewc@cse.unsw.edu.au) got vpnc working with a Nortel Contivity VPN concentrator. According to him, the differences are:

Thus the changes are fairly intrusive - phase 1 is common but XAUTH/Mode-Config/phase 2 diverge.

According to Zingo Andersen, NORTELVPN_XAUTHTYPE_AS_REQUEST has to be set and this patch applied:

    if (ap->af != isakmp_attr_16 || !(ap->u.attr_16 == 0 || ap->u.attr_16 == 5))
    xauth_type_requested = ap->u.attr_16;
    if (ap->af != isakmp_attr_16 || ap->u.attr_16 != 0)

Setting up VPNC on Windows Vista (64 bit)

  1. Install cygwin: follow steps at cygwin.com
  2. Make sure you install the development options for cygwin to give you access to make, gcc, and all the other development libraries
  3. Make sure you install libgcrypt for cygwin as it is needed in the make procedure
  4. Modify the bash.exe to run as administrator or you will have privilege issues later, this is done on the properties tab of the executable in C:/cygwin/bin
  5. Download the latest VPNC tarball
  6. Unzip and explode the tarball
  7. Modify tap-win32.h to change #define TAP_COMPONENT_ID "tap0801" to #define TAP_COMPONENT_ID "tap0901" (not sure if this is always necessary, but at least once it has been needed)
  8. make
  9. Download OpenVPN. It has been tested with success on version 2.1_rc4
  10. Just install TAP-Win32 Adapter V9
  11. Go to Control Panel, and then Network Connections and rename the TAP device to my-tap
  12. Use a default.conf built like this:
IPSec obfuscated secret YOURREALYLONGHEXVALUE (you can use your clear
text password here if you remove obfuscated)
Xauth username YOURUSERNAME
Xauth password YOURPASSWORD
Interface name my-tap
Interface mode tap
Local Port 0

Suddenly client stops without any specific reason

The DHCP leases are very short intervals and on each renew the DHCP client overwrites things like /etc/resolv.conf and maybe the default route To solve the issue, fix your dhcpclient: on Debian it can be done by installing and using resolvconf to modify that file instead of modifying it directly.