openconnect.8.in 18 KB
Newer Older
Ray Kohler's avatar
Ray Kohler committed
1
.TH OPENCONNECT 8
David Woodhouse's avatar
David Woodhouse committed
2
.SH NAME
3
openconnect \- Multi-protocol VPN client, for Cisco AnyConnect VPNs and others
David Woodhouse's avatar
David Woodhouse committed
4
.SH SYNOPSIS
5
.SY openconnect
6
.OP \-\-config configfile
7 8 9 10 11 12 13
.OP \-b,\-\-background
.OP \-\-pid\-file pidfile
.OP \-c,\-\-certificate cert
.OP \-e,\-\-cert\-expire\-warning days
.OP \-k,\-\-sslkey key
.OP \-C,\-\-cookie cookie
.OP \-\-cookie\-on\-stdin
14
.OP \-\-compression MODE
15 16 17
.OP \-d,\-\-deflate
.OP \-D,\-\-no\-deflate
.OP \-\-force\-dpd interval
18
.OP \-F,\-\-form\-entry form:opt=value
19 20
.OP \-g,\-\-usergroup group
.OP \-h,\-\-help
21
.OP \-\-http\-auth methods
22 23
.OP \-i,\-\-interface ifname
.OP \-l,\-\-syslog
24
.OP \-\-timestamp
25
.OP \-\-passtos
26 27 28
.OP \-U,\-\-setuid user
.OP \-\-csd\-user user
.OP \-m,\-\-mtu mtu
29
.OP \-\-base\-mtu mtu
30 31
.OP \-p,\-\-key\-password pass
.OP \-P,\-\-proxy proxyurl
32
.OP \-\-proxy\-auth methods
33 34 35 36 37 38 39 40 41 42 43 44
.OP \-\-no\-proxy
.OP \-\-libproxy
.OP \-\-key\-password\-from\-fsid
.OP \-q,\-\-quiet
.OP \-Q,\-\-queue\-len len
.OP \-s,\-\-script vpnc\-script
.OP \-S,\-\-script\-tun
.OP \-u,\-\-user name
.OP \-V,\-\-version
.OP \-v,\-\-verbose
.OP \-x,\-\-xmlconfig config
.OP \-\-authgroup group
45
.OP \-\-authenticate
46 47 48 49 50
.OP \-\-cookieonly
.OP \-\-printcookie
.OP \-\-cafile file
.OP \-\-disable\-ipv6
.OP \-\-dtls\-ciphers list
51
.OP \-\-dtls12\-ciphers list
52
.OP \-\-dtls\-local\-port port
53
.OP \-\-dump\-http\-traffic
54
.OP \-\-no\-system\-trust
55
.OP \-\-pfs
56 57 58
.OP \-\-no\-dtls
.OP \-\-no\-http\-keepalive
.OP \-\-no\-passwd
59
.OP \-\-no\-xmlpost
60 61
.OP \-\-non\-inter
.OP \-\-passwd\-on\-stdin
David Woodhouse's avatar
David Woodhouse committed
62
.OP \-\-protocol proto
63 64
.OP \-\-token\-mode mode
.OP \-\-token\-secret {secret\fR[\fI,counter\fR]|@\fIfile\fR}
65
.OP \-\-reconnect\-timeout
66
.OP \-\-resolve host:ip
67 68
.OP \-\-servercert sha1
.OP \-\-useragent string
69
.OP \-\-version\-string string
70
.OP \-\-local-hostname string
71
.OP \-\-os string
72 73
.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
.YS
David Woodhouse's avatar
David Woodhouse committed
74 75 76 77

.SH DESCRIPTION
The program
.B openconnect
78 79 80 81 82 83 84 85 86
connects to VPN servers which use standard TLS/SSL, DTLS, and ESP
protocols for data transport.

It was originally written to support Cisco "AnyConnect" VPN servers,
and has since been extended with experimental support for Juniper
Network Connect and Junos Pulse VPN servers
.RB ( \-\-protocol=nc )
and PAN GlobalProtect VPN servers
.RB ( \-\-protocol=gp ).
David Woodhouse's avatar
David Woodhouse committed
87 88 89 90

The connection happens in two phases. First there is a simple HTTPS
connection over which the user authenticates somehow \- by using a
certificate, or password or SecurID, etc.  Having authenticated, the
91
user is rewarded with an authentication cookie which can be used to make the
David Woodhouse's avatar
David Woodhouse committed
92 93
real VPN connection.

94 95 96 97 98 99 100 101 102 103
The second phase uses that cookie to connect to a tunnel via HTTPS,
and data packets can be passed over the resulting connection. When
possible, a UDP tunnel is also configured: AnyConnect uses DTLS, while
Juniper and GlobalProtect use UDP-encapsulated ESP. The UDP tunnel
may be disabled with
.BR \-\-no\-dtls ,
but is preferred when correctly supported by the server and network
for performance reasons. (TCP performs poorly and unreliably over
TCP-based tunnels; see
.IR http://sites.inka.de/~W1011/devel/tcp-tcp.html .)
David Woodhouse's avatar
David Woodhouse committed
104 105 106

.SH OPTIONS
.TP
107 108 109 110 111 112 113 114 115 116 117 118
.B \-\-config=CONFIGFILE
Read further options from
.I CONFIGFILE
before continuing to process options from the command line. The file
should contain long-format options as would be accepted on the command line,
but without the two leading \-\- dashes. Empty lines, or lines where the
first non-space character is a # character, are ignored.

Any option except the
.B config
option may be specified in the file.
.TP
119
.B \-b,\-\-background
120 121
Continue in background after startup
.TP
122
.B \-\-pid\-file=PIDFILE
Steven Allen's avatar
Steven Allen committed
123 124 125 126
Save the pid to
.I PIDFILE
when backgrounding
.TP
127
.B \-c,\-\-certificate=CERT
David Woodhouse's avatar
David Woodhouse committed
128 129
Use SSL client certificate
.I CERT
130 131
which may be either a file name or, if OpenConnect has been built with an appropriate
version of GnuTLS, a PKCS#11 URL.
David Woodhouse's avatar
David Woodhouse committed
132
.TP
133
.B \-e,\-\-cert\-expire\-warning=DAYS
134 135 136 137
Give a warning when SSL client certificate has
.I DAYS
left before expiry
.TP
138
.B \-k,\-\-sslkey=KEY
139
Use SSL private key
David Woodhouse's avatar
David Woodhouse committed
140
.I KEY
141 142
which may be either a file name or, if OpenConnect has been built with an appropriate
version of GnuTLS, a PKCS#11 URL.
David Woodhouse's avatar
David Woodhouse committed
143
.TP
144
.B \-C,\-\-cookie=COOKIE
145 146
Use authentication cookie
.IR COOKIE .
David Woodhouse's avatar
David Woodhouse committed
147
.TP
148
.B \-\-cookie\-on\-stdin
149
Read cookie from standard input.
David Woodhouse's avatar
David Woodhouse committed
150
.TP
151
.B \-d,\-\-deflate
152 153
Enable all compression, including stateful modes. By default, only stateless
compression algorithms are enabled.
David Woodhouse's avatar
David Woodhouse committed
154
.TP
155
.B \-D,\-\-no\-deflate
156
Disable all compression.
David Woodhouse's avatar
David Woodhouse committed
157
.TP
158 159 160 161
.B \-\-compression=MODE
Set compression mode, where
.I MODE
is one of
162 163 164 165
.IR "stateless" ,
.IR "none" ,
or
.IR "all" .
166 167 168 169 170 171 172

By default, only stateless compression algorithms which do not maintain state
from one packet to the next (and which can be used on UDP transports) are
enabled. By setting the mode to
.I "all"
stateful algorithms (currently only zlib deflate) can be enabled. Or all
compression can be disabled by setting the mode to
173
.IR "none" .
174
.TP
175
.B \-\-force\-dpd=INTERVAL
David Woodhouse's avatar
David Woodhouse committed
176 177 178 179
Use
.I INTERVAL
as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
.TP
180
.B \-g,\-\-usergroup=GROUP
David Woodhouse's avatar
David Woodhouse committed
181 182 183 184
Use
.I GROUP
as login UserGroup
.TP
185 186 187 188 189 190 191 192 193 194 195 196 197
.B \-F,\-\-form\-entry=FORM:OPTION=VALUE
Provide authentication form input, where
.I FORM
and
.I OPTION
are the identifiers from the form and the specific input field, and
.I VALUE
is the string to be filled in automatically. For example, the standard username field
.I (also handled by the \-\-user option)
could also be provided with this option thus:
.I \-\-form\-entry
.IR main:username=joebloggs .
.TP
198
.B \-h,\-\-help
David Woodhouse's avatar
David Woodhouse committed
199 200
Display help text
.TP
201 202 203 204 205 206 207 208 209
.B \-\-http\-auth=METHODS
Use only the specified methods for HTTP authentication to a server.  By default,
only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
is also supported but because it is insecure it must be explicitly enabled. The
argument is a comma-separated list of methods to be enabled. Note that the order
does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
authentication in that order, if each is enabled, regardless of the order
specified in the METHODS string.
.TP
210
.B \-i,\-\-interface=IFNAME
David Woodhouse's avatar
David Woodhouse committed
211 212 213 214
Use
.I IFNAME
for tunnel interface
.TP
215
.B \-l,\-\-syslog
David Woodhouse's avatar
David Woodhouse committed
216 217
Use syslog for progress messages
.TP
218 219 220
.B \-\-timestamp
Prepend a timestamp to each progress message
.TP
221 222 223
.B \-\-passtos
Copy TOS / TCLASS of payload packet into DTLS packets.
.TP
224
.B \-U,\-\-setuid=USER
David Woodhouse's avatar
David Woodhouse committed
225 226 227
Drop privileges after connecting, to become user
.I USER
.TP
228
.B \-\-csd\-user=USER
229
Drop privileges during execution of trojan binary or script (CSD, TNCC, or HIP).
Paul Brook's avatar
Paul Brook committed
230
.TP
231
.B \-\-csd\-wrapper=SCRIPT
Paul Brook's avatar
Paul Brook committed
232 233
Run
.I SCRIPT
234
instead of the trojan binary or script.
235
.TP
236
.B \-m,\-\-mtu=MTU
David Woodhouse's avatar
David Woodhouse committed
237 238
Request
.I MTU
239 240
from server as the MTU of the tunnel.
.TP
241
.B \-\-base\-mtu=MTU
242 243 244 245 246
Indicate
.I MTU
as the path MTU between client and server on the unencrypted network. Newer
servers will automatically calculate the MTU to be used on the tunnel from
this value.
David Woodhouse's avatar
David Woodhouse committed
247
.TP
248
.B \-p,\-\-key\-password=PASS
249 250
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
.TP
251
.B \-P,\-\-proxy=PROXYURL
252 253 254 255
Use HTTP or SOCKS proxy for connection. A username and password can be provided
in the given URL, and will be used for authentication. If authentication is
required but no credentials are given, GSSAPI and automatic NTLM authentication
using Samba's ntlm_auth helper tool may be attempted.
256
.TP
257
.B \-\-proxy\-auth=METHODS
258 259 260 261 262 263 264
Use only the specified methods for HTTP authentication to a proxy.  By default,
only Negotiate, NTLM and Digest authentication are enabled. Basic authentication
is also supported but because it is insecure it must be explicitly enabled. The
argument is a comma-separated list of methods to be enabled. Note that the order
does not matter: OpenConnect will use Negotiate, NTLM, Digest and Basic
authentication in that order, if each is enabled, regardless of the order
specified in the METHODS string.
265
.TP
266
.B \-\-no\-proxy
267
Disable use of proxy
268
.TP
269
.B \-\-libproxy
270 271
Use libproxy to configure proxy automatically (when built with libproxy support)
.TP
272
.B \-\-key\-password\-from\-fsid
273 274 275 276
Passphrase for certificate file is automatically generated from the
.I fsid
of the file system on which it is stored. The
.I fsid
277
is obtained from the
278 279 280 281 282 283
.BR statvfs (2)
or
.BR statfs (2)
system call, depending on the operating system. On a Linux or similar system
with GNU coreutils, the
.I fsid
284 285 286 287 288
used by this option should be equal to the output of the command:
.EX
stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
.EE
It is not the same as the 128\-bit UUID of the file system.
289
.TP
290
.B \-q,\-\-quiet
David Woodhouse's avatar
David Woodhouse committed
291 292
Less output
.TP
293
.B \-Q,\-\-queue\-len=LEN
294
Set packet queue limit to
David Woodhouse's avatar
David Woodhouse committed
295 296 297
.I LEN
pkts
.TP
298 299 300 301 302 303 304 305 306
.B \-s,\-\-script=SCRIPT
Invoke
.I SCRIPT
to configure the network after connection. Without this, routing and name
service are unlikely to work correctly. The script is expected to be
compatible with the
.B vpnc\-script
which is shipped with the "vpnc" VPN client. See
.I http://www.infradead.org/openconnect/vpnc-script.html
307 308 309 310 311 312 313
for more information. This version of OpenConnect is configured to
use \fB@DEFAULT_VPNCSCRIPT@\fR by default.

On Windows, a relative directory for the default script will be handled as
starting from the directory that the openconnect executable is running from,
rather than the current directory. The script will be invoked with the
command-based script host \fBcscript.exe\fR.
314 315
.TP
.B \-S,\-\-script\-tun
316 317 318 319
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
tun/tap device. This allows the VPN IP traffic to be handled entirely in
userspace, for example by a program which uses lwIP to provide SOCKS access
into the VPN.
David Woodhouse's avatar
David Woodhouse committed
320
.TP
321
.B \-u,\-\-user=NAME
David Woodhouse's avatar
David Woodhouse committed
322 323 324
Set login username to
.I NAME
.TP
325
.B \-V,\-\-version
David Woodhouse's avatar
David Woodhouse committed
326 327
Report version number
.TP
328
.B \-v,\-\-verbose
329
More output (may be specified multiple times for additional output)
David Woodhouse's avatar
David Woodhouse committed
330
.TP
331
.B \-x,\-\-xmlconfig=CONFIG
David Woodhouse's avatar
David Woodhouse committed
332 333
XML config file
.TP
334
.B \-\-authgroup=GROUP
335 336
Choose authentication login selection
.TP
337
.B \-\-authenticate
338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356
Authenticate only, and output the information needed to make the connection
a form which can be used to set shell environment variables. When invoked with
this option, openconnect will not make the connection, but if successful will
output something like the following to stdout:
.nf
.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
.B HOST=10.0.0.1
.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
.fi
Thus, you can invoke openconnect as a non-privileged user
.I (with access to the user's PKCS#11 tokens, etc.)
for authentication, and then invoke openconnect separately to make the actual
connection as root:
.nf
.B eval `openconnect --authenticate https://vpnserver.example.com`;
.B [ -n "$COOKIE" ] && echo "$COOKIE" |
.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
.fi
.TP
357
.B \-\-cookieonly
358
Fetch and print cookie only; don't connect
David Woodhouse's avatar
David Woodhouse committed
359
.TP
360
.B \-\-printcookie
361
Print cookie before connecting
David Woodhouse's avatar
David Woodhouse committed
362
.TP
363
.B \-\-cafile=FILE
David Woodhouse's avatar
David Woodhouse committed
364 365
Cert file for server verification
.TP
366
.B \-\-disable\-ipv6
David Woodhouse's avatar
David Woodhouse committed
367 368
Do not advertise IPv6 capability to server
.TP
369
.B \-\-dtls\-ciphers=LIST
370
Set OpenSSL ciphers to support for DTLS
371
.TP
372 373 374
.B \-\-dtls12\-ciphers=LIST
Set OpenSSL ciphers for Cisco's DTLS v1.2
.TP
375 376 377
.B \-\-dtls\-local\-port=PORT
Use
.I PORT
378
as the local port for DTLS and UDP datagrams
379 380 381 382 383
.TP
.B \-\-dump\-http\-traffic
Enable verbose output of all HTTP requests and the bodies of all responses
received from the server.
.TP
384 385 386 387 388
.B \-\-no\-system\-trust
Do not trust the system default certificate authorities. If this option is
given, only certificate authorities given with the
.B \-\-cafile
option, if any, will be trusted automatically.
389

390 391 392 393 394 395 396
.TP
.B \-\-pfs
Enforces Perfect Forward Secrecy (PFS). That ensures that if the server's
long-term key is compromised, any session keys established before the compromise
will be unaffected. If this option is provided and the server does not support PFS
in the TLS channel the connection will fail.

397 398 399 400 401
PFS is available in Cisco ASA releases 9.1(2) and higher; a suitable cipher
suite may need to be manually enabled by the administrator using the
.B ssl encryption
setting.

402
.TP
403
.B \-\-no\-dtls
404
Disable DTLS and ESP
David Woodhouse's avatar
David Woodhouse committed
405
.TP
406
.B \-\-no\-http\-keepalive
407
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
408
the client's SSL certificate when HTTP connections are being re\-used for
409 410
multiple requests. So far, this has only been seen on the initial connection,
where the server gives an HTTP/1.0 redirect response with an explicit
411
.B Connection: Keep\-Alive
412 413 414 415 416 417
directive. OpenConnect as of v2.22 has an unconditional workaround for this,
which is never to obey that directive after an HTTP/1.0 response.

However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option exists
418
to disable ALL re\-use of HTTP sessions and cause a new connection to be
419 420 421
made for each request. If your server seems not to be recognising your
certificate, try this option. If it makes a difference, please report
this information to the
422
.B openconnect\-devel@lists.infradead.org
423 424
mailing list.
.TP
425
.B \-\-no\-passwd
David Woodhouse's avatar
David Woodhouse committed
426 427
Never attempt password (or SecurID) authentication.
.TP
428 429 430 431 432 433 434 435 436 437 438 439 440
.B \-\-no\-xmlpost
Do not attempt to post an XML authentication/configuration request to the
server; use the old style GET method which was used by older clients and
servers instead.

This option is a temporary safety net, to work around potential
compatibility issues with the code which falls back to the old method
automatically. It causes OpenConnect to behave more like older
versions (4.08 and below) did. If you find that you need to use this
option, then you have found a bug in OpenConnect. Please see
http://www.infradead.org/openconnect/mail.html and report this to the
developers.
.TP
441
.B \-\-non\-inter
David Woodhouse's avatar
David Woodhouse committed
442
Do not expect user input; exit if it is required.
443
.TP
444
.B \-\-passwd\-on\-stdin
David Woodhouse's avatar
David Woodhouse committed
445
Read password from standard input
David Woodhouse's avatar
David Woodhouse committed
446 447 448 449 450 451
.TP
.B \-\-protocol=PROTO
Select VPN protocol
.I PROTO
to be used for the connection. Supported protocols are
.I anyconnect
452
for Cisco AnyConnect (the default),
David Woodhouse's avatar
David Woodhouse committed
453 454
.I nc
for experimental support for Juniper Network Connect (also supported
455 456 457
by Junos Pulse servers), and
.I gp
for experimental support for PAN GlobalProtect.
458
.TP
459 460 461 462 463
.B \-\-token\-mode=MODE
Enable one-time password generation using the
.I MODE
algorithm.
.B \-\-token\-mode=rsa
464
will call libstoken to generate an RSA SecurID tokencode,
465
.B \-\-token\-mode=totp
466 467
will call liboath to generate an RFC 6238 time-based password, and
.B \-\-token\-mode=hotp
468 469 470
will call liboath to generate an RFC 4226 HMAC-based password. Yubikey
tokens which generate OATH codes in hardware are supported with
.B \-\-token\-mode=yubioath
471
.TP
472
.B \-\-token\-secret={ SECRET[,COUNTER] | @FILENAME }
473
The secret to use when generating one-time passwords/verification codes.
474 475 476 477
Base 32-encoded TOTP/HOTP secrets can be used by specifying "base32:" at the
beginning of the secret, and for HOTP secrets the token counter can be
specified following a comma.

478 479 480
RSA SecurID secrets can be specified as an Android/iPhone URI or a raw numeric
CTF string (with or without dashes).

481 482 483 484
For Yubikey OATH the token secret specifies the name of the credential to be
used. If not provided, the first OATH credential found on the device will be
used.

485 486 487 488
.IR FILENAME ,
if specified, can contain any of the above strings.  Or, it can contain a
SecurID XML (SDTID) seed.

489
If this option is omitted, and \-\-token\-mode is
490 491 492
"rsa", libstoken will try to use the software token seed saved in
.B ~/.stokenrc
by the "stoken import" command.
493
.TP
494
.B \-\-reconnect\-timeout
495 496 497
Keep reconnect attempts until so much seconds are elapsed. The default
timeout is 300 seconds, which means that openconnect can recover
VPN connection after a temporary network down time of 300 seconds.
498
.TP
499 500 501 502 503 504 505
.B \-\-resolve=HOST:IP
Automatically resolve the hostname
.IR HOST
to
.IR IP
instead of using the normal resolver to look it up.
.TP
506 507 508 509
.B \-\-servercert=HASH
Accept server's SSL certificate only if the provided fingerprint matches.
The allowed fingerprint types are
.IR SHA1 ,
510
.IR SHA256 ,
511
and
512 513 514 515 516 517 518
.IR PIN-SHA256 .
They are distinguished by the 'sha1:', 'sha256:' and 'pin-sha256:' prefixes to the
encoded hash. The first two are custom identifiers providing hex
encoding of the peer's public key, while 'pin-sha256:' is the RFC7469 key
PIN, which utilizes base64 encoding. To ease certain
testing use-cases, a partial match of the hash will also
be accepted, if it is at least 4 characters past the prefix.
Antonio Borneo's avatar
Antonio Borneo committed
519
.TP
520 521 522 523 524
.B \-\-useragent=STRING
Use
.I STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
525
.TP
526 527 528 529 530 531
.B \-\-version\-string=STRING
Use
.I STRING
as the software version reported to the head end.
(e.g. \-\-version\-string '2.2.0133')
.TP
532 533 534 535 536 537
.B \-\-local-hostname=STRING
Use
.I STRING
as 'X\-CSTP\-Hostname:' field value in HTTP header. For example \-\-local\-hostname 'mypc',
will advertise the value 'mypc' as the suggested hostname to point to the provided IP address.
.TP
538
.B \-\-os=STRING
539 540 541 542 543 544 545 546 547 548 549 550
OS type to report to gateway.  Recognized values are:
.BR linux ,
.BR linux\-64 ,
.BR win ,
.BR mac\-intel ,
.BR android ,
.BR apple\-ios .
Reporting a different OS type may affect the dynamic access policy (DAP)
applied to the VPN session.  If the gateway requires CSD, it will also cause
the corresponding CSD trojan binary to be downloaded, so you may need to use
.B \-\-csd\-wrapper
if this code is not executable on the local machine.
551 552 553
.SH SIGNALS
In the data phase of the connection, the following signals are handled:
.TP
554
.B SIGINT / SIGTERM
555 556 557 558 559 560 561 562 563 564 565 566
performs a clean shutdown by logging the session off, disconnecting from the
gateway, and running the vpnc\-script to restore the network configuration.
.TP
.B SIGHUP
disconnects from the gateway and runs the vpnc\-script, but does not log the
session off; this allows for reconnection later using
.BR \-\-cookie .
.TP
.B SIGUSR2
forces an immediate disconnection and reconnection; this can be used to
quickly recover from LAN IP address changes.
.TP
David Woodhouse's avatar
David Woodhouse committed
567
.SH LIMITATIONS
568
Note that although IPv6 has been tested on all platforms on which
David Woodhouse's avatar
David Woodhouse committed
569
.B openconnect
570
is known to run, it depends on a suitable
571
.B vpnc\-script
572
to configure the network. The standard
573
.B vpnc\-script
574
shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
575
.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
576
will be required.
577 578
.SH SEE ALSO
.BR ocserv (8)
David Woodhouse's avatar
David Woodhouse committed
579 580 581

.SH AUTHORS
David Woodhouse <dwmw2@infradead.org>