vpnc for Debian =============== The Debian-specific extensions "Target networks" and "DNSupdate" were deprecated in wheezy and have been removed in jessie. Please use the upstream configuration way now. See /usr/share/doc/vpnc/README.gz file for details about replacing network routes with custom ones using the variables of vpnc-script. You can either wrap /etc/vpnc/vpnc-script into a custom script which presets those variables (like documented in the example in README.gz) or use the newer connect and disconnect hooks from vpnc-script to set them separately (see below). NETWORK MANAGER AND VPNC ======================== NetworkManager does not play well with other programs that modify routes and interfaces outside of its framework. This means your VPN will go down as soon as NetworkManager decides to reconfigure your internet connection, possibly in response to discovering the newly-established VPN. Please install the network-manager-vpnc package for proper NetworkManager integration. CONFIGURATION ============= /etc/vpnc/default.conf contains a sample config for vpnc/vpnc-connect. You can uncomment and adjust the settings, or create a different configuration by copying it to, say, myvpn.conf and then select that by calling vpnc myvpn Or use the pcf2vpnc script to convert existing pcf files (Cisco client configuration), running the following command: /usr/share/vpnc/pcf2vpnc myvpn.pcf > /etc/vpnc/myvpn.conf You may edit the resulting file to add the remote username. In order to use the DNS server reported by the VPN server, please install the resolvconf package. vpnc-script, which handles routing and DNS updates, can be customized by adding hook scripts to be run on initialisation as well as before and after connecting and disconnecting. The names of the directories from where these hook scripts will be sourced are: /etc/vpnc/pre-init.d/ /etc/vpnc/connect.d/ /etc/vpnc/post-connect.d/ /etc/vpnc/disconnect.d/ /etc/vpnc/post-disconnect.d/ /etc/vpnc/reconnect.d/ (not currently used by vpnc) See the comments at the top of vpnc-script for the environment variables you have access to. (IN)SECURITY WARNING ==================== As described at this URL: , which references a Bugtraq thread starting at: ("ISSUE 2") simple XAUTH relying only on pre-shared keys ("group password" method), is not a secure way to set up a trusted connection. In addition to giving away the confidentiality of the VPN session (man-in-the-middle attack), this configuration may disclose the user's password and thus enable the attacker to establish future VPN connections on his own and/or access other services protected by that password (identity theft). Cisco has implemented a different authentication mechanism that requires the use of a certificate in the client in order to securely establish the identity of the VPN server ("Hybrid Auth", "Mutual Group Authentication"). This mechanism is not known to be vulnerable. In short: If a simple configuration file with a group key and your password is enough to establish a VPN connection (auth-mode psk), you're vulnerable. Don't use a password that can also be used in other places, and don't assume your connection to be more secure. If however establishing a VPN connection requires a certificate identifying the server in addition to a group key and your password (auth-mode hybrid), you should be safe.