Here is a short explanation of the main options available in a .pcf file.
The Description is a string of at most 246 alphanumeric characters describing the use of the VPN connection.
The Host line provides the IP address or domain name of the VPN server/device. Maximum 255 alphanumeric characters.
The AuthType defines how the user is authenticated against the server/device. 1 = Pre-shared keys (default) 3 = Digital Certificate using an RSA signature 5 = Mutual authentication
The name of the IPSec group that contains this user. Used with pre-shared keys. The exact name of the IPSec group configured on the VPN central-site device. Maximum 32 alphanumeric characters. Case-sensitive.
Group Password. The password for the IPSec group that contains this user. Used with pre-shared keys. The first time the VPN Client reads this password, it replaces it with an encrypted one (enc_GroupPwd). The exact password for the IPSec group configured on the VPN central-site device. Minimum of 4, maximum 32 alphanumeric characters. Case-sensitive clear text.
The password for the IPSec group that contains the user. Used with pre-shared keys. This is the scrambled version of the GroupPwd. Binary data represented as alphanumeric text.
Connect to the Internet via Dial-Up Networking. Specifies whether the VPN Client automatically connects to an ISP before initiating the IPSec connection; determines whether to use PppType parameter. 0 = ISPConnect (default) 1 = ISPCommand. The VPN Client GUI ignores a read-only setting on this parameter.
Dial-Up Networking Phonebook Entry (Microsoft). Use this parameter to dial into the Microsoft network; dials the specified dial-up networking phone book entry for the user's connection. Applies only if EnableISPconnect=1 and ISPConnectType=0.
Dial-Up Networking Phonebook Entry (command). Use this parameter to specify a command to dial the user's ISP dialer. Applies only if EnableISPconnect=1 and ISPConnectType=1. Command string: This variable includes the pathname to the command and the name of the command complete with arguments; for example: "c:\isp\ispdialer.exe dialEngineering" Maximum 512 alphanumeric characters.
User Authentication: Username. The name that authenticates a user as a valid member of the IPSec group specified in GroupName. The exact username. Case-sensitive, clear text, maximum of 32 characters. The VPN Client prompts the user for this value during user authentication.
User Authentication: Password. The password used during extended authentication. The first time the VPN Client reads this password, it saves it in the file as the enc_UserPassword and deletes the clear-text version. If SaveUserPassword is disabled, then the VPN Client deletes the UserPassword and does not create an encrypted version. You should only modify this parameter manually if there is no GUI interface to manage profiles.
Scrambled version of the user's password
Determines whether or not the user password or its encrypted version are valid in the profile. This value is pushed down from the VPN central-site device. 0 = (default) do not allow user to save password information locally. 1 = allow user to save password locally.
User Authentication: Domain. The NT Domain name configured for the user's IPSec group. Applies only to user authentication via a Windows NT Domain server. Maximum 14 alphanumeric characters. Underbars are not allowed.
Enable backup server(s) specifies whether to use backup servers if the primary server is not available. 0 = Disable (default) 1 = Enable.
(Backup server list). List of hostnames or IP addresses of backup servers. Applies only if EnableBackup=1. Legitimate Internet hostnames, or IP addresses in dotted decimal notation. Separate multiple entries by commas. Maximum of 255 characters in length.
Logon to Microsoft Network. Specifies that users log on to a Microsoft network. Applies only to systems running Windows 9x. 0 = Disable 1 = Enable (default)
Use default system logon credentials. Prompt for network logon credentials. Specifies whether the Microsoft network accepts the user's Windows username and password for logon, or whether the Microsoft network prompts for a username and password. Applies only if EnableMSLogon=1. 0 = (default) Use default system logon credentials; i.e., use the Windows logon username and password. 1 = Prompt for network logon username and password.
Enable Transparent Tunneling. Allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or PAT. 0 = Disable 1 = Enable (default)
Specifies the mode of transparent tunneling, over UDP or over TCP; must match that used by the secure gateway with which you are connecting. 0 = UDP (default) 1 = TCP
Specifies the TCP port number, which must match the port number configured on the secure gateway. Port number from 1 through 65545. Default = 10000
Allow Local LAN Access. Specifies whether to enable access to resources on a local LAN at the Client site while connected through a secure gateway to a VPN device at a central site. 0 = Disable (default) 1 = Enable
Peer response time-out. The number of seconds to wait before terminating a connection because the VPN central-site device on the other end of the tunnel is not responding. Number of seconds. Minimum = 30 seconds. Maximum = 480 seconds. Default = 90 seconds.
Certificate Store. Identifies the type of store containing the configured certificate. 0 = No certificate (default) 1 = Cisco 2 = Microsoft. The VPN Client GUI ignores a read-only (!) setting on this parameter.
Certificate Name. Identifies the certificate used to connect to a VPN central-site device. Maximum 129 alphanumeric characters. The VPN Client GUI ignores a read-only setting on this parameter.
The complete pathname of the directory containing the certificate file. Maximum 259 alphanumeric characters. The VPN Client GUI ignores a read-only setting on this parameter.
The fully qualified distinguished name (DN) of the certificate's owner. If present, the VPN Dialer enters the value for this parameter. Either do not include this parameter or leave it blank. The VPN Client GUI ignores a read-only setting on this parameter.
A hash of the certificate's complete contents, which provides a means of validating the authenticity of the certificate. If present, the VPN Dialer enters the value for this parameter. Either do not include this parameter or leave it blank. The VPN Client GUI ignores a read-only setting on this parameter.
Sends the chain of CA certificates between the root certificate and the identity certificate plus the identity certificate to the peer for validation of the identity certificate. 0 = disable (default) 1 = enable
Prevents a user from connecting to a valid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the client connection also fails.
Allows a network administrator to override the default group value on a VPN device used to generate Diffie-Hellman key pairs.
Tells the VPN Client to assume that Radius SDI is being used for extended authentication (XAuth).
Enables a connection entry to avoid using RSA SoftID software.
Determines whether the connection entry is using splitDNS, which can direct packets in clear text over the Internet to domains served through an external DNS or through an IPSec tunnel to domains served by a corporate DNS. This feature is configured on the VPN 3000 Concentrator and is used in a split-tunneling connection.
Changes the default IKE port from 500/4500 to dynamic ports to be used during all connections. You must explicitly enter this parameter into the .pcf file.
(Windows only) Enables the Force Net Login feature for this connection profile.
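The limits given above for Description, Host, AuthType, GroupName and GroupPwd, together with the notes on GroupPwd, UserPassword, their enc_ versions and SaveUserPassword, can be checked mechanically before a profile is distributed. The following is an added example, not part of the original page or of any Cisco tool; it assumes the profile is INI-style text with a [main] section, and the function name audit_pcf and the sample profile are made up for illustration.

```python
import configparser

# Length limits (min, max) quoted from the parameter descriptions on this page.
LIMITS = {"description": (0, 246), "host": (1, 255),
          "groupname": (0, 32), "grouppwd": (4, 32)}
AUTH_TYPES = {"1", "3", "5"}  # pre-shared keys, RSA certificate, mutual auth

def audit_pcf(text):
    """Return a list of findings for one .pcf profile passed as a string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    # configparser lower-cases keywords; a leading "!" marks a read-only one.
    params = {k.lstrip("!"): v.strip() for k, v in cp["main"].items()}
    findings = []
    if not params.get("host"):
        findings.append("host: missing or empty")
    for key, (lo, hi) in LIMITS.items():
        val = params.get(key, "")
        if val and not lo <= len(val) <= hi:
            findings.append(f"{key}: length {len(val)} outside {lo}-{hi}")
    auth = params.get("authtype", "1")  # 1 is the documented default
    if auth not in AUTH_TYPES:
        findings.append(f"authtype: unsupported value {auth!r}")
    # Clear-text secrets should have been replaced by the client on first read.
    for key in ("grouppwd", "userpassword"):
        if params.get(key):
            findings.append(f"{key}: clear-text secret stored in profile")
    # Scrambled copies are still credentials at rest in a distributable file.
    for key in ("enc_grouppwd", "enc_userpassword"):
        if params.get(key):
            findings.append(f"{key}: scrambled secret stored in profile")
    if params.get("saveuserpassword") == "1":
        findings.append("saveuserpassword: user password may be saved locally")
    return findings

# Constructed sample profile (not a real deployment).
SAMPLE = """[main]
Description=Head office tunnel
Host=vpn.example.com
AuthType=1
GroupName=engineering
!GroupPwd=abc
enc_GroupPwd=
UserPassword=
SaveUserPassword=1
"""

if __name__ == "__main__":
    for finding in audit_pcf(SAMPLE):
        print(finding)
```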