Thursday, October 09, 2008

Cisco PCF files

I was recently asked to prep some vpn profiles files for a customer as I have been playing around with Cisco PIX firewalls. Playing with a Cisco PIX firewall is NOT an indication that I know all about it and that I know all about the cisco pcf file format. However I found out that a .pcf file a flat text file you can modify with vi to your licking. A basic file looks like this the one below. All you have to know is what the meaning is of every line and you can create a .pcf file.


Description=some-name
!Host=10.20.30.40
!AuthType=1
!GroupName=
!GroupPwd=
!enc_GroupPwd=
EnableISPConnect=0
ISPConnectType=0
ISPConnect=
ISPCommand=
Username=
SaveUserPassword=0
UserPassword=
enc_UserPassword=
!NTDomain=
!EnableBackup=0
!BackupServer=
!EnableMSLogon=1
!MSLogonType=0
!EnableNat=1
!TunnelingMode=0
!TcpTunnelingPort=10000
CertStore=0
CertName=
CertPath=
CertSubjectName=
CertSerialHash=00000000000000000000000000000000
SendCertChain=0
VerifyCertDN=
DHGroup=2
ForceKeepAlives=1
PeerTimeout=90
!EnableLocalLAN=0
!EnableSplitDNS=1
ISPPhonebook=


So a short explanation of the main options you have in a pcf file.

Description
The Description is a string of maximum 246 alphanumeric characters describing the use of the VPN connection

Host
The Host line is used to provide a IP address of the VPN server/device or the domain name. Max 255 alphanumeric characters!

AuthType
The AuthType will define the way the user is athenticated against the server/device. 1 = Pre-shared keys (default)
3 = Digital Certificate using an RSA signature. 5 = Mutual authentication

GroupName
The name of the IPSec group that contains this user. Used with pre-shared keys. The exact name of the IPSec group configured on the VPN central-site device. Maximum 32 alphanumeric characters. Case-sensitive.

GroupPwd
Group Password. The password for the IPSec group that contains this user. Used with pre-shared keys. The first time the VPN Client reads this password, it replaces it with an encypted one (enc_GroupPwd). The exact password for the IPSec group configured on the VPN central-site device. Minimum of 4, maximum 32 alphanumeric characters. Case-sensitive clear text.

encGroupPwd
The password for the IPSec group that contains the user. Used with pre-shared keys. This is the scrambled version of the GroupPwd. Binary data represented as alphanumeric text.

EnableISPConnect
Connect to the Internet via Dial-Up Networking. Specifies whether the VPN Client automatically connects to an ISP before initiating the IPSec connection; determines whether to use PppType parameter. 0 = ISPConnect (default) 1 = ISPCommand. The VPN Client GUI ignores a read-only setting on this parameter.

ISPConnect
Dial-Up Networking Phonebook Entry (Microsoft). Use this parameter to dial into the Microsoft network; dials the specified dial-up networking phone book entry for the user's connection. Applies only if EnableISPconnect=1 and ISPConnectType=0.

ISPCommand
Dial-Up Networking Phonebook Entry (command). Use this parameter to specify a command to dial the user's ISP dialer. Applies only if EnableISPconnect=1 and ISPConnectType=1. Command string: This variable includes the pathname to the command and the name of the command complete with arguments; for example: "c:\isp\ispdialer.exe dialEngineering" Maximum 512 alphanumeric characters.

Username
User Authentication: Username. The name that authenticates a user as a valid member of the IPSec group specified in GroupName. The exact username. Case-sensitive, clear text, maximum of 32 characters. The VPN Client prompts the user for this value during user authentication.

UserPassword
User Authentication: Password. The password used during extended authentication. The first time the VPN Client reads this password, it saves it in the file as the enc_UserPassword and deletes the clear-text version. If SaveUserPassword is disabled, then the VPN Client deletes the UserPassword and does not create an encrypted version. You should only modify this parameter manually if there is no GUI interface to manage profiles.

encUserPassword
Scrambled version of the user's password

SaveUserPassword
Determines whether or not the user password or its encrypted version are valid in the profile. This value is pushed down from the VPN central-site device. 0 = (default) do not allow user to save password information locally. 1 = allow user to save password locally.

NTDomain
User Authentication: Domain. The NT Domain name configured for the user's IPSec group. Applies only to user authentication via a Windows NT Domain server. Maximum 14 alphanumeric characters. Underbars are not allowed.

EnableBackup
Enable backup server(s) specifies whether to use backup servers if the primary server is not available. 0 = Disable (default) 1 = Enable.

BackupServer
(Backup server list). List of hostnames or IP addresses of backup servers. Applies only if EnableBackup=1. Legitimate Internet hostnames, or IP addresses in dotted decimal notation. Separate multiple entries by commas. Maximum of 255 characters in length.

EnableMSLogon
Logon to Microsoft Network. Specifies that users log on to a Microsoft network.Applies only to systems running Windows 9x. 0 = Disable 1 = Enable (Default)

MSLogonType
Use default system logon credentials. Prompt for network logon credentials. Specifies whether the Microsoft network accepts the user's Windows username and password for logon, or whether the Microsoft network prompts for a username and password. Applies only if EnableMSLogon=1. 0 = (default) Use default system logon credentials; i.e., use the Windows logon username and password. 1 = Prompt for network logon username and password.

EnableNat
Enable Transparent Tunneling. Allows secure transmission between the VPN Client and a secure gateway through a router serving as a firewall, which may also be performing NAT or PAT. 0 = Disable 1 = Enable (default)

TunnelingMode
Specifies the mode of transparent tunneling, over UDP or over TCP; must match that used by the secure gateway with which you are connecting. 0 = UDP (default)1 = TCP

TCPTunnelingPort
Specifies the TCP port number, which must match the port number configured on the secure gateway. Port number from 1 through 65545 Default = 10000

EnableLocalLAN
Allow Local LAN Access. Specifies whether to enable access to resources on a local LAN at the Client site while connected through a secure gateway to a VPN device at a central site. 0 = Disable (default) 1 = Enable

PeerTimeout
Peer response time-out The number of seconds to wait before terminating a connection because the VPN central-site device on the other end of the tunnel is not responding. Number of seconds Minimum = 30 seconds Maximum = 480 seconds Default = 90 seconds

CertStore
Certificate Store. Identifies the type of store containing the configured certificate. 0 = No certificate (default) 1 = Cisco 2 = Microsoft The VPN Client GUI ignores a read-only (!) setting on this parameter.

CertName
Certificate Name. Identifies the certificate used to connect to a VPN central-site device. Maximum 129 alphanumeric characters The VPN Client GUI ignores a read-only setting on this parameter.

CertPath
The complete pathname of the directory containing the certificate file. Maximum 259 alphanumeric characters The VPN Client GUI ignores a read-only setting on this parameter.

CertSubjectName
The fully qualified distinguished name (DN) of certificate's owner. If present, the VPN Dialer enters the value for this parameter. Either do not include this parameter or leave it blank. The VPN Client GUI ignores a read-only setting on this parameter.

CertSerialHash
A hash of the certificate's complete contents, which provides a means of validating the authenticity of the certificate. If present, the VPN Dialer enters the value for this parameter. Either do not include this parameter or leave it blank. The VPN Client GUI ignores a read-only setting on this parameter.

SendCertChain
Sends the chain of CA certificates between the root certificate and the identity certificate plus the identity certificate to the peer for validation of the identity certificate. 0 = disable (default) 1 = enable

VerifyCertDN
Prevents a user from connecting to a valid gateway by using a stolen but valid certificate and a hijacked IP address. If the attempt to verify the domain name of the peer certificate fails, the client connection also fails.

DHGroup
Allows a network administrator to override the default group value on a VPN device used to generate Diffie- Hellman key pairs.

RadiusSDI
Tells the VPN Client to assume that Radius SDI is being used for extended authentication (XAuth).

SDIUseHardwareToken
Enables a connection entry to avoid using RSA SoftID software.

EnableSplitDNS
Determines whether the connection entry is using splitDNS, which can direct packets in clear text over the Internet to domains served through an external DNS or through an IPSec tunnel to domains served by a corporate DNS. This feature is configured on the VPN 3000 Concentrator and is used in a split-tunneling connection.

UseLegacyIKEPort
Changes the default IKE port from 500/4500 to dynamic ports to be used during all connections. You must explicitly enter this parameter into the .pcf file.

ForceNetlogin
(windows-only) Enables the Force Net Login feature for this connection profile.


Post a Comment