This chapter explains how to use the VPN Client command-line interface (CLI) to connect to a Cisco VPN device, generate statistical reports, and disconnect from the device. You can create your own script files that use the CLI commands to perform routine tasks, such as connect to a corporate server, run reports, and then disconnect from the server.
This section lists each command, its syntax, and gives sample output for each command. It is organized by task.
Displaying a List of VPN Client Commands
To display a list of all VPN Client commands, go to the directory that contains the VPN Client software, and enter the vpnclient command at the command-line prompt:
Note The vpnclient command lists all the commands and parameters available for your platform. Not all
commands and parameters are available on all platforms.
Starting a Connectionvpnclient connect
To start a connection, enter the following command:
Table 4-1 lists the command options you can use with the vpnclient connect command, includes the task that each option performs, and gives an example of each option.
Table 4-1 Command Line Options
Notes and Examples
Name of the connection entry (.pcf file), that you have previously configured. Required.
If the filename contains spaces, enclose it in double quotes on the command line.
Example: vpnclient connect "to work"
Specifies a username for authentication; with the pwd option, suppresses the username prompt in authentication dialog. Optional.
Updates the username in the .pcf file with this name. However, if the name supplied is not valid, the VPN Client displays the authentication dialog on a subsequent request.
Example: vpnclient connect user robron pwd siltango toVPN
Erases the user password saved on the Client PC thereby forcing the VPN Client to prompt for a password. Optional.
You might have configured a connection with Saved Password to suppress a password prompt when connecting using a batch file. You can then use the eraseuserpwd to return to the more secure state of requiring password input from the console when connecting.
Example: vpnclient connect eraseuserpwd toVPN
Specifies a password for authentication; with the user option on the command line, suppresses the password prompt in authentication dialog. Optional.
If the password supplied is not valid, the VPN Client displays the authentication dialog on a subsequent request. After encrypting and using the password for the connection, the VPN Client clears the password in the .pcf file. Using this option on the command line compromises security and is not recommended.
Example: vpnclient connect user robron pwd siltango toVPN
Suppresses prompting for a certificate password. Optional.
Example: vpnclient connect nocertpwd toVPN
cliauth (Windows platforms only)
Prompts for authentication information on the command line. Eliminates the GUI prompt that displays during a connection request from the command line.
The VPN client prompts for username and password. The password is displayed as asterisks.
Example: vpnclientconnect cliauth towork
Example 4-1 vpnclient connect Command
This example shows the vpnclient connect command that connects you to the Engineering Server using the profile name "engineering"
At this point, the VPN Client displays an authentication dialog box that prompts for your username and password.
Figure 4-1 Authenticating a User
After you enter your name and password, authentication succeeds, and the command continues executing.
Example 4-2 vpn connect Command Using cliauth
Alternatively, to suppress the User Authentication window shown in Example 4-1, you can use the cliauth parameter. The command line then prompts for username and password. Using the cliauth parameter avoids having a password display in clear text on the command line.
Example 4-3 vpnclient connect Command Using Parameters
The following command connects to the remote network without user interaction. Notice that the password appears on the command line in clear text.
Displaying a Notificationvpnclient notify
When you connect, you can display a notification using the vpnclient notify command:
Example 4-4 vpnclient notify Command
The following session shows how to use the vpnclient notify command to display a notification from a network administrator.
To suspend the stateful firewall, enter the following command:
To resume a suspended stateful firewall, enter the following command;
Example 4-6 Suspending and Resuming Stateful Firewall
The following commands control the setting of the stateful firewall. The first command output shows the response displayed when the stateful firewall is not enabled when the command is executed. The next two commands, executed after enabling the stateful firewall, first suspend the firewall and then resume it.
Note If you reboot the PC after suspending the stateful firewall, the software restores the Stateful Firewall
setting to enable and this will block traffic.
Ending a Connectionvpnclient disconnect
To disconnect from your session, enter the following command:
Example 4-7 vpnclient disconnect Command
The following command disconnects you from your secure connection.
Displaying Information About Your Connectionvpnclient stat
To generate status information about your connection, enter the following command:
vpnclient stat [reset] [traffic] [tunnel] [route] [firewall] [repeat]
When entered without any of the optional parameters, the vpnclient stat command displays all status information. The following parameters are optional:
Restarts all connection counts from zero. SA stats are not reset.
Displays a summary of bytes in and out, packets encrypted and decrypted, packets bypassed, and packets discarded.
Displays IPSec tunneling information.
Displays configured routes.
Identifies the type of filewall in use and displays information generated by the firewall configuration.
Provides a continuous display, refreshing it every few seconds. To end the display, press <ctrl-C>.
The following examples show sample output from the vpnclient stat command. For more information on statistical output, see VPN Client User Guide for Windows.
Example 4-8 vpnclient stat Command
Following is an example of the information that the vpnclient stat command displays.
Example 4-9 vpnclient stat reset Command
The vpnclient stat reset command resets all connection counters.
Example 4-10 vpnclient stat traffic Command
Here is a sample of the information that the vpnclient stat traffic command generates.
Example 4-11 vpnclient stat tunnel Command
To display only tunneling information, use the vpnclient stat tunnel command. Here is a sample.
Example 4-12 vpnclient stat route Command
The vpnclient stat route command displays information similar to the following display.
Example 4-13 vpnclient stat firewall CommandWindows Only
The vpnclient stat firewall command displays information similar to the following display.
This section lists the error levels (return codes) that you can receive when using the VPN Client command-line interface.
The VPN Client connection started successfully.
The VPN Client connection has ended.
The VPN Client has generated statistical information successfully.
The enumppp command has succeeded. This command lists phone book entries when connecting to the Internet via dial-up.
An unidentifiable error has occurred during command-line parsing.
Command is missing from command-line input.
There is an error in the command entered; check spelling.
The command-line input is missing required parameter(s).
The parameter(s) in the command input are incorrect; check spelling.
The command-line input contains too many parameters.
The command entered does not require parameters.
Interprocess communication error occurred attaching to the generic interface.
Interprocess communication error occurred detaching from the generic interface.
The VPN Client failed to read the profile.
The password contains too many characters. The group password limit is 32 characters; the certificate password limit is 255 characters.
Attempts to enter a valid password have exceed the amount allowed. The limit is three times.
The connection attempt has failed; unable to connect.
The disconnect action has failed; unable to disconnect.
The attempt to display connection status has failed.
Unable to list phonebook entries.
A serious interprocess communication error has occurred.
Set console control handler failed.
Attempt to clean up after a user break failed.
Out of memory. Memory allocation failed.
Internal display error.
In communicating with the Connection Manager, an unexpected callback (response) occurred.
User quit at a banner requesting "continue?"
Cannot use the command-line interface when connected through the graphical interface dialer application.
The attempt to set the working directory has failed. This is the directory where the program files reside.
Attempt to display status has failed because there is no connection in effect.
The group name configured for the connection is too long. The limit is 128 characters.
The group password configured for the connection is too long. The limit is 32 characters.
The authentication type configured for the connection is invalid.
Interprocess communication timed out.
Failed to launch a third-party dialer.
ERR_DAEMON_NOT_RUNNING (CVPND.EXE)Non-Windows only
Connection needs to be established for command to execute.
ERR_DAEMON_ALREADY_RUNNING (CVPND.EXE)Non-Windows only
Command cannot work because connection is already established.
Application ExampleWindows Only
Here is an example of a DOS batch file (.bat) that uses CLI commands to connect to the corporate office from a branch office, run an application, and then disconnect from the corporate site.
rem assume you have generated a report in the middle of the night that needs