.I speed
An option that is a decimal number is taken as the desired baud rate
for the serial device. On systems such as
-4.4BSD and NetBSD, any speed can be specified. Other systems
-(e.g. Linux, SunOS) only support the commonly-used baud rates.
+Linux, 4.4BSD and NetBSD, any speed can be specified. Other systems
+(e.g. SunOS) only support the commonly-used baud rates.
.TP
.B asyncmap \fImap
This option sets the Async-Control-Character-Map (ACCM) for this end
value of -1, the route is only added if there is no default route at
all.
.TP
-.B defaultroute6
-Add a default IPv6 route to the system routing tables, using the peer as
-the gateway, when IPv6CP negotiation is successfully completed.
-This entry is removed when the PPP connection is broken. This option
-is privileged if the \fInodefaultroute6\fR option has been specified.
+.B replacedefaultroute
+This option is a flag to the defaultroute option. If defaultroute is
+set and this flag is also set, pppd replaces an existing default route
+with the new default route. This option is privileged.
.TP
.B disconnect \fIscript
Execute the command specified by \fIscript\fR, by passing it to a
omitted. The identifier must be specified in standard ASCII notation of
IPv6 addresses (e.g. ::dead:beef). If the
\fIipv6cp\-use\-ipaddr\fR
-option is given, the local identifier is the local IPv4 address (see above).
+option is given, the local identifier is the local IPv4 address and the
+remote identifier is the remote IPv4 address (see above).
+If the \fIipv6cp-use-remotenumber\fR option is given, the remote identifier
+is set to the value from \fIremotenumber\fR option.
On systems which supports a unique persistent id, such as EUI\-48 derived
from the Ethernet MAC address, \fIipv6cp\-use\-persistent\fR option can be
-used to replace the \fIipv6 <local>,<remote>\fR option. Otherwise the
-identifier is randomized.
+used to set local identifier. Otherwise both local and remote identifiers
+are randomized.
.TP
.B active\-filter \fIfilter\-expression
Specifies a packet filter to be applied to data packets to determine
\fIbsdcomp 0\fR to disable BSD-Compress compression entirely.
.TP
.B ca \fIca-file
-(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority
+(EAP-TLS, or PEAP) Use the file \fIca-file\fR as the X.509 Certificate Authority
(CA) file (in PEM format), needed for setting up an EAP-TLS connection.
This option is used on the client-side in conjunction with the \fBcert\fR
-and \fBkey\fR options.
+and \fBkey\fR options. Either \fIca\fR, or \fIcapath\fR options are required
+for PEAP. EAP-TLS may also use the entry in eaptls-client or eaptls-server
+for a CA certificate associated with a particular peer.
+.TP
+.B capath \fIpath
+(EAP-TLS, or PEAP) Specify a location that contains public CA certificates.
+Either \fIca\fR, or \fIcapath\fR options are required for PEAP.
.TP
.B cdtrcts
Use a non-standard hardware flow control (i.e. DTR/CTS) to control
.B chap-timeout \fIn
Set timeout for CHAP authentication by peer to \fIn\fR seconds (default 60).
.TP
+.B chapms\-strip\-domain
+Some Windows 9x/ME clients might be transmitting the MS domain before the
+username in the provided client name. This option enables stripping the domain
+from the client name on the server side before matching it against the secret
+file.
+.TP
.B child\-timeout \fIn
When exiting, wait for up to \fIn\fR seconds for any child processes
(such as the command specified with the \fBpty\fR command) to exit
or \fBpty\fR option is used.
.TP
.B crl \fIfilename
-(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List
+(EAP-TLS, or PEAP) Use the file \fIfilename\fR as the Certificate Revocation List
to check for the validity of the peer's certificate. This option is not
-mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR
+mandatory for setting up a TLS connection. Also see the \fBcrl-dir\fR
option.
.TP
.B crl-dir \fIdirectory
-(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in
+(EAP-TLS, or PEAP) Use the directory \fIdirectory\fR to scan for CRL files in
has format ($hash.r0) to check for the validity of the peer's certificate.
-This option is not mandatory for setting up an EAP-TLS connection.
+This option is not mandatory for setting up a TLS connection.
Also see the \fBcrl\fR option.
.TP
.B debug
pppd will use the default MRU value of 1500 bytes for both the
transmit and receive direction.
.TP
+.B defaultroute6
+Add a default IPv6 route to the system routing tables, using the peer as
+the gateway, when IPv6CP negotiation is successfully completed.
+This entry is removed when the PPP connection is broken. This option
+is privileged if the \fInodefaultroute6\fR option has been specified.
+\fBWARNING: Do not enable this option by default\fR. IPv6 routing tables
+are managed by kernel (as apposite to IPv4) and IPv6 default route is
+configured by kernel automatically too based on ICMPv6 Router Advertisement
+packets. This option may conflict with kernel IPv6 route setup and should
+be used only for broken IPv6 networks.
+.TP
.B deflate \fInr,nt
Request that the peer compress packets that it sends, using the
Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and
Set the maximum number of IPCP terminate-request transmissions to
\fIn\fR (default 3).
.TP
+.B ipcp\-no\-address
+Disable negotiation of addresses via IP-Address IPCP option.
+.TP
+.B ipcp\-no\-addresses
+Disable negotiation of addresses via old-style deprecated IP-Addresses
+IPCP option. pppd by default try to use new-style IP-Address IPCP option.
+If new-style is not supported by peer or is disabled by \fBipcp\-no\-address\fR
+option then pppd fallbacks to old-style deprecated IP-Addresses IPCP option.
+When both new-style and old-style are disabled by both \fBipcp\-no\-address\fR
+and \fBipcp\-no\-addresses\fR options then negotiation of IP addresses
+is completely disabled.
+.TP
.B ipcp\-restart \fIn
Set the IPCP restart interval (retransmission timeout) to \fIn\fR
seconds (default 3).
.TP
.B ipparam \fIstring
-Provides an extra parameter to the ip\-up, ip\-pre\-up and ip\-down
+Provides an extra parameter most of the notification scripts, most notably
+ip\-up, ip\-pre\-up, ip\-down, ipv6\-up, ipv6\-down, auth\-up and auth\-down
scripts. If this
option is given, the \fIstring\fR supplied is given as the 6th
parameter to those scripts.
IPv6 interface identifier, even if the remote IPv6 interface
identifier was specified in an option.
.TP
+.B ipv6cp\-noremote
+Allow pppd to operate without having an IPv6 link local address for the peer.
+This option is only available under Linux. Normally, pppd will request the
+peer's IPv6 interface identifier (used for composing IPv6 link local address),
+and if the peer does not supply it, pppd will generate one for the peer.
+With this option, if the peer does not supply its IPv6 interface identifier,
+pppd will not ask the peer for it, and will not set the destination IPv6
+link local address of the ppp interface. In this situation, the ppp interface
+can be used for routing by creating device routes, but the peer itself cannot
+be addressed directly for IPv6 traffic until the peer starts announcing ICMPv6
+Router Advertisement or ICMPv6 Neighbor Advertisement packets. Note that IPv6
+router must announce ICMPv6 Router Advertisement packets.
+.TP
+.B ipv6cp\-nosendip
+Don't send our local IPv6 interface identifier to peer during IPv6 interface
+identifier negotiation.
+.TP
.B ipv6cp\-max\-configure \fIn
Set the maximum number of IPv6CP configure-request transmissions to
\fIn\fR (default 10).
Set the IPv6CP restart interval (retransmission timeout) to \fIn\fR
seconds (default 3).
.TP
-.B ipx
-Enable the IPXCP and IPX protocols. This option is presently only
-supported under Linux, and only if your kernel has been configured to
-include IPX support.
-.TP
-.B ipx\-network \fIn
-Set the IPX network number in the IPXCP configure request frame to
-\fIn\fR, a hexadecimal number (without a leading 0x). There is no
-valid default. If this option is not specified, the network number is
-obtained from the peer. If the peer does not have the network number,
-the IPX protocol will not be started.
-.TP
-.B ipx\-node \fIn\fB:\fIm
-Set the IPX node numbers. The two node numbers are separated from each
-other with a colon character. The first number \fIn\fR is the local
-node number. The second number \fIm\fR is the peer's node number. Each
-node number is a hexadecimal number, at most 10 digits long. The node
-numbers on the ipx\-network must be unique. There is no valid
-default. If this option is not specified then the node numbers are
-obtained from the peer.
-.TP
-.B ipx\-router\-name \fI<string>
-Set the name of the router. This is a string and is sent to the peer
-as information data.
-.TP
-.B ipx\-routing \fIn
-Set the routing protocol to be received by this option. More than one
-instance of \fIipx\-routing\fR may be specified. The '\fInone\fR'
-option (0) may be specified as the only instance of ipx\-routing. The
-values may be \fI0\fR for \fINONE\fR, \fI2\fR for \fIRIP/SAP\fR, and
-\fI4\fR for \fINLSP\fR.
-.TP
-.B ipxcp\-accept\-local
-Accept the peer's NAK for the node number specified in the ipx\-node
-option. If a node number was specified, and non-zero, the default is
-to insist that the value be used. If you include this option then you
-will permit the peer to override the entry of the node number.
-.TP
-.B ipxcp\-accept\-network
-Accept the peer's NAK for the network number specified in the
-ipx\-network option. If a network number was specified, and non-zero, the
-default is to insist that the value be used. If you include this
-option then you will permit the peer to override the entry of the node
-number.
-.TP
-.B ipxcp\-accept\-remote
-Use the peer's network number specified in the configure request
-frame. If a node number was specified for the peer and this option was
-not specified, the peer will be forced to use the value which you have
-specified.
-.TP
-.B ipxcp\-max\-configure \fIn
-Set the maximum number of IPXCP configure request frames which the
-system will send to \fIn\fR. The default is 10.
-.TP
-.B ipxcp\-max\-failure \fIn
-Set the maximum number of IPXCP NAK frames which the local system will
-send before it rejects the options. The default value is 3.
-.TP
-.B ipxcp\-max\-terminate \fIn
-Set the maximum number of IPXCP terminate request frames before the
-local system considers that the peer is not listening to them. The
-default value is 3.
-.TP
.B kdebug \fIn
Enable debugging code in the kernel-level PPP driver. The argument
values depend on the specific kernel driver, but in general a value of
Terminate after \fIn\fR consecutive failed connection attempts. A
value of 0 means no limit. The default value is 10.
.TP
+.B max-tls-version \fIstring
+(EAP-TLS, or PEAP) Configures the max allowed TLS version used during
+negotiation with a peer. The default value for this is \fI1.2\fR. Values
+allowed for this option is \fI1.0.\fR, \fI1.1\fR, \fI1.2\fR, \fI1.3\fR.
+.TP
.B modem
Use the modem control lines. This option is the default. With this
option, pppd will wait for the CD (Carrier Detect) signal from the
.TP
.B nodefaultroute
Disable the \fIdefaultroute\fR option. The system administrator who
-wishes to prevent users from creating default routes with pppd
+wishes to prevent users from adding a default route with pppd
can do so by placing this option in the /etc/ppp/options file.
.TP
+.B noreplacedefaultroute
+Disable the \fIreplacedefaultroute\fR option. This allows to disable a
+\fIreplacedefaultroute\fR option set previously in the configuration.
+.TP
.B nodefaultroute6
Disable the \fIdefaultroute6\fR option. The system administrator who
wishes to prevent users from adding a default route with pppd
address during IPCP negotiation (unless it specified explicitly on the
command line or in an options file).
.TP
-.B noipx
-Disable the IPXCP and IPX protocols. This option should only be
-required if the peer is buggy and gets confused by requests from pppd
-for IPXCP negotiation.
-.TP
.B noktune
Opposite of the \fIktune\fR option; disables pppd from changing system
settings.
device routes, but the peer itself cannot be addressed directly for IP
traffic.
.TP
+.B nosendip
+Don't send our local IP address to peer during IP address negotiation.
+.TP
.B notty
Normally, pppd requires a terminal device. With this option, pppd
will allocate itself a pseudo-tty master/slave pair and use the slave
Currently supports Microgate SyncLink adapters
under Linux and FreeBSD 2.2.8 and later.
.TP
+.B tls-verify-method \fIstring
+(EAP-TLS, or PEAP) Match the value specified for \fIremotename\fR to that that
+of the X509 certificates subject name, common name, or suffix of the common
+name. Respective values allowed for this option is: \fInone\fR, \fIsubject\fR,
+\fIname\fR, or \fIsuffix\fR. The default value for this option is \fIname\fR.
+.TP
+.B tls-verify-key-usage
+(EAP-TLS, or PEAP) Enables examination of peer certificate's purpose, and
+extended key usage attributes.
+.TP
.B unit \fInum
Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound
connections. If the unit is already in use a dynamically allocated number will
/etc/ppp/resolv.conf file containing one or two nameserver lines with
the address(es) supplied by the peer.
.TP
+.B usepeerwins
+Ask the peer for up to 2 WINS server addresses. The addresses supplied
+by the peer (if any) are passed to the /etc/ppp/ip\-up script in the
+environment variables WINS1 and WINS2, and the environment variable
+USEPEERWINS will be set to 1.
+.LP
+Please note that some modems (like the Huawei E220) requires this option in
+order to avoid a race condition that results in the incorrect DNS servers
+being assigned.
+.TP
.B user \fIname
Sets the name used for authenticating the local system to the peer to
\fIname\fR.
\fBrp_pppoe_sess\fP option name is supported.
.TP
.B pppoe-verbose \fIn
-Be verbose about discovered access concentrators. For backward
-compatibility also \fBrp_pppoe_verbose\fP option name is supported.
+Be verbose about discovered access concentrators. When set to 2 or bigger
+value then dump also discovery packets. For backward compatibility also
+\fBrp_pppoe_verbose\fP option name is supported.
.TP
.B pppoe-mac \fImacaddr
Connect to specified MAC address.
The IP address for the remote end of the link. This is only set when
IPCP has come up.
.TP
+.B LLLOCAL
+The Link-Local IPv6 address for the local end of the link. This is only
+set when IPV6CP has come up.
+.TP
+.B LLREMOTE
+The Link-Local IPv6 address for the remote end of the link. This is only
+set when IPV6CP has come up.
+.TP
.B PEERNAME
The authenticated name of the peer. This is only set if the peer
authenticates itself.
If the peer supplies DNS server addresses, this variable is set to the
second DNS server address supplied (whether or not the usepeerdns
option was given).
+.TP
+.B WINS1
+If the peer supplies WINS server addresses, this variable is set to the
+first WINS server address supplied.
+.TP
+.B WINS2
+If the peer supplies WINS server addresses, this variable is set to the
+second WINS server address supplied.
+.P
.P
Pppd invokes the following scripts, if they exist. It is not an error
if they don't exist.
A program or script which is executed after the remote system
successfully authenticates itself. It is executed with the parameters
.IP
-\fIinterface\-name peer\-name user\-name tty\-device speed\fR
+\fIinterface\-name peer\-name user\-name tty\-device speed ipparam\fR
.IP
Note that this script is not executed if the peer doesn't authenticate
itself, for example when the \fInoauth\fR option is used.
longer be transmitted on the link. It is executed with the same parameters
as the ipv6\-up script.
.TP
-.B /etc/ppp/ipx\-up
-A program or script which is executed when the link is available for
-sending and receiving IPX packets (that is, IPXCP has come up). It is
-executed with the parameters
-.IP
-\fIinterface\-name tty\-device speed network\-number local\-IPX\-node\-address
-remote\-IPX\-node\-address local\-IPX\-routing\-protocol remote\-IPX\-routing\-protocol
-local\-IPX\-router\-name remote\-IPX\-router\-name ipparam pppd\-pid\fR
-.IP
-The local\-IPX\-routing\-protocol and remote\-IPX\-routing\-protocol field
-may be one of the following:
-.IP
-NONE to indicate that there is no routing protocol
-.br
-RIP to indicate that RIP/SAP should be used
-.br
-NLSP to indicate that Novell NLSP should be used
-.br
-RIP NLSP to indicate that both RIP/SAP and NLSP should be used
-.TP
-.B /etc/ppp/ipx\-down
-A program or script which is executed when the link is no longer
-available for sending and receiving IPX packets. This script can be
-used for undoing the effects of the /etc/ppp/ipx\-up script. It is
-invoked in the same manner and with the same parameters as the ipx\-up
-script.
-.SH FILES
-.TP
.B /var/run/ppp\fIn\fB.pid \fR(BSD or Linux), \fB/etc/ppp/ppp\fIn\fB.pid \fR(others)
Process-ID for pppd process on ppp interface unit \fIn\fR.
.TP
projects / ppp.git / blobdiff