X-Git-Url: https://git.ozlabs.org/?p=ppp.git;a=blobdiff_plain;f=pppd%2Fpppd.8;h=b31594ac3be8b97b5b67cacd02ae55328a37ccbf;hp=b5790d9b3d1e6f3af6cf55db4eafbe63dd83da05;hb=032020241d270c53dff479a7b0eb7fe487c56a78;hpb=182f4caedee9ea797656359d8b0594c3abd5f24b diff --git a/pppd/pppd.8 b/pppd/pppd.8 index b5790d9..b31594a 100644 --- a/pppd/pppd.8 +++ b/pppd/pppd.8 @@ -55,8 +55,8 @@ non-privileged user. .I speed An option that is a decimal number is taken as the desired baud rate for the serial device. On systems such as -4.4BSD and NetBSD, any speed can be specified. Other systems -(e.g. Linux, SunOS) only support the commonly-used baud rates. +Linux, 4.4BSD and NetBSD, any speed can be specified. Other systems +(e.g. SunOS) only support the commonly-used baud rates. .TP .B asyncmap \fImap This option sets the Async-Control-Character-Map (ACCM) for this end @@ -127,12 +127,6 @@ is no other default route with the same metric. With the default value of -1, the route is only added if there is no default route at all. .TP -.B defaultroute6 -Add a default IPv6 route to the system routing tables, using the peer as -the gateway, when IPv6CP negotiation is successfully completed. -This entry is removed when the PPP connection is broken. This option -is privileged if the \fInodefaultroute6\fR option has been specified. -.TP .B replacedefaultroute This option is a flag to the defaultroute option. If defaultroute is set and this flag is also set, pppd replaces an existing default route 
@@ -266,10 +260,16 @@ compression in the corresponding direction. Use \fInobsdcomp\fR or \fIbsdcomp 0\fR to disable BSD-Compress compression entirely. .TP .B ca \fIca-file -(EAP-TLS) Use the file \fIca-file\fR as the X.509 Certificate Authority +(EAP-TLS, or PEAP) Use the file \fIca-file\fR as the X.509 Certificate Authority (CA) file (in PEM format), needed for setting up an EAP-TLS connection. This option is used on the client-side in conjunction with the \fBcert\fR -and \fBkey\fR options. +and \fBkey\fR options. Either \fIca\fR, or \fIcapath\fR options are required +for PEAP. EAP-TLS may also use the entry in eaptls-client or eaptls-server +for a CA certificate associated with a particular peer. +.TP +.B capath \fIpath +(EAP-TLS, or PEAP) Specify a location that contains public CA certificates. +Either \fIca\fR, or \fIcapath\fR options are required for PEAP. .TP .B cdtrcts Use a non-standard hardware flow control (i.e. DTR/CTS) to control @@ -326,15 +326,15 @@ negotiation by sending its first LCP packet. The default value is or \fBpty\fR option is used. .TP .B crl \fIfilename -(EAP-TLS) Use the file \fIfilename\fR as the Certificate Revocation List +(EAP-TLS, or PEAP) Use the file \fIfilename\fR as the Certificate Revocation List to check for the validity of the peer's certificate. This option is not -mandatory for setting up an EAP-TLS connection. Also see the \fBcrl-dir\fR +mandatory for setting up a TLS connection. Also see the \fBcrl-dir\fR option. .TP .B crl-dir \fIdirectory -(EAP-TLS) Use the directory \fIdirectory\fR to scan for CRL files in +(EAP-TLS, or PEAP) Use the directory \fIdirectory\fR to scan for CRL files in has format ($hash.r0) to check for the validity of the peer's certificate. -This option is not mandatory for setting up an EAP-TLS connection. +This option is not mandatory for setting up a TLS connection. Also see the \fBcrl\fR option. .TP .B debug 
@@ -354,6 +354,17 @@ Disable MRU [Maximum Receive Unit] negotiation. With this option, pppd will use the default MRU value of 1500 bytes for both the transmit and receive direction. .TP +.B defaultroute6 +Add a default IPv6 route to the system routing tables, using the peer as +the gateway, when IPv6CP negotiation is successfully completed. +This entry is removed when the PPP connection is broken. This option +is privileged if the \fInodefaultroute6\fR option has been specified. +\fBWARNING: Do not enable this option by default\fR. IPv6 routing tables +are managed by kernel (as apposite to IPv4) and IPv6 default route is +configured by kernel automatically too based on ICMPv6 Router Advertisement +packets. This option may conflict with kernel IPv6 route setup and should +be used only for broken IPv6 networks. +.TP .B deflate \fInr,nt Request that the peer compress packets that it sends, using the Deflate scheme, with a maximum window size of \fI2**nr\fR bytes, and @@ -493,6 +504,18 @@ to send configure-Rejects instead to \fIn\fR (default 10). Set the maximum number of IPCP terminate-request transmissions to \fIn\fR (default 3). .TP +.B ipcp\-no\-address +Disable negotiation of addresses via IP-Address IPCP option. +.TP +.B ipcp\-no\-addresses +Disable negotiation of addresses via old-style deprecated IP-Addresses +IPCP option. pppd by default try to use new-style IP-Address IPCP option. +If new-style is not supported by peer or is disabled by \fBipcp\-no\-address\fR +option then pppd fallbacks to old-style deprecated IP-Addresses IPCP option. +When both new-style and old-style are disabled by both \fBipcp\-no\-address\fR +and \fBipcp\-no\-addresses\fR options then negotiation of IP addresses +is completely disabled. +.TP .B ipcp\-restart \fIn Set the IPCP restart interval (retransmission timeout) to \fIn\fR seconds (default 3). 
@@ -707,6 +730,11 @@ network control protocol comes up). Terminate after \fIn\fR consecutive failed connection attempts. A value of 0 means no limit. The default value is 10. .TP +.B max-tls-version \fIstring +(EAP-TLS, or PEAP) Configures the max allowed TLS version used during +negotiation with a peer. The default value for this is \fI1.2\fR. Values +allowed for this option is \fI1.0.\fR, \fI1.1\fR, \fI1.2\fR, \fI1.3\fR. +.TP .B modem Use the modem control lines. This option is the default. With this option, pppd will wait for the CD (Carrier Detect) signal from the @@ -924,6 +952,9 @@ situation, the ppp interface can be used for routing by creating device routes, but the peer itself cannot be addressed directly for IP traffic. .TP +.B nosendip +Don't send our local IP address to peer during IP address negotiation. +.TP .B notty Normally, pppd requires a terminal device. With this option, pppd will allocate itself a pseudo-tty master/slave pair and use the slave @@ -1153,6 +1184,16 @@ The device used by pppd with this option must have sync support. Currently supports Microgate SyncLink adapters under Linux and FreeBSD 2.2.8 and later. .TP +.B tls-verify-method \fIstring +(EAP-TLS, or PEAP) Match the value specified for \fIremotename\fR to that that +of the X509 certificates subject name, common name, or suffix of the common +name. Respective values allowed for this option is: \fInone\fR, \fIsubject\fR, +\fIname\fR, or \fIsuffix\fR. The default value for this option is \fIname\fR. +.TP +.B tls-verify-key-usage +(EAP-TLS, or PEAP) Enables examination of peer certificate's purpose, and +extended key usage attributes. +.TP .B unit \fInum Sets the ppp unit number (for a ppp0 or ppp1 etc interface name) for outbound connections. If the unit is already in use a dynamically allocated number will 
@@ -1253,8 +1294,9 @@ Attach to existing PPPoE session. For backward compatibility also \fBrp_pppoe_sess\fP option name is supported. .TP .B pppoe-verbose \fIn -Be verbose about discovered access concentrators. For backward -compatibility also \fBrp_pppoe_verbose\fP option name is supported. +Be verbose about discovered access concentrators. When set to 2 or bigger +value then dump also discovery packets. For backward compatibility also +\fBrp_pppoe_verbose\fP option name is supported. .TP .B pppoe-mac \fImacaddr Connect to specified MAC address. @@ -1760,6 +1802,14 @@ IPCP has come up. The IP address for the remote end of the link. This is only set when IPCP has come up. .TP +.B LLLOCAL +The Link-Local IPv6 address for the local end of the link. This is only +set when IPV6CP has come up. +.TP +.B LLREMOTE +The Link-Local IPv6 address for the remote end of the link. This is only +set when IPV6CP has come up. +.TP .B PEERNAME The authenticated name of the peer. This is only set if the peer authenticates itself.
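
Review bot: in the "@@ -266,10 +260,16 @@" hunk, the ca entry now opens with "(EAP-TLS, or PEAP)" but its unchanged sentence still reads "needed for setting up an EAP-TLS connection", so the entry contradicts its own scope. The crl and crl-dir entries in this same patch were reworded to "a TLS connection", and ca should match. The new capath entry says only "a location that contains public CA certificates" and does not state what file naming or format is expected there, which crl-dir does give ("$hash.r0"); please document it. The new cross-references are written \fIca\fR and \fIcapath\fR while the same entry refers to \fBcert\fR and \fBkey\fR in bold, and "Either ca, or capath options are required" reads better as "Either the ca or the capath option is required".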
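
Review bot: in the "@@ -326,15 +326,15 @@" hunk, the crl-dir context sentence "to scan for CRL files in has format ($hash.r0)" is ungrammatical and is left untouched although the line directly above it is being edited. Since the entry is being revised anyway, reword it so that it states plainly that the directory is scanned for CRL files named $hash.r0.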
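
Review bot: in the "@@ -354,6 +354,17 @@" hunk, the added warning has a typo that changes the meaning: "as apposite to IPv4" should be "as opposed to IPv4". The articles are also missing ("managed by the kernel", "the IPv6 default route is configured by the kernel"). "Should be used only for broken IPv6 networks" is too vague for a warning; if "broken" means the peer does not send ICMPv6 Router Advertisements, say so, so an administrator can tell whether the option applies to them.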
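
Review bot: in the "@@ -493,6 +504,18 @@" hunk, the ipcp-no-addresses text needs a grammar pass: "pppd by default try to use" should be "pppd by default tries to use", and "then pppd fallbacks to" should be "then pppd falls back to". The two option names differ by a single trailing "s", so it would help to say in the first sentence of each entry which one is the new-style option and which is the deprecated one, rather than leaving that to the second entry only.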
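
Review bot: in the "@@ -707,6 +730,11 @@" hunk, the first allowed value is written "\fI1.0.\fR" with a stray period inside the italics, so the rendered page shows "1.0." as a literal value; it should be "\fI1.0\fR". "Values allowed for this option is" should be "are". The entry documents only an upper bound: please state what minimum version applies, because a reader who sets 1.0 or 1.1 here caps negotiation at a deprecated TLS version and the text gives no hint of that.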
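
Review bot: in the "@@ -924,6 +952,9 @@" hunk, the nosendip entry does not say how it differs from ipcp-no-address and ipcp-no-addresses, which this patch adds and which also affect IP address negotiation. One sentence on whether nosendip still lets the peer assign or announce addresses, and a cross-reference to the two ipcp options, would avoid readers picking the wrong one.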
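
Review bot: in the "@@ -1153,6 +1184,16 @@" hunk, the tls-verify-method entry lists \fInone\fR as an allowed value without saying what it does; as written, "Respective values" maps only subject, name and suffix to something, so the text should state explicitly that none disables matching of remotename against the peer certificate. There is also a doubled word in "to that that of", and "X509 certificates subject name" should be "X.509 certificate's subject name". For tls-verify-key-usage, "Enables examination" implies the check is off unless the option is given; please state the default explicitly and say what happens to the connection when the check fails.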
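
Review bot: in the "@@ -1253,8 +1294,9 @@" hunk, "When set to 2 or bigger value then dump also discovery packets" is hard to read; suggest "When set to 2 or higher, discovery packets are dumped as well". The entry takes a numeric argument but still does not say what the lower values mean or where the dump is written, which matters to anyone collecting these logs.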
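
Review bot: in the "@@ -1760,6 +1802,14 @@" hunk, both new entries spell the protocol "IPV6CP", while the defaultroute6 text in this same patch uses "IPv6CP". Use "IPv6CP" in the LLLOCAL and LLREMOTE entries so the page is consistent and searchable.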