The goal of this section is to explain how to generate Certificates, convert Certificates to PEM format and import Certificates into TheGreenBow IPSec VPN Client.
Certificate User Guide
For users who want to use Certificates, we provide a User Guide that details the procedure to generate and use certificates with our IPSec VPN Client.
Certificate generation tool
A third-party Certification Authority is required to generate X509 Certificates and to open a VPN tunnel securely. There are many options for generating Certificates, such as Microsoft Certificates server (i.e. Microsoft Certificate Service) available under Windows 2000-2003 Server, OpenSSL, or some VPN routers themselves.
IPSec VPN Client command line
Stop the IPSec VPN Client
TheGreenBow IPSec VPN Client can be stopped at any time with the command line option: "/stop"
Example: " vpnconf.exe /stop "
This functionality allows the IPSec VPN Client to be called within a script, opening the IPSec
VPN Client as the network connection is starting, closing the IPSec VPN Client as the connection ends.
Note: If one or several tunnels are active, they are correctly closed.
Open and Close VPN connections
TheGreenBow IPSec VPN Client can open and close VPN connections at any time with the command line options: "/open", "/close"
This option opens a VPN tunnel.
Example: vpnconf.exe /open :Corporate-gateway1
This option closes a VPN tunnel.
Example: vpnconf.exe /close :"Home gateway-cnx1" (double quote required because name contains a space character).
Import a VPN Configuration
TheGreenBow IPSec VPN Client can import a specific VPN configuration file using the command line options:
"/import:" or "/importonce:"
Example: " vpnconf.exe /importonce:"C:\My documents\config.tgb" "
- /import: may be used whether the IPSec VPN Client is running or not. When the IPSec VPN Client is already
running, it dynamically imports the new VPN configuration and automatically applies it (i.e. restarts
the IKE service). If the IPSec VPN Client is not running, it is launched with the new VPN configuration.
The "/import" option can be used to open a tunnel with a double-click on a "tgb" file
(also called the "dial-up" mode). For example, this allows opening a tunnel with a double-click on a 'tgb'
file from the desktop, or deploying a configuration by email.
- /importonce: imports a VPN configuration file without running the IPSec VPN Client. This command
is especially useful in installation scripts: it allows running a silent installation and importing a VPN
- /replace: replaces the current configuration with a new VPN Configuration. This feature is available in software release 4.1 and older, and may be used instead of the /importonce option to import a VPN configuration file without running the VPN Client.
- /add: imports a new VPN Configuration into an existing VPN Configuration and merges both
into a single VPN Configuration. This command line may be used whether the VPN Client is
running or not. This command doesn't start the VPN Client if it is not already running.
Since release 3.1 of TheGreenBow IPSec VPN Client, certificates can be embedded within
a configuration file to be imported. For more details, see the IPSec VPN Client User Guide.
Export a VPN Configuration
TheGreenBow IPSec VPN Client can export a specific IPSec VPN configuration file using the command line options:
"/export:" or "/exportonce:"
Example: " vpnconf.exe /export:"C:\My documents\export.tgb" "
- /export: may be used whether the IPSec VPN Client is running or not. When the IPSec VPN Client is already
running, it dynamically exports the VPN configuration. If the IPSec VPN Client is not running, it is launched
after having exported the configuration.
- /exportonce: exports a VPN configuration file without running the IPSec VPN Client. This command
is especially useful in installation scripts: it allows running a silent uninstallation and exporting a VPN
All 6 arguments "import", "importonce", "export", "exportonce", "replace" and "add" are mutually exclusive and cannot be used together.
Best implementations using IPSec VPN Client command line
- Devolution: Remote Desktop Manager is an application used to manage all your remote connections and virtual machines. Add, edit, delete, share, organize and find your remote connection quickly. Devolution developed a plugin to start/open tunnels before opening the RDP session and to import a VPN configuration file. Pretty cool, see the tutorial video.
IPSec VPN Client Deployment tools
Embedded VPN Configuration
A specific VPN Configuration file can be embedded within the VPN Setup. This VPN Configuration will be automatically imported the first time the software is run. This feature makes it possible to embed a pre-configured VPN configuration and to deploy "customized" setups to end-users.
See our Deployment Guide for details about how to embed a VPN Configuration in a VPN setup.
VPN Setup Options
The VPN Setup handles several command line options. These options are used to customize the Software installation and must be preceded by 2 dashes.
Defines the way the software will start:
- 1: the software will automatically start after Windows logon. For opening a VPN tunnel before logon, please have a look at the 'Gina Mode' in the IPSec VPN Client User Guide
- 2: the software will start only when it is run by the end-user.
Defines the way the software will be displayed to the end-user (the 'guidefs' option):
- full: Configuration Panel
- user: Connection Panel
- hidden: No GUI can be displayed by the end-user.
The end-user can only open/close tunnels via the systray menu.
Specifies the items of the systray menu (the 'menuitem' option). The value is a bitfield, where each bit defines a menu item:
- 1: Quit
- 2: Connection Panel
- 4: Console
- 8: Save & Apply
- 16: Configuration Panel
Example: menuitem=5 will configure a systray menu with Quit + Console.
Note 1: the tunnels are always shown in the systray menu, and can always be opened and closed from this systray menu.
Note 2: 'menuitem' and 'guidefs=hidden'.
By default, guidefs=hidden sets the systray menu to Quit + Console.
But 'menuitem' takes precedence over 'guidefs'. This means that the following options:
"--guidefs=hidden --menuitem=1" will set a systray menu with only the 'Quit' item.
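The bitfield arithmetic and the precedence rule of Note 2, as an added PowerShell example (not TheGreenBow code) for checking which systray items a planned command line leaves available to the end-user. The function names are hypothetical; only the bit values, 'guidefs' and 'menuitem' come from this page.

```powershell
# Added example. Bit values are copied from the menuitem list on this page.
$MenuBits = [ordered]@{
    'Quit'                = 1
    'Connection Panel'    = 2
    'Console'             = 4
    'Save & Apply'        = 8
    'Configuration Panel' = 16
}

function ConvertTo-MenuItemValue {
    # OR together the bits of the requested items; reject names not in the list.
    param([Parameter(Mandatory)][string[]]$Items)
    $value = 0
    foreach ($item in $Items) {
        if (-not $MenuBits.Contains($item)) { throw "Unknown menu item: $item" }
        $value = $value -bor $MenuBits[$item]
    }
    $value
}

function ConvertFrom-MenuItemValue {
    # List the items whose bit is set; values above 31 would use undefined bits.
    param([Parameter(Mandatory)][ValidateRange(0, 31)][int]$Value)
    $MenuBits.Keys | Where-Object { $Value -band $MenuBits[$_] }
}

function Get-EffectiveSystrayMenu {
    # Note 2 on this page: an explicit menuitem overrides the guidefs=hidden
    # default of Quit + Console (1 + 4 = 5).
    param(
        [Parameter(Mandatory)][ValidateSet('full', 'user', 'hidden')][string]$GuiDefs,
        [Nullable[int]]$MenuItem
    )
    if ($null -ne $MenuItem) { return ConvertFrom-MenuItemValue -Value $MenuItem }
    if ($GuiDefs -eq 'hidden') { return ConvertFrom-MenuItemValue -Value 5 }
    # The page does not state the default menu for 'full' or 'user'.
    throw "Default menu for guidefs=$GuiDefs is not documented here; pass -MenuItem."
}

# Review the planned setup options before they go into a deployment script.
$value = ConvertTo-MenuItemValue -Items 'Quit', 'Console'
"--guidefs=hidden --menuitem=$value"
(Get-EffectiveSystrayMenu -GuiDefs hidden -MenuItem 1) -join ' + '
(Get-EffectiveSystrayMenu -GuiDefs hidden) -join ' + '
```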
Embeds the license number of the software.
Controls access to the VPN Configuration Panel with a password.
The end-user will be asked for the password:
- when he clicks or double-clicks on the VPN systray icon
- when he wants to switch from the Connection Panel to the Config. Panel.
Defines the email address to which the software activation confirmation
will be sent. Thus, it enables IT Managers to check each software activation on a single email address. When this
email is pre-configured, it cannot be modified by end-users.
- --autoactiv, --noactiv, --lang
See also our Deployment Guide for details about these setup options.
- --pkicheck, --smartcardroaming
Configure how Certificates are selected from tokens and smart card readers, and how Certificates are used by the software.
See also our Deployment Guide for details about these setup options.