3 openconnect \- Connect to Cisco AnyConnect VPN
6 .OP \-\-config configfile
8 .OP \-\-pid\-file pidfile
9 .OP \-c,\-\-certificate cert
10 .OP \-e,\-\-cert\-expire\-warning days
11 .OP \-k,\-\-sslkey key
12 .OP \-C,\-\-cookie cookie
13 .OP \-\-cookie\-on\-stdin
15 .OP \-D,\-\-no\-deflate
16 .OP \-\-force\-dpd interval
17 .OP \-g,\-\-usergroup group
19 .OP \-i,\-\-interface ifname
21 .OP \-U,\-\-setuid user
22 .OP \-\-csd\-user user
25 .OP \-p,\-\-key\-password pass
26 .OP \-P,\-\-proxy proxyurl
29 .OP \-\-key\-password\-from\-fsid
31 .OP \-Q,\-\-queue\-len len
32 .OP \-s,\-\-script vpnc\-script
33 .OP \-S,\-\-script\-tun
37 .OP \-x,\-\-xmlconfig config
38 .OP \-\-authgroup group
44 .OP \-\-dtls\-ciphers list
45 .OP \-\-no\-cert\-check
47 .OP \-\-no\-http\-keepalive
50 .OP \-\-passwd\-on\-stdin
51 .OP \-\-reconnect\-timeout
52 .OP \-\-servercert sha1
53 .OP \-\-useragent string
54 .B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
60 connects to Cisco "AnyConnect" VPN servers, which use standard TLS
61 and DTLS protocols for data transport.
63 The connection happens in two phases. First there is a simple HTTPS
64 connection over which the user authenticates somehow \- by using a
65 certificate, or password or SecurID, etc. Having authenticated, the
66 user is rewarded with an HTTP cookie which can be used to make the
69 The second phase uses that cookie in an HTTPS
71 request, and data packets can be passed over the resulting
72 connection. In auxiliary headers exchanged with the
74 request, a Session\-ID and Master Secret for a DTLS connection are also
75 exchanged, which allows data transport over UDP to occur.
80 .B \-\-config=CONFIGFILE
81 Read further options from
83 before continuing to process options from the command line. The file
84 should contain long-format options as would be accepted on the command line,
85 but without the two leading \-\- dashes. Empty lines, or lines where the
86 first non-space character is a # character, are ignored.
90 option may be specified in the file.
93 Continue in background after startup
95 .B \-\-pid\-file=PIDFILE
100 .B \-c,\-\-certificate=CERT
101 Use SSL client certificate
103 which may be either a file name or, if OpenConnect has been built with an appropriate
104 version of GnuTLS, a PKCS#11 URL.
106 .B \-e,\-\-cert\-expire\-warning=DAYS
107 Give a warning when SSL client certificate has
111 .B \-k,\-\-sslkey=KEY
114 which may be either a file name or, if OpenConnect has been built with an appropriate
115 version of GnuTLS, a PKCS#11 URL.
117 .B \-C,\-\-cookie=COOKIE
121 .B \-\-cookie\-on\-stdin
122 Read cookie from standard input
125 Enable compression (default)
127 .B \-D,\-\-no\-deflate
130 .B \-\-force\-dpd=INTERVAL
133 as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
135 .B \-g,\-\-usergroup=GROUP
143 .B \-i,\-\-interface=IFNAME
149 Use syslog for progress messages
151 .B \-U,\-\-setuid=USER
152 Drop privileges after connecting, to become user
155 .B \-\-csd\-user=USER
156 Drop privileges during CSD (Cisco Secure Desktop) script execution.
158 .B \-\-csd\-wrapper=SCRIPT
161 instead of the CSD (Cisco Secure Desktop) script.
166 from server as the MTU of the tunnel.
171 as the path MTU between client and server on the unencrypted network. Newer
172 servers will automatically calculate the MTU to be used on the tunnel from
175 .B \-p,\-\-key\-password=PASS
176 Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
178 .B \-P,\-\-proxy=PROXYURL
179 Use HTTP or SOCKS proxy for connection
185 Use libproxy to configure proxy automatically (when built with libproxy support)
187 .B \-\-key\-password\-from\-fsid
188 Passphrase for certificate file is automatically generated from the
190 of the file system on which it is stored. The
196 system call, depending on the operating system. On a Linux or similar system
197 with GNU coreutils, the
199 used by this option should be equal to the output of the command:
201 stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
203 It is not the same as the 128\-bit UUID of the file system.
208 .B \-Q,\-\-queue\-len=LEN
209 Set packet queue limit to
213 .B \-s,\-\-script=SCRIPT
216 to configure the network after connection. Without this, routing and name
217 service are unlikely to work correctly. The script is expected to be
220 which is shipped with the "vpnc" VPN client. See
221 .I http://www.infradead.org/openconnect/vpnc-script.html
222 for more information. This version of OpenConnect is configured to use
223 .B @DEFAULT_VPNCSCRIPT@
226 .B \-S,\-\-script\-tun
227 Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
228 tun/tap device. This allows the VPN IP traffic to be handled entirely in
229 userspace, for example by a program which uses lwIP to provide SOCKS access
233 Set login username to
237 Report version number
242 .B \-x,\-\-xmlconfig=CONFIG
245 .B \-\-authgroup=GROUP
246 Choose authentication login selection
249 Authenticate only, and output the information needed to make the connection
250 a form which can be used to set shell environment variables. When invoked with
251 this option, openconnect will not make the connection, but if successful will
252 output something like the following to stdout:
254 .B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
256 .B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
258 Thus, you can invoke openconnect as a non-privileged user
259 .I (with access to the user's PKCS#11 tokens, etc.)
260 for authentication, and then invoke openconnect separately to make the actual
263 .B eval `openconnect --authenticate https://vpnserver.example.com`;
264 .B [ -n "$COOKIE" ] && echo "$COOKIE" |
265 .B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
269 Fetch webvpn cookie only; don't connect
272 Print webvpn cookie before connecting
275 Cert file for server verification
278 Do not advertise IPv6 capability to server
280 .B \-\-dtls\-ciphers=LIST
281 Set OpenSSL ciphers to support for DTLS
283 .B \-\-no\-cert\-check
284 Do not require server SSL certificate to be valid. Checks will still happen
285 and failures will cause a warning message, but the connection will continue
286 anyway. You should not need to use this option \- if your servers have SSL
287 certificates which are not signed by a trusted Certificate Authority, you can
288 still add them (or your private CA) to a local file and use that file with the
296 .B \-\-no\-http\-keepalive
297 Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
298 the client's SSL certificate when HTTP connections are being re\-used for
299 multiple requests. So far, this has only been seen on the initial connection,
300 where the server gives an HTTP/1.0 redirect response with an explicit
301 .B Connection: Keep\-Alive
302 directive. OpenConnect as of v2.22 has an unconditional workaround for this,
303 which is never to obey that directive after an HTTP/1.0 response.
305 However, Cisco's support team has failed to give any competent
306 response to the bug report and we don't know under what other
307 circumstances their bug might manifest itself. So this option exists
308 to disable ALL re\-use of HTTP sessions and cause a new connection to be
309 made for each request. If your server seems not to be recognising your
310 certificate, try this option. If it makes a difference, please report
311 this information to the
312 .B openconnect\-devel@lists.infradead.org
316 Never attempt password (or SecurID) authentication.
319 Do not expect user input; exit if it is required.
321 .B \-\-passwd\-on\-stdin
322 Read password from standard input
324 .B \-\-reconnect\-timeout
325 Keep reconnect attempts until so much seconds are elapsed. The default
326 timeout is 300 seconds, which means that openconnect can recover
327 VPN connection after a temporary network down time of 300 seconds.
329 .B \-\-servercert=SHA1
330 Accept server's SSL certificate only if its fingerprint matches
333 .B \-\-useragent=STRING
336 as 'User\-Agent:' field value in HTTP header.
337 (e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
340 Note that although IPv6 has been tested on all platforms on which
342 is known to run, it depends on a suitable
344 to configure the network. The standard
346 shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
347 .B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
351 David Woodhouse <dwmw2@infradead.org>