3 openconnect \- Connect to Cisco AnyConnect VPN
6 .OP \-\-config configfile
8 .OP \-\-pid\-file pidfile
9 .OP \-c,\-\-certificate cert
10 .OP \-e,\-\-cert\-expire\-warning days
11 .OP \-k,\-\-sslkey key
12 .OP \-C,\-\-cookie cookie
13 .OP \-\-cookie\-on\-stdin
15 .OP \-D,\-\-no\-deflate
16 .OP \-\-force\-dpd interval
17 .OP \-g,\-\-usergroup group
19 .OP \-i,\-\-interface ifname
21 .OP \-U,\-\-setuid user
22 .OP \-\-csd\-user user
25 .OP \-p,\-\-key\-password pass
26 .OP \-P,\-\-proxy proxyurl
29 .OP \-\-key\-password\-from\-fsid
31 .OP \-Q,\-\-queue\-len len
32 .OP \-s,\-\-script vpnc\-script
33 .OP \-S,\-\-script\-tun
37 .OP \-x,\-\-xmlconfig config
38 .OP \-\-authgroup group
43 .OP \-\-dtls\-ciphers list
44 .OP \-\-no\-cert\-check
46 .OP \-\-no\-http\-keepalive
49 .OP \-\-passwd\-on\-stdin
50 .OP \-\-reconnect\-timeout
51 .OP \-\-servercert sha1
52 .OP \-\-useragent string
53 .B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
59 connects to Cisco "AnyConnect" VPN servers, which use standard TLS
60 and DTLS protocols for data transport.
62 The connection happens in two phases. First there is a simple HTTPS
63 connection over which the user authenticates somehow \- by using a
64 certificate, or password or SecurID, etc. Having authenticated, the
65 user is rewarded with an HTTP cookie which can be used to make the
68 The second phase uses that cookie in an HTTPS
70 request, and data packets can be passed over the resulting
71 connection. In auxiliary headers exchanged with the
73 request, a Session\-ID and Master Secret for a DTLS connection are also
74 exchanged, which allows data transport over UDP to occur.
79 .B \-\-config=CONFIGFILE
80 Read further options from
82 before continuing to process options from the command line. The file
83 should contain long-format options as would be accepted on the command line,
84 but without the two leading \-\- dashes. Empty lines, or lines where the
85 first non-space character is a # character, are ignored.
89 option may be specified in the file.
92 Continue in background after startup
94 .B \-\-pid\-file=PIDFILE
99 .B \-c,\-\-certificate=CERT
100 Use SSL client certificate
102 which may be either a file name or, if OpenConnect has been built with an appropriate
103 version of GnuTLS, a PKCS#11 URL.
105 .B \-e,\-\-cert\-expire\-warning=DAYS
106 Give a warning when SSL client certificate has
110 .B \-k,\-\-sslkey=KEY
113 which may be either a file name or, if OpenConnect has been built with an appropriate
114 version of GnuTLS, a PKCS#11 URL.
116 .B \-C,\-\-cookie=COOKIE
120 .B \-\-cookie\-on\-stdin
121 Read cookie from standard input
124 Enable compression (default)
126 .B \-D,\-\-no\-deflate
129 .B \-\-force\-dpd=INTERVAL
132 as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
134 .B \-g,\-\-usergroup=GROUP
142 .B \-i,\-\-interface=IFNAME
148 Use syslog for progress messages
150 .B \-U,\-\-setuid=USER
151 Drop privileges after connecting, to become user
154 .B \-\-csd\-user=USER
155 Drop privileges during CSD (Cisco Secure Desktop) script execution.
157 .B \-\-csd\-wrapper=SCRIPT
160 instead of the CSD (Cisco Secure Desktop) script.
165 from server as the MTU of the tunnel.
170 as the path MTU between client and server on the unencrypted network. Newer
171 servers will automatically calculate the MTU to be used on the tunnel from
174 .B \-p,\-\-key\-password=PASS
175 Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
177 .B \-P,\-\-proxy=PROXYURL
178 Use HTTP or SOCKS proxy for connection
184 Use libproxy to configure proxy automatically (when built with libproxy support)
186 .B \-\-key\-password\-from\-fsid
187 Passphrase for certificate file is automatically generated from the
189 of the file system on which it is stored. The
195 system call, depending on the operating system. On a Linux or similar system
196 with GNU coreutils, the
198 used by this option should be equal to the output of the command:
200 stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
202 It is not the same as the 128\-bit UUID of the file system.
207 .B \-Q,\-\-queue\-len=LEN
208 Set packet queue limit to
212 .B \-s,\-\-script=SCRIPT
215 to configure the network after connection. Without this, routing and name
216 service are unlikely to work correctly. The script is expected to be
219 which is shipped with the "vpnc" VPN client. See
220 .I http://www.infradead.org/openconnect/vpnc-script.html
221 for more information. This version of OpenConnect is configured to use
222 .B @DEFAULT_VPNCSCRIPT@
225 .B \-S,\-\-script\-tun
226 Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
227 tun/tap device. This allows the VPN IP traffic to be handled entirely in
228 userspace, for example by a program which uses lwIP to provide SOCKS access
232 Set login username to
236 Report version number
241 .B \-x,\-\-xmlconfig=CONFIG
244 .B \-\-authgroup=GROUP
245 Choose authentication login selection
248 Fetch webvpn cookie only; don't connect
251 Print webvpn cookie before connecting
254 Cert file for server verification
257 Do not advertise IPv6 capability to server
259 .B \-\-dtls\-ciphers=LIST
260 Set OpenSSL ciphers to support for DTLS
262 .B \-\-no\-cert\-check
263 Do not require server SSL certificate to be valid. Checks will still happen
264 and failures will cause a warning message, but the connection will continue
265 anyway. You should not need to use this option \- if your servers have SSL
266 certificates which are not signed by a trusted Certificate Authority, you can
267 still add them (or your private CA) to a local file and use that file with the
275 .B \-\-no\-http\-keepalive
276 Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
277 the client's SSL certificate when HTTP connections are being re\-used for
278 multiple requests. So far, this has only been seen on the initial connection,
279 where the server gives an HTTP/1.0 redirect response with an explicit
280 .B Connection: Keep\-Alive
281 directive. OpenConnect as of v2.22 has an unconditional workaround for this,
282 which is never to obey that directive after an HTTP/1.0 response.
284 However, Cisco's support team has failed to give any competent
285 response to the bug report and we don't know under what other
286 circumstances their bug might manifest itself. So this option exists
287 to disable ALL re\-use of HTTP sessions and cause a new connection to be
288 made for each request. If your server seems not to be recognising your
289 certificate, try this option. If it makes a difference, please report
290 this information to the
291 .B openconnect\-devel@lists.infradead.org
295 Never attempt password (or SecurID) authentication.
298 Do not expect user input; exit if it is required.
300 .B \-\-passwd\-on\-stdin
301 Read password from standard input
303 .B \-\-reconnect\-timeout
304 Keep reconnect attempts until so much seconds are elapsed. The default
305 timeout is 300 seconds, which means that openconnect can recover
306 VPN connection after a temporary network down time of 300 seconds.
308 .B \-\-servercert=SHA1
309 Accept server's SSL certificate only if its fingerprint matches
312 .B \-\-useragent=STRING
315 as 'User\-Agent:' field value in HTTP header.
316 (e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
319 Note that although IPv6 has been tested on all platforms on which
321 is known to run, it depends on a suitable
323 to configure the network. The standard
325 shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
326 .B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
330 David Woodhouse <dwmw2@infradead.org>