3 openconnect \- Connect to Cisco AnyConnect VPN
6 .OP \-\-config configfile
8 .OP \-\-pid\-file pidfile
9 .OP \-c,\-\-certificate cert
10 .OP \-e,\-\-cert\-expire\-warning days
11 .OP \-k,\-\-sslkey key
12 .OP \-C,\-\-cookie cookie
13 .OP \-\-cookie\-on\-stdin
15 .OP \-D,\-\-no\-deflate
16 .OP \-\-force\-dpd interval
17 .OP \-g,\-\-usergroup group
19 .OP \-i,\-\-interface ifname
21 .OP \-U,\-\-setuid user
22 .OP \-\-csd\-user user
25 .OP \-p,\-\-key\-password pass
26 .OP \-P,\-\-proxy proxyurl
29 .OP \-\-key\-password\-from\-fsid
31 .OP \-Q,\-\-queue\-len len
32 .OP \-s,\-\-script vpnc\-script
33 .OP \-S,\-\-script\-tun
37 .OP \-x,\-\-xmlconfig config
38 .OP \-\-authgroup group
44 .OP \-\-dtls\-ciphers list
45 .OP \-\-dtls\-local\-port port
46 .OP \-\-no\-cert\-check
48 .OP \-\-no\-http\-keepalive
51 .OP \-\-passwd\-on\-stdin
52 .OP \-\-stoken[=\fItoken-string\fP]
53 .OP \-\-reconnect\-timeout
54 .OP \-\-servercert sha1
55 .OP \-\-useragent string
56 .B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
62 connects to Cisco "AnyConnect" VPN servers, which use standard TLS
63 and DTLS protocols for data transport.
65 The connection happens in two phases. First there is a simple HTTPS
66 connection over which the user authenticates somehow \- by using a
67 certificate, or password or SecurID, etc. Having authenticated, the
68 user is rewarded with an HTTP cookie which can be used to make the
71 The second phase uses that cookie in an HTTPS
73 request, and data packets can be passed over the resulting
74 connection. In auxiliary headers exchanged with the
76 request, a Session\-ID and Master Secret for a DTLS connection are also
77 exchanged, which allows data transport over UDP to occur.
82 .B \-\-config=CONFIGFILE
83 Read further options from
85 before continuing to process options from the command line. The file
86 should contain long-format options as would be accepted on the command line,
87 but without the two leading \-\- dashes. Empty lines, or lines where the
88 first non-space character is a # character, are ignored.
92 option may be specified in the file.
95 Continue in background after startup
97 .B \-\-pid\-file=PIDFILE
102 .B \-c,\-\-certificate=CERT
103 Use SSL client certificate
105 which may be either a file name or, if OpenConnect has been built with an appropriate
106 version of GnuTLS, a PKCS#11 URL.
108 .B \-e,\-\-cert\-expire\-warning=DAYS
109 Give a warning when SSL client certificate has
113 .B \-k,\-\-sslkey=KEY
116 which may be either a file name or, if OpenConnect has been built with an appropriate
117 version of GnuTLS, a PKCS#11 URL.
119 .B \-C,\-\-cookie=COOKIE
123 .B \-\-cookie\-on\-stdin
124 Read cookie from standard input
127 Enable compression (default)
129 .B \-D,\-\-no\-deflate
132 .B \-\-force\-dpd=INTERVAL
135 as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
137 .B \-g,\-\-usergroup=GROUP
145 .B \-i,\-\-interface=IFNAME
151 Use syslog for progress messages
153 .B \-U,\-\-setuid=USER
154 Drop privileges after connecting, to become user
157 .B \-\-csd\-user=USER
158 Drop privileges during CSD (Cisco Secure Desktop) script execution.
160 .B \-\-csd\-wrapper=SCRIPT
163 instead of the CSD (Cisco Secure Desktop) script.
168 from server as the MTU of the tunnel.
173 as the path MTU between client and server on the unencrypted network. Newer
174 servers will automatically calculate the MTU to be used on the tunnel from
177 .B \-p,\-\-key\-password=PASS
178 Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
180 .B \-P,\-\-proxy=PROXYURL
181 Use HTTP or SOCKS proxy for connection
187 Use libproxy to configure proxy automatically (when built with libproxy support)
189 .B \-\-key\-password\-from\-fsid
190 Passphrase for certificate file is automatically generated from the
192 of the file system on which it is stored. The
198 system call, depending on the operating system. On a Linux or similar system
199 with GNU coreutils, the
201 used by this option should be equal to the output of the command:
203 stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
205 It is not the same as the 128\-bit UUID of the file system.
210 .B \-Q,\-\-queue\-len=LEN
211 Set packet queue limit to
215 .B \-s,\-\-script=SCRIPT
218 to configure the network after connection. Without this, routing and name
219 service are unlikely to work correctly. The script is expected to be
222 which is shipped with the "vpnc" VPN client. See
223 .I http://www.infradead.org/openconnect/vpnc-script.html
224 for more information. This version of OpenConnect is configured to use
225 .B @DEFAULT_VPNCSCRIPT@
228 .B \-S,\-\-script\-tun
229 Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
230 tun/tap device. This allows the VPN IP traffic to be handled entirely in
231 userspace, for example by a program which uses lwIP to provide SOCKS access
235 Set login username to
239 Report version number
244 .B \-x,\-\-xmlconfig=CONFIG
247 .B \-\-authgroup=GROUP
248 Choose authentication login selection
251 Authenticate only, and output the information needed to make the connection
252 a form which can be used to set shell environment variables. When invoked with
253 this option, openconnect will not make the connection, but if successful will
254 output something like the following to stdout:
256 .B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
258 .B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
260 Thus, you can invoke openconnect as a non-privileged user
261 .I (with access to the user's PKCS#11 tokens, etc.)
262 for authentication, and then invoke openconnect separately to make the actual
265 .B eval `openconnect --authenticate https://vpnserver.example.com`;
266 .B [ -n "$COOKIE" ] && echo "$COOKIE" |
267 .B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
271 Fetch webvpn cookie only; don't connect
274 Print webvpn cookie before connecting
277 Cert file for server verification
280 Do not advertise IPv6 capability to server
282 .B \-\-dtls\-ciphers=LIST
283 Set OpenSSL ciphers to support for DTLS
285 .B \-\-no\-cert\-check
286 Do not require server SSL certificate to be valid. Checks will still happen
287 and failures will cause a warning message, but the connection will continue
288 anyway. You should not need to use this option \- if your servers have SSL
289 certificates which are not signed by a trusted Certificate Authority, you can
290 still add them (or your private CA) to a local file and use that file with the
298 .B \-\-no\-http\-keepalive
299 Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
300 the client's SSL certificate when HTTP connections are being re\-used for
301 multiple requests. So far, this has only been seen on the initial connection,
302 where the server gives an HTTP/1.0 redirect response with an explicit
303 .B Connection: Keep\-Alive
304 directive. OpenConnect as of v2.22 has an unconditional workaround for this,
305 which is never to obey that directive after an HTTP/1.0 response.
307 However, Cisco's support team has failed to give any competent
308 response to the bug report and we don't know under what other
309 circumstances their bug might manifest itself. So this option exists
310 to disable ALL re\-use of HTTP sessions and cause a new connection to be
311 made for each request. If your server seems not to be recognising your
312 certificate, try this option. If it makes a difference, please report
313 this information to the
314 .B openconnect\-devel@lists.infradead.org
318 Never attempt password (or SecurID) authentication.
321 Do not expect user input; exit if it is required.
323 .B \-\-passwd\-on\-stdin
324 Read password from standard input
326 .B \-\-stoken[=\fItoken-string\fP]
327 Use libstoken to generate one-time passwords compatible with the RSA SecurID
328 system (when built with libstoken support). If \fItoken-string\fP is omitted,
329 libstoken will try to use the software token seed stored in \fI~/.stokenrc\fP,
332 .B \-\-reconnect\-timeout
333 Keep reconnect attempts until so much seconds are elapsed. The default
334 timeout is 300 seconds, which means that openconnect can recover
335 VPN connection after a temporary network down time of 300 seconds.
337 .B \-\-servercert=SHA1
338 Accept server's SSL certificate only if its fingerprint matches
341 .B \-\-useragent=STRING
344 as 'User\-Agent:' field value in HTTP header.
345 (e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
347 .B \-\-dtls\-local\-port=PORT
350 as the local port for DTLS datagrams
353 Note that although IPv6 has been tested on all platforms on which
355 is known to run, it depends on a suitable
357 to configure the network. The standard
359 shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
360 .B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
364 David Woodhouse <dwmw2@infradead.org>