openconnect \- Connect to Cisco AnyConnect VPN
.OP \-\-config configfile
.OP \-\-pid\-file pidfile
.OP \-c,\-\-certificate cert
.OP \-e,\-\-cert\-expire\-warning days
.OP \-k,\-\-sslkey key
.OP \-K,\-\-key\-type type
.OP \-C,\-\-cookie cookie
.OP \-\-cookie\-on\-stdin
.OP \-D,\-\-no\-deflate
.OP \-\-force\-dpd interval
.OP \-g,\-\-usergroup group
.OP \-i,\-\-interface ifname
.OP \-U,\-\-setuid user
.OP \-\-csd\-user user
.OP \-p,\-\-key\-password pass
.OP \-P,\-\-proxy proxyurl
.OP \-\-key\-password\-from\-fsid
.OP \-\-key\-type type
.OP \-Q,\-\-queue\-len len
.OP \-s,\-\-script vpnc\-script
.OP \-S,\-\-script\-tun
.OP \-x,\-\-xmlconfig config
.OP \-\-authgroup group
.OP \-\-dtls\-ciphers list
.OP \-\-no\-cert\-check
.OP \-\-no\-http\-keepalive
.OP \-\-passwd\-on\-stdin
.OP \-\-reconnect\-timeout
.OP \-\-servercert sha1
.OP \-\-useragent string
.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
connects to Cisco "AnyConnect" VPN servers, which use standard TLS
and DTLS protocols for data transport.
The connection happens in two phases. First there is a simple HTTPS
connection over which the user authenticates somehow \- by using a
certificate, a password, SecurID, etc. Having authenticated, the
user is rewarded with an HTTP cookie which can be used to make the
The second phase uses that cookie in an HTTPS
request, and data packets can be passed over the resulting
connection. In auxiliary headers exchanged with the
request, a Session\-ID and Master Secret for a DTLS connection are also
exchanged, which allows data transport over UDP to occur.
.B \-\-config=CONFIGFILE
Read further options from
before continuing to process options from the command line. The file
should contain long-format options as would be accepted on the command line,
but without the two leading \-\- dashes. Empty lines, or lines where the
first non-space character is a # character, are ignored.
option may be specified in the file.
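The following parser, added here as an illustration and not part of openconnect itself, applies the config file rules just described to a constructed sample: blank lines and # comments are skipped, and a line that still carries the leading \-\- is rejected. Accepting both "option value" and "option=value" spellings is an assumption of this example, mirroring the two command-line forms.

```python
"""Parse an openconnect-style --config file (added example, not openconnect's code).

Rules from the manual: one long-format option per line, written without the
leading "--"; empty lines and lines whose first non-space character is "#"
are ignored. Accepting "option value" as well as "option=value" is an
assumption made here; openconnect's own parser may differ in detail.
"""
from typing import List, Tuple

# Constructed sample file contents; the fingerprint is a labelled placeholder.
SAMPLE_CONFIG = """\
# openconnect configuration (constructed sample)
servercert=PLACEHOLDER_SHA1_FINGERPRINT

  user alice
reconnect-timeout 600
# --no-cert-check   <- commented out, so it must be ignored
"""


def parse_config(text: str) -> List[Tuple[str, str]]:
    """Return (option, value) pairs in file order; value is '' for bare flags."""
    options: List[Tuple[str, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Empty lines and comment lines (first non-space char is '#') are ignored.
        if not line or line.startswith("#"):
            continue
        # The file takes long options *without* the two leading dashes.
        if line.startswith("--"):
            raise ValueError(f"line {lineno}: drop the leading '--' in a config file")
        # Prefer "name=value"; fall back to "name value" when '=' is absent or
        # appears only inside the value part.
        name, sep, value = line.partition("=")
        if not sep or any(c.isspace() for c in name.strip()):
            parts = line.split(None, 1)
            name = parts[0]
            value = parts[1] if len(parts) > 1 else ""
        options.append((name.strip(), value.strip()))
    return options
```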
Continue in background after startup
.B \-\-pid\-file=PIDFILE
.B \-c,\-\-certificate=CERT
Use SSL client certificate
.B \-e,\-\-cert\-expire\-warning=DAYS
Give a warning when SSL client certificate has
.B \-k,\-\-sslkey=KEY
Use SSL private key file
.B \-C,\-\-cookie=COOKIE
.B \-\-cookie\-on\-stdin
Read cookie from standard input
Enable compression (default)
.B \-D,\-\-no\-deflate
.B \-\-force\-dpd=INTERVAL
as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
.B \-g,\-\-usergroup=GROUP
.B \-i,\-\-interface=IFNAME
Use syslog for progress messages
.B \-U,\-\-setuid=USER
Drop privileges after connecting, to become user
.B \-\-csd\-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execution.
.B \-\-csd\-wrapper=SCRIPT
instead of the CSD (Cisco Secure Desktop) script.
from server as the MTU of the tunnel.
as the path MTU between client and server on the unencrypted network. Newer
servers will automatically calculate the MTU to be used on the tunnel from
.B \-p,\-\-key\-password=PASS
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
.B \-P,\-\-proxy=PROXYURL
Use HTTP or SOCKS proxy for connection
Use libproxy to configure proxy automatically (when built with libproxy support)
.B \-\-key\-password\-from\-fsid
Passphrase for certificate file is automatically generated from the
of the file system on which it is stored. The
system call, depending on the operating system. On a Linux or similar system
with GNU coreutils, the
used by this option should be equal to the output of the command:
stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
It is not the same as the 128\-bit UUID of the file system.
.B \-\-key\-type=TYPE
Type of private key file (PKCS#12, TPM or PEM)
.B \-Q,\-\-queue\-len=LEN
Set packet queue limit to
.B \-s,\-\-script=SCRIPT
to configure the network after connection. Without this, routing and name
service are unlikely to work correctly. The script is expected to be
which is shipped with the "vpnc" VPN client. See
.I http://www.infradead.org/openconnect/vpnc-script.html
for more information. This version of OpenConnect is configured to use
.B @DEFAULT_VPNCSCRIPT@
.B \-S,\-\-script\-tun
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
tun/tap device. This allows the VPN IP traffic to be handled entirely in
userspace, for example by a program which uses lwIP to provide SOCKS access
Set login username to
Report version number
.B \-x,\-\-xmlconfig=CONFIG
.B \-\-authgroup=GROUP
Choose authentication login selection
Fetch webvpn cookie only; don't connect
Print webvpn cookie before connecting
Cert file for server verification
Do not advertise IPv6 capability to server
.B \-\-dtls\-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
.B \-\-no\-cert\-check
Do not require server SSL certificate to be valid. Checks will still happen
and failures will cause a warning message, but the connection will continue
anyway. You should not need to use this option \- if your servers have SSL
certificates which are not signed by a trusted Certificate Authority, you can
still add them (or your private CA) to a local file and use that file with the
.B \-\-no\-http\-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
the client's SSL certificate when HTTP connections are being re\-used for
multiple requests. So far, this has only been seen on the initial connection,
where the server gives an HTTP/1.0 redirect response with an explicit
.B Connection: Keep\-Alive
directive. OpenConnect as of v2.22 has an unconditional workaround for this,
which is never to obey that directive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option exists
to disable ALL re\-use of HTTP sessions and cause a new connection to be
made for each request. If your server seems not to be recognising your
certificate, try this option. If it makes a difference, please report
this information to the
.B openconnect\-devel@lists.infradead.org
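The connection re-use decision described above, written out as an added example rather than openconnect's own code: a Connection: Keep\-Alive directive on an HTTP/1.0 response is never obeyed (the unconditional v2.22 workaround), and \-\-no\-http\-keepalive forces a fresh connection for every request. The HTTP/1.1 default (persistent unless the server sends Connection: close) follows RFC 7230 and is included for contrast; the sample response head is constructed.

```python
"""Decide whether an HTTP connection may be re-used after a response.

Added example, not openconnect's code. Encodes the rule from the manual:
Keep-Alive on an HTTP/1.0 response is ignored (ASA 8.2.2.5 workaround) and
--no-http-keepalive disables re-use entirely. HTTP/1.1 handling (persistent
unless "Connection: close") follows RFC 7230 and is shown for contrast.
"""
from typing import Dict, Tuple


def parse_response_head(head: str) -> Tuple[str, int, Dict[str, str]]:
    """Return (http_version, status_code, headers) from a raw response head."""
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)          # e.g. "HTTP/1.0 302 Object Moved"
    version, status = parts[0], int(parts[1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:                        # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return version, status, headers


def may_reuse_connection(head: str, no_http_keepalive: bool = False) -> bool:
    """True if the client may send the next request on the same connection."""
    if no_http_keepalive:
        return False                        # --no-http-keepalive: never re-use
    version, _status, headers = parse_response_head(head)
    if version == "HTTP/1.0":
        # Workaround: a Keep-Alive directive on an HTTP/1.0 response is never
        # obeyed, so the ASA bug cannot be triggered on the redirect.
        return False
    tokens = {t.strip().lower() for t in headers.get("connection", "").split(",")}
    return "close" not in tokens            # HTTP/1.1 is persistent by default


# Constructed sample modelled on the redirect the manual describes; the
# Location value is a placeholder, not a real ASA path.
ASA_REDIRECT = (
    "HTTP/1.0 302 Object Moved\r\n"
    "Location: /PLACEHOLDER-REDIRECT-PATH/\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
```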
Never attempt password (or SecurID) authentication.
Do not expect user input; exit if it is required.
.B \-\-passwd\-on\-stdin
Read password from standard input
.B \-\-reconnect\-timeout
Keep attempting to reconnect until this many seconds have elapsed. The default
timeout is 300 seconds, which means that openconnect can recover the
VPN connection after a temporary network outage of 300 seconds.
.B \-\-servercert=SHA1
Accept server's SSL certificate only if its fingerprint matches
.B \-\-useragent=STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
Note that although IPv6 has been tested on all platforms on which
is known to run, it depends on a suitable
to configure the network. The standard
shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
David Woodhouse <dwmw2@infradead.org>