openconnect \- Connect to Cisco AnyConnect VPN
.OP \-\-config configfile
.OP \-\-pid\-file pidfile
.OP \-c,\-\-certificate cert
.OP \-e,\-\-cert\-expire\-warning days
.OP \-k,\-\-sslkey key
.OP \-K,\-\-key\-type type
.OP \-C,\-\-cookie cookie
.OP \-\-cookie\-on\-stdin
.OP \-D,\-\-no\-deflate
.OP \-\-force\-dpd interval
.OP \-g,\-\-usergroup group
.OP \-i,\-\-interface ifname
.OP \-U,\-\-setuid user
.OP \-\-csd\-user user
.OP \-p,\-\-key\-password pass
.OP \-P,\-\-proxy proxyurl
.OP \-\-key\-password\-from\-fsid
.OP \-\-key\-type type
.OP \-Q,\-\-queue\-len len
.OP \-s,\-\-script vpnc\-script
.OP \-S,\-\-script\-tun
.OP \-x,\-\-xmlconfig config
.OP \-\-authgroup group
.OP \-\-dtls\-ciphers list
.OP \-\-no\-cert\-check
.OP \-\-no\-http\-keepalive
.OP \-\-passwd\-on\-stdin
.OP \-\-reconnect\-timeout
.OP \-\-servercert sha1
.OP \-\-useragent string
.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
connects to Cisco "AnyConnect" VPN servers, which use standard TLS
and DTLS protocols for data transport.
The connection happens in two phases. First there is a simple HTTPS
connection over which the user authenticates in some way \- with a
client certificate, a password, a SecurID token, etc. Having authenticated, the
user is rewarded with an HTTP cookie which can be used to make the
The second phase uses that cookie in an HTTPS
request, and data packets can be passed over the resulting
connection. In auxiliary headers exchanged with the
request, a Session\-ID and Master Secret for a DTLS connection are also
exchanged, which allows data transport over UDP to occur.
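The auxiliary headers of that second-phase exchange, parsed in an added example that is not part of this manual page or of OpenConnect itself. The X-CSTP-* and X-DTLS-* header names are those the CSTP protocol uses; the reply text below is a constructed sample with made-up values, not a capture from a real server, and treating only a 200 status as a tunnel response is this example's choice.

```python
"""Parse the auxiliary headers of the cookie-authenticated CONNECT reply.

Added example, not OpenConnect code. The X-CSTP-*/X-DTLS-* header names are
those of the CSTP protocol; the reply below is a constructed sample.
"""
import binascii

# Constructed sample reply to the second-phase CONNECT request. Values are
# made up; only the field shapes (hex lengths, decimal MTU/DPD) are realistic.
SAMPLE_REPLY = (
    "HTTP/1.1 200 OK\r\n"
    "X-CSTP-Version: 1\r\n"
    "X-CSTP-Address: 10.9.8.7\r\n"
    "X-CSTP-Netmask: 255.255.255.0\r\n"
    "X-CSTP-MTU: 1406\r\n"
    "X-CSTP-DPD: 30\r\n"
    "X-CSTP-Keepalive: 20\r\n"
    "X-DTLS-Port: 443\r\n"
    "X-DTLS-CipherSuite: AES256-SHA\r\n"
    "X-DTLS-Session-ID: " + "0b" * 32 + "\r\n"
    "X-DTLS-Master-Secret: " + "a5" * 48 + "\r\n"
    "\r\n"
)


def parse_headers(reply):
    """Split an HTTP reply into a {lowercased-name: value} dict.

    Raises ValueError on a non-200 status or a malformed header line, so a
    redirect or an error page is never mistaken for a tunnel response.
    """
    status, _, rest = reply.partition("\r\n")
    parts = status.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/1.") or parts[1] != "200":
        raise ValueError("CONNECT was not accepted: %r" % status)
    headers = {}
    for line in rest.split("\r\n"):
        if line == "":
            break                      # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("malformed header line: %r" % line)
        headers[name.strip().lower()] = value.strip()
    return headers


def _need(headers, name):
    """Fetch a mandatory header or fail with a clear message."""
    if name not in headers:
        raise ValueError("server reply lacks %s" % name)
    return headers[name]


def tunnel_params(headers):
    """Extract the CSTP tunnel settings and the DTLS resumption material.

    A TLS session ID is at most 32 bytes and a TLS master secret is exactly
    48 bytes; anything else is rejected rather than handed to the DTLS layer.
    The master secret is the key to the UDP tunnel: whoever reads it can
    decrypt and inject DTLS traffic, so keep it in memory and never log it.
    """
    sid = binascii.unhexlify(_need(headers, "x-dtls-session-id"))
    secret = binascii.unhexlify(_need(headers, "x-dtls-master-secret"))
    if not 1 <= len(sid) <= 32:
        raise ValueError("bad DTLS session ID length %d" % len(sid))
    if len(secret) != 48:
        raise ValueError("bad DTLS master secret length %d" % len(secret))
    return {
        "address": _need(headers, "x-cstp-address"),
        "netmask": _need(headers, "x-cstp-netmask"),
        "mtu": int(_need(headers, "x-cstp-mtu")),
        "dpd": int(headers.get("x-cstp-dpd", "0")),
        "keepalive": int(headers.get("x-cstp-keepalive", "0")),
        "dtls_port": int(_need(headers, "x-dtls-port")),
        "dtls_cipher": _need(headers, "x-dtls-ciphersuite"),
        "dtls_session_id": sid,
        "dtls_master_secret": secret,
    }


if __name__ == "__main__":
    params = tunnel_params(parse_headers(SAMPLE_REPLY))
    # Print only the non-secret settings; the DTLS material stays out of logs.
    print({k: v for k, v in params.items() if not k.startswith("dtls_")})
```

The point to take from the parser is that the DTLS master secret travels only inside the TLS-protected HTTPS reply and is then held by the client; a client that logged headers verbatim, or let them reach a debugging proxy, would hand out the UDP tunnel's keys.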
.B \-\-config=CONFIGFILE
Read further options from
before continuing to process options from the command line. The file
should contain long-format options as would be accepted on the command line,
but without the two leading \-\- dashes. Empty lines, or lines where the
first non-space character is a # character, are ignored.
option may be specified in the file.
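A parser for the file format just described, as an added example that is not OpenConnect's own option parser: it turns a configuration file into the equivalent long-option argument list. The manual states only that lines hold long options without the leading dashes and that blank and # lines are ignored; accepting a value after either whitespace or an = sign is this example's assumption, and the sample file contents are constructed.

```python
"""Convert an openconnect --config file into equivalent command-line options.

Added example, not OpenConnect's own parser. It follows the rules the manual
gives (long options without the leading '--', blank lines and '#' comments
ignored); taking the value after either whitespace or '=' is an assumption
of this example.
"""
import re

# Constructed sample configuration; the group, path and fingerprint are made up.
SAMPLE_CONFIG = """\
# openconnect configuration for the office VPN
user = alice
authgroup Employees
servercert=0123456789ABCDEF0123456789ABCDEF01234567

   # indented comment, still ignored
no-dtls
script /etc/vpnc/vpnc-script
"""

# option name, then '=' (with optional spaces), whitespace, or end of line,
# then whatever remains as the value.
_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)(?:\s*=\s*|\s+|$)(.*)$")


def config_to_args(text):
    """Return ['--user', 'alice', '--authgroup', 'Employees', ...].

    Raises ValueError, naming the line, for a line that does not parse or
    that carries leading dashes (the file must not contain them).
    """
    args = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                   # empty line or comment
        if line.startswith("-"):
            raise ValueError("line %d: options in the file take no leading dashes" % lineno)
        m = _LINE.match(line)
        if not m:
            raise ValueError("line %d: cannot parse %r" % (lineno, raw))
        name, value = m.group(1), m.group(2).strip()
        args.append("--" + name)
        if value:
            args.append(value)
    return args


def effective_args(config_text, cli_args):
    """File options are processed before the remaining command-line ones."""
    return config_to_args(config_text) + list(cli_args)


if __name__ == "__main__":
    print(effective_args(SAMPLE_CONFIG, ["vpn.example.com"]))
```

Because the file is read before the rest of the command line, a later command-line option can override a value from the file; keep the file readable only by the user running openconnect if it carries anything sensitive such as a username or cookie.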
Continue in background after startup
.B \-\-pid\-file=PIDFILE
.B \-c,\-\-certificate=CERT
Use SSL client certificate
which may be either a file name or, if OpenConnect has been built with an appropriate
version of GnuTLS, a PKCS#11 URL.
.B \-e,\-\-cert\-expire\-warning=DAYS
Give a warning when SSL client certificate has
.B \-k,\-\-sslkey=KEY
which may be either a file name or, if OpenConnect has been built with an appropriate
version of GnuTLS, a PKCS#11 URL.
.B \-C,\-\-cookie=COOKIE
.B \-\-cookie\-on\-stdin
Read cookie from standard input
Enable compression (default)
.B \-D,\-\-no\-deflate
.B \-\-force\-dpd=INTERVAL
as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
.B \-g,\-\-usergroup=GROUP
.B \-i,\-\-interface=IFNAME
Use syslog for progress messages
.B \-U,\-\-setuid=USER
Drop privileges after connecting, to become user
.B \-\-csd\-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execution.
.B \-\-csd\-wrapper=SCRIPT
instead of the CSD (Cisco Secure Desktop) script.
from server as the MTU of the tunnel.
as the path MTU between client and server on the unencrypted network. Newer
servers will automatically calculate the MTU to be used on the tunnel from
.B \-p,\-\-key\-password=PASS
Provide passphrase for certificate file, or SRK (Storage Root Key) PIN for TPM
.B \-P,\-\-proxy=PROXYURL
Use HTTP or SOCKS proxy for connection
Use libproxy to configure proxy automatically (when built with libproxy support)
.B \-\-key\-password\-from\-fsid
Passphrase for certificate file is automatically generated from the
of the file system on which it is stored. The
system call, depending on the operating system. On a Linux or similar system
with GNU coreutils, the
used by this option should be equal to the output of the command:
stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
It is not the same as the 128\-bit UUID of the file system. Note that any local
user who can reach the certificate file can obtain this identifier with the same
system call, so it binds the key to its file system rather than keeping it secret.
.B \-\-key\-type=TYPE
Type of private key file (PKCS#12, TPM or PEM)
.B \-Q,\-\-queue\-len=LEN
Set packet queue limit to
.B \-s,\-\-script=SCRIPT
to configure the network after connection. Without this, routing and name
service are unlikely to work correctly. The script is expected to be
which is shipped with the "vpnc" VPN client. See
.I http://www.infradead.org/openconnect/vpnc-script.html
for more information. This version of OpenConnect is configured to use
.B @DEFAULT_VPNCSCRIPT@
.B \-S,\-\-script\-tun
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
tun/tap device. This allows the VPN IP traffic to be handled entirely in
userspace, for example by a program which uses lwIP to provide SOCKS access
Set login username to
Report version number
.B \-x,\-\-xmlconfig=CONFIG
.B \-\-authgroup=GROUP
Choose authentication login selection
Fetch webvpn cookie only; don't connect
Print webvpn cookie before connecting
Cert file for server verification
Do not advertise IPv6 capability to server
.B \-\-dtls\-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
.B \-\-no\-cert\-check
Do not require server SSL certificate to be valid. Checks will still happen
and failures will cause a warning message, but the connection will continue
anyway. With this option, anyone who can intercept the connection can present
an arbitrary certificate, impersonate the server, and capture your credentials
and traffic. You should not need to use this option \- if your servers have SSL
certificates which are not signed by a trusted Certificate Authority, you can
still add them (or your private CA) to a local file and use that file with the
.B \-\-no\-http\-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
the client's SSL certificate when HTTP connections are being re\-used for
multiple requests. So far, this has only been seen on the initial connection,
where the server gives an HTTP/1.0 redirect response with an explicit
.B Connection: Keep\-Alive
directive. OpenConnect as of v2.22 has an unconditional workaround for this,
which is never to obey that directive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option exists
to disable ALL re\-use of HTTP sessions and cause a new connection to be
made for each request. If your server seems not to be recognising your
certificate, try this option. If it makes a difference, please report
this information to the
.B openconnect\-devel@lists.infradead.org
Never attempt password (or SecurID) authentication.
Do not expect user input; exit if it is required.
.B \-\-passwd\-on\-stdin
Read password from standard input
.B \-\-reconnect\-timeout
Keep trying to reconnect until this many seconds have elapsed. The default
timeout is 300 seconds, which means that openconnect can recover the
VPN connection after a temporary network outage of up to 300 seconds.
.B \-\-servercert=SHA1
Accept server's SSL certificate only if its fingerprint matches
.B \-\-useragent=STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
Note that although IPv6 has been tested on all platforms on which
is known to run, it depends on a suitable
to configure the network. The standard
shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
David Woodhouse <dwmw2@infradead.org>