.OP \-c,\-\-certificate cert
.OP \-e,\-\-cert\-expire\-warning days
.OP \-k,\-\-sslkey key
-.OP \-K,\-\-key\-type type
.OP \-C,\-\-cookie cookie
.OP \-\-cookie\-on\-stdin
.OP \-d,\-\-deflate
.OP \-\-no\-proxy
.OP \-\-libproxy
.OP \-\-key\-password\-from\-fsid
-.OP \-\-key\-type type
.OP \-q,\-\-quiet
.OP \-Q,\-\-queue\-len len
.OP \-s,\-\-script vpnc\-script
.OP \-v,\-\-verbose
.OP \-x,\-\-xmlconfig config
.OP \-\-authgroup group
+.OP \-\-authenticate
.OP \-\-cookieonly
.OP \-\-printcookie
.OP \-\-cafile file
.OP \-\-disable\-ipv6
.OP \-\-dtls\-ciphers list
+.OP \-\-dtls\-local\-port port
.OP \-\-no\-cert\-check
.OP \-\-no\-dtls
.OP \-\-no\-http\-keepalive
.OP \-\-no\-passwd
.OP \-\-non\-inter
.OP \-\-passwd\-on\-stdin
+.OP \-\-stoken[=\fItoken-string\fP]
.OP \-\-reconnect\-timeout
.OP \-\-servercert sha1
.OP \-\-useragent string
+.OP \-\-os string
.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
.YS
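Review bot: The new --stoken synopsis line folds its optional argument into the option name as [=\fItoken-string\fP], while every other .OP line here passes the argument as a separate word. Check that this renders as intended in the SYNOPSIS, and escape the hyphen in token-string as \- to match the rest of the page.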
.EE
It is not the same as the 128\-bit UUID of the file system.
.TP
-.B \-\-key\-type=TYPE
-Type of private key file (PKCS#12, TPM or PEM)
-.TP
.B \-q,\-\-quiet
Less output
.TP
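Review bot: Deleting the --key-type entry here, together with both of its synopsis lines, leaves -K/--key-type with no documentation at all. If openconnect still accepts the option, keep a short entry that marks it as deprecated or ignored, so that existing scripts which pass it are explained.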
.B \-\-authgroup=GROUP
Choose authentication login selection
.TP
+.B \-\-authenticate
+Authenticate only, and output the information needed to make the connection
+a form which can be used to set shell environment variables. When invoked with
+this option, openconnect will not make the connection, but if successful will
+output something like the following to stdout:
+.nf
+.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
+.B HOST=10.0.0.1
+.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
+.fi
+Thus, you can invoke openconnect as a non-privileged user
+.I (with access to the user's PKCS#11 tokens, etc.)
+for authentication, and then invoke openconnect separately to make the actual
+connection as root:
+.nf
+.B eval `openconnect --authenticate https://vpnserver.example.com`;
+.B [ -n "$COOKIE" ] && echo "$COOKIE" |
+.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
+.fi
+.TP
.B \-\-cookieonly
Fetch webvpn cookie only; don't connect
.TP
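Review bot: The eval example in the --authenticate text runs whatever openconnect prints as shell code, and the sample output shows COOKIE, HOST and FINGERPRINT unquoted. The entry should state whether these values are shell-escaped on output, since the reader is told to eval them before the root invocation. Also quote the expansions in the last example line as "$HOST" and "$FINGERPRINT", and change "make the connection a form which" to "make the connection in a form which".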
.B \-\-passwd\-on\-stdin
Read password from standard input
.TP
+.B \-\-stoken[=\fItoken-string\fP]
+Use libstoken to generate one-time passwords compatible with the RSA SecurID
+system (when built with libstoken support). If \fItoken-string\fP is omitted,
+libstoken will try to use the software token seed stored in \fI~/.stokenrc\fP,
+if this file exists.
+.TP
.B \-\-reconnect\-timeout
Keep reconnect attempts until so much seconds are elapsed. The default
timeout is 300 seconds, which means that openconnect can recover
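Review bot: The --stoken entry lets the token string be passed on the command line, where other local users can read it from the process list, and the text gives no caution about that. Add a sentence saying so and recommending the ~/.stokenrc form. It would also help to say what happens when the option is given but openconnect was built without libstoken support.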
.I STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
+.TP
+.B \-\-os=STRING
+OS type to report to gateway. Recognized values are: linux, linux-64, mac,
+win. Reporting a different OS type may affect the security policy applied
+to the VPN session.
+.TP
+.B \-\-dtls\-local\-port=PORT
+Use
+.I PORT
+as the local port for DTLS datagrams
.SH LIMITATIONS
Note that although IPv6 has been tested on all platforms on which
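Review bot: The --os entry lists the recognized values but not the default reported when the option is omitted. Add it, since the text says the reported OS type can change the security policy applied to the session. In the --dtls-local-port entry the closing sentence "as the local port for DTLS datagrams" has no final period.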