.OP \-c,\-\-certificate cert
.OP \-e,\-\-cert\-expire\-warning days
.OP \-k,\-\-sslkey key
-.OP \-K,\-\-key\-type type
.OP \-C,\-\-cookie cookie
.OP \-\-cookie\-on\-stdin
.OP \-d,\-\-deflate
.OP \-U,\-\-setuid user
.OP \-\-csd\-user user
.OP \-m,\-\-mtu mtu
+.OP \-\-basemtu mtu
.OP \-p,\-\-key\-password pass
.OP \-P,\-\-proxy proxyurl
.OP \-\-no\-proxy
.OP \-\-libproxy
.OP \-\-key\-password\-from\-fsid
-.OP \-\-key\-type type
.OP \-q,\-\-quiet
.OP \-Q,\-\-queue\-len len
.OP \-s,\-\-script vpnc\-script
.OP \-v,\-\-verbose
.OP \-x,\-\-xmlconfig config
.OP \-\-authgroup group
+.OP \-\-authenticate
.OP \-\-cookieonly
.OP \-\-printcookie
.OP \-\-cafile file
.OP \-\-disable\-ipv6
.OP \-\-dtls\-ciphers list
+.OP \-\-dtls\-local\-port port
.OP \-\-no\-cert\-check
.OP \-\-no\-dtls
.OP \-\-no\-http\-keepalive
.OP \-\-no\-passwd
.OP \-\-non\-inter
.OP \-\-passwd\-on\-stdin
+.OP \-\-stoken[=\fItoken-string\fP]
.OP \-\-reconnect\-timeout
.OP \-\-servercert sha1
.OP \-\-useragent string
+.OP \-\-os string
.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
.YS
.B \-c,\-\-certificate=CERT
Use SSL client certificate
.I CERT
+which may be either a file name or, if OpenConnect has been built with an appropriate
+version of GnuTLS, a PKCS#11 URL.
.TP
.B \-e,\-\-cert\-expire\-warning=DAYS
Give a warning when SSL client certificate has
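Review bot: the synopsis removes both `.OP \-K,\-\-key\-type type` and `.OP \-\-key\-type type`, but nothing in the patch says whether `--key-type` is now rejected or silently ignored, so existing scripts that pass it have no documented behaviour; add a sentence (near the `-k,--sslkey` entry, which now also accepts a PKCS#11 URL) saying how the key type is now determined, or keep a short deprecated-option note. The new `.OP \-\-stoken[=\fItoken-string\fP]` line is the only `.OP` use in this synopsis that carries a bracketed optional argument rather than a bare argument name; check the rendered output shows `[--stoken[=token-string]]` rather than doubled or unbalanced brackets.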
left before expiry
.TP
.B \-k,\-\-sslkey=KEY
-Use SSL private key file
+Use SSL private key
.I KEY
+which may be either a file name or, if OpenConnect has been built with an appropriate
+version of GnuTLS, a PKCS#11 URL.
.TP
.B \-C,\-\-cookie=COOKIE
Use WebVPN cookie
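Review bot: the two lines added after `.I KEY` are a verbatim copy of the two lines added after `.I CERT` in the `--certificate` entry; since both options take the same "file name or PKCS#11 URL" form, consider stating it once in the certificate entry and writing "as for --certificate" here, so a later wording change is not applied in only one place. The lead-in also needs a comma before "which" ("Use SSL private key KEY, which may be either ...") to read as the non-restrictive clause it is.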
.B \-m,\-\-mtu=MTU
Request
.I MTU
-from server
+from server as the MTU of the tunnel.
+.TP
+.B \-\-basemtu=MTU
+Indicate
+.I MTU
+as the path MTU between client and server on the unencrypted network. Newer
+servers will automatically calculate the MTU to be used on the tunnel from
+this value.
.TP
.B \-p,\-\-key\-password=PASS
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
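Review bot: the `--basemtu` entry says newer servers derive the tunnel MTU from this value but does not say what older servers do with it, nor which value takes effect when both `--mtu` and `--basemtu` are given; add one sentence on each, since a user who sets both will otherwise not know whether the requested tunnel MTU or the server-derived one applies.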
.EE
It is not the same as the 128\-bit UUID of the file system.
.TP
-.B \-\-key\-type=TYPE
-Type of private key file (PKCS#12, TPM or PEM)
-.TP
.B \-q,\-\-quiet
Less output
.TP
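Review bot: removing the `--key-type` entry (PKCS#12, TPM or PEM) leaves the OPTIONS section with no statement of how the private key format is now determined; add one sentence to the `-k,--sslkey` entry saying whether the type is detected from the key itself, and whether an explicit `--key-type` is still accepted for compatibility or now produces an error.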
.B \-\-authgroup=GROUP
Choose authentication login selection
.TP
+.B \-\-authenticate
+Authenticate only, and output the information needed to make the connection
+a form which can be used to set shell environment variables. When invoked with
+this option, openconnect will not make the connection, but if successful will
+output something like the following to stdout:
+.nf
+.B COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
+.B HOST=10.0.0.1
+.B FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
+.fi
+Thus, you can invoke openconnect as a non-privileged user
+.I (with access to the user's PKCS#11 tokens, etc.)
+for authentication, and then invoke openconnect separately to make the actual
+connection as root:
+.nf
+.B eval `openconnect --authenticate https://vpnserver.example.com`;
+.B [ -n "$COOKIE" ] && echo "$COOKIE" |
+.B \ \ sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
+.fi
+.TP
.B \-\-cookieonly
Fetch webvpn cookie only; don't connect
.TP
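Review bot: "output the information needed to make the connection a form which can be used" is missing a word; read "in a form which can be used to set shell environment variables". The example should also say why the cookie is piped to `--cookie-on-stdin` rather than passed as an argument: COOKIE is the session credential, and feeding it on stdin keeps it off the command line, while `eval` of the first command's stdout leaves it in the shell's environment for the rest of the session, which deserves one sentence; the `[ -n "$COOKIE" ]` guard should likewise be described as the failure check, since `eval` of empty output from an unsuccessful authentication is otherwise silent. Minor: `$HOST` is unquoted in the sudo line; write `"$HOST"` for consistency with `"$COOKIE"`.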
.B \-\-passwd\-on\-stdin
Read password from standard input
.TP
+.B \-\-stoken[=\fItoken-string\fP]
+Use libstoken to generate one-time passwords compatible with the RSA SecurID
+system (when built with libstoken support). If \fItoken-string\fP is omitted,
+libstoken will try to use the software token seed stored in \fI~/.stokenrc\fP,
+if this file exists.
+.TP
.B \-\-reconnect\-timeout
Keep reconnect attempts until so much seconds are elapsed. The default
timeout is 300 seconds, which means that openconnect can recover
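Review bot: the `--stoken` entry does not say what happens when `token-string` is omitted and `~/.stokenrc` does not exist (error, or prompt for the token), and "when built with libstoken support" is tucked into a parenthesis; state the no-seed behaviour and say up front that the option only exists in builds with libstoken. Since the text says the file holds the software token seed, one clause noting that it should be readable only by the user would also belong here.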
.I STRING
as 'User\-Agent:' field value in HTTP header.
(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
+.TP
+.B \-\-os=STRING
+OS type to report to gateway. Recognized values are: linux, linux-64, mac,
+win. Reporting a different OS type may affect the security policy applied
+to the VPN session.
+.TP
+.B \-\-dtls\-local\-port=PORT
+Use
+.I PORT
+as the local port for DTLS datagrams
.SH LIMITATIONS
Note that although IPv6 has been tested on all platforms on which
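Review bot: the `--os` entry lists the recognized values but not the value reported when the option is absent, and "may affect the security policy applied to the VPN session" is the one security-relevant sentence in the patch and is left vague; say that the gateway may choose its policy from the reported string, so the value should match the real client platform unless there is a specific reason to override it, and give the default. The `--dtls-local-port` description ending at "as the local port for DTLS datagrams" has no terminating period, unlike the neighbouring entries, and does not say what happens when that port is already in use.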