.SH NAME
openconnect \- Connect to Cisco AnyConnect VPN
.SH SYNOPSIS
-.B openconnect
-[
-.B -b,--background
-]
-[
-.B --pid-file
-.I PIDFILE
-]
-[
-.B -c,--certificate
-.I CERT
-]
-[
-.B -e,--cert-expire-warning
-.I DAYS
-]
-[
-.B -k,--sslkey
-.I KEY
-]
-[
-.B -K,--key-type
-.I TYPE
-]
-[
-.B -C,--cookie
-.I COOKIE
-]
-[
-.B --cookie-on-stdin
-]
-[
-.B -d,--deflate
-]
-[
-.B -D,--no-deflate
-]
-[
-.B --force-dpd
-.I INTERVAL
-]
-[
-.B -g,--usergroup
-.I GROUP
-]
-[
-.B -h,--help
-]
-[
-.B -i,--interface
-.I IFNAME
-]
-[
-.B -l,--syslog
-]
-[
-.B -U,--setuid
-.I USER
-]
-[
-.B --csd-user
-.I USER
-]
-[
-.B -m,--mtu
-.I MTU
-]
-[
-.B -p,--key-password
-.I PASS
-]
-[
-.B -P,--proxy
-.I PROXYURL
-]
-[
-.B --no-proxy
-]
-[
-.B --libproxy
-]
-[
-.B --key-password-from-fsid
-]
-[
-.B --key-type
-.I TYPE
-]
-[
-.B -q,--quiet
-]
-[
-.B -Q,--queue-len
-.I LEN
-]
-[
-.B -s,--script
-.I SCRIPT
-]
-[
-.B -S,--script-tun
-]
-[
-.B -u,--user
-.I NAME
-]
-[
-.B -V,--version
-]
-[
-.B -v,--verbose
-]
-[
-.B -x,--xmlconfig
-.I CONFIG
-]
-[
-.B --authgroup
-.I GROUP
-]
-[
-.B --cookieonly
-]
-[
-.B --printcookie
-]
-[
-.B --cafile
-.I FILE
-]
-[
-.B --disable-ipv6
-]
-[
-.B --dtls-ciphers
-.I LIST
-]
-[
-.B --no-cert-check
-]
-[
-.B --no-dtls
-]
-[
-.B --no-http-keepalive
-]
-[
-.B --no-passwd
-]
-[
-.B --non-inter
-]
-[
-.B --passwd-on-stdin
-]
-[
-.B --reconnect-timeout
-]
-[
-.B --servercert
-.I FINGERPRINT
-]
-[
-.B --useragent
-.I STRING
-]
-[https://]\fIserver\fR[:\fIport\fR][/\fIgroup\fR]
+.SY openconnect
+.OP \-b,\-\-background
+.OP \-\-pid\-file pidfile
+.OP \-c,\-\-certificate cert
+.OP \-e,\-\-cert\-expire\-warning days
+.OP \-k,\-\-sslkey key
+.OP \-K,\-\-key\-type type
+.OP \-C,\-\-cookie cookie
+.OP \-\-cookie\-on\-stdin
+.OP \-d,\-\-deflate
+.OP \-D,\-\-no\-deflate
+.OP \-\-force\-dpd interval
+.OP \-g,\-\-usergroup group
+.OP \-h,\-\-help
+.OP \-i,\-\-interface ifname
+.OP \-l,\-\-syslog
+.OP \-U,\-\-setuid user
+.OP \-\-csd\-user user
+.OP \-m,\-\-mtu mtu
+.OP \-p,\-\-key\-password pass
+.OP \-P,\-\-proxy proxyurl
+.OP \-\-no\-proxy
+.OP \-\-libproxy
+.OP \-\-key\-password\-from\-fsid
+.OP \-\-key\-type type
+.OP \-q,\-\-quiet
+.OP \-Q,\-\-queue\-len len
+.OP \-s,\-\-script vpnc\-script
+.OP \-S,\-\-script\-tun
+.OP \-u,\-\-user name
+.OP \-V,\-\-version
+.OP \-v,\-\-verbose
+.OP \-x,\-\-xmlconfig config
+.OP \-\-authgroup group
+.OP \-\-cookieonly
+.OP \-\-printcookie
+.OP \-\-cafile file
+.OP \-\-disable\-ipv6
+.OP \-\-dtls\-ciphers list
+.OP \-\-no\-cert\-check
+.OP \-\-no\-dtls
+.OP \-\-no\-http\-keepalive
+.OP \-\-no\-passwd
+.OP \-\-non\-inter
+.OP \-\-passwd\-on\-stdin
+.OP \-\-reconnect\-timeout
+.OP \-\-servercert sha1
+.OP \-\-useragent string
+.B [https://]\fIserver\fB[:\fIport\fB][/\fIgroup\fB]
+.YS
.SH DESCRIPTION
The program
request, and data packets can be passed over the resulting
connection. In auxiliary headers exchanged with the
.I CONNECT
-request, a Session-ID and Master Secret for a DTLS connection are also
+request, a Session\-ID and Master Secret for a DTLS connection are also
exchanged, which allows data transport over UDP to occur.
.SH OPTIONS
.TP
-.B -b,--background
+.B \-b,\-\-background
Continue in background after startup
.TP
-.B --pid-file=PIDFILE
+.B \-\-pid\-file=PIDFILE
Save the pid to
.I PIDFILE
when backgrounding
.TP
-.B -c,--certificate=CERT
+.B \-c,\-\-certificate=CERT
Use SSL client certificate
.I CERT
.TP
-.B -e,--cert-expire-warning=DAYS
+.B \-e,\-\-cert\-expire\-warning=DAYS
Give a warning when SSL client certificate has
.I DAYS
left before expiry
.TP
-.B -k,--sslkey=KEY
+.B \-k,\-\-sslkey=KEY
Use SSL private key file
.I KEY
.TP
-.B -C,--cookie=COOKIE
+.B \-C,\-\-cookie=COOKIE
Use WebVPN cookie
.I COOKIE
.TP
-.B --cookie-on-stdin
+.B \-\-cookie\-on\-stdin
Read cookie from standard input
.TP
-.B -d,--deflate
+.B \-d,\-\-deflate
Enable compression (default)
.TP
-.B -D,--no-deflate
+.B \-D,\-\-no\-deflate
Disable compression
.TP
-.B --force-dpd=INTERVAL
+.B \-\-force\-dpd=INTERVAL
Use
.I INTERVAL
as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn't request it.
.TP
-.B -g,--usergroup=GROUP
+.B \-g,\-\-usergroup=GROUP
Use
.I GROUP
as login UserGroup
.TP
-.B -h,--help
+.B \-h,\-\-help
Display help text
.TP
-.B -i,--interface=IFNAME
+.B \-i,\-\-interface=IFNAME
Use
.I IFNAME
for tunnel interface
.TP
-.B -l,--syslog
+.B \-l,\-\-syslog
Use syslog for progress messages
.TP
-.B -U,--setuid=USER
+.B \-U,\-\-setuid=USER
Drop privileges after connecting, to become user
.I USER
.TP
-.B --csd-user=USER
+.B \-\-csd\-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execution.
.TP
-.B --csd-wrapper=SCRIPT
+.B \-\-csd\-wrapper=SCRIPT
Run
.I SCRIPT
instead of the CSD (Cisco Secure Desktop) script.
.TP
-.B -m,--mtu=MTU
+.B \-m,\-\-mtu=MTU
Request
.I MTU
from server
.TP
-.B -p,--key-password=PASS
+.B \-p,\-\-key\-password=PASS
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
.TP
-.B -P,--proxy=PROXYURL
+.B \-P,\-\-proxy=PROXYURL
Use HTTP or SOCKS proxy for connection
.TP
-.B --no-proxy
+.B \-\-no\-proxy
Disable use of proxy
.TP
-.B --libproxy
+.B \-\-libproxy
Use libproxy to configure proxy automatically (when built with libproxy support)
.TP
-.B --key-password-from-fsid
+.B \-\-key\-password\-from\-fsid
Passphrase for certificate file is automatically generated from the
.I fsid
of the file system on which it is stored. The
system call, depending on the operating system. On a Linux or similar system
with GNU coreutils, the
.I fsid
-used by this option should be equal to the output of the command
-.BR "stat --file-system --printf=%i\e\en $CERTIFICATE" .
-It is not the same as the 128-bit UUID of the file system.
+used by this option should be equal to the output of the command:
+.EX
+stat \-\-file\-system \-\-printf=%i\e\en $CERTIFICATE
+.EE
+It is not the same as the 128\-bit UUID of the file system.
.TP
-.B --key-type=TYPE
+.B \-\-key\-type=TYPE
Type of private key file (PKCS#12, TPM or PEM)
.TP
-.B -q,--quiet
+.B \-q,\-\-quiet
Less output
.TP
-.B -Q,--queue-len=LEN
+.B \-Q,\-\-queue\-len=LEN
Set packet queue limit to
.I LEN
pkts
.TP
-.B -s,--script=SCRIPT
-Shell command line for using a vpnc-compatible config script
-.TP
-.B -S,--script-tun
+.B \-s,\-\-script=SCRIPT
+Invoke
+.I SCRIPT
+to configure the network after connection. Without this, routing and name
+service are unlikely to work correctly. The script is expected to be
+compatible with the
+.B vpnc\-script
+which is shipped with the "vpnc" VPN client. See
+.I http://www.infradead.org/openconnect/vpnc-script.html
+for more information.
+.TP
+.B \-S,\-\-script\-tun
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel
tun/tap device. This allows the VPN IP traffic to be handled entirely in
userspace, for example by a program which uses lwIP to provide SOCKS access
into the VPN.
.TP
-.B -u,--user=NAME
+.B \-u,\-\-user=NAME
Set login username to
.I NAME
.TP
-.B -V,--version
+.B \-V,\-\-version
Report version number
.TP
-.B -v,--verbose
+.B \-v,\-\-verbose
More output
.TP
-.B -x,--xmlconfig=CONFIG
+.B \-x,\-\-xmlconfig=CONFIG
XML config file
.TP
-.B --authgroup=GROUP
+.B \-\-authgroup=GROUP
Choose authentication login selection
.TP
-.B --cookieonly
+.B \-\-cookieonly
Fetch webvpn cookie only; don't connect
.TP
-.B --printcookie
+.B \-\-printcookie
Print webvpn cookie before connecting
.TP
-.B --cafile=FILE
+.B \-\-cafile=FILE
Cert file for server verification
.TP
-.B --disable-ipv6
+.B \-\-disable\-ipv6
Do not advertise IPv6 capability to server
.TP
-.B --dtls-ciphers=LIST
+.B \-\-dtls\-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
.TP
-.B --no-cert-check
+.B \-\-no\-cert\-check
Do not require server SSL certificate to be valid. Checks will still happen
and failures will cause a warning message, but the connection will continue
-anyway. You should not need to use this option -- if your servers have SSL
+anyway. You should not need to use this option \- if your servers have SSL
certificates which are not signed by a trusted Certificate Authority, you can
still add them (or your private CA) to a local file and use that file with the
-.B --cafile
+.B \-\-cafile
option.
.TP
-.B --no-dtls
+.B \-\-no\-dtls
Disable DTLS
.TP
-.B --no-http-keepalive
+.B \-\-no\-http\-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget
-the client's SSL certificate when HTTP connections are being re-used for
+the client's SSL certificate when HTTP connections are being re\-used for
multiple requests. So far, this has only been seen on the initial connection,
where the server gives an HTTP/1.0 redirect response with an explicit
-.B Connection: Keep-Alive
+.B Connection: Keep\-Alive
directive. OpenConnect as of v2.22 has an unconditional workaround for this,
which is never to obey that directive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent
response to the bug report and we don't know under what other
circumstances their bug might manifest itself. So this option exists
-to disable ALL re-use of HTTP sessions and cause a new connection to be
+to disable ALL re\-use of HTTP sessions and cause a new connection to be
made for each request. If your server seems not to be recognising your
certificate, try this option. If it makes a difference, please report
this information to the
-.B openconnect-devel@lists.infradead.org
+.B openconnect\-devel@lists.infradead.org
mailing list.
.TP
-.B --no-passwd
+.B \-\-no\-passwd
Never attempt password (or SecurID) authentication.
.TP
-.B --non-inter
+.B \-\-non\-inter
Do not expect user input; exit if it is required.
.TP
-.B --passwd-on-stdin
+.B \-\-passwd\-on\-stdin
Read password from standard input
.TP
-.B --reconnect-timeout
+.B \-\-reconnect\-timeout
Keep reconnect attempts until so much seconds are elapsed. The default
timeout is 300 seconds, which means that openconnect can recover
VPN connection after a temporary network down time of 300 seconds.
.TP
-.B --servercert
-Accept server's SSL certificate only if its SHA1 fingerprint matches.
+.B \-\-servercert=SHA1
+Accept server's SSL certificate only if its fingerprint matches
+.IR SHA1 .
.TP
-.B --useragent=STRING
-Use STRING as 'User-Agent:' field value in HTTP header.
-(e.g. --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
+.B \-\-useragent=STRING
+Use
+.I STRING
+as 'User\-Agent:' field value in HTTP header.
+(e.g. \-\-useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
.SH LIMITATIONS
Note that although IPv6 has been tested on all platforms on which
.B openconnect
is known to run, it depends on a suitable
-.B vpnc-script
+.B vpnc\-script
to configure the network. The standard
-.B vpnc-script
+.B vpnc\-script
shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
-.B git://git.infradead.org/users/dwmw2/vpnc-scripts.git
+.B git://git.infradead.org/users/dwmw2/vpnc\-scripts.git
will be required.
.SH AUTHORS