Provided by: openconnect_5.02-1_amd64 
NAME
openconnect - Connect to Cisco AnyConnect VPN
SYNOPSIS
openconnect [--config configfile] [-b,--background] [--pid-file pidfile]
[-c,--certificate cert] [-e,--cert-expire-warning days] [-k,--sslkey key]
[-C,--cookie cookie] [--cookie-on-stdin] [-d,--deflate] [-D,--no-deflate]
[--force-dpd interval] [-g,--usergroup group] [-h,--help]
[-i,--interface ifname] [-l,--syslog] [-U,--setuid user] [--csd-user user]
[-m,--mtu mtu] [--basemtu mtu] [-p,--key-password pass] [-P,--proxy proxyurl]
[--no-proxy] [--libproxy] [--key-password-from-fsid] [-q,--quiet]
[-Q,--queue-len len] [-s,--script vpnc-script] [-S,--script-tun]
[-u,--user name] [-V,--version] [-v,--verbose] [-x,--xmlconfig config]
[--authgroup group] [--authenticate] [--cookieonly] [--printcookie]
[--cafile file] [--disable-ipv6] [--dtls-ciphers list]
[--dtls-local-port port] [--dump-http-traffic] [--no-cert-check] [--no-dtls]
[--no-http-keepalive] [--no-passwd] [--no-xmlpost] [--non-inter]
[--passwd-on-stdin] [--token-mode mode] [--token-secret secret]
[--reconnect-timeout] [--servercert sha1] [--useragent string] [--os string]
[https://]server[:port][/group]
DESCRIPTION
The program openconnect connects to Cisco "AnyConnect" VPN servers, which use standard TLS
and DTLS protocols for data transport.
The connection happens in two phases. First there is a simple HTTPS connection over which
the user authenticates somehow - by using a certificate, or password or SecurID, etc.
Having authenticated, the user is rewarded with an HTTP cookie which can be used to make
the real VPN connection.
The second phase uses that cookie in an HTTPS CONNECT request, and data packets can be
passed over the resulting connection. In auxiliary headers exchanged with the CONNECT
request, a Session-ID and Master Secret for a DTLS connection are also exchanged, which
allows data transport over UDP to occur.
OPTIONS
--config=CONFIGFILE
Read further options from CONFIGFILE before continuing to process options from the
command line. The file should contain long-format options as would be accepted on
the command line, but without the two leading -- dashes. Empty lines, or lines
where the first non-space character is a # character, are ignored.
Any option except the config option may be specified in the file.
-b,--background
Continue in background after startup
--pid-file=PIDFILE
Save the pid to PIDFILE when backgrounding
-c,--certificate=CERT
Use SSL client certificate CERT which may be either a file name or, if OpenConnect
has been built with an appropriate version of GnuTLS, a PKCS#11 URL.
-e,--cert-expire-warning=DAYS
Give a warning when SSL client certificate has DAYS left before expiry
-k,--sslkey=KEY
Use SSL private key KEY which may be either a file name or, if OpenConnect has been
built with an appropriate version of GnuTLS, a PKCS#11 URL.
-C,--cookie=COOKIE
Use WebVPN cookie COOKIE
--cookie-on-stdin
Read cookie from standard input
-d,--deflate
Enable compression (default)
-D,--no-deflate
Disable compression
--force-dpd=INTERVAL
Use INTERVAL as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use
of DPD even when the server doesn't request it.
-g,--usergroup=GROUP
Use GROUP as login UserGroup
-h,--help
Display help text
-i,--interface=IFNAME
Use IFNAME for tunnel interface
-l,--syslog
Use syslog for progress messages
-U,--setuid=USER
Drop privileges after connecting, to become user USER
--csd-user=USER
Drop privileges during CSD (Cisco Secure Desktop) script execution.
--csd-wrapper=SCRIPT
Run SCRIPT instead of the CSD (Cisco Secure Desktop) script.
-m,--mtu=MTU
Request MTU from server as the MTU of the tunnel.
--basemtu=MTU
Indicate MTU as the path MTU between client and server on the unencrypted network.
Newer servers will automatically calculate the MTU to be used on the tunnel from
this value.
-p,--key-password=PASS
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
-P,--proxy=PROXYURL
Use HTTP or SOCKS proxy for connection
--no-proxy
Disable use of proxy
--libproxy
Use libproxy to configure proxy automatically (when built with libproxy support)
--key-password-from-fsid
Passphrase for certificate file is automatically generated from the fsid of the
file system on which it is stored. The fsid is obtained from the statvfs(2) or
statfs(2) system call, depending on the operating system. On a Linux or similar
system with GNU coreutils, the fsid used by this option should be equal to the
output of the command:
stat --file-system --printf=%i\\n $CERTIFICATE
It is not the same as the 128-bit UUID of the file system.
-q,--quiet
Less output
-Q,--queue-len=LEN
Set packet queue limit to LEN pkts
-s,--script=SCRIPT
Invoke SCRIPT to configure the network after connection. Without this, routing and
name service are unlikely to work correctly. The script is expected to be
compatible with the vpnc-script which is shipped with the "vpnc" VPN client. See
http://www.infradead.org/openconnect/vpnc-script.html for more information. This
version of OpenConnect is configured to use /usr/share/vpnc-scripts/vpnc-script by
default.
-S,--script-tun
Pass traffic to 'script' program over a UNIX socket, instead of to a kernel tun/tap
device. This allows the VPN IP traffic to be handled entirely in userspace, for
example by a program which uses lwIP to provide SOCKS access into the VPN.
-u,--user=NAME
Set login username to NAME
-V,--version
Report version number
-v,--verbose
More output
-x,--xmlconfig=CONFIG
XML config file
--authgroup=GROUP
Choose authentication login selection
--authenticate
Authenticate only, and output the information needed to make the connection a form
which can be used to set shell environment variables. When invoked with this
option, openconnect will not make the connection, but if successful will output
something like the following to stdout:
COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
HOST=10.0.0.1
FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
Thus, you can invoke openconnect as a non-privileged user (with access to the
user's PKCS#11 tokens, etc.) for authentication, and then invoke openconnect
separately to make the actual connection as root:
eval `openconnect --authenticate https://vpnserver.example.com`;
[ -n $COOKIE ] && echo $COOKIE |
sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
--cookieonly
Fetch webvpn cookie only; don't connect
--printcookie
Print webvpn cookie before connecting
--cafile=FILE
Cert file for server verification
--disable-ipv6
Do not advertise IPv6 capability to server
--dtls-ciphers=LIST
Set OpenSSL ciphers to support for DTLS
--dtls-local-port=PORT
Use PORT as the local port for DTLS datagrams
--dump-http-traffic
Enable verbose output of all HTTP requests and the bodies of all responses received
from the server.
--no-cert-check
Do not require server SSL certificate to be valid. Checks will still happen and
failures will cause a warning message, but the connection will continue anyway. You
should not need to use this option - if your servers have SSL certificates which
are not signed by a trusted Certificate Authority, you can still add them (or your
private CA) to a local file and use that file with the --cafile option.
--no-dtls
Disable DTLS
--no-http-keepalive
Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget the
client's SSL certificate when HTTP connections are being re-used for multiple
requests. So far, this has only been seen on the initial connection, where the
server gives an HTTP/1.0 redirect response with an explicit Connection: Keep-Alive
directive. OpenConnect as of v2.22 has an unconditional workaround for this, which
is never to obey that directive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent response to the bug
report and we don't know under what other circumstances their bug might manifest
itself. So this option exists to disable ALL re-use of HTTP sessions and cause a
new connection to be made for each request. If your server seems not to be
recognising your certificate, try this option. If it makes a difference, please
report this information to the openconnect-devel@lists.infradead.org mailing list.
--no-passwd
Never attempt password (or SecurID) authentication.
--no-xmlpost
Do not attempt to post an XML authentication/configuration request to the server;
use the old style GET method which was used by older clients and servers instead.
This option is a temporary safety net, to work around potential compatibility
issues with the code which falls back to the old method automatically. It causes
OpenConnect to behave more like older versions (4.08 and below) did. If you find
that you need to use this option, then you have found a bug in OpenConnect. Please
see http://www.infradead.org/openconnect/mail.html and report this to the
developers.
--non-inter
Do not expect user input; exit if it is required.
--passwd-on-stdin
Read password from standard input
--token-mode=MODE
Enable one-time password generation using the MODE algorithm. --token-mode=rsa
will call libstoken to generate an RSA SecurID tokencode, and --token-mode=totp
will call liboath to generate an RFC 6238 password.
--token-secret=SECRET
The secret to use when generating one-time passwords/verification codes. Base
32-encoded TOTP secrets can be used by specifying "base32:" at the beginning of the
secret. If this option is omitted, and --token-mode is "rsa", libstoken will try
to use the software token seed saved in ~/.stokenrc by the "stoken import" command.
--reconnect-timeout
Keep reconnect attempts until so much seconds are elapsed. The default timeout is
300 seconds, which means that openconnect can recover VPN connection after a
temporary network down time of 300 seconds.
--servercert=SHA1
Accept server's SSL certificate only if its fingerprint matches SHA1.
--useragent=STRING
Use STRING as 'User-Agent:' field value in HTTP header. (e.g. --useragent 'Cisco
AnyConnect VPN Agent for Windows 2.2.0133')
--os=STRING
OS type to report to gateway. Recognized values are: linux, linux-64, mac, win.
Reporting a different OS type may affect the security policy applied to the VPN
session.
LIMITATIONS
Note that although IPv6 has been tested on all platforms on which openconnect is known to
run, it depends on a suitable vpnc-script to configure the network. The standard
vpnc-script shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.
AUTHORS
David Woodhouse <dwmw2@infradead.org>
OPENCONNECT(8)