OPENCONNECT(8)              System Manager's Manual             OPENCONNECT(8)



NAME

       openconnect - Connect to Cisco AnyConnect VPN


SYNOPSIS

       openconnect [ -b,--background ] [ -c,--certificate CERT ] [ -k,--sslkey
       KEY ] [ -K,--key-type TYPE ] [ -C,--cookie COOKIE ] [ --cookie-on-stdin
       ] [ -d,--deflate ] [ -D,--no-deflate ] [ --force-dpd INTERVAL ]
       [ -g,--usergroup GROUP ] [ -h,--help ] [ -i,--interface IFNAME ]
       [ -l,--syslog ] [ -U,--setuid USER ] [ --csd-user USER ] [ -m,--mtu MTU ]
       [ -p,--key-password PASS ] [ -P,--proxy PROXYURL ] [ --no-proxy ]
       [ --libproxy ] [ --key-password-from-fsid ] [ -q,--quiet ]
       [ -Q,--queue-len LEN ] [ -s,--script SCRIPT ] [ -S,--script-tun ]
       [ -u,--user NAME ] [ -V,--version ] [ -v,--verbose ]
       [ -x,--xmlconfig CONFIG ] [ --authgroup GROUP ] [ --cookieonly ]
       [ --printcookie ] [ --cafile FILE ] [ --disable-ipv6 ]
       [ --dtls-ciphers LIST ] [ --no-cert-check ] [ --no-dtls ]
       [ --no-http-keepalive ] [ --no-passwd ] [ --passwd-on-stdin ]
       [ --reconnect-timeout TIMEOUT ] [ --servercert FINGERPRINT ]
       [ --useragent STRING ] [https://]server[:port][/group]



DESCRIPTION

       The program openconnect connects to Cisco "AnyConnect" VPN servers,
       which use standard TLS and DTLS protocols for data transport.

       The connection happens in two phases. First there is a simple HTTPS
       connection over which the user authenticates, by client certificate,
       password, SecurID token, etc. Having authenticated, the user is issued
       an HTTP cookie which is then used to make the real VPN connection. The
       cookie is a bearer credential: anyone who obtains it can open the VPN
       session without authenticating again, so output from --printcookie or
       --cookieonly must be protected like a password.

       The second phase uses that cookie in an HTTPS CONNECT request, and data
       packets can be passed over the resulting connection. In auxiliary
       headers exchanged with the CONNECT request, a Session-ID and Master
       Secret for a DTLS connection are also exchanged, which allows data
       transport over UDP to occur. Because the DTLS secret travels inside
       the TLS-protected CONNECT exchange, the UDP transport is only as well
       protected as that TLS connection, which is why the server certificate
       must be verified (see --cafile and --servercert).




OPTIONS

       -b,--background
              Continue in background after startup

       -c,--certificate=CERT
              Use SSL client certificate CERT

       -k,--sslkey=KEY
              Use SSL private key file KEY

       -C,--cookie=COOKIE
              Use WebVPN cookie COOKIE. A cookie given on the command line is
              visible to other local users in the process list; prefer
              --cookie-on-stdin.

       --cookie-on-stdin
              Read cookie from standard input

       -d,--deflate
              Enable compression (default)

       -D,--no-deflate
              Disable compression

       --force-dpd=INTERVAL
              Use INTERVAL as minimum Dead Peer Detection interval for CSTP
              and DTLS, forcing use of DPD even when the server doesn't
              request it.

       -g,--usergroup=GROUP
              Use GROUP as login UserGroup

       -h,--help
              Display help text

       -i,--interface=IFNAME
              Use IFNAME for tunnel interface

       -l,--syslog
              Use syslog for progress messages

       -U,--setuid=USER
              Drop privileges after connecting, to become user USER

       --csd-user=USER
              Drop privileges during CSD (Cisco Secure Desktop) script
              execution. This option is required when connecting to a server
              with CSD.

       -m,--mtu=MTU
              Request MTU from server

       -p,--key-password=PASS
              Provide passphrase for certificate file, or SRK (System Root
              Key) PIN for TPM. As with --cookie, a passphrase on the command
              line is visible in the process list.

       -P,--proxy=PROXYURL
              Use HTTP or SOCKS proxy for connection

       --no-proxy
              Disable use of proxy

       --libproxy
              Use libproxy to configure proxy automatically (when built with
              libproxy support)

       --key-password-from-fsid
              Passphrase for certificate file is automatically generated from
              the fsid of the file system on which it is stored. This only
              protects the key against being copied to another file system;
              anyone who can read the key file on its original file system
              can derive the passphrase.

       -K,--key-type=TYPE
              Type of private key file (PKCS#12, TPM or PEM)

       -q,--quiet
              Less output

       -Q,--queue-len=LEN
              Set packet queue limit to LEN pkts

       -s,--script=SCRIPT
              Use vpnc-compatible config script

       -S,--script-tun
              Pass traffic to 'script' program over a UNIX socket, instead of
              to a kernel tun/tap device. This allows the VPN IP traffic to be
              handled entirely in userspace, for example by a program which
              uses lwIP to provide SOCKS access into the VPN.

       -u,--user=NAME
              Set login username to NAME

       -V,--version
              Report version number

       -v,--verbose
              More output

       -x,--xmlconfig=CONFIG
              XML config file

       --authgroup=GROUP
              Choose authentication login selection

       --cookieonly
              Fetch webvpn cookie only; don't connect

       --printcookie
              Print webvpn cookie before connecting

       --cafile=FILE
              Cert file for server verification

       --disable-ipv6
              Do not advertise IPv6 capability to server

       --dtls-ciphers=LIST
              Set OpenSSL ciphers to support for DTLS

       --no-cert-check
              Do not require server SSL certificate to be valid. Checks will
              still happen and failures will cause a warning message, but the
              connection will continue anyway. With this option an attacker
              in the path to the server can present any certificate,
              terminate the TLS connection and capture both the login
              credentials and the cookie. You should not need to use this
              option -- if your servers have SSL certificates which are not
              signed by a trusted Certificate Authority, you can still add
              them (or your private CA) to a local file and use that file
              with the --cafile option, or pin the server certificate with
              --servercert.

       --no-dtls
              Disable DTLS

       --no-http-keepalive
              Version 8.2.2.5 of the Cisco ASA software has a bug where it
              will forget the client's SSL certificate when HTTP connections
              are being re-used for multiple requests. So far, this has only
              been seen on the initial connection, where the server gives an
              HTTP/1.0 redirect response with an explicit Connection:
              Keep-Alive directive. OpenConnect as of v2.22 has an
              unconditional workaround for this, which is never to obey that
              directive after an HTTP/1.0 response.

              However, Cisco's support team has failed to give any competent
              response to the bug report and we don't know under what other
              circumstances their bug might manifest itself. So this option
              exists to disable ALL re-use of HTTP sessions and cause a new
              connection to be made for each request. If your server seems not
              to be recognising your certificate, try this option. If it makes
              a difference, please report this information to the
              openconnect-devel@lists.infradead.org mailing list.

       --no-passwd
              Never attempt password (or SecurID) authentication

       --passwd-on-stdin
              Read password from standard input

       --reconnect-timeout=TIMEOUT
              Keep trying to reconnect until TIMEOUT seconds have elapsed.
              The default timeout is 300 seconds, which means that openconnect
              can recover the VPN connection after a temporary network outage
              of up to 300 seconds.

       --servercert=FINGERPRINT
              Accept the server's SSL certificate only if its SHA1 fingerprint
              matches FINGERPRINT. This pins the connection to one specific
              certificate and is the appropriate way to connect to a server
              whose certificate cannot be verified with --cafile. Obtain the
              fingerprint from the server's administrator or another trusted
              channel, not from an unverified first connection.

       --useragent=STRING
              Use STRING as 'User-Agent:' field value in HTTP header. (e.g.
              --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')


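       The following wrapper script is an added example and is not part of
       OpenConnect or its documentation. It puts together the two-phase flow
       from DESCRIPTION with the --cookieonly, --cookie-on-stdin,
       --passwd-on-stdin, --setuid and --servercert options above: the cookie
       is fetched as an unprivileged user, handed to the privileged second
       phase over stdin rather than on the command line, and the server
       certificate is pinned by fingerprint instead of using --no-cert-check.
       Assumptions not taken from this page: that --servercert compares the
       fingerprint as bare hex without colons and case-insensitively (so the
       colons in openssl(1) output are stripped), the placeholder host
       vpn.example.com, the user names, and the script file name
       vpn-connect.sh used in the run guard.

```sh
#!/bin/sh
# Added example, not OpenConnect's own code. Privilege-separated two-phase
# connection with certificate pinning. Placeholders: vpn.example.com, alice,
# nobody, VPN_PASSWORD. Assumed (not from the man page): --servercert takes
# the SHA1 fingerprint as colon-free hex and compares case-insensitively.
set -eu

SERVER=${SERVER:-vpn.example.com}
VPN_USER=${VPN_USER:-alice}

# Turn an openssl(1) "SHA1 Fingerprint=AB:CD:..." line into the colon-free
# upper-case hex string handed to --servercert.
normalize_fingerprint() {
    printf '%s\n' "$1" | sed -e 's/^SHA1 Fingerprint=//' -e 's/://g' | tr 'abcdef' 'ABCDEF'
}

# A SHA1 fingerprint is exactly 40 hex digits; anything else is a copy/paste
# error and must not be pinned. Returns 0 when valid, 1 otherwise.
valid_fingerprint() {
    case $1 in
        *[!0-9A-F]*) return 1 ;;
    esac
    [ ${#1} -eq 40 ]
}

# Fetch the leaf certificate's SHA1 fingerprint. Do this once over a path you
# trust and store the result; re-fetching on every connect defeats pinning,
# because an attacker in the path would supply the fingerprint you then pin.
fetch_fingerprint() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha1 \
        | { IFS= read -r line; normalize_fingerprint "$line"; }
}

# Phase 1, run as an unprivileged user: authenticate and print only the
# cookie. The password arrives on stdin, so neither it nor the cookie
# appears in argv where other local users could read it from ps(1).
get_cookie() {
    fp=$1
    printf '%s\n' "$VPN_PASSWORD" \
        | openconnect --cookieonly --passwd-on-stdin --user "$VPN_USER" \
              --servercert "$fp" "https://$SERVER"
}

# Phase 2, run as root: open the tunnel with the cookie from stdin, then drop
# to an unprivileged user with --setuid. The cookie is a bearer credential,
# so it is passed on stdin for the same reason as the password above.
connect_with_cookie() {
    fp=$1; cookie=$2
    printf '%s\n' "$cookie" \
        | openconnect --cookie-on-stdin --setuid nobody \
              --servercert "$fp" "https://$SERVER"
}

main() {
    fp=$(fetch_fingerprint "$SERVER")
    valid_fingerprint "$fp" || { echo "bad fingerprint: $fp" >&2; exit 1; }
    cookie=$(get_cookie "$fp")
    connect_with_cookie "$fp" "$cookie"
}

# Run only when executed as vpn-connect.sh, not when sourced for testing.
case ${0##*/} in
    vpn-connect.sh) main ;;
esac
```

       In practice phase 1 and phase 2 run under different accounts (phase 2
       needs root to create the tun device, phase 1 does not), so the cookie
       is the only thing that has to cross the privilege boundary. Compare the
       weak alternative, openconnect --no-cert-check, which accepts whatever
       certificate the peer presents and so hands both the password and the
       cookie to anyone who can intercept the connection.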

LIMITATIONS

       The openconnect client is not tested with IPv6 connectivity on OpenBSD
       or Mac OS X. A patch to the tun/tap driver is required on Solaris to
       make IPv6 work.


       Note also that the standard vpnc-script shipped with vpnc 0.5.3 is not
       capable of setting up IPv6 routes; the one from
       git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.



AUTHORS

       David Woodhouse <dwmw2@infradead.org>

