FreeBSD Manual Pages

OPENCONNECT(8)		    System Manager's Manual		OPENCONNECT(8)

NAME
       openconnect - Connect to Cisco AnyConnect VPN

SYNOPSIS
       openconnect [--config configfile] [-b,--background]
		   [--pid-file pidfile] [-c,--certificate cert]
		   [-e,--cert-expire-warning days] [-k,--sslkey key]
		   [-C,--cookie cookie] [--cookie-on-stdin]
		   [--compression MODE] [-d,--deflate] [-D,--no-deflate]
		   [--force-dpd interval] [-g,--usergroup group] [-h,--help]
		   [--http-auth methods] [-i,--interface ifname] [-l,--syslog]
		   [--timestamp] [--passtos] [-U,--setuid user]
		   [--csd-user user] [-m,--mtu mtu] [--base-mtu mtu]
		   [-p,--key-password pass] [-P,--proxy proxyurl]
		   [--proxy-auth methods] [--no-proxy] [--libproxy]
		   [--key-password-from-fsid] [-q,--quiet]
		   [-Q,--queue-len len] [-s,--script vpnc-script]
		   [-S,--script-tun] [-u,--user name] [-V,--version]
		   [-v,--verbose] [-x,--xmlconfig config] [--authgroup group]
		   [--authenticate] [--cookieonly] [--printcookie]
		   [--cafile file] [--disable-ipv6] [--dtls-ciphers list]
		   [--dtls-local-port port] [--dump-http-traffic]
		   [--no-system-trust] [--pfs] [--no-dtls]
		   [--no-http-keepalive] [--no-passwd] [--no-xmlpost]
		   [--non-inter] [--passwd-on-stdin] [--protocol proto]
		   [--token-mode mode]
		   [--token-secret {secret[,counter]|@file}]
		   [--reconnect-timeout] [--resolve host:ip]
		   [--servercert sha1] [--useragent string]
		   [--local-hostname string] [--os string]

DESCRIPTION
       The program openconnect connects to Cisco "AnyConnect" VPN servers,
       which use standard TLS and DTLS protocols for data transport.

       The connection happens in two phases. First there is a simple HTTPS
       connection over which the user authenticates somehow - by using a
       certificate, or password or SecurID, etc. Having authenticated, the
       user is rewarded with an HTTP cookie which can be used to make the
       real VPN connection.

       The second phase uses that cookie in an HTTPS CONNECT request, and data
       packets can be passed over the resulting connection. In auxiliary
       headers exchanged with the CONNECT request, a Session-ID and Master
       Secret for a DTLS connection are also exchanged, which allows data
       transport over UDP to occur.

OPTIONS
       --config=CONFIGFILE
	      Read further options from CONFIGFILE before continuing to
	      process options from the command line. The file should contain
	      long-format options as would be accepted on the command line,
	      but without the two leading -- dashes. Empty lines, or lines
	      where the first non-space character is a # character, are
	      ignored.

	      Any option except the config option may be specified in the
	      file.

       -b,--background
	      Continue in background after startup

       --pid-file=PIDFILE
	      Save the pid to PIDFILE when backgrounding

       -c,--certificate=CERT
	      Use SSL client certificate CERT which may be either a file name
	      or, if OpenConnect has been built with an appropriate version of
	      GnuTLS, a PKCS#11 URL.

       -e,--cert-expire-warning=DAYS
	      Give a warning when SSL client certificate has DAYS left before
	      expiry

       -k,--sslkey=KEY
	      Use SSL private key KEY which may be either a file name or, if
	      OpenConnect has been built with an appropriate version of
	      GnuTLS, a PKCS#11 URL.

       -C,--cookie=COOKIE
	      Use WebVPN cookie COOKIE

       --cookie-on-stdin
	      Read cookie from standard input.

       -d,--deflate
	      Enable all compression, including stateful modes. By default,
	      only stateless compression algorithms are enabled.

       -D,--no-deflate
	      Disable all compression.

       --compression=MODE
	      Set compression mode, where MODE is one of stateless, none, or
	      all.

	      By default, only stateless compression algorithms which do not
	      maintain state from one packet to the next (and which can be
	      used on UDP transports) are enabled. By setting the mode to all,
	      stateful algorithms (currently only zlib deflate) can be
	      enabled. Or all compression can be disabled by setting the mode
	      to none.

       --force-dpd=INTERVAL
	      Use INTERVAL as minimum Dead Peer Detection interval for CSTP
	      and DTLS, forcing use of DPD even when the server doesn't
	      request it.

       -g,--usergroup=GROUP
	      Use GROUP as login UserGroup

       -h,--help
	      Display help text

       --http-auth=METHODS
	      Use only the specified methods for HTTP authentication to a
	      server. By default, only Negotiate, NTLM and Digest
	      authentication are enabled. Basic authentication is also
	      supported but because it is insecure it must be explicitly
	      enabled. The argument is a comma-separated list of methods to be
	      enabled. Note that the order does not matter: OpenConnect will
	      use Negotiate, NTLM, Digest and Basic authentication in that
	      order, if each is enabled, regardless of the order specified in
	      the METHODS string.

       -i,--interface=IFNAME
	      Use IFNAME for tunnel interface

       -l,--syslog
	      Use syslog for progress messages

       --timestamp
	      Prepend a timestamp to each progress message

       --passtos
	      Copy TOS / TCLASS of payload packet into DTLS packets.

       -U,--setuid=USER
	      Drop privileges after connecting, to become user USER

       --csd-user=USER
	      Drop privileges during CSD (Cisco Secure Desktop) script
	      execution.

       --csd-wrapper=SCRIPT
	      Run SCRIPT instead of the CSD (Cisco Secure Desktop) script.

       -m,--mtu=MTU
	      Request MTU from server as the MTU of the tunnel.

       --base-mtu=MTU
	      Indicate MTU as the path MTU between client and server on the
	      unencrypted network. Newer servers will automatically calculate
	      the MTU to be used on the tunnel from this value.

       -p,--key-password=PASS
	      Provide passphrase for certificate file, or SRK (System Root
	      Key) PIN for TPM

       -P,--proxy=PROXYURL
	      Use HTTP or SOCKS proxy for connection. A username and password
	      can be provided in the given URL, and will be used for
	      authentication. If authentication is required but no credentials
	      are given, GSSAPI and automatic NTLM authentication using Samba's
	      ntlm_auth helper tool may be attempted.

       --proxy-auth=METHODS
	      Use only the specified methods for HTTP authentication to a
	      proxy. By default, only Negotiate, NTLM and Digest
	      authentication are enabled. Basic authentication is also
	      supported but because it is insecure it must be explicitly
	      enabled. The argument is a comma-separated list of methods to be
	      enabled. Note that the order does not matter: OpenConnect will
	      use Negotiate, NTLM, Digest and Basic authentication in that
	      order, if each is enabled, regardless of the order specified in
	      the METHODS string.

       --no-proxy
	      Disable use of proxy

       --libproxy
	      Use libproxy to configure proxy automatically (when built with
	      libproxy support)

       --key-password-from-fsid
	      Passphrase for certificate file is automatically generated from
	      the fsid of the file system on which it is stored. The fsid is
	      obtained from the statvfs(2) or statfs(2) system call, depending
	      on the operating system. On a Linux or similar system with GNU
	      coreutils, the fsid used by this option should be equal to the
	      output of the command:

	      stat --file-system --printf='%i\n' "$CERTIFICATE"

	      It is not the same as the 128-bit UUID of the file system.

       -q,--quiet
	      Less output

       -Q,--queue-len=LEN
	      Set packet queue limit to LEN pkts

       -s,--script=SCRIPT
	      Invoke SCRIPT to configure the network after connection. Without
	      this, routing and name service are unlikely to work correctly.
	      The script is expected to be compatible with the vpnc-script
	      which is shipped with the "vpnc" VPN client. See for more
	      information. This version of OpenConnect is configured to use
	      /usr/local/sbin/vpnc-script by default.

	      On Windows, a relative directory for the default script will be
	      handled as starting from the directory that the openconnect
	      executable is running from, rather than the current directory.
	      The script will be invoked with the command-based script host

       -S,--script-tun
	      Pass traffic to 'script' program over a UNIX socket, instead of
	      to a kernel tun/tap device. This allows the VPN IP traffic to be
	      handled entirely in userspace, for example by a program which
	      uses lwIP to provide SOCKS access into the VPN.

       -u,--user=NAME
	      Set login username to NAME

       -V,--version
	      Report version number

       -v,--verbose
	      More output (may be specified multiple times for additional
	      output)

       -x,--xmlconfig=CONFIG
	      XML config file

       --authgroup=GROUP
	      Choose authentication login selection

       --authenticate
	      Authenticate only, and output the information needed to make the
	      connection in a form which can be used to set shell environment
	      variables. When invoked with this option, openconnect will not
	      make the connection, but if successful will output something
	      like the following to stdout:

	      Thus, you can invoke openconnect as a non-privileged user (with
	      access to the user's PKCS#11 tokens, etc.) for authentication,
	      and then invoke openconnect separately to make the actual
	      connection as root:

	      eval "$(openconnect --authenticate)";
	      [ -n "$COOKIE" ] && echo "$COOKIE" |
		sudo openconnect --cookie-on-stdin "$HOST" --servercert "$FINGERPRINT"

       --cookieonly
	      Fetch webvpn cookie only; don't connect

       --printcookie
	      Print webvpn cookie before connecting

       --cafile=FILE
	      Cert file for server verification

       --disable-ipv6
	      Do not advertise IPv6 capability to server

       --dtls-ciphers=LIST
	      Set OpenSSL ciphers to support for DTLS

       --dtls-local-port=PORT
	      Use PORT as the local port for DTLS datagrams

       --dump-http-traffic
	      Enable verbose output of all HTTP requests and the bodies of all
	      responses received from the server.

       --no-system-trust
	      Do not trust the system default certificate authorities. If this
	      option is given, only certificate authorities given with the
	      --cafile option, if any, will be trusted automatically.

       --pfs  Enforces Perfect Forward Secrecy (PFS). That ensures that if the
	      server's long-term key is compromised, any session keys
	      established before the compromise will be unaffected. If this
	      option is provided and the server does not support PFS in the
	      TLS channel the connection will fail.

	      PFS is available in Cisco ASA releases 9.1(2) and higher; a
	      suitable cipher suite may need to be manually enabled by the
	      administrator using the ssl encryption setting.

       --no-dtls
	      Disable DTLS

       --no-http-keepalive
	      Version of the Cisco ASA software has a bug where it will forget
	      the client's SSL certificate when HTTP connections are being
	      re-used for multiple requests. So far, this has only been seen
	      on the initial connection, where the server gives an HTTP/1.0
	      redirect response with an explicit Connection: Keep-Alive
	      directive. OpenConnect as of v2.22 has an unconditional
	      workaround for this, which is never to obey that directive after
	      an HTTP/1.0 response.

	      However, Cisco's support team has failed to give any competent
	      response to the bug report and we don't know under what other
	      circumstances their bug might manifest itself. So this option
	      exists to disable ALL re-use of HTTP sessions and cause a new
	      connection to be made for each request. If your server seems not
	      to be recognising your certificate, try this option. If it makes
	      a difference, please report this information to the openconnect
	      mailing list.

       --no-passwd
	      Never attempt password (or SecurID) authentication.

       --no-xmlpost
	      Do not attempt to post an XML authentication/configuration
	      request to the server; use the old style GET method which was
	      used by older clients and servers instead.

	      This option is a temporary safety net, to work around potential
	      compatibility issues with the code which falls back to the old
	      method automatically. It causes OpenConnect to behave more like
	      older versions (4.08 and below) did. If you find that you need
	      to use this option, then you have found a bug in OpenConnect.
	      Please see and report this to the developers.

       --non-inter
	      Do not expect user input; exit if it is required.

       --passwd-on-stdin
	      Read password from standard input

       --protocol=PROTO
	      Select VPN protocol PROTO to be used for the connection.
	      Supported protocols are anyconnect for Cisco AnyConnect (the
	      default), and nc for experimental support for Juniper Network
	      Connect (also supported by Junos Pulse servers).

       --token-mode=MODE
	      Enable one-time password generation using the MODE algorithm.
	      --token-mode=rsa will call libstoken to generate an RSA SecurID
	      tokencode, --token-mode=totp will call liboath to generate an
	      RFC 6238 time-based password, and --token-mode=hotp will call
	      liboath to generate an RFC 4226 HMAC-based password. Yubikey
	      tokens which generate OATH codes in hardware are supported with
       --token-secret={ SECRET[,COUNTER] | @FILENAME }
	      The secret to use when generating one-time passwords/verification
	      codes. Base32-encoded TOTP/HOTP secrets can be used by
	      specifying "base32:" at the beginning of the secret, and for
	      HOTP secrets the token counter can be specified following a
	      comma.

	      RSA SecurID secrets can be specified as an Android/iPhone URI or
	      a raw numeric CTF string (with or without dashes).

	      For Yubikey OATH the token secret specifies the name of the
	      credential to be used. If not provided, the first OATH credential
	      found on the device will be used.

	      FILENAME, if specified, can contain any of the above strings.
	      Or, it can contain a SecurID XML (SDTID) seed.

	      If this option is omitted, and --token-mode is "rsa", libstoken
	      will try to use the software token seed saved in ~/.stokenrc by
	      the "stoken import" command.

       --reconnect-timeout
	      Keep attempting to reconnect until the given number of seconds
	      has elapsed. The default timeout is 300 seconds, which means
	      that openconnect can recover the VPN connection after a
	      temporary network down time of up to 300 seconds.

       --resolve=HOST:IP
	      Automatically resolve the hostname HOST to IP instead of using
	      the normal resolver to look it up.

       --servercert=HASH
	      Accept server's SSL certificate only if the provided fingerprint
	      matches. The allowed fingerprint types are SHA1, and SHA256.
	      They are distinguished by the 'sha1:' or 'sha256:' prefixes to
	      the hex encoded hash. To ease certain testing use-cases, a
	      partial match of the hash will also be accepted, if it is at
	      least 4 characters.

       --useragent=STRING
	      Use STRING as 'User-Agent:' field value in HTTP header. (e.g.
	      --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')

       --local-hostname=STRING
	      Use STRING as 'X-CSTP-Hostname:' field value in HTTP header. For
	      example --local-hostname 'mypc', will advertise the value 'mypc'
	      as the suggested hostname to point to the provided IP address.

       --os=STRING
	      OS type to report to gateway. Recognized values are: linux,
	      linux-64, win, mac-intel, android, apple-ios. Reporting a
	      different OS type may affect the dynamic access policy (DAP)
	      applied to the VPN session. If the gateway requires CSD, it will
	      also cause the corresponding CSD trojan binary to be downloaded,
	      so you may need to use --csd-wrapper if this code is not
	      executable on the local machine.
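The --token-mode=totp / --token-mode=hotp and --token-secret options above describe what liboath does for openconnect. The following Python is an added example written for this page (it is not openconnect's or liboath's code): it parses a --token-secret style argument (a "base32:" prefixed secret, an optional ",COUNTER" for HOTP, or "@FILENAME") and generates the RFC 4226 HOTP and RFC 6238 TOTP codes from it. Two assumptions are specific to this example: a secret without the "base32:" prefix is treated as hex, and codes use HMAC-SHA1 with 6 digits and a 30-second step, the common defaults.

```python
import base64
import hashlib
import hmac
import struct
import time


def decode_secret(secret_field):
    """Turn the SECRET part of a --token-secret argument into raw key bytes.

    'base32:' prefixed secrets are base32 (padding is restored if absent).
    Anything else is treated as hex; that is an assumption of this example.
    """
    if secret_field.startswith("base32:"):
        b32 = secret_field[len("base32:"):].replace(" ", "").upper()
        b32 += "=" * ((8 - len(b32) % 8) % 8)
        return base64.b32decode(b32)
    return bytes.fromhex(secret_field)


def parse_token_secret(arg):
    """Parse 'SECRET[,COUNTER]' or '@FILENAME' into (key_bytes, counter).

    counter is None when no HOTP counter was given.
    """
    if arg.startswith("@"):
        # @FILENAME: the file holds the same SECRET[,COUNTER] string.
        with open(arg[1:], encoding="ascii") as fh:
            arg = fh.read().strip()
    secret_field, _, counter_field = arg.partition(",")
    key = decode_secret(secret_field.strip())
    counter = int(counter_field) if counter_field.strip() else None
    return key, counter


def hotp(key, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(key, at=None, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the Unix time divided by the time step."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def generate_code(arg, mode, at=None, digits=6):
    """Produce the code that would be submitted for --token-mode=MODE.

    Returns (code, next_counter); next_counter is None for TOTP. For HOTP the
    caller must persist next_counter: re-using a counter produces a code the
    server has already consumed, which it will reject as a replay.
    """
    key, counter = parse_token_secret(arg)
    if mode == "hotp":
        counter = 0 if counter is None else counter
        return hotp(key, counter, digits), counter + 1
    if mode == "totp":
        return totp(key, at=at, digits=digits), None
    raise ValueError(f"unsupported token mode: {mode}")


if __name__ == "__main__":
    # Constructed input: the RFC 4226/6238 test key "12345678901234567890" in base32.
    sample = "base32:GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ,0"
    print("HOTP", generate_code(sample, "hotp"))
    print("TOTP", generate_code(sample, "totp"))
```

The code is verifiable against the published test vectors: the RFC 4226 key yields 755224 for counter 0, and the RFC 6238 SHA-1 vectors (94287082 at T=59 with 8 digits) fall out of the same hotp() routine, which is why TOTP is only a thin wrapper over HOTP.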
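The --authenticate and --servercert descriptions together give the privilege-separated way to connect: authenticate as an unprivileged user, then hand only the cookie, host and pinned fingerprint to a root openconnect. The eval-based shell snippet under --authenticate does this but trusts whatever it evaluates. The following Python is an added wrapper written for this page (not openconnect's own code) showing the checks a practitioner would want around that step: it parses the --authenticate output (assumed here to be shell-style KEY=value lines, which is what the eval example relies on), insists on a full-length sha1: or sha256: fingerprint rather than the 4-character partial match the option accepts for testing, and feeds the cookie on stdin so it never appears in the process list. The sample output and the host name are constructed placeholders.

```python
import re
import shlex
import subprocess

# Full hex length of each fingerprint type --servercert accepts.
FINGERPRINT_HEX_LENGTH = {"sha1": 40, "sha256": 64}


def check_servercert(value, allow_partial=False):
    """Validate a --servercert value; return it normalised, or None if unusable.

    openconnect accepts a partial hash of 4+ characters to ease testing; a
    production wrapper should demand the full digest, since a short prefix
    is far cheaper to collide than the whole hash.
    """
    algo, sep, hexpart = value.partition(":")
    algo, hexpart = algo.lower(), hexpart.lower()
    if not sep or algo not in FINGERPRINT_HEX_LENGTH:
        return None
    if not re.fullmatch(r"[0-9a-f]+", hexpart):
        return None
    full = FINGERPRINT_HEX_LENGTH[algo]
    if len(hexpart) == full or (allow_partial and 4 <= len(hexpart) < full):
        return f"{algo}:{hexpart}"
    return None


def parse_authenticate_output(text):
    """Parse the variables printed by 'openconnect --authenticate'.

    Assumed format: one shell assignment per line, values possibly quoted.
    Unlike eval, nothing here is executed, so a hostile value cannot run code.
    """
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, raw = line.partition("=")
        if not sep or not re.fullmatch(r"[A-Z_][A-Z0-9_]*", key):
            continue
        words = shlex.split(raw)
        env[key] = words[0] if words else ""
    return env


def build_connect_command(env, require_full_fingerprint=True):
    """Build the privileged second-phase command. Returns (argv, cookie).

    The cookie is deliberately kept out of argv (it is sent on stdin via
    --cookie-on-stdin), so other local users cannot read it from ps.
    """
    for needed in ("COOKIE", "HOST", "FINGERPRINT"):
        if not env.get(needed):
            raise ValueError(f"--authenticate output lacks {needed}")
    fp = check_servercert(env["FINGERPRINT"],
                          allow_partial=not require_full_fingerprint)
    if fp is None:
        raise ValueError(f"refusing fingerprint {env['FINGERPRINT']!r}")
    argv = ["sudo", "openconnect", "--cookie-on-stdin",
            "--servercert", fp, env["HOST"]]
    return argv, env["COOKIE"]


def connect(env):
    """Run the second phase as root; returns openconnect's exit status."""
    argv, cookie = build_connect_command(env)
    return subprocess.run(argv, input=cookie + "\n", text=True).returncode


# Constructed sample of --authenticate output; every value is a placeholder.
SAMPLE_AUTH_OUTPUT = """\
COOKIE='webvpn=constructed-sample-cookie'
HOST='vpn.example.com'
FINGERPRINT='sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
"""

if __name__ == "__main__":
    # Phase one would be: subprocess.run(["openconnect", "--authenticate", host], ...)
    argv, _cookie = build_connect_command(parse_authenticate_output(SAMPLE_AUTH_OUTPUT))
    print("would run:", " ".join(shlex.quote(a) for a in argv))
```

Setting require_full_fingerprint=False restores the manual's testing behaviour (any 4+ hex character prefix); leave it at the default for anything that connects to a real gateway.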

SIGNALS
       In the data phase of the connection, the following signals are handled:

       SIGINT performs a clean shutdown by logging the session off,
	      disconnecting from the gateway, and running the vpnc-script to
	      restore the network configuration.

       SIGHUP disconnects from the gateway and runs the vpnc-script, but does
	      not log the session off; this allows for reconnection later
	      using --cookie.

	      forces an immediate disconnection and reconnection; this can be
	      used to quickly recover from LAN IP address changes.

	      exits immediately without logging off or running vpnc-script.

LIMITATIONS
       Note that although IPv6 has been tested on all platforms on which
       openconnect is known to run, it depends on a suitable vpnc-script to
       configure the network. The standard vpnc-script shipped with vpnc 0.5.3
       is not capable of setting up IPv6 routes; the one from git:// will be
       required.

AUTHORS
       David Woodhouse <>


