NAME¶
openconnect - Connect to Cisco AnyConnect VPN
SYNOPSIS¶
[
--config configfile]
[
-b,--background]
[
--pid-file pidfile]
[
-c,--certificate cert]
[
-e,--cert-expire-warning days]
[
-k,--sslkey key]
[
-K,--key-type type]
[
-C,--cookie cookie]
[
--cookie-on-stdin]
[
-d,--deflate]
[
-D,--no-deflate]
[
--force-dpd interval]
[
-g,--usergroup group]
[
-h,--help]
[
-i,--interface ifname]
[
-l,--syslog]
[
-U,--setuid user]
[
--csd-user user]
[
-m,--mtu mtu]
[
-p,--key-password pass]
[
-P,--proxy proxyurl]
[
--no-proxy]
[
--libproxy]
[
--key-password-from-fsid]
[
--key-type type]
[
-q,--quiet]
[
-Q,--queue-len len]
[
-s,--script vpnc-script]
[
-S,--script-tun]
[
-u,--user name]
[
-V,--version]
[
-v,--verbose]
[
-x,--xmlconfig config]
[
--authgroup group]
[
--cookieonly]
[
--printcookie]
[
--cafile file]
[
--disable-ipv6]
[
--dtls-ciphers list]
[
--no-cert-check]
[
--no-dtls]
[
--no-http-keepalive]
[
--no-passwd]
[
--non-inter]
[
--passwd-on-stdin]
[
--reconnect-timeout]
[
--servercert sha1]
[
--useragent string]
[https://]server
[:port][/group]
DESCRIPTION¶
The program
openconnect connects to Cisco "AnyConnect" VPN
servers, which use standard TLS and DTLS protocols for data transport.
The connection happens in two phases. First there is a simple HTTPS connection
over which the user authenticates somehow - by using a certificate, or
password or SecurID, etc. Having authenticated, the user is rewarded with an
HTTP cookie which can be used to make the real VPN connection.
The second phase uses that cookie in an HTTPS
CONNECT request, and data
packets can be passed over the resulting connection. In auxiliary headers
exchanged with the
CONNECT request, a Session-ID and Master Secret for
a DTLS connection are also exchanged, which allows data transport over UDP to
occur.
OPTIONS¶
- --config=CONFIGFILE
- Read further options from CONFIGFILE before
continuing to process options from the command line. The file should
contain long-format options as would be accepted on the command line, but
without the two leading -- dashes. Empty lines, or lines where the first
non-space character is a # character, are ignored.
Any option except the config option may be specified in the
file.
- -b,--background
- Continue in background after startup
- --pid-file=PIDFILE
- Save the pid to PIDFILE when backgrounding
- -c,--certificate=CERT
- Use SSL client certificate CERT
- -e,--cert-expire-warning=DAYS
- Give a warning when SSL client certificate has DAYS
left before expiry
- -k,--sslkey=KEY
- Use SSL private key file KEY
- -C,--cookie=COOKIE
- Use WebVPN cookie COOKIE
- --cookie-on-stdin
- Read cookie from standard input
- -d,--deflate
- Enable compression (default)
- -D,--no-deflate
- Disable compression
- --force-dpd=INTERVAL
- Use INTERVAL as minimum Dead Peer Detection interval
for CSTP and DTLS, forcing use of DPD even when the server doesn't request
it.
- -g,--usergroup=GROUP
- Use GROUP as login UserGroup
- -h,--help
- Display help text
- -i,--interface=IFNAME
- Use IFNAME for tunnel interface
- -l,--syslog
- Use syslog for progress messages
- -U,--setuid=USER
- Drop privileges after connecting, to become user
USER
- --csd-user=USER
- Drop privileges during CSD (Cisco Secure Desktop) script
execution.
- --csd-wrapper=SCRIPT
- Run SCRIPT instead of the CSD (Cisco Secure Desktop)
script.
- -m,--mtu=MTU
- Request MTU from server
- -p,--key-password=PASS
- Provide passphrase for certificate file, or SRK (System
Root Key) PIN for TPM
- -P,--proxy=PROXYURL
- Use HTTP or SOCKS proxy for connection
- --no-proxy
- Disable use of proxy
- --libproxy
- Use libproxy to configure proxy automatically (when built
with libproxy support)
- --key-password-from-fsid
- Passphrase for certificate file is automatically generated
from the fsid of the file system on which it is stored. The
fsid is obtained from the statvfs(2) or statfs(2)
system call, depending on the operating system. On a Linux or similar
system with GNU coreutils, the fsid used by this option should be
equal to the output of the command:
stat --file-system --printf=%i\\n $CERTIFICATE
It is not the same as the 128-bit UUID of the file system.
- --key-type=TYPE
- Type of private key file (PKCS#12, TPM or PEM)
- -q,--quiet
- Less output
- -Q,--queue-len=LEN
- Set packet queue limit to LEN pkts
- -s,--script=SCRIPT
- Invoke SCRIPT to configure the network after
connection. Without this, routing and name service are unlikely to work
correctly. The script is expected to be compatible with the
vpnc-script which is shipped with the "vpnc" VPN client.
See http://www.infradead.org/openconnect/vpnc-script.html for more
information. This version of OpenConnect is configured to use
/usr/share/vpnc-scripts/vpnc-script by default.
- -S,--script-tun
- Pass traffic to 'script' program over a UNIX socket,
instead of to a kernel tun/tap device. This allows the VPN IP traffic to
be handled entirely in userspace, for example by a program which uses lwIP
to provide SOCKS access into the VPN.
- -u,--user=NAME
- Set login username to NAME
- -V,--version
- Report version number
- -v,--verbose
- More output
- -x,--xmlconfig=CONFIG
- XML config file
- --authgroup=GROUP
- Choose authentication login selection
- --cookieonly
- Fetch webvpn cookie only; don't connect
- --printcookie
- Print webvpn cookie before connecting
- --cafile=FILE
- Cert file for server verification
- --disable-ipv6
- Do not advertise IPv6 capability to server
- --dtls-ciphers=LIST
- Set OpenSSL ciphers to support for DTLS
- --no-cert-check
- Do not require server SSL certificate to be valid. Checks
will still happen and failures will cause a warning message, but the
connection will continue anyway. You should not need to use this option -
if your servers have SSL certificates which are not signed by a trusted
Certificate Authority, you can still add them (or your private CA) to a
local file and use that file with the --cafile option.
- --no-dtls
- Disable DTLS
- --no-http-keepalive
- Version 8.2.2.5 of the Cisco ASA software has a bug where
it will forget the client's SSL certificate when HTTP connections are
being re-used for multiple requests. So far, this has only been seen on
the initial connection, where the server gives an HTTP/1.0 redirect
response with an explicit Connection: Keep-Alive directive.
OpenConnect as of v2.22 has an unconditional workaround for this, which is
never to obey that directive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent response to
the bug report and we don't know under what other circumstances their bug
might manifest itself. So this option exists to disable ALL re-use of HTTP
sessions and cause a new connection to be made for each request. If your
server seems not to be recognising your certificate, try this option. If
it makes a difference, please report this information to the
openconnect-devel@lists.infradead.org mailing list.
- --no-passwd
- Never attempt password (or SecurID) authentication.
- --non-inter
- Do not expect user input; exit if it is required.
- --passwd-on-stdin
- Read password from standard input
- --reconnect-timeout
- Keep reconnect attempts until so much seconds are elapsed.
The default timeout is 300 seconds, which means that openconnect can
recover VPN connection after a temporary network down time of 300
seconds.
- --servercert=SHA1
- Accept server's SSL certificate only if its fingerprint
matches SHA1.
- --useragent=STRING
- Use STRING as 'User-Agent:' field value in HTTP
header. (e.g. --useragent 'Cisco AnyConnect VPN Agent for Windows
2.2.0133')
LIMITATIONS¶
Note that although IPv6 has been tested on all platforms on which
openconnect is known to run, it depends on a suitable
vpnc-script to configure the network. The standard
vpnc-script
shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from
git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.
AUTHORS¶
David Woodhouse <dwmw2@infradead.org>
