openconnect − Connect to Cisco AnyConnect VPN
[−−config configfile] [−b,−−background] [−−pid−file pidfile] [−c,−−certificate cert] [−e,−−cert−expire−warning days] [−k,−−sslkey key] [−C,−−cookie cookie] [−−cookie−on−stdin] [−d,−−deflate] [−D,−−no−deflate] [−−force−dpd interval] [−g,−−usergroup group] [−h,−−help] [−i,−−interface ifname] [−l,−−syslog] [−U,−−setuid user] [−−csd−user user] [−m,−−mtu mtu] [−−basemtu mtu] [−p,−−key−password pass] [−P,−−proxy proxyurl] [−−no−proxy] [−−libproxy] [−−key−password−from−fsid] [−q,−−quiet] [−Q,−−queue−len len] [−s,−−script vpnc−script] [−S,−−script−tun] [−u,−−user name] [−V,−−version] [−v,−−verbose] [−x,−−xmlconfig config] [−−authgroup group] [−−authenticate] [−−cookieonly] [−−printcookie] [−−cafile file] [−−disable−ipv6] [−−dtls−ciphers list] [−−dtls−local−port port] [−−no−cert−check] [−−no−dtls] [−−no−http−keepalive] [−−no−passwd] [−−non−inter] [−−passwd−on−stdin] [−−stoken[=token-string]] [−−reconnect−timeout] [−−servercert sha1] [−−useragent string] [−−os string] [https://]server[:port][/group]
The program openconnect connects to Cisco "AnyConnect" VPN servers, which use standard TLS and DTLS protocols for data transport.
The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow − by using a certificate, or password or SecurID, etc. Having authenticated, the user is rewarded with an HTTP cookie which can be used to make the real VPN connection.
The second phase uses that cookie in an HTTPS CONNECT request, and data packets can be passed over the resulting connection. In auxiliary headers exchanged with the CONNECT request, a Session−ID and Master Secret for a DTLS connection are also exchanged, which allows data transport over UDP to occur.
Read further options from CONFIGFILE before continuing to process options from the command line. The file should contain long-format options as would be accepted on the command line, but without the two leading −− dashes. Empty lines, or lines where the first non-space character is a # character, are ignored.
Any option except the config option may be specified in the file.
Continue in background after startup
Save the pid to PIDFILE when backgrounding
Use SSL client certificate CERT which may be either a file name or, if OpenConnect has been built with an appropriate version of GnuTLS, a PKCS#11 URL.
Give a warning when SSL client certificate has DAYS left before expiry
Use SSL private key KEY which may be either a file name or, if OpenConnect has been built with an appropriate version of GnuTLS, a PKCS#11 URL.
Use WebVPN cookie COOKIE
Read cookie from standard input
Enable compression (default)
Use INTERVAL as minimum Dead Peer Detection interval for CSTP and DTLS, forcing use of DPD even when the server doesn’t request it.
Use GROUP as login UserGroup
Display help text
Use IFNAME for tunnel interface
Use syslog for progress messages
Drop privileges after connecting, to become user USER
Drop privileges during CSD (Cisco Secure Desktop) script execution.
Run SCRIPT instead of the CSD (Cisco Secure Desktop) script.
Request MTU from server as the MTU of the tunnel.
Indicate MTU as the path MTU between client and server on the unencrypted network. Newer servers will automatically calculate the MTU to be used on the tunnel from this value.
Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
Use HTTP or SOCKS proxy for connection
Disable use of proxy
Use libproxy to configure proxy automatically (when built with libproxy support)
Passphrase for certificate file is automatically generated from the fsid of the file system on which it is stored. The fsid is obtained from the statvfs(2) or statfs(2) system call, depending on the operating system. On a Linux or similar system with GNU coreutils, the fsid used by this option should be equal to the output of the command:
stat −−file−system −−printf=%i\\n $CERTIFICATE
It is not the same as the 128−bit UUID of the file system.
Set packet queue limit to LEN pkts
Invoke SCRIPT to configure the network after connection. Without this, routing and name service are unlikely to work correctly. The script is expected to be compatible with the vpnc−script which is shipped with the "vpnc" VPN client. See http://www.infradead.org/openconnect/vpnc-script.html for more information. This version of OpenConnect is configured to use /etc/vpnc/vpnc-script by default.
Pass traffic to ’script’ program over a UNIX socket, instead of to a kernel tun/tap device. This allows the VPN IP traffic to be handled entirely in userspace, for example by a program which uses lwIP to provide SOCKS access into the VPN.
Set login username to NAME
Report version number
XML config file
Choose authentication login selection
Authenticate only, and output
the information needed to make the connection a form which
can be used to set shell environment variables. When invoked
with this option, openconnect will not make the connection,
but if successful will output something like the following
Thus, you can invoke openconnect as a non-privileged user (with access to the user’s PKCS#11 tokens, etc.) for authentication, and then invoke openconnect separately to make the actual connection as root:
eval ‘openconnect --authenticate https://vpnserver.example.com‘;
[ -n $COOKIE ] && echo $COOKIE |
sudo openconnect --cookie-on-stdin $HOST --servercert $FINGERPRINT
Fetch webvpn cookie only; don’t connect
Print webvpn cookie before connecting
Cert file for server verification
Do not advertise IPv6 capability to server
Set OpenSSL ciphers to support for DTLS
Do not require server SSL certificate to be valid. Checks will still happen and failures will cause a warning message, but the connection will continue anyway. You should not need to use this option − if your servers have SSL certificates which are not signed by a trusted Certificate Authority, you can still add them (or your private CA) to a local file and use that file with the −−cafile option.
Version 126.96.36.199 of the Cisco ASA software has a bug where it will forget the client’s SSL certificate when HTTP connections are being re−used for multiple requests. So far, this has only been seen on the initial connection, where the server gives an HTTP/1.0 redirect response with an explicit Connection: Keep−Alive directive. OpenConnect as of v2.22 has an unconditional workaround for this, which is never to obey that directive after an HTTP/1.0 response.
However, Cisco’s support team has failed to give any competent response to the bug report and we don’t know under what other circumstances their bug might manifest itself. So this option exists to disable ALL re−use of HTTP sessions and cause a new connection to be made for each request. If your server seems not to be recognising your certificate, try this option. If it makes a difference, please report this information to the openconnect−email@example.com mailing list.
Never attempt password (or SecurID) authentication.
Do not expect user input; exit if it is required.
Read password from standard input
Use libstoken to generate one-time passwords compatible with the RSA SecurID system (when built with libstoken support). If token-string is omitted, libstoken will try to use the software token seed stored in ~/.stokenrc, if this file exists.
Keep reconnect attempts until so much seconds are elapsed. The default timeout is 300 seconds, which means that openconnect can recover VPN connection after a temporary network down time of 300 seconds.
Accept server’s SSL certificate only if its fingerprint matches SHA1.
Use STRING as ’User−Agent:’ field value in HTTP header. (e.g. −−useragent ’Cisco AnyConnect VPN Agent for Windows 2.2.0133’)
OS type to report to gateway. Recognized values are: linux, linux-64, mac, win. Reporting a different OS type may affect the security policy applied to the VPN session.
Use PORT as the local port for DTLS datagrams
Note that although IPv6 has been tested on all platforms on which openconnect is known to run, it depends on a suitable vpnc−script to configure the network. The standard vpnc−script shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from git://git.infradead.org/users/dwmw2/vpnc−scripts.git will be required.
David Woodhouse <firstname.lastname@example.org>