openconnect man page on Manjaro

OPENCONNECT(8)							OPENCONNECT(8)

NAME
       openconnect - Connect to Cisco AnyConnect VPN

SYNOPSIS
       openconnect [--config configfile] [-b,--background]
		   [--pid-file pidfile] [-c,--certificate cert]
		   [-e,--cert-expire-warning days] [-k,--sslkey key]
		   [-C,--cookie cookie] [--cookie-on-stdin] [-d,--deflate]
		   [-D,--no-deflate] [--force-dpd interval]
		   [-g,--usergroup group] [-h,--help] [-i,--interface ifname]
		   [-l,--syslog] [-U,--setuid user] [--csd-user user]
		   [-m,--mtu mtu] [--basemtu mtu] [-p,--key-password pass]
		   [-P,--proxy proxyurl] [--no-proxy] [--libproxy]
		   [--key-password-from-fsid] [-q,--quiet]
		   [-Q,--queue-len len] [-s,--script vpnc-script]
		   [-S,--script-tun] [-u,--user name] [-V,--version]
		   [-v,--verbose] [-x,--xmlconfig config] [--authgroup group]
		   [--authenticate] [--cookieonly] [--printcookie]
		   [--cafile file] [--disable-ipv6] [--dtls-ciphers list]
		   [--dtls-local-port port] [--dump-http-traffic]
		   [--no-cert-check] [--no-dtls] [--no-http-keepalive]
		   [--no-passwd] [--no-xmlpost] [--non-inter]
		   [--passwd-on-stdin] [--token-mode mode]
		   [--token-secret secret] [--reconnect-timeout seconds]
		   [--servercert sha1] [--useragent string] [--os string]
		   [https://]server[:port][/group]

DESCRIPTION
       The program openconnect connects to  Cisco  "AnyConnect"	 VPN  servers,
       which use standard TLS and DTLS protocols for data transport.

       The  connection	happens	 in  two phases. First there is a simple HTTPS
       connection over which the user authenticates somehow - by using a  cer‐
       tificate,  or password or SecurID, etc.	Having authenticated, the user
       is rewarded with an HTTP cookie which can be used to make the real  VPN
       connection.

       The second phase uses that cookie in an HTTPS CONNECT request, and data
       packets can be passed over the resulting connection. In auxiliary head‐
       ers  exchanged with the CONNECT request, a Session-ID and Master Secret
       for a DTLS connection are also exchanged, which allows  data  transport
       over UDP to occur.

OPTIONS
       --config=CONFIGFILE
	      Read  further  options  from  CONFIGFILE	before	continuing  to
	      process options from the command line. The file  should  contain
	      long-format  options  as	would be accepted on the command line,
	      but without the two leading -- dashes.  Empty  lines,  or	 lines
	      where  the  first	 non-space  character  is  a  # character, are
	      ignored.

	      Any option except the config option  may	be  specified  in  the
	      file.

       -b,--background
	      Continue in background after startup

       --pid-file=PIDFILE
	      Save the pid to PIDFILE when backgrounding

       -c,--certificate=CERT
	      Use  SSL client certificate CERT which may be either a file name
	      or, if OpenConnect has been built with an appropriate version of
	      GnuTLS, a PKCS#11 URL.

       -e,--cert-expire-warning=DAYS
	      Give  a warning when SSL client certificate has DAYS left before
	      expiry

       -k,--sslkey=KEY
	      Use SSL private key KEY which may be either a file name  or,  if
	      OpenConnect  has	been  built  with  an  appropriate  version of
	      GnuTLS, a PKCS#11 URL.

       -C,--cookie=COOKIE
	      Use WebVPN cookie COOKIE

       --cookie-on-stdin
	      Read cookie from standard input

       -d,--deflate
	      Enable compression (default)

       -D,--no-deflate
	      Disable compression

       --force-dpd=INTERVAL
	      Use INTERVAL as minimum Dead Peer Detection  interval  for  CSTP
	      and  DTLS,  forcing  use	of  DPD	 even  when the server doesn't
	      request it.

       -g,--usergroup=GROUP
	      Use GROUP as login UserGroup

       -h,--help
	      Display help text

       -i,--interface=IFNAME
	      Use IFNAME for tunnel interface

       -l,--syslog
	      Use syslog for progress messages

       -U,--setuid=USER
	      Drop privileges after connecting, to become user USER

       --csd-user=USER
	      Drop privileges during CSD (Cisco Secure Desktop) script	execu‐
	      tion.

       --csd-wrapper=SCRIPT
	      Run SCRIPT instead of the CSD (Cisco Secure Desktop) script.

       -m,--mtu=MTU
	      Request MTU from server as the MTU of the tunnel.

       --basemtu=MTU
	      Indicate	MTU  as	 the path MTU between client and server on the
	      unencrypted network. Newer servers will automatically  calculate
	      the MTU to be used on the tunnel from this value.

       -p,--key-password=PASS
	      Provide  passphrase  for	certificate  file, or SRK (System Root
	      Key) PIN for TPM

       -P,--proxy=PROXYURL
	      Use HTTP or SOCKS proxy for connection

       --no-proxy
	      Disable use of proxy

       --libproxy
	      Use libproxy to configure proxy automatically (when  built  with
	      libproxy support)

       --key-password-from-fsid
	      Passphrase for certificate file is automatically generated from
	      the fsid of the file system on which it is stored. The fsid is
	      obtained from the statvfs(2) or statfs(2) system call, depending
	      on the operating system. On a Linux or similar system with GNU
	      coreutils, the fsid used by this option should be equal to the
	      output of the command:
	      stat --file-system --printf='%i\n' "$CERTIFICATE"
	      It is not the same as the 128-bit UUID of the file system. Note
	      that the fsid is not a secret: every file on the same file system
	      shares it and any local process can obtain it, so this option only
	      ties the key to the file system it lives on (a copy of the key
	      file made elsewhere is unusable); it does not protect the key from
	      a local attacker who can read the file.

       -q,--quiet
	      Less output

       -Q,--queue-len=LEN
	      Set packet queue limit to LEN pkts

       -s,--script=SCRIPT
	      Invoke SCRIPT to configure the network after connection. Without
	      this,  routing  and name service are unlikely to work correctly.
	      The script is expected to be  compatible	with  the  vpnc-script
	      which   is   shipped   with   the	  "vpnc"   VPN	 client.   See
	      http://www.infradead.org/openconnect/vpnc-script.html  for  more
	      information.  This  version  of OpenConnect is configured to use
	      /etc/vpnc/vpnc-script by default.

       -S,--script-tun
	      Pass traffic to 'script' program over a UNIX socket, instead  of
	      to a kernel tun/tap device. This allows the VPN IP traffic to be
	      handled entirely in userspace, for example by  a	program	 which
	      uses lwIP to provide SOCKS access into the VPN.

       -u,--user=NAME
	      Set login username to NAME

       -V,--version
	      Report version number

       -v,--verbose
	      More output

       -x,--xmlconfig=CONFIG
	      XML config file

       --authgroup=GROUP
	      Choose authentication login selection

       --authenticate
	      Authenticate only, and output the information needed to make the
	      connection a form which can be used  to  set  shell  environment
	      variables.  When	invoked with this option, openconnect will not
	      make the connection, but if  successful  will  output  something
	      like the following to stdout:
	      COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE...
	      HOST=10.0.0.1
	      FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42
	      Thus,  you can invoke openconnect as a non-privileged user (with
	      access to the user's PKCS#11 tokens, etc.)  for  authentication,
	      and  then	 invoke openconnect separately to make the actual con‐
	      nection as root:
	      eval `openconnect --authenticate https://vpnserver.example.com`;
	      [ -n "$COOKIE" ] && echo "$COOKIE" |
		sudo openconnect --cookie-on-stdin "$HOST" --servercert "$FINGERPRINT"
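       The following script is an added example and is not part of the
       openconnect man page or project. It carries out the two-phase
       connection described under DESCRIPTION and above without handing the
       output of --authenticate to eval: the KEY=VALUE lines are parsed as
       data, all three values are checked for presence and shape, and only
       then is the privileged second-phase command built, pinned to the
       fingerprint reported by the first phase, with the cookie passed on
       stdin so it never appears in ps. SAMPLE_AUTH_OUTPUT is constructed to
       match the shape of the example above; the host, cookie and
       fingerprint in it are not real.

```shell
#!/bin/sh
# Added example (not from the openconnect man page or project): run the
# two-phase login without eval. Phase one is unprivileged and prints
# KEY=VALUE lines; we parse them as data and build phase two from them.

# Constructed sample of `openconnect --authenticate` output; not real values.
SAMPLE_AUTH_OUTPUT='COOKIE=3311180634@13561856@1339425499@B315A0E29D16C6FD92EE
HOST=10.0.0.1
FINGERPRINT=469bb424ec8835944d30bc77c77e8fc1d8e23a42'

# parse_auth_output: read `openconnect --authenticate` output on stdin and set
# COOKIE, HOST and FINGERPRINT. Unknown keys are ignored; nothing is eval'd.
# Returns 1 unless all three are present and FINGERPRINT is 40 hex digits (SHA-1).
parse_auth_output() {
    COOKIE= HOST= FINGERPRINT=
    while IFS= read -r line || [ -n "$line" ]; do
        key=${line%%=*}
        value=${line#*=}
        case $key in
            COOKIE)      COOKIE=$value ;;
            HOST)        HOST=$value ;;
            FINGERPRINT) FINGERPRINT=$value ;;
        esac
    done
    [ -n "$COOKIE" ] && [ -n "$HOST" ] || return 1
    case $FINGERPRINT in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#FINGERPRINT}" -eq 40 ] || return 1
}

# build_connect_cmd: the phase-two command line. The cookie is deliberately
# absent from it (it goes on stdin). Returned as a string so this runs offline.
build_connect_cmd() {
    printf 'sudo openconnect --cookie-on-stdin --servercert %s %s' "$FINGERPRINT" "$HOST"
}

# Offline demo. For a real login replace the here-document with
#   openconnect --authenticate https://vpnserver.example.com > auth.out
#   parse_auth_output < auth.out
# and then actually connect with
#   printf '%s\n' "$COOKIE" | sudo openconnect --cookie-on-stdin --servercert "$FINGERPRINT" "$HOST"
if parse_auth_output <<EOF
$SAMPLE_AUTH_OUTPUT
EOF
then
    printf 'phase two would run: %s\n' "$(build_connect_cmd)"
else
    echo 'incomplete or malformed --authenticate output; not connecting' >&2
fi
```

       The check on FINGERPRINT matters because the second phase trusts
       whatever --servercert value it is given; an empty or garbled value
       would otherwise be passed through to the privileged openconnect.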

       --cookieonly
	      Fetch webvpn cookie only; don't connect

       --printcookie
	      Print webvpn cookie before connecting

       --cafile=FILE
	      Cert file for server verification

       --disable-ipv6
	      Do not advertise IPv6 capability to server

       --dtls-ciphers=LIST
	      Set OpenSSL ciphers to support for DTLS

       --dtls-local-port=PORT
	      Use PORT as the local port for DTLS datagrams

       --dump-http-traffic
	      Enable verbose output of all HTTP requests and the bodies of all
	      responses received from the server.

       --no-cert-check
	      Do  not  require server SSL certificate to be valid. Checks will
	      still happen and failures will cause a warning message, but  the
	      connection will continue anyway. You should not need to use this
	      option - if your servers have SSL	 certificates  which  are  not
	      signed  by  a  trusted  Certificate Authority, you can still add
	      them (or your private CA) to a local file and use that file with
	      the --cafile option.
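       The following script is an added example and is not part of the
       openconnect man page or project. It serves two entries on this page:
       the --config entry (one long option per line without the leading --,
       blank lines and lines starting with # ignored) and the --no-cert-check
       entry above, which recommends --cafile or --servercert instead. It
       reads a config file by those rules and reports settings that disable
       server verification or put a secret in the file. Both config files
       below are constructed for this example; the fingerprint, CA path and
       user are not real.

```shell
#!/bin/sh
# Added example (not from the openconnect man page or project): lint an
# openconnect --config file. Parsing follows the man page's stated rules:
# one long option per line without "--"; blank lines and lines whose first
# non-blank character is "#" are ignored.

# Constructed configs for the demo; values are not real.
WEAK_CONFIG='# constructed weak config
user=alice
--no-dtls
  no-cert-check
key-password=hunter2
'

HARDENED_CONFIG='# constructed pinned config
user=alice
servercert=469bb424ec8835944d30bc77c77e8fc1d8e23a42
cafile=/etc/openconnect/corp-ca.pem
setuid=nobody
script=/etc/vpnc/vpnc-script
'

# lint_config FILE: print one finding per line; return 1 if any finding is fatal.
lint_config() {
    fatal=0
    pinned=0
    while IFS= read -r line || [ -n "$line" ]; do
        # Drop leading blanks, then skip exactly what openconnect skips.
        stripped=${line#"${line%%[![:space:]]*}"}
        case $stripped in
            ''|'#'*) continue ;;
        esac
        opt=${stripped%%=*}
        case $opt in
            --*)
                printf 'error: "%s": config lines take the option name without "--"\n' "$opt"
                fatal=1 ;;
            no-cert-check)
                printf 'error: no-cert-check accepts any server certificate; use servercert or cafile instead\n'
                fatal=1 ;;
            servercert|cafile)
                pinned=1 ;;
            key-password|token-secret)
                printf 'warning: %s puts a secret in the config file; keep it mode 0600\n' "$opt" ;;
        esac
    done < "$1"
    [ "$pinned" -eq 1 ] ||
        printf 'warning: neither servercert nor cafile set; the server is checked only against the system CA store\n'
    return "$fatal"
}

# write_config CONTENT FILE: helper so the constructed configs can be linted.
write_config() {
    printf '%s' "$1" > "$2"
}

# Demo: lint both constructed files and show the verdicts.
demo() {
    w=$(mktemp) && h=$(mktemp) || return 1
    write_config "$WEAK_CONFIG" "$w"
    write_config "$HARDENED_CONFIG" "$h"
    printf '== weak ==\n';     lint_config "$w" && echo ok || echo REJECTED
    printf '== hardened ==\n'; lint_config "$h" && echo ok || echo REJECTED
    rm -f "$w" "$h"
}
demo
```

       The "--" check catches the most common mistake with --config files,
       since a line copied verbatim from the command line is not a valid
       option name in the file.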

       --no-dtls
	      Disable DTLS

       --no-http-keepalive
	      Version  8.2.2.5	of  the	 Cisco ASA software has a bug where it
	      will forget the client's SSL certificate when  HTTP  connections
	      are  being  re-used for multiple requests. So far, this has only
	      been seen on the initial connection, where the server  gives  an
	      HTTP/1.0	 redirect   response   with  an	 explicit  Connection:
	      Keep-Alive directive. OpenConnect as of v2.22  has  an  uncondi‐
	      tional  workaround  for this, which is never to obey that direc‐
	      tive after an HTTP/1.0 response.

	      However, Cisco's support team has failed to give	any  competent
	      response	to  the	 bug report and we don't know under what other
	      circumstances their bug might manifest itself.  So  this	option
	      exists  to  disable  ALL re-use of HTTP sessions and cause a new
	      connection to be made for each request. If your server seems not
	      to be recognising your certificate, try this option. If it makes
	      a difference, please report this	information  to	 the  opencon‐
	      nect-devel@lists.infradead.org mailing list.

       --no-passwd
	      Never attempt password (or SecurID) authentication.

       --no-xmlpost
	      Do  not  attempt	to  post  an  XML authentication/configuration
	      request to the server; use the old style GET  method  which  was
	      used by older clients and servers instead.

	      This  option is a temporary safety net, to work around potential
	      compatibility issues with the code which falls back to  the  old
	      method  automatically. It causes OpenConnect to behave more like
	      older versions (4.08 and below) did. If you find that  you  need
	      to  use  this  option, then you have found a bug in OpenConnect.
	      Please  see  http://www.infradead.org/openconnect/mail.html  and
	      report this to the developers.

       --non-inter
	      Do not expect user input; exit if it is required.

       --passwd-on-stdin
	      Read password from standard input

       --token-mode=MODE
	      Enable  one-time	password  generation using the MODE algorithm.
	      --token-mode=rsa will call libstoken to generate an RSA  SecurID
	      tokencode,  and  --token-mode=totp will call liboath to generate
	      an RFC 6238 password.

       --token-secret=SECRET
	      The secret to use when generating	 one-time  passwords/verifica‐
	      tion  codes.  Base 32-encoded TOTP secrets can be used by speci‐
	      fying "base32:" at the beginning of the secret.  If this	option
	      is omitted, and --token-mode is "rsa", libstoken will try to use
	      the software token seed saved  in	 ~/.stokenrc  by  the  "stoken
	      import" command.
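       The following script is an added example and is not part of the
       openconnect man page or project. It shows what --token-mode=totp with
       a --token-secret=base32:... seed computes, written out as RFC 4226
       HOTP and RFC 6238 TOTP in POSIX sh: the base32 decoder is pure shell
       and HMAC-SHA1 is delegated to openssl dgst. The seed used is the RFC
       6238 reference test secret ("12345678901234567890"), chosen only so
       the output can be checked against the RFC's published vectors; a real
       seed must be kept secret.

```shell
#!/bin/sh
# Added example (not from the openconnect man page or project): RFC 4226
# HOTP and RFC 6238 TOTP in POSIX sh, to show what a TOTP token mode submits.
# Requires `openssl` for HMAC-SHA1; everything else is shell builtins + cut/tr.

# RFC 6238 reference secret "12345678901234567890", base32-encoded as
# --token-secret=base32:... expects. Demo value only.
RFC_SECRET_B32=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ

# b32_to_hex B32: decode RFC 4648 base32 (case-insensitive, padding optional)
# to a lowercase hex string. Returns 1 on an invalid character.
b32_to_hex() {
    s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d '=')
    bits=0 buf=0 hex=
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}; s=${s#?}
        case $c in
            [A-Z]) v=$(( $(printf '%d' "'$c") - 65 )) ;;   # A..Z -> 0..25
            [2-7]) v=$(( c + 24 )) ;;                       # 2..7 -> 26..31
            *)     return 1 ;;
        esac
        buf=$(( (buf << 5) | v )); bits=$(( bits + 5 ))
        if [ "$bits" -ge 8 ]; then
            bits=$(( bits - 8 ))
            hex=$hex$(printf '%02x' $(( (buf >> bits) & 255 )))
            buf=$(( buf & ((1 << bits) - 1) ))
        fi
    done
    printf '%s' "$hex"
}

# hotp HEXKEY COUNTER DIGITS: RFC 4226. The message is the 8-byte big-endian
# counter; the code is the dynamically truncated HMAC-SHA1 modulo 10^DIGITS.
hotp() {
    hexkey=$1 counter=$2 digits=$3
    mac=$(
        i=7
        while [ "$i" -ge 0 ]; do
            printf "$(printf '\\%03o' $(( (counter >> (8 * i)) & 255 )))"
            i=$(( i - 1 ))
        done | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey"
    )
    mac=${mac##* }                          # keep only the hex digest
    off=$(( 0x${mac#"${mac%?}"} ))          # low nibble of the last byte
    word=$(printf '%s' "$mac" | cut -c "$(( off * 2 + 1 ))-$(( off * 2 + 8 ))")
    mod=1; n=0
    while [ "$n" -lt "$digits" ]; do mod=$(( mod * 10 )); n=$(( n + 1 )); done
    printf "%0${digits}d" $(( (0x$word & 0x7fffffff) % mod ))
}

# totp B32SECRET UNIXTIME [STEP=30] [DIGITS=6]: RFC 6238, counter = floor(time / step).
totp() {
    key=$(b32_to_hex "$1") || return 1
    hotp "$key" $(( $2 / ${3:-30} )) "${4:-6}"
}

# Demo: the RFC 6238 SHA-1 vector at T=59 (8 digits), then a live code.
printf 'TOTP at T=59: %s\n' "$(totp "$RFC_SECRET_B32" 59 30 8)"
printf 'TOTP now:     %s\n' "$(totp "$RFC_SECRET_B32" "$(date +%s)")"
```

       The six-digit code for the current time is what the client submits
       in place of a one-time password; the server accepts it only within
       its clock-skew window, so a host with a drifting clock fails to log
       in even with the correct seed.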

       --reconnect-timeout=SECONDS
	      Keep trying to reconnect until SECONDS have elapsed. The default
	      timeout is 300 seconds, which means that openconnect can recover
	      the VPN connection after a temporary network outage of up to 300
	      seconds.

       --servercert=SHA1
	      Accept server's SSL certificate only if its fingerprint  matches
	      SHA1.

       --useragent=STRING
	      Use  STRING  as 'User-Agent:' field value in HTTP header.	 (e.g.
	      --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')

       --os=STRING
	      OS type to report to gateway.   Recognized  values  are:	linux,
	      linux-64,	 mac,  win.   Reporting a different OS type may affect
	      the security policy applied to the VPN session.

LIMITATIONS
       Note that although IPv6 has been tested on all platforms on which open‐
       connect	is  known to run, it depends on a suitable vpnc-script to con‐
       figure the network. The standard vpnc-script shipped with vpnc 0.5.3 is
       not    capable	 of   setting	up   IPv6   routes;   the   one	  from
       git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.

AUTHORS
       David Woodhouse <dwmw2@infradead.org>

								OPENCONNECT(8)