Rechercher une page de manuel
openconnect
Langue: en
Version: 386140 (fedora - 01/12/10)
Section: 8 (Commandes administrateur)
NAME
openconnect - Connect to Cisco AnyConnect VPNSYNOPSIS
openconnect [ -b,--background ] [ -c,--certificate CERT ] [ -k,--sslkey KEY ] [ -K,--key-type TYPE ] [ -C,--cookie COOKIE ] [ --cookie-on-stdin ] [ -d,--deflate ] [ -D,--no-deflate ] [ -g,--usergroup GROUP ] [ -h,--help ] [ -i,--interface IFNAME ] [ -l,--syslog ] [ -U,--setuid USER ] [ --csd-user USER ] [ -m,--mtu MTU ] [ -p,--key-password PASS ] [ -P,--proxy PROXYURL ] [ --no-proxy ] [ --libproxy ] [ --key-password-from-fsid ] [ --key-type TYPE ] [ -q,--quiet ] [ -Q,--queue-len LEN ] [ -s,--script SCRIPT ] [ -S,--script-tun ] [ -T,--tun-fd ] [ -u,--user NAME ] [ -V,--version ] [ -v,--verbose ] [ -x,--xmlconfig CONFIG ] [ --authgroup GROUP ] [ --cookieonly ] [ --printcookie ] [ --cafile FILE ] [ --disable-ipv6 ] [ --dtls-ciphers LIST ] [ --no-cert-check ] [ --no-dtls ] [ --no-http-keepalive ] [ --no-passwd ] [ --passwd-on-stdin ] [ --reconnect-timeout ] [ --servercert FINGERPRINT ] [ --useragent STRING ] [https://]server[:port][/group]DESCRIPTION
The program openconnect connects to Cisco "AnyConnect" VPN servers, which use standard TLS and DTLS protocols for data transport.The connection happens in two phases. First there is a simple HTTPS connection over which the user authenticates somehow - by using a certificate, or password or SecurID, etc. Having authenticated, the user is rewarded with an HTTP cookie which can be used to make the real VPN connection.
The second phase uses that cookie in an HTTPS CONNECT request, and data packets can be passed over the resulting connection. In auxiliary headers exchanged with the CONNECT request, a Session-ID and Master Secret for a DTLS connection are also exchanged, which allows data transport over UDP to occur.
OPTIONS
- -b,--background
- Continue in background after startup
- -c,--certificate=CERT
- Use SSL client certificate CERT
- -k,--sslkey=KEY
- Use SSL private key file KEY
- -C,--cookie=COOKIE
- Use WebVPN cookie COOKIE
- --cookie-on-stdin
- Read cookie from standard input
- -d,--deflate
- Enable compression (default)
- -D,--no-deflate
- Disable compression
- -g,--usergroup=GROUP
- Use GROUP as login UserGroup
- -h,--help
- Display help text
- -i,--interface=IFNAME
- Use IFNAME for tunnel interface
- -l,--syslog
- Use syslog for progress messages
- -U,--setuid=USER
- Drop privileges after connecting, to become user USER
- --csd-user=USER
- Drop privileges during CSD (Cisco Secure Desktop) script execution. This option is required when connecting to a server with CSD.
- -m,--mtu=MTU
- Request MTU from server
- -p,--key-password=PASS
- Provide passphrase for certificate file, or SRK (System Root Key) PIN for TPM
- -P,--proxy=PROXYURL
- Use HTTP or SOCKS proxy for connection
- --no-proxy
- Disable use of proxy
- --libproxy
- Use libproxy to configure proxy automatically (when built with libproxy support)
- --key-password-from-fsid
- Passphrase for certificate file is automatically generated from the fsid of the file system on which it is stored
- --key-type=TYPE
- Type of private key file (PKCS#12, TPM or PEM)
- -q,--quiet
- Less output
- -Q,--queue-len=LEN
- Set packet queue limit to LEN pkts
- -s,--script=SCRIPT
- Use vpnc-compatible config script
- -S,--script-tun
- Pass traffic to 'script' program, not tun
- -T,--tun-fd
- File descriptor to use for passing traffic
- -u,--user=NAME
- Set login username to NAME
- -V,--version
- Report version number
- -v,--verbose
- More output
- -x,--xmlconfig=CONFIG
- XML config file
- --authgroup=GROUP
- Choose authentication login selection
- --cookieonly
- Fetch webvpn cookie only; don't connect
- --printcookie
- Print webvpn cookie before connecting
- --cafile=FILE
- Cert file for server verification
- --disable-ipv6
- Do not advertise IPv6 capability to server
- --dtls-ciphers=LIST
- Set OpenSSL ciphers to support for DTLS
- --no-cert-check
- Do not require server SSL certificate to be valid. Checks will still happen and failures will cause a warning message, but the connection will continue anyway. You should not need to use this option -- if your servers have SSL certificates which are not signed by a trusted Certificate Authority, you can still add them (or your private CA) to a local file and use that file with the --cafile option.
- --no-dtls
- Disable DTLS
- --no-http-keepalive
- Version 8.2.2.5 of the Cisco ASA software has a bug where it will forget the client's SSL certificate when HTTP connections are being re-used for multiple requests. So far, this has only been seen on the initial connection, where the server gives an HTTP/1.0 redirect response with an explicit Connection: Keep-Alive directive. OpenConnect as of v2.22 has an unconditional workaround for this, which is never to obey that directive after an HTTP/1.0 response.
However, Cisco's support team has failed to give any competent response to the bug report and we don't know under what other circumstances their bug might manifest itself. So this option exists to disable ALL re-use of HTTP sessions and cause a new connection to be made for each request. If your server seems not to be recognising your certificate, try this option. If it makes a difference, please report this information to the openconnect-devel@lists.infradead.org mailing list.
- --no-passwd
- Never attempt password (or SecurID) authentication
- --passwd-on-stdin
- Read password from standard input
- --reconnect-timeout
- Keep reconnect attempts until so much seconds are elapsed. The default timeout is 300 seconds, which means that openconnect can recover VPN connection after a temporary network down time of 300 seconds.
- --servercert
- Accept server's SSL certificate only if its SHA1 fingerprint matches.
- --useragent=STRING
- Use STRING as 'User-Agent:' field value in HTTP header. (e.g. --useragent 'Cisco AnyConnect VPN Agent for Windows 2.2.0133')
LIMITATIONS
The openconnect client is not tested with IPv6 connectivity on OpenBSD or Mac OS X. A patch to the tun/tap driver is required on Solaris to make IPv6 work.Note also that the standard vpnc-script shipped with vpnc 0.5.3 is not capable of setting up IPv6 routes; the one from git://git.infradead.org/users/dwmw2/vpnc-scripts.git will be required.
AUTHORS
David Woodhouse <dwmw2@infradead.org>Contenus ©2006-2024 Benjamin Poulain
Design ©2006-2024 Maxime Vantorre