openconnect with safenet token

David Woodhouse dwmw2 at
Wed Jul 9 09:46:47 PDT 2014

On Wed, 2014-07-09 at 11:22 -0400, DeadManMoving wrote:
> Hi list,
> Is it possible to use openconnect to connect to a cisco VPN which use
> safenet token for authentication?
> I am trying openconnect version v5.99-175-g7a2b2e8 (with oath version
> 2.4.1) with --token-mode=hotp option but, does'nt look like i have much
> success.
> I can successfuly connect to the VPN using cisco anyconnect client on
> windows, using the safenet token.
> I was unable to find some example over the internet on how to use
> openconnect with software token, beside RSA software token with stoken.

Let's start with TOTP, as it's easier.

We don't yet support file storage for [HT]OTP tokens — you have to
provide the required information on the OpenConnect command line.

If your token is stored in a standard PKSC file (as defined by RFC6030)
then it's fairly simple to find the information you need; just use
pkcstool. For the SafeNet token, you have to interpret their
non-standard file format but at least LinOTP is capable of that so it
shouldn't be impossible to work it out.

For testing it's best to start by generating the PINs manually with
oathtool, and entering them manually until you're sure you have the OTP
part working.

 oathtool --totp 5a5a5a5a5a5a5a5a5a5a5a5a

However, HOTP is more interesting because you have a *counter* rather
than just a timestamp. And that counter needs to be updated in the file.

So you can make openconnect work by passing 
 --token-mode HOTP --token-secret $SECRET,$COUNTER

But the question of how you remember that the counter should be
increased is not yet solved.

We really *do* want to have file storage support, but oath-toolkit
doesn't give us anything we can sanely use. We'd need to define locking
semantics for it too, and I *really* didn't want to do that in isolation
just for OpenConnect.

> Also, passing --token-mode option, without passing the --token-secret
> option makes openconnect segfault, which seem odd.

Oops. I've just fixed that in the git tree; thanks for pointing it out.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5745 bytes
Desc: not available
URL: <>

More information about the openconnect-devel mailing list