openconnect with safenet token
DeadManMoving
sequel at neofreak.org
Wed Jul 9 11:38:37 PDT 2014
Hi David,
Thank you so much for your reply, greatly appreciated.
I am not using some sort of USB device as a token, I am using a software
based token (http://www2.safenet-inc.com/sas/software-tokens.html).
Under Windows, when using Cisco AnyConnect and the above software from
SafeNet, when I connect to the VPN, AnyConnect is prompting me for my
username and the passcode (PIN+token) so, I generate a token with the
SafeNet software then I enter my PIN+token given to me by the software.
Is something like that possible with openconnect?
Thanks again,
Tony
On Wed, 2014-07-09 at 17:46 +0100, David Woodhouse wrote:
> On Wed, 2014-07-09 at 11:22 -0400, DeadManMoving wrote:
> > Hi list,
> >
> > Is it possible to use openconnect to connect to a cisco VPN which use
> > safenet token for authentication?
> >
> > I am trying openconnect version v5.99-175-g7a2b2e8 (with oath version
> > 2.4.1) with --token-mode=hotp option but, doesn't look like I have much
> > success.
> >
> > I can successfully connect to the VPN using Cisco AnyConnect client on
> > Windows, using the SafeNet token.
> >
> > I was unable to find some example over the internet on how to use
> > openconnect with software token, beside RSA software token with stoken.
>
> Let's start with TOTP, as it's easier.
>
> We don't yet support file storage for [HT]OTP tokens — you have to
> provide the required information on the OpenConnect command line.
>
> If your token is stored in a standard PSKC file (as defined by RFC6030)
> then it's fairly simple to find the information you need; just use
> pskctool. For the SafeNet token, you have to interpret their
> non-standard file format but at least LinOTP is capable of that so it
> shouldn't be impossible to work it out.
>
> For testing it's best to start by generating the PINs manually with
> oathtool, and entering them manually until you're sure you have the OTP
> part working.
>
> oathtool --totp 5a5a5a5a5a5a5a5a5a5a5a5a
>
>
> However, HOTP is more interesting because you have a *counter* rather
> than just a timestamp. And that counter needs to be updated in the file.
>
> So you can make openconnect work by passing
> --token-mode HOTP --token-secret $SECRET,$COUNTER
>
> But the question of how you remember that the counter should be
> increased is not yet solved.
>
> We really *do* want to have file storage support, but oath-toolkit
> doesn't give us anything we can sanely use. We'd need to define locking
> semantics for it too, and I *really* didn't want to do that in isolation
> just for OpenConnect.
>
> > Also, passing --token-mode option, without passing the --token-secret
> > option makes openconnect segfault, which seem odd.
>
> Oops. I've just fixed that in the git tree; thanks for pointing it out.
>
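The reply above describes the two halves of the problem: generating the OTP (TOTP from a timestamp, HOTP from a counter) and, for HOTP, persisting the incremented counter with sensible locking so a counter value is never reused. The following is an added example, not code from the thread or from OpenConnect or oath-toolkit: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and keeps the HOTP counter in a file guarded by an exclusive `flock`. The file path, the 6-digit length and the `next_hotp` helper name are assumptions chosen for the example; the secret used in `main()` is the RFC 4226 test secret, not a real token.

```python
"""Added example (not part of the original thread): HOTP/TOTP per RFC 4226/6238
and an HOTP counter file advanced under an exclusive lock."""
import fcntl
import hashlib
import hmac
import os
import struct
import tempfile
import time
from typing import Optional, Tuple


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the epoch."""
    if now is None:
        now = int(time.time())
    return hotp(secret, now // step, digits)


def next_hotp(counter_path: str, secret: bytes, digits: int = 6) -> Tuple[str, int]:
    """Read the current counter from `counter_path` (assumed path, created if missing),
    compute the OTP for it, and persist counter+1 before returning.

    The exclusive flock is what makes this safe against two VPN sessions started
    at once: the second caller blocks until the first has written the new counter,
    so the same counter value is never handed out twice.  The returned counter is
    the value that belongs in the SECRET,COUNTER pair for --token-secret."""
    fd = os.open(counter_path, os.O_RDWR | os.O_CREAT, 0o600)  # owner-only permissions
    with os.fdopen(fd, "r+") as fh:
        fcntl.flock(fh.fileno(), fcntl.LOCK_EX)   # released when the file is closed
        raw = fh.read().strip()
        counter = int(raw) if raw else 0
        code = hotp(secret, counter, digits)
        fh.seek(0)
        fh.truncate()
        fh.write(str(counter + 1))
        fh.flush()
        os.fsync(fh.fileno())                     # make the increment durable before use
    return code, counter


def main() -> None:
    # RFC 4226 test secret (ASCII "12345678901234567890"); a real token would come
    # from the PSKC/vendor file, never from source code.
    secret = b"12345678901234567890"
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "hotp.counter")
        for _ in range(3):
            code, used = next_hotp(path, secret)
            print(f"counter {used}: HOTP {code}")
    print("TOTP now:", totp(secret))


if __name__ == "__main__":
    main()
```

With the RFC 4226 test secret the first three calls yield 755224, 287082 and 359152, which are the published test vectors, so the implementation can be checked before any live VPN attempt. A wrapper that calls `next_hotp` and then launches openconnect with the returned counter would address the "how do you remember the counter should be increased" gap the reply raises, at the cost of the wrapper owning the counter file rather than openconnect.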