Build of OpenConnect 7.05+ for EL6?

David Woodhouse dwmw2 at
Wed Jul 13 08:15:44 PDT 2016

On Wed, 2016-07-13 at 07:58 -0400, Oliver Hernandez wrote:
> With some one-on-one help from David (thank you!), I finally got
> OpenConnect working to connect to my corporate Cisco VPN.  The
> solution consists of a workaround, similar to one I have to do to
> connect to another VPN with OpenConnect's Juniper support.
> Not having success connecting to the Cisco VPN, trying all kinds of
> options and suggestions from David, I looked into maybe using the
> workaround where I obtain a valid webvpn cookie and pass it to
> OpenConnect.  The VPN has a website for initially connecting to the
> VPN over the web and downloading the Cisco AnyConnect client, which of
> course is Windows only.  Using a Windows VM, I connect to the VPN with
> the IE browser, and obtain the webvpn cookie value.  At first, that
> didn't work either.  But then I noticed the URL to the VPN in the
> browser had a path appended to the FQDN after authenticating.  So I
> ran OpenConnect with this extended URL, and voila, it connected!
> Granted, not ideal, and David wanted to help me figure out how to get
> OpenConnect to mimic what the Cisco client does on the wire, but I can
> live with this workaround.

If you mean you start with a URL like
then that's probably the '--usergroup' option.

If the Cisco client *infers* that somehow when it's only given a
hostname, that would be interesting to know. But if the Cisco client
was provisioned with an XML file which specifies it, then they're no
better off than we are...

I suppose we *should* make the NM tool capable of eating the
'OrionAnyConnect.xml' file (or whatever it's called) from the Cisco
client. In fact, openconnect itself *can* do that, I think — use the
'-x foo.xml' option and it'll use hosts defined therein, *and* update
the profile file with the latest from the server when it needs to.

I'm glad you have it working though. Please could you also test (and
leave karma for) the "official" build of OpenConnect for EL6 with
PKCS#11 support:

We should probably update EL7 too...

David Woodhouse                            Open Source Technology Centre
David.Woodhouse at                              Intel Corporation

More information about the openconnect-devel mailing list