Child pages
  • Connecting To Cisco AnyConnect with Linux

Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


The great news is: you have quite a few options on Linux for usable VPN connectivity. The bad news is: you have to pick which one you want to use. They're listed below, in no particular order. This article describes an unsupported configuration, and is provided as a courtesy only.

Web-Browser based official AnyConnect Client

At this time, this method has not been successfully tested. Cisco only supports the client on a very select few platforms, with specific requirements. That environment has not been replicated and tested.

Cisco's official system requirements for Linux clients can be found here.

If you wish to try this method, and meet all of the requirements listed, visit in your web browser.

OpenConnect SSL Client

OpenConnect GUI

If you use a Linux variant that uses NetworkManager, or ConnMan, you may be able to take advantage of a GUI frontend to the OpenConnect client. On Debian/Ubuntu-based systems, you must install "network-manager-openconnect-gnome". Elsewhere, see


Once the GUI is installed, you can right click on your NM taskbar icon, and "Edit Connections":

Then head to the VPN tab, and Add a new connection: the type will be "Cisco AnyConnect Compatible VPN (openconnect)":

Supply the value for Gateway (, and give the connection a name at the top; leave the rest at defaults, and save:

After the connection is created, you should be able to left click on your NM taskbar icon, and under VPN Connections, your new VPN should be listed:

Click on your newly created VPN connection ("Clarkson VPN", above), and you should get a "Connect to VPN" dialog that looks like the following image. Make sure the correct host is selected (""), and click the connect button to the right, which looks like a cord plugged into a wall outlet.

If everything succeeds to this point, you should get a username/password challenge. Enter your username (without '') and password, and click Login:


At this point, hopefully everything went well, and you should see a popup notification like the following one, indicating that you're connected:

If you cannot get connected, you'll need to copy the contents of the "Log" box (accessible from username/password step noted above) and open a ticket with the Service Center (

OpenConnect CLI

Basic Instructions

On Debian/Ubuntu based systems: apt-get install openconnect vpnc

If your package manager of choice doesn't have it:

Install openconnect and vpnc, because openconnect seems to be a pretty clean drop-in fit if you use
the connect script supplied with vpnc

The basic instructions are the same once the client is installed.
You need to locate "vpnc-script", usually /etc/vpnc/vpnc-script, and then call the client like this:

$ sudo openconnect -u yourusername --authgroup=default --script=/etc/vpnc/vpnc-script

The group will be "default", and it uses your normal AD password. Once connected, the client doesn't go into the
background, so you'll have to open another terminal to work in, and any DTLS errors you get are harmless.
They can be avoided by passing the '--no-dtls' argument to openconnect. Once you believe you're connected,
you can confirm your connection by heading to the following URL in a browser:

You should also be able to observe a bunch of routes to the 128.153.x.x network in your routing table, via
"ip route ls", or "route".


It's probably easiest to create a shell or simple one-line script somewhere within your $PATH with the above command, so that you don't have to remember all of the arguments.

Advanced Usage

For those wishing to do things a bit differently, or are scripting their session, the following will start OpenConnect in the background (printing the PID to stdout, and to a file: /tmp/, and drop privileges to a local user named "mylocaluser":

$ sudo openconnect -u myclarksonuser -U mylocaluser -b --authgroup=default --no-dtls --script=/etc/vpnc/vpnc-script --pid-file=/tmp/

To stop the (backgrounded) openconnect client instance:

$ sudo kill -9 ´cat /tmp/´

There is also the ability to feed it your password: --passwd-on-stdin, however, the exact usage will be left as an exercise for the reader. If you do this: *heavily guard the mechanism you use to store the password*, using whatever means is most appropriate for you.