-
name—Unique name for the connection entry to
appear in the connection list of the AnyConnect home screen and the Description
field of the AnyConnect connection entry. AnyConnect responds only if the name
is unique. We recommend using a maximum of 24 characters to ensure that they
fit in the connection list. Use letters, numbers, or symbols on the keyboard
displayed on the device when you enter text into a field. The letters are
case-sensitive.
-
host—Enter the domain name, IP address, or Group
URL of the ASA with which to connect. AnyConnect inserts the value of this
parameter into the Server Address field of the AnyConnect connection entry.
anyconnect://create/?name=SimpleExample&host=vpn.example.com
anyconnect:create?name=SimpleExample&host=vpn.example.com
-
protocol (optional, defaults to SSL if
unspecified)—The VPN protocol used for this connection. The valid values are:
anyconnect:create?name=ExampleIPsec&host=vpn.company.com&protocol=IPsec
-
authentication (optional, applies when protocol
specifies IPsec only, defaults to EAP-AnyConnect)—The authentication method
used for an IPsec VPN connection. The valid values are:
-
EAP-AnyConnect
-
EAP-GTC
-
EAP-MD5
-
EAP-MSCHAPv2
-
IKE-RSA
-
ike-identity (required if authentication is set to
EAP-GTC, EAP-MD5, or EAP-MSCHAPv2)—The IKE identity when authentication is set
to EAP-GTC, EAP-MD5, or EAP-MSCHAPv2. This parameter is invalid when used for
other authentication settings.
anyconnect:create?name=Description&host=vpn.company.com&protocol=IPsec
&authentication=eap-md5&ike-identity=012A4F8B29A9BCD
-
netroam (optional, applies to Apple iOS
only)—Determines whether to limit the time that it takes to reconnect after the
device wakes up or after a change to the connection type (such as EDGE, 3G, or
Wi-Fi). This parameter does not affect data roaming or the use of multiple
mobile service providers. The valid values are:
-
true—(Default) This option optimizes VPN access. AnyConnect
inserts the value ON into the Network Roaming field of the AnyConnect
connection entry. If AnyConnect loses a connection, it tries to establish a new
one until it succeeds. This setting lets applications rely on a sustained
connection to the VPN. AnyConnect does not impose a limit on the time that it
takes to reconnect.
-
false—This
option optimizes battery life. AnyConnect associates this value with the OFF
value in the Network Roaming field of the AnyConnect connection entry. If
AnyConnect loses a connection, it tries to establish a new one for 20 seconds
and then stops trying. The user or application must start a new VPN connection
if one is necessary.
anyconnect:create?name=Example%201&host=vpn.example.com&netroam=true
-
keychainalias (optional)—Imports a certificate from
the System Certificate Store to the AnyConnect Certificate Store. This
option is for the Android mobile platform only.
If the named certificate is not already in the system store, the user will be
prompted to choose and install it before being prompted to allow or deny it
being copied into the AnyConnect store. External Control must be enabled on
the mobile device.
The following example
creates a new connection entry named SimpleExample whose IP address is set to vpn.example.com with the certificate named client assigned to it for authentication.
anyconnect://create/?name=SimpleExample&host=vpn.example.com&keychainalias=client
-
usecert (optional)—Determines whether to use a
digital certificate installed on the device when establishing a VPN connection
to the host. The valid values are:
-
true
(default setting)—Enables automatic certificate selection when establishing a
VPN connection with the host. Setting usecert to true without specifying a
certcommonname value sets the Certificates field to Automatic, selecting a
certificate from the AnyConnect certificate store at connection time.
-
false—Disables automatic certificate selection.
anyconnect:create?name=Example%201&host=vpn.example.com&usecert=true
-
certcommonname (optional, but requires the usecert
parameter)—Matches the Common Name of a valid certificate pre-installed on the
device. AnyConnect inserts the value into the Certificate field of the
AnyConnect connection entry.
To view this
certificate installed on the device, tap
. You might need to scroll
to view the certificate required by the host. Tap the detail disclosure button
to view the Common Name parameter read from the certificate, as well as the
other values.
-
useondemand
(optional, applies to Apple iOS only and requires the usecert, certcommonname
parameters, and domain specifications below)—Determines whether applications,
such as Safari, can start VPN connections. Valid values are:
-
false
(Default)—Prevents applications from starting a VPN connection. Using this
option is the only way to prevent an application that makes a DNS request from
potentially triggering a VPN connection. AnyConnect associates this option with
the OFF value in the Connect on Demand field of the AnyConnect connection
entry.
-
true—Lets
an application use Apple iOS to start a VPN connection. If you set the
useondemand parameter to true, AnyConnect inserts the value ON into the Connect
on Demand field of the AnyConnect connection entry. (domainlistalways or
domainlistifneeded parameter required if useondemand=true)
anyconnect:create?name=Example%20with%20certificate&host=vpn.example.com
&netroam=true&usecert=true&certcommonname=example-ID&useondemand=true
&domainlistalways=email.example.com,pay.examplecloud.com
&domainlistnever=www.example.com&domainlistifneeded=intranet.example.com
-
domainlistnever (optional, requires
useondemand=true)—Lists the domains to evaluate for a match to disqualify the
use of the Connect on Demand feature. This list is the first one AnyConnect
uses to evaluate domain requests for a match. If a domain request matches,
AnyConnect ignores the domain request. AnyConnect inserts this list into the
Never Connect field of the AnyConnect connection entry. This list lets you
exclude certain resources. For example, you might not want an automatic VPN
connection over a public-facing web server. An example value is
www.example.com.
-
domainlistalways (domainlistalways or
domainlistifneeded parameter required if useondemand=true)—Lists the domains to
evaluate for a match for the Connect on Demand feature. This list is the second
one AnyConnect uses to evaluate domain requests for a match. If an application
requests access to one of the domains specified by this parameter and a VPN
connection is not already in progress, Apple iOS attempts to establish a VPN
connection. AnyConnect inserts this list into the Always Connect field of the
AnyConnect connection entry. An example value list is
email.example.com,pay.examplecloud.com.
-
domainlistifneeded (domainlistalways or
domainlistifneeded parameter required if useondemand=true)—AnyConnect evaluates
a domain request for a match against this list if a DNS error occurred. If a
string in this list matches the domain, Apple iOS attempts to establish a VPN
connection. AnyConnect inserts this list into the Connect if Needed field of
the AnyConnect connection entry. The most common use case for this list is to
obtain brief access to an internal resource that is not accessible in a LAN
within the corporate network. An example value is
intranet.example.com.
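The parameter dependencies described above can be checked mechanically before a create URI is published to users. The following linter is an added example, not Cisco code: the names lint_create_uri and SAMPLE are hypothetical, name and host are treated as required because they are the only parameters not marked optional, and values are compared case-insensitively because the page's own example writes eap-md5 in lower case.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qs

NEEDS_IKE_ID = {"eap-gtc", "eap-md5", "eap-mschapv2"}
AUTH_VALUES = NEEDS_IKE_ID | {"eap-anyconnect", "ike-rsa"}
DOMAIN_LISTS = ("domainlistnever", "domainlistalways", "domainlistifneeded")

def _is_ip(text):
    try:
        ipaddress.ip_address(text.strip())
        return True
    except ValueError:
        return False

def lint_create_uri(uri):
    """Return the parameter rules documented above that a create URI breaks."""
    parts = urlsplit(uri.strip())
    action = (parts.netloc or parts.path).strip("/").lower()
    if parts.scheme != "anyconnect" or action != "create":
        return ["not an anyconnect create URI"]
    # Keys compared case-insensitively, last duplicate wins (assumptions).
    q = {k.lower(): v[-1] for k, v in parse_qs(parts.query).items()}
    issues = [f"missing {p}" for p in ("name", "host") if p not in q]
    if len(q.get("name", "")) > 24:
        issues.append("name exceeds the recommended 24 characters")
    ipsec = q.get("protocol", "ssl").lower() == "ipsec"
    auth = q.get("authentication", "eap-anyconnect").lower()
    if auth not in AUTH_VALUES:
        issues.append(f"unknown authentication value {auth!r}")
    if "authentication" in q and not ipsec:
        issues.append("authentication applies only when protocol=IPsec")
    needs_id = ipsec and auth in NEEDS_IKE_ID
    if needs_id != ("ike-identity" in q):
        issues.append("ike-identity must accompany EAP-GTC/EAP-MD5/EAP-MSCHAPv2 only")
    if "certcommonname" in q and "usecert" not in q:
        issues.append("certcommonname requires usecert")
    if q.get("useondemand", "false").lower() == "true":
        issues += [f"useondemand requires {p}"
                   for p in ("usecert", "certcommonname") if p not in q]
        if not {"domainlistalways", "domainlistifneeded"} & q.keys():
            issues.append("useondemand=true requires domainlistalways or domainlistifneeded")
    issues += [f"{p}: {d.strip()} is an IP address, not a domain name"
               for p in DOMAIN_LISTS for d in q.get(p, "").split(",") if _is_ip(d)]
    return issues

# Constructed sample: EAP-MD5 over IPsec without ike-identity, and an IP in a domain list.
SAMPLE = ("anyconnect:create?name=Lab&host=vpn.example.com&protocol=IPsec"
          "&authentication=eap-md5&domainlistalways=10.0.0.5")
print(lint_create_uri(SAMPLE))
```

URIs that the page wraps across several lines must be joined into one string before they are passed to the function.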
Use a
comma-delimited list to specify multiple domains. The Connect-on-Demand rules
support only domain names, not IP addresses. However, AnyConnect is flexible
about the domain name format of each list entry, as follows: