Building OpenConnect 7 on Ubuntu 14 (trusty), 15 (vivid), and 16 (xenial)

openconnect-7-ubuntu-build.md

READ FIRST

This is outdated information, though the concepts are valid. A script implmenting these concepts for OpenConnect 8 on Ubuntu 18 (bionic) and 19 (eoan) is available

Building OpenConnect 7 on Ubuntu 14 (trusty) and 15 (vivid)

The steps in this guide are available as an autobuild shell script

Why?

Because the OpenConnect package from Ubuntu is a bit outdated, and if you have a recent AnyConnect server, you need a newer OpenConnect to play with it.

Why this guide uses OpenSSL instead of GnuTLS

We'll be building OpenConnect mostly with its defaults, but we're going to use OpenSSL rather than GnuTLS. This isn't a philosophical choice: GnuTLS is still maturing, and my testing showed that compilation with GnuTLS leads to a bit of a crapshoot when connecting to AnyConnect endpoints. I haven't debugged this; if you find a good path to compiling with GnuTLS that works reliably, I'm all ears.

Build

Preflight

sudo apt-get install curl vpnc-scripts build-essential libssl-dev libxml2-dev liblz4-dev
curl -O ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
curl -O ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz.asc
gpg --keyserver pgp.mit.edu --recv-key 67e2f359

Verify

gpg --verify openconnect-7.08.tar.gz.asc

You should see something very much like:

gpg: assuming signed data in `openconnect-7.08.tar.gz'
gpg: Signature made Tue 17 Mar 2015 08:33:15 AM CDT using RSA key ID 67E2F359
gpg: Good signature from "David Woodhouse <dwmw2@infradead.org>"
gpg:                 aka "David Woodhouse <dwmw2@exim.org>"
gpg:                 aka "David Woodhouse <david@woodhou.se>"
gpg:                 aka "David Woodhouse <dwmw2@kernel.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE07 D9FD 5480 9AB2 C4B0  FF5F 6376 2CDA 67E2 F359

Build

tar xzf openconnect-7.08.tar.gz
cd openconnect-7.08
./configure --without-gnutls --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script
make
sudo make install
sudo ldconfig /usr/local/lib

OpenConnect will be at /usr/local/sbin/openconnect

configure: error: The pkg-config script could not be found or is too old. Make sure it is in your PATH or set the PKG_CONFIG environment variable to the full path to pkg-config.

Any idea how to solve this problem?

@colintsteele

if using ubuntu install pkg-config by

apt-get install pkg-config -y

We are running firmware version 8.2R5.1 (build 50797) on our MAG 2600 HA Pair and had to install openconnect-7.08 in order to connect via VPN from Ubuntu. The instructions above work almost flawlessly by simply substituting '7.06' with '7.08'. The one thing we needed to add to the /.configure command was --without-openssl-version-check.

How can I build with PKCS#11 support?
Autobuild script worked successfully, but I get This version of OpenConnect was built without PKCS#11 support error when I run:
$ openconnect --juniper --no-cert-check -c 'pkcs11:MY_PARAMS' example.com

EDIT:
Got the answer: for PKCS#11 support you need to install the following libraries before building:
sudo apt-get install libp11-kit-dev libp11-dev

I have an error in 'make check':

...
PASS: lzstest
PASS: seqtest
FAIL: bad_dtls_test
============================================================================
Testsuite summary for openconnect 7.08
============================================================================
# TOTAL: 3
# PASS:  2
# SKIP:  0
# XFAIL: 0
# FAIL:  1
# XPASS: 0
# ERROR: 0

Any clue about what means that fail?: bad_dtls_test.

It doesn't matter, install is ok and working.

Working, thanks for advice.