This is outdated information, though the concepts are valid. A script implementing these concepts for OpenConnect 8 on Ubuntu 18 (bionic) and 19 (eoan) is available.
The steps in this guide are available as an autobuild shell script.
The OpenConnect package that ships with Ubuntu is a bit outdated, so if you have a recent AnyConnect server, you need a newer OpenConnect to play with it.
We'll be building OpenConnect mostly with its defaults, but we're going to use OpenSSL rather than GnuTLS. This isn't a philosophical choice: GnuTLS is still maturing, and my testing showed that compilation with GnuTLS leads to a bit of a crapshoot when connecting to AnyConnect endpoints. I haven't debugged this; if you find a good path to compiling with GnuTLS that works reliably, I'm all ears.
sudo apt-get install curl vpnc-scripts build-essential libssl-dev libxml2-dev liblz4-dev
curl -O ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz
curl -O ftp://ftp.infradead.org/pub/openconnect/openconnect-7.08.tar.gz.asc
gpg --keyserver pgp.mit.edu --recv-key 67e2f359
gpg --verify openconnect-7.08.tar.gz.asc
You should see something very much like:
gpg: assuming signed data in `openconnect-7.08.tar.gz'
gpg: Signature made Tue 17 Mar 2015 08:33:15 AM CDT using RSA key ID 67E2F359
gpg: Good signature from "David Woodhouse <dwmw2@infradead.org>"
gpg: aka "David Woodhouse <dwmw2@exim.org>"
gpg: aka "David Woodhouse <david@woodhou.se>"
gpg: aka "David Woodhouse <dwmw2@kernel.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
Primary key fingerprint: BE07 D9FD 5480 9AB2 C4B0 FF5F 6376 2CDA 67E2 F359
tar xzf openconnect-7.08.tar.gz
cd openconnect-7.08
./configure --without-gnutls --with-vpnc-script=/usr/share/vpnc-scripts/vpnc-script
make
sudo make install
sudo ldconfig /usr/local/lib
OpenConnect will be at /usr/local/sbin/openconnect
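The signature check above fetches the key by its 8-digit ID, and gpg warns that the key is not certified. The following added example (not part of the original guide or its autobuild script) pins the full fingerprint printed in that output and checks gpg's machine-readable status lines before you build. The function names and the script's argument handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: pin the signer by full fingerprint, not the 8-digit key ID.
# Value copied from the "Primary key fingerprint" line in the gpg output above.
EXPECTED_FPR="BE07D9FD54809AB2C4B0FF5F63762CDA67E2F359"

# signer_matches FPR  (hypothetical helper)
# Reads `gpg --status-fd 1 --verify` output on stdin. Succeeds only if a
# VALIDSIG line names FPR as the signing key (field 3) or the primary key
# (last field), and gpg reported neither a bad signature nor a revoked key.
signer_matches() {
    awk -v want="$1" '
        $1 != "[GNUPG:]"                    { next }
        $2 == "BADSIG" || $2 == "REVKEYSIG" { bad = 1 }
        $2 == "VALIDSIG" && (toupper($3) == want || toupper($NF) == want) { ok = 1 }
        END { exit !(ok && !bad) }
    '
}

# verify_tarball FILE  (hypothetical helper)
# Expects FILE and FILE.asc in the current directory, as downloaded above.
verify_tarball() {
    tarball=$1
    # Asking for the full fingerprint avoids picking up a different key
    # that merely shares the short ID 67e2f359.
    gpg --keyserver pgp.mit.edu --recv-keys "$EXPECTED_FPR" || return 1
    # Name the signed file explicitly instead of letting gpg assume it.
    gpg --status-fd 1 --verify "$tarball.asc" "$tarball" 2>/dev/null |
        signer_matches "$EXPECTED_FPR"
}

# Only act when a tarball name is passed on the command line.
if [ -n "${1:-}" ]; then
    if verify_tarball "$1"; then
        echo "OK: $1 is signed by $EXPECTED_FPR"
    else
        echo "FAILED: do not build $1" >&2
        exit 1
    fi
fi
```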
We are running firmware version 8.2R5.1 (build 50797) on our MAG 2600 HA Pair and had to install openconnect-7.08 in order to connect via VPN from Ubuntu. The instructions above work almost flawlessly by simply substituting '7.06' with '7.08'. The one thing we needed to add to the ./configure command was --without-openssl-version-check.