diff --git a/Makefile.am b/Makefile.am
index fd335bf0..1cfc15bc 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -25,7 +25,7 @@ openconnect_LDADD = libopenconnect.la $(SSL_LIBS) $(LIBXML2_LIBS) $(LIBPROXY_LIB
 library_srcs = ssl.c http.c auth-common.c library.c compat.c lzs.c mainloop.c script.c ntlm.c digest.c
 lib_srcs_cisco = auth.c cstp.c dtls.c
-lib_srcs_juniper = oncp.c esp.c
+lib_srcs_juniper = oncp.c
 lib_srcs_gnutls = gnutls.c gnutls_pkcs12.c gnutls_tpm.c
 lib_srcs_openssl = openssl.c openssl-pkcs11.c
 lib_srcs_win32 = tun-win32.c sspi.c
@@ -37,7 +37,7 @@ lib_srcs_yubikey = yubikey.c
 lib_srcs_stoken = stoken.c
 POTFILES = $(openconnect_SOURCES) $(lib_srcs_cisco) $(lib_srcs_juniper) \
-	gnutls-esp.c openssl-esp.c \
+	gnutls-esp.c openssl-esp.c esp.c \
 	$(lib_srcs_openssl) $(lib_srcs_gnutls) $(library_srcs) \
 	$(lib_srcs_win32) $(lib_srcs_posix) $(lib_srcs_gssapi) $(lib_srcs_iconv) \
 	$(lib_srcs_oath) $(lib_srcs_yubikey) $(lib_srcs_stoken) openconnect-internal.h
 
@@ -59,10 +59,10 @@ if OPENCONNECT_GNUTLS
 library_srcs += $(lib_srcs_gnutls)
 endif
 if ESP_GNUTLS
-lib_srcs_juniper += gnutls-esp.c
+lib_srcs_juniper += gnutls-esp.c esp.c
 endif
 if ESP_OPENSSL
-lib_srcs_juniper += openssl-esp.c
+lib_srcs_juniper += openssl-esp.c esp.c
 endif
 if OPENCONNECT_OPENSSL
 library_srcs += $(lib_srcs_openssl)
diff --git a/library.c b/library.c
index e6d4d45c..318887fe 100644
--- a/library.c
+++ b/library.c
@@ -120,10 +120,14 @@ void openconnect_set_juniper(struct openconnect_info *vpninfo)
 	vpninfo->proto.tcp_mainloop = oncp_mainloop;
 	vpninfo->proto.add_http_headers = oncp_common_headers;
 	vpninfo->proto.obtain_cookie = oncp_obtain_cookie;
+#if defined(ESP_GNUTLS) || defined(ESP_OPENSSL)
 	vpninfo->proto.udp_setup = esp_setup;
 	vpninfo->proto.udp_mainloop = esp_mainloop;
 	vpninfo->proto.udp_close = esp_close;
 	vpninfo->proto.udp_shutdown = esp_shutdown;
+#else
+	vpninfo->dtls_state = DTLS_DISABLED;
+#endif
 }
 
 int openconnect_setup_dtls(struct openconnect_info *vpninfo,
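Review bot: In the new `#else` branch of openconnect_set_juniper (library.c hunk at -120), the four `proto.udp_*` function pointers are left untouched, so whatever they held before the call remains in place while only `dtls_state` is set to DTLS_DISABLED. If the struct is not zero-initialised, or a caller can invoke this setter after another protocol setter has installed DTLS handlers, a non-ESP build would still carry live UDP entry points and rely on every caller checking `dtls_state` first. Setting `vpninfo->proto.udp_setup`, `udp_mainloop`, `udp_close` and `udp_shutdown` to NULL in that branch alongside `dtls_state = DTLS_DISABLED` makes the disabled transport unambiguous. Whether the mainloop guards these pointers on dtls_state cannot be confirmed from this hunk.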
@@ -254,9 +258,11 @@ void openconnect_vpninfo_free(struct openconnect_info *vpninfo)
 #ifdef DTLS_GNUTLS
 	gnutls_free(vpninfo->gnutls_dtls_cipher);
 #endif
+#if defined(ESP_GNUTLS) || defined(ESP_OPENSSL)
 	destroy_esp_ciphers(&vpninfo->esp_in[0]);
 	destroy_esp_ciphers(&vpninfo->esp_in[1]);
 	destroy_esp_ciphers(&vpninfo->esp_out);
+#endif
 	free(vpninfo->dtls_addr);
 
 	if (vpninfo->csd_scriptname) {
diff --git a/oncp.c b/oncp.c
index 974ccb4b..b604eb43 100644
--- a/oncp.c
+++ b/oncp.c
@@ -1192,7 +1192,6 @@ int oncp_connect(struct openconnect_info *vpninfo)
 	group = reqbuf->pos;
 	buf_append_tlv_be32(reqbuf, 2, vpninfo->ip_info.mtu);
 	if (buf_error(reqbuf)) {
-	enomem:
 		vpn_progress(vpninfo, PRG_ERR,
 			     _("Error creating oNCP negotiation request\n"));
 		ret = buf_error(reqbuf);
@@ -1201,6 +1200,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
 	put_len32(reqbuf, group);
 	put_len16(reqbuf, kmp);
 
+#if defined(ESP_GNUTLS) || defined(ESP_OPENSSL)
 	if (!setup_esp_keys(vpninfo)) {
 		struct esp *esp = &vpninfo->esp_in[vpninfo->current_esp_in];
 		/* Since we'll want to do this in the oncp_mainloop too, where it's easier
@@ -1210,10 +1210,14 @@ int oncp_connect(struct openconnect_info *vpninfo)
 		buf_append_bytes(reqbuf, &esp->spi, sizeof(esp->spi));
 		buf_append_bytes(reqbuf, esp_kmp_part2, sizeof(esp_kmp_part2));
 		buf_append_bytes(reqbuf, &esp->secrets, sizeof(esp->secrets));
-		if (buf_error(reqbuf))
-			goto enomem;
+		if (buf_error(reqbuf)) {
+			vpn_progress(vpninfo, PRG_ERR,
+				     _("Error negotiating ESP keys\n"));
+			ret = buf_error(reqbuf);
+			goto out;
+		}
 	}
-
+#endif
 	/* Length at the start of the packet is little-endian */
 	reqbuf->data[0] = (reqbuf->pos - 2);
 	reqbuf->data[1] = (reqbuf->pos - 2) >> 8;
@@ -1241,6 +1245,7 @@ int oncp_connect(struct openconnect_info *vpninfo)
 
 static int oncp_receive_espkeys(struct openconnect_info *vpninfo, int len)
 {
+#if defined(ESP_GNUTLS) || defined(ESP_OPENSSL)
 	int ret;
 
 	ret = parse_conf_pkt(vpninfo, vpninfo->cstp_pkt->oncp_hdr + 2, len + 20, 301);
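Review bot: In the oncp_connect hunk at -1210, the new error block runs after `esp->secrets` has already been copied into reqbuf, so a buffer holding fresh ESP key material is passed to the `out` cleanup; if that cleanup only frees reqbuf (it lies outside this hunk), the keys remain in released heap memory. The same is true of the success path once the packet has been sent, and of the `enomem` path that the -1192 hunk removes, which this commit did not change in that respect. Consider wiping reqbuf's contents with explicit_bzero (or the project's equivalent) before it is freed, on both the error and the success path, now that it is known to carry secrets. oncp_connect begins and ends outside these hunks, so the exact shape of `out:` cannot be confirmed here.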
@@ -1267,7 +1272,13 @@ static int oncp_receive_espkeys(struct openconnect_info *vpninfo, int len)
 		print_esp_keys(vpninfo, _("new outgoing"), &vpninfo->esp_out);
 	}
 	return ret;
+#else
+	vpn_progress(vpninfo, PRG_DEBUG,
+		     _("Ignoring ESP keys since ESP support not available in this build\n"));
+	return 0;
+#endif
 }
+
 static int oncp_receive_data(struct openconnect_info *vpninfo, int len, int unreceived)
 {
 	struct pkt *pkt = vpninfo->cstp_pkt;
diff --git a/openconnect-internal.h b/openconnect-internal.h
index b6ff4208..65623a4c 100644
--- a/openconnect-internal.h
+++ b/openconnect-internal.h
@@ -773,7 +773,7 @@ void esp_close(struct openconnect_info *vpninfo);
 void esp_shutdown(struct openconnect_info *vpninfo);
 int print_esp_keys(struct openconnect_info *vpninfo, const char *name, struct esp *esp);
 
-/* gnutls-esp.c */
+/* {gnutls,openssl}-esp.c */
 int setup_esp_keys(struct openconnect_info *vpninfo);
 void destroy_esp_ciphers(struct esp *esp);
 int decrypt_esp_packet(struct openconnect_info *vpninfo, struct esp *esp, struct pkt *pkt);
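Review bot: In the new `#else` branch of oncp_receive_espkeys (hunk at -1267), the `len` parameter is never referenced, so non-ESP builds compiled with -Wunused-parameter will warn on this function; add `(void)len;` ahead of the vpn_progress call to keep the build quiet in both configurations. The "Ignoring ESP keys" message is emitted at PRG_DEBUG, which means a user whose server keeps offering ESP will not learn at normal verbosity why the UDP transport never comes up; PRG_INFO would make the build limitation visible where it matters. The function's opening lines, including the matching `#if`, are outside this hunk.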