How To Install Libreswan on Ubuntu 22.04|20.04|18.04|16.04

Welcome to today’s guide on how to install Libreswan on an Ubuntu 22.04/20.04/18.04/16.04 server. Libreswan is an Internet Key Exchange (IKE) implementation for Linux systems. It supports IKEv1 and IKEv2, along with other IPsec-related extensions (RFCs and IETF drafts), including X.509 digital certificates, NAT traversal, and many others.

Original content from computingforgeeks.com - post 21641

Libreswan was forked from Openswan 2.6.38 and uses the native Linux IPsec stack (NETKEY/XFRM) by default. We will install Libreswan on Ubuntu from source.

Step 1: Update system

Ensure you’re using an up-to-date installation of Ubuntu.

sudo apt -y update && sudo apt -y upgrade
[ -f /var/run/reboot-required ] && sudo reboot -f

Once the system is up, proceed to step two.

Step 2: Install build dependencies

There are a few packages required for Libreswan to compile from source. Install them on your Ubuntu system by running the following commands.

sudo apt install curl libnss3-dev libnspr4-dev pkg-config libpam-dev \
 libcap-ng-dev libcap-ng-utils libselinux-dev \
 libcurl3-nss-dev flex bison gcc make libldns-dev \
 libunbound-dev libnss3-tools libevent-dev xmlto \
 libsystemd-dev git devscripts build-essential fakeroot

Step 3: Download Libreswan source code

We will build Libreswan from source to ensure we’re using the latest release. Download the release tarball from GitHub, falling back to download.libreswan.org if that fails.

SWAN_VER=4.12
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
  exit 1
fi

Once the file is downloaded, extract it.

tar xzf "$swan_file" && /bin/rm -f "$swan_file"
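
The download step above takes the tarball from either of two sources and unpacks it with no integrity check before it is built and installed as root. As an added example (not part of the original guide), the functions below gate extraction on a pinned SHA-256 digest and on the archive containing only paths under the expected libreswan-$SWAN_VER directory. The function names are hypothetical, and EXPECTED_SHA256 is a placeholder for a digest you obtain from a trusted source; the two download sources may not serve byte-identical files, so pin one digest per source.

```bash
# Added example, not from the original guide. Function names are hypothetical.
# EXPECTED_SHA256 must come from a source you trust; none is given on this page.

# verify_digest FILE EXPECTED -> 0 only if FILE's SHA-256 equals EXPECTED
verify_digest() {
  vd_actual=$(sha256sum -- "$1" 2>/dev/null | awk '{print $1}')
  [ -n "$vd_actual" ] && [ "$vd_actual" = "$2" ]
}

# verify_layout FILE TOPDIR -> 0 only if the archive is readable, non-empty,
# and every member sits under TOPDIR/ with no absolute or ".." paths
verify_layout() {
  vl_list=$(tar -tzf "$1" 2>/dev/null) || return 2
  [ -n "$vl_list" ] || return 2
  while IFS= read -r vl_member; do
    case "$vl_member" in
      /*|..|../*|*/../*|*/..) return 1 ;;   # absolute or parent traversal
      "$2"|"$2"/*) ;;                       # inside the expected directory
      *) return 1 ;;                        # anything else is unexpected
    esac
  done <<EOF
$vl_list
EOF
}

# safe_extract FILE EXPECTED TOPDIR: unpack only after both checks pass
safe_extract() {
  verify_digest "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
  verify_layout "$1" "$3" || { echo "unexpected paths in: $1" >&2; return 1; }
  tar -xzf "$1"
}

# Usage with the tutorial's variables (in place of the tar command above):
#   safe_extract "$swan_file" "$EXPECTED_SHA256" "libreswan-$SWAN_VER" \
#     && /bin/rm -f "$swan_file"
```

On failure the tarball is left in place so it can be inspected rather than silently deleted.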

Step 4: Build and Install Libreswan on Ubuntu

We can now build and install Libreswan on Ubuntu. First, change to the libreswan directory.

cd "libreswan-$SWAN_VER" || exit 1

Create the build options file.

cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF

Finally, build Libreswan.

NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && sudo make -s install-base

A successful build ends with output similar to the following.

.......................................................
running: systemctl --system daemon-reload
running: systemd-tmpfiles --create /usr/lib/tmpfiles.d/libreswan.conf
DESTDIR=''
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
 systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.x86_64/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.x86_64/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.x86_64/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheck

If the installation was successful, you should be able to check the version.

$ /usr/local/sbin/ipsec --version
Libreswan 4.12

Step 5: Start and enable Libreswan ipsec service

As the build output notes, the ipsec service is disabled after installation. Enable and start it with:

sudo systemctl enable --now ipsec.service

Verify service status.

$ systemctl status ipsec.service
ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-06-06 02:07:16 UTC; 4s ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 10783 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Process: 10784 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
    Process: 11124 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
    Process: 11127 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
   Main PID: 11141 (pluto)
     Status: "Startup completed."
      Tasks: 3 (limit: 4537)
     Memory: 7.1M
        CPU: 778ms
     CGroup: /system.slice/ipsec.service
             └─11141 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 49.12.192.27:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 49.12.192.27:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo 127.0.0.1:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo 127.0.0.1:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo [::1]:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo [::1]:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 [2a01:4f8:c0c:f12e::1]:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 [2a01:4f8:c0c:f12e::1]:4500
Jun 06 02:07:16 jammy pluto[11141]: loading secrets from "/etc/ipsec.secrets"
Jun 06 02:07:16 jammy pluto[11141]: no secrets filename matched "/etc/ipsec.d/*.secrets"

Step 6: Configure IPsec VPN with Libreswan

In our next guide, we will cover how to configure an IPsec VPN using Libreswan. In the meantime, check our other VPN-related guides.


3 thoughts on “How To Install Libreswan on Ubuntu 22.04|20.04|18.04|16.04”

  1. Hi, thanks for the tutorial

    I ran into an error though when I ran the final build cmd, see below.

    /root/libreswan-4.11/lib/libswan/pubkey_rsa.c: In function ‘RSA_ipseckey_rdata_to_pubkey_content’:
    /root/libreswan-4.11/lib/libswan/pubkey_rsa.c:203:6: warning: implicit declaration of function ‘SECITEM_MakeItem’; did you mean ‘SECITEM_FreeIte’? [-Wimplicit-function-declaration]
    if (SECITEM_MakeItem(arena, &rsa->modulus, modulus.ptr, modulus.len) != SECSuccess) {
    ^~~~~~~~~~~~~~~~
    SECITEM_FreeItem
    /root/libreswan-4.11/lib/libswan/pubkey_rsa.c:203:6: warning: nested extern declaration of ‘SECITEM_MakeItem’ [-Wnested-externs]
    .
    .
    .
    /root/libreswan-4.11/programs/pluto/kernel_xfrm.c: In function ‘add_icmpv6_bypass_policy’:
    /root/libreswan-4.11/programs/pluto/kernel_xfrm.c:2299:4: warning: missing initializer for field ‘ifindex’ of ‘struct xfrm_selector’ [-Wmissing-field-initializers]
    .sel.dport = htons(icmp_code),
    ^
    In file included from /root/libreswan-4.11/programs/pluto/kernel_xfrm.c:70:0:
    /root/libreswan-4.11/programs/pluto/linux-copy/linux/xfrm.h:60:6: note: ‘ifindex’ declared here
    int ifindex;
    ^~~~~~~
    /root/libreswan-4.11/programs/pluto/kernel_xfrm.c:2300:4: warning: missing initializer for field ‘ifindex’ of ‘struct xfrm_selector’ [-Wmissing-field-initializers]
    .sel.sport_mask = 0xffff,
    ^
    In file included from /root/libreswan-4.11/programs/pluto/kernel_xfrm.c:70:0:
    /root/libreswan-4.11/programs/pluto/linux-copy/linux/xfrm.h:60:6: note: ‘ifindex’ declared here
    int ifindex;
    ^~~~~~~
    /root/libreswan-4.11/OBJ.linux.x86_64.tapestry/lib/libswan/libswan.a(pubkey_rsa.o): In function `RSA_ipseckey_rdata_to_pubkey_content’:
    /root/libreswan-4.11/lib/libswan/pubkey_rsa.c:203: undefined reference to `SECITEM_MakeItem’
    /root/libreswan-4.11/lib/libswan/pubkey_rsa.c:209: undefined reference to `SECITEM_MakeItem’
    collect2: error: ld returned 1 exit status
    ../../mk/program.mk:65: recipe for target ‘pluto’ failed
    make[3]: *** [pluto] Error 1
    ../../mk/targets.mk:69: recipe for target ‘base’ failed
    make[2]: *** [base] Error 2
    ../mk/targets.mk:69: recipe for target ‘recursive-base’ failed
    make[1]: *** [recursive-base] Error 2
    /root/libreswan-4.11/mk/targets.mk:69: recipe for target ‘recursive-base’ failed

    Pls advise.
    Thanks
