Welcome to today’s guide on how to Install Libreswan on Ubuntu 18.04/16.04 server. Libreswan is an Internet Key Exchange (IKE) implementation for Linux systems. It has support for IKEv1 and IKEv2 and other extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.
Libreswan was forked from Openswan 2.6.38 and it uses the native Linux IPsec stack (NETKEY/XFRM) per default. We will install Libreswan on Ubuntu 18.04/16.04 from source.
Step 1: Update system
Ensure you’re using an up-to-date installation of Ubuntu.
sudo apt -y update && sudo apt -y upgrade
sudo rebootOnce the system is up, proceed to step two.
Step 2: Install build dependencies
There are a few packages required for Libreswan to compile from source. Install them on your Ubuntu system by running the following commands.
sudo apt install libnss3-dev libnspr4-dev pkg-config libpam-dev \
libcap-ng-dev libcap-ng-utils libselinux-dev \
libcurl3-nss-dev flex bison gcc make libldns-dev \
libunbound-dev libnss3-tools libevent-dev xmlto \
libsystemd-dev git devscripts build-essential fakeroot libsystemd-devStep 3: Download Libreswan source code
Since we will build Libreswan from source to ensure we’re using the latest release. Clone the project from Github.
SWAN_VER=3.29
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fiOnce the file is downloaded, extract it.
tar xzf "$swan_file" && /bin/rm -f "$swan_file"Step 4: Build and Install Libreswan on Ubuntu
We can now build and install Libreswan on Ubuntu. First change to libreswan directory.
cd "libreswan-$SWAN_VER" || exit 1
Create build options file.
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOFFinally build Libreswan.
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && make -s install-baseSuccessful build should output.
.......................................................
running: systemctl --system daemon-reload
running: systemd-tmpfiles --create /usr/lib/tmpfiles.d/libreswan.conf
DESTDIR=''
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.x86_64/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.x86_64/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.x86_64/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheckIf installation was successful. you should be able to check version.
/usr/local/sbin/ipsec --versionStep 5: Start and enable Libreswan ipsec service
The ipsec service is currently disabled. To enable this service issue:
sudo systemctl enable --now ipsec.serviceVerify service status.
$ systemctl status ipsec.service
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
Active: active (running) since Sat 2019-06-29 09:17:26 CEST; 37s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Main PID: 13782 (pluto)
Status: "Startup completed."
Tasks: 2 (limit: 2299)
CGroup: /system.slice/ipsec.service
└─13782 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface eth0/eth0 116.203.48.203:4500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo 127.0.0.1:4500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo (esp-hw-offload=no) ::1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface eth0/eth0 (esp-hw-offload=no) 2a01:4f8:c2c:83a2::1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: loading secrets from "/etc/ipsec.secrets"
Jun 29 09:17:26 ubuntu16 pluto[13782]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Step 6: Configure IPSec VPN with LibreSwan
In our next guide, we will cover how to configure IPSEC VPN using Libreswan. In the meantime, check other VPN related guides.
How to Setup IPSec VPN server with L2TP and Cisco IPsec on Linux
Install Cisco AnyConnect on Ubuntu / Debian / Fedora
How to Install and Configure OPNSense Firewall
Best Linux Books for Beginners & Experts
