Welcome to today's guide on how to install Libreswan on Ubuntu 22.04/20.04/18.04/16.04 server. Libreswan is an Internet Key Exchange (IKE) implementation for Linux systems. It supports IKEv1 and IKEv2 as well as other IPsec-related extensions (RFCs and IETF drafts), including X.509 digital certificates, NAT traversal, and many others.
Libreswan was forked from Openswan 2.6.38 and uses the native Linux IPsec stack (NETKEY/XFRM) by default. In this guide we install Libreswan on Ubuntu from source.
Step 1: Update system
Ensure you’re using an up-to-date installation of Ubuntu.
sudo apt -y update && sudo apt -y upgrade
[ -f /var/run/reboot-required ] && sudo reboot -f
Once the system is up, proceed to step two.
Step 2: Install build dependencies
There are a few packages required for Libreswan to compile from source. Install them on your Ubuntu system by running the following commands.
sudo apt install curl libnss3-dev libnspr4-dev pkg-config libpam-dev \
libcap-ng-dev libcap-ng-utils libselinux-dev \
libcurl3-nss-dev flex bison gcc make libldns-dev \
libunbound-dev libnss3-tools libevent-dev xmlto \
libsystemd-dev git devscripts build-essential fakeroot
Step 3: Download Libreswan source code
We build Libreswan from source to ensure we're using the latest release. Download the release tarball from GitHub; the snippet below falls back to the project's own download server if the GitHub download fails.
SWAN_VER=4.12
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
exit 1
fi
Once the file is downloaded, extract it.
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
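The download above is extracted without any integrity check. The script below is an added example, not part of the original guide or of the Libreswan project: it fetches the tarball the same way, but extracts it only if its SHA-256 matches a digest you obtained separately (the SHA256_GITHUB and SHA256_LIBRESWAN placeholders are assumptions to fill in; the GitHub-generated archive and the download.libreswan.org tarball are different files with different digests) and if no member path is absolute or contains `..`.

```shell
#!/bin/sh
# Added example, not from the guide or the Libreswan project: fetch the release
# tarball as Step 3 does, but extract it only after checking its SHA-256 and
# its member paths.
SWAN_VER="${SWAN_VER:-4.12}"
# Placeholders (assumptions): fill in the digest published for each archive.
# The GitHub-generated archive and the download.libreswan.org tarball differ.
SHA256_GITHUB="${SHA256_GITHUB:-REPLACE_WITH_PUBLISHED_SHA256}"
SHA256_LIBRESWAN="${SHA256_LIBRESWAN:-REPLACE_WITH_PUBLISHED_SHA256}"

# sha256_of FILE: print the hex digest of FILE.
sha256_of() { sha256sum "$1" | awk '{print $1}'; }

# verify_tarball FILE EXPECTED: succeed only if FILE is readable and its
# digest equals EXPECTED (hex case ignored).
verify_tarball() {
    [ -r "$1" ] && [ -n "$2" ] || return 1
    [ "$(sha256_of "$1" | tr 'A-F' 'a-f')" = "$(printf '%s' "$2" | tr 'A-F' 'a-f')" ]
}

# archive_paths_safe FILE: fail if any member path is absolute or contains a
# ".." component, so extraction cannot write outside the current directory.
archive_paths_safe() {
    [ -r "$1" ] || return 1
    ! tar -tzf "$1" | grep -Eq '(^/|(^|/)\.\.(/|$))'
}

# install_checked URL EXPECTED: download URL to libreswan-$SWAN_VER.tar.gz,
# verify it, extract it and delete the archive; on any failure remove the
# archive and return non-zero so the caller can try the next source.
install_checked() {
    file="libreswan-$SWAN_VER.tar.gz"
    if ! wget -t 3 -T 30 -nv -O "$file" "$1"; then
        rm -f "$file"; echo "download failed: $1" >&2; return 1
    fi
    if ! verify_tarball "$file" "$2"; then
        rm -f "$file"; echo "SHA-256 mismatch, refusing to extract $file" >&2; return 1
    fi
    if ! archive_paths_safe "$file"; then
        rm -f "$file"; echo "unsafe member paths, refusing to extract $file" >&2; return 1
    fi
    tar xzf "$file" && rm -f "$file"
}

# Run the download only when asked, so the functions above can be sourced.
if [ "${1:-}" = "--run" ]; then
    install_checked "https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz" "$SHA256_GITHUB" ||
    install_checked "https://download.libreswan.org/libreswan-$SWAN_VER.tar.gz" "$SHA256_LIBRESWAN"
fi
```

Run it as `sh fetch-libreswan.sh --run` after exporting the two digests; with the placeholders left in place it refuses to extract anything.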
Step 4: Build and Install Libreswan on Ubuntu
We can now build and install Libreswan on Ubuntu. First change to libreswan directory.
cd "libreswan-$SWAN_VER" || exit 1
Create build options file.
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
Finally build Libreswan.
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && sudo make -s install-base
A successful build and install ends with output like the following.
.......................................................
running: systemctl --system daemon-reload
running: systemd-tmpfiles --create /usr/lib/tmpfiles.d/libreswan.conf
DESTDIR=''
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.x86_64/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.x86_64/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.x86_64/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheck
If the installation was successful, you should be able to check the version.
$ /usr/local/sbin/ipsec --version
Libreswan 4.12
Step 5: Start and enable Libreswan ipsec service
As the install warning notes, the ipsec service is disabled after installation. Enable it and start it now:
sudo systemctl enable --now ipsec.service
Verify service status.
$ systemctl status ipsec.service
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-06-06 02:07:16 UTC; 4s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 10783 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Process: 10784 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 11124 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 11127 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Main PID: 11141 (pluto)
Status: "Startup completed."
Tasks: 3 (limit: 4537)
Memory: 7.1M
CPU: 778ms
CGroup: /system.slice/ipsec.service
└─11141 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 49.12.192.27:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 49.12.192.27:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo 127.0.0.1:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo 127.0.0.1:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo [::1]:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo [::1]:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 [2a01:4f8:c0c:f12e::1]:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 [2a01:4f8:c0c:f12e::1]:4500
Jun 06 02:07:16 jammy pluto[11141]: loading secrets from "/etc/ipsec.secrets"
Jun 06 02:07:16 jammy pluto[11141]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Step 6: Configure IPsec VPN with Libreswan
In our next guide, we will cover how to configure an IPsec VPN using Libreswan. In the meantime, check out our other VPN-related guides.
- Setup IPSec VPN server with L2TP and Cisco IPsec on Linux
- Install Cisco AnyConnect on Ubuntu / Debian / Fedora
- How to Install and Configure OPNSense Firewall
- Best Linux Books for Beginners & Experts
Thank you, it worked on the first try.
Awesome, we're happy for you!
Hi, thanks for the tutorial.
I ran into an error though when I ran the final build cmd, see below.
/root/libreswan-4.11/lib/libswan/pubkey_rsa.c: In function ‘RSA_ipseckey_rdata_to_pubkey_content’:
/root/libreswan-4.11/lib/libswan/pubkey_rsa.c:203:6: warning: implicit declaration of function ‘SECITEM_MakeItem’; did you mean ‘SECITEM_FreeIte’? [-Wimplicit-function-declaration]
if (SECITEM_MakeItem(arena, &rsa->modulus, modulus.ptr, modulus.len) != SECSuccess) {
^~~~~~~~~~~~~~~~
SECITEM_FreeItem
/root/libreswan-4.11/lib/libswan/pubkey_rsa.c:203:6: warning: nested extern declaration of ‘SECITEM_MakeItem’ [-Wnested-externs]
.
.
.
/root/libreswan-4.11/programs/pluto/kernel_xfrm.c: In function ‘add_icmpv6_bypass_policy’:
/root/libreswan-4.11/programs/pluto/kernel_xfrm.c:2299:4: warning: missing initializer for field ‘ifindex’ of ‘struct xfrm_selector’ [-Wmissing-field-initializers]
.sel.dport = htons(icmp_code),
^
In file included from /root/libreswan-4.11/programs/pluto/kernel_xfrm.c:70:0:
/root/libreswan-4.11/programs/pluto/linux-copy/linux/xfrm.h:60:6: note: ‘ifindex’ declared here
int ifindex;
^~~~~~~
/root/libreswan-4.11/programs/pluto/kernel_xfrm.c:2300:4: warning: missing initializer for field ‘ifindex’ of ‘struct xfrm_selector’ [-Wmissing-field-initializers]
.sel.sport_mask = 0xffff,
^
In file included from /root/libreswan-4.11/programs/pluto/kernel_xfrm.c:70:0:
/root/libreswan-4.11/programs/pluto/linux-copy/linux/xfrm.h:60:6: note: ‘ifindex’ declared here
int ifindex;
^~~~~~~
/root/libreswan-4.11/OBJ.linux.x86_64.tapestry/lib/libswan/libswan.a(pubkey_rsa.o): In function `RSA_ipseckey_rdata_to_pubkey_content’:
/root/libreswan-4.11/lib/libswan/pubkey_rsa.c:203: undefined reference to `SECITEM_MakeItem’
/root/libreswan-4.11/lib/libswan/pubkey_rsa.c:209: undefined reference to `SECITEM_MakeItem’
collect2: error: ld returned 1 exit status
../../mk/program.mk:65: recipe for target ‘pluto’ failed
make[3]: *** [pluto] Error 1
../../mk/targets.mk:69: recipe for target ‘base’ failed
make[2]: *** [base] Error 2
../mk/targets.mk:69: recipe for target ‘recursive-base’ failed
make[1]: *** [recursive-base] Error 2
/root/libreswan-4.11/mk/targets.mk:69: recipe for target ‘recursive-base’ failed
Please advise.
Thanks