You can support us by downloading this article as PDF from the Link below. Download the guide as PDF

Welcome to today’s guide on how to Install Libreswan on Ubuntu 20.04/18.04/16.04 server. Libreswan is an Internet Key Exchange (IKE) implementation for Linux systems. It has support for IKEv1 and IKEv2 and other extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others.

Libreswan was forked from Openswan 2.6.38 and it uses the native Linux IPsec stack (NETKEY/XFRM) per default. We will install Libreswan on Ubuntu 20.04/18.04/16.04 from source.

Step 1: Update system

Ensure you’re using an up-to-date installation of Ubuntu.

sudo apt -y update && sudo apt -y upgrade
sudo reboot

Once the system is up, proceed to step two.

Step 2: Install build dependencies

There are a few packages required for Libreswan to compile from source. Install them on your Ubuntu system by running the following commands.

sudo apt install libnss3-dev libnspr4-dev pkg-config libpam-dev \
 libcap-ng-dev libcap-ng-utils libselinux-dev \
 libcurl3-nss-dev flex bison gcc make libldns-dev \
 libunbound-dev libnss3-tools libevent-dev xmlto \
 libsystemd-dev git devscripts build-essential fakeroot libsystemd-dev

Step 3: Download Libreswan source code

Since we will build Libreswan from source to ensure we’re using the latest release. Clone the project from Github.

SWAN_VER=3.32
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
  exit 1
fi

Once the file is downloaded, extract it.

tar xzf "$swan_file" && /bin/rm -f "$swan_file"

Step 4: Build and Install Libreswan on Ubuntu

We can now build and install Libreswan on Ubuntu. First change to libreswan directory.

cd "libreswan-$SWAN_VER" || exit 1

Create build options file.

cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF

Finally build Libreswan.

NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && sudo make -s install-base

Successful build should output.

.......................................................
running: systemctl --system daemon-reload
running: systemd-tmpfiles --create /usr/lib/tmpfiles.d/libreswan.conf
DESTDIR=''
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
 systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.x86_64/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.x86_64/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.x86_64/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheck

If installation was successful. you should be able to check version.

$ /usr/local/sbin/ipsec --version
Linux Libreswan 3.32 (netkey) on 5.4.0-26-generic

Step 5: Start and enable Libreswan ipsec service

The ipsec service is currently disabled. To enable this service issue:

sudo systemctl enable --now ipsec.service

Verify service status.

$ systemctl status ipsec.service
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-06-29 09:17:26 CEST; 37s ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
 Main PID: 13782 (pluto)
   Status: "Startup completed."
    Tasks: 2 (limit: 2299)
   CGroup: /system.slice/ipsec.service
           └─13782 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface eth0/eth0 116.203.48.203:4500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo 127.0.0.1:4500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo (esp-hw-offload=no) ::1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface eth0/eth0 (esp-hw-offload=no) 2a01:4f8:c2c:83a2::1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: loading secrets from "/etc/ipsec.secrets"
Jun 29 09:17:26 ubuntu16 pluto[13782]: no secrets filename matched "/etc/ipsec.d/*.secrets"

Step 6: Configure IPSec VPN with LibreSwan

In our next guide, we will cover how to configure IPSEC VPN using Libreswan. In the meantime, check other VPN related guides.

How to Setup IPSec VPN server with L2TP and Cisco IPsec on Linux

Install Cisco AnyConnect on Ubuntu / Debian / Fedora

How to Install and Configure OPNSense Firewall

Best Linux Books for Beginners & Experts

As an appreciation for the content we put out,
we would be thrilled if you support us!

As we continue to grow, we would wish to reach and impact more people who visit and take advantage of the guides we have on our blog. This is a big task for us and we are so far extremely grateful for the kind people who have shown amazing support for our work over the time we have been online.

Thank You for your support as we work to give you the best of guides and articles. Click below to buy us a coffee.

Coffee Box

RELATED ARTICLESMORE FROM AUTHOR

LEAVE A REPLY

Please enter your comment!
Please enter your name here