(Last Updated On: June 29, 2019)

Welcome to today’s guide on how to install Libreswan on an Ubuntu 18.04/16.04 server. Libreswan is an Internet Key Exchange (IKE) implementation for Linux systems. It supports IKEv1 and IKEv2, along with other IPsec-related extensions (RFCs and IETF drafts), including X.509 digital certificates, NAT traversal, and many others.

Libreswan was forked from Openswan 2.6.38 and uses the native Linux IPsec stack (NETKEY/XFRM) by default. We will install Libreswan on Ubuntu 18.04/16.04 from source.

Step 1: Update system

Ensure you’re using an up-to-date installation of Ubuntu.

sudo apt -y update && sudo apt -y upgrade
sudo reboot

Once the system is up, proceed to step two.

Step 2: Install build dependencies

There are a few packages required for Libreswan to compile from source. Install them on your Ubuntu system by running the following commands.

sudo apt install libnss3-dev libnspr4-dev pkg-config libpam-dev \
 libcap-ng-dev libcap-ng-utils libselinux-dev \
 libcurl3-nss-dev flex bison gcc make libldns-dev \
 libunbound-dev libnss3-tools libevent-dev xmlto \
 libsystemd-dev git devscripts build-essential fakeroot

Step 3: Download Libreswan source code

We will build Libreswan from source to ensure we’re using the latest release. Download the release tarball from GitHub; the commands below fall back to download.libreswan.org if the first download fails.

SWAN_VER=3.29
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
  exit 1
fi

Once the file is downloaded, extract it.

tar xzf "$swan_file" && /bin/rm -f "$swan_file"
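
The commands above fetch the tarball from one of two origins and unpack it without checking what arrived, and the result is later built and installed system-wide. The function below is an added example, not part of the original guide: it refuses to extract unless the file matches a SHA-256 digest pinned beforehand and every archive member sits under the expected top-level directory. The function name, its arguments and `PINNED_SHA256` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: gate extraction on a pinned digest and a sane archive layout.
# Usage: verify_and_extract "$swan_file" "$PINNED_SHA256" "libreswan-$SWAN_VER"
#   PINNED_SHA256 is a value you recorded beforehand for the exact URL you
#   download from (hypothetical variable; the guide publishes no digest, and
#   the GitHub and download.libreswan.org archives may not be byte-identical).
verify_and_extract() {
  file=$1
  want=$2
  topdir=$3

  # Fail closed when no digest was supplied.
  [ -n "$want" ] || { echo "no pinned digest given" >&2; return 1; }

  # 1. Integrity: hash what was actually downloaded and compare.
  got=$(sha256sum "$file" | awk '{print $1}')
  if [ "$got" != "$want" ]; then
    echo "digest mismatch for $file (got: ${got:-none})" >&2
    return 1
  fi

  # 2. Layout: every member must live under TOPDIR and contain no '..' part.
  bad=$(tar tzf "$file" | awk -v top="$topdir" '
    BEGIN { FS = "/"; pre = top "/" }
    {
      ok = ($0 == top || index($0, pre) == 1)
      for (i = 1; i <= NF; i++) if ($i == "..") ok = 0
      if (!ok) print
    }')
  if [ -n "$bad" ]; then
    printf 'unexpected archive members:\n%s\n' "$bad" >&2
    return 1
  fi

  # 3. Unpack only after both checks pass; the tarball is left in place.
  tar xzf "$file"
}
```

Run it in place of the bare `tar xzf` line, and delete the tarball only after the function returns success.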

Step 4: Build and Install Libreswan on Ubuntu

We can now build and install Libreswan on Ubuntu. First, change into the libreswan source directory.

cd "libreswan-$SWAN_VER" || exit 1

Create the build options file.

cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF

Finally, build and install Libreswan. The install step writes to system directories, so it runs with sudo.

NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && sudo make -s install-base

A successful build should end with output similar to the following.

.......................................................
running: systemctl --system daemon-reload
running: systemd-tmpfiles --create /usr/lib/tmpfiles.d/libreswan.conf
DESTDIR=''
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
 systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.x86_64/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.x86_64/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.x86_64/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheck

If the installation was successful, you should be able to check the version.

/usr/local/sbin/ipsec --version

Step 5: Start and enable Libreswan ipsec service

As the build output notes, the ipsec service is currently disabled. Enable and start it with:

sudo systemctl enable --now ipsec.service

Verify the service status.

$ systemctl status ipsec.service
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
   Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
   Active: active (running) since Sat 2019-06-29 09:17:26 CEST; 37s ago
     Docs: man:ipsec(8)
           man:pluto(8)
           man:ipsec.conf(5)
 Main PID: 13782 (pluto)
   Status: "Startup completed."
    Tasks: 2 (limit: 2299)
   CGroup: /system.slice/ipsec.service
           └─13782 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface eth0/eth0 116.203.48.203:4500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo (esp-hw-offload=no) 127.0.0.1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo 127.0.0.1:4500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface lo/lo (esp-hw-offload=no) ::1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: Kernel supports NIC esp-hw-offload
Jun 29 09:17:26 ubuntu16 pluto[13782]: adding interface eth0/eth0 (esp-hw-offload=no) 2a01:4f8:c2c:83a2::1:500
Jun 29 09:17:26 ubuntu16 pluto[13782]: loading secrets from "/etc/ipsec.secrets"
Jun 29 09:17:26 ubuntu16 pluto[13782]: no secrets filename matched "/etc/ipsec.d/*.secrets"

Step 6: Configure IPsec VPN with Libreswan

In our next guide, we will cover how to configure an IPsec VPN using Libreswan. In the meantime, check our other VPN-related guides.

How to Setup IPSec VPN server with L2TP and Cisco IPsec on Linux

Install Cisco AnyConnect on Ubuntu / Debian / Fedora

How to Install and Configure OPNSense Firewall
