Welcome to today’s guide on how to install Libreswan on an Ubuntu 22.04/20.04/18.04/16.04 server. Libreswan is an Internet Key Exchange (IKE) implementation for Linux systems. It supports IKEv1 and IKEv2, along with other IPsec-related extensions (RFCs and IETF drafts), including X.509 digital certificates, NAT Traversal, and many others.
Libreswan was forked from Openswan 2.6.38 and uses the native Linux IPsec stack (NETKEY/XFRM) by default. We will install Libreswan on Ubuntu 22.04/20.04/18.04/16.04 from source.
Step 1: Update system
Ensure you’re using an up-to-date installation of Ubuntu.
sudo apt -y update && sudo apt -y upgrade
[ -f /var/run/reboot-required ] && sudo reboot -f
Once the system is up, proceed to step two.
Step 2: Install build dependencies
There are a few packages required for Libreswan to compile from source. Install them on your Ubuntu system by running the following commands.
sudo apt install curl libnss3-dev libnspr4-dev pkg-config libpam-dev \
libcap-ng-dev libcap-ng-utils libselinux-dev \
libcurl3-nss-dev flex bison gcc make libldns-dev \
libunbound-dev libnss3-tools libevent-dev xmlto \
libsystemd-dev git devscripts build-essential fakeroot
Step 3: Download Libreswan source code
We will build Libreswan from source to ensure we’re using the latest release. Download the release tarball from GitHub, falling back to download.libreswan.org if that fails.
SWAN_VER=4.11
swan_file="libreswan-$SWAN_VER.tar.gz"
swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
swan_url2="https://download.libreswan.org/$swan_file"
if ! { wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url1" || wget -t 3 -T 30 -nv -O "$swan_file" "$swan_url2"; }; then
    exit 1
fi
Once the file is downloaded, extract it.
tar xzf "$swan_file" && /bin/rm -f "$swan_file"
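The download step above fetches the tarball from one of two URLs and extracts it without checking what arrived. As an added example (not part of the original guide or of the Libreswan project), the helpers below refuse to extract unless the file matches a pinned SHA-256 digest and every archive member sits under libreswan-$SWAN_VER/. The function names are hypothetical, and EXPECTED_SHA256 is a placeholder to be filled with a digest obtained from a source you trust.

```sh
# Added example: gate "tar xzf" on a pinned digest and a member-path check.
# All function names here are hypothetical helpers, not Libreswan tooling.

# sha256_matches FILE EXPECTED: succeed only if FILE hashes to EXPECTED.
sha256_matches() (
    [ -f "$1" ] || exit 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')   # accept upper-case hex
    [ "$actual" = "$expected" ]
)

# members_confined FILE PREFIX: succeed only if every archive member is
# PREFIX itself or below it, with no absolute path and no ".." component.
members_confined() (
    listing=$(tar tzf "$1" 2>/dev/null) || exit 2   # unreadable archive
    [ -n "$listing" ] || exit 1                      # empty archive
    printf '%s\n' "$listing" | while IFS= read -r name; do
        case "$name" in
            /*|..|../*|*/../*|*/..) exit 1 ;;        # absolute or traversal
        esac
        case "$name" in
            "$2"|"$2"/*) : ;;                        # inside expected tree
            *) exit 1 ;;                             # stray top-level entry
        esac
    done
)

# verified_extract FILE EXPECTED PREFIX: extract only after both checks pass.
verified_extract() {
    sha256_matches "$1" "$2" || { echo "digest mismatch: $1" >&2; return 1; }
    members_confined "$1" "$3" || { echo "unexpected member in $1" >&2; return 1; }
    tar xzf "$1"
}

# Usage with this page's variables. EXPECTED_SHA256 is a placeholder: fill it
# with the digest you obtained from a trusted channel for this exact release.
#   EXPECTED_SHA256='<sha256-of-libreswan-tarball>'
#   verified_extract "$swan_file" "$EXPECTED_SHA256" "libreswan-$SWAN_VER" \
#       && /bin/rm -f "$swan_file"
```

Run the check in place of the plain tar command, so a failed download or a tampered file stops the procedure before anything is compiled or installed as root.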
Step 4: Build and Install Libreswan on Ubuntu
We can now build and install Libreswan on Ubuntu. First, change to the libreswan directory.
cd "libreswan-$SWAN_VER" || exit 1
Create the build options file.
cat > Makefile.inc.local <<'EOF'
WERROR_CFLAGS =
USE_DNSSEC = false
USE_DH31 = false
USE_NSS_AVA_COPY = true
USE_NSS_IPSEC_PROFILE = false
USE_GLIBC_KERN_FLIP_HEADERS = true
EOF
Finally, build Libreswan.
NPROCS=$(grep -c ^processor /proc/cpuinfo)
[ -z "$NPROCS" ] && NPROCS=1
make "-j$((NPROCS+1))" -s base && sudo make -s install-base
A successful build ends with output similar to the following.
.......................................................
running: systemctl --system daemon-reload
running: systemd-tmpfiles --create /usr/lib/tmpfiles.d/libreswan.conf
DESTDIR=''
************************** WARNING ***********************************
The ipsec service is currently disabled. To enable this service issue:
systemctl enable ipsec.service
**********************************************************************
../../OBJ.linux.x86_64/testing/enumcheck/enumcheck -> /usr/local/libexec/ipsec/enumcheck
../../OBJ.linux.x86_64/testing/ipcheck/ipcheck -> /usr/local/libexec/ipsec/ipcheck
../../OBJ.linux.x86_64/testing/fmtcheck/fmtcheck -> /usr/local/libexec/ipsec/fmtcheck
../../OBJ.linux.x86_64/testing/timecheck/timecheck -> /usr/local/libexec/ipsec/timecheck
If the installation was successful, you should be able to check the version.
$ /usr/local/sbin/ipsec --version
Libreswan 4.11
Step 5: Start and enable Libreswan ipsec service
As the installer’s warning notes, the ipsec service is disabled after installation. Enable and start it with:
sudo systemctl enable --now ipsec.service
Verify service status.
$ systemctl status ipsec.service
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
Loaded: loaded (/lib/systemd/system/ipsec.service; enabled; vendor preset: enabled)
Active: active (running) since Tue 2023-06-06 02:07:16 UTC; 4s ago
Docs: man:ipsec(8)
man:pluto(8)
man:ipsec.conf(5)
Process: 10783 ExecStartPre=/usr/local/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
Process: 10784 ExecStartPre=/usr/local/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
Process: 11124 ExecStartPre=/usr/local/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
Process: 11127 ExecStartPre=/usr/local/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
Main PID: 11141 (pluto)
Status: "Startup completed."
Tasks: 3 (limit: 4537)
Memory: 7.1M
CPU: 778ms
CGroup: /system.slice/ipsec.service
└─11141 /usr/local/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 49.12.192.27:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 49.12.192.27:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo 127.0.0.1:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo 127.0.0.1:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo [::1]:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface lo [::1]:4500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 [2a01:4f8:c0c:f12e::1]:500
Jun 06 02:07:16 jammy pluto[11141]: adding UDP interface eth0 [2a01:4f8:c0c:f12e::1]:4500
Jun 06 02:07:16 jammy pluto[11141]: loading secrets from "/etc/ipsec.secrets"
Jun 06 02:07:16 jammy pluto[11141]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Step 6: Configure IPSec VPN with LibreSwan
In our next guide, we will cover how to configure an IPsec VPN using Libreswan.