The Libreswan Project
https://libreswan.org/
Libreswan is an Internet Key Exchange (IKE) implementation for Linux, FreeBSD, NetBSD and OpenBSD. It supports IKEv1 and IKEv2 and has support for most of the extensions (RFCs and IETF drafts) related to IPsec, including X.509 digital certificates, NAT traversal and many others.
Libreswan was forked from Openswan 2.6.38, which was forked from FreeS/WAN 2.04. See the CREDITS files for contributor acknowledgments.
It can be downloaded from:
https://download.libreswan.org/
A Git repository is available at:
https://github.com/libreswan/libreswan/
The bulk of libreswan is licensed under the GNU General Public License version 2; see the LICENSE and CREDIT.* files. Some smaller parts have a different license.
A pre-built Libreswan package is available on the following OS distributions: RHEL, Fedora, CentOS, Ubuntu, Debian, Arch, Alpine, OpenWrt and FreeBSD. On NetBSD the package sources are in wip/libreswan.
Unless a source-based build is truly needed, it is often best to use the pre-built package of the distribution you are using.
There are a few packages required for Libreswan to compile from source.
For Debian/Ubuntu:

    apt-get install net-tools make build-essential \
        libnss3-dev pkg-config libevent-dev libunbound-dev \
        bison flex libsystemd-dev libcurl4-nss-dev \
        libpam0g-dev libcap-ng-dev libldns-dev xmlto

For Fedora/CentOS-Stream/RHEL/AlmaLinux/RockyLinux etc.:

    dnf install audit-libs-devel bison curl-devel flex \
        gcc ldns-devel libcap-ng-devel libevent-devel \
        libseccomp-devel libselinux-devel make nspr-devel \
        nss-devel pam-devel pkgconfig systemd-devel \
        unbound-devel xmlto

Alpine Linux:

    apk add mandoc mandoc-doc apk-tools-doc bison \
        bison-doc bsd-compat-headers coreutils coreutils-doc \
        curl-dev curl-doc flex flex-doc gcc gcc-doc git git-doc \
        gmp-dev gmp-doc ldns-dev ldns-doc libcap-ng-dev \
        libcap-ng-doc libevent-dev linux-pam-dev linux-pam-doc \
        make make-doc musl-dev nspr-dev nss-dev nss-tools \
        pkgconfig sed sed-doc unbound-doc unbound-dev \
        xmlto xmlto-doc

FreeBSD:

    pkg install gmake git pkgconf nss libevent unbound bison \
        flex ldns xmlto gcc

NetBSD:

    pkgin install git gmake nss unbound bison flex ldns xmlto pkgconf

OpenBSD:

    pkg_add gmake nss libevent libunbound bison libldns xmlto \
        curl git llvm%16
Install requirements for rpm package building:

    dnf install rpm-build rpmdevtools

The packaging/ directory is used to find the proper spec file for your distribution. Simply issue the command:

    make rpm

You can also pick a specific spec file. For example, to build for CentOS 8, use:

    rpmbuild -ba packaging/centos/8/libreswan.spec

The packaging/debian directory is used to build deb files. Simply issue the command:

    make deb
GNU Make is used:

    gmake
    sudo gmake install

If you want to build without creating and installing manual pages, run:

    gmake base
    sudo gmake install-base

The install will detect the init system used (systemd, upstart, sysvinit, openrc) and should integrate with the Linux distribution. The service name is "ipsec". For example, on CentOS Stream 9, one would use:

    systemctl enable ipsec.service
    systemctl start ipsec.service

If unsure of the specific init system used on the system, the "ipsec" command can also be used to start or stop the ipsec service. This command will auto-detect the init system and invoke it:

    ipsec start
    ipsec stop
For a connection status overview, use:

    ipsec trafficstatus

For a brief status overview, use:

    ipsec briefstatus

For a machine readable global status, use:

    ipsec globalstatus
Most of the libreswan configuration is stored in /etc/ipsec.conf and /etc/ipsec.secrets. Include files may be present in /etc/ipsec.d/. See the respective man pages for more information.
Libreswan uses NSS to store private keys and X.509 certificates. The NSS database should have been initialised by the package installer. If not, the NSS database can be initialised using:

    ipsec initnss

PKCS#12 certificates (.p12 files) can be imported using:

    ipsec import /path/to/your.p12

See README.NSS and "certutil --help" for more details on using NSS and on migrating from the old Openswan /etc/ipsec.d/ directories to using NSS.
If you are upgrading from older Libreswan versions to Libreswan 5.x, you might need to adjust your config files, although great care has been put into keeping the configuration files fully backwards compatible.
See 'man ipsec.conf' for the list of options to find any new features.
You can run "make install" on top of your old version; it will not overwrite your /etc/ipsec.* configuration files. The default install target installs in /usr/local. Ensure you do not install libreswan twice, once from a distribution package in /usr and once manually in /usr/local.
Note that for rpm based systems, the NSS directory changed from /etc/ipsec.d to /var/lib/ipsec/nss/.
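The warning above about installing libreswan twice is easy to check before running "gmake install" over a machine that already has a distribution package. The script below is an added example, not Libreswan's own tooling: it lists every install prefix that holds a Libreswan "ipsec" command or pluto daemon and fails when more than one is found. The /usr and /usr/local prefixes come from the README; the sbin/ipsec and libexec/ipsec/pluto locations under each prefix are assumptions to confirm on your system.

```shell
#!/bin/sh
# Added example; not part of Libreswan or its README.
# Locations under each prefix (sbin/ipsec, libexec/ipsec/pluto) are assumed.

# find_ipsec_installs PREFIX...
# Prints every prefix under which an ipsec command or pluto daemon is installed.
find_ipsec_installs() {
    for p in "$@"; do
        if [ -x "$p/sbin/ipsec" ] || [ -x "$p/libexec/ipsec/pluto" ]; then
            echo "$p"
        fi
    done
}

# check_single_install PREFIX...
# Returns 0 when at most one prefix carries Libreswan, 1 (with a report on
# stderr) when a package install and a source install coexist.
check_single_install() {
    n=$(find_ipsec_installs "$@" | wc -l)
    if [ "$n" -gt 1 ]; then
        echo "libreswan appears to be installed under more than one prefix:" >&2
        find_ipsec_installs "$@" >&2
        return 1
    fi
    return 0
}

# stand-alone run over the two prefixes the README mentions
check_single_install /usr /usr/local
```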
Mailing lists:
The mailing lists, including archives, are at https://lists.libreswan.org/
Wiki:
Libreswan's wiki is at https://libreswan.org/wiki/Main_Page. It contains documentation, interop guides and other useful information.
IRC:
Libreswan developers and users can be found on IRC, on irc.libera.chat in #libreswan
Bugs can be reported on the mailing list swan-dev@lists.libreswan.org or using our bug tracking system, at:
https://github.com/libreswan/libreswan/issues
All security issues found that require public disclosure will receive proper CVE tracking numbers (see https://www.mitre.org/) and will be co-ordinated via the vendor-sec / oss-security lists. A complete list of known security vulnerabilities is available at:
https://libreswan.org/security/
Please contact security@libreswan.org or:
https://github.com/libreswan/libreswan/security
if you suspect you have found a security issue or vulnerability in libreswan. Encrypted email can be received encrypted to the libreswan OpenPGP key. We strongly encourage you to report potential security vulnerabilities to us before disclosing them in a public forum or in a public security paper or conference.
Those interested in the development, patches, and beta releases of Libreswan can join the development mailing list swan-dev@lists.libreswan.org or talk to the development team on IRC in #libreswan on irc.libera.chat
For those who want to track things a bit more closely, the swan-commits@lists.libreswan.org mailing list will mail all the commit messages when they happen. This list is quite busy during active development periods.
The most up to date documentation consists of the man pages that come with the software. Further documentation can be found at:
https://libreswan.org/
and the wiki at:
https://libreswan.org/wiki/