C Shell Python Makefile Assembly C++ Other
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.
contrib c-swan: make functions file-static where appropriate Apr 21, 2018
docs grammar: replace "which" by "that" where it is a defining or restrict… Feb 7, 2018
include lswlog: don't #include libreswan.h into lswlog.h Apr 24, 2018
initsystems initsystems: make all init systems only conditionally run portexcludes Apr 17, 2018
lib shunk: #include <string.h> directly, not via "lswalloc.h" (which isn'… Apr 23, 2018
linux eliminate scattered and redundant #includes of <stdbool.h> Apr 21, 2018
macports pervasive: get rid of useless trailing whitespace Jul 22, 2015
mk testing: travis Ubuntu xenial need USE_GLIBC_KERN_FLIP_HEADERS=true Apr 17, 2018
nat-t Revert "added osx app and put the source code inside" May 3, 2009
packaging d/control: Rules-Requires-Root: no Apr 17, 2018
pam.d PAM: update pluto pam config and add google-authenticator example Sep 4, 2013
ports pluto: remove traces of HOST_NAME_MAX Aug 16, 2017
programs ipsec checknss: add option --settruts to reset CA trusts in nss db Apr 26, 2018
scripts testing: update travis test files Dec 8, 2017
security Fix various spelling errors Jan 26, 2017
testing testing: merge ikev2-algo-13-null and ikev2-algo-esp-null-01 creating… Apr 26, 2018
.gitignore packaging: do not .gitignore debian/* Nov 12, 2017
.travis.yml testing: .travis.yml cleanup Dec 13, 2017
CHANGES update CHANGES Apr 26, 2018 documentation: added Nov 30, 2015
COPYING documentation: correct/clarify GPL 2.0 Aug 8, 2016
CREDITS updated CREDITS Apr 30, 2017 pervasive: get rid of useless trailing whitespace Jul 22, 2015
INSTALL INSTALL: document audit and curl devel deps Jun 9, 2017
LIBRESWAN-GPG-KEY.txt * Added our GPG key as LIBRESWAN-GPG-KEY.txt Mar 30, 2013
LICENSE LICENSE: keep width in control Aug 8, 2016
Makefile building: have the default (help) target fail Jan 11, 2018 buiding: copy, Makefile.ver, Makefile.tmp to mk/config.m… Feb 25, 2015
Makefile.ver buiding: copy, Makefile.ver, Makefile.tmp to mk/config.m… Feb 25, 2015
README.KLIPS pervasive: get rid of useless trailing whitespace Jul 22, 2015 documentation: Typo in Jan 2, 2018
README.nss documentation: fix README.nss for the -w/-v confusion Apr 2, 2018
README.x509 README.x509: fix reference to README.nss May 29, 2017
TRADEMARK * Added TRADEMARK file placeholder Oct 27, 2012 Revert "added osx app and put the source code inside" May 3, 2009


The Libreswan Project

Libreswan is an IPsec implementation for Linux. It has support for most of the extensions (RFC + IETF drafts) related to IPsec, including IKEv2, X.509 Digital Certificates, NAT Traversal, and many others. Libreswan uses the native Linux IPsec stack (NETKEY/XFRM) per default. For more information about the alternative Libreswan kernel IPsec stack, see README.KLIPS.

Libreswan was forked from Openswan 2.6.38, which was forked from FreeS/WAN 2.04. See the CREDITS files for contributor acknowledgments.

It can be downloaded from:

A Git repository is available at:


The bulk of libreswan is licensed under the GNU General Public License version 2; see the LICENSE and CREDIT.* files. Some smaller parts have a different license.


A recent Linux distribution based on either kernel 2.4.x, 2.6.x or 3.x are the currently supported platforms. Libreswan has been ported to Win2k/BSD/OSX as well.

Most distributions have native packaged support for Libreswan. Libreswan is available for RHEL, Fedora, Ubuntu, Debian, Arch, OpenWrt and more.

Unless a source-based build is truly needed, it is often best to use the pre-built version of the distribution you are using.

There are a few packages required for Libreswan to compile from source:

For Debian/Ubuntu

apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev \
	libcap-ng-dev libcap-ng-utils libselinux-dev \
	libcurl3-nss-dev flex bison gcc make libldns-dev \
	libunbound-dev libnss3-tools libevent-dev xmlto \

(there is no fipscheck library for these, set USE_FIPSCHECK=false)
(unbound is build without event api, set USE_DNSSEC=false)

For Fedora/RHEL7/CentOS7

yum install audit-libs-devel bison curl-devel fipscheck-devel flex \
	gcc ldns-devel libcap-ng-devel libevent-devel \
	libseccomp-devel libselinux-devel make nspr-devel nss-devel \
	pam-devel pkgconfig systemd-devel unbound-devel xmlto

   (on rhel/centos unbound is too old, set USE_DNSSEC=false)

For RHEL6/CentOS6

yum install audit-libs-devel bison curl-devel fipscheck-devel flex \
	gcc libcap-ng-devel libevent2-devel libseccomp-devel \
	libselinux-devel make nspr-devel nss-devel pam-devel \
	pkgconfig systemd-devel xmlto

   (unbound is too old to build dnssec support, set USE_DNSSEC=false)

Runtime requirements (usually already present on the system)

nss, iproute2, iptables, sed, awk, bash, cut, procps-ng, which

(note: the Busybox version of "ip" does not support 'ip xfrm', so
       ensure you enable the iproute(2) package for busybox)

Python is used for "ipsec verify", which helps debugging problems
python-ipaddress is used for "ipsec show", which shows tunnels

Compiling the userland and IKE daemon

make programs
sudo make install

If you want to build without creating and installing manual pages, run:

make base
sudo make install-base

Note: The ipsec-tools package or setkey is not needed. Instead the iproute2 packakge (>= 2.6.8) is required. Run ipsec verify to determine if your system misses any of the requirements. This will also tell you if any of the kernel sysctl values needs changing.

Starting Libreswan

The install will detect the init system used (systemd, upstart, sysvinit, openrc) and should integrate with the linux distribution. The service name is called "ipsec". For example, on RHEL7, one would use:

systemctl enable ipsec.service
systemctl start ipsec.service

If unsure of the specific init system used on the system, the "ipsec" command can also be used to start or stop the ipsec service:

ipsec start
ipsec stop


Most of the libreswan configuration is stored in /etc/ipsec.conf and /etc/ipsec.secrets. Include files may be present in /etc/ipsec.d/ See the respective man pages for more information.

NSS initialisation

Libreswan uses NSS to store private keys and X.509 certificates. The NSS database should have been initialised by the package installer. If not, the NSS database can be initialised using:

ipsec initnss

PKCS#12 certificates (.p12 files) can be imported using:

ipsec import /path/to/your.p12

See README.NSS and certutil --help for more details on using NSS and migrating from the old Openswan /etc/ipsec.d/ directories to using NSS.


If you are upgrading from FreeS/WAN 1.x or Openswan 2.x to Libreswan 3.x, you might need to adjust your config files, although great care has been put into making the configuration files full backwards compatible. See also:

See 'man ipsec.conf' for the list of options to find any new features.

You can run make install on top of your old version - it will not overwrite your your /etc/ipsec.* configuration files. The default install target installs in /usr/local. Ensure you do not install libreswan twice, one from a distribution package in /usr and once manually in /usr/local.


Mailing lists: is home of all our the mailing lists

Wiki: is home to the Libreswan wiki.  it contains
documentation, interop guides and other useful information.


Libreswan developers and users can be found on IRC, on #swan


Bugs can be reported on the mailing list or using our bug tracking system, at

Security Information

All security issues found that require public disclosure will receive proper CVE tracking numbers (see and will be co-ordinated via the vendor-sec / oss-security lists. A complete list of known security vulnerabilities is available at:


Those interested in the development, patches, and beta releases of Libreswan can join the development mailing list "swan-dev" or talk to the development team on IRC in #swan on

For those who want to track things a bit more closely, the mailinglist will mail all the commit messages when they happen. This list is quite busy during active development periods.


The most up to date documentation consists of the man pages that come with the software. Further documentation can be found at and the wiki at