August 24th, 2015: CVE-2015-3240: Receiving a bad DH g^x causes IKE daemon restart

Libreswan versions up to 3.14 are vulnerable: an unauthenticated packet carrying a malicious DH g^x payload causes the daemon to hit a passert() and restart. See our CVE-2015-3240 page for details. No remote code execution is possible. Please upgrade libreswan to version 3.15 or later.

Libreswan VPN software

Libreswan is a free software implementation of the most widely supported and standardized VPN protocol, based on Internet Protocol Security ("IPsec") and the Internet Key Exchange ("IKE"). These standards are produced and maintained by the Internet Engineering Task Force ("IETF").

Libreswan has been under active development for over 15 years, going back to The FreeS/WAN Project founded in 1997 by John Gilmore and Hugh Daniel. For more information, see the project's History. Libreswan supports IKE versions 1 and 2. It runs on Linux 2.4 to 3.x, FreeBSD and Apple OSX. On Linux, it can use the built-in IPsec stack ("XFRM/NETKEY") or its own IPsec stack ("KLIPS"). It uses the NSS crypto library. See the Supported Features.


Libreswan is licensed under the GNU Public License ("GPLv2"). See the License. It ships as part of many Linux distributions, including Fedora, RHEL/EPEL and Arch Linux, and can be installed on those systems using the native software management tools. The source code is available as a tarball and via our git repository. Older versions, patches and pre-compiled versions are available on our download site.