Libreswan on Debian Wheezy

From Libreswan
Revision as of 15:56, 21 August 2017 by Antony (talk | contribs)
Jump to navigation Jump to search

You need 3 workarounds to compile on Debian Wheezy. The workaround #1 is very specific to Wheezy (libc < 2.19 and kernel < 3.12). Later distributions fixed issues #1 and #2. #3 is because libunbound is too old.

There workarounds

echo "USE_DNSSEC=false" >>
echo "USE_SYSTEMD_WATCHDOG=false" >>

programs/pluto/kernel_netlink.c swap these two lines. xfrm.h first

52 #include "linux/xfrm.h" /* local (if configured) or system copy */
51 #include "libreswan.h" /* before xfrm.h otherwise break on F22 */

Compiling libreswan 3.21 on Debian Wheezy

conflict between netinet/in.h and linux/in6.h

It got worse by commit 07a01d3 to in libreswan. The issue has a long history. It is partly due to UAPI ABI out of sync and partly due to updating local copy of xfrm.h with commit 07a01d3 while supporting nic-offload for mellonex cards. We could have worked around 07a01d3, however, it was easy to keep xfrm.h in sync with kernel UAPI copy 4.12 which seemed to work in most cases(glibc 2.19+ kernel 3.12+); except Wheezy!

                -c /home/build/libreswan/programs/pluto/kernel_netlink.c
/bin/bash: warning: setlocale: LC_ALL: cannot change locale (en_US.UTF-8)
In file included from
/usr/include/linux/in6.h:30:8: error: redefinition of 'struct in6_addr'
In file included from /home/build/libreswan/linux/include/libreswan.h:212:0,
/usr/include/netinet/in.h:198:8: note: originally defined here

dpkg -S linux/in6.h
linux-libc-dev:amd64: /usr/include/linux/in.h

dpkg -S netinet/in.h
libc6-dev:amd64: /usr/include/netinet/in.h

Package: libc6-dev
Source: eglibc
Version: 2.13-38+deb7u10

The local copy
programs/pluto/linux-copy/linux/xfrm.h is updated linux kernel 4.12

Workaround : remove the following line from


#include <linux/in6.h>

Details about the conflict

glibc 2.19+ If you have glibc 2.19+ you may have flip the two lines in programs/pluto/kernel_netlink.c

52 #include "linux/xfrm.h" /* local (if configured) or system copy */
51 #include "libreswan.h" /* before xfrm.h otherwise break on F22 */
Why not commit this

Well if we commit this F22 will break. Which is the ancient test VMs upstream developers use. So do not commit this change.

How does this work on RHEL/CentOS 7.3 or even 6.8

Most likely they have backports to fix this. 7.3 has kernel 3.10 and glibc 2.17

With kernel 3.12 and libc-dev 2.19+ =

Kernel made more efforts fix this issue

NOTE: Fedora 22 keep the order in kernel_netlink.c

Can't link with libsystemd

This error is with. This is not new in 3.21, an old one.

/usr/bin/ld: cannot find -lsystemd 
collect2: error: ld returned 1 exit status
 Package: libsystemd-daemon-dev
 Source: systemd
 Version: 44-11+deb7u5

Workaround: USE_SYSTEMD_WATCHDOG=false

in libreswan src directory

echo "USE_SYSTEMD_WATCHDOG=false" >>

FYI: debian stretch seems to have proper libsystemd-dev

Wheezy libunbound2 (1.4.17) do not support libevent

(NOTE: this is not re-compiling issue, you need > 1.5x)

/home/build/libreswan/lib/libswan/unbound.c:187: undefined reference to
collect2: error: ld returned 1 exit status

apt-cache show libunbound2
Package: libunbound2
Source: unbound
Version: 1.4.17-3+deb7u2

Workaround : USE_DNSSEC=false

echo "USE_DNSSEC=false" >>

If you have libunbound version less than 1.5.0 disable is the only way. libunbound2 1.5.0 above should be compiled with --with-libevent --enable-event-api

NOTE: to compile libunbound2 + libevent on Wheezy your best bet is upstream. unbound-1.6.0 from jessie-backports has unmet dependencies on Wheeezy. Strech package is not dowards compaitable.