[Swan-dev] 'error: ‘CKM_AES_CTR’ undeclared' while compiling libreswan-3.15

Paul Wouters paul at nohats.ca
Tue Sep 22 19:55:18 EEST 2015

On Tue, 22 Sep 2015, prasad zambare wrote:

> Please find the below steps and let me know what I am missing or doing wrong. Please guide me on how can I use or deploy the
> compiled binaries of libreswan+nss.

> Commented lines from Makefile.inc starting with NSSFLAGS and NSSLIBS (as Makefile.inc.local was not present)

Makefile.inc.local will never be created by us. The idea is you can
always just copy your Makefile.inc.local into any libreswan-3.xx/
directory and everything in Makefile.inc.local overrides what is in

So yes, you can change Makefile.inc too.

> Appended below lines to Makefile.inc (as I did not find nss folder in /usr/local/include, but found it in
> /root/libreconfig/nss-3.16/dist/public/nss)
> NSSFLAGS=-I/root/libreconfig/nss-3.16/dist/public/nss -I/usr/local/include/nspr
> NSSLIBS=-L/usr/local/lib -lssl3 -lsmime3 -lnss3 -lnssutil3 -lplds4 -lplc4 -lnspr4 -lpthread -ldl

These should get auto-detected using pkg-config. If not, then your
install of nss or nspr was not complete. You should never need to
link against things in the nss-3.16 source tree!

> Also, set LD_LIBRARY_PATH to /root/libreconfig/nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/lib (to resolve undefined reference
> errors)

That seems wrong. Is /usr/local/lib in your /etc/ld.so.conf? You need to
install the nss library and headers using something like "make install".

> Then copied certutil to /usr/bin (to avoid error "/usr/local/sbin/ipsec: line 342: certutil: command not found" while starting
> ipsec service)

> cp ../nss-3.16/dist/Linux2.6_x86_glibc_PTH_DBG.OBJ/bin/certutil /usr/bin/

/usr/local/bin and /usr/local/sbin tend to not be in root's PATH on
modern Linux.

> After these steps when '/etc/ipsec start' ipsec got started but immediately after; the '/etc/ipsec status' showed it has stopped.

The ipsec command should not be in /etc ???
The ipsec command should be in your path, and then you can issue:
ipsec status
ipsec restart
etc etc.
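
The three checks raised in the reply above (pkg-config detection of nss/nspr, /usr/local/lib in /etc/ld.so.conf, /usr/local/bin and /usr/local/sbin in PATH) can be scripted before building. This is an added example, not part of the original message or of libreswan; the function names and the pkg-config module names `nss` and `nspr` are assumptions.

```shell
#!/bin/sh
# Preflight for building libreswan against a locally installed NSS/NSPR.
# Function names are hypothetical; module names nss/nspr are assumed.

# Succeeds if directory $1 is listed in ld.so.conf-style file $2,
# following "include" lines (one glob pattern per line assumed;
# relative patterns are taken relative to the including file).
ldconf_has_dir() {
    local dir="$1" conf="${2:-/etc/ld.so.conf}" first rest inc
    [ -r "$conf" ] || return 1
    while read -r first rest; do
        case $first in
            ''|'#'*) ;;                      # blank line or comment
            include)
                case $rest in /*) ;; *) rest=$(dirname "$conf")/$rest ;; esac
                for inc in $rest; do         # unquoted so the glob expands
                    ldconf_has_dir "$dir" "$inc" && return 0
                done ;;
            *) [ "${first%/}" = "${dir%/}" ] && return 0 ;;
        esac
    done < "$conf"
    return 1
}

# Succeeds if directory $1 is an element of the PATH-style string $2.
path_has_dir() {
    case ":${2-$PATH}:" in *":${1%/}:"*|*":${1%/}/:"*) return 0 ;; esac
    return 1
}

# Succeeds if pkg-config is installed and knows module $1.
pkgconfig_knows() {
    command -v pkg-config >/dev/null 2>&1 && pkg-config --exists "$1"
}

preflight() {
    local rc=0 m d
    for m in nss nspr; do
        if pkgconfig_knows "$m"; then echo "ok: $m: $(pkg-config --cflags --libs "$m")"
        else echo "MISSING: pkg-config cannot find $m (incomplete install?)"; rc=1; fi
    done
    ldconf_has_dir /usr/local/lib || { echo "MISSING: /usr/local/lib not in /etc/ld.so.conf"; rc=1; }
    for d in /usr/local/bin /usr/local/sbin; do
        path_has_dir "$d" || { echo "MISSING: $d not in PATH"; rc=1; }
    done
    [ -z "${LD_LIBRARY_PATH-}" ] || echo "note: LD_LIBRARY_PATH is set: $LD_LIBRARY_PATH"
    return $rc
}

preflight || echo "Fix the MISSING items before building."
```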

