diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml
index 67cdfc8..5751a64 100644
--- a/.github/workflows/main.yml
+++ b/.github/workflows/main.yml
@@ -103,13 +103,13 @@ jobs:
 iptables -nL -t nat | grep -q '192\.168\.43\.0/24'
 if [ "$1" = "centos" ]; then
 grep pluto /var/log/secure
- grep pluto /var/log/secure | grep -q 'added connection description "l2tp-psk"'
- grep pluto /var/log/secure | grep -q 'added connection description "xauth-psk"'
+ grep pluto /var/log/secure | grep -q 'added IKEv1 connection "l2tp-psk"'
+ grep pluto /var/log/secure | grep -q 'added IKEv1 connection "xauth-psk"'
 grep xl2tpd /var/log/messages
 else
 grep pluto /var/log/auth.log
- grep pluto /var/log/auth.log | grep -q 'added connection description "l2tp-psk"'
- grep pluto /var/log/auth.log | grep -q 'added connection description "xauth-psk"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "l2tp-psk"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv1 connection "xauth-psk"'
 grep xl2tpd /var/log/syslog
 fi
 cat /var/log/fail2ban.log
@@ -147,11 +147,11 @@ jobs:
 systemctl restart ipsec
 sleep 10
 grep pluto /var/log/secure | tail -n 20
- grep pluto /var/log/secure | grep -q 'added connection description "ikev2-cp"'
+ grep pluto /var/log/secure | grep -q 'added IKEv2 connection "ikev2-cp"'
 else
 sleep 10
 grep pluto /var/log/auth.log | tail -n 20
- grep pluto /var/log/auth.log | grep -q 'added connection description "ikev2-cp"'
+ grep pluto /var/log/auth.log | grep -q 'added IKEv2 connection "ikev2-cp"'
 fi
 bash ikev2.sh <&2 <> /etc/ipsec.d/ikev2.conf < Makefile.inc.local <<'EOF'
-WERROR_CFLAGS = -w
-USE_DNSSEC = false
-USE_DH2 = true
-USE_DH31 = false
-USE_NSS_AVA_COPY = true
-USE_NSS_IPSEC_PROFILE = false
-USE_GLIBC_KERN_FLIP_HEADERS = true
+WERROR_CFLAGS=-w
+USE_DNSSEC=false
+USE_DH2=true
+USE_DH31=false
+USE_NSS_AVA_COPY=true
+USE_NSS_IPSEC_PROFILE=false
+USE_GLIBC_KERN_FLIP_HEADERS=true
+USE_NSS_KDF=false
+FINALNSSDIR=/etc/ipsec.d
 EOF
 if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
- echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
+ echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
 fi
 if [ "$(packaging/utils/lswan_detect.sh init)" = "systemd" ]; then
 apt-get -yq install libsystemd-dev || exiterr2
@@ -276,7 +278,7 @@ conn xauth-psk
 rightmodecfgclient=yes
 modecfgpull=yes
 xauthby=file
- ike-frag=yes
+ fragmentation=yes
 cisco-unity=yes
 also=shared
diff --git a/vpnsetup_centos.sh b/vpnsetup_centos.sh
index 6d016b6..6bf420b 100755
--- a/vpnsetup_centos.sh
+++ b/vpnsetup_centos.sh
@@ -185,7 +185,7 @@ yum "$REPO1" -y install fail2ban || exiterr2
 bigecho "Compiling and installing Libreswan..."
-SWAN_VER=3.32
+SWAN_VER=4.1
 swan_file="libreswan-$SWAN_VER.tar.gz"
 swan_url1="https://github.com/libreswan/libreswan/archive/v$SWAN_VER.tar.gz"
 swan_url2="https://download.libreswan.org/$swan_file"
@@ -196,16 +196,18 @@ fi
 tar xzf "$swan_file" && /bin/rm -f "$swan_file"
 cd "libreswan-$SWAN_VER" || exit 1
 cat > Makefile.inc.local <<'EOF'
-WERROR_CFLAGS = -w
-USE_DNSSEC = false
-USE_DH2 = true
-USE_DH31 = false
-USE_NSS_AVA_COPY = true
-USE_NSS_IPSEC_PROFILE = false
-USE_GLIBC_KERN_FLIP_HEADERS = true
+WERROR_CFLAGS=-w
+USE_DNSSEC=false
+USE_DH2=true
+USE_DH31=false
+USE_NSS_AVA_COPY=true
+USE_NSS_IPSEC_PROFILE=false
+USE_GLIBC_KERN_FLIP_HEADERS=true
+USE_NSS_KDF=false
+FINALNSSDIR=/etc/ipsec.d
 EOF
 if ! grep -qs IFLA_XFRM_LINK /usr/include/linux/if_link.h; then
- echo "USE_XFRM_INTERFACE_IFLA_HEADER = true" >> Makefile.inc.local
+ echo "USE_XFRM_INTERFACE_IFLA_HEADER=true" >> Makefile.inc.local
 fi
 NPROCS=$(grep -c ^processor /proc/cpuinfo)
 [ -z "$NPROCS" ] && NPROCS=1
@@ -276,7 +278,7 @@ conn xauth-psk
 rightmodecfgclient=yes
 modecfgpull=yes
 xauthby=file
- ike-frag=yes
+ fragmentation=yes
 cisco-unity=yes
 also=shared
@@ -487,9 +489,9 @@ fi
 bigecho "Starting services..."
-restorecon /etc/ipsec.d/*db >/dev/null
-restorecon /usr/local/sbin -Rv >/dev/null
-restorecon /usr/local/libexec/ipsec -Rv >/dev/null
+restorecon /etc/ipsec.d/*db 2>/dev/null
+restorecon /usr/local/sbin -Rv 2>/dev/null
+restorecon /usr/local/libexec/ipsec -Rv 2>/dev/null
 sysctl -e -q -p
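Review bot: The rewritten Makefile.inc.local heredoc carries `USE_DH2=true` over to the Libreswan 4.1 build and adds `USE_NSS_KDF=false` and `FINALNSSDIR=/etc/ipsec.d` without recording why; the identical heredoc is written in vpnsetup.sh in this commit, so the same note applies there. `USE_DH2=true` compiles in MODP1024 (IKE DH group 2), which upstream leaves out of its default build as too weak, so the compatibility reason belongs in a shell comment above `cat > Makefile.inc.local <<'EOF'`, e.g. `# USE_DH2: keep MODP1024 so legacy IKEv1/L2TP clients can connect; weak group, compatibility only`. `USE_NSS_KDF=false` presumably works around an NSS on the target distro that is too old for Libreswan's in-NSS KDF path; if so, name the NSS version it depends on next to it so the flag can be dropped when the baseline moves. `FINALNSSDIR=/etc/ipsec.d` also has to agree with the `/etc/ipsec.d/*db` path the later `restorecon` call relabels, which a one-line comment beside it should say.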
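Review bot: Redirecting stderr to /dev/null on the three `restorecon` lines hides every relabel failure (tool missing, unreadable path, an unmatched `/etc/ipsec.d/*db` glob passed through literally), so a host whose Libreswan binaries end up with the wrong SELinux label now proceeds to start services with no diagnostic at all. Before the change only stdout was discarded, and since `-Rv` writes its per-file verbose output to stdout, that output is now printed while the errors are the part that disappears. If a specific benign warning from restorecon under 4.1 prompted this, keep stdout suppressed, let stderr through, and name that warning in a comment, e.g. `restorecon /usr/local/libexec/ipsec -Rv >/dev/null  # stderr kept so relabel failures surface`.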