Regression Preventing VPN to Meraki MX
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
network-manager-l2tp (Ubuntu) | New | Undecided | Unassigned | |
Bug Description
On freshly installed and fully updated Ubuntu 24.04.2 there is a regression that prevents VPN connections to Meraki MX firewalls using the following configuration (which worked perfectly in Ubuntu 22.04 and prior releases):
https:/
The pertinent error from the logs is:
level=debug tunnel_name=t1 function=transport message=recv message_
level=error tunnel_name=t1 message="bad control message" message_
The connection process shows:
1. The IPsec tunnel establishes successfully
2. The L2TP tunnel starts to establish
3. Then there's a failure when receiving a "Set Link Info" (SLI) message from the Meraki server
4. The local L2TP client doesn't understand this message type and disconnects.
Important Behavior Pattern:
- Fresh Ubuntu 24.04.2 installations: VPN connections FAIL
- Fresh Debian 12 installations: VPN connections WORK
- Ubuntu 22.04 upgraded to 24.04.2: ONLY pre-existing VPN profiles continue to work
* Cannot create new profiles on upgraded systems
* Cannot recreate deleted profiles on upgraded systems
This pattern creates a severe limitation requiring a cumbersome workaround:
1. Install Ubuntu 22.04
2. Create VPN profile
3. Upgrade to 24.04.2
4. Never delete the profile
Since fresh Debian 12 installations work correctly, this regression appears specific to Ubuntu 24.04.2's implementation of the L2TP protocol.
This appears to be a compatibility issue between the L2TP implementation in fresh Ubuntu 24.04.2 and the Meraki MX firewall. The following factors may be involved:
- The L2TP protocol implementation may have changed in Ubuntu 24.04.2
- There might be a version mismatch between packages in fresh vs. upgraded installations
- Some configuration file or setting that handles these message types properly might be preserved during upgrades but not set correctly in fresh installations
Workaround:
sudo add-apt-repository ppa:nm-
After adding the repository above and replacing the packages from Ubuntu 24.04.2 with the ones from this repository (and restarting NetworkManager), the previously failing VPN profile immediately begins to work as expected.
This work-around was provided by Douglas Kosovic during this bug report:
https:/
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: network-
ProcVersionSign
Uname: Linux 6.11.0-21-generic x86_64
ApportVersion: 2.28.1-0ubuntu3.5
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: ubuntu:GNOME
Date: Sat Apr 12 22:39:02 2025
InstallationDate: Installed on 2025-04-13 (0 days ago)
InstallationMedia: Ubuntu 24.04.2 LTS "Noble Numbat" - Release amd64 (20250215)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-
XDG_RUNTIME_
SourcePackage: network-
UpgradeStatus: No upgrade log present (probably fresh install)
information type: Public → Private
description: updated
description: updated
information type: Private → Public
description: updated
description: updated
I'd like to note that this bug is directly related to Bug #2068687 (https://bugs.launchpad.net/ubuntu/+source/golang-github-katalix-go-l2tp/+bug/2068687), which identified the same error with "message_type=avpMsgTypeSli" when connecting to L2TP VPNs in Ubuntu 24.04.
In that bug report, Douglas Kosovic identified the root cause as a missing implementation of the avpMsgTypeSli message type in the go-l2tp package (version used in Ubuntu 24.04). This was fixed in go-l2tp 0.1.8 with this commit: https://github.com/katalix/go-l2tp/commit/5720acff49c0deda96b132c21c7431ae5300a56a
Two solutions have been confirmed to work:
1. Install xl2tpd and remove go-l2tp: `sudo apt install xl2tpd && sudo apt purge go-l2tp`
2. Use the PPA as described in my original report, which includes the fixed go-l2tp package
Since this appears to be a known issue with an identified fix, it would be extremely helpful if the fixed packages could be included in the Ubuntu repositories to ensure all Ubuntu 24.04 users can connect to L2TP VPNs without needing to use workarounds.
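The SLI message named in the report and in the comment above, shown at wire level as an added Go example (not code from go-l2tp or from the reporter): it parses an L2TPv2 control header and the Message Type AVP that follows it, using the RFC 2661 layout. The packet bytes, the function names `MessageType` and `Classify`, and the `noSLI` set of implemented types are constructed for illustration.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// L2TPv2 control message types (RFC 2661). SLI, Set-Link-Info, is 16.
var msgTypeNames = map[uint16]string{1: "SCCRQ", 2: "SCCRP", 3: "SCCCN",
	4: "StopCCN", 6: "HELLO", 7: "OCRQ", 8: "OCRP", 9: "OCCN", 10: "ICRQ",
	11: "ICRP", 12: "ICCN", 14: "CDN", 15: "WEN", 16: "SLI"}

// Constructed sample: an SLI control message (Message Type AVP + ACCM AVP).
var sampleSLI = []byte{
	0xC8, 0x02, 0x00, 0x24, 0x00, 0x01, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, // header
	0x80, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, // Message Type AVP, value 16
	0x80, 0x10, 0x00, 0x00, 0x00, 0x23, 0x00, 0x00, // ACCM AVP (attribute 35)
	0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, // send ACCM, receive ACCM
}

// MessageType validates the L2TPv2 control header and returns the value of
// the Message Type AVP, which must be the first AVP after the header.
func MessageType(pkt []byte) (uint16, error) {
	if len(pkt) < 20 { // 12-byte header + 8-byte Message Type AVP
		return 0, errors.New("no Message Type AVP (ZLB ack or truncated)")
	}
	flags := binary.BigEndian.Uint16(pkt[0:2]) // T, L, S set, O clear, version 2
	if flags&0xCA0F != 0xC802 || int(binary.BigEndian.Uint16(pkt[2:4])) != len(pkt) {
		return 0, errors.New("not a well-formed L2TPv2 control message")
	}
	avp := pkt[12:] // header: flags, length, tunnel ID, session ID, Ns, Nr
	if binary.BigEndian.Uint16(avp[0:2])&0x03FF != 8 || binary.BigEndian.Uint32(avp[2:6]) != 0 {
		return 0, errors.New("first AVP is not an IETF Message Type AVP")
	}
	return binary.BigEndian.Uint16(avp[6:8]), nil
}

// Classify names the message ("" if the type is not in msgTypeNames) and reports
// whether a receiver implementing only the types in supported would recognise it.
func Classify(pkt []byte, supported map[uint16]bool) (string, bool, error) {
	t, err := MessageType(pkt)
	return msgTypeNames[t], err == nil && supported[t], err
}

func main() {
	noSLI := map[uint16]bool{1: true, 2: true, 3: true, 4: true, 6: true, 12: true, 14: true} // hypothetical receiver
	fmt.Println(Classify(sampleSLI, noSLI)) // SLI false <nil>
}
```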