L2TP client support for PSK removed from 15.04/15.10

Bug #1457078 reported by Kevin Pattison
This bug affects 32 people
Affects Status Importance Assigned to Milestone
network-manager-strongswan (Ubuntu)

Bug Description

Since OpenSwan has been completely removed from 15.04 and StrongSwan-network-manager shipped (1.3.0-2) doesn't support pre-shared keys (support added in 1.3.1) many users will not be able to connect to business VPNs after the upgrade to 15.04.

This is a critical requirement for many users.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-strongswan (Ubuntu):
status: New → Confirmed
Revision history for this message
Mario Harvey (marioharvey) wrote :

I must second this is super critical for users.

I tried to build 1.3.1 network manager from source and got the following error:

main.c: In function ‘lookup_password’:
main.c:43:2: error: ‘gnome_keyring_find_network_password_sync’ is deprecated (declared at /usr/include/gnome-keyring-1/gnome-keyring.h:551): Use 'SECRET_SCHEMA_COMPAT_NETWORK' instead [-Werror=deprecated-declarations]
  if (gnome_keyring_find_network_password_sync(g_get_user_name(), NULL, name,
main.c:59:2: error: ‘gnome_keyring_network_password_list_free’ is deprecated (declared at /usr/include/gnome-keyring-1/gnome-keyring.h:537) [-Werror=deprecated-declarations]
main.c: In function ‘main’:
main.c:222:6: error: ‘gnome_keyring_set_network_password_sync’ is deprecated (declared at /usr/include/gnome-keyring-1/gnome-keyring.h:573): Use 'SECRET_SCHEMA_COMPAT_NETWORK' instead [-Werror=deprecated-declarations]
      if (gnome_keyring_set_network_password_sync(keyring,
cc1: all warnings being treated as errors
Makefile:393: recipe for target 'nm_strongswan_auth_dialog-main.o' failed
make[2]: *** [nm_strongswan_auth_dialog-main.o] Error 1
make[2]: Leaving directory '/media/mario/Windows/Users/Mario/Shared/Downloads/NetworkManager-strongswan-1.3.1/auth-dialog'
Makefile:445: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/media/mario/Windows/Users/Mario/Shared/Downloads/NetworkManager-strongswan-1.3.1'
Makefile:334: recipe for target 'all' failed
make: *** [all] Error 2

Revision history for this message
Mario Harvey (marioharvey) wrote :

There is a workaround to get l2tp-ipsec on 15.04 but its not very elegant.

I uninstalled strongswan and installed an old openswan trusty .deb package.

I then found .deb files of the old l2tp-ipsec-vpn and l2tp-ipsec-vpn-daemon from trusty by Werner Jaeger.

I installed those and was able to connect. However, this took quite a bit of time to get working properly and required installing deprecated packages.

Slavik (pzv-lviv)
information type: Public → Public Security
information type: Public Security → Private Security
information type: Private Security → Public Security
Slavik (pzv-lviv)
information type: Public Security → Public
Revision history for this message
Trent Petersen (trentpetersen-523) wrote :

I would like to add that this is a major issue for as I am not able to use and Ubuntu based distro on my company laptop newer than 1404 now.

I have tried several workarounds and nothing has been successful.

Revision history for this message
Mozzy Mozbourne (kmhusseini) wrote :

Same here, it cost me 2 days of work not being able to setup a VPN client after upgrade. I will have to downgrade now to 14.04

Revision history for this message
Martins Jakubovics (martins-k) wrote :

I faced too this issue. I would agree that this is critical.

Revision history for this message
Jakke Kuukkanen (cukkimo) wrote :

Same here. It is a Critical issue.

Revision history for this message
Matthew Kleinsmith (matthew.kleinsmith) wrote :

I'm also facing this issue. I also find it critical.

Revision history for this message
Jose Moreno (jmoreno-8) wrote :


I have the same problem, this issue is critical

Revision history for this message
ZuLu (nenominal) wrote :

The issue is still present in 15.10 as well.

summary: - L2TP client support for PSK removed from 15.04
+ L2TP client support for PSK removed from 15.04/15.10
Revision history for this message
Anthony Kamau (ak-launchpad) wrote :

This begs 2 questions from my end:

1. How does the removal of such a critical VPN component get past QA?
2. How is it that the very vulnerable PPTP VPN is still readily available while a more secure option gets tossed to the gutter?

Can anyone at Canonical please answer these questions?

Revision history for this message
Kevin Pattison (kevpatts) wrote :

I've also tried this in 15.10. It offers the PSK option now but still only for IPSec as far as I can see. There doesn't seem to be any way of setting up an L2TP connection. Can others confirm this?

Is there any way to escalate this to Canonical without signing up for Enterprise support?

Revision history for this message
Tobias Brunner (tobias-strongswan) wrote :

strongSwan's NM plugin only supports IKEv2. IKEv1 and in particular L2TP are not supported by that GUI (they could be configured via config files though).

Revision history for this message
Kevin Pattison (kevpatts) wrote :

Thanks Tobias, unfortunately I've tried this multiple times using multiple different guides on different versions of Ubuntu and have never got this solution to work. I can never get a response to the INFORMATIONAL_V1 request packet and the server complains that it's receiving an unencrypted packet on an encrypted port.

I'm not trying to turn this into a support ticket though, the reason I mention this is to point out that even for experienced users it's VERY difficult to configure via the files, and is not user friendly. For this reason the feature has been effectively removed for 95% of Ubuntu users.

Revision history for this message
Kevin Pattison (kevpatts) wrote :

n.b. over email Tobias, the developer of StrongSwan said to me:

"We have absolutely no intentions of ever adding support for L2TP (or IKEv1 for that matter) to our NM plugin. So I doubt there will be any traction on this issue (unless Canonical tracks back and readds the removed Openswan/Libreswan stuff).

You should perhaps consider using a more modern VPN protocol, for instance, IKEv2. <redacted> appliances (at least some of them) support that too."

However it is not possible to create "on demand"/random source IPSec VPNs using IKEv2 on the appliances that I'm using, so I'm back tot he beginning again.

Simon Déziel (sdeziel)
description: updated
Revision history for this message
Paweł Szubert (9-pqwel-0) wrote :

Finally got it to work after hours of fiddling.
l2tp connection with psk and xauth, configured via conffiles.
Ubuntu 15.10, strongswan 5.1.2-0ubuntu6.2
Had to remove package xl2tpd (1.3.6+dfsg-3) - crashed with segfault every time while trying to connect.
Manually installed openl2tp_1.8-1_amd64.deb from:
Work much better than my last attempt on 14.04 (openswan+pluto+openl2tp)

I have to start the connection manually (will write a short script for it, but for now it's OK)
Will post my conffiles if someone will be interested in ;-)

But it will be great to have a network-manager plugin to manage such a connection.



Revision history for this message
Kevin Pattison (kevpatts) wrote :

Very interested! Please share!

Revision history for this message
Paweł Szubert (9-pqwel-0) wrote :
Revision history for this message
Adrian Wilkins (adrian-wilkins) wrote :

This has frustrated me for a month or so... I can get onto my work VPN via the ShrewSoft client (ike and ike-qtgui) but it's not integrated with NetworkManager (and overwrites /etc/resolv.conf, interfering with it).

You have to resort to manual configuration of the dnsmasq instance created by NetworkManager in order to get it to play nice with managed connections - turn off the DNS settings in the ShrewSoft client and add them manually to dnsmasq to stop it overwriting /etc/resolv.conf

The manual config above may also work, but likewise, won't play nice with other NetworkManager connections.

The NM plugin for StrongSwan has been updated to support PSK but I don't know if this means it supports IKEv1... it imposes a 20 character minimum, and of course, my network admin has configured a PSK shorter than this, so I can't test it.

I agree with the sentiments expressed above that removing support for an exceedingly common (if not best-practice) VPN configuration does not create the best impression of Ubuntu. RedHat has retained support via the NetworkManager-libreswan plugin as described in the page below.


Sadly, Debian still has libreswan in the "experimental" section.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.