Ubuntu

Please add NM option for connecting to L2TP IPSEC VPN

Reported by Thomas N on 2008-09-04
This bug affects 73 people
Affects | Status | Importance | Assigned to | Milestone
NetworkManager | Confirmed | Wishlist | |
network-manager (Debian) | Invalid | Undecided | Unassigned |
network-manager (Ubuntu) | | Wishlist | Unassigned |
Nominated for Karmic by SlonoInquisitor
Nominated for Lucid by nikkus

Bug Description

Binary package hint: network-manager

Missing feature:

You cannot connect to a (Microsoft) L2TP IPSEC VPN with Network Manager.

The server I want to connect to expects a login / password and a PSK.

When you do a connection in XP you can see the following details on a connection:

Device name: L2TP
Server type: PPP
Authentication: MS CHAP v2
IPSEC Encryption: IPSEC ESP 3DES
Compression: MPPC

Alexander Sack (asac) wrote :

How can you connect to such a VPN without network-manager under Linux? Please give me some insights. Thanks!

Changed in network-manager:
importance: Undecided → Wishlist
status: New → Incomplete
Thomas N (konstigt) wrote :

Hello

It can be done by using xl2tpd and openswan.

More information can be found on these two sites for example:

http://www.jacco2.dds.nl/networking/linux-l2tp.html

http://gentoo-wiki.com/HOWTO_StrongSwan_VPN_using_FreeRadius_/_Active_Directory

Changed in network-manager:
status: Incomplete → New
Alexander Sack (asac) wrote :

Please verify that this still doesn't work in intrepid. If the feature is still missing there, please open a bug in bugzilla.gnome.org against network-manager and give us the bug id so we can properly follow your bug.

Please search the gnome database for duplicates before filing your bug. Thanks!

Changed in network-manager:
status: New → Triaged
Thomas N (konstigt) wrote :

Bug is now added on Bugzilla. Have I linked it correctly?

Changed in network-manager:
status: Unknown → New

@ThomasNovin: Nearly correct. The bug watch belongs to the project, because it was reported in the GNOME bug tracker. If it was reported in the Debian bug tracker you would have done right ;)

Changed in network-manager:
importance: Unknown → Undecided
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager:
status: Unknown → Confirmed
Pedro Villavicencio (pedro) wrote :

Setting the Debian task as invalid; there's no point in opening upstream tasks if there's no bug to link to there.

Changed in network-manager:
status: New → Invalid

There is a package strongSwan in 9.10-alpha5, but a dependency 'strongswan-nm' is missing.

There is an implementation, which is created by the maintainers of xl2tp: https://gsoc.xelerance.com/projects/openswan-nm and ftp://ftp.openswan.org/NetworkManager-openswan/
Can we use this?

Whoopie (whoopie79) wrote :

I packaged the nm-openswan for karmic. I had to change some code to get it compiled. The patch is included in the diff.gz

I attach the current version if someone is interested. A deb file for karmic is also included.

Thanks whoopie for the package. I did the installation but I don't see any input box to enter my username/password (actually the advanced button doesn't seem to have any effect). Is anybody using this successfully? Thanks

Dirk Bundies (dirk-bundies) wrote :

Hi,

I've solved the thing for me.
I got help from Jacco de Leeuw's information (http://www.jacco2.dds.nl/networking/linux-l2tp.html) and made an installation script. I've tested it under 9.10 Karmic and it is working fine. Here you can download my script:

http://www.dialog-edv.de/public/db/ubuntu/vpn

After starting the script you simply must enter the VPN server's TCP/IP address, the preshared key, the VPN user and password. Then, if needed, Openswan and xl2tp are installed. Furthermore three desktop icons will be created, one for "Connect", one for "Disconnect" and one for "Kill VPN". Sometimes the last one must be hit before hitting "Connect". I could not do it better because it is my first work in Linux/bash programming.

Ok, good luck with it.

Dirk - from Germany

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
Kai Hendrik Behrends (kbehren) wrote :

Still nothing working in Karmic and Lucid Beta1

nikkus (nickkuz) wrote :

I confirm that the L2TP option via Network Manager is very important for users in Russia, where most Internet providers use pptp or L2TP tunneling, with no alternatives. Many providers migrate from pptp to L2TP.
NM+pptp is already present in the Lucid Beta installation media; it's great! One step forward is to add an L2TP connection plugin for NM.

Jasey (jason-rivers) wrote :

I'd be quite interested in seeing this, too. L2TP is not really anything to do with Windows VPN; they use it, but it's Layer 2 Networking which my ISP uses to route traffic on backup lines.

L2TP is quite important to the failover working, and our systems having reduced down-time. It would be really good to see this in Network Manager

Eran Gross (erang-gross) on 2010-06-12
Changed in network-manager (Ubuntu):
status: Confirmed → In Progress
Eran Gross (erang-gross) wrote :

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol, and uses the registered UDP port 1701.

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:
1. Negotiation of IPsec Security Association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP Protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
3. Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.

A potential point of confusion in L2TP/IPsec is the use of the terms "tunnel" and "secure channel." Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed.

In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel.

It will be a very important addition for day-to-day work in organizations that need access to internal networks for daily tasks, not just for sys admins.
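
As an added example (not part of the comment above or of any project in this thread): a Python check that a packet capture of an L2TP/IPsec session contains only IKE and ESP, and flags any L2TP seen in the clear on UDP 1701. It assumes the capture was taken on the path between the endpoints, uses constructed sample packets, and does not handle UDP-encapsulated ESP (NAT traversal).

```python
import struct

IKE_PORT, L2TP_PORT = 500, 1701   # UDP ports named in the comment above
PROTO_UDP, PROTO_ESP = 17, 50     # IP protocol numbers named above

def ipv4(proto, payload, src=b"\xc0\x00\x02\x0a", dst=b"\xc6\x33\x64\x01"):
    """Build a minimal IPv4 packet (constructed sample data, checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                       64, proto, 0, src, dst) + payload

def udp(sport, dport, data):
    """Build a UDP datagram (constructed sample data, checksum left 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def classify(packet):
    """Return 'ike', 'esp', 'cleartext-l2tp' or 'other' for a raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    body = packet[(packet[0] & 0x0F) * 4:]
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"              # any L2TP is hidden inside the ESP payload
    if proto != PROTO_UDP or len(body) < 8:
        return "other"
    sport, dport = struct.unpack("!HH", body[:4])
    if IKE_PORT in (sport, dport):
        return "ike"
    if L2TP_PORT in (sport, dport) and len(body) >= 10:
        flags_ver = struct.unpack("!H", body[8:10])[0]
        if (flags_ver & 0x000F) == 2:   # L2TPv2 version field (RFC 2661)
            return "cleartext-l2tp"
    return "other"

def audit(packets):
    """Indexes of packets that carry L2TP outside the IPsec secure channel."""
    return [i for i, p in enumerate(packets) if classify(p) == "cleartext-l2tp"]

# Constructed capture: an IKE packet, an ESP packet, then an unprotected L2TP
# control header (T, L, S bits set, version 2, length 12, IDs and sequence 0).
L2TP_CTRL = struct.pack("!HHHHHH", 0xC802, 12, 0, 0, 0, 0)
SAMPLE = [
    ipv4(PROTO_UDP, udp(500, 500, b"\x00" * 28)),
    ipv4(PROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\xaa" * 32),
    ipv4(PROTO_UDP, udp(1701, 1701, L2TP_CTRL)),
]

if __name__ == "__main__":
    for i, p in enumerate(SAMPLE):
        print(i, classify(p))
```

An empty result from `audit()` on a real capture is what a correctly protected L2TP/IPsec session should produce; any index returned points at L2TP that left the host without ESP around it.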

Alex (ubuntu-alex-caro) wrote :

Has this bug still not been dealt with?

Right, can somebody please test if this works properly using the network-manager-strongswan package in universe? I do not have an L2TP test VPN to check with :)

If that doesn't work, then we'll have to check how/if to include nm-openswan as in comment 8 in a future release or through a PPA.

Alex (ubuntu-alex-caro) wrote :

My L2TP/IPsec VPN connection requires me to enter a "shared secret" key. I don't see anywhere to enter that in the Openswan Network Manager plugin.

Changed in network-manager:
importance: Unknown → Wishlist
Despite (despite) wrote :

I can confirm the networkmanager-strongswan package does not work for L2TP/IPSec. It implements a pure IPSec VPN. IPSec VPNs are easy to set up in Linux, but difficult or impossible in Windows and OS X.

Despite (despite) wrote :

I can confirm that the networkmanager-strongswan package does not address this. I doubt the networkmanager-openswan package does either.

networkmanager-strongswan does not include the L2TP side. Pure IPSec can be used for VPN, in fact that is easiest in Linux, but Windows and OS X complicate things by requiring L2TP/IPSec.

Werner Jaeger (werner-jaeger) wrote :

I came across this bug accidentally, but it immediately got my attention because I uploaded a corresponding GUI application to my private package archive (PPA).

If I got things right it does exactly what is wanted here, namely managing L2TP over IPsec VPN connections. In case you want to give it a try, you'll find the packages at

https://launchpad.net/~werner-jaeger/+archive/ppa-werner-vpn/+packages

You'll need to install all three packages!

Unfortunately there is not yet any user documentation so, if you have questions feel free to contact me.

Another solution with GUI: http://code.google.com/p/vpnpptp/

Whoopie (whoopie79) wrote :

There's a new network-manager-l2tp available at https://github.com/atorkhov/NetworkManager-l2tp
But the IPSec part is missing until now. Let's see how this project evolves.

Whoopie, thanks for the reminder. I think this NM plugin should be packaged in Debian and Ubuntu regardless; I'll file the necessary bugs tomorrow unless someone is eager to work on this now ;)

FWIW, debian has ITP bugs for two packages that would do something similar, though not through NM. Those are *ITP* bugs (intent to package), which doesn't mean there is any form of package anywhere near a ready state though; but someone curious might want to inquire about those... with Werner, who seems to be the one who filed those bugs.

Werner, are you still working on the packages, and if so, do you need any help to make them available on Debian or Ubuntu?

Whoopie (whoopie79) wrote :

I have built a first package based on the network-manager-pptp package. It should be soon available in my testing PPA: https://launchpad.net/~whoopie79/+archive/testing

As I don't have a working L2TP connection right now, I couldn't test it.

But I have a question: What should be put under Vcs-Bzr in debian/control?

Mathieu, could you please have a look and review it?

Whoopie (whoopie79) wrote :

Sorry to spam this bug report, but I just found out that nm-openswan at https://gsoc.xelerance.com/projects/openswan-nm now has a 'testing' branch which supports L2TP and L2TP/IPSec according to the git log.

I'll try to build a package for it, too.

Werner Jaeger (werner-jaeger) wrote :

Mathieu, yes I'm still working on this package, it is available at https://launchpad.net/~werner-jaeger/+archive/ppa-werner-vpn/+packages (see also comment #20).

I also uploaded it to http://revu.ubuntuwire.com/ and I'm currently waiting for someone to review/advocate it.

Whoopie (whoopie79) wrote :

I have uploaded packages for network-manager-openswan and openswan (to enable external stats daemon support) for Maverick and Natty to my testing PPA.

Feedback is very welcome, as I couldn't test it thoroughly.

@Whoopie,

Are your network-manager-openswan packages in your PPA (comment #27) from the testing branch?

Whoopie (whoopie79) wrote :

Brian, yes, the network-manager-openswan package is based on the GIT testing branch.

Mohegan (jack-mohegan) wrote :

I just tested Whoopie's PPA with natty but it doesn't work.
I use the giganews vpn (http://www.giganews.com/vyprvpn/setup/windows-7/l2tp.html).
I have this message: "The VPN connection failed because there were no valid VPN secrets"

Any solution?

On Thu, 2011-02-10 at 21:41 +0000, Mohegan wrote:
> I just test the Whoopie's ppa with natty but it doesn't work.

Works for me, on Maverick.

> I use the giganews vpn (http://www.giganews.com/vyprvpn/setup/windows-7/l2tp.html).
> I have this message : "The VPN connection failed because there were no valid VPN secrets"

Not sure why that is. I do notice that that connection requires
certificates. My working installation is using a PSK. Maybe the
certificate functionality is not quite working.

I also get the no valid VPN secrets error. Any ideas (using whoopie's packages on natty)? This is with a VPN that only requires a PSK, no certs.

Werner: A review/upload from revu will almost never happen; Ubuntu doesn't have enough reviewers. A package for Debian Sid and an RFS mail to the debian-mentors list is usually the quickest way of getting a package into Ubuntu. Besides, it has the added benefit of the package making it to all Debian derivatives. Contact me if you'd like some help with the process. mentors.debian.net is a great place to start.

Werner Jaeger (werner-jaeger) wrote :

Andreas: thanks for your kind offer.

I already got the package uploaded to debian sid (http://packages.debian.org/sid/l2tp-ipsec-vpn) and wheezy (http://packages.debian.org/wheezy/l2tp-ipsec-vpn).

It is now also available in ubuntu precise (https://launchpad.net/ubuntu/precise/+source/l2tp-ipsec-vpn).

The homepage for the package is https://launchpad.net/l2tp-ipsec-vpn.

But why have yet another application taking up yet more system tray space to do what NM should be doing itself? IMHO, a completely different application for managing only l2tp-ipsec VPNs when we already have a VPN managing application is the completely wrong approach.

This ticket is about this functionality missing in NM, not about promoting yet another application to do what NM should be doing.

Sergey Prokhorov (seriy-pr) wrote :

Hi.
I am continuing to develop the plugin from https://github.com/atorkhov/NetworkManager-l2tp in my github fork https://github.com/seriyps/NetworkManager-l2tp . Also, I plan to further support this plugin.

You can test it through installing from my PPA
https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp

I tested it with the Russian ISP beeline.ru and it works well. Beeline doesn't use IPSec, so I didn't test the IPSec capabilities, but the author of the IPSec part of the plugin says that it can connect to the Sonicwall VPN provider.

So, any comments, feature-requests and bugreports are welcome!

Sergey Prokhorov (seriy-pr) wrote :

Oh, forgot to say: there is a screenshot (ru locale) http://dl.seriyps.ru/img/network-manager-l2tp.png

Pavel Nogaev (unpropable) wrote :

Hello!
I took the NM-plugin for L2tp VPN from PPA https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp.
It works fine.
I think it should be included in the standard ubuntu repository.

Xiaojun Ma (damage3025) wrote :

@Sergey Prokhorov
Your plugin works very well in GNOME Shell.
But it is problematic in Unity, unfortunately...

My test environment is CUHK VPN:
http://www.cuhk.edu.hk/itsc/network/vpn/vpn.html

Thomas Hood (jdthood) on 2012-07-17
Changed in network-manager (Ubuntu):
status: In Progress → Confirmed
Xiaojun Ma (damage3025) wrote :

I wonder why the importance is "Wishlist" !?

L2TP has been a built-in capability of Android, Mac OS X and Windows for years.
Ubuntu and the Linux desktop are just missing graphical L2TP support so far.

Why is a missing feature that could leave some people unable to connect to the Internet regarded as a "Wishlist"?

Thomas Hood (jdthood) on 2012-07-17
summary: - NM 0.7 No option for connecting to L2TP IPSEC VPN
+ Please add NM option for connecting to L2TP IPSEC VPN