Please add NM option for connecting to L2TP IPSEC VPN

Bug #264691 reported by Thomas N on 2008-09-04
This bug affects 88 people
Affects Status Importance Assigned to Milestone
network-manager (Debian)
network-manager (Ubuntu)
Nominated for Karmic by SlonoInquisitor
Nominated for Lucid by nikkus

Bug Description

Binary package hint: network-manager

Missing feature:

You cannot connect to a (Microsoft) L2TP IPSEC VPN with Network Manager.

The server I want to connect to expects a login / password and a PSK.

When you do a connection in XP you can see the following details on a connection:

Device name: L2TP
Server type: PPP
Authentication: MS CHAP v2
Compression: MPPC

Alexander Sack (asac) wrote :

how can you connect to such a VPN without network-manager under linux? Please give me some insights. Thanks!

Changed in network-manager:
importance: Undecided → Wishlist
status: New → Incomplete


It can be done by using xl2tpd and openswan.

More information can be found on these two sites for example:

Changed in network-manager:
status: Incomplete → New
Alexander Sack (asac) wrote :

please verify that this still doesnt work in intrepid. If the featuer is still missing there, please open a bug in against network-manager and give us the bug id so we can properly follow your bug.

Please search the gnome database for duplicates before filing your bug. Thanks!

Changed in network-manager:
status: New → Triaged

Bug is now added on Bugzilla. Have I linked it correctly?

Changed in network-manager:
status: Unknown → New

@ThomasNovin: Nearly correct. The bug watch belongs to the project, because it was reported in the grnome bug tracker. If it was reported in the debian bug tracker you would have done right ;)

Changed in network-manager:
importance: Unknown → Undecided
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager:
status: Unknown → Confirmed
Pedro Villavicencio (pedro) wrote :

setting the debian task as invalid, there's no point on open upstream tasks if there's no bug to link to there.

Changed in network-manager:
status: New → Invalid

There is a package strongSwap in 9.10-alpha5, but a dependency 'strongswan-nm' is missing.

There is an implementation, which is created by the maintainers of xl2tp: and
Can we use this?

Peter Meiser (meiser79) wrote :

I packaged the nm-openswan for karmic. I had to change some code to get it compiled. The patch is included in the diff.gz

I attach the current version if someone is interesting. A deb file for karmic is also included.

Thanks whoopie for the package. I did the installation but I don't see any input box to enter my username/password (actually the advanced button doesn't seem to have any effect). Anybody is using this successfully? Thanks

Dirk Bundies (dirk-bundies) wrote :


I've solved the thing for me.
I got help by Jacco de Leeuw's informations ( and made an installation script. I've tested it under 9.10 Karmic and it is working fine. Here you can download my script:

After starting the script You simply must enter the VPN server's TCPIP address, the Preshared Key, the VPN user and password. Then, if needed, Openswan and xl2tp are installed. Furthermore three Desktop Icons will be created, one for "Connect", one for "Disconnect" and one for "Kill VPN". Sometimes the last von must be hit before hitting "Connect". I could not do it better because it is my first work in Linux/bash programming.

Ok, good luck with it.

Dirk - from Germany

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
Kai Hendrik Behrends (kbehren) wrote :

Still nothing working in Karmic and Lucid Beta1

nikkus (nickkuz) wrote :

I confirm that L2TP option via Network Manager is very important for users in
Russia, where most of Internet providers use pptp or L2TP tunneling, with no
alternatives. Many providers migrate from pptp to L2TP.
NM+pptp is already present in Lycid Beta installation media-- its great! One step
forward is to add L2TP connection plugin for NM.

Jasey (jason-rivers) wrote :

I'd be quite interested in seeing this, too. L2TP is not really anything to do with Windows VPN, they use it. but it's Layer 2 Networking which my ISP uses to route traffic on backup lines.

L2TP is quite important to the failover working, and our systems having reduced down-time. It would be really good to see this in Network Manager

Eran Gross (erang-gross) on 2010-06-12
Changed in network-manager (Ubuntu):
status: Confirmed → In Progress
Eran Gross (erang-gross) wrote :

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol, and uses the registered UDP port 1701.

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:
Negotiation of IPsec Security Association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP Protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.

A potential point of confusion in L2TP/IPsec is the use of the terms "tunnel" and "secure channel." Tunnel refers to a channel which allows untouched packets of one network to be transported over another network.

 In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed.

In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel.

 It will be very important addition for day to day work in organization that need access to internal networks for daily task, not just sys admins

Alex (ubuntu-alex-caro) wrote :

Has this bug still not been dealt with?

Right, can somebody please test if this works properly using the network-manager-strongswan package in universe? I do not have a L2TP test VPN to check with :)

If that doesn't work, then we'll have to check how/if to include nm-openswan as in comment 8 in a future release or through a PPA.

Alex (ubuntu-alex-caro) wrote :

My L2TP/IPsec VPN connection requires me to enter a "shared secret" key. I don't see anywhere to enter that in the Openswan Network Manager plugin.

Changed in network-manager:
importance: Unknown → Wishlist
Despite (despite) wrote :

I can confirm the networkmanager-strongswan package does not work for L2TP/IPSec. It implements a pure IPSec VPN. IPSec VPN's are easy to setup in Linux, but difficult or impossible in Windows and OS X.

Despite (despite) wrote :

I can confirm that the networkmanager-strongswan package does not address this. I doubt the networkmanager-openswan package does either.

networkmanager-strongswan does not include the L2TP side. Pure IPSec can be used for VPN, in fact that is easiest in Linux, but Windows and OS X complicate things by requiring L2TP/IPSec.

Werner Jaeger (werner-jaeger) wrote :

I came across this bug accidentally, but it got immediately my attention because I uploaded a corresponding GUI application to my private package archive (PPA).

If I got things right it does exactly what is wanted here, namely managing L2TP over IPsec VPN connections. In case you want to give it a try, you'll find the packages at

You'll need to install all three packages!

Unfortunately there is not yet any user documentation so, if you have questions feel free to contact me.

Another solution with GUI:

Peter Meiser (meiser79) wrote :

There's a new network-manager-l2tp available at
But the IPSec part is missing until now. Let's see how this project evolves.

Whoopie, thanks for the reminder. I think this NM plugin should be packaged in Debian and Ubuntu regardless; I'll file the necessary bugs tomorrow unless someone is eager to work on this now ;)

FWIW, debian has ITP bugs for two packages that would do something similar, though not through NM. Those are *ITP* bugs (intent to package), which doesn't mean there is any form of package anywhere near a ready state though; but someone curious might want to inquire about those... with Werner, who seems to be the one who filed those bugs.

Werner, are you still working on the packages, and if so, do you need any help to make them available on Debian or Ubuntu?

Peter Meiser (meiser79) wrote :

I have built a first package based on the network-manager-pptp package. It should be soon available in my testing PPA:

As I don't have a working L2TP connection right now, I couldn't test it.

But I have a question: What should be put under Vcs-Bzr in debian/control?

Mathieu, could you please have a look and review it?

Peter Meiser (meiser79) wrote :

Sorry to spam this bug report, but I just found out that nm-openswan at now has a 'testing' branch which supports L2TP and L2TP/IPSec according to the git log.

I'll try to build a package for it, too.

Werner Jaeger (werner-jaeger) wrote :

Mathieu, yes I'm still working on this package, it is available at (see also comment #20).

I also uploaded it to and I'm currently waiting for some one to review/advocate it.

Peter Meiser (meiser79) wrote :

I have uploaded packages for network-manager-openswan and openswan (to enable external stats daemon support) for Maverick and Natty to my testing PPA.

Feedback is very welcome, as I couldn't test it thoroughly.


Are your network-manager-openswan packages in your PPA (comment #27) from the testing branch?

Peter Meiser (meiser79) wrote :

Brian, yes, the network-manager-openswan package is based on the GIT testing branch.

Mohegan (jack-mohegan) wrote :

I just test the Whoopie's ppa with natty but it doesn't work.
I use the giganews vpn (
I have this message : "The VPN connection failed because there were no valid VPN secrets"

Any solution ?

On Thu, 2011-02-10 at 21:41 +0000, Mohegan wrote:
> I just test the Whoopie's ppa with natty but it doesn't work.

Works for me, on Maverick.

> I use the giganews vpn (
> I have this message : "The VPN connection failed because there were no valid VPN secrets"

Not sure why that is. I do notice that that connection requires
certificates. My working installation is using a PSK. Maybe the
certificate functionality is not quite working.

I also get the no valid VPN secrets error. Any ideas (using whoopies packages on natty), this is with a VPN that only requires a psk, no certs..

Werner: A review/upload from revu will almost never happen, ubuntu dosn't have enough reviewers.. A package for Debian Sid and an RFS mail to the debian-mentors list is usually the quickest way of getting a package into Ubuntu. Besides, it has the added benefit of the package making it to all Debian derivates. Contact me if you'd like some help with the process. is a great place to start.

Werner Jaeger (werner-jaeger) wrote :

Andreas: thanks for your kind offer.

I already got the package uploaded to debian sid ( and wheezy (

It is now also available in ubuntu precise (

The homepage for the package is

But why have yet another application taking up yet more system tray space to do what NM should be doing itself? IMHO, a completely different application for managing only l2tp-ipsec VPNs when we already have a VPN managing application is the completely wrong approach.

This ticket is about this functionality missing in NM, not about promoting yet another application to do what NM should be doing.

Sergey Prokhorov (seriy-pr) wrote :

I continue developing plugin from in my github fork . Also, I plan to further support this plugin.

You can test it through installing from my PPA

I tested it with Russian ISP - works well. Beeline doesn't use IPSec, so, I doesn't test IPSec capabilities, but author of IPSec part of plugin says that it can connect to Sonicwall VPN provider.

So, any comments, feature-requests and bugreports are welcome!

Sergey Prokhorov (seriy-pr) wrote :

Oh, forgot to say: there is a screenshot (ru locale)

Pavel Nogaev (unpropable) wrote :

I took the NM-plugin for L2tp VPN from PPA
It works fine.
I think it should be included in the standard ubuntu repository.

Ma Hsiao-chun (mahsiaochun) wrote :

@Sergey Prokhorov
You plugin works very well in GNOME Shell.
But it is problematic in Unity, unfortunately...

My test environment is CUHK VPN:

Thomas Hood (jdthood) on 2012-07-17
Changed in network-manager (Ubuntu):
status: In Progress → Confirmed
Ma Hsiao-chun (mahsiaochun) wrote :

I wonder why the importance is "Wishlist" !?

L2TP is the built-in capacity of Android, Mac OS X, Windows for years.
Ubuntu and Linux Desktop is just missing graphical L2TP support so far.

Why a missing feature that could cause some people unable to connect Internet be regarded as a "Wishlist"?

Thomas Hood (jdthood) on 2012-07-17
summary: - NM 0.7 No option for connecting to L2TP IPSEC VPN
+ Please add NM option for connecting to L2TP IPSEC VPN
Nathan Dorfman (ndorf) wrote :

The network-manager-l2tp package in #37 works very well for me, using Ubuntu 14.04 to connect to a Cisco L2TP/IPsec VPN. (Just a couple of minor tweaks needed to get the IPsec part working, for me.)

This project works, is well-integrated with Network Manager, and has an active and helpful developer. It should be added to Ubuntu ASAP, IMO.

Sergey Pashinin (pashinin) wrote :

I've used xl2tpd for many years. If this thing (#37) isn't still a part of Ubuntu - I do not understand why!
Blocking Internet is actually "critical" importance, not "wishlist"!

Switched to a MacBook Pro with OS X 10.9 and that solved the issue very nicely for me (also a big number of other Ubuntu-bugs).

So that is my best tips to anyone still hoping to see this get fixed, switch away from Ubuntu because this bug is from 2008!

Kẏra (thekyriarchy) wrote :

But do any of the NetworkManager plugins properly support the requirement of a PSK

Ludwig Tirazona (ljtirazona-j) wrote :

This should not be a "Wishlist" item. This is important.

novaBS (novabs) wrote :

I think it might be a solution if libreswan ( would be added to the repositories, including network-manager-libreswan (, which is being developed by GNOME. There isn't any launchpad repository available (for at least wily) at the moment…

Schmirrwurst (schmirrwurst) wrote :

There is also a working package here... please add it out of the box in nm...

Changed in network-manager:
status: Confirmed → Unknown
Michael Weimann (m982) wrote :

Still no support in 16.04 and I didn't find a solution using a PPA or things like this :/

Douglas Kosovic (dkosovic) wrote :

I've posted a summary of current NetworkManager-l2tp known issues and workarounds for Ubuntu and Debian here :

I haven't created a new network-manager-l2tp PPA because because of the strongSwan AppArmor name space issue involving NetworkManager and also some Ubuntu 16.04 users have had an issues with the system xl2tpd, but not with a locally built copy. Unfortunately I haven't been able to reproduce the xl2tpd issue since I changed computers a couple of months ago.

I hope to submit a network-manager-l2tp package to Debian once the strongSwan AppArmor issue has been resolved.

Douglas Kosovic (dkosovic) wrote :

There is now a new PPA, network-manager-l2tp 1.2.4 for 17.04 (zesty), 16.10 (yakkety) and 16.04 (xenial) packages can be found here:

strongswan stable release updates for yakkety and xenial which fix the aforementioned AppArmor name space issue were released in the last couple of weeks. So I've decided to release PPA packages as Debian strongswan doesn't have the fix yet. The network-manager-l2tp 1.2.4 PPA packages on yakkety and xenial have explicit dependencies for the versions of the strongswan packages with the fix.

Douglas Kosovic (dkosovic) wrote :

network-manager-l2tp 1.2.6-2 was accepted into Debian sid :

The Debian package was automatically added to Ubuntu artful (17.10).

I've requested an Ubuntu backport of network-manager-l2tp from artful to xenial (16.04) which includes intermediate zesty (17.04) and yakkety (16:10) releases :

Please vote for the backport by clicking the "this bug affects me" link in the backport request.

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.