Please add NM option for connecting to L2TP IPSEC VPN

Bug #264691 reported by Thomas Novin
This bug affects 88 people
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| NetworkManager | Unknown | Wishlist | | |
| network-manager (Debian) | Invalid | Undecided | Unassigned | |
| network-manager (Ubuntu) | Confirmed | Wishlist | Unassigned | |
Nominated for Karmic by SlonoInquisitor
Nominated for Lucid by nikkus

Bug Description

Binary package hint: network-manager

Missing feature:

You cannot connect to a (Microsoft) L2TP IPSEC VPN with Network Manager.

The server I want to connect to expects a login / password and a PSK.

When you do a connection in XP you can see the following details on a connection:

Device name: L2TP
Server type: PPP
Authentication: MS CHAP v2
IPSEC Encryption: IPSEC ESP 3DES
Compression: MPPC

Alexander Sack (asac) wrote :

How can you connect to such a VPN without network-manager under Linux? Please give me some insights. Thanks!

Changed in network-manager:
importance: Undecided → Wishlist
status: New → Incomplete
Thomas Novin (thomasn80) wrote :

Hello

It can be done by using xl2tpd and openswan.

More information can be found on these two sites for example:

http://www.jacco2.dds.nl/networking/linux-l2tp.html

http://gentoo-wiki.com/HOWTO_StrongSwan_VPN_using_FreeRadius_/_Active_Directory

Changed in network-manager:
status: Incomplete → New
Alexander Sack (asac) wrote :

Please verify that this still doesn't work in Intrepid. If the feature is still missing there, please open a bug in bugzilla.gnome.org against network-manager and give us the bug id so we can properly follow your bug.

Please search the gnome database for duplicates before filing your bug. Thanks!

Changed in network-manager:
status: New → Triaged
Thomas Novin (thomasn80) wrote :

Bug is now added on Bugzilla. Have I linked it correctly?

Changed in network-manager:
status: Unknown → New
Martin Mai (mrkanister-deactivatedaccount-deactivatedaccount) wrote :

@ThomasNovin: Nearly correct. The bug watch belongs to the project, because it was reported in the GNOME bug tracker. If it was reported in the Debian bug tracker you would have done right ;)

Changed in network-manager:
importance: Unknown → Undecided
importance: Undecided → Unknown
status: New → Unknown
Changed in network-manager:
status: Unknown → Confirmed
Pedro Villavicencio (pedro) wrote :

Setting the Debian task as invalid; there's no point in opening upstream tasks if there's no bug to link to there.

Changed in network-manager:
status: New → Invalid
Vincent Hindriksen (vhindriksen) wrote :

There is a package strongSwan in 9.10-alpha5, but a dependency 'strongswan-nm' is missing.

There is an implementation, which is created by the maintainers of xl2tp: https://gsoc.xelerance.com/projects/openswan-nm and ftp://ftp.openswan.org/NetworkManager-openswan/
Can we use this?

Peter Meiser (meiser79) wrote :

I packaged the nm-openswan for karmic. I had to change some code to get it compiled. The patch is included in the diff.gz

I attach the current version if someone is interested. A deb file for karmic is also included.

Frederic Muller (fred-beijinglug) wrote :

Thanks whoopie for the package. I did the installation but I don't see any input box to enter my username/password (actually the advanced button doesn't seem to have any effect). Is anybody using this successfully? Thanks

Dirk Bundies (dirk-bundies) wrote :

Hi,

I've solved the thing for me.
I got help from Jacco de Leeuw's information (http://www.jacco2.dds.nl/networking/linux-l2tp.html) and made an installation script. I've tested it under 9.10 Karmic and it is working fine. Here you can download my script:

http://www.dialog-edv.de/public/db/ubuntu/vpn

After starting the script you simply must enter the VPN server's TCP/IP address, the Preshared Key, the VPN user and password. Then, if needed, Openswan and xl2tp are installed. Furthermore, three Desktop Icons will be created, one for "Connect", one for "Disconnect" and one for "Kill VPN". Sometimes the last one must be hit before hitting "Connect". I could not do it better because it is my first work in Linux/bash programming.

Ok, good luck with it.

Dirk - from Germany

Changed in network-manager (Ubuntu):
status: Triaged → Confirmed
Kai Hendrik Behrends (kbehren) wrote :

Still nothing working in Karmic and Lucid Beta1

nikkus (nickkuz) wrote :

I confirm that the L2TP option via Network Manager is very important for users in
Russia, where most Internet providers use pptp or L2TP tunneling, with no
alternatives. Many providers migrate from pptp to L2TP.
NM+pptp is already present in the Lucid Beta installation media; it's great! One step
forward is to add an L2TP connection plugin for NM.

Jasey (jason-rivers) wrote :

I'd be quite interested in seeing this, too. L2TP is not really anything to do with Windows VPN; they use it, but it's Layer 2 Networking which my ISP uses to route traffic on backup lines.

L2TP is quite important to the failover working, and our systems having reduced down-time. It would be really good to see this in Network Manager

Eran Gross (erang-gross)
Changed in network-manager (Ubuntu):
status: Confirmed → In Progress
Eran Gross (erang-gross) wrote :

In computer networking, Layer 2 Tunneling Protocol (L2TP) is a tunneling protocol used to support virtual private networks (VPNs). It does not provide any encryption or confidentiality by itself; it relies on an encryption protocol that it passes within the tunnel to provide privacy. Although L2TP acts like a Data Link Layer protocol in the OSI model, L2TP is in fact a Session Layer protocol, and uses the registered UDP port 1701.

Because of the lack of confidentiality inherent in the L2TP protocol, it is often implemented along with IPsec. This is referred to as L2TP/IPsec, and is standardized in IETF RFC 3193. The process of setting up an L2TP/IPsec VPN is as follows:
1. Negotiation of IPsec Security Association (SA), typically through Internet Key Exchange (IKE). This is carried out over UDP port 500, and commonly uses either a shared password (so-called "pre-shared keys"), public keys, or X.509 certificates on both ends, although other keying methods exist.
2. Establishment of Encapsulating Security Payload (ESP) communication in transport mode. The IP Protocol number for ESP is 50 (compare TCP's 6 and UDP's 17). At this point, a secure channel has been established, but no tunneling is taking place.
3. Negotiation and establishment of L2TP tunnel between the SA endpoints. The actual negotiation of parameters takes place over the SA's secure channel, within the IPsec encryption. L2TP uses UDP port 1701.

When the process is complete, L2TP packets between the endpoints are encapsulated by IPsec. Since the L2TP packet itself is wrapped and hidden within the IPsec packet, no information about the internal private network can be garnered from the encrypted packet. Also, it is not necessary to open UDP port 1701 on firewalls between the endpoints, since the inner packets are not acted upon until after IPsec data has been decrypted and stripped, which only takes place at the endpoints.

A potential point of confusion in L2TP/IPsec is the use of the terms "tunnel" and "secure channel." Tunnel refers to a channel which allows untouched packets of one network to be transported over another network. In the case of L2TP/IPsec, it allows L2TP/PPP packets to be transported over IP. A secure channel refers to a connection within which the confidentiality of all data is guaranteed.

In L2TP/IPsec, first IPsec provides a secure channel, then L2TP provides a tunnel.

It will be a very important addition for day-to-day work in organizations that need access to internal networks for daily tasks, not just sys admins.
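
The setup sequence described in the comment above, turned into a check a defender can run over captured traffic. This is an added example, not part of the original comment or of any project mentioned in this thread: it sorts IPv4 packets into IKE (UDP 500), ESP (IP protocol 50) and L2TP (UDP 1701), and flags L2TP seen outside ESP, which means the session is running without the IPsec secure channel. The sample packets are constructed, the L2TP flag layout (T bit, version 2) comes from RFC 2661, and NAT traversal encapsulation is assumed not to be in use.

```python
import socket
import struct

PROTO_UDP, PROTO_ESP = 17, 50      # IP protocol numbers quoted in the comment
IKE_PORT, L2TP_PORT = 500, 1701    # UDP ports quoted in the comment


def build_ipv4(proto, payload, src="192.0.2.10", dst="198.51.100.1"):
    """Constructed sample packet: 20-byte IPv4 header (checksum left at 0)."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def build_udp(sport, dport, payload):
    """Constructed UDP datagram (checksum left at 0)."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def classify(packet):
    """Map one raw IPv4 packet to the L2TP/IPsec stage it belongs to."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "malformed"
    proto = packet[9]
    if proto == PROTO_ESP:
        return "esp"                 # encrypted: inner L2TP is not visible
    if proto != PROTO_UDP:
        return "other"
    if len(packet) < ihl + 8:
        return "malformed"
    sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
    if IKE_PORT in (sport, dport):
        return "ike"
    if L2TP_PORT not in (sport, dport):
        return "other"
    body = packet[ihl + 8:]
    if len(body) < 2:
        return "malformed"
    (flags,) = struct.unpack("!H", body[:2])
    if flags & 0x000F != 2:          # low 4 bits carry the L2TP version
        return "other"
    # T bit set means a control message, clear means a data message.
    return "cleartext-l2tp-control" if flags & 0x8000 else "cleartext-l2tp-data"


def unprotected_l2tp(packets):
    """Indices of packets that show L2TP outside the IPsec secure channel."""
    return [i for i, p in enumerate(packets)
            if classify(p).startswith("cleartext-l2tp")]


# Constructed capture: IKE, then ESP, then two L2TP packets sent in the clear.
SAMPLE = [
    build_ipv4(PROTO_UDP, build_udp(500, 500, b"\x00" * 28)),
    build_ipv4(PROTO_ESP, b"\x00\x00\x10\x01\x00\x00\x00\x01" + b"\xaa" * 32),
    build_ipv4(PROTO_UDP, build_udp(1701, 1701, b"\xc8\x02\x00\x0c" + b"\x00" * 8)),
    build_ipv4(PROTO_UDP, build_udp(1701, 1701, b"\x00\x02\x00\x01\x00\x01\xff\x03")),
]

if __name__ == "__main__":
    for i, pkt in enumerate(SAMPLE):
        print(i, classify(pkt))
    print("unprotected L2TP at packet indices:", unprotected_l2tp(SAMPLE))
```

On a correctly configured L2TP/IPsec connection an observer between the endpoints sees only the first two classes; any hit from `unprotected_l2tp` is worth investigating.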

Alex (ubuntu-alex-caro) wrote :

Has this bug still not been dealt with?

Mathieu Trudel-Lapierre (cyphermox) wrote :

Right, can somebody please test if this works properly using the network-manager-strongswan package in universe? I do not have a L2TP test VPN to check with :)

If that doesn't work, then we'll have to check how/if to include nm-openswan as in comment 8 in a future release or through a PPA.

Alex (ubuntu-alex-caro) wrote :

My L2TP/IPsec VPN connection requires me to enter a "shared secret" key. I don't see anywhere to enter that in the Openswan Network Manager plugin.

Changed in network-manager:
importance: Unknown → Wishlist
Despite (despite) wrote :

I can confirm the networkmanager-strongswan package does not work for L2TP/IPSec. It implements a pure IPSec VPN. IPSec VPNs are easy to set up in Linux, but difficult or impossible in Windows and OS X.

Despite (despite) wrote :

I can confirm that the networkmanager-strongswan package does not address this. I doubt the networkmanager-openswan package does either.

networkmanager-strongswan does not include the L2TP side. Pure IPSec can be used for VPN, in fact that is easiest in Linux, but Windows and OS X complicate things by requiring L2TP/IPSec.

Werner Jaeger (werner-jaeger) wrote :

I came across this bug accidentally, but it immediately got my attention because I uploaded a corresponding GUI application to my private package archive (PPA).

If I got things right it does exactly what is wanted here, namely managing L2TP over IPsec VPN connections. In case you want to give it a try, you'll find the packages at

https://launchpad.net/~werner-jaeger/+archive/ppa-werner-vpn/+packages

You'll need to install all three packages!

Unfortunately there is not yet any user documentation so, if you have questions feel free to contact me.

Andriy Tsykholyas (andriy-tsykholyas) wrote :

Another solution with GUI: http://code.google.com/p/vpnpptp/

Peter Meiser (meiser79) wrote :

There's a new network-manager-l2tp available at https://github.com/atorkhov/NetworkManager-l2tp
But the IPSec part is missing until now. Let's see how this project evolves.

Mathieu Trudel-Lapierre (cyphermox) wrote :

Whoopie, thanks for the reminder. I think this NM plugin should be packaged in Debian and Ubuntu regardless; I'll file the necessary bugs tomorrow unless someone is eager to work on this now ;)

FWIW, debian has ITP bugs for two packages that would do something similar, though not through NM. Those are *ITP* bugs (intent to package), which doesn't mean there is any form of package anywhere near a ready state though; but someone curious might want to inquire about those... with Werner, who seems to be the one who filed those bugs.

Werner, are you still working on the packages, and if so, do you need any help to make them available on Debian or Ubuntu?

Peter Meiser (meiser79) wrote :

I have built a first package based on the network-manager-pptp package. It should be soon available in my testing PPA: https://launchpad.net/~whoopie79/+archive/testing

As I don't have a working L2TP connection right now, I couldn't test it.

But I have a question: What should be put under Vcs-Bzr in debian/control?

Mathieu, could you please have a look and review it?

Peter Meiser (meiser79) wrote :

Sorry to spam this bug report, but I just found out that nm-openswan at https://gsoc.xelerance.com/projects/openswan-nm now has a 'testing' branch which supports L2TP and L2TP/IPSec according to the git log.

I'll try to build a package for it, too.

Werner Jaeger (werner-jaeger) wrote :

Mathieu, yes I'm still working on this package, it is available at https://launchpad.net/~werner-jaeger/+archive/ppa-werner-vpn/+packages (see also comment #20).

I also uploaded it to http://revu.ubuntuwire.com/ and I'm currently waiting for someone to review/advocate it.

Peter Meiser (meiser79) wrote :

I have uploaded packages for network-manager-openswan and openswan (to enable external stats daemon support) for Maverick and Natty to my testing PPA.

Feedback is very welcome, as I couldn't test it thoroughly.

Brian J. Murrell (brian-interlinx) wrote :

@Whoopie,

Are your network-manager-openswan packages in your PPA (comment #27) from the testing branch?

Peter Meiser (meiser79) wrote :

Brian, yes, the network-manager-openswan package is based on the GIT testing branch.

Mohegan (jack-mohegan) wrote :

I just tested Whoopie's PPA with natty but it doesn't work.
I use the giganews vpn (http://www.giganews.com/vyprvpn/setup/windows-7/l2tp.html).
I have this message : "The VPN connection failed because there were no valid VPN secrets"

Any solution ?

Brian J. Murrell (brian-interlinx) wrote : Re: [Bug 264691] Re: NM 0.7 No option for connecting to L2TP IPSEC VPN

On Thu, 2011-02-10 at 21:41 +0000, Mohegan wrote:
> I just tested Whoopie's PPA with natty but it doesn't work.

Works for me, on Maverick.

> I use the giganews vpn (http://www.giganews.com/vyprvpn/setup/windows-7/l2tp.html).
> I have this message : "The VPN connection failed because there were no valid VPN secrets"

Not sure why that is. I do notice that that connection requires
certificates. My working installation is using a PSK. Maybe the
certificate functionality is not quite working.

Andreas Noteng (andreas-noteng) wrote : Re: NM 0.7 No option for connecting to L2TP IPSEC VPN

I also get the no valid VPN secrets error. Any ideas (using Whoopie's packages on natty)? This is with a VPN that only requires a PSK, no certs.

Andreas Noteng (andreas-noteng) wrote :

Werner: A review/upload from revu will almost never happen; Ubuntu doesn't have enough reviewers. A package for Debian Sid and an RFS mail to the debian-mentors list is usually the quickest way of getting a package into Ubuntu. Besides, it has the added benefit of the package making it to all Debian derivatives. Contact me if you'd like some help with the process. mentors.debian.net is a great place to start.

Werner Jaeger (werner-jaeger) wrote :

Andreas: thanks for your kind offer.

I already got the package uploaded to debian sid (http://packages.debian.org/sid/l2tp-ipsec-vpn) and wheezy (http://packages.debian.org/wheezy/l2tp-ipsec-vpn).

It is now also available in ubuntu precise (https://launchpad.net/ubuntu/precise/+source/l2tp-ipsec-vpn).

The homepage for the package is https://launchpad.net/l2tp-ipsec-vpn.

Brian J. Murrell (brian-interlinx) wrote :

But why have yet another application taking up yet more system tray space to do what NM should be doing itself? IMHO, a completely different application for managing only l2tp-ipsec VPNs when we already have a VPN managing application is the completely wrong approach.

This ticket is about this functionality missing in NM, not about promoting yet another application to do what NM should be doing.

Sergey Prokhorov (seriy-pr) wrote :

Hi.
I continue developing the plugin from https://github.com/atorkhov/NetworkManager-l2tp in my GitHub fork https://github.com/seriyps/NetworkManager-l2tp . Also, I plan to further support this plugin.

You can test it through installing from my PPA
https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp

I tested it with the Russian ISP beeline.ru and it works well. Beeline doesn't use IPSec, so I haven't tested the IPSec capabilities, but the author of the IPSec part of the plugin says that it can connect to the Sonicwall VPN provider.

So, any comments, feature-requests and bugreports are welcome!

Sergey Prokhorov (seriy-pr) wrote :

Oh, forgot to say: there is a screenshot (ru locale) http://dl.seriyps.ru/img/network-manager-l2tp.png

Pavel Nogaev (unpropable) wrote :

Hello!
I took the NM-plugin for L2tp VPN from PPA https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp.
It works fine.
I think it should be included in the standard ubuntu repository.

Ma Hsiao-chun (mahsiaochun) wrote :

@Sergey Prokhorov
Your plugin works very well in GNOME Shell.
But it is problematic in Unity, unfortunately...

My test environment is CUHK VPN:
http://www.cuhk.edu.hk/itsc/network/vpn/vpn.html

Thomas Hood (jdthood)
Changed in network-manager (Ubuntu):
status: In Progress → Confirmed
Ma Hsiao-chun (mahsiaochun) wrote :

I wonder why the importance is "Wishlist" !?

L2TP has been a built-in capability of Android, Mac OS X and Windows for years.
Ubuntu and the Linux desktop are just missing graphical L2TP support so far.

Why is a missing feature that could leave some people unable to connect to the Internet regarded as a "Wishlist"?

Thomas Hood (jdthood)
summary: - NM 0.7 No option for connecting to L2TP IPSEC VPN
+ Please add NM option for connecting to L2TP IPSEC VPN
Nathan Dorfman (ndorf) wrote :

The network-manager-l2tp package in #37 works very well for me, using Ubuntu 14.04 to connect to a Cisco L2TP/IPsec VPN. (Just a couple of minor tweaks needed to get the IPsec part working, for me.)

This project works, is well-integrated with Network Manager, and has an active and helpful developer. It should be added to Ubuntu ASAP, IMO.

Sergey Pashinin (pashinin) wrote :

I've used xl2tpd for many years. If this thing (#37) isn't still a part of Ubuntu - I do not understand why!
Blocking Internet is actually "critical" importance, not "wishlist"!

Thomas Novin (thomasn80) wrote :

Switched to a MacBook Pro with OS X 10.9 and that solved the issue very nicely for me (also a big number of other Ubuntu-bugs).

So that is my best tip to anyone still hoping to see this get fixed: switch away from Ubuntu, because this bug is from 2008!

Kẏra (thekyriarchy) wrote :

But do any of the NetworkManager plugins properly support the requirement of a PSK?

Ludwig Tirazona (ljtirazona-j) wrote :

This should not be a "Wishlist" item. This is important.

novaBS (novabs) wrote :

I think it might be a solution if libreswan (https://libreswan.org/) would be added to the repositories, including network-manager-libreswan (https://github.com/GNOME/network-manager-libreswan), which is being developed by GNOME. There isn't any launchpad repository available (for at least wily) at the moment…

Schmirrwurst (schmirrwurst) wrote :

There is also a working package here... please add it out of the box in nm...
https://launchpad.net/~ikuya-fruitsbasket/+archive/ubuntu/network-manager-l2tp

Changed in network-manager:
status: Confirmed → Unknown
Michael Weimann (m982) wrote :

Still no support in 16.04 and I didn't find a solution using a PPA or things like this :/

Douglas Kosovic (dkosovic) wrote :

I've posted a summary of current NetworkManager-l2tp known issues and workarounds for Ubuntu and Debian here :
  https://github.com/nm-l2tp/network-manager-l2tp/issues/12

I haven't created a new network-manager-l2tp PPA because of the strongSwan AppArmor name space issue involving NetworkManager, and also some Ubuntu 16.04 users have had issues with the system xl2tpd, but not with a locally built copy. Unfortunately I haven't been able to reproduce the xl2tpd issue since I changed computers a couple of months ago.

I hope to submit a network-manager-l2tp package to Debian once the strongSwan AppArmor issue has been resolved.

Douglas Kosovic (dkosovic) wrote :

There is now a new PPA, network-manager-l2tp 1.2.4 for 17.04 (zesty), 16.10 (yakkety) and 16.04 (xenial) packages can be found here:
    https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp

strongswan stable release updates for yakkety and xenial which fix the aforementioned AppArmor name space issue were released in the last couple of weeks. So I've decided to release PPA packages as Debian strongswan doesn't have the fix yet. The network-manager-l2tp 1.2.4 PPA packages on yakkety and xenial have explicit dependencies for the versions of the strongswan packages with the fix.

Douglas Kosovic (dkosovic) wrote :

network-manager-l2tp 1.2.6-2 was accepted into Debian sid :

   https://tracker.debian.org/pkg/network-manager-l2tp

The Debian package was automatically added to Ubuntu artful (17.10).

I've requested an Ubuntu backport of network-manager-l2tp from artful to xenial (16.04) which includes intermediate zesty (17.04) and yakkety (16.10) releases :

   https://bugs.launchpad.net/xenial-backports/+bug/1697934

Please vote for the backport by clicking the "this bug affects me" link in the backport request.
