13

I'm having trouble connecting to my company's VPN on Ubuntu 15.04. It uses L2TP over IPsec, and I have a username, password and shared secret. How do I connect?

thomson_matt
  • 233
  • 1
  • 2
  • 6
  • 1
    Seems there is no easy way anymore to establish a L2tp VPN connection since OpenSwan has been deprecated and removed in Ubuntu 14.10. Need it myself, found no working solution after months of sporadic research. – derFunk May 21 '15 at 18:11
  • http://askubuntu.com/a/578881

    Answer seems to be strongswan.

    – Artistan Aug 03 '15 at 16:25
  • @Powel Szubert, I can't understand the last step. I don't know which IP I have to use to create this route. Could you help me, please? –  Mar 18 '16 at 19:38

6 Answers

12

Update: A PPA exists now for network-manager-l2tp:

You can use

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
sudo apt-get update
sudo apt-get install network-manager-l2tp

to install network-manager-l2tp, which supports L2TP on Ubuntu 16.04.

Walkthrough for building from source: http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/


Old Answer

Another solution is to use network-manager-l2tp. You can get it from https://github.com/nm-l2tp/network-manager-l2tp.

For installation walk-through: http://blog.z-proj.com/enabling-l2tp-over-ipsec-on-ubuntu-16-04/

It works for Ubuntu 16.04

zed
  • 551
  • 1
    I have just tested that with Ubuntu 16.04 and I can confirm that it works – lewiatan Sep 15 '16 at 21:25
  • 1
    Works for me too in 16.04! I had to apt install strongswan-plugin-openssl for "VPN service failed to start" in Network Manager which was caused by ENCRYPTION_ALGORITHM 3DES_CBC (key size 0) not supported! in syslog. – 13rac1 Sep 21 '16 at 22:51
  • There's now a PPA, which simplifies the installation. One note: I did have to stop the system xl2tpd service with sudo service xl2tpd stop before I could connect to my VPN -- otherwise xl2tpd would ignore the IPsec tunnel and try connecting directly over L2TP. – Marius Gedminas Mar 22 '17 at 14:33
  • 1
    You will also need a GUI: apt install network-manager-l2tp-gnome. See https://askubuntu.com/questions/934350/connect-to-l2tp-over-ipsec – Julien Carsique Oct 16 '17 at 10:06
  • This also worked for me on 16.04 LTS, and as @JulienCarsique mentioned, also had to run apt install network-manager-l2tp-gnome along with network-manager-l2tp (this should be the accepted answer IMO) – DarkCygnus Mar 22 '18 at 04:38
3

Patch NM-L2TP package with script

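#!/bin/bash
# Repack the utopic network-manager-l2tp .deb so it installs against ppp 2.4.6 (vivid).
set -euo pipefail
CUR_PATH=$(dirname "$(readlink -f "$0")")
DEB=network-manager-l2tp_0.9.8.5-0utopic1_amd64.deb
# Private temporary directory instead of a fixed, predictable path under /tmp
TMP_PATH=$(mktemp -d)
cd "${TMP_PATH}"
wget "https://launchpad.net/~seriy-pr/+archive/ubuntu/network-manager-l2tp/+build/6512073/+files/${DEB}"
ar vx "${DEB}"
mkdir new
tar -xpvf data.tar.xz -C ./new
# The pppd plugin directory is versioned; move it to the 2.4.6 path
mv ./new/usr/lib/pppd/2.4.5 ./new/usr/lib/pppd/2.4.6
# Same-length replacement (dots escaped so only the literal version string matches)
sed -i 's/2\.4\.5/2.4.6/g' ./new/usr/lib/NetworkManager/nm-l2tp-service
sed -i 's/2\.4\.5/2.4.6/g' ./new/usr/lib/pppd/2.4.6/nm-l2tp-pppd-plugin.so
mkdir new/DEBIAN
tar -xpvf control.tar.gz -C ./new/DEBIAN
# Drop the "ppp (<< 2.4.6)" dependency and rename the package revision
sed -i 's/, ppp (<< 2\.4\.6)//g' ./new/DEBIAN/control
sed -i 's/0utopic1/0vivid1/g' ./new/DEBIAN/control
# The shipped md5sums no longer match the edited files
rm ./new/DEBIAN/md5sums
dpkg-deb -b ./new/ "${CUR_PATH}/network-manager-l2tp_0.9.8.5-0vivid1_amd64.deb"
cd /
rm -rf "${TMP_PATH}"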

Then download and install an appropriate Openswan package from http://www.ubuntuupdates.org/pm/openswan and run the following commands:

sudo apt-get update
sudo dpkg -i network-manager-l2tp_0.9.8.5-0vivid1_amd64.deb
sudo service xl2tpd stop
sudo update-rc.d xl2tpd disable

Then just go to the Network manager, choose VPN connections and create l2tp. You need only set up a username, password and the IPSec PSK in the IPSec additional settings.

Part taken from this answer

ChipX
  • 31
3

The first comment is probably the answer for most of us, except, maybe, some real experts:

"Seems there is no easy way anymore to establish a L2tp VPN connection since OpenSwan has been deprecated and removed in Ubuntu 14.10. Need it myself, found no working solution after months of sporadic research. – derFunk May 21 at 18:11"

No solution seems to be planned, see https://wiki.strongswan.org/issues/254. Another needed functionality removed from Ubuntu.

hako
  • 191
  • I have proposed a solution below that should be very easy for a novice user. It doesn't involve patching the package. There are ways to do it but it's not as trivial as using the built-in functionality. – badmadrad Sep 24 '15 at 22:36
2

Note that for the accepted answer, the correct installation command for Ubuntu 18 is

sudo apt install network-manager-l2tp network-manager-l2tp-gnome

Since Ubuntu now ships with Gnome.

herman
  • 121
2

Another workaround, tested on 15.10, should work on 15.04 also. Requires manual editing of conffiles and manual establishing connection.

config setup
    strictcrlpolicy=yes

conn %default
    ikelifetime=30m
    keylife=15m
    rekeymargin=3m
    keyingtries=1
    mobike=no
    dpdaction=restart
    dpddelay=30
    dpdtimeout=120

conn MYSERVER
    left=192.168.101.157
    leftprotoport=17/1701
    # public IP of VPN gw
    right=77.78.79.80
    rightprotoport=17/1701
    authby=secret
    type=transport
    keyexchange=ikev1
    auto=route

  • edit /etc/ipsec.secrets:

: PSK "StrongPSKgivenByProvider"

  • edit (or create) /etc/openl2tpd.conf:

ppp profile modify profile_name=default \
    auth_eap=no auth_mschapv1=no auth_mschapv2=no

tunnel create tunnel_name=MYSERVER \
    dest_ipaddr=77.78.79.80 \
    hello_timeout=10 \
    retry_timeout=10 \
    max_retries=60 \
    persist=yes

session create session_name=MeOnMYSERVER \
    tunnel_name=MYSERVER \
    interface_name=ppp1 \
    user_name=MyLogin \
    user_password=MyPassword

  • restart and test ipsec:

    ipsec restart
    ipsec status

  • output should be like this:

    Routed Connections:
        MYSERVER{1}:  ROUTED, TRANSPORT
        MYSERVER{1}:   192.168.101.157/32[udp/l2f] === 77.78.79.80/32[udp/l2f]
    Security Associations (0 up, 0 connecting):
      none

  • connect

    sudo service openl2tpd restart
    sudo route add -net {net_behing_VPN_gateway/mask} gw {local_IP_of_VPN_gw}

Hope this helps someone.

  • what is the "{net_behing_VPN_gateway/mask}" in the last command? can you write an example with the actual numbers please? – Jana Sep 22 '16 at 22:55
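A pre-flight check for the manual strongSwan/openl2tpd procedure above, added here as an example and not part of any answer: it confirms from `ipsec status` text that a transport-mode policy for UDP 1701 towards the gateway is in place before L2TP is started (otherwise L2TP can go out without IPsec, as one comment on this page describes for xl2tpd), and that the files holding the PSK and the PPP password are not readable by group or others. The function names and the sample text are constructed; the `INSTALLED` state is assumed to be reported in the same line format as the `ROUTED` state quoted in the answer.

```bash
# Added example (not from any answer): checks to run before starting openl2tpd.

# Reads `ipsec status` text on stdin. Succeeds only if a connection in state
# ROUTED or INSTALLED, mode TRANSPORT, has a udp/l2f (port 1701) selector to gateway $1.
l2tp_policy_ready() {
    awk -v gw="$1" '
        # State line, e.g. "MYSERVER{1}:  ROUTED, TRANSPORT"
        /[{][0-9]+[}]: +(ROUTED|INSTALLED), TRANSPORT/ {
            name = $1; sub(/[{].*/, "", name); ok[name] = 1
        }
        # Traffic selector line, e.g. "MYSERVER{1}:  a/32[udp/l2f] === b/32[udp/l2f]"
        / === / {
            name = $1; sub(/[{].*/, "", name)
            if (ok[name] && index($0, "[udp/l2f] === " gw "/32[udp/l2f]")) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# Succeeds only if file $1 grants nothing to group or others.
# /etc/ipsec.secrets holds the PSK, /etc/openl2tpd.conf holds user_password.
secret_file_private() {
    local mode
    mode=$(stat -c '%a' "$1") || return 1   # GNU stat, octal mode such as 600
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Constructed sample, modelled on the `ipsec status` output in the answer above.
SAMPLE_STATUS='Routed Connections:
    MYSERVER{1}:  ROUTED, TRANSPORT
    MYSERVER{1}:   192.168.101.157/32[udp/l2f] === 77.78.79.80/32[udp/l2f]
Security Associations (0 up, 0 connecting):
  none'

# Live use as root, with the values from the answer:
#   ipsec status | l2tp_policy_ready 77.78.79.80 \
#     && secret_file_private /etc/ipsec.secrets \
#     && secret_file_private /etc/openl2tpd.conf \
#     && service openl2tpd restart
if printf '%s\n' "$SAMPLE_STATUS" | l2tp_policy_ready 77.78.79.80; then
    echo "IPsec transport policy for L2TP is in place"
else
    echo "No IPsec policy for udp/1701 to the gateway; do not start L2TP" >&2
fi
```
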
1

There is a workaround to get l2tp-ipsec on 15.04 but it's not very elegant.

I uninstalled strongswan and installed an old openswan trusty .deb package.

http://packages.ubuntu.com/trusty/openswan

I then found .deb files of the old l2tp-ipsec-vpn and l2tp-ipsec-vpn-daemon from trusty by Werner Jaeger.

http://packages.ubuntu.com/trusty/l2tp-ipsec-vpn

http://packages.ubuntu.com/trusty/l2tp-ipsec-vpn-daemon

I installed those, and after I restarted, I was able to connect. However, this took quite a bit of time to get working properly and required installing deprecated packages.

I think that's all I did but if you try this and get another error there may be another package I installed I don't remember.

UPDATE: I had to do this again so I figured I would share the steps. Install the old client: https://launchpad.net/l2tp-ipsec-vpn

Again, this is a workaround if you need it in a pinch, and it currently works. That being said, this really needs to be a part of the OS.

sudo apt-get install gksu libgksu2-0 libctemplate2 libengine-pkcs11-openssl libp11-2 xl2tpd

Next download the old binaries and install with dpkg:

wget http://mirrors.kernel.org/ubuntu/pool/universe/o/openswan/openswan_2.6.38-1_amd64.deb

sudo dpkg -i openswan_2.6.38-1_amd64.deb 

wget http://mirrors.kernel.org/ubuntu/pool/universe/l/l2tp-ipsec-vpn/l2tp-ipsec-vpn_1.0.9-1_amd64.deb

wget http://mirrors.kernel.org/ubuntu/pool/universe/l/l2tp-ipsec-vpn-daemon/l2tp-ipsec-vpn-daemon_0.9.9-1_amd64.deb

sudo dpkg -i l2tp-ipsec-vpn_1.0.9-1_amd64.deb
sudo dpkg -i l2tp-ipsec-vpn-daemon_0.9.9-1_amd64.deb

Open the client. Add a connection and configure as needed. Once you try to connect it may take a while, but be patient.

badmadrad
  • 111
  • I tried many solutions for my ubuntu 16.04, only this one works! Thank you a lot! – vkostromin Aug 11 '16 at 08:53
  • I know this is not related, but for anyone interested: it doesn't work on debian 9.0 (the GUI doesn't render properly). – andresp Feb 06 '17 at 14:32
  • For Debian 9.0, use network-manager-l2tp and network-manager-l2tp-gnome packages from Debian Sid: https://tracker.debian.org/pkg/network-manager-l2tp – Douglas Kosovic Nov 20 '17 at 23:40