
I want to connect an Ubuntu client to a VPN server in L2TP/IPsec mode. I used l2tp-ipsec-vpn and network-manager-l2tp on Ubuntu 16. In both cases I get this error: "vpn-connection failed to connect because VPN service fails to start". I also used xl2tpd and strongswan and I get the same error. Is there a stable package (on Ubuntu or another distro)? If yes, can you provide me a link for a step-by-step configuration?

1 Answer


The two most likely issues users have with network-manager-l2tp:

  1. Using a VPN server that is using legacy IPsec IKEv1 ciphers that current stable releases of strongswan consider to be broken as they have been cracked:

See the 'IPsec IKEv1 ciphers' section on the following page on how to query your VPN server for a list of supported ciphers and how to specify legacy ciphers in the Phase 1 and Phase 2 algorithm text boxes of the advanced section of the IPsec dialog box.

  2. Issue with not stopping the system xl2tpd service, see:

If you are having IPsec issues with strongswan and network-manager-l2tp, you could try installing and using libreswan instead with:

sudo apt install libreswan

Also have a look at the following page for other issues:

A backport of network-manager-l2tp packages from Debian Sid and Ubuntu 17.10 (Artful Aardvark) can be found here:

  • The "other issues" were rather important for me (libreswan). Setting Phase 2 to aes256-sha1,aes128-sha1,3des-sha1 worked. That info is buried in the page, so I'm adding it here for others/future self. – Jonathan Dickinson Nov 18 '20 at 20:49
  • sudo systemctl stop xl2tpd && sudo systemctl disable xl2tpd was also important despite the lack of the error message the README indicates. – Jonathan Dickinson Nov 18 '20 at 20:56
  • Ubuntu seems to be restarting xl2tpd of its own accord, despite disabling it. Another option is to edit /etc/xl2tpd/xl2tpd.conf, uncomment the [global] and port lines and set the port to something arbitrary (e.g. 17010); that way it won't interfere with the client. – Jonathan Dickinson Nov 24 '20 at 21:13
  • Newer versions of network-manager-l2tp now use a combination of Phase 1 & 2 proposals from iOS and Win10 for its defaults, so in general you shouldn't need to set Phase 1 & 2 anymore. Ubuntu 18.04 has a really old version of network-manager-l2tp from 2017. I would recommend the newer network-manager-l2tp packages from https://launchpad.net/~nm-l2tp/+archive/ubuntu/network-manager-l2tp. There is no error message mentioned in the "Issue with not stopping system xl2tpd service" section of the README.md file, which error message are you saying it is indicating? – Douglas Kosovic Nov 25 '20 at 03:32
  • All my comments were required to get it working on Groovy. My second and third comments refer to "Issue with not stopping system xl2tpd service." On Groovy, stopping the service does work but disabling it has no effect. In addition, something (I am not sure what) restarts the service after some time, which will even terminate an active connection (after black-holing it for a few minutes). – Jonathan Dickinson Nov 30 '20 at 17:52
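The xl2tpd port conflict discussed in the answer and the comments above, as an added example that is not part of the original answer or of the network-manager-l2tp project: a POSIX shell script that checks whether the distribution's xl2tpd (or anything else) is bound to UDP 1701, the port network-manager-l2tp's own xl2tpd instance needs, and rewrites /etc/xl2tpd/xl2tpd.conf so the system daemon listens on another port, as the third comment suggests. The `ss -ulpn` output is a constructed sample; the `apply` branch, the `systemctl mask` step and the nmcli `ipsec-esp` key mentioned in its comments are this example's assumptions, not steps from the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): detect a UDP 1701 conflict and
# relocate the system xl2tpd so network-manager-l2tp's xl2tpd can bind the port.
set -eu

# Constructed sample of `ss -ulpn` output from a host whose xl2tpd.service has
# taken the L2TP port (the real thing also shows charon/pluto on 500 and 4500).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
UNCONN 0      0      0.0.0.0:1701        0.0.0.0:*         users:(("xl2tpd",pid=1234,fd=4))
UNCONN 0      0      127.0.0.53%lo:53    0.0.0.0:*         users:(("systemd-resolve",pid=567,fd=12))
UNCONN 0      0      0.0.0.0:500         0.0.0.0:*         users:(("charon",pid=890,fd=9))'

# Read `ss -ulpn` output on stdin and print the Process column of every UDP
# socket bound to port 1701 (v4 "0.0.0.0:1701" or v6 "[::]:1701").
# Exit status 0 means something holds the port, 1 means it is free.
udp1701_holder() {
    awk '$1 == "UNCONN" && $4 ~ /:1701$/ { print $NF; found = 1 }
         END { exit found ? 0 : 1 }'
}

# Rewrite an xl2tpd.conf so the daemon listens on $2 instead of 1701. The stock
# Debian/Ubuntu template ships ";[global]" and ";port = 1701" commented out with
# ';', so those are uncommented in place; a missing "port" line is inserted at
# the end of the [global] stanza, and a missing stanza is prepended.
relocate_xl2tpd_port() {
    conf="$1" port="$2"
    tmp="$(mktemp)"
    if ! grep -Eq '^[; \t]*\[global\]' "$conf"; then
        # No [global] stanza at all: put one first so "port" is in the right section.
        printf '[global]\nport = %s\n' "$port" | cat - "$conf" > "$tmp"
    else
        awk -v port="$port" '
            /^[; \t]*\[global\][ \t]*$/ { print "[global]"; in_global = 1; next }
            /^[ \t]*\[/ {                       # next section starts: flush a missing port line
                if (in_global && !seen_port) { print "port = " port; seen_port = 1 }
                in_global = 0
            }
            in_global && /^[; \t]*port[ \t]*=/ { print "port = " port; seen_port = 1; next }
            { print }
            END { if (in_global && !seen_port) print "port = " port }
        ' "$conf" > "$tmp"
    fi
    cat "$tmp" > "$conf"      # overwrite in place so ownership/mode are preserved
    rm -f "$tmp"
}

# Live usage, run as root: `sh fix-l2tp-port.sh apply`. Stops the unit as the
# second comment does, and additionally masks it (an assumption of this example)
# so nothing can pull it back up; the port move is the fallback if it returns anyway.
if [ "${1:-}" = "apply" ]; then
    if ss -ulpn | udp1701_holder; then
        systemctl stop xl2tpd
        systemctl disable xl2tpd
        systemctl mask xl2tpd
    fi
    relocate_xl2tpd_port /etc/xl2tpd/xl2tpd.conf 17010
    # If the server only speaks legacy IKEv1 proposals, the Phase 2 value from the
    # first comment can also be set on the connection; assumed vpn.data key name:
    #   nmcli connection modify "<vpn name>" +vpn.data "ipsec-esp=aes256-sha1,aes128-sha1,3des-sha1"
fi
```

After applying it, `ss -ulpn | grep 1701` should show nothing, and a subsequent `nmcli connection up` of the L2TP profile lets network-manager-l2tp start its own xl2tpd on 1701. If the unit still comes back after a mask, look at `systemctl list-dependencies --reverse xl2tpd` for whatever is pulling it in.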