Bug 554046 - vpn: L2TP VPN support
Status: RESOLVED NOTGNOME
Product: NetworkManager
Classification: Platform
Component: VPN (general)
Version: git master
Hardware: Other
OS: All
Importance: Normal enhancement
Target Milestone: ---
Assigned To: Dan Williams
QA Contact: NetworkManager maintainer(s)
Depends on:
Blocks:
 
 
Reported: 2008-09-27 08:16 UTC by g11024342@trbvm.com
Modified: 2016-03-20 15:19 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments:
tail -f -n 0 /var/log/syslog (5.86 KB, text/plain), 2012-05-16 18:59 UTC, Ma Hsiao-chun
My L2TP Setting for CUHKVPN (419 bytes, application/octet-stream), 2012-05-16 19:00 UTC, Ma Hsiao-chun

Description g11024342@trbvm.com 2008-09-27 08:16:03 UTC
Missing feature:

You cannot connect to a (Microsoft) L2TP IPSEC VPN with Network Manager.

The server I want to connect to expects a login / password and a PSK.

When you do a connection in XP you can see the following details on a connection:

Device name: L2TP
Server type: PPP
Authentication: MS CHAP v2
IPSEC Encryption: IPSEC ESP 3DES
Compression: MPPC

It can be done by using xl2tpd and openswan.

More information can be found on these two sites for example:

http://www.jacco2.dds.nl/networking/linux-l2tp.html

http://gentoo-wiki.com/HOWTO_StrongSwan_VPN_using_FreeRadius_/_Active_Directory
Comment 1 Maxim Levitsky 2008-12-10 18:46:55 UTC
I also need that feature
Comment 2 Paul Handly 2008-12-17 03:54:36 UTC
IPSec-Tools (http://ipsec-tools.sourceforge.net/) would be an alternative to Openswan, if one is desired.

On Windows XP and Mac OS X, IPsec + L2TP is the only flavor of IPSec VPN supported out of the box; it would be really nice to have a plugin available for NM.  I'd be more than happy to assist in testing such a plugin, but I don't have the expertise to write it myself.
Comment 3 Julien Iguchi-Cartigny 2009-04-14 18:54:20 UTC
Notice the following Google Summer of code:

http://www.xelerance.com/GSoC2009/
Comment 4 g11024342@trbvm.com 2009-04-14 20:30:37 UTC
@Julien Iguchi-Cartigny:

Very nice, this is exactly what we are looking for. I'm sending this bug id to the mail address on that page.

Also, the Launchpad bug id for the Ubuntu bug is #264691 (https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/264691)
Comment 5 Lex Ross 2009-10-15 14:37:28 UTC
May I point out that 80% of home users in Ukraine and Russia will need this feature to be able to get online. Right now they are given an option of using either PPTP or L2TP but are pushed by ISPs towards L2TP more and more. This trend is not to be overlooked.
Comment 6 Geoffrey Pursell 2009-11-26 16:43:03 UTC
I'd like to point out that L2TP is the only non-proprietary type of VPN supported by many widely deployed SonicWall firewalls in the US.

Support in NM would be great, since other methods of becoming an L2TP client on the Linux desktop seem to be pretty painful to use.
Comment 7 nikkus 2010-04-16 06:21:21 UTC
I confirm that the L2TP option via Network Manager is very important for users in Russia, where most Internet providers use PPTP/L2TP tunneling, with no alternatives. NM+pptp is already present in major distributions; it's great!
NM is an extremely useful application; I don't know any management suite for LAN+WiFi that is comparable to NM in functionality, even for Windows.
One step forward is to add an L2TP connection plugin for NM.
Comment 8 lainme993 2010-08-20 05:43:39 UTC
L2TP is also used by some companies and schools in China. It's a pity that we can't use L2TP through NM.
Comment 9 Pavel Andreev 2010-09-25 01:13:10 UTC
I confirm the other comments. It is very important for most NM users to implement the possibility to connect over L2TP.
Comment 10 Werner Jaeger 2010-09-26 10:11:16 UTC
I actually implemented a GUI based on Qt4 a few weeks ago.

The GUI is not a network manager plug-in. However, it provides a system tray icon in the notification area from which a non privileged user can establish and bring down L2TP over IPsec VPN connections.

There is also an 'Edit connections' menu item. In order to bring up the editor dialog, a non-privileged user must authenticate as root.

From there the user can add, remove and edit VPN connections.

Editing allows configuring various options for IPsec, L2TP and PPP.

Among others, the user can configure e.g. the gateway, the use of either a PSK or a certificate for authentication, various L2TP options such as redial timeout and attempts, and of course all relevant PPP options.

When applying your settings, all necessary configuration files are written accordingly (ipsec.conf, xl2tp.conf, options.xl2tpd, opensc.conf up and down scripts ...).

It relies on Openswan and xl2tp packages as the underlying protocol handlers.

You can also use certificates on your local machine or, if e.g. OpenSC is installed and configured, even on a smart card to handle PPP
authentication.

The GUI automatically detects when network interfaces are going up or down and can (if so configured) automatically establish or close VPN connections.

In case you want to give it a try, you'll find the packages for Ubuntu Maverick at

https://launchpad.net/~werner-jaeger/+archive/ppa-werner-vpn/+packages

You'll need to install all three packages!

Unfortunately there is not yet any user documentation so, if you have questions feel free to contact me.
Comment 11 Alexey Torkhov 2011-01-17 10:08:45 UTC
I've implemented NetworkManager-l2tp plugin. It is based on -pptp plugin and works with xl2tpd to establish L2TP connection. Basic features are already functional but it needs polishing and testing.

Source code is here:
https://github.com/atorkhov/NetworkManager-l2tp

Fedora packages here, note that it currently needs permissive/disabled
SELinux:
http://atorkhov.fedorapeople.org/NetworkManager-l2tp/

People are welcome to work on plugin or include it in various distros :)
Comment 12 Sergey 2012-02-09 15:25:13 UTC
I continue support of Alexey Torkhov's plugin, so it now supports NM 0.8 and NM 0.9, GTK3 and so on.
You can find it on my github page https://github.com/seriyps/NetworkManager-l2tp (branch "nm_0.8" contains the NM 0.8 version, "master" the NM 0.9 one).

Also, it has rudimentary IPSec support.

I'll also create a PPA deb repository on Launchpad for Ubuntu users (https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp); some of them report that the plugin works for them. Packages must work on Debian, I think.
Comment 13 Ma Hsiao-chun 2012-03-04 19:08:05 UTC
The Chinese University of Hong Kong (CUHK) uses an L2TP VPN for both external and internal connections. In the campus area, if I cannot connect to the school's L2TP VPN, I cannot use the network port in my dormitory, and my wireless connection would be a limited one, e.g., I cannot SSH to my department's Linux machines.

Currently, we have to do extensive CLI configuration. Note that we also use IPSec. 
http://www.cuhk.edu.hk/itsc/network/vpn/linuxvpn.html

L2TP setup for other major systems is much, much easier:
http://www.cuhk.edu.hk/itsc/network/vpn/vpn.html
Comment 14 Sergey 2012-03-04 21:54:07 UTC
(In reply to comment #13)
Can you please try my L2TP plugin from comment #12? It supports IPSec + PSK L2TP.
Comment 15 Ma Hsiao-chun 2012-03-11 03:09:42 UTC
(In reply to comment #14)
I'm sorry for late reply.
I have no time to install a clean Ubuntu and test your package currently.

But from my experience of shell script connection, I find several key points.

1. Determine whether it is an internal connection or an external (across the Internet) connection.

2. If INTERNAL, a script like this would work; this case is easier:
http://www.cuhk.edu.hk/itsc/network/vpn/linuxvpn/connect.sh

3. If EXTERNAL, a script like this is needed; this is a bit more complicated:
http://dl.dropbox.com/u/45139465/connect.sh

4. For EXTERNAL, we have to know our public IP. Otherwise, we cannot set up IPSec correctly. I'm using IPsec-Tools.
http://ipsec-tools.sourceforge.net/

5. For EXTERNAL, we have to gracefully replace the default router.

If it is an Ethernet connection, we need a routing table like this. Note that VPN_PEER_IP can be determined by ping beforehand, at least for my university's VPN server. 192.168.1.1 was the previous Ethernet gateway.
Destination     Next hop
VPN_PEER_IP     192.168.1.1
192.168.0.0     eth0
0.0.0.0         ppp0

If it is already a PPP connection (e.g., ADSL, 3G), we need routing like this.
Destination     Next hop
VPN_PEER_IP     ppp0
0.0.0.0         ppp1

As far as I can tell, pppd does not have an option to do such a setting. We may use some scripts, though.
Comment 16 Ma Hsiao-chun 2012-03-11 03:11:36 UTC
Note that VPN_PEER_IP canNOT be determined by ping beforehand, at least for my university's VPN server.

I'm sorry.
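The route swap described in comment 15 (pin a host route to the VPN peer through the existing uplink first, then move the default route onto the tunnel interface, and undo both in reverse on teardown) as an added shell example; it is not code from this thread, from xl2tpd or from any NetworkManager plugin mentioned here. It assumes iproute2 `ip route` syntax and a single-line `ip route show default` output; the peer address, interface names and the demo line are constructed for the example. The script only emits the commands instead of applying them, and it rejects a malformed peer address or interface name so that a value read from a config file can never be spliced into a command line.

```shell
#!/bin/sh
# Added example (not from the bug thread): plan the route changes needed when an
# L2TP/IPsec tunnel (pppN) becomes the default route. The VPN peer must keep a
# more specific route through the underlying uplink, otherwise the tunnel's own
# encapsulated packets would be routed into the tunnel once the default moves.
# Assumptions: iproute2 syntax; interface names and addresses are hypothetical.

# is_ipv4 ADDR: accept only a dotted quad, so an untrusted value cannot carry
# shell metacharacters into the generated commands.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# is_ifname NAME: Linux interface names are short and alphanumeric-ish.
is_ifname() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ ${#1} -le 15 ]
}

# parse_default_route LINE
# LINE is one line of `ip route show default`, e.g.
#   "default via 192.168.1.1 dev eth0 proto static metric 100"  (Ethernet)
#   "default dev ppp0 scope link"                                (PPP uplink)
# Prints "GATEWAY DEV", with GATEWAY "-" for a point-to-point uplink.
parse_default_route() {
    gw='-' dev=''
    set -- $1
    [ "$1" = "default" ] || return 1
    shift
    while [ $# -gt 0 ]; do
        case "$1" in
            via|dev)
                [ $# -ge 2 ] || return 1
                if [ "$1" = via ]; then gw=$2; else dev=$2; fi
                shift 2 ;;
            *) shift ;;
        esac
    done
    is_ifname "$dev" || return 1
    [ "$gw" = '-' ] || is_ipv4 "$gw" || return 1
    printf '%s %s\n' "$gw" "$dev"
}

# plan_routes PEER_IP VPN_IF DEFAULT_LINE
# Emits, one per line, the commands that (1) pin a /32 route for the VPN peer
# through the current uplink and (2) replace the default route with VPN_IF.
plan_routes() {
    peer=$1 vpn_if=$2
    is_ipv4 "$peer" && is_ifname "$vpn_if" || return 1
    parsed=$(parse_default_route "$3") || return 1
    gw=${parsed%% *}
    uplink=${parsed#* }
    if [ "$gw" = '-' ]; then
        # PPP/3G uplink: the peer is reached directly over the link
        printf 'ip route add %s/32 dev %s\n' "$peer" "$uplink"
    else
        printf 'ip route add %s/32 via %s dev %s\n' "$peer" "$gw" "$uplink"
    fi
    printf 'ip route replace default dev %s\n' "$vpn_if"
}

# undo_routes PEER_IP VPN_IF DEFAULT_LINE
# The reverse of plan_routes: restore the pre-VPN default, then drop the pin.
undo_routes() {
    peer=$1 vpn_if=$2
    is_ipv4 "$peer" && is_ifname "$vpn_if" || return 1
    parsed=$(parse_default_route "$3") || return 1
    gw=${parsed%% *}
    uplink=${parsed#* }
    printf 'ip route del default dev %s\n' "$vpn_if"
    if [ "$gw" = '-' ]; then
        printf 'ip route replace default dev %s\n' "$uplink"
    else
        printf 'ip route replace default via %s dev %s\n' "$gw" "$uplink"
    fi
    printf 'ip route del %s/32\n' "$peer"
}

# Constructed demo input (not captured from a real host).
demo_line='default via 192.168.1.1 dev eth0 proto static metric 100'
plan_routes 203.0.113.10 ppp0 "$demo_line"
```

Run it as is to see the planned commands; on a real host capture the line with `ip route show default` before the tunnel comes up and keep it, since after the swap that command reports the tunnel, not the uplink, and the teardown needs the original.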
Comment 17 Pavel Nogaev 2012-03-25 05:39:11 UTC
I took the NM-plugin for L2tp VPN from ubuntu PPA https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp. It works fine.
I think it should be included to upstream.
Comment 18 Ma Hsiao-chun 2012-04-26 04:26:32 UTC
Hi, all.

I just checked the mailing list archive.
http://mail.gnome.org/archives/networkmanager-list/2008-May/msg00282.html

4 year later. What changed?
Comment 19 Bin Li 2012-05-16 03:36:52 UTC
(In reply to comment #18)
> Hi, all.
> 
> I just checked the mailing list archive.
> http://mail.gnome.org/archives/networkmanager-list/2008-May/msg00282.html
> 
> 4 year later. What changed?

Did you try the package in Comment#17?
Comment 20 Ma Hsiao-chun 2012-05-16 04:56:38 UTC
Hi,

I just tried the package in #c17. My distro is Ubuntu 12.04, 32bit. I'm inside CUHK. I'm using a LAN port on the wall.

PPP Settings:
Set the authentication methods to be PAP and MSCHAPv2
Uncheck all compression stuff.

Then I can connect with my username, password and IPSec PSK.

By using "ifconfig", I can see "ppp0", this is correct.
By using "route", I cannot see default router, this is NOT correct.
I issued the following command before I can visit GNOME's BugZilla :)
sudo route add default dev ppp0
Comment 21 Sergey 2012-05-16 10:56:32 UTC
(In reply to comment #20)
> By using "ifconfig", I can see "ppp0", this is correct.
> By using "route", I cannot see default router, this is NOT correct.
> I issued the following command before I can visit GNOME's BugZilla :)
> sudo route add default dev ppp0

It would be cool if you could provide me the output of `tail -f -n 0 /var/log/syslog` at VPN connection setup time. You can also use the "export" feature (on the "VPN" tab of the network manager settings window) to export the VPN settings to a file and attach it here.
One more thing you can do: run `/usr/lib/NetworkManager/nm-l2tp-service --debug` before starting the VPN and provide its output (check it for sensitive data like passwords!).
Comment 22 Ma Hsiao-chun 2012-05-16 18:59:16 UTC
Created attachment 214204 [details]
tail -f -n 0 /var/log/syslog
Comment 23 Ma Hsiao-chun 2012-05-16 19:00:19 UTC
Created attachment 214205 [details]
My L2TP Setting for CUHKVPN
Comment 24 Ma Hsiao-chun 2012-05-16 19:05:30 UTC
$ /usr/lib/NetworkManager/nm-l2tp-service --debug
** Message: nm-l2tp-service (version 0.3.3-0precise1) starting...

** (nm-l2tp-service:2180): WARNING **: Failed to initialize VPN plugin: Connection ":1.60" is not allowed to own the service "org.freedesktop.NetworkManager.l2tp" due to security policies in the configuration file

I don't know whether this is normal...
Comment 25 Sergey 2012-05-17 10:54:26 UTC
(In reply to comment #24)
> I don't know whether this is normal...

Sorry, forgot to say that you must run this as root, eg
`sudo /usr/lib/NetworkManager/nm-l2tp-service --debug`

But I will review already provided data soon. Thanks!
Comment 26 Ma Hsiao-chun 2012-05-24 16:37:24 UTC
I'm using Ubuntu 12.04 LTS on another machine and this time it's 64bit.

I'm external to CUHK now.

I installed the same plugin in Comment#17 and imported same configuration.
And it seems like the whole plugin doesn't work at all:(

$ tail -n0 -f /var/log/syslog
May 25 00:26:17 precise NetworkManager[903]: <info> VPN service 'l2tp' appeared; activating connections
May 25 00:26:24 precise NetworkManager[903]: <error> [1337876784.313191] [nm-vpn-connection.c:892] plugin_need_secrets_cb(): (73683d37-9a5a-4cb3-b553-4e42ad076441/VPN connection 1) plugin NeedSecrets request #1 failed: dbus-glib-error-quark Rejected send message, 1 matched rules; type="method_call", sender=":1.5" (uid=0 pid=903 comm="NetworkManager ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" requested_reply="0" destination="org.freedesktop.NetworkManager.l2tp" (uid=0 pid=5303 comm="/usr/lib/NetworkManager/nm-l2tp-service --debug ")
May 25 00:26:24 precise NetworkManager[903]: <warn> error disconnecting VPN: Rejected send message, 1 matched rules; type="method_call", sender=":1.5" (uid=0 pid=903 comm="NetworkManager ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="Disconnect" error name="(unset)" requested_reply="0" destination="org.freedesktop.NetworkManager.l2tp" (uid=0 pid=5303 comm="/usr/lib/NetworkManager/nm-l2tp-service --debug ")
May 25 00:26:24 precise NetworkManager[903]: <info> Policy set 'Auto Ethernet' (eth0) as default for IPv4 routing and DNS.
Comment 27 Sergey 2012-05-24 17:43:36 UTC
(In reply to comment #26)
I've seen a similar message sometimes after install on some machines, but I'm not sure about the reason for that error. I don't remember a good workaround, but you can try to restart the dbus daemon or the computer...

Also, can you try to run the recommendations from #25 on your previous machine and upload the syslog and --debug output? I checked the logs from #22 and didn't find the reason for the routes issue...
Comment 28 Ma Hsiao-chun 2012-06-28 01:03:52 UTC
Sorry for late reply.

I switched to GNOME Shell on my Ubuntu 12.04 box outside CUHK.
Then the plugin works quite well.
Comment 29 Dan Winship 2013-05-02 16:05:20 UTC
NM bugzilla reorganization... sorry for the bug spam.
Comment 30 surak 2013-06-15 17:20:12 UTC
Comment #17 works for a very specific subset of users, namely those with a current (not bleeding-edge) version of Ubuntu.

The fact that this bug is still marked as NEW since 2008 is telling. What can I, as a developer, do in order to have that code as an integral part of NM, so all distros and people affected can benefit from it?
Comment 31 Thomas Haller 2014-07-23 15:58:06 UTC
(In reply to comment #30)
> The comment #17 works for a very specific subset of users - namely, those with
> a current (not bleeding-edge) version of ubuntu.
> 
> The fact that this bug is still marked as NEW since 2008 is telling. What can
> I, as a developer, do in order to have that code as an integral part of NM, so
> all distros and people affected can benefit from it?


There exists a NetworkManager plugin that seems to work (I didn't test it myself).

It is packaged for quite a while now with Ubuntu (network-manager-l2tp) and Fedora (NetworkManager-l2tp) (probably many other distributions as well).

While the NetworkManager core project does not provide this and it does not maintain the plugin, it explicitly enables plugins to provide missing functionality.

Let's keep this bug open, until https://github.com/seriyps/NetworkManager-l2tp decides to move under the NetworkManager umbrella, or until we create another plugin for l2tp.

In practice, users can use l2tp with NetworkManager and users can benefit from it (can they not??).
Comment 32 Sergey 2014-07-23 19:36:14 UTC
(In reply to comment #31)
> There exists a NetworkManager plugin that seems to work (I didn't test it
> myself).
> 
> It is packaged for quite a while now with Ubuntu (network-manager-l2tp) and
> Fedora (NetworkManager-l2tp) (probably many other distributions as well).
> 
> While the NetworkManager core project does not provide this and it does not
> maintain the plugin, it explicitly enables plugins to provide missing
> functionality.
> 
> Let's keep this bug open, until https://github.com/seriyps/NetworkManager-l2tp
> decides to move under the NetworkManager umbrella, or until we create another
> plugin for l2tp.
> 
> In practice, users can use l2tp with NetworkManager and users can benefit from
> it (can they not??).

I contacted the NM devs via IRC about a year ago, asking if this plugin might be included as an official NM plugin, but some of them (maybe dcbw, not sure..) said that they don't like the fact that the plugin creates files on the filesystem.
But there is no way to fix this, since xl2tpd can't be configured entirely via the command line.

Also, I have mostly lost interest in this project (while still using it for my own needs), so I will be happy if someone continues its development (especially the IPSec part, since it's the most limited and buggy).

Also, someone suggested to me to port the IPSec part from openswan to racoon, because the latter is better maintained.
Comment 33 Dan Williams 2014-07-23 20:53:39 UTC
Looking at it again, the xl2tpd configuration part isn't so bad, though the LAC can be configured through the control socket at least.  But possibly even easier than that is modifying xl2tpd to accept configuration on 'stdin', which might simply be:

file.c::init_config():

    deflac = (struct lac *) calloc (1, sizeof (struct lac));

    if (!strcmp (gconfig.configfile, "-"))
        f = stdin;
    else
        f = fopen (gconfig.configfile, "r");

    if (!f)
    {

The openswan part is somewhat more worrisome, but that's openswan/freeswan/libreswan's fault at the moment, and something we hope to work on cleaning up quite soon.
Comment 34 Ma Hsiao-chun 2014-07-26 17:54:23 UTC
Dear all:

Have you ever wondered why Android's L2TP works just fine?

I did an investigation some time ago:
http://lists.linuxfoundation.org/pipermail/ce-android-mainline/2013-December/000114.html

TL; DR version

IPSec: A wrapper is added to racoon so that it accepts stuff from argv:
https://github.com/CyanogenMod/android_external_ipsec-tools

L2TP: Google independently has kernel module(s), a daemon and UI stuff in Java.

Regards,
Comment 35 master_volkov 2015-04-01 08:13:06 UTC
Fedora 20 already includes it as an rpm:

NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64

Why not add l2tp to the official tree?
Comment 36 Lubomir Rintel 2016-03-20 15:19:43 UTC
No reason to keep this open. There's a maintained plugin and we do provide a stable plugin API precisely to enable this.