GNOME Bugzilla – Bug 554046
vpn: L2TP VPN support
Last modified: 2016-03-20 15:19:43 UTC
Missing feature: You cannot connect to a (Microsoft) L2TP IPSEC VPN with Network Manager. The server I want to connect to expects a login / password and a PSK. When you do a connection in XP you can see the following details on a connection:
Device name: L2TP
Server type: PPP
Authentication: MS CHAP v2
IPSEC Encryption: IPSEC ESP 3DES
Compression: MPPC
It can be done by using xl2tpd and openswan. More information can be found on these two sites for example:
http://www.jacco2.dds.nl/networking/linux-l2tp.html
http://gentoo-wiki.com/HOWTO_StrongSwan_VPN_using_FreeRadius_/_Active_Directory
I also need that feature
IPSec-Tools (http://ipsec-tools.sourceforge.net/) would be an alternative to Openswan, if one is desired. On Windows XP and Mac OS X, IPsec + L2TP is the only flavor of IPSec VPN supported out of the box; it would be really nice to have a plugin available for NM. I'd be more than happy to assist in testing such a plugin, but I don't have the expertise to write it myself.
Notice the following Google Summer of Code: http://www.xelerance.com/GSoC2009/
@Julein Iguchi-Cartigny: Very nice, this is exactly what we are looking for. I'm sending this bug id to the mail address on that page. Also, the Launchpad bug id for the Ubuntu bug is #264691 (https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/264691)
May I point out that 80% of home users in Ukraine and Russia will need this feature to be able to get online. Right now they are given an option of using either PPTP or L2TP but are pushed by ISPs towards L2TP more and more. This trend is not to be overlooked.
I'd like to point out that L2TP is the only non-proprietary type of VPN supported by many widely deployed SonicWall firewalls in the US. Support in NM would be great, since other methods of becoming an L2TP client on the Linux desktop seem to be pretty painful to use.
I confirm that the L2TP option via Network Manager is very important for users in Russia, where most Internet providers use pptp/L2TP tunneling, with no alternatives. NM+pptp is already present in major distributions -- it's great! NM is an extremely useful application; I don't know any management suite for LAN+WiFi that is comparable to NM in functionality, even for Windows. One step forward is to add an L2TP connection plugin for NM.
L2TP is also used by some companies and schools in China. It's a pity that we can't use L2TP through NM.
I confirm the other comments. It is very important for most NM users to implement the possibility to connect over L2TP.
I actually implemented a GUI based on Qt4 a few weeks ago. The GUI is not a network manager plug-in. However, it provides a system tray icon in the notification area from which a non-privileged user can establish and bring down L2TP over IPsec VPN connections. There is also an 'Edit connections' menu item. In order to bring up the editor dialog, a non-privileged user must authenticate as root. From there the user can add, remove and edit VPN connections. Editing allows configuring various options for IPsec, L2TP and PPP. Among others, the user can configure e.g. the gateway, the use of either PSK or a certificate for authentication, various L2TP options such as redial-timeout and attempts and of course all relevant PPP options. When applying your settings, all necessary configuration files are written accordingly (ipsec.conf, xl2tp.conf, options.xl2tpd, opensc.conf, up and down scripts ...). It relies on the Openswan and xl2tp packages as the underlying protocol handlers.
You can also use certificates on your local machine or, if e.g. OpenSC is installed and configured, even on a smart card to handle PPP authentication. The GUI automatically detects when network interfaces are going up or down and can (if so configured) automatically establish or close VPN connections.
In case you want to give it a try, you'll find the packages for Ubuntu Maverick at https://launchpad.net/~werner-jaeger/+archive/ppa-werner-vpn/+packages You'll need to install all three packages! Unfortunately there is not yet any user documentation so, if you have questions, feel free to contact me.
I've implemented a NetworkManager-l2tp plugin. It is based on the -pptp plugin and works with xl2tpd to establish the L2TP connection. Basic features are already functional but it needs polishing and testing. Source code is here: https://github.com/atorkhov/NetworkManager-l2tp Fedora packages here, note that it currently needs permissive/disabled SELinux: http://atorkhov.fedorapeople.org/NetworkManager-l2tp/ People are welcome to work on the plugin or include it in various distros :)
I continue to support Alexey Torkhov's plugin. So, it now supports NM 0.8 and NM 0.9, GTK3 and so on. You can find it on my github page https://github.com/seriyps/NetworkManager-l2tp (branch "nm_0.8" contains the NM 0.8 version, "master" - NM 0.9). Also, it has rudimentary IPSec support. I'll also create a PPA deb repository on Launchpad for Ubuntu users (https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp); some of them report that the plugin works for them. Packages must work on Debian I think.
The Chinese University of Hong Kong or CUHK uses L2TP VPN for both external connection and internal connection. In the campus area, if I cannot connect to the school's L2TP VPN, I cannot use the network port in my dormitory and my wireless connection would be a limited one, e.g., I cannot SSH to my department's Linux machines. Currently, we have to do extensive CLI configuration. Note that we also use IPSec. http://www.cuhk.edu.hk/itsc/network/vpn/linuxvpn.html L2TP setup for other major systems is much, much easier http://www.cuhk.edu.hk/itsc/network/vpn/vpn.html
(In reply to comment #13) Can you, please, try my L2TP plugin from comment #12. It supports IPSec + PSK L2TP.
(In reply to comment #14) I'm sorry for the late reply. I have no time to install a clean Ubuntu and test your package currently. But from my experience of shell script connection, I find several key points.
1. Determine whether it is an internal connection or an external (across the Internet) connection.
2. If INTERNAL, a script like this would work; this case is easier: http://www.cuhk.edu.hk/itsc/network/vpn/linuxvpn/connect.sh
3. If EXTERNAL, a script like this is needed; this is a bit more complicated: http://dl.dropbox.com/u/45139465/connect.sh
4. For EXTERNAL, we have to know our public IP. Otherwise, we cannot set up IPSec correctly. I'm using IPsec-Tools. http://ipsec-tools.sourceforge.net/
5. For EXTERNAL, we have to gracefully replace the default router. If it was an Ethernet connection, we need a routing table like this. Note that VPN_PEER_IP can be determined by ping beforehand, at least for my university's VPN server. 192.168.1.1 was the previous Ethernet gateway.
VPN_PEER_IP 192.168.1.1
192.168.0.0 eth0
0.0.0.0 ppp0
If it was already a PPP connection, e.g., ADSL, 3G, we need routing like this.
VPN_PEER_IP ppp0
0.0.0.0 ppp1
As far as I can tell, pppd does not have an option to do such a setting. We may use some scripts, though.
Note that VPN_PEER_IP canNOT be determined by ping beforehand, at least for my university's VPN server. I'm sorry.
I took the NM plugin for L2TP VPN from the Ubuntu PPA https://launchpad.net/~seriy-pr/+archive/network-manager-l2tp. It works fine. I think it should be included upstream.
Hi, all. I just checked the mailing list archive. http://mail.gnome.org/archives/networkmanager-list/2008-May/msg00282.html 4 years later. What changed?
(In reply to comment #18)
> Hi, all.
>
> I just checked the mailing list archive.
> http://mail.gnome.org/archives/networkmanager-list/2008-May/msg00282.html
>
> 4 year later. What changed?
Did you try the package in Comment#17?
Hi, I just tried the package in #c17. My distro is Ubuntu 12.04, 32bit. I'm inside CUHK. I'm using a LAN port on the wall.
PPP Settings: Set the authentication methods to be PAP and MSCHAPv2. Uncheck all compression stuff.
Then I can connect with my username, password and IPSec PSK.
By using "ifconfig", I can see "ppp0", this is correct.
By using "route", I cannot see default router, this is NOT correct.
I issued the following command before I can visit GNOME's BugZilla :)
sudo route add default dev ppp0
(In reply to comment #20)
> By using "ifconfig", I can see "ppp0", this is correct.
> By using "route", I cannot see default router, this is NOT correct.
> I issued the following command before I can visit GNOME's BugZilla :)
> sudo route add default dev ppp0
It will be cool if you provide me the output of `tail -f -n 0 /var/log/syslog` at VPN connection setup time. Also you can use the "export" feature (on the "VPN" tab of the network manager settings window) to export the VPN settings to a file and attach it here. One more thing you can do: run `/usr/lib/NetworkManager/nm-l2tp-service --debug` before starting the VPN and provide its output (check it for sensitive data like passwords!).
Created attachment 214204: tail -f -n 0 /var/log/syslog
Created attachment 214205: My L2TP Setting for CUHKVPN
$ /usr/lib/NetworkManager/nm-l2tp-service --debug
** Message: nm-l2tp-service (version 0.3.3-0precise1) starting...
** (nm-l2tp-service:2180): WARNING **: Failed to initialize VPN plugin: Connection ":1.60" is not allowed to own the service "org.freedesktop.NetworkManager.l2tp" due to security policies in the configuration file
I don't know whether this is normal...
(In reply to comment #24)
> I don't know whether this is normal...
Sorry, forgot to say that you must run this as root, e.g. `sudo /usr/lib/NetworkManager/nm-l2tp-service --debug`. But I will review the already provided data soon. Thanks!
I'm using Ubuntu 12.04 LTS on another machine and this time it's 64bit. I'm external to CUHK now. I installed the same plugin in Comment#17 and imported the same configuration. And it seems like the whole plugin doesn't work at all :(
$ tail -n0 -f /var/log/syslog
May 25 00:26:17 precise NetworkManager[903]: <info> VPN service 'l2tp' appeared; activating connections
May 25 00:26:24 precise NetworkManager[903]: <error> [1337876784.313191] [nm-vpn-connection.c:892] plugin_need_secrets_cb(): (73683d37-9a5a-4cb3-b553-4e42ad076441/VPN connection 1) plugin NeedSecrets request #1 failed: dbus-glib-error-quark Rejected send message, 1 matched rules; type="method_call", sender=":1.5" (uid=0 pid=903 comm="NetworkManager ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="NeedSecrets" error name="(unset)" requested_reply="0" destination="org.freedesktop.NetworkManager.l2tp" (uid=0 pid=5303 comm="/usr/lib/NetworkManager/nm-l2tp-service --debug ")
May 25 00:26:24 precise NetworkManager[903]: <warn> error disconnecting VPN: Rejected send message, 1 matched rules; type="method_call", sender=":1.5" (uid=0 pid=903 comm="NetworkManager ") interface="org.freedesktop.NetworkManager.VPN.Plugin" member="Disconnect" error name="(unset)" requested_reply="0" destination="org.freedesktop.NetworkManager.l2tp" (uid=0 pid=5303 comm="/usr/lib/NetworkManager/nm-l2tp-service --debug ")
May 25 00:26:24 precise NetworkManager[903]: <info> Policy set 'Auto Ethernet' (eth0) as default for IPv4 routing and DNS.
(In reply to comment #26) I've seen a similar message sometimes after install on some machines, but I'm not sure about the reason for that error. I don't remember a good workaround, but you can try to restart the dbus daemon or the computer... Also, can you try to run the recommendations from #25 on your previous machine and upload the syslog and --debug output? I checked the logs from #22 and didn't find the reason for the routes issue...
Sorry for late reply. I switched to GNOME Shell on my Ubuntu 12.04 box outside CUHK. Then the plugin works quite well.
NM bugzilla reorganization... sorry for the bug spam.
The comment #17 works for a very specific subset of users - namely, those with a current (not bleeding-edge) version of Ubuntu. The fact that this bug is still marked as NEW since 2008 is telling. What can I, as a developer, do in order to have that code as an integral part of NM, so all distros and people affected can benefit from it?
(In reply to comment #30)
> The comment #17 works for a very specific subset of users - namely, those with
> a current (not bleeding-edge) version of ubuntu.
>
> The fact that this bug is still marked as NEW since 2008 is telling. What can
> I, as a developer, do in order to have that code as an integral part of NM, so
> all distros and people affected can benefit from it?
There exists a NetworkManager plugin that seems to work (I didn't test it myself). It is packaged for quite a while now with Ubuntu (network-manager-l2tp) and Fedora (NetworkManager-l2tp) (probably many other distributions as well). While the NetworkManager core project does not provide this and it does not maintain the plugin, it explicitly enables plugins to provide missing functionality. Let's keep this bug open, until https://github.com/seriyps/NetworkManager-l2tp decides to move under the NetworkManager umbrella, or until we create another plugin for l2tp. In practice, users can use l2tp with NetworkManager and users can benefit from it (can they not??).
(In reply to comment #31)
> There exists a NetworkManager plugin that seems to work (I didn't test it
> myself).
>
> It is packaged for quite a while now with Ubuntu (network-manager-l2tp) and
> Fedora (NetworkManager-l2tp) (probably many other distributions as well).
>
> While the NetworkManager core project does not provide this and it does not
> maintain the plugin, it explicitly enables plugins to provide missing
> functionality.
>
> Let's keep this bug open, until https://github.com/seriyps/NetworkManager-l2tp
> decides to move under the NetworkManager umbrella, or until we create another
> plugin for l2tp.
>
> In practice, users can use l2tp with NetworkManager and users can benefit from
> it (can they not??).
I contacted the NM devs via IRC about a year ago, asking if this plugin may be included as an official NM plugin, but some of them (maybe dcbw, not sure..) said that they don't like the fact that the plugin creates files on the filesystem. But there is no way to fix this, since xl2tpd can't be configured entirely via the command line. Also, I mostly lost interest in this project (while still using it for my own needs), so I will be happy if someone continues its development (especially the IPSec part, since it's the most limited and buggy). Also, someone suggested to me to port the IPSec part from openswan to racoon, because the latter is better maintained.
Looking at it again, the xl2tpd configuration part isn't so bad, though the LAC can be configured through the control socket at least. But possibly even easier than that is modifying xl2tpd to accept configuration on 'stdin', which might simply be:

file.c::init_config():
    deflac = (struct lac *) calloc (1, sizeof (struct lac));
    if (!strcmp (gconfig.configfile, "-"))
        f = stdin;                          /* "-" selects stdin as the config source */
    else
        f = fopen (gconfig.configfile, "r");
    if (!f) {

The openswan part is somewhat more worrisome, but that's openswan/freeswan/libreswan's fault at the moment, and something we hope to work on cleaning up quite soon.
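The idea above, as an added example that is not xl2tpd's or the plugin's own code: a minimal reader for the xl2tpd.conf-style "[section]" / "key = value" format that treats "-" as "read from stdin", so a caller such as an NM plugin could hand the configuration over a pipe instead of leaving it on the filesystem. The names open_config, parse_config and cfg_entry are assumptions, and only the simple subset of the format shown here is handled.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical record for one "key = value" line and the section it sits in. */
struct cfg_entry { char section[32]; char key[32]; char value[64]; };

/* "-" selects stdin (the caller pipes the config in); otherwise open a file. */
FILE *open_config(const char *name)
{
    return strcmp(name, "-") == 0 ? stdin : fopen(name, "r");
}

/* Strip leading and trailing whitespace in place. */
static char *trim(char *s)
{
    while (isspace((unsigned char)*s)) s++;
    char *e = s + strlen(s);
    while (e > s && isspace((unsigned char)e[-1])) *--e = '\0';
    return s;
}

/* Read "[section]" headers and "key = value" lines (';' starts a comment)
 * from an open stream. Returns the number of entries stored, or -1 on a
 * malformed line or when more than 'max' entries are present. */
int parse_config(FILE *f, struct cfg_entry *out, int max)
{
    char line[256], section[32] = "";
    int n = 0;
    while (fgets(line, sizeof line, f)) {
        char *s = trim(line), *eq;
        if (*s == '\0' || *s == ';')
            continue;                       /* blank or comment line */
        if (*s == '[') {                    /* section header */
            char *end = strchr(s, ']');
            if (!end) return -1;
            *end = '\0';
            snprintf(section, sizeof section, "%s", s + 1);
            continue;
        }
        eq = strchr(s, '=');
        if (!eq || n >= max) return -1;
        *eq = '\0';
        snprintf(out[n].section, sizeof out[n].section, "%s", section);
        snprintf(out[n].key, sizeof out[n].key, "%s", trim(s));
        snprintf(out[n].value, sizeof out[n].value, "%s", trim(eq + 1));
        n++;
    }
    return n;
}
```

With this in place the plugin could run the daemon with "-" as the config path and write the generated configuration to its stdin, so no config file carrying connection details needs to be created on disk.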
Dear all: Have you ever wondered why Android's L2TP works just fine? I did an investigation some time ago: http://lists.linuxfoundation.org/pipermail/ce-android-mainline/2013-December/000114.html TL;DR version: IPSec: A wrapper is added to racoon so that it accepts stuff from argv: https://github.com/CyanogenMod/android_external_ipsec-tools L2TP: Google independently has kernel module(s), a daemon and UI stuff in Java. Regards,
Fedora 20 already includes it as an RPM: NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64. Why not add l2tp to the official tree?
No reason to keep this open. There's a maintained plugin and we do provide a stable plugin API precisely to enable this.