Connecting to a L2TP/IPSec VPN from Ubuntu desktop

In my previous post, “Secure IPsec/L2TP VPN for on the road android devices”, I wrote about how to set up an IPsec/L2TP VPN server and connect to it from any Android device. I was really impressed by how simple it was to configure a secure VPN tunnel with IPsec, so I decided to go a bit further and try to use the same tunnel with Ubuntu Desktop. Unfortunately, the IPsec/L2TP client side isn’t well supported under Linux, maybe because everyone is using OpenVPN. In the end I stumbled onto Werner Jaeger’s Launchpad page, where I found a GUI to manage IPsec/L2TP connections from Ubuntu Desktop; the connection setup is very straightforward and without glitches. Along with a simple PSK configuration, the GUI allows the use of certificates for authentication, more advanced L2TP options such as redial timeout and attempts, and of course all the important PPP options.

A more extended guide can be found at http://wiki.l2tpipsecvpn.tuxfamily.org

l2tp-ipsec-vpn installation

apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
apt-get update
apt-get install l2tp-ipsec-vpn
reboot

1) Right click on the icon in the notification area and go to ‘Edit connections’.

2) Authenticate as root.

3) Choose a name for the VPN

4) IPsec configuration:

Remote server: The ip address of the VPN server
Use pre-shared key for authentication: use the passphrase from the server /etc/ipsec.secrets

L2TP Configuration:

Select Length bit

PPP configuration:

Select only CHAP authentication and enter the user name and the password copied from the server’s /etc/ppp/chap-secrets.

Click on OK

Connecting to the VPN: Go to the icon in the notification area and click on vpnhome; after a couple of seconds you should be connected to the VPN.

24 thoughts on “Connecting to a L2TP/IPSec VPN from Ubuntu desktop”

  1. guille

    Thank god I found your blog and l2tp-ipsec-vpn. Your tutorial worked really well to set up my VPN connection. I still had to iterate a few times with the IP settings to make it work (e.g. need to put the DNS servers in automatic)

    you made my day!

    g

    Reply
  2. chev

    Yes excellent tuto .

    but,…

    the application of this tutorial does not allow the operation of the vpn long term.
    and if the internet crash, the vpn also planted but does not reconnect

    Result: vpn connection interrupted the exposure causes the PC concerned.

    this problem has been, is found in Debian and derivatives (Ubuntu and others).

    For my part,
    I note that the key concern in the debian en fr version while it does not seem worried.

    A solution you one? If so I am very interested because my machines are remote and therefore a source vpn death is bad security.

    Thank you for the follow-up to this post.

    Reply
  3. chev

    Correction with apologies: I did not read before sending:

    debian concerned: Fr, De (utschland) and En.
    It (alian) has no worries.

    Reply
  4. Prakash

    Hi,

    Have followed all steps but I am getting following error on Ubuntu 11.10

    ——————————————-
    ipsec_setup: Stopping Openswan IPsec…
    Stopping xl2tpd: xl2tpd.
    ipsec_setup: Starting Openswan IPsec 2.6.28…
    ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
    ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
    Starting xl2tpd: xl2tpd.
    Last command timed out
    000 initiating all conns with alias=’connName’
    021 no connection named “connName”
    [ERROR 300] ‘IPsec’ failed to negotiate or establish security associations

    Reply
  5. Nk

    Hi,

    I tried this on Ubuntu 11.04 and it seems after install and reboot, I couldn’t find L2TP in edit connections.
    Any idea?
    Thanks

    Reply
  6. bijan

    Hello,
    Nice post, but I have a problem. I am behind NAT (like many others) and on the VPN server (WinServer2003) I limited to a static IP address (like: 192.168.255.12). But with this method, the VPN connection tries to connect with the IP address of my local network (192.168.2.4)!!

    So consequently, the connection will fail!
    How could I set a manual IP address to connect with?

    Reply
  7. Gary

    Hi All,

    Please could you let me know which version of Ubuntu this works for? I have tried 11.10 Desktop x32 to no avail. Many thanks

    Gary

    Reply
  8. pbailey Post author

    Hi Gary,

    Unfortunately, the ipsec modules are not working on the 3.* kernel version. Let’s hope for some good news in the Ubuntu 12.04 release. This how-to was written for Ubuntu 11.04.

    Best,

    Phillip

    Reply
  9. Arian

    Hi

    I don’t have a pre-shared key and my company doesn’t know what it is and doesn’t have one.
    How can I find this?

    Reply
  10. Jonner

    Philip,
    ‘Worked a treat. Had tried this before but as you had hoped, this seems to have been fixed on 12.04 that I am currently using. Can’t seem to get DNS at the minute but can RDP over IP which is all I require. Ubuntu x64 Desktop to Sonicwall TZ200 L2TP server.

    Cheers

    Reply
  11. Archil

    I am getting the following error.
    What can it be?

    buntu-1204-precise-64-minimal ~ # nmcli con up id vpn1

    (process:6418): GLib-WARNING **: (/build/buildd/glib2.0-2.32.3/./glib/gerror.c:390):g_error_new_valist: runtime check failed: (domain != 0)
    Error: No suitable device found: no active connection or device.
    root@Ubuntu-1204-precise-64-minimal ~ #

    more details about my configuration

    ~ # lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04.1 LTS
    Release: 12.04
    Codename: precise
    uname -a
    Linux Ubuntu-1204-precise-64-minimal 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

    Reply
  12. Jonathan Mergy

    Bummer. Trying to get it going on Ubuntu 12.10. No dice

    Starting xl2tpd: invoke-rc.d: initscript xl2tpd, action “start” failed.
    dpkg: error processing xl2tpd (--configure):
    subprocess installed post-installation script returned error exit status 1
    dpkg: dependency problems prevent configuration of l2tp-ipsec-vpn-daemon:
    l2tp-ipsec-vpn-daemon depends on xl2tpd (>= 1.2.5); however:
    Package xl2tpd is not configured yet.

    dpkg: error processing l2tp-ipsec-vpn-daemon (--configure):
    dependency problems - leaving unconfigured
    dpkg: dependency problems prevent configuration of l2tp-ipsec-vpn:
    l2tp-ipsec-vpn depends on l2tp-ipsec-vpn-daemon (>= 0.9.8); however:
    Package l2tp-ipsec-vpn-daemon is not configured yet.

    dpkg: error processing l2tp-ipsec-vpn (--configure):
    dependency problems - leaving unconfigured
    Setting up libcli1.9:amd64 (1.9.6-1) …
    Setting up l2tpns (2.1.21-1.1ubuntu1) …
    Starting l2tpns: l2tpns.
    Processing triggers for libc-bin …
    ldconfig deferred processing now taking place
    Processing triggers for ureadahead …
    Errors were encountered while processing:
    xl2tpd
    l2tp-ipsec-vpn-daemon
    l2tp-ipsec-vpn
    E: Sub-process /usr/bin/dpkg returned an error code (1)

    Reply
  13. Gulfam wani

    Hi pbailey,
    I am trying to create an ipsec vpn connection in vyatta 5.0.2
    Here is my configuration file:

    ipsec {
        copy-tos disable
        esp-group esp-vyatta {
            compression disable
            proposal 1 {
                encryption 3des
            }
        }
        ike-group ike-vyatta {
            aggressive-mode disable
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption 3des
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 192.168.1.219 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret presharedsecret
                }
                ike-group ike-vyatta
                local-ip 192.168.1.39
                tunnel 1 {
                    allow-nat-networks disable
                    esp-group esp-vyatta
                    local-subnet 192.168.1.0/24
                    remote-subnet 192.168.1.0/24
                }
            }
        }
    }

    After installing the ipsec client on my local machine (Ubuntu 12.04 LTS) for testing, when I am trying to connect I am getting the following error:

    May 28 15:25:40.141 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-40-generic-pae…
    May 28 15:25:40.473 ipsec_setup: multiple default routes, using 192.168.1.1 on eth0
    May 28 15:25:40.490 ipsec__plutorun: Starting Pluto subsystem…
    May 28 15:25:40.534 recvref[30]: Protocol not available
    May 28 15:25:40.550 xl2tpd[5388]: This binary does not support kernel L2TP.
    May 28 15:25:40.551 Starting xl2tpd: xl2tpd.
    May 28 15:25:40.557 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    May 28 15:25:40.558 xl2tpd[5390]: xl2tpd version xl2tpd-1.3.1 started on gulfamwani-desktop PID:5390
    May 28 15:25:40.559 xl2tpd[5390]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    May 28 15:25:40.565 xl2tpd[5390]: Forked by Scott Balmos and David Stipp, (C) 2001
    May 28 15:25:40.565 xl2tpd[5390]: Inherited by Jeff McAdams, (C) 2002
    May 28 15:25:40.566 xl2tpd[5390]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    May 28 15:25:40.566 xl2tpd[5390]: Listening on IP address 0.0.0.0, port 1701
    May 28 15:25:40.612 ipsec__plutorun: 002 added connection description “Test_vpn”
    May 28 15:26:50.918 104 “Test_vpn” #1: STATE_MAIN_I1: initiate
    May 28 15:26:50.919 003 “Test_vpn” #1: ignoring unknown Vendor ID payload [4f45606c50487c5662707575]
    May 28 15:26:50.919 003 “Test_vpn” #1: received Vendor ID payload [Dead Peer Detection]
    May 28 15:26:50.921 003 “Test_vpn” #1: received Vendor ID payload [RFC 3947] method set to=109
    May 28 15:26:50.922 106 “Test_vpn” #1: STATE_MAIN_I2: sent MI2, expecting MR2
    May 28 15:26:50.922 003 “Test_vpn” #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    May 28 15:26:50.922 108 “Test_vpn” #1: STATE_MAIN_I3: sent MI3, expecting MR3
    May 28 15:26:50.923 004 “Test_vpn” #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    May 28 15:26:50.923 117 “Test_vpn” #2: STATE_QUICK_I1: initiate
    May 28 15:26:50.924 010 “Test_vpn” #2: STATE_QUICK_I1: retransmission; will wait 20s for response
    May 28 15:26:50.924 010 “Test_vpn” #2: STATE_QUICK_I1: retransmission; will wait 40s for response
    May 28 15:26:50.925 031 “Test_vpn” #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    May 28 15:26:50.925 000 “Test_vpn” #2: starting keying attempt 2 of at most 3, but releasing whack
    May 28 15:26:50.935 [ERROR 300] ‘IPsec’ failed to negotiate or establish security associations
    May 28 15:40:55.576 xl2tpd[5390]: death_handler: Fatal signal 15 received
    May 28 15:40:55.579 Stopping xl2tpd: xl2tpd.
    May 28 15:40:55.660 ipsec_setup: Stopping Openswan IPsec…

    Please let me know where I am going wrong.

    Reply
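
Added example (not part of the original post or of any comment): the Openswan output quoted in comments 4 and 13 stops at different stages, and a short parser makes that visible by reporting, per connection, whether it was loaded and how far Main Mode (IKE phase 1) and Quick Mode (phase 2) got. It assumes the `STATE_MAIN_*` / `STATE_QUICK_*` line format shown on this page; `diagnose`, `LEGACY` (this example's own choice of what to flag) and the sample log are constructed for illustration.

```python
import re

# Constructed sample: lines abridged from the Openswan output quoted in
# comments 4 and 13. \u201c and \u201d are the curly quotes the blog substituted.
SAMPLE_LOG = """\
021 no connection named \u201cconnName\u201d
May 28 15:26:50.918 104 "Test_vpn" #1: STATE_MAIN_I1: initiate
May 28 15:26:50.923 004 "Test_vpn" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
May 28 15:26:50.923 117 "Test_vpn" #2: STATE_QUICK_I1: initiate
May 28 15:26:50.925 031 "Test_vpn" #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
"""

# Substrings this example flags as legacy algorithms (the example's own list).
LEGACY = ("3des", "modp1024")
MISSING = re.compile(r'no connection named "(?P<conn>[^"]+)"')
STATE = re.compile(r'"(?P<conn>[^"]+)" #\d+: (?P<gaveup>max number of retransmissions '
                   r'\(\d+\) reached )?STATE_(?P<phase>MAIN|QUICK)_[IR]\d(?P<rest>.*)')


def diagnose(log):
    """Map each connection name to how far IKE negotiation got in a pluto log."""
    report = {}
    for raw in log.splitlines():
        line = raw.replace("\u201c", '"').replace("\u201d", '"')
        m = MISSING.search(line)
        if m:  # pluto never loaded a connection of that name
            report[m["conn"]] = {"loaded": False, "phase1": None,
                                 "phase2": None, "legacy": []}
            continue
        m = STATE.search(line)
        if not m:
            continue
        entry = report.setdefault(m["conn"], {"loaded": True, "phase1": None,
                                               "phase2": None, "legacy": []})
        key = "phase1" if m["phase"] == "MAIN" else "phase2"  # Main vs Quick Mode
        if m["gaveup"]:
            entry[key] = "failed"
        elif "established" in m["rest"]:
            entry[key] = "established"
            entry["legacy"] += [p for p in LEGACY
                                if p in m["rest"].lower() and p not in entry["legacy"]]
        elif entry[key] is None:
            entry[key] = "pending"
    return report


if __name__ == "__main__":
    for name, result in diagnose(SAMPLE_LOG).items():
        print(name, result)
```

A connection reported as not loaded points at the local configuration, while phase 1 established with phase 2 failed means the pre-shared key was accepted and the remaining disagreement is in the Quick Mode proposal.
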
  14. Pingback: A bit of L2TP debuging | Len

  15. Sabrina

    I have a similar output as Gulfam wani, and I’m on Ubuntu 13.04. Does anyone have insight on what’s wrong?

    Reply
  16. Matt

    as root:

    touch /etc/xl2tpd/xl2tpd.conf
    apt-get install -f

    This should allow the install of xl2tpd and, thereby, everything else..

    Reply
  17. Ross

    I’m trying to set up an L2TP connection to my ISP for a static IP. They can’t offer me any help as they only support L2TP enabled routers, not servers running ubuntu >.>

    The only settings I have are below.

    Connection Type: Remote Access
    Type: Dial Out
    Server IP: 196.30.121.50
    Username: Your DSL Username
    Password: Your DSL Password
    Authentication Type: PAP
    Tunnel Authentication: Yes
    Secret: h3lp
    Active as Default Route: Yes
    IPSec: No

    What is the “secret”? Is it the same as the preshared key?

    Reply
