Connecting to an L2TP/IPsec VPN from Ubuntu desktop


In my previous post, “Secure IPsec/L2TP VPN for on the road android devices”, I wrote about how to set up an IPsec/L2TP VPN server and connect to it from any Android device. I was really impressed by how simple it was to configure a secure VPN tunnel with IPsec, so I decided to go a bit further and try to use the same tunnel with Ubuntu Desktop. Unfortunately, the IPsec/L2TP client side isn’t well supported under Linux, maybe because everyone is using OpenVPN. In the end I stumbled upon Werner Jaeger’s Launchpad page, where I found a GUI to manage IPsec/L2TP connections from Ubuntu Desktop; the connection setup is very straightforward and without glitches. Along with a simple PSK configuration, the GUI allows the use of certificates for authentication, more advanced L2TP options such as redial timeout and attempts, and of course all the important PPP options.

A more extended guide can be found at http://wiki.l2tpipsecvpn.tuxfamily.org

l2tp-ipsec-vpn installation

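[sourcecode language="bash"]
# Run as root (or prefix each command with sudo).
# Add the PPA, install the VPN manager, then reboot.
apt-add-repository ppa:werner-jaeger/ppa-werner-vpn
apt-get update
apt-get install l2tp-ipsec-vpn
reboot
[/sourcecode]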

1) Right click on the icon in the notification area and go to ‘Edit connections’.

2) Authenticate as root.

3) Choose a name for the VPN.

4) IPsec configuration:

Remote server: the IP address of the VPN server
Use pre-shared key for authentication: use the passphrase from the server’s /etc/ipsec.secrets

L2TP configuration:

Select Length bit

PPP configuration:

Select only CHAP authentication and enter the user name and the password copied from the server’s /etc/ppp/chap-secrets

Click on OK.

Connecting to the VPN: go to the icon in the notification area and click on vpnhome, wait a couple of seconds and you should be connected to the VPN.
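The pre-shared key and the CHAP credentials entered in step 4 come from two files on the VPN server. As an added example (not part of the original post), this script reads those values from constructed sample copies of the files and warns when a file is accessible to group or others; the sample contents, the user name `alice` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: all file contents below are constructed samples.

# Print the first pre-shared key in an ipsec.secrets-style file.
# Entry shape:  <local id> <remote id> : PSK "secret"
get_psk() {
    sed -n 's/^[^#]*:[[:space:]]*PSK[[:space:]]*"\(.*\)"[[:space:]]*$/\1/p' "$1" |
        head -n 1
}

# Print the CHAP secret for client $2 in a chap-secrets-style file.
# Columns: client  server  secret  IP addresses (secret without spaces).
get_chap_secret() {
    awk -v user="$2" '$1 == user { gsub(/^"|"$/, "", $3); print $3; exit }' "$1"
}

# Succeed only if group and others have no permission bits on the file.
is_private() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Print a permissions verdict for one secrets file.
report() {
    if is_private "$1"; then echo "OK    $1"
    else echo "WARN  $1 is accessible to group/others (chmod 600)"; fi
}

# Demo on constructed copies; the real files live on the VPN server.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf '%s\n' '# constructed sample' \
    '192.0.2.10 %any : PSK "constructed-psk-example"' > "$demo_dir/ipsec.secrets"
printf '%s\n' '# client server secret IP' \
    'alice l2tpd "constructed-chap-pass" *' > "$demo_dir/chap-secrets"
chmod 600 "$demo_dir/ipsec.secrets"
chmod 644 "$demo_dir/chap-secrets"   # deliberately too open, to show the warning

report "$demo_dir/ipsec.secrets"
report "$demo_dir/chap-secrets"
echo "Pre-shared key: $(get_psk "$demo_dir/ipsec.secrets")"
echo "CHAP password:  $(get_chap_secret "$demo_dir/chap-secrets" alice)"
```

On the server itself, point the functions at /etc/ipsec.secrets and /etc/ppp/chap-secrets as root instead of the sample copies.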


Comments

  1. Thanks for the VPN tutorial bro, I’m waiting for your next post about Ubuntu or other Linux

  2. I’ll try to do my best.

    Phillip

  3. Thank you for the post. I cannot connect your way. The official wiki suggests checking the last three PPP protocols. After that I can connect.

  4. Thank God I found your blog and l2tp-ipsec-vpn. Your tutorial worked really well to set up my VPN connection. I still had to iterate a few times with the IP settings to make it work (e.g. need to put the DNS servers in automatic)

    you made my day!

    g

  5. Yes excellent tuto .

    but,…

    the application of this tutorial does not allow the operation of the vpn long term.
    and if the internet crash, the vpn also planted but does not reconnect

    Result: vpn connection interrupted the exposure causes the PC concerned.

    this problem has been, is found in Debian and derivatives (Ubuntu and others).

    For my part,
    I note that the key concern in the debian en fr version while it does not seem worried.

    A solution you one? If so I am very interested because my machines are remote and therefore a source vpn death is bad security.

    Thank you for the follow-up to this post.

  6. Correction with apologies: I did not read before sending:

    debian concerned: Fr, De (utschland) and En.
    It (alian) has no worries.

  7. Hi,

    Have followed all steps but I am getting following error on Ubuntu 11.10

    ——————————————-
    ipsec_setup: Stopping Openswan IPsec…
    Stopping xl2tpd: xl2tpd.
    ipsec_setup: Starting Openswan IPsec 2.6.28…
    ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
    ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
    Starting xl2tpd: xl2tpd.
    Last command timed out
    000 initiating all conns with alias=’connName’
    021 no connection named “connName”
    [ERROR 300] ‘IPsec’ failed to negotiate or establish security associations

  8. Hi,

    I tried this on Ubuntu 11.04 and it seems after install and reboot, I couldn’t find L2TP in edit connections.
    Any idea?
    Thanks

  9. [ERROR 99] L2tpIPsecVpnControlDaemon is either not started or connection to it failed

  10. Nk: Same problem here with Ubuntu 11.10

  11. Hello,

    looks like it’s a problem related with the new 3.0 kernel and the IPSEC module.

  12. Hello,
    Nice post but I have a problem. I am behind NAT (like many others) and on the VPN server (WinServer2003) I limited to a static IP address (like: 192.168.255.12). But with this method, the VPN connection tries to connect with the IP address of my local network (192.168.2.4)!!

    So consequently, the connection will fail!
    How could I set a manual IP address to connect with?

  13. Hi All,

    Please could you let me know which version of Ubuntu this works for? I have tried 11.10 Desktop x32 to no avail. Many thanks

    Gary

  14. Hi Gary,

    Unfortunately the IPsec modules are not working on the 3.* kernel version. Let’s hope for some good news in the Ubuntu 12.04 release. This how-to was written for Ubuntu 11.04.

    Best,

    Phillip

  15. Hi

    I don’t have a pre-shared key and my company doesn’t know what it is and doesn’t have one.
    How can I find this?

  16. Philip,
    Worked a treat. Had tried this before but as you had hoped, this seems to have been fixed on 12.04 that I am currently using. Can’t seem to get DNS at the minute but can RDP over IP which is all I require. Ubuntu x64 Desktop to Sonicwall TZ200 L2TP server.

    Cheers

  17. I am getting the following error.
    What can it be?

    buntu-1204-precise-64-minimal ~ # nmcli con up id vpn1

    (process:6418): GLib-WARNING **: (/build/buildd/glib2.0-2.32.3/./glib/gerror.c:390):g_error_new_valist: runtime check failed: (domain != 0)
    Error: No suitable device found: no active connection or device.
    root@Ubuntu-1204-precise-64-minimal ~ #

    more details about my configuration

    ~ # lsb_release -a
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description: Ubuntu 12.04.1 LTS
    Release: 12.04
    Codename: precise
    uname -a
    Linux Ubuntu-1204-precise-64-minimal 3.2.0-32-generic #51-Ubuntu SMP Wed Sep 26 21:33:09 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

  18. Bummer. Trying to get it going on Ubuntu 12.10. No dice

    Starting xl2tpd: invoke-rc.d: initscript xl2tpd, action "start" failed.
    dpkg: error processing xl2tpd (--configure):
    subprocess installed post-installation script returned error exit status 1
    dpkg: dependency problems prevent configuration of l2tp-ipsec-vpn-daemon:
    l2tp-ipsec-vpn-daemon depends on xl2tpd (>= 1.2.5); however:
    Package xl2tpd is not configured yet.

    dpkg: error processing l2tp-ipsec-vpn-daemon (--configure):
    dependency problems - leaving unconfigured
    dpkg: dependency problems prevent configuration of l2tp-ipsec-vpn:
    l2tp-ipsec-vpn depends on l2tp-ipsec-vpn-daemon (>= 0.9.8); however:
    Package l2tp-ipsec-vpn-daemon is not configured yet.

    dpkg: error processing l2tp-ipsec-vpn (--configure):
    dependency problems - leaving unconfigured
    Setting up libcli1.9:amd64 (1.9.6-1) …
    Setting up l2tpns (2.1.21-1.1ubuntu1) …
    Starting l2tpns: l2tpns.
    Processing triggers for libc-bin …
    ldconfig deferred processing now taking place
    Processing triggers for ureadahead …
    Errors were encountered while processing:
    xl2tpd
    l2tp-ipsec-vpn-daemon
    l2tp-ipsec-vpn
    E: Sub-process /usr/bin/dpkg returned an error code (1)

  19. Hi dear

    Thank you for the tutorial

    What is the difference between your tutorial and the tutorial below?

    https://strongvpn.com/setup_ubuntu_11.10_l2tp.shtml

  20. Hi pbailey,
    I am trying to create an IPsec VPN connection in Vyatta 5.0.2
    Here is my configuration file:

    ipsec {
        copy-tos disable
        esp-group esp-vyatta {
            compression disable
            proposal 1 {
                encryption 3des
            }
        }
        ike-group ike-vyatta {
            aggressive-mode disable
            lifetime 3600
            proposal 1 {
                dh-group 2
                encryption 3des
            }
        }
        ipsec-interfaces {
            interface eth0
        }
        site-to-site {
            peer 192.168.1.219 {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret presharedsecret
                }
                ike-group ike-vyatta
                local-ip 192.168.1.39
                tunnel 1 {
                    allow-nat-networks disable
                    esp-group esp-vyatta
                    local-subnet 192.168.1.0/24
                    remote-subnet 192.168.1.0/24
                }
            }
        }

    After installing the IPsec client on my local machine (Ubuntu 12.04 LTS) for testing, when I am trying to connect I am getting the following error:

    May 28 15:25:40.141 ipsec_setup: Starting Openswan IPsec U2.6.37/K3.2.0-40-generic-pae…
    May 28 15:25:40.473 ipsec_setup: multiple default routes, using 192.168.1.1 on eth0
    May 28 15:25:40.490 ipsec__plutorun: Starting Pluto subsystem…
    May 28 15:25:40.534 recvref[30]: Protocol not available
    May 28 15:25:40.550 xl2tpd[5388]: This binary does not support kernel L2TP.
    May 28 15:25:40.551 Starting xl2tpd: xl2tpd.
    May 28 15:25:40.557 ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    May 28 15:25:40.558 xl2tpd[5390]: xl2tpd version xl2tpd-1.3.1 started on gulfamwani-desktop PID:5390
    May 28 15:25:40.559 xl2tpd[5390]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
    May 28 15:25:40.565 xl2tpd[5390]: Forked by Scott Balmos and David Stipp, (C) 2001
    May 28 15:25:40.565 xl2tpd[5390]: Inherited by Jeff McAdams, (C) 2002
    May 28 15:25:40.566 xl2tpd[5390]: Forked again by Xelerance (www.xelerance.com) (C) 2006
    May 28 15:25:40.566 xl2tpd[5390]: Listening on IP address 0.0.0.0, port 1701
    May 28 15:25:40.612 ipsec__plutorun: 002 added connection description “Test_vpn”
    May 28 15:26:50.918 104 “Test_vpn” #1: STATE_MAIN_I1: initiate
    May 28 15:26:50.919 003 “Test_vpn” #1: ignoring unknown Vendor ID payload [4f45606c50487c5662707575]
    May 28 15:26:50.919 003 “Test_vpn” #1: received Vendor ID payload [Dead Peer Detection]
    May 28 15:26:50.921 003 “Test_vpn” #1: received Vendor ID payload [RFC 3947] method set to=109
    May 28 15:26:50.922 106 “Test_vpn” #1: STATE_MAIN_I2: sent MI2, expecting MR2
    May 28 15:26:50.922 003 “Test_vpn” #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): no NAT detected
    May 28 15:26:50.922 108 “Test_vpn” #1: STATE_MAIN_I3: sent MI3, expecting MR3
    May 28 15:26:50.923 004 “Test_vpn” #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
    May 28 15:26:50.923 117 “Test_vpn” #2: STATE_QUICK_I1: initiate
    May 28 15:26:50.924 010 “Test_vpn” #2: STATE_QUICK_I1: retransmission; will wait 20s for response
    May 28 15:26:50.924 010 “Test_vpn” #2: STATE_QUICK_I1: retransmission; will wait 40s for response
    May 28 15:26:50.925 031 “Test_vpn” #2: max number of retransmissions (2) reached STATE_QUICK_I1. No acceptable response to our first Quick Mode message: perhaps peer likes no proposal
    May 28 15:26:50.925 000 “Test_vpn” #2: starting keying attempt 2 of at most 3, but releasing whack
    May 28 15:26:50.935 [ERROR 300] ‘IPsec’ failed to negotiate or establish security associations
    May 28 15:40:55.576 xl2tpd[5390]: death_handler: Fatal signal 15 received
    May 28 15:40:55.579 Stopping xl2tpd: xl2tpd.
    May 28 15:40:55.660 ipsec_setup: Stopping Openswan IPsec…

    Please let me know where I am going wrong.

  21. I have a similar output as Gulfam wani, and I’m on Ubuntu 13.04. Does anyone have insight on what’s wrong?

  22. as root:

    touch /etc/xl2tpd/xl2tpd.conf
    apt-get install -f

    This should allow the install of xl2tpd and, thereby, everything else..

  23. I’m trying to set up an L2TP connection to my ISP for a static IP. They can’t offer me any help as they only support L2TP enabled routers, not servers running ubuntu >.>

    The only settings I have are below.

    Connection Type Remote Access
    Type________________________Dial Out
    Server IP___________________196.30.121.50
    Username_________________Your DSL Username
    Password__________________Your DSL Password
    Authentication Type_______PAP
    Tunnel Authentication_____Yes
    Secret______________________h3lp
    Active as Default Route___Yes
    IPSec_______________________No

    What is the “secret”? Is it the same as the preshared key?

  24. Hello,

    your set-up instructions for Ubuntu don’t work:
    neither with 11.10. nor 12.04. !

    Mainly because the repository ppa:werner-jaeger/ppa-werner-vpn
    is not available anymore, therefore “other ppa is used instead”
    by Ubuntu: therefore it doesn’t work to connect!

    Any help and advice on hand?!?! Thank you!

    From Germany,
    Dirk

    (using 12.04. and own/private Ubuntu-server)
