Closed sadra-barikbin closed 3 months ago
Don't use the very weak Microsoft Point-to-Point Encryption (MPPE) if you have enabled the much stronger IPsec encryption. Most VPN servers don't support both.
I would also recommend using the newer version of network-manager-l2tp and go-l2tp from the following site which contain a number of bug fixes:
There should be much more in the log output with the following:
sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + _COMM=kl2tpd + SYSLOG_IDENTIFIER=pppd
@dkosovic , thank you for prompt response!
The VPN admin had me set those encryption params. By the way, I could connect to it in a Ubuntu 22.04 system. Here is the log for Ubuntu 24.04 (I installed the packages according to the link you provided) :
NetworkManager[987]: <info> [1722872800.6981] vpn[0x5d376628a3c0,dc38cd8b-ece4-4b70-a590-a00473a0bbd8,"MYVPN"]: starting l2tp
NetworkManager[987]: <info> [1722872800.6986] audit: op="connection-activate" uuid="dc38cd8b-ece4-4b70-a590-a00473a0bbd8" name="MYVPN" pid=2050 uid=1000 result="success"
generate[13299]: Permissions for /etc/netplan/01-network-manager-all.yaml are too open. Netplan configuration should NOT be accessible by others.
generate[13299]: nm-device: NM-2262dbdb-4c54-4382-815f-1794dae008a7: the renderer for nm-devices must be NetworkManager, it will be used instead of the defined one.
generate[13299]: nm-device: NM-dc38cd8b-ece4-4b70-a590-a00473a0bbd8: the renderer for nm-devices must be NetworkManager, it will be used instead of the defined one.
generate[13299]: nm-device: NM-f8e5e60b-5e4f-4bb4-929d-f45da6fc5d7e: the renderer for nm-devices must be NetworkManager, it will be used instead of the defined one.
nm-l2tp-service[13291]: Check port 1701
NetworkManager[13448]: Redirecting to: systemctl restart ipsec.service
NetworkManager[13755]: debugging mode enabled
NetworkManager[13755]: end of file /run/nm-l2tp-dc38cd8b-ece4-4b70-a590-a00473a0bbd8/ipsec.conf
NetworkManager[13755]: Loading conn dc38cd8b-ece4-4b70-a590-a00473a0bbd8
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" modecfgdns=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" modecfgdomains=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" modecfgbanner=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" mark=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" mark-in=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" mark-out=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" vti_iface=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" redirect-to=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" accept-redirect-to=<unset>
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" esp=aes256-sha1,aes128-sha1,3des-sha1
NetworkManager[13755]: conn: "dc38cd8b-ece4-4b70-a590-a00473a0bbd8" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048
NetworkManager[13755]: opening file: /run/nm-l2tp-dc38cd8b-ece4-4b70-a590-a00473a0bbd8/ipsec.conf
NetworkManager[13755]: loading named conns: dc38cd8b-ece4-4b70-a590-a00473a0bbd8
NetworkManager[13755]: resolving family=IPv4 src=172.20.10.4 gateway=<not-set> peer {{SERVER}}
NetworkManager[13755]: seeking NOTHING
NetworkManager[13755]: resolving family=IPv4 src={{SERVER}} gateway=<not-set> peer 172.20.10.4
NetworkManager[13755]: seeking NOTHING
NetworkManager[13756]: Usage: ipsec {command} [argument] ...>
NetworkManager[13756]: where {command} is one of:
NetworkManager[13756]: start stop
NetworkManager[13756]: restart status
NetworkManager[13756]: trafficstatus traffic
NetworkManager[13756]: globalstatus shuntstatus
NetworkManager[13756]: briefstatus showstates
NetworkManager[13756]: fips import
NetworkManager[13756]: initnss checknss
NetworkManager[13756]: checknflog addconn
NetworkManager[13756]: algparse asn1check
NetworkManager[13756]: auto barf
NetworkManager[13756]: cavp dncheck
NetworkManager[13756]: ecdsasigkey enumcheck
NetworkManager[13756]: getpeercon_server hunkcheck
NetworkManager[13756]: ipcheck jambufcheck
NetworkManager[13756]: keyidcheck letsencrypt
NetworkManager[13756]: look newhostkey
NetworkManager[13756]: pluto readwriteconf
NetworkManager[13756]: rsasigkey setup
NetworkManager[13756]: show showhostkey
NetworkManager[13756]: showroute timecheck
NetworkManager[13756]: vendoridcheck verify
NetworkManager[13756]: whack
NetworkManager[13756]: See also: man ipsec <command> or ipsec <command> --help
NetworkManager[13756]: See <https://libreswan.org/> for more general info.
NetworkManager[13756]: Libreswan 4.14
nm-l2tp-service[13291]: Could not establish IPsec connection.
nm-l2tp-service[13291]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
MPPE negotiation support had been broken for 10 years, effectively causing the MPPE option to be ignored. Now that it has been fixed, you would most likely see an MPPE negotiation failure in the logs (after the libreswan IPsec connection is established). More info in bug https://github.com/nm-l2tp/NetworkManager-l2tp/issues/221
For the libreswan bug in the log output, I suspect you might be encountering bug https://github.com/nm-l2tp/NetworkManager-l2tp/issues/227 and that the journalctl command-line I suggested isn't showing libreswan's pluto daemon log output, i.e. "global ikev1-policy does not allow IKEv1 connections". As suggested in that bug report, see the fix in the README.md file on how to enable IKEv1:
Ubuntu 24.04 ships with Libreswan 4.14, which no longer has DH2 (i.e. modp1024) support enabled, as they consider it too weak or broken. Consequently, if your VPN server is only proposing weak IPsec algorithms, you might encounter a "no proposal selected" error. You could ask your admin to reconfigure the VPN server to offer more proposals that include stronger algorithms. Alternatively, you could switch to strongswan with sudo apt install strongswan or rebuild the libreswan source code with DH2 support.
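As an added illustration (not code from the project or from anyone in this thread), the following Python check parses the ike=/esp= proposal strings that nm-l2tp wrote into the generated ipsec.conf (copied from the log above), flags the proposals Libreswan 4.14 would no longer negotiate (modp1024) or that are weak, and predicts whether a given set of server proposals would leave nothing in common, which is what produces the "no proposal selected" failure. The server proposal strings and the weak/dropped algorithm sets are this example's own assumptions.

```python
# Proposal strings taken from the ipsec.conf lines in the log above.
IKE_LINE = ("aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,"
            "aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048")
ESP_LINE = "aes256-sha1,aes128-sha1,3des-sha1"

# Assumed classification: DH2 (modp1024) is disabled in Libreswan 4.14 builds;
# 3DES/DES and SHA-1/MD5 are accepted but generally regarded as weak.
DROPPED_DH = {"modp1024"}
WEAK_ENC = {"3des", "des"}
WEAK_INTEG = {"sha1", "md5"}


def parse_proposals(line):
    """Split a libreswan ike=/esp= value into (enc, integ, dh) tuples.
    ESP proposals normally omit the DH group, so dh may be None."""
    out = []
    for prop in line.split(","):
        parts = prop.strip().split("-")
        enc = parts[0]
        integ = parts[1] if len(parts) > 1 else None
        dh = parts[2] if len(parts) > 2 else None
        out.append((enc, integ, dh))
    return out


def _name(p):
    return "-".join(x for x in p if x)


def classify(line):
    """Sort proposals into 'rejected' (dropped DH group), 'weak' and 'ok'."""
    result = {"rejected": [], "weak": [], "ok": []}
    for enc, integ, dh in parse_proposals(line):
        if dh in DROPPED_DH:
            result["rejected"].append(_name((enc, integ, dh)))
        elif enc in WEAK_ENC or integ in WEAK_INTEG:
            result["weak"].append(_name((enc, integ, dh)))
        else:
            result["ok"].append(_name((enc, integ, dh)))
    return result


def negotiable(client_line, server_line):
    """Proposals both sides share once the dropped DH groups are removed.
    An empty list means the IKE exchange will fail with no proposal chosen."""
    client = {p for p in parse_proposals(client_line) if p[2] not in DROPPED_DH}
    server = {p for p in parse_proposals(server_line) if p[2] not in DROPPED_DH}
    return sorted(_name(p) for p in client & server)
```

Running classify(ESP_LINE) shows that every ESP proposal in the generated config uses SHA-1 integrity, which is why the thread's advice to ask the admin for stronger proposals matters even once the connection works.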
@dkosovic , thanks a lot! It got fixed ✅ by removing libreswan, installing strongswan, and clearing the MPPE check box. With MPPE, it was showing this error:
Hi there!
I'm unable to connect to an L2TP+IPsec connection from my Ubuntu 24.04 system. However, I'm able to connect to it using an ordinary L2TP profile on an iPhone.
What journalctl prints:
Other options:
I would be grateful if you could help me!