L2TP client support for PSK removed from 15.04/15.10

Bug #1457078 reported by Kevin Pattison
This bug affects 32 people
Affects: network-manager-strongswan (Ubuntu)
Status: Confirmed
Importance: Undecided
Assigned to: Unassigned
Milestone: (none)

Bug Description

Since OpenSwan has been completely removed from 15.04 and the shipped StrongSwan-network-manager (1.3.0-2) doesn't support pre-shared keys (support added in 1.3.1), many users will not be able to connect to business VPNs after the upgrade to 15.04.

This is a critical requirement for many users.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in network-manager-strongswan (Ubuntu):
status: New → Confirmed
Mario Harvey (marioharvey) wrote :

I must second this is super critical for users.

I tried to build 1.3.1 network manager from source and got the following error:

main.c: In function ‘lookup_password’:
main.c:43:2: error: ‘gnome_keyring_find_network_password_sync’ is deprecated (declared at /usr/include/gnome-keyring-1/gnome-keyring.h:551): Use 'SECRET_SCHEMA_COMPAT_NETWORK' instead [-Werror=deprecated-declarations]
  if (gnome_keyring_find_network_password_sync(g_get_user_name(), NULL, name,
  ^
main.c:59:2: error: ‘gnome_keyring_network_password_list_free’ is deprecated (declared at /usr/include/gnome-keyring-1/gnome-keyring.h:537) [-Werror=deprecated-declarations]
  gnome_keyring_network_password_list_free(list);
  ^
main.c: In function ‘main’:
main.c:222:6: error: ‘gnome_keyring_set_network_password_sync’ is deprecated (declared at /usr/include/gnome-keyring-1/gnome-keyring.h:573): Use 'SECRET_SCHEMA_COMPAT_NETWORK' instead [-Werror=deprecated-declarations]
      if (gnome_keyring_set_network_password_sync(keyring,
      ^
cc1: all warnings being treated as errors
Makefile:393: recipe for target 'nm_strongswan_auth_dialog-main.o' failed
make[2]: *** [nm_strongswan_auth_dialog-main.o] Error 1
make[2]: Leaving directory '/media/mario/Windows/Users/Mario/Shared/Downloads/NetworkManager-strongswan-1.3.1/auth-dialog'
Makefile:445: recipe for target 'all-recursive' failed
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory '/media/mario/Windows/Users/Mario/Shared/Downloads/NetworkManager-strongswan-1.3.1'
Makefile:334: recipe for target 'all' failed
make: *** [all] Error 2

Mario Harvey (marioharvey) wrote :

There is a workaround to get l2tp-ipsec on 15.04 but it's not very elegant.

I uninstalled strongswan and installed an old openswan trusty .deb package.

I then found .deb files of the old l2tp-ipsec-vpn and l2tp-ipsec-vpn-daemon from trusty by Werner Jaeger.

I installed those and was able to connect. However, this took quite a bit of time to get working properly and required installing deprecated packages.

Slavik (pzv-lviv)
information type: Public → Public Security
information type: Public Security → Private Security
information type: Private Security → Public Security
Slavik (pzv-lviv)
information type: Public Security → Public
Trent Petersen (trentpetersen-523) wrote :

I would like to add that this is a major issue for me, as I am not able to use an Ubuntu-based distro on my company laptop newer than 14.04 now.

I have tried several workarounds and nothing has been successful.

Mozzy Mozbourne (kmhusseini) wrote :

Same here, it cost me 2 days of work not being able to set up a VPN client after upgrade. I will have to downgrade now to 14.04.

Martins Jakubovics (martins-k) wrote :

I faced this issue too. I would agree that this is critical.

Jakke Kuukkanen (cukkimo) wrote :

Same here. It is a Critical issue.

Matthew Kleinsmith (matthew.kleinsmith) wrote :

I'm also facing this issue. I also find it critical.

Jose Moreno (jmoreno-8) wrote :

Hello,

I have the same problem; this issue is critical.

ZuLu (nenominal) wrote :

The issue is still present in 15.10 as well.

summary: - L2TP client support for PSK removed from 15.04
+ L2TP client support for PSK removed from 15.04/15.10
Anthony Kamau (ak-launchpad) wrote :

This begs 2 questions from my end:

1. How does the removal of such a critical VPN component get past QA?
2. How is it that the very vulnerable PPTP VPN is still readily available while a more secure option gets tossed to the gutter?

Can anyone at Canonical please answer these questions?

Kevin Pattison (kevpatts) wrote :

I've also tried this in 15.10. It offers the PSK option now but still only for IPSec as far as I can see. There doesn't seem to be any way of setting up an L2TP connection. Can others confirm this?

Is there any way to escalate this to Canonical without signing up for Enterprise support?

Tobias Brunner (tobias-strongswan) wrote :

strongSwan's NM plugin only supports IKEv2. IKEv1 and in particular L2TP are not supported by that GUI (they could be configured via config files though).
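
Added example (not part of any comment in this report, and not the strongSwan project's own configuration): a sketch of the IPsec side of an L2TP connection with a pre-shared key, set up through strongSwan's config files instead of the NM plugin. The gateway name vpn.example.com, the connection name l2tp-psk and the key value are placeholders; the L2TP daemon (xl2tpd or openl2tp, both named in this report) is configured separately and runs over this SA.

```conf
# /etc/ipsec.conf -- strongSwan ipsec.conf interface
# Assumptions: gateway name and connection name are placeholders.
conn l2tp-psk
    keyexchange=ikev1        # L2TP/IPsec is negotiated with IKEv1, not IKEv2
    leftauth=psk             # both ends authenticate with the pre-shared key
    rightauth=psk
    type=transport           # L2TP/IPsec uses transport mode, not a tunnel
    left=%any                # local address chosen at connect time
    leftprotoport=17/1701    # selector: UDP (protocol 17), port 1701 = L2TP
    right=vpn.example.com    # placeholder gateway
    rightprotoport=17/1701   # only L2TP traffic to the gateway is protected
    auto=add                 # load only; bring up with: ipsec up l2tp-psk

# /etc/ipsec.secrets -- keep root-owned with mode 0600
# Placeholder value; use the key issued by the VPN administrator.
vpn.example.com : PSK "REPLACE-WITH-PRE-SHARED-KEY"
```

The protoport selectors limit the SA to UDP/1701, so the L2TP daemon should only be started once `ipsec statusall` shows the connection as established; otherwise its packets leave unprotected.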

Kevin Pattison (kevpatts) wrote :

Thanks Tobias, unfortunately I've tried this multiple times using multiple different guides on different versions of Ubuntu and have never got this solution to work. I can never get a response to the INFORMATIONAL_V1 request packet and the server complains that it's receiving an unencrypted packet on an encrypted port.

I'm not trying to turn this into a support ticket though, the reason I mention this is to point out that even for experienced users it's VERY difficult to configure via the files, and is not user friendly. For this reason the feature has been effectively removed for 95% of Ubuntu users.

Kevin Pattison (kevpatts) wrote :

N.B. Over email, Tobias, the developer of StrongSwan, said to me:

"We have absolutely no intentions of ever adding support for L2TP (or IKEv1 for that matter) to our NM plugin. So I doubt there will be any traction on this issue (unless Canonical tracks back and readds the removed Openswan/Libreswan stuff).

You should perhaps consider using a more modern VPN protocol, for instance, IKEv2. <redacted> appliances (at least some of them) support that too."

However, it is not possible to create "on demand"/random source IPSec VPNs using IKEv2 on the appliances that I'm using, so I'm back to the beginning again.

Simon Déziel (sdeziel)
description: updated
Paweł Szubert (9-pqwel-0) wrote :

Finally got it to work after hours of fiddling.
l2tp connection with psk and xauth, configured via conffiles.
Ubuntu 15.10, strongswan 5.1.2-0ubuntu6.2
Had to remove package xl2tpd (1.3.6+dfsg-3) - crashed with segfault every time while trying to connect.
Manually installed openl2tp_1.8-1_amd64.deb from:
ftp://ftp.openl2tp.org/releases/openl2tp-1.8/debian-squeeze/openl2tp_1.8-1_amd64.deb
Works much better than my last attempt on 14.04 (openswan+pluto+openl2tp)

I have to start the connection manually (will write a short script for it, but for now it's OK)
Will post my conffiles if someone is interested ;-)

But it will be great to have a network-manager plugin to manage such a connection.

Cheers

Gimbus109

Kevin Pattison (kevpatts) wrote :

Very interested! Please share!

Paweł Szubert (9-pqwel-0) wrote :
Adrian Wilkins (adrian-wilkins) wrote :

This has frustrated me for a month or so... I can get onto my work VPN via the ShrewSoft client (ike and ike-qtgui) but it's not integrated with NetworkManager (and overwrites /etc/resolv.conf, interfering with it).

You have to resort to manual configuration of the dnsmasq instance created by NetworkManager in order to get it to play nice with managed connections - turn off the DNS settings in the ShrewSoft client and add them manually to dnsmasq to stop it overwriting /etc/resolv.conf

The manual config above may also work, but likewise, won't play nice with other NetworkManager connections.

The NM plugin for StrongSwan has been updated to support PSK but I don't know if this means it supports IKEv1... it imposes a 20 character minimum, and of course, my network admin has configured a PSK shorter than this, so I can't test it.

I agree with the sentiments expressed above that removing support for an exceedingly common (if not best-practice) VPN configuration does not create the best impression of Ubuntu. RedHat has retained support via the NetworkManager-libreswan plugin as described in the page below.

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/sec-Securing_Virtual_Private_Networks.html

Sadly, Debian still has libreswan in the "experimental" section.

This report contains Public information  
Everyone can see this information.
