VPN – L2TP + IPSEC Client Not Working on Ubuntu 14.04 with Pre-Shared Key

Tags: 14.04, vpn

Such a simple question, why is it so difficult to get working?

It seems unbelievable but I haven't found a single solution to this that actually worked. Which is why I'm actually asking this question again.

None of the proposed answers to similar questions here or anywhere else work, nope, not one. And you will notice that none of them have accepted answers.
And so the question keeps getting asked. Can we end this madness?

I'm really quite happy for this question to be a community wiki but I don't know how to do that. I'd just like to know how, for the benefit of the entire Ubuntu community, we go about setting this up. Once and for all.

It's such a common protocol and yet Ubuntu seems to be seriously lagging on support for it, even though it works out of the box for Windows and OSX. It seems we have to jump through hoops in Ubuntu.

Could someone please share your secret on how you personally got L2TP + IPSec working with a pre-shared key? I think a reliable working answer will give many Ubuntu users rest at night 🙂

Cheers.


This is what I've tried:

1. strongswan

apt-get install strongswan network-manager-strongswan

Well that's just great, the UI doesn't seem to allow a pre-shared key?!?!

2. network-manager-l2tp

https://launchpad.net/~seriy-pr/+archive/ubuntu/network-manager-l2tp

This looked promising but doesn't work. I get the below errors. Besides that, it's deprecated now because it uses openswan which is no longer supported. Now we have strongswan (Maybe the Ubuntu developers need to switch to workingswan!)

I wonder if some of these errors are because I'm using an AMD CPU?

Jul  2 14:44:00 xen ipsec_setup: Starting Openswan IPsec 2.6.38...
Jul  2 14:44:01 xen ipsec_setup: Using KLIPS/legacy stack
Jul  2 14:44:01 xen kernel: [   49.125995] sha512_ssse3: Neither AVX nor SSSE3 is available/usable.
Jul  2 14:44:01 xen kernel: [   49.152561] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.
Jul  2 14:44:01 xen kernel: [   49.172064] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.189713] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.207982] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.232719] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.261421] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.287047] AVX or AES-NI instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.307848] AVX or AES-NI instructions are not detected.
Jul  2 14:44:01 xen ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
Jul  2 14:44:01 xen ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Jul  2 14:44:01 xen kernel: [   49.329498] NET: Registered protocol family 15
Jul  2 14:44:01 xen ipsec_setup: Using NETKEY(XFRM) stack
Jul  2 14:44:01 xen kernel: [   49.403213] Initializing XFRM netlink socket
Jul  2 14:44:01 xen kernel: [   49.501839] sha512_ssse3: Neither AVX nor SSSE3 is available/usable.
Jul  2 14:44:01 xen kernel: [   49.516281] sha256_ssse3: Neither AVX nor SSSE3 is available/usable.
Jul  2 14:44:01 xen kernel: [   49.539742] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.561641] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.579962] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.604578] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.621050] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.646920] AVX or AES-NI instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.667841] AVX or AES-NI instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.686945] netlink: 24 bytes leftover after parsing attributes in process `ip'.
Jul  2 14:44:01 xen ipsec_setup: ...Openswan IPsec started
Jul  2 14:44:01 xen pluto: adjusting ipsec.d to /etc/ipsec.d
Jul  2 14:44:01 xen ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
Jul  2 14:44:01 xen NetworkManager[806]: <info> VPN connection 'OTOY Cluster' (Connect) reply received.
Jul  2 14:44:11 xen NetworkManager[806]: <warn> VPN plugin failed: 7
Jul  2 14:44:42 xen NetworkManager[806]: <warn> VPN connection 'OTOY Cluster' (IP Config Get) timeout exceeded.
Jul  2 14:44:42 xen NetworkManager[806]: <info> Policy set 'Wired connection 1' (eth0) as default for IPv4 routing and DNS.
Jul  2 14:44:47 xen NetworkManager[806]: <info> VPN service 'l2tp' disappeared
Jul  2 14:51:35 xen kernel: [  503.672175] netlink: 24 bytes leftover after parsing attributes in process `ip'.
Jul  2 14:51:35 xen kernel: [  503.680945] ip_tables: (C) 2000-2006 Netfilter Core Team
Jul  2 14:51:35 xen kernel: [  503.686441] ip6_tables: (C) 2000-2006 Netfilter Core Team
Jul  2 14:52:04 xen NetworkManager[806]: <info> Starting VPN service 'l2tp'...
Jul  2 14:52:04 xen NetworkManager[806]: <info> VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 3589
Jul  2 14:52:04 xen NetworkManager[806]: <info> VPN service 'l2tp' appeared; activating connections
Jul  2 14:52:04 xen NetworkManager[806]: <info> VPN plugin state changed: starting (3)
Jul  2 14:52:04 xen ipsec_setup: Stopping Openswan IPsec...
Jul  2 14:52:05 xen kernel: [  533.776479] netlink: 24 bytes leftover after parsing attributes in process `ip'.
Jul  2 14:52:05 xen kernel: [  534.105661] NET: Unregistered protocol family 15
Jul  2 14:52:06 xen ipsec_setup: ...Openswan IPsec stopped

3. And a bunch of others

These all involved editing .conf files. None of which worked out either.
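
Added example (not part of the original question or of any project's code): a small Python triage of the syslog excerpt above, separating the kernel's CPU-feature messages from the Openswan stack fallback and the NetworkManager warnings. The category names and matching rules are assumptions of this example; the sample lines are copied from the log in the question.

```python
import re

# Constructed sample: nine lines copied from the syslog excerpt in the question.
SAMPLE_LOG = """\
Jul  2 14:44:01 xen kernel: [   49.125995] sha512_ssse3: Neither AVX nor SSSE3 is available/usable.
Jul  2 14:44:01 xen kernel: [   49.172064] AVX instructions are not detected.
Jul  2 14:44:01 xen kernel: [   49.287047] AVX or AES-NI instructions are not detected.
Jul  2 14:44:01 xen ipsec_setup: No KLIPS support found while requested, desperately falling back to netkey
Jul  2 14:44:01 xen ipsec_setup: NETKEY support found. Use protostack=netkey in /etc/ipsec.conf to avoid attempts to use KLIPS. Attempting to continue with NETKEY
Jul  2 14:44:01 xen ipsec_setup: ...Openswan IPsec started
Jul  2 14:44:11 xen NetworkManager[806]: <warn> VPN plugin failed: 7
Jul  2 14:44:42 xen NetworkManager[806]: <warn> VPN connection 'OTOY Cluster' (IP Config Get) timeout exceeded.
Jul  2 14:44:47 xen NetworkManager[806]: <info> VPN service 'l2tp' disappeared
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} \S+ ([\w-]+)(?:\[\d+\])?: (.*)$")

# (category, process, message pattern); names and rules are this example's
# assumptions, tried in order. Anything unmatched lands in "other".
RULES = [
    ("cpu-info", "kernel", r"(AVX|SSSE3|AES-NI).*(not detected|available/usable)"),
    ("stack-fallback", "ipsec_setup", r"KLIPS"),
    ("failure", "NetworkManager", r"^<warn>"),
]

def triage(log):
    """Group syslog messages by category."""
    buckets = {name: [] for name, _, _ in RULES}
    buckets["other"] = []
    for raw in log.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # not a syslog-formatted line
        proc, msg = m.groups()
        for name, want_proc, pattern in RULES:
            if proc == want_proc and re.search(pattern, msg):
                buckets[name].append(msg)
                break
        else:
            buckets["other"].append(msg)
    return buckets

def config_hint(log):
    """Return (setting, file) from a 'Use X=Y in FILE' hint, or None."""
    m = re.search(r"Use (\S+=\S+) in (\S+) to", log)
    return m.groups() if m else None

if __name__ == "__main__":
    print({k: len(v) for k, v in triage(SAMPLE_LOG).items()}, config_hint(SAMPLE_LOG))
```

On the sample, the only lines logged at warning level are the two NetworkManager ones, and the configuration hint returned is the one Openswan itself prints.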

Best Answer

(I have not managed to test this yet, for lack of terminal skills.)

Somebody made a little Docker image with a VPN client with pre-shared-key support. The motivation behind it:

Does your office or a client have a VPN server already setup and you just need to connect to it? Do you use Linux and are jealous that the one thing a MAC can do better is quickly setup this kind of VPN?

https://github.com/ubergarm/l2tp-ipsec-vpn-client

(Also check out the forks - at the moment there is just one real one, which extends it with a run.sh script.)

In a best case scenario you need to:

  • install docker
    • add docker package-source url (for ubuntu xenial 16.04): deb [arch=amd64] https://download.docker.com/linux/ubuntu xenial stable
    • install docker, docker.io, docker.ce (I guess)
  • download l2tp-ipsec-vpn-client as zip-file from github
  • edit the vpn configuration in the run script (see fork from ChenXiaoTemp)
  • run the docker image

I hope this helps a little