Package Details: networkmanager-l2tp 1.8.2-1

Git Clone URL: https://aur.archlinux.org/networkmanager-l2tp.git (read-only)
Package Base: networkmanager-l2tp
Description: L2TP support for NetworkManager
Upstream URL: https://github.com/nm-l2tp/NetworkManager-l2tp
Licenses: GPL2
Submitter: bradpitcher
Maintainer: smfsh
Last Packager: smfsh
Votes: 100
Popularity: 3.51
First Submitted: 2013-03-13 17:16
Last Updated: 2020-03-31 21:04

Pinned Comments

dkosovic commented on 2019-03-26 13:30

With NetworkManager-l2tp 1.2.12, PFS (Perfect Forward Secrecy) is no longer disabled (which is libreswan's default behavior).

If your VPN server doesn't use PFS, you will now need to click the new "Disable PFS" tick box in the IPsec settings to explicitly disable PFS.

I can confirm clicking "Disable PFS" tick box fixed the issue for another NetworkManager-l2tp 1.2.12 user.

If you are using strongswan, the "Disable PFS" tick box is greyed out as the pfs option is ignored by strongswan (as it automatically tries to use PFS anyway).

smfsh commented on 2018-11-03 21:05

If you receive an unknown public key error, please add it to your gpg keychain:

gpg --recv-keys 49A7787EF8D3C039

Latest Comments


jdelgadocr commented on 2020-04-27 14:16

Needed this to finally set up Cisco Meraki client VPN

2dorf4u commented on 2020-04-21 10:54

@dkosovic I think I only have strongswan in my system. That may be part of the problem.

dkosovic commented on 2020-04-20 23:43

libreswan >= 3.30 is no longer built with DH2(modp1024) support by default.

Consequently networkmanager-l2tp 1.8.2 removed modp1024 proposals from its default phase 1 algorithms when libreswan is used.

networkmanager-l2tp 1.8.2 now has a --enable-libreswan-dh2 configure switch for older versions of Libreswan or newer versions explicitly built with DH2 (modp1024) support.

Extract from libreswan mailing list regarding DH2 (modp1024):

https://lists.libreswan.org/pipermail/swan/2020/003438.html

If you really want, you can enable it at compile time with USE_DH2=true

But everything that supports DH2 also supports DH5. We are pretty sure nation-states can successfully attack DH2. You really cannot expect to use crypto parameters that were already not the most secure TWENTY years ago to still keep working unmodified.

So if you need the old weak DH2(modp1024) phase 1 algorithm support, there are a few options, including:

  • replace libreswan with strongswan.
  • rebuild libreswan with USE_DH2=true and rebuild networkmanager-1.8.2 with --enable-libreswan-dh2 configure switch.
  • use libreswan < 3.30 and networkmanager-l2tp < 1.8.2.
  • manually enter the networkmanager-l2tp phase 1 algorithms and use libreswan < 3.30 or a newer version built with USE_DH2=true

EDIT: 2dorf4u's issue was KDE plasma-nm specific. NetworkManager-l2tp 1.8.0 had a bug that ignored plasma-nm's "Gateway ID" and the bug was fixed in 1.8.2. The "Gateway ID" that 2dorf4u entered was wrong; to get it working with 1.8.2 he just deleted the "Gateway ID". The GNOME GUI was never affected as it now uses "Remote ID" instead of "Gateway ID".
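
Added example (not part of dkosovic's comments and not NetworkManager-l2tp's own code): a small audit that flags the two settings discussed in the comments above, a phase 1 proposal using DH2 (modp1024) and PFS explicitly disabled, in a NetworkManager connection keyfile. The keyfile keys "ipsec-ike" and "ipsec-pfs", the sample keyfile and the function name are assumptions made for illustration.

```python
import configparser
import re

# Constructed sample of a NetworkManager keyfile for an L2TP/IPsec connection.
# Assumption: the plugin stores phase 1 proposals under "ipsec-ike" and the
# "Disable PFS" tick box as "ipsec-pfs=no" in the [vpn] section.
SAMPLE_KEYFILE = """\
[connection]
id=constructed-example
type=vpn

[vpn]
gateway=vpn.example.com
ipsec-enabled=yes
ipsec-ike=aes256-sha1-modp1024,aes256-sha256-modp2048!
ipsec-pfs=no
service-type=org.freedesktop.NetworkManager.l2tp
"""

# Names under which DH group 2 can appear in a proposal string.
WEAK_DH_TOKENS = {"modp1024", "dh2"}


def audit_keyfile(text):
    """Return (key, value, reason) findings for one keyfile's [vpn] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    if not parser.has_section("vpn"):
        return []
    vpn = parser["vpn"]
    findings = []
    # Proposals are comma separated; a trailing "!" (strongswan strict flag) is dropped.
    for proposal in vpn.get("ipsec-ike", "").rstrip("!").split(","):
        proposal = proposal.strip()
        # Split on the separators used between cipher, hash and DH group.
        tokens = set(re.split(r"[-;+]", proposal.lower()))
        if tokens & WEAK_DH_TOKENS:
            findings.append(("ipsec-ike", proposal, "phase 1 proposal uses DH2 (modp1024)"))
    if vpn.get("ipsec-pfs", "").strip().lower() == "no":
        findings.append(("ipsec-pfs", "no", "PFS explicitly disabled"))
    return findings


if __name__ == "__main__":
    for key, value, reason in audit_keyfile(SAMPLE_KEYFILE):
        print(f"{key}={value}: {reason}")
```

A keyfile with no "ipsec-ike" entry produces no DH finding, because the defaults then come from the plugin version and IPsec backend, as described in the comment above.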

2dorf4u commented on 2020-04-20 22:24

Could not connect to my employer's L2TP after updating to 1.8.2. Discovered this just recently (had not updated for a while). Was getting this in the journal:

Apr 20 14:14:25 arch-t103 nm-l2tp-service[6121]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

Apr 20 14:14:25 arch-t103 NetworkManager[653]: <warn>  [1587381265.6874] vpn-connection[0x5574731cc330,65d69011-53e5-4334-a221-63797df9b923,"REDACTED",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'

Downgrading back to 1.8.0 "solved" the problem (well it's not really a solution, but you know...)

bezirg commented on 2019-08-15 09:35

Thank you @dkosovic ! Please use the suggestion of @dkosovic

eblau commented on 2019-03-27 00:37

@dkosovic thanks for the suggestion! That was the issue. Disabling PFS in my NetworkManager VPN connection settings with 1.2.12-2 allowed me to connect successfully again. I had looked through the connection settings but did not realize the significance of disabling PFS.

eblau commented on 2019-03-26 13:11

The update to 1.2.12-2 broke my VPN connection. I did some cursory debugging by running with the "--debug" option in the foreground but could not immediately figure it out. The connection seems to time out when launching the ipsec script now. Reverting to 1.2.10-4 fixes the issue for me.

Anyone else seeing similar issues?

bezirg commented on 2019-03-18 09:56

Thank you EarthMind. Your workarounds are correct.

EarthMind commented on 2019-03-17 20:45

The problem is not only the checksum mismatch but also the package name. The script is trying to cd to the network-manager-l2tp folder but there is no such folder. The extracted folder name is NetworkManager-l2tp-$pkgver.

That needs to be fixed too.