VPN L2TP/IPSec client on Ubuntu 16.04 VPN service failed to start
I found a solution in developer's repository.
https://github.com/nm-l2tp/network-manager-l2tp/issues/38#issuecomment-303052751
Version 1.2.6 no longer overrides the default IPsec ciphers and I suspect your VPN server is using a legacy cipher newer strongSwan versions consider to be broken.
See the user specified IPsec cipher suites section in the README.md file on how to supplement the strongSwan default ciphers with your own :
https://github.com/nm-l2tp/network-manager-l2tp#user-specified-ipsec-ikev1-cipher-suites
I would recommend installing the ike-scan package to check what ciphers your VPN server is advertising it supports, e.g. :
$ sudo systemctl stop strongswan
$ sudo ike-scan 123.54.76.9
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
123.54.76.9 Main Mode Handshake returned HDR=(CKY-R=5735eb949670e5dd) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
Ending ike-scan 1.9: 1 hosts scanned in 0.263 seconds (3.80 hosts/sec). 1 returned handshake; 0 returned notify
So with this example where a broken 3DES cipher is advertised, in the advanced section of the IPsec dialog box for version 1.2.6, add the following:
Phase1 Algorithms : 3des-sha1-modp1024
Phase2 Algorithms : 3des-sha1
After all steps try you L2TP connnection, it must be established.
This answer is specific to connecting to a Cisco Meraki account on an L2TP/IP VPN. The solution is works on my Ubuntu 16.04 system. All the instructions are directly copied from the answer by Pigman on this Meraki forum thread. Hats off to him, he saved me hours of frustration.
- Install network-manager-l2tp:
sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp
and `sudo apt-get update sudo apt-get install network-manager-l2tp - If using gnome, install the gnome plugin (if using another desktop environment, see if there's a plugin for its network manager):
sudo apt-get install network-manager-l2tp-gnome
- Reboot
- Navigate to Settings > Network > Click the +button > Select "Layer 2 Tunneling Protocol (L2TP)"
- Name the new VPN connection something
- Put the host name or address in the Gateway field.
- Put username in the Username field.
- Click the icon in the Password field and select your preference for how to supply the password.
- Click IPSec Settings...
- Click the box for "Enable IPsec tunnel to L2TP host"
- Enter the shared secret into the Pre-shared key field.
- Leave the Gateway ID field empty.
- Expand the Advanced options area
- Enter "3des-sha1-modp1024" into the Phase 1 Algorithms box.
- Enter "3des-sha1" into the Phase 2 Algorithms box.
- Leave the box checked for "Enforce UDP encapsulation".
- Click OK.
- Click Save.
- Open a terminal and enter the following commands to permanently disable the xl2tpdservice:
sudo service xl2tpd stop
- Also enter the following:
sudo systemctl disable xl2tpd
- Open Network Settings and try to turn the VPN on.
A few more steps taken from previous answers, just to be foolproof
sudo service strongswan stop
sudo systemctl disable strongswan
- You can save the password on VPN configuration page by clicking on the icon to right of the password text box