VPN L2TP/IPSec client on Ubuntu 16.04 VPN service failed to start


Solution 1

I found a solution in the developer's repository.

https://github.com/nm-l2tp/network-manager-l2tp/issues/38#issuecomment-303052751

Version 1.2.6 no longer overrides the default IPsec ciphers and I suspect your VPN server is using a legacy cipher newer strongSwan versions consider to be broken.

See the user specified IPsec cipher suites section in the README.md file on how to supplement the strongSwan default ciphers with your own :

https://github.com/nm-l2tp/network-manager-l2tp#user-specified-ipsec-ikev1-cipher-suites

I would recommend installing the ike-scan package to check what ciphers your VPN server is advertising it supports, e.g. :

$ sudo systemctl stop strongswan  
$ sudo ike-scan 123.54.76.9  
Starting ike-scan 1.9 with 1 hosts (http://www.nta-monitor.com/tools/ike-scan/)
123.54.76.9   Main Mode Handshake returned HDR=(CKY-R=5735eb949670e5dd) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)
Ending ike-scan 1.9: 1 hosts scanned in 0.263 seconds (3.80 hosts/sec).  1 returned handshake; 0 returned notify

So with this example where a broken 3DES cipher is advertised, in the advanced section of the IPsec dialog box for version 1.2.6, add the following:

  • Phase1 Algorithms : 3des-sha1-modp1024

  • Phase2 Algorithms : 3des-sha1

After all steps, try your L2TP connection; it must be established.
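
An added example, not part of either answer or of the network-manager-l2tp project: a POSIX shell helper that reads the SA=(...) transform from an ike-scan line and prints the Phase 1 and Phase 2 strings in the form both solutions enter, plus any components on a legacy list. The function names and the legacy list are assumptions of this example; ike-scan only reports the Phase 1 transform, so Phase 2 reuses the same cipher and hash, as the answers do.

```sh
#!/bin/sh
# Added example: map an ike-scan SA=(...) transform to nm-l2tp proposal strings.

# Line copied from the ike-scan output quoted in the answer above.
SAMPLE='123.54.76.9   Main Mode Handshake returned HDR=(CKY-R=5735eb949670e5dd) SA=(Enc=3DES Hash=SHA1 Auth=PSK Group=2:modp1024 LifeType=Seconds LifeDuration(4)=0x00007080)'

# ike_sa_field LINE KEY: print the value of KEY inside SA=(...), or nothing.
ike_sa_field() {
    printf '%s\n' "$1" |
        sed -n 's/.*SA=(\(.*\)).*/\1/p' |
        tr ' ' '\n' |
        sed -n "s/^$2=//p" |
        head -n 1
}

# ike_to_proposals LINE: print phase1=/phase2= in strongSwan keyword form.
# Assumption: Phase 2 reuses the Phase 1 cipher and hash, as the answers do;
# ike-scan itself only reports the Phase 1 (IKE) transform.
ike_to_proposals() {
    enc=$(ike_sa_field "$1" Enc | tr 'A-Z' 'a-z')
    bits=$(ike_sa_field "$1" KeyLength)            # present for AES only
    hash=$(ike_sa_field "$1" Hash | tr 'A-Z' 'a-z' | sed 's/^sha2-/sha/')
    group=$(ike_sa_field "$1" Group | sed 's/^[0-9]*://')
    if [ -z "$enc" ] || [ -z "$hash" ] || [ -z "$group" ]; then
        return 1                                   # no handshake / no SA seen
    fi
    echo "phase1=${enc}${bits}-${hash}-${group}"
    echo "phase2=${enc}${bits}-${hash}"
}

# ike_legacy_flags PROPOSAL: list components on this example's legacy list
# (an assumption of the example, not a list published by strongSwan).
ike_legacy_flags() {
    flags=""
    for part in $(printf '%s\n' "$1" | sed 's/-/ /g'); do
        case "$part" in
            des|3des|md5|modp768|modp1024) flags="$flags $part" ;;
        esac
    done
    echo "${flags# }"
}

ike_to_proposals "$SAMPLE"
echo "legacy: $(ike_legacy_flags 3des-sha1-modp1024)"
```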

Solution 2

This answer is specific to connecting to a Cisco Meraki account on an L2TP/IP VPN. The solution works on my Ubuntu 16.04 system. All the instructions are directly copied from the answer by Pigman on this Meraki forum thread. Hats off to him, he saved me hours of frustration.

  1. Install network-manager-l2tp: sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp, then sudo apt-get update and sudo apt-get install network-manager-l2tp
  2. If using gnome, install the gnome plugin (if using another desktop environment, see if there's a plugin for its network manager): sudo apt-get install network-manager-l2tp-gnome
  3. Reboot
  4. Navigate to Settings > Network > Click the + button > Select "Layer 2 Tunneling Protocol (L2TP)"
  5. Name the new VPN connection something
  6. Put the host name or address in the Gateway field.
  7. Put username in the Username field.
  8. Click the icon in the Password field and select your preference for how to supply the password.
  9. Click IPSec Settings...
  10. Click the box for "Enable IPsec tunnel to L2TP host"
  11. Enter the shared secret into the Pre-shared key field.
  12. Leave the Gateway ID field empty.
  13. Expand the Advanced options area
  14. Enter "3des-sha1-modp1024" into the Phase 1 Algorithms box.
  15. Enter "3des-sha1" into the Phase 2 Algorithms box.
  16. Leave the box checked for "Enforce UDP encapsulation".
  17. Click OK.
  18. Click Save.
  19. Open a terminal and enter the following commands to permanently disable the xl2tpd service: sudo service xl2tpd stop
  20. Also enter the following: sudo systemctl disable xl2tpd
  21. Open Network Settings and try to turn the VPN on.

A few more steps taken from previous answers, just to be foolproof

  1. sudo service strongswan stop
  2. sudo systemctl disable strongswan
  3. You can save the password on VPN configuration page by clicking on the icon to right of the password text box
Author: Fabiano

Updated on September 18, 2022

Comments

  • Fabiano
    Fabiano over 1 year

    On Ubuntu 16.04, I've already followed a couple of tutorials to rebuild network-manager, also installed via apt-get install network-manager-l2tp network-manager-l2tp-gnome.

    It was working until yesterday, when a random message appeared saying "The VPN connection failed because the VPN service failed to start." There are no errors in the configuration, since the same VPN credentials and host are being used on another Ubuntu, also 16.04, and Windows 8.1.

    Looking on /var/log/syslog:

    NetworkManager[899]: <info>  [1496143714.1953] audit: op="connection-activate" uuid="cac1651d-9cbd-4989-bc57-b9707ddd012a" name="VPNCS" pid=2295 uid=1000 result="success"
    NetworkManager[899]: <info>  [1496143714.1973] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: Started the VPN service, PID 5798
    NetworkManager[899]: <info>  [1496143714.2013] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: Saw the service appear; activating connection
    NetworkManager[899]: <info>  [1496143714.2760] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: VPN connection: (ConnectInteractive) reply received
    NetworkManager[899]: nm-l2tp[5798] <info>  ipsec enable flag: yes
    NetworkManager[899]: ** Message: Check port 1701
    NetworkManager[899]: nm-l2tp[5798] <info>  starting ipsec
    NetworkManager[899]: Stopping strongSwan IPsec...
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22167, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22168, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22169, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22170, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22171, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22172, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22173, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22174, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22175, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22176, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22177, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22178, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22179, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22180, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22181, major_opcode = 33, minor_opcode = 0
    gnome-session[1843]: X protocol error:
    gnome-session[1843]: <class 'Xlib.error.BadWindow'>: code = 3, resource_id = Xlib.xobject.resource.Resource(0x00e003ad), sequence_number = 22182, major_opcode = 33, minor_opcode = 0
    NetworkManager[899]: Starting strongSwan 5.5.2 IPsec [starter]...
    NetworkManager[899]: Loading config setup
    NetworkManager[899]: Loading conn 'cac1651d-9cbd-4989-bc57-b9707ddd012a'
    NetworkManager[899]: found netkey IPsec stack
    charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.5.2, Linux 4.4.0-78-generic, x86_64)
    NetworkManager[899]: nm-l2tp[5798] <warn>  IPsec service is not ready.
    NetworkManager[899]: nm-l2tp[5798] <warn>  Could not establish IPsec tunnel.
    NetworkManager[899]: (nm-l2tp-service:5798): GLib-GIO-CRITICAL **: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
    NetworkManager[899]: <info>  [1496143732.4905] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: VPN plugin: state changed: stopped (6)
    NetworkManager[899]: <info>  [1496143732.4929] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: VPN plugin: state change reason: unknown (0)
    NetworkManager[899]: <info>  [1496143732.4952] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: VPN service disappeared
    NetworkManager[899]: <warn>  [1496143732.4971] vpn-connection[0xa56420,cac1651d-9cbd-4989-bc57-b9707ddd012a,"VPNCS",0]: VPN connection: failed to connect: 'Message recipient disconnected from message bus without replying'
    

    I've already tried removing network-manager-l2tp and -gnome packages and reinstalling them but I still have the same error.

    Any fix?

  • Fabiano
    Fabiano almost 7 years
    Life saver! I'd like to add that if you run sudo ike-scan <address> and it returns something about binding and port already in use, it's possible that systemctl stop strongswan wasn't enough and charon is still running. One can confirm that by running sudo netstat -npl and checking the upper block, where it shows the processes and ports in use. I could fully stop charon by running sudo service strongswan stop; not sure why the behavior differs from systemctl, though.
  • brisssou
    brisssou almost 7 years
    The -s switch of ike-scan can save you some PID hunting ;). It can even save you from using sudo: ike-scan -s 60066 <IP>
  • dragon788
    dragon788 almost 7 years
    I think that because Strongswan is a "legacy" service the systemctl scripts hand off to a compatibility layer which may not handle all the dependencies properly. I've noticed a similar issue with the systemctl stop not being enough to enable using ike-scan.
  • Fabiano
    Fabiano about 6 years
    I just ran into another problem with a process using port 500. It also makes my connection return a timeout. In this case, I found it by trying to run ike-scan, and it said port 500 was already in use. Using netstat -npl showed that docker-proxy was using it. As I don't depend on docker, I stopped it with sudo service docker stop and I could successfully connect to the L2TP VPN.
  • Aaron Chamberlain
    Aaron Chamberlain over 4 years
    Thanks, this worked for me. Linux Mint 19.2 (U18.04). I didn't have to turn off strongswan or xl2tpd; I had just put a value in the 'Gateway ID' field and that was what broke it. For a work TP-Link box it was 3des-md5-modp1024, yikes.