A client of Kensio Software is using an L2TP VPN with Ipsec that’s using an obsolete DH2 (modp1024) algorithm. This algorithm was considered insecure as far back as 2001, and has now been deprecated in encryption libraries such as libreswan.
Most of the permanent engineers at the client are on MacOS, which still supports DH2 / modp1024 algorithm out of the box. I was able to get the VPN connected on a Macbook, but still wanted to try and get it working on Ubuntu as that’s my main working OS.
This required manually compiling libreswan and network-manager-l2tp in order to enable the deprecated DH2 / modp1024 algorithm in them.
Remove repo-installed versions
If you’ve been trying to get a similar VPN working you’ve most likely tried installing libreswan and network-manager-l2tp from the repos. As we’re going to manually compile and install them, these will need removing first:
sudo apt-get remove libreswan network-manager-l2tp
Manually install libreswan with USE_DH2=true
Manually compile and install libreswan with the
USE_DH2=true env flag to
enable the deprecated DH2 / modp1024 algorithm.
sudo apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev \ libcap-ng-dev libcap-ng-utils libselinux-dev \ libcurl3-nss-dev flex bison gcc make libldns-dev \ libunbound-dev libnss3-tools libevent-dev xmlto \ libsystemd-dev git clone email@example.com:libreswan/libreswan.git cd libreswan export USE_DH2=true USE_DH2=true make programs USE_DH2=true sudo make install
Manually install network-manager-l2tp
Manually compile and install network-manager-l2tp with the
--enable-libreswan-dh2 option to enable use of the DH2 algorithm in libreswan
that we enabled above.
sudo apt install \ build-essential \ git \ intltool \ libtool \ network-manager-dev \ libnm-dev \ libnma-dev \ ppp-dev \ libdbus-glib-1-dev \ libsecret-1-dev \ libgtk-3-dev \ libglib2.0-dev \ libssl-dev \ libnss3-dev \ libxml2-utils \ xl2tpd git clone firstname.lastname@example.org:nm-l2tp/NetworkManager-l2tp.git cd NetworkManager-l2tp ./autogen.sh ./configure \ --disable-static --prefix=/usr \ --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \ --libexecdir=/usr/lib/NetworkManager \ --localstatedir=/var \ --with-pppd-plugin-dir=/usr/lib/pppd/2.4.7 --enable-libreswan-dh2 make sudo make install
Now reboot your OS:
Configure the VPN
Now there’s some clicking around in the Network Manager UI, which is written up as notes here:
Settings -> VPN -> + Gateway: [VPN gateway IP] Type: Password User name: [username] Password: [password] IPsec Settings... [✔] Enable IPsec tunnel to L2TP host Type: Pre-shared key (PSK) Pre-shared key: [psk] Advanced Remote ID: [VPN gateway IP] Phase1 Algorithms: [blank] Phase2 Algorithms: [blank] [✔] Enforce UDP encapsulation [✔] Disable PFS
Now you can try connecting, and if you’re lucky the VPN will connect. If it still fails, don’t panic, as there are a couple more things to try below.
Potentially disable xl2tpd.service
sudo systemctl stop xl2tpd.service
If that does allow you to connect to the VPN, then make it permanent with:
sudo systemctl disable xl2tpd.service
Potentially unmask ipsec.service
The last thing that might be blocking the VPN connection is that the ipsec service is masked. If so you can unmask it with:
systemctl unmask ipsec.service