Connecting to an old modp1024 L2TP Ipsec VPN on Ubuntu 21.04

A client of Kensio Software is using an L2TP VPN with Ipsec that’s using an obsolete DH2 (modp1024) algorithm. This algorithm was considered insecure as far back as 2001, and has now been deprecated in encryption libraries such as libreswan.

Most of the permanent engineers at the client are on MacOS, which still supports DH2 / modp1024 algorithm out of the box. I was able to get the VPN connected on a Macbook, but still wanted to try and get it working on Ubuntu as that’s my main working OS.

This required manually compiling libreswan and network-manager-l2tp in order to enable the deprecated DH2 / modp1024 algorithm in them.

Remove repo-installed versions

If you’ve been trying to get a similar VPN working you’ve most likely tried installing libreswan and network-manager-l2tp from the repos. As we’re going to manually compile and install them, these will need removing first:

sudo apt-get remove libreswan network-manager-l2tp

Manually install libreswan with USE_DH2=true

Manually compile and install libreswan with the USE_DH2=true env flag to enable the deprecated DH2 / modp1024 algorithm.

sudo apt-get install libnss3-dev libnspr4-dev pkg-config libpam-dev \
	libcap-ng-dev libcap-ng-utils libselinux-dev \
	libcurl3-nss-dev flex bison gcc make libldns-dev \
	libunbound-dev libnss3-tools libevent-dev xmlto \

git clone
cd libreswan
export USE_DH2=true
USE_DH2=true make programs
USE_DH2=true sudo make install

Manually install network-manager-l2tp

Manually compile and install network-manager-l2tp with the --enable-libreswan-dh2 option to enable use of the DH2 algorithm in libreswan that we enabled above.

sudo apt install \
build-essential \
git \
intltool \
libtool \
network-manager-dev \
libnm-dev \
libnma-dev \
ppp-dev \
libdbus-glib-1-dev \
libsecret-1-dev \
libgtk-3-dev \
libglib2.0-dev \
libssl-dev \
libnss3-dev \
libxml2-utils \

git clone
cd NetworkManager-l2tp
./configure \
  --disable-static --prefix=/usr \
  --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \
  --libexecdir=/usr/lib/NetworkManager \
  --localstatedir=/var \
sudo make install

Now reboot your OS:

sudo reboot

Configure the VPN

Now there’s some clicking around in the Network Manager UI, which is written up as notes here:

Settings -> VPN -> +

Gateway: [VPN gateway IP]
Type: Password
User name: [username]
Password: [password]

IPsec Settings...

[✔] Enable IPsec tunnel to L2TP host

Type: Pre-shared key (PSK)
Pre-shared key: [psk]


Remote ID: [VPN gateway IP]

Phase1 Algorithms: [blank]
Phase2 Algorithms: [blank]

[✔] Enforce UDP encapsulation
[✔] Disable PFS

Now you can try connecting, and if you’re lucky the VPN will connect. If it still fails, don’t panic, as there are a couple more things to try below.

Potentially disable xl2tpd.service

sudo systemctl stop xl2tpd.service

If that does allow you to connect to the VPN, then make it permanent with:

sudo systemctl disable xl2tpd.service

Potentially unmask ipsec.service

The last thing that might be blocking the VPN connection is that the ipsec service is masked. If so you can unmask it with:

systemctl unmask ipsec.service

Good luck!

Tech mentioned