{"id":13907708,"url":"https://github.com/nm-l2tp/NetworkManager-l2tp","last_synced_at":"2025-07-18T06:30:50.621Z","repository":{"id":42221236,"uuid":"56431822","full_name":"nm-l2tp/NetworkManager-l2tp","owner":"nm-l2tp","description":"L2TP and L2TP/IPsec support for NetworkManager","archived":false,"fork":false,"pushed_at":"2025-01-17T11:24:38.000Z","size":6440,"stargazers_count":503,"open_issues_count":5,"forks_count":85,"subscribers_count":21,"default_branch":"main","last_synced_at":"2025-06-08T13:28:16.209Z","etag":null,"topics":["ipsec","l2tp","networkmanager","vpn-client"],"latest_commit_sha":null,"homepage":"","language":"C","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nm-l2tp.png","metadata":{"files":{"readme":"README.md","changelog":"NEWS","contributing":null,"funding":null,"license":"COPYING","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":"AUTHORS","dei":null,"publiccode":null,"codemeta":null}},"created_at":"2016-04-17T10:58:14.000Z","updated_at":"2025-06-05T22:04:18.000Z","dependencies_parsed_at":"2023-02-08T10:02:08.070Z","dependency_job_id":"8410431f-684b-4164-a585-344ba42fd495","html_url":"https://github.com/nm-l2tp/NetworkManager-l2tp","commit_stats":{"total_commits":620,"total_committers":26,"mean_commits":"23.846153846153847","dds":"0.27419354838709675","last_synced_commit":"9c0d5379958e7a6f46926015f9dd663d07384311"},"previous_names":[],"tags_count":50,"template":false,"template_full_name":null,"purl":"pkg:github/nm-l2tp/NetworkManager-l2tp","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nm-l2tp%2FNetworkManager-l2tp","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nm-l2tp%2FNetworkManager-l2tp/tags","releases_url":"https://repos.ecosyst
e.ms/api/v1/hosts/GitHub/repositories/nm-l2tp%2FNetworkManager-l2tp/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nm-l2tp%2FNetworkManager-l2tp/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nm-l2tp","download_url":"https://codeload.github.com/nm-l2tp/NetworkManager-l2tp/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nm-l2tp%2FNetworkManager-l2tp/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":265710530,"owners_count":23815373,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ipsec","l2tp","networkmanager","vpn-client"],"created_at":"2024-08-06T23:02:06.750Z","updated_at":"2025-07-18T06:30:50.607Z","avatar_url":"https://github.com/nm-l2tp.png","language":"C","funding_links":[],"categories":["HarmonyOS"],"sub_categories":["Windows Manager"],"readme":"# NetworkManager-l2tp\n\nNetworkManager-l2tp is a VPN plugin for NetworkManager 1.20 and later which\nprovides support for L2TP and L2TP/IPsec (i.e. 
L2TP over IPsec) connections.\n\nFor L2TP support, it uses either of the following :\n* kl2tpd from Katalix's go-l2tp project\n  ( https://github.com/katalix/go-l2tp )\n* xl2tpd ( https://github.com/xelerance/xl2tpd )\n\nFor IPsec support, it uses either of the following :\n* Libreswan ( https://libreswan.org )\n* strongSwan ( https://www.strongswan.org )\n\nFor user authentication it supports either:\n* username/password credentials.\n* TLS certificates.\n\nFor machine authentication it supports either:\n* Pre-shared key (PSK).\n* TLS certificates.\n\nFor TLS user certificate support, ppp \u003e= 2.4.9 is required or the EAP-TLS\npatch for pppd needs to be applied to the ppp source code for older versions :\n\n* https://www.nikhef.nl/~janjust/ppp/\n\nThe configure script will attempt to determine if pppd EAP-TLS support is\navailable and will disable the build time TLS user certificate support if it\ncan not be detected.\n\nFor details on pre-built packages, known issues and build dependencies,\nplease visit the Wiki :\n* https://github.com/nm-l2tp/NetworkManager-l2tp/wiki\n\n## Building\n\n    ./autogen.sh\n    ./configure  # (see below)\n    make\n\nThe default ./configure settings aren't reasonable and should be explicitly\noverridden with ./configure arguments. In the configure examples below, if you\nhave pppd \u003c 2.5.0 you may need to use `--with-pppd-plugin-dir` and set it to\nan appropriate directory that exists, similarly `--with-nm-ipsec-nss-dir` may\nneed to be set to the Libreswan NSS database location if it is not located in\n`/var/lib/ipsec/nss`. The `--enable-libreswan-dh2` switch can be used with\nlibreswan \u003c 3.30 or libreswan packages built with `USE_DH2=true` i.e. have\nmodp1024 support.\n\n#### Debian 13 and Ubuntu 24.04 (AMD64, i.e. 
x86-64)\n\n    ./configure \\\n      --disable-static --prefix=/usr \\\n      --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \\\n      --runstatedir=/run \\\n      --with-gtk4\n\n#### Debian 12 and Ubuntu 22.04 (AMD64, i.e. x86-64)\n\n    ./configure \\\n      --disable-static --prefix=/usr \\\n      --sysconfdir=/etc --libdir=/usr/lib/x86_64-linux-gnu \\\n      --libexecdir=/usr/lib/NetworkManager \\\n      --runstatedir=/run \\\n      --with-pppd-plugin-dir=/usr/lib/pppd/2.4.9\n\n#### Fedora 39 and later (x86-64)\n\n    ./configure \\\n      --disable-static --prefix=/usr \\\n      --sysconfdir=/etc --libdir=/usr/lib64 \\\n      --runstatedir=/run \\\n      --with-gtk4\n\n#### Red Hat Enterprise Linux 8 (x86-64)\n\n    ./configure \\\n      --disable-static --prefix=/usr \\\n      --sysconfdir=/etc --libdir=/usr/lib64 \\\n      --localstatedir=/var \\\n      --enable-libreswan-dh2 \\\n      --with-nm-ipsec-nss-dir=/etc/ipsec.d \\\n      --with-pppd-plugin-dir=/usr/lib64/pppd/2.4.7\n\n#### openSUSE Tumbleweed (x86-64)\n\n    ./configure \\\n      --disable-static --prefix=/usr \\\n      --sysconfdir=/etc --libdir=/usr/lib64 \\\n      --libexecdir=/usr/lib \\\n      --localstatedir=/var \\\n      --enable-libreswan-dh2 \\\n      --with-gtk4\n\n## VPN connection profile files\n\nVPN connection profile files will be one of the following, with the latter\nused when Netplan integration is enabled in NetworkManager:\n- /etc/NetworkManager/system-connections/*.nmconnection\n- /etc/netplan/90-NM-*.yaml\n\n## Run-time generated files\n\nThe following files located under `/var/run` assume `--localstatedir=/var` or\n`--runstatedir=/var/run` were supplied to the configure script at build time.\n\n* /var/run/nm-l2tp-_UUID_/xl2tpd.conf\n* /var/run/nm-l2tp-_UUID_/xl2tpd-control\n* /var/run/nm-l2tp-_UUID_/xl2tpd.pid\n* /var/run/nm-l2tp-_UUID_/ppp-options\n* /var/run/nm-l2tp-_UUID_/ipsec.conf\n* /etc/ipsec.d/ipsec.nm-l2tp.secrets\n\nwhere _UUID_ is the NetworkManager UUID 
for the VPN connection.\n\nIf strongSwan is being used, NetworkManager-l2tp will append the following line\nto `/etc/ipsec.secrets` at run-time if the line is missing:\n\n    include ipsec.d/ipsec.nm-l2tp.secrets\n\n## Password protecting the libreswan NSS database\n\nThe NSS database is used by NetworkManager-l2tp for machine certificate VPN\nconnections using libreswan.\n\nThe default NSS database location is `/var/lib/ipsec/nss/` for libreswan \u003e= 4.0\nand for all versions of libreswan on Debian/Ubuntu. Older libreswan versions often\nuse `/etc/ipsec.d/`, such as on older versions of RHEL/Fedora/CentOS.\n\nThe default libreswan package install for most Linux distributions uses an\nempty password. It is up to the administrator to decide whether to use a\npassword or not. However, a non-empty database password must be provided when\nrunning in FIPS mode.\n\nSee the following page on how to set the password for the libreswan NSS\ndatabase and the syntax for the `/var/lib/ipsec/nss/nsspassword` file where the\npassword is stored:\n* https://libreswan.org/wiki/HOWTO:_Using_NSS_with_libreswan\n\n## Debugging\n\nFor Systemd based Linux distributions logging goes to the Systemd journal\nwhich can be viewed by issuing the following :\n\n    journalctl --no-hostname _COMM=nm-l2tp-service _COMM=ipsec _COMM=pluto _COMM=charon _COMM=kl2tpd _COMM=xl2tpd _COMM=pppd\n\nFor non-Systemd based Linux distributions, view the appropriate system log\nfile which is most likely located under `/var/log/`.\n\n### Increase Debugging Output\n\nTo increase debugging output, issue the following on the command line. This\nwill also prevent the run-time generated config files from being deleted after\nthe VPN connection is disconnected :\n\n#### Debian \u003c 13 and Ubuntu \u003c 24.04\n    sudo killall -TERM nm-l2tp-service\n    sudo /usr/lib/NetworkManager/nm-l2tp-service --debug\n\n#### Debian, Ubuntu, Fedora and Red Hat Enterprise Linux\n    sudo killall -TERM nm-l2tp-service\n    sudo 
/usr/libexec/nm-l2tp-service --debug\n\n#### openSUSE\n    sudo killall -TERM nm-l2tp-service\n    sudo /usr/lib/nm-l2tp-service --debug\n\nthen start your VPN connection and reproduce the problem.\n\nFor Systemd based Linux distributions when increasing the debugging output\nby running `nm-l2tp-service --debug` on the command-line, you may need to\nissue the following to see more log output:\n\n    journalctl -b\n\n### Libreswan Custom Debugging\n\nThe Libreswan debugging can be customized by setting the `PLUTODEBUG` environment\nvariable which corresponds to the `plutodebug` ipsec.conf config section option.\nThe syntax for `PLUTODEBUG` is a white-space separated list of the following\nformat :\n\n    PLUTODEBUG=\"TYPE TYPE ... TYPE\"\n\nwhere TYPE is a debug option from the list output by issuing the following on\nthe command-line :\n\n    ipsec whack --debug list\n\n*Examples:*\n\n#### Debian \u003c 13 and Ubuntu \u003c 24.04\n    sudo PLUTODEBUG=\"all proposal-parser\" /usr/lib/NetworkManager/nm-l2tp-service --debug\n\n#### Debian, Ubuntu, Fedora and Red Hat Enterprise Linux\n    sudo PLUTODEBUG=\"all proposal-parser\" /usr/libexec/nm-l2tp-service --debug\n\n#### openSUSE\n    sudo PLUTODEBUG=\"all proposal-parser\" /usr/lib/nm-l2tp-service --debug\n\n### strongSwan Custom Debugging\n\nThe strongSwan debugging can be customized by setting the `CHARONDEBUG` environment\nvariable which corresponds to the `charondebug` ipsec.conf config section option.\nThe syntax for `CHARONDEBUG` is a comma separated list of the following format :\n\n    CHARONDEBUG=\"TYPE LEVEL, TYPE LEVEL, ..., TYPE LEVEL\"\n\nwhere TYPE is:\n    any|dmn|mgr|ike|chd|job|cfg|knl|net|asn|enc|tnc|imc|imv|pts|tls|esp|lib\n\nand LEVEL is: -1|0|1|2|3|4\n\n*Examples:*\n\n#### Debian \u003c 13 and Ubuntu \u003c 24.04\n    sudo CHARONDEBUG=\"knl 1, ike 
2, esp 2, lib 1, cfg 3\" /usr/libexec/nm-l2tp-service --debug\n\n#### openSUSE\n    sudo CHARONDEBUG=\"knl 1, ike 2, esp 2, lib 1, cfg 3\" /usr/lib/nm-l2tp-service --debug\n\n## Libreswan no longer supports IKEv1 packets by default\n\nLibreswan 5.0 and later, along with earlier versions of Libreswan on some\nLinux distros, no longer support IKEv1 packets by default, the following\nerror occurs if this is the case :\n\n```\nfailed to add IKEv1 connection: global ikev1-policy does not allow IKEv1 connections\n```\n\nTo re-enable IKEv1, uncomment or add `ikev1-policy=accept` to the\n`config setup` section of `/etc/ipsec.conf`\n\n## Issue with blacklisting of L2TP kernel modules\n\ngo-l2tp's kl2tpd requires `l2tp_ppp` and `l2tp_netlink` kernel modules which\nwill fail to auto-load if the  kernel modules are blacklisted.\n\nIf you are using xl2tpd and see the following error message, then chances are\nthat the `l2tp_ppp` and `l2tp_netlink` kernel modules are blacklisted :\n```\nxl2tpd[1234]: L2TP kernel support not detected (try modprobing l2tp_ppp and pppol2tp)\n```\n\nFor xl2tpd compatibility with Microsoft L2TP servers (and some other L2TP\nservers), L2TP kernel modules are required.\n\n`sudo modprobe l2tp_ppp` (or `sudo modprobe pppol2tp` for older kernels) can\nbe used as a temporary workaround, but it is recommended to do a blacklist\nremoval as described further which provides a permanent solution.\n\nThe following is an extract from _\"Enhanced security of auto-loading kernel\nmodules in RHEL 8 \"_ web page :\n* https://access.redhat.com/articles/3760101\n\n\u003e To enhance Red Hat Enterprise Linux against possible future security\n\u003e vulnerabilities in lesser-known components which system administrators\n\u003e typically do not protect against, a set of kernel modules have been moved to\n\u003e the `kernel-modules-extra` package and blacklisted by default so those\n\u003e components cannot be loaded by non-root users.\n\u003e\n\u003e When a system requires 
use of one of these kernel modules, the system\n\u003e administrator must explicitly remove the module blacklist.\n\nAlthough the above is for RHEL8, it is also applicable to Fedora \u003e= 31,\nCentOS 8 and other derivatives.\n\nThe `/etc/modprobe.d/l2tp_netlink-blacklist.conf` file contains:\n```sh\n# Remove the blacklist by adding a comment # at the start of the line.\nblacklist l2tp_netlink\n```\n\nThe `/etc/modprobe.d/l2tp_ppp-blacklist.conf` file contains :\n```sh\n# Remove the blacklist by adding a comment # at the start of the line.\nblacklist l2tp_ppp\n```\n\nThe blacklist of the L2TP modules can be removed by adding a # comment to the\nstart of the blacklist lines with:\n```\nsudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf\nsudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf\n```\n\n## L2TP connection issues with UDP source port 1701\n\nFirst, some examples of successful L2TP connections that demonstrate the source\nport and ephemeral port terminology used in the subsequent issues.\n\nThe following example uses network diagnostic tools `netstat` and the newer\n`ss` to show a successful L2TP connection between a client with its local\naddress (source address and port) and a server with its foreign/peer address\nand port, where the source port is 1701.\n\n```\n$ netstat -u -n\nProto Recv-Q Send-Q Local Address           Foreign Address         State\nudp        0      0 10.184.42.84:1701      123.45.6.78:1701        ESTABLISHED\n\n$ ss -u -n\nRecv-Q   Send-Q         Local Address:Port        Peer Address:Port   Process\n0        0               10.184.42.84:1701         123.45.6.78:1701\n```\n\nThe following shows a successful L2TP connection where the source port is an\nephemeral port (i.e. 
random high port), in this example it is 45575.\n\n```\n$ netstat -un\nProto Recv-Q Send-Q Local Address           Foreign Address         State\nudp        0      0 10.184.42.84:45575     123.45.6.78:1701        ESTABLISHED\n\n$ ss -u -n\nRecv-Q   Send-Q         Local Address:Port        Peer Address:Port   Process\n0        0               10.184.42.84:45575        123.45.6.78:1701\n```\n### Unable to establish L2TP connection without UDP source port 1701\n\nThere are some L2TP/IPsec servers that will reject L2TP connections when an\nephemeral source port is used (i.e. when UDP source port 1701 is not used),\neven though the use of an ephemeral port is considered acceptable in RFC3193,\nthe L2TP/IPsec standard co-authored by Microsoft and Cisco.\n\nWhen NetworkManager-l2tp tries to start its own instance of xl2tpd or kl2tpd,\nif UDP port 1701 is not free (e.g. system xl2tpd is listening on UDP port\n 1701), an ephemeral source port will be used.\n\nThe following `netstat` and `ss` command-lines can be used to check if there\nis system xl2tpd (or some other daemon) listening on UDP port 1701 :\n\n```\n$ sudo netstat -unlp | grep 1701\nudp        0      0 0.0.0.0:1701            0.0.0.0:*                           4123/xl2tpd\n\n$ sudo ss -unlp | grep 1701\nUNCONN 0      0                               0.0.0.0:1701         0.0.0.0:*     users:((\"xl2tpd\",pid=4123,fd=3))\n```\n\nStopping the system xl2tpd service should free UDP port 1701 and on systemd\nbased Linux distributions, the xl2tpd service can be stopped with the\nfollowing:\n\n    sudo systemctl stop xl2tpd.service\n\nIf stopping the xl2tpd service fixes your VPN connection issue, you can\ndisable the xl2tpd service from starting at boot time with :\n\n    sudo systemctl disable xl2tpd.service\n\nThere are some cases where disabling a service doesn't stop it from being\nstarted at boot time. 
You can check if the xl2tpd service is still running\nwith the following :\n\n    systemctl status xl2tpd.service\n\nIf it is still running, you can issue the following to ensure it isn't started\nat boot time:\n\n    sudo systemctl mask xl2tpd.service\n\n### Unable to establish L2TP connection with UDP source port 1701\n\nGenerally NAT-Traversal does not work for multiple L2TP clients behind the\nsame NAT if the clients are all using UDP source port 1701, as the server is\nunable to differentiate between multiple L2TP connections coming from the same\nNAT.\n\nFor NetworkManager-l2tp the simplest workaround to allow the server to\ndifferentiate between multiple L2TP connections from the same NAT is to use an\nephemeral source port. Either click the \"Use L2TP ephemeral source port\"\ncheckbox in the settings, or enable and start the system xl2tpd.\n\nSome L2TP/IPsec servers can be configured to use a connmark plugin (or\nsimilar) to differentiate between L2TP connections from the same NAT.\n\n## IPsec IKEv1 weak legacy algorithms and backwards compatibility\n\nThere is a general consensus that the following legacy algorithms are now\nconsidered weak or broken in regards to security and should be phased out and\nreplaced with stronger algorithms.\n\nEncryption Algorithms :\n* 3DES\n* Blowfish\n\nIntegrity Algorithms :\n* MD5\n* SHA1\n\nDiffie Hellman Groups :\n* MODP768\n* MODP1024\n* MODP1536\n\nThe following strongSwan page has more details on which algorithms are\nconsidered broken:\n* https://wiki.strongswan.org/projects/strongswan/wiki/IKEv1CipherSuites\n\nLegacy algorithms that are considered weak or broken are regularly removed from\nthe default set of allowed algorithms with newer releases of strongSwan and\nlibreswan.\n\nAs of NetworkManager-l2tp version 1.2.16, it was decided to compromise for\nbackwards compatibility by not using the strongSwan and libreswan default set\nof allowed algorithms; algorithms that are a merge of Windows 10 
and\nmacOS/iOS/iPadOS L2TP/IPsec clients' IKEv1 proposals are used instead. The\nweakest proposals that were not common to both Win10 and iOS were dropped, but\nall of the strongest ones were kept:\n\n| Phase 1 - Main Mode |\n| ------------------- |\n| {enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_2048} |\n| {enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1536} |\n| {enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1024} \u0026ast; |\n| {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_2048} |\n| {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1536} |\n| {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1024} \u0026ast; |\n| {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=ECP_384} |\n| {enc=AES_CBC_128 integ=HMAC_SHA1_96 group=MODP_1024} \u0026ast; |\n| {enc=AES_CBC_128 integ=HMAC_SHA1_96 group=ECP_256} |\n| {enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_2048} |\n| {enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_1024} \u0026ast; |\n\n| Phase 2 - Quick Mode |\n| ------------------- |\n| {enc=AES_CBC_256 integ=HMAC_SHA1_96} |\n| {enc=AES_CBC_128 integ=HMAC_SHA1_96} |\n| {enc=3DES_CBC integ=HMAC_SHA1_96} |\n\n\u0026ast; Libreswan \u003e= 3.30 is no longer built with DH2 (modp1024) support, so\nabove proposals which have modp1024 have been excluded when libreswan is used,\nexcept if NetworkManager-l2tp is built with the `--enable-libreswan-dh2`\nconfigure switch.\n\nThe above proposals are equivalent to setting the following phase 1 and 2\nalgorithms in the **Advanced** section of NetworkManager-l2tp's IPsec Options\ndialog box:\n\n**Phase 1 algorithms** with libreswan :\n\n    aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp_384,aes128-sha1-modp1024,aes128-sha1-ecp_256,3des-sha1-modp2048,3des-sha1-modp1024\n\n**Phase 2 algorithms** with libreswan :\n\n    aes256-sha1,aes128-sha1,3des-sha1\n\n**Phase 1 algorithms** with strongSwan :\n\n    
aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha2_256-modp1024,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-modp1024,aes256-sha1-ecp384,aes128-sha1-modp1024,aes128-sha1-ecp256,3des-sha1-modp2048,3des-sha1-modp1024!\n\n**Phase 2 algorithms** with strongSwan :\n\n    aes256-sha1,aes128-sha1,3des-sha1!\n\nIf you are not sure if you are using libreswan or strongSwan, issue the\nfollowing on the command-line:\n\n```\nipsec --version\n```\n\nIf you are concerned about security and wish to use algorithms that are\nstronger than the proposals offered by Windows 10 and macOS/iOS/iPadOS\nL2TP/IPsec clients, user specified phase 1 (*ike* - Main Mode) and phase 2\n(*esp* - Quick Mode) algorithms can be specified in the IPsec Options dialog\nbox. Please see the libreswan or strongSwan `ipsec.conf` documentation for the\n*ike* and *esp* (aka *phase2alg*) syntax.\n\nIf you are not sure which IKEv1 Phase 1 algorithms your VPN server proposes,\nyou can query the VPN server with the `ike-scan.sh` script located in the\nIPsec IKEv1 algorithms section of the Wiki :\n* https://github.com/nm-l2tp/NetworkManager-l2tp/wiki/Known-Issues\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnm-l2tp%2FNetworkManager-l2tp","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnm-l2tp%2FNetworkManager-l2tp","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnm-l2tp%2FNetworkManager-l2tp/lists"}