version 1.8.0 release

Compatible with NetworkManager 1.8.0 and later.

Summary of changes since NetworkManager-l2tp 1.2.16 :

• User TLS certificate support
  • Requires EAP-TLS patch for pppd to be applied to the pppd source code (which many Linux distributions already do).
• Machine TLS certificate support
  • Requires OpenSSL >= 1.1.0 and NSS.
• Auto detect the following TLS certificate and private key file formats by looking at the file contents and not the file extension :
  • PKCS#12 certificates.
  • X509 certificates (PEM or DER).
  • PKCS#8 private keys (PEM or DER)
  • traditional OpenSSL RSA, DSA and ECDSA private keys (PEM or DER).
• Routines to import certificates and privates keys into the system Libreswan NSS database.
• Update translations.

version 1.2.16 release

Compatible with NetworkManager 1.2.0 and later.

• Updated translations.
• Fixed label geometry in LT2P dialog box.
• Removed "Prevalent Algorithms" button
  Made the phase 1 & 2 proposals previously provided by the Prevalent Algorithms button the new default for the IKEv1 proposals. They are a merge of proposals from Win10 and macOS/iOS/iPadOS L2TP/IPsec clients instead of using the libreswan or strongswan default set of proposals. The weakest proposals that weren't common to both Win10 and iOS were dropped, but all of the strongest ones were kept.

version 1.2.14 release

Compatible with NetworkManager 1.2.0 and later.

• Update translations by merging from various sources.
• Changed Legacy Proposal button to Prevalent Algorithms button.
  Clicking Prevalent Algorithms button populates Phase 1 and 2 Algorithm text entry boxes with the following proposals, which are a merge of Windows 10 and macOS/iOS/iPadOS L2TP clients' IKEv1 proposals (note: it auto-detects if you are using strongSwan or Libreswan and populates appropriately with the correct syntax):
  • Phase 1 - Main Mode :
    {enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_2048},
    {enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1536},
    {enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1024},
    {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_2048},
    {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1536},
    {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1024},
    {enc=AES_CBC_256 integ=HMAC_SHA1_96 group=ECP_384},
    {enc=AES_CBC_128 integ=HMAC_SHA1_96 group=MODP_1024},
    {enc=AES_CBC_128 integ=HMAC_SHA1_96 group=ECP_256},
    {enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_2048},
    {enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_1024}
  • Phase 2 - Quick Mode :
    {enc=AES_CBC_256 integ=HMAC_SHA1_96},
    {enc=AES_CBC_128 integ=HMAC_SHA1_96},
    {enc=3DES_CBC integ=HMAC_SHA1_96}
• Added use IKEv2 key exchange option.
• Improved debugging output for Libreswan and strongSwan.
  Libreswan debugging can now be cutomized by setting the PLUTODEBUG environment variable.
  strongSwan debugging can now be cutomized by setting the CHARONDEBUG environment variable.
• Gray out "IPsec Settings..." button if neither Libreswan nor strongSwan are found.
  Also fix crash if "IPsec Settings..." button pressed and no *swan installed.

version 1.2.12 release

Compatible with NetworkManager 1.2.0 and later.

• Update translations by merging from various sources.
• Added Legacy Proposal button.
  Clicking Legacy Proposals button populates Phase 1 and 2 Algorithm text entry boxes with proposals offered by Windows Server 2019:
  • AES256, SHA-1, ECP384 and AES128, SHA-1, ECP256 strong proposals.
    strongSwan recommends not using SHA-1 in its security recommendations documentation.
  • 3DES, SHA-1, MODP1024 broken proposal.
    Legacy Windows 2000 Server era proposal still commonly offered, especially with consumer routers
• Added following IPsec configuration options:
  • Phase1 Lifetime - ikelifetime.
  • Phase2 Lifetime - salifetime (libreswan) / lifetime (strongswan).
  • Use IP compression - compress.
  • Disable PFS - pfs (libreswan).
• renamed Gateway ID to Remote ID and provided GUI tooltip.
  Remote ID is more commonly used than Gateway ID, e.g. NetworkManager-libreswan and macOS/iOS IPsec IKEv2 clients use Remote ID . User confusion should hopefully be reduced.
• removed restrictions that only IP addresses are allowed for Remote ID.
• Generated config file changes, following config files :
  • /var/run/nm-l2tp-xl2tpd-UUID.conf
  • /var/run/nm-l2tp-xl2tpd-control-UUID
  • /var/run/nm-l2tp-xl2tpd-UUID.pid
  • /var/run/nm-l2tp-ppp-options-UUID
    are now:
  • /var/run/nm-l2tp-UUID/xl2tpd.conf
  • /var/run/nm-l2tp-UUID/xl2tpd-control
  • /var/run/nm-l2tp-UUID/xl2tpd-.pid
  • /var/run/nm-l2tp-UUID/ppp-options
• Use same IP secrets file for all L2TP connections,
  /etc/ipsec.d/ipsec.nm-l2tp.secrets is now used instead of /etc/ipsec.d/nm-l2tp-ipsec-UUID.secrets, where UUID was the UUID of the VPN connection.
• Force ikev2=never for Libreswan
  ikev2=permit was the implicit default setting, which tries to detect a "bid down" attack from IKEv2 to IKEv1 and can have an impact on the default proposals.
• Add nm-l2tp-service- prefix back to pppd ipparam argument. The ipparam argument is used by a condition in the Debian resolvconf's /etc/ppp/ip-up.d/000resolvconf script.
• PSK is now Base64 encoded, allows PSK to contain double quotation mark (").
• Fix build without GTK/Gnome.
• Legacy KDE Plasma-nm user certificate support.
• libnm-glib compatibility (NetworkManager < 1.0) is disabled by default. It can be enabled by passing --with-libnm-glib to configure script. Nobody should need it by now. Users that still use this are encouraged to let us know before the libnm-glib support is removed for good.
• The auth helper in external UI mode can now be run without a display server. Future nmcli version will utilize this for handling the secrets without a graphical desktop.

version 1.0.12 release

Compatible with NetworkManager 0.9.8 and 1.0.x.

• Merged translations from NetworkManager-l2tp-1.2.12.
• Removed 'fuzzy' marked translations.
• Corrected Makefile.am for make dist-xz to work.

version 1.0.10 release

Compatible with NetworkManager 0.9.8 and 1.0.x.

• /etc/ipsec.d/ipsec.nm-l2tp.secrets is now used instead of /etc/ipsec.d/nm-l2tp-ipsec-_UUID_.secrets.
• For strongSwan, include ipsec.d/ipsec.nm-l2tp.secrets is now added to /etc/ipsec.secrets instead of include /etc/ipsec.d/*.secrets.
• Allow IPsec ID selectors commencing with with @ or %.
• Replaced older syntax IPsec keyingtries=0 with keyingtries=%forever.
• Write PSK as Base64 encoded value which allows PSKs containing single quotation marks (').
• Force ikev2=never for Libreswan.
• Add nm-l2tp-service- prefix for PPP ipparam argument which is used by Debian's resolvconf package.

version 1.2.10 release

Compatible with NetworkManager 1.2.0 and later.

• Point version 1.2.10 appdata image URIs to nm-1-2 github branch:
  • https://raw.githubusercontent.com/nm-l2tp/network-manager-l2tp/nm-1-2/appdata/l2tp.png
  • https://raw.githubusercontent.com/nm-l2tp/network-manager-l2tp/nm-1-2/appdata/l2tp-ppp.png
• Corrected force UDP encapsulation toggle button behavior.
• Workaround for libreswan ipsec status issue with short (< 8 char) PSKs.
• fix gcc -Wimplicit-fallthrough warning.

version 1.2.8 release

Compatible with NetworkManager 1.2.0 and later.

• Updated translations, merged from NetworkManager-applet, NetworkManager-libreswan, NetworkManager-pptp and KDE Plasma NetworkManagement L2TP. Removed obsolete translations.
• Enforce UDP encapsulation toggle button fix.
• Stop strongSwan service when a connection cannot be established.
• fix entries in Debian Lintian spelling-error-in-binary report.
• configure --runstatedir support if using Autoconf >= 2.7.0.
• If "Automatic (VPN) Addresses Only" mode is enabled in the the IPv4 config settings, do not use the pppd usepeerdns option. i.e. do not override /etc/resolv.conf

version 1.0.8 release

Compatible with NetworkManager 0.9.8 and 1.0.x.

• Updated translations, merged from NetworkManager-applet, NetworkManager-libreswan, NetworkManager-pptp and KDE Plasma NetworkManagement L2TP. Removed obsolete translations.
• Stop strongSwan service when a connection cannot be established.
• fix entries in Debian Lintian spelling-error-in-binary report.
• runstatedir support if using Autoconf >= 2.7.0.
• If using strongSwan, sets phase 1 (ike) and phase 2 (esp) to the following if no user supplied values are provided:
  • ike=aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024
  • esp=aes128-sha1,3des-sha1
• If "Automatic (VPN) Addresses Only" mode is enabled in the the IPv4 config settings, do not use the pppd usepeerdns option. i.e. do not overide /etc/resolv.conf.
• Ubuntu 14.04 compatibility fixes.

version 1.0.6 release

• retrofitted changes from version 1.2.6.
• retrofitted password combo box originally from version 1.2.2.
• Added local code to provide missing password, storage and icon functions with older libnm-gtk versions which were required for the password combo box.