==========================================================
NetworkManager-l2tp-1.52.0
Overview of changes since NetworkManager-l2tp-1.20.22
==========================================================
Changes:
* Verify file permissions for private connections to
prevent an unprivileged user from using another user's
certs (CVE-2025-9615). Requires NetworkManager 1.52.2,
1.54.3 or 1.56.0 and later.
* Fixes g_dbus_method_invocation_take_error: assertion
'error != NULL' failed warning.
* Merge translations from NetworkManager-fortisslvpn,
NetworkManager-libreswan and NetworkManager-openvpn.
==========================================================
NetworkManager-l2tp-1.20.22
Overview of changes since NetworkManager-l2tp-1.20.20
==========================================================
Changes:
* Add group read permission to /etc/ipsec.d/ipsec.nm-l2tp.secrets.
Required when Gentoo strongswan package is built with the "non-root" local
USE flag, otherwise charon daemon does not have the privileges to read
the ipsec.nm-l2tp.secrets file.
* Stored PSK is no longer visible in auth-dialog.
* Stored machine certificate passphrase is no longer visible in auth-dialog.
* Check the presence of the L2TP editor plugin and provide feedback via the
capabilities.
* Wide character password fix.
* Port auth-dialog to Gtk4.
* Update and improve zh_TW Traditional Chinese locale.
==========================================================
NetworkManager-l2tp-1.20.20
Overview of changes since NetworkManager-l2tp-1.20.18
==========================================================
Changes:
* ipsec, xl2tpd & kl2tpd command-line debugging output
added.
* Fixes for gcc -Werror=format-security errors.
* Silence gcc -Wmaybe-uninitialized warning.
* No longer ignore libreswan failed to add connection
errors, such as:
global ikev1-policy does not allow IKEv1 connections.
* Fix for libreswan 5.x deprecation warnings when using
libreswan 5.x:
- ikev2=no has been replaced by keyexchange=ikev1.
- keyingtries=0 ignored, UP connection will attempt
to establish until marked DOWN.
* Merge translations from NetworkManager-openvpn and
NetworkManager-pptp.
==========================================================
NetworkManager-l2tp-1.20.18
Overview of changes since NetworkManager-l2tp-1.20.16
==========================================================
Changes:
* validation of properties fix.
* cinnamon-control-center compatibility fix.
* The starting message for nm-l2tp-service, which includes
the version number, is now visible in journalctl output
even when not in debug mode.
* Fix autoconf 2.69 syntax error for configure.ac.
==========================================================
NetworkManager-l2tp-1.20.16
Overview of changes since NetworkManager-l2tp-1.20.14
==========================================================
Changes:
* Libreswan 4.15 compatibility.
Previous Libreswan 5.0 compatibility changes involving
"auto" command detection broke with Libreswan 4.15, but
not earlier versions.
* Merge translations from KDE Frameworks 6 plasma-nm
* Merge translations from NetworkManager and libnma
==========================================================
NetworkManager-l2tp-1.20.14
Overview of changes since NetworkManager-l2tp-1.20.12
==========================================================
Changes:
* Libreswan 5.0 compatibility
* get_localaddr() for non-ephemeral source port fallback
* Update Chinese (zh_CN) translation.
==========================================================
NetworkManager-l2tp-1.20.12
Overview of changes since NetworkManager-l2tp-1.20.10
==========================================================
Changes:
* Add support for usernames that contain a space
* Fixes MPPE protocol negotiation by not using noccp ppp
option when MPPE is selected.
* Determine correct local IP address for IPSec
* Update Georgian (ka) translation.
==========================================================
NetworkManager-l2tp-1.20.10
Overview of changes since NetworkManager-l2tp-1.20.8
==========================================================
Changes:
* Fix missing ppp user option.
* Add support for compiling against pppd-2.5.0.
* Add error output for missing TLS filenames.
* Remove bashisms in configure script.
* Spell checked code with CSpell.
==========================================================
NetworkManager-l2tp-1.20.8
Overview of changes since NetworkManager-l2tp-1.20.6
==========================================================
Changes:
* Fix padding of PPP Options dialog.
* Undo PTP peer & ext GW routing prevention workaround first introduced
with NetworkManager-l2tp 1.8.4, as the workaround no longer works with
NetworkManager 1.36. The actual fix should be done in NetworkManager.
* Add support for Manual IPv4 configuration options:
Address, Netmask and Gateway.
* Remove deprecated OpenSSL 3 related code
* Load L2TP kernel modules if NM_L2TP_MODPROBE env variable set.
==========================================================
NetworkManager-l2tp-1.20.6
Overview of changes since NetworkManager-l2tp-1.20.4
==========================================================
Changes:
* Fix for Libreswan 4.9 and later detection.
* Fix for ipsec-psk-flags setting not being saved.
* Fix out-of-bounds access in export_ip4.
* Add getenv NM_L2TP_XL2TPD_MAX_RETRIES to allow setting the xl2tpd
max retries value with an env variable.
* Drop unused ChangeLog file.
* Increase IPsec and L2TP daemon wait timeouts for better debugging.
* Update Georgian (ka) translation.
==========================================================
NetworkManager-l2tp-1.20.4
Overview of changes since NetworkManager-l2tp-1.20.2
==========================================================
Changes:
* Security fix for properly detecting that strongswan CHILD_SA connection
has been established.
* Fix for libreswan cannot route template policy error.
==========================================================
NetworkManager-l2tp-1.20.2
Overview of changes since NetworkManager-l2tp-1.20.0
==========================================================
Changes:
* Gtk4 version of the editor plugin is now available (for use with Control
Center of GNOME 42 or later).
* Updated translations.
==========================================================
NetworkManager-l2tp-1.20.0
Overview of changes since NetworkManager-l2tp-1.8.6
==========================================================
Changes:
* Support for kl2tpd from Katalix's go-l2tp project added.
* Support for Multilink PPP added.
* L2TP ephemeral source port checkbox added.
* deprecated libnm-glib/libnm-util code removed and
--with-libnm-glib configure option removed.
* Honors $CHARONDEBUG and $PLUTODEBUG even without --debug.
* Sourcecode reformatted with clang-format.
* intltool for i18n build support no longer required.
* Updated translations.
==========================================================
NetworkManager-l2tp-1.8.6
Overview of changes since NetworkManager-l2tp-1.8.4
==========================================================
Changes:
* Fix for issue preventing Fedora RPMs from building:
add missing properties/import-export.c to POTFILES.in
==========================================================
NetworkManager-l2tp-1.8.4
Overview of changes since NetworkManager-l2tp-1.8.2
==========================================================
Changes:
* Update translations.
* Update strings for new dialog design in gnome-shell.
e.g use "Password" instead of "Password:".
* Use /usr/share/metainfo for AppData files.
* Move D-Bus policy file to /usr/share/dbus-1/system.d/
* Add --with-nm-ipsec-nss-dir configure switch for Libreswan NSS
database location with default value of /var/lib/ipsec/nss
* Do not add broken route to VPN gateway IP address.
* Add back import/export capability.
* update default PPPD_PLUGIN_DIR to ${libdir}/pppd/2.4.8
* Fix for user certificate password flags for connection editor.
==========================================================
NetworkManager-l2tp-1.8.2
Overview of changes since NetworkManager-l2tp-1.8.0
==========================================================
Changes:
* Fixes for user certificate support.
* Remove modp1024 in default phase 1 algorithms for Libreswan, as
libreswan >= 3.30 is no longer built with DH2 (modp1024) support.
* Provide --enable-libreswan-dh2 configure switch for older libreswan versions.
* KDE plasma-nm compatibility for "Gateway ID".
==========================================================
NetworkManager-l2tp-1.8.0
Overview of changes since NetworkManager-l2tp-1.2.16
==========================================================
* User and machine TLS certificate support.
* New dependency on OpenSSL's libcrypto (>= 1.1.0).
* New dependency on Network Security Services (NSS) libraries.
* Routines to auto-detect the following TLS certificate and private key file
formats by looking at the file contents and not the file extension; they also
determine whether the files are encrypted with a password, which includes
testing if the password is the empty string or NULL:
- PKCS#12 certificates.
- X509 certificates (PEM or DER).
- PKCS#8 private keys (PEM or DER)
- traditional OpenSSL RSA, DSA and ECDSA private keys (PEM or DER).
* Routines to import certificates and private keys into a Libreswan NSS
database.
* Grey out the auth type selection for user authentication if EAP-TLS
pppd patch not detected.
* Update translations.
==========================================================
NetworkManager-l2tp-1.2.16
Overview of changes since network-manager-l2tp-1.2.14
==========================================================
* Update translations.
* Fix label geometry in L2TP dialog box.
* Remove "Prevalent Algorithms" button, override default algorithms.
Made the phase 1 & 2 proposals previously provided by the Prevalent
Algorithms button the new default for the IKEv1 proposals.
==========================================================
NetworkManager-l2tp-1.2.14
Overview of changes since network-manager-l2tp-1.2.12
==========================================================
* Update translations by merging from various sources.
* Changed Legacy Proposal button to Prevalent Algorithms button.
Clicking Prevalent Algorithms button populates Phase 1 and 2 Algorithm text
entry boxes with the following proposals, which are a merge of Windows 10
and macOS/iOS/iPadOS L2TP clients' IKEv1 proposals.
- Phase 1 - Main Mode :
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=ECP_384},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=ECP_256},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_2048},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_1024}
- Phase 2 - Quick Mode :
{enc=AES_CBC_256 integ=HMAC_SHA1_96},
{enc=AES_CBC_128 integ=HMAC_SHA1_96},
{enc=3DES_CBC integ=HMAC_SHA1_96}
* Added use IKEv2 key exchange option.
* Improved debugging output for Libreswan and strongSwan.
Libreswan debugging can now be customized by setting the `PLUTODEBUG`
environment variable.
strongSwan debugging can now be customized by setting the `CHARONDEBUG`
environment variable.
* Gray out "IPsec Settings..." button if no *swan found.
Also fix crash if "IPsec Settings..." button pressed and no *swan installed.
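
Added example, not part of the NetworkManager-l2tp NEWS file or the project's code: a small Python audit of the Phase 1 list above against the remarks these release notes make about 3DES, SHA-1 and MODP1024. The FLAGS table and the function names are assumptions of this example.

```python
import re

# Phase 1 proposals copied from the 1.2.14 "Prevalent Algorithms" entry above.
PHASE1 = """
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA2_256_128 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_2048},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1536},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_256 integ=HMAC_SHA1_96 group=ECP_384},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=MODP_1024},
{enc=AES_CBC_128 integ=HMAC_SHA1_96 group=ECP_256},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_2048},
{enc=3DES_CBC integ=HMAC_SHA1_96 group=MODP_1024}
"""

# Assumption of this example: which transforms to flag, with the reason
# taken from the release notes in this file.
FLAGS = {
    ("enc", "3DES_CBC"): "3DES is in the proposal the 1.2.12 notes call broken",
    ("integ", "HMAC_SHA1_96"): "SHA-1: strongSwan recommends against it (1.2.12)",
    ("group", "MODP_1024"): "MODP_1024 (DH2): libreswan >= 3.30 is built without it (1.8.2)",
}

def parse_proposals(text):
    """Turn '{enc=... integ=... group=...}, ...' into a list of dicts."""
    proposals = []
    for body in re.findall(r"\{([^{}]*)\}", text):
        fields = {}
        for token in body.split():
            key, sep, value = token.partition("=")
            if not sep or not key or not value:
                raise ValueError(f"malformed transform: {token!r}")
            fields[key] = value
        proposals.append(fields)
    return proposals

def audit(proposals):
    """Pair each proposal with the list of reasons it was flagged."""
    return [(p, [why for (k, v), why in FLAGS.items() if p.get(k) == v])
            for p in proposals]

def unflagged(proposals):
    """Proposals that use none of the flagged transforms."""
    return [p for p, reasons in audit(proposals) if not reasons]

if __name__ == "__main__":
    for p, reasons in audit(parse_proposals(PHASE1)):
        print(" ".join(f"{k}={v}" for k, v in p.items()))
        for why in reasons:
            print("    -", why)
```

Only the two AES_CBC_256 / HMAC_SHA2_256_128 proposals with MODP_2048 and MODP_1536 come back unflagged; the same parser accepts the Phase 2 list, which has no group field.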
==========================================================
NetworkManager-l2tp-1.2.12
Overview of changes since NetworkManager-l2tp-1.2.10
==========================================================
* Update translations by merging from various sources.
* Added Legacy Proposal button.
Clicking Legacy Proposals button populates Phase 1 and 2 Algorithm text entry
boxes with proposals offered by Windows Server 2019:
- AES256, SHA-1, ECP384 and AES128, SHA-1, ECP256 strong proposals.
strongSwan recommends not using SHA-1 in its security recommendations
documentation.
- 3DES, SHA-1, MODP1024 broken proposal.
Legacy Windows 2000 Server era proposal still commonly offered, especially
with consumer routers
* Added following IPsec configuration options:
- Phase1 Lifetime - ikelifetime.
- Phase2 Lifetime - salifetime (libreswan) / lifetime (strongswan).
- Use IP compression - compress.
- Disable PFS - pfs.
* renamed Gateway ID to Remote ID and updated GUI tooltip.
* removed restrictions that only IP addresses are allowed for the Remote ID.
* Generated config file changes, following config files :
- /var/run/nm-l2tp-xl2tpd-_UUID_.conf
- /var/run/nm-l2tp-xl2tpd-control-_UUID_
- /var/run/nm-l2tp-xl2tpd-_UUID_.pid
- /var/run/nm-l2tp-ppp-options-_UUID_
are now:
- /var/run/nm-l2tp-_UUID_/xl2tpd.conf
- /var/run/nm-l2tp-_UUID_/xl2tpd-control
- /var/run/nm-l2tp-_UUID_/xl2tpd-.pid
- /var/run/nm-l2tp-_UUID_/ppp-options
* Use same IP secrets file for all L2TP connections,
/etc/ipsec.d/ipsec.nm-l2tp.secrets is now used instead of
/etc/ipsec.d/nm-l2tp-ipsec-_UUID_.secrets, where _UUID_ was the UUID of the
VPN connection.
* Force ikev2=never for Libreswan
ikev2=permit is the implicit default setting, which tries to detect
a "bid down" attack from IKEv2 to IKEv1 and can have an impact on
the default proposals.
* Add nm-l2tp-service- prefix back to pppd ipparam argument.
The ipparam argument is used by a condition in the Debian resolvconf's
/etc/ppp/ip-up.d/000resolvconf script.
* PSK is now Base64 encoded, allows PSK to contain double quotation mark (").
* Fix build without GTK/Gnome.
* Legacy KDE Plasma-nm user certificate support.
* libnm-glib compatibility (NetworkManager < 1.0) is disabled by default.
It can be enabled by passing --with-libnm-glib to configure script.
Nobody should need it by now. Users that still use this are encouraged
to let us know before the libnm-glib support is removed for good.
* The auth helper in external UI mode can now be run without a display
server. Future nmcli version will utilize this for handling the
secrets without a graphical desktop.
=======================================================
NetworkManager-l2tp-1.2.10
Overview of changes since NetworkManager-l2tp-1.2.8
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* Point version 1.2.10 appdata image URIs to nm-1-2 github branch:
https://raw.githubusercontent.com/nm-l2tp/NetworkManager-l2tp/nm-1-2/appdata
* Corrected force UDP encapsulation toggle button behavior.
* Workaround for libreswan `ipsec status` issue with short (< 8 char) PSKs.
* fix gcc -Wimplicit-fallthrough warning.
=======================================================
NetworkManager-l2tp-1.2.8
Overview of changes since NetworkManager-l2tp-1.2.6
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* Updated translations, merged from NetworkManager-applet,
NetworkManager-libreswan, NetworkManager-pptp and
KDE Plasma NetworkManagement L2TP. Removed obsolete translations.
* Enforce UDP encapsulation toggle button fix.
* Stop strongSwan service when a connection cannot be established.
* fix entries in Debian Lintian spelling-error-in-binary report.
* configure --runstatedir support if using Autoconf >= 2.7.0.
* If "Automatic (VPN) Addresses Only" mode is enabled in the IPv4
config settings, do not use the pppd usepeerdns option.
i.e. do not override /etc/resolv.conf.
=======================================================
NetworkManager-l2tp-1.2.6
Overview of changes since NetworkManager-l2tp-1.2.4
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* If L2TP port 1701 is already in use, no longer writes
"leftprotoport=udp/l2tp" (which is equivalent to "leftprotoport=udp/1701") to
the ipsec config file. This was done to ensure L2TP is encapsulated in IPsec.
* Uses UUID instead of PID for run-time generated filenames
* No longer temporarily replaces system /etc/ipsec.secrets file
* IPsec rekeying is now possible because the following file remains for the
lifetime of the VPN connection :
/etc/ipsec.d/nm-l2tp-ipsec-UUID.secrets
* Following line is appended to /etc/ipsec.secrets if the include line is
missing:
include /etc/ipsec.d/*.secrets
* Removed IPsec Group Name from user interface
* Added IPsec Phase 1 (ike) & Phase 2 (esp) to user interface
* New timeout code for IPsec connection up script.
=======================================================
NetworkManager-l2tp-1.2.4
Overview of changes since NetworkManager-l2tp-1.2.2
=======================================================
This is a new stable release of NetworkManager-l2tp. Notable changes include:
* Prefer building against stable libsecret API
* Split libnm-vpn-plugin-l2tp.so into a GTK-free core plugin
usable by nmcli and a UI plugin for nm-applet and gnome components
* Successfully builds on 32bit Linux
* Explicitly check strongSwan connection has been established
and do not trust the exit status of strongSwan 'ipsec up' command
* Support weaker initial proposals on later versions of strongSwan
* Support IP addresses for IPsec leftid and rightid
* 10 second timeout for ipsec starter process