After upgrading to F42 from F41, I cannot use L2TP VPN


I have used Fedora for a long time and upgrade it whenever a new release comes out.
I have an L2TP VPN to connect to my office; everything was fine until I upgraded to Fedora 42.
Right now I cannot connect to the office.
I see:

sudo journalctl -u NetworkManager --since "10 minutes ago" | grep -i vpn
Apr 17 19:58:14 fedora NetworkManager[1458]: <info>  [1744907294.5819] vpn[0x55eb26e10150,acfd79cf-8ea1-483b-bcbc-3b76303d900c,"m.faridi"]: starting l2tp
Apr 17 19:58:15 fedora NetworkManager[1458]: <warn>  [1744907295.0277] vpn[0x55eb26e10150,acfd79cf-8ea1-483b-bcbc-3b76303d900c,"m.faridi"]: failed to connect: 'Could not add ipsec connection.'

I am also experiencing this issue. Tried reinstalling the packages and creating a new VPN connection with the same username and password but the error is still present.

Just wanted to add that the same error is present even when using a fresh install of Fedora 42.

Due to RFC 9395:

IKEv1 is deprecated and disabled by default with Libreswan >= 5.0. Basically the Libreswan developers want to encourage users to move from L2TP/IPsec which in many cases is using weak or broken algorithms to the more secure IKEv2.

You can re-enable IKEv1 by uncommenting the #ikev1-policy=accept line in /etc/ipsec.conf, e.g.:

sudo sed -i -e 's/#ikev1-policy=accept/ikev1-policy=accept/' /etc/ipsec.conf

I would also recommend commenting the blacklisting of the L2TP kernel modules, e.g.:

sudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf
sudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf

See the NetworkManager-l2tp README.md file for more details.

For debugging I recommend the following:
sudo journalctl --no-hostname _COMM=nm-l2tp-service _COMM=ipsec _COMM=pluto _COMM=charon _COMM=kl2tpd _COMM=xl2tpd _COMM=pppd

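Added example, not part of any post in this thread: a read-only check that reports whether the IKEv1 policy and the two L2TP module blacklists named in the answer above are currently in their default or relaxed state, useful before and after applying the sed edits. The file paths are the ones given in the thread; the function names and the optional root prefix argument are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the IKEv1 / L2TP
# workaround is in effect. File paths are the ones named in the thread;
# the optional ROOT prefix is a hypothetical convenience so the check can
# be pointed at a copied or constructed tree instead of the live system.

# Print accept | commented | absent | missing for ikev1-policy in FILE.
ikev1_state() {
    [ -f "$1" ] || { echo missing; return 0; }
    if grep -Eq '^[[:space:]]*ikev1-policy[[:space:]]*=[[:space:]]*accept' "$1"; then
        echo accept
    elif grep -Eq '^[[:space:]]*#[[:space:]]*ikev1-policy[[:space:]]*=[[:space:]]*accept' "$1"; then
        echo commented
    else
        echo absent
    fi
}

# Print blacklisted | allowed for MODULE according to modprobe file FILE.
# Only FILE is inspected; other modprobe.d files are not considered.
blacklist_state() {
    if [ -f "$1" ] && grep -Eq "^[[:space:]]*blacklist[[:space:]]+$2([[:space:]]|\$)" "$1"; then
        echo blacklisted
    else
        echo allowed
    fi
}

# Summarise all three settings under ROOT (default: the live system).
report() {
    root=${1:-}
    echo "ikev1-policy: $(ikev1_state "$root/etc/ipsec.conf")"
    for m in l2tp_netlink l2tp_ppp; do
        echo "$m: $(blacklist_state "$root/etc/modprobe.d/$m-blacklist.conf" "$m")"
    done
}

report "${1:-}"
```

A result of "accept" means IKEv1 negotiation has been re-enabled on this host; "commented" is the state the sed command in the answer expects to find.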

@dkosovic Thank you for your help. It solved the problem.

The thing is, it’s not my choice that the company uses IPSec/L2TP, and since I am probably the only one using Fedora (if not Linux in general), I don’t think they will change it to something else in the near future. I am glad there is a workaround, though, and I hope it will remain an option.