odisej
(Damjan Franz Lu)
November 5, 2025, 7:54pm
1
After upgrading to F43 I am unable to connect to VPN (l2tp).
This is the journalctl output:
[1762371988.9269] vpn[xyz,“xyz”]: dbus: failure: connect-failed (1)
Packages are installed, tried creating the VPN connection again but the result is the same. Would appreciate any help. Thank you.
1 Like
jvanek
(jiri vanek)
November 7, 2025, 1:48pm
2
Do you have something like
Nov 07 12:24:01 fedora nm-openvpn[83419]: OpenSSL: error:0A000086:SSL routines::certificate verify failed:
Nov 07 12:24:01 fedora nm-openvpn[83419]: TLS_ERROR: BIO read tls_read_plaintext error
Nov 07 12:24:01 fedora nm-openvpn[83419]: TLS Error: TLS object -> incoming plaintext read error
Nov 07 12:24:01 fedora nm-openvpn[83419]: TLS Error: TLS handshake failed
Nov 07 12:24:01 fedora nm-openvpn[83419]: SIGUSR1[soft,tls-error] received, process restarting
Nov 07 12:24:08 fedora nm-openvpn-service[83404]: Connect timer expired, disconnecting.
in logs? It seems that something with certificates went wild
dkosovic
(Douglas Kosovic)
November 9, 2025, 12:09am
3
See the following SELinux policy issue which has a workaround for the kl2tpd permission issue:
https://bugzilla.redhat.com/show_bug.cgi?id=2407022#c6
Along with a SELinux workaround or disabling, you will also need to remove the blacklisting of L2TP kernel modules, which can be achieved with:
sudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf
sudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf
IKEv1 is deprecated and disabled by default with Libreswan >= 5.0, so if you are using Libreswan, you will also need to re-enable IKEv1, which can be achieved with:
sudo sed -e 's/#ikev1-policy=.*/ikev1-policy=accept/' -i /etc/ipsec.conf
1 Like
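Added example (not part of the post above and not code from NetworkManager-l2tp or Libreswan): a read-only check of the two file-based settings those commands change, useful for confirming what state a machine is in before or after applying them. The function name and its optional root-prefix argument are hypothetical; the file paths are the ones given in the post. SELinux state is not checked.

```bash
#!/usr/bin/env bash
# Read-only audit of the L2TP module blacklist files and the ikev1-policy
# setting named in the post. Call as "l2tp_preflight" on a live system, or
# "l2tp_preflight /path/to/copy" to inspect a copied tree (hypothetical
# parameter). Prints one line per finding; returns 0 only if nothing blocks.
l2tp_preflight() {
    local root="${1:-}" rc=0 mod file conf policy
    for mod in l2tp_netlink l2tp_ppp; do
        file="$root/etc/modprobe.d/${mod}-blacklist.conf"
        if [ ! -f "$file" ]; then
            echo "OK      $mod: no blacklist file"
        elif grep -Eq "^[[:space:]]*blacklist[[:space:]]+${mod}([[:space:]]|\$)" "$file"; then
            echo "BLOCKED $mod: active blacklist line in $file"
            rc=1
        else
            echo "OK      $mod: blacklist line commented out"
        fi
    done

    conf="$root/etc/ipsec.conf"
    # Take the value of the last uncommented ikev1-policy= line, if any.
    policy=$(sed -n 's/^[[:space:]]*ikev1-policy[[:space:]]*=[[:space:]]*\([A-Za-z-]*\).*/\1/p' \
        "$conf" 2>/dev/null | tail -n 1)
    case "$policy" in
        accept) echo "OK      ikev1-policy=accept" ;;
        "")     echo "BLOCKED ikev1-policy not set (Libreswan >= 5.0 disables IKEv1 by default)"
                rc=1 ;;
        *)      echo "BLOCKED ikev1-policy=$policy"
                rc=1 ;;
    esac
    return $rc
}
```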
poltpolt
(poltpolt)
November 15, 2025, 10:14pm
4
jiri vanek:
nm-openvpn-service
I did all that, disabled enforce and still cannot get connected (same config works on Ubuntu)
Quote
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 2
lis 15 23:12:28 azahar11c systemd[1]: Started ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 3
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 4
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 5
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 6
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 7
lis 15 23:12:28 azahar11c audit[1]: SERVICE_START pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=‘unit=ipsec comm=“systemd” exe=“/usr/lib/systemd/systemd” hostname=? addr=? terminal=? res=success’
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 8
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 9
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 10
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 11
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 12
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 13
lis 15 23:12:28 azahar11c pluto[84114]: started thread for helper 14
lis 15 23:12:28 azahar11c pluto[84114]: using Linux xfrm kernel support code on #1 SMP PREEMPT_DYNAMIC Sun Nov 2 15:30:09 UTC 2025
lis 15 23:12:28 azahar11c pluto[84114]: setting expire-lifetime= to 30 from ‘/proc/sys/net/core/xfrm_acq_expires’
lis 15 23:12:28 azahar11c pluto[84114]: CRL fetch support [disabled]
lis 15 23:12:28 azahar11c pluto[84114]: SELinux support is enabled in PERMISSIVE mode.
lis 15 23:12:28 azahar11c pluto[84114]: systemd watchdog for ipsec service configured with timeout of 200000000 usecs
lis 15 23:12:28 azahar11c pluto[84114]: watchdog: sending probes every 100 secs
lis 15 23:12:28 azahar11c pluto[84114]: DNSSEC support [enabled]
lis 15 23:12:28 azahar11c pluto[84114]: kernel: directional SA supported by kernel
lis 15 23:12:28 azahar11c pluto[84114]: kernel: IPTFS ipsec SA error: requires option CONFIG_XFRM_IPTFS
lis 15 23:12:28 azahar11c pluto[84114]: kernel: MIGRATE SA supported by kernel
lis 15 23:12:28 azahar11c pluto[84114]: seccomp security is not enabled
lis 15 23:12:28 azahar11c pluto[84114]: listening for IKE messages
lis 15 23:12:28 azahar11c pluto[84114]: Kernel supports NIC esp-hw-offload
lis 15 23:12:28 azahar11c pluto[84114]: adding interface wlp0s20f3 192.168.198.35:UDP/500
lis 15 23:12:28 azahar11c pluto[84114]: adding interface wlp0s20f3 192.168.198.35:UDP/4500 (NAT)
lis 15 23:12:28 azahar11c pluto[84114]: adding interface lo 127.0.0.1:UDP/500
lis 15 23:12:28 azahar11c pluto[84114]: adding interface lo 127.0.0.1:UDP/4500 (NAT)
lis 15 23:12:28 azahar11c pluto[84114]: adding interface lo [::1]:UDP/500
lis 15 23:12:28 azahar11c pluto[84114]: adding interface lo [::1]:UDP/4500 (NAT)
lis 15 23:12:28 azahar11c pluto[84114]: loading secrets from “/etc/ipsec.secrets”
lis 15 23:12:28 azahar11c pluto[84114]: loading secrets from “/etc/ipsec.d/ipsec.nm-l2tp.secrets”
lis 15 23:12:28 azahar11c pluto[84114]: addconn: listening for IKE messages
lis 15 23:12:28 azahar11c pluto[84114]: addconn: Kernel supports NIC esp-hw-offload
lis 15 23:12:28 azahar11c pluto[84114]: addconn: adding interface wlp0s20f3 192.168.198.35:UDP/500
lis 15 23:12:28 azahar11c pluto[84114]: addconn: adding interface wlp0s20f3 192.168.198.35:UDP/4500 (NAT)
lis 15 23:12:28 azahar11c pluto[84114]: addconn: adding interface lo 127.0.0.1:UDP/500
lis 15 23:12:28 azahar11c pluto[84114]: addconn: adding interface lo 127.0.0.1:UDP/4500 (NAT)
lis 15 23:12:28 azahar11c pluto[84114]: addconn: adding interface lo [::1]:UDP/500
lis 15 23:12:28 azahar11c pluto[84114]: addconn: adding interface lo [::1]:UDP/4500 (NAT)
lis 15 23:12:28 azahar11c pluto[84114]: addconn: loading secrets from “/etc/ipsec.secrets”
lis 15 23:12:28 azahar11c pluto[84114]: addconn: loading secrets from “/etc/ipsec.d/ipsec.nm-l2tp.secrets”
lis 15 23:12:28 azahar11c pluto[84114]: addconn:
lis 15 23:12:28 azahar11c nm-l2tp-service[84073]: /usr/bin/ipsec add ‘fde824ca-9313-4b60-8bc3-151796f827e2’ --config /run/nm-l2tp-fde824ca-9313-4b60-8bc3-151796f827e2/ipsec.conf --verbose
lis 15 23:12:28 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2”: added IKEv1 connection
lis 15 23:12:28 azahar11c NetworkManager[84157]: “fde824ca-9313-4b60-8bc3-151796f827e2”: added IKEv1 connection
lis 15 23:12:28 azahar11c NetworkManager[84157]: opening file: /run/nm-l2tp-fde824ca-9313-4b60-8bc3-151796f827e2/ipsec.conf
lis 15 23:12:28 azahar11c NetworkManager[84157]: loading conns matching fde824ca-9313-4b60-8bc3-151796f827e2:
lis 15 23:12:28 azahar11c NetworkManager[84157]: sending to pluto
lis 15 23:12:28 azahar11c nm-l2tp-service[84073]: /usr/bin/ipsec up fde824ca-9313-4b60-8bc3-151796f827e2
lis 15 23:12:28 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: initiating IKEv1 Main Mode connection
lis 15 23:12:28 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: initiating IKEv1 Main Mode connection
lis 15 23:12:28 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: sent Main Mode request
lis 15 23:12:28 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: sent Main Mode request
lis 15 23:12:28 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
lis 15 23:12:28 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
lis 15 23:12:29 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
lis 15 23:12:29 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
lis 15 23:12:30 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
lis 15 23:12:30 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
lis 15 23:12:32 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
lis 15 23:12:32 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 4 seconds for response
lis 15 23:12:36 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
lis 15 23:12:36 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 8 seconds for response
lis 15 23:12:37 azahar11c NetworkManager[1806]: [1763244757.8784] vpn[0x5646f333ddc0,fde824ca-9313-4b60-8bc3-151796f827e2,“em”]: failed to connect: ‘Przekroczono czas oczekiwania’
lis 15 23:12:44 azahar11c nm-l2tp-service[84073]: Could not establish IPsec connection.
lis 15 23:12:44 azahar11c nm-l2tp-service[84073]: g_dbus_method_invocation_take_error: assertion ‘error != NULL’ failed
lis 15 23:12:44 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
lis 15 23:12:44 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 16 seconds for response
lis 15 23:13:00 azahar11c pluto[84114]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
lis 15 23:13:00 azahar11c NetworkManager[84159]: “fde824ca-9313-4b60-8bc3-151796f827e2” #1: STATE_MAIN_I1: retransmission; will wait 32 seconds for response
Quote
dkosovic
(Douglas Kosovic)
November 19, 2025, 2:48am
5
It is not clear if it is the same config as you have on Ubuntu. For historical reasons, Ubuntu defaults to strongswan with network-manager-l2tp and Fedora to libreswan with NetworkManager-l2tp.
From the logs, the VPN server is not responding to the Main Mode (i.e. phase 1) negotiation. If you are using an old or weak encryption VPN server, it most likely hasn’t been set up for Perfect Forward Secrecy (PFS), which is a security feature in the encryption that ensures past communications remain secure even if a long-term private key is compromised.
In the NetworkManager-l2tp IPsec settings, try ticking the “Disable PFS” checkbox (when using libreswan, when it detects you are using strongswan, the checkbox is greyed).
Strongswan handles PFS completely differently to libreswan. I won’t go into the details on how to enable PFS with strongswan.
If you still aren’t able to establish a connection on Fedora, try switching to strongswan by doing:
sudo dnf install strongswan
sudo rpm -e libreswan
2 Likes
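Added example (not part of the posts and not Libreswan tooling): a filter that picks the pattern described in the post above, a Main Mode request followed only by STATE_MAIN_I1 retransmissions, out of journal text. The sample lines are constructed, the function names are hypothetical, and treating any other pluto message for the same state number as progress is an assumption.

```bash
#!/usr/bin/env bash
# Constructed journal excerpt in the format quoted in the thread; the host,
# PIDs and connection name "example-conn" are placeholders.
sample_log() {
cat <<'EOF'
Nov 15 23:12:28 host pluto[100]: "example-conn" #1: initiating IKEv1 Main Mode connection
Nov 15 23:12:28 host NetworkManager[101]: "example-conn" #1: sent Main Mode request
Nov 15 23:12:28 host pluto[100]: "example-conn" #1: sent Main Mode request
Nov 15 23:12:28 host pluto[100]: "example-conn" #1: STATE_MAIN_I1: retransmission; will wait 0.5 seconds for response
Nov 15 23:12:29 host pluto[100]: "example-conn" #1: STATE_MAIN_I1: retransmission; will wait 1 seconds for response
Nov 15 23:12:30 host pluto[100]: "example-conn" #1: STATE_MAIN_I1: retransmission; will wait 2 seconds for response
EOF
}

# Reads journal text from files or stdin and prints one verdict per IKE state
# (#N). Only pluto lines are counted: NetworkManager echoes the same messages.
ike_phase1_verdict() {
    awk '
    / pluto\[[0-9]+\]: "/ {
        sub(/^.* pluto\[[0-9]+\]: /, "")
        if (!match($0, /^"[^"]+" #[0-9]+: /)) next
        key = substr($0, 1, RLENGTH - 2)        # "conn" #N
        msg = substr($0, RLENGTH + 1)
        if (!(key in seen)) { seen[key] = 1; order[++n] = key }
        if (msg ~ /^sent Main Mode request/) {
            sent[key] = 1
        } else if (msg ~ /^STATE_MAIN_I1: retransmission/) {
            retx[key]++
            if (match(msg, /will wait [0-9.]+ seconds/))
                waited[key] += substr(msg, RSTART + 10, RLENGTH - 18)
        } else if (msg !~ /^initiating IKEv1 Main Mode/) {
            progressed[key] = 1                 # assumption: state moved on
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            k = order[i]
            v = progressed[k] ? "PROGRESSED" : (sent[k] && retx[k] ? "NO_RESPONSE" : "UNKNOWN")
            printf "%s %s retransmits=%d waited=%.1fs\n", k, v, retx[k], waited[k]
        }
    }' "$@"
}
```

Feed it saved journal output, for example `journalctl -b | ike_phase1_verdict`; a NO_RESPONSE verdict only says the peer never answered phase 1, not why.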
poltpolt
(poltpolt)
November 19, 2025, 2:42pm
6
That was it, plus a restart was needed for some reason.
dklann
(David Klann)
January 13, 2026, 5:36pm
7
Here it is 2026! I’m running Fedora 43 and I needed to migrate a NetworkManager L2TP configuration from an older workstation that was running Fedora 42. Comment 5 from @dkosovic proved effective for my use case!
Note to future self: read the comment thoroughly and uncheck “Enable PFS” in the IPSec advanced options for older IPSec networks.
Thanks all for creating a clear and concise solution to the problem!
2 Likes
dkosovic
(Douglas Kosovic)
January 17, 2026, 12:22am
8
A follow-up regarding the SELinux policy issue for kl2tpd: selinux-policy-42.21-1.fc43 is now in Fedora 43 Updates and fixes that issue.
1 Like