Upgrade from F43 to F44 broke strongswan VPN

Last week I upgraded my F43 VM (VirtualBox, Windows) to F44. The VPN connection that uses strongswan stopped working after that. Since then I have recreated a new F43 VM from a snapshot and it works fine. However, neither the upgraded VM nor F44 installed from scratch works.

The problem feels like some new permission problem even though the permissions are the same in F43 and F44. The problem is that I have not been able to figure out which temporary file it tries to create when I try to bring the VPN up. The only errors that I see are:

$ nmcli c u DC1
Error: Connection activation failed: No valid secrets
Hint: use 'journalctl -xe NM_CONNECTION=ee18f107-63eb-4d30-b59f-2a6d594a15a1 + NM_DEVICE=enp0s3' to get more details.

and the error that is seen in the journal is:

Apr 30 18:59:11 fedora NetworkManager[1112]: <info>  [1777564751.9492] device (enp0s3): Activation: successful, device activated.
Apr 30 19:11:19 fedora NetworkManager[1112]: <info>  [1777565479.1580] vpn[0x560f6616c500,ee18f107-63eb-4d30-b59f-2a6d594a15a1,"DC1"]: starting strongswan
Apr 30 19:11:19 fedora NetworkManager[1112]: <warn>  [1777565479.4678] vpn[0x560f6616c500,ee18f107-63eb-4d30-b59f-2a6d594a15a1,"DC1"]: plugin NeedSecrets request #1 failed: GDBus.Error:org.freedesktop.NetworkManager.Settings.Connection.InvalidProperty: Failure creating the temporary file

If I raise the log level it does not give any more information about the file it tries to create.

What has changed between F43 and F44 that could cause this? And especially, what is the file that the F44 version tries to create here?

F43 strongswan packages:

Installed packages
NetworkManager-strongswan.x86_64       1.6.0-10.fc43 fedora
NetworkManager-strongswan-gnome.x86_64 1.6.0-10.fc43 fedora
strongswan.x86_64                      6.0.2-6.fc43  fedora
strongswan-charon-nm.x86_64            6.0.2-6.fc43  fedora

Available packages
plasma-nm-strongswan.x86_64            6.6.4-1.fc43  updates
strongswan-libipsec.x86_64             6.0.2-6.fc43  fedora
strongswan-sqlite.x86_64               6.0.2-6.fc43  fedora
strongswan-tnc-imcvs.x86_64            6.0.2-6.fc43  fedora

F44 strongswan packages:

Installed packages
NetworkManager-strongswan.x86_64       1.6.0-12.fc44 fedora
NetworkManager-strongswan-gnome.x86_64 1.6.0-12.fc44 fedora
strongswan.x86_64                      6.0.4-2.fc44  fedora
strongswan-charon-nm.x86_64            6.0.4-2.fc44  fedora

Available packages
plasma-nm-strongswan.x86_64            6.6.4-1.fc44  fedora
strongswan-libipsec.x86_64             6.0.4-2.fc44  fedora
strongswan-sqlite.x86_64               6.0.4-2.fc44  fedora
strongswan-tnc-imcvs.x86_64            6.0.4-2.fc44  fedora

I’m having the exact same issue

strongSwan 6.0.4 and later contain a fix for CVE-2025-9615, see:

I think Fedora 43 has the older strongswan 6.0.2.

I think the nm_utils_copy_cert_as_user function mentioned on the above page creates a temp file.

I imagine there is some SELinux output in the journalctl logs regarding the temp file. As a temp workaround you could disable SELinux.
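
One way to test the SELinux guess in the reply above, as an added example that is not part of any post in this thread: a filter that summarises AVC denials logged for the processes involved. The sample journal lines, the `example_t` type and the file names are constructed, and the process-name filter (NetworkManager, charon-nm) is an assumption.

```shell
#!/bin/sh
# Added example: list SELinux AVC denials logged for the VPN processes.
# Live use (root):  journalctl -b _TRANSPORT=audit | avc_summary
# Assumption: the relevant process names are NetworkManager and charon-nm.

avc_summary() {
    awk '
    # Value of key=value on the current line, quotes stripped; "-" if absent.
    function field(key,    s) {
        if (!match($0, "(^| )" key "=[^ ]+")) return "-"
        s = substr($0, RSTART, RLENGTH)
        sub("^ ?" key "=", "", s)
        gsub(/"/, "", s)
        return s
    }
    /avc: +denied/ {
        comm = field("comm")
        if (comm !~ /^(NetworkManager|charon-nm)$/) next
        # Permissions are listed between braces: { create write }
        perms = "-"
        if (match($0, /[{][^}]*[}]/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
            gsub(/ +/, ",", perms)
        }
        # Prefer the object name; fall back to the full path if present.
        obj = field("name")
        if (obj == "-") obj = field("path")
        print comm, perms, field("tclass"), obj, field("tcontext")
    }'
}

# Constructed sample input (not taken from the thread).
sample_journal() {
    cat <<'EOF'
Jan 01 00:00:01 host audit[100]: AVC avc:  denied  { create write } for  pid=100 comm="NetworkManager" name="EXAMPLE-tempfile" scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=0
Jan 01 00:00:02 host audit[200]: AVC avc:  denied  { read } for  pid=200 comm="charon-nm" path="/EXAMPLE/dir" scontext=system_u:system_r:example_src_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=dir permissive=0
Jan 01 00:00:03 host audit[300]: AVC avc:  denied  { read } for  pid=300 comm="otherd" name="unrelated" scontext=system_u:system_r:other_t:s0 tcontext=system_u:object_r:example_t:s0 tclass=file permissive=0
Jan 01 00:00:04 host NetworkManager[100]: <info>  constructed non-audit line
EOF
}

sample_journal | avc_summary
```

An empty result for the time of the failed activation means no denial was logged for these processes, which points away from SELinux for that attempt.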

As you can see from my original post, there is a difference in the versions, just as you say. I tried to debug the issue earlier this week and it is indeed the above-mentioned fix to the CVE that is probably the cause of my (and others') problem.

However, if I set the VPN to be available for all users (not just me) then I get further, as there is no more “Failure creating the temporary file” problem. So I suspect that the root cause is in what user accounts are used to run the processes. I could not easily find what the difference is when your VPN is only for one user or for all users.

Also, after changing the VPN to “all users” there is another error that gives even less information about what goes wrong. The VPN is opened and the cert is changed, but it always comes up as invalid and no access is granted. However, exactly the same certs work fine on F43.