L2TP VPNs with NetworkManager and strongswan failing to connect, with no meaningful logs

  1. Installed L2TP packages: NetworkManager-l2tp, plasma-nm5-l2tp, xl2tpd
  2. Installed strongswan packages: NetworkManager-strongswan, plasma-nm5-strongswan, strongswan, and its libraries for IPSEC, libs0-, and nm-
  3. I have an L2TP VPN config set up in the Network Manager GUI: pre-shared key, with username and password

Relevant journalctl -xe NM_CONNECTION=… + NM_DEVICE=… logs:

    Started the VPN service, PID 3288
    Saw the service appear; activating connection
    VPN connection: (ConnectInteractive) reply received
    VPN plugin: state changed: starting (3)
    VPN plugin: failed: connect-failed (1)
    VPN plugin: failed: connect-failed (1)
    VPN plugin: state changed: stopping (5)
    VPN plugin: state changed: stopped (6)
    VPN service disappeared

Relevant journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd logs:

    NetworkManager[1281]: <info>  [1634854280.8774] vpn-connection[0x5637e7ca60f0,d67a0914-7f17-442b-bf27-ec41aa364b81,"<VPN name>",0]: VPN plugin: state changed: starting (3)
    charon[4477]: 14[NET] received packet: from <VPN gateway>[4500] to 192.168.20.2[4500] (204 bytes)
    charon[4477]: 14[IKE] received retransmit of response with ID 1015903007, but next request already sent
    NetworkManager[4510]: xl2tpd[4510]: death_handler: Fatal signal 15 received
    NetworkManager[4510]: xl2tpd[4510]: Connection 0 closed to <VPN gateway>, port 1701 (Server closing)
    NetworkManager[1281]: <warn>  [1634854294.8915] vpn-connection[0x5637e7ca60f0,d67a0914-7f17-442b-bf27-ec41aa364b81,"<VPN name>",0]: VPN plugin: failed: connect-failed (1)
    NetworkManager[1281]: <warn>  [1634854294.8916] vpn-connection[0x5637e7ca60f0,d67a0914-7f17-442b-bf27-ec41aa364b81,"<VPN name>",0]: VPN plugin: failed: connect-failed (1)
    NetworkManager[1281]: <info>  [1634854294.8916] vpn-connection[0x5637e7ca60f0,d67a0914-7f17-442b-bf27-ec41aa364b81,"<VPN name>",0]: VPN plugin: state changed: stopping (5)
    NetworkManager[4567]: Stopping strongSwan IPsec...
    charon[4477]: 00[DMN] SIGINT received, shutting down
    charon[4477]: 00[IKE] deleting IKE_SA d67a0914-7f17-442b-bf27-ec41aa364b81[1] between 192.168.20.2[192.168.20.2]...<VPN gateway><VPN gateway>]
    charon[4477]: 00[IKE] deleting IKE_SA d67a0914-7f17-442b-bf27-ec41aa364b81[1] between 192.168.20.2[192.168.20.2]...<VPN gateway><VPN gateway>]
    charon[4477]: 00[IKE] sending DELETE for IKE_SA d67a0914-7f17-442b-bf27-ec41aa364b81[1]
    charon[4477]: 00[ENC] generating INFORMATIONAL_V1 request 2475207184  HASH D ]
    charon[4477]: 00[NET] sending packet: from 192.168.20.2[4500] to <VPN gateway>[4500] (84 bytes)
    ipsec_starter[4476]: child 4477 (charon) has quit (exit code 0)
    ipsec_starter[4476]:
    ipsec_starter[4476]: charon stopped after 200 ms
    ipsec_starter[4476]: ipsec starter stopped
    nm-l2tp-service[4457]: ipsec shut down
    NetworkManager[1281]: <info>  [1634854294.9995] vpn-connection[0x5637e7ca60f0,d67a0914-7f17-442b-bf27-ec41aa364b81,"<VPN name>",0]: VPN plugin: state changed: stopped (6)
    NetworkManager[1281]: <info>  [1634854295.0010] vpn-connection[0x5637e7ca60f0,d67a0914-7f17-442b-bf27-ec41aa364b81,"<VPN name>",0]: VPN service disappeared

The strongSwan service is running ("# systemctl status strongswan" reports active and running). xl2tpd is not running ("$ systemctl status xl2tpd" reports inactive).

There’s only one /etc/nsswitch.conf, no duplicate from rpmnew.

The actual output from # nmcli con up id VPN is simply Error: Connection activation failed: Unknown reason.

I have edited /etc/NetworkManager/system-connections/VPN.nmconnection to include password-flags=0 and a [vpn-secrets] section with a plain-text password.

In the VPN config on Network Manager, I have it set to store password for all users.

What else can I try?
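An added triage script, not part of this thread or of NetworkManager, strongSwan or xl2tpd, that works through the kind of journal output quoted above: it pulls out the VPN plugin state sequence, the failure reason, the seconds from "starting" to failure, and which daemon was the last to log before the plugin gave up, so you can tell whether the connection died at the IKE, L2TP or PPP stage. The sample lines are constructed from the shape of the logs above (203.0.113.1 is a documentation address standing in for the gateway), and the journalctl filter in the comment is an assumption about how you would feed it a live failure.

```shell
#!/bin/sh
# Added example, not from the thread or from NetworkManager/strongSwan/xl2tpd.
# Triage journal output for an L2TP/IPsec VPN that NetworkManager reports as
# "Connection activation failed: Unknown reason": extract the plugin state
# sequence, the failure reason, the time to failure, and which layer (IKE,
# L2TP, PPP) the connection died in, judged by which daemon got to log.
#
# To run it against a live failure, replace SAMPLE_LOG with the journal
# (assumed filter; '+' is journalctl's OR between match groups):
#   LOG=$(journalctl -b --no-hostname _SYSTEMD_UNIT=NetworkManager.service \
#         + SYSLOG_IDENTIFIER=charon + SYSLOG_IDENTIFIER=xl2tpd + SYSLOG_IDENTIFIER=pppd)
# The lines below are constructed from the shape of the output in the thread;
# 203.0.113.1 is a documentation address standing in for the VPN gateway.
SAMPLE_LOG='NetworkManager[1281]: <info>  [1634854280.8774] vpn-connection[0x5637e7ca60f0,d67a0914,"VPN",0]: VPN plugin: state changed: starting (3)
charon[4477]: 14[NET] received packet: from 203.0.113.1[4500] to 192.168.20.2[4500] (204 bytes)
charon[4477]: 14[IKE] received retransmit of response with ID 1015903007, but next request already sent
NetworkManager[4510]: xl2tpd[4510]: death_handler: Fatal signal 15 received
NetworkManager[4510]: xl2tpd[4510]: Connection 0 closed to 203.0.113.1, port 1701 (Server closing)
NetworkManager[1281]: <warn>  [1634854294.8915] vpn-connection[0x5637e7ca60f0,d67a0914,"VPN",0]: VPN plugin: failed: connect-failed (1)
NetworkManager[1281]: <info>  [1634854294.8916] vpn-connection[0x5637e7ca60f0,d67a0914,"VPN",0]: VPN plugin: state changed: stopping (5)
charon[4477]: 00[IKE] deleting IKE_SA d67a0914[1] between 192.168.20.2[192.168.20.2]...203.0.113.1[203.0.113.1]
NetworkManager[1281]: <info>  [1634854294.9995] vpn-connection[0x5637e7ca60f0,d67a0914,"VPN",0]: VPN plugin: state changed: stopped (6)'

# Sequence of VPN plugin states, space separated, e.g. "starting stopping stopped".
# A healthy activation passes through "started" before any "stopping".
vpn_state_sequence() {
    printf '%s\n' "$1" |
        sed -n 's/.*VPN plugin: state changed: \([a-z-]*\) (.*/\1/p' |
        tr '\n' ' ' | sed 's/ $//'
}

# First failure reason NetworkManager logged for the plugin, e.g. "connect-failed".
vpn_failure_reason() {
    printf '%s\n' "$1" |
        sed -n 's/.*VPN plugin: failed: \([a-z-]*\) (.*/\1/p' | head -n 1
}

# Whole seconds between the plugin entering "starting" and the first failure,
# from the bracketed NetworkManager timestamps. A gap near a round number such
# as 10, 15 or 60 suggests a timeout rather than an immediate rejection.
seconds_to_failure() {
    start=$(printf '%s\n' "$1" | sed -n 's/.*\[\([0-9]*\)\.[0-9]*\].*state changed: starting.*/\1/p' | head -n 1)
    fail=$(printf '%s\n' "$1" | sed -n 's/.*\[\([0-9]*\)\.[0-9]*\].*VPN plugin: failed.*/\1/p' | head -n 1)
    [ -n "$start" ] && [ -n "$fail" ] && echo $((fail - start))
}

# Which layer the connection died in, judged by which daemon got to log:
#   ok           no failure recorded
#   ppp          pppd logged, so the L2TP tunnel came up; PPP/auth is the suspect
#   l2tp         IKE exchanged with the gateway but xl2tpd was torn down
#                (signal 15 is SIGTERM: stopped, not crashed, consistent with
#                the plugin giving up on the tunnel)
#   ike          charon received packets from the gateway but nothing got further
#   no-response  charon never received a packet: UDP 500/4500 path is the suspect
failing_layer() {
    log=$1
    printf '%s\n' "$log" | grep -q 'VPN plugin: failed' || { echo ok; return; }
    printf '%s\n' "$log" | grep -q 'pppd\[' && { echo ppp; return; }
    printf '%s\n' "$log" | grep -q 'xl2tpd\[' && { echo l2tp; return; }
    printf '%s\n' "$log" | grep -q 'charon\[[0-9]*\]: [0-9]*\[NET\] received packet' && { echo ike; return; }
    echo no-response
}

# Stand-alone run: summarise the constructed sample.
printf 'plugin states : %s\n' "$(vpn_state_sequence "$SAMPLE_LOG")"
printf 'failure reason: %s\n' "$(vpn_failure_reason "$SAMPLE_LOG")"
printf 'time to fail  : %ss\n' "$(seconds_to_failure "$SAMPLE_LOG")"
printf 'died in layer : %s\n' "$(failing_layer "$SAMPLE_LOG")"
```

On the logs quoted above the picture is the same as the sample gives: pppd was in the journalctl filter but never logged a line, charon was exchanging with the gateway, and xl2tpd received signal 15 about 14 seconds after "starting", so the tunnel was torn down before PPP ever began. That puts the L2TP stage, not the pre-shared key or the PPP credentials, first in line for a closer look.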

I would try setting up the connection from the console; see https://github.com/hwdsl2/setup-ipsec-vpn/blob/master/docs/clients.md#linux
That way you are likely to get more useful logging.

I did the same for my VPN connection, and only when that worked did I make Network Manager work.

From the command line the VPN works, but I am unable to set up split tunnelling, something which would otherwise be simple through Network Manager. Is there a strongswan option to do so? It’s also interesting that the instructions seem to use the old ipsec command instead of swanctl. Specifying a right subnet of 0.0.0.0/0 does not work. The VPN does allow me to enable split tunnelling.

Edit: Solved now. Got it working correctly with the setup in this GitHub doc, and changed my routing table to allow tunnelling. Had to change my netconfig update policy to “” so it would stop overriding my DNS.

Good that things are solved using the command line; the next step could be to get it working via Network Manager. Changing your routing table is possible using Network Manager; it might be that you need nmcli for that.