VPN connection is up, but the servers aren’t fully reachable after some time

[tukusejssirs]

Related to #132

---

@dkosovic, I am not sure what happened, but today I wanted to connect to a L2TP/IPSec VPN after some time (a month?) which worked last time I tried, I have made no config change at all, but now behaves strangely. All I did is upgrade the packages as usual.

Current behaviour:

• nmcli c up $vpn_con_name connects to the the VPN as expected and the connection never ceases (unless I execute nmcli c down $vpn_con_name).
• Initially, I can connect to a server behind the VPN via SSH, open a website running on that server, ping that server, list open ports via nmap.
• After some time (2-3 minutes?), I still can ping the server, however, nmap lists no open ports, the website cannot be open, SSH connection cannot be made (Connection refused).
• If I connect to the server via SSH before it ceases to work, the SSH connection is not disconnected and it works even after the problems appear.

---

Now, the only change I see is that today I have upgraded networkmanager to 1.42.6-1. I tried to downgrade it to 1.42.4-2 and 1.42.4-1, but the problems are the same. I haven’t tried to downgrade to older versions. As for this packages, I use networkmanager-l2tp-git@1.20.6.r3.g6483691-1 since 13 Dec 2022. I have noticed that yay (my AUR helper command) does not know if there is a new nm-l2tp version (because the package uses Git commits), so I created a BASH script to check if there is a new commit in nm-l2tp repository and update the package then. Therefore right now, I have installed version 1.20.10.r0.g8760535-1, however, it behaves all the same.

Note that I have rebooted my computer after each upgrade/download of each package before testing if the connection works as expected.

I use Arch Linux x86_64 BTW. 😉

[dkosovic]

Extract from kernel 6.1.26 LTS changelog :

commit ea854a25c8327f51f7ff529b745794a985185563
Author: Florian Westphal <fw @ strlen.de>
Date: Mon Apr 3 13:54:37 2023 +0200

netfilter: br_netfilter: fix recent physdev match breakage

[ Upstream commit 94623f579ce338b5fa61b5acaa5beb8aa657fb9e ]

Recent attempt to ensure PREROUTING hook is executed again when a decrypted ipsec packet received on a bridge passes through the network stack a second time broke the physdev match in INPUT hook.

We can't discard the nf_bridge info strct from sabotage_in hook, as this is needed by the physdev match.

You might like to try a different kernel.

[tukusejssirs]

Thanks for such a prompt reply! 🙏

Oh, another kernel issue. Do you watch this kernel issue? If so, could you notify me if/when it is resolved please! 🙏

---

I’ve been running linux@6.2.13.arch1-1. I have just booted up linux-lts@6.1.26-1, but nmcli c up $vpn_con_name fails and I am not connected to the VPN at all (see below for some journalctl log; I tried to connect to the VPN multiple times in a row). From this point of view, it works much better on linux@6.2.13.arch1-1 than on the LTS kernel.

May 02 14:26:20 $hostname NetworkManager[851]: <info>  [1683030380.9495] device (wlan0): driver supports Access Point (AP) mode
May 02 14:26:20 $hostname NetworkManager[851]: <info>  [1683030380.9499] manager: (wlan0): new 802.11 Wi-Fi device (/org/freedesktop/NetworkManager/Devices/3)
May 02 14:26:20 $hostname NetworkManager[851]: <info>  [1683030380.9501] device (wlan0): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
May 02 14:26:21 $hostname NetworkManager[851]: <info>  [1683030381.1858] device (wlan0): set-hw-addr: set MAC address to 11:11:22:33:44:55 (scanning)
May 02 14:26:21 $hostname NetworkManager[851]: <info>  [1683030381.5212] device (wlan0): supplicant interface state: internal-starting -> disconnected
May 02 14:26:21 $hostname NetworkManager[851]: <info>  [1683030381.5235] device (wlan0): state change: unavailable -> disconnected (reason 'supplicant-available', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2113] device (wlan0): Activation: starting connection '$wifi_con_name' (8e344155-c22d-46d3-8f35-00bf345bddf7)
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2114] device (wlan0): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2480] device (wlan0): set-hw-addr: reset MAC address to 00:11:22:33:44:55 (preserve)
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2507] device (wlan0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2514] device (wlan0): Activation: (wifi) access point '$wifi_con_name' has security, but secrets are required.
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2514] device (wlan0): state change: config -> need-auth (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2537] device (wlan0): supplicant interface state: disconnected -> inactive
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2539] device (wlan0): state change: need-auth -> prepare (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2545] device (wlan0): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2550] device (wlan0): Activation: (wifi) connection '$wifi_con_name' has security, and secrets exist.  No new secrets needed.
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.2792] device (wlan0): supplicant interface state: inactive -> authenticating
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.3070] device (wlan0): supplicant interface state: authenticating -> associating
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4214] device (wlan0): supplicant interface state: associating -> completed
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4215] device (wlan0): Activation: (wifi) Stage 2 of 5 (Device Configure) successful. Connected to wireless network "$wifi_ssid"
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4226] device (wlan0): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4239] dhcp4 (wlan0): activation: beginning transaction (timeout in 45 seconds)
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4273] dhcp4 (wlan0): state changed new lease, address=192.168.1.31
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4366] device (wlan0): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4405] device (wlan0): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4408] device (wlan0): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed')
May 02 14:26:25 $hostname NetworkManager[851]: <info>  [1683030385.4429] device (wlan0): Activation: successful, device activated.
May 02 14:27:11 $hostname NetworkManager[851]: <info>  [1683030431.1502] vpn[0x5590b5954e00,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: starting l2tp
May 02 14:27:21 $hostname NetworkManager[851]: <warn>  [1683030441.1903] vpn[0x5590b5954e00,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: failed to connect: 'Timeout was reached'
May 02 14:27:24 $hostname NetworkManager[851]: <info>  [1683030444.1528] vpn[0x5590b5b81dc0,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: starting l2tp
May 02 14:27:30 $hostname NetworkManager[851]: <warn>  [1683030450.7039] vpn[0x5590b5b81dc0,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: plugin NeedSecrets request #1 failed: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Message recipient disconnected from message bus without replying
May 02 14:27:35 $hostname NetworkManager[851]: <info>  [1683030455.6693] vpn[0x5590b5aeef40,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: starting l2tp
May 02 14:27:45 $hostname NetworkManager[851]: <warn>  [1683030465.7295] vpn[0x5590b5aeef40,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: failed to connect: 'Timeout was reached'
May 02 14:28:40 $hostname NetworkManager[851]: <info>  [1683030520.6785] vpn[0x5590b5bf0bb0,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: starting l2tp
May 02 14:28:50 $hostname NetworkManager[851]: <warn>  [1683030530.6915] vpn[0x5590b5bf0bb0,4ecb50e8-337d-4123-9643-d98ee724343e,"$vpn_con_name"]: failed to connect: 'Timeout was reached'

---

Update

19 minutes after startup (using linux-lts kernel), I’ve been able to connect to the VPN, however, only for a minute or so, then the problems described in the OP prevailed.

However, I have just noticed you explicitly stated that the issue is in kernel 6.1.26 LTS, so I need to use an older kernel release. 🤦‍♂️

[dkosovic]

All I did was just look at the changelog file for the current LTS kernel release and searched for ipsec and l2tp. The kernel ChangeLog-6.2.13 file also mentions the same ipsec fix.

I'm using kernel-6.2.13-300.fc38 on Fedora 38 and not able to reproduce the issue.

I'll try and reproduce the issue on my existing Arch Linux VM tomorrow, I'm going to have to do a lot of updates to get it current.

[tukusejssirs]

I am in the middle of downgrade to linux-lts@6.1.25-1. Actually, I have no idea which release to test, which kernel version is not affected by this.

All I did was just look at the changelog file for the current LTS kernel release and searched for ipsec and l2tp. The kernel ChangeLog-6.2.13 file also mentions the same ipsec fix.

Thanks! 🙏 I am not that good at browsing the code and changelogs of the kernel, as I don’t code in C/Rust nor I understand much of such low-level stuff. Basically, I am lost in there, that is why I am grateful you have looked it up for me. 🙏

I'm using kernel-6.2.13-300.fc38 on Fedora 38 and not able to reproduce the issue.

Yeah, all RHEL-like distros use patched kernels AFAIK and definitely are more rigorously tested than Arch Linux kernels, therefore that kernel might not be affected by this issue (be it a bug in the kernel, or nm or nm-l2tp due to some recent changes in any of them).

I'll try and reproduce the issue on my existing Arch Linux VM tomorrow, I'm going to have to do a lot of updates to get it current.

That’d be awesome! 🙏

[tukusejssirs]

Well, the same behaviour as I described in the OP happened with linux-lts@6.1.25-1. Then I tried linux-lts@5.15.94-1, without any change. Therefore, I think it is not related to that issue, or at least not only related to it.

Note that I switched only the kernels, not the nm and nm-l2tp versions.

[dkosovic]

I've updated my Arch Linux VM to be current, but unable to reproduce this issue.

Other people who have been connecting to VPN servers which have the same IP address for the external gateway and PTP host have still been reporting routing issues (not in issues here, but elsewhere), they have had to delete the ppp0 route to the VPN external gateway, e.g. sudo ip route del 80.7.6.5 dev ppp0. Perhaps you are encountering this issue and have to remove that ppp0 route?

So I think the NetworkManager code still needs to be fixed for the routing issues when the VPN Ext Gateway and PTP host are the same IP address. Here are the relevant locations in the NetworkManager 1.42.6 code where the PTP host and Ext gateway values are obtained (from the values supplied to it by NetworkManager-l2tp):

NM_VPN_PLUGIN_IP4_CONFIG_PTP:

• https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.42.6/src/core/vpn/nm-vpn-connection.c?ref_type=tags#L2013

NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY:

• https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/blob/1.42.6/src/core/vpn/nm-vpn-connection.c?ref_type=tags#L1823

src/core/vpn/nm-vpn-connection.c is where the VPN routes get added and the kernel is queried to add some of the routes.

I think someone with programming skills who is able to reproduce the issue would need to fix src/core/vpn/nm-vpn-connection.c to not add the route to the external gateway when NM_VPN_PLUGIN_IP4_CONFIG_PTP == NM_VPN_PLUGIN_CONFIG_EXT_GATEWAY and submit a git pull request.

[tukusejssirs]

Other people who have been connecting to VPN servers which have the same IP address for the external gateway and PTP host have still been reporting routing issues (not in issues here, but elsewhere), they have had to delete the ppp0 route to the VPN external gateway, e.g. sudo ip route del 80.7.6.5 dev ppp0. Perhaps you are encountering this issue and have to remove that ppp0 route?

I had that issue and commented on this in #132, however, it seemed to be resolved for me with nm@1.40.8-2. Now I use nm@1.42.6-1.

Below are my routes. I have removed Docker-related routes. I have commented out routes which are up even when I am not connected to the VPN.

# Routes: before connecting to the VPN
default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.31 metric 60
default via 192.168.1.1 dev enp0s31f6 proto dhcp src 192.168.1.13 metric 100
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.31 metric 60
192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.13 metric 100

# Routes: during VPN connection (it does not change when the VPN stops behaving as expected)
default dev ppp0 proto static scope link metric 50
# default via 192.168.1.1 dev wlan0 proto dhcp src 192.168.1.31 metric 60
# default via 192.168.1.1 dev enp0s31f6 proto dhcp src 192.168.1.13 metric 100
$vpn_remote_ip_address dev ppp0 proto kernel scope link src 192.168.100.100
# 192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.31 metric 60
# 192.168.1.0/24 dev enp0s31f6 proto kernel scope link src 192.168.1.13 metric 100
192.168.1.1 dev wlan0 proto static scope link metric 50
$vpn_host via 192.168.1.1 dev wlan0 proto static metric 50

When I remove the extra route using sudo ip r del $vpn_host, nmap fails to list the open ports the server behind VPN and ping fails immediately (when I don’t remove it, I can ping the server at all times and nmap fails only after a few minutes).

I believe the issue is related to that issue, but it might not be exactly the same.

---

Here is the output of sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd (which you asked for in this comment to debug a different issue). I have censored some stuff and removed the Docker-related logs (those containing veth*, br-* and docker). Could you check it if you can find anything that would give us some idea why it stopped working please? Thanks!

[dkosovic]

The log is useful. The following looks weird in the log output:

pppd[17080]: Could not determine remote IP address: defaulting to $vpn_remote_ip_address

Normally it would fallback to a defaulting made up arbitrary address of 10.64.64.64 with ppp0 :

pppd[17082]: Could not determine remote IP address: defaulting to 10.64.64.64

In the pppd code, for that warning ifunit is 0 for eth0, 1 for eth1, etc, or similar for other interfaces and 0x0a404040 is 10.64.64.64 :

• https://github.com/ppp-project/ppp/blob/ppp-2.4.9/pppd/ipcp.c#L1778

So I'm not sure how you could get something other than 0x0a404040 or 10.64.64.64 arbitrary address.

But even if it is 10.64.64.64 that still looks bogus. With commit# bdd7501 first introduced with NetworkManager-l2tp 1.20.8, you can override that address by manual settings for the Address, Netmask and Gateway in the IPv4 settings of the VPN connection.

[tukusejssirs]

The log is useful. The following looks weird in the log output:vpn_remote_ip_address

pppd[17080]: Could not determine remote IP address: defaulting to $vpn_remote_ip_address

Well, I was not sure where 10.64.64.64 comes from, so I have replaced it with $vpn_remote_ip_address. 😉 I should have listed all replacements and their meaning.

$hostname              : my hostname                          
$vpn_dns_1             : DNS 1 used by the VPN (all comm needs to go through the VPN
                         and without the DNSes, I would have no Internet access
                         when I am connected to the VPN)
$vpn_dns_2             : DNS 2 used by the VPN
$vpn_host              : VPN server I connect to using L2TP/IPSec
$vpn_remote_ip_address : 10.64.64.64
$wifi_con_name         : Wi-Fi connection name
$wifi_ssid             : Wi-Fi SSID
$wlan0_mac_address     : wirelles network interface MAC address

Anyway, would would happen the the LAN is 10.64.64.0/24 for example? 🤔

[tukusejssirs]

Anyway, all works as expected on Fedora Workstation 37 with nm@1.40.10-1.fc37 and nm-l2tp@1.20.8-1.fc37 on kernel@6.1.9-200.fc37.x86_64.

[dkosovic]

On Fedora it is also 10.64.64.64?

I've never encountered the 10.64.64.64 made up address issue myself, so don't have any firsthand experiance, it might be an issue if the LAN is 10.64.64.0/24, but not usre.

[tukusejssirs]

On Fedora it is also 10.64.64.64?

Give me a moment, I need to reboot my system. Update: Yes, it is the same 10.64.64.64.
Here’s the output of journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd -b.

---

I have just installed Fedora Workstation 38 (Sway spin) with nm@1.42.6-1.fc38 and nm-l2tp@1.20.8-2.fc38 on kernel@6.2.14-300.fc38.x86_64 and it fails to connect:

# journalctl -xe NM_CONNECTION=852aaffa-938e-451a-b623-514482ced0d6 + NM_DEVICE=enp44s0u1u1
May 03 12:14:22 p15lnx-fsway NetworkManager[913]: <info>  [1683108862.8886] manager: (enp44s0u1u1): new Ethernet device (/org/freedesktop/NetworkManager/Devices/3)
May 03 12:14:22 p15lnx-fsway NetworkManager[913]: <info>  [1683108862.8897] device (enp44s0u1u1): state change: unmanaged -> unavailable (reason 'managed', sys-iface-state: 'external')
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3379] device (enp44s0u1u1): carrier: link connected
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3420] device (enp44s0u1u1): state change: unavailable -> disconnected (reason 'carrier-changed', sys-iface-state: 'managed')
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3426] device (enp44s0u1u1): Activation: starting connection 'Wired connection 2' (68b90275-8b2d-326e-8cc4-73bc3c68b722)
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3426] device (enp44s0u1u1): state change: disconnected -> prepare (reason 'none', sys-iface-state: 'managed')
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3428] device (enp44s0u1u1): state change: prepare -> config (reason 'none', sys-iface-state: 'managed')
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3518] device (enp44s0u1u1): state change: config -> ip-config (reason 'none', sys-iface-state: 'managed')
May 03 12:14:23 p15lnx-fsway NetworkManager[913]: <info>  [1683108863.3522] dhcp4 (enp44s0u1u1): activation: beginning transaction (timeout in 45 seconds)
May 03 12:14:25 p15lnx-fsway NetworkManager[913]: <info>  [1683108865.3536] dhcp4 (enp44s0u1u1): state changed new lease, address=192.168.1.32
May 03 12:14:25 p15lnx-fsway NetworkManager[913]: <info>  [1683108865.3577] device (enp44s0u1u1): state change: ip-config -> ip-check (reason 'none', sys-iface-state: 'managed')
May 03 12:14:25 p15lnx-fsway NetworkManager[913]: <info>  [1683108865.3588] device (enp44s0u1u1): state change: ip-check -> secondaries (reason 'none', sys-iface-state: 'managed')
May 03 12:14:25 p15lnx-fsway NetworkManager[913]: <info>  [1683108865.3590] device (enp44s0u1u1): state change: secondaries -> activated (reason 'none', sys-iface-state: 'managed')
May 03 12:14:25 p15lnx-fsway NetworkManager[913]: <info>  [1683108865.3595] device (enp44s0u1u1): Activation: successful, device activated.
May 03 12:15:44 p15lnx-fsway NetworkManager[913]: <info>  [1683108944.4627] vpn[0x55828493cf30,852aaffa-938e-451a-b623-514482ced0d6,"$vpn_con_name"]: starting l2tp
May 03 12:15:54 p15lnx-fsway NetworkManager[913]: <warn>  [1683108954.4791] vpn[0x55828493cf30,852aaffa-938e-451a-b623-514482ced0d6,"$vpn_con_name"]: failed to connect: 'Timeout was reached'

The censored output of journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd -b is here.

I've never encountered the 10.64.64.64 made up address issue myself, so don't have any firsthand experiance, it might be an issue if the LAN is 10.64.64.0/24, but not usre.

I hope nm checks at least the local LAN config and changes that IP before using it. Or is it defined on the VPN server? 🤔

[dkosovic]

pppd uses IPCP (Internet Protocol Control Protocol) to obtain the remote IP address from the remote pppd, but in your case it never gets an address as indicated by the Could not determine remote IP address error, so the local pppd defaulted to the made up address of 10.64.64.64.

Maybe the L2TP VPN server doesn't have a pool of IP addresses it could provide, if xl2tpd is being used for the VPN server, I believe the configuration option is ip range. Otherwise configure the VPN server to use RADIUS (or something else) to provide the IP address.

[tukusejssirs]

I do not manage the VPN server. All I know is that it should be a Zyxel VPN and that it works on Fedora 37, macOS, MS Windows 10+, Android 11 (using the built-in VPN manager). I always get some issues on Arch Linux (which is expected due to its bleeding-edge nature). 😉

[tukusejssirs]

Actually, ATM the VPN connection on Android 11 behaves the same way as in the OP (I tested this directly on the phone using Termux and indirectly on my laptop via VPN Hotspot app, as described in this comment). 🤦‍♂️

I am thinking of using Fedora (again) as my daily driver just because of this, however, I like many stuff on Arch Linux much more than on Fedora. 🤔

[tukusejssirs]

@dkosovic, did you check the Fedora 38 (Sway) logs I shared with you in this comment? I am not sure what changed between F37 and F38, or the nm and nm-l2tp versions in those Fedora versions, but it does not work for me on F38 for some reason. Thanks! 🙏

[tukusejssirs]

FYI, F38 (Sway) is a vanilla installation where I only run sud dnf -y update && sudo dnf -y install xl2tpd strongswan NetworkManager NetworkManager-l2tp && sudo systemctl restart --now NetworkManager (and a system reboot). Then I configured the VPN connection. Is there anything else I might miss? 🤔

[dkosovic]

The Fedora 38 IPsec connection is failing main mode (phase 1) as the VPN server couldn't agree on using any of the the phase 1 proposals sent to it. From the logs, here are the libreswan proposals that are getting sent:

aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048

I'm guessing the libreswan proposals are too strong for the VPN server and they couldn't agree on any proposal. For IPsec IKEv1, strongswan still supports modp1024 and that weak algorithm is probably what the VPN server is using.

Although you installed strongswan, NetworkManager-l2tp default is libreswan, to use strongswam, remove libreswan with:

sudo rpm -e libreswan

Unlike other linux distros, Fedora can have both libreswan and strongswan installed at the same time.

Also don't forget to remove the blacklisting of the L2TP kernel modules. See the README.md file in this repo for more details.

[tukusejssirs]

Okay, after I did you told me now (as you have told me multiple times, but I have forgotten to note it down in my installation script), I am able to connect to the VPN without any issues. Bellow is the script I used. Thanks for the help! 🙏

# Update system packages
sudo dnf -y update

# Install dependencies
# Note: Unlike on other Linux distributions, RHEL-like systems can have both `libreswan` and `strongswan` installed at the same time.
sudo dnf -y remove libreswan
sudo dnf -y install xl2tpd strongswan NetworkManager NetworkManager-l2tp  # NetworkManager-l2tp-gnome

# Un-blacklist the L2TP modules
for n in l2tp_netlink l2tp_ppp; do
  sudo sed -i "s/^blacklist $n$/# &/g" "/etc/modprobe.d/${n}-blacklist.conf"
done

# Remove some experimental and problematic `strongswan` plugins
# Note: `/etc/strongswan.d/charon` is used on Arch Linux and `/etc/strongswan/strongswan.d/charon` on RHEL-like systems.
if [ -d /etc/strongswan.d/charon ]; do
  charon_path='/etc/strongswan.d/charon'
else
  charon_path='/etc/strongswan/strongswan.d/charon'
fi

for n in bypass-lan connmark forecast sha3; do
  # Note: On Fedora 38, there are no `connmark.conf`, `forecast.conf` and `sha3.conf` files.
  if [ -f "$charon_path/$n.conf" ]; then
    sudo sed -i 's/load = yes/load = no/' "$charon_path/$n.conf"
  fi
done

# Restart `NetworkManager` service
sudo systemctl restart --now NetworkManager

---

Anyway, I’d like to fix my original issue on Arch Linux if possible. I don’t mean to hurry you or something, take your time. Thanks in advance! 🙏

[dkosovic]

Regarding the script you mentioned for the installation on Fedora. Here is the strongswan RPM spec file used to build the RPM:

• https://src.fedoraproject.org/rpms/strongswan/blob/rawhide/f/strongswan.spec

You'll notice the following comment in that RPM spec file:

# too broken to enable:    --enable-sha3 --enable-rdrand --enable-connmark --enable-forecast

There is no need to re-disable them in your script on Fedora. Unlike other Linux distros, Arch Linux enables all of the experimental strongswan plug-ins, I got the idea from Fedora to disable them on Arch Linux.

Regarding the made-up address 10.64.64.64 issue that has some side-effects on Arch Linux, but for some reason not Fedora. Could you try the Manual IPv4 workaround mentioned at the end of #210 (comment) , there is more info here:

• https://askubuntu.com/questions/1445338/l2tp-vpn-connection-does-not-use-manually-set-ip-address

Where IPv4 manual settings correspond to the following pppd settings:

• Address : <local_IP_address>
• Gateway : <remote_IP_address>
• Netmask : netmask

Set the <local_IP_address> to your current local IP address, set the <remote_IP_address> to something other than 10.64.64.64, you could try setting it to the VPN's external gateway address, you'll then get the routing issue and will need to remove the route to the external gateway.

[dkosovic]

Chances are there is something different between the Arch Linux pppd and the Fedora one:

• https://github.com/archlinux/svntogit-packages/tree/packages/ppp/trunk
• https://src.fedoraproject.org/rpms/ppp/tree/rawhide

Both ppp packages have a lot of linux distro bundled files, in particular the ppp scripts that get installed to /etc/ppp/.

[tukusejssirs]

Regarding the script you mentioned for the installation on Fedora. Here is the strongswan RPM spec file used to build the RPM:

Thanks for the detailed info. 🙏 My installation script checks if the files exists and makes sure the plugins/modules are disabled. Yes, it might be unnecessary, but I’d rather keep the checks in place, so that the script could be cross-platform (although I still need to add commands to install dependencies on using other package managers, at the very least pacman).

Regarding the made-up address 10.64.64.64 issue that has some side-effects on Arch Linux, but for some reason not Fedora. Could you try the Manual IPv4 workaround mentioned at the end of #210 (comment) , there is more info here:

Yeah, I’ll test it later today.

Chances are there is something different between the Arch Linux pppd and the Fedora one:

I think we need to compare the files between the packages, but I believe I won’t have that much time this week.

[tukusejssirs]

Regarding the local and remote IP configuration: I am not sure if I configure it correctly, but it fails with failed to connect: 'property 'ipcp-accept-local' invalid or not supported'.

All I did is modified the connection as bellow. I have only added ipcp-accept-local and ipcp-accept-remote.

nmcli c mod $vpn_con_name vpn.data 'gateway = $vpn_host, ipsec-enabled = yes, \
  ipsec-psk = $psk, password-flags = 0, user = $vpn_user, \
  ipcp-accept-local = $local_ip, ipcp-accept-remote = $vpn_host'

Update

I have also tried to add netmask setting to vpn.data, but it failed with the same error.

However, I am not sure what should be the format of netmask: CIDR prefix or IP address format? Also note that as far as I know it correctly, on this VPN server I should use 32/255.255.255.255, so I used that.

[dkosovic]

I just tried now and used the same netmask as ifconfig ppp0 was outputting when my VPN connection was up, which was 255.255.255.255.

[tukusejssirs]

Regarding the local and remote IP configuration: I am not sure if I configure it correctly, but it fails with failed to connect: 'property 'ipcp-accept-local' invalid or not supported'.

@dkosovic, about this error?

[dkosovic]

Oh, you are using nmcli instead of the L2TP editor GUI from this repository.

'ipcp-accept-local' is not a NetworkManager-l2tp property, but a pppd option that is put in the generated ppp-options file.

An IPv4 Manual setting with address of 72.16.244.135, NetMask of 2555.2555.255.255 and Gateway of 146.70.140.60 results in the following being added to the VPN's connection config file (located under /etc/NetworkManager/system-connections/) :

[ipv4]
address1=72.16.244.135/32,146.70.140.60
method=manual

I'm starting to suspect the issue might be something else, so wouldn't worry too much about getting the manual IPv4 settings working. Arch Linux is using strongswan 5.9.9, while Fedora 37 & 38 are using 5.9.10 which has some XFRM routes changes.