Cannot Connect to VPN

Same thing happens, albeit with a slightly different looking popup box.

Running

journalctl -u NetworkManager

I get the same underlying issue

Mar 05 23:24:12 jsxfed nm-l2tp-service[45887]: g_dbus_method_invocation_take_error: assertion ‘error != NULL’ failed
Mar 05 23:24:12 jsxfed NetworkManager[1340]: [1583472252.1259] vpn-connection[0x55aa0e62e2e0,bf5994ca-f567-4c4b-a89b-c2a2b7f937c7,“Fouville”,0]: VPN plugin: state changed: stopped (6)
Mar 05 23:24:12 jsxfed NetworkManager[1340]: [1583472252.1289] vpn-connection[0x55aa0e62e2e0,bf5994ca-f567-4c4b-a89b-c2a2b7f937c7,“Fouville”,0]: VPN service disappeared
Mar 05 23:24:12 jsxfed NetworkManager[1340]: [1583472252.1300] vpn-connection[0x55aa0e62e2e0,bf5994ca-f567-4c4b-a89b-c2a2b7f937c7,“Fouville”,0]: VPN connection: failed to connect: ‘Remote peer disconnected’
Mar 05 23:24:41 jsxfed NetworkManager[1340]: [1583472281.6279] agent-manager: req[0x55aa0e5de9b0, :1.2306/org.gnome.Shell.NetworkAgent/1000]: agent registered
Mar 05 23:25:23 jsxfed NetworkManager[1340]: [1583472323.5248] agent-manager: req[0x55aa0e5dee30, :1.3347/org.kde.plasma.networkmanagement/1000]: agent registered

Okay, I gave this a shot. Even restarted and everything. Re-created the VPN connection from scratch.

Exact same problem. Logs identical.

Thank you kindly for your help, even if it was not successful.

There were other cases in the server configuration, so I thought I could try other things if needed. And @vits95 seems to be really enthusiastic to help. I hope it works fine. Because we all use fedora. Have a nice day!

Forget everything about OpenVPN, it’s an excellent program but as long as the remote site is running l2tp it’s irrelevant. One line in the logs triggers me:
jsxfed NetworkManager[1417]: [1583344083.8178] ++ vpn.secrets = ((GHashTable) 0x55ff62213300) < ((GHashTable) 0x55ff6224e6a0)

Could it be an indication that somehow client and server do not agree with each other? Unfortunately no clue at which stage. But the ipsec part is not irrelevant, if the VPN is implemented as the NAT router unfriendly IPsec protocol tunneled in the more router-friendly L2TP protocol. What I would try in this case is to study and try Linux command-line l2tp/ipsec clients to bypass the additional layer NetworkManager and see whether I could get more info from their logs, but that’s not easy…

Good luck!

That was the line that was also triggering me when I examined the logs. I initially thought it was something to do with password or pre-shared key (secrets) so I tried fiddling with the “Save password for this user” vs “Save password for all users” vs “Enter password every time” settings to no avail.

I would like to downgrade NetworkManager and the associated packages that provide NetworkManager/L2TP/IPSec to one or two versions ago when everything worked perfectly … but I do not know which packages or commands to do this cleanly.

I will start looking at command line L2TP/IPSec clients.

Thanks!

OK, after about an hour of pulling my hair out - I have to say this really really f*cking sucks and is very painful
I am honestly considering switching to a different Linux distribution.
It would be easier than trying to configure L2TP/IPSec via command line

I am also getting error connecting VPN after the latest update to 5.5.7-200 kernel in FC31. The error message is
Failed to add connection “edc9c375-d4b7-44ca-9fd2-548d0ee639f5”: ike string error: IKE DH algorithm ‘modp1024’ is not supported
This is what I see in the libreswan man page

Weak algorithms are regularly removed from libreswan. Currently, 1DES and modp768 have been removed and modp1024 will be removed in the near future. Additionally, md5 and sha1 will be removed within the next few years. Null encryption is available, and should only be used for testing or benchmarking purposes. Please do not request for insecure algorithms to be re-added to libreswan.

Diffie-Hellman groups 19, 20 and 21 from RFC-5903 and 22, 23 and 24 from RFC-5114 are also supported. For all groups, the “dh” keyword can be used. For the MODP based groups, the modp= keyword can be used. For example ike=3des-sha1;dh19. The RFC-5114 DH groups are extremely controversial and MUST NOT be used unless forced (administratively) by the other party. Support for these groups will most likely be removed in 2017, as it cannot be proven these DH groups do not have a cryptographic trapdoor embedded in them (a backdoor by the USG who provided these primes without revealing the seeds and generation process used). Due to the weakness of DH22, support for this group is not compiled in by default and can be re-enabled using USE_DH22=true.

The modp syntax will be removed in favour of the dh syntax in the future

It looks like the last line also means that the modp setting cannot be used. At least the ipsec configuration looks different. My libreswan version is 3.3.0

Is there a way to force libreswan 3.3 to support modp1024 DH algorithm?

Thank you for this information. This is very useful and good to know.

I am slightly confused.

Does this mean that for phase1

aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024

would be a problem?
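
The question above, worked as an added example (not from the thread or from libreswan): a shell check of each phase 1 proposal against the algorithm status in the man page text quoted earlier and the `modp1024` error. The `REMOVED` and `SUNSET` lists and the function names are assumptions of this example.

```shell
#!/bin/sh
# Classify each proposal of an IKE phase 1 string using the algorithm status
# given in the libreswan man page text quoted in this thread. The lists are
# transcribed by hand (not read from libreswan); 1DES is left out because
# the quote does not give its keyword.
REMOVED="modp768 dh1 modp1024 dh2"   # dh1/dh2 are IKE groups 1 and 2, the same primes
SUNSET="md5 sha1 dh22 dh23 dh24"     # to be removed, or RFC-5114 groups (MUST NOT use)

# in_list WORD "a b c": succeeds if WORD is one of the list items
in_list() {
    for item in $2; do
        [ "$1" = "$item" ] && return 0
    done
    return 1
}

# check_proposal "3des-sha1-modp1024": prints "STATUS PROPOSAL (matched,algs)"
check_proposal() {
    status=ok reasons=""
    # algorithms inside one proposal are separated by '-' or ';'
    for alg in $(printf '%s' "$1" | tr 'A-Z' 'a-z' | tr ';-' '  '); do
        if in_list "$alg" "$REMOVED"; then
            status=removed
        elif in_list "$alg" "$SUNSET"; then
            if [ "$status" = ok ]; then status=sunset; fi
        else
            continue
        fi
        reasons="${reasons:+$reasons,}$alg"
    done
    printf '%s %s%s\n' "$status" "$1" "${reasons:+ ($reasons)}"
}

# check_ike "p1,p2,...": one line per proposal; exit status 1 if any is removed
check_ike() {
    rc=0 old_ifs=$IFS
    IFS=','; set -- $1; IFS=$old_ifs
    for proposal in "$@"; do
        line=$(check_proposal "$proposal")
        printf '%s\n' "$line"
        case $line in removed*) rc=1 ;; esac
    done
    return $rc
}

# Default input: the phase 1 string asked about in the post above.
check_ike "${1:-aes128-sha1-modp2048,3des-sha1-modp1536,3des-sha1-modp1024}" ||
    echo "at least one proposal names an algorithm listed as removed"
```

Pass a different proposal string as the first argument to check it instead of the default.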

OK, great news!

I finally figured out what the problem was…

I somehow had both libreswan and strongswan installed, and somehow or another the configurations got messed up.

I ran the following to fix the problem

dnf remove libreswan
dnf remove strongswan
dnf install strongswan

The following was useful for increasing the debugging information

nmcli general logging level DEBUG

This restores it back to the original amount

nmcli general logging level INFO

This is for viewing the connection logs

journalctl -u NetworkManager

For controlling services

systemctl stop strongswan.service
systemctl stop xl2tpd.service

Best of luck to anyone else experiencing this very frustrating problem!

It looks like libreswan 3.3 stopped support for weaker algorithms. I am going to remove libreswan and try with strongswan to see if it helps

Thanks

Venkat

Yes, removing libreswan helped. It looks like with libreswan and strongswan installed, NM chooses libreswan. Not sure how long this setup works though :)

Congratulations! The complexity of this VPN system is incredible. It is good that weak cryptographic algorithms are removed, but at the end this can imply that you update your system and end up with client and server which cannot agree a common algorithm anymore… But fortunately you found the clue!

With Fedora 31 and NetworkManager-l2tp, there are two separate recent issues:

  1. Libreswan >= 3.30 is no longer built with modp1024 support.
  2. Upgraded kernel breaks L2TP connection

For Libreswan >= 3.30, new NetworkManager-l2tp RPMs have been released which no longer use modp1024 with their default proposal, see bugzilla report:

that bug report will also show how to use strongswan if you need modp1024 support.

For upgraded kernel breaking L2TP connection, see following on how to unblacklist the L2TP kernel modules :

please, try to import tls.key manually. the action is not performed automatically by the “Network Management”

Continuing the discussion from Cannot Connect to VPN:

Hi, I’m a newbie trying to connect via vpn l2tp to my job. This is absolutely imperative because of COVID-19. Here is my journalctl output
Mar 15 10:48:01 localhost.localdomain charon[245982]: 00[DMN] signal of type SIGINT received. Shutting down
Mar 15 10:48:01 localhost.localdomain ipsec_starter[245981]: child 245982 (charon) has quit (exit code 0)
Mar 15 10:48:01 localhost.localdomain ipsec_starter[245981]:
Mar 15 10:48:01 localhost.localdomain ipsec_starter[245981]: charon stopped after 200 ms
Mar 15 10:48:01 localhost.localdomain ipsec_starter[245981]: ipsec starter stopped
Mar 15 10:48:01 localhost.localdomain nm-l2tp-service[245940]: g_dbus_method_invocation_take_error: assertion ‘error != NULL’ failed
Mar 15 10:48:01 localhost.localdomain NetworkManager[907]: [1584283681.8916] vpn-connection[0x55cea3b8c580,c129ca3c-1460-4c29-9029-4032c4517bde,“BTX-l2tp”,0]: VPN plugin: state changed: stopped (6)
Mar 15 10:48:01 localhost.localdomain NetworkManager[907]: [1584283681.9096] vpn-connection[0x55cea3b8c580,c129ca3c-1460-4c29-9029-4032c4517bde,“BTX-l2tp”,0]: VPN service disappeared
Mar 15 10:48:01 localhost.localdomain NetworkManager[907]: [1584283681.9124] vpn-connection[0x55cea3b8c580,c129ca3c-1460-4c29-9029-4032c4517bde,“BTX-l2tp”,0]: VPN connection: failed to connect: ‘Remote peer disconnected’
Mar 15 10:48:36 localhost.localdomain NetworkManager[907]: [1584283716.5915] audit: op=“connection-update” uuid=“c129ca3c-1460-4c29-9029-4032c4517bde” name=“BTX-l2tp” args=“vpn.data” pid=245642 uid=1000 result=“success”
I’m totally lost. This is my first time posting.

Hi :). Ok, as switching to strongswan from libreswan didn’t help, please open a new topic (this thread is already long). In the new thread please mention that the solution from this one didn’t help. As you need this for work, there is nothing bad in pushing the issue up. Also, try using a Live USB or DVD to work around this until it’s solved (hint: maybe Ubuntu).

Hi Vitaly,

My company is providing me with a laptop. It solves the problem for now. I hopefully will find a way to get it up and running on my Fedora laptop at a later date. Thank you for your kind help.

I was also getting the same sort of VPN update. The information is illustrative and brief. I have tried that out. I have the following two queries in this trail: I have set up my router to create an OpenVPN connection and I have installed the OpenVPN app on my Samsung Android phone. Up until this it worked out fine.
Now I just want to view my cameras using the iVMS-4500 app on my phone, while I’m on the OpenVPN connection. But I don’t know anything about what information I have to enter into the app. I have thought that I can choose between HiDDNS - IP/Domain - IP Server, but I think I have to use IP/Domain.
But when I select IP/Domain, I entered the IP of my laptop (10.0.0.100) in the address field, and the port number in the port field, and then username and password. But it does not work. And secondly, I am unable to set up a VPN server on my Laptop 2. Suggest us what to do regarding these garmin map updates free download 2019 for the solution.

I would suggest creating a new topic for this particular problem as the differences are more than the similarities, and there may be particularities regarding Garmin Map Updates and HiDDNS.
