F33 ipsec l2tp libreswan 4.1 and older Gateways

FYI for those that are having problems with L2TP VPN connections to older gateways on Fedora 33. There were two things I needed to do in order for my vpn connection to work from a Fedora 33 workstation to a Ubiquiti Unifi USG vpn gateway.

First I needed to add selinux labels to /var/lib/ipsec
# semanage fcontext --add --type ipsec_key_file_t '/var/lib/ipsec(/.*)?'
# restorecon -rv /var/lib/ipsec

Next, I needed to downgrade libreswan from 4.1 to 3.32.
# dnf downgrade libreswan
Make sure you add exclude=libreswan to /etc/dnf/dnf.conf and reboot.

I am not sure if the downgrade means I still need to label /var/lib/ipsec, but that’s what worked for me.

I believe there are already bugs out on this for Fedora, but as far as I am aware, the problem is more that Ubiquiti isn’t likely to include a newer version of libreswan into their USG products considering it’s fairly dated hardware.

I figured I would share for those that are looking for a work-around. Not sure how long it will be valid, but for now, it seems to be what works for me. If I remember later, I’ll pull up the related bugs.

1 Like
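The two steps from the post above put into a script that can be re-run and checked, as an added example that is not part of the original post: the script name l2tp-workaround.sh, the `apply` argument, the exclude-line handling and the label verification are my additions; it assumes Fedora with semanage (policycoreutils-python-utils), GNU find/sed and root for the apply step.

```bash
#!/bin/bash
# Added example, not from the thread: applies the two client-side fixes
# described above (SELinux labels on /var/lib/ipsec, pinning libreswan
# after the downgrade) and verifies each. Assumes Fedora with semanage
# (policycoreutils-python-utils), GNU find/sed, and root for "apply".
set -u

IPSEC_DIR=/var/lib/ipsec
DNF_CONF=/etc/dnf/dnf.conf

# True when PKG is already listed on the exclude= line of FILE.
dnf_excluded() {
    grep -Eq "^exclude=([^#]*[ ,])?$2([ ,]|$)" "$1"
}

# Idempotently add PKG to exclude= in FILE so "dnf upgrade" cannot
# pull the newer libreswan back in after the downgrade.
add_dnf_exclude() {
    local file=$1 pkg=$2
    dnf_excluded "$file" "$pkg" && return 0
    if grep -q '^exclude=' "$file"; then
        # append to a non-empty list, or fill in an empty exclude= line
        sed -i -E "s/^(exclude=.*[^ ,])[ ,]*$/\1 ${pkg}/; s/^exclude=[ ,]*$/exclude=${pkg}/" "$file"
    else
        printf 'exclude=%s\n' "$pkg" >> "$file"
    fi
}

# Label the IPsec state directory for the ipsec daemon and check that
# no file under it was left with another SELinux type.
label_ipsec_dir() {
    semanage fcontext --add --type ipsec_key_file_t "${IPSEC_DIR}(/.*)?" 2>/dev/null \
        || semanage fcontext --modify --type ipsec_key_file_t "${IPSEC_DIR}(/.*)?"
    restorecon -Rv "$IPSEC_DIR"
    ! find "$IPSEC_DIR" -printf '%Z %p\n' | grep -v ':ipsec_key_file_t:' | grep -q .
}

main() {
    label_ipsec_dir || { echo "labeling $IPSEC_DIR failed" >&2; return 1; }
    # Downgrade only while the 4.x package is still installed.
    if rpm -q libreswan | grep -q '^libreswan-4\.'; then
        dnf -y downgrade libreswan
    fi
    add_dnf_exclude "$DNF_CONF" libreswan
    dnf_excluded "$DNF_CONF" libreswan && echo "libreswan pinned in $DNF_CONF"
    rpm -q libreswan && echo "reboot to finish, as the post recommends"
}

# Functions only when run without the argument; apply with:
#   sudo bash l2tp-workaround.sh apply
if [ "${1:-}" = apply ]; then main; fi
```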

It looks like 2 separate problems, you’d best report them properly:

1 Like

As I mentioned, but didn’t bother to look them up, both are already filed:


The second one is problematic in that I wouldn’t want to support insecure methods at some point. That’s a decision for the maintainers to decide. For now, downgrading works.

1 Like

Is it possible to work around this way?

1 Like

That’s specifically unrelated to libreswan, at least from the package list perspective, although this is a situation where libreswan 4.1 disables some less secure methods with a similar goal. I believe it is appropriate to disable insecure methods. The problem is my vendor-provided VPN uses older methods with no obvious path to newer, more secure methods on their side.

At least for now, downgrading libreswan on the client side works. I don’t expect Fedora maintainers to continue to support this in newer releases. My ultimate goal is to get Ubiquiti to either upgrade their vpn or come up with a better solution for a vpn gateway.

1 Like

I’ve had a very similar problem: my company is using a Cisco firewall as an L2TP/IPsec server with weak ciphers. Libreswan dropped the support. I’ve replaced libreswan with strongswan. Before doing so, remove your cipher config in your NM configuration. After installing, establish a connection; it will usually auto-detect usable ciphers, DH groups, and so on. Of course, you can use your preferred ciphers as well. See the strongswan Wiki for more information.

Hope this helps you out.

2 Likes

That worked for me. I chose to completely remove libreswan, then install strongswan. Removed my previous NetworkManager setup and recreated the VPN settings (gateway, username, password and PSK secret).