F33 ipsec l2tp libreswan 4.1 and older Gateways


FYI for those that are having problems with L2TP VPN connections to older gateways on Fedora 33. There were two things I needed to do in order for my VPN connection to work from a Fedora 33 workstation to a Ubiquiti UniFi USG VPN gateway.

First I needed to add selinux labels to /var/lib/ipsec
# semanage fcontext --add --type ipsec_key_file_t '/var/lib/ipsec(/.*)?'
# restorecon -rv /var/lib/ipsec

Next, I needed to downgrade libreswan from 4.1 to 3.32.
# dnf downgrade libreswan
Make sure you add exclude=libreswan to /etc/dnf/dnf.conf and reboot.

I am not sure if the downgrade means I still need to label /var/lib/ipsec, but that’s what worked for me.

I believe there are already bugs out on this for Fedora, but as far as I am aware, the problem is more that Ubiquiti isn’t likely to include a newer version of libreswan into their USG products considering it’s fairly dated hardware.

I figured I would share for those that are looking for a work-around. Not sure how long it will be valid, but for now, it seems to be what works for me. If I remember later, I’ll pull up the related bugs.

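The dnf.conf pin from the post above is easy to get wrong when the file already has an exclude= line, because a second exclude= line is not merged with the first. As an added example (not from the thread), a POSIX shell helper that adds the exclusion idempotently; the config path is a parameter so it can be tried on a copy before touching /etc/dnf/dnf.conf.

```shell
# Added example, not from the thread. Assumes the dnf.conf layout used on
# Fedora: a [main] section with space-separated values on exclude=.

# is_dnf_excluded <dnf.conf> <package>: true if <package> is already listed
is_dnf_excluded() {
    grep -Eq "^exclude=(.*[ ,])?$2([ ,].*)?$" "$1"
}

# add_dnf_exclude <dnf.conf> <package>
# - no-op if the package is already excluded
# - appends to an existing exclude= line (a second exclude= line would
#   replace the first instead of being merged with it)
# - otherwise inserts exclude= directly under [main], creating [main] if
#   the file has no such section
add_dnf_exclude() {
    conf=$1
    pkg=$2
    if is_dnf_excluded "$conf" "$pkg"; then
        return 0
    fi
    tmp=$(mktemp)
    if grep -q '^exclude=' "$conf"; then
        # an empty "exclude=" gets the name without a leading space
        awk -v p="$pkg" \
            '/^exclude=/ { $0 = ($0 == "exclude=") ? $0 p : $0 " " p } { print }' \
            "$conf" > "$tmp"
    elif grep -q '^\[main\]' "$conf"; then
        awk -v p="$pkg" '{ print } /^\[main\]/ { print "exclude=" p }' \
            "$conf" > "$tmp"
    else
        { printf '[main]\nexclude=%s\n' "$pkg"; cat "$conf"; } > "$tmp"
    fi
    cat "$tmp" > "$conf" && rm -f "$tmp"
}

# Real use (as root), then confirm the pinned version survives a dnf upgrade:
#   add_dnf_exclude /etc/dnf/dnf.conf libreswan
#   rpm -q libreswan
```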

It looks like 2 separate problems, you’d best report them properly:


As I mentioned, but didn’t bother to look them up, both are already filed:
https://bugzilla.redhat.com/show_bug.cgi?id=1895436
https://bugzilla.redhat.com/show_bug.cgi?id=1894381

The second one is problematic in that I wouldn’t want to support insecure methods at some point. That’s a decision for the maintainers to decide. For now, downgrading works.


Is it possible to work around this way?
https://fedoraproject.org/wiki/Changes/StrongCryptoSettings2#Upgrade.2Fcompatibility_impact


That’s specifically unrelated to libreswan, at least from the package list perspective, although this is a situation where libreswan 4.1 disables some less secure methods with a similar goal. I believe it is appropriate to disable insecure methods. The problem is my vendor-provided VPN uses older methods with no obvious path to newer, more secure methods on their side.

At least for now, downgrading libreswan on the client side works. I don’t expect Fedora maintainers to continue to support this in newer releases. My ultimate goal is to get Ubiquiti to either upgrade their vpn or come up with a better solution for a vpn gateway.


I’ve had a very similar problem: my company is using a Cisco firewall as an L2TP/IPsec server with weak ciphers. Libreswan dropped the support. I replaced libreswan with strongswan. Before doing so, remove your cipher config in your NM configuration. After installing, establish a connection; it will usually auto-detect usable ciphers, DH groups, and so on … Of course, you can use your preferred ciphers as well. See the strongswan wiki for more information.

Hope, this helps you out.


That worked for me. I chose to completely remove libreswan, then install strongswan. I removed my previous NetworkManager setup and recreated the VPN settings (gateway, username, password and PSK secret).
