FYI for those that are having problems with L2TP VPN connections to older gateways on Fedora 33. There were two things I needed to do in order for my vpn connection to work from a Fedora 33 workstation to a Ubiquiti UniFi USG vpn gateway.
First I needed to add SELinux labels to /var/lib/ipsec:
# semanage fcontext --add --type ipsec_key_file_t '/var/lib/ipsec(/.*)?'
# restorecon -rv /var/lib/ipsec
Next, I needed to downgrade libreswan from 4.1 to 3.32:
# dnf downgrade libreswan
Make sure you add exclude=libreswan to /etc/dnf/dnf.conf and reboot.
I am not sure if the downgrade means I still need to label /var/lib/ipsec, but that’s what worked for me.
I believe there are already bugs out on this for Fedora, but as far as I am aware, the problem is more that Ubiquiti isn’t likely to include a newer version of libreswan into their USG products considering it’s fairly dated hardware.
I figured I would share for those that are looking for a work-around. Not sure how long it will be valid, but for now, it seems to be what works for me. If I remember later, I’ll pull up the related bugs.
The second one is problematic in that I wouldn’t want to support insecure methods at some point. That’s a decision for the maintainers to decide. For now, downgrading works.
That’s specifically unrelated to libreswan, at least from the package list perspective, although this is a situation where libreswan 4.1 disables some less secure methods with a similar goal. I believe it is appropriate to disable insecure methods. The problem is my vendor-provided VPN uses older methods with no obvious path to newer, more secure methods on their side.
At least for now, downgrading libreswan on the client side works. I don’t expect Fedora maintainers to continue to support this in newer releases. My ultimate goal is to get Ubiquiti to either upgrade their vpn or come up with a better solution for a vpn gateway.
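Added here as an example, not something from the thread: a small POSIX shell helper for the "exclude=libreswan in /etc/dnf/dnf.conf" step above. It merges the package into an existing exclude= list in [main] instead of adding a second exclude= key (dnf keeps only the last one in a section), and it takes the config path as an argument (an assumption, so it can be tried on a copy before touching the real file).

```shell
# Helper added as an example, not from the thread. Usage (as root):
#   pin_package libreswan            # edits /etc/dnf/dnf.conf
#   pin_package libreswan ./copy.conf
# Second argument is an assumed convenience so the change can be tested on a copy.

# Add PKG to the [main] exclude= list; idempotent. A second "exclude=" key would
# replace the first one in dnf, so an existing list is extended in place.
pin_package() {
    pkg="$1"
    conf="${2:-/etc/dnf/dnf.conf}"
    tmp=$(mktemp)
    awk -v pkg="$pkg" '
        /^\[/ {
            # leaving [main] without having seen exclude=: create one
            if (in_main && !done) { print "exclude=" pkg; done = 1 }
            in_main = ($0 == "[main]")
        }
        in_main && !done && /^[[:space:]]*exclude[[:space:]]*=/ {
            line = $0
            sub(/^[[:space:]]*exclude[[:space:]]*=[[:space:]]*/, "", line)
            n = split(line, pkgs, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (pkgs[i] == pkg) { done = 1; print; next }
            print $0 " " pkg; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_main) print "[main]"   # no [main] section at all
                print "exclude=" pkg
            }
        }
    ' "$conf" > "$tmp"
    # overwrite in place (not mv) so ownership and the SELinux label of the file survive
    cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Exit 0 if PKG appears in the effective (last) exclude= list of [main].
is_pinned() {
    pkg="$1"
    conf="${2:-/etc/dnf/dnf.conf}"
    awk -v pkg="$pkg" '
        /^\[/ { in_main = ($0 == "[main]") }
        in_main && /^[[:space:]]*exclude[[:space:]]*=/ {
            line = $0; found = 0
            sub(/^[^=]*=[[:space:]]*/, "", line)
            n = split(line, pkgs, /[[:space:],]+/)
            for (i = 1; i <= n; i++) if (pkgs[i] == pkg) found = 1
        }
        END { exit !found }
    ' "$conf"
}
```

After pinning, `dnf upgrade` will still report the newer libreswan as excluded; drop the entry again once the gateway side supports the current cipher set.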
I’ve had a very similar problem; my company is using a Cisco firewall as an L2TP/IPsec server with weak ciphers. Libreswan dropped the support. I replaced libreswan with strongswan. Before doing so, remove your cipher config in your NM configuration. After installing, establish a connection; it will usually auto-detect usable ciphers, DH groups, and so on … Of course, you can use your preferred ciphers as well. See the strongswan wiki for more information.
That worked for me. I chose to completely remove libreswan, then install strongswan. I removed my previous NetworkManager setup and recreated the VPN settings (gateway, username, password and PSK secret).