Solved Help Connecting to L2TP VPN in Linux Debian 12

arcturus

Good day! I just started Linux the other day (noob). It seems that I can't connect to the L2TP VPN provided by my company, but in Windows' built-in L2TP it's working fine.
Here's the log from sudo journalctl -u NetworkManager -f

Code:
Oct 22 10:52:47 jobus NetworkManager[1317]: <info>  [1729565567.4091] audit: op="statistics" interface="wlo1" ifindex=3 args="2000" pid=2337 uid=1000 result="success"
Oct 22 10:52:50 jobus NetworkManager[1317]: <info>  [1729565570.3348] vpn[0x559e56d3e3a0,3b6cd445-7c9e-465a-81f7-8ac278c7af63,"New vpn connection"]: starting l2tp
Oct 22 10:52:50 jobus NetworkManager[1317]: <info>  [1729565570.3357] audit: op="connection-activate" uuid="3b6cd445-7c9e-465a-81f7-8ac278c7af63" name="New vpn connection" pid=2337 uid=1000 result="success"
Oct 22 10:52:50 jobus nm-l2tp-service[21328]: Check port 1701
Oct 22 10:52:50 jobus NetworkManager[21345]: Stopping strongSwan IPsec failed: starter is not running
Oct 22 10:52:52 jobus NetworkManager[21342]: Starting strongSwan 5.9.8 IPsec [starter]...
Oct 22 10:52:52 jobus NetworkManager[21342]: Loading config setup
Oct 22 10:52:52 jobus NetworkManager[21342]: Loading conn '3b6cd445-7c9e-465a-81f7-8ac278c7af63'
Oct 22 10:52:52 jobus ipsec_starter[21342]: Starting strongSwan 5.9.8 IPsec [starter]...
Oct 22 10:52:52 jobus ipsec_starter[21342]: Loading config setup
Oct 22 10:52:52 jobus ipsec_starter[21342]: Loading conn '3b6cd445-7c9e-465a-81f7-8ac278c7af63'
Oct 22 10:52:52 jobus ipsec_starter[21355]: Attempting to start charon...
Oct 22 10:52:52 jobus charon[21356]: 00[DMN] Starting IKE charon daemon (strongSwan 5.9.8, Linux 6.1.0-26-amd64, x86_64)
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] PKCS11 module '<name>' lacks library path
Oct 22 10:52:52 jobus charon[21356]: 00[LIB] providers loaded by OpenSSL: legacy default
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading ca certificates from '/etc/ipsec.d/cacerts'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading aa certificates from '/etc/ipsec.d/aacerts'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading ocsp signer certificates from '/etc/ipsec.d/ocspcerts'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading attribute certificates from '/etc/ipsec.d/acerts'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading crls from '/etc/ipsec.d/crls'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Oct 22 10:52:52 jobus charon[21356]: 00[CFG]   loaded IKE secret for %any
Oct 22 10:52:52 jobus charon[21356]: 00[CFG]   loaded IKE secret for %any
Oct 22 10:52:52 jobus charon[21356]: 00[LIB] loaded plugins: charon test-vectors ldap pkcs11 tpm aesni aes rc2 sha2 sha1 md5 mgf1 rdrand random nonce x509 revocation constraints pubkey pkcs1 pkcs7 pkcs12 pgp dnskey sshkey pem openssl gcrypt pkcs8 af-alg fips-prf gmp curve25519 agent chapoly xcbc cmac hmac kdf ctr ccm gcm drbg curl attr kernel-netlink resolve socket-default connmark stroke vici updown eap-mschapv2 xauth-generic counters
Oct 22 10:52:52 jobus charon[21356]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Oct 22 10:52:52 jobus charon[21356]: 00[JOB] spawning 16 worker threads
Oct 22 10:52:52 jobus ipsec_starter[21355]: charon (21356) started after 40 ms
Oct 22 10:52:52 jobus charon[21356]: 05[CFG] received stroke: add connection '3b6cd445-7c9e-465a-81f7-8ac278c7af63'
Oct 22 10:52:52 jobus charon[21356]: 05[CFG] added configuration '3b6cd445-7c9e-465a-81f7-8ac278c7af63'
Oct 22 10:52:53 jobus charon[21356]: 07[CFG] rereading secrets
Oct 22 10:52:53 jobus charon[21356]: 07[CFG] loading secrets from '/etc/ipsec.secrets'
Oct 22 10:52:53 jobus charon[21356]: 07[CFG] loading secrets from '/etc/ipsec.d/ipsec.nm-l2tp.secrets'
Oct 22 10:52:53 jobus charon[21356]: 07[CFG]   loaded IKE secret for %any
Oct 22 10:52:53 jobus charon[21356]: 07[CFG]   loaded IKE secret for %any
Oct 22 10:52:53 jobus charon[21356]: 10[CFG] received stroke: initiate '3b6cd445-7c9e-465a-81f7-8ac278c7af63'
Oct 22 10:52:53 jobus charon[21356]: 11[IKE] initiating Main Mode IKE_SA 3b6cd445-7c9e-465a-81f7-8ac278c7af63[1] to [SERVER_ADDRESS]
Oct 22 10:52:53 jobus charon[21356]: 11[IKE] initiating Main Mode IKE_SA 3b6cd445-7c9e-465a-81f7-8ac278c7af63[1] to [SERVER_ADDRESS]
Oct 22 10:52:53 jobus charon[21356]: 11[ENC] generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 10:52:53 jobus charon[21356]: 11[NET] sending packet: from 192.168.68.122[500] to [SERVER_ADDRESS][500] (532 bytes)
Oct 22 10:52:53 jobus charon[21356]: 12[NET] received packet: from [SERVER_ADDRESS][500] to 192.168.68.122[500] (200 bytes)
Oct 22 10:52:53 jobus charon[21356]: 12[ENC] parsed ID_PROT response 0 [ SA V V V V ]
Oct 22 10:52:53 jobus charon[21356]: 12[IKE] received XAuth vendor ID
Oct 22 10:52:53 jobus charon[21356]: 12[IKE] received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 10:52:53 jobus charon[21356]: 12[IKE] received DPD vendor ID
Oct 22 10:52:53 jobus charon[21356]: 12[ENC] received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4d:54:41:75:4d:79:42:43:54:6a:30:32:4f:54:51:35:4f:54:51:3d
Oct 22 10:52:53 jobus charon[21356]: 12[CFG] selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 22 10:52:53 jobus charon[21356]: 12[ENC] generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 22 10:52:53 jobus charon[21356]: 12[NET] sending packet: from 192.168.68.122[500] to [SERVER_ADDRESS][500] (396 bytes)
Oct 22 10:52:53 jobus charon[21356]: 13[NET] received packet: from [SERVER_ADDRESS][500] to 192.168.68.122[500] (372 bytes)
Oct 22 10:52:53 jobus charon[21356]: 13[ENC] parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 22 10:52:53 jobus charon[21356]: 13[IKE] local host is behind NAT, sending keep alives
Oct 22 10:52:53 jobus charon[21356]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Oct 22 10:52:53 jobus charon[21356]: 13[NET] sending packet: from 192.168.68.122[4500] to [SERVER_ADDRESS][4500] (92 bytes)
Oct 22 10:52:57 jobus charon[21356]: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
Oct 22 10:52:57 jobus charon[21356]: 06[NET] sending packet: from 192.168.68.122[4500] to [SERVER_ADDRESS][4500] (92 bytes)
Oct 22 10:52:57 jobus charon[21356]: 05[NET] received packet: from [SERVER_ADDRESS][4500] to 192.168.68.122[4500] (372 bytes)
Oct 22 10:52:57 jobus charon[21356]: 05[IKE] received retransmit of response with ID 0, but next request already sent
Oct 22 10:53:00 jobus NetworkManager[1317]: <warn>  [1729565580.4007] vpn[0x559e56d3e3a0,3b6cd445-7c9e-465a-81f7-8ac278c7af63,"New vpn connection"]: failed to connect: 'Timeout was reached'
Oct 22 10:53:01 jobus charon[21356]: 08[NET] received packet: from [SERVER_ADDRESS][4500] to 192.168.68.122[4500] (372 bytes)
Oct 22 10:53:01 jobus charon[21356]: 08[IKE] received retransmit of response with ID 0, but next request already sent
Oct 22 10:53:04 jobus charon[21356]: 09[IKE] sending retransmit 2 of request message ID 0, seq 3
Oct 22 10:53:04 jobus charon[21356]: 09[NET] sending packet: from 192.168.68.122[4500] to [SERVER_ADDRESS][4500] (92 bytes)
Oct 22 10:53:05 jobus charon[21356]: 11[NET] received packet: from [SERVER_ADDRESS][4500] to 192.168.68.122[4500] (372 bytes)
Oct 22 10:53:05 jobus charon[21356]: 11[IKE] received retransmit of response with ID 0, but next request already sent
Oct 22 10:53:09 jobus NetworkManager[21411]: Stopping strongSwan IPsec...
Oct 22 10:53:09 jobus charon[21356]: 00[DMN] SIGINT received, shutting down
Oct 22 10:53:09 jobus charon[21356]: 00[IKE] destroying IKE_SA in state CONNECTING without notification
Oct 22 10:53:09 jobus NetworkManager[21386]: initiating Main Mode IKE_SA 3b6cd445-7c9e-465a-81f7-8ac278c7af63[1] to [SERVER_ADDRESS]
Oct 22 10:53:09 jobus NetworkManager[21386]: generating ID_PROT request 0 [ SA V V V V V ]
Oct 22 10:53:09 jobus NetworkManager[21386]: sending packet: from 192.168.68.122[500] to [SERVER_ADDRESS][500] (532 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received packet: from [SERVER_ADDRESS][500] to 192.168.68.122[500] (200 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: parsed ID_PROT response 0 [ SA V V V V ]
Oct 22 10:53:09 jobus NetworkManager[21386]: received XAuth vendor ID
Oct 22 10:53:09 jobus NetworkManager[21386]: received draft-ietf-ipsec-nat-t-ike-02\n vendor ID
Oct 22 10:53:09 jobus NetworkManager[21386]: received DPD vendor ID
Oct 22 10:53:09 jobus NetworkManager[21386]: received unknown vendor ID: bf:c2:2e:98:56:ba:99:36:11:c1:1e:48:a6:d2:08:07:a9:5b:ed:b3:93:02:6a:49:e6:0f:ac:32:7b:b9:60:1b:56:6b:34:39:4d:54:49:75:4d:54:41:75:4d:79:42:43:54:6a:30:32:4f:54:51:35:4f:54:51:3d
Oct 22 10:53:09 jobus NetworkManager[21386]: selected proposal: IKE:AES_CBC_256/HMAC_SHA2_256_128/PRF_HMAC_SHA2_256/MODP_2048
Oct 22 10:53:09 jobus NetworkManager[21386]: generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
Oct 22 10:53:09 jobus NetworkManager[21386]: sending packet: from 192.168.68.122[500] to [SERVER_ADDRESS][500] (396 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received packet: from [SERVER_ADDRESS][500] to 192.168.68.122[500] (372 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
Oct 22 10:53:09 jobus NetworkManager[21386]: local host is behind NAT, sending keep alives
Oct 22 10:53:09 jobus NetworkManager[21386]: generating ID_PROT request 0 [ ID HASH ]
Oct 22 10:53:09 jobus NetworkManager[21386]: sending packet: from 192.168.68.122[4500] to [SERVER_ADDRESS][4500] (92 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: sending retransmit 1 of request message ID 0, seq 3
Oct 22 10:53:09 jobus NetworkManager[21386]: sending packet: from 192.168.68.122[4500] to [SERVER_ADDRESS][4500] (92 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received packet: from [SERVER_ADDRESS][4500] to 192.168.68.122[4500] (372 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received retransmit of response with ID 0, but next request already sent
Oct 22 10:53:09 jobus NetworkManager[21386]: received packet: from [SERVER_ADDRESS][4500] to 192.168.68.122[4500] (372 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received retransmit of response with ID 0, but next request already sent
Oct 22 10:53:09 jobus NetworkManager[21386]: sending retransmit 2 of request message ID 0, seq 3
Oct 22 10:53:09 jobus NetworkManager[21386]: sending packet: from 192.168.68.122[4500] to [SERVER_ADDRESS][4500] (92 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received packet: from [SERVER_ADDRESS][4500] to 192.168.68.122[4500] (372 bytes)
Oct 22 10:53:09 jobus NetworkManager[21386]: received retransmit of response with ID 0, but next request already sent
Oct 22 10:53:09 jobus NetworkManager[21386]: destroying IKE_SA in state CONNECTING without notification
Oct 22 10:53:09 jobus NetworkManager[21386]: establishing connection '3b6cd445-7c9e-465a-81f7-8ac278c7af63' failed
Oct 22 10:53:09 jobus ipsec_starter[21355]: child 21356 (charon) has quit (exit code 0)
Oct 22 10:53:09 jobus ipsec_starter[21355]:
Oct 22 10:53:09 jobus ipsec_starter[21355]: charon stopped after 200 ms
Oct 22 10:53:09 jobus ipsec_starter[21355]: ipsec starter stopped
Oct 22 10:53:09 jobus nm-l2tp-service[21328]: Could not establish IPsec connection.
Oct 22 10:53:09 jobus nm-l2tp-service[21328]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed

I replaced the actual server address by [SERVER_ADDRESS].
 
You could also try switching from strongswan to libreswan for the IPsec daemon and see if that makes a difference, e.g.:
sudo apt install libreswan

To revert back to strongswan, issue:
sudo apt install strongswan
 
Thank you for your reply sir.

Do I need to remove all strongswan-related packages? I removed strongswan via sudo apt remove strongswan, then sudo apt autoremove, then installed libreswan via the command you provided, and I got this error.

Bash:
Oct 23 16:53:31 jobus nm-l2tp-service[2509]: Check port 1701
Oct 23 16:53:31 jobus NetworkManager[2515]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Oct 23 16:53:31 jobus NetworkManager[2519]: Redirecting to: systemctl restart ipsec.service
Oct 23 16:53:31 jobus systemctl[2519]: Job for ipsec.service failed because the control process exited with error code.
Oct 23 16:53:31 jobus systemctl[2519]: See "systemctl status ipsec.service" and "journalctl -xeu ipsec.service" for details.
Oct 23 16:53:31 jobus NetworkManager[1047]: <warn>  [1729673611.2448] vpn[0x5565fe7c0240,c34198ec-be2e-4734-9699-fb2ced703793,"vpn_name"]: failed to connect: 'Could not restart the ipsec service.'


Bash:
➜  ~ sudo apt list | grep strong

WARNING: apt does not have a stable CLI interface. Use with caution in scripts.

libstrongswan-extra-plugins/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [installed]
libstrongswan-extra-plugins/stable,stable-security 5.9.8-5+deb12u1 i386
libstrongswan-standard-plugins/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [installed]
libstrongswan-standard-plugins/stable,stable-security 5.9.8-5+deb12u1 i386
libstrongswan/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [installed,automatic]
libstrongswan/stable,stable-security 5.9.8-5+deb12u1 i386
network-manager-strongswan/stable 1.6.0-1+deb12u1 amd64
network-manager-strongswan/stable 1.6.0-1+deb12u1 i386
python3-django-stronghold/stable,stable 0.4.0+debian-1 all
strongswan-charon/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [residual-config]
strongswan-charon/stable,stable-security 5.9.8-5+deb12u1 i386
strongswan-libcharon/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [residual-config]
strongswan-libcharon/stable,stable-security 5.9.8-5+deb12u1 i386
strongswan-nm/stable,stable-security 5.9.8-5+deb12u1 amd64
strongswan-nm/stable,stable-security 5.9.8-5+deb12u1 i386
strongswan-pki/stable,stable-security 5.9.8-5+deb12u1 amd64
strongswan-pki/stable,stable-security 5.9.8-5+deb12u1 i386
strongswan-starter/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [residual-config]
strongswan-starter/stable,stable-security 5.9.8-5+deb12u1 i386
strongswan-swanctl/stable,stable-security,now 5.9.8-5+deb12u1 amd64 [installed]
strongswan-swanctl/stable,stable-security 5.9.8-5+deb12u1 i386
strongswan/stable,stable,stable-security,stable-security 5.9.8-5+deb12u1 all
sword-dict-strongs-greek/stable,stable 3.0-3 all
sword-dict-strongs-hebrew/stable,stable 3.0-1 all
 
The libreswan package has the following Conflicts:
  • ike-server
  • strongswan-libcharon
  • strongswan-starter
So, when libreswan is installed, any conflicts which prevent the libreswan package from running are automatically removed. There are some strongswan remnants left behind that are harmless and are used by other packages like network-manager-strongswan which uses a completely different strongswan daemon from the packages that were removed.

But having said that, what you did should have worked.

What is the output of systemctl status ipsec.service or journalctl -xeu ipsec.service ?

Once you get systemctl start ipsec.service or systemctl restart ipsec.service working, things should be better.

I recommend using the following for viewing the log output, otherwise you won't see the pppd output which doesn't matter in this case yet as you haven't gotten past the IPsec connection phases yet:
journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd
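
To read from the journal how far the IPsec phases got, the following added example (not part of the original posts) classifies one connection attempt by the message texts that appear in this thread's strongSwan and libreswan logs. The function name `ipsec_stage`, the stage labels and the sample lines (using the documentation address 192.0.2.10) are constructed for illustration.

```shell
#!/bin/sh
# Classify one VPN connection attempt from journal lines read on stdin.
# Patterns are message texts seen in this thread's strongSwan (charon) and
# libreswan (pluto) logs; the stage labels are made up for this example.
ipsec_stage() {
    awk '
        /cannot load config .*syntax error/ {
            cfg_err = 1
            if ($0 ~ /syntax error \[/) {      # offending keyword is in [brackets]
                kw = $0
                sub(/^.*syntax error \[/, "", kw)
                sub(/\].*$/, "", kw)
            }
        }
        /Could not restart the ipsec service/   { svc_fail = 1 }
        /initiating Main Mode IKE_SA/           { mm_start = 1 }   # strongSwan
        /initiating IKEv1 Main Mode connection/ { mm_start = 1 }   # libreswan
        # IKEv1 phase 1 uses message ID 0, so these are Main Mode retransmits
        /sending retransmit [0-9]+ of request message ID 0,/ { mm_retrans++ }
        /IKE SA established/                    { ike_sa = 1 }
        /sent Quick Mode request/               { qm_sent = 1 }
        /STATE_QUICK_I1: retransmission/        { qm_retrans++ }
        END {
            # Report the furthest point reached, latest phase first.
            if (qm_retrans)      out = "quick-mode-stalled"
            else if (qm_sent)    out = "quick-mode-sent"
            else if (ike_sa)     out = "ike-sa-established"
            else if (mm_retrans) out = "main-mode-stalled"
            else if (mm_start)   out = "main-mode-started"
            else if (cfg_err)    out = (kw != "") ? "config-syntax-error:" kw : "config-syntax-error"
            else if (svc_fail)   out = "ipsec-service-failed"
            else                 out = "no-ike-activity"
            print out
        }
    '
}

# Constructed samples in the formats shown in the thread.
sample_strongswan() {
    cat <<'EOF'
Oct 22 10:00:00 charon[100]: 11[IKE] initiating Main Mode IKE_SA sample[1] to 192.0.2.10
Oct 22 10:00:00 charon[100]: 13[ENC] generating ID_PROT request 0 [ ID HASH ]
Oct 22 10:00:04 charon[100]: 06[IKE] sending retransmit 1 of request message ID 0, seq 3
Oct 22 10:00:04 charon[100]: 05[IKE] received retransmit of response with ID 0, but next request already sent
EOF
}

sample_libreswan() {
    cat <<'EOF'
Oct 24 10:00:00 NetworkManager[200]: 002 "sample" #1: initiating IKEv1 Main Mode connection
Oct 24 10:00:01 NetworkManager[200]: 004 "sample" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Oct 24 10:00:01 NetworkManager[200]: 115 "sample" #2: sent Quick Mode request
Oct 24 10:00:02 NetworkManager[200]: 010 "sample" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
EOF
}

sample_config_error() {
    cat <<'EOF'
Oct 23 10:00:00 ipsec[300]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:4: syntax error [charondebug]
EOF
}

# Stand-alone run over the constructed samples.
for s in sample_strongswan sample_libreswan sample_config_error; do
    printf '%s: %s\n' "$s" "$($s | ipsec_stage)"
done
```

Feed it one attempt at a time; the syntax-error case only shows up in the `ipsec.service` unit's own journal, not in the NetworkManager filter.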
 
sudo journalctl -xeu ipsec.service returns:
Bash:
 ~ sudo journalctl -xeu ipsec.service                         
Oct 23 18:23:28 jobus ipsec[8346]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:4: syntax error [charondebug]
Oct 23 18:23:28 jobus systemd[1]: ipsec.service: Failed with result 'exit-code'.
Subject: Unit failed
Defined-By: systemd

The unit ipsec.service has entered the 'failed' state with result 'exit-code'.
Oct 23 18:23:28 jobus systemd[1]: Failed to start ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Subject: A start job for unit ipsec.service has failed
Defined-By: systemd

A start job for unit ipsec.service has finished with a failure.

The job identifier is 2863 and the job result is failed.
Oct 23 18:23:28 jobus systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 5.
Subject: Automatic restarting of a unit has been scheduled
Defined-By: systemd

Automatic restarting of the unit ipsec.service has been scheduled, as the result for
the configured Restart= setting for the unit.
Oct 23 18:23:28 jobus systemd[1]: Stopped ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Subject: A stop job for unit ipsec.service has finished
Defined-By: systemd

A stop job for unit ipsec.service has finished.

The job identifier is 2974 and the job result is done.
Oct 23 18:23:28 jobus systemd[1]: ipsec.service: Start request repeated too quickly.
Oct 23 18:23:28 jobus systemd[1]: ipsec.service: Failed with result 'exit-code'.
Subject: Unit failed
Defined-By: systemd


The unit ipsec.service has entered the 'failed' state with result 'exit-code'.
Oct 23 18:23:28 jobus systemd[1]: Failed to start ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Subject: A start job for unit ipsec.service has failed
Defined-By: systemd

A start job for unit ipsec.service has finished with a failure.

The job identifier is 2974 and the job result is failed.
 
sudo systemctl status ipsec.service returns:

Bash:
➜  ~ systemctl status ipsec.service
× ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/lib/systemd/system/ipsec.service; disabled; preset: disabled)
     Active: failed (Result: exit-code) since Wed 2024-10-23 18:23:28 PST; 1min 30s ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 8340 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=3)
    Process: 8341 ExecStopPost=/bin/bash -c if test "$EXIT_STATUS" != "12"; then /sbin/ip xfrm policy flush; /sbin/ip xfrm state flush; fi (code=exited, status=0/SUCCESS)
    Process: 8344 ExecStopPost=/usr/sbin/ipsec --stopnflog (code=exited, status=0/SUCCESS)
        CPU: 32ms

I commented out some of my previously inputted text in /etc/ipsec.conf and now this is the log using the log command that you mentioned.

sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd -f

Bash:
Oct 23 18:30:06 nm-l2tp-service[9174]: Check port 1701
Oct 23 18:30:06 NetworkManager[9180]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Oct 23 18:30:06 NetworkManager[9184]: Redirecting to: systemctl restart ipsec.service
Oct 23 18:30:07 NetworkManager[1070]: <info>  [1729679407.2180] manager: (ip_vti0): new IPTunnel device (/org/freedesktop/NetworkManager/Devices/5)
Oct 23 18:30:07 NetworkManager[9646]: 002 listening for IKE messages
Oct 23 18:30:07 NetworkManager[9646]: 002 Kernel supports NIC esp-hw-offload
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface wlo1 192.168.69.98:500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface wlo1 192.168.69.98:4500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface lo 127.0.0.1:500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface lo 127.0.0.1:4500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface lo [::1]:500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface lo [::1]:4500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface wlo1 [2405:8d40:4471:1003:78c4:bff1:d99e:21cb]:500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface wlo1 [2405:8d40:4471:1003:78c4:bff1:d99e:21cb]:4500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface wlo1 [2405:8d40:4471:1003:caff:28ff:fe16:459]:500
Oct 23 18:30:07 NetworkManager[9646]: 002 adding UDP interface wlo1 [2405:8d40:4471:1003:caff:28ff:fe16:459]:4500
Oct 23 18:30:07 NetworkManager[9646]: 002 loading secrets from "/etc/ipsec.secrets"
Oct 23 18:30:07 NetworkManager[9646]: 002 loading secrets from "/etc/ipsec.d/ipsec.nm-l2tp.secrets"
Oct 23 18:30:07 NetworkManager[9652]: debugging mode enabled
Oct 23 18:30:07 NetworkManager[9652]: end of file /run/nm-l2tp-c34198ec-be2e-4734-9699-fb2ced703793/ipsec.conf
Oct 23 18:30:07 NetworkManager[9652]: Loading conn c34198ec-be2e-4734-9699-fb2ced703793
Oct 23 18:30:07 NetworkManager[9652]: starter: left is KH_DEFAULTROUTE
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" modecfgdns=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" modecfgdomains=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" modecfgbanner=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" mark=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" mark-in=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" mark-out=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" vti_iface=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" redirect-to=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" accept-redirect-to=<unset>
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" esp=aes256-sha1,aes128-sha1,3des-sha1
Oct 23 18:30:07 NetworkManager[9652]: conn: "c34198ec-be2e-4734-9699-fb2ced703793" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048
Oct 23 18:30:07 NetworkManager[9652]: opening file: /run/nm-l2tp-c34198ec-be2e-4734-9699-fb2ced703793/ipsec.conf
Oct 23 18:30:07 NetworkManager[9652]: loading named conns: c34198ec-be2e-4734-9699-fb2ced703793
Oct 23 18:30:07 NetworkManager[9652]: resolving family=IPv4 src=<defaultroute> gateway=<defaultroute> peer [SERVER_ADDRESS]
Oct 23 18:30:07 NetworkManager[9652]:   seeking GATEWAY
Oct 23 18:30:07 NetworkManager[9652]:     query GETROUTE+REQUEST+ROOT+MATCH
Oct 23 18:30:07 NetworkManager[9652]:     add RTA_DST [SERVER_ADDRESS] (peer->addr)
Oct 23 18:30:07 NetworkManager[9652]:     query returned 516 bytes
Oct 23 18:30:07 NetworkManager[9652]:   processing response
Oct 23 18:30:07 NetworkManager[9652]:     parsing route entry (RTA payloads)
Oct 23 18:30:07 NetworkManager[9652]:       RTA_TABLE=254
Oct 23 18:30:07 NetworkManager[9652]:       RTA_PRIORITY=600
Oct 23 18:30:07 NetworkManager[9652]:       RTA_PREFSRC=192.168.69.98
Oct 23 18:30:07 NetworkManager[9652]:       RTA_GATEWAY=192.168.69.59
Oct 23 18:30:07 NetworkManager[9652]:       using src=<unset-address> prefsrc=192.168.69.98 gateway=192.168.69.59 dst=<unset-address> dev='wlo1' priority=600 pref=-1 table=254
Oct 23 18:30:07 NetworkManager[9652]:     found gateway(host_nexthop): 192.168.69.59
Oct 23 18:30:07 NetworkManager[9652]:   please-call-again: src=<defaultroute> gateway=192.168.69.59
Oct 23 18:30:07 NetworkManager[9652]: resolving family=IPv4 src=<defaultroute> gateway=192.168.69.59 peer [SERVER_ADDRESS]
Oct 23 18:30:07 NetworkManager[9652]:   seeking PREFSRC
Oct 23 18:30:07 NetworkManager[9652]:     query GETROUTE+REQUEST
Oct 23 18:30:07 NetworkManager[9652]:     add RTA_DST 192.168.69.59 (host->nexthop)
Oct 23 18:30:07 NetworkManager[9652]:     query returned 104 bytes
Oct 23 18:30:07 NetworkManager[9652]:   processing response
Oct 23 18:30:07 NetworkManager[9652]:     parsing route entry (RTA payloads)
Oct 23 18:30:07 NetworkManager[9652]:       RTA_TABLE=254
Oct 23 18:30:07 NetworkManager[9652]:       RTA_DST=192.168.69.59
Oct 23 18:30:07 NetworkManager[9652]:       RTA_PREFSRC=192.168.69.98
Oct 23 18:30:07 NetworkManager[9652]:       using src=<unset-address> prefsrc=192.168.69.98 gateway=<unset-address> dst=192.168.69.59 dev='wlo1' priority=-1 pref=-1 table=254 +cacheinfo +uid
Oct 23 18:30:07 NetworkManager[9652]:     found prefsrc(host_addr): 192.168.69.98
Oct 23 18:30:07 NetworkManager[9652]:   success: src=192.168.69.98 gateway=192.168.69.59
Oct 23 18:30:07 NetworkManager[9652]: resolving family=IPv4 src=[SERVER_ADDRESS] gateway=<not-set> peer 192.168.69.98
Oct 23 18:30:07 NetworkManager[9652]:   seeking NOTHING
Oct 23 18:30:07 nm-l2tp-service[9174]: Could not establish IPsec connection.
Oct 23 18:30:07 nm-l2tp-service[9174]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
 
There are lots of syntax differences between strongswan and libreswan, including in /etc/ipsec.conf and other files.

When replacing strongswan with libreswan, it would have come up with the following prompt:
Code:
Configuration file '/etc/ipsec.secrets'
 ==> Modified (by you or by a script) since installation.
 ==> Package distributor has shipped an updated version.
   What would you like to do about it ?  Your options are:
    Y or I  : install the package maintainer's version
    N or O  : keep your currently-installed version
      D     : show the differences between the versions
      Z     : start a shell to examine the situation
 The default action is to keep your current version.
*** ipsec.secrets (Y/I/N/O/D/Z) [default=N] ?
I suspect you didn't select Y or I to install the package maintainer's version of /etc/ipsec.secrets.

I would now recommend purging and installing the relevant packages again. e.g.:
Bash:
sudo apt purge network-manager-l2tp network-manager-l2tp-gnome libreswan strongswan
sudo apt autoremove

sudo apt install libreswan
sudo apt install network-manager-l2tp-gnome
network-manager-l2tp package has a dependency on (strongswan or libreswan) so removing it helps in purging libreswan and/or strongswan successfully. Then libreswan is explicitly installed before network-manager-l2tp-gnome to avoid strongswan getting installed by default.
 
Oh I forgot, Debian 12 includes a patch to disable IKEv1 with libreswan, unfortunately the patch produces very misleading error messages, except if you are looking at the journalctl messages produced by the libreswan pluto daemon.

To re-enable IKEv1, see the NetworkManager-l2tp README.md file:
https://github.com/nm-l2tp/debian/blob/main/README.md

i.e. add ikev1-policy=accept to the config setup section of /etc/ipsec.conf
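
The edit described above, as an added shell example that is not part of the original post or of the NetworkManager-l2tp project: it reads `ikev1-policy` from the `config setup` section, adds `ikev1-policy=accept` only when the option is unset (keeping a `.bak` copy), and reports a leftover `charondebug` line like the one behind the syntax error earlier in the thread. The function names and the sample file are constructed for illustration; because this turns back on a protocol version the Debian 12 package disables by default, any other explicit value is left untouched.

```shell
#!/bin/sh
# Inspect and adjust the "config setup" section of a libreswan ipsec.conf.
# Function names and the sample file are constructed for this example.

# Print the ikev1-policy value set in "config setup", or "unset".
ikev1_policy() {
    awk '
        /^[ \t]*#/                   { next }                  # comment line
        /^config[ \t]+setup[ \t]*$/  { in_setup = 1; next }
        /^[^ \t]/                    { in_setup = 0 }          # another section starts
        in_setup && /^[ \t]+ikev1-policy[ \t]*=/ {
            value = $0
            sub(/^[^=]*=[ \t]*/, "", value)
            sub(/[ \t]+$/, "", value)
        }
        END { print (value == "" ? "unset" : value) }
    ' "$1"
}

# Print "LINE:charondebug" for each charondebug line in "config setup";
# this strongSwan keyword is the one the libreswan parser rejected in the thread.
strongswan_leftovers() {
    awk '
        /^[ \t]*#/                   { next }
        /^config[ \t]+setup[ \t]*$/  { in_setup = 1; next }
        /^[^ \t]/                    { in_setup = 0 }
        in_setup && /^[ \t]+charondebug[ \t]*=/ { print NR ":charondebug" }
    ' "$1"
}

# Add ikev1-policy=accept to "config setup" if the option is unset.
# Returns 0 when the file ends up with accept, 1 when another value is set.
enable_ikev1() {
    conf=$1
    current=$(ikev1_policy "$conf")
    case $current in
        accept) return 0 ;;                      # already enabled
        unset)  ;;                               # add it below
        *)      echo "ikev1-policy is '$current' in $conf; not changing it" >&2
                return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    awk '
        { print }
        !added && /^config[ \t]+setup[ \t]*$/ { print "    ikev1-policy=accept"; added = 1 }
        END { if (!added) print "\nconfig setup\n    ikev1-policy=accept" }
    ' "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a backup, then overwrite in place so owner and mode are preserved.
    cp -p "$conf" "$conf.bak" && cat "$tmp" > "$conf"
    status=$?
    rm -f "$tmp"
    return $status
}

# Constructed sample: a config that still carries a strongSwan keyword.
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample, not a real configuration
config setup
    charondebug="ike 2"
    uniqueids=no

conn constructed-example
    type=transport
EOF
}

# Stand-alone run on the constructed sample.
sample=$(mktemp)
write_sample "$sample"
echo "before: $(ikev1_policy "$sample"), leftovers: $(strongswan_leftovers "$sample")"
enable_ikev1 "$sample"
echo "after:  $(ikev1_policy "$sample")"
rm -f "$sample" "$sample.bak"
```

After running `enable_ikev1 /etc/ipsec.conf` as root, validate the file with the same check the service unit runs, `/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig`.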
 
Hello sir, I'm sorry, but I decided to hop to Fedora 40 KDE and followed this post-installation method: https://github.com/devangshekhawat/Fedora-40-Post-Install-Guide.
Libreswan was pre-installed.

Here's the log of sudo journalctl --no-hostname _SYSTEMD_UNIT=NetworkManager.service + SYSLOG_IDENTIFIER=pppd -f

Bash:
Oct 24 15:01:37 NetworkManager[7469]: whack: Pluto is not running (no "/run/pluto/pluto.ctl")
Oct 24 15:01:37 NetworkManager[7470]: Redirecting to: systemctl restart ipsec.service
Oct 24 15:01:38 NetworkManager[1089]: <info>  [1729753298.6178] manager: (ip_vti0): new IPTunnel device (/org/freedesktop/NetworkManager/Devices/5)
Oct 24 15:01:38 NetworkManager[7772]: debugging mode enabled
Oct 24 15:01:38 NetworkManager[7772]: end of file /run/nm-l2tp-42ca90d5-7a35-4f4f-ac96-df8c5c9fda87/ipsec.conf
Oct 24 15:01:38 NetworkManager[7772]: Loading conn 42ca90d5-7a35-4f4f-ac96-df8c5c9fda87
Oct 24 15:01:38 NetworkManager[7772]: starter: left is KH_DEFAULTROUTE
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" modecfgdns=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" modecfgdomains=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" modecfgbanner=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" mark=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" mark-in=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" mark-out=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" vti_iface=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" redirect-to=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" accept-redirect-to=<unset>
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" esp=aes256-sha1,aes128-sha1,3des-sha1
Oct 24 15:01:38 NetworkManager[7772]: conn: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" ike=aes256-sha2_256-modp2048,aes256-sha2_256-modp1536,aes256-sha1-modp2048,aes256-sha1-modp1536,aes256-sha1-ecp_384,aes128-sha1-ecp_256,3des-sha1-modp2048
Oct 24 15:01:38 NetworkManager[7772]: opening file: /run/nm-l2tp-42ca90d5-7a35-4f4f-ac96-df8c5c9fda87/ipsec.conf
Oct 24 15:01:38 NetworkManager[7772]: loading named conns: 42ca90d5-7a35-4f4f-ac96-df8c5c9fda87
Oct 24 15:01:38 NetworkManager[7772]: resolving family=IPv4 src=<defaultroute> gateway=<defaultroute> peer [SERVER_ADDR}
Oct 24 15:01:38 NetworkManager[7772]:   seeking GATEWAY
Oct 24 15:01:38 NetworkManager[7772]:     query GETROUTE+REQUEST+ROOT+MATCH
Oct 24 15:01:38 NetworkManager[7772]:     add RTA_DST [SERVER_ADDR} (peer->addr)
Oct 24 15:01:38 NetworkManager[7772]:     query returned 456 bytes
Oct 24 15:01:38 NetworkManager[7772]:   processing response
Oct 24 15:01:38 NetworkManager[7772]:     parsing route entry (RTA payloads)
Oct 24 15:01:38 NetworkManager[7772]:       RTA_TABLE=254
Oct 24 15:01:38 NetworkManager[7772]:       RTA_PRIORITY=600
Oct 24 15:01:38 NetworkManager[7772]:       RTA_PREFSRC=192.168.116.193
Oct 24 15:01:38 NetworkManager[7772]:       RTA_GATEWAY=192.168.116.35
Oct 24 15:01:38 NetworkManager[7772]:       using src=<unset-address> prefsrc=192.168.116.193 gateway=192.168.116.35 dst=<unset-address> dev='wlo1' priority=600 pref=-1 table=254
Oct 24 15:01:38 NetworkManager[7772]:     found gateway(host_nexthop): 192.168.116.35
Oct 24 15:01:38 NetworkManager[7772]:   please-call-again: src=<defaultroute> gateway=192.168.116.35
Oct 24 15:01:38 NetworkManager[7772]: resolving family=IPv4 src=<defaultroute> gateway=192.168.116.35 peer [SERVER_ADDR}
Oct 24 15:01:38 NetworkManager[7772]:   seeking PREFSRC
Oct 24 15:01:38 NetworkManager[7772]:     query GETROUTE+REQUEST
Oct 24 15:01:38 NetworkManager[7772]:     add RTA_DST 192.168.116.35 (host->nexthop)
Oct 24 15:01:38 NetworkManager[7772]:     query returned 104 bytes
Oct 24 15:01:38 NetworkManager[7772]:   processing response
Oct 24 15:01:38 NetworkManager[7772]:     parsing route entry (RTA payloads)
Oct 24 15:01:38 NetworkManager[7772]:       RTA_TABLE=254
Oct 24 15:01:38 NetworkManager[7772]:       RTA_DST=192.168.116.35
Oct 24 15:01:38 NetworkManager[7772]:       RTA_PREFSRC=192.168.116.193
Oct 24 15:01:38 NetworkManager[7772]:       using src=<unset-address> prefsrc=192.168.116.193 gateway=<unset-address> dst=192.168.116.35 dev='wlo1' priority=-1 pref=-1 table=254 +cacheinfo +uid
Oct 24 15:01:38 NetworkManager[7772]:     found prefsrc(host_addr): 192.168.116.193
Oct 24 15:01:38 NetworkManager[7772]:   success: src=192.168.116.193 gateway=192.168.116.35
Oct 24 15:01:38 NetworkManager[7772]: resolving family=IPv4 src=[SERVER_ADDR} gateway=<not-set> peer 192.168.116.193
Oct 24 15:01:38 NetworkManager[7772]:   seeking NOTHING
Oct 24 15:01:38 NetworkManager[7774]: 002 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: initiating IKEv1 Main Mode connection
Oct 24 15:01:38 NetworkManager[7774]: 102 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: sent Main Mode request
Oct 24 15:01:39 NetworkManager[7774]: 003 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: ignoring unknown Vendor ID payload [bf c2 2e 98  56 ba 99 36  11 c1 1e 48  a6 d2 08 07  a9 5b ed b3  93 02 6a 49  e6 0f ac 32  7b b9 60 1b...]
Oct 24 15:01:39 NetworkManager[7774]: 002 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: WARNING: connection 42ca90d5-7a35-4f4f-ac96-df8c5c9fda87 PSK length of 11 bytes is too short for HMAC_SHA2_256 PRF in FIPS mode (16 bytes required)
Oct 24 15:01:39 NetworkManager[7774]: 104 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: sent Main Mode I2
Oct 24 15:01:39 NetworkManager[7774]: 106 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: sent Main Mode I3
Oct 24 15:01:39 NetworkManager[7774]: 002 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: Peer ID is ID_IPV4_ADDR: '[SERVER_ADDR}'
Oct 24 15:01:39 NetworkManager[7774]: 004 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
Oct 24 15:01:39 NetworkManager[7774]: 002 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:09ce5cbc proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96, 3DES_CBC-HMAC_SHA1_96 pfsgroup=MODP2048}
Oct 24 15:01:39 NetworkManager[7774]: 115 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: sent Quick Mode request
Oct 24 15:01:40 NetworkManager[7774]: 010 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
Oct 24 15:01:40 NetworkManager[7774]: 010 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
Oct 24 15:01:41 NetworkManager[7774]: 010 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
Oct 24 15:01:43 NetworkManager[7774]: 010 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
Oct 24 15:01:47 NetworkManager[1089]: <warn>  [1729753307.5037] vpn[0x5570173a71d0,42ca90d5-7a35-4f4f-ac96-df8c5c9fda87,"VPN_NAME"]: failed to connect: 'Timeout was reached'
Oct 24 15:01:47 NetworkManager[7774]: 010 "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
Oct 24 15:01:54 nm-l2tp-service[7460]: Could not establish IPsec connection.
Oct 24 15:01:54 nm-l2tp-service[7460]: g_dbus_method_invocation_take_error: assertion 'error != NULL' failed
 
Here's the output of sudo systemctl status ipsec:

Bash:
➜  ~ sudo systemctl status ipsec   
● ipsec.service - Internet Key Exchange (IKE) Protocol Daemon for IPsec
     Loaded: loaded (/usr/lib/systemd/system/ipsec.service; disabled; preset: disabled)
    Drop-In: /usr/lib/systemd/system/service.d
             └─10-timeout-abort.conf
     Active: active (running) since Thu 2024-10-24 15:12:10 PST; 10s ago
       Docs: man:ipsec(8)
             man:pluto(8)
             man:ipsec.conf(5)
    Process: 9670 ExecStartPre=/usr/libexec/ipsec/addconn --config /etc/ipsec.conf --checkconfig (code=exited, status=0/SUCCESS)
    Process: 9672 ExecStartPre=/usr/libexec/ipsec/_stackmanager start (code=exited, status=0/SUCCESS)
    Process: 9905 ExecStartPre=/usr/sbin/ipsec --checknss (code=exited, status=0/SUCCESS)
    Process: 9907 ExecStartPre=/usr/sbin/ipsec --checknflog (code=exited, status=0/SUCCESS)
   Main PID: 9919 (pluto)
     Status: "Startup completed."
      Tasks: 12 (limit: 18691)
     Memory: 5.3M (peak: 7.9M)
        CPU: 990ms
     CGroup: /system.slice/ipsec.service
             └─9919 /usr/libexec/ipsec/pluto --leak-detective --config /etc/ipsec.conf --nofork

Oct 24 15:12:12 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: received and ignored notification payload: NO_PROPOSAL_CHOSEN
Oct 24 15:12:13 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 2 seconds for response
Oct 24 15:12:13 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=28
Oct 24 15:12:13 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: received and ignored notification payload: NO_PROPOSAL_CHOSEN
Oct 24 15:12:15 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 4 seconds for response
Oct 24 15:12:15 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=28
Oct 24 15:12:15 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: received and ignored notification payload: NO_PROPOSAL_CHOSEN
Oct 24 15:12:19 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #2: STATE_QUICK_I1: retransmission; will wait 8 seconds for response
Oct 24 15:12:19 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: ignoring informational payload NO_PROPOSAL_CHOSEN, msgid=00000000, length=28
Oct 24 15:12:19 jobus pluto[9919]: "42ca90d5-7a35-4f4f-ac96-df8c5c9fda87" #1: received and ignored notification payload: NO_PROPOSAL_CHOSEN
 
Okay, it's getting further now in the IPsec connection, it has success with Main Mode (phase 1), but is failing with Quick Mode (phase 2).

In phase 2, I can see it is trying to use Perfect Forward Secrecy (PFS). I suspect your VPN server doesn't support PFS or wasn't configured to support PFS, so it fails.

Try disabling PFS checkbox option in the IPSec advanced settings for the VPN connection.

As you are using Fedora, you should remove the blacklisting of L2TP kernel modules which can be done with:

Bash:
sudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf
sudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf

More blacklisting details can be found in the NetworkManager-l2tp README.md file.
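The diagnosis in the reply above (Main Mode completes, then Quick Mode is retransmitted and answered with NO_PROPOSAL_CHOSEN while PFS is offered) can be read off the log mechanically. The following is an added example, not part of the original posts or of NetworkManager-l2tp; the function names and sample lines are constructed, and the "IPsec SA established" success string is an assumption about libreswan's wording.

```shell
#!/bin/sh
# Added example: classify where a libreswan (pluto) IKEv1 negotiation stopped.
# Live use: sudo journalctl -u NetworkManager --no-pager | diagnose_ikev1

# Constructed sample lines in the log format shown in this thread (placeholder names).
sample_log() {
cat <<'EOF'
pluto[1000]: "conn-example" #1: initiating IKEv1 Main Mode connection
pluto[1000]: "conn-example" #1: IKE SA established {auth=PRESHARED_KEY cipher=AES_CBC_256 integ=HMAC_SHA2_256 group=MODP2048}
pluto[1000]: "conn-example" #2: initiating Quick Mode IKEv1+PSK+ENCRYPT+PFS+UP+IKE_FRAG_ALLOW+ESN_NO+ESN_YES {using isakmp#1 msgid:00000001 proposal=AES_CBC_256-HMAC_SHA1_96, AES_CBC_128-HMAC_SHA1_96 pfsgroup=MODP2048}
pluto[1000]: "conn-example" #2: STATE_QUICK_I1: retransmission; will wait 0.5 seconds for response
pluto[1000]: "conn-example" #1: received and ignored notification payload: NO_PROPOSAL_CHOSEN
pluto[1000]: "conn-example" #2: STATE_QUICK_I1: retransmission; will wait 1 seconds for response
EOF
}

# Print the ESP proposals and the PFS group offered in Quick Mode (phase 2).
phase2_offer() {
    sed -n 's/.*initiating Quick Mode.*proposal=\(.*\) pfsgroup=\([A-Z0-9_]*\).*/esp=\1 pfs=\2/p'
}

# Read log lines on stdin and print one verdict word for the last attempt.
diagnose_ikev1() {
    awk '
        # A new Main Mode attempt resets the state, so old attempts do not leak in.
        /initiating IKEv1 Main Mode/ { p1 = qm = pfs = rejected = retrans = p2 = 0 }
        /(IKE|ISAKMP) SA established/ { p1 = 1 }          # phase 1 completed
        /initiating Quick Mode/ { qm = 1; if (index($0, "+PFS")) pfs = 1 }
        /NO_PROPOSAL_CHOSEN/ { if (p1) rejected = 1 }      # responder refused the offer
        /STATE_QUICK_I1: retransmission/ { retrans = 1 }   # no usable reply yet
        /IPsec SA established/ { p2 = 1 }                  # assumed success wording
        END {
            if (!p1)                  print "phase1_failed"
            else if (p2)              print "established"
            else if (!qm)             print "phase2_not_started"
            else if (rejected && pfs) print "phase2_rejected_pfs_offered"
            else if (rejected)        print "phase2_rejected"
            else if (retrans)         print "phase2_no_response"
            else                      print "phase2_pending"
        }'
}

sample_log | phase2_offer
sample_log | diagnose_ikev1
```

A `phase2_rejected_pfs_offered` verdict marks PFS as a candidate to test, as was done in this thread; NO_PROPOSAL_CHOSEN alone does not say whether the responder objected to the PFS group or to the ESP algorithms.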
 
Try disabling PFS checkbox option in the IPSec advanced settings for the VPN connection.
The VPN now works just by doing this, sir!

Thank you so much for your time and effort!
 
Glad to hear.

Even if it is working without removing the blacklisting of the L2TP kernel modules, if you want a stable VPN connection that doesn't fail with certain network loads, I recommend removing the blacklisting so xl2tpd can make use of the kernel modules.
 

