Description of problem:
Configuration which worked before the Fedora 43 upgrade no longer works. The strongSwan package maintainer indicates this doesn't seem to be a problem with that package: https://github.com/strongswan/strongswan/discussions/2913#discussioncomment-14775413

Also filed here:
* https://github.com/nm-l2tp/NetworkManager-l2tp/issues/241
* https://github.com/xelerance/xl2tpd/issues/280

Version-Release number of selected component (if applicable):
```
$ rpm -q strongswan
strongswan-6.0.2-6.fc43.x86_64
$ rpm -q xl2tpd
xl2tpd-1.3.17-8.fc43.x86_64
$ rpm -q NetworkManager-l2tp
NetworkManager-l2tp-1.20.20-4.fc43.x86_64
$ rpm -q NetworkManager-l2tp-gnome
NetworkManager-l2tp-gnome-1.20.20-4.fc43.x86_64
$ rpm -q strongswan-libipsec
strongswan-libipsec-6.0.2-6.fc43.x86_64
```

How reproducible:
Help me find out?

Steps to Reproduce:
1. See configuration in existing discussion

Actual results:
VPN disconnects immediately

Expected results:
Stable connection until user disables VPN

Additional info:
Ask and ye shall receive
I have the same problem on Fedora 43 (Kinoite), only Libreswan is used instead of strongSwan.

In my case the first error is:
```
Oct 28 21:34:43 *** NetworkManager[6450]: 2025/10/28 21:34:43 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: socket: permission denied
```

In this case the issue is with SELinux and kl2tpd/l2tpd_t, so it can be fixed in this way:
```
# as root
ausearch -c 'kl2tpd' --raw | audit2allow -M kl2tpd-custom
semodule -i kl2tpd-custom.pp
```

`kl2tpd-custom.te` content:
```
module kl2tpd-custom 1.0;

require {
	type l2tpd_t;
	type sysfs_t;
	class file { open read };
	class netlink_generic_socket { bind create getattr getopt };
}

#============= l2tpd_t ==============
allow l2tpd_t self:netlink_generic_socket { bind create getattr getopt };
allow l2tpd_t sysfs_t:file { open read };
```

After this fix I have the following error:
```
Oct 28 22:47:59 *** NetworkManager[14561]: 2025/10/28 22:47:59 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink send: sendmsg: permission denied
```

After disabling SELinux:
```
setenforce 0
```

The error is the following:
```
Oct 28 23:35:12 *** NetworkManager[32314]: 2025/10/28 23:35:12 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink receive: no such file or directory
```
The xl2tpd package on Fedora 43 has been retired as it became an orphaned package. I'm not sure how you have xl2tpd-1.3.17-8.fc43.x86_64 installed as it is not listed here: https://src.fedoraproject.org/rpms/xl2tpd

kl2tpd is part of the go-l2tp (aka golang-github-katalix-l2tp) package. As the xl2tpd package has been orphaned, the NetworkManager-l2tp-1.20.20-4.fc43 RPM removed the xl2tpd dependency and replaced it with go-l2tp. The NetworkManager-l2tpd runtime uses kl2tpd as its preferred L2TP daemon and will only fall back to xl2tpd if it can't find kl2tpd.

Regarding the SELinux netlink sendmsg permission issue, please see the upstream SELinux issue and pull request:
- https://github.com/fedora-selinux/selinux-policy/issues/2259
- https://github.com/fedora-selinux/selinux-policy/pull/2317

Along with a SELinux fix or workaround, you will also need to remove the blacklisting of the L2TP kernel modules, which can be achieved with:
```
sudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf
sudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf
```

IKEv1 is deprecated and disabled by default with Libreswan >= 5.0, so if you are using Libreswan, you will also need to re-enable IKEv1, which can be achieved with:
```
sudo sed -i -e 's/#ikev1-policy=.*/ikev1-policy=accept/' /etc/ipsec.conf
```

Now back to the kl2tpd issue with "failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink receive: no such file or directory", I'm not sure.
This error:
```
Oct 28 23:35:12 *** NetworkManager[32314]: 2025/10/28 23:35:12 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink receive: no such file or directory
```
is related to: https://github.com/nm-l2tp/NetworkManager-l2tp/blob/main/README.md#issue-with-blacklisting-of-l2tp-kernel-modules
```
sudo sed -e '/blacklist l2tp_netlink/s/^b/#b/g' -i /etc/modprobe.d/l2tp_netlink-blacklist.conf
sudo sed -e '/blacklist l2tp_ppp/s/^b/#b/g' -i /etc/modprobe.d/l2tp_ppp-blacklist.conf
```

But now again:
```
Oct 29 01:34:04 *** NetworkManager[15332]: 2025/10/29 01:34:04 failed to instantiate application: failed to create L2TP context: failed to initialise data plane: failed to establish a netlink/L2TP connection: netlink send: sendmsg: permission denied
```

There is another SELinux issue:
```
ausearch -c 'tuned-ppd' --raw | audit2allow -M tuned-ppd-custom
semodule -i tuned-ppd-custom.pp
```

`tuned-ppd-custom.te` content:
```
module tuned-ppd-custom 1.0;

require {
	type lib_t;
	type tuned_ppd_t;
	class dir { add_name remove_name };
	class file { create rename unlink write };
}

#============= tuned_ppd_t ==============
allow tuned_ppd_t lib_t:dir { add_name remove_name };
allow tuned_ppd_t lib_t:file { create rename unlink write };
```

After this there are no new SELinux denials in `ausearch`, but l2tp continues to fail. And, after disabling SELinux, it works:
```
setenforce 0
```

How can I find out what SELinux is preventing in this case?
So, the above `tuned-ppd` SELinux config is not related to this issue at all and can be ignored.

Finally I got a working SELinux `l2tpd_t` config:
```
module kl2tpd-custom 1.0;

require {
	type sysfs_t;
	type pppd_t;
	type l2tpd_t;
	class file { open read };
	class netlink_generic_socket { bind create getattr getopt read write };
	class process noatsecure;
}

#============= l2tpd_t ==============
allow l2tpd_t pppd_t:process noatsecure;
allow l2tpd_t self:netlink_generic_socket { bind create getattr getopt read write };
allow l2tpd_t sysfs_t:file { open read };
```

With this config it works.
The assignee of this bug is "Orphan Owner" as the xl2tpd package has been orphaned. So, it might be best to post a new bug and set the component to selinux-policy where they can fix the SELinux issue.

In the upstream SELinux pull request I mentioned, the commit and review is: https://github.com/fedora-selinux/selinux-policy/pull/2317/commits/3f107f698c06bb55d4604ba2cc8b4ac4272d407b

In the pull-request review they state that the "allow l2tpd_t sysfs_t:file { open read };" line is not required, and I notice you are using that as well.
Regarding this:

> in the pull-request review they state that the "allow l2tpd_t sysfs_t:file { open read };" line is not required and I notice you are using that as well.

It's strange, but yes, after removing this line from the config, kl2tpd continues to work... But SELinux is giving these denied messages:
```
time->Wed Oct 29 13:31:42 2025
type=AVC msg=audit(1761737502.659:950): avc:  denied  { read } for  pid=43312 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=5245 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
```
Sorry, I think I misread the SELinux pull request review I pointed at. I think it is saying that the "allow l2tpd_t sysfs_t:file { open read };" line is not required because of the "dev_read_sysfs(l2tpd_t)" line, which is also the correct way to access types from other modules.

I haven't had a chance to install Fedora 43 to test things out and reproduce the issue myself.
After numerous tests, the final/minimal working (without avc denied) SELinux configuration was obtained:
```
module kl2tpd-custom 1.0;

require {
	type l2tpd_t;
	type sysfs_t;
	class file { open read };
	class netlink_generic_socket { bind create getattr getopt read write };
}

#============= l2tpd_t ==============
allow l2tpd_t self:netlink_generic_socket { bind create getattr getopt read write };
allow l2tpd_t sysfs_t:file { open read };
```

Now exactly this SELinux module works on my machine.
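The `ausearch | audit2allow` workflow used in the comments above turns raw AVC denial records into `allow` rules, and the thread shows why the generated module should be reviewed before `semodule -i`: an unrelated `tuned-ppd` module was generated along the way, and one rule was later found to be redundant with `dev_read_sysfs()`. The following Python script is an added example, not code from this bug report or from the audit2allow tool: it parses AVC lines in the format quoted in the thread, merges the denied permissions per (source type, target type, class), renders a `.te` module in the same layout as the ones posted here, and reports any permission that goes beyond a reviewer-supplied baseline. The audit lines it runs on are constructed samples modelled on the one denial quoted above (pids, inodes and serial numbers are invented).

```python
import re
from collections import defaultdict

# Constructed sample audit output (not real ausearch output): the first line copies the
# format of the denial quoted in this thread, the rest are invented to exercise merging.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1761737502.659:950): avc:  denied  { read } for  pid=43312 comm="kl2tpd" name="hpage_pmd_size" dev="sysfs" ino=5245 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761737502.660:951): avc:  denied  { open } for  pid=43312 comm="kl2tpd" path="/sys/kernel/mm/transparent_hugepage/hpage_pmd_size" dev="sysfs" ino=5245 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:sysfs_t:s0 tclass=file permissive=0
type=AVC msg=audit(1761737503.100:952): avc:  denied  { create } for  pid=43312 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=0
type=AVC msg=audit(1761737503.101:953): avc:  denied  { bind write } for  pid=43312 comm="kl2tpd" scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:system_r:l2tpd_t:s0 tclass=netlink_generic_socket permissive=0
type=SYSCALL msg=audit(1761737503.101:953): arch=c000003e syscall=46 success=no exit=-13 comm="kl2tpd"
"""

# Matches the fields audit2allow needs: the denied permission set, both security
# contexts and the object class. Non-AVC records (SYSCALL, PROCTITLE, ...) do not match.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)


def parse_avc_denials(text):
    """Return one dict per AVC denial: perms (set), source type, target type, tclass."""
    denials = []
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue
        # A context is user:role:type:level; the policy rule only needs the type.
        source = m.group('scontext').split(':')[2]
        target = m.group('tcontext').split(':')[2]
        denials.append({
            'perms': set(m.group('perms').split()),
            'source': source,
            'target': target,
            'tclass': m.group('tclass'),
        })
    return denials


def build_allow_rules(denials):
    """Merge denials into {(source, target, tclass): set_of_perms}, as audit2allow does."""
    rules = defaultdict(set)
    for d in denials:
        rules[(d['source'], d['target'], d['tclass'])] |= d['perms']
    return dict(rules)


def render_module(name, rules, version="1.0"):
    """Render a .te module in the layout of the modules posted in this thread."""
    types, classes = set(), defaultdict(set)
    for (src, tgt, tclass), perms in rules.items():
        types.update((src, tgt))
        classes[tclass] |= perms
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in sorted(types)]
    lines += [f"\tclass {c} {{ {' '.join(sorted(p))} }};" for c, p in sorted(classes.items())]
    lines += ["}", ""]
    for (src, tgt, tclass), perms in sorted(rules.items()):
        target = "self" if src == tgt else tgt  # same-domain access is written as self
        lines.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


def excess_permissions(rules, baseline):
    """Return the generated permissions that a reviewer's baseline does not allow.

    The baseline is the set of rules you expect the daemon to need; anything returned
    here deserves a look before the module is installed with semodule -i.
    """
    excess = {}
    for key, perms in rules.items():
        extra = perms - baseline.get(key, set())
        if extra:
            excess[key] = extra
    return excess


if __name__ == "__main__":
    rules = build_allow_rules(parse_avc_denials(SAMPLE_AUDIT))
    print(render_module("kl2tpd-custom", rules))
    # Baseline taken from the final module posted in this thread.
    baseline = {
        ('l2tpd_t', 'l2tpd_t', 'netlink_generic_socket'):
            {'bind', 'create', 'getattr', 'getopt', 'read', 'write'},
        ('l2tpd_t', 'sysfs_t', 'file'): {'open', 'read'},
    }
    print("excess:", excess_permissions(rules, baseline))
```

The `excess_permissions` check is the reviewer's step that audit2allow itself does not perform: generated rules are only as narrow as the denials that happened to be logged, and a rule like the `sysfs_t` one may already be covered by an interface such as `dev_read_sysfs()` in the base policy, so the output is a starting point for a policy change rather than something to install unread.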
I'm marking this bug as a duplicate of the following, which has the component correctly set to selinux-policy: https://bugzilla.redhat.com/show_bug.cgi?id=2407022

Please post any comments to that bug report.

*** This bug has been marked as a duplicate of bug 2407022 ***