Where to connect?

(In reply to comment #1)
> Where to connect?

I am connecting back to my firewall. I didnt want to put the address here

In this case I can't reproduce this error. I can only to redirect it to upstream. Or you might e-mail me your private data and I will work with them.

I will create credentials for you. They should be complete by this afternoon. I will email you when complete

Ok.

Did you connect to this vpn-server before? How did you do this?

(In reply to comment #6)
> Did you connect to this vpn-server before? How did you do this?


I could connect with Windows and Android but cant seem to do it with fedora

How do you connect with Windows?

(In reply to comment #8)
> How do you connect with Windows?

Control Panel > Set up a connection or Network > Connect to a Workplace > Use my Internet connection (VPN) > Internet Address: "the address that I gave to you" >
User name: "the username that I gave to you"
Password: "same as above"


Connect

The connection will fail at this point because more modifications need to be made to the profile.

Click Set up the connection anyway.

Go to the properties of the new VPN adapter that you just created.
Click on the Security tab, click the Advanced settings button. Click the use preshared key for authentication.
Enter the preshared key and click ok

You will now be able to connect

did you try connect with ipsec on Fedora?

(In reply to comment #10)
> did you try connect with ipsec on Fedora?

I did but maybe I got some settings wrong. Did you get it to work? if so can you share the settings that you used?

I didn't get it to work too.

you can try this http://sourceforge.net/projects/l2tp-ipsec-vpn/files/?source=navbar

for using NetworkManager-l2tp with IPSec you have enabled ipsec service. 
systemctl enable ipsec.service
systemctl start ipsec.service

also you need to add your pre shared key to /etc/ipsec.secrets
%any your_gateway: "your_pre_shared_key"

and something else ... I haven't found that yet.

Try it. Maybe it will work for you.

(In reply to comment #15)
> Try it. Maybe it will work for you.

I tried and gets hung in Phase 2

Created attachment 668604 [details]
selinux policy for ipsec/l2tp

Possible selinux fix for ipsec/l2tp

If 'setenforce 0' allows your connection, it is just an selinux issue, and the above policy might fix it for you.

I don't use selinux.

Adding Daniel Walsh for selinux issues.

The current NetworkManager-l2tp needs permissive mode to establish ipsec/l2tp vpn connections. I built an selinux policy attached above that works for me connecting F17 to a Vyatta 6.5 ipsec/l2tp vpn server. I presume fedora policy is to add selinux policy to selinux-policy package, rather than having individual packages running semodule command in post or postun scripts.

Should the 'requires' for NetworkManager-l2tp include openswan? That is needed if you are doing ipsec/l2tp, but some folks may be using just raw l2tp, in which case openswan would probably not be a requirement. I don't have a test system for that.

What is Fedora policy on such package requires? There must be other packages that have package dependencies that depend on the configuration. Do the rpm 'requires' always include all the dependent packages that might be required by any configuration?

Carl, do you have the AVC's you used to create this policy?

No, but it was just built with something like

grep some.l2tp.regex /var/log/audit/audit.log | audit2allow

It took a few tries to get all the parts.

Well I need the AVC's to beable ot build the policy.

*** Bug 924840 has been marked as a duplicate of this bug. ***

(In reply to comment #23)
> Well I need the AVC's to beable ot build the policy.

Mar 22 18:37:33 mysystem kernel: [  552.972740] type=1400 audit(1363963053.616:4): avc:  denied  { name_bind } for  pid=1564 comm="nm-l2tp-service" src=1701 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:l2tp_port_t:s0 tclass=udp_socket
Mar 22 18:37:33 mysystem kernel: [  553.034018] type=1400 audit(1363963053.678:5): avc:  denied  { rename } for  pid=1564 comm="nm-l2tp-service" name="ipsec.secrets" dev="dm-1" ino=394807 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:object_r:ipsec_key_file_t:s0 tclass=file

Is this the information you need?

I've been debugging this issue, myself.  There are three things that need to be address for Fedora to connect to common L2TP/IPSec VPNs.

First, while NetworkManager will start the ipsec service for IPSec VPNs, it will not do so for L2TP/IPSec.  This should be considered a bug of its own.  It can be worked around by manually enabling the ipsec service, as suggested by Ivan:
 # systemctl enable ipsec.service
 # systemctl start ipsec.service
NetworkManager-0.9.8.0-1.fc18.x86_64
NetworkManager-l2tp-0.9.6-2.fc18.x86_64

Second, the standard configuration for xl2tpd includes the noccp option, which is used on Android devices.  As best I can tell, this option MUST be specified on both sides of a ppp connction when it is specified by either side.  Since it's used on Android, we can expect it to be used on virtually all servers, and we should specify that option in /var/run/nm-ppp-options.xl2tpd.xxxxx.  This can be worked around for now by adding "noccp" to /etc/ppp/options.
NetworkManager-0.9.8.0-1.fc18.x86_64
NetworkManager-l2tp-0.9.6-2.fc18.x86_64

Finally, the SELinux policy does not allow the connection.  I have a smaller policy than Carl suggested.  I used "tail -f" to gather only the AVCs during a successful connection in permissive mode.  I don't know if his policy is larger because he has captured unrelated AVCs or because his client configuration is different.  I'll attach both the policy and AVCs following this comment.
selinux-policy-3.11.1-86.fc18.noarch
selinux-policy-targeted-3.11.1-86.fc18.noarch

Created attachment 717465 [details]
selinux module for NetworkManager-l2tp

Created attachment 717466 [details]
selinux AVCs from connection

(In reply to comment #26)
> First, while NetworkManager will start the ipsec service for IPSec VPNs, it
> will not do so for L2TP/IPSec.  This should be considered a bug of its own. 
> It can be worked around by manually enabling the ipsec service, as suggested
> by Ivan:
>  # systemctl enable ipsec.service
>  # systemctl start ipsec.service
> NetworkManager-0.9.8.0-1.fc18.x86_64
> NetworkManager-l2tp-0.9.6-2.fc18.x86_64

Is NetworkManager-l2tp must start ipsec service when connecting?

NetworkManager-l2tp starts ipsec internally with 'ipsec setup restart'

It is mean than first step is passed. In really 'ipsec setup restart' uses /usr/libexec/ipsec/setup. This setup is regular System V service. Maybe it should be replaced with systemd service?

(In reply to comment #26)
> First, while NetworkManager will start the ipsec service for IPSec VPNs, it
> will not do so for L2TP/IPSec.  This should be considered a bug of its own. 
> It can be worked around by manually enabling the ipsec service, as suggested
> by Ivan:
>  # systemctl enable ipsec.service
>  # systemctl start ipsec.service
> NetworkManager-0.9.8.0-1.fc18.x86_64
> NetworkManager-l2tp-0.9.6-2.fc18.x86_64

As Ivan said, plugin issues command "ipsec setup restart" https://github.com/seriyps/NetworkManager-l2tp/blob/0.9.6/src/nm-l2tp-service.c#L903 and this is the ~equiualent of systemctl restart ipsec.service

> Second, the standard configuration for xl2tpd includes the noccp option,
> which is used on Android devices.  As best I can tell, this option MUST be
> specified on both sides of a ppp connction when it is specified by either
> side.  Since it's used on Android, we can expect it to be used on virtually
> all servers, and we should specify that option in
> /var/run/nm-ppp-options.xl2tpd.xxxxx.  This can be worked around for now by
> adding "noccp" to /etc/ppp/options.
> NetworkManager-0.9.8.0-1.fc18.x86_64
> NetworkManager-l2tp-0.9.6-2.fc18.x86_64

Are you really sure, it must be specified on both sides? If yes, I can add checkbox on PPP settings tab, but not add it by default.

(In reply to all)

For better debug output, please, use instructions from https://github.com/seriyps/NetworkManager-l2tp/wiki#how-to-report-bugs

PS: I'm upstream maintainer/developer

Sorry about the delay.  The ISP providing my former email address has apparently died.

> As Ivan said, plugin issues command "ipsec setup restart"
> https://github.com/seriyps/NetworkManager-l2tp/blob/0.9.6/src/nm-l2tp-
> service.c#L903 and this is the ~equiualent of systemctl restart ipsec.service

I'm not sure why that doesn't work, but you can easily verify that it does not:

# "sh", "-c", ". /var/run/pluto/ipsec.info;PATH=/usr/local/sbin:/usr/sbin:/sbin; export PATH;[ \"x$defaultrouteaddr\" = \"x\" ] && ipsec setup restart"
sh: /var/run/pluto/ipsec.info: No such file or directory

For some reason, sh does not process the additional commands, so ipsec setup restart will only actually happen if ipsec is already running (that is, if /var/run/pluto/ipsec.info exists.)

> Are you really sure, it must be specified on both sides? If yes, I can add
> checkbox on PPP settings tab, but not add it by default.

Well, I haven't gone through the source to find out why not, but I've tested this fairly thoroughly.  If the server does not specify "noccp" in its ppp options file, then Android clients will not be able to negotiate ppp.  Once the "noccp" option is added to the server, GNU clients will not negotiate ppp until they also specify it.

Given that, it really seems like overkill to include another option.  Unless there are real-world servers that properly support iOS and Android, and which don't require the "noccp" option, everyone's life will be easier if that's simply made the standard configuration and no new checkboxes are introduced.  The checkbox is useless if no one needs it.

http://www.gnu.org/software/bash/manual/html_node/Bash-POSIX-Mode.html

#12  Non-interactive shells exit if filename in . filename is not found. 

...so this is the documented behavior of bash in POSIX mode, which it will be for system()

This message is a reminder that Fedora 17 is nearing its end of life.
Approximately 4 (four) weeks from now Fedora will stop maintaining
and issuing updates for Fedora 17. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '17'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 17's end of life.

Bug Reporter:  Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 17 is end of life. If you 
would still like  to see this bug fixed and are able to reproduce it 
against a later version  of Fedora, you are encouraged  change the 
'version' to a later Fedora version prior to Fedora 17's end of life.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

I've tested Fedora 19, and all of the problems are still present.  The options file requires "noccp", SELinux still needs an extended policy, and IPSec must be manually started.  Can someone bump the "version" on this bug entry?

I was also suffered from the same issue in F19.x86_64.

After finding out the conversations above, I have prepared clean-installed Fedora 19 system and changed these settings:

1. # setenforce 0
2. # systemctl start ipsec

Then I tried to connect to my VPN server using NM; it went well. :)

After this try, I got the following:
# audit2allow -b -w
type=AVC msg=audit(1376835388.779:679): avc:  denied  { search } for  pid=18729 comm="sh" name="pluto" dev="tmpfs" ino=380054 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir

Thus, I can conclude that current F19 has (at least) these 2 problems concerning L2TP/IPsec VPN and NetworkManager:
1. IPsec daemon should be started before establishing L2TP connections, but it is not; it runs just "ipsec setup restart", which should fail if the deamon is not started.
2. There is a missing SELinux rule, which is needed to work properly, in the current policy package.

So, my conclusion is the same as others are discussing, isn't it? I belive preparing patches for the is not so difficult. Why is there no progress?

P.S. About the "ipsec setup restart", I think we just have to s/setup\ //; it should work fine, as long as reading the source of /usr/sbin/ipsec .

As I can remember ipsec required specific settings. 
[root@localhost ~]# ipsec setup restart
systemd: ipsec service is not running
What I am doing wrong?

Try:
# ipsec restart

Oh, it does not work again after rebooting... Still investigating.

#40
This was a SELinux problem. When I run "# setenforce 0" regardless of custom SELinux policies which was generated in the prior steps, it worked.

The most incomprehensible thing is that there was no message about this in audit.log; there is no way for me to examine what is wrong with SELinux.



Although I got a log using journalctl saying:

Aug 19 02:22:39 dsk1.makotom.org pluto[6915]: initiating all conns with alias='nm-ipsec-l2tpd-6959'
Aug 19 02:22:39 dsk1.makotom.org NetworkManager[460]: 000 initiating all conns with alias='nm-ipsec-l2tpd-6959'
Aug 19 02:22:39 dsk1.makotom.org NetworkManager[460]: 021 no connection named "nm-ipsec-l2tpd-6959"

while in Permissive mode it was like:

Aug 19 02:34:29 dsk1.makotom.org pluto[8125]: loading secrets from "/etc/ipsec.secrets"
Aug 19 02:34:29 dsk1.makotom.org NetworkManager[460]: 002 loading secrets from "/etc/ipsec.secrets"
Aug 19 02:34:29 dsk1.makotom.org ipsec_starter[8190]: Warning: ignored obsolete keyword 'force_keepalive'
Aug 19 02:34:29 dsk1.makotom.org pluto[8125]: added connection description "nm-ipsec-l2tpd-8162"

However, running
# /bin/sh /usr/libexec/ipsec/auto --config /var/run/nm-ipsec-l2tp.6959/ipsec.conf --verbose --add nm-ipsec-l2tpd-6959
after it failed to establish IPsec connection worked as expected.

Therefore, it is obvious that SELinux prevents nm-l2tp-service run by NetworkManager to run ipsec binaries with custom configuration files in some manner.
That's all I was able to pull out with my knowledge about SELinux...



I am really sad to report that running /usr/lib/NetworkManager/nm-l2tp-service --debug as root suppresses this issue...

$ cat /etc/selinux/config 

# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
#     enforcing - SELinux security policy is enforced.
#     permissive - SELinux prints warnings instead of enforcing.
#     disabled - No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
#     targeted - Targeted processes are protected,
#     minimum - Modification of targeted policy. Only selected processes are protected. 
#     mls - Multi Level Security protection.
SELINUXTYPE=targeted

(In reply to Makoto Mizukami from comment #41)
> #40

> The most incomprehensible thing is that there was no message about this in
> audit.log; there is no way for me to examine what is wrong with SELinux.

semodule -DB
  run some tests
semodule -B

Policy entries have a 'dontaudit' flag, the -D disables that so you get everything logged.

(In reply to Carl Byington from comment #43)
> semodule -DB
Thanks! That's it!



Then I recreated a module with the following command:

# cat '
type=AVC msg=audit(1376835388.779:679): avc:  denied  { search } for  pid=18729 comm="sh" name="pluto" dev="tmpfs" ino=380054 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir
type=AVC msg=audit(1376858464.965:724): avc:  denied  { search } for  pid=6121 comm="addconn" name="nm-ipsec-l2tp.850" dev="tmpfs" ino=27374 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:l2tpd_var_run_t:s0 tclass=dir
' | audit2allow -M my-l2tp-ipsec

It looks like working well in Enforcing mode.

Created attachment 793782 [details]
Fixes ipsec restart and noccp options

I've tested F19 today and these seem to be the last required fixes.

First, /var/run/pluto/ipsec.info isn't sourced unless it exists.  That allows ipsec to be started when necessary.

Second, the noccp option is added to the ppp options file.  I mentioned previously that pppd+xl2tpd on Linux won't support Android and iOS without this option, and that pppd+NetworkManager-l2tp on Linux won't connect to such a server without a matching configuration.

(In reply to Gordon Messmer from comment #45)

Thanks.
Ipsec changes merged to upstream, but I didn't test if it works or no, because I have no IPSec server. https://github.com/seriyps/NetworkManager-l2tp/commit/cf9073df710b4c650b7617a88720d4d4cd0a51bf

noccp option by default merged too, I have tested it with my ISP VPN and it works good with and without that option. https://github.com/seriyps/NetworkManager-l2tp/commit/5fe98f70344e842faa28014be7ba259c2db7ae8b

> noccp  Disable  CCP  (Compression  Control  Protocol)  negotiation.   This  option should only be required if the peer is buggy and gets confused by
> requests from pppd for CCP negotiation.

But I still not sure - maybe add additional option for it in interface?

> But I still not sure - maybe add additional option for it in interface?

If I were you, I'd wait for someone to request it.  I'm not sure the option would benefit anyone.

Regarding SELinux, I wanted to confirm and follow up on Makoto's report.  These three should probably be added to the policy:

First, NetworkManager-l2tp runs sh and sources /var/run/pluto/ipsec.info to determine whether or not to restart ipsec, so that needs to be allowed:

type=AVC msg=audit(1378830567.245:1581): avc:  denied  { search } for  pid=16469 comm="sh" name="pluto" dev="tmpfs" ino=16321 scontext=system_u:system_r:l2tpd_t:s0 tcontext=system_u:object_r:ipsec_var_run_t:s0 tclass=dir

Second, NetworkManager-l2tp creates an ipsec configuration file at /var/run/nm-ipsec-l2tp.%d/ipsec.conf and runs addcon to start ipsec, which needs to be allowed.

type=AVC msg=audit(1378830911.583:1611): avc:  denied  { search } for  pid=16783 comm="addconn" name="nm-ipsec-l2tp.16747" dev="tmpfs" ino=391633 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:l2tpd_var_run_t:s0 tclass=dir

NetworkManger-l2tp doesn't run "ip" directly, so I'm not sure if this needs to be allowed or not:

type=AVC msg=audit(1378831022.548:1636): avc:  denied  { read write } for  pid=17036 comm="ip" path="socket:[392039]" dev="sockfs" ino=392039 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=unix_stream_socket

Dan, can these be added to the policy?

40eba1fd4db6a69ca7e007221e53921f3812d6ec fixes this in git.

NetworkManager-l2tp-0.9.8-4.fc19 has been submitted as an update for Fedora 19.
https://admin.fedoraproject.org/updates/NetworkManager-l2tp-0.9.8-4.fc19

NetworkManager-l2tp-0.9.8-4.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/NetworkManager-l2tp-0.9.8-4.fc18

Package NetworkManager-l2tp-0.9.8-4.fc18:
* should fix your issue,
* was pushed to the Fedora 18 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing NetworkManager-l2tp-0.9.8-4.fc18'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-17458/NetworkManager-l2tp-0.9.8-4.fc18
then log in and leave karma (feedback).

NetworkManager-l2tp-0.9.8-4.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

NetworkManager-l2tp-0.9.8-4.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

NetworkManager-l2tp-0.9.8-4.fc20 has been submitted as an update for Fedora 20.
https://admin.fedoraproject.org/updates/NetworkManager-l2tp-0.9.8-4.fc20

Package NetworkManager-l2tp-0.9.8-4.fc20:
* should fix your issue,
* was pushed to the Fedora 20 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing NetworkManager-l2tp-0.9.8-4.fc20'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2013-19778/NetworkManager-l2tp-0.9.8-4.fc20
then log in and leave karma (feedback).

NetworkManager-l2tp-0.9.8-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

I believe I am still suffering from this bug.

Running NetworkManager-l2tp-0.9.8.5-1.fc20.x86_64 and connecting to an L2TP/IPsec VPN fails with:

  NetworkManager[818]: can not load config '/var/run/nm-ipsec-l2tp.12498/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.12498/ipsec.conf'

Furthermore, after pluto fails like this, NetworkManager thinks it has succeeded, and proceeds to launch xl2tpd insecurely (i.e. my L2TP traffic starts going in plain text -- WTF):

  NetworkManager[818]: ** (nm-l2tp-service:12498): WARNING **: Possible error in IPSec setup.
  NetworkManager[818]: ** Message: ipsec ready for action
  NetworkManager[818]: ** Message: xl2tpd started with pid 12670
  NetworkManager[818]: xl2tpd[12670]: Connection established to 1.2.3.4, 1701.  Local: 7997, Remote: 11 (ref=0/0).

The above is a grave security problem. If IPsec is enabled, and it fails as above, it should refuse to connect.

After running "setenforce Permissive", pluto is happy to attempt to connect.

(In my case it does not actually work after that, because my VPN requires PFS of modp2048, but the plugin has modp1024 hardcoded in with no obvious way to change this, but that problem is outside the scope of this bug.)

(In reply to Jeremy Visser from comment #58)
> Furthermore, after pluto fails like this, NetworkManager thinks it has
> succeeded, and proceeds to launch xl2tpd insecurely (i.e. my L2TP traffic
> starts going in plain text -- WTF):
> 
>   NetworkManager[818]: ** (nm-l2tp-service:12498): WARNING **: Possible
> error in IPSec setup.
>   NetworkManager[818]: ** Message: ipsec ready for action
>   NetworkManager[818]: ** Message: xl2tpd started with pid 12670
>   NetworkManager[818]: xl2tpd[12670]: Connection established to 1.2.3.4,
> 1701.  Local: 7997, Remote: 11 (ref=0/0).
> 
> The above is a grave security problem. If IPsec is enabled, and it fails as
> above, it should refuse to connect.
> 

I fixed this https://github.com/seriyps/NetworkManager-l2tp/commit/73a30d4a0cc667a7fd9aadb91e84a5108a9ce698 Thanks! Now it stop attempting to connect if IPSec failed.

New version 0.9.8.6

https://admin.fedoraproject.org/updates/NetworkManager-l2tp-0.9.8.6-1.fc20

Hi,
I would like to up this topic as I have an issue with my IPSEC/L2TP VPN connexion using the latest version: NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64

When using the latest version I cannot connect to the VPN:
[root@evangelion-nerv log]# tail -f messages | grep -i networkmanager
Apr 25 13:01:59 evangelion-nerv yum[13903]: Updated: NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64
Apr 25 13:02:20 evangelion-nerv NetworkManager[926]: <info> Starting VPN service 'l2tp'...
Apr 25 13:02:20 evangelion-nerv NetworkManager[926]: <info> VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 13917
Apr 25 13:02:20 evangelion-nerv NetworkManager[926]: <info> VPN service 'l2tp' appeared; activating connections
Apr 25 13:02:20 evangelion-nerv NetworkManager[926]: <info> VPN plugin state changed: init (1)
Apr 25 13:02:21 evangelion-nerv NetworkManager[926]: <info> VPN connection 'IPsec/L2TP' (ConnectInteractive) reply received.
Apr 25 13:02:21 evangelion-nerv NetworkManager[926]: <info> VPN plugin state changed: starting (3)
Apr 25 13:02:21 evangelion-nerv NetworkManager: ** Message: Use '82.66.147.74' as a gateway
Apr 25 13:02:21 evangelion-nerv NetworkManager: ** Message: Check port 1701
Apr 25 13:02:21 evangelion-nerv NetworkManager: ** Message: ipsec enable flag: yes
Apr 25 13:02:21 evangelion-nerv NetworkManager: ** Message: starting ipsec
Apr 25 13:02:21 evangelion-nerv NetworkManager: systemd: ipsec service is not running
Apr 25 13:02:21 evangelion-nerv NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Apr 25 13:02:21 evangelion-nerv NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Apr 25 13:02:21 evangelion-nerv NetworkManager: Warning: ignored obsolete keyword 'force_keepalive'
Apr 25 13:02:21 evangelion-nerv NetworkManager: connect(pluto_ctl) failed: No such file or directory
Apr 25 13:02:21 evangelion-nerv NetworkManager: debugging mode enabled
Apr 25 13:02:21 evangelion-nerv NetworkManager: end of file /var/run/nm-ipsec-l2tp.13917/ipsec.conf
Apr 25 13:02:21 evangelion-nerv NetworkManager: Warning: ignored obsolete keyword 'force_keepalive'
Apr 25 13:02:21 evangelion-nerv NetworkManager: Loading conn nm-ipsec-l2tpd-13917
Apr 25 13:02:21 evangelion-nerv NetworkManager: connection's  policy label: (null)
Apr 25 13:02:21 evangelion-nerv NetworkManager: starter: case KH_DEFAULTROUTE: empty
Apr 25 13:02:21 evangelion-nerv NetworkManager: conn: "nm-ipsec-l2tpd-13917" loopback=0
Apr 25 13:02:21 evangelion-nerv NetworkManager: conn: "nm-ipsec-l2tpd-13917" labeled_ipsec=0
Apr 25 13:02:21 evangelion-nerv NetworkManager: conn: "nm-ipsec-l2tpd-13917" policy_label=(null)
Apr 25 13:02:21 evangelion-nerv NetworkManager: conn: "nm-ipsec-l2tpd-13917" modecfgdomain=(null)
Apr 25 13:02:21 evangelion-nerv NetworkManager: conn: "nm-ipsec-l2tpd-13917" modecfgbanner=(null)
Apr 25 13:02:21 evangelion-nerv NetworkManager: connect(pluto_ctl) failed: No such file or directory
Apr 25 13:02:21 evangelion-nerv NetworkManager: opening file: /var/run/nm-ipsec-l2tp.13917/ipsec.conf
Apr 25 13:02:21 evangelion-nerv NetworkManager: loading named conns: nm-ipsec-l2tpd-13917
Apr 25 13:02:21 evangelion-nerv NetworkManager: parse_src = 1, parse_gateway = 0, has_dst = 1
Apr 25 13:02:21 evangelion-nerv NetworkManager: dst 82.66.147.74 via 138.195.30.1 dev em1 src 138.195.30.44
Apr 25 13:02:21 evangelion-nerv NetworkManager: set addr: 138.195.30.44
Apr 25 13:02:21 evangelion-nerv NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Apr 25 13:02:21 evangelion-nerv NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Apr 25 13:02:21 evangelion-nerv NetworkManager[926]: <info> VPN connection 'IPsec/L2TP' (Connect) reply received.
Apr 25 13:02:21 evangelion-nerv NetworkManager[926]: <warn> VPN connection 'IPsec/L2TP' failed to connect: 'Possible error in IPSec setup.'.
Apr 25 13:02:21 evangelion-nerv NetworkManager[926]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.


When downgrading to previous version: 
Apr 25 13:03:08 evangelion-nerv yum[13977]: Installed: NetworkManager-l2tp-0.9.8-4.fc20.x86_64


Everything works well. Please reopen this case as it is not fixed!

Any new AVC information?

Hi,
Still no AVC info with latest updates:
May 26 08:54:09 Updated: selinux-policy-doc-3.12.1-166.fc20.noarch
May 26 08:54:31 Updated: selinux-policy-targeted-3.12.1-166.fc20.noarch

Using the latest NetworkManager-l2tp still cannot connect but with the previous I can:
$ sudo yum downgrade NetworkManager-l2tp 
Résolution des dépendances
--> Lancement de la transaction de test
---> Le paquet NetworkManager-l2tp.x86_64 0:0.9.8-4.fc20 sera une rétrogradation
---> Le paquet NetworkManager-l2tp.x86_64 0:0.9.8.6-1.fc20 sera effacé
--> Résolution des dépendances terminée

Dépendances résolues

================================================================================
 Package                   Architecture Version              Dépôt        Taille
================================================================================
Retour à la version précédente :
 NetworkManager-l2tp       x86_64       0.9.8-4.fc20         fedora        90 k

Résumé de la transaction
================================================================================
Retour à la version précédente  1 Paquet

Taille totale des téléchargements : 90 k
Is this ok [y/d/N]: y
Downloading packages:
NetworkManager-l2tp-0.9.8-4.fc20.x86_64.rpm                |  90 kB   00:00     
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installation : NetworkManager-l2tp-0.9.8-4.fc20.x86_64                    1/2 
  Nettoyage    : NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64                  2/2 
  Vérification : NetworkManager-l2tp-0.9.8-4.fc20.x86_64                    1/2 
  Vérification : NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64                  2/2 

Supprimé :
  NetworkManager-l2tp.x86_64 0:0.9.8.6-1.fc20                                   

Installé :
  NetworkManager-l2tp.x86_64 0:0.9.8-4.fc20                                     

Terminé !

Dan, two of the three AVCs that I reported in comment 48 are still present on Fedora 20 with NetworkManager-l2tp-0.9.8-4.fc20.x86_64.  The newer version of NetworkManager-l2tp simply doesn't work, but that's not related to SELinux.

Saved too soon.  Thse are the two AVCs.

type=AVC msg=audit(1401215326.189:474): avc:  denied  { search } for  pid=5747 comm="addconn" name="nm-ipsec-l2tp.5589" dev="tmpfs" ino=75419 scontext=system_u:system_r:ipsec_mgmt_t:s0 tcontext=system_u:object_r:l2tpd_var_run_t:s0 tclass=dir
type=AVC msg=audit(1401215326.375:480): avc:  denied  { read write } for  pid=5774 comm="ip" path="socket:[75543]" dev="sockfs" ino=75543 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ipsec_t:s0 tclass=unix_stream_socket

These are dontaudited in the Rawhide policy.
 audit2allow -i /tmp/t1


#============= ifconfig_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow ifconfig_t ipsec_t:unix_stream_socket { read write };

#============= ipsec_mgmt_t ==============

#!!!! This avc has a dontaudit rule in the current policy
allow ipsec_mgmt_t l2tpd_var_run_t:dir search;

Dan, I'm not sure how that's helpful.  I'm able to establish connections in permissive mode, but not in enforcing.

Am I reporting the wrong AVCs?  My understanding was that dontaudit rules are still denials, and in this case those need to be allowed in order for L2tp/Ipsec connections to work.

Server ist a fedora 19 ipsec/xl2tpd/pptpd server with libreswan.

It's working via Android, SELINUX is disabled atm:

CLIENT: 

Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: initiating Main Mode
Jun 20 18:12:29 eve NetworkManager: 104 "nm-ipsec-l2tpd-9072" #1: STATE_MAIN_I1: initiate
Jun 20 18:12:29 eve NetworkManager: 003 "nm-ipsec-l2tpd-9072" #1: received Vendor ID payload [Dead Peer Detection]
Jun 20 18:12:29 eve NetworkManager: 003 "nm-ipsec-l2tpd-9072" #1: received Vendor ID payload [FRAGMENTATION]
Jun 20 18:12:29 eve NetworkManager: 003 "nm-ipsec-l2tpd-9072" #1: received Vendor ID payload [RFC 3947]
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
Jun 20 18:12:29 eve NetworkManager: 106 "nm-ipsec-l2tpd-9072" #1: STATE_MAIN_I2: sent MI2, expecting MR2
Jun 20 18:12:29 eve NetworkManager: 003 "nm-ipsec-l2tpd-9072" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: Not sending INITIAL_CONTACT
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
Jun 20 18:12:29 eve NetworkManager: 108 "nm-ipsec-l2tpd-9072" #1: STATE_MAIN_I3: sent MI3, expecting MR3
Jun 20 18:12:29 eve NetworkManager: 003 "nm-ipsec-l2tpd-9072" #1: received Vendor ID payload [CAN-IKEv2]
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: Main mode peer ID is ID_IPV4_ADDR: '83.246.80.153'
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #1: transition from state STATE_MAIN_I3 to state STATE_MAIN_I4
Jun 20 18:12:29 eve NetworkManager: 004 "nm-ipsec-l2tpd-9072" #1: STATE_MAIN_I4: ISAKMP SA established {auth=OAKLEY_PRESHARED_KEY cipher=oakley_3des_cbc_192 prf=oakley_sha group=modp1024}
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #2: initiating Quick Mode PSK+ENCRYPT+UP+IKEv2ALLOW+SAREFTRACK+IKE_FRAG {using isakmp#1 msgid:248266fe proposal=3DES(3)_192-SHA1(2)_160 pfsgroup=no-pfs}
Jun 20 18:12:29 eve NetworkManager: 117 "nm-ipsec-l2tpd-9072" #2: STATE_QUICK_I1: initiate
Jun 20 18:12:29 eve NetworkManager: 002 "nm-ipsec-l2tpd-9072" #2: transition from state STATE_QUICK_I1 to state STATE_QUICK_I2
Jun 20 18:12:29 eve NetworkManager: 004 "nm-ipsec-l2tpd-9072" #2: STATE_QUICK_I2: sent QI2, IPsec SA established transport mode {ESP/NAT=>0x975e29eb <0x80d7ad5d xfrm=3DES_0-HMAC_SHA1 NATOA=none NATD=83.246.80.153:4500 DPD=none}
Jun 20 18:12:29 eve NetworkManager[943]: <info> VPN connection 'vpn.evolution-hosting.eu' (Connect) reply received.
Jun 20 18:12:29 eve NetworkManager[943]: <warn> VPN connection 'vpn.evolution-hosting.eu' failed to connect: 'Possible error in IPSec setup.'.
Jun 20 18:12:29 eve NetworkManager[943]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jun 20 18:12:29 eve NetworkManager: 002 forgetting secrets
Jun 20 18:12:29 eve NetworkManager: 002 loading secrets from "/etc/ipsec.secrets"
Jun 20 18:12:32 eve NetworkManager: nm-pptp-service-8772 warn[open_inetsock:pptp_callmgr.c:352]: connect: Connection timed out
Jun 20 18:12:32 eve NetworkManager: nm-pptp-service-8772 fatal[callmgr_main:pptp_callmgr.c:134]: Could not open control connection to 83.246.80.153
Jun 20 18:12:35 eve NetworkManager[943]: <info> VPN service 'l2tp' disappeared


Server: 

Jun 20 18:11:03 vpn pluto[7117]: | cmd(   0):2>&1 PLUTO_VERB='up-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior2' PL:
Jun 20 18:11:03 vpn pluto[7117]: | executing prepare-host: 2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior2' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='83.246.80.129' PLUTO_ME='83.246.80.153' PLUTO_MY_ID='83.246.80.153' PLUTO_MY_CLIENT='83.246.80.153/32' PLUTO_MY_CLIENT_NET='83.246.80.153' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_SA_REQID='16392' PLUTO_PEER='62.226.149.39' PLUTO_PEER_ID='@GroupVPN' PLUTO_PEER_CLIENT='192.168.0.34/32' PLUTO_PEER_CLIENT_NET='192.168.0.34' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey'   PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME=''  PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
Jun 20 18:11:03 vpn pluto[7117]: | cmd(   0):2>&1 PLUTO_VERB='prepare-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior:
Jun 20 18:11:03 vpn pluto[7117]: | executing route-host: 2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior2' PLUTO_INTERFACE='eth0' PLUTO_NEXT_HOP='83.246.80.129' PLUTO_ME='83.246.80.153' PLUTO_MY_ID='83.246.80.153' PLUTO_MY_CLIENT='83.246.80.153/32' PLUTO_MY_CLIENT_NET='83.246.80.153' PLUTO_MY_CLIENT_MASK='255.255.255.255' PLUTO_MY_PORT='1701' PLUTO_MY_PROTOCOL='17' PLUTO_SA_REQID='16392' PLUTO_PEER='62.226.149.39' PLUTO_PEER_ID='@GroupVPN' PLUTO_PEER_CLIENT='192.168.0.34/32' PLUTO_PEER_CLIENT_NET='192.168.0.34' PLUTO_PEER_CLIENT_MASK='255.255.255.255' PLUTO_PEER_PORT='0' PLUTO_PEER_PROTOCOL='17' PLUTO_PEER_CA='' PLUTO_STACK='netkey'   PLUTO_CONN_POLICY='PSK+ENCRYPT+TUNNEL+DONTREKEY+IKEv2ALLOW+SAREFTRACK+IKE_FRAG' PLUTO_CONN_ADDRFAMILY='ipv4' XAUTH_FAILED=0 PLUTO_XAUTH_USERNAME=''  PLUTO_IS_PEER_CISCO='0' PLUTO_PEER_DNS_INFO='' PLUTO_PEER_DOMAIN_INFO='' PLUTO_PEER_BANNER='' PLUTO_NM_CONFIGURED='0' ipsec _updown
Jun 20 18:11:03 vpn pluto[7117]: | cmd(   0):2>&1 PLUTO_VERB='route-host' PLUTO_VERSION='2.0' PLUTO_CONNECTION='roadwarrior2':
Jun 20 18:11:03 vpn pluto[7117]: | route_and_eroute: instance "roadwarrior2"[10] 62.226.149.39, setting eroute_owner {spd=0xb84b477c,sr=0xb84b477c} to #10 (was #0) (newest_ipsec_sa=#0)
Jun 20 18:11:03 vpn pluto[7117]: | inI2: instance roadwarrior2[10], setting newest_ipsec_sa to #10 (was #0) (spd.eroute=#10)
Jun 20 18:11:03 vpn pluto[7117]: "roadwarrior2"[10] 62.226.149.39 #10: transition from state STATE_QUICK_R1 to state STATE_QUICK_R2
Jun 20 18:11:03 vpn pluto[7117]: "roadwarrior2"[10] 62.226.149.39 #10: STATE_QUICK_R2: IPsec SA established tunnel mode {ESP=>0x80d7ad5d <0x975e29eb xfrm=3DES_0-HMAC_SHA1 NATOA=192.168.0.34 NATD=62.226.149.39:34369 DPD=none}


both ends tell me, that the connection is established, but thats it. And the error messages are NOT HELPFUL. 

BTW: PPTP doesn't work either, where it worked via WinXP !

sometimes i think bugreports get just addandoned by the maintainer :(

(In reply to customercare from comment #69)
> sometimes i think bugreports get just addandoned by the maintainer :(

Ok, you may try to send us more verbose log, as described in https://github.com/seriyps/NetworkManager-l2tp/wiki#how-to-report-bugs

And ipsec feature is quite unstable, no one of maintainers didn't uses it.

About not helpful error messages in GUI: that's true, but NM VPN plugin API doesn't provide any method to display custom error message.

About the error messages: /var/log/messages is a good place for detailed error messages them.


Infos: 

Fedora release 20 (Heisenbug)
Linux eve.resellerdesktop.de 3.15.6-200.fc20.x86_64 #1 SMP Fri Jul 18 02:36:27 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

rpm -q NetworkManager-l2tp xl2tpd ppp NetworkManager-openswan libreswan

NetworkManager-l2tp-0.9.8.6-1.fc20.x86_64
xl2tpd-1.3.6-1.fc20.x86_64
ppp-2.4.5-33.fc20.x86_64
Das Paket NetworkManager-openswan ist nicht installiert
libreswan-3.8-1.fc20.x86_64

Debuginfos: 

Jul 30 14:49:07 eve systemd: Started Hostname Service.
Jul 30 14:50:30 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:09 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:09 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:10 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:11 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:11 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:11 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:11 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:11 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:11 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:37 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:51:41 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:52:38 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:52:45 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:52:45 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:52:48 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:52:51 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:52:53 eve gnome-session: ** (gnome-control-center:32531): CRITICAL **: nm_setting_vpn_add_data_item: assertion 'strlen (item) > 0' failed
Jul 30 14:53:03 eve NetworkManager[3228]: <info> VPN plugin state changed: starting (3)
Jul 30 14:53:04 eve ipsec_starter[2022]: Warning: ignored obsolete keyword 'force_keepalive'
Jul 30 14:53:04 eve ipsec_starter[2022]: connect(pluto_ctl) failed: No such file or directory
Jul 30 14:53:04 eve NetworkManager[3228]: <info> VPN connection 'VPN 1' (Connect) reply received.
Jul 30 14:53:04 eve NetworkManager[3228]: <warn> VPN connection 'VPN 1' failed to connect: 'Possible error in IPSec setup.'.
Jul 30 14:53:04 eve NetworkManager[3228]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jul 30 14:53:24 eve NetworkManager[3228]: <info> VPN service 'l2tp' disappeared

#######################################################################################################################################################

** Message: nm-l2tp-service (version 0.9.8.5) starting...
connection
	name : "connection"
	id : "VPN 1" (s)
	uuid : "aaf7280f-a031-4443-a84f-f5a7a3b0b805" (s)
	interface-name : NULL (sd)
	type : "vpn" (s)
	permissions : user:{USERNAME}: (s)
	autoconnect : FALSE (s)
	timestamp : 0 (sd)
	read-only : FALSE (sd)
	zone : NULL (sd)
	master : NULL (sd)
	slave-type : NULL (sd)
	secondaries :  (sd)
	gateway-ping-timeout : 0 (sd)


vpn
	name : "vpn"
	service-type : "org.freedesktop.NetworkManager.l2tp" (s)
	user-name : "{USERNAME}" (s)
	data : gateway=vpn.evolution-hosting.eu,ipsec-group-name=GroupVPN,user={USERNAME},ipsec-enabled=yes,ipsec-psk={L2TP-USERPASSWORD},password-flags=1,refuse-pap=yes (s)
	secrets : password={IPSEC-TUNNELPASSWORD} (s)


ipv6
	name : "ipv6"
	method : "ignore" (s)
	dhcp-hostname : NULL (sd)
	dns :  (s)
	dns-search :  (sd)
	addresses :  (s)
	routes :  (s)
	ignore-auto-routes : FALSE (sd)
	ignore-auto-dns : FALSE (sd)
	never-default : FALSE (sd)
	may-fail : TRUE (sd)
	ip6-privacy : -1 (sd)


ipv4
	name : "ipv4"
	method : "auto" (s)
	dns :  (s)
	dns-search :  (sd)
	addresses :  (s)
	routes :  (s)
	ignore-auto-routes : FALSE (sd)
	ignore-auto-dns : TRUE (s)
	dhcp-client-id : NULL (sd)
	dhcp-send-hostname : TRUE (sd)
	dhcp-hostname : NULL (sd)
	never-default : FALSE (sd)
	may-fail : TRUE (sd)


** Message: Use '83.246.80.153' as a gateway
** Message: Check port 1701
** Message: ipsec enable flag: yes
** Message: starting ipsec
systemd: ipsec service is not running
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Warning: ignored obsolete keyword 'force_keepalive'
connect(pluto_ctl) failed: No such file or directory
opening file: /var/run/nm-ipsec-l2tp.32058/ipsec.conf
debugging mode enabled
end of file /var/run/nm-ipsec-l2tp.32058/ipsec.conf
Warning: ignored obsolete keyword 'force_keepalive'
Loading conn nm-ipsec-l2tpd-32058
connection's  policy label: (null)
starter: case KH_DEFAULTROUTE: empty
loading named conns: nm-ipsec-l2tpd-32058
parse_src = 1, parse_gateway = 0, has_dst = 1
dst 83.246.80.153 via 192.168.0.254 dev p4p1 src 192.168.0.34
set addr: 192.168.0.34
conn: "nm-ipsec-l2tpd-32058" loopback=0
conn: "nm-ipsec-l2tpd-32058" labeled_ipsec=0
conn: "nm-ipsec-l2tpd-32058" policy_label=(null)
conn: "nm-ipsec-l2tpd-32058" modecfgdomain=(null)
conn: "nm-ipsec-l2tpd-32058" modecfgbanner=(null)
connect(pluto_ctl) failed: No such file or directory
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")

# cat /var/run/nm-ipsec-l2tp.32058/ipsec.conf
version 2.0
config setup
  nat_traversal=yes
  force_keepalive=yes
  protostack=netkey
  keep_alive=60

conn nm-ipsec-l2tpd-32058
  auto=add
  type=transport
  auth=esp
  pfs=no
  authby=secret
  keyingtries=0
  left=%defaultroute
  leftid=@GroupVPN
  right=83.246.80.153
  esp=3des-sha1
  keyexchange=ike
  ike=3des-sha1-modp1024
  aggrmode=no
  forceencaps=yes

Just found this typo in the GNOME-GUI-Translation

[checkbox] use Point-to-Point Encryption (MPPE) 

in german, someone wrote "anjreuzfeld" he meant "Ankreuzfeld" (checkbox) in the hover tool tip message :)

Pls forward it to the translation team.

Something changed :

** Message: Use '83.246.80.153' as a gateway
** Message: Check port 1701
** Message: ipsec enable flag: yes
** Message: starting ipsec
Redirecting to: systemctl stop+start ipsec.service
whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
002 forgetting secrets
002 loading secrets from "/etc/ipsec.secrets"
Warning: ignored obsolete keyword 'force_keepalive'
opening file: /var/run/nm-ipsec-l2tp.10448/ipsec.conf
debugging mode enabled
end of file /var/run/nm-ipsec-l2tp.10448/ipsec.conf
Warning: ignored obsolete keyword 'force_keepalive'
Loading conn nm-ipsec-l2tpd-10448
connection's  policy label: (null)
starter: case KH_DEFAULTROUTE: empty
loading named conns: nm-ipsec-l2tpd-10448
parse_src = 1, parse_gateway = 0, has_dst = 1
dst 83.246.80.153 via 192.168.0.254 dev p4p1 src 192.168.0.34
set addr: 192.168.0.34
conn: "nm-ipsec-l2tpd-10448" loopback=0
conn: "nm-ipsec-l2tpd-10448" labeled_ipsec=0
conn: "nm-ipsec-l2tpd-10448" policy_label=(null)
conn: "nm-ipsec-l2tpd-10448" modecfgdomain=(null)
conn: "nm-ipsec-l2tpd-10448" modecfgbanner=(null)
002 "nm-ipsec-l2tpd-10448": deleting connection
002 added connection description "nm-ipsec-l2tpd-10448"
002 "nm-ipsec-l2tpd-10448" #1: initiating Main Mode
104 "nm-ipsec-l2tpd-10448" #1: STATE_MAIN_I1: initiate
003 "nm-ipsec-l2tpd-10448" #1: received Vendor ID payload [Dead Peer Detection]
003 "nm-ipsec-l2tpd-10448" #1: received Vendor ID payload [FRAGMENTATION]
003 "nm-ipsec-l2tpd-10448" #1: received Vendor ID payload [RFC 3947]
002 "nm-ipsec-l2tpd-10448" #1: enabling possible NAT-traversal with method RFC 3947 (NAT-Traversal)
002 "nm-ipsec-l2tpd-10448" #1: transition from state STATE_MAIN_I1 to state STATE_MAIN_I2
106 "nm-ipsec-l2tpd-10448" #1: STATE_MAIN_I2: sent MI2, expecting MR2
003 "nm-ipsec-l2tpd-10448" #1: NAT-Traversal: Result using RFC 3947 (NAT-Traversal): both are NATed
002 "nm-ipsec-l2tpd-10448" #1: Not sending INITIAL_CONTACT
002 "nm-ipsec-l2tpd-10448" #1: transition from state STATE_MAIN_I2 to state STATE_MAIN_I3
108 "nm-ipsec-l2tpd-10448" #1: STATE_MAIN_I3: sent MI3, expecting MR3
002 "nm-ipsec-l2tpd-10448" #1: received 1 malformed payload notifies
010 "nm-ipsec-l2tpd-10448" #1: STATE_MAIN_I3: retransmission; will wait 20s for response
002 "nm-ipsec-l2tpd-10448" #1: received 2 malformed payload notifies
003 "nm-ipsec-l2tpd-10448" #1: discarding duplicate packet; already STATE_MAIN_I3
010 "nm-ipsec-l2tpd-10448" #1: STATE_MAIN_I3: retransmission; will wait 40s for response
002 "nm-ipsec-l2tpd-10448" #1: received 3 malformed payload notifies
003 "nm-ipsec-l2tpd-10448" #1: discarding duplicate packet; already STATE_MAIN_I3

######################################################################

Jul 30 15:08:58 eve NetworkManager[3228]: <info> Starting VPN service 'l2tp'...
Jul 30 15:08:58 eve NetworkManager[3228]: <info> VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 9929
Jul 30 15:08:58 eve NetworkManager[3228]: <info> VPN service 'l2tp' appeared; activating connections
Jul 30 15:09:02 eve NetworkManager[3228]: <info> VPN plugin state changed: starting (3)
Jul 30 15:09:02 eve NetworkManager: ** Message: Use '83.246.80.153' as a gateway
Jul 30 15:09:02 eve NetworkManager: ** Message: Check port 1701
Jul 30 15:09:02 eve NetworkManager: ** Message: ipsec enable flag: yes
Jul 30 15:09:02 eve NetworkManager: ** Message: starting ipsec
Jul 30 15:09:02 eve NetworkManager: Redirecting to: systemctl stop+start ipsec.service
Jul 30 15:09:02 eve systemd: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 30 15:09:02 eve whack: 002 shutting down
Jul 30 15:09:02 eve systemd: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 30 15:09:02 eve systemd: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 30 15:09:02 eve kernel: [22278.291365] AVX2 instructions are not detected.
Jul 30 15:09:02 eve kernel: AVX2 instructions are not detected.
Jul 30 15:09:02 eve kernel: [22278.324270] AVX2 or AES-NI instructions are not detected.
Jul 30 15:09:02 eve kernel: AVX2 or AES-NI instructions are not detected.
Jul 30 15:09:02 eve systemd: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 30 15:09:02 eve NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Jul 30 15:09:02 eve NetworkManager: 002 forgetting secrets
Jul 30 15:09:02 eve NetworkManager: 002 loading secrets from "/etc/ipsec.secrets"
Jul 30 15:09:02 eve NetworkManager: can not load config '/var/run/nm-ipsec-l2tp.9929/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.9929/ipsec.conf'
Jul 30 15:09:02 eve NetworkManager: debugging mode enabled
Jul 30 15:09:02 eve NetworkManager: can not load config '/var/run/nm-ipsec-l2tp.9929/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.9929/ipsec.conf'
Jul 30 15:09:02 eve NetworkManager: opening file: /var/run/nm-ipsec-l2tp.9929/ipsec.conf
Jul 30 15:09:03 eve NetworkManager: 000 initiating all conns with alias='nm-ipsec-l2tpd-9929'
Jul 30 15:09:03 eve NetworkManager: 021 no connection named "nm-ipsec-l2tpd-9929"
Jul 30 15:09:03 eve NetworkManager: 002 forgetting secrets
Jul 30 15:09:03 eve NetworkManager: 002 loading secrets from "/etc/ipsec.secrets"
Jul 30 15:09:03 eve NetworkManager: 002 no secrets filename matched "/etc/ipsec.d/*.secrets"
Jul 30 15:09:03 eve NetworkManager[3228]: <info> VPN connection 'VPN 1' (Connect) reply received.
Jul 30 15:09:03 eve NetworkManager[3228]: <warn> VPN connection 'VPN 1' failed to connect: 'Possible error in IPSec setup.'.
Jul 30 15:09:03 eve NetworkManager[3228]: <warn> error disconnecting VPN: Could not process the request because no VPN connection was active.
Jul 30 15:09:08 eve NetworkManager[3228]: <info> VPN service 'l2tp' disappeared

BTW: 

        ├─sh───sh───pluto─┬─_pluto_adns
        │                 └─7*[{pluto}]

so , pluto is actually running.

I configured the ipsec tunnel myself manually. 

Here is a hint how it works :

1. I had to reset send_redirects , accept_redirects accordingly to "ipsec verify" , which isn't done automatically (?)..

and interestingly, a network restart disabled those, but it still works. I guess you can skip this part :

# ipsec verify
Verifying installed system and configuration files

Version check and ipsec on-path                   	[OK]
Libreswan 3.8 (netkey) on 3.15.6-200.fc20.x86_64
Checking for IPsec support in kernel              	[OK]
 NETKEY: Testing XFRM related proc values
         ICMP default/send_redirects              	[OK]
         ICMP default/accept_redirects            	[OK]
         XFRM larval drop                         	[OK]
Pluto ipsec.conf syntax                           	[OK]
Hardware random device                            	[N/A]
Two or more interfaces found, checking IP forwarding	[FAILED]  *RED* 
Checking rp_filter                                	[ENABLED] *RED*
 /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED] *RED*
 /proc/sys/net/ipv4/conf/ppp0/rp_filter           	[ENABLED] *RED* 
  rp_filter is not fully aware of IPsec and should be disabled
Checking that pluto is running                    	[OK]
 Pluto listening for IKE on udp 500               	[OK]
 Pluto listening for IKE/NAT-T on udp 4500        	[OK]
 Pluto ipsec.secret syntax                        	[OK]
Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
Checking 'ip' command                             	[OK]
Checking 'iptables' command                       	[OK]
Checking 'prelink' command does not interfere with FIPS	[PRESENT]
Checking for obsolete ipsec.conf options          	[OK]
Opportunistic Encryption                          	[DISABLED]

ipsec verify: encountered 7 errors - see 'man ipsec_verify' for help


2. The Ips involved here:

83.246.80.153  VPN Server
192.168.0.254  local gateway
192.168.0.34   local ip       interface p4p1

3. Configs :

# /etc/ipsec.d/vpn.conf 

config setup
       virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
       nat_traversal=yes
       protostack=netkey
       oe=no
# Replace eth0 with your network interface
       plutoopts="--interface=p4p1"
conn L2TP-PSK
       authby=secret
       pfs=yes
       auto=add
       keyingtries=3
       dpddelay=30
       dpdtimeout=120
       dpdaction=clear
       rekey=yes
       ikelifetime=8h
       keylife=1h
       type=transport
# Replace IP address with your local IP (private, behind NAT IP is okay as well)
       left=192.168.0.34
       leftnexthop=%defaultroute
       leftprotoport=17/1701
# Replace IP address with your VPN server's IP
       right=83.246.80.153
       rightprotoport=17/1701

# /etc/ipsec.d/vpn.secrets 
%any 83.246.80.153 : PSK "<-----ENTER IPSEC PASSWORD HERE---->"

[root@eve marius]# cat /etc/xl2tpd/xl2tpd.conf 
;
; This is a minimal sample xl2tpd configuration file for use
; with L2TP over IPsec.

; .... skipping .... 

[global]

[lac vpn-connection]
lns = 83.246.80.153
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes


# /etc/ppp/options.l2tpd.client 
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-mschap-v2
noccp
noauth
idle 1800
mtu 1410
mru 1410
defaultroute
usepeerdns
debug
lock
connect-delay 5000
name <--- VPN USERNAME --->
password <---- VPN PASSWORD --->

# systemctl start ipsec xl2tpd
# ipsec auto --up L2TP-PSK
# echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control

### Comment: there must be a better way to trigger the connection !!!

# ifconfig should show now a ppp0 

4. Routing :

ip route add 83.246.80.153 via 192.168.0.254 dev p4p1
ip route add default via 192.168.1.99 dev ppp0
ip route del default via 192.168.0.254 dev p4p1

5. Result

# route -n
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.99    0.0.0.0         UG    0      0        0 ppp0
83.246.80.153   192.168.0.254   255.255.255.255 UGH   0      0        0 p4p1
192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 p4p1
192.168.1.99    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0

# ifconfig

p4p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.0.34  netmask 255.255.0.0  broadcast 192.168.255.255
        inet6 fe80::4216:7eff:fe24:a01  prefixlen 64  scopeid 0x20<link>
        ether 40:16:7e:24:0a:01  txqueuelen 1000  (Ethernet)
        RX packets 1297423  bytes 1303980487 (1.2 GiB)
        RX errors 0  dropped 17017  overruns 0  frame 0
        TX packets 912236  bytes 96503102 (92.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1410
        inet 83.246.x.x  netmask 255.255.255.255  destination 192.168.1.99
        ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
        RX packets 2359  bytes 2225340 (2.1 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2012  bytes 226762 (221.4 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I have no clue where "83.246.x.x" came from, as it's not involved at all.

###############################################################

@Ivan + Sergey:

If this does not help you finding the bug, i can't help you ;)

I should be very easy now to compare the generated configs and see whats different. So theres no excuse for another longterm silence in this bugreport. 

If you don't have time, send me the sources for x86_64, a few hints about the compile environment it needs and I debug it myself. 

Some questions I have:

- why is the config dynamically generated in /var/run/ instead of /etc/ipsec.d/ (or the according xl2tpd/pppd dirs ) ?

The NetworkManager is asking about a connection name, just use this as a filenamebasis to generate files as you need them. It will reduce complexity and makes less resource intensive starts possible , as the NM is no longer involved.

- how you wanne manage that only this users session can use a tunnel ?

Do i guess correctly, that netfilter will get a rule for the tunnel interface to match for the active uid ?

- Why is there an option "GroupID" in the IPSEC Gui settings ?

I removed it, but it got reinserted. I guess as a default .
I saw it in the created config file, but i didn't catch the purpose of it.

- short analyses of the created NM files:

created ipsec.conf :
  force_keepalive=yes    <-- obsolete
  type=transport         <-- not needed
  auth=esp               <-- what if the server does not support it ?
  pfs=no                 <-- PFS now rules the world, make an option for it to checkbox PFS
  left=%defaultroute     <-- does not work
  leftid=@GroupVPN       <-- how cares ?
  right=83.246.80.153    <-- was correct

### BTW : NM does not remove old sessions from /var/run/ . A bit more housekeeping is advised ###

created nm-xl2tpd.conf :

    name = <VPN USERNAME>     <-- completly unneeded
    autodial = yes            <-- didn't know my ethernetcard is a telephone modem :)

created nm-ppp-options.xl2tpd: 

ipparam nm-l2tp-service-XXXXXXX
nodetach                      <- not used by me
lock                          
usepeerdns
noipdefault                   <- i guess thats somehow usefull if you wanne keep up the default routing tables
nodefaultroute                <- same here
noauth
noccp
name <VPN USERNAME>           
lcp-echo-failure 0            <- does what excatly ?
lcp-echo-interval 0           <- 

Missing : 

ipcp-accept-local
ipcp-accept-remote
refuse-eap                    <- is it msising because it's a security problem ?
require-mschap-v2             <- I know I checked that in the gui !
idle 1800
password <---- VPN PASSWORD --->      

#### The VPN Password is missing, if it's not supplied via a pipe or option to a command, no chance that it will work.

I hope thats enough input ;)

(In reply to customercare from comment #75)
> I configured the ipsec tunnel myself manually. 
> 
> Here is a hint how it works :
> 
> 1. I had to reset send_redirects , accept_redirects accordingly to "ipsec
> verify" , which isn't done automatically (?)..
> 
> and interestingly, a network restart disabled those, but it still works. I
> guess you can skip this part :
> 
> # ipsec verify
> Verifying installed system and configuration files
> 
> Version check and ipsec on-path                   	[OK]
> Libreswan 3.8 (netkey) on 3.15.6-200.fc20.x86_64
> Checking for IPsec support in kernel              	[OK]
>  NETKEY: Testing XFRM related proc values
>          ICMP default/send_redirects              	[OK]
>          ICMP default/accept_redirects            	[OK]
>          XFRM larval drop                         	[OK]
> Pluto ipsec.conf syntax                           	[OK]
> Hardware random device                            	[N/A]
> Two or more interfaces found, checking IP forwarding	[FAILED]  *RED* 
> Checking rp_filter                                	[ENABLED] *RED*
>  /proc/sys/net/ipv4/conf/default/rp_filter        	[ENABLED] *RED*
>  /proc/sys/net/ipv4/conf/ppp0/rp_filter           	[ENABLED] *RED* 
>   rp_filter is not fully aware of IPsec and should be disabled
> Checking that pluto is running                    	[OK]
>  Pluto listening for IKE on udp 500               	[OK]
>  Pluto listening for IKE/NAT-T on udp 4500        	[OK]
>  Pluto ipsec.secret syntax                        	[OK]
> Checking NAT and MASQUERADEing                    	[TEST INCOMPLETE]
> Checking 'ip' command                             	[OK]
> Checking 'iptables' command                       	[OK]
> Checking 'prelink' command does not interfere with FIPS	[PRESENT]
> Checking for obsolete ipsec.conf options          	[OK]
> Opportunistic Encryption                          	[DISABLED]
> 
> ipsec verify: encountered 7 errors - see 'man ipsec_verify' for help
> 
> 
> 2. The Ips involved here:
> 
> 83.246.80.153  VPN Server
> 192.168.0.254  local gateway
> 192.168.0.34   local ip       interface p4p1
> 
> 3. Configs :
> 
> # /etc/ipsec.d/vpn.conf 
> 
> config setup
>        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12
>        nat_traversal=yes
>        protostack=netkey
>        oe=no
> # Replace eth0 with your network interface
>        plutoopts="--interface=p4p1"
> conn L2TP-PSK
>        authby=secret
>        pfs=yes
>        auto=add
>        keyingtries=3
>        dpddelay=30
>        dpdtimeout=120
>        dpdaction=clear
>        rekey=yes
>        ikelifetime=8h
>        keylife=1h
>        type=transport
> # Replace IP address with your local IP (private, behind NAT IP is okay as
> well)
>        left=192.168.0.34
>        leftnexthop=%defaultroute
>        leftprotoport=17/1701
> # Replace IP address with your VPN server's IP
>        right=83.246.80.153
>        rightprotoport=17/1701
> 
> # /etc/ipsec.d/vpn.secrets 
> %any 83.246.80.153 : PSK "<-----ENTER IPSEC PASSWORD HERE---->"
> 
> [root@eve marius]# cat /etc/xl2tpd/xl2tpd.conf 
> ;
> ; This is a minimal sample xl2tpd configuration file for use
> ; with L2TP over IPsec.
> 
> ; .... skipping .... 
> 
> [global]
> 
> [lac vpn-connection]
> lns = 83.246.80.153
> ppp debug = yes
> pppoptfile = /etc/ppp/options.l2tpd.client
> length bit = yes
> 
> 
> # /etc/ppp/options.l2tpd.client 
> ipcp-accept-local
> ipcp-accept-remote
> refuse-eap
> require-mschap-v2
> noccp
> noauth
> idle 1800
> mtu 1410
> mru 1410
> defaultroute
> usepeerdns
> debug
> lock
> connect-delay 5000
> name <--- VPN USERNAME --->
> password <---- VPN PASSWORD --->
> 
> # systemctl start ipsec xl2tpd
> # ipsec auto --up L2TP-PSK
> # echo "c vpn-connection" > /var/run/xl2tpd/l2tp-control
> 
> ### Comment: there must be a better way to trigger the connection !!!

Plugin launches separate xl2tpd instance with generated config - files.

> # ifconfig should show now a ppp0 
> 
> 4. Routing :
> 
> ip route add 83.246.80.153 via 192.168.0.254 dev p4p1
> ip route add default via 192.168.1.99 dev ppp0
> ip route del default via 192.168.0.254 dev p4p1
> 
> 5. Result
> 
> # route -n
> Kernel IP Routentabelle
> Ziel            Router          Genmask         Flags Metric Ref    Use Iface
> 0.0.0.0         192.168.1.99    0.0.0.0         UG    0      0        0 ppp0
> 83.246.80.153   192.168.0.254   255.255.255.255 UGH   0      0        0 p4p1
> 192.168.0.0     0.0.0.0         255.255.0.0     U     0      0        0 p4p1
> 192.168.1.99    0.0.0.0         255.255.255.255 UH    0      0        0 ppp0
> 
> # ifconfig
> 
> p4p1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.0.34  netmask 255.255.0.0  broadcast 192.168.255.255
>         inet6 fe80::4216:7eff:fe24:a01  prefixlen 64  scopeid 0x20<link>
>         ether 40:16:7e:24:0a:01  txqueuelen 1000  (Ethernet)
>         RX packets 1297423  bytes 1303980487 (1.2 GiB)
>         RX errors 0  dropped 17017  overruns 0  frame 0
>         TX packets 912236  bytes 96503102 (92.0 MiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> ppp0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1410
>         inet 83.246.x.x  netmask 255.255.255.255  destination 192.168.1.99
>         ppp  txqueuelen 3  (Punkt-zu-Punkt Verbindung)
>         RX packets 2359  bytes 2225340 (2.1 MiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 2012  bytes 226762 (221.4 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> I have no clue where "83.246.x.x" came from, as it's not involved at all.
> 
> ###############################################################
> 
> @Ivan + Sergey:
> 
> If this does not help you finding the bug, i can't help you ;)
> 
> I should be very easy now to compare the generated configs and see whats
> different. So theres no excuse for another longterm silence in this
> bugreport. 
> 
> If you don't have time, send me the sources for x86_64, a few hints about
> the compile environment it needs and I debug it myself. 

To be honest, yes, I have no time, especialy for ipsec-related stuff, which I don't use personally and which was added by some other peoples long time ago...
If you may help somehow, sources are there https://github.com/seriyps/NetworkManager-l2tp

> Some questions I have:
> 
> - why is the config dynamically generated in /var/run/ instead of
> /etc/ipsec.d/ (or the according xl2tpd/pppd dirs ) ?
> 
> The NetworkManager is asking about a connection name, just use this as a
> filenamebasis to generate files as you need them. It will reduce complexity
> and makes less resource intensive starts possible , as the NM is no longer
> involved.
> 

Ideally (and this is confirmed by NM authors) VPN plugins shouldn't create anything on filesystem (and this is one of the reasons, why this plugin isn't oficial one).
This problem discussed, for example there: https://bugzilla.gnome.org/show_bug.cgi?id=554046#c32

> - how you wanne manage that only this users session can use a tunnel ?
> 
> Do i guess correctly, that netfilter will get a rule for the tunnel
> interface to match for the active uid ?
> 

Not sure, if I understand correctly, but, AFAIK, VPN connection, when established, available for all users. I mean, all routing apply to whole machine, but only one user can start and stop it (while there is still an option 'All users may connect to this network' at 'General' tab).

> - Why is there an option "GroupID" in the IPSEC Gui settings ?
> 
> I removed it, but it got reinserted. I guess as a default .
> I saw it in the created config file, but i didn't catch the purpose of it.

I don't know =)
It was inherited from previous author https://github.com/geocar/NetworkManager-l2tp/commit/f655c2fcd78495f7686bf9cbfff905a01e4f7f2d

> - short analyses of the created NM files:
> 
> created ipsec.conf :
>   force_keepalive=yes    <-- obsolete
>   type=transport         <-- not needed
>   auth=esp               <-- what if the server does not support it ?
>   pfs=no                 <-- PFS now rules the world, make an option for it
> to checkbox PFS
>   left=%defaultroute     <-- does not work
>   leftid=@GroupVPN       <-- how cares ?
>   right=83.246.80.153    <-- was correct
> 
> ### BTW : NM does not remove old sessions from /var/run/ . A bit more
> housekeeping is advised ###
> 

yeah, for some reason they are not removed. Sure, should be fixed.

> created nm-xl2tpd.conf :
> 
>     name = <VPN USERNAME>     <-- completly unneeded
>     autodial = yes            <-- didn't know my ethernetcard is a telephone
> modem :)
> 
> created nm-ppp-options.xl2tpd: 
> 
> ipparam nm-l2tp-service-XXXXXXX
> nodetach                      <- not used by me

nodetach is useful, in a way, that xl2tpd can kill pppd when exiting.

> lock                          
> usepeerdns
> noipdefault                   <- i guess thats somehow usefull if you wanne
> keep up the default routing tables
> nodefaultroute                <- same here
> noauth
> noccp
> name <VPN USERNAME>           
> lcp-echo-failure 0            <- does what excatly ?
> lcp-echo-interval 0           <- 

Last two options are controlled by checkbox 'Send PPP echo packets' in 'PPP settings' dialog.

> Missing : 
> 
> ipcp-accept-local
> ipcp-accept-remote
> refuse-eap                    <- is it msising because it's a security
> problem ?
> require-mschap-v2             <- I know I checked that in the gui !

auth methods options are controlled via GUI.

> idle 1800
> password <---- VPN PASSWORD --->      
> 
> #### The VPN Password is missing, if it's not supplied via a pipe or option
> to a command, no chance that it will work.
> 

Password supplied by pppd plugin via DBus, see https://github.com/seriyps/NetworkManager-l2tp/blob/master/src/nm-l2tp-pppd-plugin.c

> I hope thats enough input ;)


About all that default config options: I have an idea, that configs shouldn't be hardcoded in C code, but should be separate 'template' files with placeholders like

```
[global]

[lac vpn-connection]
lns = {{ lns }}
ppp debug = yes
```

So, user may add options they need without recompiling plugin.

And, as a resume: yes, I know about a lot of problems with ipsec and that configuration UI is very primitive and limited. But implementation was inherited from previous author, plus I don't use ipsec personally and have no IPSec-enabled VPN servers for tests, so I really don't like to touch anything ipsec - related in this plugin. Anyway, patches are always welcome!

Still not solved with 0.9.8.7-1.fc20

On Fedora20, NetworkManager-l2tp-0.9.8-4.fc20.x86_64.rpm works properly, but 0.9.8.7-1.fc20 fails.

On Fedora21, the only available version, NetworkManager-l2tp-0.9.8.7-3.fc21.x86_64 fails.

Created attachment 972147 [details]
modified spec file

The modified spec file above fixes this by reverting to a previously working upstream version. Source rpm is available at www.five-ten-sg.com/util/NetworkManager-l2tp-0.9.8.7-4.fc22.src.rpm

Such .spec is not correct. Should be used patches for the latest upstream version. If only way to fix it is use old version then need to use Epoch tag.

Ivan - I fully agree. It is a terrible quick and dirty patch to (re)enable l2tp connections here. I did not have time to produce patches for the latest (apparently broken) upstream. I left the version that way (no epoch) in the hope that some future proper fix will just update my systems cleanly.

Happy New Year to all of you! 

Hopefully NetworkManager-l2tp in Fedora will be fixed this year once for all!

I'd be an even happier user of Fedora 20 if this would work.

(In reply to Carl Byington from comment #78)
> On Fedora20, NetworkManager-l2tp-0.9.8-4.fc20.x86_64.rpm works properly, but
> 0.9.8.7-1.fc20 fails.
> 
> On Fedora21, the only available version,
> NetworkManager-l2tp-0.9.8.7-3.fc21.x86_64 fails.

For me, with NetworkManager-l2tp-0.9.8-4, indeed, the connection starts at least, but it fails after a while. I'm trying to connect to a L2tp server on CheckPoint 600 appliance.

Please use Microsoft Windows instead, as I do now.
(Thus I am removing myself from the Cc. list.)

(In reply to redacted from comment #85)
> I have the same problem with Fedora 21 when connecting to our company VPN.
> Is there any easy way to test this fix on Fedora 21?

You should be able to rebuild it and install the resulting binary rpm.

wget http://www.five-ten-sg.com/util/NetworkManager-l2tp-0.9.8.7-4.fc22.src.rpm
rpmbuild --rebuild NetworkManager-l2tp-0.9.8.7-4.fc22.src.rpm
yum install ~/rpmbuild/RPMS/x86_64/NetworkManager-l2tp-0.9.8.7-4.fc21.x86_64.rpm

Thanks. This worked well. I noticed that fixed version is older than the one which is in fedora 21. Is there a plan to get this to latest version in into fedora for 22?

I tested this in a virtual environment and it worked. Now I installed fedora 21 as my primary system and I again have problems.

This is what log shows:

Feb 01 22:36:41 redacted.domain NetworkManager[985]: <info>  Starting VPN service 'l2tp'...
Feb 01 22:36:41 redacted.domain NetworkManager[985]: <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 24088
Feb 01 22:36:41 redacted.domain NetworkManager[985]: <info>  VPN service 'l2tp' appeared; activating connections
Feb 01 22:36:41 redacted.domain firewall-config.desktop[20273]: (firewall-config:20273): Gtk-CRITICAL **: gtk_list_store_iter_next: assertion 'priv->stamp == iter->stamp' failed
Feb 01 22:36:41 redacted.domain org.gnome.Caribou.Daemon[1872]: ** (caribou:2131): WARNING **: AT-SPI: Error in GetItems, sender=org.freedesktop.DBus, error=The name :1.178 was not provided by any .service files
Feb 01 22:36:41 redacted.domain NetworkManager[985]: <info>  VPN connection 'VPN' (ConnectInteractive) reply received.
Feb 01 22:36:41 redacted.domain NetworkManager[985]: <info>  VPN plugin state changed: starting (3)
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** Message: Use 'IP_ADDR_REPLACE' as a gateway
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** Message: Check port 1701
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** Message: ipsec enable flag: yes
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** Message: starting ipsec
Feb 01 22:36:41 redacted.domain NetworkManager[985]: systemd: ipsec service is not running
Feb 01 22:36:41 redacted.domain NetworkManager[985]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Feb 01 22:36:41 redacted.domain NetworkManager[985]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Feb 01 22:36:41 redacted.domain NetworkManager[985]: debugging mode enabled
Feb 01 22:36:41 redacted.domain NetworkManager[985]: cannot load config '/var/run/nm-ipsec-l2tp.24088/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.24088/ipsec.conf'
Feb 01 22:36:41 redacted.domain NetworkManager[985]: opening file: /var/run/nm-ipsec-l2tp.24088/ipsec.conf
Feb 01 22:36:41 redacted.domain NetworkManager[985]: debugging mode enabled
Feb 01 22:36:41 redacted.domain NetworkManager[985]: cannot load config '/var/run/nm-ipsec-l2tp.24088/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.24088/ipsec.conf'
Feb 01 22:36:41 redacted.domain NetworkManager[985]: opening file: /var/run/nm-ipsec-l2tp.24088/ipsec.conf
Feb 01 22:36:41 redacted.domain NetworkManager[985]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Feb 01 22:36:41 redacted.domain NetworkManager[985]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:24088): WARNING **: Possible error in IPSec setup.
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** Message: ipsec ready for action
Feb 01 22:36:41 redacted.domain NetworkManager[985]: ** Message: xl2tpd started with pid 24121
Feb 01 22:36:41 redacted.domain NetworkManager[985]: <info>  VPN connection 'VPN' (Connect) reply received.
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Not looking for kernel SAref support.
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Using l2tp kernel support.
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: xl2tpd version xl2tpd-1.3.6 started on redacted.domain PID:24121
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Forked by Scott Balmos and David Stipp, (C) 2001
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Inherited by Jeff McAdams, (C) 2002
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Listening on IP address 0.0.0.0, port 1701
Feb 01 22:36:41 redacted.domain NetworkManager[985]: xl2tpd[24121]: Connecting to host IP_ADDR_REPLACE, port 1701
Feb 01 22:36:46 redacted.domain NetworkManager[985]: xl2tpd[24121]: Maximum retries exceeded for tunnel 26990.  Closing.
Feb 01 22:36:46 redacted.domain NetworkManager[985]: xl2tpd[24121]: Connection 0 closed to IP_ADDR_REPLACE, port 1701 (Timeout)
Feb 01 22:36:51 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:24088): WARNING **: pppd timeout. Looks like pppd didn't initialize our dbus module
Feb 01 22:36:51 redacted.domain NetworkManager[985]: <warn>  VPN plugin failed: unknown (7)
Feb 01 22:36:51 redacted.domain NetworkManager[985]: xl2tpd[24121]: Unable to deliver closing message for tunnel 26990. Destroying anyway.
Feb 01 22:37:21 redacted.domain NetworkManager[985]: <warn>  VPN connection 'VPN' connect timeout exceeded.
Feb 01 22:37:21 redacted.domain NetworkManager[985]: (nm-l2tp-service:24088): GLib-CRITICAL **: Source ID 8 was not found when attempting to remove it
Feb 01 22:37:21 redacted.domain NetworkManager[985]: ** Message: Terminated l2tp daemon with PID 24121.
Feb 01 22:37:21 redacted.domain NetworkManager[985]: xl2tpd[24121]: death_handler: Fatal signal 15 received
Feb 01 22:37:21 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:24088): WARNING **: xl2tpd exited with error code 1

I have got further by restarting services ipsec and xl2tpd.

But I still have problem connecting:

Feb 01 22:55:10 redacted.domain org.gnome.Caribou.Daemon[1872]: ** (caribou:2131): WARNING **: AT-SPI: Error in GetItems, sender=org.freedesktop.DBus, error=The name :1.246 was not provided by any .service files
Feb 01 22:55:10 redacted.domain NetworkManager[985]: <info>  VPN connection 'VPN' (ConnectInteractive) reply received.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: <info>  VPN plugin state changed: starting (3)
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: Use 'IP_ADDR_REPLACE' as a gateway
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: Check port 1701
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: Can't bind to port 1701
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:32118): WARNING **: Port 1701 is busy, use ephemeral.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: ipsec enable flag: yes
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: starting ipsec
Feb 01 22:55:10 redacted.domain NetworkManager[985]: Redirecting to: systemctl stop+start ipsec.service
Feb 01 22:55:10 redacted.domain pluto[32379]: shutting down
Feb 01 22:55:10 redacted.domain pluto[32379]: shutting down interface lo/lo ::1:500
Feb 01 22:55:10 redacted.domain pluto[32379]: shutting down interface lo/lo 127.0.0.1:4500
Feb 01 22:55:10 redacted.domain pluto[32379]: shutting down interface lo/lo 127.0.0.1:500
Feb 01 22:55:10 redacted.domain pluto[32379]: shutting down interface enp6s0/enp6s0 192.168.0.10:4500
Feb 01 22:55:10 redacted.domain pluto[32379]: shutting down interface enp6s0/enp6s0 192.168.0.10:500
Feb 01 22:55:10 redacted.domain whack[32469]: 002 shutting down
Feb 01 22:55:10 redacted.domain kernel: AVX2 instructions are not detected.
Feb 01 22:55:10 redacted.domain kernel: AVX2 or AES-NI instructions are not detected.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Feb 01 22:55:10 redacted.domain pluto[32718]: nss directory plutomain: /etc/ipsec.d
Feb 01 22:55:10 redacted.domain pluto[32718]: NSS Initialized
Feb 01 22:55:10 redacted.domain pluto[32718]: libcap-ng support [enabled]
Feb 01 22:55:10 redacted.domain pluto[32718]: FIPS HMAC integrity verification test passed
Feb 01 22:55:10 redacted.domain pluto[32718]: FIPS: pluto daemon NOT running in FIPS mode
Feb 01 22:55:10 redacted.domain pluto[32718]: Linux audit support [disabled]
Feb 01 22:55:10 redacted.domain pluto[32718]: Starting Pluto (Libreswan Version 3.12 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:32718
Feb 01 22:55:10 redacted.domain pluto[32718]: core dump dir: /var/run/pluto/
Feb 01 22:55:10 redacted.domain pluto[32718]: secrets file: /etc/ipsec.secrets
Feb 01 22:55:10 redacted.domain pluto[32718]: leak-detective disabled
Feb 01 22:55:10 redacted.domain pluto[32718]: SAref support [disabled]: Protocol not available
Feb 01 22:55:10 redacted.domain pluto[32718]: SAbind support [disabled]: Protocol not available
Feb 01 22:55:10 redacted.domain pluto[32718]: NSS crypto [enabled]
Feb 01 22:55:10 redacted.domain pluto[32718]: XAUTH PAM support [enabled]
Feb 01 22:55:10 redacted.domain pluto[32718]: NAT-Traversal support  [enabled]
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_AES_CTR: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: starting up 7 crypto helpers
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 0 (master fd 7)
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 1 (master fd 9)
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 2 (master fd 11)
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 3 (master fd 14)
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 4 (master fd 16)
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 5 (master fd 18)
Feb 01 22:55:10 redacted.domain pluto[32718]: started thread for crypto helper 6 (master fd 20)
Feb 01 22:55:10 redacted.domain pluto[32718]: Using Linux XFRM/NETKEY IPsec interface code on 3.18.3-201.fc21.x86_64
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating aes_gcm_8: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating aes_gcm_12: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: ike_alg_register_enc(): Activating aes_gcm_16: Ok
Feb 01 22:55:10 redacted.domain pluto[32718]: | selinux support is enabled.
Feb 01 22:55:10 redacted.domain pluto[32718]: loading secrets from "/etc/ipsec.secrets"
Feb 01 22:55:10 redacted.domain NetworkManager[985]: 002 loading secrets from "/etc/ipsec.secrets"
Feb 01 22:55:10 redacted.domain NetworkManager[985]: debugging mode enabled
Feb 01 22:55:10 redacted.domain NetworkManager[985]: cannot load config '/var/run/nm-ipsec-l2tp.32118/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.32118/ipsec.conf'
Feb 01 22:55:10 redacted.domain NetworkManager[985]: opening file: /var/run/nm-ipsec-l2tp.32118/ipsec.conf
Feb 01 22:55:10 redacted.domain NetworkManager[985]: debugging mode enabled
Feb 01 22:55:10 redacted.domain NetworkManager[985]: cannot load config '/var/run/nm-ipsec-l2tp.32118/ipsec.conf': can't load file '/var/run/nm-ipsec-l2tp.32118/ipsec.conf'
Feb 01 22:55:10 redacted.domain NetworkManager[985]: opening file: /var/run/nm-ipsec-l2tp.32118/ipsec.conf
Feb 01 22:55:10 redacted.domain NetworkManager[985]: 024 need --listen before --initiate
Feb 01 22:55:10 redacted.domain pluto[32718]: forgetting secrets
Feb 01 22:55:10 redacted.domain pluto[32718]: loading secrets from "/etc/ipsec.secrets"
Feb 01 22:55:10 redacted.domain pluto[32718]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Feb 01 22:55:10 redacted.domain NetworkManager[985]: 002 forgetting secrets
Feb 01 22:55:10 redacted.domain NetworkManager[985]: 002 loading secrets from "/etc/ipsec.secrets"
Feb 01 22:55:10 redacted.domain NetworkManager[985]: 002 no secrets filename matched "/etc/ipsec.d/*.secrets"
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:32118): WARNING **: Possible error in IPSec setup.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: ipsec ready for action
Feb 01 22:55:10 redacted.domain NetworkManager[985]: ** Message: xl2tpd started with pid 307
Feb 01 22:55:10 redacted.domain NetworkManager[985]: <info>  VPN connection 'VPN' (Connect) reply received.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Not looking for kernel SAref support.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Using l2tp kernel support.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: xl2tpd version xl2tpd-1.3.6 started on redacted.domain PID:307
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Forked by Scott Balmos and David Stipp, (C) 2001
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Inherited by Jeff McAdams, (C) 2002
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Listening on IP address 0.0.0.0, port 47798
Feb 01 22:55:10 redacted.domain NetworkManager[985]: xl2tpd[307]: Connecting to host IP_ADDR_REPLACE, port 1701
Feb 01 22:55:11 redacted.domain pluto[32718]: listening for IKE messages
Feb 01 22:55:11 redacted.domain pluto[32718]: adding interface enp6s0/enp6s0 192.168.0.10:500
Feb 01 22:55:11 redacted.domain pluto[32718]: adding interface enp6s0/enp6s0 192.168.0.10:4500
Feb 01 22:55:11 redacted.domain pluto[32718]: adding interface lo/lo 127.0.0.1:500
Feb 01 22:55:11 redacted.domain pluto[32718]: adding interface lo/lo 127.0.0.1:4500
Feb 01 22:55:11 redacted.domain pluto[32718]: adding interface lo/lo ::1:500
Feb 01 22:55:11 redacted.domain pluto[32718]: loading secrets from "/etc/ipsec.secrets"
Feb 01 22:55:11 redacted.domain pluto[32718]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Feb 01 22:55:15 redacted.domain NetworkManager[985]: xl2tpd[307]: Maximum retries exceeded for tunnel 57009.  Closing.
Feb 01 22:55:15 redacted.domain NetworkManager[985]: xl2tpd[307]: Connection 0 closed to IP_ADDR_REPLACE, port 1701 (Timeout)
Feb 01 22:55:20 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:32118): WARNING **: pppd timeout. Looks like pppd didn't initialize our dbus module
Feb 01 22:55:20 redacted.domain NetworkManager[985]: <warn>  VPN plugin failed: unknown (7)
Feb 01 22:55:20 redacted.domain NetworkManager[985]: xl2tpd[307]: Unable to deliver closing message for tunnel 57009. Destroying anyway.
Feb 01 22:55:50 redacted.domain NetworkManager[985]: <warn>  VPN connection 'VPN' connect timeout exceeded.
Feb 01 22:55:50 redacted.domain NetworkManager[985]: (nm-l2tp-service:32118): GLib-CRITICAL **: Source ID 15 was not found when attempting to remove it
Feb 01 22:55:50 redacted.domain NetworkManager[985]: ** Message: Terminated l2tp daemon with PID 307.
Feb 01 22:55:50 redacted.domain NetworkManager[985]: xl2tpd[307]: death_handler: Fatal signal 15 received
Feb 01 22:55:50 redacted.domain NetworkManager[985]: ** (nm-l2tp-service:32118): WARNING **: xl2tpd exited with error code 1
Feb 01 22:56:10 redacted.domain NetworkManager[985]: <info>  VPN service 'l2tp' disappeared

OK, this is strange now. I wanted to test VPN again today and maybe help finding what could be wrong. But today VPN connection works without any issues. I didn't even edit connection. The only thing I did is power up computer.

I will gladly help with logs or anything which will help you getting this stable.

NetworkManager-l2tp-0.9.8.7-4.fc22.src.rpm(sha1:671cc5a1add7f6b512db2b6f228b7979cf2c3f3b)

It works for me. I just want to know why is v0.9.8.7-4 not in official repo?

Hi,

I just upgraded to Fedora 21 and now I cannot get my VPN working while it was working with the old version in F20. Please fix it!

Forgot to give the log of the connexion:
Mar 23 14:53:25 evangelion NetworkManager[926]: <info>  Starting VPN service 'l2tp'...
Mar 23 14:53:25 evangelion NetworkManager[926]: <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 19838
Mar 23 14:53:25 evangelion NetworkManager[926]: <info>  VPN service 'l2tp' appeared; activating connections
Mar 23 14:53:25 evangelion NetworkManager[926]: <info>  VPN connection 'IPsec/L2TP' (ConnectInteractive) reply received.
Mar 23 14:53:25 evangelion NetworkManager[926]: <info>  VPN plugin state changed: starting (3)
Mar 23 14:53:25 evangelion NetworkManager: ** Message: Use 'XX.XX.XX.74' as a gateway
Mar 23 14:53:25 evangelion NetworkManager: ** Message: Check port 1701
Mar 23 14:53:25 evangelion NetworkManager: ** Message: ipsec enable flag: yes
Mar 23 14:53:25 evangelion NetworkManager: ** Message: starting ipsec
Mar 23 14:53:26 evangelion NetworkManager: systemd: ipsec service is not running
Mar 23 14:53:26 evangelion NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Mar 23 14:53:26 evangelion NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Mar 23 14:53:26 evangelion NetworkManager: debugging mode enabled
Mar 23 14:53:26 evangelion NetworkManager: end of file /var/run/nm-ipsec-l2tp.19838/ipsec.conf
Mar 23 14:53:26 evangelion NetworkManager: Warning: ignored obsolete keyword 'nat_traversal'
Mar 23 14:53:26 evangelion NetworkManager: Warning: ignored obsolete keyword 'force_keepalive'
Mar 23 14:53:26 evangelion NetworkManager: Loading conn nm-ipsec-l2tpd-19838
Mar 23 14:53:26 evangelion NetworkManager: starter: case KH_DEFAULTROUTE: empty
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" loopback=0
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" labeled_ipsec=0
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" policy_label=(null)
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" modecfgdomain=(null)
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" modecfgbanner=(null)
Mar 23 14:53:26 evangelion NetworkManager: connect(pluto_ctl) failed: No such file or directory
Mar 23 14:53:26 evangelion NetworkManager: opening file: /var/run/nm-ipsec-l2tp.19838/ipsec.conf
Mar 23 14:53:26 evangelion NetworkManager: loading named conns: nm-ipsec-l2tpd-19838
Mar 23 14:53:26 evangelion NetworkManager: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Mar 23 14:53:26 evangelion NetworkManager: dst  via YY.YY.YY.1 dev em1 src  table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: set nexthop: YY.YY.YY.1
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.0 via  dev em1 src YY.YY.YY.12 table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.0 via  dev em1 src YY.YY.YY.12 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.12 via  dev em1 src YY.YY.YY.12 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst ZZ.ZZ.ZZ.255 via  dev em1 src YY.YY.YY.12 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.1 via  dev em1 src YY.YY.YY.12 table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: set addr: YY.YY.YY.12
Mar 23 14:53:26 evangelion NetworkManager: debugging mode enabled
Mar 23 14:53:26 evangelion NetworkManager: end of file /var/run/nm-ipsec-l2tp.19838/ipsec.conf
Mar 23 14:53:26 evangelion NetworkManager: Warning: ignored obsolete keyword 'nat_traversal'
Mar 23 14:53:26 evangelion NetworkManager: Warning: ignored obsolete keyword 'force_keepalive'
Mar 23 14:53:26 evangelion NetworkManager: Loading conn nm-ipsec-l2tpd-19838
Mar 23 14:53:26 evangelion NetworkManager: starter: case KH_DEFAULTROUTE: empty
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" loopback=0
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" labeled_ipsec=0
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" policy_label=(null)
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" modecfgdomain=(null)
Mar 23 14:53:26 evangelion NetworkManager: conn: "nm-ipsec-l2tpd-19838" modecfgbanner=(null)
Mar 23 14:53:26 evangelion NetworkManager: connect(pluto_ctl) failed: No such file or directory
Mar 23 14:53:26 evangelion NetworkManager: opening file: /var/run/nm-ipsec-l2tp.19838/ipsec.conf
Mar 23 14:53:26 evangelion NetworkManager: loading named conns: nm-ipsec-l2tpd-19838
Mar 23 14:53:26 evangelion NetworkManager: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Mar 23 14:53:26 evangelion NetworkManager: dst  via YY.YY.YY.1 dev em1 src  table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: set nexthop: YY.YY.YY.1
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.0 via  dev em1 src YY.YY.YY.12 table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.0 via  dev em1 src YY.YY.YY.12 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.12 via  dev em1 src YY.YY.YY.12 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst ZZ.ZZ.ZZ.255 via  dev em1 src YY.YY.YY.12 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255
Mar 23 14:53:26 evangelion NetworkManager: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Mar 23 14:53:26 evangelion NetworkManager: dst YY.YY.YY.1 via  dev em1 src YY.YY.YY.12 table 254 (ignored)
Mar 23 14:53:26 evangelion NetworkManager: set addr: YY.YY.YY.12
Mar 23 14:53:26 evangelion NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Mar 23 14:53:26 evangelion NetworkManager: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Mar 23 14:53:26 evangelion NetworkManager[926]: <info>  VPN connection 'IPsec/L2TP' (Connect) reply received.
Mar 23 14:53:26 evangelion NetworkManager[926]: <warn>  VPN connection 'IPsec/L2TP' failed to connect: 'Possible error in IPSec setup.'.
Mar 23 14:53:26 evangelion NetworkManager[926]: <warn>  error disconnecting VPN: Could not process the request because no VPN connection was active.
Mar 23 14:53:34 evangelion /etc/gdm/Xsession: Window manager warning: Log level 16: STACK_OP_LOWER_BELOW: window 0x3000047 not in stack
Mar 23 14:53:34 evangelion /etc/gdm/Xsession: Window manager warning: Log level 16: STACK_OP_LOWER_BELOW: sibling window 0x3000047 not in stack
Mar 23 14:53:46 evangelion NetworkManager: (nm-l2tp-service:19838): GLib-CRITICAL **: Source ID 7 was not found when attempting to remove it
Mar 23 14:53:46 evangelion NetworkManager[926]: <info>  VPN service 'l2tp' disappeared

I asked the developer. So waiting him.

Hi, 

In fedora 21, a simple sleep after ipsec restart solves the problem for me. See https://github.com/zzsoni/NetworkManager-l2tp/commit/2bf12020b38ca5248482009052c1944da9e39c2c

(In reply to Carl Byington from comment #87)
> (In reply to redacted from comment #85)
> > I have the same problem with Fedora 21 when connecting to our company VPN.
> > Is there any easy way to test this fix on Fedora 21?
> 
> You should be able to rebuild it and install the resulting binary rpm.
> 
> wget
> http://www.five-ten-sg.com/util/NetworkManager-l2tp-0.9.8.7-4.fc22.src.rpm
> rpmbuild --rebuild NetworkManager-l2tp-0.9.8.7-4.fc22.src.rpm
> yum install
> ~/rpmbuild/RPMS/x86_64/NetworkManager-l2tp-0.9.8.7-4.fc21.x86_64.rpm

This RPM works for me too on fc21, after having struggled with the official one, and the suggested fix in Comment 96 (which did not work).

Tryed the RPM as said in #97 and it works as the default RPM from F21 repos does not work!

one last research from today.

When I try to configure LTP client without Ipsec PSK, it is trying to connect for a longer time. It is doing something...

When I configure Ipsec with PSK - it ends very quickly with "unable to activate network connection".  Seems that it is doing nothing ;). 

Fedora 22, 64bit, workstation.

This bug appears to have been reported against 'rawhide' during the Fedora 23 development cycle.
Changing version to '23'.

(As we did not run this process for some time, it could affect also pre-Fedora 23 development
cycle bugs. We are very sorry. It will help us with cleanup during Fedora 23 End Of Life. Thank you.)

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora23

This issue is happening again for me. I wasn't using VPN connection for last month or more. Now I wanted to use it and it doesn't work :(

Here is the relevant log for connection:
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: <info>  Starting VPN service 'l2tp'...
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 10256
Aug 24 14:39:30 redacted.domain gnome-session[1964]: (gnome-shell:1971): Gjs-WARNING **: JS ERROR: TypeError: a._connection is null
Aug 24 14:39:30 redacted.domain gnome-session[1964]: NMVPNSection<.setActiveConnections/<@resource:///org/gnome/shell/ui/status/network.js:1533
Aug 24 14:39:30 redacted.domain gnome-session[1964]: NMVPNSection<.setActiveConnections@resource:///org/gnome/shell/ui/status/network.js:1532
Aug 24 14:39:30 redacted.domain gnome-session[1964]: wrapper@resource:///org/gnome/gjs/modules/lang.js:169
Aug 24 14:39:30 redacted.domain gnome-session[1964]: NMApplet<._syncVPNConnections@resource:///org/gnome/shell/ui/status/network.js:1821
Aug 24 14:39:30 redacted.domain gnome-session[1964]: wrapper@resource:///org/gnome/gjs/modules/lang.js:169
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: <info>  VPN service 'l2tp' appeared; activating connections
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: <info>  VPN connection 'redacted' (ConnectInteractive) reply received.
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: <info>  VPN plugin state changed: starting (3)
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: ** Message: Use '...' as a gateway
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: ** Message: Check port 1701
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: ** Message: ipsec enable flag: yes
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: ** Message: starting ipsec
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: Redirecting to: systemctl stop+start ipsec.service
Aug 24 14:39:30 redacted.domain systemd[1]: Stopping Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down
Aug 24 14:39:30 redacted.domain pluto[10022]: "nm-ipsec-l2tpd-9412": deleting connection
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface lo/lo ::1:500
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface lo/lo 127.0.0.1:4500
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface lo/lo 127.0.0.1:500
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface wlp3s0/wlp3s0 192.168.55.192:4500
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface wlp3s0/wlp3s0 192.168.55.192:500
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface virbr0/virbr0 192.168.122.1:4500
Aug 24 14:39:30 redacted.domain pluto[10022]: shutting down interface virbr0/virbr0 192.168.122.1:500
Aug 24 14:39:30 redacted.domain whack[10265]: 002 shutting down
Aug 24 14:39:30 redacted.domain systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Aug 24 14:39:30 redacted.domain audit[1]: <audit-1131> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 24 14:39:30 redacted.domain systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Aug 24 14:39:30 redacted.domain kernel: AVX2 instructions are not detected.
Aug 24 14:39:30 redacted.domain kernel: AVX2 or AES-NI instructions are not detected.
Aug 24 14:39:30 redacted.domain systemd[1]: Started Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Aug 24 14:39:30 redacted.domain audit[1]: <audit-1130> pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=ipsec comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
Aug 24 14:39:30 redacted.domain NetworkManager[1292]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Aug 24 14:39:31 redacted.domain pluto[10514]: nss directory plutomain: /etc/ipsec.d
Aug 24 14:39:31 redacted.domain pluto[10514]: NSS Initialized
Aug 24 14:39:31 redacted.domain pluto[10514]: libcap-ng support [enabled]
Aug 24 14:39:31 redacted.domain pluto[10514]: FIPS HMAC integrity verification test passed
Aug 24 14:39:31 redacted.domain pluto[10514]: FIPS: pluto daemon NOT running in FIPS mode
Aug 24 14:39:31 redacted.domain pluto[10514]: Linux audit support [disabled]
Aug 24 14:39:31 redacted.domain pluto[10514]: Starting Pluto (Libreswan Version 3.13 XFRM(netkey) KLIPS NSS DNSSEC FIPS_CHECK LABELED_IPSEC LIBCAP_NG XAUTH_PAM NETWORKMANAGER KLIPS_MAST CURL(non-NSS) LDAP(non-NSS)) pid:10514
Aug 24 14:39:31 redacted.domain pluto[10514]: core dump dir: /var/run/pluto/
Aug 24 14:39:31 redacted.domain pluto[10514]: secrets file: /etc/ipsec.secrets
Aug 24 14:39:31 redacted.domain pluto[10514]: leak-detective disabled
Aug 24 14:39:31 redacted.domain pluto[10514]: SAref support [disabled]: Protocol not available
Aug 24 14:39:31 redacted.domain pluto[10514]: SAbind support [disabled]: Protocol not available
Aug 24 14:39:31 redacted.domain pluto[10514]: NSS crypto [enabled]
Aug 24 14:39:31 redacted.domain pluto[10514]: XAUTH PAM support [enabled]
Aug 24 14:39:31 redacted.domain pluto[10514]:    NAT-Traversal support  [enabled]
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC_SSH: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating OAKLEY_TWOFISH_CBC: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating OAKLEY_SERPENT_CBC: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating OAKLEY_AES_CBC: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_AES_CTR: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_hash(): Activating DISABLED-OAKLEY_AES_XCBC: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating DISABLED-OAKLEY_CAMELLIA_CBC: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating OAKLEY_CAMELLIA_CTR: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_hash(): Activating OAKLEY_SHA2_512: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_hash(): Activating OAKLEY_SHA2_384: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_hash(): Activating OAKLEY_SHA2_256: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: starting up 3 crypto helpers
Aug 24 14:39:31 redacted.domain pluto[10514]: started thread for crypto helper 0 (master fd 6)
Aug 24 14:39:31 redacted.domain pluto[10514]: started thread for crypto helper 1 (master fd 8)
Aug 24 14:39:31 redacted.domain pluto[10514]: started thread for crypto helper 2 (master fd 10)
Aug 24 14:39:31 redacted.domain pluto[10514]: Using Linux XFRM/NETKEY IPsec interface code on 4.1.5-200.fc22.x86_64
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating aes_ccm_8: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating aes_ccm_12: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating aes_ccm_16: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating aes_gcm_8: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating aes_gcm_12: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: ike_alg_register_enc(): Activating aes_gcm_16: Ok
Aug 24 14:39:31 redacted.domain pluto[10514]: | selinux support is enabled.
Aug 24 14:39:31 redacted.domain pluto[10514]: loading secrets from "/etc/ipsec.secrets"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: 002 loading secrets from "/etc/ipsec.secrets"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: debugging mode enabled
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: end of file /var/run/nm-ipsec-l2tp.10256/ipsec.conf
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: Warning: ignored obsolete keyword 'nat_traversal'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: Warning: ignored obsolete keyword 'force_keepalive'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: Loading conn nm-ipsec-l2tpd-10256
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: starter: case KH_DEFAULTROUTE: empty
Aug 24 14:39:31 redacted.domain pluto[10514]: added connection description "nm-ipsec-l2tpd-10256"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" loopback=0
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" labeled_ipsec=0
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" policy_label=(null)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" modecfgdomain=(null)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" modecfgbanner=(null)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: opening file: /var/run/nm-ipsec-l2tp.10256/ipsec.conf
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: loading named conns: nm-ipsec-l2tpd-10256
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst  via 192.168.55.1 dev wlp3s0 src  table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: set nexthop: 192.168.55.1
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 92.37.89.183 via 192.168.55.1 dev wlp3s0 src 192.168.55.192 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.0 via  dev wlp3s0 src 192.168.55.192 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.0 via  dev wlp3s0 src 192.168.55.192 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.192 via  dev wlp3s0 src 192.168.55.192 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.255 via  dev wlp3s0 src 192.168.55.192 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.1 via  dev wlp3s0 src 192.168.55.192 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: set addr: 192.168.55.192
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: debugging mode enabled
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: end of file /var/run/nm-ipsec-l2tp.10256/ipsec.conf
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: Warning: ignored obsolete keyword 'nat_traversal'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: Warning: ignored obsolete keyword 'force_keepalive'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: Loading conn nm-ipsec-l2tpd-10256
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: starter: case KH_DEFAULTROUTE: empty
Aug 24 14:39:31 redacted.domain pluto[10514]: "nm-ipsec-l2tpd-10256": deleting connection
Aug 24 14:39:31 redacted.domain pluto[10514]: added connection description "nm-ipsec-l2tpd-10256"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" loopback=0
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" labeled_ipsec=0
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" policy_label=(null)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" modecfgdomain=(null)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: conn: "nm-ipsec-l2tpd-10256" modecfgbanner=(null)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: opening file: /var/run/nm-ipsec-l2tp.10256/ipsec.conf
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: loading named conns: nm-ipsec-l2tpd-10256
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst  via 192.168.55.1 dev wlp3s0 src  table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: set nexthop: 192.168.55.1
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 92.37.89.183 via 192.168.55.1 dev wlp3s0 src 192.168.55.192 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.0 via  dev wlp3s0 src 192.168.55.192 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.0 via  dev wlp3s0 src 192.168.55.192 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.192 via  dev wlp3s0 src 192.168.55.192 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.255 via  dev wlp3s0 src 192.168.55.192 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: dst 192.168.55.1 via  dev wlp3s0 src 192.168.55.192 table 254 (ignored)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: set addr: 192.168.55.192
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: 024 need --listen before --initiate
Aug 24 14:39:31 redacted.domain pluto[10514]: forgetting secrets
Aug 24 14:39:31 redacted.domain pluto[10514]: loading secrets from "/etc/ipsec.secrets"
Aug 24 14:39:31 redacted.domain pluto[10514]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: 002 forgetting secrets
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: 002 loading secrets from "/etc/ipsec.secrets"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: 002 no secrets filename matched "/etc/ipsec.d/*.secrets"
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** (nm-l2tp-service:10256): WARNING **: Possible error in IPSec setup.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: ipsec ready for action
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: xl2tpd started with pid 10564
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Not looking for kernel SAref support.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: <info>  VPN connection 'redacted' (Connect) reply received.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Using l2tp kernel support.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: xl2tpd version xl2tpd-1.3.6 started on redacted.domain PID:10564
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Inherited by Jeff McAdams, (C) 2002
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Listening on IP address 0.0.0.0, port 1701
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Connecting to host ..., port 1701
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Connection established to ..., 1701.  Local: 44824, Remote: 159 (ref=0/0).
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Calling on tunnel 44824
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Call established with ..., Local: 56834, Remote: 1, Serial: 1 (ref=0/0)
Aug 24 14:39:31 redacted.domain pppd[10566]: Plugin /usr/lib64/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (plugin_init): initializing
Aug 24 14:39:31 redacted.domain pppd[10566]: Plugin pppol2tp.so loaded.
Aug 24 14:39:31 redacted.domain pppd[10566]: pppd 2.4.7 started by root, uid 0
Aug 24 14:39:31 redacted.domain pppd[10566]: Using interface ppp0
Aug 24 14:39:31 redacted.domain pppd[10566]: Connect: ppp0 <-->
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 6 / phase 'authenticate'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (get_credentials): passwd-hook, requesting credentials...
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (get_credentials): got credentials from NetworkManager-l2tp
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: <info>  (ppp0): new Generic device (driver: 'unknown' ifindex: 22)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: <info>  (ppp0): exported as /org/freedesktop/NetworkManager/Devices/21
Aug 24 14:39:31 redacted.domain pppd[10566]: CHAP authentication succeeded
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
Aug 24 14:39:31 redacted.domain pppd[10566]: LCP terminated by peer (Encryption negotiation rejected)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: result_code_avp: avp is incorrect size.  8 < 10
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: call_close: Call 56834 to ... disconnected
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: result_code_avp: avp is incorrect size.  8 < 10
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Aug 24 14:39:31 redacted.domain pppd[10566]: Terminating on signal 15
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: xl2tpd[10564]: Connection 159 closed to ..., port 1701 (Result Code: expected at least 10, got 8)
Aug 24 14:39:31 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
Aug 24 14:39:32 redacted.domain pluto[10514]: listening for IKE messages
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface virbr0/virbr0 192.168.122.1:500
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface virbr0/virbr0 192.168.122.1:4500
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface wlp3s0/wlp3s0 192.168.55.192:500
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface wlp3s0/wlp3s0 192.168.55.192:4500
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface lo/lo 127.0.0.1:500
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface lo/lo 127.0.0.1:4500
Aug 24 14:39:32 redacted.domain pluto[10514]: adding interface lo/lo ::1:500
Aug 24 14:39:32 redacted.domain pluto[10514]: loading secrets from "/etc/ipsec.secrets"
Aug 24 14:39:32 redacted.domain pluto[10514]: no secrets filename matched "/etc/ipsec.d/*.secrets"
Aug 24 14:39:34 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Aug 24 14:39:34 redacted.domain pppd[10566]: Connection terminated.
Aug 24 14:39:34 redacted.domain NetworkManager[1292]: <warn>  VPN plugin failed: connect-failed (1)
Aug 24 14:39:34 redacted.domain pppd[10566]: Modem hangup
Aug 24 14:39:34 redacted.domain pppd[10566]: Exit.
Aug 24 14:39:34 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
Aug 24 14:39:34 redacted.domain NetworkManager[1292]: ** Message: nm-l2tp-ppp-plugin: (nm_exit_notify): cleaning up
Aug 24 14:39:34 redacted.domain gnome-session[2448]: Gjs-Message: JS LOG: Removing a network device that was not added
Aug 24 14:39:34 redacted.domain gnome-session[1964]: Gjs-Message: JS LOG: Removing a network device that was not added
Aug 24 14:39:34 redacted.domain NetworkManager[1292]: <warn>  VPN plugin failed: connect-failed (1)

My company WIFI also stopped working. Maybe these two bugs are connected:

https://bugzilla.redhat.com/show_bug.cgi?id=1241930

I have finally enabled debug information for pppd service and here is what goes wrong.

Aug 24 18:59:55 redacted.domain pppd[11833]: CHAP authentication succeeded
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [IPCP ConfReq id=0x1 <addr 192.168.80.1>]
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [IPCP ConfAck id=0x1 <addr 192.168.80.1>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [proto=0x8281] 01 01 00 04
Aug 24 18:59:55 redacted.domain pppd[11833]: Unsupported protocol 'MPLSCP' (0x8281) received


It looks like it doesn't support the protocol we are using "Unsupported protocol 'MPLSCP' (0x8281) received".
I don't know why this stopped working, but from my perspective it looks like one of the upgrades broke this.

Here is also the whole log if it will help:
Aug 24 18:59:54 redacted.domain NetworkManager[1069]: <info>  Starting VPN service 'l2tp'...
Aug 24 18:59:54 redacted.domain NetworkManager[1069]: <info>  VPN service 'l2tp' started (org.freedesktop.NetworkManager.l2tp), PID 11510
Aug 24 18:59:54 redacted.domain NetworkManager[1069]: <info>  VPN service 'l2tp' appeared; activating connections
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: <info>  VPN connection '...' (ConnectInteractive) reply received.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: <info>  VPN plugin state changed: starting (3)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: Use '' as a gateway
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: Check port 1701
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: ipsec enable flag: yes
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: starting ipsec
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Redirecting to: systemctl stop+start ipsec.service
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: whack: Pluto is not running (no "/var/run/pluto/pluto.ctl")
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: 002 loading secrets from "/etc/ipsec.secrets"
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: debugging mode enabled
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: end of file /var/run/nm-ipsec-l2tp.11510/ipsec.conf
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Warning: ignored obsolete keyword 'nat_traversal'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Warning: ignored obsolete keyword 'force_keepalive'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Loading conn nm-ipsec-l2tpd-11510
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: starter: case KH_DEFAULTROUTE: empty
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" loopback=0
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" labeled_ipsec=0
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" policy_label=(null)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" modecfgdomain=(null)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" modecfgbanner=(null)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: opening file: /var/run/nm-ipsec-l2tp.11510/ipsec.conf
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: loading named conns: nm-ipsec-l2tpd-11510
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst  via 192.168.0.1 dev enp7s0 src  table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: set nexthop: 192.168.0.1
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.0 via  dev enp7s0 src 192.168.0.10 table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.0 via  dev enp7s0 src 192.168.0.10 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.10 via  dev enp7s0 src 192.168.0.10 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.255 via  dev enp7s0 src 192.168.0.10 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.1 via  dev enp7s0 src 192.168.0.10 table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: set addr: 192.168.0.10
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: debugging mode enabled
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: end of file /var/run/nm-ipsec-l2tp.11510/ipsec.conf
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Warning: ignored obsolete keyword 'nat_traversal'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Warning: ignored obsolete keyword 'force_keepalive'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: Loading conn nm-ipsec-l2tpd-11510
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: starter: case KH_DEFAULTROUTE: empty
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" loopback=0
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" labeled_ipsec=0
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" policy_label=(null)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" modecfgdomain=(null)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: conn: "nm-ipsec-l2tpd-11510" modecfgbanner=(null)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: opening file: /var/run/nm-ipsec-l2tp.11510/ipsec.conf
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: loading named conns: nm-ipsec-l2tpd-11510
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: seeking_src = 0, seeking_gateway = 1, has_dst = 1
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst  via 192.168.0.1 dev enp7s0 src  table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: set nexthop: 192.168.0.1
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.0 via  dev enp7s0 src 192.168.0.10 table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.0.0.0 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.0.0.1 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 127.255.255.255 via  dev lo src 127.0.0.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.0 via  dev enp7s0 src 192.168.0.10 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.10 via  dev enp7s0 src 192.168.0.10 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.255 via  dev enp7s0 src 192.168.0.10 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.0 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.1 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.122.255 via  dev virbr0 src 192.168.122.1 table 255
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: seeking_src = 1, seeking_gateway = 0, has_dst = 1
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: dst 192.168.0.1 via  dev enp7s0 src 192.168.0.10 table 254 (ignored)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: set addr: 192.168.0.10
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: 024 need --listen before --initiate
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: 002 forgetting secrets
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: 002 loading secrets from "/etc/ipsec.secrets"
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: 002 no secrets filename matched "/etc/ipsec.d/*.secrets"
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** (nm-l2tp-service:11510): WARNING **: Possible error in IPSec setup.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: ipsec ready for action
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: xl2tpd started with pid 11831
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Not looking for kernel SAref support.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: <info>  VPN connection '...' (Connect) reply received.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Using l2tp kernel support.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: xl2tpd version xl2tpd-1.3.6 started on redacted.domain PID:11831
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Written by Mark Spencer, Copyright (C) 1998, Adtran, Inc.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Forked by Scott Balmos and David Stipp, (C) 2001
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Inherited by Jeff McAdams, (C) 2002
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Forked again by Xelerance (www.xelerance.com) (C) 2006
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Listening on IP address 0.0.0.0, port 1701
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Connecting to host ..., port 1701
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Connection established to ..., 1701.  Local: 14615, Remote: 172 (ref=0/0).
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Calling on tunnel 14615
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Call established with ..., Local: 57186, Remote: 1, Serial: 1 (ref=0/0)
Aug 24 18:59:55 redacted.domain pppd[11833]: Plugin /usr/lib64/pppd/2.4.7/nm-l2tp-pppd-plugin.so loaded.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (plugin_init): initializing
Aug 24 18:59:55 redacted.domain pppd[11833]: Plugin pppol2tp.so loaded.
Aug 24 18:59:55 redacted.domain pppd[11833]: pppd 2.4.7 started by root, uid 0
Aug 24 18:59:55 redacted.domain pppd[11833]: using channel 16
Aug 24 18:59:55 redacted.domain pppd[11833]: Using interface ppp0
Aug 24 18:59:55 redacted.domain pppd[11833]: Connect: ppp0 <-->
Aug 24 18:59:55 redacted.domain pppd[11833]: PPPoL2TP options: debugmask 0
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP ConfReq id=0x1 <asyncmap 0x0> <magic 0x5ee40bf0>]
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 3 / phase 'serial connection'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: <info>  (ppp0): new Generic device (driver: 'unknown' ifindex: 21)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: <info>  (ppp0): exported as /org/freedesktop/NetworkManager/Devices/20
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [LCP ConfReq id=0x1 <auth chap MS-v2> <mru 1460> <magic 0xaaa91204> <mrru 1614>]
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP ConfRej id=0x1 <mrru 1614>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [LCP ConfRej id=0x1 <asyncmap 0x0>]
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP ConfReq id=0x2 <magic 0x5ee40bf0>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [LCP ConfReq id=0x2 <auth chap MS-v2> <mru 1460> <magic 0xaaa91204>]
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP ConfAck id=0x2 <auth chap MS-v2> <mru 1460> <magic 0xaaa91204>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [LCP ConfAck id=0x2 <magic 0x5ee40bf0>]
Aug 24 18:59:55 redacted.domain pppd[11833]: PPPoL2TP options: debugmask 0
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP EchoReq id=0x0 magic=0x5ee40bf0]
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 6 / phase 'authenticate'
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [CHAP Challenge id=0x1 <09df5dc64f219a8b5a4a2725c1a0b083>, name = "GateKeeper"]
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (get_credentials): passwd-hook, requesting credentials...
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (get_credentials): got credentials from NetworkManager-l2tp
Aug 24 18:59:55 redacted.domain pppd[11833]: added response cache entry 0
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [CHAP Response id=0x1 <b26a1ba4d0157034e6bf90ce6f01edf300000000000000001146ecf935732c6974878339b1b0b320711dc3b23ba78c3700>, name = "redacted"]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [LCP EchoRep id=0x0 magic=0xaaa91204]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [CHAP Success id=0x1 "S=98FB00A06F54BCF13C820F3431582BB0BA9D2376"]
Aug 24 18:59:55 redacted.domain pppd[11833]: response found in cache (entry 0)
Aug 24 18:59:55 redacted.domain pppd[11833]: CHAP authentication succeeded
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [IPCP ConfReq id=0x1 <addr 0.0.0.0> <ms-dns1 0.0.0.0> <ms-dns2 0.0.0.0>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [IPCP ConfReq id=0x1 <addr 192.168.80.1>]
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [IPCP ConfAck id=0x1 <addr 192.168.80.1>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [proto=0x8281] 01 01 00 04
Aug 24 18:59:55 redacted.domain pppd[11833]: Unsupported protocol 'MPLSCP' (0x8281) received
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP ProtRej id=0x3 82 81 01 01 00 04]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [CCP ConfReq id=0x1 <mppe +H -M +S -L -D -C>]
Aug 24 18:59:55 redacted.domain pppd[11833]: Unsupported protocol 'Compression Control Protocol' (0x80fd) received
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP ProtRej id=0x4 80 fd 01 01 00 0a 12 06 01 00 00 40]
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 8 / phase 'network'
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [IPCP ConfNak id=0x1 <addr 192.168.80.89> <ms-dns1 192.168.41.250> <ms-dns2 192.168.41.251>]
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [IPCP ConfReq id=0x2 <addr 192.168.80.89> <ms-dns1 192.168.41.250> <ms-dns2 192.168.41.251>]
Aug 24 18:59:55 redacted.domain pppd[11833]: rcvd [LCP TermReq id=0x3 "Encryption negotiation rejected"]
Aug 24 18:59:55 redacted.domain pppd[11833]: LCP terminated by peer (Encryption negotiation rejected)
Aug 24 18:59:55 redacted.domain pppd[11833]: PPPoL2TP options: debugmask 0
Aug 24 18:59:55 redacted.domain pppd[11833]: sent [LCP TermAck id=0x3]
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 5 / phase 'establish'
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: result_code_avp: avp is incorrect size.  8 < 10
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: call_close: Call 57186 to ... disconnected
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: result_code_avp: avp is incorrect size.  8 < 10
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: handle_avps: Bad exit status handling attribute 1 (Result Code) on mandatory packet.
Aug 24 18:59:55 redacted.domain pppd[11833]: Terminating on signal 15
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: xl2tpd[11831]: Connection 172 closed to ..., port 1701 (Result Code: expected at least 10, got 8)
Aug 24 18:59:55 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 10 / phase 'terminate'
Aug 24 18:59:58 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 11 / phase 'disconnect'
Aug 24 18:59:58 redacted.domain pppd[11833]: Connection terminated.
Aug 24 18:59:58 redacted.domain NetworkManager[1069]: <warn>  VPN plugin failed: connect-failed (1)
Aug 24 18:59:58 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_phasechange): status 1 / phase 'dead'
Aug 24 18:59:58 redacted.domain pppd[11833]: Modem hangup
Aug 24 18:59:58 redacted.domain NetworkManager[1069]: <warn>  VPN plugin failed: connect-failed (1)
Aug 24 18:59:58 redacted.domain NetworkManager[1069]: ** Message: nm-l2tp-ppp-plugin: (nm_exit_notify): cleaning up

Sorry, but as I mentioned before network-manager-l2tp developer hasn't interesting with this app now. No new since previous year. I tried some times to ask the developer to do something with this problem but he did nothing. Personnaly I don't use l2tp I only made package and don't know nothing about the this plugin code or l2tp network. So I can't help here. Seems need somebody who will be care about network-manager-l2tp app.

Yep. I'm sorry, but I'm not yet able to continue development of this plugin. Mostly because I don't need to use it myself now.
Also, there is a lot of issues related to ipsec, which I never used myself either.
So, looking for a new maintainer.

Thanks to both. As it looks like nothing will change shortly, we changed to sstp for linux users.

on fedora 23 the NetworkManager-l2tp source code needs at least 2 modifications of nm-l2tp-service.c:
1) there must be a delay between the execution of the command that restart the ipsec  and the execution of the "ipsec whack" command, else the what will be executed befor the daemon is ready. the suggestion of soni (comment 96) should work fine. my solution is a little different:
	"[ \"x$defaultrouteaddr\" = \"x\" ] && ipsec setup restart");
        system("sleep 1");
 	sys += system("PATH=/usr/local/sbin:/usr/sbin:/sbin ipsec whack"
 			" --listen");

but the result is the same.

2) as fedora 23 uses libreswan in place of openswan, at least 3 lines of the ipsec config file created by the plugin must be eliminated/commented as they are obsoleted by the libreswan daemon:

version 2.0
  nat_traversal=yes
  force_keepalive=yes

after these modification the l2tp/ipsec connection are executed as expected

the final result is:
@@ -903,6 +903,8 @@
 	"PATH=/usr/local/sbin:/usr/sbin:/sbin; export PATH;"
 	"[ \"x$defaultrouteaddr\" = \"x\" ] && ipsec setup restart");
 
+        system("sleep 1");
+
 	sys += system("PATH=/usr/local/sbin:/usr/sbin:/sbin ipsec whack"
 			" --listen");
 	sprintf(cmd1,"test -e /var/run/pluto/ipsec.info && . /var/run/pluto/ipsec.info;"
@@ -962,14 +964,6 @@
 
 	rename(tmp_secrets, "/etc/ipsec.secrets");
 	sys += system("PATH=\"/sbin:/usr/sbin:/usr/local/sbin:$PATH\" ipsec secrets");
-	if (sys != 0) {
-		g_set_error (error,
-		             NM_VPN_PLUGIN_ERROR,
-		             NM_VPN_PLUGIN_ERROR_LAUNCH_FAILED,
-		             "%s",
-		             _("Possible error in IPSec setup."));
-		return FALSE;
-	}
 
 	g_message(_("ipsec ready for action"));
 	return TRUE;
@@ -1140,10 +1134,10 @@
 					 _("Could not write ipsec config."));
 		return FALSE;
 	}
-	write_config_option (ipsec_fd, "version 2.0\n"
+	write_config_option (ipsec_fd, "#version 2.0\n"
 "config setup\n"
-"  nat_traversal=yes\n"
-"  force_keepalive=yes\n"
+"#  nat_traversal=yes\n"
+"#  force_keepalive=yes\n"
 "  protostack=netkey\n"
 "  keep_alive=60\n"
 "\n");

@Ivan: There is new development at: https://github.com/seriyps/NetworkManager-l2tp/commits/master 
with the version updated to at least 1.1.0. The repository is Sergey's but someone else (Lubomir Rintel) is continuing the development. Would you please consider updating the plugin?

Thanks

I have downloaded the new version you indicated, but besides the generous updates to clean the code, the failing lines are still there, so no, even the 1.1.x version is destined to fail to activate an l2tp/ipsec connection. unfortunately I cannot verify the code, as I cannot run this latest version on my fedora 23 installation. 
what I can say is that besides the already proposed modifications of my previous comment, there are also another couple of lines that should be updated in the configuration of the ipsec daemon.
I'm proposing here the full changes (for NetworkManager-l2tp-master):

$ diff -Naru nm-l2tp-service.c.org nm-l2tp-service.c
--- nm-l2tp-service.c.org	2015-12-06 02:43:14.329691002 +0100
+++ nm-l2tp-service.c	2015-12-06 02:51:09.569872532 +0100
@@ -933,7 +933,7 @@
 	if (sys) {
 		return nm_l2tp_ipsec_error(error, "Could not restart the ipsec service.");
 	}
-
+	sys = system("sleep 1");
 	sys = system(PATH_PREFIX " ipsec whack --listen");
 	if (sys) {
 		return nm_l2tp_ipsec_error(error, "Could not talk to IPsec key exchange service.");
@@ -1157,10 +1157,10 @@
 	if (ipsec_fd == -1) {
 		return nm_l2tp_ipsec_error(error, "Could not write ipsec config.");
 	}
-	write_config_option (ipsec_fd, "version 2.0\n"
+	write_config_option (ipsec_fd, "#version 2.0\n"
 "config setup\n"
-"  nat_traversal=yes\n"
-"  force_keepalive=yes\n"
+"#  nat_traversal=yes\n"
+"#  force_keepalive=yes\n"
 "  protostack=netkey\n"
 "  keep_alive=60\n"
 "\n");
@@ -1168,7 +1168,7 @@
 	write_config_option (ipsec_fd,
 "  auto=add\n"
 "  type=transport\n"
-"  auth=esp\n"
+"#  auth=esp\n"
 "  pfs=no\n"
 "  authby=secret\n"
 "  keyingtries=0\n"
@@ -1182,11 +1182,11 @@
 	value = nm_setting_vpn_get_data_item (s_vpn, NM_L2TP_KEY_IPSEC_GATEWAY_ID);
 	if(value)write_config_option (ipsec_fd, "  rightid=@%s\n", value);
 	write_config_option (ipsec_fd,
-"  esp=3des-sha1\n"
-"  keyexchange=ike\n"
-"  ike=3des-sha1-modp1024\n"
-"  aggrmode=no\n"
-"  forceencaps=yes\n");
+"#  esp=3des-sha1\n"
+"#  keyexchange=ike\n"
+"#  ike=3des-sha1-modp1024\n"
+"#  aggrmode=no\n"
+"#  forceencaps=yes\n");

as before I have left the config strings commented out, instead of removing them, so the modifications are clear to understand (I hope).
with the proposed modifications the l2tp/ipsec client should never try to force a specific protocol/algorithm on the VPN server, but it will accept what the server suggests.
this modifications works with a Cisco VPN concentrator (identified as "Cisco VPN 3000 Series") with aes_128-sha/3des-sha1 and a Centos 7 Server with aes_256-sha/aes_128-sha1.

I'm sorry to propose these modification using this way, but I'm not a real programmer and I don't know what is the right process to follow.

thanks
damir

Thanks! Please at least create an issue in the github project and propose your changes there. (BTW, instead of 'sys = system("sleep 1")' you should use 'sleep(1)'). The better is to fork the repo, apply the changes in your fork and create a pull request against the main repo, so that the developer(s) can accept your changes directly. But if you don't want to go through this, just create an issue there and propose your changes.

Why does this exist in fedora if it's completely broken and no one is willing to maintain it?

Incredibly frustrating to spend time debugging vpn configuration only to find out the problem is a 4 year old unmaintained package

*** Bug 1272767 has been marked as a duplicate of this bug. ***

My workplace is using L2TP/IPsec with a preshared key and it was only Linux users (other than Android) having issues connecting. I have provided command-line and config file instructions, but most of our users prefer a GUI NetworkManager solution.

Consequently I've started fixing NetworkManager-l2tp with a new GitHub branch (which I hope to submit a pull request at some point) :
   https://github.com/dkosovic/NetworkManager-l2tp/tree/nm_0.9

A quick summary of the Fedora 23 issues encountered with the https://github.com/seriyps/NetworkManager-l2tp repo, nm-1-0 and master branches :

nm-1-0 branch no longer builds with NetworkManager-1.0.x as it is contaminated with NetworkManager 1.2 configure script and code updates. The master branch no longer builds either, but that is to be expected.

nm-1-0 and master branches contains an update to do runtime detection of strongswan and libreswan. Unfortunately it expects strongswan to be using /usr/sbin/ipsec instead of /usr/sbin/strongswan. On Fedora 23, /usr/sbin/ipsec is exclusively libreswan.


In my branch I forked before the NetworkManager 1.2 master branch updates, but cherry picked the strongswan/libreswan update, although I had to do bug fixes to get it to work with libreswan.

I'm still deciding how to handle both strongswan and libreswan , maybe introduce a --with-ipsec-stack configure time option to select between libreswan and strongswan, then maybe use an env variable to override which IPSec stack is used. 

I'm still doing testing, but hope to put up a scratch NetworkManager-l2tp RPM build available for testing soon.

Thank you for sharing your work. I finally getting it to work. However, a few issues:
- The code doesn't compile for me, because of some errors about deprecated functions. I need to remove `-Werror` flag to get it compiled (however, the correct fix is certainly using the new API).

- I was still unable to connect until I added pfs=no option to ipsec.conf file; because the server I was trying to connect to doesn't support PFS. I think we should either add the options we find useful to the IPSec options UI, or add the possibility for the user to add any desired options to the config file. 

- Sometimes after restarting ipsec, it can't connect to pluto immediately and fails. When I retry connecting, it works. I think we should either add a small sleep before running 'ipsec --ready' as suggested by others, or we should retry it a few times if it fails.

- Instead of replacing ipsec.secrets, it is probably better to add a secrets file inside /etc/ipsec.d/. It'll allow the user to customize connection options by adding other files there too. But I think I should discuss about these on GitHub rather than here. I might add a pull request too.

Anyway, I wanted to mainly tell you that I got it working.

> - The code doesn't compile for me, because of some errors about deprecated
> functions. I need to remove `-Werror` flag to get it compiled (however, the
> correct fix is certainly using the new API).

I agree about being the proper fix.

I was using the following like in the RPM spec file :
  ./configure --disable-static --enable-more-warnings=yes
which sidestepped the deprecated gnome_keyring issue.

But it was definitely something I wanted to get back to, but postponed after seeing Ubuntu build issues here:
  https://github.com/seriyps/NetworkManager-l2tp/pull/27

> - I was still unable to connect until I added pfs=no option to ipsec.conf
> file; because the server I was trying to connect to doesn't support PFS. I
> think we should either add the options we find useful to the IPSec options
> UI, or add the possibility for the user to add any desired options to the
> config file. 

Interesting, as pfs was taken out of the strongswan section of code, when I updated the libreswan section of code, I incorrectly assumed if pfs was left out it would default to pfs=yes.

I'm in the process of adding MRU and MTU options to the GUI, as I need to set them to 1200 to successfully connect to my workplace.

I agree that config file templates would be good solution, in particular with obscurer options. I previously had a look at other NetworkManager VPN plugins to see if they use template files, but couldn't find one that did.

> - Sometimes after restarting ipsec, it can't connect to pluto immediately
> and fails. When I retry connecting, it works. I think we should either add a
> small sleep before running 'ipsec --ready' as suggested by others, or we
> should retry it a few times if it fails.

I liked your solution (in the pull request) of trying a few times, with a sleep in between each time when it fails. It was something I was going to get back to, but glad you fixed it.

> - Instead of replacing ipsec.secrets, it is probably better to add a secrets
> file inside /etc/ipsec.d/. It'll allow the user to customize connection
> options by adding other files there too. But I think I should discuss about
> these on GitHub rather than here. I might add a pull request too.

Although I agree, there is an issues with doing that, /etc/ipsec.secrets might not contain (or may have commented out) the following line :
   include /etc/ipsec.d/*.secrets 

e.g. on Fedora 23 if strongswan is used instead of libreswan, /etc/strongswan/ipsec.secrets doesn't include /etc/strongswan/ipsec.d/*.secrets by default.

> Anyway, I wanted to mainly tell you that I got it working.

Thanks for the pull request, I don't see any issues with it from code reading, but just want to do a bit of hands-on testing before accepting.

Some other issues I want to fix include changing sprintf()s to snprintf()s, make sure the IPsec connection is really up before attempting the L2TP connection (which can be an issue with strongswan, but I need to check libreswan if it has similar issue in some scenarios).

I should have MTU/MRU support added soon and with the pull-request, I think it would make for a good initial scratch NetworkManager-l2tp RPM build.

(In reply to Douglas Kosovic from comment #115)
> 
> I agree about being the proper fix.
>  ...
> But it was definitely something I wanted to get back to, but postponed after
> seeing Ubuntu build issues here:
>   https://github.com/seriyps/NetworkManager-l2tp/pull/27

My pull request contains a commit from another user which solves this issue. And it works fine for me in F23.


> 
> Interesting, as pfs was taken out of the strongswan section of code, when I
> updated the libreswan section of code, I incorrectly assumed if pfs was left
> out it would default to pfs=yes.
Your assumption is true: libreswan defaults to pfs=yes, and I needed the opposite to be able to connect. In my PR, I'll add pfs=no to config file if user unchecks the corresponding option.


> 
> I agree that config file templates would be good solution, in particular
> with obscurer options. I previously had a look at other NetworkManager VPN
> plugins to see if they use template files, but couldn't find one that did.
Yes. PPTP had decided to include many options in UI, and I think it is fine to add useful options to UI too. But I agree that letting the user provide additional options is a good thing in the long run. Instead of being able to provide a template file for each connection, we can also use the 'also' option (libreswan has it, I don't know about strongswan though). Then we can include a file which might contain additional options, e.g. nm-ipsec-<conn_name>. (if we have access to connection name inside the plugin, which I hope we have).


> 
> Although I agree, there is an issues with doing that, /etc/ipsec.secrets
> might not contain (or may have commented out) the following line :
>    include /etc/ipsec.d/*.secrets 
Yes, I was going to do that but didn't, because I thought that it might not be the case for other distributions (I thought that it is always like this in Fedora though!).


> Thanks for the pull request, I don't see any issues with it from code
> reading, but just want to do a bit of hands-on testing before accepting.
> 
> Some other issues I want to fix include changing sprintf()s to snprintf()s,
> make sure the IPsec connection is really up before attempting the L2TP
> connection (which can be an issue with strongswan, but I need to check
> libreswan if it has similar issue in some scenarios).
> 
> I should have MTU/MRU support added soon and with the pull-request, I think
> it would make for a good initial scratch NetworkManager-l2tp RPM build.
That's great, thanks for working on this. I hope merging the changes back to master will be easy enough, as you are actually developing the plugin in this branch :)

Apologise for not make a scratch NetworkManager-l2tp RPMs available sooner. Had to do a minor libreswan compatibly fix, as it din't work with libreswan that ships with Fedora 23, but did with the newer libreswan from Fedora 23 Updates. Ended up replacing 'ipsec auto --start' with 'ipsec auto --add' and 'ipsec auto --up'.


If you want to test it, I've put up NetworkManager-l2tp-0.9.8.8-0.1.20160306.fc23.src.rpm and NetworkManager-l2tp-0.9.8.8-0.1.20160306.fc23.x86_64.rpm here :
  https://outbox.eait.uq.edu.au/uqdkosov/networkmanager-l2tp/

SELinux still needs to be set to permissive or disabled.

Ensure the L2TP kernel modules are available by installing the kernel-modules-extra RPM :

  sudo dnf install kernel-modules-extra

If there are issues, you can debug by doing :
  sudo /usr/libexec/nm-l2tp-service --debug
(but make sure to kill any existing nm-l2tp-service process if it is already running)

Thanks. Why not adding updated libreswan as a dependency instead?
I do see SELinux alerts, but I can successfully connect even in enforcing mode. BTW, I've filled a bug report to fix SELinux issue too (#1313937).

> Why not adding updated libreswan as a dependency instead?

For the upstream source code, I think it is better to be backwards compatible with older versions of libreswan. Plus what I was originally doing with 'ipsec auto --start' was a workaround for what I think is a libreswan bug, it was ignoring auto=add in the config file. As --start is a combination of -add followed by --up, I believe we should have been able to get away with just using --up (like with strongswan) if it didn't ignore auto=add.

Thanks regarding SELinux

Forgot to mention, I put in a GitHub pull request :
  https://github.com/seriyps/NetworkManager-l2tp/pull/45
but wasn't certain how to do it for a new branch and ended up selecting the nm_0.8.1 branch for the pull.

Perhaps it might have been most appropriate for the pull request to use the nm-1.0 branch, but that branch has been contaminated with NetworkManager 1.1/1.2 updates and no longer builds with NetworkManager 1.0.


If it gets pulled, I'll start using Fedora RawHide and work on the master branch to cherry pick and merge changes.

There are a few other thing I would like to improve, but might leave that for the master branch.

As Sergey isn't going to continue development, I think we should forget getting PR merged. I guess you can be the new maintainer Douglas (at least, currently, you are!).

Ivan, would you please package new l2tp plugin package from Douglas branch? It works, unlike the one currently is in Fedora.

Rather than using my GitHub user account's repository as an upstream source, I think it's better to create a GitHub organisation account and people that want to be admins or members can be invited, I'm more than happy to invite previous maintainers.

I've tentatively created a nm-l2tp GitHub organisation account :
   https://github.com/nm-l2tp

If I get time tomorrow, I'll add the NetworkManager-l2tp repository there and do a bit of maintenace.

Hope I'm not stepping on anybody's toes.

I've created a new GitHub repository and nm-1-0 branch in particular for NetworkManager 1.0 based Fedora 23 :
   https://github.com/nm-l2tp/network-manager-l2tp/tree/nm-1-0

NetworkManager-l2tp version 1.0.0 source tarball can be downloaded from:
   https://github.com/nm-l2tp/network-manager-l2tp/archive/1.0.0/NetworkManager-l2tp-1.0.0.tar.gz

So if it can be packaged up into a new NetworkManager-l2tp-1.0.0 RPM for Fedora 23 that would be great. 

I'll now start working on the master branch for the NetworkManger 1.2 based Fedora 24.


Some notes about the new GitHub repository:

The repository name has been renamed from NetworkManager-l2tp to network-manager-l2tp, so that it uses the same naming convention as other NetworkManager VPN plugins in the Gnome Git Repository. Note: URLs to the repository can contain either NetworkManager-l2tp or network-manager-l2tp as redirections are taken care of by GitHub. 

Similarly, the branches have been renamed to use the same naming convention as used in the Gnome Git Repository where the other NetworkManager VPN plugins are located.

Thanks. Ivan, still there? :P

Yes, I'm here. I will check repo and update package.

Douglas I rebuilt package for F22 and F23. Please chech it in Koji http://koji.fedoraproject.org/koji/taskinfo?taskID=13729407 and http://koji.fedoraproject.org/koji/taskinfo?taskID=13729587 . Then I will update git.

Thanks Ivan.

I've tested the RPM on a clean install of Fedora 23 with latest updates and can confirm the rebuilt RPM is working.

The only minor nitpick I have is that the RPM's requires dependency is on openswan instead of libreswan (which now provides the openswan RPM dependency on later Fedoras). But it doesn't bother me if the requires is modified or not.

I didn't test on F22, but as F22 is NetworkManage 1.0 based and has libreswan, I don't envisage any issues.

Created attachment 1156937 [details]
NetworkManager-l2tp.spec for version 1.0.2

Ivan,

I've released a new NetworkManager-l2tp 1.0.2 :
https://github.com/nm-l2tp/network-manager-l2tp/archive/1.0.2/NetworkManager-l2tp-1.0.2.tar.gz

The changes for NetworkManager-l2tp 1.0.2 are only minor GUI cosmetic changes and a fix for another linux distribution.

As the previous 1.0.0 RPM hadn't been pushed out yet, please find attached a new NetworkManager-l2tp.spec file which I have tested on Fedora 22 & 23 and RHEL7.2 / EPEL7.

SPEC file changes include :
- creates a separate NetworkManager-l2tp-gnome RPM for GNOME files, like other NetworkManaager VPN plugins do for their RPMs.

- updated BuildRequires, Requires, URL and Source. The BR is mostly based on current NetworkManager-pptp.spec.

- replaced filter_provides macro with newer macros

Minor correction to the SPEC file I attached, the following lines :

# Most of code uses GPLv2+ license.
# Only vpn-password-dialog has LGPLv2+.
License:   GPLv2+ and LGPLv2+

can be changed to:

License:   GPLv2+



As the vpn-password-dialog code was obsoleted and removed.

NetworkManager-l2tp-1.0.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-54c8a74b61

NetworkManager-l2tp-1.0.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-54c8a74b61

NetworkManager-l2tp-1.0.2-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.

I came here because error "result_code_avp: avp is incorrect size.  8 < 10"

Once I installed libreswan with

> dnf install libreswan.x86_64

now it is working.

I hope it helps