How to Fix L2TP/IPSec VPN on Fedora 43: Solving IKEv1 and kl2tpd Issues


If you recently upgraded to Fedora 43 and found your L2TP/IPSec VPN connection dead in the water, you aren’t alone. Between security policy changes in Libreswan and a bug in the new L2TP daemon (kl2tpd), getting a stable connection can be frustrating.

I recently debugged this setup and found two distinct issues blocking the connection. Here is a step-by-step guide to getting your VPN working again.


The Symptoms

You are likely facing this specific combination of problems if:

  1. NetworkManager immediately fails to connect.
  2. Libreswan logs show errors regarding “ikev1-policy”.
  3. System logs (journalctl) show “netlink” protocol errors regarding the data plane.

Here is how to fix both layers of the problem.


Issue 1: IKEv1 is Blocked by Default

The Problem

Fedora 43 ships Libreswan 5.x, which follows RFC 9395 (the deprecation of IKEv1) by setting the global ikev1-policy to drop by default. With that policy, any connection that would negotiate with IKEv1 is refused at load time, and IKEv1 packets that arrive on the wire are silently dropped. Unfortunately, the L2TP/IPsec profile used by most VPN gateways (and by the built-in Windows and macOS clients) is IKEv1-only, so the connection cannot even be loaded.

The Error

If you check your IPsec logs, you will see:

Could not add ipsec connection - global ikev1-policy=drop does not allow IKEv1 connections

The Fix

You need to explicitly allow IKEv1 in your IPsec configuration.

  1. Open the global configuration file:
sudo nano /etc/ipsec.conf
  2. Inside the config setup section, find the commented-out policy line and change it to accept.
  • Change: #ikev1-policy=drop
  • To: ikev1-policy=accept
  3. Restart the IPsec service:
sudo systemctl restart ipsec
  4. Confirm the error is gone by trying the connection again and checking the Libreswan journal:
journalctl -u ipsec -b | grep ikev1-policy

Security Note: IKEv1 is an older protocol with known weaknesses compared to IKEv2, which is why RFC 9395 deprecates it. Only enable this if your VPN provider absolutely requires L2TP/IPsec. The setting is global (it lives in config setup), so it applies to every connection this Libreswan instance loads, not only the L2TP one; if you also run IKEv2 connections on the same host, keep them explicitly on ikev2=insist so the relaxed policy does not let a peer negotiate them down.
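The three steps above, as an added shell example that is not code from the original article or from Libreswan: the functions take the config file path as a parameter so you can exercise them on a scratch copy first, keep a backup of the real file, replace the commented-out line in place (or add one under config setup if none exists), and read the effective value back. The script name fix-ikev1.sh and the --apply flag are this example's own conventions.

```sh
#!/bin/sh
# Added example, not code from the original article or from Libreswan:
# set ikev1-policy=accept in the "config setup" section of a Libreswan
# ipsec.conf idempotently, keep a backup, and read the effective value
# back. The file path is a parameter so the functions can be exercised
# on a scratch copy before touching /etc/ipsec.conf.

# Print the effective ikev1-policy: the last uncommented assignment, or
# "drop", which is what Libreswan 5.x uses when the key is absent.
get_ikev1_policy() {
    conf="${1:-/etc/ipsec.conf}"
    val=$(sed -n 's/^[[:space:]]*ikev1-policy[[:space:]]*=[[:space:]]*\([a-z]*\).*/\1/p' "$conf" | tail -n 1)
    printf '%s\n' "${val:-drop}"
}

# Rewrite the file so exactly one active "ikev1-policy=accept" line
# exists. Any existing assignment (commented out or not) is replaced in
# place; otherwise the line is added right after the "config setup"
# header, creating that section at the end if the file has none.
set_ikev1_policy_accept() {
    conf="${1:-/etc/ipsec.conf}"
    cp -p "$conf" "$conf.bak"        # backup first; awk reads the backup
    awk '
        /^[[:space:]]*#?[[:space:]]*ikev1-policy[[:space:]]*=/ {
            if (!done) { print "\tikev1-policy=accept"; done = 1 }
            next                     # drop duplicate or commented copies
        }
        { print }
        /^[[:space:]]*config[[:space:]]+setup[[:space:]]*$/ && !done {
            print "\tikev1-policy=accept"; done = 1
        }
        END {
            if (!done) { print "config setup"; print "\tikev1-policy=accept" }
        }
    ' "$conf.bak" > "$conf"
}

# Apply the fix to the live system and restart Libreswan. Run as root.
apply_ikev1_fix() {
    set_ikev1_policy_accept /etc/ipsec.conf
    systemctl restart ipsec
    echo "ikev1-policy is now: $(get_ikev1_policy /etc/ipsec.conf)"
}

# Usage: sudo sh fix-ikev1.sh --apply
if [ "${1:-}" = "--apply" ]; then
    apply_ikev1_fix
fi
```

Sourcing the file without --apply only defines the functions, so you can run get_ikev1_policy on a copy of /etc/ipsec.conf to see what Libreswan currently enforces before changing anything.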


Issue 2: kl2tpd Cannot Establish the L2TP Data Plane

The Problem

Fedora 43 switched the default L2TP daemon used by NetworkManager-l2tp from the classic C implementation, xl2tpd, to kl2tpd from the go-l2tp suite. kl2tpd currently has a bug in its interaction with newer Linux kernels: it fails when it tries to set up the L2TP data plane over netlink, so the tunnel never comes up even once the IPsec layer above is fixed.

The Error

In your journal logs (journalctl -xe), you will see a failure to establish the data plane:

failed to establish data plane: netlink receive: protocol not supported

The Workaround

The NetworkManager-l2tp plugin has a fallback mechanism. If it cannot find kl2tpd, it looks for the legacy xl2tpd binary, which still works. We can force this fallback by renaming the kl2tpd binary. Before you do, confirm that xl2tpd is actually installed (rpm -q xl2tpd, or sudo dnf install xl2tpd), otherwise NetworkManager will be left with no L2TP daemon at all.

Run the following command to “hide” kl2tpd:

sudo mv /usr/bin/kl2tpd /usr/bin/kl2tpd.bak

Now, when you attempt to connect, NetworkManager will skip the broken daemon and use xl2tpd instead. Keep in mind that this is a local workaround, not a fix: the next dnf update that reinstalls the package owning /usr/bin/kl2tpd (rpm -qf /usr/bin/kl2tpd shows which one) will put the binary back at its original path, and the failure will return until you rename it again.
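The workaround above, as an added shell example that is not code from the original article or from NetworkManager-l2tp: it reports which daemon the plugin will find (kl2tpd first, then xl2tpd, per the fallback order described above), hides kl2tpd only when xl2tpd is present, restores it again, and matches journal lines against the two error messages quoted in this article. The directory argument defaults to /usr/bin but is a parameter so the functions can be exercised against a scratch directory; the unit names passed to journalctl are an assumption about where pluto and the plugin log on Fedora.

```sh
#!/bin/sh
# Added example, not code from the original article or from
# NetworkManager-l2tp: inspect, hide and restore the L2TP daemon binary,
# and classify journal lines against the two known failures.

# Print the first daemon present in the directory, in the plugin's
# search order as described in the article: kl2tpd, then xl2tpd.
pick_l2tp_daemon() {
    dir="${1:-/usr/bin}"
    for d in kl2tpd xl2tpd; do
        if [ -x "$dir/$d" ]; then printf '%s\n' "$d"; return 0; fi
    done
    printf 'none\n'
    return 1
}

# Hide kl2tpd by renaming it. Refuses when xl2tpd is missing, because
# then the VPN would be left with no L2TP daemon at all. Idempotent.
hide_kl2tpd() {
    dir="${1:-/usr/bin}"
    if [ ! -x "$dir/xl2tpd" ]; then
        echo "xl2tpd not installed; run: sudo dnf install xl2tpd" >&2
        return 1
    fi
    [ -e "$dir/kl2tpd" ] || return 0          # already hidden
    mv "$dir/kl2tpd" "$dir/kl2tpd.bak"
}

# Put kl2tpd back once the upstream bug is fixed. Idempotent.
restore_kl2tpd() {
    dir="${1:-/usr/bin}"
    [ -e "$dir/kl2tpd.bak" ] || return 0      # nothing to restore
    mv "$dir/kl2tpd.bak" "$dir/kl2tpd"
}

# Classify one journal line: prints ikev1, kl2tpd or other.
classify_log_line() {
    case "$1" in
        *"ikev1-policy=drop does not allow IKEv1"*)        echo ikev1 ;;
        *"failed to establish data plane"*"netlink"*)      echo kl2tpd ;;
        *)                                                 echo other ;;
    esac
}

# Run the classifier over this boot's NetworkManager and Libreswan
# journal and print one line per recognised failure.
diagnose_journal() {
    journalctl -b --no-pager -u NetworkManager -u ipsec 2>/dev/null |
    while IFS= read -r line; do
        k=$(classify_log_line "$line")
        [ "$k" = other ] || printf '%s: %s\n' "$k" "$line"
    done
}

# Usage: sudo sh l2tp-fallback.sh hide | restore | diagnose
case "${1:-}" in
    hide)     hide_kl2tpd && echo "now using: $(pick_l2tp_daemon)" ;;
    restore)  restore_kl2tpd && echo "now using: $(pick_l2tp_daemon)" ;;
    diagnose) diagnose_journal ;;
esac
```

Running the diagnose subcommand after a failed connection attempt tells you at a glance which of the two layers is still broken, which is useful because the IKEv1 error hides the kl2tpd one until it is fixed.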


Summary of Fixes

Component      Issue                                    Solution
Libreswan      IKEv1 disabled by default in v5.x        Set ikev1-policy=accept in /etc/ipsec.conf
L2TP daemon    kl2tpd netlink protocol failure          Rename /usr/bin/kl2tpd to force fallback to xl2tpd

Future Proofing: Restoring kl2tpd

Eventually, the bug in kl2tpd will be patched. When that happens (keep an eye on the bug reports linked below), restore the original binary so you are back on the implementation intended for Fedora 43. A package update may already have reinstalled /usr/bin/kl2tpd for you; in that case simply delete the .bak copy.

To restore it:

sudo mv /usr/bin/kl2tpd.bak /usr/bin/kl2tpd

References & Tracking

If you want to track the progress of these bugs, check the following reports: