Ovpn, L2TP & IPsec client connection for newbies

Hello
I have been struggling for some days now to get VPN connections to different servers using ovpn, L2TP & IPsec. I have read a large number of websites that primarily involve installing services in the terminal but without success. My frustration is that my colleagues on mac & windows breeze through this same process with only the most rudimentary connection information. I have tried to get the Gnome implementation going … but without success.
So, for those that are not IT and are not looking for a hardcore terminal session, is there an app for lazy VPN users like me, that can guide me through the issues?
If not, is there somewhere a detailed idiot's guide to troubleshooting the Advanced Network Configurations app, or just to troubleshooting VPN altogether?
Many thanks for any advice.

An example …

[admin@lowrocky ~]$ sudo openvpn --config /etc/openvpn/client/config_openvpn_bridge_christopher.ovpn
Thu Jul 14 17:03:28 2022 OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Thu Jul 14 17:03:28 2022 library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
Enter Auth Username: **********
Enter Auth Password: **********
Thu Jul 14 17:03:45 2022 TCP/UDP: Preserving recently used remote address: [AF_INET]78.193.192.14:32048
Thu Jul 14 17:03:45 2022 UDP link local: (not bound)
Thu Jul 14 17:03:45 2022 UDP link remote: [AF_INET]78.193.****.***:32048
Thu Jul 14 17:03:45 2022 read UDP [ECONNREFUSED]: Connection refused (code=111)
Thu Jul 14 17:03:47 2022 read UDP [ECONNREFUSED]: Connection refused (code=111)
Thu Jul 14 17:03:51 2022 read UDP [ECONNREFUSED]: Connection refused (code=111)
^CThu Jul 14 17:03:54 2022 event_wait : Interrupted system call (code=4)
Thu Jul 14 17:03:54 2022 SIGTERM received, sending exit notification to peer
Thu Jul 14 17:03:57 2022 SIGTERM[soft,exit-with-notification] received, process exiting

Install the Network Manager OpenVPN plugins and it can then be configured through Network Manager and the little network icon available in the desktop:

[root@rocky ~]# dnf search openvpn
Last metadata expiration check: 1 day, 19:45:40 ago on Tue 12 Jul 2022 21:31:37 CEST.
====================================== Name Exactly Matched: openvpn ======================================
openvpn.x86_64 : A full-featured SSL VPN solution
===================================== Name & Summary Matched: openvpn =====================================
NetworkManager-openvpn.x86_64 : NetworkManager VPN plugin for OpenVPN
NetworkManager-openvpn-gnome.x86_64 : NetworkManager VPN plugin for OpenVPN - GNOME files

and then import the ovpn file.

Thank you for your suggestions. You have introduced me to a very useful command

dnf search openvpn

I have installed everything that I can for

dnf search openvpn
dnf search l2TP
dnf search ipsec
dnf search strongswan

Strongswan is needed for IKEv2 connections.

After a machine restart the protocols show up in both the GNOME network settings list and the “Advanced Network Configuration” app.

There is lots of confusion on the internet about libreswan and strongswan. Do they conflict as I have taken both?

For all these services, all the connections fail. To see a live system log of the connection failures when connecting using the Network Manager VPN menu:

sudo journalctl -f

ovpn

Jul 15 10:55:21 lowrocky nm-openvpn[7234]: OpenVPN 2.4.12 x86_64-redhat-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Mar 17 2022
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: library versions: OpenSSL 1.1.1k  FIPS 25 Mar 2021, LZO 2.08
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: TCP/UDP: Preserving recently used remote address: [AF_INET]78.193.192.14:32048
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: UDP link local: (not bound)
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: UDP link remote: [AF_INET]78.193.***.**:32048
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: NOTE: UID/GID downgrade will be delayed because of --client, --pull, or --up-delay
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: read UDP [ECONNREFUSED]: Connection refused (code=111)
Jul 15 10:55:23 lowrocky nm-openvpn[7234]: read UDP [ECONNREFUSED]: Connection refused (code=111)
Jul 15 10:55:27 lowrocky nm-openvpn[7234]: read UDP [ECONNREFUSED]: Connection refused (code=111)
Jul 15 10:55:35 lowrocky nm-openvpn[7234]: read UDP [ECONNREFUSED]: Connection refused (code=111)
Jul 15 10:55:45 lowrocky NetworkManager[1663]: <warn>  [1657875345.6250] vpn[0x56074f04c220,d7635a5d-005d-46f2-97f3-5996f64784fe,"config_openvpn_bridge_christ"]: connect timeout exceeded
Jul 15 10:55:45 lowrocky nm-openvpn-serv[7198]: Connect timer expired, disconnecting.
Jul 15 10:55:45 lowrocky nm-openvpn[7201]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 15 10:55:45 lowrocky nm-openvpn[7201]: TLS Error: TLS handshake failed
Jul 15 10:55:45 lowrocky nm-openvpn[7201]: SIGTERM[hard,tls-error] received, process exiting

IKEv2 error

Jul 15 10:58:24 lowrocky NetworkManager[1663]: <info>  [1657875504.7641] vpn[0x56074f04c9a0,30211bf0-950c-4c11-b2e1-7bb2881d6276,"IKEv2 christopher.freeboxos.fr"]: starting strongswan
Jul 15 10:58:24 lowrocky NetworkManager[1663]: <info>  [1657875504.7645] audit: op="connection-activate" uuid="30211bf0-950c-4c11-b2e1-7bb2881d6276" name="IKEv2 christopher.freeboxos.fr" pid=3747 uid=1000 result="success"
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[DMN] Starting charon NetworkManager backend (strongSwan 5.9.6)
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[PTS] TPM 2.0 - could not load "libtss2-tcti-tabrmd.so.0"
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[LIB] plugin 'tpm': failed to load - tpm_plugin_create returned NULL
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[LIB] OpenSSL FIPS mode(0) - disabled
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[LIB] created TUN device: tun0
Jul 15 10:58:24 lowrocky NetworkManager[1663]: <info>  [1657875504.7851] manager: (tun0): new Tun device (/org/freedesktop/NetworkManager/Devices/11)
Jul 15 10:58:24 lowrocky systemd-udevd[7308]: link_config: autonegotiation is unset or enabled, the speed and duplex are not writable.
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[LIB] loaded plugins: nm-backend charon-nm pkcs11 aesni aes des rc2 sha2 sha1 md4 md5 mgf1 random nonce x509 revocation constraints pkcs1 pkcs7 sshkey pem openssl gcrypt pkcs8 fips-prf gmp curve25519 chapoly xcbc cmac hmac kdf ctr ccm gcm drbg newhope curl kernel-netlink socket-default bypass-lan eap-identity eap-md5 eap-gtc eap-mschapv2 eap-tls eap-ttls eap-peap
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[LIB] dropped capabilities, running as uid 0, gid 0
Jul 15 10:58:24 lowrocky charon-nm[7305]: 00[JOB] spawning 16 worker threads
Jul 15 10:58:24 lowrocky charon-nm[7305]: 07[IKE] installed bypass policy for 192.168.0.0/24
Jul 15 10:58:24 lowrocky dbus-daemon[1318]: [system] Activating service name='org.fedoraproject.Setroubleshootd' requested by ':1.25' (uid=0 pid=1281 comm="/usr/sbin/sedispatch " label="system_u:system_r:auditd_t:s0") (using servicehelper)
Jul 15 10:58:24 lowrocky charon-nm[7305]: 07[IKE] installed bypass policy for 192.168.122.0/24
Jul 15 10:58:24 lowrocky charon-nm[7305]: 07[IKE] installed bypass policy for ::1/128
Jul 15 10:58:24 lowrocky charon-nm[7305]: 07[IKE] installed bypass policy for 2a01:e34:ecbd:9200::/64
Jul 15 10:58:24 lowrocky charon-nm[7305]: 07[IKE] installed bypass policy for fe80::/64
Jul 15 10:58:24 lowrocky charon-nm[7305]: 07[IKE] interface change for bypass policy for fe80::/64 (from ipsec0 to wlp112s0)
Jul 15 10:58:24 lowrocky charon-nm[7305]: 06[CFG] received initiate for NetworkManager connection IKEv2 christopher.freeboxos.fr
Jul 15 10:58:24 lowrocky charon-nm[7305]: 06[CFG] using gateway identity '79.193.**.**'
Jul 15 10:58:24 lowrocky charon-nm[7305]: 06[IKE] initiating IKE_SA IKEv2 christopher.freeboxos.fr[1] to 79.193.***.**
Jul 15 10:58:24 lowrocky charon-nm[7305]: 06[ENC] generating IKE_SA_INIT request 0 [ SA KE No N(NATD_S_IP) N(NATD_D_IP) N(FRAG_SUP) N(HASH_ALG) N(REDIR_SUP) ]
Jul 15 10:58:24 lowrocky charon-nm[7305]: 06[NET] sending packet: from 192.168.0.32[33362] to 79.193.***.**[500] (1016 bytes)
Jul 15 10:58:25 lowrocky dbus-daemon[1318]: [system] Successfully activated service 'org.fedoraproject.Setroubleshootd'
Jul 15 10:58:26 lowrocky setroubleshoot[7328]: AnalyzeThread.run(): Cancel pending alarm
Jul 15 10:58:26 lowrocky setroubleshoot[7328]: failed to retrieve rpm info for /dev/tpmrm0
Jul 15 10:58:26 lowrocky dbus-daemon[1318]: [system] Activating service name='org.fedoraproject.SetroubleshootPrivileged' requested by ':1.2118' (uid=991 pid=7328 comm="/usr/libexec/platform-python -Es /usr/sbin/setroub" label="system_u:system_r:setroubleshootd_t:s0-s0:c0.c1023") (using servicehelper)
Jul 15 10:58:26 lowrocky dbus-daemon[1318]: [system] Successfully activated service 'org.fedoraproject.SetroubleshootPrivileged'
Jul 15 10:58:27 lowrocky setroubleshoot[7328]: SELinux is preventing /usr/sbin/charon-systemd from getattr access on the chr_file /dev/tpmrm0. For complete SELinux messages run: sealert -l d7b4ab82-8db2-44d0-ae2e-7a4c61fda00a
Jul 15 10:58:27 lowrocky setroubleshoot[7328]: SELinux is preventing /usr/sbin/charon-systemd from getattr access on the chr_file /dev/tpmrm0.
                                               
                                               *****  Plugin catchall (100. confidence) suggests   **************************
                                               
                                               If you believe that charon-systemd should be allowed getattr access on the tpmrm0 chr_file by default.
                                               Then you should report this as a bug.
                                               You can generate a local policy module to allow this access.
                                               Do
                                               allow this access for now by executing:
                                               # ausearch -c 'charon-systemd' --raw | audit2allow -M my-charonsystemd
                                               # semodule -X 300 -i my-charonsystemd.pp
                                               
Jul 15 10:58:27 lowrocky setroubleshoot[7328]: AnalyzeThread.run(): Set alarm timeout to 10
Jul 15 10:58:28 lowrocky charon-nm[7305]: 16[IKE] retransmit 1 of request with message ID 0
Jul 15 10:58:28 lowrocky charon-nm[7305]: 16[NET] sending packet: from 192.168.0.32[33362] to 79.193.***.**[500] (1016 bytes)
Jul 15 10:58:35 lowrocky charon-nm[7305]: 01[IKE] retransmit 2 of request with message ID 0
Jul 15 10:58:35 lowrocky charon-nm[7305]: 01[NET] sending packet: from 192.168.0.32[33362] to 79.193.192.**[500] (1016 bytes)
Jul 15 10:58:48 lowrocky charon-nm[7305]: 04[IKE] retransmit 3 of request with message ID 0
Jul 15 10:58:48 lowrocky charon-nm[7305]: 04[NET] sending packet: from 192.168.0.32[33362] to 79.193.***.**[500] (1016 bytes)
Jul 15 10:59:12 lowrocky charon-nm[7305]: 08[IKE] retransmit 4 of request with message ID 0
Jul 15 10:59:12 lowrocky charon-nm[7305]: 08[NET] sending packet: from 192.168.0.32[33362] to 79.193.***.**[500] (1016 bytes)
Jul 15 10:59:24 lowrocky NetworkManager[1663]: <warn>  [1657875564.6245] vpn[0x56074f04c9a0,30211bf0-950c-4c11-b2e1-7bb2881d6276,"IKEv2 christopher.freeboxos.fr"]: connect timeout exceeded
Jul 15 10:59:24 lowrocky charon-nm[7305]: Connect timer expired, disconnecting.
Jul 15 10:59:24 lowrocky charon-nm[7305]: 09[IKE] destroying IKE_SA in state CONNECTING without notification
^C

L2TP error

Jul 15 11:08:53 lowrocky NetworkManager[1663]: <warn>  [1657876133.4433] vpn[0x56074f04c4a0,da0b0430-6998-4991-93b5-81c9060f1dca,"Sextant VPN 1"]: failed to connect: 'Could not restart the ipsec service.'
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Service RestartSec=100ms expired, scheduling restart.
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 1.
Jul 15 11:08:53 lowrocky systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 15 11:08:53 lowrocky systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 15 11:08:53 lowrocky addconn[7657]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:44: syntax error, unexpected FIRST_SPACES, expecting $end [         ]
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Control process exited, code=exited status=3
Jul 15 11:08:53 lowrocky ipsec[7665]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:44: syntax error, unexpected FIRST_SPACES, expecting $end [         ]
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Failed with result 'exit-code'.
Jul 15 11:08:53 lowrocky systemd[1]: Failed to start Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Service RestartSec=100ms expired, scheduling restart.
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Scheduled restart job, restart counter is at 2.
Jul 15 11:08:53 lowrocky systemd[1]: Stopped Internet Key Exchange (IKE) Protocol Daemon for IPsec.
Jul 15 11:08:53 lowrocky systemd[1]: Starting Internet Key Exchange (IKE) Protocol Daemon for IPsec...
Jul 15 11:08:53 lowrocky addconn[7670]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:44: syntax error, unexpected FIRST_SPACES, expecting $end [         ]
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Control process exited, code=exited status=3
Jul 15 11:08:53 lowrocky ipsec[7678]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:44: syntax error, unexpected FIRST_SPACES, expecting $end [         ]
Jul 15 11:08:53 lowrocky systemd[1]: ipsec.service: Failed with result 'exit-code'.
Jul 

I cannot see a constant in all these connection failures. They are going to different servers, and the connections work on Mac and Windows. Any ideas what I am doing wrong?

Maybe I missed it, but you don’t seem to explain what’s on the other end?

A VPN can be a server or a client (left and right). Some people say “VPN” meaning something on a laptop for remote workers, others mean a big server or network appliance running a specific type of VPN server (SSL, IKE etc).

Nearly all "VPN"s are incompatible; try using Cisco to connect to Checkpoint…

You are right, as I have not explained what I am trying to do. I am a laptop client trying to connect to 3 private routers that have 3 different VPN protocols activated.

I also use OpenConnect on a Cisco network and that works great.

I agree about OpenConnect and Cisco being good.

Are you in contact with the sysadmins at the other end? They should be able to help, and also check their logs at the exact time of your connection.

These are mostly ISP router / modems where the VPN access is managed by the box.
But I suppose what I am asking is: what in the errors shows that the services on my (the client) machine are not working properly, and what is a config / connection issue?
Many thanks

In the first one:

Check that port 32048 really is open on the remote side. Check with the owner of the “remote private router” to ensure you’re using the settings they told you to use.

In the second one:

Looks like it’s trying to use a “Trusted Platform Module”, but can’t, which then causes some SELinux errors.

In the third one

It says there’s a syntax error in the *.conf file.
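The three-way reading above (unanswered OpenVPN port, unanswered IKE_SA_INIT, local ipsec.conf syntax error) can be turned into a small triage rule set. This is an added example, not code from the thread or from NetworkManager: the sample log is constructed from the journalctl excerpts posted earlier, with the remote addresses replaced by documentation-range ones, and each finding is labelled as pointing at the laptop ("local config") or at the far end / network path ("remote/path").

```python
import re

# Constructed sample lines modelled on this thread's journalctl excerpts (addresses replaced by RFC 5737 ones)
SAMPLE_LOG = """\
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: UDP link remote: [AF_INET]192.0.2.10:32048
Jul 15 10:55:21 lowrocky nm-openvpn[7234]: read UDP [ECONNREFUSED]: Connection refused (code=111)
Jul 15 10:55:45 lowrocky nm-openvpn[7201]: TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Jul 15 10:58:24 lowrocky charon-nm[7305]: 06[NET] sending packet: from 192.168.0.32[33362] to 192.0.2.20[500] (1016 bytes)
Jul 15 10:58:28 lowrocky charon-nm[7305]: 16[IKE] retransmit 1 of request with message ID 0
Jul 15 10:59:24 lowrocky charon-nm[7305]: 09[IKE] destroying IKE_SA in state CONNECTING without notification
Jul 15 11:08:53 lowrocky addconn[7657]: cannot load config '/etc/ipsec.conf': /etc/ipsec.conf:44: syntax error, unexpected FIRST_SPACES, expecting $end [         ]
"""
# (pattern over the message part, where the fault lies, explanation); regex groups fill the {n} slots
RULES = [
    (re.compile(r"read UDP \[ECONNREFUSED\]"), "remote/path",
     "ICMP port-unreachable came back: nothing listens on that OpenVPN port, or it is not forwarded"),
    (re.compile(r"TLS key negotiation failed to occur"), "remote/path",
     "no handshake happened at all; with ECONNREFUSED before it this is unanswered packets, not certificates"),
    (re.compile(r"\[IKE\] retransmit (\d+) of request with message ID 0"), "remote/path",
     "IKE_SA_INIT to UDP/500 unanswered (retransmit {0}): gateway down, wrong address, or UDP 500/4500 filtered"),
    (re.compile(r"cannot load config '([^']+)': [^:]+:(\d+): syntax error"), "local config",
     "the IPsec daemon cannot start: fix {0} at line {1} before testing the connection again"),
]
# journalctl short format: "Mon DD HH:MM:SS host unit[pid]: message"
LINE_RE = re.compile(r"^\S+\s+\d+\s+\d\d:\d\d:\d\d\s+\S+\s+(?P<unit>[\w.-]+)\[\d+\]:\s(?P<msg>.*)$")

def triage(log_text):
    """Return (unit, fault location, explanation) for every line a rule matches; first rule wins."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips continuation lines such as setroubleshoot's indented advice
        for pattern, where, template in RULES:
            hit = pattern.search(m.group("msg"))
            if hit:
                findings.append((m.group("unit"), where, template.format(*hit.groups())))
                break
    return findings

def summarize(log_text):
    """Count findings per location: 'local config' means fix this box first, 'remote/path' means ask the other end."""
    counts = {}
    for _unit, where, _why in triage(log_text):
        counts[where] = counts.get(where, 0) + 1
    return counts

if __name__ == "__main__":
    print(*triage(SAMPLE_LOG), summarize(SAMPLE_LOG), sep="\n")
```

Replace SAMPLE_LOG with the output of `sudo journalctl --since today` to run it against a real connection attempt.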

Hello Gerry
Thank you for all your comments.
I am discovering all sorts of reasons, from how Mac & Linux manage certificates to formatting issues; it seems that these connections are far less normalised than I presumed. Mac seems to have a different strategy from strongSwan on IKEv2 certificates, and the Mac version works extremely simply on the servers that I am dealing with.

OpenVPN should work, but again the ovpn file I receive from the server seemingly needs to be parsed before being imported into GNOME.

I am frustrated that I am stumped by Mac, but I don’t have the knowledge to troubleshoot these complex issues. Thank you very much for all your help.