Troubleshooting L2TP/IPsec connection errors "Could not add IPsec connection" and "no acceptable traffic selectors found"

20 February 2026 15:00

After upgrading to Linux Mint 22.3 "Zena" based on Ubuntu 24.04 LTS "Noble," my L2TP/IPsec VPN connection to my home network stopped working. Here's the solution.

Note

This article describes connecting to a home VPN, which in my case uses the L2TP/IPsec (IKEv1) type.
I previously used the tunnel to stream audio from a radio speaker to my smartphone via the SoundWire app.

This article is not an advertisement for VPN internet technologies, but rather describes a solution to a technical issue with Linux OS.

Introduction

The error "Could not add IPsec connection." appears in the journalctl log when attempting to connect to an L2TP over IPsec VPN. The connection attempt starts and then drops after a few seconds: the system falls back to the wired connection without displaying an error message.

The journalctl log shows the NetworkManager warning "no acceptable traffic selectors found." Connecting to an L2TP/IPsec VPN on the Linux Green operating system, which is based on Linux Mint 21.3, doesn't produce this error. The connection parameters are the same in Linux Mint 22.3 and 21.3.

0. Linux version with the problem

lsb_release -a
No LSB modules are available.
Distributor ID: Linuxmint
Description:    Linux Mint 22.3
Release:        22.3
Codename:       zena

1. NetworkManager "L2TP" Plugin Update

This update does not fix the NetworkManager bug, but it does allow L2TP/IPsec VPN connections to function properly.

Linux Mint has an outdated version of the networkmanager-l2tp plugin. I updated it to the latest version:

1.1 Adding the ppa:nm-l2tp/network-manager-l2tp PPA repository to the system:

sudo add-apt-repository ppa:nm-l2tp/network-manager-l2tp

1.2 Adding a repository signing key

gpg --keyserver keyserver.ubuntu.com --recv 80B70870665AB177
gpg --export 80B70870665AB177 | sudo tee /etc/apt/trusted.gpg.d/networkmanager-l2tp.gpg > /dev/null

The NetworkManager repository key was saved to the keyring in the file networkmanager-l2tp.gpg.

1.3 Editing the networkmanager-l2tp repository description file, which is contained in the current version of Linux Mint in the file /etc/apt/sources.list.d/nm-l2tp-network-manager-l2tp-noble.list:

cd /etc/apt/sources.list.d/
ls
sudo nano nm-l2tp-network-manager-l2tp-noble.list 

In the file, I changed the "signed-by" value from noble/keyrings to /etc/apt/trusted.gpg.d/networkmanager-l2tp.gpg:

deb [signed-by=/etc/apt/trusted.gpg.d/networkmanager-l2tp.gpg] https://ppa.launchpadcontent.net/nm-l2tp/network-manager-l2tp/ubuntu noble main

sudo apt update
sudo apt upgrade
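
To confirm what steps 1.2 and 1.3 leave behind, the following added example (not part of the original article) reports how each APT source entry is tied to a signing key. The function name apt_pin_status and the example.invalid entry are assumptions made for the illustration; the first sample line is the entry from step 1.3.

```sh
# Added example: report how each APT source entry is tied to a signing key.

# apt_pin_status FILE: print "STATUS KEYRING URI" for every deb/deb-src line.
#   pinned         signed-by points at a keyring outside trusted.gpg.d
#   pinned-global  signed-by is set, but the keyring is in trusted.gpg.d,
#                  which apt also accepts for sources without signed-by
#   unpinned       no signed-by option at all
apt_pin_status() {
    awk '
        { sub(/#.*/, "") }                          # ignore comments
        $1 != "deb" && $1 != "deb-src" { next }
        {
            key = "-"; line = $0
            if (match(line, /\[[^]]*\]/)) {         # the [options] block
                n = split(substr(line, RSTART + 1, RLENGTH - 2), opt, /[ \t]+/)
                for (i = 1; i <= n; i++)
                    if (opt[i] ~ /^signed-by=/) key = substr(opt[i], 11)
                sub(/\[[^]]*\]/, "", line)
            }
            split(line, f, " ")                     # f[2] is the repository URI
            status = "pinned"
            if (key == "-") status = "unpinned"
            else if (key ~ /^\/etc\/apt\/trusted\.gpg\.d\//) status = "pinned-global"
            print status, key, f[2]
        }
    ' "$1"
}

# Constructed sample: the entry from step 1.3 plus a hypothetical unpinned one.
sample=$(mktemp)
cat > "$sample" <<'EOF'
deb [signed-by=/etc/apt/trusted.gpg.d/networkmanager-l2tp.gpg] https://ppa.launchpadcontent.net/nm-l2tp/network-manager-l2tp/ubuntu noble main
deb https://example.invalid/ubuntu noble main
EOF
apt_pin_status "$sample"
rm -f "$sample"
```

On a live system, run apt_pin_status against each file in /etc/apt/sources.list.d/ that uses the one-line "deb" format.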

1.4 Reinstalling the "networkmanager-l2tp" package

sudo apt install --reinstall network-manager-l2tp network-manager-gnome

The visual difference between the new version of the networkmanager-l2tp plugin and the old one is the text fields with a gradient or shadow effect.

2. Replacing the LibreSwan package with StrongSwan

Since many guides recommend replacing LibreSwan with StrongSwan, I followed the same approach.

sudo apt remove libreswan

Removing the libreswan package will automatically install the StrongSwan component for IPsec/L2TP VPN.

3. Editing the /etc/strongswan.conf configuration file

sudo nano /etc/strongswan.conf

The file should look like this:

# strongswan.conf - strongSwan configuration file
#
# Refer to the strongswan.conf(5) manpage for details
#
# Configuration changes should be made in the included files

charon {
        load_modular = yes
        plugins {
                include strongswan.d/charon/*.conf
        }
}

include strongswan.d/*.conf

Here the default load_modular = no has been replaced with load_modular = yes. When load_modular is enabled, the plugin list is generated dynamically, based solely on the loading settings specific to each plugin. This list completely replaces the list created during compilation.

Press Ctrl+O, Ctrl+X.

As we can see, the strongswan.conf file references the configuration files in the strongswan.d subdirectory.

4. Editing the /etc/strongswan.d/charon.conf configuration file

sudo nano /etc/strongswan.d/charon.conf

Find the line "cisco_unity", remove the comment sign (#) at the beginning of the line, and assign it the value "no" instead of "yes". It should look like this:

cisco_unity = no

This line disables the Cisco flag, which affects L2TP/IPsec (IKEv1) connection establishment.

The charon.conf file without the comment lines looks like this:

charon {
    cisco_unity = no
    crypto_test {
    }
    host_resolver {
    }
    leak_detective {
    }
    processor {
        priority_threads {
        }
    }
    start-scripts {
    }
    stop-scripts {
    }
    tls {
    }
    x509 {
    }
}

Save the file: Ctrl+O, Ctrl+X.

5. Creating the file /etc/strongswan.d/charon/unity.conf

If the file doesn't exist, create it:

sudo nano /etc/strongswan.d/charon/unity.conf

The file should look like this:

unity {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = no
}

Press Ctrl+O, Ctrl+X.

We see that Unity loading is disabled: load=no. The Unity plugin provides libcharon support for some parts of the Cisco Unity Extensions for the IKEv1 protocol.
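
A quick way to confirm that the edits from steps 3-5 are really in effect (a setting that is still commented out, or a missing unity.conf, counts as not applied) is the added example below, which is not part of the original article. The function names swan_get, expect_setting, check_l2tp_swan and make_sample are hypothetical, and the sample files are constructed.

```sh
# Added example: confirm the settings from steps 3-5 are really in effect.

# swan_get FILE SECTION.KEY: print an uncommented setting, exit 1 if absent.
swan_get() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                          # strip comments
        /^[ \t]*$/ || /^[ \t]*include[ \t]/ { next }
        /[{][ \t]*$/ {                              # "name {" opens a section
            n = $0; sub(/[ \t]*[{][ \t]*$/, "", n); sub(/^[ \t]+/, "", n)
            stack[++depth] = n; next
        }
        /^[ \t]*[}]/ { if (depth > 0) depth--; next }
        /=/ {
            k = $0; sub(/[ \t]*=.*/, "", k); sub(/^[ \t]+/, "", k)
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]+$/, "", v)
            p = ""; for (i = 1; i <= depth; i++) p = p stack[i] "."
            if ((p k) == want) found = v
        }
        END { if (found == "") exit 1; print found }
    ' "$1"
}

expect_setting() {   # FILE SECTION.KEY WANTED
    got=$(swan_get "$1" "$2" 2>/dev/null) || got="(missing or commented out)"
    if [ "$got" = "$3" ]; then echo "ok   $1: $2 = $got"; return 0; fi
    echo "FAIL $1: $2 is $got, expected $3"; return 1
}

# check_l2tp_swan ETC_DIR: returns 0 only if all three files match the article.
check_l2tp_swan() {
    rc=0
    expect_setting "$1/strongswan.conf" charon.load_modular yes || rc=1
    expect_setting "$1/strongswan.d/charon.conf" charon.cisco_unity no || rc=1
    expect_setting "$1/strongswan.d/charon/unity.conf" unity.load no || rc=1
    return $rc
}

# make_sample DIR LINE: constructed files; LINE is the cisco_unity line.
make_sample() {
    mkdir -p "$1/strongswan.d/charon"
    printf 'charon {\n    load_modular = yes\n}\n' > "$1/strongswan.conf"
    printf 'charon {\n    %s\n    tls {\n    }\n}\n' "$2" > "$1/strongswan.d/charon.conf"
    printf 'unity {\n    load = no\n}\n' > "$1/strongswan.d/charon/unity.conf"
}

d=$(mktemp -d)
make_sample "$d" "# cisco_unity = no"     # constructed: step 4 left commented
check_l2tp_swan "$d" || echo "=> correct the FAIL lines before reconnecting"
rm -rf "$d"
```

On the real system, call check_l2tp_swan /etc. The parser expects one setting or section per line, as in the files shown above.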

6. Diagnostics

The standard journalctl -xe command doesn't provide complete information about NetworkManager errors. If a connection cannot be established, the log displays only one message: "Could not add ipsec connection.", without specifying the reason.

In a separate terminal window, run the command to display a detailed NetworkManager log:

sudo journalctl -f -n 20 --no-hostname _SYSTEMD_UNIT=NetworkManager.service + _COMM=kl2tpd + SYSLOG_IDENTIFIER=pppd

7. Testing the Connection

To "start" the connection, run in the terminal:

sudo nmcli c up --ask "VPN IPsec"

where "VPN IPsec" is the name of the L2TP/IPsec connection. Alternatively, you can enable the VPN connection through the NetworkManager plugin graphical interface in the system tray (near the clock).

If the connection is successful, nmcli will display the following message in the terminal:
"Connection successfully activated (active D-Bus path: /org/freedesktop/NetworkManager/ActiveConnection/18)"

Or, a pop-up message indicating a successful connection will briefly appear in the upper corner of the screen. The Ethernet connection icon in the system tray will change to a lock symbol.

If the connection was unsuccessful, check the extended NetworkManager log (in the current or another Terminal window):

sudo journalctl -f -n 20 --no-hostname _SYSTEMD_UNIT=NetworkManager.service + _COMM=kl2tpd + SYSLOG_IDENTIFIER=pppd

When successfully connecting to an L2TP/IPsec (IKEv1) VPN, the terminal window periodically displays messages about "keep-alive" packets.

 
