Can't connect two VPNs - L2TP/IPSec + IKEv2/IPSec - simultaneously

Hi there!

I’m trying to connect two different VPNs. Both are ‘local’, for work shares only.
The first is an L2TP+IPSec connection with a pre-shared key, with Kerio Control at the end; the second is an IKEv2+IPSec connection with certificates, on a MikroTik router.

Connection to Kerio works fine with the GUI or with nmcli.
Connection to MikroTik works ‘as it should’ only with nmcli. With the network-manager GUI it connects to the network, but access to the internet is gone at the same moment. As I understand it, some of the routes are not registered as they should be. So… nmcli is doing the job great :)

But in both cases there is something that I can’t understand. If Kerio is connected and at the same moment I want to connect to MikroTik, either way, with or without the GUI, the connection is established, but Kerio closes and cannot be restored. In the other case, if MikroTik was connected first, Kerio can’t establish a connection.

This is the output for the kerio connection in both cases.
nmcli connection up kerio
Error: Connection activation failed: Unknown reason
Hint: use 'journalctl -xe NM_CONNECTION=649efba3-a0dc-4fc5-af04-6287932b7015 + NM_DEVICE=wlo1' to get more details.

NetworkManager[608]: <info>  [1652083063.9583] vpn[0x55d0bc0100d0,649efba3-a0dc-4fc5-af04-6287932b7015,"kerio"]: starting l2tp
NetworkManager[608]: <warn>  [1652083081.6162] vpn[0x55d0bc0100d0,649efba3-a0dc-4fc5-af04-6287932b7015,"kerio"]: dbus: failure: connect-failed (1)
NetworkManager[608]: <warn>  [1652083081.6163] vpn[0x55d0bc0100d0,649efba3-a0dc-4fc5-af04-6287932b7015,"kerio"]: dbus: failure: connect-failed (1)

What can I do with it?
Thanks.

NetworkManager-l2tp is only a simple wrapper around strongswan or libreswan, and xl2tpd. What you are trying to do is too advanced for NetworkManager-l2tp, which restarts the IPsec daemon and points it to a custom IPsec config file for that connection. This is basically what it does:

sudo ipsec restart --conf /var/run/nm-l2tp-649efba3-a0dc-4fc5-af04-6287932b7015/ipsec.conf --debug

Any existing IPsec connection will be killed, and similarly any new simultaneous IPsec connection won’t work.

You could manually set up and start a strongswan IPsec connection and only use NetworkManager-l2tp for the L2TP connection (i.e. do not enable the IPsec checkbox in the IPsec configuration dialog box).

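The manual setup suggested in the answer above, written as a strongSwan configuration for the L2TP/IPsec leg. This is an added example, not from the thread or from the NetworkManager-l2tp project. The conn name `kerio-l2tp-ipsec`, the placeholders `VPN_SERVER_ADDRESS` and `PRE_SHARED_KEY`, and the use of strongSwan's default IKE/ESP proposals are assumptions; a gateway that rejects the defaults needs explicit `ike=` and `esp=` lines.

```conf
# ---- /etc/ipsec.conf (strongSwan, legacy ipsec.conf syntax) ----
# Hypothetical conn name; VPN_SERVER_ADDRESS is a placeholder for the
# L2TP/IPsec gateway.

conn kerio-l2tp-ipsec
    # L2TP/IPsec uses IKEv1 with a pre-shared key
    keyexchange=ikev1
    authby=secret
    # Transport mode: IPsec protects only the L2TP traffic between the hosts
    type=transport
    # Local side: address of the default-route interface, UDP port 1701 (L2TP)
    left=%defaultroute
    leftprotoport=17/1701
    # Remote side: the gateway, UDP port 1701 (L2TP)
    right=VPN_SERVER_ADDRESS
    rightprotoport=17/1701
    # Load the conn at daemon start, bring it up on demand
    auto=add

# ---- /etc/ipsec.secrets (root-only, mode 600) ----
# PRE_SHARED_KEY is a placeholder
# VPN_SERVER_ADDRESS : PSK "PRE_SHARED_KEY"

# ---- Bring-up order ----
# 1. sudo ipsec restart
# 2. sudo ipsec up kerio-l2tp-ipsec
# 3. Start the NetworkManager L2TP connection with the IPsec checkbox
#    disabled, so NetworkManager-l2tp starts only xl2tpd and does not
#    restart the IPsec daemon.
```

Keeping the pre-shared key in `/etc/ipsec.secrets` with root-only permissions matters here, because the key is no longer stored in NetworkManager's own secret storage.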