clients.md

Configure IPsec/L2TP VPN Clients

Read this in other languages: English, 简体中文.

Note: You may also connect using IPsec/XAuth mode, or set up IKEv2.

After setting up your own VPN server, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.

An alternative setup guide with images is available, written by Tony Tran.

---

• Platforms
  • Windows
  • OS X (macOS)
  • Android
  • iOS (iPhone/iPad)
  • Chromebook
  • Windows Phone
  • Linux
• Troubleshooting
  • Windows Error 809
  • Windows Error 628
  • Android 6 and above
  • Chromebook
  • Other errors
  • Additional steps

Windows

Windows 10 and 8.x

1. Right-click on the wireless/network icon in your system tray.
2. Select Open Network and Sharing Center.
3. Click Set up a new connection or network.
4. Select Connect to a workplace and click Next.
5. Click Use my Internet connection (VPN).
6. Enter Your VPN Server IP in the Internet address field.
7. Enter anything you like in the Destination name field, and then click Create.
8. Return to Network and Sharing Center. On the left, click Change adapter settings.
9. Right-click on the new VPN entry and choose Properties.
10. Click the Security tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the Type of VPN.
11. Click Allow these protocols. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
12. Click the Advanced settings button.
13. Select Use preshared key for authentication and enter Your VPN IPsec PSK for the Key.
14. Click OK to close the Advanced settings.
15. Click OK to save the VPN connection details.

Note: A one-time registry change is required before connecting. See details below.

Windows 7, Vista and XP

1. Click on the Start Menu and go to the Control Panel.
2. Go to the Network and Internet section.
3. Click Network and Sharing Center.
4. Click Set up a new connection or network.
5. Select Connect to a workplace and click Next.
6. Click Use my Internet connection (VPN).
7. Enter Your VPN Server IP in the Internet address field.
8. Enter anything you like in the Destination name field.
9. Check the Don't connect now; just set it up so I can connect later checkbox.
10. Click Next.
11. Enter Your VPN Username in the User name field.
12. Enter Your VPN Password in the Password field.
13. Check the Remember this password checkbox.
14. Click Create, and then Close.
15. Return to Network and Sharing Center. On the left, click Change adapter settings.
16. Right-click on the new VPN entry and choose Properties.
17. Click the Options tab and uncheck Include Windows logon domain.
18. Click the Security tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for the Type of VPN.
19. Click Allow these protocols. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
20. Click the Advanced settings button.
21. Select Use preshared key for authentication and enter Your VPN IPsec PSK for the Key.
22. Click OK to close the Advanced settings.
23. Click OK to save the VPN connection details.

Note: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).

To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. If prompted, enter Your VPN Username and Password, then click OK. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

OS X

1. Open System Preferences and go to the Network section.
2. Click the + button in the lower-left corner of the window.
3. Select VPN from the Interface drop-down menu.
4. Select L2TP over IPSec from the VPN Type drop-down menu.
5. Enter anything you like for the Service Name.
6. Click Create.
7. Enter Your VPN Server IP for the Server Address.
8. Enter Your VPN Username for the Account Name.
9. Click the Authentication Settings button.
10. In the User Authentication section, select the Password radio button and enter Your VPN Password.
11. In the Machine Authentication section, select the Shared Secret radio button and enter Your VPN IPsec PSK.
12. Click OK.
13. Check the Show VPN status in menu bar checkbox.
14. Click the Advanced button and make sure the Send all traffic over VPN connection checkbox is checked.
15. Click the TCP/IP tab, and make sure Link-local only is selected in the Configure IPv6 section.
16. Click OK to close the Advanced settings, and then click Apply to save the VPN connection information.

To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose Connect. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

Android

1. Launch the Settings application.
2. Tap More... in the Wireless & Networks section.
3. Tap VPN.
4. Tap Add VPN Profile or the + icon at top-right of screen.
5. Enter anything you like in the Name field.
6. Select L2TP/IPSec PSK in the Type drop-down menu.
7. Enter Your VPN Server IP in the Server address field.
8. Enter Your VPN IPsec PSK in the IPSec pre-shared key field.
9. Tap Save.
10. Tap the new VPN connection.
11. Enter Your VPN Username in the Username field.
12. Enter Your VPN Password in the Password field.
13. Check the Save account information checkbox.
14. Tap Connect.

Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

iOS

1. Go to Settings -> General -> VPN.
2. Tap Add VPN Configuration....
3. Tap Type. Select L2TP and go back.
4. Tap Description and enter anything you like.
5. Tap Server and enter Your VPN Server IP.
6. Tap Account and enter Your VPN Username.
7. Tap Password and enter Your VPN Password.
8. Tap Secret and enter Your VPN IPsec PSK.
9. Make sure the Send All Traffic switch is ON.
10. Tap Done.
11. Slide the VPN switch ON.

Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

Chromebook

1. If you haven't already, sign in to your Chromebook.
2. Click the status area, where your account picture appears.
3. Click Settings.
4. In the Internet connection section, click Add connection.
5. Click Add OpenVPN / L2TP.
6. Enter Your VPN Server IP for the Server hostname.
7. Enter anything you like for the Service name.
8. Make sure Provider type is L2TP/IPSec + pre-shared key.
9. Enter Your VPN IPsec PSK for the Pre-shared key.
10. Enter Your VPN Username for the Username.
11. Enter Your VPN Password for the Password.
12. Click Connect.

Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

If you get an error when trying to connect, see Troubleshooting.

Windows Phone

Users with Windows Phone 8.1 and above, try this tutorial. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".

Linux

Instructions below are based on the work of Peter Sanford. Commands must be run as root on your VPN client.

To set up the VPN client, first install the following packages:

# Ubuntu & Debian
apt-get update
apt-get -y install strongswan xl2tpd

# CentOS & RHEL
yum -y install epel-release
yum -y install strongswan xl2tpd

# Fedora
yum -y install strongswan xl2tpd

Create VPN variables (replace with actual values):

VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username'
VPN_PASSWORD='your_vpn_password'

Configure strongSwan:

cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp1024,3des-sha1-modp1024!
  esp=aes128-sha1-modp1024,3des-sha1-modp1024!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF

chmod 600 /etc/ipsec.secrets

# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets

Configure xl2tpd:

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

chmod 600 /etc/ppp/options.l2tpd.client

The VPN client setup is now complete. Follow the steps below to connect.

Note: You must repeat all steps below every time you try to connect to the VPN.

Create xl2tpd control file:

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control

Restart services:

service strongswan restart
service xl2tpd restart

Start the IPsec connection:

# Ubuntu & Debian
ipsec up myvpn

# CentOS/RHEL & Fedora
strongswan up myvpn

Start the L2TP connection:

echo "c myvpn" > /var/run/xl2tpd/l2tp-control

Run ifconfig and check the output. You should now see a new interface ppp0.

Check your existing default route:

ip route

Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.

Exclude your VPN server's IP from the new default route (replace with actual value):

route add YOUR_VPN_SERVER_IP gw X.X.X.X

If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):

route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X

Add a new default route to start routing traffic via the VPN server：

route add default dev ppp0

The VPN connection is now complete. Verify that your traffic is being routed properly:

wget -qO- http://ipv4.icanhazip.com; echo

The above command should return Your VPN Server IP.

To stop routing traffic via the VPN server:

route del default dev ppp0

To disconnect:

# Ubuntu & Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn

# CentOS/RHEL & Fedora
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn

Troubleshooting

Read this in other languages: English, 简体中文.

Windows Error 809

The network connection between your computer and the VPN server could not be established because the remote server is not responding.

To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Refer to the linked web page, or run the following from an elevated command prompt. When finished, reboot your PC.

• For Windows Vista, 7, 8.x and 10

  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

• For Windows XP ONLY

  REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f

Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.

REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f

Windows Error 628

The connection was terminated by the remote computer before it could be completed.

To fix this error, please follow these steps:

1. Right-click on the wireless/network icon in system tray, select Open Network and Sharing Center.
2. On the left, click Change adapter settings. Right-click on the new VPN and choose Properties.
3. Click the Security tab. Select "Layer 2 Tunneling Protocol with IPsec (L2TP/IPSec)" for Type of VPN.
4. Click Allow these protocols. Be sure to select the "Challenge Handshake Authentication Protocol (CHAP)" checkbox.
5. Click the Advanced settings button.
6. Select Use preshared key for authentication and enter Your VPN IPsec PSK for the Key.
7. Click OK to close the Advanced settings.
8. Click OK to save the VPN connection details.

Android 6 and above

If you are unable to connect using Android 6 or above:

1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists, enable it and reconnect the VPN. If not, try the next step.
2. (For Android 7.1.2 and newer) Edit /etc/ipsec.conf on the VPN server. Append ,aes256-sha2_512 to the end of both ike= and phase2alg= lines. Save the file and run service ipsec restart. (Ref) Note that the latest version of VPN scripts already includes this change.
3. Edit /etc/ipsec.conf on the VPN server. Find sha2-truncbug=yes and replace it with sha2-truncbug=no, indented with two spaces. Save the file and run service ipsec restart. (Ref)

Chromebook

Chromebook users: If you are unable to connect, try this workaround. Alternatively, edit /etc/ipsec.conf on the VPN server, find sha2-truncbug=yes and replace it with sha2-truncbug=no. Save the file and run service ipsec restart.

Other errors

If you encounter other errors, refer to the links below:

• http://www.tp-link.com/en/faq-1029.html
• https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Common_Connection_Issues
• https://blogs.technet.microsoft.com/rrasblog/2009/08/12/troubleshooting-common-vpn-related-errors/

Additional steps

Please try these additional troubleshooting steps:

First, restart services on the VPN server:

service ipsec restart
service xl2tpd restart

If using Docker, run docker restart ipsec-vpn-server.

Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.

Check the Libreswan (IPsec) and xl2tpd logs for errors:

# Ubuntu & Debian
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog

# CentOS & RHEL
grep pluto /var/log/secure
grep xl2tpd /var/log/messages

Check status of the IPsec VPN server:

ipsec status
ipsec verify

Show current established VPN connections:

ipsec whack --trafficstatus

Credits

This document was adapted from the Streisand project, maintained by Joshua Lund and contributors.

License

Note: This license applies to this document only.

Copyright (C) 2016-2017 Lin Song
Based on the work of Joshua Lund (Copyright 2014-2016)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.