How to configure IPsec/L2TP VPN Clients on Linux

After setting up your own VPN server, follow these steps to configure your devices. If you are unable to connect, first check that the VPN credentials were entered correctly.

Commands must be run as root on your VPN client.

To set up the VPN client, first install the following packages:

Create VPN variables (replace with actual values):

Configure strongSwan:

Configure xl2tpd:

The VPN client setup is now complete. Follow the steps below to connect.

Note: You must repeat all steps below every time you try to connect to the VPN.

Create xl2tpd control file:

Restart services:

Start the IPsec connection:

Start the L2TP connection:

Run ifconfig and check the output. You should now see a new interface ppp0.

Check your existing default route:

Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.

Exclude your VPN server’s IP from the new default route (replace with actual value):

If your VPN client is a remote server, you must also exclude your local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):

Add a new default route to start routing traffic via the VPN server:

The VPN connection is now complete. Verify that your traffic is being routed properly:

The above command should return your VPN server's IP.

To stop routing traffic via the VPN server:

To disconnect:
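The routing steps above (write down the gateway, exclude the VPN server's IP and, on a remote client, your local PC's public IP, add the default route via ppp0, and later undo it) as a small script. This is an added example, not code from the original post: it assumes iproute2's `ip route` rather than the legacy `route` tool, that the L2TP interface is ppp0, and that you pass in the gateway you noted from `ip route show`; every address is validated before a command is emitted, because the output is meant to be piped to a root shell.

```shell
#!/bin/sh
# Added example (not part of the original post): emit the route commands for the
# "exclude, then default via ppp0" steps, and reverse them on "down".
# Assumptions: iproute2 `ip route`, L2TP interface ppp0, gateway supplied by the caller.

# Print the gateway from the "default via X.X.X.X ..." line of `ip route show` output on stdin.
default_gateway() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# Accept only a dotted-quad IPv4 address (four octets, each 0-255), so a mistyped or
# hostile value can never reach the route commands that are later piped to a root shell.
is_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do [ "$octet" -le 255 ] || return 1; done
}

# vpn_route_cmds up|down GATEWAY VPN_SERVER_IP [LOCAL_PC_IP]
# Emits one command per line; `replace` keeps each step idempotent if you re-run it.
vpn_route_cmds() {
    action=$1; gw=$2; server=$3; local_pc=$4
    is_ipv4 "$gw" && is_ipv4 "$server" || return 1
    if [ -n "$local_pc" ] && ! is_ipv4 "$local_pc"; then return 1; fi
    case "$action" in
    up)
        # Host routes keep IKE/ESP to the server (and your SSH session) off the tunnel.
        echo "ip route replace $server via $gw"
        [ -n "$local_pc" ] && echo "ip route replace $local_pc via $gw"
        echo "ip route replace default dev ppp0"
        ;;
    down)
        echo "ip route del default dev ppp0"
        echo "ip route replace default via $gw"
        echo "ip route del $server via $gw"
        [ -n "$local_pc" ] && echo "ip route del $local_pc via $gw"
        ;;
    *) return 1 ;;
    esac
    return 0
}

# Live use as root: GW=$(ip route show | default_gateway), then
#   ./vpn-routes.sh up "$GW" VPN_SERVER_IP [LOCAL_PC_IP]   (review the output, then pipe it to sh)
if [ $# -ge 3 ]; then
    vpn_route_cmds "$1" "$2" "$3" "$4"
fi
```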

2 thoughts on “How to configure IPsec/L2TP VPN Clients on Linux”

  1. Is there a way for me to specify which IP should the client use? I have observed that I can specify the IP to be used by the machine on my Mac, and was hoping I can also specify this when connecting via a CentOS box.

  2. Hello, please help.
    root@frontlogistics-dev /var/log # ipsec up vpn
    initiating Main Mode IKE_SA vpn[1] to 92.242.39.89
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (180 bytes)
    received packet: from 92.242.39.89[500] to 185.40.30.244[500] (160 bytes)
    parsed ID_PROT response 0 [ SA V V V V ]
    received NAT-T (RFC 3947) vendor ID
    received XAuth vendor ID
    received DPD vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (372 bytes)
    received packet: from 92.242.39.89[500] to 185.40.30.244[500] (364 bytes)
    parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    remote host is behind NAT
    generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (108 bytes)
    received packet: from 92.242.39.89[4500] to 185.40.30.244[4500] (76 bytes)
    parsed ID_PROT response 0 [ ID HASH ]
    IDir '192.168.2.254' does not match to '92.242.39.89'
    deleting IKE_SA vpn[1] between 185.40.30.244[185.40.30.244]...92.242.39.89[%any]
    sending DELETE for IKE_SA vpn[1]
    generating INFORMATIONAL_V1 request 3765921865 [ HASH D ]
    sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (92 bytes)
    establishing connection 'vpn' failed
