How to configure IPsec/L2TP VPN Clients on Linux

After setting up your own VPN server, follow these steps to configure a Linux client. If you are unable to connect, first check that the VPN credentials (server IP, IPsec PSK, username and password) were entered correctly.

Commands must be run as root on your VPN client.

To set up the VPN client, first install the following packages:

# For Ubuntu & Debian
apt-get update
apt-get -y install strongswan xl2tpd

# For RHEL/CentOS
yum -y install epel-release
yum --enablerepo=epel -y install strongswan xl2tpd

# For Fedora
yum -y install strongswan xl2tpd

Create VPN variables (replace with actual values). The heredocs below expand these variables unquoted, so the values must not contain characters the shell interprets there ($, backquote or backslash), and a double quote inside the PSK would break the ipsec.secrets line. Note that typing secrets on the command line normally records them in the shell's history file.

VPN_SERVER_IP=your_vpn_server_ip
VPN_IPSEC_PSK=your_ipsec_pre_shared_key
VPN_USER=your_vpn_username
VPN_PASSWORD=your_vpn_password

Configure strongSwan:

cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup
  # strictcrlpolicy=yes
  # uniqueids = no

# Add connections here.

# Sample VPN connections

conn %default
  ikelifetime=60m
  keylife=20m
  rekeymargin=3m
  keyingtries=1
  keyexchange=ikev1
  authby=secret
  ike=aes128-sha1-modp2048!
  esp=aes128-sha1-modp2048!

conn myvpn
  keyexchange=ikev1
  left=%defaultroute
  auto=add
  authby=secret
  type=transport
  leftprotoport=17/1701
  rightprotoport=17/1701
  right=$VPN_SERVER_IP
EOF

cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF

chmod 600 /etc/ipsec.secrets

# For CentOS/RHEL & Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets

Configure xl2tpd:

cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF

cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name $VPN_USER
password $VPN_PASSWORD
EOF

chmod 600 /etc/ppp/options.l2tpd.client
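The two secret-bearing files above are written with cat > file and only then restricted with chmod 600, so for a moment after creation they carry the default mode (0644 under the usual umask 022) and the PSK or password is readable by every local user; if the file already existed, cat keeps whatever mode it had. The helpers below are an added example, not part of the original page: they create each file at 0600 before anything is written to it, refuse a PSK that the ipsec.secrets quoting could not represent, and quote the pppd name and password values so that spaces, quotes and backslashes survive (pppd reads double-quoted words and backslash escapes in its options file). The file paths default to the ones used above but are parameters (assumption: the caller passes them), so nothing here touches /etc unless told to.

```shell
#!/bin/sh
# Added example: write the VPN secret files without a world-readable window.
# Paths are parameters; defaults match the page's locations.
set -eu

# Return 0 if $1 is a regular file whose group and other permission bits are all
# clear. Reads ls(1) columns 5-10 (group rwx, other rwx), which is portable.
secret_file_ok() {
    f=$1
    [ -f "$f" ] || return 1
    perm=$(ls -ld "$f" | cut -c5-10)
    [ "$perm" = "------" ]
}

# Write stdin to $1 with mode 0600 from the moment the file exists: create an
# empty temp file under umask 077, fill it, then rename it into place (mv keeps
# the temp file's 0600 mode and the replacement is atomic).
write_secret_file() {
    f=$1
    tmp="$f.tmp.$$"
    rm -f "$tmp"
    ( umask 077 && : > "$tmp" )
    cat > "$tmp"
    mv -f "$tmp" "$f"
}

# Render the ipsec.secrets line. The PSK is written in double quotes; rather than
# rely on escaping rules, refuse a PSK containing a double quote (assumption:
# such a PSK is not wanted here) and refuse an empty one.
render_psk_line() {
    psk=$1
    case $psk in
        *'"'*) echo "PSK must not contain a double quote" >&2; return 1 ;;
        '')    echo "PSK must not be empty" >&2; return 1 ;;
    esac
    printf ': PSK "%s"\n' "$psk"
}

# Quote one word for a pppd options file: escape backslash and double quote,
# then wrap in double quotes so embedded whitespace is kept.
ppp_quote() {
    printf '"%s"\n' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')"
}

# Write ipsec.secrets ($1) and the pppd options file ($2) from VPN_IPSEC_PSK,
# VPN_USER and VPN_PASSWORD, both created at mode 0600.
install_vpn_secrets() {
    secrets=${1:-/etc/ipsec.secrets}
    pppopts=${2:-/etc/ppp/options.l2tpd.client}
    : "${VPN_IPSEC_PSK:?}" "${VPN_USER:?}" "${VPN_PASSWORD:?}"
    render_psk_line "$VPN_IPSEC_PSK" | write_secret_file "$secrets"
    {
        cat <<'EOF'
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
EOF
        printf 'name %s\npassword %s\n' \
            "$(ppp_quote "$VPN_USER")" "$(ppp_quote "$VPN_PASSWORD")"
    } | write_secret_file "$pppopts"
}
```

After sourcing the file as root, VPN_IPSEC_PSK=... VPN_USER=... VPN_PASSWORD=... install_vpn_secrets writes the two files in place; passing two scratch paths first shows what will be written. secret_file_ok /etc/ipsec.secrets is the quick check that the mode is still right later, for example after a package upgrade replaced the file.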

The VPN client setup is now complete. Follow the steps below to connect.

Note: You must repeat all steps below every time you try to connect to the VPN.

Create xl2tpd control file:

mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control

Restart services:

service strongswan restart
service xl2tpd restart

Start the IPsec connection:

# Ubuntu & Debian
ipsec up myvpn

# CentOS/RHEL & Fedora
strongswan up myvpn

Start the L2TP connection:

echo "c myvpn" > /var/run/xl2tpd/l2tp-control

Run ip addr (or ifconfig on older systems) and check the output: you should now see a new interface, ppp0, with an address assigned by the server. If it does not appear within a few seconds, look for xl2tpd and pppd messages in the system log (journalctl or /var/log/syslog); a CHAP authentication failure there means the username or password is wrong.

Check your existing default route:

ip route

Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.

Exclude your VPN server’s IP from the new default route (replace with actual value):

route add YOUR_VPN_SERVER_IP gw X.X.X.X

If your VPN client is a remote server, you must also exclude your Local PC’s public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):

route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X

Add a new default route to start routing traffic via the VPN server:

route add default dev ppp0

The VPN connection is now complete. Verify that your traffic is being routed properly:

wget -qO- http://ipv4.icanhazip.com; echo

The above command should return your VPN server's public IP.

To stop routing traffic via the VPN server:

route del default dev ppp0

To disconnect:

# Ubuntu & Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn

# CentOS/RHEL & Fedora
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
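The connect and disconnect steps above, from the control file through the route changes to the verification, as one script. This is an added example, not from the original page. Assumptions: the strongSwan conn is named myvpn and VPN_SERVER_IP is exported, as in the setup above; the control command is strongswan on CentOS/RHEL/Fedora and ipsec elsewhere. It differs from the manual steps in three ways: ip(8) replaces the deprecated route and ifconfig; the pre-VPN default route is saved and removed rather than left in place behind the ppp0 one (adding a second default route fails with "File exists" when both have the same metric), and is restored on down; and when run inside an SSH session the local PC's address is taken from SSH_CLIENT, which sshd sets, so the session is pinned to the old gateway automatically.

```shell
#!/bin/sh
# vpn-l2tp.sh: bring the IPsec/L2TP client up or down. Run as root:
#   sh vpn-l2tp.sh up      sh vpn-l2tp.sh down
set -eu

CONTROL=/var/run/xl2tpd/l2tp-control
STATE=/var/run/vpn-l2tp.default-route   # saved copy of the pre-VPN default route
IFACE=ppp0
CONN=myvpn

# Print the gateway from a "default via X.X.X.X ..." line read on stdin, or nothing.
parse_default_gw() {
    awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# SSH_CLIENT is "client_ip client_port server_port"; print the client IP.
parse_ssh_client_ip() {
    printf '%s\n' "${1:-}" | awk '{ print $1 }'
}

# Wait up to $2 seconds for interface $1 to exist; return 1 on timeout.
wait_for_iface() {
    n=0
    while ! ip link show "$1" >/dev/null 2>&1; do
        n=$((n + 1))
        [ "$n" -lt "$2" ] || return 1
        sleep 1
    done
}

ipsec_cmd() {
    if command -v strongswan >/dev/null 2>&1; then strongswan "$@"; else ipsec "$@"; fi
}

vpn_up() {
    : "${VPN_SERVER_IP:?export VPN_SERVER_IP first}"
    old=$(ip route show default | head -n 1)
    gw=$(printf '%s\n' "$old" | parse_default_gw)
    [ -n "$gw" ] || { echo "no default gateway found" >&2; return 1; }

    mkdir -p "$(dirname "$CONTROL")"
    touch "$CONTROL"
    service strongswan restart
    service xl2tpd restart
    ipsec_cmd up "$CONN"
    echo "c $CONN" > "$CONTROL"
    wait_for_iface "$IFACE" 15 || {
        echo "$IFACE did not appear; check xl2tpd/pppd messages in the system log" >&2
        return 1
    }

    # Pin the VPN server and (if any) the SSH client to the old gateway BEFORE
    # the default route moves, so neither flow is ever sent into the tunnel.
    ip route replace "$VPN_SERVER_IP/32" via "$gw"
    ssh_ip=$(parse_ssh_client_ip "${SSH_CLIENT:-}")
    [ -z "$ssh_ip" ] || ip route replace "$ssh_ip/32" via "$gw"

    printf '%s\n' "$old" > "$STATE"
    ip route del $old          # unquoted on purpose: the saved line is the argument list
    ip route add default dev "$IFACE"
    echo "public IP now: $(wget -qO- http://ipv4.icanhazip.com)"
}

vpn_down() {
    ip route del default dev "$IFACE" 2>/dev/null || true
    if [ -s "$STATE" ]; then
        ip route add $(cat "$STATE") 2>/dev/null || true
        rm -f "$STATE"
    fi
    echo "d $CONN" > "$CONTROL"
    ipsec_cmd down "$CONN"
    ip route del "${VPN_SERVER_IP:?}/32" 2>/dev/null || true
    ssh_ip=$(parse_ssh_client_ip "${SSH_CLIENT:-}")
    [ -z "$ssh_ip" ] || ip route del "$ssh_ip/32" 2>/dev/null || true
}

case "${1:-}" in
    up)   vpn_up ;;
    down) vpn_down ;;
    '')   ;;                                # no argument: only define the functions
    *)    echo "usage: $0 up|down" >&2; exit 2 ;;
esac
```

The host routes are added with ip route replace so a second run after a failed attempt does not stop on "File exists"; the saved default route is round-tripped through ip route del and ip route add exactly as ip route show printed it, which works for the usual dhcp/metric/src attributes.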

2 thoughts on “How to configure IPsec/L2TP VPN Clients on Linux”

  1. Is there a way for me to specify which IP the client should use? I have observed that I can specify the IP to be used by the machine on my Mac, and was hoping I can also specify this when connecting via a CentOS box.

  2. Hello, please help.
    root@frontlogistics-dev /var/log # ipsec up vpn
    initiating Main Mode IKE_SA vpn[1] to 92.242.39.89
    generating ID_PROT request 0 [ SA V V V V V ]
    sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (180 bytes)
    received packet: from 92.242.39.89[500] to 185.40.30.244[500] (160 bytes)
    parsed ID_PROT response 0 [ SA V V V V ]
    received NAT-T (RFC 3947) vendor ID
    received XAuth vendor ID
    received DPD vendor ID
    received FRAGMENTATION vendor ID
    generating ID_PROT request 0 [ KE No NAT-D NAT-D ]
    sending packet: from 185.40.30.244[500] to 92.242.39.89[500] (372 bytes)
    received packet: from 92.242.39.89[500] to 185.40.30.244[500] (364 bytes)
    parsed ID_PROT response 0 [ KE No NAT-D NAT-D ]
    remote host is behind NAT
    generating ID_PROT request 0 [ ID HASH N(INITIAL_CONTACT) ]
    sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (108 bytes)
    received packet: from 92.242.39.89[4500] to 185.40.30.244[4500] (76 bytes)
    parsed ID_PROT response 0 [ ID HASH ]
    IDir '192.168.2.254' does not match to '92.242.39.89'
    deleting IKE_SA vpn[1] between 185.40.30.244[185.40.30.244]...92.242.39.89[%any]
    sending DELETE for IKE_SA vpn[1]
    generating INFORMATIONAL_V1 request 3765921865 [ HASH D ]
    sending packet: from 185.40.30.244[4500] to 92.242.39.89[4500] (92 bytes)
    establishing connection 'vpn' failed
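
The log in the comment above ends with the client rejecting the server's identity: the server sits behind NAT and identifies itself by its private address (IDir '192.168.2.254'), while the client, configured only with right=<public IP>, expects that public address as the peer identity. Authentication here rests on the PSK rather than on the identity string, so telling strongSwan to accept any identity with rightid=%any in the conn does not weaken the connection. The function below is an added example, not from the page or the commenter: it inserts rightid=%any into the conn myvpn section of an ipsec.conf read on stdin, and is idempotent so it can be re-run safely. Assumption: the conn is named myvpn as in the setup above (pass another name as the first argument).

```shell
#!/bin/sh
# Added example: add "rightid=%any" to one conn section of a strongSwan ipsec.conf.
# Reads the file on stdin, writes the patched file on stdout. Typical use, as root:
#   add_rightid_any < /etc/ipsec.conf > /etc/ipsec.conf.new && mv /etc/ipsec.conf.new /etc/ipsec.conf
set -eu

add_rightid_any() {
    conn=${1:-myvpn}
    awk -v conn="$conn" '
        # On leaving the target section (a new "conn" or "config" line at column 1),
        # emit the option first if the section did not already carry one.
        /^(conn|config) / && inconn && !done { print "  rightid=%any"; done = 1 }
        /^(conn|config) /                    { inconn = ($2 == conn) }
        { print }
        inconn && /^[ \t]*rightid[ \t]*=/    { done = 1 }
        # Target section ran to end of file: append the option there.
        END { if (inconn && !done) print "  rightid=%any" }
    '
}
```

Apply it, then restart strongSwan and bring the connection up again; the IDir mismatch line should no longer appear.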
