You may also connect using IKEv2 mode (recommended).
Enter Your VPN Server IP in the Server name or address field. Enter Your VPN IPsec PSK in the Pre-shared key field. Enter Your VPN Username in the User name field. Enter Your VPN Password in the Password field.
Note: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
To connect to the VPN: Click the Connect button, or click on the wireless/network icon in your system tray, click VPN, then select the new VPN entry and click Connect. If prompted, enter Your VPN Username and Password, then click OK. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
Enter Your VPN Server IP in the Internet address field. Enter Your VPN IPsec PSK for the Key.
Note: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. If prompted, enter Your VPN Username and Password, then click OK. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace Your VPN Server IP and Your VPN IPsec PSK with your own values, enclosed in single quotes:
# Disable persistent command history
Set-PSReadlineOption -HistorySaveStyle SaveNothing
# Create VPN connection
Add-VpnConnection -Name 'My IPsec VPN' -ServerAddress 'Your VPN Server IP' `
-L2tpPsk 'Your VPN IPsec PSK' -TunnelType L2tp -EncryptionLevel Required `
-AuthenticationMethod Chap,MSChapv2 -Force -RememberCredential -PassThru
# Ignore the data encryption warning (data is encrypted in the IPsec tunnel)
Enter Your VPN Server IP in the Internet address field. Enter Your VPN Username in the User name field. Enter Your VPN Password in the Password field. Enter Your VPN IPsec PSK for the Key.
Note: This one-time registry change is required if the VPN server and/or client is behind NAT (e.g. home router).
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click Connect. If prompted, enter Your VPN Username and Password, then click OK. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
You may also connect using IKEv2 (recommended) or IPsec/XAuth mode.
Enter Your VPN Server IP for the Server address. Enter Your VPN Username for the Account name. Enter Your VPN Password for the Password. Enter Your VPN IPsec PSK for the Shared secret. Choose Show in Menu Bar from the VPN drop-down menu.
To connect to the VPN: Use the menu bar icon, or go to the VPN section of System Settings and toggle the switch for your VPN configuration. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
You may also connect using IKEv2 (recommended) or IPsec/XAuth mode.
Enter Your VPN Server IP for the Server Address. Enter Your VPN Username for the Account Name. Enter Your VPN Password. Enter Your VPN IPsec PSK.
To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose Connect. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
Important: Android users should instead connect using IKEv2 mode (recommended), which is more secure. Android 12+ only supports IKEv2 mode. The native VPN client in Android uses the less secure modp1024 (DH group 2) for the IPsec/L2TP and IPsec/XAuth ("Cisco IPsec") modes.
If you still want to connect using IPsec/L2TP mode, you must first edit /etc/ipsec.conf on the VPN server. Find the line ike=... and append ,aes256-sha2;modp1024,aes128-sha1;modp1024 at the end. Save the file and run service ipsec restart.
Docker users: Add VPN_ENABLE_MODP1024=yes to your env file, then re-create the Docker container.
After that, follow the steps below on your Android device:
Enter Your VPN Server IP in the Server address field. Enter Your VPN IPsec PSK in the IPSec pre-shared key field. Enter Your VPN Username in the Username field. Enter Your VPN Password in the Password field.
Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
You may also connect using IKEv2 (recommended) or IPsec/XAuth mode.
Enter Your VPN Server IP. Enter Your VPN Username. Enter Your VPN Password. Enter Your VPN IPsec PSK.
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
You may also connect using IKEv2 mode (recommended).
Enter Your VPN Server IP for the Server hostname. Enter Your VPN Username for the Username. Enter Your VPN Password for the Password. Enter Your VPN IPsec PSK for the Pre-shared key.
Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
If you get an error when trying to connect, see Troubleshooting.
You may also connect using IKEv2 mode (recommended).
Ubuntu 18.04 (and newer) users can install the network-manager-l2tp-gnome package using apt, then configure the IPsec/L2TP VPN client using the GUI.
Enter Your VPN Server IP for the Gateway. Enter Your VPN Username for the User name. Enter Your VPN Password for the Password. Enter Your VPN IPsec PSK for the Pre-shared key. Enter aes128-sha1-modp2048 for the Phase1 Algorithms. Enter aes128-sha1 for the Phase2 Algorithms.
If you get an error when trying to connect, try this fix.
Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say "Your public IP address is Your VPN Server IP".
Fedora 28 (and newer) and CentOS 8/7 users can connect using IPsec/XAuth mode.
First check here to see if the network-manager-l2tp and network-manager-l2tp-gnome packages are available for your Linux distribution. If yes, install them (select strongSwan) and follow the instructions above. Alternatively, you may configure Linux VPN clients using the command line.
Advanced users can configure Linux VPN clients using the command line. Alternatively, you may connect using IKEv2 mode (recommended), or configure using the GUI. Instructions below are inspired by the work of Peter Sanford. Commands must be run as root on your VPN client.
To set up the VPN client, first install the following packages:
# Ubuntu and Debian
apt-get update
apt-get install strongswan xl2tpd net-tools
# Fedora
yum install strongswan xl2tpd net-tools
# CentOS
yum install epel-release
yum --enablerepo=epel install strongswan xl2tpd net-tools
Create VPN variables (replace with actual values):
VPN_SERVER_IP='your_vpn_server_ip'
VPN_IPSEC_PSK='your_ipsec_pre_shared_key'
VPN_USER='your_vpn_username'
VPN_PASSWORD='your_vpn_password'
Configure strongSwan:
cat > /etc/ipsec.conf <<EOF
# ipsec.conf - strongSwan IPsec configuration file
conn myvpn
auto=add
keyexchange=ikev1
authby=secret
type=transport
left=%defaultroute
leftprotoport=17/1701
rightprotoport=17/1701
right=$VPN_SERVER_IP
ike=aes128-sha1-modp2048
esp=aes128-sha1
EOF
cat > /etc/ipsec.secrets <<EOF
: PSK "$VPN_IPSEC_PSK"
EOF
chmod 600 /etc/ipsec.secrets
# For CentOS and Fedora ONLY
mv /etc/strongswan/ipsec.conf /etc/strongswan/ipsec.conf.old 2>/dev/null
mv /etc/strongswan/ipsec.secrets /etc/strongswan/ipsec.secrets.old 2>/dev/null
ln -s /etc/ipsec.conf /etc/strongswan/ipsec.conf
ln -s /etc/ipsec.secrets /etc/strongswan/ipsec.secrets
Configure xl2tpd:
cat > /etc/xl2tpd/xl2tpd.conf <<EOF
[lac myvpn]
lns = $VPN_SERVER_IP
ppp debug = yes
pppoptfile = /etc/ppp/options.l2tpd.client
length bit = yes
EOF
cat > /etc/ppp/options.l2tpd.client <<EOF
ipcp-accept-local
ipcp-accept-remote
refuse-eap
require-chap
noccp
noauth
mtu 1280
mru 1280
noipdefault
defaultroute
usepeerdns
connect-delay 5000
name "$VPN_USER"
password "$VPN_PASSWORD"
EOF
chmod 600 /etc/ppp/options.l2tpd.client
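Two checks are worth scripting before the files above are written: that none of the four VPN variables still holds the placeholder value from the instructions, and that the files holding the PSK and the password end up with mode 600 without ever being world-readable while they are created. The POSIX shell functions below are an added example and are not part of the setup-ipsec-vpn project; the function names are hypothetical, and paths are passed in as arguments so the functions can be exercised against a temporary directory instead of /etc.

```shell
#!/bin/sh
# Added example, not from the setup-ipsec-vpn project.
# Assumed (hypothetical) helper names: check_vpn_vars, render_ipsec_secrets,
# write_secret_file, file_mode, insecure_secret_files.

# Exit status 1 if any of the four values is empty or still a placeholder
# such as your_vpn_server_ip / YOUR_VPN_SERVER_PUBLIC_IP from the instructions.
check_vpn_vars() {
    for v in "$1" "$2" "$3" "$4"; do
        case "$v" in
            ''|[Yy][Oo][Uu][Rr]_*) return 1 ;;
        esac
    done
    return 0
}

# Render the one-line /etc/ipsec.secrets body for a pre-shared key.
render_ipsec_secrets() {
    printf ': PSK "%s"\n' "$1"
}

# Write $2 to path $1 with mode 0600 from creation (umask 077 in a subshell),
# so a new secrets file is never world-readable, not even between the
# redirect and the chmod. An existing file is truncated, then re-secured.
write_secret_file() {
    ( umask 077; printf '%s\n' "$2" > "$1" )
    chmod 600 "$1"
}

# Print a file's octal permission bits (GNU stat first, BSD/macOS fallback).
file_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Print each given file whose mode is not exactly 600.
insecure_secret_files() {
    for f in "$@"; do
        [ "$(file_mode "$f")" = 600 ] || printf '%s\n' "$f"
    done
}

# Intended use on a client, with the VPN_* variables from the instructions:
# check_vpn_vars "$VPN_SERVER_IP" "$VPN_IPSEC_PSK" "$VPN_USER" "$VPN_PASSWORD" \
#     || { echo 'replace the placeholder VPN_* values first' >&2; exit 1; }
# write_secret_file /etc/ipsec.secrets "$(render_ipsec_secrets "$VPN_IPSEC_PSK")"
# insecure_secret_files /etc/ipsec.secrets /etc/ppp/options.l2tpd.client
```

The umask is set in a subshell so it does not leak into the rest of the script; the explicit chmod afterwards covers the case where the file already existed with looser permissions.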
The VPN client setup is now complete. Follow the steps below to connect.
Note: You must repeat all steps below every time you try to connect to the VPN.
Create xl2tpd control file:
mkdir -p /var/run/xl2tpd
touch /var/run/xl2tpd/l2tp-control
Restart services:
service strongswan restart
# For Ubuntu 20.04, if strongswan service not found
ipsec restart
service xl2tpd restart
Start the IPsec connection:
# Ubuntu and Debian
ipsec up myvpn
# CentOS and Fedora
strongswan up myvpn
Start the L2TP connection:
echo "c myvpn" > /var/run/xl2tpd/l2tp-control
Run ifconfig and check the output. You should now see a new interface ppp0.
Check your existing default route:
ip route
Find this line in the output: default via X.X.X.X .... Write down this gateway IP for use in the two commands below.
Exclude your VPN server's public IP from the new default route (replace with actual value):
route add YOUR_VPN_SERVER_PUBLIC_IP gw X.X.X.X
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with actual value):
route add YOUR_LOCAL_PC_PUBLIC_IP gw X.X.X.X
Add a new default route to start routing traffic via the VPN server:
route add default dev ppp0
The VPN connection is now complete. Verify that your traffic is being routed properly:
wget -qO- http://ipv4.icanhazip.com; echo
The above command should return Your VPN Server IP.
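The routing steps above have you read the gateway out of the ip route output by hand. As an added example, not part of the setup-ipsec-vpn project, the shell functions below parse that output and print the exact route commands from the steps, including the optional exclusion of a remote client's local PC; the sample ip route output is constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the setup-ipsec-vpn project.
# Assumed (hypothetical) function names: default_gateway, vpn_route_commands.

# Constructed sample of `ip route` output (not captured from a real host).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0 proto dhcp metric 100
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.42
10.0.0.0/8 via 192.0.2.254 dev eth0'

# Print the gateway of the first "default via X.X.X.X" line read on stdin.
# Exit 1 when there is none, so a caller never builds a route with an empty
# gateway (which would otherwise silently produce a broken command).
default_gateway() {
    gw=$(awk '$1 == "default" && $2 == "via" { print $3; exit }')
    [ -n "$gw" ] || return 1
    printf '%s\n' "$gw"
}

# $1: gateway, $2: VPN server public IP, $3 (optional): local PC public IP.
# Prints the route commands from the instructions in order; does not run them.
vpn_route_commands() {
    gw=$1; server=$2; local_pc=${3:-}
    printf 'route add %s gw %s\n' "$server" "$gw"
    if [ -n "$local_pc" ]; then
        printf 'route add %s gw %s\n' "$local_pc" "$gw"
    fi
    printf 'route add default dev ppp0\n'
}

# Intended flow on a client (review the printed commands before running them):
# gw=$(ip route | default_gateway) || { echo 'no default route found' >&2; exit 1; }
# vpn_route_commands "$gw" YOUR_VPN_SERVER_PUBLIC_IP
```

Separating "find the gateway" from "print the commands" keeps the destructive step visible: the output can be inspected, and only then piped to a shell.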
To stop routing traffic via the VPN server:
route del default dev ppp0
To disconnect:
# Ubuntu and Debian
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
ipsec down myvpn
# CentOS and Fedora
echo "d myvpn" > /var/run/xl2tpd/l2tp-control
strongswan down myvpn
See also: IKEv2 troubleshooting and Advanced usage.
Commands below must be run as root (or using sudo).
First, restart services on the VPN server:
service ipsec restart
service xl2tpd restart
Docker users: Run docker restart ipsec-vpn-server.
Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection. Make sure that the VPN server address and VPN credentials are entered correctly.
For servers with an external firewall (e.g. EC2/GCE), open UDP ports 500 and 4500 for the VPN.
Check the Libreswan (IPsec) and xl2tpd logs for errors:
# Ubuntu & Debian
grep pluto /var/log/auth.log
grep xl2tpd /var/log/syslog
# CentOS/RHEL, Rocky Linux, AlmaLinux, Oracle Linux & Amazon Linux 2
grep pluto /var/log/secure
grep xl2tpd /var/log/messages
# Alpine Linux
grep pluto /var/log/messages
grep xl2tpd /var/log/messages
Check the status of the IPsec VPN server:
ipsec status
Show currently established VPN connections:
ipsec trafficstatus
Error 809: The network connection between your computer and the VPN server could not be established because the remote server is not responding. This could be because one of the network devices (e.g, firewalls, NAT, routers, etc) between your computer and the remote server is not configured to allow VPN connections. Please contact your Administrator or your service provider to determine which device may be causing the problem.
Note: The registry change below is only required if you use IPsec/L2TP mode to connect to the VPN. It is NOT required for the IKEv2 and IPsec/XAuth modes.
To fix this error, a one-time registry change is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the .reg file below, or run the following from an elevated command prompt. You must reboot your PC when finished.
For Windows Vista, 7, 8, 10 and 11 (download .reg file)
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
For Windows XP ONLY (download .reg file)
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\IPSec /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d 0x2 /f
Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.
For Windows XP, Vista, 7, 8, 10 and 11 (download .reg file)
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters /v ProhibitIpSec /t REG_DWORD /d 0x0 /f
Error 789: The L2TP connection attempt failed because the security layer encountered a processing error during initial negotiations with the remote computer.
Error 691: The remote connection was denied because the user name and password combination you provided is not recognized, or the selected authentication protocol is not permitted on the remote access server.
For error 789, click here for troubleshooting information. For error 691, you may try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
Error 628: The connection was terminated by the remote computer before it could be completed.
Error 766: A certificate could not be found. Connections that use the L2TP protocol over IPSec require the installation of a machine certificate, also known as a computer certificate.
To fix these errors, please follow these steps:
Enter Your VPN IPsec PSK for the Key.
If using Windows 10 and the VPN is stuck on "connecting" for more than a few minutes, try these steps, entering Your VPN Username and Password when prompted, then click OK.
After upgrading Windows 10/11 version (e.g. from 21H2 to 22H2), you may need to re-apply the fix above for Windows Error 809 and reboot.
Windows 8, 10 and 11 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either disable smart multi-homed name resolution, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, clear the DNS cache and reboot your PC.
In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to disable IPv6 in Windows. If you need a VPN with IPv6 support, you could instead try OpenVPN.
Some Android devices and Linux systems have MTU/MSS issues: they can connect to the VPN using IPsec/XAuth ("Cisco IPsec") or IKEv2 mode, but cannot open websites. If you encounter this problem, try running the following commands on the VPN server. If successful, you may add these commands to /etc/rc.local to persist after reboot.
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir in \
-p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
-j TCPMSS --set-mss 1360
iptables -t mangle -A FORWARD -m policy --pol ipsec --dir out \
-p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 \
-j TCPMSS --set-mss 1360
echo 1 > /proc/sys/net/ipv4/ip_no_pmtu_disc
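The iptables commands above append rules, so running them a second time (for example by hand after they have already been added to /etc/rc.local) leaves duplicate rules in the mangle table. As an added example, not from the setup-ipsec-vpn project, the shell functions below look for the two clamp rules in an iptables-save style dump of the mangle table and report which direction is still missing; the dump is constructed for illustration and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the setup-ipsec-vpn project.
# Assumed (hypothetical) function names: has_mss_clamp, missing_mss_clamps.

# Constructed sample of an `iptables-save -t mangle` dump with only the
# inbound clamp rule present (not captured from a real server).
SAMPLE_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -m policy --dir in --pol ipsec -p tcp -m tcp --tcp-flags SYN,RST SYN -m tcpmss --mss 1361:1536 -j TCPMSS --set-mss 1360
COMMIT'

# $1: policy direction (in|out), $2: MSS value. Reads the dump on stdin.
# Exit 0 if a FORWARD rule with that direction ends in "-j TCPMSS --set-mss $2";
# the regexes anchor both values so "in" does not match "inX" and 1360 does
# not match 13600.
has_mss_clamp() {
    awk -v d="$1" -v m="$2" '
        /^-A FORWARD / && $0 ~ ("--dir " d "( |$)") \
            && $0 ~ ("-j TCPMSS --set-mss " m "$") { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Reads the dump on stdin once and prints each direction (in, out) for which
# the 1360-byte clamp rule from the fix is absent; prints nothing if both exist.
missing_mss_clamps() {
    dump=$(cat)
    for d in in out; do
        printf '%s\n' "$dump" | has_mss_clamp "$d" 1360 || printf '%s\n' "$d"
    done
}

# Intended use on a server: iptables-save -t mangle | missing_mss_clamps
```

On a live server the same existence check is available directly: iptables -t mangle -C FORWARD followed by the rule body returns non-zero when the rule is absent, so each -A command from the fix can be guarded as iptables -t mangle -C ... 2>/dev/null || iptables -t mangle -A ... to keep it idempotent.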
Docker users: Instead of running the commands above, you may apply this fix by adding VPN_ANDROID_MTU_FIX=yes to your env file, then re-create the Docker container.
Reference: [1].
OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show Your VPN Server IP, read the macOS section above and complete these steps. Save VPN configuration and re-connect.
For macOS 13 (Ventura) and newer:
For macOS 12 (Monterey) and older:
After trying the steps above, if your computer is still not sending traffic over the VPN, check the service order. From the main network preferences screen, select "set service order" in the cog drop down under the list of connections. Drag the VPN connection to the top.
To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is by design and cannot be configured.
If you need the VPN to auto-reconnect when the device wakes up, you may connect using IKEv2 mode (recommended) and enable the "VPN On Demand" feature. Alternatively, you may try OpenVPN instead, which has support for options such as "Reconnect on Wakeup" and "Seamless Tunnel".
Android devices may also disconnect Wi-Fi after entering sleep mode. You may try enabling the "Always-on VPN" option to stay connected. Learn more here.
Debian users: Run uname -r to check your server's Linux kernel version. If it contains the word "cloud", and /dev/ppp is missing, then the kernel lacks ppp support and cannot use IPsec/L2TP mode. The VPN setup scripts try to detect this and show a warning. In this case, you may instead use IKEv2 or IPsec/XAuth mode to connect to the VPN.
To fix the issue with IPsec/L2TP mode, you may switch to the standard Linux kernel by installing e.g. the linux-image-amd64 package. Then update the default kernel in GRUB and reboot your server.