Android IPSec PSK VPN - Nexus One with OpenSWAN

Looking to secure my internet traffic when on a public network and away from home, I decided to set up a VPN between my phone and my Ubuntu server. This allows all of my phone's traffic to be encrypted and tunneled through my Ubuntu server and home internet connection. Effectively this makes it difficult for people to listen to my traffic and offers additional protection for my browsing and email when on a public network. My phone is a Google Nexus One, and unfortunately Android versions up to and including Gingerbread (2.3.4) do not support OpenVPN out of the box unless you root your device. Read on to see how I set up my Android to Home IPSec VPN...

The built-in Android VPN client allows for a choice of PPTP, L2TP and L2TP/IPSec VPN connections. Due to security flaws with PPTP, and L2TP offering no encryption, I opted to set up an L2TP/IPSec VPN, which as you'll discover wasn't the easiest of rides.
IPSec is a security layer running on top of IP ('Internet Protocol'). My VPN end point is my Ubuntu 10.04 server running the Openswan VPN suite. My client, as already mentioned, is a Google Nexus One running Android 2.3.4; however, this setup has been tested on the Nexus 4 and Nexus 5 across Froyo (2.2, 2.2.1 and 2.2.2), Gingerbread (2.3.3 and 2.3.4), Ice Cream Sandwich (ICS), Jelly Bean and KitKat (4.41) using this configuration.

This has also been tested on Ubuntu 12.04.

Trying to comprehend what happens during the creation of an IPSec VPN, I've drafted a novice analogy and overview of what I believe happens based on my understanding (please shout in the comments if I've misunderstood).

A VPN Analogy
A VPN is formed by encrypting a transport tunnel between two nodes. The nodes usually take the form of client-server or server-server. Think of tunneling as having a computer delivered to you by UPS. The vendor packs the computer (passenger protocol, here point-to-point protocol) into a box (encapsulating protocol) which is then put on a UPS truck (transport protocol) which is then locked so bystanders cannot see what the truck contains (IPSec protocol). This all occurs at the vendor's warehouse (entry tunnel interface). The truck (transport protocol) travels over the highways (Internet) to your home (exit tunnel interface) and delivers the computer. The truck is unlocked (IPSec protocol) so you can see inside the truck, you open the box (encapsulating protocol) and remove the computer (passenger protocol).

My setup 
OS = Ubuntu 10.04 Desktop LTS
Kernel = 2.6.32-31-generic 
L2TP daemon = xl2tpd 1.2.7
IPsec Implementation = Openswan 2.6.28 
IPsec Stack = Netkey ('26sec')   -   (supplied as part of Kernel 2.6)
IKE / Key management daemon = pluto   -   (supplied as part of Openswan)
A good background resource with lots of detail is Using a Linux L2TP/IPsec VPN server.

Overview of the tools involved
xl2tpd: is a Layer 2 Tunneling Protocol (L2TP) daemon used to support virtual private networks (VPNs) (RFC2661). L2TP facilitates the tunneling of Point-to-Point Protocol (PPP) packets across an intervening network in a way that is as transparent as possible to both end-users and applications. The main purpose of this protocol is to tunnel PPP frames through IP networks using the Link Control Protocol (LCP), which is responsible for establishing, maintaining and terminating the PPP connection. L2TP does not provide any encryption or confidentiality itself; it relies on a separate encryption protocol to encrypt the tunnel and provide privacy, hence L2TP is combined with IPSec. xl2tpd is an open source implementation of the L2TP tunneling protocol and is a fork of l2tpd maintained by the Xelerance Corporation. xl2tpd replaces the obsolete and unmaintained l2tpd.

Openswan: is a set of tools for doing IPsec on Linux operating systems. The toolset consists of three major components:
  • configuration tools
  • key management tools (aka pluto)
  • kernel components (KLIPS and Netkey/26sec).
pluto: is the key management daemon; it is an IPsec Key Exchange (IKE) daemon. IKE's job is to negotiate Security Associations for the node it is deployed on. A Security Association (SA) is an agreement between two network nodes on how to process certain traffic between them. This process involves encapsulation, authentication, encryption, or compression.

Note, IKE implementations can only negotiate with other IKE implementations, so IKE must be on each node that is to be an endpoint of an IKE-negotiated Security Association. No other nodes need to be running IKE.
IKE deals with two kinds of Security Associations. The first part of a negotiation between IKE instances is to build an ISAKMP (Internet Security Association and Key Management Protocol) SA. An ISAKMP SA is used to protect communication between the two IKEs. The second part of the security association for the IKEs is to build the IPsec SAs, these are used to carry protected PPP traffic between the systems. The negotiation of the ISAKMP SA is known as Phase 1. Any negotiation under the protection of an ISAKMP SA, including the negotiation of IPsec SAs, is part of Phase 2. 

In short, the IKE instance is prepared to automate the management of Security Associations in an IPsec environment. The actual secure transmission of packets is the responsibility of Netkey. 

It is worth noting that pluto only implements a subset of IKE, but enough for it to interoperate with other instances of pluto, and many other IKE implementations. pluto uses shared secrets or RSA signatures to authenticate peers with whom it is negotiating. pluto implements ISAKMP SAs itself. After it has negotiated the IPsec SA, it directs Netkey to implement it. When pluto shuts down, it closes all Security Associations (killing the VPN tunnel).

Netkey: is the name of the IPSec 'stack' in the 2.6 kernel used to encrypt the PPP packets over the L2TP tunnel. Netkey is a relatively new IPsec stack that is based on the KAME stack from BSD. Netkey is also referred to as the '26sec' or 'native' stack. Netkey supports both IPv4 and IPv6.

For Linux kernel 2.6 there is a choice of either KLIPS or Netkey; however, the Netkey components are already included in the 2.6 kernel. Netkey partially replaces KLIPS, which was the IPSec stack used predominantly before Netkey shipped with kernel 2.6.
Users should note that Netkey hooks into the kernel networking code differently from KLIPS. With Netkey, packets are intercepted by the IPsec stack after they are received on the physical (ethX) interface, which complicates iptables-based firewall rules. This interception also creates problems when using NAT and IPsec on the same machine, since the packet does not traverse all the iptables chains as expected: unencrypted packets never pass through the POSTROUTING table.

PPPD: is the Point-to-Point Protocol daemon which is used to manage network connections between two nodes. Specifically pppd sets up the transport for IP traffic within the L2TP tunnel for the VPN. 

VPN client: in this post this is a Google Nexus One with Android 2.2.1-2.3.4 using an IPsec PSK tunnel with the L2TP secret not enabled. The client also supports PPTP, basic L2TP and certificate based authentication (the latter I've yet to get working on the Android side).

VPN Overview in practice 
  1. The VPN client (android phone), connects to the server, specifically the ipsec daemon (Openswan) on port 4500.
  2. The key management daemon (IKE pluto) kicks off and negotiates the Phase 1 ISAKMP Security Association on behalf of IPSec.
  3. With the ISAKMP SA in place the IKE (pluto) is now safe to negotiate the Phase 2 IPSec SA using the pre shared key on behalf of IPSec.
  4. Once authenticated with the pre shared key, encrypted traffic can now pass between the client and server. Authentication can now be initiated for the Point to Point (PPP) tunnel.
  5. xl2tpd kicks in to handle the PPP authentication and PPP Link Establishment using the Link Control Protocol (LCP). LCP creates the tunnel to the destination network and prepares the authentication protocol which is used in step 8.
  6. xl2tpd also negotiates and finds out if the two nodes in the PPP connection agree on any compression or encryption algorithm. If the answer is yes then it is implemented in steps 8 and 9.
  7. xl2tpd now initiates user authentication and will prompt for a username and password.
  8. Because the L2TP secret is disabled in this post, the credentials are sent to pppd (instead of the L2TP daemon) for authentication. There are different methods for secure User Authentication, in this example we use CHAPS to secure the authentication.  Once authenticated  the L2TP tunnel can now be set up encapsulated inside of the IPSec encrypted packets. This is the only time when the user must take care in exchanging credentials to prevent interception i.e. don't use plain text to authenticate user credentials. If for any reason these credentials were captured by an intruder, then the intruder may be able to take control of the connection.
  9. pppd now initiates the PPP tunnel and invokes the Network Layer Protocol(s) that were selected during the link establishment phase (step 6). The Network Layer Protocols include IPCP, which assigns the dynamic IP address to the PPP client, and if permitted compression is also now negotiated.
  10. PPP tunnel now up and IP assigned, with any luck you’re finally on your private network from your smart phone all under the guise of VPN.
Now... how to do this in 12 steps:

1. Install Openswan 2.6.28
The version supplied with Ubuntu 10.04 Lucid is 2.6.23. I had some issues with this build, so I manually compiled and installed 2.6.28 from source. See below for the steps:

sudo apt-get install build-essential libgmp3-dev gawk flex bison
tar -xzvf openswan-2.6.28.tar.gz 
rm openswan-2.6.28.tar.gz 
cd openswan-2.6.28
sudo make programs
sudo make install
sudo /etc/init.d/ipsec restart

2. Install xl2tpd 
The version supplied with Ubuntu 10.04 Lucid is version 1.2.5, this has some bugs so I'll move up to version 1.2.7 which works. This isn't in the repositories for Lucid as it is supplied with Natty (11.04) but you can still download and install the package from:

3. Configure xl2tpd
Open up the xl2tpd configuration file:

sudo gedit /etc/xl2tpd/xl2tpd.conf 

Change xl2tpd.conf according to your setup. My xl2tpd.conf looks something like the one below. It is a minimal xl2tpd config; the idea is to provide an L2TP daemon to which remote L2TP clients can connect. In my config the remote clients are given addresses from the internal (protected) network itself, which probably isn't the best approach. You would ideally want your remote clients on a separate IP range such as (i.e. …). However, keeping them on the same range reduces any headaches I may experience with routing.
The listen-addr parameter can be used if you want to bind the L2TP daemon to a specific IP address instead of to all interfaces. For instance, you can bind it to the interface of the internal LAN (e.g. in the example below).
/etc/xl2tpd/xl2tpd.conf :
listen-addr = ;this is the external network address for the Ubuntu server
ipsec saref = no  ;Netkey which I am using does not support SAref at this time
auth file = /etc/ppp/chap-secrets
port = 1701
debug tunnel = yes
debug avp = yes
debug packet = yes
debug network = yes
debug state = yes

[lns default]
ip range =
local ip =
require chap = yes
refuse pap = yes
require authentication = yes
name = Yourservername
ppp debug = yes
pppoptfile = /etc/ppp/options.xl2tpd
length bit = yes 

Save and Close.

4. Configure PPP 
The xl2tpd side of the configuration is now complete; time to configure the PPP parameters. You can modify this file according to your requirements.

sudo gedit /etc/ppp/options.xl2tpd

You can change your DNS and WINS server IP addresses in this file. You can also add other parameters supported by your pppd, like require-mschap-v2; see the man page of your pppd.
/etc/ppp/options.xl2tpd :

idle 1800
mtu 1410
mru 1410
connect-delay 5000

Save and Close.

5. Configure CHAPS
The authentication data for L2TP is stored in the file /etc/ppp/chap-secrets. The same chap-secrets file can be used if you are using the mschap protocol in the options file. To edit the file:

sudo gedit /etc/ppp/chap-secrets 

The IP address field holds the remote tunnel's static IP address. You can also assign dynamic IP addresses using a RADIUS server, the dhcp-pppd plugin, etc., but I don't know the easiest way to do this. My requirement is met by using a static IP address.

# Secrets for authentication using CHAP
# client server secret IP addresses
# username servername password Assigned IP
username * "yoursecrethere" *

You probably also want to define a specific username and IP address for the client above. Create a new line for each additional user you want to authenticate with CHAPS. I only have one client, so it's not a big issue.

Save, Close and make sure you set the permissions on your chap-secret file to keep it private.

sudo chown root:root /etc/ppp/chap-secrets
sudo chmod 600 /etc/ppp/chap-secrets 
6. Run xl2tpd
After completing the configuration above, you can start xl2tpd. First create the l2tp control file; this is a workaround for a bug in xl2tpd 1.2.7:

sudo touch /var/log/xl2tpd/l2tp-control

Then start the daemon using this command:
xl2tpd -D
The -D option enables xl2tpd's debug output. It is recommended to start the application in debug mode the first time (during testing). Remove the -D option to stop the debug output.

7. Configure IPSec (Pluto / Netkey)
Open up the IPSec configuration file:

sudo gedit /etc/ipsec.conf

This file is sensitive to formatting, ensure you have the appropriate tab indents in place.

/etc/ipsec.conf : 

# /etc/ipsec.conf - Openswan IPsec configuration file
# RCSID $Id:,v 1.16 2005/07/26 12:29:45 ken Exp $

# This file: /usr/share/doc/openswan/ipsec.conf-sample
# Manual: ipsec.conf.5

version 2.0 # conforms to second version of ipsec.conf specification

# basic configuration
config setup

            # NAT-TRAVERSAL support, see README.NAT-Traversal
            # exclude networks used on server side by adding %v4:!a.b.c.0/24
            # OE is now off by default. Uncomment and change to on, to enable.
            # which IPsec stack to use. netkey,klips,mast,auto or none

            # Add connections here
conn L2TP



Save and Close.

For information, nhelpers: pluto can also use helper children to off-load cryptographic operations. This behavior can be fine tuned using --nhelpers. pluto will start (n-1) of them, where n is the number of CPUs you have (including hyperthreaded CPUs). A value of 0 forces pluto to do all operations in the main process. A value of -1 tells pluto to perform the above calculation. Any other value forces the number of helpers to that amount.

8. Configure the IPSec secret pre shared key 
Open up the IPSec secrets file:
sudo gedit /etc/ipsec.secrets

This file is sensitive to formatting, ensure you have the appropriate tab indents in place.
Add the following line to the file:

/etc/ipsec.secrets :   

: PSK "yourpresharedkey" 

Save and Close.

Make sure you set the permissions on your secrets file to keep it private.

sudo chown root:root /etc/ipsec.secrets
sudo chmod 600 /etc/ipsec.secrets 

9. Configure the Linux Kernel
For Openswan to work, ICMP redirects must be disabled and IP forwarding needs to be enabled. For persistence these settings should be set in /etc/sysctl.conf:

sudo gedit /etc/sysctl.conf

Add the following lines (adjusting for your network adapters; the first line enables the IP forwarding that the VPN clients' traffic relies on):

net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.lo.accept_redirects = 0
net.ipv4.conf.lo.secure_redirects = 0
net.ipv4.conf.lo.send_redirects = 0
net.ipv4.conf.eth0.accept_redirects = 0
net.ipv4.conf.eth0.secure_redirects = 0
net.ipv4.conf.eth0.send_redirects = 0

Save and Close. Then reload the settings:

sudo sysctl -p /etc/sysctl.conf 

10. Verify the configuration
By now you should be pretty much done, time to check your configuration:

sudo ipsec verify

The output should be along the lines of: 

11. Configuring the firewall

Router side
1. Enable VPN pass through on your router.
2. Forward the following to the Ubuntu server:
  • Protocol 50 (ESP)
  • Protocol 51 (AH)
  • 500/UDP IKE
  • 4500/UDP (If you are using NAT-Traversal to tunnel through NAT/other Firewalls)
Ubuntu server side
3. Allow the following ports: 
  • 500/UDP IKE
  • 4500/UDP NAT-T
  • 1701/UDP L2TP
The key rule for this configuration to act as a 'road warrior' setup is the next one, which allows your VPN clients to masquerade through the VPN server's external interface, i.e. it lets clients reach the internet through the VPN server's WAN connection.

First check the tunnel interface using ifconfig; for me this is ppp0. Then modify and add the following rules to enable masquerading:
sudo /sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

sudo /sbin/iptables -A FORWARD -i eth0 -o ppp0 -m state --state RELATED,ESTABLISHED -j ACCEPT
sudo /sbin/iptables -A FORWARD -i ppp0 -o eth0 -j ACCEPT

Update 13/03/2014: these iptables rules are not persistent, i.e. when you reboot your PC the iptables rules will be flushed. To make them persist through a reboot I have included them in /etc/rc.local. This took me a while to figure out.

The forwarding and NAT rules will of course be specific to your configuration. The above rules allow authenticated clients to connect to everything that interface eth0 leads to (the Internet in this case).

12. Start VPN server / IPSec daemon on Ubuntu boot

The easiest option I found here was to add the following line to my rc.local script, which is executed at boot time. This script runs after all of the networking bits and bobs, which should therefore make it a lot easier to get the IPSec server to start.

sudo vi /etc/rc.local


/etc/init.d/ipsec start 

Save and exit. 

13. Setting up Android for the VPN connection (Froyo/Gingerbread)
  1. Settings >
  2. Wireless & networks >
  3. VPN Settings >
  4. Add VPN >
  5. L2TP/IPSec PSK;
  6. Enter your details as below:
  • VPN Name = your VPN server description, can be anything you want
  • Set VPN Server = your server IP address or your dynamic DNS hostname
  • Set IPSec preshared key = enter your preshared key as set up
  • Enable L2TP secret = unchecked
  • DNS search domains = leave blank
Note: L2TP Secret

I don't use an L2TP secret in this blog; here's why. Personally I don't think it adds much to the overall process. pppd already authenticates the user using CHAPS to set up the PPP link, and pluto authenticates the encrypted tunnel using the pre shared key. Having yet another gatekeeper to authenticate the tunnel seems a little pointless, offering only another set of credentials to remember and another area to troubleshoot, hence I don't discuss it in this post, mainly to keep a rather complex process as simple as possible.

Note: Certificate based authentication 

Work in progress... on hold until iOS implements certificate based auth for L2TP IPSec.

14. Setting up iPhone iOS for the VPN connection
The following steps I used on an iPhone 3GS iOS 5.0, 5.01 and 5.1 to connect to the Ubuntu IPSec VPN.

  1. Settings
  2. General
  3. Network
  4. VPN
  5. Add VPN Configuration:
  • Select L2TP
  • Description: any
  • Server: server address
  • Account: ubuntu username
  • RSA SecurID: off
  • Password: as per /etc/ppp/chap-secrets
  • Secret: PSK as per /etc/ipsec.secrets
  • Send All Traffic: on
  • Proxy: off  
After setting up the iPhone to work with this IPSec Openswan configuration I experienced the issue that, should the iPhone disconnect either intentionally or through a dropped tunnel, I was unable to get the iPhone to reconnect to the VPN. The only way to get the phone to reconnect was to restart the IPSec daemon on the Ubuntu server.

As Jacco points out one problem is that Apple do not appear to send a “Delete SA” message when the device disconnects. The IPsec connection remains up and the VPN client may not be able to reconnect, and reports an error. He pointed out that the problem is resolved when Dead Peer Detection (DPD) times out, the SA itself times out (if DPD is disabled) or the Openswan daemon is restarted. For this reason it is highly recommended to enable DPD on the Openswan VPN server by adding these parameters to your Openswan configuration (suggested time-out values):

From my experience these lines need to be added to /etc/ipsec.conf under the connection configuration and not the daemon configuration. Putting them before the connection configuration will cause Openswan to fail when restarting, reporting a "confread.c:248: load_setup: Assertion `kw->keyword.keydef->validity & kv_config' failed" error in the terminal.


The example config in the body of this post has already been updated to reflect this addition. 
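For step 7 and the DPD addition above, here is a complete Openswan ipsec.conf for this L2TP/IPSec PSK road-warrior setup, written as an added example rather than the post's own file. It assumes a placeholder public server address of 203.0.113.10, a home LAN of 192.168.1.0/24 (excluded from virtual_private as the step 7 comments describe), the Netkey stack, and DPD time-out values chosen for the example; body lines must be indented, as the post warns.

```conf
# /etc/ipsec.conf - Openswan IPsec configuration (added example, not the author's file)
# Assumptions: server public address 203.0.113.10 (placeholder),
# protected LAN 192.168.1.0/24, Netkey ('26sec') stack.
version 2.0

config setup
        # Which IPsec stack to use: Netkey rather than KLIPS
        protostack=netkey
        # NAT-Traversal (UDP 4500) for phones behind a NAT router
        nat_traversal=yes
        # Private ranges NAT-T clients may arrive from; exclude the server's own LAN
        virtual_private=%v4:10.0.0.0/8,%v4:192.168.0.0/16,%v4:172.16.0.0/12,%v4:!192.168.1.0/24
        # Opportunistic encryption stays off
        oe=off
        # 0 keeps all crypto in the main pluto process (see the nhelpers note after step 7)
        nhelpers=0
        interfaces=%defaultroute

# Clients behind NAT: accept any private address listed in virtual_private
conn L2TP-PSK-NAT
        rightsubnet=vhost:%priv
        also=L2TP-PSK-noNAT

# Clients with a public address; the NAT conn inherits everything below
conn L2TP-PSK-noNAT
        # Pre-shared key from /etc/ipsec.secrets (step 8)
        authby=secret
        # L2TP/IPSec clients use transport mode and do not negotiate PFS
        pfs=no
        type=transport
        auto=add
        keyingtries=3
        rekey=no
        ikelifetime=8h
        keylife=1h
        # Server side: this host, L2TP on UDP 1701
        left=203.0.113.10
        leftprotoport=17/1701
        # Client side: any address, any UDP source port
        right=%any
        rightprotoport=17/%any
        # Dead Peer Detection: drop the SA of a peer that vanished without a
        # "Delete SA" so it can reconnect (step 14). These go under the conn,
        # not under 'config setup'. Values are this example's assumptions.
        dpddelay=30
        dpdtimeout=120
        dpdaction=clear
```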

Other Useful resources

Eclectic Security: Secure IPsec/L2TP VPN for on the road android devices

BrainBlog: Android L2TP/IPSec VPN mini-howto 

Jacco de Leeuw: Using a Linux L2TP/IPsec VPN server


  1. Hello,

    First of all thanks for sharing the nice solution.

    I'm having a problem with my xl2tpd and pppd. When I try to connect with exactly the same configurations you described here I get a 'peer refused to authenticate: terminating link'. Obviously if I disable the authentication it works but that's exactly what I don't want.

    Would appreciate some help here. Thanks for the attention.

    1. Have you checked your logs?


  3. Do you know anything about the issue where the Android client will initially connect, but then disconnect after about ten seconds? I can get a VPN working using L2TP alone (though of course it isn't encrypted), but if I want to use IPSEC (either PSK or CRT), whether I use StrongSwan or OpenSwan, on Android 2.2 or 2.3.3, I authenticate, the tunnel starts, and then around ten seconds later I get disconnected with log messages like:

    pppd[26296]: rcvd [LCP TermReq id=0x2 "User request"]
    pppd[26296]: LCP terminated by peer (User request)
    pppd[26296]: Connect time 0.2 minutes.

    It seems to be a fairly common problem, but I have yet to see a solution.

  4. Yes, I originally had this problem which from recollection was firewall related. Try your configuration without a firewall, with a DMZ first briefly to see if the problem persists. Ensure that your router is set to port forward and pass through IPSec.

  5. This is the first tutorial of this quality I've been able to find on this -- thank you. I have a server with a few public websites running on it and wanted to add this setup to that just to give me a personal road-warrior connection. I'm concerned about whether this would interfere with normal operations of such a server, particularly the changes in step #9. Have you any comments on this?

    Thanks again for taking the time to illustrate all this.

  6. Thanks for your comment, it took me a fair amount of time to get my head around this all and I thought I'd better write it down to make sure I was clear.

    I don't run any dedicated public webservers on my box, I do however run several services which have web front ends built in i.e. Webmin, XBMC, SABNZB and an FTP server. None of these services have experienced any difficulties through configuring the VPN as described in this guide.

  7. Hey there, thanks for posting this tutorial. I have been following it all the way through, I'm kind of a noob on Ubuntu overall... Where I got stuck is the following:
    When I did ipsec verify, everything was the same as in your screenshot but:
    Checking NAT and MASQUERADEing there it says [N/A]
    Also when I did ifconfig -a I only see eth0 ham0 (hamachi) and lo
    I don't see the ppp0 you are talking about.

    Please help me! :)

    Thanks in advance!

    1. Have you checked your logs?


  9. Thank you very much for posting such a great how-to. There is indeed little information about the usage of L2TP/IPSec VPNs in the net. Seems like OpenVPN dominates the Linux community.

    I followed your instructions and I have a small problem that is probably due to the IPTABLES. I need to tell you that I am running a Virtual Machine within a data center (so directly on the Internet with its own IP address, I call it

    When using the following command in '/etc/rc.local' I can easily establish a VPN connection but I can't access the Internet (I can only access my VM).

    iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to is the dedicated IP of my VM is the IP address range of my L2TP/IPSec VPN

    When replacing the above line with

    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

    I can't establish a VPN connection. It worked once or twice from an iPhone and then I had access to the internet, however the VPN tunnel was unstable and I was not able to build it up on a regular basis.

    Do you have a good idea what the IPTABLES command needs to be?

    By the way, for the OpenVPN-Server I am running the following command works great:

    iptables -t nat -A POSTROUTING -o eth0 -s -j SNAT --to is the dedicated IP of my VM is the IP address range of my OpenVPN

  10. I don't think the issue is with your iptables. I similarly have an issue whereby after a number of connections the OpenSWAN server no longer allows further reconnections. I have spoken to others with similar issues and I think it is because Apple do not appear to send a “Delete SA” message when a device disconnects. The IPsec connection remains up and the VPN client may not be able to reconnect. Even with the DPD (dead peer detection) setting enabled I still have intermittent issues and have to restart OpenSWAN occasionally to reconnect to the VPN. This isn't ideal; I am hoping that later builds may prove more stable.

    Can you reconnect successively to your VPN albeit without internet?

  11. I must agree with you, it's not a problem of the IPTABLES. I have now set up my VPN server based on the manual from Phillip Bailey ( and the VPN works quite well on my Android 2.2 mobile phone while connected through WiFi (VPN not working through 3G network).

    The iPhone sometimes works but most often doesn't. The problem always starts after the iPhone has been inactive and lost/deactivated the VPN connection. When I disconnect manually (using the iPhone's menu) I can reestablish the connection. But when the iPhone loses/deactivates it itself I cannot reconnect.

    I can also not reconnect after rebooting the server.

  12. Have you tried adding the DPD timeouts? They still don't fully resolve my issues, YMMV.

  13. Yes, I added the three lines mentioned in the tutorial. The VPN works great on my Android 2.2 but not at all on iOS. Even though I restarted the server and the IPSec Service.

  14. Hmmm I still have issues on Android 2.3 with DPD and reconnecting after a period of time. Well good luck with your search for a solution post back with any fix you find.

  15. I would like to try from behind a DD-WRT. I could find much on forwarding the protocol 50 via iptables command. Would you have any pointers?

  16. Try in DD-WRT v24:

    Security > VPN > IPSec Passthrough - Enable

  17. Great tutorial and thank you for the effort. I still have some problem with step "12. Start VPN server / IPSec daemon on Ubuntu boot"

    As you described in your manual I did add the line "/etc/init.d/ipsec start" to the file "/etc/rc.local" before the "exit 0" line. However I can not establish the VPN with my iPhone after my machine did a reboot (it is a virtual machine running in a data center).

    Strange enough things work well when I enter manually "sudo /etc/init.d/ipsec restart" after the machine did a reboot. Then my iPhone can without any problem establish the VPN tunnel.

    Do you have any idea what is wrong on my machine? Is there a problem with the boot up script and the order the services are loaded. E.g. is the machine trying to start "ipsec" before the network interface is available? Any idea what I could do or try?

    Thank you for your help and happy New Year

  18. Which version of linux are you running, is your rc.local file definitely executing on boot?

    I suggest putting some additional actions into the rc local file such as output a debug message to a log file to check it is running.

  19. I tried exactly the config posted here, but I cant make my iPad2 5.0.1 connect to the VPN.. is there any tricks for iPad2 5.0.1?

  20. I've not retried it on my iPad since upgrading to 5.0.1 I will have to give this a try and report back, it may be a few weeks though...

    1. I've since tested the same configuration with iOS 5.0.1 and 5.1 and have not had to change anything described above, it worked straight away.

  21. Thanks a lot for this great tutorial, it's been very useful for setting up my IPSec VPN. The only problem I have is I'm getting lots of asynchronous packets that break the channel every time I log in from a NATted network. I worked around the problem by accessing the VPN only with 3G; anyway I don't think it's a configuration issue, I'm more for an OpenSwan/CentOS incompatibility...

  22. Tested and works with iOS 5.01 and 5.1.

  23. Have OpenSWAN/xl2tpd set up similarly for iPhone access, which works. This helped in getting an Android 2.2 HTC phone to connect. But the phone doesn't properly set up the routing table for the office LAN net. It appears I might be able to use "ip ro add" in a terminal to correct that; I haven't fully tested because the connection tends to drop while I'm fumbling around. But that begs the question: what's necessary to have the Android client set the LAN routing properly on connection?

  24. Update: No, ip ro won't let a normal user update the routing table. With iPhones this setup gets the users right into the LAN. Maybe Android's client is just incomplete?

  25. This config should work for 2.2 I've used it. It will be a server side issue with NAT section 11 and IP forward section 9. Check IP tables do not have conflicting rules.

  26. Any idea why Openswan doesn't seem to work with Android ICS?

    1. It's a bug in Android. For a workaround, see

    2. Thanks, for the note I'll no doubt need that come the fall - I'm looking forward to the next range of Nexus'. As side note what's going on with the comment wrapping blogger!

  27. I've not got ICS yet, I'm still rocking Gingerbread on the Nexus One - I like the 3.7" screen. I'm probably going to move to the iPhone 5 when they launch if the screen is smaller than the current SGSIII and the newly announced Nexus' due fall.

  28. I am trying to set it up on an Amazon EC2 Ubuntu 12.04 LTS.

    But it seems it won't work. Is this setup usable on an Amazon EC2 server?

    1. Not tried EC2, does this help?

  30. Thanks for the tutorial. Nice.... but..... what can I do if I want only "some" traffic tunneled?

    For example... I want to route all the normal operations through my normal Android default route, but I want to connect to my FTP server (as an example) over the tunnel.

    Can I play with default routes.... metric.....?

    1. This needs to be done on the client side I believe, which depends on your client.

  31. I got this error:

    packet from 188.188.86.XX:887: initial Main Mode message received on 193.105.XX.XYZ:500 but no connection has been authorized with policy=PSK

    Any idea what went wrong in my config?

    1. Does your PSK match exactly that used in /etc/ipsec.secrets ?

  32. Hi!

    First of all thanks for the guide.

    I am having a hard time making L2TP/IPsec work on a Debian Stable installation.

    From syslog I get the following:

    Oct 4 21:53:23 debian-vb ipsec_setup: ...Openswan IPsec started
    Oct 4 21:53:23 debian-vb ipsec__plutorun: adjusting ipsec.d to /etc/ipsec.d
    Oct 4 21:53:23 debian-vb pluto: adjusting ipsec.d to /etc/ipsec.d
    Oct 4 21:53:23 debian-vb ipsec__plutorun: 002 added connection description "L2TP-PSK-CLIENTS"
    Oct 4 21:53:23 debian-vb ipsec__plutorun: 003 NAT-Traversal: Trying new style NAT-T
    Oct 4 21:53:23 debian-vb ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)
    Oct 4 21:53:23 debian-vb ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: network_thread: recv packet from, size = 69, tunnel = 0, call = 0 ref=0 refhim=0
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: get_call: allocating new tunnel for host, port 42964.
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: handle_avps: handling avp's for tunnel 40986, call 0
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: message_type_avp: message type 1 (Start-Control-Connection-Request)
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: protocol_version_avp: peer is using version 1, revision 0.
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: hostname_avp: peer reports hostname 'anonymous'
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: framing_caps_avp: supported peer frames: async sync
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: assigned_tunnel_avp: using peer's tunnel 12792
    Oct 4 21:54:17 debian-vb xl2tpd[1643]: receive_window_size_avp: peer wants RWS of 1. Will use flow control.

    1. 1. Enable debug in options.l2tpd.

      2. Add to xl2tpd.conf under
      debug tunnel = yes
      debug avp = yes
      debug packet = yes
      debug network = yes
      debug state = yes

      [lns default]
      ppp debug = yes

      3. Dump the syslog and /var/log/auth.log to pastebin and post the link here.

      4. What are you connecting from?

      5. Which version of openswan are you using?

    2. 1. I am using options.xl2tpd. Is that wrong? Debug is already enabled.

      2. xl2tpd.conf already has all the necessary debug flags.


      4. From an Android smartphone running version 4.1.1.

      5. 2.6.28

    3. Looks like you are getting stuck here: "STATE_MAIN_R2: sent MR2, expecting MI3" and "max number of retransmissions (2) reached STATE_MAIN_R2".

      Is your client NAT'd?
      Can you try connecting the client using a different network?
      What length is your PSK / certificate?

    4. Do you have nat_traversal set to yes in your ipsec.conf?

  33. I am trying to connect through an EDGE/GPRS network. So I don't really know if the client is NAT'd or not.

    I tried through another network also, where the client was indeed NAT'd.
    The PSK is 8 characters long.
    nat_traversal is set to yes.
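Comments 25 and 33 above keep coming back to the same server-side settings: IP forwarding, the NAT rule for the client pool, nat_traversal=yes, and iptables rules that conflict with them. The script below is an added example, not code from the article or from Openswan: each check is a pure function over text, so it can be run against saved output of `iptables -S` and a copy of ipsec.conf, and the main guard applies the same checks to the live server. The client pool 10.1.2.0/24 and the SAMPLE_* inputs are constructed placeholders, not the article's values.

```python
"""Server-side sanity checks for an Openswan/xl2tpd L2TP/IPsec gateway:
IP forwarding, a NAT rule covering the L2TP client pool, a FORWARD chain that
passes the pool, and nat_traversal=yes in ipsec.conf.  Checks are pure functions
over text (runnable on saved output); the main guard applies them to the host.
Added example, not the article's or Openswan's code; 10.1.2.0/24 and the
SAMPLE_* texts are constructed placeholders."""
import ipaddress
import re
import subprocess

# Constructed inputs (not the article's values) for offline checks.
SAMPLE_IPSEC_CONF = """\
config setup
    nat_traversal=yes      # required for clients behind NAT (3G, home routers)
    protostack=netkey

conn L2TP-PSK-NAT
    authby=secret
    right=%any
"""
SAMPLE_POSTROUTING = "-P POSTROUTING ACCEPT\n-A POSTROUTING -s 10.1.2.0/24 -o eth0 -j MASQUERADE\n"
SAMPLE_FORWARD = """\
-P FORWARD DROP
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.1.2.0/24 -j ACCEPT
"""

def ip_forward_enabled(sysctl_text):
    """sysctl_text: content of /proc/sys/net/ipv4/ip_forward ('0' or '1')."""
    return sysctl_text.strip() == "1"

def nat_traversal_enabled(ipsec_conf):
    """True when 'config setup' carries nat_traversal=yes (section headers sit
    in column 0, settings are indented, '#' starts a comment)."""
    in_setup = False
    for raw in ipsec_conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():                  # 'config setup' / 'conn NAME'
            in_setup = line.strip() == "config setup"
            continue
        if in_setup:
            m = re.match(r"\s*nat_traversal\s*=\s*(\S+)", line)
            if m:
                return m.group(1).lower() == "yes"
    return False

def _rule_matches_pool(tokens, pool):
    """Conservative: only the -s match (with '!' negation) is evaluated; rules
    with -p/-m extensions count as not matching, so the verdict errs toward
    'not covered' rather than trusting a rule this helper cannot evaluate."""
    if "-p" in tokens or "-m" in tokens:
        return False
    for i, tok in enumerate(tokens):
        if tok == "-s":
            net = ipaddress.ip_network(tokens[i + 1], strict=False)
            negated = i > 0 and tokens[i - 1] == "!"
            return pool.subnet_of(net) != negated
    return True                                    # no -s: every source matches

def _target(tokens):
    return tokens[tokens.index("-j") + 1] if "-j" in tokens else None

def nat_rule_covers(postrouting_rules, pool_cidr):
    """True if 'iptables -t nat -S POSTROUTING' output holds a MASQUERADE/SNAT
    rule whose source match covers the client pool."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    for line in postrouting_rules.splitlines():
        tokens = line.split()
        if tokens[:2] == ["-A", "POSTROUTING"] and _target(tokens) in ("MASQUERADE", "SNAT"):
            if _rule_matches_pool(tokens, pool):
                return True
    return False

def forward_allowed(forward_rules, pool_cidr):
    """First-match walk of 'iptables -S FORWARD' for traffic from the pool:
    an ACCEPT before any DROP/REJECT wins, otherwise the chain policy decides."""
    pool = ipaddress.ip_network(pool_cidr, strict=False)
    policy = "ACCEPT"
    for line in forward_rules.splitlines():
        tokens = line.split()
        if tokens[:2] == ["-P", "FORWARD"]:
            policy = tokens[2]
        elif tokens[:2] == ["-A", "FORWARD"] and _rule_matches_pool(tokens, pool):
            target = _target(tokens)
            if target == "ACCEPT":
                return True
            if target in ("DROP", "REJECT"):
                return False
    return policy == "ACCEPT"

def audit(pool_cidr):
    """Apply all four checks to the running host (root needed for iptables)."""
    def run(*argv):
        return subprocess.run(argv, capture_output=True, text=True, check=True).stdout
    with open("/proc/sys/net/ipv4/ip_forward") as f:
        forwarding = ip_forward_enabled(f.read())
    with open("/etc/ipsec.conf") as f:
        natt = nat_traversal_enabled(f.read())
    return {"ip_forward": forwarding, "nat_traversal": natt,
            "nat_rule": nat_rule_covers(run("iptables", "-t", "nat", "-S", "POSTROUTING"), pool_cidr),
            "forward_chain": forward_allowed(run("iptables", "-S", "FORWARD"), pool_cidr)}

if __name__ == "__main__":
    for check, ok in audit("10.1.2.0/24").items():   # placeholder pool
        print(f"{check:14} {'ok' if ok else 'MISSING'}")
```

The FORWARD walk deliberately skips rules it cannot evaluate (anything with `-p` or `-m`), so a "MISSING" verdict means "no plain ACCEPT for the pool was found before a DROP", which is the starting point for the conflicting-rules check rather than a proof that traffic is blocked.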

  34. Hello, can I use your tutorial on Ubuntu 12.10?

    1. Yes, it should be entirely possible; I think 12.10 uses KLIPS instead of NETKEY. I have used this guide on my 12.10 box; I'll update it at some point.

    2. Where is the point that you update?
      I've got this message in the server log:
      packet from initial Main Mode message received on but no connection has been authorized with policy=PSK
      Can you help me?

    3. This is my server log file:

      Feb 19 13:04:36 unsoed-Aspire-M1610 pluto[5705]: loading secrets from "/etc/ipsec.secrets"
      Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [RFC 3947] method set to=109
      Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
      Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
      Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
      Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
      Feb 19 13:05:25 unsoed-Aspire-M1610 pluto[5705]: packet from initial Main Mode message received on but no connection has been authorized with policy=PSK
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [Openswan (this version) 2.6.37 ]
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [Dead Peer Detection]
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [RFC 3947] method set to=109
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-03] meth=108, but already using method 109
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02_n] meth=106, but already using method 109
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-02] meth=107, but already using method 109
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from received Vendor ID payload [draft-ietf-ipsec-nat-t-ike-00]
      Feb 19 13:05:45 unsoed-Aspire-M1610 pluto[5705]: packet from initial Main Mode message received on but no connection has been authorized with policy=PSK

  35. Hello,

    I have a problem when a Windows client tries to connect: the IPsec SA is established but drops again.

    Mar 5 15:55:02 labpuskom pluto[2618]: "L2TP-PSK-NAT"[11] #50: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xd52fefe7 <0x4c8b4372 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD= DPD=none}
    Mar 5 15:55:02 labpuskom pluto[2618]: "L2TP-PSK-NAT"[11] #45: received Delete SA(0x62735a16) payload: deleting IPSEC State #49
    Mar 5 15:55:02 labpuskom pluto[2618]: "L2TP-PSK-NAT"[11] #45: received and ignored informational message

    Is that problem from Windows?
    What should I do?

    Thanks in advance :)
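Comments 31, 32, 34 and 35 each paste pluto or xl2tpd log lines and ask what they mean. The script below is an added example, not code from the article or from Openswan: it scans a log for the messages quoted in those comments and returns, for each one, the check worth doing next (conn definition and secrets for policy=PSK, reachability for a stall at STATE_MAIN_R2, the L2TP/PPP layer when the peer deletes a freshly established SA, and the harmless NAT-T fallback). SAMPLE_LOG is constructed from the quoted lines, with RFC 5737 example addresses in place of the real ones and the separate comments mixed into one log so that every signature is exercised.

```python
"""Triage Openswan (pluto) and xl2tpd log lines for the failure modes quoted in
the comments: map each recognised message to the check worth doing next.
Added example, not code from the article or from Openswan.  SAMPLE_LOG is
constructed from the quoted lines, with RFC 5737 example addresses."""
import re
import sys

# (label, pattern, next check).  The first matching signature wins.
SIGNATURES = [
    ("no-psk-conn",
     re.compile(r"no connection has been authorized with policy=PSK"),
     "pluto found no loaded conn with authby=secret for this local/peer address pair: "
     "check that the conn's left= is the address the packet arrived on (or %defaultroute), "
     "right=%any and auto=add are set, and /etc/ipsec.secrets has a PSK line for that "
     "local address (or %any); then run 'ipsec secrets' to reload them."),
    ("main-mode-stalled",
     re.compile(r"max number of retransmissions \(\d+\) reached STATE_MAIN_R2"),
     "MR2 was sent but MI3 never arrived; MI3 is still unencrypted in Main Mode, so this "
     "is reachability (udp/500 replies not returning through NAT or a firewall) or the "
     "client rejecting the proposal, not a wrong PSK: confirm nat_traversal=yes and that "
     "udp/500 and udp/4500 pass both ways."),
    ("natt-fallback",
     re.compile(r"ESPINUDP\(1\) setup failed for new style NAT-T .*errno=19"),
     "the kernel has no new-style NAT-T; pluto falls back to old-style NAT-T and this "
     "line is harmless unless the fallback fails too."),
    ("peer-deleted-sa",
     re.compile(r"received Delete SA\(0x[0-9a-f]+\) payload: deleting IPSEC State"),
     "the peer tore the SA down right after it came up, which usually means the layer "
     "inside IPsec failed (udp/1701 not reaching xl2tpd, or pppd/CHAP rejecting the login): "
     "read the xl2tpd and pppd lines with the same timestamp."),
    ("ipsec-up",
     re.compile(r"STATE_QUICK_R2: IPsec SA established"),
     "phase 2 completed; anything still failing is above IPsec (xl2tpd, pppd, "
     "forwarding/NAT on the server)."),
    ("l2tp-sccrq",
     re.compile(r"xl2tpd\[\d+\]: .*Start-Control-Connection-Request"),
     "the L2TP control connection reached xl2tpd, so ESP and udp/1701 pass; remaining "
     "problems are in xl2tpd.conf, options.xl2tpd or chap-secrets."),
]

# Constructed sample: the comments' lines with example addresses, combined into
# one log so that every signature is exercised.
SAMPLE_LOG = [
    "Oct 4 21:53:23 debian-vb ipsec__plutorun: 003 NAT-Traversal: ESPINUDP(1) setup failed for new style NAT-T family IPv4 (errno=19)",
    "Oct 4 21:53:23 debian-vb ipsec__plutorun: 003 NAT-Traversal: Trying old style NAT-T",
    "Oct 4 21:53:40 debian-vb pluto[1620]: packet from 198.51.100.7:887: initial Main Mode message received on 203.0.113.5:500 but no connection has been authorized with policy=PSK",
    'Oct 4 21:53:55 debian-vb pluto[1620]: "L2TP-PSK-CLIENTS"[1] 198.51.100.7 #1: max number of retransmissions (2) reached STATE_MAIN_R2',
    "Oct 4 21:54:17 debian-vb xl2tpd[1643]: message_type_avp: message type 1 (Start-Control-Connection-Request)",
    'Mar 5 15:55:02 labpuskom pluto[2618]: "L2TP-PSK-NAT"[11] #50: STATE_QUICK_R2: IPsec SA established transport mode {ESP=>0xd52fefe7 <0x4c8b4372 xfrm=AES_128-HMAC_SHA1 NATOA=none NATD=none DPD=none}',
    'Mar 5 15:55:02 labpuskom pluto[2618]: "L2TP-PSK-NAT"[11] #45: received Delete SA(0x62735a16) payload: deleting IPSEC State #49',
]

def classify(line):
    """(label, hint) for the first signature matching the line, else None."""
    for label, rx, hint in SIGNATURES:
        if rx.search(line):
            return label, hint
    return None

def triage(lines):
    """Scan lines in order; return [(label, hint, first_line)] with one entry per
    failure mode, in order of first appearance."""
    found = {}
    for line in lines:
        hit = classify(line)
        if hit and hit[0] not in found:
            found[hit[0]] = (hit[1], line.rstrip())
    return [(label, hint, line) for label, (hint, line) in found.items()]

if __name__ == "__main__":
    source = open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin
    for label, hint, line in triage(source):
        print(f"[{label}] {line}\n    next: {hint}")
```

Run it as `python3 triage.py /var/log/auth.log` (the reply in comment 32 asks for exactly that file plus syslog) or pipe a syslog excerpt through stdin; repeated messages are reported once, with the first occurrence, so a log full of retransmission lines still yields a short list.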

  38. try waselpro vpn service , the best choice for android

  39. Marvelous site. In the event that you don't need anybody to realize what you are downloading including your Web access Supplier then you ought to be utilizing a VPN Administration. Locate the best ones here.

  40. What is VPN? How does it work. Please explain it to someone with zero knowledge on it.?
    Top VPN Provider

  41. What are the differences between Open VPN and PPTP?
    Hebergement site maroc

  42. Wow, what a blog! I mean, you just have so much guts to go ahead and tell it like it is. Youre what blogging needs, an open minded superhero who isnt afraid to tell it like it is. This is definitely something people need to be up on. Good luck in the future, man

  43. Thanks for the post. Im a big fan of the blog, i've even put a little bookmark right on the tool bar of my Firefox you'll be happy to find out!

  44. Nice blog and the details about it really interesting.
    I liked your blog.


  45. McAfee provides security for all sorts of users. They supply services and products for home and office at home, enterprise businesses with over 250 workers, and small organizations with under 250 employees, and also venture opportunities. activate
    mcafee com activate
    mcafee activate

  46. We are providing help and support for Microsoft office Setup and activation. Call us or email us the error or problem, our one of the expert contact you with the suitable perfect solution. Get the MS Office application suite and as per your need and see how it is easy to work with Microsoft Office. setup
    www office com setup
    Install Office

  47. Online Help – Step by Step guide for Norton Setup, Download & complete installation online. We are providing independent support service if in case you face problem to activate or Setup Norton product.

  48. Enter Key for, after purchasing Office from visit, sign in to your account then enter product key for Office Setup.

  49. Online Help :– Step by Step guide for McAfee Activate, Download & complete installation online. We are providing independent support service if in case you face problem to activate or Activate McAfee product. Just fill the form below and will get in touch with you as quick as possible.

  50. Online Help – Step by Step guide for office Setup, Download & complete installation online. We are providing independent support service if in case you face problem to activate or Setup office product.

  51. Looking for Aol Support? Call now on toll free number to get instant 24/7 email support AOL, AOL Mail Technical Support, Click here for more Email support

  52. Support For Adobe at is an online technical support company. We provide trustworthy tech support and services for the third party products.adobe support

  53. We provide Outlook customer service phone number or on Chat ,Outlook tech support phone number for recover outlook password recovery and other outlook support


    Before you plan to install the Office 2016 or Office 365 on your device be it a Computer, Laptop, Mobile Phone or a Tablet, you are required to take few important steps on of them is to remove any existing Office installations from your PC. Just like the previous Office products, Office 2016 & 365 will conflict with the previously installed versions. So, it becomes necessary to remove the previous office files properly.



    To Setup retail card please visit official website Www.Office.Com/Setup. Office Retail Cards allow you to download your security product from the internet instead of installing from a CD, ensuring recent versions.
    Microsoft Office product

  56. Microsoft office setup is the software setup file with this setup file you can install on your computer and some of the supported device to use Microsoft office.
    office com setup

  57. We are a third party technical support service. Avast Customer Support is here to help you out with the whole procedure to Download Avast Antivirus online, We not only fix your Avast Support related issues but will guide with how to get started with your new Avast product once it gets installed successfully.We at Avast Tech Support provides service to protect your PC from potential online threats and external attacks like viruses, Trojans, malwares, spywares and phishing scams. And Avast Refund. Call on our Avast Phone Number.

    Norton Tech Support is a third party service provider and not in any way associated with Norton or any of its partner companies. At Norton Support we offer support for Norton products and sell subscription based additional warranty on computer and other peripheral devices. setup
    Norton setup

  58. Intuit offer you QuickBooks Desktop Support that assemble it phenomenally sparing and esteem rehearsed to ask on-line particular help support from the pros with reference to, process and concentrated devices and programming.


  59. with your entire process to setup office product online. Have you Just bought Microsoft Office product ? If yes then you can complete your Office Setup online with your product key code. You just need open , Install Office , Install Microsoft Office or into your web browser.

    office setup


  60. In case any message saying ‘Stop’ pops up while installing Microsoft Office 365 due to a compatibility issue, contact our live chat support.Our online Experts through live chat will guide you through the entire process of Office setup, covering all steps and issues.Keep your 25 characters long product key with you.

    Office Com Setup
    office com/setup

  61. We are an independent support company office support

  62. support for office products. Feel-free to visit our website.

  63. Great post! I am actually getting ready to across this information, is very helpful my friend. Also great blog here with all of the valuable information you have. Keep up the good work you are doing here.
    It was a great informative post.Go so many useful and informative links.Loved your writings also. Concept of the topic was well discussed. Love to come here again.
    Regards -

  64., www office com setup,, Office Com Setup,, Office Setup,, Office Com Set Up, office 2017 download, Office Setup Enter Product Key,

  65. Microsoft Office includes a wide range of desktop applications such as Word, Excel, Access, PowerPoint, Groove, OneNote, Publisher and Outlook which helps you to complete the various task easily such as writing a letter, sending an email and creating PowerPoint presentation.

  66. Norton has vast range of software such as Norton security premium, Norton Security Basic, Norton Security Standard, Norton Internet Security, Norton 360, and Norton Antivirus etc, which provides the protection from threats and identity theft and monitors the antimalware.

  67. McAfee Installation is such an easy or simple process as you have to make sure that above-mentioned prerequisites should be fulfilled before getting started with the McAfee Activation Process.

  68. If user wants to use the Microsoft Office online then open the web browser you are using on your system and visit Login to your Microsoft account with your registered email id and password. The data which you have stored on OneDrive or DropBox, you can access and modify it.

  69. Norton has vast range of software such as Norton security premium, Norton Security Basic, Norton Security Standard, Norton Internet Security, Norton 360, and Norton Antivirus etc, which provides the protection from threats and identity theft and monitors the antimalware. The security or protection provided by the Norton is better than any other security tool, because of it's unique structure and easy to use interface it is very popular among the users.


  71. Hi there! I simply want to offer you a huge thumbs
    up for your excellent info you have here on this post.
    I am coming back to your web site for more soon
    Warm Regards

  72. Use of MS Office is also simple and the user can learn the use of it easily. Online help option is also available in all application of the MS Office which provides an instant guideline.

  73. If your echo won't connect to wifi Or having any problem to setup Alexa to Wifi then Don't Worry we are here to help you just follow the simple steps which is given on our website. We'll help you to connect Alexa to wifi, connect echo to wifi and amazon echo not connecting to wifi and other problems. For instant help, call us at our amazon echo dot help number +1-888-745-1666

    Setup echo.
    Setup Echo Dot

  74. Download and install your Norton product on your computer. Sign In to Norton. If you are not signed in to Norton already, you will be prompted to sign in. In the Norton Setup window, click Download Norton. Click Agree & Download. Do one of the following depending on your browser:

  75. Are you looking for best Digital Marketing Course in Panchkula, Then we are here always guide to you about Digital Marketing Course.We are google certified Institute in Panchkula.You can schedule your DEMO classes of 2 days to know more about Digital Marketing.

  76. Do not panic if your Echo Look Setup is not running working. We are always here to solve all the problems related to your echo spot like echo Look wifi settings,installation,troubleshooting.Now the solution is at your fingertips. Just pick your phone and call us at :+1-888-745-1666 if you want to Connect Echo Look To Wifi.

  77. Insert the Microsoft Office media disc into the DVD drive. Click "Start" followed by "Computer." Double-click the disc drive if Windows fails to launch setup automatically. Enter your product key when prompted and click "Continue."

  78. Very nice post. I just stumbled up?n your weblog and wished to say that I have really enjoyed browsing ?our blog posts.
    Regards -