Home Create IPSec/L2TP, IPSec EAP for Android VPN

Create IPSec/L2TP, IPSec EAP for Android VPN


Android supports IPSEC/L2TP & IPSEC with XAuth with either PSK or Certificates. I struggled to find any thorough information on setting up the server in its various forms so have written this blog mainly so I don't forget how to do it! I am using a Ubuntu server with Strongswan providing the IPSec, XL2TPD providing the XL2TP and PPP. IPSec provides the encryption, L2TP does not provide any security! Firewall rules need to be added to prevent someone trying to connect to the L2TP port outside of the IPSec tunnel.

IPSec/L2TP PSK (Pre Shared Key)

Firstly lets start with the easiest one to setup; this doesn't use certificates so makes it quicker to setup. We need to install strongswan to provide the IPSec, ppp and xl2tpd.

apt-get install strongswan xl2tpd ppp

Once that is installed then we need to configure strongswan first. There are several files to configure. Firstly lets configure /etc/ipsec.conf

You can create many connections in here ("conn") and it gets matched when an incoming connection comes in.

# ipsec.conf - strongSwan IPsec configuration file

# basic configuration

config setup

        # strictcrlpolicy=yes

        # uniqueids = no

conn %default

 #Set this to "ike" so both IKEv1 (Android only supports this) or IKEv2 for the strongswan application and other devices.

# Add connections here.

conn L2TP-PSK-noNAT


    #shared secret. Use rsasig for certificates.


    #Disable pfs


    #start at boot


    #Only negotiate a conn. 3 times.




    #because we use l2tp as tunnel protocol

    left=SERVER IP

    #fill in server IP above




Now we need to edit the /etc/ipsec.secrets file, this contains the PSK in this case.

# This file holds shared secrets or RSA private keys for authentication.

# RSA private key for this host, authenticating it to any other host

# which knows the public part.  Suitable public keys, for ipsec.conf, DNS,

# or configuration of other implementations, can be extracted conveniently

# with "ipsec showhostkey".

SERVER IP : PSK "password"

You can test the IPSec out even though the connection will fail. While tailing the syslog conect via your android device and check if the IPSec connection gets established.

tail -f /var/log/syslog

Choose L2TP/IPSec PSK as the type. Enter the IPSec preshared key entered in the secrets file. Click Save and then tap to connect. When it asks for username and password just enter anything for now.

Once your happy that the IPSec is connecting then we can edit the XL2TPD configuration file /etc/xl2tpd/xl2tpd.conf

I'll just show the bottom bit of config as the rest is comments.

[lns default]

ip range =

local ip = SERVER IP

refuse pap = yes

require authentication = yes

ppp debug = yes

pppoptfile = /etc/ppp/options.xl2tpd

length bit = yes

The IP range is the IP's you want to give to clients, make sure you don't override anything in your network. I have a DHCP server configured to not hand out those addresses however they are still in the local network range. I have done this so I can use a internal Bind9 DNS server which I have configured to block Ads. I will write a post about this soon. The local ip is the servers IP.

Now we will configure the PPP part. Edit this file /etc/ppp/options.xl2tpd




mtu 1200

mru 1000




name l2tpd


lcp-echo-interval 30

lcp-echo-failure 4

Now we need to edit the /etc/ppp/chap-secrets file which contains the username/password the Android client asked for.

# Secrets for authentication using CHAP
# client server secret IP addresses
user l2tpd "pass" *

I have used an internal DNS server address here but you could use Googles

Restart all the services.

service strongswan restart
service xl2tpd restart

Firewall Rules and IP Forwarding

To allow devices to browse the web then we need to enable ip forwarding.

echo "net.ipv4.ip_forward = 1" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_redirects = 0" |  tee -a /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects = 0" |  tee -a /etc/sysctl.conf
for vpn in /proc/sys/net/ipv4/conf/*; do echo 0 > $vpn/accept_redirects; echo 0 > $vpn/send_redirects; done
 sysctl -p

To protect the L2TP tunnel from anything outside the IPSec layer enter these commands.

iptables -t filter -A INPUT -p udp -m policy --dir in --pol ipsec -m udp --dport l2tp -j ACCEPT
iptables -t filter -A INPUT -p udp -m udp --dport l2tp -j REJECT --reject-with icmp-port-unreachable
iptables -t filter -A OUTPUT -p udp -m policy --dir out --pol ipsec -m udp --sport l2tp -j ACCEPT
iptables -t filter -A OUTPUT -p udp -m udp --sport l2tp -j REJECT --reject-with icmp-port-unreachable

Other implementations coming soon




This post is licensed under CC BY 4.0 by the author.

If you have found this site useful, please consider buying me a coffee :)

Proud supporter of the Gnome Foundation

Become a Friend of GNOME


Gnome 3.16 Breaks Bluetooth Arch Linux

Restore missing LVM volume group

Comments powered by Disqus.