L2TP/IPSec VPN Setup on Centos 6 (64-bit) for use with Android ICS and iOS 5 Clients


This document describes a L2TP/IPSec setup on a CentOS 6 server for use with Android ICS clients. As Openswan is reported having issues with Android ICS (byte 7 of ISAKMP NAT-OA Payload must be zero), this VPN setup is based on the ipsec-tools.

The setup was successfully tested with Android 4.0.3 and iOS 5.0.1 in this network scenario:


The following values are used in this document. You must adjust them according to your needs.

Parameter or Value Description used in Local network IP of local PPP device /etc/xl2tpd/xl2tpd.conf IP range in the local network reserved for clients /etc/xl2tpd/xl2tpd.conf local IP address of the VPN server Firewall/Router port forwarding Primary nameserver /etc/ppp/options.xl2tpd Secondary nameserver (Google) /etc/ppp/options.xl2tpd
vpn.mydomain.com Server address Android VPN setup screen and iOS VPN setup screen (Server)
myhomelan IPSec identifier /etc/racoon/psk.txt and Android VPN setup screen. Not applicable on iOS.
d41d8cd98f00b204e980 IPSec pre-shared key /etc/racoon/psk.txt, Android VPN setup screen and iOS VPN setup screen (Secret)
janedoe Username /etc/ppp/chap-secrets, Android VPN connect screen and iOS VPN setup screen (Account)
jd480227 Password /etc/ppp/chap-secrets, Android VPN connect screen and iOS VPN setup screen

Basic CentOS Server installation

Set up the server as described here: Basic Installation of a CentOS 6 Server

Install the Nikoforge Repository

rpm -ivH http://repo.nikoforge.org/redhat/el6/nikoforge-release-latest

Install the EPEL Repository

Get the link to the latest EPEL repository setup package from http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/. At time of writing it was version 6.7.

yum -y install http://vesta.informatik.rwth-aachen.de/ftp/pub/Linux/fedora-epel/6/i386/epel-release-6-8.noarch.rpm

Firewall/Router Configuration

Configure a port forwarding from WAN to the VPN server for the following ports:

Port Protocol Description
1701 UDP L2TP Traffic

L2TP/IPSec Installation

Packages Installation

Tools for configuring and using IPSEC

yum -y install ipsec-tools

The ipsec-tools package from the nikoforge repo is a patched version that allow the use of a wildcard ‘*’ as the IPSec identifier [1]. Not needed for Android, but iOS.

Layer 2 Tunnelling Protocol Daemon

yum -y install xl2tpd

Init Script

Create the script /etc/racoon/init.sh

# set security policies
echo -e "flush;\n\
        spdadd[0][1701] udp -P in  ipsec esp/transport//require;\n\
        spdadd[1701][0] udp -P out ipsec esp/transport//require;\n"\
        | setkey -c
# enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
chmod 750 /etc/racoon/init.sh

Add a call of the script to rc.local

sed --in-place '/\/etc\/racoon\/init.sh/d'  /etc/rc.d/rc.local
echo /etc/racoon/init.sh >> /etc/rc.d/rc.local

IPSec Configuration

Racoon config

Create the racoon configuration file


path include "/etc/racoon";
path pre_shared_key "/etc/racoon/psk.txt";
path certificate "/etc/racoon/certs";
path script "/etc/racoon/scripts";
remote anonymous
        exchange_mode    aggressive,main;
        passive          on;
        proposal_check   obey;
        support_proxy    on;
        nat_traversal    on;
        ike_frag         on;
        dpd_delay        20;
                encryption_algorithm  aes;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
                encryption_algorithm  3des;
                hash_algorithm        sha1;
                authentication_method pre_shared_key;
                dh_group              modp1024;
sainfo anonymous
        encryption_algorithm     aes,3des;
        authentication_algorithm hmac_sha1;
        compression_algorithm    deflate;
        pfs_group                modp1024;

Set permissions

chmod 600 /etc/racoon/racoon.conf

Racoon pre-shard keys file

Create the pre-shared keys file for IKE authentication. The 1st column the IPSec Identifier, the 2nd column is the IPSec preshared key.

This is the needed entry in /etc/racoon/psk.txt for Android clients:

myhomelan d41d8cd98f00b204e980 

This is the needed entry in /etc/racoon/psk.txt for iPhone and iPad iOS clients:

* d41d8cd98f00b204e980 

Set permissions

chmod 600 /etc/racoon/psk.txt

Configuring L2TP Daemon

Create the config file /etc/xl2tpd/xl2tpd.conf:

ipsec saref = yes
force userspace = yes
[lns default]
local ip =
ip range =
refuse pap = yes
require authentication = yes
ppp debug = yes
length bit = yes
pppoptfile = /etc/ppp/options.xl2tpd

Configuring PPP

Create PPP option file /etc/ppp/options.xl2tpd:

asyncmap 0
name l2tpd
lcp-echo-interval 10
lcp-echo-failure 100

Create the CHAP secrets file /etc/ppp/chap-secrets:

# client       server    secret       IP addresses
  janedoe      *         jd480227     *
chmod 600 /etc/ppp/chap-secrets

Start the Services

chkconfig racoon on
chkconfig xl2tpd on
service racoon start
service xl2tpd start

Update to Centos 6.3 or higher

Make sure that you have set force userspace = yes in the [global] section in file /etc/xl2tpd/xl2tpd.conf

Android ICS Client

VPN Setup

Settings -> More… -> VPN -> Add VPN network


VPN Connect

Settings -> More… -> VPN -> Home LAN


iOS Client iPhone and iPad

VPN Setup

Settings -> General -> Network -> VPN -> Add VPN Configuration IOS-LTP-VPN-Setup.PNG

VPN Connect