After <ahref="https://github.com/hwdsl2/setup-ipsec-vpn"target="_blank">setting up your own VPN server</a>, follow these steps to configure your devices. IPsec/L2TP is natively supported by Android, iOS, OS X, and Windows. There is no additional software to install. Setup should only take a few minutes. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.
1. Select **Open Network and Sharing Center**. Or, if using Windows 10 version 1709 or newer, select **Open Network & Internet settings**, then on the page that opens, click **Network and Sharing Center**.
Alternatively, instead of following the steps above, you may create the VPN connection using these Windows PowerShell commands. Replace `Your VPN Server IP` and `Your VPN IPsec PSK` with your own values, enclosed in single quotes:
To connect to the VPN: Click on the wireless/network icon in your system tray, select the new VPN entry, and click **Connect**. If prompted, enter `Your VPN Username` and `Password`, then click **OK**. You can verify that your traffic is being routed properly by <ahref="https://www.google.com/search?q=my+ip"target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose **Connect**. You can verify that your traffic is being routed properly by <ahref="https://www.google.com/search?q=my+ip"target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by <ahref="https://www.google.com/search?q=my+ip"target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by <ahref="https://www.google.com/search?q=my+ip"target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
Once connected, you will see a VPN icon overlay on the network status icon. You can verify that your traffic is being routed properly by <ahref="https://www.google.com/search?q=my+ip"target="_blank">looking up your IP address on Google</a>. It should say "Your public IP address is `Your VPN Server IP`".
Users with Windows Phone 8.1 and above, try <ahref="http://forums.windowscentral.com/windows-phone-8-1-preview-developers/301521-tutorials-windows-phone-8-1-support-l2tp-ipsec-vpn-now.html"target="_blank">this tutorial</a>.
Ubuntu 18.04 (and newer) users can install the <ahref="https://packages.ubuntu.com/search?keywords=network-manager-l2tp-gnome"target="_blank">network-manager-l2tp-gnome</a> package, then configure the IPsec/L2TP VPN client using the GUI (Settings -> Network -> VPN). Ubuntu 16.04 and 14.04 users may need to add the `nm-l2tp` PPA. Read more <ahref="https://medium.com/@hkdb/ubuntu-16-04-connecting-to-l2tp-over-ipsec-via-network-manager-204b5d475721"target="_blank">here</a>. For other Ubuntu versions, try the command line method below.
### Other Linux
First check <ahref="https://github.com/nm-l2tp/network-manager-l2tp/wiki/Prebuilt-Packages"target="_blank">here</a> to see if the `network-manager-l2tp` package is available for your Linux distribution. Alternatively, you may [configure Linux VPN clients using the command line](#configure-linux-vpn-clients-using-the-command-line).
> The network connection between your computer and the VPN server could not be established because the remote server is not responding.
To fix this error, a <ahref="https://documentation.meraki.com/MX-Z/Client_VPN/Troubleshooting_Client_VPN#Windows_Error_809"target="_blank">one-time registry change</a> is required because the VPN server and/or client is behind NAT (e.g. home router). Download and import the `.reg` file below, or run the following from an <ahref="http://www.winhelponline.com/blog/open-elevated-command-prompt-windows/"target="_blank">elevated command prompt</a>. **You must reboot your PC when finished.**
- For Windows Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Windows_Vista_7_8_10_Reboot_Required.reg))
Although uncommon, some Windows systems disable IPsec encryption, causing the connection to fail. To re-enable it, run the following command and reboot your PC.
- For Windows XP, Vista, 7, 8.x and 10 ([download .reg file](https://static.ls20.com/reg-files/v1/Fix_VPN_Error_809_Allow_IPsec_Reboot_Required.reg))
After upgrading Windows 10 version (e.g. from 1709 to 1803), you may need to re-apply the fix above for [Windows Error 809](#windows-error-809) and reboot.
Windows 8.x and 10 use "smart multi-homed name resolution" by default, which may cause "DNS leaks" when using the native IPsec VPN client if your DNS servers on the Internet adapter are from the local network segment. To fix, you may either <ahref="https://www.neowin.net/news/guide-prevent-dns-leakage-while-using-a-vpn-on-windows-10-and-windows-8/"target="_blank">disable smart multi-homed name resolution</a>, or configure your Internet adapter to use DNS servers outside your local network (e.g. 8.8.8.8 and 8.8.4.4). When finished, <ahref="https://support.opendns.com/hc/en-us/articles/227988627-How-to-clear-the-DNS-Cache-"target="_blank">clear the DNS cache</a> and reboot your PC.
In addition, if your computer has IPv6 enabled, all IPv6 traffic (including DNS queries) will bypass the VPN. Learn how to <ahref="https://support.microsoft.com/en-us/help/929852/guidance-for-configuring-ipv6-in-windows-for-advanced-users"target="_blank">disable IPv6</a> in Windows.
OS X (macOS) users: If you can successfully connect using IPsec/L2TP mode, but your public IP does not show `Your VPN Server IP`, read the [OS X](#os-x) section above and complete this step: Click the **Advanced** button and make sure the **Send all traffic over VPN connection** checkbox is checked. Then re-connect the VPN.
To save battery, iOS devices (iPhone/iPad) will automatically disconnect Wi-Fi shortly after the screen turns off (sleep mode). As a result, the IPsec VPN disconnects. This behavior is <ahref="https://discussions.apple.com/thread/2333948"target="_blank">by design</a> and cannot be configured. If you need the VPN to auto-reconnect when the device wakes up, try <ahref="https://github.com/Nyr/openvpn-install"target="_blank">OpenVPN</a> instead, which <ahref="https://docs.openvpn.net/connecting/connecting-to-access-server-with-apple-ios/faq-regarding-openvpn-connect-ios/"target="_blank">has support for options</a> such as "Reconnect on Wakeup" and "Seamless Tunnel".
Android devices will also disconnect Wi-Fi shortly after entering sleep mode, unless the option "Keep Wi-Fi on during sleep" is enabled. This option is no longer available in Android 8 (Oreo). Alternatively, you may try enabling the "Always-on VPN" option to stay connected. Learn more <ahref="https://support.google.com/android/answer/9089766?hl=en"target="_blank">here</a>.
1. Tap the "Settings" icon next to your VPN profile. Select "Show advanced options" and scroll down to the bottom. If the option "Backward compatible mode" exists (see image below), enable it and reconnect the VPN. If not, try the next step.
1. Edit `/etc/ipsec.conf` on the VPN server. Find `sha2-truncbug=yes` and replace it with `sha2-truncbug=no`. Save the file and run `service ipsec restart` (<ahref="https://libreswan.org/wiki/FAQ#Configuration_Matters"target="_blank">Ref</a>).
Chromebook users: If you are unable to connect, try these steps: Edit `/etc/ipsec.conf` on the VPN server. Find the line `phase2alg=...` and append `,aes_gcm-null` at the end. Save the file and run `service ipsec restart`.
Please try these additional troubleshooting steps:
First, restart services on the VPN server:
```bash
service ipsec restart
service xl2tpd restart
```
If using Docker, run `docker restart ipsec-vpn-server`.
Then reboot your VPN client device, and retry the connection. If still unable to connect, try removing and recreating the VPN connection, by following the instructions in this document. Make sure that the VPN credentials are entered correctly.
Check the Libreswan (IPsec) and xl2tpd logs for errors:
Instructions below are based on [the work of Peter Sanford](https://gist.github.com/psanford/42c550a1a6ad3cb70b13e4aaa94ddb1c). Commands must be run as `root` on your VPN client.
If your VPN client is a remote server, you must also exclude your Local PC's public IP from the new default route, to prevent your SSH session from being disconnected (replace with <ahref="https://www.google.com/search?q=my+ip"target="_blank">actual value</a>):
This document was adapted from the <ahref="https://github.com/StreisandEffect/streisand"target="_blank">Streisand</a> project, maintained by Joshua Lund and contributors.
Based on <ahref="https://github.com/StreisandEffect/streisand/blob/6aa6b6b2735dd829ca8c417d72eb2768a89b6639/playbooks/roles/l2tp-ipsec/templates/instructions.md.j2"target="_blank">the work of Joshua Lund</a> (Copyright 2014-2016)
This program is free software: you can redistribute it and/or modify it under the terms of the <ahref="https://www.gnu.org/licenses/gpl.html"target="_blank">GNU General Public License</a> as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.