setup-ipsec-vpn

English | 中文

Configure IPsec/XAuth VPN Clients

After setting up your own VPN server, follow these steps to configure your devices. IPsec/XAuth (“Cisco IPsec”) is natively supported by Android, iOS and OS X. There is no additional software to install. Windows users can use the free Shrew Soft client. In case you are unable to connect, first check to make sure the VPN credentials were entered correctly.

IPsec/XAuth mode is also called “Cisco IPsec”. This mode is generally faster than IPsec/L2TP with less overhead.

Windows

You may also connect using IKEv2 (recommended) or IPsec/L2TP mode. No additional software is required.

  1. Download and install the free Shrew Soft VPN client. When prompted during install, select Standard Edition.
    Note: This VPN client does NOT support Windows 10/11.
  2. Click Start Menu -> All Programs -> ShrewSoft VPN Client -> VPN Access Manager
  3. Click the Add (+) button on toolbar.
  4. Enter Your VPN Server IP in the Host Name or IP Address field.
  5. Click the Authentication tab. Select Mutual PSK + XAuth from the Authentication Method drop-down menu.
  6. Under the Local Identity sub-tab, select IP Address from the Identification Type drop-down menu.
  7. Click the Credentials sub-tab. Enter Your VPN IPsec PSK in the Pre Shared Key field.
  8. Click the Phase 1 tab. Select main from the Exchange Type drop-down menu.
  9. Click the Phase 2 tab. Select sha1 from the HMAC Algorithm drop-down menu.
  10. Click Save to save the VPN connection details.
  11. Select the new VPN connection. Click the Connect button on toolbar.
  12. Enter Your VPN Username in the Username field.
  13. Enter Your VPN Password in the Password field.
  14. Click Connect.

Once connected, you will see tunnel enabled in the VPN Connect status window. Click the “Network” tab, and confirm that Established - 1 is displayed under “Security Associations”. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP”.

If you get an error when trying to connect, see Troubleshooting.

OS X (macOS)

macOS 13 (Ventura) and newer

You may also connect using IKEv2 (recommended) or IPsec/L2TP mode.

  1. Open System Settings and go to the Network section.
  2. Click VPN on the right hand side of the window.
  3. Click the Add VPN Configuration drop-down menu and select Cisco IPSec.
  4. In the window that opens, enter anything you like for the Display name.
  5. Enter Your VPN Server IP for the Server address.
  6. Enter Your VPN Username for the Account name.
  7. Enter Your VPN Password for the Password.
  8. Select Shared secret from the Type drop-down menu.
  9. Enter Your VPN IPsec PSK for the Shared secret.
  10. Leave the Group name field blank.
  11. Click Create to save the VPN configuration.
  12. To show VPN status in your menu bar and for shortcut access, go to the Control Center section of System Settings. Scroll to the bottom and select Show in Menu Bar from the VPN drop-down menu.

To connect to the VPN: Use the menu bar icon, or go to the VPN section of System Settings and toggle the switch for your VPN configuration. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP”.

If you get an error when trying to connect, see Troubleshooting.

macOS 12 (Monterey) and older

You may also connect using IKEv2 (recommended) or IPsec/L2TP mode.

  1. Open System Preferences and go to the Network section.
  2. Click the + button in the lower-left corner of the window.
  3. Select VPN from the Interface drop-down menu.
  4. Select Cisco IPSec from the VPN Type drop-down menu.
  5. Enter anything you like for the Service Name.
  6. Click Create.
  7. Enter Your VPN Server IP for the Server Address.
  8. Enter Your VPN Username for the Account Name.
  9. Enter Your VPN Password for the Password.
  10. Click the Authentication Settings button.
  11. In the Machine Authentication section, select the Shared Secret radio button and enter Your VPN IPsec PSK.
  12. Leave the Group Name field blank.
  13. Click OK.
  14. Check the Show VPN status in menu bar checkbox.
  15. Click Apply to save the VPN connection information.

To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose Connect. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP”.

If you get an error when trying to connect, see Troubleshooting.

Android

Important: Android users should instead connect using IKEv2 mode (recommended), which is more secure. Android 12+ only supports IKEv2 mode. The native VPN client in Android uses the less secure modp1024 (DH group 2) for the IPsec/L2TP and IPsec/XAuth (“Cisco IPsec”) modes.

If you still want to connect using IPsec/XAuth mode, you must first edit /etc/ipsec.conf on the VPN server. Find the line ike=... and append ,aes256-sha2;modp1024,aes128-sha1;modp1024 at the end. Save the file and run service ipsec restart.

Docker users: Add VPN_ENABLE_MODP1024=yes to your env file, then re-create the Docker container.

After that, follow the steps below on your Android device:

  1. Launch the Settings application.
  2. Tap “Network & internet”. Or, if using Android 7 or earlier, tap More… in the Wireless & networks section.
  3. Tap VPN.
  4. Tap Add VPN Profile or the + icon at top-right of screen.
  5. Enter anything you like in the Name field.
  6. Select IPSec Xauth PSK in the Type drop-down menu.
  7. Enter Your VPN Server IP in the Server address field.
  8. Leave the IPSec identifier field blank.
  9. Enter Your VPN IPsec PSK in the IPSec pre-shared key field.
  10. Tap Save.
  11. Tap the new VPN connection.
  12. Enter Your VPN Username in the Username field.
  13. Enter Your VPN Password in the Password field.
  14. Check the Save account information checkbox.
  15. Tap Connect.

Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP”.

If you get an error when trying to connect, see Troubleshooting.

iOS

You may also connect using IKEv2 (recommended) or IPsec/L2TP mode.

  1. Go to Settings -> General -> VPN.
  2. Tap Add VPN Configuration….
  3. Tap Type. Select IPSec and go back.
  4. Tap Description and enter anything you like.
  5. Tap Server and enter Your VPN Server IP.
  6. Tap Account and enter Your VPN Username.
  7. Tap Password and enter Your VPN Password.
  8. Leave the Group Name field blank.
  9. Tap Secret and enter Your VPN IPsec PSK.
  10. Tap Done.
  11. Slide the VPN switch ON.

Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP”.

If you get an error when trying to connect, see Troubleshooting.

Linux

You may also connect using IKEv2 mode (recommended).

Fedora and CentOS

Fedora 28 (and newer) and CentOS 8/7 users can install the NetworkManager-libreswan-gnome package using yum, then configure the IPsec/XAuth VPN client using the GUI.

  1. Go to Settings -> Network -> VPN. Click the + button.
  2. Select IPsec based VPN.
  3. Enter anything you like in the Name field.
  4. Enter Your VPN Server IP for the Gateway.
  5. Select IKEv1 (XAUTH) in the Type drop-down menu.
  6. Enter Your VPN Username for the User name.
  7. Right-click the ? in the User password field, select Store the password only for this user.
  8. Enter Your VPN Password for the User password.
  9. Leave the Group name field blank.
  10. Right-click the ? in the Secret field, select Store the password only for this user.
  11. Enter Your VPN IPsec PSK for the Secret.
  12. Leave the Remote ID field blank.
  13. Click Add to save the VPN connection information.
  14. Turn the VPN switch ON.

Once connected, you can verify that your traffic is being routed properly by looking up your IP address on Google. It should say “Your public IP address is Your VPN Server IP”.

Other Linux

Other Linux users can connect using IPsec/L2TP mode.

License

Note: This license applies to this document only.

Copyright (C) 2016-2025 Lin Song View my profile on LinkedIn
Inspired by the work of Joshua Lund

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

This site is open source. Improve this page.