User Tools

Site Tools


Setting up an IPSEC tunnel

This guide will teach you how to setup a basic IPSEC tunnel to allow you to use your VPS as a VPN. IPSEC tunnels are similar to GRE's in that it can pass all forms of traffic but has the added bonus of being supported by Windows.

If you you're needing a tunnel between a buyvm linux based virtual server and a linux based destination, we highly recommend you use a GRE tunnel documented here: GRE tunnelling your filtered IP.

If you don't have administrative control over your destination (using a shared service of sorts) then your only choice is using a reverse proxy documented here: Redirecting your filtered IP.

Supported Operating Systems

All operating systems with IPSEC support are, you guessed it, supported.

We still highly recommend buying a KVM based plan with us if you're needing to protect a Windows server. You'll save on latency and bandwidth costs.

Please note, if you're setting this up on an OpenVZ with us, you must use a 64bit based template.


  • iptables installed on your BuyVM VPS (included already in most cases)
  • A 64bit based distribution if you're doing this on OpenVZ. This can't be stressed enough and will not work on a 32bit distribution (for the time being).


First you must install openswan & xl2tpd.

On Debian/Ubuntu:

apt-get update
apt-get install openswan xl2tpd

Note: During the install it will ask if you wish to generate certificates. Certificates can give you added security but isn't needed nor covered here.

On CentOS:

yum -y install xl2tpd openswan

Setup ipsec.conf

Open up /etc/ipsec.conf with your favorite editor. Replace the entire contents with the following:

# /etc/ipsec.conf - Openswan IPsec configuration file

# This file:  /usr/share/doc/openswan/ipsec.conf-sample
# Manual:     ipsec.conf.5

version 2.0     # conforms to second version of ipsec.conf specification

# basic configuration
config setup
	# Do not set debug options to debug configuration issues!
	# plutodebug / klipsdebug = "all", "none" or a combation from below:
	# "raw crypt parsing emitting control klips pfkey natt x509 dpd private"
	# eg:
	# plutodebug="control parsing"
	# enable to get logs per-peer
	# plutoopts="--perpeerlog"
	# Again: only enable plutodebug or klipsdebug when asked by a developer
	# NAT-TRAVERSAL support, see README.NAT-Traversal
	# exclude networks used on server side by adding %v4:!a.b.c.0/24
	# OE is now off by default. Uncomment and change to on, to enable.
	# which IPsec stack to use. auto will try netkey, then klips then mast

conn %default


conn L2TP-PSK-noNAT

Make sure you update YOUR_BUYVM_IP with your BuyVM IP.

Setup xl2tpd.conf

Open up /etc/xl2tpd/xl2tpd.conf with your favorite editor. Replace the entire contents with the following:

;listen-addr =                ; Global parameters:
port = 1701             ; * Bind to port 1701
auth file = /etc/xl2tpd/l2tp-secrets  ; * Where our challenge secrets are
access control = no         ; * Refuse connections without IP match
rand source = dev                     ; Source for entropy for random

[lns default]             ; Our fallthrough LNS definition
exclusive = yes            ; * Only permit one tunnel per host
ip range = -
local ip =
refuse authentication = yes     ; * Refuse authentication altogether
refuse pap = yes            ; * Refuse PAP authentication
refuse chap = yes
ppp debug = no            ; * Turn on PPP debugging
pppoptfile = /etc/ppp/options.l2tpd ; * ppp options file

Optional: Update the ip range & local ip to fit your needs.

Setup options.l2tpd

Open up /etc/ppp/options.l2tpd with your favorite editor. Replace the entire contents with the following:

# Do not support BSD compression.

# Allow all usernames to connect.
name *
lcp-echo-failure 10
lcp-echo-interval 5

# Do not authenticate incoming connections. This is handled by IPsec.

# Set the DNS servers the PPP clients will use.

mtu 1400
mru 1400

Setup ipsec.secrets

Open up /etc/ipsec.secrets with your favorite editor. Replace the entire contents with the following:

YOUR_BUYVM_IP %any: "mysecretpresharedkeypassword"

The mysecretpresharedkeypassword is the shared key you'll have to provide to your client sides configuration to connect. All authentication is handled by IPSEC.

Allow traffic to route out your VPS

As with all other VPN tutorials, use an SNAT rule to route traffic from the VPS:

iptables -A POSTROUTING -t nat -s -j SNAT --to-source YOUR_BUYVM_IP

Apply the configuration files

You must now restart the ipsec & xl2tpd daemons:

/etc/init.d/ipsec restart
/etc/init.d/xl2tpd restart

Client side configuration

From here you must configure your client side.

For a good Windows 2008/2012/7/8 guide, please check out Follow all the steps except 9 & 10 as it's specific to their platform.

ipsec.txt · Last modified: 2015/08/29 11:49 by Francisco Dias