Configure IPsec/XAuth VPN Clients

Following these steps allows you to configure your Android, iOS, MacOS, or Linux machine to use an IPsec/XAuth (Cisco IPsec) VPN.

IPsec/XAuth mode is also called “Cisco IPsec”. This mode is generally faster than IPsec/L2TP with less overhead. IPsec/XAuth ("Cisco IPsec") is natively supported by Android, iOS, and MacOS. There is no additional software to install for them.

NOTICE: You should upgrade Libreswan to the latest version, because IKEv1 informational exchange packets are not integrity checked (CVE-2019-10155).

Before continuing with this guide, make sure that you have successfully set up your own IPsec VPN server.

MacOS Clients Configuration

  • Go to Network section in System Preferences.
  • Click the + button in the bottom-left corner of the window.
  • Select VPN from the Interface drop-down menu.
  • Select Cisco IPSec from the VPN Type drop-down menu.
  • Service Name: enter anything you like (usually name of the VPN connection).
  • Click Create.
  • Server Address: Your VPN Server IP.
  • Account Name: Your VPN Username.
  • Password: Your VPN Password.
  • Click the Authentication Settings button.
  • In the Machine Authentication section, select the Shared Secret radio button and enter Your VPN IPsec PSK.
  • Leave the Group Name field blank.
  • Click OK.
  • Check the Show VPN status in menu bar checkbox.
  • Click Apply to save the VPN connection information.

To connect to the VPN: Use the menu bar icon, or go to the Network section of System Preferences, select the VPN and choose Connect. You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo.

iOS (iPhone/iPad) Clients Configuration

  • Go to Settings -> General -> VPN.
  • Tap Add VPN Configuration….
  • Tap Type. Select IPSec and go back.
  • Description: enter anything you like (usually name of the VPN connection).
  • Server: Your VPN Server IP.
  • Account: Your VPN Username.
  • Password: Your VPN Password.
  • Leave the Group Name field blank.
  • Secret: Your VPN IPsec PSK.
  • Tap Done and slide the VPN switch ON.

Once connected, you will see a VPN icon in the status bar. You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo.

Android Clients Configuration

  • Go to Settings > Wireless & Networks > VPN.
  • Add VPN Profile by tapping the + icon at top-right of screen.
  • Name: enter anything you like (usually name of the VPN connection).
  • Type: Choose IPSec Xauth PSK.
  • Server address: Your VPN Server IP.
  • Leave the IPSec identifier field blank.
  • IPSec pre-shared key: Your VPN IPsec PSK.
  • Tap Save.
  • Tap the new VPN connection.
  • Username: Your VPN Username.
  • Password: Your VPN Password.
  • Check the Save account information checkbox.
  • Tap Connect.

Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo.

Linux Clients Configuration

Fedora and CentOS

Fedora > 28 and CentOS 7 users can install the NetworkManager-libreswan-gnome package, then configure the IPsec/XAuth VPN client using the GUI.

  • Go to Settings -> Network -> VPN. Click the + button.
  • Select IPsec based VPN.
  • Name: enter anything you like (usually name of the VPN connection).
  • Gateway: Your VPN Server IP.
  • Type: Select IKEv1 (XAUTH).
  • User name: Your VPN Username.
  • Password: Your VPN Password (click the ? in the password field, select Store the password only for this user)
  • Leave the Group name field blank.
  • Secret: Your VPN IPsec PSK (click the ? in the password field, select Store the password only for this user)
  • Leave the Remote ID field blank.
  • Click Add to save the VPN connection information.
  • Turn the VPN switch ON.

Once connected, you will see a VPN icon in the notification bar. You can verify that your traffic is being routed properly by looking up your IP address on DuckDuckGo.
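The IP lookup check used in each client section above, as an added shell example that is not part of the original guide: it classifies the result given the public IP seen before connecting, the public IP seen after connecting, and the VPN server IP. It assumes IPv4 and that the server sends client traffic out from its own public address; the function names and script name are hypothetical.

```shell
#!/bin/sh
# Added example: classify the "look up your IP address" check.
# Usage: sh vpn_check.sh BEFORE_IP AFTER_IP VPN_SERVER_IP

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# $1 = public IP before connecting, $2 = public IP after connecting,
# $3 = VPN server IP. Prints a verdict and returns a matching status.
vpn_egress_verdict() {
    for addr in "$1" "$2" "$3"; do
        if ! is_ipv4 "$addr"; then
            echo "invalid"; return 3        # e.g. the lookup returned an error page
        fi
    done
    if [ "$1" = "$3" ]; then
        echo "inconclusive"; return 2       # already egressing from the server's address
    elif [ "$2" = "$3" ]; then
        echo "routed"; return 0             # traffic leaves from the VPN server
    elif [ "$2" = "$1" ]; then
        echo "not-routed"; return 1         # traffic still leaves from the original address
    else
        echo "changed-unverified"; return 2 # new address, but not the server's
    fi
}

# Run only when all three addresses are supplied on the command line.
if [ "$#" -eq 3 ]; then
    vpn_egress_verdict "$@"
fi
```

A "not-routed" verdict while the client shows the VPN as connected means traffic is leaving outside the tunnel and the connection settings should be rechecked.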

Other Linux

Other Linux users can connect using IPsec/L2TP mode.

Windows Clients Configuration

Since I don’t have a Windows machine, you can follow the source documentation by Lin Song.

Credits