I've had some success in Mac OSX Leopard 10.5.8. For my setup, I have a Mac Mini behind a Verizon FiOS Actiontec router. I was using Android phone to connect.
At first, it worked fine internally (Phone on the same Wifi), but would fail when connecting externally (Phone on data connection). In the end, it is working exactly the opposite.
I don't have a user account for the "VPN User" because this method just created a single user/password for the connection. I am not "logged in" to Mac, but could remote desktop with a "real user" after connected.
I used version 2.4b of iVPN to configure the settings, and here are some end results:
Forwarded ports
UDP Any->1701, UDP Any->500
Android Settings
Name: YourConnectionName (e.g. Mac Server)
Type: L2TP/IPSec PSK
Server address: hostname.no-ip.org
L2TP secret: (not used)
IPSec identifier: (not used)
IPSec pre-shared key: **YourSharedSecret**
When connecting
Username: auser
Password: challenge
/etc/ppp/user.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Password</key>
<string>challenge</string>
<key>User</key>
<string>auser</string>
</dict>
</plist>
/etc/ppp/chap-secrets
auser * challenge *
/Library/Preferences/SystemConfiguration/com.apple.RemoteAccessServers.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>ActiveServers</key>
<array>
<string>com.apple.ppp.l2tp</string>
</array>
<key>Servers</key>
<dict>
<key>com.apple.ppp.l2tp</key>
<dict>
<key>DNS</key>
<dict>
<key>OfferedSearchDomains</key>
<array/>
<key>OfferedServerAddresses</key>
<array>
<string>208.67.222.222</string>
<string>208.67.220.220</string>
</array>
</dict>
<key>IPv4</key>
<dict>
<key>ConfigMethod</key>
<string>Manual</string>
<key>DestAddressRanges</key>
<array>
<string>192.168.10.101</string>
<string>192.168.10.200</string>
</array>
<key>OfferedRouteAddresses</key>
<array>
<string>192.168.10.100</string>
</array>
<key>OfferedRouteMasks</key>
<array>
<string>255.255.255.0</string>
</array>
<key>OfferedRouteTypes</key>
<array>
<string>Private</string>
</array>
</dict>
<key>Interface</key>
<dict>
<key>SubType</key>
<string>L2TP</string>
<key>Type</key>
<string>PPP</string>
</dict>
<key>L2TP</key>
<dict>
<key>IPSecSharedSecret</key>
<string>**YourSharedSecret**</string>
<key>Transport</key>
<string>IPSec</string>
</dict>
<key>PPP</key>
<dict>
<key>AuthenticatorProtocol</key>
<array>
<string>MSCHAP2</string>
</array>
<key>LCPEchoEnabled</key>
<integer>1</integer>
<key>LCPEchoFailure</key>
<integer>5</integer>
<key>LCPEchoInterval</key>
<integer>60</integer>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
<key>Server</key>
<dict>
<key>Logfile</key>
<string>/var/log/ppp/vpnd.log</string>
<key>MaximumSessions</key>
<integer>128</integer>
<key>VerboseLogging</key>
<integer>1</integer>
</dict>
</dict>
</dict>
</dict>
</plist>
/etc/racoon/remote/anonymous.conf
remote anonymous {
doi ipsec_doi;
situation identity_only;
exchange_mode main;
verify_identifier off;
shared_secret use "**YourSharedSecret**";
nonce_size 16;
nat_traversal_multi_user on;
initial_contact on;
support_mip6 on;
proposal_check claim;
proposal {
authentication_method pre_shared_key;
hash_algorithm sha1;
encryption_algorithm 3des;
lifetime time 3600 sec;
dh_group 2;
}
}
sainfo anonymous {
encryption_algorithm aes, 3des;
authentication_algorithm hmac_sha1, hmac_md5;
compression_algorithm deflate;
lifetime time 3600 sec;
}
You might have to touch /var/log/ppp/vpnd.log and if you're not using iVPN, it looks like (from a ps -ax) the server is started with vpnd -i com.apple.ppp.l2tp. After changing settings and PSKs, I also racoonctl flush-sa ipsec.
Android since 4.0 supports plain IPsec out of the box. And there are several apps for 4.x that provide other VPN protocols on unrooted devices (e.g. IKEv2/IPsec with the strongSwan VPN Client).
Since Windows 7 you can use the built-in IKEv2/IPsec client. Granted racoon does not support IKEv2, but there are other open-source implementations that do (e.g. strongSwan or Libreswan).
Does anyone know why L2TP is still the standard way with IPSec?
I wouldn't say it's the standard way, as e.g. Windows 7 and newer first try IKEv2, but I agree that clients still offer it quite prominently.
One reason for its initial success was probably that it allowed reusing the PPP infrastructure that existed for dial-up connections (while being more secure and standardized than PPTP). And because L2TP installations have been around for a long time, and were deployed pretty widespread, about any client had (and still has) to support it. This makes it, of course, easier for VPN providers as they can reduce the number of offered VPN technologies. This, however, reduces the incentive to implement other protocols in clients.
There could also be licensing issues preventing other protocols from being used, for instance, the IKEv2 implementations mentioned above are GPL licensed, which Apple in iOS and Google in Android tend to avoid in favour of more permissively licensed software such as racoon (which they both use in their products).
Best Answer
There is a very detailed cookbook guide in this article : L2TP/IPSec VPN client on Fedora.
It is even pretty recent, from October 1, 2014.
It lists the packages to install :
And the files that require editing :
(The article is pretty much to the point, so no reason to reproduce it here entirely.)