How to setup the L2TP/IPSec client in Apple iOS 7.1.2 and later

I will guide you in this article through the process of setup of the L2TP/IPSec client in Apple iOS 7.1.2 and later versions. The client side setup does not depend on the type of VPN server.

Thanks to the Mikrotik RouterOS, setup for this kind of tunnel is very simple today. Moreover, this tutorial is the client-side part of our IPSec series. We will explain the server side after this mini-series related to client-side configuration.

Today, L2TP/IPSec client is supported out-of-the-box in IOS 7.1.2 and later versions. Moreover, Apple has withdrawn support for PPTP tunnel starting from iOS version 10. In addition, all users should update to the latest iOS version available for their device.

You can find the following tutorials related to the L2TP/IPSec VPN clients on my blog:


Our recipe

1) We have to open the icon Settings. Position may vary between versions of iOS.


2) A new window opens. We will choose the option General.


3) We will scroll down to the option for VPNs. It should has the status Not Connected. We will open it.

4) In the next step, we will choose the option Add VPN Configuration…


5) The new window will open. We need to fill the descriptive name of our connection. You should name this connection in a user friendly way, like Contoso VPN.

Server can be either an IP address or DNS name (as demonstrated in the screenshot). In case you want to use the DNS (a.k.a. FQDN) name, you must register it in your DNS zone. This option allows you to register multiple IP addresses under the same DNS name and to use so-called round-robin access.


That means that we can have two or more independent Internet links and to allow users to establish the VPN over a random link. In the event that one of the links is unavailable due any problem with the ISP, your VPN concentrator is still up and running.

We should enter the username (the field Account) and password. However, for security reasons it’s strongly advised that your password for the VPN connection is not saved. Yes, you will need to type it every time. But hey, this is a small price for greater security.

The last option is Secret. It is related to the IPSec part of the tunnel. We can use either the pre-shared key or certificate. In our case, and in most situations, we will choose the pre-shared key. In which case, the system administrator must provide us with the key. Type the IPSec pre-shared key here.

6) Choose the option Save. This window will close and the new connection will appear in the list.


7) Choose the new connection from the list. Touch it and slide the switch to the right, to turn it on. As we didn’t saved the password, the new window will appear with prompt for our VPN password.


8) When you enter the password, touch the button Done and the phone will begin with the process of connecting.


9) After a short while (depending on the quality of your Wi-Fi link) we should be connected to the remote network


10) We can click on the active VPN connection. We will see the parameters in the new window.



Security considerations

Now when you see how easy it is to setup this connection, you should consider replacing those old PPTP VPNs and replacing it with a modern and stronger L2TP/IPSec VPN tunnel. Keep in mind that from the iOS version 10, you can’t use ye olde PPTP tunnels.

The most vulnerable part here can be the IPSec pre-shared key, as all users on your system must share the same key. The key should be very complex. However, if you need to share it with other people and give it to them in clear text, then sooner or later the secret key will be leaked. If you’re administering the VPN system, you should configure all of this for your users or customers.

You can consider the idea of additional protection through the certificates, but this is another story to tell. Stay tuned.


5 thoughts on “How to setup the L2TP/IPSec client in Apple iOS 7.1.2 and later

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.